As of May 25, 2018, the General Data Protection Regulation, briefly GDPR, will apply in the European Union. It contains regulations regarding the processing and the protection of your personal data. This document provides you with the essential information regarding data protection in a summarized form. For detailed explanations, please refer to (german):

https://www.sparkasse.at/erstebank/wir-ueber-uns/datenschutz-sicherheit

Your account manager will be willingly prepared to print the information out for you.

1. Who is the data controller?

Allgemeine Sparkasse OÖ Bank AG
Promenade 11-13, 4020 Linz

https://www.sparkasse.at/oberoesterreich/wir-ueber-uns/Impressum

Contact for requests relevant for data protection:

Erste Bank der oesterreichischen Sparkassen AG
Bonitäts- und Wirtschaftsdaten (Creditworthiness and Economic Data)
Data Protection Management Support Office
Am Belvedere 1 
1100 Vienna

Email: DataProtectionManagement0642@erstebank.at

2. Who is the data protection officer?

Gregor König
Erste Group Bank AG
Am Belvedere 1
1100 Vienna

Email: datenschutz@erstegroup.com

3. Which personal data are processed an where do they come from?

We process the following personal data:

• Master and legitimation data, e.g. name, address, date of birth, telephone number, fiscal status, ID card data, ID card copy, etc.
• Customer relationship management, e.g. hobbies, interests, etc.
• Product, service and contract data, e.g. product possession, disposition option, sales and transactions, use of digital banking and portals (cookies), advice records, etc.
• Creditworthiness data, e.g. rating, warning list entries, etc.
• Image and sound data, e.g. video records, recorded telephone conversations and your photo (if you have consented to the taking of your photo), etc.
• Processing results to fulfil the contracts and consents
• Data to satisfy legal and regulatory specifications

Most of the personal data that we process about you has been provided by yourself: for example when opening the account, taking out the credit, when making payments in George, agreeing on an appointment, in a request on our websites, etc.

Apart from that, the data may come from the following sources:

• Debtor directories, such as KSV1870 Holding AG, CRIF GmbH
• Publicly available sources, e.g. company register, land register, insolvency file, register of associations
• From other institutions of the Erste Group Bank AG, Erste Bank and Sparkasse for the risk control and consolidation in the credit institute group according to the Banking Act and the Capital Adequacy Regulation EU 575/2013

In addition, we may receive data from state authorities or from persons on behalf of the government such as guardianship or criminal courts, prosecutions, court commissioners. For a detailed list referring to your person, you may exercise your right to information. 

4. For which purposes and on the basis of which legal foundation are my personal data processed?

We are a credit institution according to section 1 subsection 1 Banking Act and article 4 subsection 1 number 1 of the Regulation (EU) 575/2013. Here, the designations “bank” and “credit institution” are synonymous. Within the scope of these activities, we process your personal data. This means in detail:

Processing for the contract performance
Depending on the type of contract concluded with you, we are allowed to render certain services for you. There may for example be credit agreements, account agreements, leasing agreements or the George agreement. The content of the George agreement, for example, is that you log in to George, manage your account on-line and are able to complete transactions. For this purpose, we have to process your data. As versatile as our offer, as numerous are the underlying contracts. So the scope of the data processing is defined in the contractual documents and terms and conditions.

Processing to satisfy a legal obligation
We may also be required to process your personal data by legal regulations and purposes, e.g.:

• Credit risk management: Banking Act; Capital Requirements Regulation EU 575/2013
• Monitoring of insider trade, conflicts of interest and market manipulation: Securities Supervision Act 2018, Stock Exchange Act, Market Abuse Regulation EU 596/2014
• Identity determination, transaction monitoring, suspect notifications: Financial Market Money Laundering Act and Funds Transfer Regulation EU 847/2015
• Notifications in the account register and notifications of capital outflow: Account Register and Account Inspection Act, Capital Outflow Reporting Act
• Recording of telephone conversations and electronic communication in securities transactions such as the acceptance, transfer and execution of customer orders according to the Securities Supervision Act 2018 or also in securities trade on one’s own account
• Information in criminal proceedings to the prosecutions and courts as well as to authorities prosecuting tax offences due to intentional financial offences: Banking Act, Criminal Procedure Code, Law on Financial Crime

Processing due to a legitimate interest
There is also a legitimate interest in the data processing by us or third parties in the following cases:

• Requests and data exchange to determine creditworthiness and default risks vis-à-vis credit agencies such as KSV1870
• Video monitoring to gather evidence in case of offences or to prove dispositions and payments, e.g. at ATMs—this particularly serves the protection of customers and employees
• Measures for fraud prevention and fighting, fraud transaction monitoring
• Data processing within the scope of prosecution
• Recording of telephone conversations, e.g. for complaints or for the documentation of so-called declarations relevant for the transaction, e.g. card blocking
• Calculation of your financing potential in order to use it for innovative online credit offers

The processing of personal data for the purpose of direct marketing may also be a legitimate interest.

Processing on the basis of consent
If there is neither a contract nor a legal obligation or legitimate interest, the data processing may still be legitimate: i.e. in cases in which you have granted us your consent and/or approval. The scope and content of this data processing always result from the relevant consent. It is decisive that you can withdraw your consent at any time.

