Who is the data controller?
Responsible for the processing of your data:
Contact for requests relevant for data protection:
Responsible supervisory authority for matters appertaining to data protection:
Austrian Data Protection Authority
Telephone: +43 1 52 152-0
Who is the Data Protection Officer?
The Data Protection Officer at our company (German title, Datenschutzbeauftragter) is . If you have any questions, suggestions or causes for complaint regarding the processing of your data, you can contact him and his team at:
– Data Protection Officer
Which of my personal data will be processed?
We process the following personal data:
- Master and legitimation data, e.g. name, address, date of birth, telephone number, fiscal status, ID card data, ID card copy, etc.
- Customer relationship management, e.g. hobbies, interests, etc.
- Product, service and contract data, e.g. product possession, disposition option, sales and transactions, use of digital banking and portals (cookies), advice records, etc.
- Creditworthiness data, e.g. rating, warning list entries, etc.
- Image and sound data, e.g. video records, recorded telephone conversations and your photo (if you have consented to the taking of your photo), etc.
- Processing results for the fulfilment of the contracts and consents
- Data to satisfy legal and regulatory specifications
Please note: The information listed above constitutes a general outline. We do not necessarily have all the above data in every case. You have the right of access to a detailed and individual listing which you are able to request from us. For this, please contact us.
Where do the personal data that are processed originate from?
Most of your personal data that we process has been provided by yourself: for example, when you opened your account, with a loan agreement, when making payments in George, when sending an enquiry, etc.
Apart from that, the data may come from the following sources:
- Debtor directories, such as KSV1870 Holding AG, CRIF GmbH
- Publicly available sources, e.g. the company register, land register, insolvency file, register of associations
- From other institutions of the Erste Group Bank AG, Erste Bank and Sparkassen for the risk control and consolidation in the credit institute group according to the Banking Act and the Capital Requirements Regulation EU 575/2013
In addition to this, we may also receive data from public authorities or from persons on behalf of the government, such as guardianship or criminal courts, public prosecutors or court commissioners. You have the right of access to a detailed list referring to your person.
For which purposes and on what legal basis are my personal data processed?
We are a credit institute according to section 1 subsection 1 Banking Act and Article 4, para. 1 number 1 of the Regulation (EU) 575/2013. Here, the designations “bank” and “credit institute” are synonymous. Within the scope of these activities, we process your personal data. This means in detail:
Processing for the contract performance
Depending on the type of contract concluded with you, we are permitted to render certain services for you. There may, for example, be loan agreements, account agreements, leasing agreements or the George agreement. The content of the George agreement, for example, is that you log in to George, manage your account online and are able to complete transactions. For this purpose, we have to process your data. Our offer is versatile, which means that there are several underlying contracts. Therefore, the scope of the data processing is defined in the contractual documents and terms and conditions.
Processing for the fulfilment of a legal obligation
Legal regulations and purposes may also make it necessary for us to process your personal data, e.g.:
- Credit risk management: Banking Act; Capital Requirements Regulation EU 575/2013
- Monitoring of insider trade, conflicts of interest and market manipulation: Securities Supervision Act 2018, Stock Exchange Act, Market Abuse Regulation EU 596/2014
- Identity determination, transaction monitoring, suspect notifications: Financial Market Money Laundering Act and Funds Transfer Regulation EU 847/2015
- Notifications in the account register and notifications of capital outflow: Account Register and Account Inspection Act, Capital Outflow Reporting Act
- Recording of telephone conversations and electronic communication in securities transactions such as the acceptance, transfer and execution of customer orders according to the Securities Supervision Act 2018 or also in securities trade on one’s own account
- Information in criminal proceedings to the prosecutions and courts as well as to authorities prosecuting tax offences due to intentional financial offences: Banking Act, Criminal Procedure Code, Law on Financial Crime
Processing due to a legitimate interest
A legitimate interest in the data processing by ourselves or third parties exists in the following cases:
- Requests and data exchange to determine creditworthiness and default risks vis-à-vis credit agencies such as KSV1870
- Video monitoring to gather evidence in case of offences or to prove dispositions and payments, e.g. at ATMs—this particularly serves the protection of customers and employees
- Measures for the prevention of and for fighting against fraud, fraud transaction monitoring
- Data processing within the scope of prosecution
- Recording of telephone conversations, e.g. for complaints or for the documentation of so-called declarations relevant for the transaction, e.g. card blocking
- Calculation of your financing potential for use in innovative online loan offers
The processing of personal data for the purpose of direct marketing may also constitute a legitimate interest.
