(updated on: July 17th 2018)
Data protection statement of BillPay GmbH
In this data protection statement, you will learn how BillPay collects and processes your personal information. You will also be informed as to what rights you have vis-a-vis BillPay and how you can exercise these rights. You can contact us at any time if you have any questions regarding data protection or the protection of your privacy by sending an email to: email@example.com.
BillPay is aware that the careful handling of your personal information is important to you. Therefore, your personal information will only be collected, processed, used, saved and, if necessary, transmitted in accordance with the relevant data protection provisions for the following purposes:
Information regarding the controller
The controller within the meaning of the German Data Protection Act responsible for data collection and processing in relation this website as well as with regard to the use of BillPay’s methods of payment is BillPay GmbH, a company of the Klarna Group, whose headquarters is located at Zinnowitzer Straße 1, 10115 Berlin. For further information, please refer to BillPay’s Impressum.
What information do we collect from you?
The information that we save and process comes from various sources. For example, the online seller in whose shop you have made purchases provides us with information about you and your order. If necessary, we may obtain further information about you from third parties such as information agencies. In addition, you naturally share information with us directly when you communicate with us or use our customer portal. In general, we may collect and process the following information concerning you:
- Personal and contact information. Name, title, date of birth, street, house number, postcode, city, email address, telephone number.
- Payment information. Billing information, bank account.
- Information about goods/services. Information about products you order such as shopping cart and order history.
- Financial information. Scores shares by information agencies.
- Historical information. Information about your previous purchases with BillPay and payment history.
- Device-related information. For example, the internet protocol address (IP address).
If the payment methods “on account” and “direct debit” of BillPay are selected, we will hold the payment claim. If you select certain payment methods, in particular “PayLater/Ratenkauf”, net-m privatbank 1891 AG, Odeonsplatz 18, 80539 Munich (hereinafter “net-m”) will be the holder of the claim (net-m payment method). In this case, BillPay will be responsible for settling the payment and the associated data processing for net-m as a technical service provider. You can find out whether the payment method you have chosen is an net-m payment method by referring to the general terms and conditions regarding payments methods. Information collected will generally only be used for the purposes of payment settlement and in this regard, to fulfil a contractual obligation with us. The individual processing steps are described below.
How do we use your information?
Payment settlement, payment reminders and debt collection
As the holder of the payment claim of your contractual obligation with the seller (e.g. purchase), we are equally entitled to collect information about you which is required to enforce this payment obligation. This also includes the processing of information for the purpose of payment reminders and debt collections. For this purpose, your information may also be shared with third-parties whom we engage. The legal basis for the processing of data in this respect is the need to fulfil the contractual payment obligation.
If you have selected an instalment plan via BillPay, your information will be sent to the partner company GiroSolution AG, Hauptstraße 27, 88699 Frickingen, and processed, saved and used by the latter in order to enable the first instalment payment. The legal basis for the processing of data in this respect is the need to fulfil the contractual payment obligation.
If you select BillPay payment methods, BillPay will check, taking into account any possible default risks, if your wish can be fulfilled or if another payment method can be offered with the agreement of the seller. For this purpose, BillPay will conduct its own identity and credit investigation after confirming the desired payment method. The legal basis for the processing of data in this respect is the need to fulfil the contractual payment obligation.
As part of this identity and credit investigation, the seller will share your information (last name, first name, title, street, house number, postcode, city, date of birth, email address, telephone number and, for purchases paid by direct debit, the bank account submitted, and any other personal details) as well as information connected with your order (e.g. shopping cart, order history, payment experiences, IP address, and personal information together with personal details) with BillPay.
BillPay shares personal information collected as part of this contractual relationship regarding the application procedure, execution and end of this business relationship, as well as information regarding breaches of contract or fraudulent conduct, with information agencies. The legal basis for the sharing of data is the need to fulfil the contractual payment obligation. The purpose of sharing information with the information agencies is also to meet statutory obligations to carry out investigations of the creditworthiness of customers (sections 505a and 506 of the German Civil Code (Bürgerliches Gesetzbuch).
