What rights do I have?
The GDPR grants you the following rights regarding your personal data. You are entitled to:
- Access according to article 15 GDPR
- Rectification according to article 16 GDPR
- Erasure according to article 17 GDPR
- Restriction of processing according to article 18 GDPR
- Data portability according to article 20 GDPR
- Objection according to article 21 GDPR
- Decisions that are not exclusively based on automated processing, including profiling, according to Article 22 GDPR
What does the right of access mean?
You have the right to request confirmation from us as to whether we process your personal data. If this is the case, you also have the right to access this personal data as well as the following information:
- Purposes of the processing
- Categories of personal data that are processed
- The recipients or categories of recipients to whom the personal data has been or will still be disclosed, especially in the case of recipients in third countries or in international organisations
- Where possible, the intended duration for which the personal data will be stored or, if this is not possible, the criteria for the determination of such a duration
- The existence of the right to the rectification or erasure of your personal data, to the restriction of this processing, or to object to this processing
- The right to lodge a complaint with a supervisory authority
- All available information regarding the origin of the personal data if the data is not collected from the data subject
- Whether an automated form of decision-making including profiling exists, according to Article 22, paragraphs 1 and 4 GDPR and — at least in these cases — detailed information regarding the reasoning, scope and impact of such a method of processing for the data subject.
You can find out exactly how you can assert your right here.
What does the right to rectification mean?
We consider it to be important that your data are accurate and complete at all times. If you suspect that they may be incorrect or incomplete, you are able to request the rectification or completion of your data. You can find out how you can assert your right here.
What do the “Right to erasure” and the “Right to be forgotten” mean?
We attribute considerable importance to ensuring that your data are only processed as per the framework conditions of the GDPR and the DSG. If you are of the reasoned opinion that this is not the case, however, you can request the erasure of your personal data. The reasons for this can be as follows:
- The personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed.
Example: Your personal data must be erased if they were only collected for the completion of a purchase (= sole purpose) and you did not provide your consent for the data to be processed for any other purposes. In this case, the further processing of the data is no longer necessary following the completion of the purchase and the expiry of a retention obligation. The retention obligations can be found here.
- You withdraw your consent on which the processing was originally based according to Article 6, para. 1, letter a, GDPR or Article 9, para. 2, letter a, GDPR, and no other legal basis exists for the processing.
Example: You provided your consent to the processing of your personal data for the individual product offers of a third party (= sole purpose). As soon as you withdraw this consent, the personal data must be erased again. Exceptions: Other purposes or justifications for the processing exist and you are also in a customer relationship with the third-party provider, for instance.
- You lodge an objection to the processing according to Article 21, para. 1, GDPR, and no overriding legitimate reasons exist for the processing.
Example: You can lodge an objection, for instance, if somebody processes your personal data without your consent only because s/he claims s/he has a legitimate interest to do so (and no other form of justification exists). If you lodge an objection and there was, in fact, no legitimate interest, the personal data must be erased. The objection was a success.
- The personal data have been unlawfully processed.
Unlawfully (unfoundedly) processed personal data must be erased.
- The erasure of personal data is subject to a legal obligation according to the EU or member state law to which the Controller is subject.
This means laws or other legal provisions which require an erasure of personal data.
- The personal data were collected in relation to information society services offered according to Article 8, para. 1, GDPR.
This relates to a special protection arrangement for the benefit of minors who make use of online services.
This was a brief summary of the right to erasure. This should not be confused with the “Right to be forgotten”.
The “right to be forgotten” refers to personal data that has been made public. It stipulates the following: If the person who originally published the data must erase this data (due to the existence of one of the aforementioned reasons for erasure), then they must also notify those persons who received the data on the grounds of the publication. In detail, this rule is very complicated. In this context, the GDPR makes particular reference to internet search engines.
You can find out how you can assert your right to erasure and your right to be forgotten here.
What does the right to the restriction of processing mean?
We attribute considerable importance to ensuring that your data are processed as per the framework conditions of the GDPR and the DSG. If you are of the opinion that this is not the case, however, you have the right to request the restriction of the processing of your personal data. This is only possible on the following legitimate grounds, however:
- You contest the accuracy of your personal data. You can request the restriction of processing of your personal data for a period that enables the Controller to verify the accuracy of the personal data.
People don't always share the same opinion. To ensure that the contested personal data are not immediately erased or have to be changed, their further processing can be restricted for the duration of the matter. It might be the case that the data were correct after all.
- The processing of personal data is unlawful. Instead of the erasure, however, you would prefer that “only” the use of the personal data is restricted.
The GDPR therefore provides you with a choice: If you do not want unlawfully processed data to be erased immediately, you can request that they continue to be saved, but are no longer used.
- Controllers no longer require your personal data for the processing. You require the data for the establishment, exercise or defence of legal claims, however.
If your personal data should actually have been erased, but you require them for your own defence or for the assertion of your rights, they can continue to be processed for these purposes.
- You have lodged an objection to the processing according to Article 21, para. 1, GDPR. As long as it is not yet certain that the legitimate reasons of the Controller override your interests, it is possible to request the restriction of processing.
To ensure that the contested personal data do not have to be immediately erased, their further processing can be restricted for the duration of the matter. It might be the case that the processing was legitimate after all.
You can find out how you can assert your right to the restriction of processing here.
What does the right to data portability mean?
Your personal data belongs to you. You therefore have the right to receive such data in a structured, common and machine-readable format. This relates to data which you have provided to us and which is processed automatically on the basis of your consent or the fulfilment of a contract. You can also request us to transfer this personal data directly to another Controller.
In which form will I receive the data?
We provide the data as an XML file. You can find out how you can assert your right here.
What important security instructions should I take into consideration?
The protection of your personal data and your money is just as important to you as it is to us. In this respect, please consider your right to data portability in the same way as you would a bank statement. Would you “simply” send your bank statement to someone else?
Please also remember that your financial data contain personal data of other persons: If you transfer money to someone else, their details can also be seen in the transaction data – in the same way as they are shown on a bank statement. These persons have rights and freedoms as well. Therefore, we will only transfer the data to persons other than you directly,
- if you expressly tell us to do so,
- if you release us from banking secrecy, and
- if it concerns financial services companies, solicitors’ offices, a notary public, tax consultants, chartered accountants or a public authority.
Please contact us beforehand if you wish to assert your right to data portability. Please also note the current security information at https://www.sparkasse.at/sicherheitscenter/sicherheit.
Our tip: You can also view and save your transaction data yourself in George at any time, for example, data concerning accounts, credit cards, financing arrangements or securities deposits. This means you maintain a current overview at all times.
What does the right to object mean?
Your data can be processed if a legitimate interest exists for their processing.
If such a legitimate interest is claimed, you must be informed of it. If you are then of the opinion that the legitimate interest does not exist, you can lodge an appropriate objection. This applies when your personal data are used for direct marketing purposes in particular. Insofar as Controllers are unable to demonstrate any legitimate grounds for the further processing, your personal data will not be processed any further after the objection. The exception is processing for the purposes of direct marketing: in this case your objection is immediately valid.
You can find out how you can assert your right to object here.
What does the right not to be solely subject to a decision which is based on automated processing – including profiling – mean?
You will be informed separately prior to any automated decision-making processes according to Article 22, GDPR. In those instances, you have the right to obtain human intervention, to express your point of view and to contest the decision.