A. Preliminary remarks

The operator takes the protection of your data seriously and complies with the laws on data protection, which serve to protect natural persons when processing personal data. Personal data is any information relating to an identified or identifiable natural person. Such data will only be processed to the extent necessary for the performance of the contract or for the provision and improvement of the platform and will only be processed to the extent that this is stated below, specified in a separate consent, ordered by an authority or court or otherwise provided for by law. the data will generally be processed by the operator in the member states of the European Union (EU) or the European Economic Area (EEA). In particular, the internet servers used by the operator for data processing are located in the member states of the EU. Your data may be transferred to technical service providers who process the data on behalf of the operator (hosting/support). Such processors process the data on the instructions of the operator and are also obliged to protect data. Data will only be transferred to a third country or an international organization if this is stated below, in a consent or otherwise separately.

B.Data processing

Your data can be processed form-dependent and form-independent.form-dependent is the data that you enter in a form on the platform.form-independent is the data that you leave on the operator’s servers when you visit the platform, even without entering it in a form.

I.Form-dependent
processingThe data that you enter in a form on the platform will be processed when the form is used, namely after the form has been sent. In particular, this may involve data for contacting the operator. Personal data that you send via a form provided for this purpose is transmitted to the operator’s servers in encrypted form.

1. contact
If you contact the operator via a form, the data you enter in the contact form will be transmitted to the operator in encrypted form. The data transmitted about you will only be used to process your request, including any follow-up questions. A reply will always be sent by email, which will also be encrypted if your email service provider supports this. The same applies if you contact the operator by email to an address provided on the platform instead of using a contact form. After final processing of your request, including the associated activities, your personal data that you have provided in the contact form or in an e-mail to the operator will be deleted. This does not apply as long as the data is still required for the execution of the contract, including the assertion, exercise or defense of legal claims (until such claims become time-barred, i.e. a maximum of four years) or if there are statutory retention obligations (tax and commercial law retention obligations, i.e. a maximum of ten years). As far as possible, however, further processing of the data will be restricted until then.

The operator may use Salesforce (Salesforce.com Germany GmbH /salesforce.com, Inc.) as a technical service provider and processor to process an inquiry that you submit as a (potential) debt collection client via the corresponding contact form or email address. The purpose of using Salesforce is to be able to process your request more quickly and in a more interest-oriented manner. In this context, the data provided may be transmitted to Salesforce in the USA, whereby the operator takes appropriate measures for data protection during data transmission (standard data protection clauses and certification of Salesforce under the Privacy Shield / TRUSTe Privacy Seal). Further information in connection with data protection at Salesforce, including Salesforce’s contact details, can be found at https://www.salesforce.com/de/company/privacy/

2.debtor portal
If you have received a request for payment from the operator in connection with a debt collection mandate, you can access a debtor portal via the platform. Access is encrypted using the access data provided to you in the payment request. You can use the debtor portal to view the current status of the debt collection process, update your data, initiate payments and request an installment payment or deferral of the debt. You can find out which data you need to enter in the relevant form in the debtor portal. Use of the debtor portal is voluntary. Instead of using the debtor portal, you can of course also contact the operator using the contact form, by e-mail, telephone, fax or post. Data that you transmit via the forms in the debtor portal will be stored for the respective debt collection process. The data relating to a debt collection process will be stored for as long as is necessary for the recovery of the claim, including the assertion, exercise or defense of legal claims (in principle for a maximum of 4 years from the completion of the debt collection process). The data will then be deleted. As long as statutory retention obligations prevent deletion (until the expiry of the retention obligations under tax and commercial law, i.e. a maximum of ten years), further processing of the data will be restricted.

3. miscellaneous
Data that you enter in other forms is transmitted to the operator’s servers, in particular search forms. Such data is only processed for the search and is no longer stored. The forms do not provide any personal data. You should therefore not enter such data.

II. form-independent processing
The data that the operator requires for the provision or improvement of the platform is processed independently of the form. In particular, this may involve cookies and statistical data. The data is always transmitted in encrypted form.

1.log files
In order to ensure the security and functionality of the platform (e.g. defense against attacks), an access log (log file) is created on the operator’s servers. Data about access to the platform is stored in the log file. This is the data that is transmitted to the server when your browser establishes a connection. This includes your IP address, the time of access, which address (URL) was accessed, whether the access was successful and the size of the data transmitted by the server. If your browser transmits the respective data, the previous address (referrer) and information about your operating system and browser (e.g. version) are also stored; you can prevent the transmission of this data via your browser settings if necessary. The log files are deleted at regular intervals and no later than two weeks after the data is collected. Prior to this, the log files can be statistically analyzed. The logged data is stored separately from other data that you leave on the platform and is not merged with it. The statistical analysis of the log files does not allow your person to be identified.

