Data Privacy

Status: 11.02.2022

1. Privacy policy for the credi2 website

Insofar as personal data are processed on the website of credi2, Credi2 GmbH, Mariahilfer Straße 41-43/B6, A-1060 Vienna is responsible for the processing.

Credi2 processes personal data exclusively within the framework of the legal requirements of the General Data Protection Regulation (GDPR), the Data Protection Act (DSG), the data protection regulations of the Telecommunications Act (TKG 2021) and other relevant laws and regulations as amended from time to time.

1.1 Visiting our website – provision of content

Visiting the website www.credi2.com is generally possible without providing personal data. We only store technical access data without personal reference.

When you access our website, the browser used on your end device sends certain information to the server of our website for technical reasons, for example your IP address. We process this information to provide you with the website content that you have accessed. To ensure the security of the IT infrastructure used to provide the website, this information is also temporarily stored in a so-called web server log file.

For this purpose, we process so-called HTTP data, which are technically generated when the website is opened via the Hypertext Transfer Protocol (Secure) (HTTP(S)). This includes the IP address, type and version of your Internet browser, the operating system used, the page accessed, the previously visited page (referrer URL), date and time of access.

The legal basis of the processing is our legitimate interest (Article 6 para 1 lit f GDPR). Our legitimate interest is the provision of the content of the website accessed by you.

The data is stored in server log files in a form that allows the identification of the data subjects for a maximum period of 7 days, unless a security-relevant event occurs (e.g. a DDoS attack). In the event of a security-relevant event, server log files are stored until the elimination and complete clarification of the security-relevant event.

2. Use of cookies

Within the framework of the web presence of credi2, so-called cookies are used to make the visit to our website as attractive as possible, to enable the use of certain functions and to increase user-friendliness. Cookies are small files that are stored by the website on your hard drive and allow the recognition of the Internet browser.

We only use cookies,

  • if you have consented to this, or
  • if the cookie is set for the sole purpose of transmitting a message over an electronic communications network, or
  • if the setting of the cookie is absolutely necessary so that a service expressly requested by you can be made available.

2.1 Cookie settings

Insofar as the use of certain cookies and comparable technologies requires the consent of the user, we will only use such cookies if you have previously given your consent to this. When you call up our website, we display a so-called “cookie dashboard” for this purpose, in which you can declare your consent to the use of cookies and comparable technologies on this website by pressing a button.

This “Cookie Dashboard” is always accessible to you via the “Cookie Settings” in the footer area of the website. By pressing the button provided for this purpose, you have the option of consenting to the use of the cookies and comparable technologies described in detail in the “Cookie Dashboard”. Alternatively, you have the option to make an individual selection of cookies and comparable technologies.

In the “cookie dashboard” of this website, you also have the option to individually adjust or revoke the selection you have made at a later time. We store your consent and, if applicable, your individual selection of cookies and comparable technologies in the form of a separate cookie (“opt-in cookie”) on your terminal device in order to be able to determine whether you have already given your consent when you call up the website again.

For the integration of the “Cookie Dashboard” we use OneTrust LLC, 1200 Abernathy Rd. Nem Bkdg, 600, Atlanta, Georgia 30328, USA. The agreement with OneTrust ensures that the data in connection with the configuration of the “Cookie Dashboard” and the “Opt-In Cookie” are stored exclusively on servers in Germany and are not transferred to the USA. All data in connection with the configuration of the “cookie dashboard” and the “opt-in cookie” will be stored for a period of 3 years from your first visit to our website or the change of your selection or configuration in the “cookie dashboard” and then deleted.

Essential cookies cannot be disabled via the cookie management function of this website. However, you can generally disable these cookies in your browser at any time.

The legal basis of the processing for the “Opt-In Cookie” as well as for absolutely necessary cookies is § 165 para 3 TKG 2021 or Article 5 para 3 of the DIRECTIVE 2002/58/EC as well as our legitimate interest (Article 6 para 1 lit f GDPR).

Our legitimate interest is to provide you with the content you have accessed on the website and to manage the cookie consents you have given to this website.

For all other cookies, the legal basis of the processing is your consent (Article 6 (1) (a) GDPR). You can revoke your consent at any time without affecting the lawfulness of the processing carried out on the basis of the consent until the revocation.

2.2 Cookies from credi2 (“First Party Cookies”)

We use so-called “session cookies”, which are required in particular to assign the entries you make on our website to you for the entire duration of the use of our website. These cookies are automatically deleted from your hard drive after the end of the use of our website (end of the session).

