finAPI GmbH (hereinafter: ‘finAPI’), Adams-Lehmann-Straße 44, D-80797 Munich (registered in the Commercial Register,
Division B, of the Munich Amtsgericht (local court) under number HRB 175250), e-mail:
kontakt@finapi.io.
finAPI’s data protection officer can be contacted at the above address, for the attention of the Abteilung
Datenschutz (Data Protection Department) or by e-mail at datenschutz@finapi.io.
a) finAPI is a payment institution that is supervised by BaFin (the German Federal Financial Supervisory
Authority).
The account information service we provide is a service that allows you to retrieve your account information, to
process it if desired (depending on the service requested; such processing includes data categorisation, for example
the determination of income, rental payments or the number of return debit notes) and to then provide this information
to your service provider (e.g. online trader, creditor bank, finance management platform, provider of
creditworthiness checking services). To do this, you log into your online banking via our web interface. finAPI
then retrieves your account information from your bank and passes it to the provider you have selected.
Our payment triggering service allows you to trigger (i.e. release) payment orders and payment transactions at
your account provider. Your credit limit may be checked before they are submitted.
In order to deliver these account information and payment triggering services, we need to process your personal
data. The purpose of this processing is accordingly first of all to fulfil our contractual obligations in
respect of yourself as an end user or interested party, as well as in respect of our clients (i.e. your
providers).
b) In its capacity as a payment institution, finAPI is subject to special supervisory law requirements and regulatory duties such as the prevention, determination and assessment of cases of fraud or the prevention of terrorism financing. When you use finAPI’s account information services and payment triggering services, your personal data could also be processed by us to fulfil such legal obligations. Ensuring IT security and IT operations can also make it necessary under certain circumstances to process your personal data. In addition, we process the retrieved data for internal purposes within the limits of what is legally permissible and necessary in each case. This includes processing for quality assurance purposes (e.g. the carrying out of evaluations and analyses for our services), for improving and expanding our services (such as learning how to classify account transactions) and for related R&D (research and development) activities of finAPI or its affiliated companies. In addition, we may process your personal data for our own receivables management or for the purpose of direct advertising for our own services. When you get in touch with us, for instance by e-mail, we process the information communicated by you in order to process the enquiry and for any follow-up correspondence. Where this is possible, we anonymise or pseudonymise your data.
We process personal data on the basis of the relevant data protection laws, especially the provisions of the
GDPR (the General Data Protection Regulation, known in Germany as the ‘DS-GVO’) and the German Federal Data
Protection Act (the ‘BDSG’) in accordance with the regulations of the ZAG (the German Payment Services
Supervision Act).
Personal data is processed by us on the basis of Article 6, paragraph 1 letter b) GDPR and Article 59, paragraph
2 ZAG, for the implementation of precontractual measures and to fulfil the contractual duties of finAPI in
respect of our clients (your providers) and yourself as end user and/or interested party. You can find details
of this in our Usage Agreement, which applies to your use of our account information services and payment
triggering services.
Apart from this, we process your data to the extent absolutely necessary on the basis of Article 6, paragraph 1
letter c) GDPR to fulfil legal, especially supervisory law-related, duties. In accordance with Article 6,
paragraph 1 letter f) GDPR, we can process your personal data insofar as the processing is necessary
to protect the legitimate interests of finAPI or a third party, provided that these are not outweighed by the
interests or fundamental rights and fundamental freedoms of the data subject which require the protection of personal data.
Personal data is only processed when this is permissible after weighing up all the interests. The
legitimate interest in the processing arises in this respect from the respective purpose(s) in accordance
with Section 2.1 and may also be commercial in nature.
The account information to be provided to your providers may include special categories of personal data (see
Article 9, paragraph 1 GDPR). This may relate to statements about your racial and ethnic origin, political
opinions, religious or ideological beliefs, trade union membership, health data or data about your sexual life
or sexual orientation. For example, corresponding conclusions may be drawn from payment references or payment
recipients. The permissibility of processing this data in order to perform the service is agreed between you and
your provider.
