Data Protection Notice of Kreditschutzverband von 1870 pursuant to the GDPR

We are issuing the following notice to confirm that the services provided by Kreditschutzverband von 1870 are in conformity with the law:

Terms used in the General Data Protection Regulation ("GDPR")

In accordance with the GDPR, the terms are defined as follows:

"personal data": any information relating to an identified or identifiable natural person ("data subjects");

"processing": any operation, whether or not performed by automated means, such as the collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure, dissemination, alignment or combination, restriction, erasure or destruction of data;

"controller": the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data;

"recipient": a natural or legal person, public authority, agency, etc., to which the personal data is disclosed, whether a third party or not;

"third party": a natural or legal person, public authority, agency or body other than the data subject, controller, processor, and persons who, under the direct authority of the controller or processor, are authorised to process personal data;

"processor": a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

"profiling" means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;

"consent" of the data subject means any freely given, specific, informed, and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;

 


I. Processing the personal data of creditors in insolvency proceedings, of our members, and of prospective members (information according to Article 13 GDPR)

Kreditschutzverband von 1870 ("we", "us") is an association with privileged standing for the protection of creditors in accordance with sec. 266 Insolvency Code ("IO") and, in this capacity, is entitled to inform creditors during insolvency proceedings and to act as their authorised representative in insolvency proceedings (sec. 253 IO). In this capacity, we also support courts and insolvency administrators in order to fulfil our tasks as an association for the protection of creditors in the manner defined by the law.

1. The data we process when members or prospective members send us an enquiry

When members or prospective members write to us or call us by telephone, we process the personal data they specifically provide us with. When we are contacted by e-mail, we process the name of the sender, the sender's e-mail address, and the content of the message as well as any attachments sent along with it. It should be noted that we consider the unsolicited transmission of personal data in this manner to be an express consent allowing us to process this data in our effort to handle and accommodate requests submitted to us.

1.1. Purpose of this data processing

We store and process this data for the purpose of handling enquiries from members or prospective members.

1.2. Lawful basis for this data processing

The following provisions of the GDPR provide the lawful basis for this data processing: Article 6(1)(b) (necessary for performance of the contract) and Article 6(1)(f) (overriding legitimate interest consisting in achieving the aforementioned purposes).

2. The data we process when creditors send us an enquiry or instruct us to represent them in insolvency proceedings

When creditors submit an enquiry using means of telecommunication or instruct us to represent them in insolvency proceedings, we process the personal data they specifically provide us with. If we are contacted directly, we process the master data and the content of the message (particularly all the information related to the insolvency claim to be filed) as well as any attachments. It should be noted that we consider the unsolicited transmission of personal data in this manner to be an express consent allowing us to process this data in our effort to handle and accommodate enquiries submitted to us and for the purpose of order management.

2.1. Purpose of this data processing

We store and process this data for the purpose of handling enquiries and orders from creditors.

2.2. Lawful basis for this data processing

The following provisions of the GDPR provide the lawful basis for this data processing: Article 6(1)(b) (necessary for performance of the contract), Article 6(1)(f) (overriding legitimate interest consisting in achieving the aforementioned purposes), operation as an association for the protection of creditors in accordance with sec. 266 Insolvency Code; for representation in insolvency proceedings according to sec. 253 IO; for the provision of services in automatic data processing and information technology services in accordance with sec. 153 Industrial Code.

In these activities, there exists an overriding legitimate interest in data processing as it allows for the filing, representation, and assertion of creditors' claims and interests in insolvency proceedings as well as for the protection of creditors against loss and the minimisation of a loss of receivables and the risk of a loss of receivables.

3. Which data do we process when someone is a member?

In case of membership, we process personal data needed to provide our services to members or any personal data that members provide us with on a voluntary basis. Such information includes name, date of birth, and address data, which we process in order to be able to represent our members in insolvency proceedings or send them our member journal.

3.1. Purpose of this data processing

We process this data so that we can provide our services to members.

3.2. Lawful basis for this data processing

The following provisions of the GDPR provide the lawful basis for this data processing: Article 6(1)(b) (necessary for performance of the contract) and Article 6(1)(f) (overriding legitimate interest consisting in achieving the aforementioned purposes).

