Information according to Art. 14 GDPR of CRIF GmbH regarding the credit bureau and information services
I. Name and contact data of the responsible office as well as of the company's data protection officer
CRIF GmbH, Leopoldstr. 244, 80807 Munich, Tel.: +49 40 89803-0
The data protection officer of CRIF GmbH can be reached at the above address ("For the attention of Data Protection Department"), or by e-mail at: firstname.lastname@example.org
II. Data processing by CRIF GmbH
1. Purposes of data processing and valid interests that are pursued by CRIF GmbH or a third party
CRIF GmbH processes personal data in order to provide authorized recipients with information for assessment of the creditworthiness of individuals and legal entities. To this end, probability value are also calculated and transferred. CRIF GmbH makes the information available only if a legitimate interest in it has been credibly demonstrated and processing is permissible after consideration of all interests. There is a legitimate interest especially before engage-ment in business transactions involving a risk of financial default. The purpose of the creditworthiness check is to protect recipients against losses in credit business. The check simultaneously makes it possible to advise borrowers in order to protect them against excessive indebtedness. Data are also processed for purposes of fraud prevention, money laundering prevention, integrity assessment, identity and age verification, address location, customer service and customer monitoring, direct marketing or risk management incl. KYC check, sustainability and natural hazard risks as well as tariff classification and as-sessing conditions. In addition to the aforementioned purposes, CRIF GmbH also processes personal data for internal purposes (e.g. assertion of legal claims and defence in legal disputes, general business management and optimisation of business processes as well as for the further development of services, products and scoring procedures, such as the use of machine learning, artificial intelligence and deep learning, ensuring IT security and IT operation). The legitimate interest in this results from the respective purposes and is otherwise of an economic nature (efficient task fulfilment, avoidance of legal risks).
2. Legal basis of data processing
CRIF GmbH processes personal data based on the stipulations of the EU General Data Protection Regulation. Processing is carried out based on consent and point (f) of Art. 6 (1) GDPR, in so far as such processing is necessary in order to preserve the legitimate interests of the controller or a third party, and these interests do not outweigh the basic rights and basic freedoms of the data subject that require the protection of personal data. A legitimate interest exists in particular before entering into business transactions with financial default risk.
Consent can be withdrawn towards the contracting partner at any time. This also applies to consent already given before GDPR came into force. A withdrawal of consent does not affect the legality of the personal data processed before the withdrawal.
3. Data sources
CRIF GmbH obtains its data from its contracting partners. These are companies located in the European Economic Area or in Switzerland and, where appro-priate, in other third countries in the areas of trade, service provision, leasing, energy supply, telecommunications, insurance or debt collection as well as credit institutes, providers of financial and payment services and other contracting partners that use products of CRIF GmbH for the purposes indicated in Section II.1. In addition, CRIF GmbH processes information from generally accessible sources such as public directories and official notices (commercial registers, debtors' directories, insolvency notices) as well as from EURO-PRO Gesellschaft für Data Processing mbH, Lindenhof 1-3, 61279 Grävenwiesbach (EURO-PRO), (more detailed information on EURO-PRO can be found online at www.europro.de/datenschutz. Furthermore, CRIF GmbH also receives data from CRIF GmbH, Rothschildplatz 3/Top 3.06.B, A-1020 Vienna, Austria, and CRIF AG, Hagenholzstrasse 81, 8050 Zurich, Switzerland.
