Privacy Policy B11 Card

In compliance with Articles 13 and 14 of Regulation (EU) 2016/679 (hereinafter, “GDPR”), Nexi Payments S.p.A. (hereinafter also “Nexi”), as the Data Controller, intends to provide certain information regarding the processing of your personal data (“Personal Data”) related to the installation and use of the B11 Card service.
Bank11 für Privatkunden und Handel GmbH, with its registered office at Hammer Landstraße 91 41460 Neuss, LEI 529900T9MJ6GH7X6QA19, is the company that publishes the app on the stores and is responsible for its distribution.
Nexi Payments S.p.A., with its registered office at Corso Sempione 55 20149 Milan (Italy), VAT No. 10542790968, is the card-issuing company, responsible for the technical and operational activities as well as for the actual processing of personal data related to the use of the app and the card service.
For the purposes of this privacy notice, Nexi Payments S.p.A. is identified as the Data Controller (the entity that determines the purposes and means of the processing), while Bank11 für Privatkunden und Handel GmbH acts as the distributor of the app and as an independent data controller solely with respect to the activities related to the distribution of the application.


B11 Card is the Credit Card (“Card”) issued by Nexi that allows the Cardholder to make payment transactions through the International Network whose brand name appears on the Card. The App B11 Card and the website are owned by Nexi Payments S.p.A., which is also the issuer and operator of the service.
Below is certain summary information on the processing of Personal Data related to the use of the App and the registration also on the website required to apply for the Card. In addition to this privacy policy and for detailed information on the processing of Personal Data relating to the issue and use of the Card, please refer to the specific privacy policy annexed to the contract, available at the following link: https://www.nexi.de/NRC/bank11/login.

1. TYPE AND SOURCE OF PERSONAL DATA PROCESSED
Nexi may collect Personal Data from you during the online Card application process and Personal Data acquired as a result of using the Card and through the use of the B11 Card App.
The App, which is available free of charge, can be installed without registering and involves the acquisition by Nexi, for security reasons, of the following information:

  1. App tracking (“tracker”)/operation data, information relating to the mobile device on which the App is installed and certain parameters relating to the Android or iOS operating system (e.g. log files, which may contain, for example, date and time of access, browser used), the transmission of which is necessary for the normal operation of the App. In particular, with regard to the authorisations required during the installation phase of the App, please note that, by way of example:
    • with reference to the iOS system, the required authorisations concern: device location, device camera to speed up the registration process, credential retrieval and profile photo editing, device photo to personalise the profile, fingerprint access and biometric access (FACE ID or a biometric recognition system to recognise your face);
    • with reference to the Android system, the required authorisations concern: device location, fingerprint and biometrics access, Bluetooth, account, Wi-Fi status, audio record, internet, save, vibrate, read image data (pdf, images, etc.), information relating to the off-line and active status of the App;
  2. information about running applications to allow the App to collect and analyse information about other applications running on your device in order to identify any code that could potentially intercept and interfere with your information and operations;
  3. Wi-Fi connection information to allow the App to use information such as the name of the Wi-Fi network.

In addition, with regard to the onboarding process, our bank partners will send you an invitation code to access our App. Each invitation code is unique to each customer. When you access the App and complete the identification process, the correspondence between the user of the code and the customer referred to us by our bank partners will be verified, and through your unique code we’ll retrieve some of your personal data from our bank partner. The retrieval of your personal data from our bank partners allows us to partially pre-fill the card application, making the process easier for you.
The App can send you push notifications related to the service if you have activated the sending of push notifications via your device’s operating system (Android or iOS). Tracking data not necessary for the operation of the service will be collected by means of certain trackers, which can only be activated with your explicit, specific and prior consent.

The App only tracks location data (the position of the device) with your explicit, specific and prior consent.
If you decide to proceed with registration, Nexi will also process Personal Data provided by you, such as identification data, contact data, multimedia data (photos and videos, in relation to the identification phase), location data (in relation to the use of certain functions) and also acquired by third parties, such as banks and merchants, both Italian and foreign, at which you can use or top-up the Card.


When verifying your identity, and more generally where required to comply with legal obligations, Nexi may process special categories of data, such as biometric data, as well as personal data relating to criminal convictions, offences and other security measures (so-called Judicial Data), for example in order to comply with measures of judicial authorities or obligations under anti-money laundering legislation.


2. PURPOSE AND LEGAL BASIS OF THE PROCESSING

The Personal Data acquired will be processed by Nexi for the following purposes:

  1. registration and creation of the account to enable the customer to follow up the request for the establishment and performance of the contract relating to the issue of the Card, as well as for the use of the App;
  2. comply with legal obligations (e.g. anti-money laundering legislation, PSD2 Directive on payment services, etc.);
  3. access control for IT and application security purposes on the App and monitoring and prevention of fraud risk.

The legal basis for the processing is therefore the need to perform the contractual relationship (point 1), compliance with Nexi’s legal obligations (point 2) and Nexi’s legitimate interest (point 3). Failure to provide Personal Data may therefore make it impossible for Nexi to establish and manage the contractual relationship or to respond to your requests.


3. PROCESSING OF BIOMETRIC DATA

If you register, your identity will also be verified through biometric analysis of your facial features by detecting the unique characteristics that enable your identification, measuring them and transforming them into a numerical code that cannot, however, be traced back to the image originally captured.
In particular, a comparison will be made between the biometric template obtained from the image of your face obtained from the video transmitted during registration, the one obtained from the image in the identification document submitted by you and those obtained from the Card’s customers, in line with the provisions of anti-money laundering legislation, with particular reference to customer due diligence obligations and in the light of the provisions of the Bank of Italy’s measure of 30 July 2019 in this regard in relation to remote operations.


