noyb

Privacy Policy: CRIF - Access Project

1. Controller

The controller for the processing of personal data is the non-profit organization noyb - European Center for Digital Rights, Goldschlagstraße 172/4/3/2, 1140 Vienna, ZVR: 1354838270, info@noyb.eu (hereinafter "noyb" / "we" / "us").

2. Scope of application

This Privacy Policy applies to persons who wish to participate in noyb's project against CRIF and CRIF partners (hereinafter: the "Project") and who visit and interact with the websites provided for this purpose (in particular the “CRIF Access Project” under https://classaction.noyb.eu/).

This declaration also covers all subsequent data processing in connection with participation in the project, such as the collection and evaluation of evidence, the verification of the eligibility of participating persons, representation before authorities and courts and the payment of sums of money obtained after successful litigation.

For other offers from noyb, the respective data protection information on these pages applies.

3. Data categories, purpose and legal basis

3.1. Data categories
We process the following categories of data, which may vary depending on the individual case (e.g. depending on whether you register with an electronic ID or with a copy of your ID card):
  • Data provided by participating persons:
    • Master data (e.g. name, date of birth, address)
    • Identification data (e.g. ID card scans, electronic ID data)
    • Contact details (e.g. telephone number, e-mail address)
    • Communication content (e.g. when you send us an e-mail)
    • Other data provided by participating persons (e.g. information in forms)
  • Data technically recorded by noyb:
    • IP address of the respective access
    • Browser data (e.g. browser type, language settings)
    • Time stamp (e.g. the sending of legally relevant steps)
    • Selected language
  • Additional data researched by noyb or noyb partners:
    • Publicly available data (e.g. statistical data on population income, which is compared with the information provided by the participant)
    • Data provided by third parties (e.g. address corrections, IP assignments, blacklists)
  • Data actively provided by third parties:
    • Data from information in accordance with Article 15 GDPR, which noyb obtains in the course of the project in the name and on behalf of the participating person
    • Data that CRIF or CRIF partners submit as opposing parties in court or official proceedings or that arise in such proceedings
  • Data generated by noyb or noyb partners:
    • Data resulting from comparison processes (e.g. checking whether names in documents match or addresses exist, results of comparisons with data from peer groups, such as comparisons of the credit score attributed by CRIF with the scores of persons of the same gender and age group).
    • Scientific evaluation of the CRIF score of a participating person with regard to its accuracy.
3.2. Legal basis
3.2.1. Contract initiation and fulfillment
noyb processes personal data of the participating persons primarily to carry out pre-contractual measures at the request of the data subject and to fulfill the contract in accordance with Article 6 (1) (b) GDPR in relation to the contract for participation in the project.
This includes, in particular, checking applications (i.e. checking information for plausibility and accuracy and filtering out questionable applications) and maintaining data quality. noyb also uses publicly available data and blacklists for this purpose (for example, to check or correct addresses or block IP addresses of bot networks).

3.2.2. Legal obligations
noyb is subject to various legal provisions that may make it necessary to process data in accordance with Article 6(1)(c) GDPR. In particular, there are accounting obligations under the Federal Fiscal Code if noyb asserts financial claims for participating persons and pays out sums of money. Likewise, noyb may receive orders from courts or authorities that may make it necessary to process personal data. Other cases are currently not foreseeable.