4. Categories of personal data that are processed
a) Personal data, e.g. surname (if applicable prior names that may be provided upon special request), first name, date of birth, place of birth, address, prior addresses, e-mail address(es), telephone number(s)
b) Information regarding the initiation and execution of a transaction in accordance with the contract (e.g. Giro accounts, instalment loans, credit cards, garnishmentexempt accounts, basic accounts)
c) Information regarding undisputed, past-due claims subject to repeated dunning or reduced to judgement and their resolution
d) Information on postal (non-) accessibility
e) Information on the characteristics of functionaries including the beneficial owner in companies, associations or foundations
f) Information on personal data, which we take over in the context of a self-disclosure requested by the data subject, e.g. surname, first name, ad-dress, e-mail address(es), telephone number(s), video recording in our credit agency database
h) Information on bank details
i) Proof of income
j) Information on purchasing behaviour (e.g. shopping baskets)
k) Indications of abusive or other fraudulent behaviour such as misrepresentation of identity or creditworthiness in connection with contracts for telecommunications services or contracts with credit or financial institutions (credit or investment contracts, current accounts)
l) Information from public registries and official publications
m) Probability values
n) Information on the determination of risks from chronic and acute natural hazards (e.g. heavy rain, flooding, landslide, cyclone, forest fire, sea level rise, soil erosion, drought) at the respective address (company, business premises or real estate).
o) Information on the assessment of a company's sustainability efforts on the basis of regulatory criteria on the environment, social standards and corporate governance (ESG) and industry-standard indicators (e.g. annual CO2 emissions, energy efficiency ratio, average weekly working hours, degree of unionisation, number of fatal accidents at work p.a.).
5. Categories of recipients of personal data
Recipients are contracting partners of the sectors of industry and commerce indicated in section II.3. In countries outside the European Economic Area, data are transmitted according to the requirements of the European Commission. CRIF GmbH may transfer your personal data to EURO-PRO Gesellschaft für Data Processing mbH, Lindenhof 1-3, D-61279 Grävenwiesbach (EURO-PRO) for the purpose of address identification. The legal basis for these transmissions is point (b) and point (f) of Art. 6 (1) DSGVO. EURO-PRO processes the data received and also uses them to provide its contractual partners in the European Economic Area and in Switzerland and, where appropriate, in other third countries (provided there is a decision on adequacy by the European Commission) with address information of natural persons. More detailed information on the activities of EURO-PRO can be found in the EURO-PRO information sheet or online at www.europro.de/datenschutz.".
Recipients of personal data may also be CRIF GmbH, Rothschildplatz 3/Top 3.06.B, A-1020 Vienna, Austria, and CRIF AG, Hagen-holzstrasse 81, 8050 Zurich, Switzerland. The CRIF companies in Austria and Switzerland process the transmitted data for the operation of their credit reporting and address trading business. More detailed information on data processing at CRIF GmbH in Austria can be found at: https://www.crif.at/datenschutz/), for CRIF AG in Switzer-land the data protection information can be found at: https://www.crif.ch/dsgvo/.
Further recipients can be external contractors of CRIF GmbH according to Art. 28 GDPR as well as external and internal CRIF offices. Many systems and technologies are shared within the CRIF group. This enables CRIF GmbH to offer its contractors a more secure and uniform service. Therefore, within CRIF group those companies and departments will have access to your data which they need to fulfil the contractual and legal obligations of CRIF GmbH or to fulfil their respective functions within CRIF group. In addition, data will be passed on within the CRIF group in compliance with the legal framework for the purpose of enriching and updating the data stock.
CRIF GmbH cooperates with technical service providers in order to provide their services for their contractual partners. If they process personal data of data subjects outside the European Union, this may result in the data being transferred to a country with a lower data protection standard than the European Union. In such cases CRIF GmbH will ensure that the service providers in question guarantee an equivalent level of data protection by contract or otherwise. CRIF GmbH is also subject to the legal powers of intervention of state authorities.
