Klarna Bank AB logo

v1.0.0

Published on April 7, 2022
Download as PDF

SOFORT UK’s privacy notice1. What is SOFORT UK's Payment Initiation Service?2. Who is responsible for your personal data?3. Your data protection rights as a data subject 4. What kind of personal data do we collect?5. What personal data are used for what purposes and with which legal basis?5.1 - Purposes for which your personal data is always used, regardless of the service you use.7. SOFORT UK’s profiling and automated decisions that significantly affect you.8. Whom do we share your personal data with?9. When can we transfer your personal data outside of the EU/UK, and how do we protect it then?10. How long we store your personal data11. How we use cookies and other types of tracking technology

It is important to us that you feel safe when you initiate your payment with SOFORT UK or use any of our other services. Therefore, we are providing all the information about how we use your personal data in this privacy notice.

In order for you to easily find the sections that interest you, we have divided the notice into a number of headings. To go directly to a section, just click on the heading in question in the list below.

  1. Who is responsible for your personal data?

  2. Your data protection rights as a data subject

  3. What kind of personal data do we collect?

  4. What personal data are used for what purposes and with which legal basis?

  5. How do you revoke your consent?

  6. SOFORT UK’s profiling and automated decisions

  7. Who do we share your personal data with?

  8. When can we transfer your personal data outside of the EU, and how do we protect it then?

  9. How long we store your personal data

  10. How we use cookies and other types of tracking technology

  11. Updates to this privacy notice

  12. SOFORT UK contact information

  • whether or not your account covers the amount to be transferred (verification of sufficient funds), and

  • whether any SOFORT transactions you issued from your account in the last 30 days, if applicable, were successful.

If the answer is in the affirmative,

  • we forward the transfer order you have approved to your bank by way of electronic transfer, and

  • inform the designated payee (hereinafter: "merchant") of the successful placement of the transfer.

This ensures that the merchant knows in real-time that your online transfer has been placed successfully and will most likely be executed; the merchant does not have access to any data regarding your creditworthiness, nor do we store such data. As a result of our service, the merchant can provide its service immediately.

Your rights

  • Right to have personal data deleted (“Right to be forgotten”).

    In some cases, you have the right to have us delete personal data about you. For example you can request us to delete such personal data that we (i) no longer need for the purpose it was collected for, or (ii) that we process based on your consent and you revoke your consent. There are situations where SOFORT UK is unable to delete your data, for example, when the data is still necessary to process for the purpose for which the data was collected, SOFORT UK’s interest to process the data overrides your interest in having them deleted, or because we have a legal obligation to keep it. You can read more about our legal obligations to keep data in section 5 and 10 in this Privacy Notice. The laws described there prevent us from immediately deleting certain data. You also have the right to object to us using your personal data for certain purposes such as direct marketing, which you can read more about in this list of your rights.

  • Right to be informed.

    You have the right to be informed of how we process your personal data. We do this through this privacy notice, by service-specific FAQs, and by answering your questions.

  • Right to receive access to your personal data (“Subject access”).

    You have the right to know if SOFORT UK processes personal data about you, and to receive a copy (“data extract”) of such data, so-called subject access. Through the data extract you will receive information about what personal data SOFORT UK holds about you and how we process it.


  • Right to access, and request a transfer, of your personal data to another recipient (“Data portability”). 


This right means that you can request a copy of the personal data relating to you that SOFORT UK holds for the performance of a contract with you, or based on your consent, in a machine-readable format. This will allow you to use this data somewhere else, for example to transfer your personal data to another controller/recipient.


  • Right to rectification.

You have the right to request that we rectify inaccurate information or complete information about you that you consider is inaccurate or incomplete.

  • Right to restrict processing.

If you believe that your personal data is inaccurate, that our processing is unlawful or that we do not need the information for a specific purpose, you have the right to request that we restrict the processing of such personal data. You also have the possibility to request that we stop processing your personal data while we assess your request. If you object to our processing per your right described directly below, you may also request us to restrict processing of that personal data while we make our assessment.

  • Right to object against our processing of your personal data.

