Data protection information according to Article 13, 14 GDPR
With the following information, we would like to inform you about the processing of your personal data and give you an overview of your rights according to the EU General Data Protection Regulation (GDPR). Please note that not all parts of the following information will apply to you, as the question of which data is processed in detail and how it is used depends largely on the agreed services.
I. Who is responsible for data processing
Verantwortlich für die Datenverarbeitung ist
Düsseldorfer Straße 15
II. What data do we use and where does it come from?
In the context of the business relationship, we process the following personal data relating to you
- Personal details (name, address and other contact details, date of birth)
- E-mail address
- Legitimation data (e.g. ID-Document data)
- Information about your financial situation (e.g. creditworthiness data, scoring or rating data, origin of assets)
- Credit-relevant data (e.g. income and expenditure)
- Advertising and sales data (incl. advertising scores)
- Documentation data (e.g. counseling protocol)
- as well as other data that is comparable to the categories mentioned above
We usually obtain the aforementioned personal data directly from you in the course of our business relationship. In addition, we process – insofar necessary for the provision of our services – personal data which we obtain from publicly accessible sources (e.g. debtors’ registers, land registers, commercial and association registers, press, internet) or which is transmitted to us by other companies of the group or by other third parties.
III. What do we process your data for (purpose of processing) and on what legal basis?
We process personal data in accordance with the provisions of the EU Data Protection Regulation (GDPR) and the Federal Data Protection Act (BDSG). Within the scope of our business relationship, you must provide the necessary personal data, as without the presence of this data we will not be able to conclude, execute, and terminate a contract with you.
1. Fulfilment of contractual obligations (Article 6 para. 1 p. 1 lit. b GDPR)
The processing of your data is carried out for the provision and mediation of our services within the framework of the implementation of our contracts with our customers or for the implementation of pre-contractual measures, which are carried out upon request.
2. Consent (Article 6 para. 1 p.1 lit. a GDPR)
The processing of your personal data for specific purposes (e.g. forwarding of data within the group, evaluation of payment transaction data for branding purposes, photographs within the scope of events, newsletter dispatch) is lawful provided that you have consented to this processing. Consent granted can be revoked at any time. This also applies to the revocation of declarations of consent given to us before the application of the GDPR, i.e. prior to 25 May 2018. We would like to point out that the revocation of consent only takes effect for the future and does not affect the lawfulness of the data processed until the revocation.
3. Assessment of interests (Art. 6 para. 1 p.1 lit. f GDPR)
Where necessary, we will process your data beyond the scope of the fulfilment of the contract to protect the legitimate interests of us or third parties. Examples:
- Consultation of and data exchange with credit agencies (e.g. SCHUFA) to determine creditworthiness or default risks in the credit business and the need for garnishment protection or basic account.
- Examination and optimization of procedures for demand analysis for the purpose of direct customer contact, further development of services and products as well as market and opinion research, insofar as you have not objected to the use of your data.
- Advertising or market and opinion research insofar as you have not objected to the use of your data.
- Assertion of legal claims and defense in legal disputes
- Ensuring IT security and IT operations
- Prevention and investigation of criminal offenses
- Measures for business management and further development of services and products
- We send promotional information on the basis of our legitimate interest (exception for existing customers of § 7 III UWG and/or Article. 6 para. 1 p. 1 lit. f GDPR).
- Your data will be deleted once it is no longer required to accomplish the purpose for which it was collected.
- We would like to point out that you can, at any time, object free of charge to the future processing of your data under the legal requirements pursuant to Art. 21 DSGVO. The objection can be made in particular against the processing for purposes of direct advertising within the context of Section 7 III of the German Unfair Competition Act (UWG).
- The objection can be submitted to us without any formalities.
4. Legal requirements (Article 6 para. 1 sentence 1 lit. c GDPR) or public interest (Article 6 para. 1 sentence 1 lit. e GDPR)
In addition, we are subject to various legal obligations, i.e. statutory requirements (e.g. German Banking Act, Money Laundering Act, Securities Trading Act, tax laws).
