Data protection

Thank you for your interest in our website and our company. Although we carefully check external links, we are not liable for the content and security of these external links.

We protect your personal information as best we can when collecting, processing and during your visit to our website. Your data is protected by law. Below you will find explanations on the nature of the information collected when you visit our website and how they are used.

As of May 25, 2018, the General Data Protection Regulation, briefly GDPR, will apply in the European Union. It contains regulations regarding the processing and the protection of your personal data. This document provides you with the essential information regarding data protection in a summarized form.

What is GDPR?

The GDPR is a regulation of the European Union. It is directly applicable in every member state of the EU, hence also in Austria. Every natural person can refer to the GDPR if his/ her data is being processed.  Detailed information can be found here

What does the GDPR regulate?

The GDPR contains regulations on processing of you personal data. This includes for example your name, phone number, your account turnover or your hobbies – all of this is protected by the GDPR. The principles stipulated by the GDPR regulate how your personal data can be stored or processed. Detailed information can be found here.

Why is there still an Austrian data protection law (DSG 2018)?

Not only has the European Union adopted the GDPR, but it has introduced a complete data protection package. A part of this package was the new data protection guideline. What differs a guideline from a regulation? A guideline has to be translated into national law in order to become effective. Furthermore, the GDPR leaves room for the member states to manage certain aspects in more detail.

Austria is covered both by the “Datenschutz-Anpassungsgesetz 2018” (DSG or DSG 2018) as well as the GDPR. If appropriate for you, we will always consider the DSG 2018 as well for you.

Why is it important to protect my data?

Data protection is a basic right. Your right of data protection is anchored in the EU-Charter of Fundamental Rights the same way as your right to freedom and right to safety. The EU-Charter of Fundamental Rights is valid between you and state institutions.

Furthermore, it is legally accepted that the private and business sector also have to ensure a balanced relationship of interest between data processor and data subject – e.g. between you and your bank. These rules can be found in the GDPR and DSG 2018.

Personal data provide a lot of information about us: our hobbies, preferences and dreams may become apparent. Evidently, this is worth protecting. However, we are only able to improve our services for you individually, if we understand your preferences. A core element of data protection is to find a common ground on how your personal data can be processed in your interest under our supervision.

A core element of data protection is that we can together find a way in which we can process your data in your interest and under your supervision. Further information can be found here.

Is the bank secrecy law not valid anyhow in Austria?

Yes, all information provided to us over the course of our business relationship is protected by the Austrian bank secrecy law – acc. to § 38 BWG. The GDPR complements this law.

Good to know: The release of bank secrecy is only valid if conducted in written form – see §38 paragraph 2 point 5 BWG. “Written” means:

  • Signature by one’s own hand e.g. “ink and paper” or
  • Qualified electronic signature, e.g. “mobile signature”or
  • Strong client authentication in digital banking e.g. temporarily with password and TAC SMS; CardTAN or sIdentify-method in George

Where can I learn more about GDPR and DSG 2018?

(All links as of May 2018)

The text of the GDPR can be found here:

The text of the DSG 2018 can be found here:

The EU-Charter of Fundamental Rights:

Further information regarding your rights can be found on the following Homepages:

Österreichische Datenschutzbehörde

European Commission:

(All links as of May 2018)

In order to talk about data protection, it is important to clarify basic definitions. We have listed the corresponding Articles of the GDPR, so you can read up on them in case you are interested. Please note that we only show summarized versions of the text. The full text of GDPR can be found here:

What is “personal data”?

“Personal data” is all information that relates to an identifiable natural person („data subject“). An identifiable person is a natural person that can be identified directly or indirectly, by Name or identification number such as IBAN or account ID.

This information can be found in Art. 4 point 1 GDPR.

What is „data processing“?

The term “processing” covers every procedure in the context of personal data that is conducted with or without automated processing. This includes for instance collecting, capturing, organizing, sorting, storing adapting or changing, reading out, requesting, using, publishing (transmitting, spreading or another form of making data available), comparing, linking, limiting or deleting.

This information can be found in Art. 4 point 2 GDPR.

What is a “data controller”?

The term “data controller” comprises every natural or legal person, authority or institution that decides upon the purpose and way of processing personal data either alone or together with other institutions. We as a bank for instance are a data controller.

This information can be found in Art. 4 point 7 GDPR.

What is a “data processor”?

The term “data processor” comprises every natural or legal persons, authority or institution that processes personal data on behalf of a data controller.

This information can be found in Art. 4 point 8 GDPR.

Who is the data controller?

For processing your data the following entity is responsible:

Erste Group Bank AG
Am Belvedere 1, 1100 Vienna

Contact for requests relevant for data protection:

Erste Group Bank AG
Bonitäts- und Wirtschaftsdaten (Creditworthiness and Economic Data)
Data Protection Management Support Office
Am Belvedere 1, 1100 Vienna


Supervisory authority:

Austrian Data Protection Authority
Barichgasse 40-42
1030 Vienna

Phone: +43 1 52 152-0


Who is data protection officer?

