With the following information, Inyova Impact Investing GmbH (hereinafter “Inyova” or “we”) provides customers with an overview of how their personal data is processed by Inyova and their rights under data protection law. What data is processed in detail and how it is used very much depends on the services requested or agreed in each case. Customers are also requested to disclose information to current and future authorised representatives and beneficial owners. These include beneficiaries in the event of death or authorised signatories, for example.
1. Data processing
Inyova has the status of a securities service provider authorised and licensed by the German Federal Financial Supervisory Authority (BaFin) and is subject to the associated auditing and quality requirements.
The responsible department for data processing is:
INYOVA IMPACT INVESTING GMBH
Inyova Impact Investing GmbH
You can reach the company’s data protection officer on:
+ 49 6151 3942 72
2. Processing of personal data
Inyova processes personal data that it receives from its customers in the context of the business relationship. This is the case when customers come into contact with Inyova (e.g. as an interested individual, an applicant or a customer and particularly when customers are interested in Inyova’s products and complete online agreement sections, sign up for online services or contact Inyova by email, phone or application, as well as when they use the products and services as part of an active business relationship). In all these cases, Inyova collects, stores, uses, transfers or deletes personal data.
To the extent necessary for the provision of the service, Inyova also processes personal data that it has received from other companies, such as IDnow GmbH, or from other third parties (Inyova’s other service providers) in a permissible manner (e.g. for the execution of orders, for the performance of agreements or based on consent given by customers). Beyond this, Inyova processes personal data that it has permissibly obtained from publicly accessible sources (e.g. land registers, commercial registers and registers of associations, Bundesanzeiger, press, media, internet) and that it is entitled to process.
In certain cases, Inyova collects personal data from potential customers and interested individuals.
To the extent necessary, Inyova shall also collect personal data from people who have no direct connection with it and who, for example, belong to one of the following groups of people:
Legal representatives (authorised signatories)
Customers’ beneficial owners
Representatives of legal entities
Employees of service providers or trading partners
2.1 Personal data may be collected, processed and stored during the conclusion and use of products / services.
Inyova processes the following personal data:
Identity information: e.g. first name and last name, ID card or passport number, nationality, place and date of birth, gender, photograph, IP address
Contact information: address, email address and phone number
Tax information: Tax identification number, tax status
Banking, financial, and transactional data: (e.g. bank details (IBAN), money transfers to the customer’s (custody) account, assets, investor profile communicated)
Data on habits and preferences: IP addresses, data concerning the use of Inyova’s products and services in relation to banking, financial and transactional data, data concerning interactions between the customer and Inyova (visits to Inyova’s website, face-to-face meetings, phone calls, chat histories, email traffic, surveys)
Data on sustainability preferences (e.g. hand print, foot print, exclusion criteria), blacklisted companies and wishlist of companies
Securities transaction: Information about knowledge and/or experience with financial instruments, the customer’s risk tolerance (MiFID status), information about education and profession (e.g. level of education, occupation, name of the employer, wages, financial situation including the ability to bear losses (assets, liabilities, income, e.g. from employment / self-employment / business; expenses), foreseeable changes in financial circumstances (e.g. retirement age, children’s education), specific goals / significant concerns for the future (e.g. planned purchases, redemption of liabilities), marital status and family situation, tax information (e.g. information on church tax obligation), documentation data (e.g. declarations of suitability)
Interest rate, currency and liquidity management: Information about knowledge and/or experience with interest rate / currency products / financial investments (MiFID status), investment behaviour / strategy (scope, frequency, risk tolerance), occupation, financial situation (assets, liabilities, income, e.g. from employment / self-employment / business; expenses), foreseeable changes in financial circumstances (e.g. retirement age, children’s education), specific goals / significant concerns for the future (e.g. planned purchases, redemption of liabilities), tax information (e.g. information on church tax obligation), documentation data (e.g. declarations of suitability)
Customer contact information: Further personal data (e.g. information about the contact channel, date, occasion and result, (electronic) copies of correspondence and information about participation in direct marketing measures, as well as details of the customer’s interests and requirements that they have expressed to Inyova shall be generated in the context of the business initiation phase and during the business relationship, particularly through personal, over-the-phone or written contacts, initiated by the customer or by Inyova
Audiovisual data: Information from the video identification procedure, recordings of calls
Personal data relating to racial or ethnic origin, political beliefs, religious or philosophical beliefs, trade union membership, as well as genetic data, biometric data uniquely identifying a natural person, health data or data relating to a natural person’s sex life or sexual orientation shall not be processed by Inyova as a matter of principle unless it doing so necessary for the payment of church tax or it is a copy of an identity document required by Inyova due to obligations under the German Money Laundering Act.
2.2 During visits to our website:
When the Inyova’s website is accessed, information is automatically sent to the Inyova’s website server by the browser used on the customer’s terminal device / computer. This information is temporarily stored in what is known as a ‘log file’. The following information is collected without the customer’s intervention and stored until it is automatically deletion:
The accessing computer’s (or terminal device’s) IP address
Date and time of access
The name and URL of the retrieved file
The website that access is gained from
The browser used and (if applicable) the operating system of the computer (or terminal device) used, as well as the name of the customer’s access provider
2.2.1 Registration Impact Investing Strategy
1) If you want to create a free impact investing strategy on our homepage, we ask you to register first with your name and email address. At this point we also ask for your consent to send you information to the email address you have given us. In the next step, you can create your investment strategy according to your personal ideas. If you like the strategy, you can open an account with us. To do this, we ask you for your personal data that is important to us and required by regulation, which we then process and store.
