In the following we will show you the type, scope and purpose of processing your personal data. You can access this information at any time on the figo financial ID website at https://home.figo.me by clicking on “About”. Additionally, we make the data privacy information pursuant to the EU General Data Protection Regulation available to you in a separate document.
We ask you to take note of the following information.
figo decides on its own responsibility on the technical means used by figo to communicate with various financial sources, such as banks. The purposes of data processing are partly defined by legal regulations as well as by figo’s offer and in the context of the respective use. For these reasons, figo sees itself as “controller” according to Art. 4 No. 7 of the General Data Protection Regulation (GDPR), other data protection laws applicable in the member states of the European Union and further provisions of data protection law.
figo’s contact address is:
22765 Hamburg, Germany
Authorised representatives: André M. Bajorat, Heiko Rahlfs
External Data Protection Officer: Marc Neumann, IBS data protection services and consulting GmbH, Zirkusweg 1, 20359 Hamburg, Germany
If you have any questions or suggestions regarding data protection, please do not hesitate to contact us by e-mail at email@example.com
Since figo is the controller, there is no need to conclude a data processing agreement between figo and you, for example, if your own use of the financial ID also includes data of third parties in the context of a commercial relationship between you and the third party.
The subject of data protection
The subject of data protection is personal data. Individual specifications about the personal or objective relationships of a defined or definable natural person. Personal data is therefore information that can be used to draw conclusions about an identified or identifiable natural person. In principle, all information about which a personal reference can be established also falls under the concept of personal data. For example, a person’s name, address, e-mail address, telephone number, personnel number, vehicle registration number plate, appearance or walk are all personal data. Furthermore, usage data also has a personal connection. Usage data means data that is required to use our Website. This includes, for example, information about the start, end and scope of your use.
Scope of personal data processing
We only process personal data of our users if this is necessary to provide a functional service. Collection and utilisation of our users’ personal data is only undertaken periodically with the user’s consent. An exception applies in those cases where prior consent cannot be obtained for legal or factual reasons and where the processing of the data is permitted by law.
Legal basis for the processing of personal data
Insofar as we obtain the consent of the data subject for the processing of personal data, Art. 6 para. 1 lit. a EU GDPR serves as the legal basis for the processing of personal data.
Insofar as the processing of personal data is required to fulfill a legal obligation to which our company is subject, Art. 6 para. 1 lit. c GDPR serves as the legal basis.
In the event that the vital interests of the data subject or another natural person require the processing of personal data, Art. 6 para 1 lit. d GDPR serves as the legal basis.
If processing is necessary to safeguard a legitimate interest of our company or a third party and if the interests, fundamental rights and freedoms of the data subject do not outweigh the first-mentioned interest, Art. 6 para. 1 lit. f GDPR serves as the legal basis for processing.
Data erasure and storage period
The personal data of the person concerned will be deleted or blocked as soon as the purpose of storage ceases to apply. Furthermore, data may be stored if this has been provided for by the European or national legislator in EU regulations, laws or other provisions to which the controller is subject. The data will also be blocked or deleted if a storage period prescribed by the aforementioned standards expires.
Automated data collection in the provision of the figo financial ID
When you use our service, your browser or mobile phone automatically transmits the following data for technical reasons:
- Date and time of access
- Browser type/version
- Operating system used
- Resource retrieved
- Quantity of data transmitted
- The user’s IP address
This data is stored exclusively for technical reasons and is not assigned to any person at any time.
The data is also stored in the log files of our system. This data is not stored together with other personal data of the user.
Legal basis for data processing
The legal basis for temporary storage of data and log files is Art. 6 para. 1 lit. f GDPR.
Purpose of processing
The data is stored in log files to ensure the figo financial ID’s functionality. The data is also used to optimise the service and to ensure the security of our information technology systems. No evaluation of the data for marketing purposes is undertaken in this context. These purposes also encompass our legitimate interest in data processing in accordance with Art. 6 Para. 1 lit. f GDPR.
The data will be deleted as soon as it is no longer necessary to achieve the purpose for which it was collected.
Objection and removal option
Collection of data for provision of the figo financial ID and storage of data in log files is absolutely necessary for operation of the website. Consequently, there is no option to object on the part of the user.
Transmission of data via the figo financial ID
By using the figo services and partner services of your choice as well as by entering corresponding data, you determine yourself which information you transmit to figo or to the partners selected by you. The input of any data is voluntary.
In order to use the figo services completely, you must first register with us and create your personal figo account. You will need to enter your name, e-mail address and a password.
In order for figo to fulfill its services for you, it is necessary that you integrate the financial sources you have chosen with your banks, credit card and other payment providers into your figo account. To do this, you must enter the access data for the respective services (e.g. user name and password, account number and bank code or PIN). These data are stored by us at your request and assigned to your figo account. By entering this data, the providers you have selected transmit to us your stored financial data, such as account master data, account balance and turnover. figo uses a current and state-of-the-art encrypted connection for this data transfer. Of course, you are free to decide to which bank account or to how many accounts or to which services you grant us access. The storage of your password or your PIN to the respective account is also voluntary. Depending on the use case, figo or the partner services selected by you can only partially unfold their full range of functions if the access data is stored in your figo account and we can keep an eye on your services (e.g. for the transmission of current balance information to you).
