Information on Data Protection and Data Processing
Thank you for your interest in our company and our website. Even though we carefully check external links, we cannot be held liable for their content and security.
We protect your personal information as best we can when collecting, processing and during your visit to our website. Your data is protected by law. Below you will find explanations on the nature of the information collected when you visit our website and how they are used.
Since 25 May 2018 onwards, the General Data Protection Regulation, also known as the GDPR, applies throughout the European Union. The GDPR stipulates the way in which personal data are to be processed and how they must be protected.
What is the GDPR?
The GDPR is a regulation of the European Union. It applies directly in all of the member states including Austria. Every person whose data are processed is able to refer to and invoke the GDPR.
What is regulated by the GDPR?
The GDPR contains legal provisions regarding the processing of your personal data. Whether it concerns your name, your telephone number, your bank account transactions or even your hobbies – all are protected by the GDPR. The principles which it stipulates regulate the ways in which your personal data are permitted to be saved and processed.
Why does the Austrian Data Protection Act continue to apply (DSG)?
The European Union hasn't just enacted the GDPR, it has also enacted a full “data protection package”. This package also included a new data protection directive. How does a directive differ from a regulation? In contrast to a regulation, it is necessary for a directive to be implemented into national law first. In addition to this, the GDPR provides the member states with the scope to structure certain aspects on a more detailed basis than the GDPR itself.
Both of these have taken place in Austria with the Data Protection Act (Datenschutzgesetz), in short DSG.
Why is the protection of my data so important?
Data protection is a fundamental right. The same as your right to liberty or security, your right to the protection of your data is anchored in the Charter of Fundamental Rights of the European Union. The EU Charter of Fundamental Rights covers your relationship with governmental institutions.
It is legally acknowledged, however, in both the private and commercial spheres, that there must also be a balancing of interests between the Data Processor and what are referred to as the “data subjects” – i.e. between you and your bank, for example. This is stipulated in both the GDPR and the DSG.
Our personal data contains a lot of information about us: it can also refer to our hobbies, our preferences and our aspirations. Such things are naturally worthy of protection. Yet we can only improve our individual service for you if we are aware of your preferences. A key element of data protection is that we work with you to find a way of being able to process your data in your interests and under your supervision.
Doesn't banking secrecy apply, anyway?
Yes, information of which we become aware due to the business relationship is protected by Austrian banking secrecy - according to Art. 38 of the Austrian Banking Act. The GDPR also applies.
Good to know: The banking confidentiality arrangements can only be dispensed with in writing – refer to Art. 38 para. 2, clause 5, Austrian Banking Act. In this case, “in writing means”:
- the provision of a handwritten signature on “ink and paper” for example, or
- a qualified electronic signature, e.g. in the form of a “mobile phone signature” or
- strong customer authentication in digital banking, for example CardTAN or s Identity in George.
Where can I find out more about the GDPR and the DSG?
(All links are valid as of March 2023)
A consolidated version of the GDPR is available here:
https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A02016R0679-20160504
A consolidated version of the DSG is available here:
https://data-protection-authority.gv.at/data-protection-laws/relevant-data-protection-laws.html
The EU Charter of Fundamental Rights:
https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A12012P%2FTXT
Further information about your rights is available on the following websites:
Austrian Data Protection Authority https://www.dsb.gv.at/
European Commission:
https://ec.europa.eu/commission/priorities/justice-and-fundamental-rights/data-protection/2018-reform-eu-data-protection-rules_en
(All links are valid as of May 2024)
Before we can discuss the topic of data protection, it is important to clarify some basic terms. We have also included the references for the appropriate Articles of the GDPR so that you can read the definitions for yourself if you are interested. Please note that we only provide a summary, i.e. a shortened description of the legal text. The full legal text of the GDPR and the corresponding Articles is available here:
https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A02016R0679-20160504
What is personal data?
Personal data means all information that refers to an identified or identifiable natural person, known as the “data subject”. E.g. the name of a person or an identification number such as an IBAN or account number.
For further details refer to Article 4 (1) GDPR.
What does the processing of data entail?
The term “processing” means any operation, with or without the use of automated processes, which is performed on personal data. This includes, for example, the collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure (by transmission, dissemination or otherwise making available), the alignment or combination, restriction, erasure or destruction of the data.
For further details refer to Article 4 (2) GDPR.
What is meant by the term “Controller”?
The term “Controller” refers to the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. For example, we, in our role as a bank.
For further details refer to Article 4 (7) GDPR.
What is meant by the term “Processor”?
The term “Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of a Controller.
For further details refer to Article 4 (8) GDPR.
Who is the data controller?
Responsible for the processing of your data:
Erste Group Bank AG
Am Belvedere 1
1100 Vienna
https://www.erstegroup.com/en/legal-information/imprint
Contact for requests relevant for data protection:
Erste Group Bank AG
0196 1905/AT Data Privacy Security Management
Am Belvedere 1
1100 Vienna
email: GDPR-Support@erstegroup.com
The fastest way to reach us is via an s Contact message in George: if two topics are displayed for you to choose from, click on "General Data Protection Regulation (GDPR)”. Otherwise, simply type "Data protection" in the subject line of your message.
Responsible supervisory authority for matters appertaining to data protection:
Austrian Data Protection Authority
Barichgasse 40-42,
1030 Vienna
Telephone: +43 1 52 152-0
email: dsb@dsb.gv.at
https://www.dsb.gv.at/
Who is the Data Protection Officer?
The Data Protection Officer at our company is Gregor König. If you have any questions, suggestions or causes for complaint regarding the processing of your data, you can contact him and his team at:
Gregor König – data protection officer
Erste Group Bank AG
Am Belvedere 1
1100 Vienna
email: datenschutz@erstegroup.com
What personal data is processed and how is it collected?
Which of your personal data we process depends on the scope of the business relationship between you and us.
Here you will find a list of the possible data that we collect directly from the data subjects or derive from the data collected. Please note: This does not necessarily mean that we actually process this data from you:
We collect your personal data in various places and on various occasions when you:
- visit our branches or use self-service devices.
- open or use one of our products.
- use our online services (websites, internet banking, apps).
