Information on data protection

Depending on whether you are a creditPass user or a private person, you will find relevant information on data protection here. Please click on one of the links below to find out more:

Informationen für creditPass-Kunden (Abfrager)
Information on data protection for creditPass customers

The collection, processing and use of personal data (e.g. negative features, score) are subject to the European General Data Protection Regulation (GDPR) from May 25, 2018 and are thereby standardized across the EU. This is intended on the one hand to ensure the protection of personal data within the European Union and on the other hand to guarantee the free movement of data within the European internal market.


The following points can be listed as a rough overview:


1) Duty to provide information before obtaining information (Art. 14 EU GDPR):


If personal data is used to obtain scoring using address data, the respondent must be informed of this before (!) The time the data is collected. In online shops, we recommend a link to the data protection information, which is available on every subpage. A possible text could be as follows:

“We transmit your data (name, address and, if applicable. date of birth) for the purpose of checking your creditworthiness, obtaining information for assessing the risk of non-payment on the basis of mathematical-statistical methods using address data, and verifying your address (checking for deliverability) via creditPass to CRIF GmbH Niederlassung Hamburg, Friesenweg 4, Haus 12, 22763 Hamburg; Creditreform Boniversum GmbH, Hammfelddamm 13, 41460 Neuss; Deutsche Post Direkt GmbH, Junkersring 57, 53844 Troisdorf; infoscore Consumer Data GmbH, Rheinstraße 99, 76532 Baden-Baden; SCHUFA Holding AG, Kormoranweg 5, 65201 Wiesbaden. The legal bases for these transfers are Article 6 Paragraph 1 Letter b and Article 6 Paragraph 1 Letter f of the GDPR. The data exchange with also serves to fulfill legal obligations to carry out credit checks (§ 505a and 506 of the German Civil Code). CRIF GmbH processes the data received and also uses them in order to provide its contractual partners in the European Economic Area and in Switzerland as well as, if applicable, other third countries (insofar as an adequacy decision of the European Commission exists in respect of these) with information, inter alia, for assessing the creditworthiness of natural persons. Transfers based on these provisions may only be made if this is necessary to safeguard the legitimate interests of our company or third parties and the interests of the fundamental rights and freedoms of the data subject, which require the protection of personal data, do not outweigh the interests of the data subject. Detailed information on the credit bureaus i. S. d. Art. 14 European General Data Protection Regulation (“EU GDPR”), ie information on the business purpose, for the purposes of data storage, the data recipients, the right to information, the right to deletion or correction, etc. can be found under the following link:

(Unused credit agencies / links should not be listed here! The creditPass team will be happy to provide you with the texts recommended by the credit agencies on request.)


The main concern here is that the data subject is informed about the transmission, the recipient, the type of data transmitted and their use in the relevant customer documents (e.g. terms and conditions, order form, application form, information page on data protection, etc.) . It is best to have this information actively confirmed (e.g. by clicking / ticking). Even if only negative information is used, it is advisable to inform the person concerned about this before obtaining the information.

In the case of electronic media (e.g. data protection information in the online shop, etc.), we recommend setting a direct link so that the customer can easily see further information:

“Further information, including about the various providers and the possibility of self-assessment, is available at:

When using IdentChecks from SCHUFA , it is necessary to obtain a declaration of consent before the test (in online shops, e.g. by opting in). For this purpose, the SCHUFA recommends the following text:

“I consent to my personal data being transmitted to SCHUFA for the purpose of checking my identity. The SCHUFA then transmits the degree of correspondence between the personal data stored by it and the personal data I have provided in percentages. the[FIRMA] can thus use the match rates transmitted to see whether a person is stored in the SCHUFA database at the address I have given and is over 18 years old. There will be no further exchange of data or the transmission of deviating addresses or any storage of my data in the SCHUFA database. For reasons of proof, only the fact that the address has been checked is stored by SCHUFA. You can find more information at “


2) Proof of legitimate interest ( Art. 6 GDPR)


