The controller of the personal data is the Website operator:
Penta Fintech GmbH
Our Data Protection Officer is Intelliant GmbH, located in Berlin, Germany. You can reach our Data Protection Officer at any time by writing to firstname.lastname@example.org.
2. Data Processing
The type, scope and purpose of the processing of personal data depends on which Penta services are used. In particular when you use our business banking solutions, we will process specific personal data required for the service.
2.1. Provision of the Website
The data subjects with regards to the provision of the Website are all Website visitors.
In order to make the Website available, to enable basic functions and trouble-free operation, it is technically necessary to process personal data. Although these are basically device data, it may be possible to link this data to the visitors. For example, the IP addresses of the used terminals, identifiers of the used terminals, the operating systems and the browser are processed solely in order to establish a connection between the terminal and the server hosting the web page and to display the contents in the intended layout.
We use the so-called web fonts for the uniform presentation of fonts. These web fonts are provided by Google Fonts, a service of Google LLC (1600 Amphitheatre Parkway Mountain View, CA 94043, USA, “Google”).
When a page is requested, the visitor’s browser loads the required web font into the visitor’s browser cache to display the texts and fonts correctly.
In order to do this, your browser must connect to the Google servers. This will notify Google that the Website was accessed via your IP address. The use of Google Fonts is in the interest of a uniform and attractive presentation of our online services.
If your browser does not support web fonts, a default font will be used instead. The legal basis for the processing is article 6.1, paragraph (f), GDPR (legitimate interest).
2.2. Security of the Website
The data subjects with regards to the security of the Website are all Website visitors.
In order to ensure the security of the Website, the data generated by accessing the Website is processed as server log files. Although these are basically device data, it may be possible to link this data to the Website visitors. These data are matched against existing attack vectors and evaluated when attacks are detected.
Data stored in the server log files includes visited websites, date and time of the access, the amount of data sent in bytes, the URL of the previously visited website, the internet browser used, and the operating system used.
The data will be deleted as soon as it is no longer necessary to achieve the purpose of its collection. For the server log files, the maximum storage period is 7 days. If data needs to be retained for evidence, it will be exempted from deletion until the incident is finally resolved.
The legal basis for the processing is article 6.1, paragraph (f), GDPR (legitimate interest).
2.3. Range Measurement & Optimization of Our Offer
The data subjects with regards to the Range Measurement and the optimization of our offer are all the visitors of our Website.
These cookies are only set once you have given us your consent. To grant your consent, we will provide you with a communication field at the beginning of the visit to the Website.
The legal basis for the processing of data using cookies is article 6.1, paragraph (a), GDPR (consent).
Any given consent can be revoked at any time with future effect in the cookie settings on our Website. The cookie settings can be found at the bottom of this page. The set cookies will be deleted.
To administer and implement your consent on our website, we use the consent management solution OneTrust. This service is provided by the OneTrust Technology Limited (Cannon Green, 27 Bush Lane, London EC4R 0AA, UK; “OneTrust”).
OneTrust enables us to collect, manage and document the consent of our visitor for data processing and the use of individual third-party services and various web technologies on the Website.
The legal basis for the processing is art. 6.1 (c) GDPR (compliance with legal obligations).
The following third-party providers are used. The following information is relevant to you only if you have given the appropriate consent:
2.3.2. Google Services
We use the services Google (Universal) Analytics, Google Analytics Remarketing, Google Ads, Google Search Ads 360, and the Google Tag Manager. These are services provided by Google LLC (1600 Amphitheatre Parkway Mountain View, CA 94043, USA, “Google”). Google is based in the third country USA, which basically lacks an EU level of protection. However, Google is certified under the EU-US Privacy Shield and thus offers an appropriate level of protection of personal data in accordance with article 45, GDPR.
2.3.2.1. Google (Universal) Analytics
On this Website, the anonymization of the IP address takes place. The IP address of the visitors is shortened. Only in certain individual cases is the full IP address transmitted to the servers in the USA and shortened there. This shortening of the IP address eliminates the personal reference to the IP address of the visitor.
In accordance with the terms of the agreement we have entered with Google, Google uses the collected data to compile an evaluation of the use of the Website and the website activity across multiple devices and sessions, and provides services related to the use of the internet.
The data collected by Google on behalf of us are used to evaluate the use of the online offer by the individual visitors, e.g. to generate activity reports on the Website in order to improve the online offer.
Thus, in case of your consent, the cookie stored in your internet browser will be completely deleted after a maximum period of 90 days.
