Privacy Policy ACREDIA Versicherung AG

Information on data processing pursuant to Articles 13 and 14 GDPR (EU General Data Protection Regulation)

Please note: The English translation of the original German text is provided as a convenience only. Although it was prepared with great care, we cannot guarantee its accuracy or completeness. Only the original German version is legally binding.

ACREDIA Versicherung AG (hereinafter: “ACREDIA” or “we”) is the leading credit insurer in Austria. ACREDIA is owned by a management holding company – 49% is held by Euler Hermes AG, Hamburg and 51% by Oesterreichische Kontrollbank AG (“OeKB”), Vienna. OeKB is a key financial and information service provider for Austria’s export economy and the Austrian capital market. The Euler Hermes Group (“Euler Hermes”) is the world’s largest credit insurer and belongs to the Allianz Group.

ACREDIA is solely active in the business-to-business (B2B) segment. All of ACREDIA’s customers are companies.

We are committed to the protection of your personal data. We handle your data with care and protect them against misuse. We keep your personal data confidential and only use them for the stated purposes.

We comply with the applicable regulations on protection, lawful handling and confidentiality of personal data and on data security, in particular the Austrian Data Protection Act (“DSG”), the EU General Data Protection Regulation (“GDPR”) and the Austrian Telecommunications Act (“TKG”).

  • General information
  • “What are personal data?” and definitions of other key data protection terms
  • Who is the controller and who can you contact?
  • Which data are processed?
  • What are the sources of the processed data?
  • For which purposes and on what legal basis are your data processed?
  • Who receives your data?
  • Why do data need to be shared for performance of the contract?
  • Are your data transmitted to a third country?
  • How long will we retain your data for?
  • What rights do you have?
  • Are you obliged to provide data?

General information

This Privacy Policy informs you about the processing of your personal data and your entitlements and rights under data protection law, in particular the EU General Data Protection Regulation (GDPR).

“What are personal data?” and definitions of other key data protection terms

For ease of understanding, an explanation is first given of a number of key data protection terms (Article 4 GDPR).

What are personal data?

Personal data are any information relating to an identified or identifiable natural person (“data subject”). An identifiable natural person is one who can be identified, either directly or indirectly, for example by reference to an identifier such as a name or identification number, e.g. IBAN or VAT identification number. Data of legal persons and registered business partnerships (e.g. companies in Austria with the legal form “OG” or “KG”) are not protected by the GDPR, unless the company name enables an individual to be identified. Data of companies that are not legal persons (e.g. sole proprietorships) are, however, protected by the GDPR as natural persons.

What does the processing of data comprise?

“Processing” means any operation performed on personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure (by transmission, dissemination or otherwise making available), alignment or combination, restriction, erasure or destruction.

Who is a controller?

“Controller” means a natural or legal person that, alone or jointly with others, determines the purposes and means of the processing of personal data. As an insurer, we are a controller, for example.

Who is a processor?

“Processor” means a natural or legal person that processes personal data on behalf of the controller. The processor works solely on the basis of the controller’s instructions, is not authorised to make decisions about the data and does not pursue its own business objectives with respect to the personal data.

Who is the controller and who can you contact?

The controller for processing of your data is:

Acredia Versicherung AG
Himmelpfortgasse 29
1010 Vienna, Austria
Telephone: +43 (0)50102-0
Email: office@acredia.at

If you have any queries concerning data protection, please do not hesitate to contact our data protection staff by sending a letter to the “Datenschutzbeauftragter” (Data Protection Officer) at the above address or by sending an email to datenschutz@acredia.at.

Which data are processed?

We primarily process data of our policyholders and their customers and of insurance intermediaries and assignees. Those data are required in particular for (pre-) contractual needs analysis and risk analysis, for providing advice and for drawing up and performing the contract with you.

We process the following personal data in particular:

  • form of address, title, name, position (“contact person”)
  • address, email address, telephone number and fax number (“contact details”)
  • company name and address, commercial register data, VAT identification number (“business partner”)
  • company name and address, commercial register data, VAT identification number, data for proof of identity, bank account details (“policyholder”)
  • turnover data, payment terms, data and measures for collection of receivables (“receivables data”)
  • commercial register data, company indicators, balance sheet data, payment record, affiliated companies, data for collection of receivables, insolvency information and credit reports (“creditworthiness data”)
  • content of the insurance contracts, documentation (“contract details”)
  • receivables data, insured event, measures for loss minimisation (“claim data”)
  • data from electronic services and use of the “ACREDIA website” (“online data”)
  • advertising and sales data (“marketing data”)
  • data processing results for fulfilment of contracts (“processing results”)
  • data for fulfilment of statutory and regulatory requirements

ACREDIA will only collect personal data that are necessary for entering into and performance of the business relationship with you or which ACREDIA is required to collect pursuant to statutory or regulatory provisions.

