1. General

Personal data is processed in the operation of this Website and the use of services offered through this website (“Website”) by Penta Fintech GmbH (“Penta” or “we”). This Privacy Policy is intended to inform you, as a visitor to the Site and to users of Penta services, about the nature, scope and purpose of the collection and processing of personal data.

The terms used in this Privacy Policy (e.g. “personal data”, “processing”, “pseudonymization” or “anonymization”) are in line with the definitions included in the General Data Protection Regulation (“GDPR”).

The controller of the personal data is the Website operator:
Penta Fintech GmbH
Hardenbergstrasse 32
10623 Berlin
Germany

Our Data Protection Officer is Intelliant GmbH, located in Berlin, Germany. You can reach our Data Protection Officer at any time writing to privacy@getpenta.com.

2. Data Processing

The type, scope and purpose of the processing of personal data depends on which Penta services are used. In particular when you use our business banking solutions, we will process specific personal data required for the service.

2.1. Provision of the Website

The data subjects with regards to the provision of the Website are all Website visitors.

In order to make the Website available, to enable basic functions and trouble-free operation, it is technically necessary to process personal data. Although these are basically device data, with this data it may possible to link them to the visitors. For example, the IP addresses of the used terminals, identifiers of the used terminals, the operating systems and the browser are processed solely in order to establish a connection between the terminal and the server hosting the web page and to display the contents in the intended layout.

We use the so-called web fonts for the uniform presentation of fonts. These web fonts are provided by Google Fonts, a service of Google LLC (1600 Amphitheatre Parkway Mountain View, CA 94043, USA, “Google”).

When a page is requested, the visitor’s browser loads the required web font into the visitor’s browser cache to display the texts and fonts correctly.

In order to do this, your browser must connect to the Google servers. This will notify Google that the Website was accessed via your IP address. The use of Google Fonts is used as per our interest of a uniform and attractive display of our online services. The use of Google Fonts is in the interest of a uniform and attractive presentation of our online services.

If your browser does not support web fonts, a default font will be used instead. The legal basis for the processing is article 6.1, paragraph (f), GDPR (legitimate interest).
You can find more information regarding Google Fonts on their website and in the Privacy Policy of Google.

2.2. Security of the Website

The data subjects with regards to the security of the Website are all Website visitors.

In order to ensure the security of the Website, the data is processed by accessing the Website as server log files. Although these are basically device data, with this data may possibly be made the reference to the Website visitors. These data are matched against existing attack vectors and evaluated when detected attacks.

Data stored in the server log files includes visited websites, date and time of the access, the amount of data sent in bytes, the URL of the previously visited website, the internet browser used, and the operating system used.

The data will be deleted as soon as it is no longer necessary to achieve the purpose of its collection. For the server log files, the maximum storage period is 7 days. If data needs to be retained for evidence, it will be exempted until the incident is finally resolved.

The legal basis for the processing is article 6.1, paragraph (f), GDPR (legitimate interest).

2.3. Range Measurement & Optimization of Our Offer

The data subjects with regards to the Range Measurement and the optimization of our offer are all the visitors of our Website.

This Website uses cookies for range measurement and optimization of our offer. The cookies are transmitted either from us or from third-party servers to the visitor’s browser.

As a result, a recognition of the used device is potentially possible. The data of the visitor which is collected through the use of cookies is pseudonymized. Thus, the connection between the collected data and a data subject is no longer possible, neither for us nor for third parties. The data will not be collected together with other data of the visitor. In some cases, the data is anonymized before use, so that the connection on the visitors is altogether impossible.

These cookies are only set once you have given us your consent. To grant your consent, we will provide you with a communication field at the beginning of the visit to the Website.

The legal basis for the processing of data using cookies is article 6.1, paragraph (a), GDPR (consent).

Any given consent can be revoked at any time with future effect in the cookie settings on our Website. The cookie settings can be found In the OneTrust Preference Center on this website. The set cookies will be deleted.

