Postident procedure

Data collection and storage in the context of money laundering prevention efforts

In accordance with the provisions of the Act on the Tracing of Profits from Serious Crimes (“Money Laundering Act” – hereinafter “AMLA”), the company is obligated to collect, verify and retain data on its contractual partners, the persons acting on their behalf and the contractual partner’s beneficial owner. In individual cases, the company uses a service provider for the legally required verification procedure.

Purpose, type, means and legal basis of data processing

The company is a factoring institution authorised by the German Federal Financial Supervisory Authority (BaFin) within the meaning of Section 1 (1a) Sentence 1 No. 9 German Banking Act (KWG), and is, therefore, obligated pursuant to Section 2 (1) No. 2 ALMA.

In accordance with Section 10 (1) (1) and (2) ALMA, the company is obligated to identify and verify contractual partners, persons acting on their behalf and beneficial owners. The identification of said persons in Section 10 (1) (1) and (2) AMLA is performed in accordance with Section 11 (1) AMLA by collecting the data specified in Section 11 (4) and (5) AMLA. This data must be verified by the company in accordance with Section 12 ALMA.

As an obligated party under the ALMA, the company must comply with the provisions of the GDPR. Data processed on the basis of the ALMA is subject to purpose limitation in accordance with Section 11a ALMA.

What data is collected and checked?

With regard to natural persons, the following data must be collected and verified:

  • First name and last name
  • Date of birth, place of birth, nationalities
  • Residential address or postal address
  • ID data (incl. copy, possibly also incl. video chat for video identification purposes)
  • Function within the company (e.g. authorised representative, beneficial owner, shareholder, guarantor)
  • PEP status (Politically Exposed Person) and result of sanctions list screening
  • Connections to other companies, if applicable

How is the data collected?

The data is always collected by the company’s employees. The company’s employees will make copies of the relevant documents when checking the identity documents presented on site.

The company uses three procedures (PostIdent), which are offered by Deutsche Post AG as a service provider commissioned by the company, if verification in person is not possible.

In order to fulfil the statutory verification obligation, the company sends an e-mail to the person to be verified with a link to the Deutsche Post AG Postident portal. The data subject can choose from three identification methods for verification:

  • Online ID card function: This function can be used to verify a person’s identity using an ID card with an active online ID function. Identity verification using the online ID function can be carried out via a desktop or smartphone. When checking via a desktop, you will be redirected to the AusweisApp2 of Deutsche Post AG. In the event of verification via smartphone, this is handled via the Postident app of Deutsche Post AG. The ID card is read using a card reader connected to the smartphone/tablet. When performing the verification, the data subject must enter the 6-digit PIN of the ID card, which was previously activated when the online ID card function was activated. By entering the personal 6-digit PIN, the data subject consents to the encrypted data transmission of the previously displayed information to Deutsche Post AG.
  • Postident procedure in the branch: With the Postident procedure, the verification of a person’s identity can be carried out at a local post office. First, the data subject generates a QR code, the so-called “Postident coupon”, in the Postident portal. The data subject makes their way to the nearest post office with the printed coupon (with an individual reference number for internal allocation of the ID documents) together with their ID card or passport and a registration certificate. An employee at the post office checks the data from the ID documents using an ID card reader and transfers it to the coupon. The user’s photo is then compared with the ID document, and the data is checked by the employee in the branch. The data subject must then check the data and sign the coupon. The signed coupon is confirmed by the postal employee with a signature and stamp and sent to the company.
  • Videoident procedure: If the data subject has opted for the video ID procedure in the Postident portal, they may first have to enter their personal data themselves and select an ID document. A video chat is then conducted with a Deutsche Post AG service employee via the camera of the end device used. They will guide you through the identification process, check your ID data and take photos of it. In addition to the ID data, a photo/screenshot (portrait photo) is taken of the data subject. Biometric data may be collected in the process (this is not stored). Furthermore, a complete audio-visual recording of the conversation is made. The data subject then receives an SMS-TAN, which they must enter. The data subject thereby confirms and finalises the identification process.

The data collected in the Videoident procedure, the portrait photo and the video file are made available to the company via a Deutsche Post AG portal. The video stream for video identification is provided via an SFTP server due to the file size. The data is encrypted in each case. The company must actively collect the data.

 Legal basis for data processing

The processing of data within the meaning of Art. 4 (2) GDPR in conjunction with Sections 10 (1), 11 (1), 4, 5 AMLA is performed on the legal basis of Art. 6 (1) Sentence 1 Letter c) GDPR in conjunction with Section 11a AMLA.

Duration of storage or criteria for determining this duration

The data by way of the identification procedure is stored by the company, on the one hand, and, if the identification is carried out by Deutsche Post AG as the contractor, also by the latter.

Deutsche Post AG sets its own specifications for the storage period and deletion of data. For the storage period of the data at Deutsche Post AG and the deletion periods, please refer to the Supplementary Data Protection Information – POSTIDENT – on the website of Deutsche Post AG, in particular, Clause 7) of the aforementioned information.

The company stores data collected exclusively on the basis of Section 11 (1), (4), (5) AMLA in accordance with the statutory storage period. This data must be deleted by the company after expiry of the storage period specified in Section 8 AMLA.

A corresponding deletion run is implemented in the company’s core system, and runs at the end of each year.

With regard to other data, the storage period and deletion are based on the company’s general blocking and deletion concept.

If data other than that mentioned above is stored, this is not done on the legal basis of this section. The processing of further data shall take place on the legal basis of Art. 6 (1) Sentence 1 Letter b) GDPR. The aforementioned processing is not the subject of this data protection notice.

Reference is expressly made to Art. 15 et seq. GDPR.

Objection and removal options

If the data processing is based on a contractual relationship agreed between you and us, there is no right to object to the described processing operation in accordance with Art. 21 GDPR. If your consent is the legal basis for data processing, you have the right to object to this processing at any time. In accordance with Art. 17 GDPR, you also have the right to request the erasure of your data. Furthermore, you have the right to correct your data and to receive information about the data we have stored. In order to exercise your rights as a data subject, please contact the address stated in Clause 1.

If data is processed directly by Deutsche Post AG by means of the above-mentioned Postident procedure, your above-mentioned objection and cancellation options only exist directly vis-a-vis Deutsche Post AG.