2. Contact person
The contact person and so-called person responsible for the processing of your personal data when visiting this website within the meaning of the EU General Data Protection Regulation (GDPR) is
– Data protection –
If you have any questions about data protection in connection with our services or the use of our website, you can also contact our data protection officer at any time. Our data protection officer can be reached as follows:
ISiCO Data Protection GmbH
– Data Protection Officer Ratepay –
Am Hamburger Bahnhof 4
3. Data processing on our website
3.1 Access to our website / access data
Whenever you use our website, we collect access data that your browser automatically transmits to enable you to visit the website. The access data includes in particular:
– IP address of the requesting device,
– Date and time of the request,
– Address of the website called up and the requesting website,
– Information about the browser and operating system used,
– Online identifiers (e.g. device identifiers, session IDs).
The processing of this access data is necessary to enable you to visit the website and to ensure the permanent functionality and security of our systems. For the purposes described above, the access data is also temporarily stored in internal log files in order to generate statistical data on the use of our website, to further develop our website with regard to the usage habits of our visitors (e.g. if the proportion of mobile devices used to access the pages increases) and for general administrative maintenance of our website. The legal basis is Art. 6 para. 1 sentence 1 lit. f GDPR, as we have a legitimate interest in the operation and further development of our website.
3.2 Ratepay portals
3.2.1 Ratepay merchant portal
You can register for our merchant portal if you, as a merchant, offer Ratepay payment methods. The registration information for the merchant portal is provided by Ratepay. Further information about the merchant portal of Ratepay can be found here [https://ratepay.gitbook.io/legal/terms/interfaces/en]. The legal basis for the processing is Art. 6 para. 1 lit. b GDPR.
3.2.2 Ratepay buyer portal
3.3 Establishing contact
You have the possibility to get in contact with us via a contact form. In this context we process data exclusively for the purpose of communicating with you. The legal basis is Art. 6 para. 1 lit. b GDPR, as far as the information is required for the initiation or execution of a contract. Otherwise, your data will be processed on the basis of our legitimate interests in accordance with Art. 6 para. 1 sentence 1 lit. f GDPR. Our legitimate interests consist of communication with users and the processing of customer enquiries. The data collected by us when using the contact form will be automatically deleted after your enquiry has been completely processed, unless we still need your enquiry to fulfil contractual or legal obligations (see section “Storage period”). In addition, you will receive information about attractive payment solutions from our partners (Nets A/S, Denmark, www.nets.eu), provided you have consented to this, Art. 6 para. 1 lit. a GDPR.
3.4.1 You have the option of subscribing to our newsletter, in which we regularly inform you about innovations to our products and promotions. To send our newsletter, we use Cleverreach, a service of CleverReach GmbH & Co. KG, Schafjückenweg 2, 26180 Rastede, Germany (“Cleverreach”).
3.4.2 For ordering our newsletters, we use the so-called double opt-in procedure, i.e. we will only send you newsletters by e-mail if you confirm in our notification e-mail by clicking on a link that you are the owner of the e-mail address provided. If you confirm your e-mail address, we will store your e-mail address, the time of registration and the IP address used for registration until you unsubscribe from the newsletter. The storage is solely for the purpose of sending you the newsletter and to be able to prove your registration. You can unsubscribe from the newsletter at any time. A corresponding unsubscribe link can be found in every newsletter. A message to the contact details given above or in the newsletter (e.g. by e-mail or letter) is of course also sufficient for this purpose. Your data for the newsletter dispatch will be deleted within one month after the end of the newsletter receipt, provided that the deletion does not conflict with any legal retention obligations. We use standard market technologies in our newsletters to measure interactions with the newsletters (e.g. opening of the e-mail, links clicked on). We use this data in pseudonymous form for general statistical evaluations and to optimise and further develop our content and customer communication. This is done with the help of small graphics embedded in the newsletter (so-called pixels). The data is collected exclusively in pseudonymised form and is not linked to your other personal data. The legal basis for the processing is your consent pursuant to Art. 6 para. 1 sentence 1 lit. a GDPR.
3.4.3 We want to share content that is as relevant as possible for our customers via our newsletter and better understand what readers are actually interested in. If you do not want the analysis of usage behaviour, you can unsubscribe from the newsletters or deactivate graphics in your email programme by default. The data on interaction with our newsletters is stored pseudonymously for 30 days and then completely anonymised.