All address and bank data entered by you will be stored exclusively for the processing of the desired functions of figo Services and separately from other data collected by us.
Saving the PIN or password
You decide yourself whether we also save your PIN or password within the access data and thus receive automated access without having to ask you for a prior confirmation. If you choose this procedure, we can make our service or certain partner services easier for you. You will be informed of the possibility of storing your PIN or password at the appropriate point in the account setup process. Of course, you can also remove the saved PIN and/or password at any time. If you decide against saving your access data, the account information will only be updated when you enter your PIN or password again and compared with the previously communicated data of the respective service.
Partner services for your figo account or your figo financial ID
As mentioned above, you can also use your financial ID in third-party applications (e.g. book-keeping, accounting document management, tax consulting or contract management tools). To do this, you can integrate your figo account into various partner services. This means, in order to use the affiliate services with figo, you have to create an account with the respective affiliate and connect it to your figo account.
As far as you use the financial ID, your data stored in the figo account will also be transmitted to the third-party applications authorized by you. When authorizing in connection with the financial ID, you can decide yourself which of your accounts and services within your figo account the third-party applications may access. Only after your explicit approval the third-party applications will have access to the information and data stored by you within the figo account. Further use of the data in third-party applications is governed exclusively by the applicable data protection regulations of the third-party applications.
Data may also be passed on to third parties if it is necessary for the provision of the services or parts of the services and figo uses contractually affiliated external companies and external service providers (e.g. MailChimp for sending newsletters). In such cases, information is passed on to these companies or individuals to enable them to process it further for the purpose of providing services. These external service providers are carefully selected and regularly reviewed by us to ensure that the protection and confidentiality of your data is guaranteed. The service providers may only use the data for the purposes specified by us.
Additional passing-on of data to third parties is only permitted if this is necessary due to legal or official obligations.
No further forwarding of your data to third parties
Except for the aforementioned purposes, your personal data will not be passed on without your prior express consent.
Legal basis for data processing
The legal basis for processing is Art. 6 para. 1 lit. b. GDPR.
Purpose of processing
Your data is stored in order to secure our figo services via the figo financial ID.
The data will be deleted as soon as they are no longer necessary to achieve the purpose for which they were collected.
Possibility of objection and elimination
Your consent to the processing of your data via the figo financial ID and the associated storage of the data can be revoked at any time. You can send your revocation by e-mail to firstname.lastname@example.org
Rights of the data subject
If your personal data is processed, you are a data subject within the meaning of the GDPR and you have the following rights with respect to figo:
The right to be informed
As a data subject, you have the right granted by the European Directive and Regulator to receive free information from figo about your stored personal data and a copy of this information at any time. Furthermore, the European Directive and Regulator has granted you, as the person concerned, access to the following information:
- the purposes of processing;
- the categories of personal data concerned;
- the recipients or categories of recipients to whom the personal data has been or will be disclosed, in particular recipients in third countries or international organisations;
- where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
- the existence of a right to rectification or erasure of the personal data concerning you or of a restriction of the processing by the person responsible or of a right to object to such processing;
- the existence of the right to lodge a complaint with a supervisory authority;
- where the personal data is not collected from the data subject, any available information as to their source;
- the existence of automated decision-making, including profiling, in accordance with Article 22 Para.1 and 4, GDPR and – at least in these cases – meaningful information on the logic involved and the scope and intended effects of such processing for the data subject.
Furthermore, you have a right of access to information as to whether personal data has been transferred to a third country or to an international organisation. If this is the case, you have, in addition, the right to obtain information about the appropriate guarantees in connection with the transfer.
If you would like to make use of this right to information, you can contact one of our employees at email@example.com at any time.
The right of rectification
Granted by the European legislator you also have the right to request the immediate rectification of inaccurate personal data concerning you. You also have the right, taking into account the purposes of the processing, to request the completion of incomplete personal data, including by means of a supplementary declaration.
If you would like to make use of this right to information, you can contact one of our employees at firstname.lastname@example.org at any time.
The right to limitation of processing
You have the right granted by the European legislator of directives and regulations to require figo to restrict processing if one of the following conditions are met:
- The accuracy of your personal information is contested by you for a period of time that allows us to verify the accuracy of your personal information.
- The processing is unlawful, you refuse to delete the personal data and instead demand a restriction on the use of the personal data.
- We no longer need the personal data for the purposes of processing, but you do need it to assert, exercise or defend legal claims.
- You have objected to the processing pursuant to Art. 21 Para. 1 GDPR and it is not yet clear whether figo’s legitimate reasons outweigh yours.
If one of the above conditions is fulfilled and you wish to request the restriction of personal data stored by figo, you can contact one of our employees at email@example.com at any time. Our employee will arrange for processing to be restricted.
