SCHUFA Holding AG Data Privacy Information (under Article 13 GDPR)

Last updated: January 2019

1. Principles

Data privacy and data security for our contractual partners and for consumers have always had high priority for our company. For this reason the protection of your personal data during all our business processes is very important and of special concern to us. We respect personal privacy as a matter of course. As a rule our website can be used without the need for personal data to be entered. However, we may need your personal data to be able to provide our services. When we do this, we collect, process and use personal data to the extent allowed by law and necessary for handling or if you have given your consent.

2. Name and contact data for the controller responsible for processing as well as for the company data protection officer

In our function as controller we, SCHUFA Holding AG, Kormoranweg 5, 65201 Wiesbaden, Germany, take all the measures required by law to protect your personal data. You can contact our company data protection officer at the above address c/o Abteilung Datenschutz or by e-mail at .

3. Purpose of data processing, lawfulness and legitimate interests pursued by SCHUFA Holding AG as well as categories of personal data and categories of recipients

3.1. Visits to our website

Whenever you visit our website the browser you are using on your terminal device automatically sends information to the server of our website which is then stored temporarily in a so-called log file. We have no influence over this. The following information is then recorded without any action on your part and is stored until it is erased automatically:

  • The IP address of the requesting Internet-enabled device
  • The date and time of access
  • The name and URL of the retrieved file
  • The website/application from which access has been made (referrer URL)
  • The browser you are using and any operating system on your Internet-enabled computer as well as the name of your access provider

We use the IP address of your terminal device as well as the other data listed above for the following purposes:

  • Guarantee that the connection is established smoothly
  • Guarantee that our website can be used with ease
  • Evaluation of system security and stability

The data are stored for a period of 31 days and then erased automatically. We also use so-called cookies, tracking tools and social media plug-ins for our website. The precise processes which are used and how your data are used are explained in detail in chapter 7.

3.2 Processing of online inquiries data obtained from data subjects

We collect, process and use personal data to the extent that this is necessary to deal with your request. Personal data will be collected, processed and used by us to the extent necessary to process your request, for example to the extent necessary to process your request to initiate and conduct a conciliation procedure. We also use your personal data as part of this process to update our SCHUFA data inventory. More information about SCHUFA procedures can be found at schufa.de/datenschutz.

3.3 Processing of data relating to the use of contact forms for interested companies, registration forms for SCHUFA events, SCHUFA webinars and as part of marketing campaigns

We collect, process and use personal data where this is necessary for the purpose of providing the services we offer and for making contact as requested or the purpose of providing the services or information requested by you. We also use your data to provide you with offers by letter or by telephone relating to our products or the products of our cooperation partners.

3.4 Processing of media contact data

We collect, process and use personal data where this is necessary in order to provide information published by our company or to make contact with you as requested. We also use your data to inform you by e-mail or telephone about company innovations, such as by sending press releases. When we make contact with you we always bear in mind the relevance of our message and the key topic fields of your journalism.

3.5 Processing of data for sweepstakes

In the framework of sweepstakes, we use your data to provide information to winners and to advertise our offers. Detailed information is available in any conditions of participation in each sweepstake.

3.6 Processing of applicant data (e.g. when using our application form or at career fairs, etc.)

We collect, process and use personal data to the extent that this is necessary to deal with your application and or to make contact with you as requested.

3.7 Processing of data for advertising purposes, market research and opinion polling

3.7.1 Advertising purposes of SCHUFA Holding AG and third parties

If you have entered into a contract with us or we have listed you as a prospective customer, we process your address data and the criteria of advertising selection on the basis of Art. 6 (1) a) or f) GDPR in order to send you such information and offers from us and other companies. If you do not wish this to happen, you can object to the use of your data for advertising purposes at any time.

3.7.2 Use of data for market research and opinion polling

We also process your data for market research and opinion polling purposes. We use such data exclusively in anonymized form for statistical purposes and only for SCHUFA Holding AG. The answers you provide in surveys are not disclosed to third parties or published. We do not store answers to our survey questions with your e-mail address or with any other personal data. You have the right to object to the use of data for all or certain market research and opinion polling purposes at any time without incurring any other than basic rate charges for the telecommunication costs involved. A text message sent to the following contact data (e.g. by e-mail, fax, letter) is sufficient for this purpose. You will also, of course, find an unsubscribe link in all survey e-mails.

