Privacy policy for the use of the figo financial ID

figo GmbH (hereinafter referred to as “figo”) is always aware of the importance of the data entrusted to us. The responsible handling, confidentiality and protection of your data is therefore of particular importance to us. The Processing of your personal data is carried out exclusively within the framework of the statutory provisions, the applicable data protection law and this data protection policy. With this privacy policy we inform you which personal data we collect through your use of figo services via figo financial ID and figo partner services and for what purpose the data is used. The overarching goal of processing your data is usually to enable the integration of your financial data (possibly refined by figo) into figo partner services or a simplified payment initiation out of figo partner services.

In the following we will show you the type, scope and purpose of processing your personal data. You can access this information at any time on the figo financial ID website at by clicking on “About”. Additionally, we make the data privacy information pursuant to the EU General Data Protection Regulation available to you in a separate document.

We ask you to take note of the following information.

Controller/ Contact

figo decides on its own responsibility on the technical means used by figo to communicate with various financial sources, such as banks. The purposes of data processing are partly defined by legal regulations as well as by figo’s offer and in the context of the respective use. For these reasons, figo sees itself as “controller” according to Art. 4 No. 7 of the General Data Protection Regulation (GDPR), other data protection laws applicable in the member states of the European Union and further provisions of data protection law.

figo’s contact address is:

figo GmbH

Gaussstrasse 190c

22765 Hamburg, Germany


Authorised representatives: André M. Bajorat, Heiko Rahlfs

External Data Protection Officer: Marc Neumann, IBS data protection services and consulting GmbH, Zirkusweg 1, 20359 Hamburg, Germany

If you have any questions or suggestions regarding data protection, please do not hesitate to contact us by e-mail at

Since figo is the controller, there is no need to conclude a data processing agreement between figo and you, for example, if your own use of the financial ID also includes data of third parties in the context of a commercial relationship between you and the third party.

The subject of data protection

The subject of data protection is personal data. Individual specifications about the personal or objective relationships of a defined or definable natural person. Personal data is therefore information that can be used to draw conclusions about an identified or identifiable natural person. In principle, all information about which a personal reference can be established also falls under the concept of personal data. For example, a person’s name, address, e-mail address, telephone number, personnel number, vehicle registration number plate, appearance or walk are all personal data. Furthermore, usage data also has a personal connection. Usage data means data that is required to use our Website. This includes, for example, information about the start, end and scope of your use.

Scope of personal data processing

We only process personal data of our users if this is necessary to provide a functional service. Collection and utilisation of our users’ personal data is only undertaken periodically with the user’s consent. An exception applies in those cases where prior consent cannot be obtained for legal or factual reasons and where the processing of the data is permitted by law.

Legal basis for the processing of personal data

Insofar as we obtain the consent of the data subject for the processing of personal data, Art. 6 para. 1 lit. a EU GDPR serves as the legal basis for the processing of personal data.

Insofar as the processing of personal data is required to fulfill a legal obligation to which our company is subject, Art. 6 para. 1 lit. c GDPR serves as the legal basis.

In the event that the vital interests of the data subject or another natural person require the processing of personal data, Art. 6 para 1 lit. d GDPR serves as the legal basis.

If processing is necessary to safeguard a legitimate interest of our company or a third party and if the interests, fundamental rights and freedoms of the data subject do not outweigh the first-mentioned interest, Art. 6 para. 1 lit. f GDPR serves as the legal basis for processing.

Data erasure and storage period

The personal data of the person concerned will be deleted or blocked as soon as the purpose of storage ceases to apply. Furthermore, data may be stored if this has been provided for by the European or national legislator in EU regulations, laws or other provisions to which the controller is subject. The data will also be blocked or deleted if a storage period prescribed by the aforementioned standards expires.

Automated data collection in the provision of the figo financial ID

When you use our service, your browser or mobile phone automatically transmits the following data for technical reasons:

  • Date and time of access
  • Browser type/version
  • Operating system used
  • Resource retrieved
  • Quantity of data transmitted
  • The user’s IP address

This data is stored exclusively for technical reasons and is not assigned to any person at any time.