The information agencies process the information received for the purpose of profiling (scoring) so that they can give information regarding inter alia the credit assessments of natural persons to contractual partners in the European Economic Area and Switzerland as well as potentially other third countries (if the the European Commission has issued a decision that it finds the third country concerned to have suitable data protection mechanisms). Your data may be shared with the following information agencies:
CRIF Bürgel GmbH, Radlkoferstraße 2,
D-81373 Munich, tel.: +49 40 89803-0, fax: -777/ 778
You can find more information about the activity of CRIF Bürgel GmbH in the fact sheet as per Art. 14 DSGVO or online at
Creditreform Boniversum GmbH, Hellersbergstraße 11,
D-41460 Neuss, tel.: +49 (0)2131-109-501, fax: -557
You can find more information about the activity of Creditreform Boniversum GmbH in the fact sheet as per Art. 14 DSGVO or online at
SCHUFA Holding AG, Kormoranweg 5,
(You can obtain information about the information saved concerning you from SCHUFA Holding AG, Verbraucherservice, Postfach 5640, 30056 Hannover)
You can find more information about the activity of SCHUFA in the SCHUFA fact sheet as per Art. 14 DS-GVO or online at
Regis24 GmbH, Wallstraße 58,
D-10719 Berlin, tel.: +49 (0)30 44350-240, fax: -249
You can find more information about the activity of Regis24 GmbH in the fact sheet as per Art. 14 DSGVO or online at
Bisnode Deutschland GmbH, Robert-Bosch-Straße 11,
D-64293 Darmstadt, tel.: +49 (0)6151 380-0, fax: -360
You can find more information about the activity of Bisnode Deutschland GmbH at
Arvato Infoscore Consumer Data GmbH, Rheinstraße 99,
You can find more information about the activity of Arvato infoscore Consumer Data GmbH in the fact sheet as per Art. 14 GDPR or online at
CRIF GmbH, Diefenbachgasse 35/1,
A-1150 Vienna, tel.: +43 (0)1 897 42 440, fax: +43 (0)1 897 42 431
You can find more information about the activity of CRIF GmbH in the fact sheet as per Art. 14 DSGVO or online at
Bisnode Austria Holding GmbH, Geiselbergstraße 17,
A-1110 Vienna, tel.: +43 (0)1 58861-0, fax: +43 (0)1 58861-3444
You can find more information about the activity of Bisnode Austria Holding GmbH at
CRIF AG, Hagenholzstrasse 81,
CH-8050 Zurich, Tel.: +41 (0)44 913 50 58
Bisnode D&B Schweiz AG, Grossmattstrasse 9,
CH-8902 Urdorf, Tel.: +41 (0)44 735 61 11, Fax: +41 (0)44 735 61 61
Experian Information Solutions, Inc., Postbus 16604,
2500 BP Den Haag
Regarding Switzerland, an EU adequacy decision pursuant to Art. 45 para. 3 GDPR has been adopted. Consequently, the level of data protection available in Switzerland is also adequate.
BillPay is part of Klarna Group. Therefore, other Group companies, in particular Klarna Bank AB (publ), Sveavägen 46, 113 43 Stockholm, Sweden (“Klarna”), may also be included in the credit investigation described above. As a result, the findings of a credit investigation may be shared to a limited extent with Klarna in order to improve the findings and processed by Klarna for its own future credit investigations. Conversely, the credit investigation and any decisions made on the basis of its result may, in some cases, be undertaken entirely by Klarna for the further performance of the contract. In this case, the relevant positive and negative payment experiences will first be transferred to Klarna and then deleted after the transaction is completed. The legal basis for sharing this information is the legitimate administrative interest of BillPay to compare and harmonise the decisions of the credit investigation with Group companies.