You have the right to object to processing of your personal data which is based on our legitimate interest (Article 6(1)(f) UK GDPR), by referencing your personal circumstances. You can also always object to our use of your personal data for direct marketing purposes. When you let us know that you no longer wish to receive direct marketing from us, we will turn off marketing for you, and stop sending it to you.

  • Right to object to an automated decision that significantly affects you.

    You have the right to object to an automated decision made by SOFORT UK if the decision produces legal effects or significantly affects you in a similar way. See section 7 on how SOFORT UK makes use of automated decisions.


  • Right to withdraw one’s consent. 


As described in section 6 below, where we process your personal data based on your consent or explicit consent, you have the right to revoke that consent at any time. When you revoke your consent we will stop processing your data for such purposes.


  • Right to lodge a complaint


If you have complaints about SOFORT UK ’s processing of your personal data, you may lodge a complaint with your supervisory data protection authority, (the Information Commissioner), which can be reached using this link: https://ico.org.uk/


  • Contact and identification data - First Name, Last Name, e-mail address 


  • Payment information - IBAN or bank account number and current account balance


  • Technical information generated through your use of SOFORT UK’s services - Technical data such as response time for web pages, download errors and date and time when you used the service. 


  • Information about your contacts with SOFORT UK’s customer service - Recorded phone calls, chat conversations and email correspondence.


  • Device information - IP address, language settings, browser settings, time zone, operating system, platform, screen resolution and similar information about your device settings. 



Some banks only accept transfer orders if the relevant account has sufficient funds available. In that case, we will not check ourselves whether the account has sufficient funds available. In all other cases, we will check whether the sum of the bank balance on the one hand and the overdraft limit on the other hand covers the amount to be transferred. Any amounts which are yet to be debited to the account (e.g. pending transfers) will be deducted from the account balance.


In the case of transfers with an increased risk of misuse, we will additionally check whether any SOFORT UK transactions you issued from your account in the last 30 days, if applicable, were successful. If and insofar as such SOFORT UK transactions are recorded in our system, we will check the transaction data regarding your account to see if the transactions in question were in fact completed (e.g. match amount and reason).


In addition, we can collect and store your User-ID allocated to your online-banking access (e.g. user number, contract number) in a shortened version as a so-called hash value. This also has the purpose of reducing the risk of misuse.


The data necessary for such checks are processed online. In some cases, we are able to carry out these checks using specific software interfaces provided by your bank (e.g. in accordance with the HBCI Standard for Electronic Banking). Alternatively, our system will automatically call up the data via the user interface of your online banking service, much in the same way as if you logged on yourself. If you use the online banking facility to manage multiple accounts, our software, after you log on, will display the current accounts available for selection. We will not use or store any information on non-selected accounts, in particular, the account number and the respective balance of such accounts.

In the tables below you can read about,

  1. what we will use your personal data for (the purpose),

  2. which types of personal data we use for that purpose, and if the personal data comes directly from you or from another source. In the cases where we have received personal data about you from another source, we provide the name of that source in brackets,

  3. what legal rights we have under current data protection legislation, such as the UK GDPR, to process the data about you, referred to as our “legal basis”, and

  4. when SOFORT UK stops using the personal data for each purpose. 

Purpose of the processing - what we do and why.

Type of personal data used for the purpose, and where they come from (the source). See section 4 to read more about the different types of personal data.

Legal basis for processing according to the UK GDPR.

When the purpose of using the personal data ends. See section 10 for when SOFORT UK deletes the data.

To manage our customer relationship with you in accordance with our agreements, for each service you use. This includes creating and sending information to you in electronic format (not marketing).

From you:

  • Contact and identification data.

  • Payment information.

  • Sensitive personal data. 

The processing is necessary for SOFORT UK to perform a contract with you (Article 6(1)(b) GDPR). 




When the requested transaction has been initiated. 

To ensure network and information security in SOFORT UK’s services.


From you:

  • Contact and identification data.


