The rules of conduct for check and deletion periods for personal data set by German Credit Bureaux are summarised in the Code of Conduct of 25 May 2018.
I. Preliminary remark
The association "Die Wirtschaftsauskunfteien e.V." (hereinafter "DW") represents the interests of the large credit bureaux.
The companies that accede to these rules of conduct are obliged to comply with these from the point in time of accession. The association will document the accession of the company and disclose this in a suitable form.
Members include the companies Bisnode Deutschland GmbH, Creditreform Boniversum GmbH, CRIF Bürgel GmbH, IHD Gesellschaft für Kredit- und Forderungsmanagement mbH, infoscore Consumer Data GmbH, SCHUFA Holding AG and Verband der Vereine Creditreform e.V.
The purpose of the association is to bundle the interests of credit bureaux through a voluntary aggregation of companies and business associations that are active in this branch and to promote these interests through common goals. The association represents the interests of its members in that it takes positions on topics that are of importance to members’ activities towards the supervisory authorities, the German Federal States, ministries of state and political decision-makers.
Furthermore, one important concern of the association is to set quality standards for the branch. This primarily relates to data protection, which is of particularly great importance to credit bureaux.
The European General Data Protection Regulation (GDPR) has largely superseded the German Federal Data Protection Act (BDSG). When the GDPR came into force, its effects included the cancellation of regulations relevant to data processing carried out by German credit bureaux. This also includes the check and deletion periods previously contained in Section 35 (2) 2) 4 of the BDSG (previous version). Through a review after three or four years, these periods were intended to establish whether a longer storage duration was still required. As a rule, this resulted in the deletion of matters that were no longer relevant. Conversely, however, the periods stipulated in Section 35 (2) 2) 4 of the BDSG (previous version) also recognised that storage within those periods was in any case necessary and served legitimate interests. Although the GDPR retains the principle of necessity in Art. 5 (1) e), it does not include any defined check periods. However, in order to actually ensure the necessity review, Recital 39 nevertheless assumes that the controller provides corresponding periods.
To clarify, it must be pointed out that the precise deletion provided in the following text also includes deletion on the effective date following a weekend.
These rules of conduct do not preclude a special review in an individual case on application by the data subject (as per Art. 17, 21 of the GDPR).
Consequently, in agreement with its members, and in the interests of legal certainty when processing data permissibly drawn on to check creditworthiness, the Association DW has formulated the periods detailed below for a review of the necessity to delete personal data stored as master data. The periods stipulated here create uniform standards and establish a voluntary obligation of the members to comply with the rules set in this document and to align themselves with these rules of conduct.
The rules of conduct specified here will offer data subjects a guarantee that
- data protection issues will continue to be very important in the credit bureaux branch, including after the GDPR came into force on 25 May 2018,
- storage of their personal data in compliance with data protection law, because it is aligned with necessity, will be carried out by bringing the legitimate interests of data subjects and the controller into harmony, and
- there will also continue to be transparency for them with regard to the check and deletion periods practised by credit bureaux and that fair processing will be carried out as a result.
The rules of conduct specified here relate to the processing of personal data by member companies in Germany; these rules do not make any statement about storage and deletion periods for the processing of personal data outside Germany.
These rules of conduct do not contain any rules about the material authorisation to store personal data. The rule for storage and deletion periods also does not indicate the legality of the storage of data.
The following deletion and storage periods apply notwithstanding whether the underlying data was collected and stored on a legal basis or on the basis of consents.
The rules of conduct will be expanded step-by-step to cover additional circumstances with data protection relevance.
II. Check and deletion periods for personal data
1. Personal data about due, outstanding and undisputed debts:
a) Personal data about due and undisputed debts will remain stored as long as their settlement has not been reported; the necessity of continued storage will be reviewed three years (precisely) after the occurrence of the relevant incident (e.g. first registration of the debt or balance update).
b) Personal data will be deleted precisely three years after the settlement of the debt.
Notwithstanding this, an individual review will be carried out whether the storage of the data is still necessary on application by the data subject (Art. 17 (1) a) of the GDPR).
2. Personal data which is based on entries in the debtor book or publications about (consumer or regular) insolvency proceedings:
a) Data from the debtor books of the central courts of execution (entries pursuant to Section 882c (1) 1) 1 – 3 ZPO) will be deleted precisely three years after entry in the debtor book, or earlier if the central court of execution proves/reports a deletion to the credit bureau.
b) Information about (consumer or regular) insolvency proceedings or discharge of residual debt proceedings will be deleted precisely three years after the end of insolvency proceedings or the issue of the discharge of residual debt.
Information about
- the rejection of an insolvency application due to lack of assets,
- the cancellation of security measures or
- the refusal of the discharge of residual debt
will be deleted after precisely three years.
3. Personal data about continuing obligations (contractual data) that are at risk of financial default due to an advance payment:
a) Information about disruption-free contractual data about credit relationships that are documented with the debt thus established (in particular loans, financing assistance, contracts for delivery in instalments or part-payments), will remain stored until the outstanding debt thus established has been settled; if the settlement of these is reported, the personal data will be deleted precisely three years afterwards.
b) Information about disruption-free contractual data about accounts that are documented without an establishing debt (e.g. current accounts, credit cards, telecommunications accounts or energy accounts), will remain stored as long as the accounts exist; if the termination of these accounts is reported, the information will be deleted.
c) Information about contracts for which the evidence review is legally stipulated (such as for exemption from execution accounts or basic accounts), will remain stored as long as these exist; if their termination is reported, the information will be deleted.
d) Information about securities will be deleted as soon as the termination of the security is reported.
e) Trading accounts that are kept on the credit side will be deleted after precisely three years, after all debts have been repaid.
After execution as per the preceding rules, the aforementioned data must be deleted immediately on application by the data subject.
4. Other data:
a) Person-related previous addresses will remain stored for precisely three years; subsequently, the necessity of continued storage for a further three years will be reviewed. These addresses will then be deleted on the precise date if a longer storage period is not required for the purposes of identification.
b) Information about the misuse of an account or a card by the legal account holder will be deleted after precisely three years.
d) Disclosures about third-party enquiries will be stored for at least one year and for a maximum of precisely three years. After the end of one year, disclosures about these enquiries must be deleted on application by the data subject.
e) The necessity for continued storage of data relating to a person that was taken from other public/publicly accessible sources will be reviewed after three years at the latest. In cases with completion, such as an amendment in or deletion from the commercial register, the personal data will be deleted after three years.
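The periods in Section II, together with the weekend rule from the preliminary remark, expressed as a small retention-schedule calculator. This is an added illustration, not part of the Code of Conduct or of any member company's system; the roll-forward of a Saturday or Sunday deadline to the following Monday is an assumed reading of the weekend remark, and all sample dates are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Action:
    kind: str   # "review" (necessity check) or "delete"
    due: date   # latest day on which the action still counts as "precise"


def add_years(d: date, years: int) -> date:
    """Same calendar day `years` later; 29 February falls back to 28 February."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def precise(d: date) -> date:
    """Preliminary remark: a period ending on a weekend may be honoured on the
    following Monday (assumed reading: Saturday/Sunday roll forward to Monday)."""
    return d + timedelta(days=(7 - d.weekday()) % 7) if d.weekday() >= 5 else d


def debt(registered: date, settled: Optional[date]) -> Action:
    """II.1: unsettled debt -> necessity review 3 years after registration;
    settled debt -> deletion 3 years after settlement."""
    if settled is None:
        return Action("review", precise(add_years(registered, 3)))
    return Action("delete", precise(add_years(settled, 3)))


def debtor_book(entry: date, court_deletion: Optional[date]) -> Action:
    """II.2a: 3 years after entry, or earlier as soon as the court reports deletion."""
    due = precise(add_years(entry, 3))
    if court_deletion is not None and court_deletion < due:
        due = court_deletion
    return Action("delete", due)


def third_party_enquiry(disclosed: date, applied: Optional[date]) -> Action:
    """II.4d: kept at least 1 year and at most 3; after the first year an
    application by the data subject forces deletion."""
    if applied is not None:
        return Action("delete", max(applied, precise(add_years(disclosed, 1))))
    return Action("delete", precise(add_years(disclosed, 3)))


def sample_schedule() -> dict:
    """Constructed sample records (not real data); returns ISO dates for checking."""
    cases = {
        "debt_settled_weekend": debt(date(2020, 3, 2), date(2021, 6, 1)),
        "debt_open_leap_day": debt(date(2020, 2, 29), None),
        "debtor_book_court_report": debtor_book(date(2022, 1, 10), date(2023, 4, 3)),
        "enquiry_no_application": third_party_enquiry(date(2022, 3, 1), None),
        "enquiry_early_application": third_party_enquiry(date(2022, 3, 1), date(2022, 9, 1)),
    }
    return {k: (a.kind, a.due.isoformat()) for k, a in cases.items()}
```

The 1 June 2024 and 1 March 2025 deadlines in the sample fall on a Saturday, so the calculator reports the following Monday as the last day that still counts as precise.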
III. Reviewing compliance with the deletion periods set here
The companies that accede to these rules of conduct guarantee that compliance with the check and deletion periods set here can be reviewed at any time. The Association DW shall – regardless of the tasks and authorisations of the relevant company Data Protection Officers and competent supervisory authorities – appoint a position accredited by the competent supervisory authority as per Art. 41 (1) of the GDPR to monitor compliance with these rules of conduct. At the choice of the Association DW this position may involve an external position that holds the required accreditation or an appropriate position within the Association.
1. DW will appoint a control position for the monitoring, which
a. must have demonstrated its independence and specialist knowledge with regard to the object of the monitoring to the satisfaction of the competent supervisory authority;
b. has proven to the satisfaction of the competent supervisory authority that its tasks and obligations do not lead to a conflict of interests;
c. has appropriate financial and personnel resources depending on the number, size and complexity of the companies to be monitored, as well as the risk content of the data processing, and has proven this to the satisfaction of the competent supervisory authority;
d. uses its own employees to carry out the core tasks of the monitoring and not subcontractors;
e. has provided a concrete contact and their contact details to the competent supervisory authority for monitoring purposes;
f. provided an internal monitoring position within the Association is involved, is organisationally separate up to the level below the management board inclusive from the other areas of the Association; in this case DW shall ensure that the internal monitoring position can act free of instructions and is protected from any sanctions within the scope of the fulfilment of its tasks.
2. The control position tasked to monitor these rules of conduct fulfils the tasks and obligations detailed below:
a. Continuous monitoring as well as an annually rotating review of an appropriate number of the acceded companies depending on the risk content of the data processing and identified focal points of complaints, as well as a case-specific review of the relevant acceded company (in particular in the event of complaints with regard to alleged non-compliance with these rules of conduct by an acceded company).
b. Regular and case-specific monitoring of the suitability of these rules of conduct. This includes a conceptual review of whether these rules of conduct are practicable, sufficiently precise and have been formulated comprehensively, cover the need for regulation and are accepted in practice.
c. Case-specific requirement to provide information without delay about the actions taken and their justification both to the management board of the affected company and also to the data protection supervisory authority with competence for the affected company. The control position will be enabled to have a direct reporting path to the management board of the acceded companies.
d. The control position is entitled to all the investigation authorisations required to fulfil the tasks. The acceded companies shall provide the information required for this purpose on demand. The position shall receive access to all personal data, processing procedures and other information that is necessary to fulfil its tasks. In addition, the acceded companies shall allow the position access to the business premises, including all data processing facilities. The control position may also conduct investigations in the form of data protection reviews. The investigation authorisations also exist towards processors of the acceded companies, as well as towards third parties in accordance with Art. 4 (10) of the GDPR.
e. The control position shall document its investigation activities and shall take, if required, suitable actions towards the acceded companies to ensure compliance with the rules of conduct set here and that DW – in coordination with the competent supervisory authority – further develops these rules.
f. In the event of any breaches of these rules of conduct by an acceded company the control position shall take suitable actions with the aim of preventing the identified breach and avoiding any recurrence. The position shall treat all information about companies and natural persons (including data subjects and complainants) in confidence and keep this information secret. The control position shall be authorised to forward information to the competent supervisory authority insofar as such forwarding is required to fulfil its tasks and obligations. The position shall inform the management board of the affected company, as well as the supervisory authority with competence for the company, in the event any breaches of these rules of conduct are identified about the actions taken and their justification, without undue delay.
g. The control position has the right to exclude acceded companies from these rules of conduct in the event of repeated breaches, or in the case of non-remedy of identified breaches of these rules of conduct.
IV. Miscellaneous
- Reservation clause
These rules of conduct, as well as the monitoring rules set in Section III., apply subject to legal amendments that affect their regulatory content or any rulings to the contrary at European level (European Data Protection Commission, European Court of Justice).
- Evaluation
These rules of conduct apply until 25 May 2024. Two years before expiry at the latest the Association DW shall submit a written evaluation report to the competent supervisory authority.
If the supervisory authority does not raise any objections, these rules of conduct shall be renewed for a further six years.