ACREDIA does not process any special categories of personal data (Article 9(1) GDPR).

What are the sources of the processed data?

We process personal data that you either disclose to us yourself, in particular in the scope of our business relationship, or that we obtain from third parties.

We collect the following categories of personal data in particular:

  • data that you actively disclose to us
  • information that we lawfully receive from third parties, especially credit agencies (e.g. KSV1870 or CRIF GmbH), and from public sources (e.g. commercial register, land register, insolvency records) or that are lawfully transmitted to us (e.g. by Acredia Services GmbH or by companies belonging to the Euler Hermes Group)

If you disclose personal data to us, we assume that you are entitled to share those data with us.

For which purposes and on what legal basis are your data processed?

ACREDIA processes your personal data in compliance with the applicable laws and regulations.

Processing for fulfilment of (pre-) contractual obligations

Personal data are processed for the conclusion and fulfilment of the insurance contract (point (b) of Article 6(1) GDPR), in particular for

  • assessment of the risk to be assumed by us
  • processing of requests and generation of offers
  • assessment of whether and under which conditions the insurance contract can be concluded or an amendment to the contract can be made
  • drawing up and renewing the contract
  • assessment, underwriting and monitoring of insurance sums
  • customer care
  • invoicing
  • claim processing and loss minimisation

Please see the respective contract documents and insurance terms and conditions for the specific details of the purpose of the data processing referred to here.

Processing for fulfilment of legal obligations

The processing of personal data may be necessary for fulfilment of legal obligations (point (c) of Article 6(1) GDPR), such as regulatory requirements and retention obligations under company law and tax law, for compliance with sanctions, for prevention of money laundering and financing of terrorism and pursuant to the Austrian Securities Supervision Act of 2018 (“WAG”), the Austrian Stock Exchange Act (“BörseG”) and the EU Market Abuse Regulation.

Processing for legitimate interests

Furthermore, in the case of overriding interests of ACREDIA or a third party, data processing may be conducted beyond fulfilment of the contract to safeguard our legitimate interests or the legitimate interests of third parties (point (f) of Article 6(1) GDPR) if necessary.

We or a third party have a legitimate interest in data processing in the following cases, for example:

  • obtaining credit reports to determine our risk
  • measures to secure receivables and minimise the risk of bad debt
  • balancing of risks assumed by us (reinsurance)
  • review and optimisation of methods for needs analysis and for direct customer contact
  • advertising or market research and opinion research if you have not objected to the use of your data
  • ensuring IT security and IT functionality
  • generation of statistics
  • measures to combat and prevent fraud, money laundering and terrorism and to ensure compliance with sanctions
  • prevention and investigation of crimes
  • measures for business management and enhancement of products and services

To assess our risk, we are entitled in particular to process information about the commercial activity, creditworthiness and solvency of companies as “data subjects”[1]. That information forms the basis for our credit decision, i.e. the decision on whether and how high an insurance sum is underwritten by us. We are permitted to process personal data of companies without their knowledge and consent if a legitimate interest in knowledge of the data can be demonstrated and there is no reason to assume that the company concerned has a legitimate interest in excluding the collection, storage or modification of said data. It constitutes a legitimate interest, for example, if said data are relevant to assessment of the risk that we are to assume for a policyholder, for example before conclusion of a contract between the policyholder and the company concerned for better assessment of its risk. If personal data are stored for our own purposes without the knowledge of the company concerned for the first time, Acredia Services GmbH will inform the company concerned by sending a formal letter headed “Information pursuant to Article 14 GDPR (EU General Data Protection Regulation)”.

Processing on the basis of your consent

We will obtain your consent if none of the aforementioned legal bases apply (point (a) of Article 6(1) GDPR). ACREDIA requires your consent for the following purposes in particular:

  • marketing purposes, such as sending our electronic newsletter and sending emails and messages through the online system
  • tracking of user behaviour on the “ACREDIA website”
  • sharing of any data disclosed by you for the purpose of risk assessment if you apply for conclusion of an insurance contract (for details, please see the “Acredia Services GmbH and members of the Euler Hermes Group” subsection under the “Who receives your data?” section)

If you have consented to the processing of your personal data, processing will only be conducted for the purpose specified in the declaration of consent and to the agreed extent. You may withdraw your consent at any time with effect for the future.

Who receives your data?

ACREDIA

Only those units and staff of ACREDIA will receive your personal data that require that information for fulfilment of contractual, statutory or regulatory obligations and for legitimate interests.

Processing by contracted service providers

In addition, we work together with selected external service providers. They will receive your personal data if those data are required for fulfilment of their task. Our processors include IT service providers in particular. All processors are contractually required to keep your personal data confidential and only to use them for provision of the respective service.