6. Duration of data storage
CRIF GmbH stores information on persons only for a certain length of time. Necessity is the primary criterion for how long this time is. The storage periods are indicated in a Code of Conduct of the association "Die Wirtschaftsauskunfteien e. V.". The code can be viewed on the Internet at www.crif.de/en/code-of-conduct. According to this code, the basic storage duration of data relating to a person is three years to the day after the person's debt has been settled. The following information, for example, is different to this and is deleted:
a) Data from debtor lists/records of central courts competent for execution are deleted after three years to the day, but are deleted prematurely if it is verified to CRIF GmbH that the data have been deleted by the central court competent for execution.
b) Information on consumer/bankruptcy proceedings or proceedings for the discharge of residual debt is deleted exactly six month to the day after completion of the bankruptcy proceedings or discharge from residual debt. In special individual cases, earlier deletion is also possible.
c) Information on the rejection of a bankruptcy application for lack of assets, the cancellation of stipulations imposed regarding the provision of collateral or the disallowance of discharge of residual debt is deleted after three years to the day.
d) Previous addresses are stored for exactly three years to the day. After this, a check is made to find out whether it is necessary to continue storing the data for a further three years. Following this, they are deleted to the day exactly unless longer storage is necessary for the purpose of identification.
III. Rights of the data subject
In relation to CRIF GmbH, every person concerned has the right to information according Art. 15 GDPR, the right to correction according to Art. 16 GDPR, the right to deletion according to Art. 17 GDPR and the right to limitation of data processing according Art. 18 GDPR. Moreover, persons concerned have recourse to the supervisory authority that is responsible for CRIF GmbH, namely the Bavarian Data Protection Authority. Consent can be withdrawn towards the contracting partner in question at any time.
According to Art. 21 (1) GDPR, it is possible to object to data processing for reasons arising from the special situation of the person concerned (for example witness protection, women’s shelter). The objection can be made informally and is to be addressed to CRIF GmbH, Data Protection, Leo-poldstr. 244, 80807 Munich.
IV. Profile development (scoring)
Before entering into business transactions with a financial risk, business partners would like to be able to estimate as reliably as possible whether the obliga-tions to pay can be fulfilled. By providing information and by means of so-called probability values (scores), CRIF GmbH helps companies to make decisions and to quickly process everyday credit transactions.
Based on collected information and experience from the past, a prognosis is made of future events (“scoring”). At CRIF GmbH, probability values are pri-marily calculated based on the information on a data subject that CRIF GmbH has stored and that can be shown in future as part of the information provided in accordance with Art. 15 GDPR. In addition, address data are used. Based on the stored entries relating to a person and the other data, the person is assigned to statistical groups of people who have demonstrated similar payment behavior in the past (“score calculation”). Machine learning methods, such as logistic regression, are used to develop the statistical model of such an assignment ("score model"). The machine learning procedures used by CRIF GmbH are well-founded, mathematical-statistical methods for the prognosis of risk probabilities or fulfilment probabilities that have been tried and tested in practice for many years.
CRIF GmbH uses the following data to calculate scores, whereby not every kind of data is used for every individual score calculation: date of birth, sex, shopping basket value, address data and duration of residence, previous payment problems, public negative attributes such as nonissuing of debtor’s asset disclosure, creditor satisfaction ruled out, creditor satisfaction not demonstrated, debt collection proceedings and debt collection monitoring procedures.
The probability if a person will repay a mortgage loan does not need necessarily to correspond with the probability if the person will pay an invoice for a mail order purchase on time. For this reason, CRIF GmbH offers its contractual partners a variety of industry-specific score models. Scores are constantly changing given that the information stored about a person by CRIF GmbH is subject to change as well. For example, new information is added whereas other information is deleted in line with applicable retention periods. In addition, information itself changes over time (e.g. the duration of a business relationship), so that changes may occur even without considering new information.
Please note: CRIF GmbH itself does not make any decisions; it only supports its affiliated contractual partners by providing information for their respective decisionmaking process. The specific contractual partner is solely responsible for risk assessment and evaluating creditworthiness due to the circumstance that only the contractual partner has access to a wide variety of additional information. This applies even if he relies solely on the information and score values supplied by CRIF GmbH.
You can also visit our website www.crif.de/en/privacy to read the latest status of our information sheet according to Art. 14 GDPR.