- use our other services and contact options (e.g. 24-hour service, competitions, events)
For what purposes and on what legal basis will my personal data be processed?
We are a bank organized according to Article 1 (1) of the Austrian Banking Act and Article 4 (1) 1 of the EU Capital Adequacy Regulation. In addition, we also act as mediator for other products and services, e.g. insurance and building society contracts. In the course of these activities, we process your personal data:
- Processing for the performance of a contract or of pre-contractual measures taken upon your request
The services we are called upon to provide for you will depend on the contract in question, e.g. loan agreement, account contract, leasing contract, insurance brokerage or an agreement on George. We will need to process your data so that you can, for instance, log in to George, manage your account online and carry out transactions. The scope of such data processing will be set forth in the contract documents and the General Terms and Conditions.
We analyse the stored data for our Internet banking system George and prepare it technically for better presentation. In addition to personal information, account balances, bookings and turnover data, this processing also includes the categorisation of account transactions and the indexing of this data for faster searching in George. This also affects data that you have uploaded to George Internet banking yourself.
- Processing to satisfy a legal obligation
We will need to process your data also on account of legal obligations, e.g. the Austrian Banking Act, the EU Capital Adequacy Regulation, the Securities Supervision Act, the Financial Markets Money Laundering Act and the EU Funds Transfer Regulation. This relates to:
• Risk management, especially credit risk and operational risk
• Complaint management and complaint handling, analysis of complaint cases
• Monitoring of insider trading, conflicts of interest and market manipulation
• Identity determination, transaction monitoring, reporting of suspicious activities, compliance with sanction regulations
• Reports to the account register and reporting of capital outflows
• Payment services, e.g. for the detection of unauthorised or fraudulent payment transactions
• Accounting, controlling and compliance with tax & fee regulations
• Recording of telephone conversations and electronic communication in the course of securities transactions
• Information to public prosecutors, law courts, tax penalty authorities
• Disclosure of information on the identity of shareholders
- Processing due to a legitimate interest
A legitimate interest for data processing by us or third parties exists in the following cases:- Promotion of new products, features and services
- To comply with non-legally binding official recommendations
- Measures to protect employees, customers and the Bank's property.
- Exercising or defending rights
- Data exchange for creditworthiness and default risks inquiries with an information bureau, for instance reports and queries regarding the warning list or the consumer credit record of the Kreditschutzverband von 1870 (Credit Protection Association of 1870)
- Preventing and combatting fraud as well as preventing money laundering and terrorist funding, including but not limited to:
- Suspected cases of fraud and attempted fraud and similar criminal offences pursuant to Sections 146 et seq. of the Austrian Criminal Code (StGB) that are detected during the business relationship or during its initiation will be recorded and processed in the Suspicious Transaction Data Base (STDB) for banking and financial institutions. This data base is kept by CRIF GmbH as processor. Banking and financial institutions using this data base solution can also receive data with which they can check, at the beginning of a business relationship with a customer, whether fraud attempts have been made in the past.
- Development of data models to detect suspicious behaviour patterns
- Documentation of past damage cases as a decision-making aid for entering into new or extended customer relationships.
- Improving data quality
- Ensuring the security of IT and of the Bank's IT operations
- Recording of telephone conversations, e.g. for complaint cases, documentation of legally relevant declarations (e.g. card blocking) or for training of our employees
- Video surveillance for enforcing our house rules, for the prevention of attacks, for collection of evidence in the case of criminal offences, protection of customers, employees and property, enforcement of and defence against legal claims or as evidence for dispositions and deposits, e.g. at cashpoints. Video recordings of such incidents can also be used for security training of our employees in individual cases after careful examination.
- Measures for business, sales and group management, such as customer segmentation, reorganisation and associated customer analyses, avoidance of advertising for products already in use. This also includes the development of data models for such measures.
- Measures for process and quality management: We collect data on our processes and services on an event-driven basis. We use these data to ensure the quality of our services, compliance with our service standards and the efficiency of our processes.
- Ongoing calculation of your financing potential
- Selection to evaluate satisfaction with the services and products we offer
- Product development using, inter alia, data models
- Creation of synthetic or anonymised data for testing purposes (in limited cases it may also be necessary to use real data for testing purposes).
- If you send us a file containing a digital signature or a digital seal, we will transmit this document to a validation service (e.g. signature verification service of “Rundfunk und Telekom Regulierungs-GmbH” – the radio and telecommunications regulatory company) for signature/seal verification.
- If we provide a document that contains your data with our digital signature, we will transmit the document to a trust service provider (e.g. A-Trust).
- In order to increase the quality across all advisory interactions and therefore keeping up to our purpose of bringing financial health to all clients, we defined a data driven process analyzing customer needs holistically.
To ensure a professional preparation and interaction we analyze the following data:
- Master data, such as name, date of birth, address
- Data of products and transactions
Based on this information we derive our clients’ actual financial status for the relevant financial needs: Monthly Cashflow (budget plan), Liquidity and Reserve, Building Wealth, Pre-caution, Protecting risks and Managing Debt. These objective criteria allow us to provide consistent service in the interest of our clients. Data will be deleted if its either older than 5 years or if the business relationship is dissolved.
- Processing on the basis of consent
If there is neither a contract nor a legal obligation or a legitimate interest, processing the data may still be lawful if you have given us your consent to do so. The scope and content of this data processing will invariably depend on the consent given in a certain case - for example, if you allow us to take your photo in the context of establishing your identity. You can withdraw your consent at any time for the future. The withdrawal of consent shall, however, not affect the lawfulness of processing before the withdrawal of consent. This means that withdrawal of consent shall not be effective for the past.
- Processing for statistical purposes
We also process your personal data for statistical purposes in accordance with Article 7 of the Austrian Data Protection Act.
- Will data other than those collected from me be processed?
Most of your personal data that we process will have been provided by you. However, your data may also originate from other sources:
For the categories of data and data processing mentioned above, the other explanations in this information sheet shall also apply (with the exception of the previous item 3., “For which purposes and on what legal basis are my personal data processed?”)
Am I obliged to provide my personal data? What will happen if I do not want to do so?