The withdrawal does, however, not affect the lawfulness of the processing based on this consent before its withdrawal. That means in other words that a withdrawal does not have any effect on the past.

5. Am I obliged to provide my personal data? What happens if I don't want to do so?

For our business relationship, we need many of your personal data. If we do not know your name and your address, we are, for example, not able to send you a debit card (ATM card) that you may have ordered. If we are not able to check your identity, we are not allowed to establish a business relationship by law. If we do not know your creditworthiness, we are not allowed to grant you a credit. So you see: In cases in which it is required for the business relationship based on a contract or a legal regulation, we have to process your personal data. If you do not consent, we may, unfortunately, possibly not be allowed to render or offer certain products or services.

If we are only allowed to process your data based on your consent, you are not obliged to grant this consent and to provide the data.

6. Is there decision-making based on automated processing – e.g. profiling?

At the beginning or during our business relationship, we do not use any automated decision-making according to article 22 GDPR. When granting credits, we will check the creditworthiness by means of the so-called credit scoring. In this connection, the default risk of credit applicants is evaluated by means of statistical comparative groups.

The calculated score value allows for a prognosis with which probability an applied credit will presumably be paid back. For the calculation of this score value, the following data are used:

• Your master data, e.g. marital status, number of children, duration of the employment, employer, etc.
• Information on the general financial circumstances, e.g. income, assets, monthly expenses, liabilities, securities, etc.
• Data on the payment behaviour, e.g. credit repayments, reminders, data from credit agencies

If the default risk is too high, the credit application will be rejected and there may be an entry in the small credit evidence of KSV1870 as well as an internal warning. If a credit application was rejected, this will be visible in the small credit evidence (“Kleinkreditevidenz”) with KSV1870 for a period of 6 months, according to the notification of the Data Protection Authority.

7. To whom do you transmit my personal data?

Your personal data may be transmitted to:

• Credit institutions, departments and persons (employees and vicarious agents) within the Sparkasse group, Erste Bank and Erst Group Bank AG who need these data for the contractual, legal or supervisory performance of duties as well as for the protection of legitimate interests
• Public bodies and institutions if we are legally obliged to do so, e.g. European Banking Supervisor, European Central Bank, Austrian Financial Market Supervision, financial authorities, etc.
• Third parties commissioned by us, e.g. for IT and back office services as well as bank auditors if they need them for their task. Third parties are contractually obliged to treat your data confidentially and to only process them within the scope of the service provision
• Third parties if this is binding for the contract performance or due to legal regulations, e.g. of the recipient of a bank transfer and their payment service provider.

The data may also be transmitted to third parties if you have consented to the transmission.

8. Are my personal data transferred to a third country?

Our processors may cooperate with sub- processors in third countries, e.g. in India. These sub-processors are obliged to comply with Austrian data protection and security standards. Details can be found here (german): 

https://www.sparkasse.at/oberoesterreich/wir-ueber-uns/datenschutz-sicherheit

9. How long are my personal data stored?

Your personal data are at least stored for as long as it is necessary for the performance of the relevant purposes. Apart from that, it is legally prescribed for which period the data have to be stored. These storage obligations may even exist if you are no longer our customer. An overview of the legal storage obligations applicable in Austria is available here:

https://www.wko.at/service/wirtschaftsrecht-gewerberecht/eu-dsgvo-speicher-und-aufbewahrungsfristen.html

10. Which rights do I have?

The GDPR grants the following rights regarding your personal data. You are entitled to:

• Access according to article 15 GDPR
• Rectification according to article 16 GDPR
• Erasure according to article 17 GDPR
• Restriction of the processing according to article 18 GDPR
• Data portability according to article 20 GDPR
• Object according to article 21 GDPR
• Decisions that are not exclusively based on an automated processing—including profiling according to article 22 GDPR

Detailed and important information regarding the right to data portability is available here: https://www.sparkasse.at/oberoesterreich/wir-ueber-uns/datenschutz-sicherheit/en/privacy

No matter which right you want to assert, you can send us your application in 3 ways in any case:

• By letter, please sign in person and enclose a copy of your identity card, to
  Erste Bank der oesterreichischen Sparkassen AG
  Bonitäts- und Wirtschaftsdaten (Creditworthiness and Economic Data)
  Data Protection Management Support Office
  Am Belevedere 1
  1100 Vienna
• In person in a Sparkasse subsidiary or
• By email, only with qualified electronic signature, to DataProtectionManagement0642@erstebank.at

We kindly ask for your understanding that in case of doubt, we will request more information regarding your identity. This also serves your protection, to only give authorised persons access to our data.

If you do not receive a timely answer to an application or if you are of the opinion that we have not handled your application legitimately or if you think that your right to data protection has been violated, you may also lodge a complaint with the responsible supervisory authority:

Austrian Data Protection Authority
Wickenburggasse 8
1080 Vienna

Telephone: 01/52 152-0
Email: dsb@dsb.gv.at

https://www.dsb.gv.at

Last update: 27th April 2018

Imprint:
Media owner, producer, publisher and editing: Allgemeine Sparkasse OÖ Bank AG
Postal address : Promenade 11-13, 4020 Linz