Data Protection Notice of KSV1870 Information GmbH pursuant to the GDPR

Data Protection Notice

We are issuing the following notice to confirm that the services provided by KSV1870 Information GmbH are in conformity with the law:

Terms used in the General Data Protection Regulation ('GDPR')

In accordance with the GDPR, the terms are defined as follows:

"personal data": any information relating to an identified or identifiable natural person ('data subjects');

"processing": any operation, whether or not performed by automated means, such as the collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure, dissemination, alignment or combination, restriction, erasure or destruction of data;

"controller": the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data;

"recipient": a natural or legal person, public authority, agency, etc., to which the personal data is disclosed, whether a third party or not;

"third party": a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;

"processor": a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

"profiling" means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;

"consent" of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;

The processing of personal data
(Information according to Articles 13 and 14 GDPR)

1. What is the lawful basis for processing personal data / purpose of data processing

KSV1870 Information GmbH (hereinafter: 'we' and 'us') is a company operating as a credit reference agency in accordance with the law. We have business licences in accordance with sec. 151 (list compilers and direct marketing companies), sec. 152 (credit reference agency), and sec. 153 (services in automatic data processing and information technology) of the Industrial Code (GewO). Our aim is to protect entrepreneurs against financial loss and promote their liquidity (creditor protection). For this purpose, we provide credit reports and create score models. In particular, credit reports include what are called personal profiles (PersonalProfileBusiness, PersonalProfileConsumer, and PersonalProfileFinancial) as well as the InfoPass, which provides a description of the applicant's solvency and can be used by him or her as a certificate. We process personal data for this purpose. The purpose of data processing is to minimise the risk of payment defaults as best possible.

2. Which personal data do we process?

For our credit reports and score models, we process the following personal data:

  • your full name;
  • your date of birth;
  • your complete address (street name, street number, postcode, city/town);
  • your former names;
  • your former address;
  • any business responsibilities, like your positions as defined under commercial law;
  • any interest held in companies;
  • general information that can be taken from the company or the land register;
  • any information on insolvencies;
  • any payment track records;
  • any other information which is publicly accessible or you provided us with that may be relevant to your credit standing.

3. Where does the data we process come from?

3.1. Notice in accordance with Article 14 GDPR 

The personal data we use to prepare credit reports and score models are taken from our databases (Business Database [BD] and CommercialCreditRecords [ComCR]). The data from the CommercialCreditRecords (ComCR) come from providers in the consumer goods and insurance industry; the data from the Business Database originates from publicly accessible sources (including company register, the Austrian Business Licence Information System, the Edicts Archive, etc.) and from our own manual research using business partners, licensed credit reference agencies and list compilers as well as the payment records of third parties. To the extent that our customers have access to the databases of Kreditschutzverband von 1870 (ConsumerCreditRecords [ConCR] and warning list), data stored in these databases can also be used to prepare credit reports and score models. These databases contain information about financing facilities, credit or leasing details, registered payment issues, personal account details, and/or personal loans, and/or business accounts, and/or commercial loans of natural persons. The ConCR data, for which Kreditschutzverband von 1870 acts as controller, is sourced from credit institutions, lending insurance companies, and leasing companies. The warning list data, for which Kreditschutzverband von 1870 acts as controller, is sourced from credit institutions.

3.2. Notice in accordance with Article 13 GDPR

We may also collect your data directly from you. We also process the personal data that you provide us with, for instance during a telephone call or in e-mail correspondence, if this data is needed to achieve the aforementioned purposes.

4. Lawful basis for data processing

Our customers order credit reports and score models so that they can better assess the risk that comes in (prospective) business relations. The main goal is to save them from having to grapple with the payment issues, non-payment, and payment defaults of (prospective) customers.

The following provisions of the GDPR form the lawful basis for such data processing:

  • Article 6(1)(a) (consent to the processing of personal data);
  • Article 6(1)(b) (necessary for performance of the contract);
  • Article 6(1)(f) (overriding interest consisting in achieving the aforementioned purposes).

5. Period of personal data storage

5.1. Your data is stored as long as needed to fulfil the above processing purposes or to ensure compliance with the legal retention periods, especially those set forth in sec. 152 Industrial Code (GewO), and to defend against any liability claims. 

5.2. Debt collection entries are no longer processed in the Business Database three years after payment and/or settlement of the claim.