3.2.3. Legitimate interests
In some cases, data of the data subjects may also be processed on the basis of legitimate interests in accordance with Article 6(1)(f) GDPR. Specifically, this is done:
  • for reasons of cyber security, in particular to prevent unauthorized access;
  • to detect and defend against hostile acts such as fraud or other criminal offenses or acts aimed at leaking information from the project to opponents or other third parties or otherwise impairing the project;
  • in the exceptional case of legal disputes between noyb and participating persons or between noyb and other third parties (proceedings against CRIF and CRIF partners are carried out, as set out above, for the performance of a contract pursuant to Article 6(1)(b) GDPR); should such disputes exceptionally involve the processing of "sensitive data" (i.e. data relating to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for unique identification, data concerning health or data concerning sex life or sexual orientation), the processing is based on Article 9(1)(f) GDPR (establishment, exercise or defense of legal claims).
3.3. Purposes of processing
noyb is pursuing the following purposes: customization of the website (e.g. selection of language or country), communication, identification of the participant, checking the conditions of participation for the project, evaluation of evidence, obtaining evidence for administrative or court proceedings, official or judicial assertion of claims by the participant in accordance with the contract for participation in the project, payment of recovered amounts, fulfilment of statutory accounting obligations, fulfilment of legal obligations to provide information, fulfilment of other legal obligations or compliance with official orders, assertion, exercise or defence of any legal claims between noyb and the participating person or noyb and third parties (with the exception of CRIF and CRIF partners), cybersecurity and recognition of and defence against fraud or hostile acts.

Overview: Purposes, Data Categories and Legal Bases

The following table provides a breakdown by processing purpose, categories of data processed for this purpose and the legal bases used:

  • Processing purposes pursued:
    • Customization of the website (e.g. selection of language or country)
  • Categories of data processed for this purpose:
    • IP address, browser data
    • Selected language setting
  • Legal basis:
    • Article 6(1)(b) GDPR (contract initiation and fulfilment)

  • Processing purposes pursued:
    • Communication
  • Categories of data processed for this purpose:
    • Contact details (names, e-mail, telephone number)
    • Contents of communication

  • Processing purposes pursued:
    • Identification of the participant
  • Categories of data processed for this purpose:
    • Proof of identity (e.g. scan of an ID card or electronic identification)
  • Legal basis:
    • Article 6(1)(b) GDPR (contract initiation and fulfilment)

  • Processing purposes pursued:
    • Checking the conditions of participation for the project
    • Evaluation of evidence
    • Obtaining evidence for administrative or court proceedings
    • Official or judicial assertion of claims by the participant in accordance with the contract for participation in the project
  • Categories of data processed for this purpose:
    • Data collected in the registration form for the project (mandatory: date of birth, first and last name, address, e-mail, telephone number and optional: gender, information on income, assets and debts, overdrafts, debt collection, insolvencies and court proceedings, length of stay in Austria)
    • Data obtained from the opposing party, third parties or publicly available sources
    • Data disclosed in the course of official or court proceedings
  • Legal basis:
    • Article 6(1)(b) GDPR (contract initiation and fulfilment)

  • Processing purposes pursued:
    • Payment of recovered amounts
  • Categories of data processed for this purpose:
    • Bank details or other data on electronic means of payment
  • Legal basis:
    • Article 6(1)(b) GDPR (performance of a contract)

  • Processing purposes pursued:
    • Fulfilment of statutory accounting obligations
    • Fulfilment of legal obligations to provide information
    • Fulfilment of other legal obligations or compliance with official orders
  • Categories of data processed for this purpose:
    • Data visible in receipts for cash transactions or other receipts
    • Any other personal data covered by any valid legal request or legal order
  • Legal basis:
    • Article 6(1)(c) GDPR (Legal obligation) in conjunction with § 22 of the Austrian Association Act and the provisions stated therein and with § 132 of the Federal Fiscal Code, other legal obligations or official orders

  • Processing purposes pursued:
    • Assertion, exercise or defence of any legal claims between noyb and the participating person or noyb and third parties (with the exception of CRIF and CRIF partners)
  • Categories of data processed for this purpose:
    • Data processed in the relevant court or administrative proceedings
  • Legal basis:
    • Article 6(1)(f) GDPR (legitimate interests)
    • Article 9(1)(f) GDPR (assertion, exercise or defence of legal claims, insofar as "sensitive" data are exceptionally processed)

  • Processing purposes pursued:
    • Cybersecurity and recognition of and defence against fraud or hostile acts
  • Categories of data processed for this purpose:
    • Primarily IP addresses, browser data, contact details and identification data, but also any other personal data that is relevant to the incident
  • Legal basis:
    • Article 6(1)(f) GDPR (legitimate interests)