3.4.4 If your subscription to our newsletter was made in return for a service (e.g. the provision of a whitepaper), the legal basis for the processing is Art. 6 para. 1 lit. b GDPR. Your data will be used for the purpose of newsletter delivery as well as statistical analysis of the data generated when reading/interacting with our newsletter. Once you have verified your email address, you will receive regular information from us on the latest developments in the payment scene. Again, you can unsubscribe from the newsletter at any time free of charge by clicking on one of the unsubscribe links included in each newsletter message or by contacting us at the contact details provided above.
3.5 Google reCAPTCHA
Our website uses the service Google reCAPTCHA, which is offered to users from the European Economic Area, Switzerland and Liechtenstein by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland and to all other users by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (together “Google”). This feature is primarily intended to distinguish whether an entry is made by a natural person or is improperly made by machine and automated processing. To use this service, your web browser must connect to a Google server, which may also be located in the USA, when you access the contact page. Google is thereby informed that the contact page of our website was called up from the IP address of your device and, if applicable, receives further data required by Google for the service reCAPTCHA. The legal basis is Art. 6 para. 1 sentence 1 lit. f GDPR, based on our legitimate interest in establishing individual responsibility on the Internet and avoiding abuse and spam. Google and Ratepay have recorded the respective data protection obligations in an agreement [https://cloud.google.com/maps-platform/terms/maps-controller-terms/].
3.6 Google Maps
Our website uses the map service Google Maps, which is offered to users from the European Economic Area, Switzerland and Liechtenstein by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland and to all other users by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (together “Google”). In order for the Google Maps we use to be embedded and displayed in your web browser, your web browser must connect to a Google server, which may also be located in the United States, when you access the contact page. Google thereby receives the information that the contact page of our website was called up from the IP address of your device. The legal basis is Art. 6 para. 1 sentence 1 lit. f GDPR, based on our legitimate interest in the integration of a map service for establishing contact. Google and Ratepay have recorded their respective data protection obligations in an agreement [https://cloud.google.com/maps-platform/terms/maps-controller-terms/].
If you call up the Google map service on our website while you are logged into your Google profile, Google may also link this event to your Google profile. If you do not wish to be associated with your Google Profile, you will need to log out of Google before you can access our contact page. Google stores your data and uses it for the purposes of advertising, market research and personalised presentation of Google Maps. You can object to this collection of data from Google.
3.7 Use of own cookies
For some of our services it is necessary that we use so-called cookies. A cookie is a small text file that is stored by the browser on your device. Cookies are not used to execute programs or to load viruses onto your computer. The main purpose of our own cookies is rather to provide you with a specially tailored offer and to make the use of our services as time-saving as possible.
Most browsers are set by default to accept cookies. However, you can adjust your browser settings to reject cookies or to only store them after prior consent. If you reject cookies, not all of our services may work for you without interruption.
We use our own cookies in particular
– for login authentication,
– for load distribution,
– to save your language settings,
– to note that you have been shown information placed on our website, so that it will not be displayed again the next time you visit the website.
In this way, we want to enable you to use our website more conveniently and individually. These services are based on our aforementioned legitimate interests; the legal basis is Art. 6 para. 1 sentence 1 lit. f GDPR.
Insofar as consent has been obtained, the legal basis for the data processing described in the following section is Art. 6 para. 1 sentence 1 lit. a GDPR. Otherwise, the legal basis is Art. 6 para. 1 sentence 1 lit. f GDPR, based on our legitimate interest in the needs-based design and continuous optimisation of our website.
In the following list of the technologies we use, you will also find information on the possibilities of objection regarding our analysis measures by means of a so-called opt-out cookie. Please note that after deleting all cookies in your browser or later use of another browser and/or profile, an opt-out cookie must be set again.
3.8.1 Google Analytics
Google will process the information gained from the cookies in order to evaluate your use of the website, to compile reports on the website activities for the website operators and to provide further services associated with the use of the website and the Internet.
You can, as shown above, configure your browser to reject cookies, or you can prevent the collection of data generated by cookies and related to your use of this website (including your IP address) and the processing of this data by Google by downloading and installing a browser add-on [https://tools.google.com/dlpage/gaoptout?hl=de] provided by Google. This will prevent the collection of data by Google Analytics within this website in the future (the opt-out only works in the browser and only for this domain). If you delete your cookies in this browser, you will have to click this link again.
