Privacy and the security of transactions are core elements of cryptocurrencies, blockchain technology and its whole global movement. Bitpanda really appreciates the trust Clients have in us when trading cryptocurrencies and other digital assets on our platform.
For this reason, privacy and data security have an enormously high priority for the Bitpanda group. It is very important to us that you feel safe during your visit to our website and while using our services as well as over the course of all other business transactions with us. As soon as you make use of products and/or services of Bitpanda, you entrust us with the processing of your personal data. Bitpanda wants to give you the best possible experience with our platform to ensure that you enjoy the usage of our products and services now and in the future. That’s why we want to understand the user behaviour on our platform in order to continuously improve it.
Therefore, in this Privacy Notice, we want to transparently inform you which personal data we collect from you and why and who might receive it. Furthermore, we would like to inform you which precautions we take to protect your personal data, which rights you have in this context and to whom you can turn for data protection concerns.
Regarding the terms used in this Privacy Notice, such as “Processing” or “Controller”, we refer to the definitions of the GDPR.
This Privacy Notice is drafted in English and German. In case of conflict the English version shall be the binding version.
Bitpanda GmbH and its direct and indirect subsidiaries (hereinafter referred to as "Bitpanda" or "Bitpanda Group" or "we") offer via its websites (e.g.: www.bitpanda.com, exchange.bitpanda.com) and its mobile applications (“Mobile App”) (together hereinafter referred to as "website" or “platform”) services and products related to buying and selling cryptocurrencies and other digital assets as well as payment and IT services.
This Privacy Notice applies to all services and products regarding our platform (our Broker together with associated products), this website and our Helpdesk; and provides an overview in regards to the main actors when providing our Platform.
For users from certain countries or depending on the used services, other legal entities in the Bitpanda Group might be involved as service or content providers, such as:
No, the products and services of Bitpanda are not directed to people under the age of 18 years. Only persons of legal age are permitted to use the services of Bitpanda and register for an account. Therefore, we are not knowingly collecting personal data from minors. So, if you are under the age of 18 years, please do not use Bitpanda’s platform and do not provide us with any personal data.
Bitpanda is aware that both the protection and the careful handling of your personal data are very important. Bitpanda will solely use the Personal Data provided by you in compliance with the applicable data protection laws and this Privacy Notice.
Generally, each company of the Bitpanda Group is a Controller pursuant to Art 4 para 7 GDPR and therefore responsible for the processing of personal data in connection with the services provided by the specific company (for the different services see Point 2). In some cases, entities of Bitpanda might act as Processor pursuant to Art 4 para 8 GDPR on behalf of each other.
Due to the high data security standards in the Bitpanda Group, Bitpanda considers it necessary to implement a group-wide uniform data protection strategy. Thus, Bitpanda GmbH acts as a central point of contact for all data protection issues concerning all services offered by the Bitpanda Group via the platform or the Mobile App.
If you have any questions in connection with the processing of your personal data and the exercising of your rights under GDPR, you can contact our privacy team: firstname.lastname@example.org Please note that for certain requests, we require further identification data from you (e.g. Passport, ID card, etc), in order to ensure that your personal data is only shared with you.
If Bitpanda Group acts together with other parties as Joint Controller (e.g. processing data for jointly determined purposes within the Bitpanda Group), we provide those parties with personal data if applicable and based on at least one of the legal bases listed under Point 7. In case of a joint controllership, we transmit your personal data only based on a sufficient agreement with our partners (Art 26 GDPR). However, no sensitive payment data will be transmitted within the Bitpanda Group.
Bitpanda will only share your personal data with other third parties if a legal basis applies. This may be due to our contract with you, our legitimate interests, a legal obligation or your prior consent (withdrawable at any time).