4. Storage period for creditor, member, and prospective member data

We retain the data of creditors, members, and prospective members as long as needed to fulfil the aforementioned processing purposes on the basis of storage periods recommended by the law or the authorities or for use in defending against any liability claims.

 

II. The processing of personal debtor data (information according to Article 14 GDPR)

1. Which debtor data do we process when representing creditors in insolvency proceedings?

With respect to personal debtor data, we process only such data as is disclosed to us by the insolvency courts when they publish edicts and as disclosed to us by our clients for the purpose of representation in insolvency proceedings. In particular, these are: name, date of birth, and address data of the debtors, and data in connection with the receivables claimed in the insolvency proceedings.

1.1. Where does the data come from?

Insolvency data is taken from the Edicts Archive of the Austrian judiciary. Additional economically relevant data comes from public registers or licensed partners. Moreover, members send us their personal data themselves. In ongoing insolvency proceedings, additional data can come from the insolvency administrator, the insolvency court, the debtor themselves, or from other creditors.

1.2. How long do we retain this data?

We store this data as long as needed to fulfil the processing purposes on the basis of storage periods recommended by the law or the authorities or for use in defending against any liability claims.

1.3. Purpose of this data processing

Operation as an association for the protection of creditors in accordance with sec. 266 IO; representation in insolvency proceedings according to sec. 253 IO; carrying on a trade as a collection agency according to sec. 118 Industrial Code ("GewO"), as a credit reference agency in accordance with sec. 152 GewO, as a security company (private investigators, security trade) in accordance with sec. 129 GewO, for the provision of services in automated data processing and information technology in accordance with sec. 153 GewO.

In these activities, there exists an overriding legitimate interest in data processing as it allows for the filing, representation, and assertion of the creditors' claims and interests in insolvency proceedings as well as for the protection of creditors against loss and the minimisation of a loss of receivables and the risk of a loss of receivables.

1.4. Potential recipients

This data can be disclosed to the following potential recipient categories:

Insolvency courts, insolvency administrators, represented creditors, the debtor's creditors, the creditor's and the debtor's legal representatives, credit reference agencies.

Where the debtor's creditors are domiciled in a third country, data may, in individual cases, be disclosed to a recipient in a third country.

1.5. Processing does not involve any automated decision-making.

2. Processing of debtor data in the ConsumerCreditRecords ("ConCR")

The ConCR is a database where information on specific financing facilities granted to natural persons, specific joint liabilities assumed by such persons and, where applicable, registered payment issues is stored.

We operate the ConsumerCreditRecords (ConCR), have authorised access to it, and are its data protection controller as defined in point 7 of Article 4 GDPR. In addition, we serve as the central information desk for the data-subject debtors.

2.1. Who can access the ConCR?

Only banks, lending insurance companies, and leasing companies with their registered office in the European single market can obtain access to the ConCR (parties with authorised access).

2.2. When is personal data processed in the ConCR?

In connection with credit and leasing contracts for amounts in excess of EUR 300.00 and rejected credit and/or leasing applications for amounts that are specifically in excess of EUR 7,000.00, personal data is disclosed to the ConCR and processed by us in this database.

If, for example, a debtor is granted credit in the amount of EUR 1,000.00, personal data of this debtor is disclosed to the ConCR. The same applies if the debtor's application for credit in the amount of EUR 8,000.00 is rejected.

2.3. Which personal data is processed in the ConsumerCreditRecords (ConCR)?

Personal data is processed in the ConCR only in the aforementioned circumstances.

The following personal data is processed:

  • full name,
  • date of birth,
  • complete address (street name, street number, postcode, city/town),
  • account number,
  • former names,
  • former address,
  • any existing ConCR number.

In addition, the following information is processed in the ConCR:

Credit or leasing details: lender/lessor, surety, type of credit/type of leasing, credit amount/leasing amount, currency, maturity, credit facility enhancement, start date for payment of instalments, amount of instalments, date on which credit/leasing was granted;

Rejection of loan and leasing applications; where applicable, payment issues: 3rd reminder, acceleration of due date, legal action, enforcement, statement of assets, write-off/irrecoverability; 

Reason for fulfilment of the credit/leasing contract: full payment, down payment, in- and out-of-court settlement, transfer of receivables, out-of-court composition, payment plan, residual debt relief, reorganisation plan, restructuring.