I consent to SCHUFA Holding AG processing and using my personal data for its own market research and opinion polling purposes.

3.7.3 Right to object

You have the right to object to the use of your personal data for all or certain advertising purposes at any time without incurring any other than basic rate charges for the telecommunication costs involved. A text message sent to SCHUFA Holding AG, Kormoranweg 5, 65201 Wiesbaden, Germany or to or by telephone on +49 (0)234 9761200 or by fax to +49 (0)611 9278359 is sufficient for this purpose.

If you object, the relevant contact address will be locked to prevent it being used for further advertising-related data processing. We point out that, in exceptional cases, advertising material may still be sent after you have lodged your objection. This is technically due to the required lead time for advertisements and does not mean that we are not responding to your objection. We appreciate your understanding in this matter.

4. Lawfulness

SCHUFA processes personal data on the basis of the provisions of the General Data Protection Regulation (including with the assistance of service providers). The basis for processing is consent and Art. 6 (1) b) and f) GDPR where processing is necessary for the performance of a contract to which the data subject is party or in order to take steps prior to entering into a contract or if processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interest of fundamental rights and freedoms of the data subject which require protection of personal data. Processing operations carried out by SCHUFA within the scope of a legal obligation to which it is subject are carried out in accordance with Art. 6(1)(c) GDPR. We process your address data and criteria for advertising selection on the basis of Art. 6 (1) f) GDPR in order to be able to send you information and offers from us and other companies. If you do not wish this to happen, you can object to the use of your data for advertising purposes at any time. You can withdraw your consent to SCHUFA at any time. This also applies to consent given before the GDPR came into effect. Withdrawal of consent does not affect the lawfulness of the processing of personal data prior to such withdrawal.

5. Categories of personal data

5.1 We process the data required within the framework of online enquiries by data subjects. This includes the following categories:

Personal data, such as name (possibly also including previous names which may be notified on separate application), first name, date of birth, place of birth, address, previous addresses and communication data, official identification data.

5.2 We process the necessary data relating to the use of contact forms for interested companies, registration forms for SCHUFA events, for SCHUFA webinars and contact forms as part of marketing campaigns. This includes the following categories:

  • Personal master data (title, first name, family name, address, function in company, company master data)
  • Communication data
  • Usage data
  • Handling data
  • Marketing data (e.g. consent)

5.3 We process the following data for sweepstakes:

  • Personal master data
  • Communication data
  • Consent data

5.4 We process the following data when managing applicants:

  • Personal master data (name, first name, address)
  • Communication data
  • Other data taken from application documents (e.g. enrolment certificates, references, information about marital status, etc.)

5.5 We process the following data on media contacts

  • Personal master data (name, first name)
  • Corporate data (medium, address)
  • Communication data (e-mail address, telephone, area of responsibility, position)

6. Categories of recipients of personal data

All information which you provide to us by making entries on these websites is stored on a server located in a country in the European Union (EU) and is redirected to the responsible functions within the company where your inquiries and wishes are processed. If your personal data are used to update the SCHUFA data inventory, these data are also made available to contract partners within the framework of SCHUFA’s services. More information about SCHUFA procedures can be found at schufa.de/datenschutz.

The service providers we use may also receive data from us to fulfil stipulated purposes. Such service providers may be companies which fall within the categories of IT services, printing services, marketing, sales or telecommunications.

When conducting conciliation proceedings, we send all required personal data to the SCHUFA ombudsman.

7. Online presence and website optimisation

7.1 Cookies – General information

Cookies are small files created automatically by your browser which are stored on your terminal device (laptop, tablet, smartphone or similar) when you visit our website. Cookies do not cause any damage to your terminal device and do not contain viruses, Trojans or any other malware. Information is stored in the cookie in connection with the specific terminal device used.

Some cookies may be used without your consent, others require your consent. Cookies which do not require your consent are those which are needed for you to use our online services or which are used for IT security purposes (essential cookies). The legal basis for the processing of these data is Article 6 (1) f) GDPR. Cookies which can only be used with your consent are those which help to make our online services more user-friendly for you (preference cookies) In this respect, we use cookies, for example, to determine whether you have already visited parts of our website or have already logged in to your customer account. We also use temporary cookies which are stored on your terminal device for a specific period of time in order to enhance user-friendliness. If you return to our website to use our services, we can automatically recognise your previous visit and the entries and settings you have made so that you do not have to make these entries and settings again.