2.3.2.2. Google Analytics Remarketing
Google Analytics Remarketing allows us to link the promotional audiences to the cross-device capabilities of Google Ads and Google Campaign Manager. In this way, interest-based, personalized advertisements that were adapted depending on the previous usage and surfing behavior on one device (e.g. mobile phone) can also be displayed on another of the visitor's devices (e.g. tablet or PC). This assumes that the visitor has given Google the appropriate consent. If this is the case, Google links the web and app browsing history to the personal Google Account for this purpose.
To support this feature, Google Analytics collects Google-authenticated IDs of the visitors that are temporarily associated with our Google Analytics data to define and create audiences for cross-device advertisement promotion.
Website visitors who have a Google account can permanently opt out of cross-device remarketing / targeting by disabling the personalized ads in the Google Account following this link: https://www.google.com/settings/ads/onweb/
2.3.2.3. Google Ads (previously AdWords) and Conversion-Tracking
This Website uses as part of Google Ads the so-called conversion tracking. When a visitor clicks on an advertisement provided by Google, a conversion tracking cookie is set on your browser. These cookies expire after 30 days and are not used for the personal identification of the visitor. If the visitor visits certain pages in this Website and the cookie has not expired yet, we may recognize that the visitor clicked on the above-mentioned advertisement and was redirected to this page.
With the help of the conversion cookies, the gathered data is used to generate conversion statistics for us as Google Ads customers. We learn the total number of visitors who have clicked on their advertisement and were thus redirected to a conversion tracking tag page. We do not receive any data that personally identifies the visitors.
You can set your internet browser so that you are informed about the cookie settings and so as to allow cookies only in individual cases and to exclude some cookies or generally exclude all cookies and set the automatic deletion of cookies when you close the internet browser. Please note that disabling cookies may limit the functionalities of the Website. The same functionality applies to the next section.
2.3.2.4. Google Search Ads 360 (previously DoubleClick Search)
Analogous to the previous section, Search Ads 360 allows Google and its partner sites to serve ads based on previous visits to our or other sites on the Internet. The data collected in this context may be transferred by Google to a server in the USA for evaluation and stored there. Unlike Google Ads, which is limited to the Google Search Network, Google Search Ads 360 allows ads and keywords to be trafficked to multiple supported search engines.
2.3.2.5. Google Tag Manager
Google Tag Manager manages Google Analytics tracking (see above). Google Tag Manager itself does not collect personally identifiable information.
2.3.3. Facebook Pixel & Facebook Remarketing
We use the Custom Audiences remarketing feature of Facebook Ireland Limited (4 Grand Canal Square, Dublin 2, Ireland, “Facebook”). Facebook is based in the third country USA, which basically lacks an EU level of protection. However, Facebook is certified under the EU-US Privacy Shield and thus offers an appropriate level of protection of personal data in accordance with article 45 GDPR.
This function is used to target visitors with a Facebook user account with interest-based advertisements in the social network Facebook.
For this purpose, the Facebook Remarketing Tag has been implemented on this Website. Through the use of this tag, a direct link to the Facebook servers is made when visiting the Website and transmits to the Facebook servers which pages of our Website were accessed by visitors. Facebook assigns this data to your Facebook user account, if there is such an account. Within Facebook, visitors of our Website who are also Facebook members are then shown personalized, interest-based Facebook advertisements.
As a visitor of our Website and Facebook user, you can disable the Custom Audiences remarketing feature using the following link: https://www.facebook.com/ads/preferences/?entry_product=ad_settings_screen
Thus, in case of your consent, the cookie stored in your internet browser will be completely deleted after a maximum period of 90 days.
2.3.4. LinkedIn Ads
We use the LinkedIn Ads feature of LinkedIn Ireland Unlimited Company (Wilton Place, Dublin 2, Ireland, “LinkedIn”). LinkedIn is based in the third country USA, which basically lacks an EU level of protection. However, LinkedIn is certified under the EU-US Privacy Shield and thus offers an appropriate level of protection of personal data in accordance with article 45 GDPR.
This function is used to target visitors with a LinkedIn user account with interest-based advertisements in the social network LinkedIn.
For this purpose, a remarketing tag has been implemented on this Website. Using this tag, a direct link to the LinkedIn servers is made when visiting the Website and transmits to the LinkedIn servers which pages of our Website were accessed by visitors. LinkedIn assigns this data to your LinkedIn user account, if there is such an account. Within LinkedIn, visitors of our Website who are also LinkedIn members are then shown personalized, interest-based LinkedIn advertisements and sponsored posts/messages.
Thus, in case of your consent, the cookie stored in your internet browser will be completely deleted after a maximum period of 90 days.
