Who is the data controller?
For processing your data the following entity is responsible:
Erste Group Bank AG
Am Belvedere 1, 1100 Vienna
Contact for requests relevant for data protection:
Erste Group Bank AG
Bonitäts- und Wirtschaftsdaten (Creditworthiness and Economic Data)
Data Protection Management Support Office
Am Belvedere 1, 1100 Vienna
Austrian Data Protection Authority
Phone: +43 1 52 152-0
Who is data protection officer?
The function of the data protection officer is assumed by Gregor König. In case of questions, remarks or complaints regarding the processing, you can contact him and his team here:
Gregor König – data protection officer
Erste Group Bank AG
Am Belvedere 1
What personal data is processed?
We process the following personal data on you, on the ultimate beneficial owner, on authorized signatories or on other representatives of your company:
- Master and legitimation data of the contact persons representing your company, e.g. name, address, date of birth, telephone number, fiscal status, ID card data, ID card copy, bank details (IBAN) etc.
- Customer relationship management, e.g. hobbies, interests, etc.
- Product, service and contract data, e.g. product possession, disposition option, sales and transactions, use of digital banking and portals (cookies), advice records, etc.
- Creditworthiness data, e.g. rating, warning list entries, etc.
- Image and sound data, e.g. video records, recorded telephone conversations and your photo (if you have consented to the taking of your photo), etc.
- Processing results to fulfil the contracts and consents
- Data to satisfy legal and regulatory specifications
Please consider: The above is a general enumeration. We do not possess all of the data mentioned above. For a detailed, individual overview, you have the right of access and may request the overview from us.
Where does the personal data we process come from?
Most of the personal data that we process about you has been provided by yourself, ultimate beneficial owners, authorized signatories or other representatives of your company: for example when opening the account, taking out a loan, conducting security transactions, agreeing on an appointment, in a request on our websites, etc.
Apart from that, the data may come from the following sources:
- Debtor directories, such as CRIF GmbH
- Publicly available sources, e.g. company register, land register, insolvency file, register of associations
- From other institutions of the Erste Group Bank AG, Erste Bank and Sparkasse for the risk control and consolidation in the credit institute group according to the Banking Act and the Capital Adequacy Regulation EU 575/2013
In addition, we may receive data from state authorities or from persons on behalf of the government such as criminal courts, prosecutions or court commissioners.
For which purposes and on the basis of which legal foundation are my personal data processed?
We are a credit institution according to section 1 subsection 1 Banking Act and article 4 subsection 1 number 1 of the Regulation (EU) 575/2013. Here, the designations “bank” and “credit institution” are synonymous. Within the scope of these activities, we process your personal data. This means in detail:
Processing for the contract performance
Depending on the type of contract concluded with you, we are allowed to offer certain services to you. There may for example be credit agreements or account agreements. For this purpose, we have to process your data. The underlying contracts are as numerous as our offer is versatile, so the scope of the data processing is defined in the contractual documents and terms and conditions.
Processing to satisfy a legal obligation
We may also be required to process your personal data by legal regulations and purposes, e.g.:
- Credit risk management: Banking Act; Capital Requirements Regulation EU 575/2013
- Monitoring of insider trade, conflicts of interest and market manipulation: Securities Supervision Act 2018, Stock Exchange Act, Market Abuse Regulation EU 596/2014
- Identity determination, transaction monitoring, suspect notifications: Financial Market Money Laundering Act and Funds Transfer Regulation EU 847/2015
- Notifications in the account register and notifications of capital outflow: Account Register and Account Inspection Act, Capital Outflow Reporting Act
- Recording of telephone conversations and electronic communication in securities transactions such as the acceptance, transfer and execution of customer orders according to the Securities Supervision Act 2018 or also in securities trade on one’s own account
- Information in criminal proceedings to the prosecutions and courts as well as to authorities prosecuting tax offences due to intentional financial offences: Banking Act, Criminal Procedure Code, Law on Financial Crime
Processing due to a legitimate interest
There is also a legitimate interest in the data processing by us or third parties in the following cases:
- Requests and data exchange to determine creditworthiness and default risks vis-à-vis credit agencies
- Video monitoring to gather evidence in case of offences or to prove dispositions and payments, e.g. at ATMs — this particularly serves the protection of customers and employees
- Measures for fraud prevention and fighting, fraud transaction monitoring
- Data processing within the scope of prosecution
- Data processing for product development for efficient processing in payment transactions
- Recording of telephone conversations, e.g. for complaints or for the documentation of so-called declarations relevant for the transaction, e.g. card blocking
- Calculation of your financing potential in order to use it for innovative online credit offers
The processing of personal data for direct marketing may also be a legitimate interest.
Processing on the basis of consent
If there is neither a contract nor a legal obligation or legitimate interest, the data processing may still be legitimate: i.e. in cases in which you have granted us your consent and/or approval. The scope and content of this data processing always result from the relevant consent. It is decisive that you can withdraw your consent at any time.
The withdrawal, however, does not affect the lawfulness of the processing based on this consent before its withdrawal. That means in other words that a withdrawal does not have any effect on the past.
Am I obliged to provide my personal data? What happens if I don’t want to do so?
For our business relationship, we need your personal data or the personal data of a representative of your company (ultimate beneficial owner, authorized signatories, etc.). If we do not know your name and your address, we are, for example, not able to correspond with you by mail. If we are not able to check your identity, we are not allowed by law to establish a business relationship. So you see: In cases in which it is required for the business relationship based on a contract or a legal regulation, we have to process some personal data. If you do not consent, we may unfortunately not be allowed to render or offer certain products or services.
Is there decision-making based on automated processing – e.g. profiling?
At the beginning or during our business relationship, we do not use any automated decision-making according to article 22 GDPR.
To whom do you transfer my personal data?
Your personal data may be transferred to:
- Credit institutions, departments and persons (employees and vicarious agents) within the Sparkasse group, Erste Bank and Erste Group Bank AG who need these data for the contractual, legal or supervisory performance of duties as well as for the protection of legitimate interests
- Public bodies and institutions if we are legally obliged to do so, e.g. European Banking Supervisor, European Central Bank, Austrian Financial Market Supervision, financial authorities, etc.
- Third parties commissioned by us, e.g. for IT and back office services as well as bank auditors if they need them for their task. Third parties are contractually obliged to treat your data confidentially and to only process them within the scope of the service provision
- Third parties if this is binding for the contract performance or due to legal regulations, e.g. of the recipient of a bank transfer and their payment service provider
- The data may also be transferred to third parties if you have consented to the transmission
Are my personal data transferred to a third country?
Our processors may cooperate with sub-processors in third countries, e.g. in India. These sub-processors are obliged to comply with Austrian data protection and security standards.
How long are my personal data stored?
(All links as of May 2018)
Your personal data are at least stored for as long as it is necessary for the performance of their relevant purposes. Apart from that, it is legally prescribed for which period the data have to be stored. These storage obligations may even exist if you are no longer our customer. An overview of the legal storage obligations applicable in Austria is available here:
What security measures are adhered to in the context of data processing?
Data protection and data security are important to us. We have taken all technical and organizational measures in order to protect our data processing. This specifically includes protection of your personal data. They are protected from unauthorized or illegal processing, accidental loss, accidental destruction or damage. These measures include, for example, the application of modern security software and encryption methods, physical access control and precautionary measures to prevent external and internal attacks.
Practical tips on how you can help protect your personal data can be found here.