3.9 Social Media
3.9.1 Online presence in social media
We maintain online presences in social networks to communicate with customers and interested parties and to inform them about our products and services.
User data is generally processed for market research and advertising purposes. In this way, user profiles can be created based on the interests of the users. For this purpose cookies and other identifiers will be stored on the users’ computers. On the basis of these user profiles, advertisements are then placed, for example, within social networks but also on third-party websites.
When using social networks, personal data of users may be processed outside the European Economic Area.
The legal basis for data processing is Art. 6 para. 1 sentence 1 lit. f GDPR, based on our legitimate interest in effective user information and communication. The legal basis for data processing carried out by the social networks on their own responsibility can be found in the data protection information of the respective social network. The following links will also provide you with further information on the respective data processing and the possibilities of objection.
We would like to point out that data protection requests can be made most efficiently to the respective provider of the social network, as only these providers have access to the data and can take appropriate measures directly.
Instagram (Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland)
Twitter (Twitter International Company, One Cumberland Place, Fenian Street, Dublin 2, D02 AX07 Ireland)
– Opt-out: https://twitter.com/personalization.
LinkedIn (LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland)
– Opt-out: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.
Xing/Kununu (XING SE, Dammtorstraße 30, 20354 Hamburg, Germany)
Glassdoor (Glassdoor, Inc., 100 Shoreline Highway, Building A, Mill Valley, California, 94941, USA)
If you participate in one of our surveys, we use your data for market and opinion research. As a matter of principle, we evaluate the data anonymously for internal purposes. If, in exceptional cases, surveys are not evaluated anonymously, the data will only be collected with your consent. In the case of anonymous surveys, the GDPR is not applicable and in the case of exceptional personal evaluations, the legal basis is the aforementioned consent pursuant to Art. 6 para. 1 sentence 1 lit. a of the GDPR.
3.11 Integration of videos
3.11.1 Integration of YouTube videos
We have embedded videos in our website that are stored on YouTube and can be played directly from our websites. YouTube is a multimedia service provided by YouTube LLC, 901 Cherry Ave., San Bruno, CA 94066, USA (“YouTube”), a subsidiary of Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (“Google”). The legal basis is Art. 6 para. 1 sentence 1 lit. f GDPR, based on our legitimate interest in the integration of video and image content.
By visiting our website, YouTube and Google receive the information that you have called up the corresponding subpage of our website. This occurs regardless of whether you are logged in to YouTube or Google or not. YouTube and Google use this data for the purposes of advertising, market research and demand-oriented design of their websites. If you visit YouTube on our website while you are logged into your YouTube or Google profile, YouTube and Google may also link this event to the respective profiles. If you do not want this assignment to take place, it is necessary for you to log out of Google before you visit our website.
You can configure your browser to reject cookies as shown above, or you can prevent the collection of data generated by cookies and related to your use of this website and the processing of this data by Google by deactivating the button “Personalised advertising on the web” in the Google settings for advertising [https://adssettings.google.com/]. In this case, Google will only display non-individualised advertising.
3.12 Job applications
You can apply to us for open positions via our applicant management system Personio of Personio GmbH, Rundfunkplatz 4, 80335 Munich. The purpose of the data collection is the selection of applicants for the possible establishment of an employment relationship. For the purpose of receiving and processing your application, we collect the following data in particular: first and last name, e-mail address, telephone number, application documents (e.g. certificates, CV, cover letter), date of earliest possible start of employment and salary expectations. The legal basis for processing your application documents is Art. 6 para. 1 sentence 1 lit. b and Art. 88 para. 1 GDPR in conjunction with Section 26 para. 1 sentence 1 BDSG.
4. Disclosure of information
A transfer of the data collected by us will only take place in principle if:
• you have given your express consent in accordance with Art. 6 para. 1 sentence 1 lit. a GDPR,
• the disclosure pursuant to Art. 6 para. 1 sentence 1 lit. f GDPR is necessary for the assertion, exercise or defence of legal claims and there is no reason to assume that you have an overriding interest worthy of protection in not disclosing your data,
• we are legally obliged to pass on the data in accordance with Art. 6 para. 1 sentence 1 lit. c GDPR or
• this is legally permissible and, according to Art. 6 para. 1 sentence 1 lit. b GDPR, is necessary for the processing of contractual relationships with you or for the implementation of pre-contractual measures which are carried out at your request.