In addition, we use so-called “persistent cookies” (permanent cookies), which can remain on your hard drive for a longer period of time, from one hour to a maximum of 90 days, and which serve to automatically recognize you on a subsequent visit. These cookies are stored on your hard drive and delete themselves after the specified time, i.e. after a maximum of 90 days from your visit to the website.

Our cookies do not collect personal information that can directly identify you, so your privacy is protected.

2.3 Cookies from other providers (“Third Party Cookies”)

Cookies are also used by some contractual partners (so-called “third-party cookies”). Through the use of cookies, credi2 receives information about which information on the credi2 website interests the respective user. These cookies are stored by the respective contractual partner on the hard disk of the user’s computer and delete themselves after a certain period of time (see below in detail). From the point of view of credi2, the use is anonymous. A conclusion on the identity of the user is not drawn.

We use cookies from the following service providers for the following services:

2.3.1 Google Analytics

We use Google Analytics for ongoing quality control and improvement of our offer.

The credi2 website uses Google Analytics, a web analytics service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (“Google”). Google Analytics uses cookies as described above in the sense of point 2.3. Processing through the setting of cookies and the subsequent processing for the analysis of website use by users (see below in more detail) only takes place after you have given your express consent. The information generated by the cookie about the use of the website will be transmitted to and stored by Google on servers in the United States.

When giving your consent, you will be clearly informed that with your active consent your personal data described in more detail below may be transferred to the USA and you will be informed about the corresponding risks, that government authorities may have access to your data, that you cannot enforce your data subject rights and that therefore the level of protection and your rights with regard to your data are not comparable to those in the EU. Accordingly, the data transfer to the USA is permissible pursuant to Article 49 (1) lit a GDPR. If you do not give your active consent to the data transfer to the USA, no data will be transferred.

We would also like to point out that on this website Google Analytics has been extended by the code “gat._anonymizeIp();” in order to ensure anonymous collection of IP addresses (so-called IP masking) by Google Analytics. This means that your IP address is shortened beforehand by Google within member states of the European Union or in other contracting states of the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and shortened there.

On behalf of credi2, Google will use this information on the basis of your consent and thus in accordance with Article 6 para 1 lit a GDPR to evaluate the use of the website, to compile reports on website activity and to provide other services related to website and internet use to credi2. The storage period of the cookies set in the context of the use of Google Analytics is generally 38 months, unless you revoke your consent before then. The IP address of the user transmitted within the scope of Google Analytics will not be merged with other Google data.

Credi2 also uses Google Analytics to evaluate data from Google Ads for statistical purposes. If you do not want this, you can deactivate this via the Display Preferences Manager.

The user can also prevent the data generated by the cookie and related to the use of the website (including the IP address) from being collected and processed by Google, without prejudice to the consent given, by downloading and installing the appropriate browser plugin.

You can find more information on the terms of use and data protection of Google Analytics at https://marketingplatform.google.com/about/analytics/terms/de/ and https://policies.google.com/technologies/partner-sites

2.3.2 Use of Google Remarketing

Depending on your consent, we also use the remarketing function of Google.

With remarketing, Google sets cookies in your browser to deliver free product listings. We use this function to serve interest-based, personalised advertising on third-party websites that also participate in Google’s advertising network. The legal basis is Article 6 para 1 lit a GDPR. This option is limited to a maximum of 18 months, unless you revoke your consent before then.

For more information, please see Google’s privacy policy (https://policies.google.com/technologies/partner-sites). You can prevent interest-based advertising via the following link https://adssettings.google.com/authenticated or alternatively via https://optout.networkadvertising.org/?c=1 or manage the use of device identifiers via the device settings.

To permanently deactivate this function, Google also offers a browser plug-in for the most common internet browsers via https://www.google.com/settings/ads/plugin.

2.3.3 LinkedIn Insight Tag

We use so-called conversion tracking with the LinkedIn Insight Tag, a tool of LinkedIn Ireland, Wilton Place, Dublin 2, Ireland, on our website. For this purpose, the LinkedIn Insight Tag is integrated on our pages and a cookie is set on your end device by LinkedIn. In this way, LinkedIn is informed that you have visited our web pages. Processing only takes place after you have given your consent (Art 6 para 1 lit a GDPR). The information generated by the cookie about the use of our website is usually transmitted to a server in the USA and stored there.

When giving your consent, you will be clearly informed that with your active consent your personal data (see below in more detail) may be transferred to the USA and you will be informed about the corresponding risks, that government authorities may have access to your data, that you cannot enforce your data subject rights and that therefore the level of protection and your rights with regard to your data are not comparable to those in the EU. Accordingly, the data transfer to the USA is permissible pursuant to Article 49 (1) lit a GDPR. If you do not give your active consent to the data transfer to the USA, no data will be transferred.

