
2019 | OriginalPaper | Chapter

4. FinTechs and Data Protection After the Implementation of the GDPR

Authors: Gregor Dorfleitner, Lars Hornuf

Published in: FinTech and Data Privacy in Germany

Publisher: Springer International Publishing


Abstract

This chapter deals with data protection regarding FinTech services and how FinTechs dealt with it after the implementation of the GDPR in May 2018. The primary source of information on how FinTechs are handling data protection is the privacy statements of the respective companies. We analyzed these privacy statements with regard to three questions: What user data are processed? To whom are these data forwarded? And, if applicable, which third parties provide further information?


Footnotes
1
For example, the privacy statement of Appsichern states (originally in German, translation by the authors): “Types of data processed: inventory data (e.g., names, addresses), contact data (e.g., e-mail, telephone numbers), content data (e.g., text input, photographs, videos), usage data (e.g., websites visited, interest in content, access times), and meta/communication data (e.g., device information, IP addresses). Categories of persons concerned: visitors and users of the online service (hereinafter referred to collectively as ‘users’).”
 
2
A frequently used text module in the privacy statements is “Personal data is any information relating to an identified or identifiable natural person (hereinafter ‘data subject’). A natural person shall be considered identifiable if he or she can be identified directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more specific characteristics expressing the physical, physiological, genetic, psychological, economic, cultural or social identity of that natural person” (originally in German, translation by the authors).
 
3
For example, the privacy statement of Damantis states (originally in German, translation by the authors): “Article 6 I lit. a GDPR serves our company as a legal basis for processing operations in which we obtain consent for a specific processing purpose. If the processing of personal data is necessary for the performance of a contract to which the data subject is a party, as is the case, for example, with processing operations that are necessary for the delivery of goods or the provision of other services or consideration, the processing is based on Article 6 I lit. b GDPR. The same applies to such processing operations that are necessary for the implementation of pre-contractual measures, such as in cases of inquiries about our products or services. If our company is subject to a legal obligation requiring the processing of personal data, such as for the fulfillment of tax obligations, the processing is based on Article 6 I lit. c GDPR. In rare cases, the processing of personal data may become necessary to protect the vital interests of the data subject or another natural person. This would be the case, for example, if a visitor were injured in our operations and his name, age, health insurance data, or other vital information would have to be passed on to a doctor, hospital, or other third party. Then the processing would be based on Article 6 I lit. d GDPR. Ultimately, processing operations could be based on Article 6 I lit. f GDPR. Processing operations that are not covered by any of the aforementioned legal bases are based on this legal basis if the processing is necessary to safeguard a legitimate interest of our company or a third party, provided that the interests, fundamental rights, and basic principles of the data subject do not predominate. Such processing operations are permitted to us in particular because they have been specifically mentioned by the European legislator. In this respect, it took the view that a legitimate interest could be assumed if the person concerned was a customer of the person responsible (recital 47 sentence 2 GDPR).”
 
4
For example, the privacy statement of auxmoney states (originally in German, translation by the authors): “In addition, auxmoney is subject to various storage and documentation obligations, including those arising from the German Commercial Code (HGB) and the German Tax Code (AO). The time limits for storage and documentation specified there are six to ten years.”
 
5
For example, the privacy statement of the equity crowdfunding platform GreenVesting Solutions GmbH states (originally in German, translation by the authors): “This general data and information is stored in the log files of the server. Data processed may include (1) the browser types and versions used can be recorded, (2) the operating system used by the accessing system, (3) the website from which an accessing system accesses our website (so-called referrer), (4) the sub-sites that are accessed via an accessing system on our website, (5) the date and time of access to the website, (6) an Internet protocol address (IP address), (7) the Internet service provider of the accessing system and (8) other similar data and information used to avert dangers in the event of attacks on our information technology systems. When using this general data and information, GreenVesting Solutions GmbH does not draw any conclusions about the person concerned. This information is needed to (1) correctly deliver the content of our website, (2) optimize the content and advertising of our website, (3) ensure the long-term functionality of our information technology systems and the technology of our website, and (4) provide law enforcement authorities with the information necessary to prosecute a cyber attack.”
 
Metadata
Title: FinTechs and Data Protection After the Implementation of the GDPR
Authors: Gregor Dorfleitner, Lars Hornuf
Copyright Year: 2019
Publisher: Springer International Publishing
DOI: https://doi.org/10.1007/978-3-030-31335-7_4