2.3.1. OneTrust

To administer and implement your consent on our website, we use the consent management solution OneTrust. This service is provided by the OneTrust Technology Limited (Cannon Green, 27 Bush Lane, London EC4R 0AA, UK; “OneTrust”).

OneTrust enables us to collect, manage and document the consent of our visitor for data processing and the use of individual third-party services and various web technologies on the Website.

The legal basis for the processing is art. 6.1 (c) GDPR (compliance with legal obligations).

The following third-party providers are used. The following information is relevant to you only if you have given the appropriate consent:

2.3.2. Google Services

We use the services Google (Universal) Analytics, Google Analytics Remarketing, Google Ads, Google Search Ads 360, and the Google Tag Manager. These are services provided by Google LLC (1600 Amphitheatre Parkway Mountain View, CA 94043, USA, “Google”). Google is based in the third country USA, which basically lacks an EU level of protection. Therefore, Standard Contractual Clauses as appropriate safeguards according to Art. 46 GDPR are completed with Google.

You can find more information in the  Privacy Policy of Google.

2.3.2.1. Google (Universal) Analytics

Google Analytics uses cookies. The data collected with the cookies is usually sent to a Google server in the USA, where it is stored.

On this Website, the anonymization of the IP address takes place. The IP address of the visitors is shortened. Only in certain individual cases is the full IP addressed transmitted to the servers in the USA and shortened there. This shortening of the IP address eliminates the personal reference to the IP address of the visitor.

In accordance with the terms of the agreement we have entered with Google, Google uses the collected data to compile an evaluation of the use of the Website and the website activity across multiple devices and sessions, and provides services related to the use of the internet.

The data collected by Google on behalf of us are used to evaluate the use of the online offer by the individual visitors, e.g. to generate activity reports on the Website in order to improve the online offer.

Thus, in case of your consent, the cookie stored in your internet browser will be completely deleted after a maximum period of 90 days.

2.3.2.2. Google Analytics Remarketing

With Google Analytics Remarketing allows us to link the promotional audiences to the cross-device capabilities of Google Ads and Google Campaign Manager. In this way, interest-based, personalized advertisements that were adapted depending on the previous usage and surfing behavior on one device (e.g. mobile phone) can also be displayed on another of devices of the visitor (e.g. tablet or PC). This assumes that the visitor has given Google the appropriate consent. If this is the case, Google links the web and app browsing history to the personal Google Account for this purpose.

To support this feature, Google Analytics collects Google-authenticated IDs of the visitors that are temporarily associated with our Google Analytics data to define and create audiences for cross-device advertisement promotion.

Website visitors who have a Google account can permanently opt out of cross-device remarketing / targeting by disabling the personalized ads in the Google Account following this link: https://www.google.com/settings/ads/onweb/

2.3.2.3. Google Ads (previously AdWords) and Conversion-Tracking

This Website uses as part of Google Ads the so-called conversion tracking. When a visitor clicks on an advertisement provided by Google, a conversion tracking cookie is set on your browser. These cookies expire after 30 days and are not used for the personal identification of the visitor. If the visitor visits certain pages in this Website and the cookie has not expired yet, we may recognize that the visitor clicked on the above-mentioned advertisement and was redirected to this page.

With the help of the conversion cookies, the gathered data is used to generate conversion statistics for us as Google Ads customers. We learn the total number of visitors who have clicked on their advertisement and were thus redirected to a conversion tracking tag page. We do not receive any data that personally identifies the visitors.

You can set your internet browser so that you are informed about the cookie settings and so as to allow cookies only in individual cases and to exclude some cookies or generally exclude all cookies and set the automatic deletion of cookies when you close the internet browser. Please note that disabling cookies may limit the functionalities of the Website. The same functionality applies to the next section.

2.3.2.4. Google Search Ads 360 (previously DoubleClick Search)

Analog to the previous paragraph; using Search Ads 360 allows Google and its partner sites to serve ads based on previous visits to our or other sites on the Internet. The data collected in this context may be transferred by Google to a server in the USA for evaluation and stored there. Unlike Google Ads, which is limited to the Google Search Network, Google Search Ads 360 allows to traffic ads and keywords to multiple supported search engines.

