More and more banks are offering the so-called photo transfer service. With it, the account holder can take a photo of a bill to be paid with his smartphone, and the bill is then paid immediately via the corresponding banking app.
The question quickly arises as to which data is processed where during the photo transfer and how this is to be assessed under data protection law. You can find out the answers here.
How does a photo transfer work?
If the relevant bank offers the photo transfer service, the customer can conveniently take a photo of the bill to be paid via the corresponding app on the smartphone. From this photo, an artificial intelligence extracts the relevant data, which is then inserted in the appropriate place on the remittance slip. The customer notices little of this process: a few seconds after the photo is taken, the completed transfer appears. The customer can check it briefly and then approve it with the usual TAN procedure, just like any manual transfer.
Where does the processing of the photo transfer take place?
If you look at a typical invoice, you will quickly notice that a lot of sensitive and personal data can be found on it: delivery and billing address, other contact data such as telephone number or email, and the products ordered, which may also allow conclusions to be drawn about preferences. The question is where the processing of this data takes place. Processing could take place on the user's own terminal device, on the bank's servers, or on the servers of a third party.
In the privacy policy or the terms and conditions of the banks that offer the photo transfer, there is usually a note that the processing takes place via a third party as a processor (Art. 28 DSGVO) and that the data from the photos is processed on that third party's servers and also stored there temporarily. The customer must consent to this procedure before he can use the photo transfer service.
In most cases, however, this still does not clarify where the server of the processor providing the artificial intelligence is located. The vast majority of all banks use a provider that specifies servers in Munich as the processing location. The storage period varies between banks, but is usually 28 days. Among other things, this data is also used to train the artificial intelligence during the storage period.
Criticism under data protection law
In view of the storage period and the fact that the data is used for training purposes, the processing of the invoice photos by the third-party provider goes far beyond the mere reading of the relevant data. Customers should be aware of this and check which servers their own bank uses for this purpose.
It should also be noted, however, that banks regularly make only vague statements in their data protection declarations to the effect that processing takes place "at a service provider". There is a great need for improvement here. After all, most banks ultimately justify the lawfulness of the processing with the customer's consent to these vague statements.
Ultimately, the photo transfer remains a data-intensive undertaking. The question remains open as to why the banks are not already using more data-saving alternatives on a large scale, such as EPC QR codes, where the customer can display a completed transfer in the respective app by scanning a QR code.
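To make the data-saving point concrete, here is an added example (not code from the original post or from any bank) that builds and parses the EPC069-12 "SCT" payload behind such a QR code. The field layout follows the EPC guideline as the author of this example understands it; the beneficiary values in the test are constructed, and the point is that only the payee name, IBAN, amount and reference are encoded, so no invoice image has to leave the device.

```python
# Added example: build and parse an EPC069-12 SEPA Credit Transfer (SCT)
# QR payload. Field order follows the EPC guideline; sample data is constructed.
from dataclasses import dataclass
import re

IBAN_RE = re.compile(r"^[A-Z]{2}\d{2}[A-Z0-9]{11,30}$")
AMOUNT_RE = re.compile(r"^EUR\d{1,9}(\.\d{1,2})?$")   # "EUR12.34", max 12 chars

@dataclass
class SepaTransfer:
    name: str            # beneficiary name, max 70 characters
    iban: str
    amount_eur: str      # e.g. "12.34"; empty string if no preset amount
    reference: str = ""  # unstructured remittance text, max 140 characters
    bic: str = ""        # optional in payload version 002

def build_epc_payload(t: SepaTransfer) -> str:
    """Encode a transfer as the 12-line EPC QR payload (version 002, UTF-8)."""
    iban = t.iban.replace(" ", "").upper()
    if not IBAN_RE.match(iban):
        raise ValueError("malformed IBAN")
    if not 0 < len(t.name) <= 70 or len(t.reference) > 140:
        raise ValueError("field length exceeds EPC limit")
    amount = f"EUR{t.amount_eur}" if t.amount_eur else ""
    if amount and not (AMOUNT_RE.match(amount) and len(amount) <= 12):
        raise ValueError("amount must look like EUR<units>.<cents>")
    # Only payee name, IBAN, amount and reference are encoded: no payer
    # address, no line items, no copy of the invoice image.
    lines = ["BCD", "002", "1", "SCT", t.bic, t.name, iban, amount,
             "", "", t.reference, ""]
    payload = "\n".join(lines)
    if len(payload.encode("utf-8")) > 331:   # EPC maximum payload size
        raise ValueError("payload exceeds 331 bytes")
    return payload

def parse_epc_payload(payload: str) -> SepaTransfer:
    """Parse a scanned payload back; reject anything that is not an SCT code."""
    f = payload.replace("\r\n", "\n").split("\n")
    if len(f) < 8 or f[0] != "BCD" or f[1] not in ("001", "002") or f[3] != "SCT":
        raise ValueError("not an EPC SCT QR payload")
    f += [""] * (12 - len(f))          # trailing empty elements may be omitted
    amount = f[7]
    if amount and not AMOUNT_RE.match(amount):
        raise ValueError("malformed amount")
    if not IBAN_RE.match(f[6]):
        raise ValueError("malformed IBAN")
    return SepaTransfer(name=f[5], iban=f[6], amount_eur=amount[3:],
                        reference=f[10], bic=f[4])
```

The payload is the text a QR library would encode; scanning and decoding it is a purely local operation in the banking app, which is the contrast to sending a photo to a third-party server.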
Would you like advice on data protection processes in your company? Our team of experts will be happy to help!