The decision to permit you to use the payment methods of BillPay is an automated decision made on a case-by-case basis in accordance with Art. 22 German General Data Protection Regulation (Datenschutz-Grundverordnung, DSGVO). This automatic decision is required for BillPay to assume and enforce the payment claim against you. If the score obtained for your creditworthiness is below a predefined limit, you will not be offered any BillPay payment methods. This will not involve any human judgement or decision-making. You have the right, if the use of BillPay payment methods is not permitted, to contact BillPay and to present your position and to argue for a change of decision. For this purpose, please contact firstname.lastname@example.org.
For the purpose of preventing fraud, your information will also be analysed using certain parameters for patterns of improper or fraudulent conduct. External tools may be used for this purpose. In this case, your information will be transmitted on the basis of an order processing agreement. Information regarding conduct in breach of contract may also be shared with the aforementioned information agencies. Legal basis for processing is our legitimate interest in preventing fraud in the use of our services.
BillPay has hired the services, particularly as processor for fraud prevention through device fingerprinting, of ThreatMetrix Inc., 160 W. Santa Clara Street, Suite 1400, San Jose, 95113 California, USA. For these purposes, your IP address is processed in the USA and linked to other non personal data to generate a device fingerprint which can be used to recognize your device when you use BillPay again. An adequate level of protection is guaranteed through an agreement signed with ThreatMetrix Inc., which includes standard contractual clauses pursuant to Art. 46 II c) and Art. 93 II GDPR.
General data analysis
We analyse the customer information collected to improve our services and plan the prepared resources. The legal basis for the processing of data in this regard is our legitimate interest in the further development and improvement of our services as well as in part the need to fulfil the contract.
Communication with you
We may also use the contact information you submit to contact you by telephone or email and to inform you about BillPay’s services which you have previously selected or services similar to these. If you do not wish to be contacted, you can inform us of this at any time and without incurring any separate costs by writing to email@example.com.
Compliance with statutory obligations
We also process your information if this is required to fulfil statutory obligations such as the storage of business documents or to fulfil a statutory obligation to share or otherwise disclose information. The legal basis in this respect is the need to fulfil a legal obligation.
Data processing in relation to the website
Personal information is processed in our website if this is required for the comfortable and error-free functionality of the website and the use of its features such as the processing of an inquiry. The scope of the data processing also depends on which features of the website you use. Unless otherwise stated below, the legal basis of the processing is our legitimate interest in the provision of the website and the respective features.
When simply visiting our website, we save data about the connection (server log files). This information will be sent to us by your browser. This information is required for technical purposes to ensure the functionality of the website. This may comprise the following information:
- Time stamp of access (date and time)
- The amount of data transmitted
- Referrer (website from which you come to us)
- The browser used
- The operating system used
- Your IP address
The data processing is based on our legitimate interest to provide the website and to ensure and improve its functionality. The server log files continue to be saved after your visit ends in order to recognise and prevent any improper use.
You can register for a customer account to manage your payments. To register, the password to be defined by you must be transmitted. This will only be used to process and settle your payment and to implement the features of your account. The legal basis for this is that it is required in order to perform the contract.
If you use the contact from on our website to send us an inquiry, we will collect the following information for this purpose: Last name, first name and your email address as well as, if necessary, personal information which you voluntarily disclose in your inquiry. We use your information solely to respond to your inquiry. The legal basis for the processing in this respect is our legitimate interest in ensuring the functionality of the account and responding to your inquiry. If your inquiry directly intends to conclude a contract, the legal basis is the necessity for the pre-contractual obligation.
If you would like to apply to us, you can do so centrally via the website of Klarna AB https://www.klarna.com/careers/locations/berlin/. Further details of the applicable rules can be found in the applicable data protection statement of Klarna AB.