For our business relationship, we require many of your personal data, e.g. for re-order of a debit card that is to be sent to you. If we cannot verify your identity, the law will prohibit us from doing business with you. If we do not know your creditworthiness, we will not be allowed to grant you a loan. So you see we must process your personal data wherever it is required by contract or by law. If you do not want us to do so, we may unfortunately not be allowed to provide certain services. If we process your data only on the basis of your consent, you will not be obliged to give this consent and provide the data.
Is there any automated decision-making, including profiling?
If automated decision-making, including profiling, takes place in the course of a specific processing operation, you will be informed of this in advance.
When granting loans, we check your creditworthiness on the basis of the so-called credit scoring. In the process, the default risk of credit applicants is assessed with the help of statistical benchmark groups.
The calculated score enables us to forecast the probability with which a loan applied for is likely to be redeemed. The following data are used to calculate this score:
- Your master data, e.g. marital status, number of children, length of employment, employer, etc.
- Information on your general financial circumstances, e.g. income, assets, monthly expenses, liabilities, collaterals, etc.
- Data on payment behaviour, e.g. loan repayments, reminders, data from credit information bureaus
If the risk of default is too high, the credit application will be rejected and there may be an entry in the KSV 1870 KKE and an internal warning. If a credit application is rejected, this will be shown in the KSV 1870 KKE for 6 months (according to the Notification of the data protection authority).
To whom will my personal data be disclosed?
Your personal data may be disclosed to:
- Credit institutions, bodies and persons within the network of Sparkasse savings banks, Erste Bank and Erste Group who require the data for contractual, legal or regulatory duties as well as for legitimate interests. This applies in particular to risk management within Erste Group and to the management of credit risks when credit institutions within Erste Group have identical customers.
- Information bureaus like Kreditschutzverband von 1870 (Credit Protection Association of 1870)
- Public bodies and institutions as well as persons with a sovereign mandate, to the extent that we are legally required to do so or in order to protect our legitimate interests, e.g. the European Bank Supervisors, the European Central Bank, Financial Market Authority, the Austrian National Bank, tax authorities, etc.
- Processors and other service providers (controllers) commissioned by us, e.g. for IT, back office, legal and tax advice, chartered accountants and collection companies, to the extent they require the data for their tasks.
- Bank auditors and auditors of annual financial statements, insofar as this is necessary for the auditing activity
- Third parties, if this is mandatory for the fulfilment of the contract or legal provisions, e.g. the recipients of a bank transfer and their payment service provider.
- Validation services, e.g. Rundfunk und Telekom Regulierungs-GmbH (the radio and telecommunications regulation company), to the extent this is necessary to verify a digital signature or digital seal transmitted by you.
- Trust service providers, e.g. A-Trust, if we provide a document containing your data with our digital signature.
Disclosure to third parties may also take place if you have consented to the disclosure and for the period of your valid consent.
A list containing an overview of potential recipients can be found here.
Will my data be transferred to a third country?
Your personal data may be transferred to a third country in the following cases:
- this is necessary in order to assert, exercise or defend legal claims or there is a legal obligation, e.g. at the request of the authorities under a mutual legal assistance agreement.
- This is necessary for your contract or for pre-contractual measures, for instance, if funds are to be transferred to a third country
- Our processors and sub-processors may be located in third countries. Unless the transfer is based on an adequacy decision of the European Commission, we will transfer the data on the basis of appropriate or suitable safeguards. We will be happy to provide you with these on request.
- You will receive a special notification in other cases of data being transferred to a third country.
A list containing an overview of potential recipients in third countries can be found here.
For how long will my personal data be stored?
(All links are valid as of May 2024)
Your personal data will be stored for as long as is necessary for the respective purpose: this may be the duration of the customer relationship, pending legal proceedings or the existence of a claim, or if required by law. Retention may also be necessary if you have ceased to be our customer.
The essential legal provisions applicable to credit institutions include:
- the Austrian Companies Code, Article 212 (7 years)
- the Federal Tax Code, Article 132 (7 years or for the duration of tax proceedings);
- the Securities Supervision Act 2018, Article 33 (5 or 7 years by order of the Financial Market Authority).
- Financial Market Money Laundering Act, Article 21 (10 years from the end of the business relationship).
An overview of other statutory retention obligations applicable in Austria can be found here, for example:
https://www.wko.at/service/wirtschaftsrecht-gewerberecht/eu-dsgvo-speicher-und-aufbewahrungsfristen.html
The Bank has a legitimate interest in retaining your personal data in the following cases:
- Applications for financing can be kept for up to 18 months after they have been made. This serves our legitimate interest in documenting a customer contact and our ability to process the application quickly when you come back to us.
- If you use George Store and do not complete the purchase, your personal data will be stored for 60 days. During this time, you can use the recovery link and complete the purchase
- When you use the George Store, metadata (e.g., log data, technical log data, date and timestamp) related to the completed purchase is stored for 60 days. We do this to identify potential operational issues arising from the purchase process. We also use this data to defend against potential legal claims and to perform maintenance.
- SWIFT messages are kept for 30 years for the purpose of preventing and combatting fraud and for the prevention of money laundering and terrorist funding.
- Data on receivables sold are kept for 30 years from the date of sale. This serves the Bank's legitimate interest of averting possible objections arising from the sale of receivables.
- Your personal data may also be retained to document past damage cases, as an aid to decision-making about entering into new or extended customer relationships. Specifically:
- 7 years in a damage case, if
- the amount of damage at the time the case was closed did not exceed 20,000 euros, or
- there is otherwise no interest in a business relationship due to special circumstances
- 12 years in a damage case if
- the amount of the loss at the time the case was closed was more than 20,000 euros, or
- insolvency proceedings have been instituted against your assets during our business relationship.
- 30 years in particularly serious, exceptional cases after detailed examination in each individual case.
- 7 years in a damage case, if
The retention period starts when the damage case has been closed, i.e. as soon as a debt/claim no longer exists or insolvency proceedings have been terminated or cancelled. In addition, data on past damage cases must be stored for regulatory purposes, e.g. the data are also used for our model to calculate defaults. However, only a limited group of people will have access to these data. They are no longer visible to account managers. The data will also not affect existing or future business relationships.
