Data Protection Notice of KSV1870 Information GmbH pursuant to the GDPR

Data Protection Notice

To confirm that the services provided by KSV1870 Information GmbH are in conformity with the law, we would like to issue the following notice:

Terms used in the General Data Protection Regulation ('GDPR')

In accordance with the GDPR, the terms are defined as follows:

"personal data": any information relating to an identified or identifiable natural person ('data subjects');

"processing": any operation, whether or not performed by automated means, such as the collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure, dissemination, alignment or combination, restriction, erasure or destruction of data;

"controller": the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data;

"recipient": a natural or legal person, public authority, agency, etc., to which the personal data is disclosed, whether a third party or not;

"third party": a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;

"processor": a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

The processing of personal data
(Information according to Articles 13 and 14 GDPR)

1. What is our lawful basis for processing personal data / purpose of data processing

KSV1870 Information GmbH (hereinafter: 'we' and 'us') is a company operating as a credit bureau in accordance with the law. We have business licences in accordance with sec. 151 (list compilers and direct marketing companies), sec. 152 (credit bureaus), and sec. 153 (services in automatic data processing and information technology) of the Industrial Code (GewO). Our aim is to protect entrepreneurs against financial loss and promote their liquidity (creditor protection). For this purpose, we provide credit reports and create score models. In particular, credit reports include what are called personal profiles (PersonalProfileBusiness, PersonalProfileConsumer and PersonalProfileFinancial) as well as the InfoPass, which provides a description of the applicant's solvency and can be used by him or her as a certificate. We process personal data for this purpose. The purpose of data processing is to minimise the risk of payment defaults as best possible.

2. Where does the data processed by us come from?

2.1. Notice in accordance with Article 14 GDPR: The personal data we use to draw up credit reports and score models are taken from our databases (Business Database and CommercialCreditRecords [ComCR]). They contain data on the credit standing of companies, company officers and persons actively conducting business activities. The data from the CommercialCreditRecords (ComCR) come from providers in the consumer goods and insurance industry; the data from the Business Database originates from publicly accessible sources (including company register, the Austrian Business Licence Information System, the Edicts Archive, etc.) and from our own manual research using business partners, licensed credit bureaus and list compilers as well as the payment records of third parties. To the extent that our customers have access to the databases of KSV1870 Kreditschutzverband (ConsumerCreditRecords [ConCR] and warning list), data stored in these databases can also be used to draw up credit reports and score models. These databases contain information about financing facilities, credit or leasing details, registered payment issues, personal account details and/or personal loans and/or business accounts and/or commercial loans of natural persons. The data in the ConCR and the warning list comes from credit institutions, lending insurance companies and leasing companies.

2.2. Notice in accordance with Article 13 GDPR: We may also collect the data directly from you. We also process the personal data that you provide us with, for instance during a telephone call or in e-mail correspondence, if this data is needed to achieve the aforementioned purposes.

3. Which personal data do we process?

For our credit reports and score models, we process the following personal data:

  • your full name
  • your date of birth
  • your complete address (street name, street number, postcode, city/town)
  • your former names
  • your former address
  • any business records, like your positions as defined under commercial law
  • any interest held in companies
  • general information that can be taken from the company and the land registers
  • any information on insolvencies
  • any payment track records
  • any current and previous employments known
  • any other information which is publicly accessible or you provided us with that may be relevant to your credit standing

4. Lawful basis for data processing

Our customers order credit reports and score models so that they can better assess the risk that comes in (prospective) business relations. The main goal is to save them from having to grapple with the payment issues, non-payment and payment defaults of (prospective) customers.

The following provisions of the GDPR form the lawful basis for such data processing:

  • Article 6(1)(b) (necessary for performance of the contract);
  • Article 6(1)(f) (overriding interest consisting in achieving the aforementioned purposes).

5. Period of personal data storage

Your data is stored as long as needed to fulfil the above processing purposes or to ensure compliance with the legal retention periods, especially those set forth in sec. 152 Industrial Code (GewO), and to defend against any liability claims.

6. Potential recipients of personal data processed by us

In particular, your data may be transmitted to the following recipient and/or categories of recipients in the form of credit reports and score models:

  • persons and companies with a legal interest and authorised, specifically in light of the GDPR, to receive information
  • lawyers;
  • processors (Österreichische Post Aktiengesellschaft for postal services, KSV1870 Holding AG for IT services, Herold Business Data GmbH for master data research on companies, Atos-IT Solutions and Services GmbH for IT solutions);
  • companies of KSV1870 Group (Kreditschutzverband von 1870 when your account receivable must be filed in insolvency proceedings; KSV1870 Forderungsmanagement GmbH when your credit standing needs to be assessed in the scope of receivables management);
  • courts.

