With the following information, Yova Impact Investing GmbH (hereinafter “Inyova” or “we”) provides customers with an overview of how their personal data is processed by Inyova and their rights under data protection law. What data is processed in detail and how it is used very much depends on the services requested or agreed in each case. Customers are also requested to disclose information to current and future authorised representatives and beneficial owners. These include beneficiaries in the event of death or authorised signatories, for example.
The responsible department for data processing is:
Yova Impact Investing GmbH
Inyova has the status of a securities service provider authorised and licensed by the German Federal Financial Supervisory Authority (BaFin) and is subject to the associated auditing and quality requirements.
You can reach the company’s data protection officer on:
Yova Impact Investing GmbH
Processing of personal data
Inyova processes personal data that it receives from its customers in the context of the business relationship. This is the case when customers come into contact with Inyova (e.g. as an interested individual, an applicant or a customer and particularly when customers are interested in Inyova’s products and complete online agreement sections, sign up for online services or contact Inyova by email, phone or application, as well as when they use the products and services as part of an active business relationship). In all these cases, Inyova collects, stores, uses, transfers or deletes personal data.
To the extent necessary for the provision of the service, Inyova also processes personal data that it has received from other companies, such as IDnow GmbH, or from other third parties (Inyova’s other service providers) in a permissible manner (e.g. for the execution of orders, for the performance of agreements or based on consent given by customers). Beyond this, Inyova processes personal data that it has permissibly obtained from publicly accessible sources (e.g. land registers, commercial registers and registers of associations, Bundesanzeiger, press, media, internet) and that it is entitled to process.
In certain cases, Inyova collects personal data from potential customers and interested individuals.
To the extent necessary, Inyova shall also collect personal data from people who have no direct connection with it and who, for example, belong to one of the following groups of people:
- Family members
- Legal representatives (authorised signatories)
- Customers’ beneficiaries
- Customers’ beneficial owners
- Representatives of legal entities
- Employees of service providers or trading partners
(1) Personal data may be collected, processed and stored during the conclusion and use of products / services.
Inyova processes the following personal data:
- Identity information: e.g. first name and last name, ID card or passport number, nationality, place and date of birth, gender, photograph, IP address
- Contact information: address, email address and phone number
- Tax information: Tax identification number, tax status
- Banking, financial, and transactional data: (e.g. bank details (IBAN), money transfers to the customer’s (custody) account, assets, investor profile communicated)
- Data on habits and preferences: IP addresses, data concerning the use of Inyova’s products and services in relation to banking, financial and transactional data, data concerning interactions between the customer and Inyova (visits to Inyova’s website, face-to-face meetings, phone calls, chat histories, email traffic, surveys)
- Data on sustainability preferences (e.g. hand print, foot print, exclusion criteria), blacklisted companies and wishlist of companies
- Securities transaction: Information about knowledge and/or experience with financial instruments, the customer’s risk tolerance (MiFID status), information about education and profession (e.g. level of education, occupation, name of the employer, wages, financial situation including the ability to bear losses (assets, liabilities, income, e.g. from employment / self-employment / business; expenses), foreseeable changes in financial circumstances (e.g. retirement age, children’s education), specific goals / significant concerns for the future (e.g. planned purchases, redemption of liabilities), marital status and family situation, tax information (e.g. information on church tax obligation), documentation data (e.g. declarations of suitability)
- Interest rate, currency and liquidity management: Information about knowledge and/or experience with interest rate / currency products / financial investments (MiFID status), investment behaviour / strategy (scope, frequency, risk tolerance), occupation, financial situation (assets, liabilities, income, e.g. from employment / self-employment / business; expenses), foreseeable changes in financial circumstances (e.g. retirement age, children’s education), specific goals / significant concerns for the future (e.g. planned purchases, redemption of liabilities), tax information (e.g. information on church tax obligation), documentation data (e.g. declarations of suitability)
- Customer contact information: Further personal data (e.g. information about the contact channel, date, occasion and result, (electronic) copies of correspondence and information about participation in direct marketing measures, as well as details of the customer’s interests and requirements that they have expressed to Inyova shall be generated in the context of the business initiation phase and during the business relationship, particularly through personal, over-the-phone or written contacts, initiated by the customer or by Inyova
- Audiovisual data: Information from the video identification procedure, recordings of calls
Personal data relating to racial or ethnic origin, political beliefs, religious or philosophical beliefs, trade union membership, as well as genetic data, biometric data uniquely identifying a natural person, health data or data relating to a natural person’s sex life or sexual orientation shall not be processed by Inyova as a matter of principle unless it doing so necessary for the payment of church tax or it is a copy of an identity document required by Inyova due to obligations under the German Money Laundering Act.
