Privacy Policy

Data protection information in accordance with Art. 13, 14 GDPR 


First Data GmbH, Marienbader Platz 1, 61348 Bad Homburg (hereinafter "Fiserv"), hereby informs you about the processing of your personal data (Art. 4 No. 2 General Data Protection Regulation (hereinafter "GDPR")) by Fiserv and the rights to which you are entitled under data protection law in connection with the app TransactVerify. Fiserv specifically notes that your issuer may have privacy policies that apply in addition to these terms.


1.      Who is responsible for data processing and who can I contact?

The controller is First Data GmbH, Marienbader Platz 1, 61348 Bad Homburg, Germany.

The data protection officer of Fiserv can be contacted at

Fiserv uses the service provider Netcetera AG, 8040 Zurich, Switzerland (hereinafter “Netcetera”) for the operation of the authentication server for Mastercard Secure Code (3D-Secure)..


2.      What sources and data does Fiserv use?

2.1    Fiserv only processes data that is required to ensure the operation of the app.

2.2    During the registration, a connection is created via the credit card number entered in the app and the number of the app installation on your mobile device (the so-called emCertID). The credit card number and associated emCertID are transmitted to Fiserv and its service provider Netcetera. Fiserv and Netcetera are thus able to send you a push message to your mobile device during an online purchase, if necessary, via which you confirm the purchase and thus your identity. No data is stored in the app itself. The list of any cards already registered in the app is retrieved from the server each time the app is opened and discarded when the app is closed. In addition, the card numbers are only partially displayed (masked).

2.3    As part of the registration process, the user will be asked to initiate and confirm the sending of a code by letter, by 1-cent transaction or by SMS. In the case of a code by SMS, the last four digits of your card number, the expiry date of your card, your date of birth and your telephone number will be requested for identity verification. 

2.4    To use the optional card scanner function or the offline payment approval, the app also requires authorization to open the camera.


3.      What does Fiserv process your data for (purpose of processing) and on what legal basis?

Fiserv does not transfer data to any other countries than Germany and Switzerland. All data is provided by you, your employer or your card issuer. Data is stored up to 13 months (for example for legal disputes).

Fiserv processes your personal data for the following purposes and on the following legal basis:


Legal basis

Our legitimate interest

Recipients of the data

Display transactions

Legitimate Interest

Ensuring that transactions can only be seen by the right person and from the right device.



Display eStatements

Legitimate Interest

Fulfillment of contractual obligations

Ensuring that eStatements can only be seen by the right person and from the right device.

Operating mandatory service: Statements



Approve Transactions via 3D Secure

Fulfillment of contractual obligations

Operating mandatory service: 3D Secure



3D Secure registration

Fulfillment of contractual obligations

Operating mandatory service: 3D Secure



Display of card balance

Legitimate Interest

Operating service: card Balance




4.      Who receives my data?

4.1    Within Fiserv, those departments that require your data to fulfill Fiserv's contractual and legal obligations will receive it. 

4.2    Processors used by Fiserv (Art. 28 GDPR) may also receive data for these purposes. 

These are initially companies within the Fiserv group of companies to which Fiserv outsources the processing of services, e.g. operational and IT services, in particular FDR Limited, LLC, Zweigniederlassung Deutschland, 90459 Nuremberg (card application processing, cardholder support and correspondence, call center, fraud prevention, money laundering monitoring, processing of payment complaints and chargebacks), or sanctions list monitoring.

        Recipients outside the Fiserv Group are the following processors of Fiserv in accordance with Art. 28 GDPR: 

  • Netcetera AG, 8040 Zurich, Switzerland: Operation of the authentication server for Mastercard Secure Code (3D-Secure);
  • Deutsche Telekom Business Solutions GmbH, 53227 Bonn: Sending mTAN via SMS;


4.3   Information about you may be disclosed to other recipients outside Fiserv if this is permitted or required by law, if this is necessary for the performance of the card contract or if you have given your consent. Under these conditions, recipients of personal data may be, for example

  • Your employer (company credit card and employee salary card) 
  • If applicable, a credit institution with which your employer works in connection with the cards for its employees (in the case of company credit cards and employee salary cards);
  • Public bodies and institutions (e.g. Deutsche Bundesbank, Federal Financial Supervisory Authority, tax authorities, money laundering reporting offices, investigating authorities, Central Financial Transaction Investigation Unit (FIU)) in the event of a legal or official obligation;
  • Credit and financial services institutions or comparable institutions to which Fiserv transmits personal data for the execution of the card contract (e.g. your house bank);
  • Mastercard Europe SPRL, 1410 Waterloo, Belgium;
  • AWP P&C S.A. Niederlassung für Deutschland, 85609 Aschheim: Insurance (only if insurance is claimed to confirm your eligibility).

