IBV Wohnungsunternehmen Erich Ross GmbH & Co.KG and ADRIA Vermögensverwaltung Erich Ross Gmbh & Co.KG
transmits personal data collected within the scope of this tenancy agreement related to the application for this tenancy agreement to SCHUFA Holding AG, Kormoranweg 5, 65201 Wiesbaden for the purpose of checking the creditworthiness of the prospective tenant prior to conclusion of the tenancy agreement as well as data concerning non-contractual or fraudulent behaviour during the contractual relationship.
The legal bases for these transfers are Articles 6(1)(b) and 6(1)(f) of the General Data Protection Regulation (GDPR). Transmission on the basis of Art. 6(1)(f) GDPR may only take place if this is necessary to safeguard the legitimate interests of IBV Wohnungsunternehmen Erich Ross GmbH & Co.KG and ADRIA Vermögensverwaltung Erich Ross GmbH & Co.KG or third parties and does not outweigh the interests or the fundamental rights or freedoms of the data subject which require the protection of personal data.
SCHUFA processes data, and uses data, for the purpose of scoring in order to provide its contractual partners in the European Economic Area and in Switzerland as well as other third countries (if a European Commission adequacy decision is available) with information for the assessment of the creditworthiness of natural persons, among other things. Additional information on SCHUFA’s activities can be found in the SCHUFA Information Sheet or online at www.schufa.de/datenschutz .
1. Name and contact details for the controller and the company
Data Protection Officer:
SCHUFA Holding AG, Kormoranweg 5, 65201 Wiesbaden, Tel.: +49 (0) 6 11-92 78 0
The SCHUFA data protection officer may be reached at the address listed above, attention Data Protection Department or by e-mail at firstname.lastname@example.org.
2. Data processing by SCHUFA
2.1 Purposes of data processing and legitimate interests pursued by SCHUFA or a third party
SCHUFA processes personal data in order to provide authorised recipients with information for assessing the creditworthiness of natural and legal persons. Scores are also calculated and transmitted for this purpose. It only makes this information available if a legitimate interest in such information has been credibly presented in a specific case and processing is lawful based on a weighing of interests. There is a legitimate interest in particular prior to entry into transactions that carry a financial risk of default. The creditworthiness check serves to protect recipients from losses in the lending business and at the same time makes it possible to protect borrowers from excessive indebtedness by providing advice. In addition, this data is processed for fraud prevention, legitimacy checks, money laundering prevention, identity and age checks, address identification, customer service or risk management as well as setting rates and conditions. SCHUFA will inform you of any changes to the purposes for which data is processed in accordance with Art. 14(4) GDPR.
2.2 Legal bases for data processing
SCHUFA processes personal data on the basis of the provisions of the General Data Protection Regulation. Processing is carried out on the basis of consent and on the basis. of Art. (1)(f) GDPR, insofar as processing is necessary in pursuit of the legitimate interests of the data controller, or of a third party, and does not outweigh the legitimate interests or fundamental rights and freedoms of the data subject. Consents can be withdrawn at any time vis-à-vis the respective contractual partner. This also applies to any consent granted before the effective date of the GDPR. The withdrawal of the consent does not affect the lawfulness of personal data processing performed prior to such withdrawal.
2.3 Origin of data
SCHUFA receives its data from its contractual partners. These comprise institutions, financial companies and payment service providers domiciled in the European Economic Area and in Switzerland as well as in other third countries (provided that the European Commission has issued a corresponding adequacy decision) that bear a financial default risk (e.g. banks, savings banks, cooperative banks, credit card, factoring and leasing companies) as well as other contractual partners who use SCHUFA products for the purposes specified under Section 2.1, in particular from the (mail order) trade, e-commerce, service, rental, energy supply, telecommunications, insurance or collection sectors. In addition, SCHUFA processes information from generally accessible sources such as public directories and official announcements (debtor directories, insolvency announcements).
2.4 Categories of personal data processed (personal data, payment behaviour and loyalty)
- Personal data, e.g. name (or previous name, if applicable, which may be disclosed upon separate request), first name, date of birth, place of birth, address, previous addresses
- Information on the initiation and execution of a transaction in accordance with the contract (e.g., current accounts, instalment credits, credit cards, accounts exempt from garnishment, basic accounts)
- Information on claims that are undisputed, due for payment and repeatedly dunned or claims reduced to judgement and their settlement
- Information on abusive or other fraudulent conduct such as identity or credit fraud
- Information from public registers and official notices
2.5 Categories of recipients of personal data
Recipients are contractual partners within the meaning of Section 2.3 domiciled in the European Economic Area, in Switzerland and, if applicable, in other third countries (provided that a corresponding European Commission adequacy decision is available for the respective partner). Additional recipients may include external contractors of SCHUFA according to Art. 28 GDPR as well as external and internal SCHUFA bodies. SCHUFA is also subject to the statutory powers of intervention on the part of state authorities.
