In a nutshell:
In general, our websites may be used anonymously. Providing personal data is purely voluntary and you will always be informed if and for what purpose we want to store your data. Personal data are data that enable us to identify you personally and/or to contact you, such as your name, address, or e-mail address.
1. Who we are and how you can reach us
The controller of the processing of personal data on this website is:
2. What data we do (not) process, for what purpose, for how long and on what legal basis
2.1. Anonymous use of our website
You may use our website anonymously. When you visit our website, your device tells our web server your IP address so that communication is possible. Your IP address may be used to identify you. However, we do not store your IP address. You remain completely anonymous to us when visiting our website.
2.2. Logging and evaluation in case of attacks
Error messages – usually caused by attack attempts – are recorded and evaluated for reasons of security. Only the following data that may allow identification are used with respect to the recording of error messages: Your IP address, date and time, exact name (URL) of the requested data file(s), HTTP status code, volume of data transferred, referrer (web address from which the page was requested), browser identification string that is sent from your browser (User Agent String). Such data shall be deleted after 30 days if they are no longer useful (possibly for evidence).
The legal basis for data processing is Art. 6 para. 1 subpara. 1 letter f GDPR1. The legitimate interests in processing on the basis of Art. 6 para. 1 para. 1 letter f GDPR are ensuring of the functionality and security of our website as well as defence against attacks and other abuses.
2.3. Data processing upon use of the account chooser (selection of the bank when using yes®)
If you use yes®, for example to identify yourself with a merchant via your online banking, you will be directed to the yes® Account Chooser. Here you select your bank participating in yes® and are then forwarded to this bank. To ease the choice of your bank, we will provide a selection of regional banks based upon your anonymized IP- adress.To avoid having to select your bank in the future, your selection will be saved in your browser. To make this possible, a so-called cookie, a text file, with the BIC (worldwide bank code) of your bank is stored in your browser. This cookie does not contain any further information. You can delete the cookie at any time via your browser or by clicking the following link (https://accounts.yes.com/cookie). If the cookie is deleted, you must select your bank again the next time you use yes®. If you don’t want to save the aforementioned cookie and choose your bank manually each time you use yes®, simply click the following link: https://accounts.yes.com/cookie.
2.4. Data processing upon contact
If you call us or send us a message, for example via the contact form or by e-mail, we need your e-mail address, your postal address or a telephone number if you want us to reply to you. You may also use a pseudonym instead of your name. We will use this data as well as data and time of your contact exclusively to handle your request unless it is recognizable as a business-related inquiry. In the event of a business contact, we will use your data for customer and prospective customer care, in particular in order to contact you individually (as far as this is legally permitted) – if necessary after researching further data –, to present you offers and clarify your need for our services and/or the possibility of cooperation when we consider this to be in your interest. Your data will normally not be passed on to third parties. If we find that we are not competent to deal with your inquiry and furthermore are unable to help you (e.g. if you write to us but your inquiry concerns the yes® specific service of your bank), we will endeavour to forward your inquiry to the right contact or at least to tell you the right contact, unless this is clearly not in your interest. We will delete your data as soon as it is no longer needed for the respective purpose, i.e. usually three months after the last contact with you; however, for reasons of proportionality, we collectively delete all inquiries that are due for deletion only once a quarter. If you have any further questions, please contact us again within three months. In case we process your data for the purpose of customer and prospective customer care, we will delete your data as soon as you object to the processing or by 31 March of the second calendar year after your last business-related communication or expression of interest.
The legal basis for the data processing is Art. 6 para. 1 subpara. 1 letters b and f GDPR. The legitimate interest in processing on the basis of Art. 6 para. 1 subpara. 1 letter f GDPR is to fulfil your request or, by forwarding your request, to ensure that your request will be fulfilled or, when processing your data for the purpose of customer and prospective customer care, to promote the use of our services and corresponding advertising.
Exceptions: We are required to retain business and commercial letters and other tax-relevant documents in order to fulfil our commercial and tax law archiving obligations; we will usually delete them by 31 March of the seventh calendar year following their creation, and in the case of booking receipts of the eleventh calendar year following their creation.
The storage period of your data may differ from the above mentioned periods due to legal archiving and limitation periods, for example due to §§ 195 ff. BGB4.
If your request is for a special purpose (job application), only the explanations in the respective section for that special purpose apply to data processing in this context. You may receive these separately.
2.5. Data processing upon job applications
When you apply for a job with us, we will process the information we receive from you during the application process, e.g. by letter of application, CV, references, correspondence, telephone or verbal information. In addition to your contact details, your education, work experience and skills are of particular relevance to us; without this information, we will not be able to determine your suitability and will not be able to take your application into account. We will only judge you by your suitability for the respective job so that you do not have to send us a photo or give us information about your family situation, etc. Since most of our jobs are security-relevant and in many positions, especially in the technical area, application documents alone are not sufficient to assess your suitability, we also for example want to look at source code created by you; for this reason, we usually conduct background checks on applicants on the Internet. However, we limit ourselves to public information in professional networks, code repositories, technical platforms such as for discussing problems. We would be pleased if you would point out representative work to us by stating your user name. We do not persist the information mentioned above.