The function of the data protections officer is assumed by Gregor König. In case of questions, remarks or complaints regarding the processing, you can contact him and his team here:

Gregor König – data protection officer
Erste Group Bank AG
Am Belvedere 1
1100 Vienna


What personal data is processed?

We process the following personal data on you, on the ultimate beneficial owner, on authorized signatories or on other representatives of your company:

  • Master and legitimation data of the contact persons representing your company, e.g. name, address, date of birth, telephone number, fiscal status, ID card data, ID card copy, bank details (IBAN) etc.
  • Customer relationship management, e.g. hobbies, interests, etc.
  • Product, service and contract data, e.g. product possession, disposition option, sales and transactions, use of digital banking and portals (cookies), advice records, etc.
  • Creditworthiness data, e.g. rating, warning list entries, etc.
  • Image and sound data, e.g. video records, recorded telephone conversations and your photo (if you have consented to the taking of your photo), etc.
  • Processing results to fulfil the contracts and consents
  • Data to satisfy legal and regulatory specifications

Please consider: The above is a general enumeration. We do not possess all of the data mentioned above. For a detailed, individual, overview, you have the right to access and may request the overview from us.

Where does the personal data we process come from?

Most of the personal data that we process about you has been provided by yourself, ultimate beneficial owners, authorized signatories or other representative of your company: for example when opening the account, taking out a loan, conducting security transactions, agreeing on an appointment, in a request on our websites, etc.

Apart from that, the data may come from the following sources:

  • Debtor directories, such as CRIF GmbH
  • Publicly available sources, e.g. company register, land register, insolvency file, register of associations
  • From other institutions of the Erste Group Bank AG, Erste Bank and Sparkasse for the risk control and consolidation in the credit institute group according to the Banking Act and the Capital Adequacy Regulation EU 575/2013

In addition, we may receive data from state authorities or from persons on behalf of the government such as criminal courts, prosecutions or court commissioners.

For which purposes and on the basis of which legal foundation are my personal data processed?

We are a credit institution according to section 1 subsection 1 Banking Act and article 4 subsection 1 number 1 of the Regulation (EU) 575/2013. Here, the designations “bank” and “credit institution” are synonymous. Within the scope of these activities, we process your personal data. This means in detail:

Processing for the contract performance

Depending on the type of contract concluded with you, we are allowed to offer certain services for you. There may for example be credit agreements or account agreements. For this purpose, we have to process your data. As versatile as our offer, as numerous are the underlying contracts. So the scope of the data processing is defined in the contractual documents and terms and conditions.

Processing to satisfy a legal obligation

We may also be required to process your personal data by legal regulations and purposes, e.g.:

  • Credit risk management: Banking Act; Capital Requirements Regulation EU 575/2013
  • Monitoring of insider trade, conflicts of interest and market manipulation: Securities Supervision Act 2018, Stock Exchange Act, Market Abuse Regulation EU 596/2014
  • Identity determination, transaction monitoring, suspect notifications: Financial Market Money Laundering Act and Funds Transfer Regulation EU 847/2015
  • Notifications in the account register and notifications of capital outflow: Account Register and Account Inspection Act, Capital Outflow Reporting Act
  • Recording of telephone conversations and electronic communication in securities transactions such as the acceptance, transfer and execution of customer orders according to the Securities Supervision Act 2018 or also in securities trade on one’s own account
  • Information in criminal proceedings to the prosecutions and courts as well as to authorities prosecuting tax offences due to intentional financial offences: Banking Act, Criminal Procedure Code, Law on Financial Crime

Processing due to a legitimate interest

There is also a legitimate interest in the data processing by us or third parties in the following cases:

  • Requests and data exchange to determine creditworthiness and default risks vis-à-vis credit agencies
  • Video monitoring to gather evidence in case of offences or to prove dispositions and payments, e.g. at ATMs — this particularly serves the protection of customers and employees
  • Measures for fraud prevention and fighting, fraud transaction monitoring
  • Data processing within the scope of prosecution
  • Data processing for product development for efficient processing in payment transactions
  • Recording of telephone conversations, e.g. for complaints or for the documentation of so-called declarations relevant for the transaction, e.g. card blocking
  • Calculation of your financing potential in order to use it for innovative online credit offers

The processing of personal data for direct marketing may also be a legitimate interest.

Processing on the basis of consent

If there is neither a contract nor a legal obligation or legitimate interest, the data processing may still be legitimate: i.e. in cases in which you have granted us your consent and/or approval. The scope and content of this data processing always result from the relevant consent. It is decisive that you can withdraw your consent at any time.

The withdrawal, however, does not affect the lawfulness of the processing based on this consent before its withdrawal. That means in other words that a withdrawal does not have any effect on the past.

Am I obliged to provide my personal data? What happens if I don’t want to do so?