Acredia Services GmbH and members of the Euler Hermes Group 

If you apply for conclusion of an insurance contract, you consent to us sharing all data disclosed by you, as well as any data provided in the future, with Acredia Services GmbH, Himmelpfortgasse 29, 1010 Vienna, Austria, for the purpose of risk assessment and with Euler Hermes SA, 56 Avenue des Arts, 1000 Brussels, Belgium, for the purpose of risk assessment by companies belonging to the Euler Hermes Group (a list of companies belonging to the Euler Hermes Group (“Euler Hermes”) is available here). That consent to sharing of data is essential for conclusion and performance of the insurance contract.

Why do data need to be shared for performance of the contract? 

Acredia Services GmbH assesses and monitors creditworthiness and risks associated with companies that are customers of ACREDIA policyholders, for which ACREDIA underwrites insurance sums. The data are therefore processed for the purpose of risk assessment; that processing forms the basis for credit decisions made by ACREDIA, according to which insurance sums are underwritten.

The data are likewise shared with Euler Hermes for the purpose of risk assessment; the shared data form the basis for credit decisions by Euler Hermes with respect to its insurance contracts. 

Sharing of the data with Acredia Services GmbH and Euler Hermes is necessary for the operation of a central, group-wide information system for the coordinated, mutual exchange of information between ACREDIA, Acredia Services GmbH and Euler Hermes. That group-wide information system enables identification, monitoring and management of the insurance risks assumed by ACREDIA and Euler Hermes and is a prerequisite for providing insurance cover commensurate with the risks. The use of that group-wide information system is the necessary technical and commercial basis for making assessments and decisions in order for ACREDIA to provide policyholders with its products and services. 

The consent to sharing of data may be withdrawn by the data subject at any time. However, if consent is withdrawn, Acredia Services GmbH and Euler Hermes will no longer be able to perform the relevant creditworthiness and risk assessments. As a result, ACREDIA and Euler Hermes will not be able to reach any credit decisions concerning the company in question and will not be able to underwrite any insurance sums. The lawfulness of data processing prior to withdrawal of consent is unaffected.

Sharing of data with third parties

We will only share your personal data with third parties insofar as it is necessary for fulfilment of the contract, for legitimate interests, as required by regulatory or statutory provisions or on the basis of your consent. Recipients of your personal data may, for example, include reinsurers, insurance intermediaries, Acredia Services GmbH, companies belonging to the Euler Hermes Group, credit agencies, assignees, authorities and courts. Like the staff of ACREDIA, those recipients are required to comply with data protection.

Are your data transmitted to a third country?

If personal data are transmitted abroad, we will ensure compliance with the applicable laws and regulations. ACREDIA will only transmit your personal data to a third country outside the European Union (“EU”) or the European Economic Area (“EEA”) insofar as it is necessary for fulfilment of the contract, for legitimate interests, as required by regulatory or statutory provisions or on the basis of your consent. In addition, the European Commission must have established that said third country offers an adequate level of data protection, or other suitable and appropriate safeguards (e.g. EU standard contractual clauses) must be implemented to ensure the transmission of your data to the respective third country is in compliance with data protection law.

Examples of the processing of personal data outside the European Economic Area:

  • transmission of personal data to our reinsurer in Switzerland
  • measures to collect outstanding receivables from debtor companies that have their registered office outside the European Economic Area
  • data processing for the purpose of risk assessment by companies belonging to the Euler Hermes Group that have their registered office outside the EEA

How long will we retain your data for?

ACREDIA will process your personal data insofar as they are required and for the duration necessary for the purposes for which they were collected (e.g. for the duration of the business relationship, from steps prior to entering into the contract and performance of the contract through to termination of the insurance contract). In addition, we will process your personal data in accordance with the statutory retention and documentation obligations and for as long as required for the establishment, clarification and defence of legal claims.

The statutory retention and documentation obligations are based, for example, on the Austrian Company Code (“UGB”), the Austrian Federal Fiscal Code (“BAO”), the Austrian Insurance Supervision Act (“VAG2016”) and the Austrian Financial Market Anti-Money Laundering Act (“FM-GWG”). In addition, ACREDIA takes into account the statutory limitation periods of between three and thirty years.

What rights do you have?

You may obtain information at any time about the stored personal data concerning yourself, as well as information about the purpose of the processing and its legal basis, the data categories, the recipients, the duration of storage and the source of the personal data concerning yourself that are processed by us.

If your data are not (or no longer) correct, you may obtain rectification of the data. If your data are incomplete, you may obtain their completion. Furthermore, you have the right to erasure of unlawfully processed data. Please note that this only applies to incorrect, incomplete or unlawfully processed personal data. If it is unclear whether the processed data are incorrect or incomplete or are unlawfully processed, you may obtain restriction of the processing of your data until final resolution of that question. Please note that you can only obtain either rectification/completion of your data or their erasure.

