New EU Payments Directive as of 14th September 2019 – Change in Sofortüberweisung under the Second EU Payment Services Directive (PSD2).
In the course of the new EU PSD2 Directive we will change the process of Sofortüberweisung in order to make it even safer and more secure. In doing so, Sofortüberweisung will implement a second step of authentication, the so-called second factor, which can be different depending on the main bank. Learn more here.
The purpose of the Sofort GmbH privacy statement is to provide you with information on the personal data that we collect, process and use, on the rights you have against Sofort, and on how you can exercise those rights when you use our “Sofort” service.
I. Responsible Entity
The responsible entity according to GDPR for processing personal data when you use this website or the Sofort payment services is Sofort GmbH, Theresienhöhe 12, 80339 München, Germany, part of the Klarna Group. You will find more detailed information in the imprint.
II. What is Sofort?
When you make a transaction using the Sofort service, you request that we automatically check whether or not your account covers the amount to be transferred (verification of sufficient funds), and whether any Sofort transactions you issued from your account in the last 30 days, if applicable, were successful, and if the answer is in the affirmative, to forward the transfer order you have approved to your bank by way of electronic transfer, and to inform the payee you have selected (merchant) of the successful placement of the transfer.
This ensures that the merchant knows in real time that your online transfer has been placed and will be executed; the merchant does not have access to any data regarding your creditworthiness and is not able to store such data. As a result of our service, your merchant can provide the service immediately.
III. What do we check and what personal data do we collect?
Depending on how your bank operates online accounts, different verification steps will apply:
Some banks only accept transfer orders if the relevant account has sufficient funds available. In that case, we will not check ourselves whether the account has sufficient funds available. In all other cases, we will check whether the sum of the bank balance on the one hand and the overdraft limit on the other hand covers the amount to be transferred. Any amounts which are yet to be debited to the account (e.g. pending transfers) will be deducted from the account balance.
In the case of transfers with an increased risk of misuse, we will additionally check whether any Sofort transactions you issued from your account in the last 30 days, if applicable, were successful. If and insofar as such Sofort transactions are recorded in our system, we will check the transaction data regarding your account to see if the transactions in question were in fact completed (e.g. match amount and reason).
The data necessary for such checks are processed online. In some cases, we are able to carry out these checks using specific software interfaces provided by your bank (e.g. in accordance with the HBCI Standard for Electronic Banking). Alternatively, our system will automatically call up the data via the user interface of your online banking service, much in the same way as if you logged on yourself. If you use the online banking facility to manage multiple accounts, our software, after you log on, will display the current accounts available for selection. We will not use or store any information on non-selected accounts, in particular, the account number and the respective balance of such accounts.
IV. What personal data do we pass on, when do we pass it on and to whom?
In order to process your transfer order we will provide your bank – following a positive check – with the information identified on the transfer form. We will not store user credentials (confidential log in details such as personal identification number or confirmation codes such as transaction authentication number); instead, these data will be provided to your bank using an encrypted connection that complies with the relevant banking standards.
We will confirm the successful placement of the transfer order to the merchant. The confirmation will only comprise the information on the transfer form itself (name, account number, sort code, reason for payment and the amount transferred) as well as the date (including time) and the transaction ID (e.g. order number) chosen by the merchant. In case of SEPA credit transfers and, depending on your bank, in case BIC code and IBAN code are necessary to place the transfer order in your online-banking-account, the confirmation to the online provider also contains BIC code and IBAN code. As such, the information given to the merchant will be limited to what is already available to the merchant on its bank statements. No personal data beyond that are provided to the merchant. In the event that the transfer should not be completed, we will not notify the merchant of the cause of the non-completion and the merchant will be unable to identify its cause. In that case (following an error notification) you will be redirected to the payments page, where you will be able to decide whether you would like to use a different payment method accepted by the merchant.
V. What personal data do we store and for how long?
For the purpose of settling accounts with the merchant and to comply with statutory obligations as to data storage, we will store the name, account number, sort code, reason for payment, date and amount transferred for the legally required time period. The legally required time ranges from three up to ten years. In case of SEPA credit transfers and, depending on your bank, in case BIC code and IBAN code are necessary to place the transfer order in your online-banking-account, we also store BIC code and IBAN code for the legally required time period. In addition, we will, for a period of 30 days, use such data in the case of future Sofort transactions for the above-mentioned check of previous Sofort transactions.
The data which we will use to check whether the account has sufficient funds and to check previous Sofort transactions will only be used for the purpose of the real-time verification set out above. We will not store any personal data beyond that, in particular, no account balance, transaction data, overdraft limits, account lists, online banking login passwords (such as personal identification number) or confirmation codes such as transaction authentication number.
VI. What happens if a transfer fails?
If we become aware that despite our positive check a Sofort transaction has not been received by the payee (for example, because a merchant subsequently informs us of such a case), we will inform the affected customer prior to his/her next use of Sofort. Until the matter is clarified, we will not process any further orders made by that customer and/or made via his/her online banking facility.