Blocking notices: data blocks for verification of the identity and tracing of data subjects (duplicate block, personal block, block due to lack of traceability), special blocks (e.g. if an entry is contested by the data subject), general block (e.g. if a data subject appointed a legal guardian for an adult person or took on such a role), information block (persons with insolvency information), clarification block (review to establish the validity of an existing entry).

2.4. What happens with the personal data processed in the ConCR?

The data stored in the ConCR is not publicly accessible. This data can only be retrieved by parties with authorised access if there is a legitimate lawful interest (e.g. new business opportunity or existing contractual relationship with the data-subject debtor). The individual party with authorised access will use the retrieved data only for the specific purpose of the ConCR.

2.5. Potential recipients of the personal data processed in the ConCR

As previously explained, data entered in the ConCR may only be retrieved by parties with authorised access. Where data on the data-subject debtors is processed in the ConCR, it may be received by other parties with authorised access if there is a lawful interest. Such potential recipients belong to the following categories: banks, lending insurance companies and leasing companies with their registered office in the European single market.

In addition, we use processors to process data in the ConCR.

These processors are the following:

  • KSV1870 Information GmbH, Wagenseilgasse 7, 1120 Vienna
  • KSV1870 Holding AG, Wagenseilgasse 7, 1120 Vienna

2.6. Purpose of data processing in the ConCR

The purpose of data processing is to minimise the risk of credit default as far as possible. The objective is to ensure that loans exceeding the loan applicant's repayment capacities are not taken out from different banks. Furthermore, data processing is also carried out to ensure that (prospective) lenders do not incur liabilities beyond their means. Through data processing, banks in particular are able to identify cases with insufficient credit standing in a targeted manner and the individual loan application can be rejected where necessary. This can protect prospective loan applicants from becoming overindebted.

2.7. Storage period for debtor data in the ConCR

When an application for a loan is rejected due to inadequate credit standing, the personal data of the data-subject debtor is erased no later than six months after the rejection.

Once the non-existence of a debt has been finally determined by a court of law, all related entries in the ConCR are erased without undue delay.

When credit or leasing debt is paid off completely without the occurrence of any payment issues and the credit or leasing contract ends accordingly, the data is erased no later than 90 days after complete repayment.

When credit or leasing debt is paid off completely after a payment issue and the credit or leasing contract ends accordingly, the data is erased no later than five years after complete repayment of the debt unless a court of law finally establishes that no debt issue exists. In that case, the data is erased no later than 90 days after complete repayment of the debt or, if the court of law issues its determination after this period, without undue delay once the final determination is issued by the court of law.

In all other cases, the data is erased no later than seven years after redemption of the debt or occurrence of a debt-discharging event. 

Master data (personal data) is erased once no changes have been made in the ConCR with regard to a person over a period of 7 years. With regard to the right of data subjects to erasure (on request) (Article 17 GDPR) and to object (Article 21 GDPR), see point III 3.3.

2.8. Information on data processing within the scope of score calculation

We profile data when drawing up score models. This involves making predictions about future events on the basis of collected information and experience from the past (probability of a payment issue). The result obtained through this data processing is a score.

Scores are generally calculated based on specific information and/or processed data (variables that are introduced) concerning a data subject. Information and data that pertain to special categories of personal data within the meaning of Article 9(1) GDPR are not taken into account in the calculation.

In the data subject access report according to Article 15 GDPR, Kreditschutzverband von 1870 fully discloses the data on a person processed in the ConCR.

Scores can help contracting partners in their decision-making when they are considering whether to enter into, continue, or terminate a contract and can be used for risk management; in this case, the (prospective) business partner directly undertakes the risk evaluation of a potential loss of receivables and the assessment of credit standing themselves. These scores are transmitted to third parties only after express consent has been obtained or if these scores have no significant influence on the decision-making process. The contract partner of Kreditschutzverband von 1870 (parties with authorised access) can therefore request credit standing information and scores on an ad-hoc basis in order to better assess the default risk associated with a (prospective) business relationship. 

The following scores are assigned to natural persons if the abovementioned requirements are met: 

The ConCR score is computed on the basis of the information stored and processed for a specific data subject.

The following types of data (variables) can, if available, be factored into the score value computation and, as the case may be, have a positive, negative, or neutral effect.