2.3.2.5. Google Tag Manager

Google Tag Manager manages Google Analytics tracking (see above). Google Tag Manager itself does not collect personally identifiable information.

2.3.3. Facebook Pixel & Facebook Remarketing

We use the Custom Audiences remarketing feature of Facebook Ireland Limited (4 Grand Canal Square, Dublin 2, Ireland, “Facebook”). Facebook is based in the third country USA, which basically lacks an EU level of protection.

This function is used to target visitors with a Facebook user account with interest-based advertisements in the social network Facebook.

For this purpose, the Facebook Remarketing Tag has been implemented on this Website. Through the use of this tag, a direct link to the Facebook servers is made when visiting the Website and transmits to the Facebook servers which pages of our Website were accessed by visitors. Facebook assigns this data to your Facebook user account, if there is such an account. Within Facebook, visitors of our Website who are also Facebook members are then shown personalized, interest-based Facebook advertisements.

As a visitor of our Website and Facebook user, you can disable the Custom Audiences remarketing feature using the following link: https://www.facebook.com/ads/preferences/?entry_product=ad_settings_screen

You can find more information regarding the collection and use of data by Facebook, your rights in this regards and the ways to protect your privacy in the Privacy Policy of Facebook.

Thus, in case of your consent, the cookie stored in your internet browser will be completely deleted after a maximum period of 90 days.

2.3.4. LinkedIn Ads

We use the LinkedIn Ads feature of LinkedIn Ireland Unlimited Company (Wilton Place, Dublin 2, Ireland, “LinkedIn”). LinkedIn is based in the third country USA, which basically lacks an EU level of protection. However, LinkedIn is certified under the EU-US Privacy Shield and thus offers an appropriate level of protection of personal data in accordance with article 45 GDPR.

This function is used to target visitors with a LinkedIn user account with interest-based advertisements in the social network LinkedIn.

For this purpose, a remarketing tag has been implemented on this Website. Using this tag, a direct link to the LinkedIn servers is made when visiting the Website and transmits to the LinkedIn servers which pages of our Website were accessed by visitors. LinkedIn assigns this data to your LinkedIn user account, if there is such an account. Within LinkedIn, visitors of our Website who are also LinkedIn members are then shown personalized, interest-based LinkedIn advertisements and sponsored posts/messages.

Thus, in case of your consent, the cookie stored in your internet browser will be completely deleted after a maximum period of 90 days.

2.3.5. Post Affiliate Pro

We use the affiliate program “Post Affiliate Pro” of Quality Unit, s.r.o. (Tomanova 80/c, SK-83107 Bratislava, Slovakia, “Quality Unit”). Quality Unit sets cookies to track the origin of website interactions and services that have been generated through links from our affiliate partners. Among other things, Quality Unit can recognize that the visitor has clicked on the affiliate link on the website of our affiliate partner. 

You can find more information regarding the privacy and data usage by Quality Unit in the Privacy Policy of Quality Unit.

Thus, in case of your consent, the cookie stored in your internet browser will be completely deleted after a maximum period of 60 days.

2.3.6. FinanceAds

We use the affiliate program of financeAds GmbH & Co. KG (Karlstraße 9, 90403, Germany; “FinanceAds“). The script enables us to pay advertising network partners a so-called lead or sale commission in the event of successful registration or subscription. The script will only be executed for users who have accessed our Websites from an affiliate partner in the FinanceAds network when the user accesses pages that are relevant for the commission. For this purpose, so-called Finance Ads parameters are stored locally in a cookie in the user’s browser and are read out script-based for billing-relevant calls to our website. The evaluation is carried out using pseudonymous data records and only for the aforementioned purposes.

You can find more information regarding the privacy and data usage by FinanceAds in the Privacy Policy of FinanceAds.

Thus, in case of your consent, the cookie stored in your internet browser will be completely deleted after a maximum period of 90 days.

