Privacy statement

The purpose of the Sofort GmbH privacy statement is to provide you with information on the personal data that we collect, process, use and which rights you have against Sofort GmbH and how you can exercise those rights when you use the Payment Initiation Service "Sofort".

I. Responsible Entity

The responsible entity according to GDPR for collecting and processing personal data using the Sofort services is Sofort GmbH, registered at Theresienhöhe 12, 80339 München, Germany, and part of the Klarna Group. You will find more detailed information on the webpage www.sofort.de.

II. What is Sofort?

When you make a transaction using the Payment Initiation Service Sofort, we automatically check

If the answer is in the affirmative,

This ensures that the merchant knows in real-time that your online transfer has been placed successfully and will most likely be executed; the merchant does not have access to any data regarding your creditworthiness, neither do we store such data. As a result of our service, your merchant can provide its service immediately.

III. What do we check and what personal data do we collect?

Depending on how your bank operates online accounts, different verification steps will apply:

Some banks only accept transfer orders if the relevant account has sufficient funds available. In that case, we will not check ourselves whether the account has sufficient funds available. In all other cases, we will check whether the sum of the bank balance on the one hand and the overdraft limit on the other hand covers the amount to be transferred. Any amounts which are yet to be debited to the account (e.g. pending transfers) will be deducted from the account balance.

In the case of transfers with an increased risk of misuse, we will additionally check whether any Sofort transactions you issued from your account in the last 30 days, if applicable, were successful. If and insofar as such Sofort transactions are recorded in our system, we will check the transaction data regarding your account to see if the transactions in question were in fact completed (e.g. match amount and reason).

In addition, we can collect and store your User-ID allocated to your online-banking access (e.g. user number, contract number) in a shortened version as so called “hash value”. This also has the purpose of reducing the risk of misuse.

The data necessary for such checks are processed online. In some cases, we are able to carry out these checks using specific software interfaces provided by your bank (e.g. in accordance with the HBCI Standard for Electronic Banking). Alternatively, our system will automatically call up the data via the user interface of your online banking service, much in the same way as if you logged on yourself. If you use the online banking facility to manage multiple accounts, our software, after you log on, will display the current accounts available for selection. We will not use or store any information on non-selected accounts, in particular, the account number and the respective balance of such accounts.

IV. What personal data do we pass on, when do we pass it on and to whom?

In order to place your transfer order, we will provide your bank with your IP-address and – following a positive check – with the information identified on the transfer form. We will not store user credentials (confidential log in details such as personal identification number or confirmation codes such as transaction authentication number); instead, these data will be provided to your bank using an encrypted connection that complies with the relevant banking standards. If the placement of the transfer order requires an input of an additional security code (for example to activate specific countries for EU SEPA placements), we also transfer this security to your bank. We will not store the security code in our systems. If your bank demands a mobile number for placing your transfer order, we will transfer your mobile number to your bank. We will not store your mobile number in our systems.

We will confirm the successful placement of the transfer order to the merchant. The confirmation will only comprise the information on the transfer form itself (name, account number, sort code, reason for payment and the amount transferred) as well as the date (including time) and the transaction ID (e.g. order number) chosen by the merchant. In case of SEPA credit transfers and, depending on your bank, in case BIC code and IBAN code are necessary to place the transfer order in your online-banking-account, the confirmation to the online provider also contains BIC code and IBAN code. As such, the information given to the merchant will be limited to what is already available to the merchant on its bank statements. No personal data beyond that are provided to the merchant.

In the event that the placement should not be completed, we will not notify the merchant of the cause of the non-placement and the merchant will be unable to identify its cause. In that case (following an error notification) you will be redirected to the payments page, where you will be able to decide whether you would like to use a different payment method accepted by the merchant.

V. What personal data do we store and for how long?

For the purpose of settling accounts with the merchant and to comply with statutory obligations as to data storage, we will store the name, account number, sort code, reason for payment, date and amount transferred for the legally required time period. In case of SEPA credit transfers and, depending on your bank, in case BIC code and IBAN code are necessary to place the transfer order in your online-banking-account, we also store BIC code and IBAN code for the legally required time period. The legally required time ranges from three up to ten years. In addition, we will, for a period of 30 days, use such data in the case of future Sofort transactions for the above-mentioned check of previous Sofort transactions.

The data which we will use to check whether the account has sufficient funds and to check previous Sofort transactions will only be used for the purpose of the real-time verification set out above. We will not store any personal data beyond that, in particular, no account balance, transaction data, overdraft limits, account lists, mobile numbers, authentication certificates, security codes or online banking login passwords (such as personal identification number) or confirmation codes such as transaction authentication number.

VI. What happens if a transfer fails?

If we become aware that despite our positive check a payment initiated by our Sofort service has not been received by the payee (for example, because a merchant subsequently informs us of such a case), we will inform the affected customer prior to his/her next use of Sofort.  Until the matter is clarified, we will not place any transfer orders in view of the respective online banking account.

VII. Which data do we collect, process, and store if you request a transaction confirmation by email (optional service)?

On the confirmation page for a Sofort transaction, you have the possibility to request a confirmation that your transfer was placed (transaction confirmation) from us by email, which requires your email address. We will only use this email address to send the transaction confirmation for the Sofort transaction once, not for future transactions. Your email address will not be passed on to third parties and not be used for advertising purposes.

The transaction confirmation includes the following data: name of recipient account holder, name of sender bank, date of credit transfer, amount, reason and transaction ID.

We shall save and use the email with the transaction confirmation (including your email address) for the purpose of fulfilling the legal retention periods.

VIII. Legal base of processing your data

The processing activities are performed on the following legal bases:

Reason of Processing Legal Base Explanation Processing activity
legitimate interests Art. 6 par. 1 f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data. The legitimate interest of SOFORT GmbH are in the present case performing the Payment Initiation Service which allows our contractual partners, the merchants, to offer a payment possibility to you. For that purposes we have to process your data, although we have no contractual relationship with you.
  • Check for sufficient funds
  • Transaction check
  • Collection and storage of the user identification
  • Transfer of transaction data to the recipient
  • Storage of transaction data
  • Transfer fail information
  • Transaction confirmation
Consent Art. 6 par. 1 a) You have given explicit consent to the processing of your personal data for one or more specific purposes. You have the right to withdraw your consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. You will be informed separately before giving your consent.
  • Select-Language-Cookie
  • Select-Bank-Cookie
  • Prefill Cookie
Compliance with legal obligation Art. 6 par. 1 c) Processing is necessary for compliance with a German or European legal obligation to which the controller is subject
  • Storage of transaction data (without PIN and TAN)

IX. Which cookies and token do we use?

Cookies are small text files placed on your computer or mobile device in order to make visits to our website more user-friendly. We will fade in a consent banner in which you can give your explicitly consent for using the cookies. The consent is not coupled on using Sofort’s services. You shall have the right to withdraw your consent at any time with effect for the future by deactivating cookies being saved in your browser, limit them to specific websites or set your browser in such a way that it informs you as soon as a cookie is to be saved or you can manage cookies via app “settings” of your mobile device. You can also delete cookies subsequently from your computer or mobile device. For Sofort transactions carried out in apps on your mobile device, i.e. for which our payment form is opened in the app of the merchant (in-app payments), you can allow or refuse to save cookies under the menu item “Deactivate/activate local app storage”, depending on how the app has been integrated by the merchant. The subsequent deactivation of the cookies does not affect the lawfulness of processing based on consent before the withdrawal.

In our payment form we use the following cookies:

The lifetime of the above-mentioned cookie is extended accordingly when the consent is given again or the transaction confirmation is requested again.

For in-app payments, we additionally use a token apart from the cookies, depending on how the app has been integrated by the merchant. A token is a random, unreproducible sequence of numbers which is saved to the local app storage on your mobile end device. A data record on the token will be stored on our server containing the sender country and bank interface selected last (by means of sort code and login method (e.g. www or HBCI)). When you re-use the app of the merchant using the “Sofort” service, this data record can be read as a parameter by means of the token, allowing you to be redirected directly to the login area within our secure payment form. You do not have to select the country and bank again. The data record will be deleted after 13 months.

The lifetime of the above-mentioned data record is extended accordingly when the payment form is used again.

You can go to the menu item "Deactivate/activate local app storage" to allow or refuse to store tokens.

All cookies and token are only visible to our server, not to third party websites you may visit later.

X. Your rights relating to your personal data

You have different rights in view of the processing of you data by Sofort GmbH:

Right of access: You have the right to obtain from us confirmation as to whether or not personal data concerning you is being processed, and, where that is the case, access to the personal data. Therefore, we need a verification of your identity.

Right to rectification: You have the right to obtain from us without undue delay the rectification of inaccurate personal data concerning you. Therefore, we need a verification of your identity and evidences of the correctness of the alleged circumstances.

Right to data portability: You have the right to receive the personal data concerning you, which you have provided to a controller, in a structured, commonly used and machine-readable format.

Right to erasure/restrict: You have the right to obtain from the controller the erasure or restriction of personal data concerning you without undue delay. Therefore, we need a verification of your identity. The right to erasure only persists if no retention requirements are applicable.

Right to object: You have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning you. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.

Right to complain: You have always the right to complain about us at the competent privacy authority.

To exercise your rights please contact datenschutz@sofort.com.

XI. Who can provide further assistance?

Should you have any questions about data protection in the context of Sofort transactions, or to exercise your rights please contact our privacy team at datenschutz@sofort.com or our data privacy officer (Mr. Michael Schramm) by writing a letter with the addition “personally to the data privacy officer”.

Version 2.2. en, September 2019

Print this page