Data Protection Notice of Kreditschutzverband von 1870 pursuant to the GDPR

To confirm that the services provided by Kreditschutzverband von 1870 are in conformity with the law, we would like to issue the following notice:

Terms used in the General Data Protection Regulation ('GDPR')

In accordance with the GDPR, the terms are defined as follows:

"personal data": any information relating to an identified or identifiable natural person ('data subjects');

"processing": any operation, whether or not performed by automated means, such as the collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure, dissemination, alignment or combination, restriction, erasure or destruction of data;

"controller": the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data;

"recipient": a natural or legal person, public authority, agency, etc., to which the personal data is disclosed, whether a third party or not;

"third party": a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;

"processor": a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

I. Processing the personal data of our members and of prospective members (information according to Article 13 DSGVO)

Kreditschutzverband von 1870 ("we", "us") is an association with privileged standing for the protection of creditors in accordance with sec. 266 Insolvency Code ("IO") and, in this capacity, is entitled to inform creditors during insolvency proceedings and to act as their authorised representative in insolvency proceedings (sec. 253 IO). In this capacity, we also support courts and insolvency administrators in order to fulfil our tasks as an association for the protection of creditors in the manner defined by the law.

1. Which data we process when members or prospective members send us an enquiry 
When members or prospective members send us an e-mail or call us by telephone, we process the personal data they specifically provide us with. When we are contacted by e-mail, we process the name of the sender, the sender's e-mail address and the content of the message and any attachments sent along with it. Let it be clear that we consider the unsolicited transmission of personal data in this manner to be an express consent allowing us to process this data in our effort to handle and accommodate requests submitted to us.

1.1. Purpose of this data processing
This data is stored and processed by us for the purpose of handling enquiries from members or prospective members.

1.2. Lawful basis for such data processing
The following provisions of the GDPR provide the lawful basis for this data processing: Article 6(1)(b) (necessary for performance of the contract) and Article 6(1)(f) (overriding legitimate interest consisting in achieving the aforementioned purposes).

2. Which data we process when someone is a member
In case of membership, we process personal data needed to provide our services to members or any personal data that members provide us with on a voluntary basis. Such information includes name, date of birth and address data, which we process in order to be able to present our members in insolvency proceedings or send you our member journal.

2.1. Purpose of this data processing
This data is processed by us so that we can provide our services to members.

2.2. Lawful basis for such data processing
The following provisions of the GDPR provide the lawful basis for this data processing: Article 6(1)(b) (necessary for performance of the contract) and Article 6(1)(f) (overriding legitimate interest consisting in achieving the aforementioned purposes).

3. Storage period for member and prospective member data
We retain the data of members and prospective members as long as needed to fulfil the aforementioned processing purposes on the basis of storage periods recommended by the law or the authorities or for use in defending against any liability claims.

II. The processing of personal debtor data
(Information according to Articles 14 GDPR)

1. Which debtor data do we process in connection with debtor representation in insolvency proceedings
With respect to personal debtor data, we process only such data as is disclosed to us by way of publication of edicts by the insolvency court and as disclosed do us by our clients for the purpose of representation in insolvency proceedings. In particular, these are: the debtors' name, date of birth and address data and data in connection with the receivables claimed in the insolvency proceedings.

1.2. Where does the data come from?
Insolvency data is taken from the Edicts Archive of the Austrian judiciary. Additional economically relevant data comes from public registers or licensed partners. Moreover, members send us their personal data themselves.

1.3. How long do we retain this data?
This data is stored by us as long as needed to fulfil the processing purposes on the basis of storage periods recommended by the law or the authorities or for use in defending against any liability claims.

1.4. Purpose of such data processing:
Operation as an association for the protection of creditors in accordance with sec. 266 Insolvency Code (IO); representation in insolvency proceedings (sec. 253 Insolvency Code); carrying on a trade (sec. 118 Industrial Code ["GewO"], sec. 152 GewO, sec. 129 GewO, sec. 153 GewO);

2. Processing debtor data in the ConsumerCreditRecords ("ConCR")
The ConCR is a database where information on specific financing facilities granted to natural persons, specific joint liabilities assumed by such persons and, where applicable, registered payment issues is stored.

We operate, have authorised access and are data protection controller as defined in point 7 of Article 4 GDPR of the ConsumerCreditRecords (ConCR). In addition, we also serve as the central information desk for the debtors concerned.

2.1. Who can access the ConCR?
Only banks, lending insurance companies and leasing companies with their registered office in the European single market can obtain access to the ConCR (persons with authorised access).

2.2. When is personal data processed in the ConCR?
Personal data is disclosed to the ConCR, and processed by us in this database, in connection with credit and leasing contracts involving amounts in excess of EUR 300 and rejected credit and/or leasing applications involving amounts in excess of EUR 7,000.

If, for example, a debtor is granted credit in the amount of EUR 1,000, his/her personal data is disclosed to the ConCR. The same applies if the debtor submits an application for credit in the amount of EUR 8,000 and this application is rejected.

