FinTechs and Data Protection After the Implementation of the GDPR

Abstract

This chapter deals with data protection regarding FinTech services and how FinTechs dealt with it after the implementation of the GDPR in May 2018. The primary source of information on how FinTechs are handling data protection is the privacy statements of the respective companies. We analyzed these privacy statements with regard to three questions: What user data are processed? To whom are these data forwarded? And, if applicable, which third parties provide further information?


Notes

  1. For example, the privacy statement of Appsichern states (originally in German, translation by the authors): “Types of data processed: inventory data (e.g., names, addresses), contact data (e.g., e-mail, telephone numbers), content data (e.g., text input, photographs, videos), usage data (e.g., websites visited, interest in content, access times), and meta/communication data (e.g., device information, IP addresses). Categories of persons concerned: visitors and users of the online service (hereinafter referred to collectively as ‘users’).”

  2. A frequently used text module in the privacy statements is “Personal data is any information relating to an identified or identifiable natural person (hereinafter ‘data subject’). A natural person shall be considered identifiable if he or she can be identified directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more specific characteristics expressing the physical, physiological, genetic, psychological, economic, cultural or social identity of that natural person” (originally in German, translation by the authors).

  3. For example, the privacy statement of Damantis states (originally in German, translation by the authors): “Article 6 I lit. a GDPR serves our company as a legal basis for processing operations in which we obtain consent for a specific processing purpose. If the processing of personal data is necessary for the performance of a contract to which the data subject is a party, as is the case, for example, with processing operations that are necessary for the delivery of goods or the provision of other services or consideration, the processing is based on Article 6 I lit. b GDPR. The same applies to such processing operations that are necessary for the implementation of pre-contractual measures, such as in cases of inquiries about our products or services. If our company is subject to a legal obligation requiring the processing of personal data, such as for the fulfillment of tax obligations, the processing is based on Article 6 I lit. c GDPR. In rare cases, the processing of personal data may become necessary to protect the vital interests of the data subject or another natural person. This would be the case, for example, if a visitor were injured in our operations and his name, age, health insurance data, or other vital information would have to be passed on to a doctor, hospital, or other third party. Then the processing would be based on Article 6 I lit. d GDPR. Ultimately, processing operations could be based on Article 6 I lit. f GDPR. Processing operations that are not covered by any of the aforementioned legal bases are based on this legal basis if the processing is necessary to safeguard a legitimate interest of our company or a third party, provided that the interests, fundamental rights, and basic principles of the data subject do not predominate. Such processing operations are permitted to us in particular because they have been specifically mentioned by the European legislator. In this respect, it took the view that a legitimate interest could be assumed if the person concerned was a customer of the person responsible (recital 47 sentence 2 GDPR).”

  4. For example, the privacy statement of auxmoney states (originally in German, translation by the authors): “In addition, auxmoney is subject to various storage and documentation obligations, including those arising from the German Commercial Code (HGB) and the German Tax Code (AO). The time limits for storage and documentation specified there are six to ten years.”

  5. For example, the privacy statement of the equity crowdfunding platform GreenVesting Solutions GmbH states (originally in German, translation by the authors): “This general data and information is stored in the log files of the server. Data processed may include (1) the browser types and versions used can be recorded, (2) the operating system used by the accessing system, (3) the website from which an accessing system accesses our website (so-called referrer), (4) the sub-sites that are accessed via an accessing system on our website, (5) the date and time of access to the website, (6) an Internet protocol address (IP address), (7) the Internet service provider of the accessing system and (8) other similar data and information used to avert dangers in the event of attacks on our information technology systems. When using this general data and information, GreenVesting Solutions GmbH does not draw any conclusions about the person concerned. This information is needed to (1) correctly deliver the content of our website, (2) optimize the content and advertising of our website, (3) ensure the long-term functionality of our information technology systems and the technology of our website, and (4) provide law enforcement authorities with the information necessary to prosecute a cyber attack.”


© 2019 Springer Nature Switzerland AG

Cite this chapter

Dorfleitner, G., Hornuf, L. (2019). FinTechs and Data Protection After the Implementation of the GDPR. In: FinTech and Data Privacy in Germany. Springer, Cham. https://doi.org/10.1007/978-3-030-31335-7_4