2. cookies
The platform may use so-called cookies. These are small text files or simple entries in a database that your browser stores. The data in the cookies can only be read again by the platform that stored them. Cookies are used to make websites more user-friendly and secure. If the cookies contain data relevant to security, the platform always uses so-called session cookies, for example to ensure that no other user can access the data you have entered in a form or stored in the debtor portal.session cookies are deleted at the end of each visit to the platform, for example when you close your browser. Other cookies are deleted no later than two months after the last use of the platform. Only pseudonymous identifiers and no other personal data are stored in the cookies. The cookies used by the platform do not cause any damage to your end device (e.g. computer / tablet), in particular they do not contain any viruses. You can prevent the storage of cookies by selecting the appropriate settings in your browser; in this case, however, you may no longer be able to use all the functions of the platform to their full extent. The same applies to the deletion of stored cookies.

C. Legal bases

The legal provisions for data protection can be found in particular in the European General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG) If you have given your consent to the processing of your data, this is also the legal basis for data processing for the purposes to which you have consented (Art. 6(1)(a) GDPR). If the processing is necessary for the initiation or fulfillment of a contract (contract execution), this forms the legal basis (Art. 6 para. 1 letter b GDPR). In particular, this may involve the initiation of contracts with you as a debt collection client or the fulfillment of contracts that you have concluded with a debt collection client. Otherwise, the legal basis for data processing is the protection of the legitimate interests of the operator or the debt collection client (Art. 6 (f) GDPR), which may be the economic interest of the operator in the operation of the platform or the economic interest of the debt collection client in the collection of receivables. If the operator uses a processor, the legal basis is the contract on order processing between the operator and the service provider in accordance with Art. 28 GDPR in conjunction with the legal basis that otherwise applies to the processing of the data. The operator does not carry out automated decision-making including profiling within the meaning of Art. 22 GDPR.

D. Your rights

If you are affected by the processing of your personal data, you have rights vis-à-vis the data controller in accordance with data protection regulations. You can contact the operator at any time to assert these rights, e.g. by e-mail to the address given in the legal notice. The same applies to any questions regarding data protection by the operator. You can contact the operator’s data protection officer by email at: privacy@1159finance.com

Right of withdrawal: In accordance with Art. 7 (3) GDPR, you have the right to withdraw your consent to data processing at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.

Right to object: In accordance with Art. 21 GDPR, you have the right to object at any time to the processing of personal data concerning you. This also applies in particular to an objection to processing for the purpose of direct marketing.

Right to lodge a complaint: In accordance with Art. 77 GDPR, you have the right to lodge a complaint with a supervisory authority if you believe that the processing of your personal data violates the statutory provisions. The State Commissioner for Data Protection and Freedom of Information of North Rhine-Westphalia (LDI) is responsible at the operator’s registered office. The contact details can be found on the LDI website at https://www.ldi.nrw.de. Your right to lodge a complaint with another supervisory authority remains unaffected, and the right to lodge a complaint is without prejudice to any other legal remedies.

Right to information: In accordance with Art. 15 GDPR, you have the right to request information from the operator. In addition to further information, most of which you can already find in this declaration, the right to information includes in particular the right to a copy of your personal data that is the subject of processing. The restrictions under Section 34 BDSG also apply to the right to information.

Right to rectification: In accordance with Art. 16 GDPR, you have the right to obtain from the operator without undue delay the rectification of inaccurate personal data concerning you; taking into account the purposes of the processing, you also have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

Right to erasure: In accordance with Art. 17 GDPR, you have the right to obtain from the operator the erasure of personal data concerning you. If the data does not have to be erased, you may request that further processing be restricted; in addition, the restrictions under Section 35 BDSG apply to the right to erasure. The right to erasure includes the so-called right to be forgotten.

Right to blocking: In accordance with Art. 18 GDPR, you have the right to request the operator to restrict the processing of your personal data. Thereafter, the data – apart from storage – may no longer be processed.

Right to data portability: In accordance with Art. 20 GDPR, you have the right to the portability of personal data concerning you that you have provided to the operator. Your right to erasure remains unaffected.

Right to notification: In accordance with Art. 19 GDPR, the operator shall notify all recipients to whom your personal data has been disclosed of any rectification or erasure of this data or restriction of processing, unless this proves impossible or involves a disproportionate effort. The operator will inform you of such recipients if you so request.

E. Protective measures

Taking into account the nature, scope, circumstances and purposes of the processing and the varying likelihood and severity of the risks to your rights and freedoms, the operator shall implement appropriate technical and organizational measures to ensure that the data processing is carried out in accordance with the statutory provisions, taking into account the state of the art and including, in particular, encryption of your data. In addition, your data is organizationally separated from other data. The equipment and systems on which the data is processed are protected against unauthorized access, both physically and digitally. By regularly testing and updating the software used, the operator prevents security gaps that could allow your data to be misused. Only those persons subordinate to the operator who require access to personal data in order to fulfill their duties are granted access to personal data, and only to the extent necessary in each case. The operator’s employees are instructed in advance on data processing and are obliged to maintain confidentiality, and the data is protected against loss by regular backups and can be restored at any time. The default settings of the systems ensure that only personal data whose processing is necessary for the respective processing purpose is processed. This ensures that data protection principles such as data minimization are implemented. In addition, the operator ensures the confidentiality, integrity, availability and resilience of the systems through technical and organizational measures. Compliance with data protection regulations is checked regularly and the measures are updated if necessary. On request, the operator can provide you with a more detailed description of the measures.