Data Protection Notice of KSV1870 Forderungsmanagement GmbH pursuant to the GDPR

To confirm that the services provided by KSV1870 Forderungsmanagement GmbH are in conformity with the law, we would like to issue the following notice.

Terms used in the General Data Protection Regulation ('GDPR')

In accordance with the GDPR, the terms are defined as follows:

"personal data": any information relating to an identified or identifiable natural person ('data subject');

"processing": any operation, whether or not performed by automated means, such as the collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure, dissemination, alignment or combination, restriction, erasure or destruction of data;

"controller": the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data;

"recipient": a natural or legal person, public authority, agency, etc., to which the personal data is disclosed, whether a third party or not;

"third party": a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;

"processor": a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

The processing of your personal data

1. Which of your personal data we process in our receivables management
We process the personal data disclosed to us in order to collect debts (receivables management) and to protect the creditor's interests (creditor protection). In particular, these are:

  • master data/personal data (first name, family name, address, date of birth),
  • communication data (e-mail address, telephone number),
  • contract data (invoice number, contract date),
  • data on accounts receivable (invoicing and value date, details on the account receivable), enforcement data, information from public registers and official announcements, where applicable payment information, probability figures relating to internal decision-making support, case history.

1.2. Where does the data come from?
Notice in accordance with Article 14 GDPR: We primarily receive your personal data when customers entrust us with a claim (your creditors). Additional relevant data is taken from public registers. Should further information be required at a later stage, we ask processors to support us in handling the case or use the services of companies duly authorised by a business license to collect the necessary data (especially address and credit data).

Notice in accordance with Article 13 GDPR: In individual cases, we collect the data directly from you. We also process the personal data that you provide us with, for instance during a telephone call or in e-mail correspondence, if this data is needed to achieve the aforementioned purposes.

1.3. How long do we retain this data?
This data is stored by us as long as needed to fulfil the processing purposes on the basis of storage periods recommended by the law or the authorities or for use in defending against any liability claims.

1.4. Purpose of data processing:
Processing is carried out for the implementation of debt collection within the meaning of sec. 118 Industrial Code ("GewO") and to protect the interests of creditors (creditor protection).

1.5. Potential recipients of personal data processed by us
To recover an account receivable, it may become necessary to transmit your data to the following recipients and/or categories of recipients:

  • your creditors (our customers); 
  • third parties (provided they have been empowered by you or they are authorised to represent you);
  • (other) credit agencies;
  • lawyers;
  • processors (Kreditschutzverband von 1870, KSV1870 Holding AG, KSV1870 Information GmbH, Österreichische Post Aktiengesellschaft for postal dispatch, Tel-Commerce GmbH for the purpose of debt collection by telephone);
  • companies of KSV1870 Group (Kreditschutzverband von 1870, when your account receivable must be filed in insolvency proceedings; KSV1870 Information GmbH, when your credit standing needs to be assessed in the scope of receivables management and for any inclusion in the Business Database or in the CommercialCreditRecords);
  • third-party debtors;
  • assignees;
  • courts;
  • debtor representatives (e.g. legal representatives of your choice).

In addition, we must point out to you that, for the purpose of creditor protection, payment records relating to uncontested accounts receivable which have not been paid despite becoming due, as well as address data, are transmitted to KSV1870 Information GmbH for legitimate use within the scope of the company's business license pursuant to sections 151 (list compiler), 152 (agency providing information about credit relations) and 153 (services in automated data processing and computer technology) of the Industrial Code 1994 (GewO 1994).

1.6. The following provisions form the lawful basis for such data processing:
The following provisions of the GDPR form the lawful basis for such data processing:

  • Article 6(1)(b) (necessary for performance of the contract);
  • Article 6(1)(f) (overriding interest consisting in achieving the aforementioned purposes);
  • Article 6(1)(a) (data processing based on your consent).

1.7. Transmission of personal data
As previously explained, it may become necessary to transfer personal data processed by us to third parties whose services we use and who we provide with data. Personal data is forwarded exclusively on the basis of the GDPR and, as a rule, within the EU. If collection activities need to be undertaken outside the EU in individual cases, your data may be transmitted specifically to credit agencies or lawyers outside the EU. We will undertake such transmission only if the European Commission has issued a relevant adequacy decision and/or suitable guarantees have been provided or the transmission requires no approval.

1.8. Data security
We implement the technical and organisational measures required to protect the personal data we process, especially against unauthorised, illegal or accidental access by unauthorised persons, data tampering, loss or destruction. Our security measures are continuously improved to conform with the state of the art.

2. Your rights ("data subject rights")

2.1. Right to access in accordance with Article 15 GDPR
The fair and transparent processing of data is important to us. In accordance with Article 15(1) GDPR, you have the right to obtain a confirmation as to whether or not personal data is being processed and you have the right to access this information. The access report tells you which of your data we store for purposes of debt collection management.

2.2. Rectification
Data accuracy is our goal. According to Article 16 GDPR, you have the right to obtain, without undue delay, the rectification of any inaccuracy in your personal data and to request, with due consideration of the processing purposes, the completion of incomplete personal data, including by providing a supplementary declaration. Proof of this must be provided in writing so as to ensure transparent processing.

2.3. Objection and erasure requests
Your objections in accordance with Article 21 GDPR will be assessed individually and dealt with in accordance with the relevant standards.

In the event of erasure requests in accordance with Article 17 GDPR, an assessment is performed to establish whether the available data is no longer needed for the purposes it was collected for and this data is erased where appropriate.

2.4. Restrictions of processing
Article 18 GDPR also provides for the right to obtain restriction of processing where one of the following applies: 

  • you contest the accuracy of the personal data, then processing is restricted for the period required by the controller to verify the accuracy of the personal data,
  • the processing is unlawful, and you oppose erasure of the personal data and request the restriction of their use instead,
  • we no longer need the personal data for processing purposes, but you yourself require the data for the establishment, exercise or defence of legal claims, or
  • you have objected to processing pursuant to Article 21(1) GDPR pending the verification whether our legitimate grounds override your grounds.

Where processing has been restricted in accordance with the above, such personal data may, with the exception of storage, only be processed with the data subject's consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the European Union or of a member state.

2.5. Data Protection Authority
If you are of the opinion that the processing of your data is in breach of data protection law or your rights under data protection law have been otherwise infringed, you have the right to file a complaint with the Data Protection Authority; the address of the Data Protection Authority is Barichgasse 40-42, 1030 Vienna.

2.6. Data protection officer
You can reach our data protection officer at ksv1870.datenschutzbeauftragter@ksv.at.