2) Information on the processing of personal data when registering via our homepage.
When you register via our homepage, we collect the following data from you:
- First and last name
- e-mail address
- Date of birth
- Place of birth
- Contact details
If extended data collection is required, we also collect the following data (to provide pre-contractual information):
3) For the purpose of identification we use a commissioned service provider (IDNow GmbH). After you have filled out the account opening application, you will receive a personal ID code from us, which we usually send to you by SMS to the mobile phone number you have provided. You will then be able to complete the video identification process at IDNow. You will be asked by IDNow staff to compare your ID (identity card or passport) with the data you provided when you registered. Photos will be taken of your ID during the procedure. In addition, the contract with us is legally signed during this procedure, which is done via a digital button during the identification procedure. IDNow also gains access to your personal data during the identification process.
As with all our commissioned service providers, we have also concluded an order processing contract with IDNow GmbH in accordance with Art. 28 DSGVO. You can find the data protection information of our service provider at https://www.idnow.io/de/datenschutzerklaerung/.
4) After the identification procedure has been successfully completed, IDNow will send us the information, which we will then store securely in your digital customer file in accordance with legal requirements. You will then receive the final signed contract documents from us by e-mail.
5) We delete the data accruing in this context after the storage is no longer necessary, the purpose for processing the data no longer applies or – in the case of statutory retention obligations – we restrict the processing.
6) We only collect the data from you that we need for the above-mentioned purposes. The legal basis, insofar as the processing takes place for the purpose of initiating or executing a contract, is Art. 6 para. 1 lit. b DSGVO. If this is not the case, the processing of your personal data is carried out to protect the legitimate interests of Inyova according to Art. 6 para. 1 p. 1 lit. f, to fulfil legal obligations according to Art. 6 para. 1 p. 1 lit. c or in case of consent according to Art. 6 para. 1 p. 1 lit. a DSGVO.
7) Recipients or categories of recipients of the data
Within Inyova, access to your data is granted to those offices that need it to fulfil our contractual and legal obligations as well as for legitimate interest. Processors appointed by us (Art. 28 DSGVO) may also receive data for these purposes. These processors are companies in the categories of IT services, telecommunications, marketing, accounting.
Companies in the categories of legal and tax advice, debt collection companies and audits may also receive data for these purposes.
We will only pass on your data to third parties for their own use if we have been given permission to do so or if this is provided for by contractual and/or legal regulations. Third parties in the above sense are public bodies/authorities and private companies.
In addition, we may, to the extent legally permissible, transfer your personal data to authorities (e.g. social insurance institutions, tax authorities or law enforcement agencies) and courts in Germany and abroad in order to fulfil legal obligations or in the interests of the company.
Is there a transfer to third countries in the course of processing?
Duration of data storage
The personal data collected by us within the scope of the contract will be stored for the duration of the business relationship and then deleted, unless we are obliged to store it for a longer period – pursuant to Article 6 para. 1 p. 1 lit. c DSGVO due to storage and documentation obligations (e.g. from HGB, StGB or AO) – or if there is a legitimate interest in storing it pursuant to Article 6 para. 1 p. 1 lit. f DSGVO, e.g. during the current statute of limitations, which is usually three years, but can also be up to 30 years in certain cases, – or you have consented to storage beyond this in accordance with Art. 6 para. 1 p. 1 lit. a DSGVO.
As soon as the storage of the data is no longer required for the aforementioned storage purposes or in the event of a revocation of your consent, your data will be deleted immediately.
Your rights as a data subject:
You have the following rights as a data subject of this data processing, which you can exercise against us and/or our service providers:
- Right to information,
- Right to correction or deletion,
- Right to restriction of processing,
- Right to object to processing,
- Right to data portability.
You are welcome to contact us at firstname.lastname@example.org to exercise your data protection rights.
You also have the right to complain to a data protection supervisory authority about the processing of your personal data in our company.
2.3 Supplier data
Inyova collects personal data from its suppliers in the course of working with them to ensure a smooth business relationship. Inyova collects the data of the contacts within the organisation (e.g. name, phone number and email address). Inyova also collects bank details so it can make payments to the suppliers.
2.4 Purpose and means of digital data processing on the website
2.4.1 Our website
Ensuring that a smooth connection is established to the website www.inyova.de
Ensuring that our website is user friendly
Evaluating system security and stability, and for other administrative purposesSSL or TLS encryption
SSL or TLS encryption
For security reasons and to protect the transmission of confidential content, such as orders or inquiries that you send to us as the site operator, this site uses SSL or TLS encryption. You can recognise an encrypted connection by the fact that the address line of the browser changes from “http://” to “https://” and by the lock symbol in your browser line. If the SSL or TLS connection is activated, the data that you transmit to us cannot be read by third parties.
- What are cookies?
Our website uses so-called cookies to store user-specific data. Cookies are small files that are stored on your computer by our website and contain certain user data about you, such as language or personal page settings. When you visit our site again, your browser sends the “user-related” information back to our site. Thanks to the cookies, our website knows who you are and offers you your usual standard setting. A cookie consists of a name and a value.
When you visit our website for the first time (with the help of a so-called “cookie banner” or “cookie consent tool”) you will be asked which cookies you would like to allow. Cookies that are not essential to provide the services of this website are only used after you have given your consent. However, this decision is stored in a cookie for the purpose of proving and implementing your setting. You can view and change your cookie settings here at any time: [insert LINK]
- By objecting to the use of the respective cookies by US providers such as e.g. Google, Facebook, Twitter, YouTube, LinkedIn etc., you also consent to your data being processed in the USA in accordance with Article 49 Paragraph 1 Clause 1 Letter a GDPR.