To optimise the user experience on this website, BillPay uses the services of the content delivery network (“CDN”) of Akamai Technologies AB, Hemvärnsgatan 9, 17154 Solna, Sweden and the latter’s parent company Akamai Inc., 150 Broadway, Cambridge, 02142 MA, USA. For this purpose, the web content requested from BillPay websites is routed over the Akamai server network. As a general rule, servers in proximity to the site user’s place of retrieval are used. By way of exception (for instance, in the event of attack, where site users are found outside the EU or should congestion be experienced within the EU), content can be directed over servers outside the EU, in particular servers in the United States. During utilisation of the CDN, both your IP address and data regarding your Internet use will, for technical reasons, be processed and analysed for fraud prevention purposes by Akamai. Both Akamai Technologies AB and Akamai Inc. fully comply with data protection requirements in all contract implementation. We have entered into agreements with both Akamai Technologies AB and Akamai Inc. including standard contractual clauses pursuant to Art 46 II c) and Art. 93 II GDPR in order to guarantee an adequate level of protection.
Description of the individual legal bases of processing
The following provisions apply to the legal bases of the individual processing activities described above.
|Reason for processing||Legal basis||Explanation||Processing activity||Automated decision on case-by-case basis|
|GDPR||Art. 22 I, II No. a), III|
|Contract performance||Art. 6 Para. 1 b)||Data will only be processed to the extent required to perform and fulfil the rights and obligations arising from the contract. Unless expressly specified otherwise, BillPay will only process data to this extent.||
payment reminders and debt collection,
Communication with you,
Data processing in relation to the website,
|legitimate interest||Art. 6 Para. 1 f)||Data will be processed if BillPay has a legitimate interest to do so and there are no apparent conflicting, predominant interests on your part. The specific nature of the interest is described in this data protection statement in the description of the processing of data.||
General data analysis,
Cookies or similar storage technology,
|legal obligation||Art. 6 Para. 1 c)||Data will be processed if this is required to fulfil German or European statutory obligations.||
Compliance with statutory obligations,
With whom can we share your information?
In certain circumstances, BillPay will also share your information with selected third parties. We always take appropriate legal, technical and organisational measures to ensure that your data is treated securely and that an appropriate level of protection is maintained when transferring your data to selected third parties. This involves the following specific categories of recipient:
Companies of the Klarna Group. BillPay may share your personal information with other companies of the Klarna Group. This will be done if there is an administrative interest in sharing the information. In all other cases, the companies can be involved as subcontractors (see next paragraph).
Subcontractors. BillPay may share your personal information with subcontractors and other third parties involved in the provision of services in order to fulfil the contractual obligations with you or for other purposes described in this data protection statement. This is always done on the basis of an order processing agreement in accordance with the DSGVO.
Sellers. BillPay also shares your personal information with the online seller with whom you made your purchase, provided this is required for payment settlement or the transaction with the online seller. The processing of personal information shared with the online seller is subject to the data protection provisions of the seller.
Information agencies. Information is also shared with information agencies to the extent described above for the purpose of identity and credit investigations as well as to prevent fraud.
State agencies. To fulfil statutory obligations, information is shared with the relevant state agencies.
What we will NOT do with your information. BillPay will not sell your personal information to third parties for marketing purposes.
Where do we save your personal information?
Your information will only be processed and stored within the European Economic Area. In certain circumstances, your may be transmitted by a company of the Klarna Group to a service provider or subcontractor in countries outside of the EU/European Economic Area and stored there. In this case, you will be informed about this separately in this data protection statement. BillPay will then take appropriate contractual, technical and organisational measures to ensure that your data is handled securely and that a level of protection is guaranteed which is commensurate with the data protection requirements within the EU/European Economic Area.
For how long do we save your personal information?
We delete your personal information as soon as the legal basis for the processing of your information no longer exists and there are no statutory obligations to store this information.
Your rights regarding your personal information
You have various rights in relation to the processing of your information by BillPay.
Access under Art. 15 GDPR: In any case, you can request information about your stored data free of charge.