You will only be able to proceed with registration in the event of (i) a match between the biometric templates obtained from the video you submitted and the document you transmitted and (ii) a mismatch between the biometric template referring to you and those of other Nexi customers.
The processing of your biometric data is carried out pursuant to Article 6(1)(c) of the GDPR, as it is necessary for compliance with legal obligations to which the controller is subject and pursuant to Article 9(2)(g) of the GDPR, for reasons of substantial public interest under Union and Member State law concerning the prevention of the use of the financial system for the purposes of money laundering or terrorist financing (see EU Directive 2015/849, Legislative Decree 231/2007, and the Bank of Italy Measure of 30 July 2019 – ‘Provisions on Customer Due Diligence for the prevention of money laundering and terrorist financing’). The provision of such data is necessary for the aforementioned purposes and, in their absence, it will not be possible to accept the registration request. In general, biometric data will only be stored for as long as is necessary to carry out the activities and fulfil the purposes mentioned above. At the end of such processing, the data will be definitively erased from any paper and/or electronic filing system.


4. PARTIES WHO MAY HAVE ACCESS TO THE DATA

For the pursuit of the purposes described above, your personal data will be processed by employees of Nexi authorised to do so and by external companies supporting Nexi in the provision of the service (by way of example but not limited to: parties that carry out printing, transmission, enveloping, transport and sorting services for communications to customers, parties providing IT services, carrying out filing of the documentation relating to customer relations, identification support etc.), designated, depending on the purposes, as autonomous Data Controllers or Data Processors pursuant to Article 28 of the GDPR, subject to the signing of a specific contract.

You can receive more information about the Data Processors and the persons who may have access to your Personal Data by contacting Nexi at the contact details set out in paragraph 7 below.

In addition, Nexi, for some activities, needs to communicate or share personal data with other companies of the Group to which Nexi belongs. By way of example and without limitation, such intra-group communication may take place with reference to activities related to anti-money laundering and prevention of terrorism financing regulations (pursuant to Legislative Decree No. 231 of 21 November 2007, as amended) or for administrative-accounting purposes.

We may also disclose your data to Supervisory and Control Authorities and Bodies in the exercise of their functions and, in general, to persons entitled to request the data in the performance of their duties.


5. TRANSFER OF DATA ABROAD

Your personal data is stored by Nexi within the territory of the European Economic Area and is not disseminated.

Nexi reserves the right to disclose the Personal Data to recipients that may be established outside the European Economic Area, in third countries, in order to pursue the processing purposes indicated above, always in compliance with the rights and safeguards provided for by the applicable privacy laws (e.g. Chapter V of the GDPR). In particular, transfers may be based on an adequacy decision or on Standard Contractual Clauses issued by the European Commission. For further information on the transfer of Personal Data, including a copy of the measures taken, if applicable, you can write to the contact details given in section 7 below.


6. DATA RETENTION

In the event of activation of the Card, the Personal Data shall be stored for the entire duration of the contractual relationship with Nexi and, after its termination, in compliance with the applicable legal and regulatory obligations relating to banking, tax, accounting and administrative matters (in general, for 10 years from the date of termination of the contractual relationship), as well as, in the event of any disputes, until the time limit for bringing legal actions and/or appeals has been exhausted. Upon expiry of these time limits, the Personal Data will be permanently erased from any paper and/or electronic filing system of Nexi.

Data concerning the real-time localisation of your device will be processed for the time strictly necessary to perform the requested service, after which it will be anonymised and processed in aggregate form for statistical purposes only.

Biometric data will only be stored for as long as is necessary to carry out the activities and fulfill the purposes set out in paragraph 3. At the end of such processing, the data will be definitively erased from any Nexi paper and/or electronic filing system.

Nexi also informs you that, after a maximum of 90 days have elapsed since you provided your data without the registration process having been concluded and without any contractual agreement having been formalised, your Personal Data will be erased from our files.


7. RIGHTS OF THE DATA SUBJECT

By contacting the Data Protection Officer (DPO) at dpo@nexigroup.com at any time, you can request access to your Personal Data, their rectification, completion or erasure, the restriction of processing in the cases provided for in Article 18 GDPR, as well as object to the processing pursuant to Article 21 GDPR in cases of legitimate interest.
In addition, you can exercise your right to portability under Article 20 of the GDPR, i.e. the right to receive your Personal Data in a structured, commonly used and machine-readable format, as well as, if technically feasible, to transmit it to another data controller without hindrance.
Finally, you have the right to lodge a complaint with the Italian Data Protection Authority (https://www.garanteprivacy.it/), including the authority of your place of residence.


8. DATA CONTROLLER AND DATA PROTECTION OFFICER

The Data Controller is Nexi Payments S.p.A. with registered office in Milan, Corso Sempione 55. The Data Protection Officer may be contacted by writing to the e-mail address dpo@nexigroup.com, or by sending a written request to Nexi Payments S.p.A., office of the Data Protection Officer, Corso Sempione 55, 20149 Milan.

For further information and clarifications on the processing of Personal Data and on the exercise of your rights, please consult the complete privacy policy relating to the B11 Card, also available in the Cardholders Portal at the following link: https://www.nexi.de/NRC/bank11/login.

Last update: 02/10/2025