Since 25 May 2018 onwards, the General Data Protection Regulation, also known as the GDPR, applies throughout the European Union. The GDPR stipulates the way in which personal data are to be processed and how they must be protected.
What is the GDPR?
The GDPR is a regulation of the European Union. It applies directly in all of the member states including Austria. Every person whose data are processed is able to refer to and invoke the GDPR.
What is regulated by the GDPR?
The GDPR contains legal provisions regarding the processing of your personal data. Whether it concerns your name, your telephone number, your bank account transactions or even your hobbies – all are protected by the GDPR. The principles which it stipulates regulate the ways in which your personal data are permitted to be saved and processed.
Why does the Austrian Data Protection Act continue to apply (DSG)?
The European Union hasn't just enacted the GDPR, it has also enacted a full “data protection package”. This package also included a new data protection directive. How does a directive differ from a regulation? In contrast to a regulation, it is necessary for a directive to be implemented into national law first. In addition to this, the GDPR provides the member states with the scope to structure certain aspects on a more detailed basis than the GDPR itself.
Both of these have taken place in Austria with the Data Protection Act (Datenschutzgesetz), in short DSG.
Why is the protection of my data so important?
Data protection is a fundamental right. The same as your right to liberty or security, your right to the protection of your data is anchored in the Charter of Fundamental Rights of the European Union. The EU Charter of Fundamental Rights covers your relationship with governmental institutions.
It is legally acknowledged, however, in both the private and commercial spheres, that there must also be a balancing of interests between the Data Processor and what are referred to as the “data subjects” – i.e. between you and your bank, for example. This is stipulated in both the GDPR and the DSG.
Our personal data contains a lot of information about us: it can also refer to our hobbies, our preferences and our aspirations. Such things are naturally worthy of protection. Yet we can only improve our individual service for you if we are aware of your preferences. A key element of data protection is that we work with you to find a way of being able to process your data in your interests and under your supervision.
Doesn't banking secrecy apply, anyway?
Yes, information of which we become aware due to the business relationship is protected by Austrian banking secrecy - according to Art. 38 of the Austrian Banking Act. The GDPR also applies.
Good to know: The banking confidentiality arrangements can only be dispensed with in writing – refer to Art. 38 para. 2, clause 5, Austrian Banking Act. In this case, “in writing means”:
- the provision of a handwritten signature on “ink and paper” for example, or
- a qualified electronic signature, e.g. in the form of a “mobile phone signature” or
- strong customer authentication in digital banking, for example CardTAN or s Identity in George.
Where can I find out more about the GDPR and the DSG?
(All links are valid as of March 2023)
A consolidated version of the GDPR is available here:
https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A02016R0679-20160504
A consolidated version of the DSG is available here:
https://data-protection-authority.gv.at/data-protection-laws/relevant-data-protection-laws.html
The EU Charter of Fundamental Rights:
https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A12012P%2FTXT
Further information about your rights is available on the following websites:
Austrian Data Protection Authority https://www.dsb.gv.at/
European Commission:
https://ec.europa.eu/commission/priorities/justice-and-fundamental-rights/data-protection/2018-reform-eu-data-protection-rules_en
(All links are valid as of May 2024)
Before we can discuss the topic of data protection, it is important to clarify some basic terms. We have also included the references for the appropriate Articles of the GDPR so that you can read the definitions for yourself if you are interested. Please note that we only provide a summary, i.e. a shortened description of the legal text. The full legal text of the GDPR and the corresponding Articles is available here:
https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A02016R0679-20160504
What is personal data?
Personal data means all information that refers to an identified or identifiable natural person, known as the “data subject”. E.g. the name of a person or an identification number such as an IBAN or account number.
For further details refer to Article 4 (1) GDPR.
What does the processing of data entail?
The term “processing” means any operation, with or without the use of automated processes, which is performed on personal data. This includes, for example, the collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure (by transmission, dissemination or otherwise making available), the alignment or combination, restriction, erasure or destruction of the data.
For further details refer to Article 4 (2) GDPR.
What is meant by the term “Controller”?
The term “Controller” refers to the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. For example, we, in our role as a bank.
For further details refer to Article 4 (7) GDPR.
What is meant by the term “Processor”?
The term “Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of a Controller.
For further details refer to Article 4 (8) GDPR.
Who is the data controller?
Responsible for the processing of your data:
Erste Group Bank AG
Am Belvedere 1
1100 Vienna
https://www.erstegroup.com/en/legal-information/imprint
Contact for requests relevant for data protection:
Erste Group Bank AG
0196 1905/AT Data Privacy Security Management
Am Belvedere 1
1100 Vienna
email: GDPR-Support@erstegroup.com
The fastest way to reach us is via an s Contact message in George: if two topics are displayed for you to choose from, click on "General Data Protection Regulation (GDPR)”. Otherwise, simply type "Data protection" in the subject line of your message.
Responsible supervisory authority for matters appertaining to data protection:
Austrian Data Protection Authority
Barichgasse 40-42,
1030 Vienna
Telephone: +43 1 52 152-0
email: dsb@dsb.gv.at
https://www.dsb.gv.at/
Who is the Data Protection Officer?
The Data Protection Officer at our company is Gregor König. If you have any questions, suggestions or causes for complaint regarding the processing of your data, you can contact him and his team at:
Gregor König – data protection officer
Erste Group Bank AG
Am Belvedere 1
1100 Vienna
email: datenschutz@erstegroup.com
What personal data is processed and how is it collected?
Which of your personal data we process depends on the scope of the business relationship between you and us.
Here you will find a list of the possible data that we collect directly from the data subjects or derive from the data collected. Please note: This does not necessarily mean that we actually process this data from you:
We collect your personal data in various places and on various occasions when you:
- visit our branches or use self-service devices.
- open or use one of our products.
- use our online services (websites, internet banking, apps).
- use our other services and contact options (e.g. 24-hour service, competitions, events)
For what purposes and on what legal basis will my personal data be processed?