From other sources:

  • Information about your use of SOFORT UK’s services. (SOFORT UK)

  • Technical information generated through your use of SOFORT UK’s services. (SOFORT UK)

  • Device Information. (Your device)

The processing is based on a balancing of interests (Article 6(1)(f) GDPR). When balancing interests, SOFORT UK has determined that we have a legitimate interest in being able to ensure network and information security, that the processing is necessary to realise that purpose, and that our interest outweighs your right not to have your data processed for this purpose. It is also in your interest as a customer that we ensure good information security.


You may contact us for more information about how the determination was made. See section 12 for our contact information.

This processing lasts for as long as you are using a service.

To be able to help you as a vulnerable customer (i.e. if you need extra support when contacting us due to particular circumstances). This means that we can offer you special support, for example, when you contact customer service.

From you:

  • Contact and identification data.

  • Sensitive personal data (in the form of information on your health). 

Based on your consent (Article 6(1)(a) and Article 9(2)(a) GDPR).

When you notify us that you are no longer a vulnerable customer or withdraw your consent. 

To be able to perform risk analyses, prevent fraud, and carry out risk management.


We perform the processing counter criminal activities. 


From you:

  • Contact and identification data. 

  • Payment information.


From other sources:


  • Information about your use of SOFORT UK’s services. (SOFORT UK)

  • Technical information generated through your use of SOFORT UK’s services. (SOFORT UK)

  • Device information. (Your device)

The processing is necessary for SOFORT UK to be able to execute and perform a contract with you (Article 6(1)(b) GDPR). 


We are also required by law to conduct anti money laundering monitoring.



This processing will take place while you use any SOFORT UK service.


If SOFORT UK has identified a risk in how you use SOFORT UK, we will continue to use your information for this purpose and continuously update our risk assessment if there is a risk of fraud. This processing lasts as long as we are required by law to keep your information. See section 9 for more information on our obligations and right to retain information according to law.


To anonymise your personal data in order to improve our services and products and to analyse customer behaviour.


From you:

  • Contact and identification data.

  • Payment information.


From other sources:

  • Information about your use of SOFORT UK’s services. (SOFORT UK)

  • Technical information generated through your use of SOFORT UK’s services. (SOFORT UK)

  • Device information. (Your device) 

The processing is based on a balancing of interests (Article 6(1)(f) GDPR). When balancing interests, SOFORT UK has determined that we have a legitimate interest in anonymising your personal data for product development purposes and in analysing customer behaviour in order to improve the service and customer experience. We ensure that the particular processing this entails is necessary to achieve the purpose in question, and that our interest outweighs your right not to have your data processed for this purpose. By anonymising information concerning you, we also ensure that we use personal data to the lesser extent possible.

This processing takes place for the entire period during which SOFORT UK must retain the information in its systems, for example to perform the contract executed with you or to comply with applicable law. See section 9 for more information on our obligations and right to retain information according to law.

To produce statistics and reports for economic analyses or analyses of payment trends or payment volumes in certain regions or industries (if possible, we first anonymise the data, which means that no personal data processing takes place thereafter).


From you:

  • Contact and identification data.

  • Payment information.


From other sources:

  • Information about your use of SOFORT UK’s services. (SOFORT UK)

The processing is based on a balancing of interests (Article 6(1)(f) GDPR). When balancing interests, SOFORT UK has determined that we have a legitimate interest in obtaining statistical data and reports for this purpose. We ensure that the processing this entails is necessary to achieve the purpose of the processing, and that our interest outweighs your right not to have your data processed for this purpose. 

This processing takes place for the entire period during which SOFORT UK must retain the information in its systems, for example, to perform the contract executed with you or to comply with applicable law. See section 9 for more information on our obligations and right to retain information according to law.

To check and verify your identity.


From you:

  • Contact and identification data. 

The processing is necessary for SOFORT UK to perform a contract with you (Article 6(1)(b) GDPR).

As long as you use one of SOFORT UK’s services.

To protect SOFORT UK from legal claims and safeguard SOFORT UK’s legal rights.

From you:

  • Contact and identification data.

  • Payment information.


From other sources:

  • Information about your use of SOFORT UK’s services. (SOFORT UK)

  • Technical information generated through your use of SOFORT UK’s services. (SOFORT UK)

  • Device information. (Your device) 


In the event of a dispute, SOFORT UK may also collect other types of personal data concerning you if we need them to exercise our rights. 