4.4 Other data recipients may be those bodies for which you have given Fiserv your consent to data transfer.


5.      How long will my data be stored?

If necessary, Fiserv processes and stores your personal data for the duration of the card contract. 

In addition, Fiserv is subject to various retention and documentation obligations arising from the German Commercial Code (HGB), the German Fiscal Code (AO), the German Payment Services Supervision Act (ZAG) and the German Money Laundering Act (GwG), among others. The retention and documentation periods specified there are up to ten years.

Finally, the storage period is also assessed according to the statutory limitation periods, which, for example, according to §§195 ff. of the German Civil Code (BGB), are generally 3 years, but in some cases can be up to 30 years.


6.      Is data transferred to a third country or to an international organization?

Personal data will only be transferred to third countries (countries outside the European Economic Area (EEA)) if the third country has been confirmed by the EU Commission to have an adequate level of data protection or if other appropriate data protection guarantees (e.g. binding corporate rules or EU standard data protection clauses) have been agreed or if you have given your consent to Fiserv.


7.      What data protection rights do I have?

Every data subject has the right of access under Art. 15 GDPR, the right to rectification under Art. 16 GDPR, the right to erasure under Art. 17 GDPR, the right to restriction of processing under Art. 18 GDPR and the right to data portability under Art. 20 GDPR. The restrictions under Sections 34 and 35 of the German Federal Data Protection Act (BDSG) apply to the right of access and the right to erasure. 

In addition, you have the right to lodge a complaint with the data protection supervisory authority in your federal state (Art. 77 GDPR in conjunction with Section 19 BDSG).

You can contact Fiserv's data protection officer at


8.      Do I have an obligation to provide data?

You only need to provide the personal data that is required for operating the app  

In particular, Fiserv is obliged under money laundering regulations to identify you, if the card contract is concluded between Fiserv and you, before concluding the card contract, for example by means of your official identification document and to collect your name, your place of birth, your date of birth, your nationality and your residential address, or, if the card contract is concluded between Fiserv and your employer, to collect at least your name and possibly other information before concluding the card contract. In order for Fiserv to be able to fulfill this legal obligation, Fiserv requires the information and any documents required under the German Money Laundering Act (GwG) and, if there are any changes in the course of the card contract, immediate notification of the change and any amended documents. If Fiserv does not receive the necessary information and documents, Fiserv may not conclude or continue the card contract.


Information about your right to object in accordance with Art. 21 General Data Protection Regulation (GDPR)

You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on point (f) of Article 6(1) GDPR (data processing on the basis of a balancing of interests); this also applies to profiling based on this provision within the meaning of Article 4(4) GDPR, which Fiserv uses to assess creditworthiness. 

If you object, Fiserv will no longer process your personal data unless Fiserv can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defense of legal claims.


Information on the processing of personal data in accordance with the EU Funds Transfer Regulation

The "Regulation (EU) 2015/847 of the European Parliament and of the Council of May 20, 2015 on information accompanying transfers of funds" (EU Funds Transfer Regulation) serves the purpose of preventing, detecting and investigating money laundering and terrorist financing in connection with transfers of funds. It obliges Fiserv to check and transmit information on the payer and the payee when executing money transfers. This information consists of the name and customer ID of the payer and payee and the address of the payer. In the case of transfers of funds within the European Economic Area, the payer's address may initially not be forwarded, but this information may be requested by the payee's payment service provider. Fiserv uses the data stored in its systems to provide the name and, where applicable, the address in order to comply with the legal requirements. The regulation ensures that the payer and payee can always be clearly identified from the payment transaction data records themselves. This also means that Fiserv must check payment data, answer queries from other