Information on Data Protection and Data Processing
Thank you for your interest in our company and our website. Even though we carefully check external links, we cannot be held liable for their content and security.
Since 25 May 2018, the General Data Protection Regulation, also known as the GDPR, has applied throughout the European Union. The GDPR stipulates the way in which personal data are to be processed and how they must be protected.
What is the GDPR?
The GDPR is a regulation of the European Union. It applies directly in all of the member states including Austria. Every person whose data are processed is able to refer to and invoke the GDPR.
What is regulated by the GDPR?
The GDPR contains legal provisions regarding the processing of your personal data. Whether it concerns your name, your telephone number, your bank account transactions or even your hobbies – all are protected by the GDPR. The principles which it stipulates regulate the ways in which your personal data are permitted to be saved and processed.
Why does the Austrian Data Protection Act (DSG) continue to apply?
The European Union hasn't just enacted the GDPR; it has also enacted a full “data protection package”. This package also included a new data protection directive. How does a directive differ from a regulation? In contrast to a regulation, it is necessary for a directive to be implemented into national law first. In addition to this, the GDPR provides the member states with the scope to structure certain aspects on a more detailed basis than the GDPR itself.
Both of these have taken place in Austria with the Data Protection Act (Datenschutzgesetz), in short DSG.
Why is the protection of my data so important?
Data protection is a fundamental right. The same as your right to liberty or security, your right to the protection of your data is anchored in the Charter of Fundamental Rights of the European Union. The EU Charter of Fundamental Rights covers your relationship with governmental institutions.
It is legally acknowledged, however, in both the private and commercial spheres, that there must also be a balancing of interests between the Data Processor and what are referred to as the “data subjects” – i.e. between you and your bank, for example. This is stipulated in both the GDPR and the DSG.
Our personal data contains a lot of information about us: it can also refer to our hobbies, our preferences and our aspirations. Such things are naturally worthy of protection. Yet we can only improve our individual service for you if we are aware of your preferences. A key element of data protection is that we work with you to find a way of being able to process your data in your interests and under your supervision.
Doesn't banking secrecy apply, anyway?
Yes, information of which we become aware due to the business relationship is protected by Austrian banking secrecy - according to Art. 38 of the Austrian Banking Act. The GDPR also applies.
Good to know: The banking confidentiality arrangements can only be dispensed with in writing – refer to Art. 38 para. 2, clause 5, Austrian Banking Act. In this case, “in writing” means:
- the provision of a handwritten signature on “ink and paper” for example, or
- a qualified electronic signature, e.g. in the form of a “mobile phone signature” or
- strong customer authentication in digital banking, for example CardTAN or s Identity in George.
Where can I find out more about the GDPR and the DSG?
(All links are valid as of March 2023)
A consolidated version of the GDPR is available here:
https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A02016R0679-20160504
A consolidated version of the DSG is available here:
https://data-protection-authority.gv.at/data-protection-laws/relevant-data-protection-laws.html
The EU Charter of Fundamental Rights:
https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A12012P%2FTXT
Further information about your rights is available on the following websites:
Austrian Data Protection Authority https://www.dsb.gv.at/
European Commission:
https://ec.europa.eu/commission/priorities/justice-and-fundamental-rights/data-protection/2018-reform-eu-data-protection-rules_en
Before we can discuss the topic of data protection, it is important to clarify some basic terms. We have also included the references for the appropriate Articles of the GDPR so that you can read the definitions for yourself if you are interested. Please note that we only provide a summary, i.e. a shortened description of the legal text. The full legal text of the GDPR and the corresponding Articles is available here:
https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A02016R0679-20160504
What is personal data?
Personal data means all information that refers to an identified or identifiable natural person, known as the “data subject”. E.g. the name of a person or an identification number such as an IBAN or account number.
For further details refer to Article 4 (1) GDPR.
What does the processing of data entail?
The term “processing” means any operation, with or without the use of automated processes, which is performed on personal data. This includes, for example, the collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure (by transmission, dissemination or otherwise making available), the alignment or combination, restriction, erasure or destruction of the data.
For further details refer to Article 4 (2) GDPR.
What is meant by the term “Controller”?
The term “Controller” refers to the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. For example, we, in our role as a bank.
For further details refer to Article 4 (7) GDPR.
What is meant by the term “Processor”?
The term “Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of a Controller.
For further details refer to Article 4 (8) GDPR.
- Processing for the performance of a contract or of pre-contractual measures taken upon your request
The services we are called upon to provide for you will depend on the contract in question, e.g. loan agreement, account contract, leasing contract, insurance brokerage or an agreement on George. We will need to process your data so that you can, for instance, log in to George, manage your account online and carry out transactions. The scope of such data processing will be set forth in the contract documents and the General Terms and Conditions.
- Processing to satisfy a legal obligation
We will need to process your data also on account of legal obligations, e.g. the Austrian Banking Act, the EU Capital Adequacy Regulation, the Securities Supervision Act, the Financial Markets Money Laundering Act and the EU Funds Transfer Regulation. This relates to:
- Processing due to a legitimate interest
A legitimate interest for data processing by us or third parties exists in the following cases:
- Measures to protect employees, customers and the Bank's property.