The LinkedIn Insight tag allows us to collect data about visits to our website, including URL, referrer URL, IP address, device and browser properties (user agent), and timestamp. IP addresses are shortened or (if used to reach members across devices) hashed. Your direct identifier is removed within seven days to pseudonymize the data, unless you withdraw your consent before then. This remaining pseudonymized data is then deleted within 180 days.

We do not receive personally identifiable information from LinkedIn, only reports and communications (which do not identify you) about website audience and ad performance. LinkedIn also provides retargeting for website visitors, so we can use this data to display targeted ads outside of the website without identifying you. LinkedIn also uses data to improve the relevance of ads and reach members across devices. LinkedIn members can also control the use of their personal data for advertising purposes in their account settings on LinkedIn.

3. Facebook Fanpage

For the processing of personal data in connection with our Facebook Fanpage, there is a joint responsibility pursuant to Art 26 GDPR between Credi2 GmbH and Facebook Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (“Facebook”). Through the so-called “Page Controller Addendum”, the necessary agreement regarding this data processing was concluded. You can find the entire addendum here.

Additionally, you can find Facebook’s privacy policy here.

We use our Facebook Fanpage to inform about us and our products or services and, of course, to contact and communicate with users as well as in the context of contract initiation and customer care and support (e.g. via “Reviews”).

In addition, Facebook provides us with various statistical analyses (so-called “Page Insights”) in anonymous form in order to better adapt our offers to your interests (see the types of data in the following table). Page Insights are aggregated data in the form of statistics that help us understand how visitors and users interact with our Facebook Page. These statistics are generated and provided by Facebook. As the operator of this Facebook page, we have no influence on the generation and presentation of these statistics. We cannot turn off this function or prevent the generation and processing of the data. We use the statistical evaluations, such as the distribution by age and gender, for an adapted approach and the preferred visiting times of the users for a time-optimized planning of our posts.

Our legal basis for processing in joint responsibility with Facebook is our legitimate interest (Art 6 para 1 lit f GDPR) in the processing of data for analysis and marketing purposes described above, as well as in the information and interaction opportunities with Facebook users. With regard to the processing purposes of contract initiation, customer care and customer support, our legal basis is the implementation of pre-contractual measures or the fulfilment of existing contracts for our services and products in accordance with Article 6 para 1 lit b GDPR.

Data Categories:

| No. | Affected parties | Data types | Storage / Deletion | Receiver / Source |
|---|---|---|---|---|
| 1 | People who use Facebook and visit the fan page | Statistical data (anonymized) of different categories such as total number of page views, post interactions, video views, post reach, comments, shared content, responses, share of men and women, origin related to country and city, language, views and clicks in the shop, clicks on route planners as well as clicks on phone numbers. | Until the deletion of the user’s Facebook account; log entries after 6 months. | Facebook |
| 2 | People who have liked or subscribed to the fan page | Statistical data (anonymized) of different categories such as total number of page views, “Like” comments, subscribed information, page activities, post interactions, video views, post reach, comments, shared content, responses, share of men and women, origin related to country and city, language, calls and clicks in the shop, clicks on route planners and clicks on phone numbers. | Until the deletion of the user’s Facebook account; log entries after 6 months. | Facebook |

The data will only be stored by us as long as it is necessary for the achievement of the respective purpose or within the framework of legal retention periods.

To exercise your data subject rights in connection with shared responsibility for our Facebook Fan Page, please see either Facebook Policy or Facebook Insight Terms for more information.

As only Facebook has full access to user data, we recommend that you contact Facebook Ireland Ltd. directly if you wish to make information requests or ask other questions about your data subject rights (e.g. right to erasure, rectification or data portability). If you need assistance with this or have any other questions, please feel free to contact us at the email address datenschutz@credi2.com.

If you no longer wish to have the data processing described here in the future, please cancel the connection of your user profile to our Facebook page by clicking on “I no longer like this page” and/or “Do not subscribe to this page”.

Facebook Ireland, pursuant to the “Shared Responsibility Agreement” (see here: www.facebook.com/legal/terms/page_controller_addendum), agrees to assume primary responsibility under the GDPR for the processing of Insights Data and to comply with all obligations under the GDPR with respect to the processing of Insights Data (including, without limitation, Articles 12, 13 GDPR, Articles 15 to 22 GDPR and Articles 32 to 34 GDPR).

If you are of the opinion that the processing of your personal data violates data protection law or that your data protection rights have been violated in any other way, you have the right to complain to the supervisory authority (see point 8 of this privacy policy).

If we are contacted by a data subject or a supervisory authority under the GDPR regarding the processing of Insights Data and Facebook’s obligations under this “Shared Responsibility Agreement”, we are contractually obliged to provide Facebook with all relevant information without undue delay, but no later than within 7 calendar days. Facebook will respond to data subject requests in accordance with Facebook’s obligations under this “Shared Responsibility Agreement”.

4. LinkedIn

For the processing of personal data in connection with our LinkedIn company page, there is an independent responsibility in the sense of Art. 4 No. 7 GDPR of Credi2 GmbH and the LinkedIn Corporation (“LinkedIn”). Further information on the processing of personal data when using LinkedIn can be found here.

Additionally, you can find LinkedIn’s privacy policy here.

We use our LinkedIn company page to inform about us and our job postings and to get in touch with applicants. Furthermore, we use it to inform about us and our products or services and to contact and communicate with users. In addition, LinkedIn provides us with various statistical analyses in anonymous form in order to better adapt our website to your interests. Credi2 job postings are published via our LinkedIn company page.

Our legal basis for the use of the LinkedIn company page is our legitimate interest (Art 6 para 1 lit f GDPR).

In the course of an application procedure, the application documents sent by you are processed (in accordance with Art 6 Para 1 lit b GDPR).

Data Categories:

| No. | Affected parties | Data types | Storage / Deletion | Receiver / Source |
|---|---|---|---|---|
| 1 | People who use LinkedIn and visit the company page | Statistical, technical data (anonymised) about user behaviour on the company website | 30 days after closing the LinkedIn account | LinkedIn |
| 2 | People who have subscribed to the company page | Statistical, technical data (anonymised) about user behaviour on the company website | 30 days after closing the LinkedIn account | LinkedIn |
| 3 | Applicants | Depending on what is specified in the application (at least: name, address, contact details, curriculum vitae, educational background). | From the end of the application process or from the rejection of an application 7 months (§ 15 para 1, § 29 para 1 Equal Treatment Act (GlBG) as well as § 7k para 1 in connection with para 2 Z 1 (BEinstG)) and DSB decision DSB-D123.085/0003-DSB/2018 with regard to application documents as well as 3 years (§ 15 para 1, § 29 para 1 GlBG) from the rejection of the application with regard to documents from the application process (e.g. minutes of the job interview) and the rejection. | None |

The data will only be stored by us as long as it is necessary for the achievement of the respective purpose or within the framework of legal retention periods.

Applicant data is stored for 7 months from the end of the application process or from the rejection of an application (pursuant to § 15 para 1, § 29 para 1 GlBG as well as § 7k para 1 in connection with para 2 Z 1 BEinstG and DSB decision DSB-D123.085/0003-DSB/2018) with regard to application documents as well as for 3 years (§ 15 para 1, § 29 para 1 GlBG) from the rejection of the application with regard to documents from the application process (e.g. interview) and the rejection.

To exercise your data subject rights in connection with the use of the LinkedIn company page, you can find more detailed information either under LinkedinFrontend Privacy or under Linkedin Privacy as well as in point 8. of this Privacy Policy.

5. BNPL Infoservice

If you wish to be regularly informed about news in the field of BNPL, we require a valid e-mail address, your name and the name of your employer. If you decide to subscribe to our free information service, you will regularly receive information about BNPL such as blog articles, whitepapers and current studies from us. The processing of your personal data is based on your consent (Art. 6 para. 1 lit. a GDPR). Processing is only carried out in accordance with the purposes and to the extent agreed in our privacy policy. Consent given can be revoked at any time. The revocation of consent only takes effect for the future and does not affect the lawfulness of the data processed until the revocation. In order to be able to check whether you are the owner of the specified e-mail address or whether its owner agrees to receive the newsletter, we send an automated e-mail to the specified e-mail address after the first registration step (so-called double opt-in). Only after confirmation of the newsletter registration via a link in the confirmation e-mail do we include the specified e-mail address in our distribution list.

6. Inquiries and customer contact via the website

If you contact us via the contact options provided on the website, we process the personal data you provide (name, e-mail address, telephone number and enquiry data) in order to answer your enquiry about the cooperation options of the credi2 platform, to send information material about this product or to maintain a usual customer contact.

In the aforementioned cases, the processing of your data is necessary for the implementation of pre-contractual measures or for the fulfilment of the contract in accordance with Article 6 para 1 lit b GDPR and is therefore lawful.