Rectification under Art. 16 GDPR: If BillPay has saved incorrect information about you, you have the right in principle for the error to be corrected. However, on the basis of the existing risk of misuse, the correction of data must be done via the online seller with whom you made your purchase. In exceptional cases, BillPay may also make corrections directly. This requires proof of identity and that the change requested be correct. As an online seller, you may request the correction of incorrect information at any time. To do this, please write to the contact address specified in this data protection statement.
Erasure under Art. 17 GDPR: In addition, you may have the right to block or delete your data. However, this right exists only if BillPay has no statutory obligation to store this data or another legal basis for the processing exists.
Restriction of processing under Art. 18 GDPR: You have the right to obtain restriction of processing of your personal data when one of the reasons given in Art. 18 GDPR applies, in particular, upon request, instead of an erasure of your data.
Data portability under Art. 20 GDPR: You can also request your data in a structured, customary and machine-readable format.
If you would like to request information, please write to:
To exercise your other rights, to ask questions about the collection, processing or use of personal information, to contest a particular automated decision or to withdraw consent which you have previously given, please write to:
You have the right to file a complaint with the competent supervisory authority at any time.
Most of the cookies we use are ‘session cookies’ for the technical functionality of the website. These are deleted automatically after the end of your visit. Other technical cookies remain saved on your computer until you delete them. These cookies enable us to recognise your browser the next time you visit our website.
We also use the following web analysis and tracking cookies. These are used to analyse users’ behaviour on our website and thereby to improve the presentation and provision of our services. These web analysis and tracking cookies are only used if you give us permission to do so. The legal basis for this processing is your consent. The individual cookies are as follows.
You can withdraw your consent at any time by blocking it in your browser settings or by using the following methods to deactivate cookies. However, blocking cookies may mean that the features of the website can no longer be used at all or can only be used in part.
This website uses Google Analytics, a web analysis service of Google Inc. (“Google”). Google Analytics uses “cookies”, which are text files placed on users’ computers, to help the website analyse how users use the website. The information generated by the cookie about the use of this website by users is usually transferred to a Google server in the USA and stored there. IP anonymisation has been activated on this website so that the IP addresses of users of Google within Member States of the European Union or in other signatory states to the Agreement on the European Economic Area are first shortened. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and shortened there. On behalf of the operator of this website, Google will use this information to evaluate the use of the website by the users, to compile reports on the website activities and to provide the website operator with additional services associated with the use of the website and the Internet. The IP address transmitted by your browser for the purposes of Google Analytics is not combined with other Google data. In addition to blocking all cookies, users can prevent Google from collecting the data generated by the cookie and relating to their use of the website (including their IP address) and the processing this data by Google by downloading and installing the browser plug-in available at the following link.
If this website is used through browsers on mobile devices, users can click the following link to prevent Google Analytics from collecting data within this website:
Disable Google Analytics for this browser.
By clicking on the link above, a cookie will be placed on your device to prevent Google Analytics from collecting data. However, deactivation will only be valid within this browser and only for this domain and only as long as this cookie is stored in this browser and valid. If you delete the cookies in this browser, you must click the link again to deactivate Google Analytics.
Google is based in the USA and thus under Art. 44 GDPR in a so-called “third country”. Google is certified under the data protection framework known as “EU-US Privacy Shield”, whereby a European data protection level is considered guaranteed.
Opposition to processing
If the processing of your data is based on the granting of consent, a predominant interest of BillPay or is done in the public interest or in the exercise of official powers, you have the right at all times to oppose the processing. In the case of data processing for the purpose of direct advertising, this will be done unless you oppose it. Otherwise this applies only if BillPay is unable to demonstrate any reasons worthy of protection which outweigh your interests.
In addition to the contacts mentioned in Para. VIII., you can also contact the operational data protection officer in writing if you have any questions regarding the collection, use, processing or sharing of your personal information as well as if you would like to request any information, the correction, blocking or deletion of your personal information:
External operational data protection officer
c/o HK2 Comtection GmbH