2.3. Which personal data is processed in the ConCR?
Personal data is processed in the ConCR only in the aforementioned circumstances. If these circumstances arise, we process the following personal data:

  • full name
  • date of birth
  • complete address (street name, street number, postcode, city/town)
  • account number
  • former names
  • former address
  • any existing ConCR number.

In addition, the following information is processed in the ConCR:

  • Credit or leasing details: lender/lessor, type of credit/type of leasing, credit amount/leasing amount, maturity, credit facility enhancement, start data for payment of instalments, amount of instalments, date on which credit/leasing was granted;
  • Where applicable, payment issues: 3rd reminder, acceleration of due data, legal action, enforcement, statement of assets, write-off, lack of traceability, insolvency status (block);
  • Reason for fulfilment of the credit/leasing contract: full payment, partial payment, in- and out-of-court settlement, composition, payment plan, recovery rate, residual debt relief/earnings arrestment procedure, compulsory composition, annotation of the final decision issued by a court, annotation of the contestation (block), annotation of the non-final decision, self-exclusion (block), administration (block), data block for verification of identity and tracing of data subjects (duplicate block, personal block, clarification block, block due to lack of traceability).

2.4. What happens with the data processed in the ConCR?
The data stored in the ConCR is not made public. This data can only be retrieved by persons with authorised access rights if there is a legitimate lawful interest (e.g.: new business opportunity or existing contractual relationship with the debtor concerned). The relevant retrieved data is only used for the specific purpose of the ConCR by persons with access rights.

2.5. Potential recipients of the personal data processed in the ConCR
As previously explained, data entered in the ConCR may only be retrieved by persons with access rights. Where data on the debtors concerned is processed in the ConCR, it may be received by other persons with access rights if there is a lawful interest. Such potential recipients belong to the following categories: banks, lending insurance companies and leasing companies with their registered office in the European single market.
In addition, we use processors to process data in the ConCR. 
These processors are:
KSV1870 Information GmbH, Wagenseilgasse 7, 1120 Vienna
KSV1870 Holding AG, Wagenseilgasse 7, 1120 Vienna 
 

2.6. The purpose of data processing in the ConCR
The purpose of data processing is to minimise the risk of credit default as best possible. The objective is to ensure that loans exceeding the loan applicant's repayment capacities are not taken out from different banks. Furthermore, data processing is also carried out to ensure that (prospective) lenders do not incur liabilities beyond their means. Data processing can help banks, in particular, to identify cases with insufficient credit standing and the individual loan application can be rejected if necessary. This may protect prospective loan applicants from becoming overindebted.

2.7. Storage period for debtor data in the ConCR
When an application for a loan is rejected due to inadequate credit standing, the personal data of the debtor concerned is erased no later than six months after the rejection.

Once the non-existence of a debt has been determined by a court of law, all related entries in the ConCR are erased without undue delay.

When credit or leasing debt is paid off completely without any payment issues and the credit or leasing contract ends accordingly, the data is erased no later than 90 days after complete repayment.

When credit or leasing debt is paid off completely after a payment issue and the credit or leasing contract ends accordingly, the data is erased no later than five years after complete repayment of the debt unless a court of law finally establishes that no debt issue exists. In that case, the data is erased no later than 90 days after complete repayment of the debt or, if the court of law issues its determination after this period, without undue delay once the final determination is issued by the court of law.

In all other cases, the data is erased seven years after redemption of the debt or occurrence of a debt-discharging incident.

3. Processing debtor data in the warning list of the Austrian banks
The warning list of the Austrian banks ("warning list") is a database where specific information on the personal accounts and/or personal loans and business accounts and/or commercial loans of natural persons is stored. In particular, this includes information on payment issues and behaviour in breach of contract.

We provide this warning list. We also serve as the central information desk for the debtors concerned. With respect to the data processing activities carried out in connection with the operation of this warning list (e.g. collection, storage, organisation of data, etc.), we are the data protection controller as defined in point 7 of Article 4 GDPR. 

3.1. Who has access to the warning list?
Only banks can obtain access to the warning list.

3.2. When is personal data processed in the warning list?
Personal data is processed in the warning list when the debtors concerned have overdrawn their accounts without authorisation by issuing checks in breach of contract or using their ATM or credit card in breach of contract or when an account and/or credit account existing with them is terminated and/or the due date is accelerated or it is turned over for prosecution and the receivable is not fully paid up within the period set in the letter setting out the due date (letter terminating the account).

Where debtors resort to such acts, their personal data is processed in the warning list; however, if the amount involved is under EUR 1,000, no entry is made in the warning list.

3.3. Which personal data is processed in the warning list?
Personal data is only processed in the warning list if the aforementioned circumstances arise. In the event that these circumstances arise, we process the following personal data:

  • full name
  • date of birth
  • complete address (street name, street number, postcode, city/town)
  • account number
  • former names
  • former address
  • any existing identification number

In addition, the following information is processed in the warning list:

  • sort code,
  • unpaid amount at the time of entry,
  • where applicable: a reasoned contestation of the receivable based on the merits,
  • where applicable: information on the conclusion of a redemption agreement,
  • where applicable: point in time at which redemption occurred, and an indication whether redemption resulted from full repayment.

