Data protection

ProCredit’s Approach to Data Protection

Banking in the digital age comes with significant opportunities for the ProCredit group and our clients, but at the same time it places significant responsibilities on us with respect to data, information and payment security. The ProCredit group is committed to investing in digital banking to provide its clients with a wide range of innovative service channels centred around user-friendly online banking. At the same time, the group is committed to its long-term, client-oriented, responsible approach to banking.

We therefore place great importance on ensuring the security of our clients’ data, both in our systems and in the way our staff handle this private information every day. The topic is governed by group policies on IT infrastructure, business continuity and information security, including data security. These policies are aligned with EU and German regulations and with industry best practices. Consequently, we apply high standards of both staff professionalism and IT system integrity in order to protect data. The protection and security of our clients’ personal data is of particular importance for the group.

Dealing with personal and confidential information is a central part of the ProCredit Code of Conduct and regular training is provided to all our staff on data security and privacy-related risks and procedures.

The ProCredit group is committed to compliance with the applicable data protection framework. It respects the privacy of its clients and staff. Our group regulator, the German Federal Financial Services Supervisory Authority (Bundesanstalt für Finanzdienstleistungsaufsicht – “BaFin”), also places emphasis on compliance with data protection laws. The topic is a firm focus of the compliance system established throughout the group.

Data Protection at group level

The ProCredit banks mainly process the customer data needed to offer banking services as well as their own employee data.

All ProCredit subsidiaries apply the highest standards in information security. The ProCredit Group Information Security Policy contains the following general data protection principles, which must be respected by each ProCredit institution.

Data protection principles

Personal data must be protected by appropriate technical and organisational measures and must be treated in accordance with the following wide-ranging principles.

Personal data shall be:

(a) processed lawfully, fairly and in a transparent manner in relation to the data subject (“lawfulness, fairness and transparency”)

(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes (“purpose limitation”)

(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (“data minimisation”)

(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (“accuracy”)

(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required in order to safeguard the rights and freedoms of the data subject (“storage limitation”)

(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (“integrity and confidentiality”)

In addition to the group-wide applicable policies and international best practices, all ProCredit banks ensure compliance with the locally applicable laws on data protection and banking secrecy. Compliance with group policies is audited on a regular basis, internally as well as externally by reputable audit firms.

Quipu GmbH, headquartered in Frankfurt am Main, Federal Republic of Germany (“Quipu”), is part of the ProCredit group and provides dedicated IT support services. As ProCredit’s IT service provider, Quipu is able to react quickly to IT challenges and offers uniform solutions to the ProCredit banks, thus enabling the centralisation of many operations as well as the standardisation and application of group-wide policies and standards in information security. Quipu supports the group in the implementation of high IT security standards, including infrastructure standards, cyber vulnerability testing, and access and security management. All events and complaints related to IT security and data protection are strictly monitored and acted upon.

The Quipu Processing Centre is responsible for card payments for the group and is certified according to established standards related to the security of card payments, quality management and IT service management (e.g. ISO 20000, ISO 9001, PCI-DSS, PCI CPP). It is regularly audited for compliance with these standards as required by Visa and MasterCard. In 2017 Quipu was granted ISO 27001 certification for the information security management of its Processing Centre and cloud services. These certifications testify that our clients’ card transactions are managed with the highest degree of security.

Data Protection at ProCredit Holding Level

ProCredit Holding (“PCH”) and its EU-based subsidiaries have implemented the stringent requirements for personal data protection set forth in the European General Data Protection Regulation (“GDPR”), which has been in force since 25 May 2018.

PCH has issued a Data Protection Standard which applies to all processing activities performed at the Holding level. It describes the legal environment for data processing in terms of legal justifications and principles to be observed. PCH has appointed a data protection officer who monitors compliance with the applicable data protection regulations. The Data Breach Reporting Committee established at PCH deals with all cases of reported data breaches. PCH keeps its staff informed about data protection issues and conducts regular staff training to ensure awareness of the importance of data protection. Staff are sworn to data secrecy.

When involving external service providers in its data processing activities, PCH ensures that the respective contracts comply with Article 28 of the GDPR on commissioned processing.

PCH keeps an inventory which reflects all of its data processing activities, mainly HR data and, to a limited extent and for strictly regulatory purposes, customer data provided by its subsidiaries.

PCH has implemented processes to handle, without undue delay, requests from data subjects for information, correction, erasure and blocking of data, as well as the reporting of data breaches to the supervisory authority and, where applicable, notification of the data subjects. PCH will promptly respond to queries from supervisory authorities.

PCH has implemented appropriate technical and organisational measures to protect the personal data under its control against unauthorised processing.

In case of questions or queries, you can contact the PCH data protection officer as follows:

by email at PCH.datenschutz@ProCredit-group.com or by phone on +49 69 95 14 370.

Our data protection declaration can be found on our website here.

Privacy protection notice regarding etracker

The provider of this website uses the services of etracker GmbH, Hamburg, Germany (www.etracker.com) to analyse usage data. etracker does not use cookies by default.

The data generated by etracker on behalf of the provider of this website is processed and stored by etracker solely in Germany and is thus subject to the strict German and European data protection laws and standards. In this regard, etracker has been independently checked, certified and awarded the ePrivacyseal data protection seal of approval.

The legal basis for the data processing is Art. 6 (1)(f) (legitimate interest) of the General Data Protection Regulation (GDPR). Our legitimate interest is the optimisation of our online services and our website. As the privacy of our visitors is particularly important to us, data that could potentially be linked to an individual person, such as the IP address, registration or device IDs, is anonymised or pseudonymised as soon as possible. etracker does not use the data for any other purpose, combine it with other data or pass it on to third parties.

You can object to the outlined data processing at any time.

Further information on data protection with etracker can be found here.

Cookies