IV. Data access: Who can access my data?
Within the company, access to your data is granted to those departments that need it to fulfill our contractual and legal obligations. Service providers and vicarious agents employed by us may also access data for these purposes. These are in particular the following companies: IT services, logistics, printing services, telecommunication, debt collection, consulting as well as sales and marketing.
In the event that data transfer to third parties outside our company is necessary, it will only take place if it is required by legal provisions, the customer has consented or there is a legitimate interest.
Further data recipients may be those bodies for which you have granted us your consent to transfer data to or for which you have released us from the obligation of confidentiality under the agreement or consent or to which we are authorized to transfer personal data based on a balancing of interests.
V. Data transfer to a third country or to an international organization
Data is transferred to bodies in countries outside the European Union (so-called third countries) insofar as
- it is necessary for the execution of your orders
- it is required by law (e.g. reporting obligations under tax law) or
- you have consented.
VI. How long will my data be stored?
We process and store your personal data as long as it is necessary for the fulfillment of our contractual and legal obligations.
If the data is no longer required for the fulfillment of contractual or legal obligations, it is routinely deleted, unless its – temporary – further processing is necessary for the following purposes:
- Fulfillment of retention obligations under commercial and tax law, which may result, for example, from: Commercial Code (HGB), Fiscal Code (AO), Banking Act (KWG), Money Laundering Act (GwG), and Securities Trading Act (WpHG). The periods specified for storage and documentation in these Acts is normally two to ten years.
- preservation of evidence within the framework of the statutory limitation provisions. According to §§ 195 ff of the German Civil Code (BGB), these limitation periods can be up to 30 years, with the regular limitation period being 3 years.
VII. What data protection rights do I have?
As an affected person you have
- the right to information according to Article 15 GDPR (with the restrictions according to §§34 and 35 BDSG-Neu)
- the right of rectification under Article 16 of the GDPR
- the right to deletion according to Article 17 GDPR (with the restrictions according to §§34 and 35 BDSG-neu)
- the right to restriction of processing under Article 18 of the GDPR
- the right to data transferability under Article 20 of the GDPR
- and the right to object under Article 21 of the GDPR. If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights, and freedoms, or the processing serves the assertion, exercise, or defense of legal claims.
There is also a right of appeal to a responsible data protection supervisory authority (Article 77 GDPR in conjunction with Section 19 BDSG-neu).
VIII. Is there an obligation to provide data?
Within the scope of our business relationship, you must provide the personal data that is required for the establishment, implementation, and termination of a business relationship and for the fulfillment of the associated contractual obligations or which we are legally obliged to collect. We would like to point out that without the presence of this data we will not be able to conclude, execute, and terminate a contract with you.
IX. Does automated decision-making take place?
Eine automatisierte Entscheidungsfindung i.S.d. Art. 22 DSGVO zur Begründung und Durchführung der Geschäftsbeziehung wird grundsätzlich nicht eingesetzt. Sollten wir diese Verfahren in Einzelfällen einsetzen, werden wir Sie hierüber und über Ihre diesbezüglichen Rechte gesondert informieren, sofern dies gesetzlich vorgegeben ist.
X. Is profiling taking place?
We do not use automated profiling as part of the business relationship.
XI. Information about your right to object according to Article 21 GDPR.
1. Right to object on a case-by-case basis
You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you which is carried out on the basis of Article 6(1)(e) of the GDPR (data processing in the public interest) and Article 6(1)(f) of the GDPR (data processing on the basis of a balance of interests); this also applies to profiling based on this provision within the meaning of Article 4(4) of the GDPR.
If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights, and freedoms, or the processing serves to assert, exercise, or defend legal claims.
2. Right to object to processing of data for direct marketing purposes
In individual cases, we process your personal data for the purpose of direct advertising. You have the right to object at any time to the processing of personal data concerning you for the purpose of such advertising; this also applies to profiling, insofar as it is associated with such direct advertising. If you object, no further data processing for direct advertising purposes will take place.
3. Addressee for an opposition
The objection can be sent to us without any formalities.