For the management of your above-mentioned data, we use a customer data management system that is operated by a service provider commissioned by us as a data protection law processor within the EU. We do not pass on your data to other companies and there is also no transfer of your personal data to a third country or an international organisation.

We will delete your data if you request this or if there is no longer a valid customer relationship, unless we are authorised or obliged to store it for a longer period of time due to statutory retention obligations.

7. Processing of applicants’ data

You have the option of applying to us by e-mail. In the course of an application procedure, the application documents sent by you will be processed. The legal basis for this is the implementation of pre-contractual measures that take place at the request of the data subject (Art 6 para 1 lit b GDPR).

The information you provide will be processed for the purpose of handling your contact. It will not be passed on to third parties.

We store your applicant data for the purpose of defending any legal claims for discrimination upon the establishment of an employment relationship for a period of 6 months as well as an appropriate period of a follow-up of one month from the end of the application process or from the rejection of an application (pursuant to § 15 para 1, § 29 para 1 GlBG as well as § 7k para 1 in conjunction with para 2 Z 1 BEinstG and DSB decision DSB-D123.085/0003-DSB/2018) with regard to their application documents and for a period of 3 years for the purpose of defending any legal claims for harassment when establishing an employment relationship (pursuant to § 15 para 1, § 29 para 1 GlBG) from the rejection of the application with regard to documents from the application process (e.g. minutes of the job interview) and the rejection.

8. PEP & Sanctions Check

The careful selection of employees is very important to our company. Additional security measures are required, especially in the banking sector. In order to meet the highest security standards, we carry out a PEP & Sanctions Check after a successful application but before future employees are hired. Within the scope of the PEP & Sanctions Check, we examine whether a person is a politically exposed person as defined in Section 2 (6) of the Financial Market Money Laundering Act (FM-GwG) and whether economic and/or legal restrictions have been imposed on a person. In order to ensure that the highest security standards are maintained during the period of employment, we conduct an annual PEP & Sanctions Check for each employee.

We work for clients in the financial sector who are subject to the provisions of DIRECTIVE (EU) 2015/849 on the prevention of the use of the financial system for the purpose of money laundering and terrorist financing in relation to their activities. In order to comply with their legal obligations, these principals require us to conduct a PEP & Sanctions Check on applicants prior to entering into employment contracts. Without carrying out the PEP & Sanctions Check, we would not be able to provide our services to our clients. The processing of this personal data is therefore necessary to protect our legitimate interests as well as the legitimate interests of our clients and to comply with legal obligations by our clients. The legal basis for the processing is therefore our legitimate interest pursuant to Art 6 para 1 lit f GDPR.

We process the following categories of data for this purpose:

  a) Name
  b) Address
  c) Date of birth
  d) the presence of a politically exposed person, and
  e) Existence of economic and/or legal restrictions against a person.

As part of the query, we pass on your data (name, address, date of birth) to CRIF GmbH, Rothschildplatz 3/Top 3.06.B, A-1020 Vienna and CRIF AG, Hagenholzstrasse 81, CH-8050 Zurich, and obtain the above-mentioned information from the PEP & Sanctions Check from these sources.

With regard to the transfer of personal data to Switzerland, there is a legally valid adequacy decision of the European Commission of 26.07.2000 (file number C(2000) 2304) by which it was established that Switzerland ensures an adequate level of protection with regard to the protection of personal data transferred from the EU to Switzerland.

The results of the PEP Check will be stored by us for documentation purposes and deleted three years after termination of the employment relationship, unless there are longer retention obligations under labour law, company law or tax law.

9. Rights of the user

Upon written or textual request, information about the personal data stored about the user can be obtained. It is possible to have the personal data corrected or deleted by the responsible bodies as well as to object to the data processing, to demand a restriction of the processing and to assert the right to data portability. Excluded from the deletion is only data that is still required for the processing of the contractual relationship or for the enforcement of existing rights and claims, as well as data that must be retained due to legal provisions. However, the processing of the latter data will be restricted if necessary.

Your requests can be sent by e-mail to datenschutz@credi2.com or in writing to Credi2 GmbH, Mariahilfer Straße 41-43/B6, A-1060 Vienna. You can also contact our data protection officer directly by e-mail: datenschutz@credi2.com

If you are of the opinion that the processing of your personal data violates data protection law or that your data protection rights have been violated in any other way, you have the right to complain to the supervisory authority. In Austria, the data protection authority, Barichgasse 40-42, A-1030 Vienna, www.dsb.gv.at is responsible.

10. Adjustment

This privacy policy is part of the web offer www.credi2.com. Credi2 reserves the right to modify it from time to time and to adapt it to technical and legal developments.