  • Old borrowers – the larger (i.e. the older), the better
  • Maximum term of the open contracts – the shorter, the better
  • Monthly burden – the risk increases with a burden of up to EUR 500 per month; as of EUR 500, the risk decreases again
  • Number of institutional groups – from two upwards, worse
  • Province, first digit of the postal code – rural better than urban
  • Maximum term of contracts over the past 12 months – the longer the term, the worse
  • Age of youngest open mortgage loan – the lower (i.e. the younger), the worse
  • Most frequent type of loan – KR (overdraft limit) is good, anything else is bad
  • Monthly burden of a person as co-obliged party – the risk increases with a burden of up to EUR 500 per month; as of EUR 500, the risk decreases again
  • Number of co-debtors involved in the open enquiry – the fewer, the better
  • Number of open credit lines – one is bad, anything else is good
  • Number of open credit card contracts – credit card is good
  • Number of instalments already paid out of the total instalments payable for instalment loans – the higher, the better

3. Processing debtor data in the warning list of the Austrian banks

The warning list of the Austrian banks ("warning list") is a database where specific information on the personal accounts and/or personal loans and business accounts and/or commercial loans of natural persons is stored. In particular, this includes information on payment issues and behaviour in breach of contract. 

We maintain the warning list. We also serve as the central information desk for the data-subject debtors. With respect to the data processing activities carried out in connection with the operation of this warning list (e.g. collection, storage, organisation of data, etc.), we are the data protection controller as defined in point 7 of Article 4 GDPR.

3.1. Who has access to the warning list?

Only banks can obtain access to the warning list.

3.2. When is personal data processed in the warning list?

Personal data is processed in the warning list when the data-subject debtors have overdrawn their accounts without authorisation by issuing checks in breach of contract or using their ATM or credit card in breach of contract or when an account and/or credit account existing with them is terminated and/or the due date is accelerated or it is turned over for prosecution and the receivable is not fully paid up within the period set in the letter setting out the due date (letter terminating the account).

Where debtors resort to such acts, their personal data is processed in the warning list; however, if the amount involved is under EUR 1,000.00, no entry is made in the warning list.

3.3. Which personal data is processed in the warning list?

Personal data is only processed in the warning list if the aforementioned circumstances arise.

The following personal data is processed:

  • full name,
  • date of birth,
  • complete address (street name, street number, postcode, city/town),
  • account number,
  • former names,
  • former address,
  • any existing identification number.

In addition, the following information is processed in the warning list:

  • sort code,
  • unpaid amount at the time of entry,
  • where applicable: a reasoned contestation of the receivable based on the merits,
  • where applicable: information on the conclusion of a repayment agreement,
  • where applicable: point in time at which repayment occurred, and an indication whether the receivable has been fully or partly repaid.

3.4. What happens with the data processed in the warning list?

The data stored in the warning list is not publicly accessible. It may only be retrieved by banks if there is a legitimate lawful interest (e.g. new business opportunity or existing contractual relationship with a data-subject debtor). The bank also only uses the retrieved data for the specific purpose of the warning list.

3.5. Potential recipients of the personal data in the warning list

As previously explained, data entered in the warning list may only be retrieved by banks with authorised access.

In addition, we use processors to process data in the warning list. Personal data is transmitted to them as well. The processors are the following:

  • KSV1870 Information GmbH, Wagenseilgasse 7, 1120 Vienna
  • KSV1870 Holding AG, Wagenseilgasse 7, 1120 Vienna
  • "COCONET" Computer-Communication-Network GmbH, Mozartgasse 7, 2301 Neu-Oberhausen 

3.6. Purpose of data processing in the warning list

The purpose of processing data is to ensure creditor protection and to minimise risk by calling attention to customer behaviour that is in breach of contract. Banks should have the possibility of notifying each other of customers failing to adhere to agreements with other banks and/or to single out customers who have become delinquent in their debt repayment to a bank.

3.7. Storage period for personal debtor data in the warning list

In the case of customers who are in breach of contract, data is stored for a period of three years after full payment of the debt and, in all other cases (partial repayment), for a period of no more than seven years after any other debt-discharging event.

In the absence of repayment or a debt-discharging event, data is stored for a period of 30 years.