- Exercising or defending rights
- Data exchange for creditworthiness and default risk inquiries with an information bureau, for instance reports and queries regarding the warning list or the consumer credit record of the Kreditschutzverband von 1870 (Credit Protection Association of 1870)
- Preventing and combatting fraud as well as preventing money laundering and terrorist funding, including but not limited to:
- Suspected cases of fraud and attempted fraud and similar criminal offences pursuant to Sections 146 et seq. of the Austrian Criminal Code (StGB) that are detected during the business relationship or during its initiation will be recorded and processed in the Suspicious Transaction Data Base (STDB) for banking and financial institutions. This data base is kept by CRIF GmbH as processor. Banking and financial institutions using this data base solution can also receive data with which they can check, at the beginning of a business relationship with a customer, whether fraud attempts have been made in the past.
- Development of data models to detect suspicious behaviour patterns
- Documentation of past damage cases as a decision-making aid for entering into new or extended customer relationships.
- Improving data quality
- Ensuring the security of IT and of the Bank's IT operations
- Recording of telephone conversations, e.g. for complaint cases, documentation of legally relevant declarations (e.g. card blocking) or for training of our employees
- Video surveillance for enforcing our house rules, for the prevention of attacks, for collection of evidence in the case of criminal offences, protection of customers, employees and property, enforcement of and defence against legal claims or as evidence for dispositions and deposits, e.g. at cashpoints. Video recordings of such incidents can also be used for security training of our employees in individual cases after careful examination.
- Measures for business, sales and group management, such as customer segmentation, reorganisation and associated customer analyses, avoidance of advertising for products already in use. This also includes the development of data models for such measures.
- Measures for process and quality management: We collect data on our processes and services on an event-driven basis. We use these data to ensure the quality of our services, compliance with our service standards and the efficiency of our processes.
- Ongoing calculation of your financing potential
- Selection to evaluate satisfaction with the services and products we offer
- Product development using, inter alia, data models
- Creation of synthetic or anonymised data for testing purposes (in limited cases it may also be necessary to use real data for testing purposes).
- If you send us a file containing a digital signature or a digital seal, we will transmit this document to a validation service (e.g. signature verification service of “Rundfunk und Telekom Regulierungs-GmbH” – the radio and telecommunications regulatory company) for signature/seal verification.
- If we provide a document that contains your data with our digital signature, we will transmit the document to a trust service provider (e.g. A-Trust).
- To increase quality across all advisory interactions, and thereby live up to our purpose of bringing financial health to all clients, we have defined a data-driven process that analyses customer needs holistically.
To ensure professional preparation and interaction, we analyse the following data:
- Master data, such as name, date of birth, address
- Data of products and transactions
Based on this information we derive our clients’ actual financial status for the relevant financial needs: Monthly Cashflow (budget plan), Liquidity and Reserve, Building Wealth, Precaution, Protecting risks and Managing Debt. These objective criteria allow us to provide consistent service in the interest of our clients. Data will be deleted if it is either older than 5 years or if the business relationship is dissolved.
- Processing on the basis of consent
If there is neither a contract nor a legal obligation or a legitimate interest, processing the data may still be lawful if you have given us your consent to do so. The scope and content of this data processing will invariably depend on the consent given in a certain case - for example, if you allow us to take your photo in the context of establishing your identity. You can withdraw your consent at any time for the future. The withdrawal of consent shall, however, not affect the lawfulness of processing before the withdrawal of consent. This means that withdrawal of consent shall not be effective for the past.
- Processing for statistical purposes
We also process your personal data for statistical purposes in accordance with Article 7 of the Austrian Data Protection Act.
Who is the data controller?
Responsible for the processing of your data:
Erste Bank der oesterreichischen Sparkassen AG
Am Belvedere 1
1100 Vienna
https://www.sparkasse.at/erstebank-en/about-us/imprint
Contact for requests relevant for data protection:
Erste Group Bank AG
0196 1905/AT Data Privacy Security Management
Am Belvedere 1
1100 Wien
Email: GDPR-Support@erstegroup.com
The fastest way to reach us is via an s Contact message in George: if two topics are displayed for you to choose from, click on "General Data Protection Regulation (GDPR)”. Otherwise, simply type "Data protection" in the subject line of your message.
Responsible supervisory authority for matters appertaining to data protection:
Austrian Data Protection Authority
Barichgasse 40-42,
1030 Vienna
Telephone: +43 1 52 152-0
Email: dsb@dsb.gv.at
https://www.dsb.gv.at/
Who is the Data Protection Officer?
The Data Protection Officer at our company (German title, Datenschutzbeauftragter) is Gregor König. If you have any questions, suggestions or causes for complaint regarding the processing of your data, you can contact him and his team at:
Gregor König – Data Protection Officer
Erste Group Bank AG
Am Belvedere 1
1100 Vienna
Email: datenschutz@erstegroup.com
For what purposes and on what legal basis will my personal data be processed?
We are a bank organized according to Article 1 (1) of the Austrian Banking Act and Article 4 (1) 1 of the EU Capital Adequacy Regulation. In addition, we also act as mediator for other products and services, e.g. insurance and building society contracts. In the course of these activities, we process your personal data:
• Risk management, especially credit risk and operational risk
• Complaint management and complaint handling, analysis of complaint cases
• Monitoring of insider trading, conflicts of interest and market manipulation
• Identity determination, transaction monitoring, reporting of suspicious activities, compliance with sanction regulations
• Reports to the account register and reporting of capital outflows
• Payment services, e.g. for the detection of unauthorised or fraudulent payment transactions
• Accounting, controlling and compliance with tax and fee regulations
• Recording of telephone conversations and electronic communication in the course of securities transactions
• Information to public prosecutors, law courts, tax penalty authorities
• Disclosure of information on the identity of shareholders
Will data other than those collected from me be processed?
Most of your personal data that we process will have been provided by you. However, your data may also originate from other sources: