1.3 The Customer is obliged to keep his personal data correct and up to date.
2.1 When using Bitpanda's services or interacting with Bitpanda the following personal data are processed:
(a) Contact data: e.g. when creating a new user account or communicating with Bitpanda (i.e. name, address, telephone number, email, birthdate, password in encrypted form) depending on the level of verification.
(b) Verification data: when an account is verified (i.e. screenshots of national identity documents, like passport, driving license ID card, and identification data from these documents, utility bill details for residence verification)
(c) Financial data: in the course of purchase and sale transactions (i.e. bank details payment service provider information, payment details, transaction-ID).
(d) Log data: during activities on the Website, (i.e. IP-address, transaction data, deposit and withdrawal address, computer or mobile device information, IP-address, operating system, browser type, device type, unique device identification number).
(e) Company details if a business account is requested (i.e. commercial register report, data of or concerning beneficial owners, records or additional information on recent, past or planned business activities, other data necessary to determine/validate the structure, the beneficial ownership or any power of attorney of the company).
(f) Details to and proof of funds: i.e. banking statements or any other details provided by banks or financial institutions, contracts of sales or contracts in general, or any other suitable data to prove or determine the origin of funds, if exceeding the daily/monthly or general limits on Bitpanda or upgrading to Bitpanda Plus “High Limit Service or OTC Service” (more info https://www.bitpanda.com/plus). In order to determine Customer's purpose for using the above-mentioned services or trading volume additional information on recent, past or planned business or personal activities of business or private Customers or other data to determine the Customer’s intentions, if necessary, can be processed, as requested by Bitpanda or provided by the Customer.
(g) Personal data provided to the support team when the Customer submits a request to Bitpanda's support team or any other member of the Bitpanda team.
2.2 The personal data are used for the purpose of performing the contract or in order to take steps at the request of the data subject prior to entering into a contract, verification of the Customer’s identity, prevention of fraud and misuse, risk management, payment processing and chargebacks, proof of purchase and selling, comparison during the course of business, to respond to Customer service and support requests, inform about important updates of Bitpanda's services and terms, and analyse and improve the website's quality and usage experience. The personal data listed above under 2.1 a), b), c), d), e), f) and g) are required for entering into and performance of the contract. If Customer fails to provide such data Bitpanda will not be able to provide its services to the Customer.
The basis for such processing is contract performance (Art 6 para 1 lit b GDPR), compliance with legal obligations to which Bitpanda is subject (Art 6 para 1 lit c GDPR), and Bitpanda's legitimate interests in measures regarding prevention of fraud and misuse of its services (e.g. for illegal purposes) and risk management when operating its business and interacting with Customers (Art 6 para 1 lit f GDPR). Upon the Customer's prior consent (Art 6 para 1 lit a GDPR) the personal data may be used for marketing, direct advertisement (see point 5 "Newsletters" below), and Website analysis and improvement (see point 4 "Cookies" below).
2.3 If Bitpanda will ask to provide any other personal data not described above, then such data and the purpose and legal basis for the collection and processing, will be communicated to the Customer at the point of collecting the personal data.
3.1 The Customer agrees, that for the purpose of the identity verification, personal data will be forwarded to one of the following verification provider which the Customer choses: IDnow GmbH, Auenstraße 100, 80469 Munich, Germany; verify- U AG, Peter-Sander-Straße 41a, 55252 Mainz-Kastel, Germany; WEBID SOLUTIONS GMBH, Friedrichstraße 88, 10117 Berlin, Germany; identity Trust Management AG, Lierenfelder Straße 51, 40231 D¨sseldorf, Germany. When selecting a Verification provider, the respective companies are clearly stated as IdentityTM, IDNow, WEBID and verify-U. Depending on the level of verification the following personal data may be transferred to the chosen verification provider first name, surname, address, birthdate, email address, telephone number. Only for the verification level „Gold“ or the „Gold verification“ the Customer's identity will be checked via a video-identification process. Without providing the personal data required for the respective level the verification is not possible.
3.2 For purposes of AML (anti-money-laundering) and CFT (Combating the Financing of Terrorism) Bitpanda conducts - based on its legitimate interest to prevent fraud and misuse of its services (Art 6 para 1 lit f GDPR) - an examination of politically exposed persons and sanctioned persons in the course of the Know-Your-Customer process for the level "Gold verification" only. Therefore, after completion of the video verification for level Gold Customer's name and date of birth – and in case of opening a company account the company's name and its companies register excerpt (including name, address and birth date of its owners, representative bodies, e.g. managing directors, and authorized proxies contained therein) - will be transferred to and checked by Factiva Limited, 1 London Bridge Street, London SE1 9GF, United Kingdom, against a register of politically exposed persons and sanctioned persons. Without the transfer and check of these data it is not possible to open an account with Bitpanda. Based on this check Factiva Limited informs Bitpanda whether the Customer is a politically exposed persons or sanctioned persons. For further information on the possible results and consequences of the due diligence process please see Bitpanda's Terms and Conditions.