The processing is based on a balancing of interests (Article 6(1)(f) GDPR). When balancing interests, SOFORT UK has determined that we have a legitimate interest in being able to protect ourselves from legal claims. We ensure that the processing this entails is necessary to achieve the purpose of the processing, and that our interest outweighs your right not to have your data processed for this purpose.

This processing takes place for the entire period during which SOFORT UK must retain the information in its systems, for example to perform the contract executed with you or to comply with applicable law. See section 9 for more information on our obligations and right to retain information according to law.


5.2 SOFORT UK’s processing when you contact SOFORT UK’s customer service.


Purpose of the processing - What we do and why.

Type of personal data used for the purpose, and where they come from (the source). See section 3 to read more about the different types of personal data.

Legal basis for processing in accordance with the GDPR.

When the purpose of using the personal data ends. See section 9 for when SOFORT UK deletes the data.

To handle all matters that come to SOFORT UK’s customer service.

This includes retaining various forms of written conversations to document customer issues, as well as for security purposes and to counter fraud. 

From you:

  • Information about your contacts with SOFORT UK’s customer service.


Performance of contracts (Article 6(1)(b) GDPR).

Up to ten years, based on the statute of limitations. See section 10 for more information on our obligations and right to retain information according to law.

 

Quality and service improvement (to ensure satisfactory customer service). We may record telephone conversations between you and our employees for quality purposes in order to deliver better products and services to you.

From you:

  • Information about your contacts with SOFORT UK’s customer service. 


From other sources:

  • Information about your contacts with SOFORT UK’s customer service. (SOFORT UK)

The processing is based on a balancing of interests (Article 6(1)(f) UK GDPR). When balancing interests, SOFORT UK has determined that we have a legitimate interest in improving our services, our internal training and quality control. We ensure that the particular processing this involves is necessary to achieve that purpose, and that our interest outweighs your right not to have your data processed for this purpose. As a customer, you also have an interest in the quality of your interactions with SOFORT UK.

We process the recordings of telephone conversations for up to 90 days for quality assurance purposes.


Documenting what has been said when talking to our customer service (to ensure we have documented what has been agreed or discussed). We use recorded telephone conversations between you and our employees as well as our employees’ notations to document what has been said.

From you:

  • Information about your contacts with SOFORT UK’s customer service. 


From other sources:

  • Information about your contacts with SOFORT UK’s customer service. (SOFORT UK)

The processing is based on a balancing of interests (Article 6(1)(f) UK GDPR). When balancing interests, SOFORT UK has determined that we have a legitimate interest to document communications with SOFORT UK’s customer service. We ensure that the particular processing this entails is necessary to achieve that purpose, and that our interest outweighs your right not to have your data processed for this purpose. As a customer, you also have an interest in ensuring impartial means of documenting what has been discussed.



We process the recordings of telephone conversations for up to three years and the phone call notations up to six years, in order to document what has been discussed and decided on the call.



6. How do you withdraw your consent?

When SOFORT UK uses your personal data based on your consent, you can withdraw your consent at any time. You can do this by sending an e-mail to dataskydd@SOFORT UK.se .


You can also end the service where personal data is processed. We will then delete the information. If you withdraw your consent or delete the uploaded information, you may be unable to use the service in cases where SOFORT UK’s processing of personal data takes place based on your consent. 


Lastly: As described in section 3 above you also have the right to object against certain personal data processing (for example you may turn off marketing). You also have a right to have certain personal data erased, which is also described in section 3. 

7.1 SOFORT UK’s profiling of you as a customer.

“Profiling” means an automated processing of personal data to evaluate your usage of SOFORT UK’s service. SOFORT UK conducts no profiling.




When we share your personal data, we ensure that the recipient processes it in accordance with this notice, such as by entering into data transfer agreements or data processor agreements with the recipients. Those agreements include all reasonable contractual, legal, technical and organisational measures to ensure that your information is processed with an adequate level of protection and in accordance with applicable law. 

8.1 Categories of recipients with whom SOFORT UK will always share your personal information, regardless of the service you use.