- Whether cookies are set in each case and what data is stored in them under what other circumstances is also explained in more detail in our notes on the tools, plug-ins and services used.
- First-Party and Third-Party Cookies
There are both first-party cookies and third-party cookies. First-party cookies are created directly by our site, third-party cookies are created by partner websites or their tools/plug-ins/services (e.g. Google Analytics). Each cookie must be evaluated individually, since each cookie stores different data. The expiry time of a cookie also varies from a few minutes to a few years. Cookies are not software programs and do not contain viruses, Trojans or other “pests”. Cookies also cannot access information on your PC.
- What types of cookies are there?
1) Essential cookies
These cookies are necessary to ensure basic functions of the website. For example, when the user puts a product in the shopping cart, then surfs on other pages and later goes to the checkout. These cookies do not delete the shopping cart, even if the user closes their browser window.
Essential cookies used:
|yova_sti||tracking lead source||30 days|
|yova_pti||tracking lead source||30 days|
|moove_gdpr_popup||tracking GDPR cookie||7 days|
2) Functional cookies
These cookies are not absolutely necessary, but they increase the functionality of the website. This includes, for example, information such as user names, language selection, form data entered once, font size, etc.
Functional cookies used:
3) Performance or marketing cookies
These cookies come from external advertising companies, among others, and are used to collect information about the websites visited by the user, e.g. B. to create target group-oriented advertising for this.
Other cookies collect information about user behaviour on the website and whether users receive error messages (if so, which ones?) in order to improve the content and structure of the website. Loading times or the behaviour of the website with different browser types are also measured with these cookies.
Performance cookies used:
|Google Tag Manager||Marketing||none|
|Google Analytics 4||Marketing/Performance||1 day|
|Facebook Pixel Code||Marketing||1 day|
|Quora Pixel Code||Marketing||1 day|
You can set your web browser so that the storage of cookies on your end device is generally prevented or you are asked each time whether you agree to the setting of cookies. Once cookies have been set, you can delete them at any time. How this works is described in the help function of the web browser you are using. A general deactivation of cookies may lead to functional restrictions.
2.4.3 Google Analytics
- 1) General information
We use Google Analytics, a web analytics service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, a subsidiary of Google LLC, 1600 Amphitheater Parkway, Mountain View, CA 94043 USA. Google Analytics uses so-called “cookies”, which enable the analysis of how you use the website. The data collected in this way is used by Google to provide us with an evaluation of the visit to our website and the usage activities there. This data can also be used to provide other services related to the use of our website and the Internet.
- 2) Categories of data processed
As part of the service, usage and user-related information such as IP address, location, time or frequency of visits to our website is recorded.
- 3) Legal Basis
The legal basis is Article 6 Paragraph 1 Clause 1 Letter f GDPR. Our legitimate interest lies in the analysis, optimization and economic operation of our website. We can use the statistics obtained to improve our offer and make it more interesting for you as a user.
The legal basis for setting the cookie is your consent in accordance with Article 6 Paragraph 1 Clause 1 Letter a GDPR. You can find details on this under “Cookies” above.
- 4) Deactivation of data collection by Google Analytics
You can revoke your consent to the storage of cookies at any time. In this regard, we refer to the previous notes on “Cookies” and the rights to which you are entitled.
You can also prevent the storage of cookies by setting your browser software accordingly; we would like to point out to you however that in this case you will if applicable not be able to use all functions of this website in full.
You can also prevent the data generated by the cookie and related to your use of the website (including your IP address) being sent to Google and the processing of this data by Google by using the browser plug-in available under the following link. Download and install in: http://tools.google.com/dlpage/gaoptout?hl=de.
- 5) IP anonymization
We have implemented Google Analytics IP address anonymization on this website. The IP is anonymized or masked as soon as the IP addresses arrive in the Google Analytics data collection network and before the data is stored or processed. As a result, IP addresses are further processed in abbreviated form, which means that they cannot be linked to individuals.
You can find more information on IP anonymization at: https://support.google.com/analytics/answer/2763052?hl=de.
- 6) Cross-device analysis
This website also uses Google Analytics for a cross-device analysis of visitor flows, which is carried out using a user ID. You can deactivate the cross-device analysis of your usage in your customer account under “My data”, “Personal data”.
- 7) Provider’s data protection
It cannot be ruled out that the processing will be carried out by Google LLC, 1600 Amphitheater Parkway, Mountain View, CA 94043, USA. Note our information on data transfers to the USA.
2.4.4 Google conversion tracking
Inyova uses what is known as ‘conversion tracking’ in the context of using the Google Ads service. When customers click on an ad placed by Google, a conversion tracking cookie is placed on his/her computer / device. These cookies shall cease to be valid after 30 days and do not contain any personal data and are therefore not used for personal identification purposes. The information obtained using the conversion cookie is used to compile conversion statistics for Ads customers who have opted to use conversion tracking. User data is processed with pseudonyms as part of Google’s marketing services. This means that Google, for example, does not store and process the user’s name or email address; instead, it processes the relevant data in a cookie-related manner within pseudonymous user profiles. In other words, from Google’s point of view, the ads are not managed and displayed for a specifically identified person, but for the cookie owner, regardless of who this cookie owner is. This does not apply if a user has expressly allowed Google to process the data without this pseudonymisation. The information collected about users by Google marketing services is transmitted to Google and stored on Google’s servers in the USA.