We are a bank organized according to Article 1 (1) of the Austrian Banking Act and Article 4 (1) 1 of the EU Capital Adequacy Regulation. In addition, we also act as mediator for other products and services, e.g. insurance and building society contracts. In the course of these activities, we process your personal data:
- Processing for the performance of a contract or of pre-contractual measures taken upon your request
The services we are called upon to provide for you will depend on the contract in question, e.g. loan agreement, account contract, leasing contract, insurance brokerage or an agreement on George. We will need to process your data so that you can, for instance, log in to George, manage your account online and carry out transactions. The scope of such data processing will be set forth in the contract documents and the General Terms and Conditions.
We analyse the stored data for our Internet banking system George and prepare it technically for better presentation. In addition to personal information, account balances, bookings and turnover data, this processing also includes the categorisation of account transactions and the indexing of this data for faster searching in George. This also affects data that you have uploaded to George Internet banking yourself.
- Processing to satisfy a legal obligation
We will need to process your data also on account of legal obligations, e.g. the Austrian Banking Act, the EU Capital Adequacy Regulation, the Securities Supervision Act, the Financial Markets Money Laundering Act and the EU Funds Transfer Regulation. This relates to:
• Risk management, especially credit risk and operational risk
• Complaint management and complaint handling, analysis of complaint cases
• Monitoring of insider trading, conflicts of interest and market manipulation
• Identity determination, transaction monitoring, reporting of suspicious activities, compliance with sanction regulations
• Reports to the account register and reporting of capital outflows
• Payment services, e.g. for the detection of unauthorised or fraudulent payment transactions
• Accounting, controlling and compliance with tax & fee regulations
• Recording of telephone conversations and electronic communication in the course of securities transactions
• Information to public prosecutors, law courts, tax penalty authorities
• Disclosure of information on the identity of shareholders
- Processing due to a legitimate interest
A legitimate interest for data processing by us or third parties exists in the following cases:- Promotion of new products, features and services
- To comply with non-legally binding official recommendations
- Measures to protect employees, customers and the Bank's property.
- Exercising or defending rights
- Data exchange for creditworthiness and default risks inquiries with an information bureau, for instance reports and queries regarding the warning list or the consumer credit record of the Kreditschutzverband von 1870 (Credit Protection Association of 1870)
- Preventing and combatting fraud as well as preventing money laundering and terrorist funding, including but not limited to:
- Suspected cases of fraud and attempted fraud and similar criminal offences pursuant to Sections 146 et seq. of the Austrian Criminal Code (StGB) that are detected during the business relationship or during its initiation will be recorded and processed in the Suspicious Transaction Data Base (STDB) for banking and financial institutions. This data base is kept by CRIF GmbH as processor. Banking and financial institutions using this data base solution can also receive data with which they can check, at the beginning of a business relationship with a customer, whether fraud attempts have been made in the past.
- Development of data models to detect suspicious behaviour patterns
- Documentation of past damage cases as a decision-making aid for entering into new or extended customer relationships.
- Improving data quality
- Ensuring the security of IT and of the Bank's IT operations
- Recording of telephone conversations, e.g. for complaint cases, documentation of legally relevant declarations (e.g. card blocking) or for training of our employees
- Video surveillance for enforcing our house rules, for the prevention of attacks, for collection of evidence in the case of criminal offences, protection of customers, employees and property, enforcement of and defence against legal claims or as evidence for dispositions and deposits, e.g. at cashpoints. Video recordings of such incidents can also be used for security training of our employees in individual cases after careful examination.
- Measures for business, sales and group management, such as customer segmentation, reorganisation and associated customer analyses, avoidance of advertising for products already in use. This also includes the development of data models for such measures.
- Measures for process and quality management: We collect data on our processes and services on an event-driven basis. We use these data to ensure the quality of our services, compliance with our service standards and the efficiency of our processes.
- Ongoing calculation of your financing potential
- Selection to evaluate satisfaction with the services and products we offer
- Product development using, inter alia, data models
- Creation of synthetic or anonymised data for testing purposes (in limited cases it may also be necessary to use real data for testing purposes).
- If you send us a file containing a digital signature or a digital seal, we will transmit this document to a validation service (e.g. signature verification service of “Rundfunk und Telekom Regulierungs-GmbH” – the radio and telecommunications regulatory company) for signature/seal verification.
- If we provide a document that contains your data with our digital signature, we will transmit the document to a trust service provider (e.g. A-Trust).
- In order to increase the quality across all advisory interactions and therefore keeping up to our purpose of bringing financial health to all clients, we defined a data driven process analyzing customer needs holistically.
To ensure a professional preparation and interaction we analyze the following data:
- Master data, such as name, date of birth, address
- Data of products and transactions
Based on this information we derive our clients’ actual financial status for the relevant financial needs: Monthly Cashflow (budget plan), Liquidity and Reserve, Building Wealth, Pre-caution, Protecting risks and Managing Debt. These objective criteria allow us to provide consistent service in the interest of our clients. Data will be deleted if its either older than 5 years or if the business relationship is dissolved.
- Processing on the basis of consent
If there is neither a contract nor a legal obligation or a legitimate interest, processing the data may still be lawful if you have given us your consent to do so. The scope and content of this data processing will invariably depend on the consent given in a certain case - for example, if you allow us to take your photo in the context of establishing your identity. You can withdraw your consent at any time for the future. The withdrawal of consent shall, however, not affect the lawfulness of processing before the withdrawal of consent. This means that withdrawal of consent shall not be effective for the past.
- Processing for statistical purposes
We also process your personal data for statistical purposes in accordance with Article 7 of the Austrian Data Protection Act.
- Will data other than those collected from me be processed?
Most of your personal data that we process will have been provided by you. However, your data may also originate from other sources:
For the categories of data and data processing mentioned above, the other explanations in this information sheet shall also apply (with the exception of the previous item 3., “For which purposes and on what legal basis are my personal data processed?”)
Am I obliged to provide my personal data? What will happen if I do not want to do so?
For our business relationship, we require many of your personal data, e.g. for re-order of a debit card that is to be sent to you. If we cannot verify your identity, the law will prohibit us from doing business with you. If we do not know your creditworthiness, we will not be allowed to grant you a loan. So you see we must process your personal data wherever it is required by contract or by law. If you do not want us to do so, we may unfortunately not be allowed to provide certain services. If we process your data only on the basis of your consent, you will not be obliged to give this consent and provide the data.
