Information according to Art. 14 GDPR of CRIF GmbH regarding the credit bureau and information services
I. Name and contact data of the responsible office as well as of the company's data protection officer
CRIF GmbH, Victor-Gollancz-Str. 5, 76137 Karlsruhe, Germany, Telephone: + 49 721/255-110
The data protection officer of CRIF GmbH can be reached at the above address ("For the attention of Data Protection Department"), or by e-mail at: [email protected]
II. Data processing by CRIF GmbH
1. Purposes of data processing and valid interests that are pursued by CRIF GmbH or a third party
CRIF GmbH processes personal data in order to provide authorized recipients with information for assessment of the creditworthiness of individuals and legal entities. To this end, probability value are also calculated and transferred. CRIF GmbH makes the information available only if a legitimate interest in it has been credibly demonstrated and processing is permissible after consideration of all interests. There is a legitimate interest especially before engagement in business transactions involving a risk of financial default. The purpose of the creditworthiness check is to protect recipients against losses in credit business. The check simultaneously makes it possible to advise borrowers in order to protect them against excessive indebtedness. Data is also processed to support customers of CRIF GmbH in fraud and money laundering prevention, reputational and age verification, identity and address verification, customer care and monitoring, direct marketing or risk management, including KYC checks, sustainability and natural hazard risks, as well as pricing or conditioning. In addition to the aforementioned purposes, CRIF GmbH also processes personal data for internal purposes (e.g. assertion of legal claims and defence in legal disputes, general business management and optimisation of business processes as well as for the further development of services, products and scoring procedures, such as the use of machine learning, artificial intelligence and deep learning, ensuring IT security and IT operation). The legitimate interest in this results from the respective purposes and is otherwise of an economic nature (efficient task fulfilment, avoidance of legal risks).
2. Legal basis of data processing
CRIF GmbH processes personal data based on the stipulations of the EU General Data Protection Regulation. Processing is carried out either on the basis of consent pursuant to Art. 6 para. 1 letter a or on the basis of a balancing of interests pursuant to Art. 6 para. 1 letter f GDPR, insofar as processing is necessary to safeguard the legitimate interests of the controller or a third party and does not outweigh the interests or fundamental rights and freedoms of the data subject which require the protection of personal data. A legitimate interest exists in particular before entering into business transactions with financial default risk.
Consent can be withdrawn towards the contracting partner at any time. This also applies to consent already given before GDPR came into force. A withdrawal of consent does not affect the legality of the personal data processed before the withdrawal.
3. Data sources
CRIF GmbH obtains its data from its contracting partners. These are companies located in the European Economic Area or in Switzerland and, where appropriate, in other third countries in the areas of trade, service provision, leasing, energy supply, telecommunications, insurance or debt collection as well as credit institutes, providers of financial and payment services and other contracting partners that use products of CRIF GmbH for the purposes indicated in Section II.1. In addition, CRIF GmbH processes information from generally accessible sources such as public directories and official notices (commercial registers, debtors' directories, insolvency notices) as well as from EURO-PRO Gesellschaft für Data Processing mbH, Lindenhof 1-3, 61279 Grävenwiesbach, Germany (EURO-PRO), (more detailed information on EURO-PRO can be found online at www.europro.de/datenschutz. Furthermore, CRIF GmbH also receives data from CRIF GmbH, Rothschildplatz 3/Top 3.06.B, A-1020 Vienna, Austria, and CRIF AG, Hagenholzstrasse 81, 8050 Zurich, Switzerland.
4. Categories of personal data that are processed
a) Personal data, e.g. surname (if applicable prior names that may be provided upon special request), first name, date of birth, place of birth, address, prior addresses, e-mail address(es), telephone number(s)
b) Information regarding the initiation and execution of a transaction in accordance with the contract (e.g. Giro accounts, instalment loans, credit cards, garnishment-exempt accounts, basic accounts)
c) Information regarding undisputed, past-due claims subject to repeated dunning or reduced to judgement and their resolution
d) Information on postal (non-) accessibility
e) Information on the characteristics of functionaries including the beneficial owner in companies, associations or foundations
f) Information on personal data, which we take over in the context of a self-disclosure requested by the data subject, e.g. surname, first name, address, e-mail address(es), telephone number(s), video recording in our credit agency database
g) Device-data
h) Information on bank details
i) Proof of income
j) Information on purchasing behaviour (e.g. shopping baskets)
k) Indications of abusive or other fraudulent behaviour such as misrepresentation of identity or creditworthiness in connection with contracts for telecommunications services or contracts with credit or financial institutions (credit or investment contracts, current accounts)
l) Information from public registries and official publications
m) Probability values
n) Information on the determination of risks from chronic and acute natural hazards (e.g. heavy rain, flooding, landslide, cyclone, forest fire, sea level rise, soil erosion, drought) at the respective address (company, business premises or real estate)
o) Information on the assessment of a company's sustainability efforts on the basis of regulatory criteria on the environment, social standards and corporate governance (ESG) and industry-standard indicators (e.g. annual CO2 emissions, energy efficiency ratio, average weekly working hours, degree of unionisation, number of fatal accidents at work p.a.)