The data is also stored in the log files of our system. This data is not stored together with other personal data of the user.

Legal basis for data processing

The legal basis for temporary storage of data and log files is Art. 6 para. 1 lit. f GDPR.

Purpose of processing

The data is stored in log files to ensure the figo financial ID’s functionality. The data is also used to optimise the service and to ensure the security of our information technology systems. No evaluation of the data for marketing purposes is undertaken in this context. These purposes also encompass our legitimate interest in data processing in accordance with Art. 6 Para. 1 lit. f GDPR.

Storage period

The data will be deleted as soon as it is no longer necessary to achieve the purpose for which it was collected.

Objection and removal option

Collection of data for provision of the figo financial ID and storage of data in log files is absolutely necessary for operation of the website. Consequently, there is no option to object on the part of the user.

Transmission of data via the figo financial ID

By using the figo services and partner services of your choice as well as by entering corresponding data, you determine yourself which information you transmit to figo or to the partners selected by you. The input of any data is voluntary.


In order to use the figo services completely, you must first register with us and create your personal figo account. You will need to enter your name, e-mail address and a password.

figo Services

In order for figo to fulfill its services for you, it is necessary that you integrate the financial sources you have chosen with your banks, credit card and other payment providers into your figo account. To do this, you must enter the access data for the respective services (e.g. user name and password, account number and bank code or PIN). These data are stored by us at your request and assigned to your figo account. By entering this data, the providers you have selected transmit to us your stored financial data, such as account master data, account balance and turnover. figo uses a current and state-of-the-art encrypted connection for this data transfer. Of course, you are free to decide to which bank account or to how many accounts or to which services you grant us access. The storage of your password or your PIN to the respective account is also voluntary. Depending on the use case, figo or the partner services selected by you can only partially unfold their full range of functions if the access data is stored in your figo account and we can keep an eye on your services (e.g. for the transmission of current balance information to you).

All address and bank data entered by you will be stored exclusively for the processing of the desired functions of figo Services and separately from other data collected by us.

Saving the PIN or password

You decide yourself whether we also save your PIN or password within the access data and thus receive automated access without having to ask you for a prior confirmation. If you choose this procedure, we can make our service or certain partner services easier for you. You will be informed of the possibility of storing your PIN or password at the appropriate point in the account setup process. Of course, you can also remove the saved PIN and/or password at any time. If you decide against saving your access data, the account information will only be updated when you enter your PIN or password again and compared with the previously communicated data of the respective service.

Partner services for your figo account or your figo financial ID

As mentioned above, you can also use your financial ID in third-party applications (e.g. book-keeping, accounting document management, tax consulting or contract management tools). To do this, you can integrate your figo account into various partner services. This means, in order to use the affiliate services with figo, you have to create an account with the respective affiliate and connect it to your figo account.

As far as you use the financial ID, your data stored in the figo account will also be transmitted to the third-party applications authorized by you. When authorizing in connection with the financial ID, you can decide yourself which of your accounts and services within your figo account the third-party applications may access. Only after your explicit approval the third-party applications will have access to the information and data stored by you within the figo account. Further use of the data in third-party applications is governed exclusively by the applicable data protection regulations of the third-party applications.

Data may also be passed on to third parties if it is necessary for the provision of the services or parts of the services and figo uses contractually affiliated external companies and external service providers (e.g. MailChimp for sending newsletters). In such cases, information is passed on to these companies or individuals to enable them to process it further for the purpose of providing services. These external service providers are carefully selected and regularly reviewed by us to ensure that the protection and confidentiality of your data is guaranteed. The service providers may only use the data for the purposes specified by us.

Additional passing-on of data to third parties is only permitted if this is necessary due to legal or official obligations.

No further forwarding of your data to third parties

Except for the aforementioned purposes, your personal data will not be passed on without your prior express consent.