2.3.5. Post Affiliate Pro
We use the affiliate program “Post Affiliate Pro” of Quality Unit, s.r.o. (Tomanova 80/c, SK-83107 Bratislava, Slovakia, “Quality Unit”). Quality Unit sets cookies to track the origin of website interactions and services that have been generated through links from our affiliate partners. Among other things, Quality Unit can recognize that the visitor has clicked on the affiliate link on the website of our affiliate partner.
Thus, in case of your consent, the cookie stored in your internet browser will be completely deleted after a maximum period of 60 days.
We use the affiliate program of financeAds GmbH & Co. KG (Karlstraße 9, 90403, Germany; “FinanceAds“). The script enables us to pay advertising network partners a so-called lead or sale commission in the event of successful registration or subscription. The script will only be executed for users who have accessed our Websites from an affiliate partner in the FinanceAds network when the user accesses pages that are relevant for the commission. For this purpose, so-called Finance Ads parameters are stored locally in a cookie in the user’s browser and are read out script-based for billing-relevant calls to our website. The evaluation is carried out using pseudonymous data records and only for the aforementioned purposes.
We use the affiliate program AdCell of Firstlead GmbH (Rosenfelder Str. 15-16, Germany; “AdCell“). AdCell sets cookies to track the origin of website interactions and services that have been generated through links from our affiliate partners. Therefore, AdCell is able to track visitor numbers, website traffic and conversion rates based on the executed marketing actions and manage the commission in the event of successful registration or subscription.
We use the affiliate program TradeTracker of TradeTracker Deutschland GmbH (Uhlandstraße 26, 22087 Hamburg, Germany; “TradeTracker“). TradeTracker sets cookies to track the origin of website interactions and services that have been generated through links from our affiliate partners. Therefore, TradeTracker is able to track visitor numbers, website traffic and conversion rates based on the executed marketing actions and manage the commission in the event of successful registration or subscription.
We use the affiliate program Tradedoubler of Tradedoubler GmbH (Herzog-Wilhelm-Straße 26, 80331 München, Germany; “Tradedoubler“). The Tradedoubler tracking cookie does not store any personal data. Only the identification number of the affiliate, i.e. the partner referring the potential customer, as well as the order number of the visitor to a website and the advertising medium clicked on are stored. The purpose of storing this data is to process commission payments between a merchant and the affiliate, which are processed via the affiliate network, i.e. Tradedoubler.
2.4. Communication and Social Media
The data subjects with regards to the newsletter are the newsletter subscribers.
The Penta Newsletter can be subscribed to through our Website. The newsletter is a separate, free information service that can be used independently of any existing customer relationship with Penta.
The subscriber has the possibility to agree to receive via e-mail information regarding current offers or events in the form of a newsletter from us. For the newsletter service, we need the e-mail address in order to send the newsletter, as well as the name and last name to be able to address you personally and avoid abuse. After registering for the newsletter, the subscriber will receive an e-mail. This e-mail has a link with which the subscriber must confirm the registration to the newsletter service. We will send the newsletter only after the confirmation has taken place (double opt-in).
The subscriber can unsubscribe from the newsletter at any time. Each newsletter contains information to unsubscribe from the newsletter with future effects. Alternatively, the request to unsubscribe can be sent to us via e-mail at any time to email@example.com.
The legal basis for the processing is article 6.1 (a) GDPR (consent).
For the distribution, management and statistics of the newsletter we are using Mailchimp.
We use Mandrill, a service provided by The Rocket Science Group LLC d/b/a MailChimp (675 Ponce de Leon Ave. NE, Suite 5000, Atlanta, GA, 30308, USA, “MailChimp”), for the provision, administration and distribution of our newsletter. Mailchimp is based in the third country USA, which basically lacks an EU level of protection. However, Mailchimp is certified under the EU-U.S. Privacy Shield and thereby provides an appropriate level of data protection according to article 45 GDPR.
This service enables us to internally manage a database of the e-mails and telephone numbers to communicate with subscribers. The service also manages data regarding when an e-mail was read by a subscriber and when a subscriber interacted with the incoming e-mail, for example by clicking on the links included in such e-mail. This is done by using the so-called web beacons, also known as tracking pixels. Tracking pixels are small image files that allow us to evaluate user behavior.
MailChimp transmits personal data to external service providers in order to offer its services. MailChimp processes personal data in accordance with European privacy standards.
You can object to this tracking at any time by unsubscribing from the newsletter as described above. In the event that you de-activate the display of images in your e-mail program by default, the evaluation by MailChimp described above is not possible. In this case, the newsletter will not be fully displayed, and you will not be able to take advantage of all its features.
2.4.2. Social Media
The data subjects with regards to social media are website visitors, who also are in particular members of the respective social media.
For marketing purposes, we are active on social media and provide information regarding current news, events and other information which may be of interest to you. Additionally, we will inform you about news and products from our portfolio companies. If you contact the respective page or account or our company in a social network, we will process the personal data that you provide to us in order to establish or maintain contact with you in this network on the bases of our legitimate interest (article 6.1 (f) GDPR).
We do not use scripted social media plugins to share data from our Website through social media. Rather, our share buttons only contain a link to the social media (e.g. sharer.php for Facebook). As a result of this, we do not process your personal data in this context. In addition, it is ensured that your personal data such as your (possibly truncated) IP address, whole cookies or other information is only transmitted to the social media and thus possibly also to servers in the USA, if you press the relevant button. This also applies to the links to our social media pages that we have implemented on our Website. It is possible that a social media provider can link your visit to our services with your user account.
For the above-mentioned purposes, we use the following social media (you can find more information in the links to the respective privacy policies included below):
- Twitter (Twitter International Company, One Cumberland Place, Fenian Street, Dublin 2, Ireland);
- Facebook (Facebook Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland),
- LinkedIn (LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland),
- Instagram (Facebook Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland).
This Website uses the service Shareaholic of Shareaholic, Inc. (2 Center Plaza, 3rd Floor, Boston, MA 02108, USA, “Shareaholic”), to allow visitors to share content of our Website, especially our Blog. Shareaholic offers social plug-ins which allow website visitors to share website content across various social media. If a visitor shares content through Shareaholic in services they either own or are logged in to, the visit as well as the sharing can be associated with such user.
2.5. Services for registered users
The data subjects with regards to the services we offer for registered users are our customers. Between entering and completing the registration process, data subjects are considered potential customers.
Penta is a service provider for small and medium enterprises. Currently, the service portfolio focuses on the provision of banking solutions for business customers.
We process data which is required on the one hand for the provision of our services itself and on the other hand data for which statutory obligations, such as banking, commercial, tax and storage obligations exist. These are general data concerning the bank account, transaction data concerning the account management, but also personal data like names and e-mail addresses of beneficial owners, authorized representatives etc.
Further, Penta might contact existing customers occasionally, to inform about new services and to get feedback to improve existing services.
The legal bases for the services for registered users are article 6 paragraph 1 (f) GDPR (legitimate interest), article 6 paragraph 1 (b) GDPR (performance of a contract), and article 6 paragraph 1 (c) GDPR (compliance with legal obligation).
For the banking processes we use the services of solarisBank AG (Anna-Louisa-Karsch-Straße 2, 10178 Berlin, Germany, “solarisBank”).
solarisBank is a provider of banking services with a German banking license. While Penta manages your bank account and provides you with your dashboard, analyses and the connected functions, solarisBank is the bank in charge of the account. solarisBank and Penta are Joint Controllers according to art. 26 GDPR. As Penta remains the face to the customer, Penta will answer all requests of data subjects including the personal data solarisBank is processing.
2.5.1. Account registration
To register for an account with Penta, several general data are collected. Besides the legal form of your business and the country, these data include your e-mail address. To open a bank account at solarisBank, these data are transferred to solarisBank. If the legal form of your business is not yet supported by Penta,
2.5.2. Account management
Penta manages your bank account at solarisBank and provides you with a dashboard, your account overview and all functions connected to the bank account. To allow for Penta to deliver these functions, statistics, and to operate the account with transactions etc., Penta processes your transaction data like account number, references, account balance, account activity. As our customers are legal persons, most of the data are not considered personal data. However, references and transaction data, for example, may contain personal data and are treated as such.
For the account management, Penta may further process personal data like names and e-mail addresses of beneficial owners or authorized representatives. In certain cases, Penta, in its role as face to the customer, is collecting data according to statutory obligations (GWG, BGB) and transferring the data to solarisBank
2.5.3. Customer service
Customers can take advantage of our accompanying services. For this, we process the personal data stored in the context of the customer relationship.
In certain cases, our customer service is provided by our associated entity Penta Fintech DOO Beograd, Bulevar Mihajla Pupina 10L, 11070 Novi Beograd, Republic of Serbia. Therefore, personal data is being transferred to a third country outside the EU. Standard contractual clauses between EU controller and non-EU controller offer sufficient safeguards on data protection for this international transfer.
We use the service Freshdesk from Freshworks GmbH (Alte Jakobstraße 85/86, Hof 1, Haus 5, 10179 Berlin; “Freshdesk”) in order to process your requests in an efficient way. Freshdesk is a customer service platform that facilitates the processing of customer inquiries and requests via various channels. Freshdesk processes the personal information of our customers exclusively to assist us in customer care service.