The Google marketing services we use include the online advertising program ‘Google Ads’. In particular, we use the remarketing function within the Google Ads service. In the case of Google Ads, each Ads customer receives a different ‘conversion cookie’. Cookies cannot, therefore, be tracked using Ads customers’ websites. The information obtained using the conversion cookie is used to compile conversion statistics for Ads customers who have opted to use conversion tracking. The Ads customers find out the total number of users who clicked on their ad and were forwarded to a page featuring a conversion tracking tag. However, the Ads customers do not receive any information that can be used to identify users personally.
2.4.5 Google Ads (formerly “Google AdWords”) conversion tracking
- We use Google Ads (formerly Google AdWords) as an online marketing measure to advertise our products and services. We want to make more people aware of the high quality of our offers on the Internet and, for this purpose, adapt our advertising offer to their interests and needs. As part of our advertising measures through Google Ads, we use conversion tracking from Google Inc. on our website. In Europe, however, the company Google Ireland Limited (Gordon House, Barrow Street Dublin 4, Ireland) is responsible for all Google services.Google Ads (formerly Google AdWords) is the in-house online advertising system from Google Inc. We are convinced of the quality of our offer and want as many people as possible to get to know our website. Of course, we also want to get a precise overview of the cost-benefit factor of our advertising campaigns. That’s why we use the Google Ads conversion tracking tool.But what exactly is a conversion? A conversion occurs when you change from a purely interested website visitor to an acting visitor. This always happens when you click on our ad and then perform another action, such as visiting our website. We use Google’s conversion tracking tool to record what happens after a user clicks on our Google Ads ad. For example, we can see whether products are being purchased, services are being used or whether users have signed up for our newsletter.We use Google Ads to draw attention to our offer on other websites. The aim is that our advertising campaigns really only reach those people who are interested in our offers. With the conversion tracking tool, we see which keywords, ads, ad groups and campaigns lead to the desired customer actions. We see how many customers interact with our ads on a device and then convert. This data enables us to calculate our cost-benefit factor, measure the success of individual advertising measures and consequently optimize our online marketing measures. In addition, we can use the data obtained to make our website more interesting for you and adapt our advertising offer even more individually to your needs.
As soon as you complete an action on our website, Google recognizes a previously set cookie and saves your action as a so-called conversion. As long as you surf our website and the cookie has not yet expired, we and Google will recognize that you have found us via our Google Ads ad. The cookie is read and sent back to Google Ads with the conversion data. It is also possible that other cookies are used to measure conversions. Google Ads conversion tracking can be further refined and improved with the help of Google Analytics.
At this point we would like to point out that we have no influence on how Google uses the collected data. According to Google, the data is encrypted and stored on secure servers. In most cases, conversion cookies expire after 30 days and do not transmit any personal data. The cookies named “Conversion” and “_gac” (used in connection with Google Analytics) have an expiry date of 3 months.
You have the option not to participate in Google Ads conversion tracking. If you deactivate the Google conversion tracking cookie via your browser, you block conversion tracking. In this case, you will not be included in the statistics of the tracking tool. You can change the cookie settings in your browser at any time. Each browser works a little differently.
The legal basis for the processing of your data is our legitimate interest in drawing attention to our attractive offers on external websites in accordance with Article 6 Paragraph 1 Sentence 1 lit.
The legal basis for setting the cookie is your consent in accordance with Article 6 Paragraph 1 Clause 1 Letter a GDPR. You can find details on this under “Cookies”.
2.4.6 Facebook pixel
Inyova uses the ‘Facebook pixel’ of the social network ‘Facebook’, 1601 South California Avenue, Palo Alto, CA 94304, USA, within its website. What are known as ‘tracking pixels’ are integrated on the web pages. When customers visit our site, a direct connection is established between the browser of the customer and the Facebook server by means of the tracking pixel. Facebook thereby receives, amongst other, the information from the browser of the customer that our site was called up from his/her device. If the customer is a Facebook user, Facebook can assign the visit to our site to the user account of the customer. We would like to point out that we, as the operators of this website, are not aware of the content of the data transmitted or the purposes for which it is used by Facebook. We can only choose what segments of Facebook users (such as age, interests) to display our ads to. By accessing the pixel from the browser of the customer, Facebook can also see whether a Facebook ad was successful, e.g. led to an online agreement. This allows us to track the effectiveness of Facebook ads for statistical and market research purposes.
Please click here if you do not wish to have data collected using the Facebook pixel: https://www.facebook.com/settings?tab=ads#_=_. Alternatively, you can disable the Facebook pixel on the Digital Advertising Alliance site at the following link: http://www.aboutads.info/choices/.
2.4.7. Data processing by LinkedIn Insight Tag
Our website uses LinkedIn Corporation’s “LinkedIn Insight Tag” conversion tool. This tool creates a cookie in your web browser, which allows the collection u. following data: IP address, device and browser properties and page events (e.g. page views). This data is encrypted, anonymized within seven days and the anonymized
Data will be deleted within 90 days.
With the help of this technology, visitors to this website can be shown personalized advertisements on LinkedIn. It is also possible to create anonymous reports on the performance of the advertisements and information on website interaction. For this purpose, the LinkedIn Insight tag is integrated on this website, which establishes a connection to the LinkedIn server if you visit this website and are logged into your LinkedIn account at the same time.
LinkedIn itself also collects so-called log files (URL, referrer URL, IP address, device and browser properties and time of access). The IP addresses are shortened or (if they are used to reach LinkedIn members across devices) hashed (pseudonymized). The direct identifiers of LinkedIn members are deleted from LinkedIn after seven days. The remaining pseudonymised data will then be deleted within 90 days.