4. Origin of any personal data

4.1. Data sources
We collect data from the data subjects themselves (Article 13 GDPR): data that a data subject provides to us in the course of the request to participate in the project, in the context of the conclusion of the contract or in subsequent communication, or that we collect technically in connection with the visit to the website https://classaction.noyb.eu/.
In addition, we also collect personal data from third parties (Article 14 GDPR). These are, in particular, companies to which we address data protection claims on behalf and in the name of the data subject and which respond to us (for example by providing a copy of the data in accordance with Article 15 GDPR) or authorities or courts with which we enforce these claims. 
For the project, we also work together with research institutions or companies that carry out data evaluations for us (see point 5); these bodies provide us with both anonymised evaluations and specific evaluations (including scores) of individual participants.

We collect data from the providers of electronic identity verification procedures selected by the data subject as part of the identity verification process when the contract is concluded. These providers receive the information that you are now logging in with us as part of the identity verification process when the contract is concluded. noyb only receives a random user ID - and receives the ID data back from the provider. noyb also directly involves the Federal Ministry of the Interior, Herrengasse 7, 1010 Vienna as the provider of "ID Austria". ID Austria can in turn be used to establish a connection with the eID provider chosen by the data subject.

4.2. Origin of non-personal, but subsequently assigned data
In certain cases, we obtain data from third-party sources that does not relate to any person, but that we may assign to existing personal data.
To show the correct country version and to prevent fraudulent behavior or other actions with the intention of causing harm, we collect IP assignments to individual countries or the fact that an individual IP address is stored on a blacklist with corresponding providers. We currently obtain such information from MaxMind, Inc, 51 Pleasant Street, #1020, Malden, MA 02148, United States of America. There is no provision of data from noyb to MaxMind. We only obtain regularly updated lists from MaxMind and compare these with the IP addresses received. This way an IP address can be matched e.g. with a specific country or a bot network.

In order to correct any typing errors or inaccuracies, we collect the spelling of address names from the relevant providers. At the moment, we obtain such information from OpenStreetMap, which makes address data publicly available. Here, too, there is no data exchange; we only correct irregularities in the data provided by the person concerned using the publicly available address data (e.g. "Goldschlagstraße" instead of "Goldschlag-Straße").

5. Data recipients and data transfers

5.1. Categories of recipients and specific recipients already known
We transfer personal data of the data subjects to the following recipients and categories of recipients:
  • Various providers of electronic identity verification procedures (e.g. eID, bank ID procedure) receive the information that you are now logging in with us as part of the identity verification process when the contract is concluded. noyb itself only transmits a random user ID and receives the ID data back. Currently we use the “ID Austria” function by the Austrian Ministry for the Interior, Herrengasse 7, 1010 Vienna, Austria. ID Austria may forward you to other European eIDAS providers, if you select or use such a provider;
  • Our SMS gateway (OnlineCity.IO ApS, Buchwaldsgade 50, 5000 Odense C, Denmark, as processor (Article 4(8) GDPR)), as part of the verification of phone numbers provided by the data subject. OnlineCity.IO forwards the SMS message between our systems and your mobile operator;
  • Our newsletter provider (dialog-Mail eMarketing Systems GmbH, Nußgasse 31, 3434 Wilfersdorf, as processor (Article 4(8) GDPR)) in connection with communication via email;
  • Companies whose activities we investigate as part of the project or against whom we assert certain data protection claims on behalf of and in the name of the data subject (e.g. data subject rights such as information or deletion or claims for damages or injunctive relief), as well as possibly their contractors (e.g. law firms);
  • Authorities or courts before which we enforce such claims (foreseeably the Austrian Data Protection Authority, the Civil Court or the Commercial Court in Vienna, the Higher Regional Court in Vienna or the Austrian Supreme Court);
  • Universities, researchers or other research institutions or companies with which we cooperate in connection with the evaluation of data received, for example to be able to technically trace data processing by a company under investigation or to gain statistical insights into this (the specific provider is not yet known), which act as our processor (Article 4(8) GDPR);
  • Banking institutions or other payment service providers in connection with the payment of recovered funds to the data subject;
  • Where necessary, law firms acting on behalf of noyb in connection with the project.