Processing on the basis of consent
If there is neither a contract nor a legal obligation or legitimate interest, the data processing may still be legitimate in cases in which you have granted us your consent and/or approval. The scope and content of this data processing always result from the relevant consent. It is decisive that you can withdraw your consent at any time.
The withdrawal does not affect the lawfulness of the processing that has already occurred on the basis of this consent before its withdrawal. In other words, that means that a withdrawal does not have any effect on the past.
Am I obliged to provide my personal data? What happens if I do not wish to do so?
For our business relationship, we require a significant amount of your personal data. If we do not know your name and your address, we will not be able to send you a debit card (ATM card) that you may have ordered, for example. If we are not able to check your identity, we are not allowed to establish a business relationship by law. If we do not know your creditworthiness, we are not allowed to grant you a loan. As you can see: In cases in which it is required for the business relationship based on a contract or a legal regulation, we have to process your personal data. If you do not provide your consent, it may unfortunately be the case that we are not allowed to provide or offer certain products or services. If we are only permitted to process your data on the basis of your consent, you are not obliged to grant this consent or to provide the data.
Is there any decision-making which is based on an automated form of processing such as profiling, for example?
At the beginning or during our business relationship, we do not use any automated decision-making according to article 22 GDPR. When granting credits, we will check the creditworthiness by means of the so-called credit scoring. In this connection, the default risk of credit applicants is evaluated by means of statistical comparative groups.
The calculated score value allows for a prognosis with which probability an applied credit will presumably be paid back. For the calculation of this score value, the following data are used:
- Your master data, e.g. marital status, number of children, duration of the employment, employer, etc.
- Information about your general financial circumstances, e.g. income, assets, monthly expenses, liabilities, securities, etc.
- Data on the payment behaviour, e.g. credit repayments, reminders, data from credit agencies
If the default risk is too high, the credit application will be rejected and there may be an entry in the small credit evidence of KSV1870 as well as an internal warning. If a credit application was rejected, this will be visible in the small credit evidence (“Kleinkreditevidenz”) with KSV1870 for a period of 6 months, according to the notification of the Data Protection Authority.
To whom do you transmit my personal data?
Your personal data may be transmitted to:
- Credit institutions, departments and persons (employees and vicarious agents) within the Sparkasse group, Erste Bank and Erst Group Bank AG who need these data for the contractual, legal or supervisory performance of duties as well as for the protection of legitimate interests
- Public bodies and institutions if we are legally obliged to do so, e.g. European Banking Supervisor, European Central Bank, Austrian Financial Market Supervision, financial authorities, etc.
- Third parties commissioned by us, e.g. for IT and back office services as well as bank auditors if they need them for their task. Third parties are contractually obliged to treat your data confidentially and to only process them within the scope of the service provision
- Third parties if this is binding for the contract performance or due to legal regulations, e.g. of the recipient of a bank transfer and their payment service provider.
The data may also be transmitted to third parties if you have consented to the transmission.
Are my personal data transferred to a third country?
(All links are valid as of May 2018)
Our processors may cooperate with sub-processors in third countries, e.g. in India. These sub-processors are obliged to comply with Austrian data protection and security standards.
You can request us to provide you with a list of the processors that currently operate in third countries and information about the principles on which the transfer is based.
If you make use of a service provided by Mastercard, your personal data can also be processed for such purposes in the USA. Mastercard undertakes to comply with binding internal data protection provisions - refer to Article 47, paragraph 2, letter b, Article 47, GDPR. These rules have been approved by the responsible data protection authority in Belgium and are available here: https://www.mastercard.us/content/dam/mccom/en-us/documents/mastercard-bcrs-february-2017.pdf (in English). General information on the binding internal data protection provisions is also available here: https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/binding-corporate-rules_en#bindingcorporaterules (English).
For how long are my personal data stored?
(All links are valid as of May 2018)
In all cases, your personal data will be stored for as long as it is necessary for the fulfilment of the relevant purposes. In addition to this, the period for which we must store your data is also legally stipulated. These storage obligations may also exist if you are no longer one of our customers. An overview of the legal storage obligations applicable in Austria is available here:
What security measures are complied with during the processing of the data?
We consider data protection and data security to be very important. We have applied every technical and organisational measure to secure our data processing. This relates to the protection of your personal data in particular. We shall protect your data against unauthorised or unlawful processing, unintentional loss, unintentional destruction or unintentional damage. These measures encompass, for example, the use of the latest security software and encryption procedures, physical access control measures and precautions for the deterring and prevention of external and internal incursions.
Some practical tips on how you contribute to the protection of your personal data, for instance, are available here https://www.sparkasse.at/sicherheitscenter/sicherheit.