The data collected by LinkedIn cannot be determined by us as the website operator
assigned to individuals. LinkedIn will store the personal data collected from website visitors on its servers in the USA and use it as part of its own use advertising measures. Details can be found in LinkedIn’s data protection declaration at https://www.linkedin.com/legal/privacy-policy#choices-oblig./span>
- Legal basisLinkedIn Insight is used on the basis of Article 6 (1) (f) GDPR. The website operator has a legitimate interest in effective advertising measures, including social media. If a corresponding consent was requested (e.g. consent to the storage of cookies), the processing takes place exclusively on the basis of Art. 6 Para. 1
lit. a GDPR; the consent can be revoked at any time.
Data transfer to the USA is based on the standard contractual clauses of the EU Commission.
Details can be found here: https://www.linkedin.com/legal/l/dpa and
- Objection to the use of LinkedIn Insight TagObject to the analysis of usage behavior and targeted advertising by LinkedIn under the following link: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.
Furthermore, LinkedIn members can control the use of their personal data for advertising purposes in their account settings. To prevent LinkedIn from linking data collected on our website to your LinkedIn account, you must log out of your LinkedIn account before visiting our website.
- Order processing
We have concluded an order processing contract (AVV) with the above-mentioned provider. This is a contract required by data protection law, which ensures that the personal data of our website visitors is only processed according to our instructions and in compliance with the GDPR.
3. Purpose of processing and legal basis
Inyova processes the aforementioned personal data in accordance with the provisions set out in the General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG):
3.1 For the purpose of fulfilling contractual obligations (Article 6 (1) (b) of the GDPR):
Personal data processing is carried out for the provision of financial services in the context of the performance of Inyova’s agreements with its customers or for the performance of pre-contractual measures taken at the customers’ request. The purposes of data processing primarily depend on the specific product (see 2.) and may include (among other things) needs analyses, advice, asset management, investment support, and the execution of transactions. Customers can find further details on the purpose of data processing in the relevant contractual documents and terms and conditions.
Inyova processes the personal data of individuals within its suppliers’ organisations so it can obtain services from them. It also stores financial data so that it can pay for its suppliers’ services.
3.2 In the context of balancing of interests (Article 6 (1) (f) of the GDPR):
To the extent necessary, Inyova shall process customer data beyond the actual performance of the agreement to safeguard Inyova’s or third parties’ legitimate interests. Examples:
Exercising legal claims and defence during legal disputes
Ensuring Inyova’s IT security and IT operations
Preventing crime, and particularly preventing fraud
Conducting video surveillance for safeguarding domiciliary rights, for collecting evidence in the case of robberies and fraud offences
Measures for building and plant security (e.g. access controls)
Measures to ensure domiciliary rights
Measures for business management and further developing services and products
Ensuring a smooth connection is established to the website
Ensuring that Inyova’s website is convenient to use
Evaluating system security and stability, and
For other administrative purposes
In no case does Inyova use data to draw conclusions about the customer in question as an individual.
3.3 Based on the customer’s consent (Article 6 (1) (a) of the GDPR):
Insofar as the customer has given Inyova consent to process personal data for certain purposes (e.g. transfer of data within the network or to use their data for certain advertising purposes), the lawfulness of this processing is given based on the consent. Any consent given can be revoked at any time. The revocation is only effective for the future. Processing that took place before the revocation is not affected by the revocation. If Inyova would like to use the customer’s personal data for purposes other than those mentioned above, Inyova shall inform the customer accordingly and, if necessary, obtain the customer’s consent.
3.4 Based on legal requirements (Article 6 (1) (c) of the GDPR) or in the public interest (Article 6 (1) (e) of the GDPR):
As a financial services provider, Inyova is also subject to various legal obligations. This means that legal requirements (e.g. German Banking Act, German Money Laundering Act, German Securities Trading Act, tax laws) as well as banking supervisory requirements (e.g. of the European Central Bank, the European Banking Authority, the Deutsche Bundesbank and the German Federal Financial Supervisory Authority (BaFin)) must be met. The purposes of processing include (but are not limited to) verifying identity and age, preventing fraud and money laundering, ensuring compliance with sanctions and embargo provisions, responding to official enquiries from a competent governmental body or judicial authority, abiding by tax law monitoring and reporting obligations, and assessing and managing risks at Inyova.
4. Recipients of personal data belonging to customers
Within Inyova, access to the customer’s data is granted to those offices that need it to fulfil contractual and legal obligations. Service providers and vicarious agents employed by Inyova may also receive data for these purposes if they comply with banking secrecy and Inyova’s written instructions under data protection law.
With regard to the disclosure of data to recipients outside Inyova, it should first be noted that Inyova is obligated to maintain secrecy about all customer-related facts and evaluations that it becomes aware of.
Inyova may only pass on information about customers if doing so is required by law, if the customer has given their consent, and if processors commissioned by Inyova guarantee compliance with banking secrecy and the specifications set out in the General Data Protection Regulation / German Federal Data Protection Act in the same way. Under these conditions, recipients of personal data may be (for example):
Public bodies and institutions (e.g. Deutsche Bundesbank, the Federal Financial Supervisory Authority, the European Banking Authority, the European Central Bank, tax authorities, the Federal Central Tax Office) if a legal or regulatory obligation exists
Other credit and financial services providers, comparable institutions and processors to whom Inyova transfers personal data to carry out the business relationship with the customers. These companies are also legally or contractually obligated to treat personal data with the necessary care
Service providers who support Inyova, for example in the following activities: Supporting / maintaining EDP/IT applications, archiving, document processing, call centre services, compliance services, controlling, data screening for anti-money laundering purposes, data destruction, purchasing / procurement, credit processing service, recovery, customer management, letter shops, marketing, media technology, reporting, research, risk controlling, expense reporting, telephony, video identification, website management, securities services, share register, fund management, auditing services, payment transactions
Members of certain regulated professions such as lawyers, notaries or auditors
Other data recipients may be those bodies that the customers have given their consent to data transfer for
Note: Under no circumstances shall personal data be sold to third parties.