For all credit information obtained via creditPass, every request must be based on a legitimate interest. A legitimate interest is given, for example, to avoid payment defaults or cases of fraud (e.g. when ordering in an online shop, when the customer “goes to the checkout” and selects a risky payment method). On the other hand, the question of whether there is a legitimate interest if the customer, for example, is disputed. would like to pay in advance or have deposited appropriate securities, i.e. there is no risk in the business relationship or a credit check takes place before it is clear whether there is a risk (e.g. before selecting the desired payment method). In any case, an active declaration of consent should be obtained from the customer (e.g. checkbox for online shops). When used for marketing purposes, a legitimate interest cannot be assumed!
It is also important to ensure that the legitimate interest of the person concerned is not violated despite a legitimate interest. An interest worthy of protection exists z. B. if the respondent demonstrates that the use of his data affects him adversely in his particular personal (societal, social, economic, legal or family) situation.
To prove the legitimate interest, random checks are carried out at regular intervals, during which it must be proven what the legitimate interest in the information was. This can be done, for example, by means of a copy of an order form, an application form or an invoice.


3) Automated individual decisions (Art. 22 GDPR)


Decisions that have legal consequences for the person concerned or that significantly affect them may not be based solely on automated processing of personal data that is used to evaluate individual personality traits.
However, automated individual decisions are permitted in the following cases:
The request of the person concerned is granted or a negative decision is flanked by procedural rights that protect the consumer, ie the person concerned is informed that a rejection has been made on the basis of automated processing of personal data. At the request of the person concerned, the main reasons for this decision must be communicated and explained!

Against this background, it makes sense generally not to reject a contractual relationship in a fully automated manner, but to always switch a clerk in between.
If an automated decision cannot be circumvented (e.g. check in the background of online shops), the person concerned must be informed accordingly (e.g. “Due to an automated credit check on your person, we are unfortunately unable to offer you the desired payment method. Please select a different payment method.”


4) Reporting of data to credit agencies (Art. 6 GDPR)


This point applies in particular to customers who use Creditreform Boniversum or SCHUFA, as there is usually a registration requirement. Even if the provision of Section 28a Para. 1 BDSG ceases to exist in the course of the GDPR, its principles exist within the scope of the balancing of interests of Art. 6 Para. 1 lit. f) GDPR.


In the event that personal data are submitted to a credit agency, in addition to the data protection regulations, the special regulations of the credit agencies (see participation agreements or contract documents) must be observed. For example, there are also duties of instruction for those who have registered according to the relevant rules.


The following texts are recommended by the credit bureaus:


Creditreform Boniversum:
“Within the scope of what is legally permissible and taking into account your respective interests worthy of protection, we can send your address data to Creditreform Boniversum GmbH, Hellersbergstr. 11, 41460 Neuss and in return receive and use your creditworthiness data from Creditreform Boniversum GmbH. “


“We would like to point out that we transfer data about the non-contractual processing of due and undisputed claims to SCHUFA Holding AG, Kormoranweg 5, 65201 Wiesbaden, insofar as the above-mentioned claim is not balanced and the transfer of the data to safeguard our legitimate interests or that of a third party is required. You can find more information about SCHUFA at “



5) Obligation to provide information after obtaining credit information (Art. 15 GDPR)


In principle, the querying party, as the “responsible body”, has to provide the data subject with information on request about the data stored about his or her person, also insofar as it relates to the origin of this data, the recipient or the categories of recipients to whom the data is passed on and the Purpose of storage. In this regard, with the goal of more transparency, an expansion can be expected.
If so-called “profiling” is used, there are extended disclosure obligations. For example, the person concerned must be given information about the score values collected or stored in the last six months. This information includes the individual case-related and generally understandable explanation of the occurrence and meaning of the score.
If the data are taken over unchanged from the credit bureaus, you can usually also be referred directly to the respective credit bureaus.


6) Compliance with deletion periods (Art. 17 GDPR)


In principle, personal data, i.e. in particular the detailed information received for credit reports, should be deleted as soon as possible after the purpose on which the information is provided, in accordance with the principle of data economy and avoidance, provided that there are no other legal obligations to the contrary (e.g. information obligations / obligation to provide information ). It should also be noted that, depending on the purpose, the information obtained from information may not be used for purposes other than the original. A repeated use of the data or a later other use z. B. for the purpose of marketing campaigns is not allowed.

Credit information should be deleted immediately after the expiry of any retention requirements or blocked for further use in the meantime. In order to avoid multiple inquiries from existing customers, it can often be useful to create customer classes (e.g. your own blacklists or whitelists based on your own payment experience – of course, in compliance with the relevant data protection guidelines!). The person concerned also has (if no other legal obligations prevail) the “right to be forgotten” and can therefore request the deletion of their personal data.