VII. Which data do we collect, process, and store if you request a transaction confirmation by email (optional service)?
On the confirmation page for a Sofort transaction, you have the possibility – if applicable – to request a transaction confirmation from us by email, which requires your email address. We will only use this email address to send the transaction confirmation for the Sofort transaction once, not for future transactions. Your email address will not be passed on to third parties and not be used for advertising purposes.
The transaction confirmation includes the following data: name of recipient account holder, name of sender bank, date of credit transfer, amount, reason and transaction ID.
We shall save and use the email with the transaction confirmation (including your email address) for the purpose of fulfilling the legal retention periods.
VIII. Legal basis for processing your data
The legal basis of each processing activity which Sofort performs is shown in this list.
| Reason of Processing | Legal Base | Explanation | Processing activity |
|---|---|---|---|
| Performance of Contract | Art. 6 par. 1 b) | Processing is necessary for the performance of a contract to which Sofort and you are parties or in order to take steps at the request of the data subject prior to entering into a contract | |
| Consent | Art. 6 par. 1 a) | You have given consent to the processing of your personal data for one or more specific purposes | |
| Compliance with legal obligation | Art. 6 par. 1 c) | Processing is necessary for compliance with a legal obligation to which the controller is subject | |
IX. Which cookies and tokens do we use?
Cookies are small text files placed on your computer or mobile device in order to make visits to our website more user-friendly. We will display a consent banner in which you can give your explicit consent to the use of cookies. The consent is not coupled to the use of Sofort’s services. You have the right to withdraw your consent at any time with effect for the future by preventing cookies from being saved in your browser, limiting them to specific websites, setting your browser in such a way that it informs you as soon as a cookie is to be saved, or managing cookies via the app “settings” of your mobile device. You can also delete cookies subsequently from your computer or mobile device. For Sofort transactions carried out in apps on your mobile device, i.e. for which our payment form is opened in the app of the merchant (in-app payments), you can allow or refuse to save cookies under the menu item “Deactivate/activate local app storage”, depending on how the app has been integrated by the merchant.
In our payment form we use the following cookies:
A select language – cookie which stores the user’s preferred language so that it will already be preselected when you visit our payment form next time. The select language – cookie has a service life of 13 months.
A select bank – cookie which stores the sending country and bank interface (by means of the bank sort code and the login method (e.g. www or HBCI)) you last selected. With the help of this cookie, you can be forwarded directly to the login area within our secure payment form when using our Sofort service the next time without having to select country and bank again. The select bank – cookie has a service life of 13 months.
A prefill cookie which, if you requested a transaction confirmation by email from us, stores the email address entered for this purpose. This cookie allows the entry field for the email address to be prefilled for future Sofort transactions for which you request a transaction confirmation, so that you do not have to enter your email address again. The prefill cookie has a lifetime of 13 months.
The lifetime of the above-mentioned cookie is extended accordingly when the consent is given again or the transaction confirmation is requested again.
You can prevent cookies from being saved in your browser, limit them to specific websites, set your browser in such a way that it informs you as soon as a cookie is to be saved, or manage cookies via the app “settings” of your mobile device. You can also delete cookies subsequently from your computer or mobile device. For Sofort transactions carried out in apps on your mobile device, i.e. for which our payment form is opened in the app of the merchant (in-app payments), you can allow or refuse to save cookies under the menu item “Deactivate/activate local app storage”, depending on how the app has been integrated by the merchant.
For in-app payments, we additionally use a token apart from the cookies, depending on how the app has been integrated by the merchant. A token is a random, unreproducible sequence of numbers which is saved to the local app storage on your mobile device. A data record on the token will be stored on our server containing the sender country and bank interface selected last (by means of sort code and login method (e.g. www or HBCI)). When you re-use the app of the merchant using the “Sofort” service, this data record can be read as a parameter by means of the token, allowing you to be redirected directly to the login area within our secure payment form. You do not have to select the country and bank again. The data record will be deleted after 13 months.
The lifetime of the above-mentioned data record is extended accordingly when the payment form is used again.
You can go to the menu item “Deactivate/activate local app storage” to allow or refuse to store tokens.
All cookies and tokens are only visible to our server, not to third party websites you may visit later.
X. Your rights
Right of access: You have the right to obtain from us confirmation as to whether or not personal data concerning you are being processed, and, where that is the case, access to the personal data.
Right to rectification: You have the right to obtain from us without undue delay the rectification of inaccurate personal data concerning you.
Right to data portability: You have the right to receive the personal data concerning you, which you have provided to a controller, in a structured, commonly used and machine-readable format.
Right to erasure: You have the right to obtain from the controller the erasure of personal data concerning you without undue delay and the controller shall have the obligation to erase personal data without undue delay if there is no legally required obligation of storage.
Right to object: You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
Right to complain: You always have the right to lodge a complaint about us with the competent privacy authority.
XI. Who can provide further assistance?
Should you have any questions about data protection in the context of Sofort transactions, or wish to exercise your rights, please contact our privacy team at firstname.lastname@example.org or our data privacy officer (Mr. Andreas Schmidt, LL.M.) by writing a letter with the addition “personally to the data privacy officer”.
Version 2.0. en, May 2018