Even if your personal data are correct and complete and are lawfully processed by us, you have the right to obtain erasure of the data in specific cases duly justified by you. Furthermore, you may withdraw your consent to processing of your personal data with effect for the future if your consent is the legal basis for the data processing.

You may receive the personal data that you have provided to us in a structured, commonly used and machine-readable format or require that we transmit those data to another controller.

If your personal data are processed to protect our legitimate interests or the legitimate interests of third parties, you have the right to object, on grounds relating to your particular situation, at any time to the processing of these data. We will then no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or for the establishment, exercise or defence of legal claims.

You may exercise any of the relevant rights (Articles 15 to 21 GDPR) by sending a letter to the “Datenschutzbeauftragter” (Data Protection Officer) at Acredia Versicherung AG, Himmelpfortgasse 29, 1010 Vienna, Austria. The letter must be personally signed and/or bear the authorised signature of the company. As proof of your identity, we require a copy of your personal ID document/passport and/or an extract from the commercial register. You may also send a scanned copy of those documents by email to datenschutz@acredia.at.

Thank you for your understanding that in case of doubt we will require further details concerning your identity. That protects you by ensuring that only authorised persons have access to your data. We regret that we must therefore reject any requests for information without proof of identity and cannot provide information by telephone.

We will inform you accordingly about the relevant measures without undue delay and by no later than within a month of receipt of your request.

Are you obliged to provide data?

By default, our contracts state that, in the scope of the business relationship, you will provide us with the data that are necessary for entering into and performing the business relationship or that ACREDIA is required to collect pursuant to statutory or regulatory provisions.

If you do not provide the required data to us, we will have to decline conclusion of the contract or performance of the relevant service or will be unable to perform an existing contract and will therefore have to terminate the contract. Please note that the above would not be deemed contractual non-fulfilment on our part.

You are not obliged to provide us with data that are not needed for fulfilment of the contract or for our legitimate interests or the legitimate interests of third parties and that are not required by statutory or regulatory provisions.

If we process your data on the basis of your consent, you may withdraw that consent at any time, with the result that we will stop processing your data for the purposes stated in the declaration of consent following receipt of the withdrawal of consent.

Is automated decision-making (including profiling) conducted?

As a credit insurer, ACREDIA’s main task is to protect its policyholders against bad debt of their customers. To perform our credit assessments faster and more efficiently, we use automated data processing methods to assess the creditworthiness of our policyholders and their customers and in some cases generate automated credit decisions, including the processing of data using profiling (Article 22 GDPR).

We check the creditworthiness of companies on the basis of information they have provided themselves (self-disclosure about their economic and financial position), taking into account other information such as commercial register data, balance sheet data, payment record, affiliated companies, data for collection of receivables, media monitoring, insolvency information and credit reports.

We calculate a rating. The likelihood of a company fulfilling its payment obligations is calculated. The automatically generated results of the calculation are based on appropriate, recognised mathematical/statistical methods and are supplemented by the know-how of the ACREDIA experts. The ACREDIA experts have the authority to modify automatically generated decisions.

In some cases, we also use automated data processing methods to determine our obligation to make claim payments.

If we use such a method in your case, we will notify you if required by law. You have the right to require a personal review of the automated individual decision. If you have any objections to automated decision-making, please make use of our contact details to inform us of your objections.

How do we protect your data?

We take the security of your data in our systems very seriously. We have taken suitable technical and organisational measures to secure our data processing, in particular for the protection of your personal data. We protect your data against unauthorised or unlawful processing, accidental loss, accidental destruction or accidental damage. The measures taken by us include, for example, the use of modern security software and encryption methods, physical access controls and precautions to prevent external and internal attacks. In addition, all staff of ACREDIA, processors and third parties that we share your data with are required to keep confidential all customer information and facts that come to their knowledge solely on the basis of their work.

Is it possible to lodge a complaint?

If you have any complaints, questions or comments, please do not hesitate to contact our data protection staff.

In addition, you may lodge a complaint with the Austrian Data Protection Authority if you believe that the processing of your personal data is unlawful:

Austrian Data Protection Authority
Wickenburggasse 8
1080 Vienna, Austria
Telephone: +43 (0)1 52152-0
Email: dsb@dsb.gv.at
www.dsb.gv.at

Will this Privacy Policy be updated?

ACREDIA will review and update this Privacy Policy on an ongoing basis, especially in the event of any technical or legal changes or in connection with offering new products or services. We therefore kindly request that you peruse this information regularly.

Version dated March 2019

[1] For details, please see the explanation in the “What are personal data?” chapter and other key data protection terms under “What are personal data and who is a data subject?”.