ProCredit’s Approach to Data Protection
Banking in the digital age comes with significant opportunities for the ProCredit group and our clients, but at the same time it places significant responsibilities on us with respect to data, information and payment security. The ProCredit group is committed to investing in digital banking to provide its clients with a wide range of innovative service channels centred around user-friendly on-line banking. At the same time, the group is committed to its long-term, client-oriented, responsible approach to banking.
We therefore place great importance on ensuring the security of our clients’ data both in our systems and in the way our staff handle this private information every day. The topic is governed by group policies on IT infrastructure, business continuity and information security, including data security. These policies are aligned with the EU and German regulations and with industry best practices. Consequently, we apply the high standards both in terms of staff professionalism and in terms of IT system integrity in order to protect data. The protection and security of our clients’ personal data is of particular importance for the group.
Dealing with personal and confidential information is a central part of the ProCredit Code of Conduct and regular training is provided to all our staff on data security and privacy-related risks and procedures.
The ProCredit group is committed to compliance with the applicable data protection framework. It respects the privacy of its clients and staff. Our group regulator, the German Federal Financial Services Supervisory Authority (Bundesanstalt für Finanzdienstleistungsaufsicht – “BaFin”) also puts emphasis on compliance with data protection laws. The topic is firmly in the focus of the compliance system established throughout the group.
Data Protection at group level
The ProCredit banks mainly process the customer data needed to offer banking services as well as their own employee data.
All ProCredit subsidiaries apply the highest standards in information security. The ProCredit Group Information Security Policy contains the following general data protection principles, which must be respected by each ProCredit institution:
Data protection principles
Personal data must be protected by appropriate technical and organisational measures and must be treated in accordance with the following wide-ranging principles:
1) Prohibition with Reservation of Authorisation. The collection, processing and use of personal data are only permissible in accordance with local data protection laws. Before personal data can be collected, processed and used, statutory permission, a legal obligation or the consent of the data subject is usually required.
2) Collection of data directly from the individual. Personal data is to be collected directly from the data subject unless there is a statutory permission or obligation to collect the data from third parties or if collection directly from the data subject would require a disproportionate amount of time and energy.
3) Data Economy and Data Avoidance. Personal data is to be collected, processed and used, and information systems are to be designed in accordance with the aim of collecting, processing and using as little personal data as possible. In particular, personal data is to be aliased or rendered anonymous to the extent possible and insofar as the effort involved is reasonable in relation to the desired level of protection. Personal data must deleted as soon as storage is no longer necessary or required by law.
4) Transparency. It must be clear to the data subject which of his or her personal data have been saved, processed or deleted and by whom as well as why it has been treated in this manner.
5) Appropriation. Personal data may only be collected and used for a specific purpose which must be set before the collection takes place and which has ideally been documented. The use of personal data for another purpose must be covered by a statutory permission or obligation or by the consent of the data subject.
6) Necessity. Personal data may only be collected, processed and used to the extent necessary to complete a task.
7) Commitment to Data Secrecy. Staff must be sworn to data secrecy. Persons employed in data processing are not to collect, process or use personal data without authorisation (confidentiality). Upon taking up their duties, such persons are required to give an undertaking to maintain such confidentiality. This undertaking continues to be valid after the termination of their activity.
In addition to the group-wide applicable policies and international best practices, all ProCredit banks ensure compliance with the locally applicable laws on data protection and banking secrecy. Compliance with group policies is audited on a regular basis, internally as well as externally by reputable audit firms.
Quipu GmbH, headquartered in Frankfurt am Main, Federal Republic of Germany (“Quipu”), is part of the ProCredit group providing dedicated IT support services. As ProCredit’s IT service provider, Quipu is able to react quickly to IT challenges and offers uniform solutions to the ProCredit banks, thus enabling the centralisation of many operations, but also standardisation and applicability of group-wide policies and standards in information security. Quipu supports the group in the implementation of high IT security standards including infrastructure standards, cyber vulnerability testing as well as access and security management. All events and complaints related to IT security and data protection are strictly monitored and acted upon.
The Quipu Processing Centre is responsible for card payments for the group and is certified according to established standards related to the security of card payments, quality management and IT service management (e.g. ISO 20000, ISO 9001, PCI-DSS, PCI CPP). It is regularly audited for compliance with these standards as required by Visa and MasterCard. In 2017 Quipu was granted ISO 27001 certification for the information security management of its Processing Centre and cloud services. These certifications testify that our clients’ card transactions are managed with the highest degree of security.
Data Protection at ProCredit Holding Level
ProCredit Holding (“PCH”) and its EU-based subsidiaries have implemented the new stringent requirements required for personal data protection set forth in the European General Data Protection Regulation (“GDPR”), which has been in force since 25 May 2018.
PCH has issued a Data Protection Standard which applies to all processing activities performed at the Holding level. It describes the legal environment for data processing in terms of legal justifications and principles to be observed. PCH has appointed a data protection officer who monitors compliance with the applicable data protection regulations. The Data Breach Reporting Committee established at PCH deals with all cases of reported data breaches. PCH keeps its staff informed about data protection issues and conducts regular staff training to ensure awareness of the importance of data protection. Staff are sworn to data secrecy.
When involving external service providers in its data processing activities, PCH ensures that the respective contracts comply with Article 28 of the GDPR on commissioned processing.
PCH keeps an inventory which reflects all of its data processing activities, mainly HR data and, to a limited extent and for strictly regulatory purposes, customer data provided by its subsidiaries.
PCH has implemented processes to handle without undue delay requests from data subjects for information, correction, erasure and blocking of data as well as reporting of data breaches to the supervisory authority and the eventual notification of the data subjects. PCH will promptly respond to queries from supervisory authorities.
PCH has implemented appropriate technical and organisational measures to protect the personal data under its control against unauthorised processing.
In case of questions or queries, you can contact the PCH data protection officer as follows:
by email at PCH.datenschutz@ProCredit-group.com or by phone on +49 69 95 14 370.
Our data protection declaration can be found on our website here.
Privacy protection notice regarding etracker
The data generated by etracker on behalf of the provider of this website is processed and stored by etracker solely in Germany and is thus subject to the strict German and European data protection laws and standards. In this regard, etracker has been independently checked, certified and awarded the ePrivacyseal data protection seal of approval.
The legal basis for the data processing is Art. 6 (1)(f) (legitimate interest) of the General Data Protection Regulation (GDPR). Our legitimate interest is the optimisation of our online services and our website. As the privacy of our visitors is particularly important to us, the data that may possibly allow a reference to an individual person, such as the IP address, registration or device IDs, will be anonymised or pseudonymised as soon as possible. etracker does not use the data for any other purpose, combine it with other data or pass it on to third parties.
You can object to the outlined data processing at any time.
Further information on data protection with etracker can be found here.