8.1.1 Suppliers and subcontractors. 

Description of the recipient: Suppliers and subcontractors are companies that only have the right to process the personal data they receive from SOFORT UK on behalf of SOFORT UK, i.e. data processors. Examples of such suppliers and subcontractors are software and data storage providers, payment service providers and business consultants.


Purpose and legal basis: SOFORT UK needs access to services and functionality from other companies where it cannot perform them itself. SOFORT UK has a legitimate interest in being able to access these services and functionality (Article 6(1)(f) GDPR). We ensure that the processing this entails is necessary to pursue that interest, and that our interest outweighs your right not to have your information processed for this purpose. You are entitled to object to this processing, for reasons connected to the circumstances in your particular case. See section 3 for more information about your rights.

8.1.2 Klarna Group. 

Description of the recipient: Companies in the Klarna Group.


Purpose and legal basis: This is required for SOFORT UK to be able to provide you with services and functionality. SOFORT UK has a legitimate interest in being able to access these services and functionality (Article 6(1)(f) GDPR). We ensure that the processing this entails is necessary to pursue that interest, and that our interest outweighs your right not to have your information processed for this purpose. You are entitled to object to this processing, for reasons connected to the circumstances in your particular case. See section 3 for more information about your rights. Data will only be shared with companies in the Klarna Group that are located in the EU/EEA and pursuant to contracts compliant with the UK GDPR and GDPR.


8.1.3 A person who holds a power of attorney for your financial affairs. 

Description of the recipient: SOFORT UK may share your personal information with a person who has the right to access it under a power of attorney. 


Purpose and legal basis: This processing is carried out to facilitate your contact with us (through agents), and takes place based on your consent (Article 6(1)(a) GDPR).


8.1.4 Authorities. 

Description of the recipient: SOFORT UK may provide necessary information to authorities such as the police, financial authorities, tax authorities or other authorities and courts of law. 


Purpose and legal basis: Personal data is shared with the authority when we are required by law to do so, or in some cases if you have asked us to do so, or if required to manage tax deductions or counter crime. An example of a legal obligation to provide information is when it is necessary to take measures against money laundering and terrorist financing. [] The legal bases are the obligation to comply with the law (Article 6(1)(c) GDPR) or SOFORT UK’s legitimate interest in protecting itself from crime (Article 6(1)(f) GDPR).


8.1.5 Divestment of business or assets.

Description of the recipient: In the event that SOFORT UK sells its business or assets, SOFORT UK may hand over your personal information to a potential buyer of such business or assets. If SOFORT UK or a significant part of SOFORT UK’s assets is acquired by a third party, personal information about SOFORT UK’s customers may also be shared.


Purpose and legal basis: SOFORT UK has a legitimate interest in being able to perform these transactions (Article 6(1)(f) GDPR). We ensure that the processing this entails is necessary to pursue that interest, and that our interest outweighs your right not to have your information processed for this purpose. You are entitled to object to this processing, for reasons connected to the circumstances in your particular case. See section 3 for more information about your rights.


8.2 Categories of recipients with whom SOFORT UK shares your personal information when you use SOFORT UK

8.2.1 Stores.

Description of the recipient: By stores we mean the stores you visit or shop at (which may include the store’s group companies if you have been informed thereof by the store).


Purpose and legal basis: In order for the store to be able to perform and manage your purchase and your relationship with the store or its group companies, e.g. by confirming your identity, sending goods, handling questions and disputes, in order to prevent fraud and, where appropriate, send relevant marketing. The store’s privacy notice applies to the processing of your personal data that has been shared with the store and that the store processes. Normally, you will find a link to the store’s privacy notice on the store’s website. The legal basis for sharing data with stores is partly the performance of a contract (Article 6(1)(b) GDPR), insofar as the data sharing takes place to perform the contract between you and the store, and partly based on SOFORT UK’s and the store’s legitimate interest (Article 6(1)(f) GDPR). We ensure that the processing this entails is necessary to pursue that interest, and that our interest outweighs your right not to have your information processed for this purpose. You are entitled to object to this processing, for reasons connected to the circumstances in your particular case. See section 3 for more information about your rights.

8.2.2 Payment service providers and financial institutions.

Description of the recipient: Payment service providers and financial institutions provide services to you to implement and administer electronic payments through a variety of payment methods, such as credit cards and bank-based payment methods such as direct debit and bank transfer. 


Purpose and legal basis: Some stores use payment service providers with whom they share your information for managing your payment. This sharing takes place in accordance with the stores’ own privacy notices. The store may also let SOFORT UK share your information with the payment service provider they use for processing your payment. Some payment service providers also collect and use your information independently, in accordance with their own privacy notices. This is the case, for example, for electronic wallet suppliers. In addition, SOFORT UK may share your information with other financial institutions when conducting transactions with your account to complete the transactions. Sharing with payment service providers and financial institutions is performed to make a transaction initiated by you and it is done to fulfil the agreement with you (Article 6(1)(b) GDPR). 

8.2.3 Fraud prevention agencies and companies providing identity checks.

Description of the recipient: Your personal data are shared with fraud prevention agencies and companies that provide identity checks. 


Purpose and legal basis: SOFORT UK shares your information to verify your identity, the accuracy of the data you have provided, and to combat fraudulent and criminal activities. The companies with which we work are listed here. Please note that these companies may process your data in accordance with their own data privacy notices. 

SOFORT UK shares your information based on SOFORT UK’s legitimate interest in conducting its business (Article 6(1)(f) GDPR), as the fraud prevention agencies and the companies providing identity checks have information on fraud activities and identity confirmation which are important for SOFORT UK to use as input to decrease its level of fraudulent transactions. We ensure that the processing this entails is necessary to pursue that interest, and that our interest outweighs your right not to have your information processed for this purpose. You are entitled to object to this processing, for reasons connected to the circumstances in your particular case. See section 3 for more information about your rights. You can also contact the entities listed in the link above, to exercise the same rights as stated in section 3 also against those entities. 


A record of any fraud or money laundering risk will be retained by the fraud prevention agencies, and may result in others refusing to provide services, financing or employment to you. 


Fraud prevention agencies can hold your personal data for different periods of time, and if you are considered to pose a fraud or money laundering risk, your data can be held for up to six years. We and fraud prevention agencies may also enable law enforcement agencies to access and use your personal data to detect, investigate and prevent crime.






When you shop with a store placed in a country outside of the UK/EU/EEA area, our sharing of your personal data with that store means that your personal data will be transferred to this country outside of the UK/EU/EEA area. 


If you want more information about our safety measures you can always contact us. 


Safety measures which SOFORT UK uses when transferring personal data outside of the UK/EU/EEA


Countries outside of the UK/EU/EEA may have laws that allow public authorities to request access to personal data stored in the country for the purpose of combating crime or safeguarding national security. Regardless of whether we or any of our providers process your personal data, we will ensure that a high level of protection is guaranteed when transferring that data and that appropriate protection measures have been taken, in accordance with applicable data protection requirements (such as the UK GDPR). Such appropriate safeguards include, but are not limited to, ensuring:


  • if the European Commission or the ICO has decided that the country outside of the UK/EU/EEA to which your personal data are transferred has an adequate level of protection, which corresponds to the level of protection afforded by the GDPR. This means for example that the personal data is still protected from unauthorised disclosure, and that you may still exercise your rights in regards to your personal data, or 

  • the European Commission’s standard clauses have been entered into between SOFORT UK and the recipient of the personal data outside the UK/EU/EEA. This means that the recipient guarantees that the level of protection for your personal data afforded by the UK GDPR still applies, and that your rights are still protected. In these cases, we also assess whether there are laws in the recipient country that affects the protection of your personal data. Where necessary, we take technical and organisational measures so that your data remain protected during the transfer to the relevant country outside the UK/EU/EEA.


Despite the above, if the store where you choose to shop is located in a country outside the EU/EEA, our data sharing with that foreign store (or with that foreign store’s local SOFORT UK entity) means that your personal data will be transferred to this country outside the UK/EU/EEA. Otherwise it would not be possible to administer your purchase. SOFORT UK primarily relies on the European Commission’s standard clauses to ensure the protection of your personal data for such data transfers, but as set out above, countries where the foreign store is located may have laws preventing the efficient protection by the standard clauses. Even if this is the case, your personal data will still be transferred to the foreign store (or the foreign store’s local SOFORT UK entity), as long as the data transfer is necessary to administer your specific purchase.


  • Personal data used for the contractual relationship between you and SOFORT UK is generally stored for the duration of the contractual relationship and thereafter for a maximum of 10 years based on statutes of limitations.


  • Personal data that SOFORT UK is under a legal obligation to retain, for example under anti-money laundering laws or bookkeeping laws, is generally retained for 5 and 7 years respectively.

  •  We process the recordings of telephone conversations for a time period of 90 days for quality assurance purposes. We will also retain recordings of inbound and outbound calls for up to three years, as well as SOFORT UK employees’ notations from these calls for up to six years, in order to document what has been discussed and decided on the call.]


  • Personal data which is not used for the purposes of your contractual relationship with SOFORT UK or where SOFORT UK does not have a legal obligation to retain the data is only retained as long as necessary to fulfill the respective purpose for our data processing (usually 3 months). More information can be found in the table in section 5.

In some limited cases, the personal data may need to be stored for a longer period because of capital adequacy laws which SOFORT UK has to comply with.


The legal obligations referred to above means that SOFORT UK can not delete your personal data, even if you request us to delete it, as described in section 3. If we don’t have a legal obligation to retain the personal data, we instead have to make an assessment if we may require the personal data in order to protect SOFORT UK from legal claims. 


Please note that just because we have a legal obligation to store your personal data, this does not mean that we are also permitted to use this data for any other purpose. SOFORT UK will make an assessment for each specific purpose of how long we may use your personal data. You can read more about this in section 5. 

In our payment form we use the following cookies:

  • A select language cookie which stores the users preferred language so that it will already be preselected when you visit our payment form next time. The select language cookie has a service life of 13 months.

  • A select bank cookie which stores the sending country and bank interface (by means of the bank sort code and the login method (e.g. www or HBCI)) you last selected. With the help of this cookie, you can be forwarded directly to the login area within our secure payment form when using our SOFORT UK service the next time without having to select country and bank again. The select bank cookie has a service life of 13 months.

  • A prefill cookie which, if you requested a transaction confirmation by email from us, stores the email address entered for this purpose. This cookie allows us to prefill the entry field for the email address for future SOFORT UK transactions for which you request a transaction confirmation and you do not have to enter your email address again. The prefill cookie has a lifetime of 13 months.

  • A select bank account cookie which stores the payment account which you would like to initiate payments from us. With the help of this cookie, this bank account is already pre-selected when using our SOFORT UK service the next time without having to select the bank account again. By agreeing to the storage of this cookie, we can - depending on your settings at your bank - also automatically retrieve account information for 90 days, which is necessary for the execution of a SOFORT UK transaction, in case of another SOFORT transaction within 90 days. The select bank account cookie has a maximum service life of 1 year. After a maximum period of 1 year the cookie will be deleted.

The lifetime of the above-mentioned cookie is extended accordingly when the consent is given again or the transaction confirmation is requested again.

For in-app payments, we additionally use a token apart from the cookies, depending on how the app has been integrated by the merchant. A token is a random, unreproducible sequence of numbers which is saved to the local app storage on your mobile end device. A data record on the token will be stored on our server containing the sender country and bank interface selected last (by means of sort code and login method (e.g. www or HBCI)). When you re-use the app of the merchant using the SOFORT UK service, this data record can be read as a parameter by means of the token, allowing you to be redirected directly to the login area within our secure payment form. You do not have to select the country and bank again. The data record will be deleted after 13 months.

The lifetime of the above-mentioned data record is extended accordingly when the payment form is used again.

You can go to the menu item "Deactivate/activate local app storage" to allow or refuse to store tokens.

All cookies and tokens are only visible to our server, not to third party websites you may visit later.









This privacy notice was last updated on 11. February 2022.



-------------------------------------