2.6 Data retention
SCHUFA stores information about persons only for a certain period of time.
Necessity is the decisive criterion for determining the respective retention period. SCHUFA has set standard periods for reviewing the necessity of further retention or deletion of personal data. Based on these standard periods, the basic retention period for personal data is three years exactly from the date of completion. This notwithstanding, the following data is deleted:
- Information about queries, twelve months to the day
- Information about fully-compliant contract data on accounts that are documented without a legitimate claim (e.g. current accounts, credit cards, telecommunications accounts or energy accounts), information on contracts for which evidence verification is required by law (e.g. accounts that are exempt from garnishment, basic accounts) and guarantees and trading accounts held on the credit-side immediately after notification of termination.
- Data from debtor registers of the central enforcement courts, three years to the day, however at an earlier time if SCHUFA receives verification of earlier deletion by the central enforcement court.
- Information on consumer/insolvency proceedings or residual debt discharge proceedings three years to the day after the end of the insolvency proceedings or the grant of residual debt discharge. Deletion may be earlier in the case of specific cases subject to special consideration.
- Three years to the day in the case of information on the rejection of an insolvency petition for lack of assets, the removal of the security measures or the refusal of a discharge of residual debt.
- Personal prior addresses are retained three years to the day; thereafter, the necessity of continued retention is verified for a further three years. This data is then deleted on a daily basis unless a longer retention period is required for identification purposes.
3. Rights of data subjects
In relation to SCHUFA, every data subject has the right of access pursuant to Art. 15 GDPR, the right of rectification pursuant to Art. 16 GDPR, the right to erasure pursuant to Art. 17 GDPR and the right to restrict processing pursuant to Art. 18 GDPR. SCHUFA has set up a Private Customer Service Center for requests by data subjects which can be reached in writing at SCHUFA Holding AG, Private Customer Service Center, PO Box 10 34 41, 50474 Cologne, Germany, by telephone at +49 (0) 6 11-92 78 0 and via an online form at www.schufa.de. In addition, it is also possible to contact the supervisory authority responsible for SCHUFA, the Commissioner for Data Protection for the State of Hessen. Consents can be withdrawn at any time vis-à-vis the respective contractual partner.
Under Art. 21(1) GDPR, data processing may be objected to for reasons arising from the particular situation of the data subject.
An objection can be submitted informally and is to be addressed to
SCHUFA Holding AG, Privatkunden ServiceCenter, PO Box 10 34 41, 50474 Cologne.
4. Profile formation (scoring)
A SCHUFA report can be supplemented by a so-called “score”. Scoring is the process of forecasting future events on the basis information that has been collected and past experience. In general, SCHUFA calculates all scores on the basis of information stored by SCHUFA about a data subject; such information is also disclosed in a request for access pursuant to Art. 15 GDPR. In addition, SCHUFA takes the provisions of section 31 Federal Data Protection Act (BDSG) into account when computing a score. An assignment is made to statistical groups of persons who had similar entries in the past on the basis of stored entries about the person concerned. The method in use is called a “logistic regression” and represents a well-founded mathematical-statistical method for predicting risk probabilities that has long been tried and tested in practice.
The following types of data are used by SCHUFA to calculate scores, whereby not every data type is also included in every individual score calculation: General data (e.g. date of birth, gender or number of addresses used in business transactions), previous payment defaults, credit activity last year, credit usage, credit history length and address data (only if little personal credit-relevant information is available). Certain information is neither saved nor taken into account when scores are calculated, for example: Information on nationality or special categories of personal data such as ethnic origin or information on political or religious attitudes in accordance with Art. 9 GDPR. Similarly, the assertion of rights under the GDPR, e.g. reviewing information stored at SCHUFA in accordance with Art. 15 GDPR, has no influence on the score calculation.
The scores calculated in this manner aid contractual partners in decision-making and are incorporated into their risk management. The risk assessment, and the assessment of creditworthiness, is performed solely by the direct business partner, since only this business partner is in possession of significant additional information - for example from a credit application. This is the case even if it relies solely on the information and score values supplied by SCHUFA. However, by itself a SCHUFA score does not provide sufficient grounds to reject conclusion of a contract.
Additional information on credit scoring or the identification of unusual information is available at www.scoring-wissen.de.