We also use cookies to record statistically how our website is used and to optimise our offer for you and to show you information which is tailored to you specifically (marketing and statistics cookies). The legal basis for the processing of data with cookies subject to consent is Article 6 (1) a) GDPR. These data include page requests, length of time during which the website was visited, origin, country, etc. We analyse these statistical data in order to improve our offer and to review acceptance of particular websites. Invisible GIFs are only used to position elements on the website. No other functions are linked with the invisible GIFs used. These cookies are stored by your browser and usually erased when you close your browser. Most browsers accept cookies automatically. However, you can also configure your browser to not store any cookies on your computer or to always notify you before a new cookie is created. If, however, you disable cookies altogether, you may find that you are unable to use all the functions on our website. The period for which cookies are stored depends on their purpose and is not the same for all cookies.

We recommend that you log out completely after using computers that are configured to accept cookies and which are also used by other people.

You can check the cookies we use and manage the consent you may have given to us at any time quickly and simply here.

8. Period of data storage

We usually only store your data for as long as this is necessary for the purpose for which the data are being processed (e.g. handling the matter which is of concern to you or meeting statutory retention periods).

We store data for the purpose of carrying out the contract until the statutory or, where applicable, contractual guarantee and warranty rights have expired. Upon expiry of this period, we retain the information required under commercial and tax law relating to the contractual relationship for the periods stipulated by law. During this period (usually 10 years from the time at which the contract is made) the data are processed again solely for the purpose of inspection by tax authorities.

As a rule, all data associated with conducting conciliation procedures is stored for up to 10 years.

The period for which we store data for advertising purposes is not subject to rigid principles and is based on whether storage is required for advertising purposes or not. We adhere to the principle that data for advertising use is erased four years after the contract is terminated or four years after the end of marketing efforts. Objections to advertising are not erased.

We store data which we process during the recruitment process for up to six months after the end of the application process.

In special well-founded cases, we store data for longer periods of time as well, for example if they are required by a public authority or if the data are required for legal reasons, e.g. as evidence in a court case.

9. Recipients outside the EU

We transmit your data to recipient contractual and business partners based in other third countries (provided that a corresponding adequacy decision has been made by the European commission). When conducting conciliation procedures, no personal data collected as part of any such procedure is transferred to third countries. SCHUFA is also subject to the powers of intervention held by state agencies.

10. Your rights

10.1 Overview

In addition to your right to withdraw your consent to us you also have the following rights, subject to the legal requirements in each case:

  • Right of access to your personal data stored by us under Art. 15 EU GDPR
  • Right to rectification of inaccurate personal data concerning you or to have accurate but incomplete personal data completed under Art. 16 EU GDPR
  • Right to erasure of your personal data stored by us under Art. 17 EU GDPR
  • Right to restriction of processing of your personal data under Art. 18 EU GDPR
  • Right to data portability under Art. 20 EU GDPR

SCHUFA has set up a private customer service centre to deal with your concerns which can be contacted in writing at SCHUFA Holding AG, Privatkunden ServiceCenter, Postfach 10 34 41, 50474 Cologne, Germany, or by telephone on +49 (0)611 92780 and by using an online contact form. You can also contact the supervisory authority which is responsible for SCHUFA: the Hesse Data Protection Officer.

10.2 Right to object

Where the requirements stated in Art. 21 (1) GDPR apply, you can object to data processing on grounds relating to the data subject’s particular situation (e.g. women’s refuge, witness protection). Objection may be made informally and must be sent to SCHUFA Holding AG, Privatkunden ServiceCenter, Postfach 10 34 41, 50474 Cologne, Germany.

The above general right to object applies to all the processing purposes in this data privacy information subject to processing on the basis of Art. 6 (1) f) GDPR. In contrast to the special right of objection to the processing of data for advertising purposes, we are only required by the GDPR to implement such a general objection if grounds of overriding importance are given (e.g. potential risk to life or health). You can also contact the supervisory authority which is responsible for SCHUFA: the Hesse Data Protection Officer.

11. Information security

All the data transmitted by you personally are transmitted using the generally customary and secure SSL (Secure Socket Layer) standard. SSL is a secure and tried-and-tested standard which, for example, is also used for online banking. One of the distinguishing features of a secure SSL connection is the “s” at the end of http (i.e. https://. . .) in your browser’s address bar or the lock symbol at the bottom of your browser.