You are under no obligation to provide us with personal data. However, without this data it is not possible for
us to fulfil the contractual relationship and thus to provide the contractually agreed services.
We process your personal data as part of the account information services and/or payment triggering services. The personal data that arises in this regard comes from credit institutions, financial services institutions, credit card companies and other providers of financial data and can only be accessed in our finAPI application with your consent and after a corresponding login by yourself in your online banking application. As a result, the data origin can differ depending on the service being used. Since the account access requires your consent each time, the accounts released for access by finAPI and the personal data contained therein is/are known to you.
Recipients for the purposes stated under Section 2.1 letter a) are clients (i.e. the providers selected by you) of finAPI that are domiciled in the EEA (European Economic Area) and in Switzerland and possibly in further non-European countries (insofar as a corresponding adequacy decision by the European Commission has been issued or standard contractual clauses have been agreed), which may be viewed at https://www.finapi.io/datenschutz-dsgvo/. Further recipients can be - for the purposes stated in Section 2.1 letter b) - external service providers of finAPI by virtue of Article 28 GDPR as well as internal and external agencies of finAPI. In addition, for the purposes stated in Section 2.1 letter b), finAPI can also pass the client data on to third parties to the extent required and legally permissible in each case, these third parties including external service providers such as IT service providers, operators of end user applications based on finAPI services, affiliated companies such as SCHUFA Holding AG or business partners and account-holding institutions. Sensitive access data that make it possible to access account information at your account providers will be passed on by finAPI solely to the respective account-holding institutions and not to other third parties. finAPI is also subject to the statutory powers of intervention held by state agencies.
We only retain personal data for a certain period of time. The decisive criterion for the determination of this period is necessity. Personal data are accordingly retained and processed for as long as necessary for the respective purposes. Please note in this regard that the business relationship with you may be entered into for a long period of time and that finAPI processes data to at least the end of this contractual relationship. Other commercial, tax law-related and supervisory law-related obligations may apply too in respect of retention, documentation and information provision. These periods of time usually have a duration of up to ten years. In addition, processing beyond this period may be necessary too, including for the purposes of data protection checks and data backup, as well as for legal defences. If the data is no longer needed for processing purposes then it is deleted.
You have the right in respect of finAPI to receive information by virtue of Article 15 GDPR, the right to
correction by virtue of Article 16 GDPR, the right to deletion by virtue of Article 17 GDPR, the right to limit
the processing by virtue of Article 18 GDPR and the right of data portability by virtue of Article 20 GDPR. To
assert these rights, you can contact finAPI at any time (for contact details, see Section 1). You also have the
option of turning to a supervisory authority. The supervisory body responsible for finAPI is the Bavarian State
Office for Data Protection Supervision.
You can inform finAPI at any time that you are revoking the consents you have given. This also applies to
consents that were already granted before the GDPR came into force. Revoking consent does not affect the
lawfulness of the processing of your personal data carried out up to the revocation.
We are obliged to inform you that by virtue of Article 21, paragraph 1 GDPR, you can object to the data processing on the basis of Article 6, paragraph 1 letters e) and f) GDPR on grounds that result from your specific situation. You can at any time object either to any utilisation of your personal data for advertising purposes by virtue of Article 21, paragraph 2 GDPR or to the individual use(s) in question. The objection can be made in any form and is to be addressed to finAPI GmbH, Adams-Lehmann-Straße 44, D-80797 Munich, Germany.
If your selected provider needs to do so then - following an account access that you have triggered via our
application - information from your online banking account that permits conclusions to be drawn about your personal
and financial situation (e.g. average income, rent, borrowings, number of return debit notes) may be processed
automatically (categorisation) and transmitted to your provider.
We do not take any decision about a product transaction (e.g. granting of credit) that you may wish to make. Only
your provider can do so. Your provider will inform you about any profiling or automatic decision-making
processes that it carries out.