7. Transmission of personal data

It may become necessary to transfer personal data processed by us to third parties whose services we use and who we provide with data. Personal data is forwarded exclusively on the basis of the GDPR and, as a rule, within the EU. If activities outside the EU need to be undertaken in individual cases, your data may be transmitted to recipients outside the EU. We will undertake such transmission only if a relevant adequacy decision has been issued by the European Commission and/or suitable guarantees have been provided or the transmission requires no approval.

8. Profiling

We perform a profiling when drawing up score models. This involves makes predictions about future events on the basis of collected information and past experience. As a rule, our scores are calculated on the basis of the information on a data subject that we store. To the extent that the customer has access to the databases of Kreditschutzverband von 1870 (ConCR and warning list), information from these can also be taken into account for the score as required. Based on the entries stored about a person, this person is assigned to statistical groups of people for whom similar entries have been made in the past. The procedure employed is referred to as "logistic regression" and is a sound, tried-and-tested mathematical-statistics method used to forecast risk probabilities.

The following types of data is used to calculate scores. Not every type of data is used in every single score calculation:

  • general data (date of birth, addresses, for example)
  • previous payment records
  • data from public registers (insolvency information, company register, land register)
  • ConCR score issued by Kreditschutzverband von 1870 (if the customer is entitled to use it)
  • warning list of Kreditschutzverband von 1870 (if the customer is entitled to use it)

The following scores can be assigned to natural persons:

  • the RiskIndicator (assessment of the probability of a payment issue on the basis of the information available in the databases mentioned above to which the customer has authorised access)
  • the ConCR score (probability of a payment issue on the basis of information stored in the ConCR of Kreditschutzverband von 1870))

The scores help the contractual partners make decisions and feed into their risk management. Only a direct business partner can evaluate the risk and assess credit standing, because only they have extensive additional information – e.g. from a credit application. This is true even if the business partner relies solely on our score. In themselves, these scores are by no means sufficient grounds to refuse to conclude a contract.

9. Data security

We implement the technical and organisational measures required to protect the personal data we process, especially against unauthorised, illegal or accidental access by unauthorised persons, data tampering, loss or destruction. Our security measures are continuously improved to the state of the art.

9. Your rights ("data subject rights")

9.1. Right to access in accordance with Article 15 GDPR

The fair and transparent processing of data is important to us. In accordance with Article 15(1) GDPR, you have the right to obtain a confirmation on whether or not personal data is being processed and you have the right to access such information. This right of access allows you to establish which of your data is stored by us for the purpose of operating as a credit bureau and list compiler.

 9.2. Rectification

Data accuracy is our goal. According to Article 16 GDPR, you have the right to obtain, without undue delay, the rectification of any inaccuracy in your personal data and to request, with due consideration of the purposes of the processing, the completion of incomplete personal data - including by providing a supplementary notice, Proof for this must be provided in writing so as to ensure transparent processing.

9.3. Objection and erasure requests

Your objections in accordance with Article 21 GDPR will be assessed individually and dealt with in accordance with the relevant standards.

In the event of erasure requests in accordance with Article 17 GDPR, an assessment is performed to establish whether the available data is no longer needed for the purposes it was collected for and this data is deleted where appropriate.

9.4. Restrictions of processing

Article 18 GDPR also provides for the right to have processing restricted where one of the following applies: 

  • you contest the accuracy of the personal data, then processing is restricted for a period required by the controller to verify the accuracy of the personal data,
  • the processing is unlawful, and you oppose erasure of the personal data and request the restriction of their use instead.
  • we no longer need the personal data for processing purposes, but you yourself require the data for the establishment, exercise or defence of legal claims, or
  • you have objected to processing pursuant to Article 21(1) GDPR pending the verification whether our legitimate grounds override your grounds.

Where processing has been restricted in accordance with the above, such personal data may only be processed, but not stored, with the data subject's consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the European Union or of a member state.

9.5. Data Protection Authority

If you are of the opinion that the processing of your data is in breach of data protection law or your rights under data protection law have been otherwise infringed, you have the right to file a complaint with the Data Protection Authority; the address of the Data Protection Authority is Barichgasse 40-42, 1030 Vienna.

9.6.Data protection officer

You can reach our data protection officer at ksv1870.datenschutzbeauftragter@ksv.at