3.3 In case Customer uses the "Bitpanda support tool" provided by Zendesk Inc, 1019 Market St., San Francisco, CA 94103, USA, or submitting a support request to "[email protected]" Customer's personal data (e-mail address, name, IP-address and the additional data submitted directly by the Customer to handle the support request) are transferred to and processed by Zendesk, Inc in the USA. Zendesk, Inc is certified under the EU/US Privacy Shield. The USA is a country for which an adequate level of data protection has not been determined. Subject to local provisions Customer's personal data may be accessed by authorities of such country in accordance with local laws and regulations.
3.4 Further, Bitpanda may share the personal data with
(a) our employees who need them to fulfill contractual and legal obligations and legitimate interests, its subsidiary Pantos GmbH, Vienna, Austria, for the purpose of processing the Initial Coin Offerings ("Pantos ICO") or to perform crowdsales and to its subsidiary Bitpanda UK Limited, London, United Kingdom, for the purpose of processing payments made by the Customer required to complete the transaction. A list of Bitpanda's current group companies is available here:
(c) affiliate marketing partners if Customer registers to the "Bitpanda Affiliate Program". In the context of the registration Customer is informed about the affiliate partners to whom the personal data (first name, last name, company name, web URL, address, contact number, email address, and any other personal data directly transferred to the affiailite partner by the Customer) will be sent. Without the transfer of the information to the affiliate partner the participation in the affiliate program is not possible.
(d) to any competent law enforcement body, regulatory, government agency, court or other third party where disclosure is necessary (i) as a matter of applicable law or regulation, (ii) to exercise, establish or defend our legal rights, or (iii) to protect your vital interests or those of any other person;
(f) to any other person with Customer's consent to the disclosure.
4.1 During the use of the Website, personal data may be collected through automatic data collection methods, such as cookies. Cookies are small data files which are saved to the Customer's computer or device and allow an analysis of the Customer’s usage behaviour on the Website. The personal data collected are computer or device information, including IP address, operating system, browser type, device type, unique device identification number, and data which represent the usage behaviour on the Website (e.g. the time spent on the Website, which pages were accessed or links clicked). These data are collected by Bitpanda to analyse and evaluate the effectiveness of Website and to improve its quality for a better Customer experience.
4.4 On behalf of Bitpanda, Google will use this information to evaluate the usage of the Website for reports about the Website activity and to fulfil further services towards the Website owners concerning the activity on the Website and internet. The Customer's IP address acquired from Google Analytics, will not be merged with other data from Google.
4.6 The Customer can disable cookies to be saved with specific browser settings; thereby the Customer might not be able to use all the offered functions on the Website to their full extent. Furthermore, the Customer can disable the collected website specific data (IP address) through cookies to be send and processed by Google, by downloading and installing the following browser plugin (http://tools.google.com/dlpage/gaoptout?hl=de).
5.1 Upon Customer's consent his email address, name, last login date, register date will be passed on to UAB "MailerLite", Paupio g. 28, LT-11341 Vilnius, Lithuania in order to receive per email newsletters and information from Bitpanda and its subsidiary Pantos GmbH regarding Bitpanda's and Pantos GmbH's events, new products, services and app features.
6.1 Bitpanda erases the Customer's personal data in principal 1 year after termination of the contractual relationship or before if the data is not required for the purpose for which they were collected anymore. A longer retention may be necessary due to guarantee, warranty, statute of limitations (e.g. the limitation period for damages of 3 years or in specific cases the general limitation period of 30 years according to the Austrian General Civil Code (ABGB)) and statutory retention periods (e.g. under commercial or tax law) applicable to Bitpanda, or for the duration of any legal disputes in which the data are required as evidence or for as long as there are other legitimate interests in retention.
7.1 In accordance with applicable law, the Customer has the right to access, correct, request deletion of his personal data, to object to the processing of his personal data, and to dataportability of his personal data, to request restriction of the processing of his personal data. To exercise these rights the Customer can send an email to [email protected] or a letter to Bitpanda GmbH, Campus 2, Jakov-Lind-Straße 2, 1020, Austria. Bitpanda does not use personal data for automated decisions within the meaning of Art 22 GDPR (i.e. decisions producing legal effects concerning data subjects, or otherwise significantly affecting them, based solely on automated processing of personal data, including profiling).
7.2 The Customer has the right to file a complaint to the competent data protection authority, when he believes his data protection rights have been violated.
8.2 Further, by checking the respective separate box the Customer can consent that his email address name, last login date, register date will be sent to UAB "MailerLite" in order to receive marketing communication as described in point 5 above.
The Customer has the right to withdraw his consents at any time via mail to Bitpanda GmbH, Campus 2, Jakov-Lind-Straße 2, 1020, Austria, or via E-Mail to [email protected]. The withdrawal of his consent does not affect the lawfulness of processing based on consent before its withdrawal.