2.3.7. AdCell

We use the affiliate program AdCell of Firstlead GmbH (Rosenfelder Str. 15-16, Germany; “AdCell“). AdCell sets cookies to track the origin of website interactions and services that have been generated through links from our affiliate partners. Therefore, AdCell is able to track visitor numbers, website traffic and conversion rates based on the executed marketing actions and manage the commission in the event of successful registration or subscription. 

You can find more information regarding the privacy and data usage by AdCell in the Privacy Policy of AdCell.

Thus, in case of your consent, the cookie stored in your internet browser will be completely deleted after a maximum period of 90 days.

2.3.8. TradeTracker

We use the affiliate program TradeTracker of TradeTracker Deutschland GmbH (Uhlandstraße 26, 22087 Hamburg, Germany; “TradeTracker“). TraceTracker sets cookies to track the origin of website interactions and services that have been generated through links from our affiliate partners. Therefore, TradeTracker is able to track visitor numbers, website traffic and conversion rates based on the executed marketing actions and manage the commission in the event of successful registration or subscription. 

You can find more information regarding the privacy and data usage by TradeTracker in the Privacy Policy of TradeTracker.

Thus, in case of your consent, the cookie stored in your internet browser will be completely deleted after a maximum period of 90 days.

2.3.9. Tradedoubler

We use the affiliate program Tradedoubler of Tradedoubler GmbH (Herzog-Wilhelm-Straße 26, 80331 München, Germany; “Tradedoubler“). The Tradedoubler tracking cookie does not store any personal data. Only the identification number of the affiliate, i.e. the partner referring the potential customer, as well as the order number of the visitor to a website and the advertising medium clicked on are stored. The purpose of storing this data is to process commission payments between a merchant and the affiliate, which are processed via the affiliate network, i.e. Tradedoubler.

You can find more information regarding the privacy and data usage by Tradedoubler in the Privacy Policy of Tradedoubler.

Thus, in case of your consent, the cookie stored in your internet browser will be completely deleted after a maximum period of 90 days.

2.4. Communication and Social Media

2.4.1. Newsletter

The data subjects with regards to the newsletter are the newsletter subscribers.

The Penta Newsletter can be subscribed to through our Website. The newsletter is a separate, free information service that can be used independently of any existing customer relationship with Penta.

The subscriber has the possibility to agree to receive via e-mail information regarding current offers or events in the form of a newsletter from us. For the newsletter service, we need the e-mail address in order to send the newsletter, as well as the name and last name to be able to address you personally and avoid abuse. After registering for the newsletter, the subscriber will receive an e-mail. This e-mail has a link with which the subscriber must confirm the registration to the newsletter service. We will send the newsletter only after the conformation has taken place (double opt-in).

The subscriber can unsubscribe from the newsletter at any time. Each newsletter contains information to unsubscribe from the newsletter with future effects. Alternatively, the request to unsubscribe can be sent to us via e-mail at any time to privacy@getpenta.com.

The legal basis for the processing is article 6.1 (a) GDPR (consent).

For the distribution, management and statistics of the newsletter we are using Intercom.

2.4.1.1. MailChimp

We use Mandrill, a service provided by The Rocket Science Group LLC d/b/a MailChimp (675 Ponce de Leon Ave. NE, Suite 5000, Atlanta, GA, 30308, USA, “MailChimp”), for the provision, administration and distribution of our newsletter. Mailchimp is based in the third country USA, which basically lacks an EU level of protection. However, Mailchimp is certified under the EU-U.S. Privacy Shield and thereby provides an appropriate level of data protection according to article 45 GDPR.

This service enables us to internally manage a database of the e-mails and telephone numbers to communicate with subscribers. The service also manages data regarding when an e-mail was read by a subscriber and when a subscriber interacted with the incoming e-mail, for example by clicking on the links included in such e-mail. This is done by using the so-called web beacons, also known as tracking pixels. Tracking pixels are small image files that allow us to evaluate user behavior. 

MailChimp transmits personal data to external service providers in order to offer its services. MailChimp processes personal data in accordance with European privacy standards.