Your data will initially be processed exclusively for the purpose of the application procedure. If your application is successful, it will be used in your personnel file and for the execution and termination of the employment relationship and deleted in accordance with the regulations applicable to personnel files. If we are currently unable to offer you employment, we will continue to process your data for up to six months after the notification of rejection in order to defend ourselves against possible legal claims. If you receive cost reimbursements or other tax-relevant transactions (e.g. invitation to a meal), the corresponding accounting documents will usually be kept until March 31 of the eleventh calendar year after payment at the latest, in the case of commercial and business letters and other tax-relevant documents of the seventh calendar year after their creation in order to fulfil the commercial and tax retention obligations.
The legal basis for data processing in the application procedure and as part of the personnel file are Section 26 para. 1 sentence 1 BDSG and Art. 6 para. 1 subpara. 1 letter b GDPR and, if you have given your consent, Art. 6 para. 1 subpara. 1 letter a GDPR. For background checks during job application, the legal basis is Section 26 para. 1 sentence 1 BDSG5 and Art. 6 para. 1 subpara. 1 letters b and f and, if applicable, Art. 9 para. 2 letter e GDPR, with the legitimate interests of ensuring operational safety and selecting suitable applicants. The legal basis for data processing after a refusal is Art. 6 para. 1 subpara. 1 letter f GDPR. The legitimate interest in this case is the defence against legal claims. The legal basis for the retention under commercial and tax law is Art. 6 para. 1 subpara. 1 lit. c GDPR in connection with Sections 147 AO, 257 HGB.
In general, we do not need to have any special categories of personal data within the meaning of Art. 9 GDPR for the application process such as information about your health, religion, ethnic origin, sexual orientation. We ask you not to send us any such information from the outset. If such information exceptionally is relevant to the application process, we will process it together with your other applicant data. This may include, for example, information about a severe disability which you may voluntarily provide us with and which we must then process in order to fulfil our special obligations with regard to severely disabled persons. In these cases, processing serves the exercise of rights or the fulfilment of legal obligations under labour law, social security law and social protection.The legal basis for data processing is then Art. 9 para. 2 lit. b GDPR, Sections 26 para. 3 BDSG, 164 SGB IX6.
2.6. Data processing upon analysis
To continuously improve our service, we measure the frequency of search entries, which banks are selected, and whether bank selection has been successfully completed or canceled when you use our yes® Account Chooser. We use the specialized service provider Mixpanel for this purpose. The user behavior is transmitted anonymously, so that neither a cookie is set for recognition nor the IP address is stored.
The legal basis for data processing is Art. 6 para. 1 subpara. 1 letter f GDPR. The legitimate interests in processing on the basis of Art. 6 para. 1 para. 1 letter f GDPR is the improvement of the yes® service.
2.7. Data processing for access to specifications and providing information regarding updates
To access our specifications, we need your email address to send you information about important updates. Your information will not be shared with third parties and we will only use it to send you information about updates (additions, changes, etc.) to the specifications and to give you access. You will first receive an email with a link that you must click to confirm that you wish to receive updates and activate access (“double opt-in”). This way, we prevent anyone from ordering updates on your behalf. Only after this confirmation do we save your registration to receive the updates and access the specifications. We will also save your confirmation to verify that you have registered. For the purpose of sending you information about updates and granting you access, we will retain your information until you withdraw your consent or the service is terminated. You may revoke your consent to receive update information at any time via a link included in any email. We store your consent for the purpose of proving consent by 31 March of the fourth calendar year following the last date on which information was sent.
To give you actual access to the specifications, we store a cookie with a personal code in your browser. This cookie is valid for two years and gives you access to the specifications. You can delete the cookie at any time via your browser or on the website https://yes.com/docs/cookie. If the cookie is deleted, you will need to log in again to access the specifications.
For the processing for the purpose of accessing the specifications and sending updates, the legal basis is Art. 6 para. 1 para. 1 letter a GDPR. For processing for the purpose of proof of consent, the legal basis is Art. 6 para. 1 subpara. 1 letter c in connection with Art. 5 para. 2 GDPR, Art. 7 para. 1 GDPR and Art. 24 para. 1 GDPR as well as Art. 6 para. 1 para. 1 letter f GDPR. The legitimate interest in processing on the basis of Art. 6 para. 1 para. 1 letter f GDPR is the proof of your consent, i.e. the defence against legal claims. For the processing for the purpose of granting access to the specifications and providing information regarding updates, in particular for setting the cookie, the legal basis is Art. 6 para. 1 para. 1 letters b and f GDPR, the legitimate interest for this is restricting access to the specifications to authorized persons and sending updates (changes, additions, etc.).