Is there any automated decision-making, including profiling?
If automated decision-making, including profiling, takes place in the course of a specific processing operation, you will be informed of this in advance.
When granting loans, we check your creditworthiness on the basis of the so-called credit scoring. In the process, the default risk of credit applicants is assessed with the help of statistical benchmark groups.
The calculated score enables us to forecast the probability with which a loan applied for is likely to be redeemed. The following data are used to calculate this score:
- Your master data, e.g. marital status, number of children, length of employment, employer, etc.
- Information on your general financial circumstances, e.g. income, assets, monthly expenses, liabilities, collaterals, etc.
- Data on payment behaviour, e.g. loan repayments, reminders, data from credit information bureaus
If the risk of default is too high, the credit application will be rejected and there may be an entry in the KSV 1870 KKE and an internal warning. If a credit application is rejected, this will be shown in the KSV 1870 KKE for 6 months (according to the Notification of the data protection authority).
To whom will my personal data be disclosed?
Your personal data may be disclosed to:
- Credit institutions, bodies and persons within the network of Sparkasse savings banks, Erste Bank and Erste Group who require the data for contractual, legal or regulatory duties as well as for legitimate interests. This applies in particular to risk management within Erste Group and to the management of credit risks when credit institutions within Erste Group have identical customers.
- Information bureaus like Kreditschutzverband von 1870 (Credit Protection Association of 1870)
- Public bodies and institutions as well as persons with a sovereign mandate, to the extent that we are legally required to do so or in order to protect our legitimate interests, e.g. the European Bank Supervisors, the European Central Bank, Financial Market Authority, the Austrian National Bank, tax authorities, etc.
- Processors and other service providers (controllers) commissioned by us, e.g. for IT, back office, legal and tax advice, chartered accountants and collection companies, to the extent they require the data for their tasks.
- Bank auditors and auditors of annual financial statements, insofar as this is necessary for the auditing activity
- Third parties, if this is mandatory for the fulfilment of the contract or legal provisions, e.g. the recipients of a bank transfer and their payment service provider.
- Validation services, e.g. Rundfunk und Telekom Regulierungs-GmbH (the radio and telecommunications regulation company), to the extent this is necessary to verify a digital signature or digital seal transmitted by you.
- Trust service providers, e.g. A-Trust, if we provide a document containing your data with our digital signature.
Disclosure to third parties may also take place if you have consented to the disclosure and for the period of your valid consent.
A list containing an overview of potential recipients can be found here.
Will my data be transferred to a third country?
Your personal data may be transferred to a third country in the following cases:
- this is necessary in order to assert, exercise or defend legal claims or there is a legal obligation, e.g. at the request of the authorities under a mutual legal assistance agreement.
- This is necessary for your contract or for pre-contractual measures, for instance, if funds are to be transferred to a third country
- Our processors and sub-processors may be located in third countries. Unless the transfer is based on an adequacy decision of the European Commission, we will transfer the data on the basis of appropriate or suitable safeguards. We will be happy to provide you with these on request.
- You will receive a special notification in other cases of data being transferred to a third country.
A list containing an overview of potential recipients in third countries can be found here.
For how long will my personal data be stored?
(All links are valid as of May 2024)
Your personal data will be stored for as long as is necessary for the respective purpose: this may be the duration of the customer relationship, pending legal proceedings or the existence of a claim, or if required by law. Retention may also be necessary if you have ceased to be our customer.
The essential legal provisions applicable to credit institutions include:
- the Austrian Companies Code, Article 212 (7 years)
- the Federal Tax Code, Article 132 (7 years or for the duration of tax proceedings);
- the Securities Supervision Act 2018, Article 33 (5 or 7 years by order of the Financial Market Authority).
- Financial Market Money Laundering Act, Article 21 (10 years from the end of the business relationship).
An overview of other statutory retention obligations applicable in Austria can be found here, for example:
https://www.wko.at/service/wirtschaftsrecht-gewerberecht/eu-dsgvo-speicher-und-aufbewahrungsfristen.html
The Bank has a legitimate interest in retaining your personal data in the following cases:
- Applications for financing can be kept for up to 18 months after they have been made. This serves our legitimate interest in documenting a customer contact and our ability to process the application quickly when you come back to us.
- If you use George Store and do not complete the purchase, your personal data will be stored for 60 days. During this time, you can use the recovery link and complete the purchase
- When you use the George Store, metadata (e.g., log data, technical log data, date and timestamp) related to the completed purchase is stored for 60 days. We do this to identify potential operational issues arising from the purchase process. We also use this data to defend against potential legal claims and to perform maintenance.
- SWIFT messages are kept for 30 years for the purpose of preventing and combatting fraud and for the prevention of money laundering and terrorist funding.
- Data on receivables sold are kept for 30 years from the date of sale. This serves the Bank's legitimate interest of averting possible objections arising from the sale of receivables.
- Your personal data may also be retained to document past damage cases, as an aid to decision-making about entering into new or extended customer relationships. Specifically:
- 7 years in a damage case, if
- the amount of damage at the time the case was closed did not exceed 20,000 euros, or
- there is otherwise no interest in a business relationship due to special circumstances
- 12 years in a damage case if
- the amount of the loss at the time the case was closed was more than 20,000 euros, or
- insolvency proceedings have been instituted against your assets during our business relationship.
- 30 years in particularly serious, exceptional cases after detailed examination in each individual case.
- 7 years in a damage case, if
The retention period starts when the damage case has been closed, i.e. as soon as a debt/claim no longer exists or insolvency proceedings have been terminated or cancelled. In addition, data on past damage cases must be stored for regulatory purposes, e.g. the data are also used for our model to calculate defaults. However, only a limited group of people will have access to these data. They are no longer visible to account managers. The data will also not affect existing or future business relationships.
What rights do I have?
The GDPR grants you the following rights regarding your personal data. You are entitled to:
- Access according to article 15 GDPR
- Rectification according to article 16 GDPR
- Erasure according to article 17 GDPR
- Restriction of processing according to article 18 GDPR
- Data portability according to article 20 GDPR
- Objection according to article 21 GDPR
- Decisions that are not exclusively based on an automated processing—including profiling according to Article 22 GDPR
What does the right of access mean?
