Data protection

General information on the processing of personal data by the Coface

The Coface Companies, in relation with their business activity, process personal data within the meaning of Article 4(1) of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter “GDPR”). The data are processed for purposes arising from legitimate interests pursued by the Coface Companies, in connection with their insurance, business information and debt collection activities. For this purpose, the Coface Companies may process the following personal data:
  • data of individuals pursuing a business activity,
  • data of individuals representing economic operators, disclosed in public registers;
  • data of individuals being contact persons of enterprises, in connection with their professional function.

Who is the controller of personal data?

Depending on the purpose for which we process the data, the personal data controller will be one or more of the companies of the Coface Group in Austria:
Coface Central Europe Holding GmbH
 Marxergasse 4c
 1030 Wien, Austria
 T. +43/1/515 54-0
 F. +43/1/512 44 15
hereinafter referred to as “Coface Central Europe”.
Email: dataprotection-austria@coface.com

Why do we process personal data / what is the purpose of data processing?

Coface Central Europe processes personal data for the following purposes:
  • the conclusion and execution of  contracts with customers and counterparties;
  • the assessment of credibility of economic operators, including the elaboration of reports and sharing such reports with our customers; to that end, Coface Central Europe shall process personal data of individuals pursuing business activity and natural persons representing economic operators, whose data are disclosed in the public registers. The data originate (a) from public registers such as the Commercial register and (b) directly from the enterprises concerned;
  • credit insurance  – for that purpose, Coface Central Europe processes personal data of our customers’ debtors. The data are provided by our customers.
  • fulfillment of legal obligation such as anti-money laundering and counteracting financing of terrorism, in connection with obligations under the Austrian Anti-Money Laundering and Countering Financing of Terrorism law, e.g.  Financial Markets Anti-Money Laundering Act and other legal provisions which impose on Coface the obligation to register or report certain events and to process personal data for that purpose
  • marketing purposes

What personal data do we process and where do they come from?

Coface Central Europe process the following personal data:
  • registration and identification details of individuals pursuing business activity originating directly from entrepreneurs or public registers, which are collected by us in connection with our insurance, factoring or debt collection activities;
  • financial data of enterprises, originating directly from enterprises or from contractors of these enterprises, collected by us in connection with our insurance, information or debt collection activities. The financial data may include credit rating and economic viability indicators, calculated automatically on the basis of other information held by us on the economic entity concerned;
  • the contact details of the enterprises and their employees, originating directly from those persons or from contractors of these enterprises, collected by us in connection with our insurance, factoring or recovery activities;
  • data of individuals representing economic operators, disclosed in the public registers;

Does automated decision-making take place, including profiling?

Be informed that the personal data of entrepreneurs included in the Coface economic information system are subject to automated assessment (profiling) for the purposes related to the assessment of the payment risk in accordance with Art. 22 of GDPR. Data processing is carried out for the purposes arising from the legitimate interests of the Coface Companies and data recipients. Any person whose data are processed in such way has the right to object to such processing.

Who are the personal data recipients?

The personal data for which is the Coface Central Europe are the controller may be made available to:
  • our customers, in the form of reports, for legitimate purposes of those entities related to the verification of business contractors;
  • other companies from the Coface Group, including Coface Central Europe and foreign companies, for legitimate purposes related to the flow of data within the group of entrepreneurs.

What is the period of the personal data processing?

Coface will retain Personal Data for as long as required or permitted in light of the purpose(s) for which it was obtained. The criteria used to determine our retention periods include: (i) the length of time Coface have an ongoing relationship with our client and provide the Services; (ii) whether there is a legal obligation to which Coface are subject; and (iii) whether retention is advisable in light of our legal position (such as in regard to applicable statutes of limitations, litigation or regulatory investigations).

Data subjects rights and means of their execution

All persons whose data are processed by Coface Central Europe (Data subjects) have the right to request access to their personal data, the right to rectification, erasure or restriction of processing of such data, the right to object to the processing (in cases justified in GDPR) and the right to lodge a complaint with the supervisory authority. Persons whose personal data are processed in marketing purpose has right to object.
Where the processing is based on given consent to the processing of your personal data for one or more specific purposes, you have the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.

