Privacy Information on Fraud Prevention Pool (FPP) of CRIF Bürgel GmbH

1. Name and contact details for the controller/ participants in FPP / recipients of information

CRIF Bürgel GmbH, Leopoldstraße 244, 80801 München is data controller. Participants in FPP are only telecommunications (TC) service provider. CRIF Bürgel GmbH will provide information to the authorised recipients upon request.

2. Description of FPP procedure

The FPP operates according to the principle of reciprocity. According to this principle, only the participant who also process information to the FPP can receive information from the FPP. Processing of personal data to other companies is only possible on the bases of consent of the data subject.

When processing an order for the provision of a TC service for private individuals and companies that are not registered, FPP subscribers shall provide the FPP with the following inventory data in particular: Type of service, order or customer number, date of order, title, first name, last name, possibly trade/freelancer indicator, trade name, date of birth, street and house number, postal code and city as well as bank details and e-mail address. In the case of registered companies, the following inventory data in particular will be transmitted instead of the title, first name and surname, trade/freelancer indicator and trade name: Company, register number, register location and register name. During the term of the contract between the TC service provider and the customer, the FPP subscriber shall report to the FPP in particular the following data and characteristics: Change in inventory data, termination of the contract, blocking due to conspicuous usage behavior and the associated risk of non-payment, blocking due to unknown address, blocking due to insolvency proceedings, blocking due to suspected fraudulent name and/or address, blocking due to non-payment, activation stop due to behavior in violation of the contract. Other FPP subscribers will only receive information from the database if they have received an application from the same person/company for the provision of a TC service or if a customer relationship already exists with the person/company. In the case of a new request, FPP information may contain, for example: no data stored, number/contract date of contractual relationships of a certain period, references to previous blockings, information on payment experiences, payment features relevant to creditworthiness. In the case of an existing customer relationship, FPP information may contain, for example: Correction and/or deletion of inventory data, information on blocking, payment experiences, payment features relevant to creditworthiness and information that the person/company has become a customer of other FPP participants.

With the FPP, CRIF Bürgel GmbH also supports the recognition of conspicuous circumstances by calculating probability values (scoring). For this purpose, among other things, the inquiry behavior of the person concerned with business partners of CRIF Bürgel GmbH is examined for potential conspicuousness. In addition to inquiries of the past three years, which originate from the inquired data subject on the basis of CRIF Bürgel GmbH's knowledge of known manipulation patterns, this calculation can also include e.g. address data, age and/or gender in the score calculation.

The significance of a concrete FPP score value for the respective business partner of CRIF Bürgel is always decided by the business partner himself on the basis of the respective risk structure. For more information about the score on FPP visit www.crifbuergel.de/faq-scorewissen.

The FPP procedure does not affect the assessment of the creditworthiness check and the credit scoring in the CRIF Bürgel credit reference procedure.

You may find more detailed information about the operations of CRIF Bürgel GmbH in the CRIF Bürgel GmbH Fact Sheet or online at
www.crifbuergel.de/en/privacy.

3. Purposes of the FPP

The task of the FPP is to provide CRIF Bürgel GmbH contractual partners with information to protect them from bad debt losses, as well as for age verification and identity checks and for customer care. At the same time, the FPP is intended to give customers of telecommunications service providers the opportunity to have their own personal information registered via the respective service provider after an identity theft has taken place, thus protecting the customer from further misuse or from further consequences. CRIF Bürgel GmbH also uses the FPP information for the purpose of creating profiles (scoring) to provide its contractual partners in the European Economic Area and in Switzerland and, where applicable, third countries (if there exists an adequacy decision of the European Commission in respect of these) with information, among other things, for assessing the creditworthiness of natural persons.

4. Legal basis for the operation of the FPP

Legal ground for processing within the framework of the mutual exchange of information for the aforementioned purposes is Article 6(1)(b) and Article 6(1)(f) of the GDPR. Transfers based on Article 6(1)(f) of the GDPR may only take place insofar as this is necessary to safeguard the legitimate interests of the telecommunications service provider or third parties and does not override the interests or fundamental rights and freedoms of the data subject which require the protection of personal data. The exchange of data with CRIF Bürgel GmbH also serves to fulfil statutory obligations to carry out creditworthiness checks on customers (Sections 505a and 506 of the German Civil Code). Furthermore, information exchange of personal data from the FPP with non-TC service providers may take place on the basis of consents pursuant to Art. 6(1)(a) GDPR. The enrolments of victims of identity theft are also carried out in accordance with Art. 6(1)(a) GDPR.

5. Duration of data storage

CRIF Bürgel GmbH stores information about persons only for a certain period. The decisive criterion for determining this duration is the necessity of processing for the purposes described above. The storage periods are specified in detail in the "Rules of Conduct for the Verification and Deletion Periods of Personal Data by the German Credit Reporting Agencies", which can be viewed on the Internet at www.crifbuergel.de/code-of-conduct/.

According to this code, the basic storage duration of data relating to a person is three years to the day from the time of the completion of the reason for notification.

The following information, for example, is different to this and is deleted:

  • Data from debtor lists/records of central courts competent for execution are deleted after three years to the day, but are deleted prematurely if it is verified to CRIF Bürgel GmbH that the data have been deleted by the central court competent for execution.
  • Information on consumer/bankruptcy proceedings or proceedings for the discharge of residual debt is deleted exactly three years to the day after completion of the bankruptcy proceedings or discharge from residual debt. In special individual cases, earlier deletion is also possible.
  • Information on consumer/bankruptcy proceedings or proceedings for the discharge of residual debt is deleted exactly three years to the day after completion of the bankruptcy proceedings or discharge from residual debt. In special individual cases, earlier deletion is also possible.
  • Previous addresses are stored for exactly three years to the day. After this, a check is made to find out whether it is necessary to continue storing the data for a further three years. Following this, they are deleted to the day exactly unless longer storage is necessary for the purpose of identification.
  • The enquiry data in the FPP transmitted by the business partners for the aforementioned purposes under point 3 are stored for three years to the day and shown on the data copy (in accordance with Art. 15 GDPR) of the data subject.

6. Rights of the data subject

In relation to CRIF Bürgel GmbH, every person concerned has the right to information according Art. 15 GDPR, the right to correction according to Art. 16 GDPR, the right to deletion according to Art. 17 GDPR and the right to limitation of data processing according Art. 18 GDPR. Moreover, persons concerned have recourse to the supervisory authority that is responsible for CRIF Bürgel GmbH, namely the Bavarian Data Protection Authority. Consent can be withdrawn towards the contracting partner in question at any time.

Consent can be withdrawn towards the contracting partner at any time.

The company data protection officer of CRIF Bürgel GmbH can be contacted at the following address: CRIF Bürgel GmbH, Leopoldstraße 244, 80807 Munich, FAO Data Protection department or by email to datenschutz@crifbuergel.de.

According to Article 21 (1) GDPR, it is possible to object to data processing for reasons arising from the special situation of the person concerned (for example witness protection, women’s shelter). The objection can be made informally and is to be addressed to CRIF Bürgel GmbH, Data Protection, Leopoldstraße 244, 80807 Munich.

Version May 2021