5. Data transfer to the USA or other third countries
The European Commission and US President Joe Biden have agreed on a new transatlantic data protection framework (EU-US Data Privacy Framework). This came into force on 10 July 2023. With the EU-US Privacy Shield, the use of tracking/analytics and marketing tools from the USA is permitted again.
In particular, note the further information on the tools and services we use in this data protection information regarding data transmission to the USA.
If other service providers from a third country are used, they are obliged to comply with the data protection level in Europe in addition to written instructions through the agreement of the EU standard contractual clauses. If you require a hard copy of these Terms or information as to their availability, you may contact Inyova in writing.
Many tools and services use so-called “cookies”. Typically, with their use, data transmissions to the USA with US providers such as Google, Facebook, Twitter, YouTube, LinkedIn, Instagram, etc. along. If you do not want this, make sure not to give the corresponding consent that we obtain when you visit the website.
Data transmission to Switzerland: For the provision of services to you, personal data is processed by the parent company of Inyova Impact Investing GmbH, Inyova AG in Switzerland. For Switzerland, there is an adequacy decision (Art. 45 Para. 3 GDPR) of the European Commission. This means that your personal data may be lawfully processed in Switzerland, as they enjoy adequate protection in Switzerland that is comparable to that in the European Union.
6. Data storage period
Inyova processes and stores personal data belonging to customers for as long as doing so is necessary for the fulfilment of contractual and legal obligations. It should be noted that the business relationship is a continuing obligation that is intended to last for several years. If the data is no longer required for the fulfilment of contractual or legal obligations, it is regularly deleted, unless further processing is (temporarily) necessary for the following purposes:
Fulfilment of retention periods under commercial and tax law. These include obligations arising from the German Commercial Code, the German Tax Code, the German Banking Act, the German Money Laundering Act and the German Securities Trading Act. The retention and documentation periods stipulated therein range from two to ten years.
Preservation of evidence under the statute of limitations. According to Section 195 et seq. of the German Civil Code (BGB), these limitation periods may be up to 30 years, with the regular limitation period being three years.
An indefinite retention period shall apply to applicants with whom an agreement is not subsequently concluded, but applicants retain the right to object to data storage and erasure at any point in time.
7. Protection of personal data
Inyova shall take reasonable and adequate measures that protect stored and processed information from misuse, loss or unauthorised access. Inyova has taken a number of technical and organizational measures for this purpose.
If you suspect that your personal information has been misused, lost or accessed without authorisation, please notify us as soon as possible.
8. Data protection rights under the General Data Protection Regulation
Every data subject has a right of access under Article 15 of the GDPR, a right to rectification under Article 16 of the GDPR, a right to erasure under Article 17 of the GDPR, a right to restriction of processing under Article 18 of the GDPR, a right to object under Article 21 of the GDPR, and the right to data portability under Article 20 of the GDPR. The restrictions according to Sections 34 and 35 of the German Federal Data Protection Act apply to the right of access and the right to erasure.
The right of access includes information about the purposes of processing, the categories of personal data, the categories of recipients to whom your data has been or is being disclosed, the planned duration of storage, the existence of a right to rectification, erasure, restriction of processing, objection or data portability, the existence of a right to lodge a complaint, the origin of your data if it was not collected by Inyova, and the existence of automated decision-making including profiling, as well as any meaningful information regarding details of the same.
The customer may (at any time) request that incorrect personal data be rectified immediately, or that personal data collected by Inyova be completed.
The customer may request that their personal data that Inyova stores about them be erased insofar as processing is unnecessary for exercising the right to freedom of expression and information, for fulfilling a legal obligation, for reasons of public interest or for establishing, exercising or defending legal claims. Inyova shall delete this data if none of the cases mentioned above apply. Inyova shall usually also include the customer’s name in the list of people who do not wish to be contacted. In this way, Inyova minimises the chance that customers will be contacted in the future if their data is collected separately under other circumstances.
Under certain circumstances, the customer may request that Inyova restrict processing of their personal data. This means that Inyova shall only store the customer’s data in the future and cannot carry out any further processing activities until: (i) one of the conditions listed below has been cleared, (ii) the customer has given their consent, or (iii) further processing is necessary to assert, exercise or defend legal claims, to protect the rights of others, or if doing so is necessary due to legitimate public interest of the EU or a Member State. The customer may request that Inyova restrict processing of their personal data under the following circumstances:
If the customer disputes the accuracy of the personal data that Inyova processes about them. In this case, Inyova’s processing of the customer’s personal data shall be restricted until the accuracy of the data has been verified.
If the customer objects to Inyova’s processing of their personal data in accordance with Inyova’s legitimate interests. In this case, the customer may request that the data be restricted while Inyova reviews its reasons for processing the customer’s personal data.
If Inyova’s processing of the customer’s data is unlawful, but the customer prefers to restrict Inyova’s processing instead of having the data deleted.
When there is no longer a need for Inyova to process the customer’s personal data, but the customer needs the data to assert, exercise or defend legal claims.
The customer may request receipt of their personal data that they provided to Inyova in a structured, commonly used and machine-readable format or transfer to another controller.