You can object to this tracking at any time by unsubscribing from the newsletter as described above. In the event that you de-activate the display of images in your e-mail program by default, the evaluation by MailChimp described above is not possible. In this case, the newsletter will not be fully displayed, and you will not be able to take advantage of all its features.

You can find more information regarding privacy in the Privacy Policy of MailChimp.

2.4.2. E-Mail- and App-Notifications

The data subjects with regards to the notifications are customers and prospective customers.

In the context of our contractual relationships, we contact our customers to provide legally required information, to inform them about new features about the services and products we are offering, present these, and to give the opportunity to voice feedback in term to improve our services.

In the case of prospective customers who showed interest in our products and services, we contact the parties to assist in the sign-up and account creation, as well as to support and remind about open steps in the registration and identification processes. The status of prospective customer is maintained for 3 months, after which the prospective customer has either completed the account creation or the incomplete registration will be deleted.

The legal basis for the processing is article 6.1 (b) GDPR (contractual relationship).

More information regarding our customers and our customer services can be found below (see section 2.5)

For the distribution, execution, management and statistics of the mailings we are using Intercom and HubSpot.

These services enable us to internally manage a database of the contact data to communicate with our customers and prospective customers. The services also manage data regarding when an e-mail was read by a recipient and when a recipient interacted with the incoming e-mail, for example by clicking on the links included in such e-mail. This is done by using the so-called web beacons, also known as tracking pixels. Tracking pixels are small image files that allow us to evaluate user behavior. 

In the event that you deactivate the display of images in your e-mail program by default, the evaluation by the services described above is not possible. In this case, the e-mails will not be fully displayed, and you will not be able to take advantage of all its features.

2.4.2.1. Intercom

We use the service Intercom from Intercom R&D Unlimited Company (2nd floor, Stephen Court, 18-21 St. Stephen’s Green, Dublin 2, Ireland, “Intercom”) in order to notify our customers. Therefore, customers can be contacted through different channels, e.g. E-Mail, in-App and chat.

You can find more information regarding privacy in the Privacy Policy of Intercom.

2.4.2.2. Hubspot

We use HubSpot, a service of HubSpot, Inc., 25 First Street, Combridge, MA 02141 USA (“HubSpot”), for the provision, administration and distribution of our e-mail messaging and for our customer relationship management. Further, HubSpot enables customers and prospective customers to book meetings for demonstrations and consultation with Penta. HubSpot is based in the third country USA, which basically lacks an EU level of protection. With Hubspot, Standard Contractual Clauses are completed as appropriate safeguards according to Art. 46 GDPR.

HubSpot transmits personal data to external service providers in order to offer its services. HubSpot processes personal data in accordance with European privacy standards.

You can find more information regarding privacy in the Privacy Policy of HubSpot.

2.4.3. Social Media

The data subjects with regards to social media are website visitors, who also are in particular members of the respective social media.

For marketing purposes, we are active on social media and provide information regarding current news, events and other information which may be of interest to you. Additionally, we will inform you about news and products from our portfolio companies. If you contact the respective page or account or our company in a social network, we will process the personal data that you provide to us in order to establish or maintain contact with you in this network on the bases of our legitimate interest (article 6.1 (f) GDPR).

We do not use scripted social media plugins to share data from our Website through social media. rather, our share buttons only contain a link to the social media (e.g. sharer.php for Facebook). As a result of this, we do not process your personal data in this context. In addition, it is ensured that your personal data such as your (possibly truncated) IP address, whole cookies or other information is only transmitted to the social media and thus possibly also to servers in the USA, if you press the relevant button. This also applies to the links to our social media pages that we have implements on our Website. It is possible that a social media provider can link your visit to our services with your user account.

We have no control over the amount and extent of the personal data which is processed by the providers of the social media if you click on a share button or clock on the respective link and access the social media page. Therefore, we can only inform you to the best of our knowledge. Once you access the social media site, the terms and conditions as well as the privacy policy of each social media provider apply. 

For the above-mentioned purposes, we use the following social media (you can find more information in the links to the respective privacy policies included below):

  • Twitter (Twitter International Company, One Cumberland Place, Fenian Street, Dublin 2, Ireland);
  • Facebook (Facebook Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland),
  • LinkedIn (LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland),
  • Instagram (Facebook Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland).