This Privacy Notice also sets out the more specific data protection information in regards to Bitpanda GmbH’s subsidiaries such as Bitpanda Payments GmbH (provides different payment services via the platform) and Bitpanda Financial Services GmbH (service provider for the reception and transmission of orders regarding digital securities in accordance with the Austrian Securities Supervision Act 2018 - Wertpapieraufsichtsgesetz 2018 or “WAG”).
When you use our payment initiation services, we will only process your personal data with your consent or due to a contractual obligation towards you and we will not request any data from you other than those necessary to provide this service. Furthermore, we won’t use, access or store any data for purposes other than for the performance of the payment initiation service as explicitly requested by you. All personal data which is necessary to provide the payment service (especially your security credentials) is not accessible by any other party other than Bitpanda Payments and only transmitted by us through safe and efficient channels. After the performance of the service Bitpanda Payments will not store your sensitive payment data.Bitpanda Payments offers the following services (hereinafter referred to as "payment services"):
When you use our financial services, we will only process your personal data with a valid legal basis (Art 6 GDPR) and we will not request any data from you other than those necessary to provide this service
Financial Services offers the following services (hereinafter referred to as "financial services"):
We process the personal data that we receive from you within the scope of the business relationship and your usage of our Website or Mobile App (Platform) and payment services. Furthermore, we might process data we receive within the Bitpanda Group and data we have received from credit agencies, debtor directories, business analysis providers (e.g. Credit Information Services, Business and financial information companies, Security companies, etc..), and from publicly accessible sources (e.g.: commercial register, register of associations, land register, media, sanctions lists).
For users of Bitpanda Custody, we want to point out two specific data categories:
All processing is performed in accordance with applicable data protection legislation. This includes, inter alia, the EU General Data Protection Regulation (GDPR), the E-Privacy Directive and the national implementing acts (e.g. the Austrian Data Protection Act). Generally, we process your personal data based on one of the legal bases listed below.
If we ask you to provide any personal data not described in point 7, then such data and the purpose and legal basis for the collection and processing, will be communicated to the Client at the point of collecting the personal data.
Additionally we adhere to international standards that help trace and combat illicit activities in the financial sphere, such as those set by the Financial Action Task Force (FAFT). We process your personal data
7.1. For the performance of contractual obligations (Art 6 para 1 lit b GDPR):
Processing of personal data might be necessary for the performance of the contract with you or in order to take steps at your request prior to entering into a contract. The following data processing operations, for example, are covered by such contractual obligations:
7.2. For compliance with legal obligations (Art 6 para 1 lit c GDPR):
Processing of personal data might also be necessary for complying with various legal obligations (e.g. 5. AMLD, ZaDiG 2018, GewO 1994, FATF Travel Rule etc.). The following data processing operations, for example, are covered by such legal obligations:
7.3. To protect legitimate interests (Art 6 para 1 lit f GDPR):
Where necessary, data processing might take place beyond the performance of the contract in order to maintain the legitimate interests of Bitpanda or a third party. The following data processing operations are covered by such a legitimate interest:
7.4. Based on your consent (Art 6 para 1 lit a GDPR):
If you have given us your consent to process your personal data, processing will only take place in accordance with the defined purposes and to the extent agreed in the declaration of consent. Given consent may be withdrawn at any time without giving reasons and with future effect, if you no longer agree to the processing. For example, with your consent we are processing data for the following purposes:
Please note that the withdrawal of the consent does not affect the lawfulness of processing based on consent before its withdrawal.
7.5. Processing for other purposes:
As a general principle of Bitpanda, we only process personal data for the purposes for which they were collected. In exceptional cases, however, we might process your personal data which we have collected for one specific purpose for another purpose. In this case, we will inform you before the intended processing about this purpose, the period for which your personal data will be stored, the exercise of data subject rights, the option to withdraw consent, the existence of the right to file a complaint with the data protection authority, whether provision of the data was necessary on legal or contractual grounds and what the consequences would be if it were not provided, and whether automated decision-making or profiling is carried out.