Right to erasure
You have the right granted by the European Directive and Regulator to require figo to delete your personal data immediately, provided that one of the following reasons applies and insofar as the processing is not necessary:
- The personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed.
- You revoke your consent on which the processing pursuant to Art. 6 Para. 1 letter a GDPR or Art. 9 para. 2 letter a GDPR and there is no other legal basis for processing.
- You submit an objection to the processing according to Art. 21 Para. 1, GDPR, and there are no overriding legitimate grounds for processing, or you submit an objection according to Art. 21 Para. 2 GDPR objecting to the processing.
- The personal data has been unlawfully processed.
- The personal data must be erased for compliance with a legal obligation under Union or Member State law to which the responsible person is subject.
- The personal data concerning you has been collected in relation to services offered by the information society according to Art. 8 Para. 1 GDPR.
If one of the above-mentioned reasons applies and you wish to have your personal data stored at figo deleted, you can contact one of our employees at firstname.lastname@example.org at any time. The employee will arrange for the deletion request to be complied with without delay.
If the personal data has been made public by us and our company is responsible pursuant to Art. 17 Para. 1 GDPR to delete personal data, we will take appropriate measures, including technical measures, taking into account available technology and implementation costs, to inform other data processors who process the published personal data, that you have requested the deletion of all links to such personal data or of copies or replications of such personal data from those other data processors, where processing is not necessary. Our employees will do what is necessary in individual cases.
Right to data portability
You have the right granted by the European regulator to receive the personal data concerning you that you have provided to figo in a structured, common and machine-readable format. You also have the right to transfer this data to another data controller without obstruction by figo, provided that the processing is based on the consent provided for in Art. 6 para. 1 letter a GDPR or Art. 9 para. 2 letter a GDPR or on a contract in accordance with Art. 6 para. 1 letter b GDPR and processing is carried out by means of automated procedures, except where processing is necessary for the performance of a task in the public interest or in the exercise of official authority conferred on the controller.
Furthermore, when exercising your right to data transferability pursuant to Art. 20 para. 1 GDPR, the right to require that the personal data is transmitted directly from figo to another responsible person, as far as technically feasible and provided that this does not affect the rights and freedoms of others.
To assert the right to data transferability, you can contact one of our employees at email@example.com at any time.
Right of appeal
You have the right granted by the European legislator for reasons arising from your particular situation, to object at any time to the processing of personal data relating to you, which may be processed on the basis of Art. 6 para. 1 letters e or f GDPR. This also applies to profiling based on these provisions.
figo no longer processes personal data in the event of an objection, unless we can prove compelling reasons worthy of protection for the processing, which outweigh your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims.
If figo processes personal data for direct marketing purposes, you have the right to object at any time to the processing of personal data for the purpose of such advertising. This also applies to any profiling connected with such direct advertising. If you object to figo processing for direct advertising purposes, figo will no longer process your personal data for these purposes.
Furthermore, for reasons arising from your particular situation, you have the right to object to the processing of personal data concerning you which figo uses for scientific or historical research purposes or for statistical purposes pursuant to Art. 89 para. 1 GDPR, unless such processing is necessary to fulfil a task in the public interest.
To exercise your right of objection, you can contact any of our employees at firstname.lastname@example.org at any time. In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, you may exercise your right to object by automated means using technical specifications.
Automated individual decision-making including profiling
You have the right granted by the European directive and regulatory body not to be subject to a decision based exclusively on automated processing – including profiling – which has legal effect against you or which significantly affects you in a similar manner, provided that the decision (1) is not necessary for the conclusion or performance of a contract between you and figo, or (2) is admissible under Union or Member State legislation to which figo is subject and contains appropriate measures to safeguard your rights and freedoms and your legitimate interests, or (3) takes place with your express consent.
If the decision (1) is necessary for the conclusion or performance of a contract between you and us or (2) is made with your express consent, figo will take reasonable measures to protect your rights and freedoms as well as your legitimate interests, including at least the right to obtain the intervention of a person by figo, to state their own position and to challenge the decision.
If you wish to assert rights relating to automated decisions, you can contact one of our employees at email@example.com at any time.
Right to withdraw data protection consent
You have the right to revoke your consent to the processing of personal data at any time as granted by the European Directive and Regulator.
If you would like to exercise your right to revoke your consent, you can contact one of our employees at firstname.lastname@example.org at any time.
The right of appeal to a supervisory authority
Without prejudice to any other administrative or judicial remedy, you have the right of appeal to a supervisory authority, in particular in the Member State where you reside, work or where the infringement is suspected, if you believe that the processing of personal data that concerns you is in contravention of GDPR.
The supervisory authority responsible for figo is:
Freie und Hansestadt Hamburg
The Hamburg Commissioner for Data Protection and Freedom of Information
Prof. Dr. Johannes Caspar
Kurt-Schumacher-Allee 4, 20097 Hamburg,
Phone: 040 / 428 54 – 4040
Fax: 040 / 428 54 – 4000
The supervisory authority with which the appeal has been lodged shall inform the appellant of the status and results of the appeal, including the possibility of a judicial remedy under Art. 78 GDPR.