Legal basis for data processing

The legal basis for processing is Art. 6 para. 1 lit. b. GDPR.

Purpose of processing

Your data is stored in order to secure our figo services via the figo financial ID.

Storage period

The data will be deleted as soon as they are no longer necessary to achieve the purpose for which they were collected.

Possibility of objection and elimination

Your consent to the processing of your data via the figo financial ID and the associated storage of the data can be revoked at any time. You can send your revocation by e-mail to

Rights of the data subject

If your personal data is processed, you are a data subject within the meaning of the GDPR and you have the following rights with respect to figo:

The right to be informed

As a data subject, you have the right granted by the European Directive and Regulator to receive free information from figo about your stored personal data and a copy of this information at any time. Furthermore, the European Directive and Regulator has granted you, as the person concerned, access to the following information:

  • the purposes of processing;
  • the categories of personal data concerned;
  • the recipients or categories of recipients to whom the personal data has been or will be disclosed, in particular recipients in third countries or international organisations;
  • where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
  • the existence of a right to rectification or erasure of the personal data concerning you or of a restriction of the processing by the person responsible or of a right to object to such processing;
  • the existence of the right to lodge a complaint with a supervisory authority;
  • where the personal data is not collected from the data subject, any available information as to their source;
  • the existence of automated decision-making, including profiling, in accordance with Article 22 Para.1 and 4, GDPR and – at least in these cases – meaningful information on the logic involved and the scope and intended effects of such processing for the data subject.

Furthermore, you have a right of access to information as to whether personal data has been transferred to a third country or to an international organisation. If this is the case, you have, in addition, the right to obtain information about the appropriate guarantees in connection with the transfer.

If you would like to make use of this right to information, you can contact one of our employees at at any time.

The right of rectification

Granted by the European legislator you also have the right to request the immediate rectification of inaccurate personal data concerning you. You also have the right, taking into account the purposes of the processing, to request the completion of incomplete personal data, including by means of a supplementary declaration.

If you would like to make use of this right to information, you can contact one of our employees at at any time.

The right to limitation of processing

You have the right granted by the European legislator of directives and regulations to require figo to restrict processing if one of the following conditions are met:

  • The accuracy of your personal information is contested by you for a period of time that allows us to verify the accuracy of your personal information.
  • The processing is unlawful, you refuse to delete the personal data and instead demand a restriction on the use of the personal data.
  • We no longer need the personal data for the purposes of processing, but you do need it to assert, exercise or defend legal claims.
  • You have objected to the processing pursuant to Art. 21 Para. 1 GDPR and it is not yet clear whether figo’s legitimate reasons outweigh yours.

If one of the above conditions is fulfilled and you wish to request the restriction of personal data stored by figo, you can contact one of our employees at at any time. Our employee will arrange for processing to be restricted.

Right to erasure

You have the right granted by the European Directive and Regulator to require figo to delete your personal data immediately, provided that one of the following reasons applies and insofar as the processing is not necessary:

  • The personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed.
  • You revoke your consent on which the processing pursuant to Art. 6 Para. 1 letter a GDPR or Art. 9 para. 2 letter a GDPR and there is no other legal basis for processing.
  • You submit an objection to the processing according to Art. 21 Para. 1, GDPR, and there are no overriding legitimate grounds for processing, or you submit an objection according to Art. 21 Para. 2 GDPR objecting to the processing.
  • The personal data has been unlawfully processed.
  • The personal data must be erased for compliance with a legal obligation under Union or Member State law to which the responsible person is subject.
  • The personal data concerning you has been collected in relation to services offered by the information society according to Art. 8 Para. 1 GDPR.

If one of the above-mentioned reasons applies and you wish to have your personal data stored at figo deleted, you can contact one of our employees at at any time. The employee will arrange for the deletion request to be complied with without delay.