With regard to the right of data subjects to erasure (on request) (Article 17 GDPR) and to object (Article 21 GDPR), see point III 3.3.

4. The following provisions provide the lawful basis for such data processing:

  • Sec. 7 Consumer Credit Act (VKrG);
  • Sec. 9 Mortgage and Real Estate Loan Act (HIKrG);
  • Sec. 39 Austrian Banking Act (BWG) (due diligence obligations for managing directors of a credit institution in connection with the risk of banking transactions and banking operations);
  • Sec. 22a Austrian Banking Act (BWG) (measures to contain systemic risk);
  • Sec. 75 Austrian Banking Act (BWG) (Central Credit Register indication of credit risk);
  • Capital Requirements Regulation (CRR EU/575/2013);
  • Article 6(b) (processing required for pre-contractual measures); 
  • Article 6(f) GDPR (processing is necessary for the purposes of the legitimate interest pursued by the controller or by a third party which is to accomplish the aforementioned processing purposes).

 

III. Common provisions for the processing of personal data of creditors, members, or prospective members and debtors

1. Transmission of personal data

In our capacity as an association for the protection of creditors, it may become necessary to transfer personal data that we have processed to third parties whose services we use and whom we provide with data. Personal data is forwarded exclusively on the basis of the GDPR and within the EU.

2. Data security

We implement the technical and organisational measures required to protect the personal data we process, especially against unauthorised, illegal, or accidental access by unauthorised persons, data tampering, loss, or destruction. Our security measures are continuously improved to comply with the state of the art.

3. Data subject rights

3.1. Right of access in accordance with Article 15 GDPR

Fair and transparent processing of data is important to us. In accordance with Article 15(1) GDPR, you have the right to obtain confirmation as to whether or not personal data about you is being processed, and you have the right to access such information. This access report informs you about the data on you that we store for the purposes of membership, insolvency representation, as well as in the ConCR and the warning list of the Austrian banks.

3.2. Right to rectification

Data accuracy is our goal. According to Article 16 GDPR, you have the right to obtain, without undue delay, the rectification of inaccurate personal data concerning you and to request, giving due consideration to the purposes of the processing, completion of incomplete personal data, including by providing a supplementary declaration. Proof of this must be provided in writing so as to ensure transparent processing.

We forward enquiries from data subjects regarding the data processed in the ConCR and the warning list of the Austrian banks to the respective bank institutions for evaluation and, as the case may be, rectification. Data subjects can also contact the bank institutions directly.

3.3. Objection and erasure requests from data subjects

Furthermore, Article 21 GDPR gives you the right to object to the processing of personal data on you based on Article 6(1)(e) or (f) GDPR at any time on grounds relating to your particular situation.

Your objection in accordance with Article 21 GDPR will be assessed individually and dealt with in accordance with the relevant standards.

Furthermore, you have the right to erasure of processed personal data concerning you on the basis of Article 17 GDPR. In the event of erasure requests in accordance with Article 17 GDPR, an assessment is performed in each individual case to establish whether the available data is no longer needed for the purposes it was collected for, and, where appropriate, this data is erased.

3.4. Restriction of processing

Article 18 GDPR also provides for the right to have processing restricted where one of the following applies: 

  • you contest the accuracy of the personal data, for a period enabling us to verify the accuracy of the personal data,
  • the processing is unlawful, and you oppose erasure of the personal data and request the restriction of their use instead,
  • we no longer need the personal data for processing purposes, but you yourself require the data for the establishment, exercise, or defence of legal claims, or
  • you have objected to processing pursuant to Article 21(1) GDPR pending the verification whether our legitimate grounds override your grounds.

Where processing has been restricted in accordance with the above, such personal data may, with the exception of storage, only be processed with the data subject's consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the European Union or of a member state.

3.5. Data Protection Authority

If you believe that your data is being processed in breach of data protection law or your rights under data protection law have been otherwise infringed, you also have the right to file a complaint with the Data Protection Authority of the Republic of Austria. Their address is 1030 Vienna, Barichgasse 40-42. 

3.6. Data protection officer

You can reach our data protection officer, "Putz & Rischka, Rechtsanwälte KG", at ksv1870.datenschutzbeauftragter@ksv.at and by regular mail at: Reisnerstraße 12, 1030 Wien.