Important NOTE:


Unfortunately, despite the standardization through the GDPR, there are no clear guidelines, much is still subject to the pure interpretation of the corresponding laws. This page only reproduces the information available to creditPass to the best of its knowledge. Nevertheless, it can happen that incorrect, outdated or incomplete information emerges. CreditPass GmbH assumes no liability for the statements on this page. If in doubt, please ask your lawyer or the credit agency you trust.

Informationen für Privatpersonen (Abgefragte)
Information on data protection for private individuals

If creditworthiness information has been obtained about you, you as the person concerned have the right to information about the details of the creditworthiness query and how it came about from the responsible body (the person who queried you, possibly also directly to the body storing the data, i.e. the credit agency) a possibly negative decision of your application. This right to information cannot be excluded by general terms and conditions or a contract. In the case of automated decisions, including profiling, you can always request meaningful information about the logic involved, as well as the scope and intended effects of such processing (Art. 15 GDPR).


According to the general goal of more transparency in the processing of personal data according to Art. 12 GDPR, access to the data and related decisions must be easily possible under the appropriate conditions (e.g. reasoned inquiries).


In general, as a natural person, you also have the right to provide information about the data stored about you at the various credit agencies. You can find the contact details here .




If you have been queried by one of our customers via creditPass, the creditPass team will be happy to answer any further questions you may have.


Important NOTE:


All of the information provided is for guidance only and does not constitute legal advice and does not claim to be complete. CreditPass GmbH assumes no liability for content and recommendations. If in doubt, contact a lawyer. You can find information on suitable lawyers in your area at (a service of the German Lawyers’ Association DAV)

Informationen zur Nutzung der creditPass-Homepage
Data protection information for website use Status: May 2018
1. General; Responsible person


This data protection declaration informs you about the processing of your personal data when using the website (the ” website “).

The person responsible within the meaning of the EU General Data Protection Regulation ( EU GDPR ) and other national data protection laws in the context of the use of the website is creditPass GmbH (hereinafter: creditPass), Mehlbeerenstr. 2, 82024 Taufkirchen b. Munich, Germany, email: , phone: +49 (0) 89 – 273747-210, fax: +49 (0) 89 – 273747-250 (” creditPass “, ” we “, ” us “) . You can find more information about us in the legal notice .

We take the protection of your personal data very seriously. We treat your personal data with confidence and in accordance with the statutory data protection regulations and this data protection declaration.

In the following we explain to you what data we collect when you use our website, for what purposes and in what way we use this data and what rights you are entitled to.

Please note that the website may contain links to the websites of other providers, over which we have no influence and for which this data protection declaration does not apply.

Insofar as we also act as a service provider for you, regardless of how you use the website, the corresponding data protection notices apply within the framework of the respective contractual agreements.


2. Processing of your data


We only collect and use your personal data insofar as this is necessary to provide a functional website and our content and services.


a) Visiting the website


aa) As usual with most websites, our system automatically collects data and information from the computer system of the calling computer each time the website is accessed and temporarily saves it in a log file. The data stored in this context includes, in particular, the following data:

  • IP address of the requesting computer,
  • Name and URL of the accessed file,
  • Date and time of access,
  • Time zone difference to Greenwich Mean Time (GMT),
  • Access status / HTTP status code,
  • amount of data transferred in each case,
  • Identification data of the browser used, including language and version of the browser software, operating system and interface of the requesting computer,
  • URL of the referring website, if access was via a link, and additional search term, if access was via a search engine,
  • Name of your internet access provider.


bb) We cannot assign the data to specific persons. Personal user profiles are also not created. The data is processed exclusively for the purpose of enabling the use of the website (connection establishment), for internal system-related purposes (technical administration, system security) and for statistical purposes, e.g. to better tailor the website to your needs through anonymous analysis of general user behavior to be able to. The storage in log files takes place in order to ensure the functionality of the website. In addition, we use the data to optimize the website and to ensure the security of our information technology systems. An evaluation of the data for marketing purposes does not take place in this context.