This term stems from Art 9 GDPR and includes data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, as well as genetic and biometric data (Art 9 para 1 GDPR). In general, Bitpanda does not process such categories of personal data, with twofold exceptions being for the purposes of identity verification, and fraud prevention as per Art 9 para 2 lit g GDPR and §21 (6) FmGwG the Financial Market Money Laundering Act (FmGwG) respectively.
During your onboarding you may be asked to complete identity verification via auto-ident procedures in which, in addition to the actual verification data (e.g. screenshots of ID documents and identification data from these, residence, status of politically exposed persons, video data, etc.), biometric data (e.g. personal data resulting from specific technical processing in connection with the physical, physiological or behavioural characteristics of a person and enabling the unique identification of a person, e.g. facial images, dactyloscopic data) is also collected. Such processing of biometric data takes place on the basis of your express consent, which you may revoke at any time, and on the basis of substantial public interest as outlined in Art 9 GDPR. Therefore, we also process and store the provided biometrical data on the grounds of public interest for the purposes of fraud prevention (§21 (6) FmGwG).
The biometric data will be processed solely by our service providers and will be erased completely within 3 years after performing the identification. Bitpanda only receives the positive or negative verification result alongside other verification data and does not process biometric data from Clients itself at any time.
The protection and confidentiality of your personal data is important to Bitpanda Group. Therefore, we transfer your personal data only to the extent described below or within the scope of an instruction at the time the data is collected from you. In addition, personal data that we collect concerning you will neither be sold by us nor otherwise disclosed to third parties and in general limited to the recipients in the following four groups:
9.1. Data transfer within the Bitpanda Group:
Within the Bitpanda Group, your personal data will be shared between companies: if there is a legal basis as described above. This happens for internal administrative purposes to conduct internal administrative activities efficiently. Our employees treat your data with the highest security standards and also only have access on a need-to-know basis. In all these cases only those offices or employees will receive your personal data who need it to fulfil the contractual and legal obligations and legitimate interests.
If a company acts as a service provider for Bitpanda Payments or Financial Services, we contractually oblige this company to ensure the confidentiality and security of your personal data that they process on our behalf.
9.2. Data transfer to Processors
To a limited extent, we also transmit personal information to Processors. Such include, inter alia, service providers for video authentication services, IT services, Client support, improvement of our website, monitoring of defective business cases, application management. Processors may only use or disclose this data to the extent necessary to perform services for us or to comply with legal requirements. We contractually oblige these Processors to ensure the confidentiality and security of your personal data that they process on our behalf.
9.3. Data transfer to public bodies and institutions:
We might also transfer your personal data might be disclosed to public bodies and institutions (i) if we are required to do so by law or in the context of legal proceedings, (ii) if we believe that disclosure is necessary to prevent damages or financial loss, or (iii) in connection with an investigation into suspected or actual fraudulent or illegal activities.
9.4. Data transfer to other third parties:
Bitpanda will only share your personal data with other third parties if a legal basis applies. This may be due to our contract with you, our legitimate interests, a legal obligation or your prior consent (withdrawable at any time).
We want to especially highlight five types of third parties that we might have to share data with:
Bitpanda will process your personal data in general within the European Economic Area. In some circumstances it might be the case that it is processed also outside the European Economic Area. If this is the case, we will rely on appropriate data transfer mechanisms according to Art 44 et seq GDPR. This might be, inter alia:
Regardless of where your personal data is processed, it will be processed in accordance with the provisions in the Privacy Notice, including the technical and organisational measures outlined in point 17.
Bitpanda maintains social media presence on different platforms (see below) in order to communicate with its active Clients, prospective Clients and interested social media users about Bitpanda’s services, products and other news. For your own use of such social media platforms, the general terms and conditions, as well as the privacy policies and practises (e.g. processing outside of the European Economic Area) of these operators, apply. We would like to point out that user data may also be processed outside the European Union. This can result in risks for users due to different legal frameworks (e.g. it could make it more difficult to enforce data subject rights).
