3.1 Categories of personal data

Your personal data is processed for the purposes listed below, in each case stating the legal basis and, if the data was not collected from you, with a corresponding reference to the data source:

• Personal information: In particular, title, first and last names, date of birth, place of birth, place of residence, nationalities, beneficial ownership information, business address, telephone number and e-mail address, company function and compliance-related documents (including copy and photos/screenshots of your identity card/passport on the occasion of the identification or video identification process under money laundering law, from which the type, number, issuing authority and date of issue and expiry can be seen);
• Sensitive data: Where relevant and legally permissible, the personal data collected by MEPS in some cases also includes special categories of personal data, i.e. your biometric data as part of the identification process under money laundering law, which also includes photos/screenshots of you as well as audio and video recordings of the legitimisation process during the video identification procedure;
• Register data: Those personal data from publicly accessible registers, public administration sources or other third-party sources (e.g. service providers and anti-fraud agencies), such as information on members of the representative body and beneficial owners of legal entities and partnerships;
• Financial information/transactions: This includes banking data and financial flows;
• Internal/external identifiers: Are assigned by Markant or third parties;
• Correspondence: Details of interactions between MEPS and you, including any correspondence, both written and verbal.

3.2. Purpose of processing & legal basis

Your personal data will be processed for the purposes set out below, in each case specifying the legal basis and, where the data has not been collected from you, indicating the source of the data:

• Customer onboarding procedure:
  (Categories of personal data concerned: Personal information, register data, financial information, internal/external identifiers, correspondence)
  • In order to confirm your identity, evaluate the initiation of a contract and with a view to concluding a contract with you, MEPS processes personal data provided to MEPS by interested parties as part of the contract initiation process, by existing contractual partners (collection from a third party) or by Markant Group companies on behalf of MEPS. The legal basis for this is the implementation of pre-contractual measures (art. 6(1)(b) GDPR).

• Compliance, risk management and prevention:
  (Categories of personal data concerned: Personal information, sensitive data, register data, financial information/transactions, internal/external identifiers, correspondence)​​​​​​​
  • To carry out legal and regulatory compliance checks, in particular as part of the customer admission procedure and regular compliance checks from a money laundering perspective. The legal basis for this is the fulfilment of legal obligations (art. 6(1)(c) GDPR). The legal basis for the photos/screenshots of you processed as part of the video identification procedure and the audio and video recording of the legitimisation process is your consent (art. 6(1)(a) GDPR);
  • To comply with ongoing regulatory and compliance obligations of MEPS (e.g. money laundering regulations), including the recording and monitoring of communications, the application of a risk classification of ongoing business relationships, disclosure to financial supervisory authorities and other regulatory and governmental bodies or in their proceedings, as well as for the investigation or prevention of criminal offences. This may include profiling based on the processing of personal data, e.g. by analysing how and from which geographical location MEPS services and products are used. The legal basis for this is the fulfilment of legal obligations (art. 6(1)(c) GDPR);
  • To prevent and detect criminal offences, including criminal activities, misuse of services and products and the security of Markant IT systems, architectures and networks. The legal basis for this is the legitimate interest of MEPS (art. 6(1)(f) GDPR);
  • To respond to actual or potential proceedings, requests or investigations by the competent authorities or judicial authorities. The legal basis for this is the legitimate interest of MEPS in responding to these enquiries (art. 6(1)(f) GDPR).

• Contract fulfilment and processing:
  (Categories of personal data concerned: Personal information, register data, financial information/transactions, internal/external identifiers, correspondence)​​​​​​​
  • For the fulfilment and processing of the contract concluded with you, including the collection of contractual services. The legal basis for this is the fulfilment of the contract (art.   6(1)(b) GDPR).
  • For the provision of services and products to you and for their proper fulfilment, e.g. by ensuring that MEPS can identify you and provide payment services as part of Markant central settlement. The legal basis for this is the implementation of pre-contractual measures and contractual fulfilment (art.   6(1)(b) GDPR).

• Customer relationship management:
  (Categories of personal data concerned: Personal information, register data, financial information/transactions, internal/external identifiers, correspondence)​​​​​​​
  • To manage your business relationship with MEPS, including communication with you regarding the services and products you have purchased from MEPS and to handle customer service-related questions and complaints. The legal basis for this is the legitimate interest of MEPS in ensuring efficient administration, communication and customer service in the context of your business relationship with MEPS (art. 6(1)(f) GDPR).

• Product development and improvement:
  (Categories of personal data concerned: Personal information, internal/external identifiers)​​​​​​​
  • For measures to improve MEPS services and products and the technology used by MEPS, including reviewing and updating MEPS systems and processes. The legal basis for this is the legitimate interest of MEPS in improving and maintaining the Markant information architecture (art. 6(1)(f) GDPR).

• Other purposes:
  (Categories of personal data concerned: Personal information, sensitive data, register data, financial information/transactions, internal/external identifiers, correspondence)​​​​​​​
  • To carry out transaction analyses and statistical analyses and similar analyses. The legal basis for this is the legitimate interest of MEPS in carrying out the analyses (art. 6(1)(f) GDPR);
  • To exercise MEPS' obligations and/or rights towards you or third parties and to respond to actual or potential proceedings, requests or investigations by the competent authorities or judicial authorities. The legal basis for this is the legitimate interest of MEPS in the assertion or defence of legal claims (art. 6(1)(f) GDPR);
  • For the collection of data to ensure the security of buildings, premises, employees, visitors, property and information located on or accessible from the premises, to prevent and, if necessary, investigate unauthorised access to secure premises (e.g. keeping building access logs and video surveillance recording to prevent, detect and investigate theft of equipment or assets of MEPS, visitors or employees). The legal basis for this is MEPS' legitimate interest in protecting the aforementioned assets (art. 6(1)(f) GDPR).

