GDPR Compliance

Malevolent GmbH is fully committed to the General Data Protection Regulation (GDPR / DSGVO) and the German Federal Data Protection Act (BDSG). Data protection is embedded into every aspect of our operations.

Our GDPR Commitments

Data minimisation — we only collect what is strictly necessary

Purpose limitation — data is never used beyond its stated purpose

Storage limitation — data is deleted once its purpose is fulfilled

Data security — all data is encrypted in transit and at rest

Data subject rights — we honour all GDPR rights within statutory deadlines

Processor agreements — all third-party processors are bound by GDPR-compliant DPA agreements

Data breach response — we notify authorities within 72 hours of any breach

No third-country transfers without adequate safeguards

GDPR in Debt Collection

Debt collection involves processing personal data of debtors under Art. 6(1)(b) and (f) GDPR. Malevolent GmbH acts as either a data controller or data processor depending on the contractual arrangement with the creditor client.

Debtors are informed of our processing activities in our debtor-facing privacy notice, served at the time of first contact. We do not process debtor data beyond what is strictly necessary for the recovery mandate.

We do not sell or share debtor data with third parties except where legally required (e.g. court proceedings) or where it is necessary to fulfil the recovery mandate (e.g. tracing agents, legal enforcement officers).

Data Protection Officer

Malevolent GmbH has appointed a Data Protection Officer (DPO) in accordance with Art. 37 GDPR. The DPO can be contacted for any data protection related enquiries.

contact@malevolent.online

For full details of how we process your personal data, please review our Privacy Policy.