Coface Group and its subsidiaries and affiliates (“Coface”, “Coface Companies”), in relation to their business activity, process personal data within the meaning of Article 4(1) of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter “GDPR”). The data are processed for purposes arising from legitimate interests pursued by the Coface Companies, in connection with their insurance, business information and debt collection activities. For this purpose, the Coface Companies may process the following personal data:
- data of individuals pursuing a business activity;
- data of individuals representing companies and other business enterprises, disclosed in public registers;
- data of individuals being contact persons of companies and other business enterprises, in connection with their professional function.
Who is the controller of personal data?
Depending on the purpose for which we process the data, the personal data controller will be one or more of the companies of the Coface Group in Austria (hereinafter referred to as the “Coface Austria”):
Compagnie Française d'Assurance pour le Commerce Extérieur SA Niederlassung Austria
T. +43/1/515 54-0
F. +43/1/512 44 15
Coface Austria Services GmbH
T. +43/1/515 54-0
F. +43/1/512 44 15
Data Protection Officer of Coface is:
If you have further questions on data protection for Coface Austria please feel free to contact:
Christine Haager / Coface Austria Compliance Manager
Compagnie Française d'Assurance pour le Commerce Extérieur SA Niederlassung Austria
A-1030 Vienna, Austria
T.: +43 1 51554-287
Why do we process personal data / what is the purpose of data processing?
Coface Austria processes personal data solely for the purposes set out in Article 6(1)(b) GDPR (to fulfill contractual obligations), Article 6(1)(c) (to fulfill legal obligations), Article 6(1)(a) (within the framework of your consent) and Article 6(1)(f) (to protect legitimate interests).
Below is a brief overview of the most important provisions, arranged by the main purposes of data processing:
- the conclusion and execution of contracts with customers and counterparties;
- the assessment of credibility of companies and other business enterprises, including the elaboration of reports and sharing such reports with our customers; to that end, Coface Austria shall process personal data of individuals pursuing business activity and natural persons representing companies and other business enterprises, whose data are disclosed in the public registers. The data originate (a) from public registers such as the Commercial register and (b) directly from the enterprises concerned;
- credit insurance – for that purpose, Coface Austria processes personal data of our customers’ debtors; the data are provided by our customers;
- consultation and data exchange with credit agencies (e.g. KSV 1870 in Austria) to identify creditworthiness and/or default risks, and fulfillment of legal obligations such as anti-money laundering and counteracting the financing of terrorism, in connection with obligations under the Austrian Anti-Money Laundering and Countering Financing of Terrorism law, e.g. the Financial Markets Anti-Money Laundering Act and other legal provisions which impose on Coface the obligation to register or report certain events and to process personal data for that purpose;
- marketing purposes also according to Article 21 GDPR;
For further and more detailed information concerning the GDPR please find attached the following Download Link:
EU General Data Protection Regulation (full text):
What personal data do we process and where do they come from?
Coface Austria processes the following personal data according to Article 4 (1) and Article 2 of GDPR:
- registration and identification details of individuals pursuing business activity originating directly from individuals representing companies or other business enterprises or public registers, which are collected by us in connection with our insurance, business information or debt collection activities;
- financial data of companies or other business enterprises, originating directly from companies or other business enterprises or from contractors of these entities, collected by us in connection with our insurance, information or debt collection activities. The financial data may include credit rating and economic viability indicators, calculated automatically on the basis of other information held by us on the economic entity concerned;
- the contact details of the companies or other business enterprises and their employees, originating directly from those persons or from contractors of these entities, collected by us in connection with our insurance, business information or debt collection activities;
- data of individuals representing companies or other business enterprises, disclosed in the public registers;
Does automated decision-making take place, including profiling?
Companies and other business enterprises included in the Coface economic information system (including the individuals representing these entities, as mentioned above) are subject to automated assessment (profiling) for purposes related to the assessment of payment risk in accordance with Article 22 of GDPR. Data processing is carried out for purposes arising from the legitimate interests of the Coface Companies and data recipients. Any person whose data are processed in such a way has the right to object to such processing at any time.
Who are the personal data recipients?
As a general rule and in accordance with the GDPR provisions, Personal Data will be received only by those bodies, entities or employees within Coface Austria that need them to fulfill contractual, legal and regulatory obligations and to serve legitimate interests. Furthermore, processors engaged by Coface Austria will receive Personal Data if and in so far as they require it for their respective services. All processors are or will be placed under a corresponding contractual obligation to handle the Personal Data confidentially and to process it only within the framework of the contractual obligation and the provisions of the GDPR.
The personal data for which Coface Austria is the controller may therefore be made available to:
- our customers, in the form of reports, for legitimate purposes of those entities related to the verification of business contractors;
- other companies from the Coface Group, including all Coface subsidiaries, for legitimate purposes related to the flow of data within the group of individuals representing companies and other business enterprises.
- Public Bodies and various institutions may also be recipients of personal data if a legal or regulatory obligation arises.
What is the period of the personal data processing and storage?