This Website uses the service Shareaholic of Shareaholic, Inc. (2 Center Plaza, 3rd Floor
Boston, MA 02108, USA, “Shareaholic”), to allow visitors to share content of our Website, especially our Blog. Shareaholic offers social plug-ins which allow website visitors to share website content across various social media. If a visitor shares content through Shareaholic in services they either own or are logged in to, the visit as well as the sharing can be associated with such user. 

2.5. Services for registered users

The data subjects with regards to the services we offer for registered users are our customers. Between entering and completing the registration process, data subjects are considered potential customers.

Penta is a service provider for small and medium enterprises. Currently, the service portfolio focuses on the provision of banking solutions for business customers.

We process data which is required on the one hand for the provision of our services itself and on the other hand data for which statutory obligations, such as banking, commercial, tax and storage obligations exist. These are general data concerning the bank account, transaction data concerning the account management, but also personal data like names and e-mail addresses of beneficial owners, authorized representatives etc.

Further, Penta might contact existing customers occasionally, to inform about new services and to get feedback to improve existing services.

The legal bases for the services for registered users are article 6 paragraph 1 (f) GDPR (legitimate interest), article 6 paragraph 1 (b) GDPR (performance of a contract), and article 6 paragraph 1 (c) GDPR (compliance with legal obligation).

For the banking processes we use the services of solarisBank AG (Anna-Louisa-Karsch-Straße 2, 10178 Berlin, Germany, “solarisBank”).

solarisBank is a provider of banking services with a German banking license. While Penta manages your bank account and provides you with your dashboard, analyses and the connected functions, solarisBank is the bank in charge of the account. solarisBank and Penta are Joint Controllers according art. 26 GDPR. As Penta remains the face to the customer, Penta will answer all requests of data subjects including the personal data solarisBank is processing. 

2.5.1. Account registration

To register for a account with Penta, several general data are collected. These data include besides the legal form of your business and the country your e-mail address. To open a bank account at solarisBank, these data are transferred to solarisBank. If the legal form of your business is not yet supported by Penta, you will be redirected to our partner Kontist – a transfer of data does not take place. 

2.5.2. Account management

Penta manages your bank account at solarisBank and provides you with a dashboard, your account overview and all functions connected to the bank account. To allow for Penta to deliver these functions, statistics, and to operate the account with transactions etc., Penta processes your transaction data like account number, references, account balance, account activity. As our customers are legal persons, most of the data are not considered personal data, for example references and transaction data may however contain personal data and are treated as such.

For the account management, Penta may further process personal data like names and e-mail addresses of beneficial owners or authorized representatives. In certain cases, Penta, in its role as face to the customer, is collecting data according to statutory obligations (GWG, BGB) and transferring the data to solarisBank.

2.5.3. Customer service

Customers and prospective customers can take advantage of our accompanying services. For this, we process the personal data stored in the context of the customer relationship and the personal data provided by the data subjects to the customer care services.

In certain cases, our customer service is provided by our associated entity Penta Fintech DOO Beograd, Bulevar Mihajla Pupina 10L, 11070 Novi Beograd, Republic of Serbia. Therefore, personal data is being transferred to a third country outside the EU. Standard contractual clauses between EU controller and non-EU controller offer sufficient safeguards on data protection for this international transfer. 

2.5.3.1. Freshdesk

We use the service Freshdesk from Freshworks GmbH (Alte Jakobstraße 85/86, Hof 1, Haus 5, 10179 Berlin; “Freshdesk”) in order to process your requests in an efficient way. Freshdesk is a customer service platform that facilitates the processing of customer inquiries and requests via various channels. Freshdesk processes the personal information of our customers exclusively to assist us in customer care service.

2.5.4. Product Loan

As a tipster, we enable our business banking customers to compare different loan offers, which can be applied for and concluded directly with the relevant credit institutions and which are provided by them. For this purpose, we process data required for the product comparison and the selection of suitable offers from partner credit institutions. 