If a decision to conclude or perform an agreement has only been made in an automated process (Art. 22 of the GDPR) and this decision has a legal effect on the customer or the customer is significantly affected in a similar way, the customer may request that Inyova carry out a manual review again after they have explained their position to Inyova and requested the manual review. If such a decision is made, Inyova shall also inform the customer separately of the reason for and the scope and intended effects of such data processing.
The customer also has a right to lodge a complaint (according to Article 77 of the GDPR in conjunction with Section 19 of the German Federal Data Protection Act). The customer may contact the data protection officer in this regard on email@example.com.
In addition, the customer can contact the supervisory authority of their usual place of residence or workplace, or Inyova’s company headquarters for this purpose.
Inyova shall cease the relevant activities when the customer objects. This shall apply with the exception that Inyova can demonstrate that it has overriding legitimate grounds for processing that override the customer’s interests or that the data is processed to assert, exercise or defend a legal claim.
9. Obligation to provide data
In the context of the joint business relationship, the customer must provide such personal data as is required for establishing and performing a business relationship and fulfilling the associated contractual obligations or that Inyova is legally obligated to collect. Without this data, Inyova shall generally have to refuse to conclude the agreement or execute the order, or shall no longer be able to execute an existing agreement and may have to terminate it. In particular, Inyova is obligated under anti-money laundering regulations to identify the customer before the business relationship is established (e.g. by means of an ID card) and to collect and record the customer’s name, place of birth, date of birth, nationality, residential address and identification data. For Inyova to be able to comply with this statutory obligation, the customer must provideInyova with the necessary information and documents in accordance with Section 11 (6) of the German Money Laundering Act and immediately inform it of any changes arising in the course of the business relationship. If the customer fails to provide Inyova with the necessary information and documents, Inyova may not enter into or continue the business relationship requested by the customer.
10. Automated decision-making
As a matter of principle, Inyova does not use fully automated decision-making processes according to Article 22 of the GDPR to establish and implement the business relationship. If Inyova uses these processes in individual cases, customers shall be informed to this effect separately, insofar as is required by law.
To some extent, Inyova processes customers’ data automatically with the aim of assessing certain personal aspects (proﬁling). In so doing, Inyova uses proﬁling in the following case, for example:
Due to legal requirements, Inyova is obligated to combat money laundering and fraud. Data evaluations (e.g. in payment transactions) are also carried out. These measures also serve to protect customers.
If you register for our newsletter, we use the data required for this or separately provided by you in order to inform you regularly by e-mail about innovations, products or special offers that are of interest to you
The legal basis for this is your consent in accordance with Article 6 Paragraph 1 Clause 1 Letter a GDPR. We use the data collected in this way exclusively for sending the newsletter.
Unsubscribing from the newsletter is possible at any time and can be done either by sending a message to the contact option specified in this data protection declaration or via a link provided for this purpose in the newsletter.
After you have unsubscribed, we will delete your e-mail address from the newsletter account, unless you have expressly consented to further use of your data or we reserve the right to use data beyond this, which is permitted by law and about which we will inform you in this declaration.
13. (Online) application
Purpose and legal basis of processing
We process your personal data to establish an employment relationship in compliance with Article 6 (1) sentence 1 lit. b GDPR i. V. m. Art. 88 GDPR. The processing is carried out exclusively for the purpose of assessing your suitability, qualifications and professional performance with regard to the position for which you are applying.
We also process your personal data for specific purposes (e.g. for longer storage) if you have given us your consent to data processing within the meaning of Article 6 (1) sentence 1 lit. V. m. Art. 7 DSGVO have given.
We may be obliged to process your personal data in accordance with Article 6 Paragraph 1 Clause 1 Letter c GDPR. There may be various legal obligations in this regard (e.g. obligations under the German Commercial Code; the Tax Code; to store tax-relevant data; under the Social Code; under the General Equal Treatment Act; or other relevant regulations).
Type of data categories processed
We process personal data that we collect as part of the application process, e.g. B. through letter of application, CV, certificates, correspondence, telephone or oral information from you.
The following categories of data may be affected:
- Personal details (surname, first name, date of birth)
- Address data (address, place of residence)
- Contact details (telephone no., e-mail address)
- Application data (cover letter, certificates, CV)
- Special personal data (health data such as illnesses and disabilities)
- Recipients or categories of recipients of the data
Our human resources department and accounting department have access to your data, as does the specialist department for the position you applied for. Our administrators and processors have the technical ability to access data processed by IT. They are strictly bound by our instructions and may not process the data for their own purposes. In certain cases we have to disclose your personal data to third parties, such as our bank if you receive a reimbursement or the post office if we communicate with you by letter.
Furthermore, third parties may receive data for specific purposes if this is required by law as part of your application (e.g. notification to the Federal Employment Agency).
Duration of data storage
Your personal data will be stored for as long as is necessary to fulfill our contractual and legal obligations in the application process. If your application is successful, your personal data will be stored in your personnel file and used to implement and terminate the employment relationship.
If we are currently unable to offer you employment, we will process your data on the basis of our legitimate interests in accordance with Article 6 (1) sentence 1 lit. f GDPR for up to 6 months after the rejection was sent in order to be able to defend ourselves against any legal claims.
If you consent to the storage of your data beyond the prescribed period, the period can be correspondingly longer (max. two years).
In this case, a “recognition data record” is also saved. We need this data record in order to be able to recognize a renewed application from you. This contains the following data:
- Name first Name
- birth date
- E-mail address
- applicant number
and will be permanently deleted after 24 months.
If the data is no longer required for the fulfillment of contractual or legal obligations, it will be deleted, unless the storage is required due to legal retention periods (e.g. to fulfill commercial and tax retention periods of ten years).
