ProCredit’s Approach to Data Protection
Banking in the digital age comes with significant opportunities for the ProCredit group and our clients, but at the same time places significant responsibilities on us with respect to data, information and payment security. The ProCredit group is committed to investing in digital banking to provide its clients with a wide range of innovative service channels centred around user-friendly online banking. At the same time, the Group is committed to its long-term, client-oriented, responsible approach to banking.
We therefore place great importance on ensuring the security of our clients’ data, both in our systems and in the way our employees handle this private information every day. The topic is governed through group policies on IT infrastructure, business continuity and information security, including data security. These policies are aligned with EU and German regulations and with industry best practices. Accordingly, we apply high standards both of employee professionalism and of IT systems to protect data. The protection and security of our clients’ personal data is of particular importance for the Group.
Dealing with personal and confidential information is a central part of the ProCredit Code of Conduct, and regular training is provided to all our employees on data security and privacy-related risks and procedures.
The ProCredit Group is committed to compliance with the applicable data protection framework. It respects the privacy of its clients and employees. Our group regulator, the German Federal Financial Supervisory Authority (Bundesanstalt für Finanzdienstleistungsaufsicht – “BaFin”), also places emphasis on compliance with data protection laws. The topic is firmly in the focus of the compliance system established throughout the group.
Data Protection at Group Level
The ProCredit banks mainly process the customer data needed to offer banking services as well as their own employee data.
All ProCredit subsidiaries apply the highest standards in information security. The ProCredit Group Information Security Policy contains the following general data protection principles, which need to be respected by each ProCredit institution:
Data protection principles
Personal data needs to be protected by adequate technical and organisational measures and must be treated in accordance with the following wide-ranging principles:
1) Prohibition with Reservation of Authorisation. The collection, processing and use of personal data are only permissible in accordance with local data protection laws. Before personal data can be collected, processed and used, statutory permission, a legal obligation or the individual’s consent is usually required.
2) Collection of data directly from the individual. Personal data shall be collected directly from the individual unless there is a statutory permission or obligation to collect the data from third parties or if collection directly from the individual would require a disproportionate amount of time and energy.
3) Data Economy and Data Avoidance. Personal data is to be collected, processed and used, and information systems are to be designed, in accordance with the aim of collecting, processing and using as little personal data as possible. In particular, personal data is to be pseudonymised or anonymised as far as possible and as far as the effort involved is reasonable in relation to the desired level of protection. Personal data shall be deleted as soon as its storage is no longer necessary or required by law.
4) Transparency. It shall be clear to the individual which of his or her personal data has been stored, processed or deleted, by whom, and why it has been treated in this manner.
5) Appropriation. Personal data may only be collected and used for a specific purpose, which has been set before the collection took place and has ideally been documented. The use of personal data for another purpose must be covered by a statutory permission or obligation or the consent of the individual.
6) Necessity. Personal data may only be collected, processed and used to the extent necessary to complete a task.
7) Commitment to Data Secrecy. Employees shall be sworn to data secrecy. Persons employed in data processing shall not collect, process or use personal data without authorisation (confidentiality). On taking up their duties, such persons shall be required to give an undertaking to maintain such confidentiality. This undertaking shall continue to be valid after the termination of their activity.
In addition to the group-wide applicable policies and international best practice, all ProCredit banks ensure compliance with the applicable local laws on data protection and banking secrecy. Compliance with group policies is audited on a regular basis, internally as well as externally by reputable audit firms.
Quipu GmbH, headquartered in Frankfurt am Main, Federal Republic of Germany (“Quipu”), is part of the ProCredit group and provides dedicated IT support services. As ProCredit’s IT service provider, Quipu is able to react quickly to IT challenges and offers uniform solutions to the ProCredit banks, thus enabling the centralisation of many operations as well as the standardisation and applicability of group-wide policies and standards in information security. Quipu supports the group in implementing high IT security standards, including infrastructure standards, cyber vulnerability testing, and access and security management. All events and complaints related to IT security and data protection are strictly monitored and acted upon.
The Quipu Processing Centre is responsible for card payments for the group and is certified according to established standards related to the security of card payments, quality management and IT service management (e.g. ISO 20000, ISO 9001, PCI-DSS, PCI CPP). It is regularly audited for compliance with these standards as required by Visa and MasterCard. In 2017 Quipu received ISO 27001 certification for its information security management of the Processing Centre and the cloud services. These certifications testify that our clients’ card transactions are managed with the highest degree of security.
Data Protection at PCH Level
PCH and its EU-based subsidiaries have implemented the new, stringent requirements for personal data protection imposed by the European General Data Protection Regulation (“GDPR”), which applies as of May 25, 2018.
PCH has issued a Data Protection Standard, which applies to all processing activities performed at the holding level. It describes the legal environment for data processing in terms of the legal justifications and principles to be observed. PCH has appointed a data protection officer who monitors compliance with the applicable data protection regulations. The Data Breach Reporting Committee established at PCH deals with all cases of reported data breaches. PCH informs its staff about data protection issues and conducts regular training sessions to ensure awareness of the importance of data protection among its employees. Staff are sworn to data secrecy.
When involving external service providers in its data processing activities, PCH ensures that the respective contracts comply with Article 28 of the GDPR on commissioned processing.
PCH keeps an inventory reflecting all of its data processing activities: mainly HR data and, to a limited extent and for strictly regulatory purposes, customer data provided by its subsidiaries.
PCH has implemented processes to handle, without undue delay, requests from data subjects for information, correction, erasure and blocking of data, as well as the reporting of data breaches to the supervisory authority and, where required, notification of the data subjects. PCH will promptly respond to queries from supervisory authorities.
PCH has implemented adequate technical and organisational measures to protect personal data under its control against unauthorised processing.
If you have questions or queries, you can reach PCH’s data protection officer as follows:
by email at email@example.com or by phone at +49 69 95 14 370.
Our website-specific data protection declaration can be found here.
Privacy protection notice
The provider of this website uses the services of etracker GmbH, Hamburg, Germany (www.etracker.com) to analyse usage data. For this purpose, cookies are used which enable the statistical analysis of the use of this website by its visitors as well as the display of usage-relevant content or advertising. Cookies are small text files that are stored by the Internet browser on the user’s device. etracker cookies do not contain any information that could identify a user.
The data generated with etracker is processed and stored by etracker solely in Germany on behalf of the provider of this website and is thus subject to strict German and European data protection laws and standards. In this regard, etracker was checked, certified and awarded the ePrivacyseal data protection seal of approval.
The data is processed on the legal basis of Art. 6 Section 1 lit. f (legitimate interest) of the EU General Data Protection Regulation (GDPR). Our legitimate interest is the optimisation of our online offer and our website. As the privacy of our visitors is very important to us, etracker anonymises the IP address as early as possible and converts login or device IDs into a unique key from which no connection to any specific person can be made. etracker does not use this key for any other purpose, combine it with other data or pass it on to third parties.
You can object to the data processing outlined above at any time insofar as it relates to your person. Your objection has no detrimental consequences for you.
Further information on data protection with etracker can be found here.