Part of the data processing can be carried out by our service providers. In addition to the service providers mentioned in this data protection declaration, this may include in particular computer centres that store our website and databases, IT service providers that maintain our systems, and consulting companies. If we pass on data to our service providers, they may use the data exclusively for the fulfilment of their tasks. The service providers have been carefully selected and commissioned by us. They are contractually bound by our instructions, have suitable technical and organisational measures in place to protect the rights of the persons concerned and are regularly monitored by us.
In addition, data may be passed on in connection with official enquiries, court orders and legal proceedings if this is necessary for legal prosecution or enforcement.
If personal data is transferred to countries outside the European Economic Area (EEA) and no adequacy decision of the European Commission is available for this, we use standard contractual clauses of the European Commission or there are binding internal data protection regulations to ensure an adequate level of data protection, a copy of which can be requested via the above-mentioned contact details, or we rely on the exemptions of Article 49 (1) of the GDPR.
5. Storage period
As a matter of principle, we only store personal data for as long as necessary to fulfil contractual or legal obligations for which we have collected the data. Afterwards, we delete the data immediately, unless we need the data until the expiry of the statutory limitation period for evidence purposes for civil law claims or because of statutory retention obligations.
For evidence purposes, we must retain contractual data for a further three years from the end of the year in which the business relationship with you ends. Any claims shall become statute-barred after the statutory standard period of limitation at the earliest at this point in time.
Even after this period, we still have to store your data in part for accounting reasons. We are obliged to do so because of statutory documentation obligations which may arise from the German Commercial Code, the German Fiscal Code, the German Banking Act, the Money Laundering Act and the Securities Trading Act. The periods stipulated there for the retention of documents range from two to ten years.
6. Your rights
You have the right to information about the processing of your personal data by us at any time. In this context we will explain the data processing to you and provide you with an overview of the data stored about your person. If data stored by us is incorrect or no longer current, you have the right to have this data corrected. You can also request the deletion of your data. In principle, your data can only be deleted if certain conditions are met, for example if data is no longer required, if processing is not lawful or in other cases of Art. 17 GDPR. If, exceptionally, deletion is not possible due to other legal provisions, the data will be blocked – if the necessary conditions are met – so that they are only available for this legal purpose. You can also have the processing of your personal data restricted, for example if you doubt the accuracy of the data. Under certain conditions, you also have the right to data portability, i.e. that we send you a digital copy of the personal data you have provided us with on request.
In order to assert your rights described here, you can contact us at any time using the contact details given above. This also applies if you wish to receive copies of guarantees to prove an adequate level of data protection.
Your inquiries regarding the assertion of data protection rights and our answers to them will be kept for documentation purposes for a period of three years and, in individual cases, for the assertion, exercise or defence of legal claims even beyond this period. The legal basis is Art. 6 para. 1 lit. f GDPR, based on our interest in defending against any civil law claims under Art. 82 GDPR, avoiding fines under Art. 83 GDPR and fulfilling our accountability under Art. 5 GDPR.
You have the right to revoke any consent granted to us at any time. As a result, we will no longer continue to process the data based on this consent for the future. Revocation of consent does not affect the lawfulness of the processing that took place on the basis of the consent until revocation.
If we process your data on the basis of legitimate interests, you have the right to object to the processing of your data at any time for reasons arising from your particular situation. If you object to the processing of your data for direct marketing purposes, you have a general right of objection, which will be implemented by us even without giving reasons.
If you would like to exercise your right of revocation or objection, it is sufficient to send an informal message to the contact details given above.
Finally, you have the right to complain to the data protection supervisory authority responsible for us. You may exercise this right before a supervisory authority in the Member State in which you are resident, your place of work or the place of the suspected infringement or any other data protection authority. In Berlin, the seat of Ratepay GmbH, the competent supervisory authority is: Berlin Commissioner for Data Protection and Freedom of Information, Friedrichstr. 219, 10969 Berlin.
7. Data security
We maintain current technical measures to ensure data security, in particular to protect your personal data from dangers during data transfers and from third parties gaining knowledge of them. These measures are adapted to the current state of the art. To secure the personal data you provide on our website, we use Transport Layer Security (TLS), which encrypts the information you enter.