5.2. Technical service providers of noyb
  • We use Hetzner Online GmbH, Industriestraße 25, 91710 Gunzenhausen, Germany as a technical service provider (server infrastructure); they do not act as processors within the meaning of Article 4(8) GDPR, given that Hetzner does not have access to the data.
  • In individual exceptional cases, our Backend Support (foundata GmbH, Steinhäuserstraße 20, 76135 Karlsruhe, Germany) may have access to data to find problems and help us solve them.

6. No data transfers to third countries

All data processing by noyb takes place within the European Economic Area (EEA). In certain cases, systems used by you (e.g. of the eIDAS provider, email provider or mobile operator you may use) could process your data outside of the EEA.

7. Necessity of data provision

The provision of the data marked with a star (*) in the online form is necessary in order to conclude the contract between noyb and the data subject regarding participation in the project and so that noyb can properly fulfil the contract. The provision of some data in the registration form (e.g. gender, income and assets) is optional. We may not be able to analyse your data without these parameters.

8. Storage duration

We generally store the data mentioned in point II. for three years after the following circumstances occur:
  • noyb has fulfilled the contract with the data subject;
  • all related court and administrative proceedings (including enforcement proceedings) have been concluded with legal effect and
  • any sums of money obtained have been paid out to the person concerned.
In the event that you or we terminate the contract for participation in the project before these conditions are met, we will store your data for three years after the termination takes effect for reasons of evidence.

Insofar as a payment of disputed sums of money is made to the persons concerned, we store personal data contained in our accounting documents in accordance with the provisions applicable pursuant to Section 22 of the Austrian Non-Profit Association Act (“VereinsG”) and Section 132 of the Federal Tax Code (“BAO”) for a period of seven years, starting at the end of the calendar year in which the documents were created.

9. Rights of data subjects

Data subjects have the following rights vis-à-vis noyb in relation to their personal data:

  • Information about processed data (Article 15 GDPR);
  • Correction of incorrect data (Article 16 GDPR);
  • Erasure, in particular if the data are no longer necessary to achieve the purpose or are processed unlawfully (Article 17 GDPR);
  • Restriction of processing, in particular if the accuracy of the data is contested while we verify the accuracy of the data or if the data subject needs the data for the establishment, exercise or defense of legal claims (Article 18 GDPR);
  • Data portability regarding data you have provided yourself (Article 20 GDPR);
  • Revocation of any consent given; it should be noted that the revocation does not affect the legality of the processing carried out on the basis of the consent until the revocation;
  • There is no automated decision in individual cases (Article 22 GDPR), which is why the rights mentioned in Article 22 GDPR do not apply.
Such requests or questions in this regard should be sent to crifprojekt@noyb.eu. This also applies to data processing carried out by a processor on our behalf in accordance with Article 4(8) GDPR. We have not appointed a data protection officer, as we are not legally obliged to do so under Article 37(1) GDPR.

Data subjects have the right to lodge a complaint with the competent supervisory authority (Article 77 GDPR) if they consider that noyb has infringed their rights under the GDPR. In Austria, the Data Protection Authority, Barichgasse 40-42, 1030 Vienna, dsb@dsb.gv.at, is responsible.

10. Anonymous statistics and evaluations

For future projects, we want to track the user experience of participants and further optimise our software and offerings to make participation as easy as possible. We use anonymous statistics for this purpose and record, for example, which functions are clicked on and how often, or at which point participants cancel the process.

Given that we do not assign this information to any specific participating persons, it does not fall under the GDPR, but we still want to provide information about these statistics and evaluations.