 

3.4. What happens with the data processed in the warning list?
The data stored in the warning list is not made public. It may only be retrieved by banks if there is a legitimate lawful interest (e.g.: new business opportunity or existing contractual relationship with the debtor concerned). The bank also only uses the retrieved data for the specific purpose of the warning list.

3.5. Potential recipients of the personal data processed in the warning list
As previously explained, data entered in the warning list may only be retrieved by banks. If the data of the debtor concerned is processed in the warning list, banks may obtain such data if there is a lawful interest.
In addition, we use processors to process data in the warning list. Personal data is transmitted to them as well. These processors are:
KSV1870 Information GmbH, Wagenseilgasse 7, 1120 Vienna
KSV1870 Holding AG, Wagenseilgasse 7, 1120 Vienna 
 

3.6. Purpose of data processing in the warning list
The purpose of processing data is to ensure creditor protection and to minimise risk by calling attention to customer behaviour that is in breach of contract. Banks should have the possibility of notifying each other of customers failing to adhere to agreements with other banks and/or to single out customers who have become delinquent in their debt repayment to a bank.

3.7. Storage period for personal debtor data in the warning list
In the case of customers who are in breach of contract, data is stored for a period of three or seven years after repayment or after any other debt-discharging incident.

In the absence of repayment or a debt-discharging incident, data is stored for a period of 30 years.

4. The following provisions provide the lawful bases for such data processing:

  • sec. 7 Consumer Credit Act (VKrG),
  • sec. 9 Mortgage and Real Estate Loan Act (HIKrG),
  • sec. 39 Austrian Banking Act (BWG) (due diligence obligations for managing directors of a credit institution in connection with the risk of banking transactions and banking operations),
  • sec. 22a Austrian Banking Act (BWG) (measures to contain systemic risk),
  • sec. 75 Austrian Banking Act (BWG) (Central Credit Register indication of credit risk),
  • Capital Requirements Regulation (CRR EU/575/2013),
  • Article 6(b) (processing required for pre-contractual measures), and
  • Article 6(f) GDPR (processing is necessary for the purposes of the legitimate interest pursued by the controller or by a third party which is to accomplish the aforementioned processing purposes).

III. Common provisions for the processing of personal data of members or prospective members and debtors

1. Transmission of personal data
In our capacity as an association for the protection of creditors, it may become necessary to transfer personal data processed by us to third parties whose services we use and whom we provide with data. Personal data is forwarded exclusively on the basis of the GDPR and within the EU.

2. Data security
We implement the technical and organisational measures required to protect the personal data we process, especially against unauthorised, illegal or accidental access by unauthorised persons, data tampering, loss or destruction. Our security measures are continuously improved to the state of the art.

3. Data subject rights

3.1. Right to access in accordance with Article 15 GDPR
The fair and transparent processing of data is important to us. In accordance with Article 15(1) GDPR, data subjects have the right to request a confirmation on whether or not personal data about them is being processed, and they have the right to access such information. This access report informs data subjects about which of their data we store for the purposes of membership, insolvency representation as well as the ConCR and the warning list of the Austrian banks.

3.2. Rectification
Data accuracy is our goal. According to Article 16 GDPR, data subjects have the right to obtain, without undue delay, the rectification of inaccurate personal data concerning them and to request, giving due consideration to the purposes of the processing, completion of incomplete personal data, including by providing a supplementary declaration, Proof for this must be provided in writing so as to ensure transparent processing. We forward enquiries from data subjects regarding the data processed in the ConCR and the warning list of the Austrian banks to the respective bank institutions for evaluation and rectification. Data subjects can also contact the bank institutions directly.

3.3. Objection and erasure requests from data subjects
Objections from data subjects in accordance with Article 21 GDPR will be assessed individually and dealt with in accordance with the relevant standards..

In the event of erasure requests in accordance with Article 17 GDPR, an assessment is performed to establish whether the available data is no longer needed for the purposes it was collected for and this data is deleted where appropriate.

3.4. Restrictions of processing
Article 18 GDPR also provides for the right to obtain restriction of processing where one of the following applies: 

  • the accuracy of the personal data is contested by the data subject, for a period enabling us to verify the accuracy of the personal data,
  • the processing is unlawful, and the data subject opposes the erasure of the personal data and requests the restriction of their use instead,
  • we no longer need the personal data for processing purposes, but the data subject requires the data for the establishment, exercise or defence of legal claims, or
  • the data subject has objected to processing pursuant to Article 21(1) GDPR pending the verification whether our legitimate grounds of the controller override those of the data subject.

Where processing has been restricted in accordance with the above, such personal data may only be processed - but not stored - with the data subject's consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the European Union or of a member state.

3.5. Data Protection Authority
If the data subject is of the opinion that the processing of their data is in breach of data protection law or their rights under data protection law have been otherwise infringed, you have the right to file a complaint with the Data Protection Authority; the address of the Data Protection Authority is Barichgasse 40-42, 1030 Vienna.

3.6. Data protection officer
You can reach our data protection officer at ksv1870.datenschutzbeauftragter@ksv.at.