5.3. Obvious illiquidity

The data entered with regard to the obvious illiquidity of natural persons, which had been established by decision of the enforcement court and made public in the Edicts Archive, is erased from the Business Database after expiration of the required storage period in the public register (Edicts Archive – sec. 71a[2b] Enforcement Code [EO]. The data entered with regard to the obvious illiquidity of legal persons is erased from the Business Database after a period of 5 years.

5.4. Storage period for insolvency data

Data on the insolvency proceedings of natural persons who have been granted residual debt relief is processed in the Business Database in accordance with the storage period in the public register (Insolvency Records – sec. 256 IO) and erased after expiration of the period applicable for the type of residual debt relief granted. 

In all other cases (e.g. closure of the proceedings due to insufficiency of funds), data on the insolvencies of natural persons not granted residual debt relief and on rejected insolvency proceedings is erased after a maximum period of 7 years. 

Data on the insolvency proceedings of legal persons is erased 5 years after fulfilment of the reorganisation plan. In all other cases (i.e. no discharge of debt or dismissed insolvency proceedings), insolvency data is no longer processed after a period of 7 years.

With regard to the right of data subjects to erasure (on request) (Article 17 GDPR) and to object (Article 21 GDPR), see point 10.3.

6. Potential recipients of the personal data that we process

In particular, your data may be transmitted to the following recipient and/or categories of recipients in the form of credit reports and score models:

  • persons and companies with a legal interest and authorised, specifically in light of the GDPR, to receive information
  • processors (Post Business Solutions GmbH for postal dispatch, KSV1870 Holding AG for IT services, Bernd Karl Zulus, MBA, update of company information, hpc DUAL Österreich GmbH for electronic postal service, Eviden Austria GmbH for balance sheet processing, Pan Business Lists Private Limited for balance sheet processing, Wolfgang Schnitzer for address management, feibra GmbH for postal services);
  • companies of KSV1870 Group (Kreditschutzverband von 1870 when your account receivable must be filed in insolvency proceedings; KSV1870 Forderungsmanagement GmbH when your credit standing needs to be assessed in the scope of receivables management);
  • courts and Data Protection Authority.

7. Transmission of personal data

It may become necessary to transfer personal data that we process to third parties whose services we use and who we provide with data. Personal data is forwarded exclusively on the basis of the GDPR and, as a rule, within the EU. If activities outside the EU need to be undertaken in individual cases, your data may be transmitted to recipients outside the EU. We will undertake such transmissions only if a relevant adequacy decision has been issued by the European Commission and/or suitable guarantees have been provided or the transmission requires no approval.

8. Information on data processing within the scope of score calculation

We profile data when drawing up score models. This involves makes predictions about future events using collected information and experience from the past (probability of a payment irregularity). The result obtained through this data processing is a score.

Scores are generally calculated based on specific information and/or processed data (variables that are introduced) on a data subject. In addition, non-personal data can also be used when calculating the score. Information and data that belong to special categories of personal data within the meaning of Article 9(1) GDPR are not taken into account in the calculation.

In the data subject access report acc. to Article 15 GDPR, KSV1870 Information GmbH and Kreditschutzverband von 1870 fully disclose the data processed on a person.

Scores can help contracting partners in their decision-making when they are considering whether to enter into, continue, or terminate a contract and can be used for risk management; in this case, the (prospective) business partner directly undertakes the risk evaluation of a potential loss of receivables and the assessment of credit standing themselves. These scores are transmitted to third parties only after express consent has been obtained or if these scores have no significant influence on the decision-making process.

Customers of KSV1870 Information GmbH can therefore request credit standing information and scores on an ad-hoc basis in order to better assess the default risk associated with a (prospective) business relationship. If the customer has access to the databases of Kreditschutzverband von 1870 (ConCR and warning list), information from these can also be taken into account as required for the score. Entries stored about a person are assigned to statistical groups of people for whom similar entries have been made in the past. The procedure employed is referred to as "logistic regression" and is a sound, tried-and-tested mathematical-statistical method used to forecast risk probabilities. 

The following scores are assigned to natural persons if the abovementioned requirements are met:

RiskIndicator

When calculating the RiskIndicator, which is determined on the basis of the information available in the Business Database, the following data types (variables) can be taken into account, if available, and have a positive, negative, or neutral influence:

  • Payment method – positive or negative influence, depending on the appraisal of payment behaviour;
  • Evaluation – positive or negative influence, depending on the appraisal of the current financial situation;
  • Real estate ownership – positive influence if real estate is owned, otherwise neutral;
  • Credit standing of the firm/company where the person who owns the company holds a position – positive or negative influence, depending on the credit standing of the firm(s);
  • Credit standing of the firm/company where the person holds a senior position – positive or negative influence, depending on the credit standing of the firm(s);
  • Insolvency/obvious illiquidity/restructuring process of the firm/company in which the person holds a position – negative influence if yes, otherwise neutral;
  • Unresolved payment issues – negative influence if there have been cases, otherwise neutral;
  • Resolved payment issues – negative influence if there have been cases, otherwise neutral;
  • Ongoing insolvency/obvious illiquidity/restructuring process – negative influence, otherwise neutral;
  • Concluded insolvency/obvious illiquidity/restructuring process – negative influence if there are such cases, otherwise neutral;
  • Ongoing debt recoveries – negative influence, otherwise neutral;
  • Concluded debt recoveries – negative influence is such cases have occurred, otherwise neutral;
  • Age of person (younger people usually have a higher risk);
  • Statistical reference value for urban/rural (major cities usually have a higher risk);
  • Risk of a statistical reference group;
  • Identity confirmation (multiple confirmations has a positive effect).

The variables "payment method" and "evaluation" are determined by a human (employee) and entered manually.

The influence of variables on the RiskIndicator score varies. If a variable has not been entered, it has no influence on the RiskIndicator score.

The RiskIndicator "financial" (if the client is authorised) indicates the probability of a payment irregularity over a period of twelve months based on the information available in the CommercialCreditRecords, ConsumerCreditRecords, and the warning list.

9. Data security

We implement the technical and organisational measures required to protect the personal data we process, especially against unauthorised, illegal, or accidental access by unauthorised persons, data tampering, loss, or destruction. Our security measures are continuously improved to comply with the state of the art.

10. Your rights ("data subject rights")

10.1. Right to access in accordance with Article 15 GDPR

Fair and transparent processing of data is important to us. In accordance with Article 15(1) GDPR, you have the right to obtain confirmation as to whether or not personal data is being processed, and you have the right to access such information. This right of access allows you to establish which of your data is stored by us for the purpose of operating as a credit reference agency and list compiler. 

 10.2. Right to rectification

Data accuracy is our goal. According to Article 16 GDPR, you have the right to obtain, without undue delay, the rectification of any inaccuracy in your personal data and to request, with due consideration of the purposes of the processing, the completion of incomplete personal data – including by providing a supplementary notice. Proof for this must be provided in writing so as to ensure transparent processing.

10.3. Objection and erasure requests

Furthermore, Article 21 GDPR gives you the right to object to the processing of personal data concerning you based on Article 6(1)(e) or (f) GDPR at any time on grounds relating to your particular situation.

Your objection in accordance with Article 21 GDPR will be assessed individually and dealt with in accordance with the relevant standards.

Furthermore, you have the right to erasure of processed personal data concerning you on the basis of Article 17 GDPR. In the event of erasure requests in accordance with Article 17 GDPR, an assessment is performed in each individual case to establish whether the available data is no longer needed for the purposes it was collected for and this data is erased where appropriate.

10.4. Restriction of processing

Article 18 GDPR also provides for the right to have processing restricted where one of the following applies:

  • you contest the accuracy of the personal data, for a period enabling us to verify the accuracy of the personal data;
  • the processing is unlawful, and you oppose erasure of the personal data and request the restriction of their use instead;
  • we no longer need the personal data for processing purposes, but you yourself require the data for the establishment, exercise, or defence of legal claims;
  • you have objected to processing pursuant to Article 21(1) GDPR pending the verification whether our legitimate grounds override your grounds.

Where processing has been restricted in accordance with the above, such personal data shall, with the exception of storage, only be processed with the data subject's consent or for the establishment, exercise, or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the European Union or of a member state.

10.5. You can address these requests to us

If you wish to exercise your rights, please let us know. Our contact details are: KSV1870 Information GmbH, company register no. 308571g, 1120 Vienna, Wagenseilgasse 7.

10.6. Data Protection Authority

If you believe that your data is being processed in breach of data protection law or your rights under data protection law have been otherwise infringed, you also have the right to file a complaint with the Data Protection Authority of the Republic of Austria; the address of the Data Protection Authority is Barichgasse 40-42, 1030 Vienna.

10.7. Data protection officer

You can reach our data protection officer "Putz & Rischka, Rechtsanwälte KG" at ksv1870.datenschutzbeauftragter@ksv.at and by regular mail at Reisnerstraße 12, 1030 Wien.

 

We will be happy to
advise you
+43 50 1870-1000
Send us an
e-mail

Check credit standing instantly

640,000 companies – payment track record, insolvency, company register and more. Same-day instant check and reliable payment.