2.5.4. Termination of the business relationship
When the business relationship between Penta and the customer is terminated, Penta is obliged to store your data according to statutory retention periods. When these storage requirements are fulfilled, Penta will delete your data. Data that does not fall under storage obligations will be deleted immediately.
3. Your Rights Against the Controller – Rights of data subjects
If your personal data is being processed, you are a data subject as defined by the GDPR. Consequently, you have the rights described in articles 15 to 21 GDPR in relation to the controller. In order to exercise your rights or to obtain further information on data protection regarding Penta Fintech GmbH, please contact our data protection officer by sending an e-mail to firstname.lastname@example.org.
3.1. Right of Access
In accordance with article 15 GDPR, you have the right to request confirmation from the controller as to whether your personal data is being processed. If this is the case, you also have the right to receive free information regarding all your personal data being processed by Penta and the right to receive a copy of such personal data.
Additionally, in accordance with article 19 GDPR, you have the right to request from the controller information regarding the recipients to whom your personal data has been forwarded.
3.2. Right to Rectification
In accordance with article 16 GDPR, you have the right to request the rectification of your personal data if it is either incorrect or incomplete.
3.3. Right to Erasure
If your request does not conflict with a legal obligation to retain data, you have the right to have your personal data deleted in accordance with article 17 GDPR. Your personal data stored with the controller will be deleted if such data is no longer needed for its intended purpose and is not subject to any statutory retention period. If the deletion cannot be carried out due to a legal obligation to retain such data, the processing of the personal data will be restricted, in which case the data shall be stored and not processed for any purpose. The deletion of your data implies that the services of Penta can no longer be used in full, or at all.
Penta is obliged to delete personal data immediately if the processing is not required and for any of the following reasons:
- The personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
- You have revoked your consent to processing and there is no other legal basis for processing;
- You have objected to the processing pursuant to article 21(1) GDPR and there is no overriding legitimate basis for the processing, or you have objected to the processing pursuant to article 21(2) GDPR;
- The personal data was processed unlawfully;
- The deletion of your personal data is required to fulfill a legal obligation under German or European law.
If Penta has made your personal data public and is required to delete it, we will take appropriate measures to inform our data processors who process your personal data of your request, so that, taking into account the available technology and implementation costs, they delete your personal data, links to or copies of such personal data. The measures are taken only to the extent that the processing is not required.
3.4. Right to Restriction of Processing
In accordance with article 18 GDPR, you have the right to ask the controller to limit the processing of your personal data if one of the following conditions is met:
- You have contested the accuracy of the personal data. In this case the processing is restricted for a period of time which enables the controller to verify the accuracy of your personal data;
- The processing is unlawful, and you have opposed the deletion of personal data and instead requested a restriction on the use of your personal data;
- The controller no longer needs your personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defense of a legal claim;
- You have objected to the processing under article 21 (1) GDPR and the verification of whether the legitimate grounds of the controller override those of the data subject is still pending.
If the processing of personal data has been restricted in accordance with the conditions above, the processing of such data may, with the exception of storage, only take place with your consent or for the purpose of establishing, exercising or defending rights or protecting the rights of another natural or legal person or for reasons of important public interest of the Union or a Member State.
If the processing is restricted, Penta will notify you before the restriction is lifted.
3.5. Data Portability
You have the right, in accordance with article 20 GDPR, to receive your personal data which you have made available to the controller, in a structured, common and machine-readable format.
Additionally, you have the right to transfer your personal data by yourself or through us directly to another controller, as far as this is technically possible and the rights and freedoms of third parties are not affected.
3.6. Right to Object
In accordance with article 21 GDPR, you have the right to object at any time to the processing of your personal data which is based on points (e) or (f) of article 6.1 GDPR.
If you would like a correction, blocking, deletion or information regarding your personal data we store, or if you have questions regarding the collection, processing or use of your personal data, or if you wish to revoke your consent, please contact the data protection officer by sending an e-mail to: email@example.com.
3.7. Revocation of your Consent
You have the right to revoke your consent to the processing of your personal data at any time. All you need to do is send an e-mail to firstname.lastname@example.org.
4. Submitting a Complaint to the Supervisory Authority
Finally, in accordance with article 77 GDPR, you have the right to file a complaint with the supervisory authority responsible for the controller:
Berlin Commissioner for Data Protection and Freedom of Information
Visitors: Puttkamerstrasse 16-18
10969 Berlin, Germany
Telephone: 030 13889-0
Updated: December 2019.