14. Social media
We maintain publicly accessible profiles on social networks. You can find the individual social networks we use below.
Social networks can usually analyse your user behaviour comprehensively when you visit their website or a website with integrated social media content (e.g. Like buttons or advertising banners). Visiting our social media profile triggers numerous data protection-related processing operations.
If you are logged into your social media account and visit our social media profile, the operator of the social media portal can assign this visit to your user account. However, your personal data may also be recorded if you are not logged in or do not have an account with the respective social media portal. In this case, this data is collected, for example, via cookies that are stored on your end device or by recording your IP address.
With the help of the data collected in this way, the operators of the social media portals can create user profiles in which your preferences and interests are stored. In this way, you can be shown interest-based advertising inside and outside of the respective social media profile. If you have an account with the respective social network, interest-based advertising can be displayed on all devices on which you are logged in or were logged in.
Notice of Risks
We would like to point out that the respective providers may process user data outside of the European Union. This can result in risks for users, because e.g. B. the enforcement of user rights could be made more difficult. With regard to US providers who offer guarantees of a secure level of data protection through, for example, EU standard contractual clauses, we would like to point out that they undertake to comply with the data protection standards of the EU.
Purpose of Processing/Legal Basis
Our own processing of personal data on our social media presence is based on our legitimate interests in accordance with Article 6 Paragraph 1 Sentence 1 lit to find the publication and to communicate with the customers, interested parties and users active there. We have no influence on any further processing by the provider.
The legal basis for setting the aforementioned cookies is your consent in accordance with Article 6 Paragraph 1 Clause 1 Letter a GDPR. You can find details on this under “Cookies” or “Social Media Plugins” above.
If you visit one of our social media presences (e.g. Facebook), we are jointly responsible with the operator of the social media platform for the data processing operations triggered during this visit.
Please note that despite the joint responsibility with the social media portal operators, we do not have full influence on the data processing operations of the social media portals. Our options are largely based on the corporate policy of the respective provider.
In principle, you can exercise your rights both against us as well as the operator of the respective social media portal.
However, we would like to point out that these can be asserted most effectively with the operators. Only the operators have access to the data of the users and can directly take appropriate measures and provide information. If you still need help, feel free to contact Inyova.
The data collected directly by us via the social media profile will be deleted from our systems as soon as the purpose for storing it no longer applies, you request us to delete it, you revoke your consent to storage or the purpose for storing the data no longer applies. Saved cookies remain on your end device until you delete them. Mandatory legal provisions – especially retention periods – remain unaffected.
We have no influence on the storage period of your data, which is stored by the operators of the social networks for their own purposes. For details, please contact the operators of the social networks directly (e.g. in their data protection declaration, see below).
Provider data protection
For a detailed description of the respective forms of processing and the possibility of objection (opt-out), we refer to the data protection declarations and information provided by the providers of the respective social media networks, over which we have no influence and which apply when the respective sites are accessed.
Existing social media profiles
Furthermore, when using our fan page, Facebook provides us with statistical data of different categories (so-called “Insights data”), which we can call up accordingly. These Page Insights are aggregated data that help us understand how people interact with our Page. This includes: the total number of page views, likes, page activity, post interactions, video views, post reach, comments, shared content, replies, proportion of males and females, country and city origin, language, views and clicks in the shop, Clicks on route planners and clicks on phone numbers.
Learn more about Insights Data, including: to exercise your rights, you can get it at: https://www.facebook.com/legal/terms/information_about_page_insights_data.
According to Art. 26 GDPR, the fan page operator and Facebook are jointly responsible.
A corresponding agreement was made with the fan page operators (available at: https://www.facebook.com/legal/terms/page_controller_addendum).
Facebook assumes primary responsibility according to the GDPR for the processing of Insights data and will fulfill all obligations under the GDPR with regard to the processing of Insights data (including Articles 12 and 13 GDPR, Articles 15 to 22 GDPR and Articles 32 to 34 GDPR ) fulfill.
You can reach Facebook’s data protection officer via the general contact form at https://www.facebook.com/help/contact/540977946302970 or for insights data at https://www.facebook.com/help/contact/308592359910928
Service Provider: Twitter Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA; website: www.twitter.com; Data protection declaration: https://twitter.com/de/privacy, (settings) https://twitter.com/personalization
Service Provider: TikTok Technology Limits (“TikTok Ireland”), 10 Earlsfort Terrace, Dublin, D02 T380, Ireland; Data protection declaration: https://www.tiktok.com/legal/privacy-policy-eea?lang=de
15. Modification clause
Information about your right to object according to Article 21 of the General Data Protection Regulation (GDPR)
1. Individual right to object
You have the right, on grounds relating to your particular situation, to object at any time to processing of the personal data concerning you based on Art. 6 (1) (e) of the GDPR (data processing in the public interest) and Art. 6 (1) (f) of the GDPR (data processing based on balancing of interests); this also applies to profiling under the terms of Art. 4 (4) of the GDPR. If you file an objection, we shall no longer process your personal data unless we can demonstrate compelling and legitimate grounds for processing that override your interests, rights and freedoms, or if processing serves to assert, exercise or defend legal claims.
2. Right to object to data processing for advertising purpose
In individual cases, we process your personal data for the purpose of carrying out direct advertising. You have the right at any time to object to processing of the personal data concerning you for the purposes of such advertising; this also applies to profiling if it is in conjunction with such direct advertising. If you object to processing for the purposes of direct advertising, we shall no longer use your personal data for these purposes.
The objection can be made without any formalities and should, if possible, be sent by email to firstname.lastname@example.org.