Facebook Insights: Bitpanda maintains a Facebook Fanpage (“Fanpage”) and uses the associated analytic tool “Facebook Insights”. With this tool, Bitpanda receives anonymous statistical evaluations about its Fanpage (e.g. number of visitors, frequency, target groups, etc.). For the processing of personal data in this context Bitpanda and Facebook Ireland Limited (“Facebook”) are joint controllers (Art 4 para 7 GDPR) and therefor jointly responsible for the data processing. A corresponding agreement is in place between Bitpanda and Facebook in accordance with 26 para 1 GDPR, which can be accessed via this link. However, Bitpanda does not store any of this data, the data is solely stored by Facebook and processed via Insights. For all questions and inquiries regarding Facebook Insight, Facebook acts as single point of contact and can be contacted via this link.
If you would like to receive more information in regards to our existing product, related news or new launches, you might want to read our newsletter. We will only send newsletters and other electronic notifications to you if you are subscribed. This will only be the case:
If you need a break from our newsletter or do not want to receive it anymore, you may unsubscribe at any time. This, you can either do via your Bitpanda account or via an unsubscribe link at the end of a newsletter email.
We retain and process your personal data only as long as absolutely necessary. This means for the duration of the entire business relationship (from initiation through performance to termination of a contract), and after that for how long applicable legal retention periods stipulate. Beyond this we retain your data only for a longer period, in accordance with statutory retention and documentation obligations or to defend legal claims. When we perform payment initiation services for you, we will not store the sensitive payment data obtained thereby.
Statutory retention periods applicable to Bitpanda are, inter alia:
Therefore, your personal data will only be kept as long as absolutely necessary per the conditions above, after which it will be erased from our systems.
|Right of access (Art 15 GDPR)||You have the right to request confirmation from us as to whether we are processing personal data concerning you and to receive a copy of the personal data concerning you which is undergoing processing. This right can also be exercised directly from either the web or mobile application from our Privacy and Terms section.|
|Right to rectification (Art 16 GDPR)||You can at any time request to rectify incorrect data and provide supplementary information to an incomplete record.|
|Right to erasure (Art 17 GDPR)||You can at any time ask us to delete the personal data we have stored about you, which we will act upon unless there is an overriding exception. We will not be able to comply with your request if we still need to process the data in relation to the purposes for which we collected them in the first place (e.g. you are still in an active business relationship with us). Another case where we might deny your request is if you withdraw your consent on which the processing was based but there is another legal basis or overriding legitimate interest on our side for that. The most important case where we cannot delete your data is when we are required to retain it for compliance with a legal obligation under European Union or Member state law that we are subject to. In any other case, we will gladly follow-up on your request.|
|Right to restriction of processing (Art 18 GDPR)||You have the right to ask us to restrict the processing of your personal data where one of the following conditions applies: |
|Right to data portability (Art 20 GDPR)||You have the right to receive the personal data concerning you which you have provided to us in a structured, commonly used and machine-readable format. You shall also have the right to request that we transfer these data directly to another controller, designated by you, where this is technically feasible and does not adversely affect the rights and freedoms of others. The right to data portability may only be exercised where the basis of the processing is either your consent or a (pre)contractual necessity, and where the processing is carried out by automated means. The right to data portability does not apply to processing which is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.|
|Right to object (Art 21 GDPR)||You have the right to object on grounds relating to your particular situation to the processing of your personal data at any time if the processing is based on our legitimate interests. We will stop processing your data for this purpose unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or unless the processing is for the assertion, exercise or defence of legal claims. In regards to personal data processed for direct marketing purposes, you can object at any time by contacting us via the listed contact points. Your objection does not affect the lawfulness of processing your personal data based on legitimate interests before your withdrawal|
|Right to withdraw consent (Art 7(3) GDPR)||You have the right to at any time withdraw your consent for processing, upon which we will stop processing your personal data based on this legal basis unless a different legal basis is applicable. The withdrawal does not affect the lawfulness of processing your personal data based on legitimate interests before your withdrawal.|
|Right to not be subject to automated decision-making (Art 22 GDPR)||Bitpanda does not use personal data for automated decision-making including profiling within the meaning of Art 22 GDPR (e.g. decisions producing legal effects concerning data subjects, or otherwise significantly affecting them, based solely on automated processing of personal data, including profiling).|
To exercise one of the above-mentioned rights you can approach us either via our Support or simply send an email to email@example.com or a letter to Bitpanda GmbH, Stella-Klein-Löw Weg 17, 1020 Vienna, Austria. Please note that for such requests we require further identification data from you (e.g. copy of Passport, ID card, etc), in order to ensure that your personal data is only shared with you.