If the personal data has been made public by us and our company is responsible pursuant to Art. 17 Para. 1 GDPR to delete personal data, we will take appropriate measures, including technical measures, taking into account available technology and implementation costs, to inform other data processors who process the published personal data, that you have requested the deletion of all links to such personal data or of copies or replications of such personal data from those other data processors, where processing is not necessary. Our employees will do what is necessary in individual cases.

Right to data portability

You have the right granted by the European regulator to receive the personal data concerning you that you have provided to figo in a structured, common and machine-readable format. You also have the right to transfer this data to another data controller without obstruction by figo, provided that the processing is based on the consent provided for in Art. 6 para. 1 letter a GDPR or Art. 9 para. 2 letter a GDPR or on a contract in accordance with Art. 6 para. 1 letter b GDPR and processing is carried out by means of automated procedures, except where processing is necessary for the performance of a task in the public interest or in the exercise of official authority conferred on the controller.

Furthermore, when exercising your right to data transferability pursuant to Art. 20 para. 1 GDPR, the right to require that the personal data is transmitted directly from figo to another responsible person, as far as technically feasible and provided that this does not affect the rights and freedoms of others.

To assert the right to data transferability, you can contact one of our employees at at any time.

Right of appeal

You have the right granted by the European legislator for reasons arising from your particular situation, to object at any time to the processing of personal data relating to you, which may be processed on the basis of Art. 6 para. 1 letters e or f GDPR. This also applies to profiling based on these provisions.

figo no longer processes personal data in the event of an objection, unless we can prove compelling reasons worthy of protection for the processing, which outweigh your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims.

If figo processes personal data for direct marketing purposes, you have the right to object at any time to the processing of personal data for the purpose of such advertising. This also applies to any profiling connected with such direct advertising. If you object to figo processing for direct advertising purposes, figo will no longer process your personal data for these purposes.

Furthermore, for reasons arising from your particular situation, you have the right to object to the processing of personal data concerning you which figo uses for scientific or historical research purposes or for statistical purposes pursuant to Art. 89 para. 1 GDPR, unless such processing is necessary to fulfil a task in the public interest.

To exercise your right of objection, you can contact any of our employees at at any time. In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, you may exercise your right to object by automated means using technical specifications.

Automated individual decision-making including profiling

You have the right granted by the European directive and regulatory body not to be subject to a decision based exclusively on automated processing – including profiling – which has legal effect against you or which significantly affects you in a similar manner, provided that the decision (1) is not necessary for the conclusion or performance of a contract between you and figo, or (2) is admissible under Union or Member State legislation to which figo is subject and contains appropriate measures to safeguard your rights and freedoms and your legitimate interests, or (3) takes place with your express consent.

If the decision (1) is necessary for the conclusion or performance of a contract between you and us or (2) is made with your express consent, figo will take reasonable measures to protect your rights and freedoms as well as your legitimate interests, including at least the right to obtain the intervention of a person by figo, to state their own position and to challenge the decision.

If you wish to assert rights relating to automated decisions, you can contact one of our employees at at any time.

Right to withdraw data protection consent

You have the right to revoke your consent to the processing of personal data at any time as granted by the European Directive and Regulator.

If you would like to exercise your right to revoke your consent, you can contact one of our employees at at any time.

The right of appeal to a supervisory authority

Without prejudice to any other administrative or judicial remedy, you have the right of appeal to a supervisory authority, in particular in the Member State where you reside, work or where the infringement is suspected, if you believe that the processing of personal data that concerns you is in contravention of GDPR.

The supervisory authority responsible for figo is:


Freie und Hansestadt Hamburg

The Hamburg Commissioner for Data Protection and Freedom of Information

Prof. Dr. Johannes Caspar

Kurt-Schumacher-Allee 4, 20097 Hamburg,

6th floor

Phone: 040 / 428 54 – 4040

Fax: 040 / 428 54 – 4000


The supervisory authority with which the appeal has been lodged shall inform the appellant of the status and results of the appeal, including the possibility of a judicial remedy under Art. 78 GDPR.