3. Voluntary provision of your data
You are not obliged to provide us with personal data. If you do not provide us with certain information that we need to handle your request (for example a way to contact you if you want an answer from us), we may not be able to do so. In the context of special procedures (e.g. when using the yes® Account Chooser) it may be necessary for you to provide us with certain information because otherwise we will not be able, for example, to redirect you to the bank log-in website. However, we will always point this out to you in the specific situation.
4. Recipients of the data
Your personal data will remain in our area of responsibility, except in special exceptional cases (e.g. in the event that we forward an inquiry erroneously addressed to us to the right contact), in which we expressly inform you, however, to whom your data will be sent. In some cases it may be necessary to pass on your data to external advisors, for example in the case of legal disputes to lawyers (legal basis Art. 6 para. 1 subpara. 1 letter f GDPR; purpose and legitimate interest: establishment, exercise or defence of legal claims). Our administrators have the possibility to access data processed by IT. We list further recipients of your data in the notes on the respective data processing. In certain cases, we may need to disclose your personal data to third parties so that you can obtain the desired service (e.g. reimbursement of costs in an application procedure), in particular to vicarious agents such as tax accountants, banks and other payment service providers as well as postal service providers.
In certain areas, such as web hosting, e-mail hosting, ticket system, analysis and Customer Relationship Management (CRM), we use specialized service providers:
Microsoft Ireland Operations Limited, 70 Sir John Rogerson’s Quay, Dublin 2, Ireland;
Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland;
Atlassian Pty Ltd, Level 6, 341 George St, Sydney NSW 2000, Australia
Pipedrive Inc, 460 Park Ave South, New York, NY 10016, USA;
Mixpanel, Inc., One Front Street, 28th Floor, San Francisco, California 94111, USA.
These are strictly bound to our instructions by an agreement on commissioned data processing and may not process the data for their own purposes. Processing by these data processors and their data processors takes place only in the EU with the exception of the following corporations which are certified Privacy Shield participants and provide an adequate data protection level as ascertained by the EU-commission in an adequacy decision:
Privacy Shield Participation:
Privacy Shield Participation:
Privacy Shield Participation:
Privacy Shield Participation:
Privacy Shield Participation
5. Automated decision making, profiling
Automated decision making or profiling does not take place.
6. Your rights
You have a right of access, to rectification or erasure, restriction of processing, to object to processing and to data portability under the respective statutory preconditions with regard to the personal data concerning you. In particular, you have the right to object to the processing of your data for advertising purposes at any time without incurring costs other than the transmission costs according to the basic rates of your provider (e.g. the costs of an e-mail = usually none). If data processing is based on consent, you have the right to withdraw your consent at any time without affecting the lawfulness of the processing carried out on the basis of consent until the withdrawal or of the processing on another legal basis. If you want to exercise these rights, you can simply write to firstname.lastname@example.org. If we call you, you can of course also tell us directly in the conversation.
You also have the right to complain to a data protection supervisory authority about our processing of your personal
data, for example to the German supervisory authorities which are responsible for us. You will find a list of
supervisory authorities by clicking on the following link:
If you have any questions or requests regarding data protection, please feel free to contact us by mail to email@example.com any time.
7. Your right to object to processing
To the extent that processing of your personal data is based on Art. 6 para. 1 subpara. 1 lit. e or f GDPR, you have the right to object to processing in accordance with Art. 21 GDPR. If your objection is made for reasons arising from your particular situation, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms of or for the establishment, exercise or defence of legal claims. If your objection is directed against direct marketing, including profiling, insofar as it is connected with such direct marketing, we will no longer process your personal data for these purposes.
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), as amended from time to time. ↩
Fiscal Code of Germany in the version promulgated on 1 October 2002 (Federal Law Gazette [Bundesgesetzblatt] I p. 3866; 2003 I p. 61), last amended by Article 17 of the Act of 17 July 2017 (Federal Law Gazette I p. 2541), as amended from time to time. ↩
Commercial Code in the revised version published in the Bundesgesetzblatt (BGBl., Federal Law Gazette), Part III, Section 4100-1, Book 1, as amended by Article 11 of the Act of 18 July 2017 (Federal Law Gazette Part I p. 2745), Book 2, as amended by Article 3 of the Act of 22 December 2015 (Federal Law Gazette Part I p. 2567), and Book 5, as amended by Article 5 of the Act dated 5 July 2016 (Federal Law Gazette Part I p. 1578), as amended from time to time. ↩
Civil Code in the version promulgated on 2 January 2002 (Federal Law Gazette [Bundesgesetzblatt] I page 42, 2909; 2003 I page 738), last amended by Article 4 para. 5 of the Act of 1 October 2013 (Federal Law Gazette I page 3719), as amended from time to time. ↩
Federal Data Protection Act of 30 June 2017 (Federal Law Gazette I p. 2097), as amended from time to time. ↩
Social Code, Book IX, of 23 December 2016 (Federal Law Gazette I p. 3234), last amended by Article 5 of the Act of 8 July 2019 (Federal Law Gazette I p. 1025), as amended from time to time. ↩