The legal basis is Article 6 paragraph 1 (f) GDPR (legitimate interest). Penta collects the data on the basis of the mutual interest in enabling Penta customers to obtain a loan. The collected data will be stored for the duration of the customer relationship with Penta in order to optimize the service and to provide an application history for the customer.

The personal data collected by Penta to provide the settlement will not be automatically transferred to the credit institutions. The corresponding offers are therefore not individually calculated and are not binding. In order to be able to display only relevant financing offers to the Customer, a superficial, internal credit assessment is carried out on the basis of the account turnover data. No data is transmitted to third parties in the process.

Depending on the customer selection of a loan offer, either

  • Penta does not transfer the personal data to the selected partner credit institution. Via a link, the customer is directly forwarded to the website of the credit institution, where the financing can be applied for independently, and the associated data is collected directly. Or
  • the transmission of a loan request including all personal data provided for this purpose to the selected partner credit institution takes place. In addition, the partner credit institution will transmit the data directly to a credit agency for the purpose of credit assessment. The legal basis for the transmissions is Article 6 paragraph 1 (a) GDPR (consent).

The general terms and conditions and data protection declarations of the respective credit institutions apply to the conclusion and provision of financing.

2.5.5. Termination of the business relationship

When the business relationship between Penta and the customer is terminated, Penta is obliged to store your data according to statutory retention periods. When these storage requirements are fulfilled, Penta will delete your data. Data that does not fall under storage obligations will be deleted immediately.

2.6. Application Process – Careers at Penta

The data subjects with regards to the application process at Penta are all applicants and candidates.

For the recruitment process we use the services of Greenhouse Software, Inc., 18 W 18th Street, 11th Floor New York, NY 10011 (hereinafter: “Greenhouse”). Greenhouse is a webservice implemented in the Penta Website. By submitting your application through the form in the career section of the Penta website, the entered personal data and uploaded documents are transmitted to Greenhouse. Greenhouse provides the career portal, where all applicant data can be stored, administered, and deleted according to data protection and security requirements. The collection and processing of your personal data for the recruitment as well as the transmission to Greenhouse is necessary to take steps at your request prior to entering into a contract, Art. 6 Para. 1 b) GDPR. Furthermore, it is Penta’s legitimate interest to facilitate recruitment and to ensure the data privacy by encrypted processing, Art. 6 Para. 1 f) GDPR. 

We kindly ask for your understanding that due to data privacy reasons we cannot process applications received outside of Greenhouse.

2.6.1. Personal data of job applicants

If you apply for a position at Penta, we process your personal data to facilitate the entire job application procedure on the legal grounds of Art. 6 Para. 1 b) and f) GDPR. After the procedure we will delete your personal data as soon as possible, unless we have informed you that we require it for other purposes.

The following categories of personal data can be processed for the job application procedure:

  • Any personal data that you provide through our job application form including, but not limited to: Full name, email address, phone number, location, resume/CV, cover letter, picture, degree, educational data LinkedIn profile, visa information
  • Statuses, notes and planning related to your job application, and
  • Email communications.

We will store the application including the provided personal data in the recruitment process for a period of 6 months after the hiring decision for preventive reasons.

Under European data protection law, we are required to inform you that withholding personal data in your job application can give you a disadvantage in comparison to other candidates who are applying for the same role.

Further information about data protection at Greenhouse can be found in Greenhouse’s privacy policy.

Information regarding the controller of the data can be found in section 1 of this policy. Information on how to exercise the rights of data subjects can be found in section 3 of this policy.

3. Your Rights Against the Controller – Rights of data subjects

If your personal data is being processes, you are data subject as defined by the GDPR. Consequently, you have the rights described in articles 15 to 21 GDPR in relation to the controller. In order to exercise your rights or to obtain further information on data protection regarding Penta Fintech GmbH, please contact our data protection officer by sending an e-mail to privacy@getpenta.com.