Insofar as the processing of the data when visiting the website involves personal data, the corresponding processing of this data is based on Art. 6 Para. 1 p. 1 lit. f EU GDPR. Our legitimate interest also follows from these purposes.


b) Contact by email or contact form


aa) A contact form is available on the website that can be used to contact us electronically. If you send us an inquiry in this way, the data entered in the input mask will be transmitted to us and saved. These data are:

  • company
  • Surname
  • e-mail address
  • phone
  • Type of service and use
  • content of the message


At the time the message is sent, the following data is also stored:

  • Date and time of the request


Alternatively, you can contact us using the email address provided. In this case, the user’s personal data transmitted with the email will be saved.

The data is used exclusively for the purpose of processing contact requests and serves to prevent misuse of the contact form and to ensure the security of our information technology systems.

bb) The legal basis for processing this personal data is Art. 6 Para. 1 p. 1 lit. f EU GDPR (legitimate interests). The legitimate interest arises from the fact that we can only carry out the action requested by the user (e.g. answering inquiries) by processing the user’s data accordingly. If the contact is aimed at concluding a contract, the additional legal basis for processing is Art. 6 Para. 1 lit. b EU GDPR.


c) newsletter


aa) You can subscribe to a free newsletter on our website. When you register for the newsletter, your email address will be transmitted. The collection of the user’s email address is used to deliver the newsletter. The data is only stored as long as the subscription to the newsletter is active and then deleted. You can cancel the subscription at any time. There is a corresponding link in every newsletter for this purpose.

bb) The legal basis for the processing of the data after the user has registered for the newsletter is Art. 6 Para. 1 lit. a EU GDPR. The legal basis for sending the newsletter as a result of the product range is Section 7 Para. 3 UWG.


d) Data transfer to third parties


The personal data collected as part of the use of the website will not be passed on to third parties or transmitted in any other way without your consent, unless otherwise expressly described in this data protection declaration. This does not apply to the transmission of personal data to state institutions and authorities as well as private rights holders on the basis of legal regulations or judicial or official decisions, as well as the transfer to state institutions and authorities in the event of attacks on our legal interests for the purposes of legal or criminal prosecution.

The legal basis for this processing of your personal data is Art. 6 Para. 1 p. 1 lit. c EU GDPR (fulfillment of a legal obligation).


e) Use of cookies


aa) Our website uses cookies. Cookies are text files that are stored in the internet browser or by the internet browser on the user’s computer system. When a user calls up a website, a cookie can be stored on the user’s operating system. This cookie contains a characteristic string of characters that enables the browser to be clearly identified when the website is called up again.

We use cookies to make our website more user-friendly. Some elements of our website require that the calling browser can also be identified after changing pages. The user data collected by technically necessary cookies are not used to create user profiles.

bb) The legal basis for the processing of personal data using cookies results from Art. 6 Para. 1 lit. f EU GDPR (legitimate interest). The legitimate interest lies in the purpose of simplifying the use of websites for users. Some functions of our website cannot be offered without the use of cookies. For this it is necessary that the browser is recognized even after changing pages.


f) Analysis tools


aa) We use the following third-party software solutions for statistical analysis of visitor access and optimization of our website:

– Google Analytics ( )

– Google reCaptcha


With these services we can evaluate the use of our website and collect valuable information about the needs of the users in order to continuously increase the user-friendliness of our online offer and its quality on this basis. In order to be able to carry out these analyzes, aggregated and anonymous statistical data are collected. These data are connection and movement data without personal reference, which are related to the browser used, the number of page views and visits, the navigation behavior and the length of time each visitor spent on a website. In the course of the collection and processing process, the anonymized IP address of the visitor may also be considered.

The evaluation of this data serves in particular to measure the attractiveness of certain areas of the website and to measure the range of our offer.

bb) Opt-out : You can prevent the use of the aforementioned tools by making the appropriate settings in your browser software; we would like to point out, however, that in this case you may not be able to use all functions of this website to their full extent.

cc) Google Analytics

The website uses Google Analytics, a web analysis service from Google Inc. (Google). Google Analytics uses so-called “cookies”, text files that are stored on your computer and that enable your use of the website to be analyzed. The information generated by the cookie about your use of the website is usually transmitted to a Google server in the USA and stored there. However, if IP anonymization is activated on the website, your IP address will be shortened beforehand by Google within member states of the European Union or in other contracting states of the Agreement on the European Economic Area. The full IP address is only transmitted to a Google server in the USA and shortened there in exceptional cases. On behalf of the operator of this website, Google will use this information to evaluate your use of the website, to compile reports on website activity and to provide the website operator with other services relating to website activity and internet usage. The IP address transmitted by your browser as part of Google Analytics will not be merged with other Google data.