5. Categories of recipients of personal data
Recipients are contracting partners of the sectors of industry and commerce indicated in section II.3. In countries outside the European Economic Area, data are transmitted according to the requirements of the European Commission. CRIF GmbH may transfer your personal data to EURO-PRO Gesellschaft für Data Processing mbH, Lindenhof 1-3, D-61279 Grävenwiesbach, Germany (EURO-PRO) for the purpose of address identification. The legal basis for these transmissions is point (b) and point (f) of Art. 6 (1) DSGVO. EURO-PRO processes the data received and also uses them to provide its contractual partners in the European Economic Area and in Switzerland and, where appropriate, in other third countries (provided there is a decision on adequacy by the European Commission) with address information of natural persons. More detailed information on the activities of EURO-PRO can be found in the EURO-PRO information sheet or online at www.europro.de/datenschutz.".
Recipients of personal data may also be CRIF GmbH, Rothschildplatz 3/Top 3.06.B, A-1020 Vienna, Austria, and CRIF AG, Hagen-holzstrasse 81, 8050 Zurich, Switzerland. The CRIF companies in Austria and Switzerland process the transmitted data for the operation of their credit reporting and address trading business. More detailed information on data processing at CRIF GmbH in Austria can be found at: https://www.crif.at/datenschutz/), for CRIF AG in Switzerland the data protection information can be found at: https://www.crif.ch/dsgvo/
Further recipients can be external contractors of CRIF GmbH according to Art. 28 GDPR as well as external and internal CRIF offices. Many systems and technologies are shared within the CRIF group. This enables CRIF GmbH to offer its contractors a more secure and uniform service. Therefore, within CRIF group those companies and departments will have access to your data which they need to fulfil the contractual and legal obligations of CRIF GmbH or to fulfil their respective functions within CRIF group. In addition, data will be passed on within the CRIF group in compliance with the legal framework for the purpose of enriching and updating the data stock.
CRIF GmbH cooperates with technical service providers in order to provide their services for their contractual partners. If they process personal data of data subjects outside the European Union, this may result in the data being transferred to a country with a lower data protection standard than the European Union. In such cases CRIF GmbH will ensure that the service providers in question guarantee an equivalent level of data protection by contract or otherwise. CRIF GmbH is also subject to the legal powers of intervention of state authorities.
6. Duration of data storage
CRIF GmbH only stores information about individuals for a certain period of time. The decisive criterion for determining this period for the purposes listed above is necessity. The storage periods are set out in detail in a Code of Conduct of the association "Die Wirtschaftsauskunfteien e. V.", which can be viewed on the Internet at www.crif.de/code-of-conduct. CRIF GmbH has signed up to these rules of conduct approved by the supervisory authorities.
III. Rights of the data subject
In relation to CRIF GmbH, every person concerned has the right to information according Art. 15 GDPR, the right to correction according to Art. 16 GDPR, the right to deletion according to Art. 17 GDPR and the right to limitation of data processing according Art. 18 GDPR. In addition, it is possible to contact the supervisory authority responsible for CRIF GmbH, the Landesamt für Datenschutz und Informationsfreiheit in Baden-Württemberg, Postfach 10 29 32, 70025 Stuttgart. Consent can be withdrawn towards the contracting partner in question at any time.
According to Art. 21 (1) GDPR, it is possible to object to data processing for reasons arising from the special situation of the person concerned (for example witness protection, women’s shelter). The objection can be made informally and is to be addressed to CRIF GmbH, Data Protection, Victor-Gollancz-Str. 5, 76137 Karlsruhe, Germany.
IV. Profile development (scoring)
Before entering into business transactions with a financial risk, business partners would like to be able to estimate as reliably as possible whether the obligations to pay can be fulfilled. By providing information and by means of so-called probability values (scores), CRIF GmbH helps companies to make decisions and to quickly process everyday credit transactions.
This involves making a forecast of future events ("scoring") based on available information and past experience. At CRIF GmbH, probability values are primarily calculated based on the information on a data subject that CRIF GmbH has stored and that can be shown in future as part of the information provided in accordance with Art. 15 GDPR. Based on the stored entries relating to a person and the other data, the person is assigned to statistical groups of people who have demonstrated similar payment behavior in the past (“score calculation”). Machine learning methods, such as logistic regression, are used to develop the statistical model of such an assignment ("score model"). The machine learning procedures used by CRIF GmbH are well-founded, mathematical-statistical methods for the prognosis of risk probabilities or fulfilment probabilities that have been tried and tested in practice for many years.
The probability if a person will repay a mortgage loan does not need necessarily to correspond with the probability if the person will pay an invoice for a mail order purchase on time. For this reason, CRIF GmbH offers its contractual partners a variety of industry-specific score models. Scores are constantly changing given that the information stored about a person by CRIF GmbH is subject to change as well. For example, new information is added whereas other information is deleted in line with applicable retention periods. In addition, information itself changes over time (e.g. the duration of a business relationship), so that changes may occur even without considering new information.
Please note: CRIF GmbH itself does not make any relevant decisions within the meaning of Art. 22 GDPR. It merely supports its affiliated contractual partners with its information in their decision-making process regarding the conclusion, execution or termination of a contractual relationship. The risk assessment and evaluation of creditworthiness is carried out solely by the recipient of the information (CRIF's affiliated contractual partner), as only the latter has access to a large amount of additional information.
You can also visit our website www.crif.de/en/privacy to read the latest status of our information sheet according to Art. 14 GDPR.
Status 02/2025