You have the right to request confirmation from us as to whether we process your personal data. If this is the case, you also have the right to access this personal data as well as the following information:
- Purposes of the processing
- Categories of personal data that are processed
- The recipients or categories of recipients to whom the personal data has been or will still be disclosed, especially in the case of recipients in third countries or in international organisations
- Where possible, the intended duration for which the personal data will be stored or, if this is not possible, the criteria for the determination of such a duration;
- The existence of the right for the rectification or erasure of your personal data; the restriction of, or objection to, this processing;
- The right to lodge a complaint with a supervisory authority
- All available information regarding the origin of the personal data if the data is not collected from the data subject
- Whether an automated form of decision-making including profiling exists, according to Article 22, paragraphs 1 and 4 GDPR and — at least in these cases — detailed information regarding the reasoning, scope and impact of such a method of processing for the data subject.
You can find out exactly how you can assert your right here.
What does the right to rectification mean?
We consider it to be important that your data are accurate and complete at all times. If you suspect that they may be incorrect or incomplete, you are able to request the rectification or completion of your data. You can find out how you can assert your right here.
What do the “Right to erasure” and the “Right to be forgotten” mean?
We attribute considerable importance to ensuring that your data are only processed as per the framework conditions of the GDPR and the DSG. If you are of the reasoned opinion that this is not the case, however, you can request the erasure of your personal data. The reasons for this can be as follows:
- The personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed.
Example: Your personal data must be erased if they were only collected for the completion of a purchase (= sole purpose) and you did not provide your consent for the data to be processed for any other purposes. In this case, the further processing of the data is no longer necessary following the completion of the purchase and the expiry of a retention obligation. The retention obligations can be found here.
- You withdraw your consent on which the processing was originally based according to Article 6, para. 1, letter a, GDPR or Article 9, para. 2, letter a, GDPR, and no other legal basis exists for the processing.
Example: You provided your consent to the processing of your personal data for the individual product offers of a third party (= sole purpose). As soon as you withdraw this consent, the personal data must be erased again. Exceptions: Other purposes or justifications for the processing exist and you are also in a customer relationship with the third-party provider, for instance.
- You lodge an objection to the processing according to Article 21, para. 1, GDPR, and no overriding legitimate reasons exist for the processing.
Example: You can lodge an objection, for instance, if somebody processes your personal data without your consent only because s/he claims s/he has a legitimate interest to do so (and no other form of justification exists). If you lodge an objection and there was, in fact, no legitimate interest, the personal data must be erased. The objection was a success.
- The personal data have been unlawfully processed.
Unlawfully (unfoundedly) processed personal data must be erased.
- The erasure of personal data is subject to a legal obligation according to the EU- or member state law to which the Controller is subject.
This means laws or other legal provisions which require an erasure of personal data.
- The personal data were collected in relation to information society services offered according to Article 8, para. 1, GDPR.
This relates to a special protection arrangement for the benefit of minors who make use of online services.
The was a brief summary of the right to erasure. This should not be confused with the “Right to be forgotten”.
The “right to be forgotten” refers to personal data that has been made public. It stipulates the following: If the person who originally published the data must erase this data (due to the existence of one of the aforementioned reasons for erasure), then they must also notify those persons who received the data on the grounds of the publication. In detail, this rule is very complicated. In this context, the GDPR makes particular reference to internet search engines.
You can find out how you can assert your right to erasure and your right to be forgotten here.
What does the right to the restriction of processing mean?
We attribute considerable importance to ensuring that your data are processed as per the framework conditions of the GDPR and the DSG. If you are of the opinion that this is not the case, however, you have the right to request the restriction of the processing of your personal data. This is only possible on the following legitimate grounds, however:
- You contest the accuracy of your personal data. You can request the restriction of processing of your personal data for a period that enables the Controller to verify the accuracy of the personal data.
People don't always share the same opinion. To ensure that the contested personal data are not immediately erased or have to be changed, their further processing can be restricted for the duration of the matter. It might be the case that the data were correct after all.
- The processing of personal data is unlawful. Instead of the erasure, however, you would prefer that “only” the use of the personal data is restricted.
The GDPR therefore provides you with a choice: If you do not want unlawfully processed data to be erased immediately, you can request that they continue to be saved, but are no longer used.
- Controllers no longer require your personal data for the processing. You require the data for the establishment, exercise or defence of legal claims, however.
If your personal data should actually have been erased, but you require them for your own defence or for the assertion of your rights, they can continue to be processed for these purposes.
- You have lodged an objection to the processing according to Article 21, para. 1, GDPR. As long as it is not yet certain that the legitimate reasons of the Controller override your interests, it is possible to request the restriction of processing.
To ensure that the contested personal data do not have to be immediately erased, their further processing can be restricted for the duration of the matter. It might be the case that the processing was legitimate after all.
You can find out how you can assert your right to the restriction of processing here.
What does the right to data portability mean?
Your personal data belongs to you. You therefore have the right to receive such data in a structured, common and machine-readable format. This relates to data which you have provided to us and which is processed automatically on the basis of your consent or the fulfilment of a contract. You can also request us to transfer this personal data directly to another Controller.
In which form will I receive the data?
We provide the data in a common machine-readable format. You can find out how you can assert your right here.
What important security instructions should I take into consideration?
The protection of your personal data and your money is just as important to you as it is to us. In this respect, please consider your right to data portability in the same way as you would a bank statement. Would you “simply” send your bank statement to someone else?
Please also remember that your financial data contain personal data of other persons: If you transfer money to someone else, their details can also be seen in the transaction data – in the same way as they are shown on a bank statement. These persons have rights and freedoms as well. Therefore, we will only transfer the data to persons other than you directly,
- if you expressly tell us to do so,
- if you release us from banking secrecy, and
- if it concerns financial services companies, solicitors’ offices, a notary public, tax consultants, chartered accountants or a public authority.
Please contact us beforehand if you wish to assert your right to data portability. Please also note the current security information at https://www.sparkasse.at/sicherheitscenter/sicherheit.