MEPS uses both automated and manual methods to process your personal data for the above purposes. Automated methods are combined with manual methods. These systems can analyse your data, for example, to identify patterns that are manually checked and interpreted by humans. There is no automated decision-making in accordance with art.   22 GDPR.

4. Markant websites, social media and tracking

For more details on how MEPS processes your personal data when you visit Markant websites, on social media or when using tracking technologies and other methods (e.g. cookies, pixels, tags), please refer to the Privacy Notice "Markant websites, social media and tracking".

5. Access to and disclosure of personal data

5.1. Within the Markant Group

MEPS shares personal data with other Markant Group companies that process your data on behalf of and at the request of MEPS. Furthermore, MEPS usually passes on personal data to the group parent company Markant AG (Markant AG), which is also a contractual partner of the European Centralised Invoicing and Settlement Agreement, in order to ensure a consistent standard of service and to provide you with services and products.

Companies of the Markant Group that receive your personal data may be, for example

• Markant AG
• National companies of Markant AG
• Service companies of Markant AG

5.2. Outside the Markant Group

MEPS also shares your personal data with external third parties for the purposes specified in this Privacy Notice. These third parties include the following categories of recipients:

• Payees, intermediaries, other financial institutions and correspondent banks
• Lawyers, auditors and similar specialised consultants who provide legal, auditing or consultancy services
• IT hardware, software, outsourcing providers (including providers of video identification procedures and data services)
• Service providers for dispatch, print jobs, data destruction and storage of digital files
• Marketing and communication companies

• Public bodies and institutions such as the Federal Financial Supervisory Authority (BaFin), the Financial Intelligence Unit (FIU), Bundesanzeiger Verlag GmbH, law enforcement authorities and data protection authorities.

MEPS would like to point out that MEPS works with processors who have concluded a Data Processing Agreement with MEPS and have thus undertaken in writing to comply with data protection regulations.

5.3. Cross-border data transfers

The personal data transmitted within or outside the Markant Group is processed in particular in Switzerland, in the countries of the European Economic Area (EEA) and in the USA if MEPS uses service providers or sales partners for the provision of MEPS services, for the provision and maintenance of MEPS products and for sales and marketing, among other things. However, worldwide processing is conceivable.

When transferring personal data outside the EEA, MEPS will include the standard data protection clauses issued by the European Commission (where applicable) for the transfer of personal data outside the EEA in MEPS contracts with these recipients (these are the clauses issued in accordance with art. 46(2) GDPR). You can request a copy of these standard data protection clauses at datenschutz(at)markant.com

For transfers of your personal data from the EEA to Switzerland, MEPS bases the transfers on the adequacy decision of the EU Commission on Switzerland, which can be accessed here.

Further information about the rules on data transfers outside the EEA, including the safeguards on which MEPS relies, can be found on the European Commission's website here.

6. Storage period

MEPS will only process and store your personal data for as long as necessary to fulfil the relevant purpose or in accordance with legal, regulatory or internal requirements. In certain cases, your personal data may be stored and processed beyond the termination of the business relationship, in particular for compliance purposes, to fulfil legal and regulatory requirements or if this is in the legitimate interest of MEPS.

As a rule, MEPS stores your personal data for a period of up to ten years after the end of the business relationship on the basis of statutory provisions and taking into account the statutory limitation period during which claims can be asserted against MEPS. After this period has expired, MEPS will only continue to store your personal data if there is a legal obligation to retain it, if there are still outstanding claims or complaints that make further storage reasonably necessary, or if this is required for regulatory reasons.

7. Your data protection rights

If the applicable requirements are met and no exceptions apply, you have the following rights:

• Right of access (art.   15 GDPR)
• Right to rectification and updating of your personal data if it is incorrect (art.   16 GDPR)
• Right to erasure ("right to be forgotten", art.   17 GDPR)
• Right to restriction of data processing (art.   18 GDPR)
• Right to data portability (art.   20 GDPR)
• Right to object: If MEPS processes your data on the basis of Art. 6(1)(f) GDPR (art.   21(1) GDPR) or if MEPS processes your data for direct marketing purposes (art.   21( 2) GDPR), you can declare your objection form-free at any time by sending a message todatenschutz(at)markant-payment.com or by clicking on the unsubscribe link in the corresponding e-mail. In the event of cancellation, your data will no longer be processed for the corresponding purposes with effect for the future.

If the data processing is based on your consent, you can revoke your consent at any time with effect for the future.

Please note the following information:

In order to process an enquiry, MEPS will usually ask you to prove your identity and/or provide information that will help MEPS to better understand your enquiry. If MEPS does not fulfil your request, MEPS will explain the reasons why.

To exercise your rights, you can contact datenschutz(at)markant-payment.com or the address given in Section I.

You also have the right to lodge a complaint with the competent data protection authority. The contact details of the German data protection authorities can be found here.

8. Status of this Privacy Notice

This Privacy Notice was last updated in July 2025. MEPS reserves the right to amend it from time to time. MEPS will make any changes or updates to this Privacy Notice available to you here.

Please note that this English translation of our Privacy Notice is for informational purposes only. In case of any inconsistencies between the English and the German version, the German version shall be legally binding and shall prevail.

Please visit the MEPS website regularly to familiarise yourself with the Privacy Notice.