Coface will retain Personal Data for the duration of the business relationship and as long as required or permitted in light of the purpose(s) for which it was obtained. The criteria used to determine our retention periods include: (i) the length of time Coface has an ongoing relationship with our client and provides the Services; (ii) whether there is a legal obligation to which Coface is subject; and (iii) whether retention is advisable in light of our legal position (such as in regard to applicable statutes of limitations, litigation or regulatory investigations).
Moreover, with regard to the duration of storage, we must respect the statutory limitation periods which, e.g. in accordance with the Austrian Civil Code (“Allgemeines Bürgerliches Gesetzbuch – ABGB”), can amount to 30 years in general (only 3 years in certain cases).
Data subjects' rights and means of exercising them
All persons whose data are processed by Coface Austria (Data subjects) have the right to request access to their personal data, the right to rectification, erasure or restriction of processing of such data, the right to object to the processing (in cases justified in GDPR) and the right to lodge a complaint with the supervisory authority (Austrian Data Protection Authority – Österreichische Datenschutzbehörde, www.dsb.gv.at). Persons whose personal data are processed for marketing purposes have the right to object.
Where the processing is based on given consent to the processing of your personal data for one or more specific purposes, you have the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
Obligations to Provide Personal Data to Coface Austria
Coface Austria is only obliged to request Personal Data which are required for the assumption and performance of the business relationship and which Coface Austria is obliged by the respective Legal Provisions to collect. If Coface Austria does not receive this information, it has to refuse to conclude a contract or to execute certain kinds of orders. Coface Austria might also no longer be able to perform an existing contract and will be forced to terminate such a contract.
Contact details with regard to the personal data processing
All matters relating to the processing of personal data by Coface Austria should be addressed by email to:
By Email: email@example.com.
Identification of requesting person
When providing any information containing personal data, Coface Austria may only provide such information to the data subject (or his/her legal representative). Therefore, Coface Austria will require information and documents sufficient to identify the data subject before sending him/her such information.
Frequently Asked Questions on the GDPR
On this page you’ll find answers to commonly asked questions, relevant documentation, links to useful external resources, and contact details should you need additional information on the GDPR.
The GDPR will replace the current EU Data Protection Directive 95/46/EC and will be directly applicable in all EU and EEA Member States as of 25 May 2018.
The GDPR will significantly change the EU data protection regulatory landscape, setting stricter requirements, reaching more companies, and imposing potentially higher penalties. For example, companies must:
- Implement programmatic measures to ensure and actively demonstrate compliance
- Implement appropriate technical and organisational measures to protect the rights of individuals when designing a processing system and processing data
- Conduct data protection impact assessments of high risk processing activities
- Implement privacy by design and by default
- Implement data breach notification
Coface is committed to the protection of personal data we collect and process, with rigorous policies, controls, and compliance oversight to ensure that data is held and used appropriately.
Coface has established an enterprise-wide GDPR programme, with key executive sponsorship, that covers its impacted subsidiaries and affiliates. Data processing activities that involve data about individuals in the EU are under review, including applications and databases, policies, processes, and procedures to ensure that our employees, partners, and vendors process personal data in compliance with GDPR requirements.
Coface leverages a network of country compliance officers and a Group Compliance team to ensure sustainable compliance with the GDPR going forward.
The GDPR not only applies to organizations located within the EU but it will also apply to organisations located outside of the EU if they offer goods or services to, or monitor the behaviour of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.
The GDPR may require updates to certain data privacy provisions of client agreements to reflect the changes required by the GDPR. If changes in documentation we have in place with you are needed, we will contact you to provide any new privacy terms or notices that are required.
The GDPR’s territorial scope of application is wider and may apply to organizations that are not based in the EU but offer goods or services to individuals in the EU and/or monitor the behaviour of individuals in the EU. Coface is reviewing all of its processing activities involving individuals in the EU to determine if the broader territorial scope applies. If applicable, Coface will take the necessary actions, which may include updating Terms and Conditions of business, to reflect the changes required by the GDPR.
We are working through all our policies and procedures and making updates where necessary to comply with the GDPR.
Coface Privacy Notice will be available for download by clicking on the link below.
Explicit consent is required only for processing sensitive personal data - in this context, nothing short of “opt in” will suffice. However, for non-sensitive data, “unambiguous” consent will suffice. Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language.
We have been actively reviewing our client documentation in light of GDPR and engaging with clients as required. We have drafted Coface Privacy Notice, available shortly for download by clicking on the link below, to inform individuals of their rights and how Coface processes personal information in its provision of services.
Downloads & contact
ESSENTIAL GDPR DOCUMENTS FOR COFACE CLIENTS
Coface Privacy Notice: DOWNLOAD
USEFUL GDPR EXTERNAL RESOURCES
European Commission:
EU General Data Protection Regulation (full text):
CONTACT US
If you have additional queries on GDPR implementation, you can:
- contact Christine Haager by email at: firstname.lastname@example.org if you have questions on data protection for Coface Austria; or
- write to Coface, Branch Austria, Marxergasse 4c, 1030 Vienna, Austria; or
- write to Data Protection Office / Group Compliance, 1 Place Costes et Bellonte - 92270 Bois-Colombes - FRANCE; or
- contact your Account Manager.