Contact details with regard to the personal data processing

All matters relating to the processing of personal data by Coface Central Europe should be addressed to:
By Email: dataprotection-austria@coface.com

Identification of requesting person

When providing any information containing personal data, Coface Central Europe may only provide such information to the data subject (or its legal representative). Therefore Coface Central Europe may require to provide information and documents to sufficiently identify data subject before sending him/her such information.

Frequently Asked Questions on the GDPR

The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy.
On this page you’ll find answers to commonly asked questions, relevant documentation, links to useful external resources, and contact details should you need additional information on the GDPR.

What is the GDPR?

The GDPR will replace the current EU Data Protection Directive 95/46/EC and will be directly applicable in all EU and EEA Member States as of 25 May 2018.

The GDPR will significantly change the EU data protection regulatory landscape, setting stricter requirements, reaching more companies, and imposing potentially higher penalties.  For example, companies must:

  • Implement programmatic measures to ensure and actively demonstrate compliance
  • Implement appropriate technical and organisational measures to protect the rights of individuals when designing a processing system and processing data
  • Conduct data protection impact assessments of high risk processing activities
  • Implement privacy by design and by default
  • Implement data breach notification

How is Coface preparing for the GDPR?

Coface is committed to the protection of personal data we collect and process, with rigorous policies, controls, and compliance oversight to ensure that data is held and used appropriately.

Coface has established an enterprise-wide GDPR programme, with key executive sponsorship, that covers its impacted subsidiaries and affiliates. Data processing activities that involve data about individuals in the EU are under review, including applications and databases, policies, processes, and procedures to ensure that our employees, partners, and vendors process personal data in compliance with GDPR requirements.

Coface leverages a network of country compliance officers and a Group Compliance team to ensure sustainable compliance with the GDPR going forward.

How will I be affected as a client of Coface?

The GDPR not only applies to organizations located within the EU but it will also apply to organisations located outside of the EU if they offer goods or services to, or monitor the behaviour of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.

The GDPR may require updates to certain data privacy provisions of client agreements to reflect the changes required by the GDPR.  If changes in documentation we have in place with you are needed, we will contact you to provide any new privacy terms or notices that are required.

I am a client of Coface outside the EU. How will I be affected?

The GDPR’s territorial scope of application is wider and may apply to organizations that are not based in the EU but offer goods or services to individuals in the EU and/or monitor the behaviour of individuals in the EU. Coface is reviewing all of its processing activities involving individuals in the EU to determine if the broader territorial scope applies.  If applicable, Coface will take the necessary actions, which may include updating Terms and Conditions of business, to reflect the changes required by the GDPR.

Can I see your data privacy policies?

We are working through all our policies and procedures and making updates where necessary to comply with the GDPR.

Coface Privacy Notice will be available shortly for download by clicking on the link below.

Is there a need for 'explicit' or 'unambiguous' consent - and what is the difference?

Explicit consent is required only for processing sensitive personal data - in this context, nothing short of “opt in” will suffice. However, for non-sensitive data, “unambiguous” consent will suffice. Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language.

Can I update my documentation now to incorporate GDPR compliant clauses?

We have been actively reviewing our client documentation in light of GDPR and engaging with clients as required. We have drafted Coface Privacy Notice, available shortly for download by clicking on the link below, to inform individuals of their rights and how Coface processes personal information in its provision of services.

Downloads & contact


Coface Privacy Notice (May 2018)


European Commission:
EU General Data Protection Regulation (full text):


if you have additional queries on GDPR implementation, you can:
  • reach out to your Coface Client Relationship Manager; or
  • contact Coface Central Europe Holding GmbH by email at: dataprotection-austria@coface.com; or
  • write to Coface Central Europe Holding GmbH, Marxergasse 4c, 1030 Vienna, Austria.