This website uses IP anonymization in the aforementioned sense.

You can prevent the storage of cookies by setting your browser software accordingly; however, we would like to point out that in this case you may not be able to use all functions of the website to their full extent. You can also prevent Google from collecting the data generated by the cookie and relating to your use of the website (including your IP address) and from processing this data by Google by downloading the browser plug-in available under the following link and install: .

As an alternative to the browser plug-in or within browsers on mobile devices, please click on the following link to set an opt-out cookie that will prevent Google Analytics from collecting data on the website in the future (this opt-out cookie only works in this browser and only for the website, delete your cookies in your browser, you have to click this link again):

You can find more information about Google Analytics here: , , intl / de / policies / privacy /

dd) Google reCAPTCHA

In order to protect input forms on our site, we use the “reCAPTCHA” service from Google Inc., 1600 Amphitheater Parkway, Mountain View, CA 94043 USA, hereinafter “Google”. By using this service, a distinction can be made as to whether the relevant input is of human origin or whether it is improperly made through automated machine processing.

To our knowledge, the referrer URL, the IP address, the behavior of the website visitors, information about the operating system, browser and length of stay, cookies, display instructions and scripts, the input behavior of the user and mouse movements in the area of the “reCAPTCHA” checkbox are sent to “Google ” transfer.

Google uses the information obtained in this way, among other things, to digitize books and other printed matter and to optimize services such as Google Street View and Google Maps (e.g. house number and street name recognition).

The IP address transmitted as part of “reCAPTCHA” will not be merged with other Google data, unless you are logged into your Google account at the time of using the “reCAPTCHA” plug-in. If you want to prevent this transmission and storage of data about you and your behavior on our website by “Google”, you must log out of “Google” before you visit our site or use the reCAPTCHA plug-in.

The use of the “reCAPTCHA” service is based on the Google Terms of Use:

ee) The legal basis for the aforementioned processing of your personal data using the above-mentioned analysis tools is Art. 6 Para. 1 p. 1 lit. f EU GDPR justified (legitimate interests). The legitimate interest here is that it is important for us to understand whether and how (often) the website is used in order to operate our website.


3. Subcontracting services relating to the website


For the operation of the website and the services offered on the website (e.g. newsletter dispatch), we may use external service providers who process your personal data on our behalf. These service providers process the data exclusively in accordance with our instructions. The legal basis for this data processing is Art. 6 Para. 1 p. 1 lit. b) EU GDPR (fulfillment of contracts and pre-contractual measures) and Art. 28 EU GDPR (order processing).


4. Duration of retention of your personal data


Unless the other provisions of this data protection declaration result in a shorter storage period, we only save your personal data obtained by us in connection with the use of the website for as long as is necessary to process your inquiries to us, then only to the extent and insofar as we are obliged to do so due to mandatory statutory retention requirements. If we no longer need your data for the purposes described above, they will only be stored during the respective statutory retention period and not processed for other purposes.


5. Your rights


You have the right to request information from us about the personal data we have stored about you at any time. Insofar as the legal requirements are met, you also have the right to correct, delete or restrict the processing of the relevant data and the right to object to the processing of your data by us. If you have given your consent to the use of personal data, you can revoke this at any time.

If you make use of these rights or if you would like to revoke a given declaration of consent to the processing and use of your personal data in whole or in part, please contact the email address or the postal address creditPass GmbH, Mehlbeerenstr. 2, 82024 Taufkirchen b. Munich, Germany to us.

If you want to contact us by email, we would like to point out that the content of unencrypted emails can be viewed by third parties. We therefore recommend that you send confidential information encrypted or by post.

If you are of the opinion that the processing of your personal data by us violates the applicable data protection law, you can complain to the competent data protection supervisory authority.


6. Data security


CreditPass maintains current technical measures to ensure data security, in particular to protect your personal data from the dangers of data transfers and from third parties becoming aware of it. These are adapted to the current state of the art.


7. Change of the data protection declaration


From time to time it may be necessary to change this data protection declaration, for example due to further developments on our website or legal changes. We therefore reserve the right to change the data protection declaration at any time with effect for the future. We therefore recommend that you read this data protection declaration again at regular intervals.