Paying bills: How secure are photo transfers?

Online banking can be very practical – among other things, because you can save payment recipients and don’t have to type in long sequences of numbers with every new transfer. The photo transfer service, which many banks now offer, takes over the copying of data for customers who pay bills in online banking: the customer only has to photograph a bill with their cell phone, and an artificial intelligence (AI) then fills in the digital transfer form automatically.

Why are photo transfers more problematic than regular transfers?

The problem: If the customer enters the data manually in the transfer form, only the data necessary for the transfer is transmitted to the payment institution – the recipient’s IBAN, the recipient’s name, the transfer amount and a reason for the transfer (usually an invoice number). The bank can process the transfer, but does not learn exactly what the customer bought or what their billing or delivery address is. If, on the other hand, the customer photographs the entire bill so that the AI connected to the app can extract the necessary data, the AI analyzes all the data on the bill. In doing so, the customer has passed on a lot of data that has no relevance to the transfer itself. What happens to this data? Where is it evaluated at all – is a third-party provider, or a US cloud provider that is potentially problematic under data protection law, involved in the work of the AI?

Sparkasse declares that the data will be sent to a “service provider”

In order to answer these questions, the information portal Heise has investigated the data protection security of photo transfers.

Heise started its investigation with the Sparkasse app, which has an integrated photo transfer service. When using the function for the first time, the user is apparently informed that a “service provider” is involved in the service. The app stores also refer to the data protection guidelines of the company Star Finanz. Star Finanz developed the Sparkasse app and names Gini GmbH in its data protection guidelines as the service provider for the photo transfers. So in addition to the bank (the savings bank), two other companies are involved in the photo transfer service.

Gini GmbH has a monopoly as a service provider for photo transfers

According to the Star Finanz data protection guidelines, the photo of the invoice is sent from the Sparkasse app to Gini GmbH, which evaluates the data and then sends the information relevant to the transfer back to the app in anonymized form. The customer checks the data and confirms the payment order, and this information is then sent back to Gini GmbH for the quality check of the AI. The photo and the data read out are kept by Gini GmbH for a maximum of 28 days and then deleted, according to Star Finanz’s data protection guidelines. The entire cooperation with the Munich company is processed in accordance with Article 28 GDPR.

“An invoice for you. An open book for our AI.”

Gini GmbH is based in Munich and, according to Heise, is also responsible for the photo transfer service at all other banks – so it has a data monopoly. Gini GmbH not only offers photo transfers, but also other services, including an insurance optimization service. Here, users take a photo of their insurance bill and upload it to the company’s app, whereupon suggestions are made for optimizing the contract. Gini GmbH advertises this on its website as follows: “An invoice for you. An open book for our AI.”

Heise conducted further investigations and learned from Gini GmbH that the company’s servers in Munich are operated in a data center of Mivitec GmbH. According to Gini GmbH, it operates without a US cloud provider. Heise also writes that the data center is ISO-certified by TÜV Rheinland.

EPC QR code: Alternative to photo transfer

After contacting Gini GmbH, Heise concluded that the company had worked “comparatively thoroughly” – which is initially a good result. However, Heise also reports that the same cannot be said of the credit institutions, which kept their information rather brief. In addition, as part of its investigation, Heise had to point out to ING Bank that its data protection regulations contained incorrect information (they initially stated that the photos would be evaluated directly on the customer’s mobile phone without a third party – although ING also works with Gini GmbH). As a result, the data protection guidelines were tacitly corrected. However, this is legally questionable.

Ultimately, every online banking user has to decide for themselves whether they want to use photo transfers or not. If you are unsure whether you want to forward all the information contained in an invoice to the bank and Gini GmbH, you can use the so-called EPC QR codes instead. These are QR codes printed on invoices that encode only the data required for a transfer. No other data can be obtained from the code. Such codes can be scanned with the apps of the various credit institutions and the data contained in them is entered directly into the transfer form. The likelihood of transposed digits is even lower here than with photo transfers. But such QR codes are not yet printed on all invoices.
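As an added illustration (not code from the article, from Heise, or from any bank’s app), here is a parser for the EPC QR code payload described above. It assumes the EPC069-12 layout (service tag BCD, SEPA credit transfer, one field per line) and shows that the code carries only the beneficiary name, IBAN, amount and payment reference, so a scanning app never sees the rest of the invoice; the IBAN check is the standard ISO 13616 mod-97 test, and the sample payload is constructed.

```python
# Added example, not code from the article or any bank's app: parse an
# EPC QR (EPC069-12 "GiroCode") payload into the bare transfer fields.
from decimal import Decimal, InvalidOperation

# The payload is plain text (not encrypted), one field per line, LF-separated.
FIELDS = ["service_tag", "version", "charset", "identification", "bic",
          "name", "iban", "amount", "purpose", "structured_reference",
          "unstructured_remittance", "beneficiary_info"]

def iban_is_valid(iban: str) -> bool:
    """ISO 13616 mod-97 check: move the first four characters to the end,
    map letters to numbers (A=10 ... Z=35) and require remainder 1."""
    s = iban.replace(" ", "").upper()
    if not (15 <= len(s) <= 34) or not s.isalnum():
        return False
    digits = "".join(str(int(c, 36)) for c in s[4:] + s[:4])
    return int(digits) % 97 == 1

def parse_epc_qr(payload: str) -> dict:
    """Return name, IBAN, amount and reference, or raise ValueError."""
    lines = payload.replace("\r\n", "\n").rstrip("\n").split("\n")
    if not 7 <= len(lines) <= 12:
        raise ValueError("EPC payload must have 7 to 12 lines")
    lines += [""] * (12 - len(lines))  # optional trailing fields may be absent
    f = dict(zip(FIELDS, lines))
    if f["service_tag"] != "BCD" or f["identification"] != "SCT":
        raise ValueError("not an EPC SEPA credit transfer code")
    if f["version"] not in ("001", "002") or f["charset"] != "1":  # 1 = UTF-8
        raise ValueError("unsupported version or character set")
    if not 0 < len(f["name"]) <= 70 or not iban_is_valid(f["iban"]):
        raise ValueError("invalid beneficiary name or IBAN")
    amount = None
    if f["amount"]:  # optional; must be "EUR" followed by the decimal value
        if not f["amount"].startswith("EUR"):
            raise ValueError("amount must be in EUR")
        try:
            amount = Decimal(f["amount"][3:])
        except InvalidOperation:
            raise ValueError("malformed amount") from None
        if not amount.is_finite() or amount <= 0:
            raise ValueError("amount must be a positive number")
    if f["structured_reference"] and f["unstructured_remittance"]:
        raise ValueError("structured and unstructured remittance are exclusive")
    return {"name": f["name"], "iban": f["iban"].replace(" ", ""), "amount": amount,
            "reference": f["structured_reference"] or f["unstructured_remittance"]}

# Constructed sample payload: fictitious payee, the well-known test IBAN.
SAMPLE = ("BCD\n002\n1\nSCT\n\nMusterfirma GmbH\nDE89370400440532013000\n"
          "EUR123.45\n\n\nRechnung 2024-0815\n")
```

Every field the parser returns is one the manual transfer form already needs; there is simply no slot in the format for addresses, line items or other invoice contents.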

Editorial office finanzen.net


Image sources: WAYHOME studio / shutterstock.com, OrthsMedienGmbH / Shutterstock.com