Bitpanda does not use personal data for automated decision-making including profiling within the meaning of Art 22 GDPR (e.g. decisions producing legal effects concerning data subjects, or otherwise significantly affecting them, based solely on automated processing of personal data, including profiling).
You have the right to file a complaint to the competent supervisory authority, if you think your rights have been violated under the GDPR. In Austria, this is the Data Protection Authority (Datenschutzbehörde).
How do I give my consent and how can I withdraw my consent?You have the right to withdraw your consent at any time to the Bitpanda Financial Services GmbH, Stella-Klein-Löw Weg 17, 1020 Vienna, Austria, or via email to firstname.lastname@example.org. Please keep in mind that we might not be able to provide all our services to you anymore, if you withdraw your consent. The withdrawal of your consent does not affect the lawfulness of processing your personal data based on consent before your withdrawal.
Bitpanda offers its own Bitpanda Technology Solution (BTS) This allows the offer of Bitpanda products to customers of certain partners. For this, the infrastructure of Bitpanda is used. Furthermore, to provide the service it is necessary that personal data is transferred between Bitpanda and their partners. Point 17 is only applicable to the data processing of customers of BTS partners.
Bitpanda will receive any personal data which is necessary to open a verified account and process them in its role as Controller. Among this data will be name, address, verification data and KYC data (please refer to point 5 and 6). Furthermore, Bitpanda is required to share personal data with the concerned BTS partner, when it is necessary for providing the service (please refer to point 6).
For the fulfilment of the service, it is necessary to process personal data for the performance of the contract. Furthermore, the processing of, for example, KYC data is necessary due to a legal obligation (please refer to point 7).
We won’t receive any data which is not necessary for providing the services of Bitpanda. In other words, all data, which is solely necessary for the main service of the partner, won't be transferred to Bitpanda.
Current Bitpanda Technology Solution Customers
|Lydia Solutions SAS||14 Avenue de l’Opéra, 75001 Paris||Link|
|Plum Fintech CY Limited||Panteli Katelari 21, 1097, Nikosija, Cyprus||Link|
|Plum Money CY Limited||47 28th October Avenue, Office 202, 2414, Nikosija, Cyprus||Link|
|N26 Bank GmbH||Klosterstraße 62, 10179 Berlin, Germany||Link|
|Hype S.p.A.||Piazza Gaudenzio Sella, 1 - 13900 - Biella||Link|
|P.F.C. Technology AB.||Hälsingegatan 49, 113 31 Stockholm, Box 55983, 102 16 Stockholm||Link|
The security of data is very important to Bitpanda and we are committed to protecting data we collect. We maintain comprehensive administrative, technical and physical measures designed to protect your personal data against accidental, unlawful or unauthorised destruction, loss, alteration, access, disclosure or use. These measures meet the highest international safety standards and are regularly reviewed regarding their effectiveness and suitability for achieving the intended safety objectives.
We have implemented the following technical and organisational measures for example:
Please also make sure that you use the two-factor authentication (2FA) for your Bitpanda account, keep your access data confidential and protect your computer against unauthorised access.