Creditsafe Nederland B.V.

This document describes how Creditsafe, uses and shares personal data we receive about your business.

Understanding what personal data we hold and how we use it is important as the data protection law governs the way this data can be used and what rights you have.

This document answers the following questions:

1. Who is the responsible Controller for the Data? Who can I turn to?
2. Which categories of Data does Creditsafe process for which purposes?
3. Where does the data originate from? 
4. What is the legal basis for processing the data?
5. Who do we share your data with? Where is personal data stored?
6. Is data transferred to a recipient outside the European Union or the European Economic Area (i.e. a so-called third country) or an international organization?
7. How long does Creditsafe keep the data?
8. What are my rights as a Data Subject? Where can I raise a complaint?
9. Do I have an obligation to share or update data?
10. Is there any automated decision-making?
11. Is my data used for Profiling and/or Scoring?

Name and address of Data Controller:

Creditsafe Nederland B.V.

Jan Pieterszoon Coenstraat 10

2595 WP Den Haag

E-mail: customerservice@creditsafe.nl

Website: www.creditsafe.com/nl/nl.html

Telephone: +31(0)70-38 44 600

You can reach our Data Protection Officer as follows:

Jan Pieterszoon Coenstraat 10

2595 WP Den Haag

E-mail: customerservice@creditsafe.nl

Website: www.creditsafe.com/nl/nl.html

Telephone: +31(0)70-38 44 600

We save and process personally identifiable information to provide our clients with information about the financial situation and creditworthiness of natural and legal persons as well as to verify whether they can be reached under the addresses they have provided.

Information is only provided if the respective contracting party has substantiated a legitimate interest in obtaining the information (for example, in the course of an envisaged business transaction which entails the granting of credit or for which there is a risk of default) and provided that there is no outweighing interest of the individual. The aim of a creditworthiness check is not only to avoid losses in the (trade) credit business but also to protect borrowers from over-indebtedness. In addition, the data is also used for risk control, due diligence, identity verification, prevention of money laundering and fraud or for customer account management, customer service or direct marketing.

We process the following categories of personal data:

• Data on Individuals for example: name, given name, date of birth, place of birth, residential address, previous addresses, business address, business email-addresses and phone/fax numbers
• Information on debts, payment behavior and settlement of claims
• Creditworthiness and financial information, entries in the register of defaulting debtors, information on insolvency proceedings and other hard negative criteria as well as credit scores.

Special categories of personal data in the sense of the Art 9 GDPR (e.g. nationality, ethnic origin, health data or data on political or religious attitudes) are neither stored nor taken into account in the calculation of credit scores. Also, the assertion of data subjects’ rights according to the GDPR has no influence on the credit scores.

The data comes from public sources such as the commercial register, insolvency publications and the register on defaulting debtors, which is kept at central enforcement courts and also from contractual business partners of Creditsafe. Information on payment behavior and special payment agreements is provided by business partners of Creditsafe, such as other credit rating agencies and client companies that provide us with trade payment information. In addition, verifiable information you as the data subject decide to provide can be used to update your credit reference information.

We purchase data on the creditworthiness of natural persons from Call Credit Limited.

The legal basis for the processing of personal data is Art. 6 (1) (f) GDPR, which permits processing for the protection of the legitimate interests of the controller or third parties. In particular, such a legitimate interest exists in the case of assessing the default risk in a business relationship, to reduce the risk of fraud, so that companies know their trading partners and to meet regulatory obligations.

For the processing of personal data of our clients, or prospective clients, the legal basis is Article 6 (1) (b) where the processing is necessary for the performance of a contract.

In addition, personal data is also processed by us for the fulfillment of legal documentation obligations under the GDPR. 

Recipients of the personal data are contractual partners of Creditsafe, which assess the creditworthiness of the potential customers before establishing a business relationship with default risk.

In addition, we also transfer personal data to third parties which process the data on our behalf as a service providers bound by contracts pursuant to data protection law.

Finally, personal data is also transmitted to members of the Creditsafe Group of companies and other credit reporting agencies.

We also transfer personal data for marketing purposes to third parties, as long as you have not objected against the processing of your data for marketing purposes.

Personal data is stored on Creditsafe servers in the UK, or in our Cloud provider servers in the EU. 

Where personal data is provided to contractors or group companies outside the European Union or the European Economic Area, i.e. to so-called third countries, this takes place taking into account the requirements of the GDPR to recipients in countries with adequate data protection levels (Art. 45 GDPR) or to those recipients with whom EU standard contractual clauses have been concluded (Art. 46 (2) (c) GDPR).

We store personal data only for as long as necessary to achieve the purposes described above.  In line with the data retention policies of national registries, we retain information about companies for 20 years after their dissolution, unless there is a business justification for continued use. We may hold data in an archived form for research and development, analytics and analysis, for audit purposes, and as appropriate for establishment, exercise or defence or legal claims. The criteria used to determine the storage period will include the legal limitation of liability period, agreed contractual provisions, applicable regulatory requirements and industry standards.

According to Art. 15 GDPR you have the right to obtain information regarding all data we stored about you.

In the event that you discover outdated or incorrect information about yourself, you have the right in accordance with Art. 16 GDPR to have it updated and corrected by us at any time. However, if the information has come from an external source, e.g. public records we may refer you to the source to have the data rectified.

Furthermore, in accordance with Art. 17 GDPR, you may also have the right to have your personal data deleted provided that we have no right or authority to further process the data.

Under the conditions set out in Art. 18 GDPR, you have the right to restrict processing of your personal data.

In accordance with Article 20 GDPR, you have the right to request that you obtain the information you provided to us in a structured, common and machine-readable format, or that this information should be transmitted to another third party.

You are entitled to the right of objection pursuant to Art. 21 GDPR. This right gives you have the right to object, on grounds relating to your particular situation, at any time to processing of your personal data. If you object we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms (e.g. to assert or defend ourselves against legal claims)

Please direct any inquiries about your rights as a data subject to the contact address mentioned in point 1.

In addition, you can contact our supervisory authority, the Autoriteit Persoonsgegevens, Bezuidenhoutseweg 30, 2594 AV DEN HAAG.

You do not have to provide any data when we ask you. However, if you do not provide any information, your information will not be taken into account when determining scores.

In principle, we do not make any automated decisions within the meaning of Art. 22 GDPR on the conclusion of a legal transaction or its terms (such as offered payment methods, payment conditions or interest), but support our contractual partners only with information to assist in the relevant decision making. The risk assessment and assessment of the creditworthiness of a person or a company for a particular transaction is carried out solely by the contractual partners of Creditsafe.

The information provided by us often includes so-called creditworthiness assessments (scores), which uses information and assessments from the past to generate a forecast of solvency and payment default probabilities. The scoring is based on the information we have on file for the respective person or entity. On the basis of this data, address-related information, for companies additionally industry information mathematical-statistical calculations (in particular logistic regression methods) are applied to assign the person or entity to groups of people or groups of companies that had similar characteristics in the past.

The following categories of data are used for the scoring, whereby not every type of data is included in each calculation: data on the size, industry affiliation and age of a company as well as number of employees, payment behaviour and defaulting payments, debtor registrations and information on insolvency proceedings, balance sheet data, corporate links, contingent liabilities, age, address-related data (publicity of address and name at the address), address data (information on non-conforming payment behaviour in the address environment), information from contractual partners of Creditsafe.