3.1. Right of Access

In accordance with article 15 GDPR, you have the right to request confirmation from the controller as to whether your personal data is being processed. If this is the case, you also have the right to receive free information regarding all your personal data being processed by Penta and the right to receive a copy of such personal data.

Additionally, in accordance with article 19 GDPR, you have the right to request the controller information regarding the recipients to whom your personal data has been forwarded to.

3.2. Right to Rectification

In accordance with article 16 GDPR, you have the right to request the rectification for your personal data if it is either incorrect or incomplete.

3.3. Right to Erasure

If your request does not conflict with a legal obligation to retain data, you have the right to have your personal data deleted in accordance with article 17 GDPR. Your personal data stored with the controller will be deleted if such data is no longer needed for its intended purpose and is not subject to any statutory retention period. If the deletion cannot be carried out due to a legal obligation to retain such data, the processing of the personal data will be restricted, in which case the data shall be stored and not processed for any purpose. The deletion of your data implies that the services of Penta can no longer be used in full or not at all.

Penta is obliged to delete personal data immediately if the processing is not required and for any of the following reasons:

  • The personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
  • You have revoked your consent to processing and there is no other legal basis for processing;
  • You have objected to the processing pursuant to article 21(1) GDPR and there is no overriding legitimate basis for the processing, or you have objected to the processing pursuant to article 21(2) GDPR;
  • The personal data was processed unlawfully;
  • The deletion of your personal data is required to fulfill a legal obligation under German or European law.

If Penta has made your personal data public and is required to delete it, we will take appropriate measures to inform our data processors who process your personal data of your request, so that, taking into account the available technology and implementation costs, they delete your personal data, links to or copies of such personal data. The measures are taken only to the extent that the processing is not required.

3.4. Right to Restriction of Processing

In accordance with article 18 GDPR, you have the right to as the controller to limit the processing of your personal data is one of the following conditions is met:

  • You have contested the accuracy of the personal data. In this case the processing is restricted for a period of time which enables the controller to verify the accuracy of your personal data;
  • The processing is unlawful, and you have opposed to the deletion of personal data and instead requested a restriction on the use of your personal data;
  • The controller no longer needs your personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defense of a legal claim;
  • You have objected to the processing under article 21 (1) GDPR and the verification of whether the legitimate basis of the controller override those of the data subject are still pending.

If the processing of personal data has been restricted in accordance with the conditions above, the processing of such data may only take place- with the exception of storage – with your consent or for the purpose of establishing, exercising or defending rights or protecting the rights of another natural or legal person or for reasons of important public interest of the Union or a Member State.

If the processing is restricted, Penta will notify you before the restriction is lifted.

3.5. Data Portability

You have the right, in accordance with article 20 GDPR, to receive your personal data which you have made available to the controller, in a structured, common and machine-readable format.

Additionally, you have the right to transfer your personal data by yourself or through us directly to another controller, as far as this is technically possible and the rights and freedoms of third parties are not affected.

3.6. Right to Object

In accordance with article 21 GDPR, you have the right to object at any time to the processing of your personal data which is based on points (e) or (f) of article 6.1 GDPR.

If you would like a correction, blocking, deletion or information regarding your personal data we store, or if you have questions regarding the collection, processing or use of your personal data, or if you wish to revoke your consent, please contact the data protection officer by sending an e-mail to: privacy@getpenta.com.

3.7. Revocation of your Consent

You have the right to revoke your consent to the processing of your personal data at any time. All you need to do is send an e-mail to privacy@getpenta.com.

4. Submitting a Complaint to the Supervisory Authority

Finally, in accordance with article 77 GDPR, you have the right to file a complaint with the supervisory authority responsible for the controller:

Berlin Commissioner for Data Protection and Freedom of Information
Friedrichstrasse 219
Visitors: Puttkamerstrasse 16-18
10969n Berlin, Germany
Telephone: 030 13889-0
E-mail: mailbox@datenschutz-berlin.de
Internet: www.datenschutz-berlin.de

5. Changes to this Privacy Policy

We reserve the right to make changes to this Privacy Policy from time to time, to the extent permitted by applicable law. 

Updated: August 2020.