Our tip: You can also view and save your transaction data yourself in George at any time, for example, data concerning accounts, credit cards, financing arrangements or securities deposits. This means you maintain a current overview at all times.
What does the right to object mean?
Your data can be processed if a legitimate interest exists for their processing.
If such a legitimate interest is claimed, you must be informed of it. If you are then of the opinion that the legitimate interest does not exist, you can lodge an appropriate objection. This applies when your personal data are used for direct marketing purposes in particular. Insofar as Controllers are unable to demonstrate any legitimate grounds for the further processing, your personal data will not be processed any further after the objection. Except for processing for the purposes of direct marketing: in this case your objection is immediately valid.
You can find out how you can assert your right to object here.
What does the right not to be solely subject to a decision which is based on automated processing – including profiling – mean?
You will be informed separately prior to any automated decision-making processes according to Article 22, GDPR. In those instances, you have the right to obtain human intervention, to express your point of view and to contest the decision.
What information do I have to provide?
We do not want your financial data to fall into the wrong hands. We kindly ask for your understanding that in case of doubt, we will request more information regarding your identity.
How can I submit the request?
No matter which right you wish to assert, please submit your request (with reference to your account-holding bank) in one of the five ways:
- by s Contact message in George: If two topics are displayed for you to choose from, please click on "General Data Protection Regulation” (GDPR). Otherwise, simply type "Data protection" in the subject line of your message
- via our web form for exercising data subject rights
- by email, ideally with qualified electronic signature, to GDPR-Support@erstegroup.com
- by letter, please sign in person and enclose a copy of your identity card, to
Erste Group Bank AG
0196 1905/AT Data Privacy Security Management
Am Belvedere 1
1100 Vienna - personally in one of the Bank's branches
Please draft your request as accurately as possible – so that we can process it as quickly as possible. Please comply with the special instructions regarding your right to data portability.
How long will it take to process my request?
We will provide you with the corresponding information about the measures as soon as possible, and within one month following the receipt of your request.
The deadline can be extended by another 2 months if necessary due to the complexity and the number of requests. We will be certain to inform you of a possible extension to the deadline within one month of the receipt of your request, however.
How will my request be processed?
Financial matters are confidential – and unfortunately, emails are not always trustworthy. In terms of security, emails are more like a postcard than a letter. Since we would never wish to send your banking details on a postcard, we will provide you with the information by post, s Contact or s Box (our own online data hosting service).
Please always make sure that you refer to the security information at https://www.sparkasse.at/sicherheitscenter/wichtige-sicherheitstipps.
What should I take into consideration with the right to data portability?
- Please remember that your financial data contain personal data of other persons: If you transfer money to friends or family members, their details can also be seen in the transaction data – in the same way as they are shown on a bank statement.
- Therefore, we will only transfer data directly to others if you
- expressly tell us to do so,
- absolve us from the banking confidentiality agreement, and
- if it concerns financial services companies, solicitors’ offices, a notary public, tax consultants, chartered accountants or a public authority. Please contact us beforehand if you wish to assert your right to data portability.
- Before you assert your right to data portability: Did you know that you can also view your transaction data in George and can save them there yourself?
Does it cost me anything to assert my rights?
No, such requests are settled at no cost. Exception: We are only authorised to demand an appropriate payment if requests are obviously unsubstantiated or found to be excessive. In this case, the administration costs for the notification, rejection or completion of the requested measure are considered.
What are the possibilities for lodging a complaint?
If you have any complaints, questions or recommendations on the topic of data protection, our Data Protection Officer will be pleased to assist you. We believe that an amicable solution can be found for almost any problem.
If you do not receive a timely answer to a request, you are of the opinion that your right to data protection has been infringed, or you do not believe we have handled your request lawfully, you can also lodge a complaint with the responsible supervisory authority:
Austrian Data Protection Authority
Barichgasse 40-42
1030 Vienna
Austria
Telephone: +43 1 52 152-0
email: dsb@dsb.gv.at
https://www.dsb.gv.at/
In addition to this, any person to suffer tangible or intangible damage due to an infringement of the GDPR of Article 1 or Article 2 1 of the principal part of the DSG, is entitled to claim compensation from Controllers or Processors in accordance with Article 82, GDPR. In detail, the general conditions of civil law apply in such cases. Please note that the Austrian Data Protection Authority is not responsible for claims for compensation, but the local district court of your parish which is responsible for matters of civil law. Requests and lawsuits can also be submitted to the district court in the parish of which the defendant has their usual place of residence, head office or subsidiary office. You can find out the responsible court here: https://www.justiz.gv.at/
Last update: June 2024
We use cookies to analyse the access of our website and to create content and offers that meet your needs. In your browser settings you can choose to be asked for your consent before using a cookie or generally block the use of cookies. On our page "Data processing for online services" you will find more information and the possibility to object to the use of cookies.
We use video surveillance in many of our areas to ensure increased security. These areas are marked accordingly.
We use video surveillance for these purposes:
- To enforce our house rules and to prevent attacks
- To protect customers, employees and the property of the bank
- To enforce and defend against legal claims
- To collect evidence in the event of criminal offenses
- For evidence of withdrawals and deposits (at ATMs and in branches)
Storage duration of the video recording:
- We store the recordings for 90 days and then delete them.
- Longer storage is possible, if necessary, e.g. if proceedings are ongoing (in the event of suspected fraud)
Responsible for video surveillance:
Erste Group Bank AG
(Area of Erste Campus)
Am Belvedere 1
1100 Vienna
Note:
If a tenant of Erste Campus claims a legitimate interest, we can also pass on the video recordings to them. A list of tenants can be found under Campus Mieter | Erste Group Bank AG.
Contact for requests regarding data protection:
Erste Group Bank AG
0196 1905/AT Data Privacy Security Management
Am Belvedere 1
1100 Vienna
E-Mail: GDPR-Support@erstegroup.com
You can reach the person responsible for data protection at:
Erste Group Bank AG
0196 0358/Data Protection Office
Am Belvedere 1
1100 Vienna
E-Mail: datenschutz@erstegroup.com