(2) During visits to our website:
When the Inyova’s website is accessed, information is automatically sent to the Inyova’s website server by the browser used on the customer’s terminal device / computer. This information is temporarily stored in what is known as a ‘log file’. The following information is collected without the customer’s intervention and stored until it is automatically deletion:
- The accessing computer’s (or terminal device’s) IP address
- Date and time of access
- The name and URL of the retrieved file
- The website that access is gained from
- The browser used and (if applicable) the operating system of the computer (or terminal device) used, as well as the name of the customer’s access provider
(3) Supplier data
Inyova collects personal data from its suppliers in the course of working with them to ensure a smooth business relationship. Inyova collects the data of the contacts within the organisation (e.g. name, phone number and email address). Inyova also collects bank details so it can make payments to the suppliers.
(4) Purpose and means of digital data processing on the website
- Ensuring that a smooth connection is established to the website www.inyova.de
- Ensuring that our website is user friendly
- Evaluating system security and stability, and for other administrative purposes
- With the tracking measures used, we want to ensure that our websites are designed to meet our customers’ needs and are continuously optimised, and we also want to provide a statistical evaluation of how our websites are used.
Google conversion tracking
- Inyova uses what is known as ‘conversion tracking’ in the context of using the Google Ads service. When customers click on an ad placed by Google, a conversion tracking cookie is placed on his/her computer / device. These cookies shall cease to be valid after 30 days and do not contain any personal data and are therefore not used for personal identification purposes. The information obtained using the conversion cookie is used to compile conversion statistics for Ads customers who have opted to use conversion tracking. User data is processed with pseudonyms as part of Google’s marketing services. This means that Google, for example, does not store and process the user’s name or email address; instead, it processes the relevant data in a cookie-related manner within pseudonymous user profiles. In other words, from Google’s point of view, the ads are not managed and displayed for a specifically identified person, but for the cookie owner, regardless of who this cookie owner is. This does not apply if a user has expressly allowed Google to process the data without this pseudonymisation. The information collected about users by Google marketing services is transmitted to Google and stored on Google’s servers in the USA.
- The Google marketing services we use include the online advertising program ‘Google Ads’. In particular, we use the remarketing function within the Google Ads service. In the case of Google Ads, each Ads customer receives a different ‘conversion cookie’. Cookies cannot, therefore, be tracked using Ads customers’ websites. The information obtained using the conversion cookie is used to compile conversion statistics for Ads customers who have opted to use conversion tracking. The Ads customers find out the total number of users who clicked on their ad and were forwarded to a page featuring a conversion tracking tag. However, the Ads customers do not receive any information that can be used to identify users personally.
- Inyova uses the ‘Facebook pixel’ of the social network ‘Facebook’, 1601 South California Avenue, Palo Alto, CA 94304, USA, within its website. What are known as ‘tracking pixels’ are integrated on the web pages. When customers visit our site, a direct connection is established between the browser of the customer and the Facebook server by means of the tracking pixel. Facebook thereby receives, amongst other, the information from the browser of the customer that our site was called up from his/her device. If the customer is a Facebook user, Facebook can assign the visit to our site to the user account of the customer. We would like to point out that we, as the operators of this website, are not aware of the content of the data transmitted or the purposes for which it is used by Facebook. We can only choose what segments of Facebook users (such as age, interests) to display our ads to. By accessing the pixel from the browser of the customer, Facebook can also see whether a Facebook ad was successful, e.g. led to an online agreement. This allows us to track the effectiveness of Facebook ads for statistical and market research purposes.
- Please click here if you do not wish to have data collected using the Facebook pixel: https://www.facebook.com/settings?tab=ads#_=_. Alternatively, you can disable the Facebook pixel on the Digital Advertising Alliance site at the following link: http://www.aboutads.info/choices/.
- Conversion pixel from ADITION technologies AG, Oststraße 55, D-40211 Düsseldorf. Used via:
- Performance Advertising GmbH, Gorch-Fock-Wall 1a, 20354 Hamburg, Germany
- Performance Media Deutschland GmbH, Gorch-Fock-Wall 1a, 20354 Hamburg, Germany
- Conversion pixel from Xandr Inc., 28 West 23rd Street, 4th Floor, New York, NY, 10010-5260, USA. Used via performance advertising.
- Conversion pixel from Seeding Alliance GmbH, Gustav-Heinemann-Ufer 74b, 50968 Cologne, Germany
Purpose of processing and legal basis
Inyova processes the aforementioned personal data in accordance with the provisions set out in the General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG):
(1) For the purpose of fulfilling contractual obligations (Article 6 (1) (b) of the GDPR):
Personal data processing is carried out for the provision of financial services in the context of the performance of Inyova’s agreements with its customers or for the performance of pre-contractual measures taken at the customers’ request. The purposes of data processing primarily depend on the specific product (see 2.) and may include (among other things) needs analyses, advice, asset management, investment support, and the execution of transactions. Customers can find further details on the purpose of data processing in the relevant contractual documents and terms and conditions.
Inyova processes the personal data of individuals within its suppliers’ organisations so it can obtain services from them. It also stores financial data so that it can pay for its suppliers’ services.
(2) In the context of balancing of interests (Article 6 (1) (f) of the GDPR):
To the extent necessary, Inyova shall process customer data beyond the actual performance of the agreement to safeguard Inyova’s or third parties’ legitimate interests. Examples:
- Exercising legal claims and defence during legal disputes
- Ensuring Inyova’s IT security and IT operations
- Preventing crime, and particularly preventing fraud
- Conducting video surveillance for safeguarding domiciliary rights, for collecting evidence in the case of robberies and fraud offences
- Measures for building and plant security (e.g. access controls)
- Measures to ensure domiciliary rights
- Measures for business management and further developing services and products
- Ensuring a smooth connection is established to the website
- Ensuring that Inyova’s website is convenient to use
- Evaluating system security and stability, and
- For other administrative purposes
In no case does Inyova use data to draw conclusions about the customer in question as an individual.
(3) Based on the customer’s consent (Article 6 (1) (a) of the GDPR):
Insofar as the customer has given Inyova consent to process personal data for certain purposes (e.g. transfer of data within the network or to use their data for certain advertising purposes), the lawfulness of this processing is given based on the consent. Any consent given can be revoked at any time. The revocation is only effective for the future. Processing that took place before the revocation is not affected by the revocation. If Inyova would like to use the customer’s personal data for purposes other than those mentioned above, Inyova shall inform the customer accordingly and, if necessary, obtain the customer’s consent.
(4) Based on legal requirements (Article 6 (1) (c) of the GDPR) or in the public interest (Article 6 (1) (e) of the GDPR):
As a financial services provider, Inyova is also subject to various legal obligations. This means that legal requirements (e.g. German Banking Act, German Money Laundering Act, German Securities Trading Act, tax laws) as well as banking supervisory requirements (e.g. of the European Central Bank, the European Banking Authority, the Deutsche Bundesbank and the German Federal Financial Supervisory Authority (BaFin)) must be met. The purposes of processing include (but are not limited to) verifying identity and age, preventing fraud and money laundering, ensuring compliance with sanctions and embargo provisions, responding to official enquiries from a competent governmental body or judicial authority, abiding by tax law monitoring and reporting obligations, and assessing and managing risks at Inyova.
Recipients of personal data belonging to customers
Within Inyova, access to the customer’s data is granted to those offices that need it to fulfil contractual and legal obligations. Service providers and vicarious agents employed by Inyova may also receive data for these purposes if they comply with banking secrecy and Inyova’s written instructions under data protection law.
With regard to the disclosure of data to recipients outside Inyova, it should first be noted that Inyova is obligated to maintain secrecy about all customer-related facts and evaluations that it becomes aware of.
Inyova may only pass on information about customers if doing so is required by law, if the customer has given their consent, and if processors commissioned by Inyova guarantee compliance with banking secrecy and the specifications set out in the General Data Protection Regulation / German Federal Data Protection Act in the same way. Under these conditions, recipients of personal data may be (for example):
- Public bodies and institutions (e.g. Deutsche Bundesbank, the Federal Financial Supervisory Authority, the European Banking Authority, the European Central Bank, tax authorities, the Federal Central Tax Office) if a legal or regulatory obligation exists
- Other credit and financial services providers, comparable institutions and processors to whom Inyova transfers personal data to carry out the business relationship with the customers. These companies are also legally or contractually obligated to treat personal data with the necessary care
- Service providers who support Inyova, specifically in the following activities: Supporting / maintaining EDP/IT applications, archiving, document processing, call centre services, compliance services, controlling, data screening for anti-money laundering purposes, data destruction, purchasing / procurement, credit processing service, recovery, customer management, letter shops, marketing, media technology, reporting, research, risk controlling, expense reporting, telephony, video identification, website management, securities services, share register, fund management, auditing services, payment transactions
- Members of certain regulated professions such as lawyers, notaries or auditors
- Other data recipients may be those bodies that the customers have given their consent to data transfer for
Note: Under no circumstances shall personal data be sold to third parties.
As a rule, data shall not be transferred to a third country or an international organisation
Data is only transferred to countries outside the EU or the EEA (‘third countries’) if doing so is necessary for the execution of the customer’s orders (e.g. payment and securities orders), if doing so is required by law (e.g. reporting obligations under tax law), if the customer has given their consent, or within the scope of order processing.
Data transfer to Switzerland: For services rendered to the customer, personal data will be processed by the parent company Yova AG in Switzerland. For Switzerland exists a resolution of adequacy (see Article 45 (3) GDPR) by the EU commission. This means that personal data may be processed in Switzerland due to the fact that a similar, adequate protection of data is guaranteed compared to the European Union.
If service providers in other third countries are engaged, they are obligated to comply with the level of data protection in Europe by agreeing to the EU standard contractual clauses in addition to written instructions. If you require a hard copy of these terms and conditions or information about the availability of the same, you may request such information from the Institution.
Data storage period
Inyova processes and stores personal data belonging to customers for as long as doing so is necessary for the fulfilment of contractual and legal obligations. It should be noted that the business relationship is a continuing obligation that is intended to last for several years. If the data is no longer required for the fulfilment of contractual or legal obligations, it is regularly deleted, unless further processing is (temporarily) necessary for the following purposes:
- Fulfilment of retention periods under commercial and tax law. These include obligations arising from the German Commercial Code, the German Tax Code, the German Banking Act, the German Money Laundering Act and the German Securities Trading Act. The retention and documentation periods stipulated therein range from two to ten years.
- Preservation of evidence under the statute of limitations. According to Section 195 et seq. of the German Civil Code (BGB), these limitation periods may be up to 30 years, with the regular limitation period being three years.
An indefinite retention period shall apply to applicants with whom an agreement is not subsequently concluded, but applicants retain the right to object to data storage and erasure at any point in time.
Protection of personal data
Inyova shall take reasonable and adequate measures that protect stored and processed information from misuse, loss or unauthorised access. Inyova has taken a number of technical and organizational measures for this purpose.
If you suspect that your personal information has been misused, lost or accessed without authorisation, please notify us as soon as possible.
Data protection rights under the General Data Protection Regulation
Every data subject has a right of access under Article 15 of the GDPR, a right to rectification under Article 16 of the GDPR, a right to erasure under Article 17 of the GDPR, a right to restriction of processing under Article 18 of the GDPR, a right to object under Article 21 of the GDPR, and the right to data portability under Article 20 of the GDPR. The restrictions according to Sections 34 and 35 of the German Federal Data Protection Act apply to the right of access and the right to erasure.
The right of access includes information about the purposes of processing, the categories of personal data, the categories of recipients to whom your data has been or is being disclosed, the planned duration of storage, the existence of a right to rectification, erasure, restriction of processing, objection or data portability, the existence of a right to lodge a complaint, the origin of your data if it was not collected by Inyova, and the existence of automated decision-making including profiling, as well as any meaningful information regarding details of the same.
The customer may (at any time) request that incorrect personal data be rectified immediately, or that personal data collected by Inyova be completed.
The customer may request that their personal data that Inyova stores about them be erased insofar as processing is unnecessary for exercising the right to freedom of expression and information, for fulfilling a legal obligation, for reasons of public interest or for establishing, exercising or defending legal claims. Inyova shall delete this data if none of the cases mentioned above apply. Inyova shall usually also include the customer’s name in the list of people who do not wish to be contacted. In this way, Inyova minimises the chance that customers will be contacted in the future if their data is collected separately under other circumstances.
Under certain circumstances, the customer may request that Inyova restrict processing of their personal data. This means that Inyova shall only store the customer’s data in the future and cannot carry out any further processing activities until: (i) one of the conditions listed below has been cleared, (ii) the customer has given their consent, or (iii) further processing is necessary to assert, exercise or defend legal claims, to protect the rights of others, or if doing so is necessary due to legitimate public interest of the EU or a Member State. The customer may request that Inyova restrict processing of their personal data under the following circumstances:
- If the customer disputes the accuracy of the personal data that Inyova processes about them. In this case, Inyova’s processing of the customer’s personal data shall be restricted until the accuracy of the data has been verified.
- If the customer objects to Inyova’s processing of their personal data in accordance with Inyova’s legitimate interests. In this case, the customer may request that the data be restricted while Inyova reviews its reasons for processing the customer’s personal data.
- If Inyova’s processing of the customer’s data is unlawful, but the customer prefers to restrict Inyova’s processing instead of having the data deleted.
- When there is no longer a need for Inyova to process the customer’s personal data, but the customer needs the data to assert, exercise or defend legal claims.
The customer may request receipt of their personal data that they provided to Inyova in a structured, commonly used and machine-readable format or transfer to another controller.
If a decision to conclude or perform an agreement has only been made in an automated process (Art. 22 of the GDPR) and this decision has a legal effect on the customer or the customer is significantly affected in a similar way, the customer may request that Inyova carry out a manual review again after they have explained their position to Inyova and requested the manual review. If such a decision is made, Inyova shall also inform the customer separately of the reason for and the scope and intended effects of such data processing.
The customer also has a right to lodge a complaint (according to Article 77 of the GDPR in conjunction with Section 19 of the German Federal Data Protection Act). The customer may contact the data protection officer in this regard on firstname.lastname@example.org. In addition, the customer can contact the supervisory authority of their usual place of residence or workplace, or Inyova’s company headquarters for this purpose.
Inyova shall cease the relevant activities when the customer objects. This shall apply with the exception that Inyova can demonstrate that it has overriding legitimate grounds for processing that override the customer’s interests or that the data is processed to assert, exercise or defend a legal claim.
Obligation to provide data
In the context of the joint business relationship, the customer must provide such personal data as is required for establishing and performing a business relationship and fulfilling the associated contractual obligations or that Inyova is legally obligated to collect. Without this data, Inyova shall generally have to refuse to conclude the agreement or execute the order, or shall no longer be able to execute an existing agreement and may have to terminate it. In particular, Inyova is obligated under anti-money laundering regulations to identify the customer before the business relationship is established (e.g. by means of an ID card) and to collect and record the customer’s name, place of birth, date of birth, nationality, residential address and identification data. For Inyova to be able to comply with this statutory obligation, the customer must provideInyova with the necessary information and documents in accordance with Section 11 (6) of the German Money Laundering Act and immediately inform it of any changes arising in the course of the business relationship. If the customer fails to provide Inyova with the necessary information and documents, Inyova may not enter into or continue the business relationship requested by the customer.
As a matter of principle, Inyova does not use fully automated decision-making processes according to Article 22 of the GDPR to establish and implement the business relationship. If Inyova uses these processes in individual cases, customers shall be informed to this effect separately, insofar as is required by law.
To some extent, Inyova processes customers’ data automatically with the aim of assessing certain personal aspects (proﬁling). In so doing, Inyova uses proﬁling in the following case, for example:
- Due to legal requirements, Inyova is obligated to combat money laundering and fraud. Data evaluations (e.g. in payment transactions) are also carried out. These measures also serve to protect customers.
Information about your right to object according to Article 21 of the General Data Protection Regulation (GDPR)
Individual right to object
You have the right, on grounds relating to your particular situation, to object at any time to processing of the personal data concerning you based on Art. 6 (1) (e) of the GDPR (data processing in the public interest) and Art. 6 (1) (f) of the GDPR (data processing based on balancing of interests); this also applies to profiling under the terms of Art. 4 (4) of the GDPR. If you file an objection, we shall no longer process your personal data unless we can demonstrate compelling and legitimate grounds for processing that override your interests, rights and freedoms, or if processing serves to assert, exercise or defend legal claims.
Right to object to data processing for advertising purposes
In individual cases, we process your personal data for the purpose of carrying out direct advertising. You have the right at any time to object to processing of the personal data concerning you for the purposes of such advertising; this also applies to profiling if it is in conjunction with such direct advertising. If you object to processing for the purposes of direct advertising, we shall no longer use your personal data for these purposes.
The objection can be made without any formalities and should, if possible, be sent by email to email@example.com.