For our business relationship, we need your personal data or the personal data of a representative of your company (ultimate beneficial owner, authorized signatories, etc.). If we do not know your name and your address, we are, for example, not able to pursue mail correspondence with you. If we are not able to check your identity, we are not allowed to establish a business relationship by law. So you see: In cases in which it is required for the business relationship based on a contract or a legal regulation, we have to process some personal data. If you do not consent, we may, unfortunately, possibly not be allowed to render or offer certain products or services.

Is there decision-making based on automated processing– e.g. profiling?

At the beginning or during our business relationship, we do not use any automated decision-making according to article 22 GDPR.

To whom do you transfer my personal data?

Your personal data may be transferred to:

  • Credit institutions, departments and persons (employees and vicarious agents) within the Sparkasse group, Erste Bank and Erste Group Bank AG who need these data for the contractual, legal or supervisory performance of duties as well as for the protection of legitimate interests
  • Public bodies and institutions if we are legally obliged to do so, e.g. European Banking Supervisor, European Central Bank, Austrian Financial Market Supervision, financial authorities, etc.
  • Third parties commissioned by us, e.g. for IT and back office services as well as bank auditors if they need them for their task. Third parties are contractually obliged to treat your data confidentially and to only process them within the scope of the service provision
  • Third parties if this is binding for the contract performance or due to legal regulations, e.g. of the recipient of a bank transfer and their payment service provider
  • The data may also be transferred to third parties if you have consented to the transmission

Are my personal data transferred to a third country?

Our processors may cooperate with sub- processors in third countries, e.g. in India. These sub-processors are obliged to comply with Austrian data protection and security standards.

How long are my personal data stored?

(All links as of May 2018)

Your personal data are at least stored for as long as it is necessary for the performance of their relevant purposes. Apart from that, it is legally prescribed for which period the data have to be stored. These storage obligations may even exist if you are no longer our customer. An overview of the legal storage obligations applicable in Austria is available here:

What security measures are adhered to in the context of data processing?

Data protection and data security is important to us. We have taken all technical and organizational measures in order to protect our data processing. This specifically includes protection of your personal data. They are protected from unauthorized or illegal processing, accidental loss, accidental destruction or damage. These measure, for example, include application of modern security software and encryption methods, physical access control and precautionary measures to prevent external and internal attacks.

Practical tips on how you may support in protecting your personal data can be found here.

Which Rights do I have?

The GDPR grants the following rights regarding your personal data or the personal data of the company representative or other representative of your company (ultimate beneficial owner, authorized signatories, etc.) of whom we process personal data. You are entitled to:

  • Access according to article 15 GDPR
  • Rectification according to article 16 GDPR
  • Erasure according to article 17 GDPR
  • Restriction of the processing according to article 18 GDPR
  • Data portability according to article 20 GDPR
  • Object according to article 21 GDPR
  • Decisions that are not exclusively based on an automated processing - including profiling according to article 22 GDPR

What does Right to Access mean?

This means you have the right to ask for confirmation as to whether we process your personal information. If this is the case, you also have the right to access this personal data and to the following information:

  • Processing purposes
  • Categories of personal data being processed
  • Recipients or categories of recipients to whom the personal data have been disclosed or are yet to be disclosed, in particular to recipients in third countries or to international organizations
  • If possible, the planned duration for which the personal data will be stored or, if that is not possible, the criteria for determining the duration
  • The right to rectify or erase your personal data; restriction or objection to this processing
  • Right to appeal to a supervisory authority
  • All available information on the origin of the personal data, if the data is not collected from the data subject
  • Whether there is automated decision-making including profiling, in accordance with Article 22 (1) and (4) GDPR and, at least in these cases, meaningful information on the logic, scope and impact of such processing on the data subject

Further information can be found here.

What does Right to Rectification mean?

It is important to us that your data is always correct and complete. If you suspect that they are incorrect or incomplete, you can request that the data be corrected or completed. How to do that you can find here.

What do „Right to Erasure“ and „Right ot be Forgotten“ mean?

We attach great importance to your data being processed only within the framework of the GDPR and the DSG 2018. However, if you believe that this is not the case, you can request the erasure of your personal data. The reasons can be:

  • The personal data are no longer necessary for the purposes for which they were collected or otherwise processed.

Example: Your personal data must be deleted if it was collected exclusively for the purpose of processing a purchase (= sole purpose) and you have not consented to this data being processed for other purposes. In this case, it is no longer necessary to process the data after completion of the purchase and after expiry of the retention period which can be found here.

  • You revoke the consent on which the processing is based, pursuant to Article 6 (1) (a) GDPR or Article 9 (2) (a) GDPR, and there is no other legal basis for the processing.

Example: You have agreed that your personal data may be processed for individual third-party product offerings (= sole purpose). Once you revoke this consent, your personal information must be deleted. Exceptions: other purposes or justifications for processing exist and you are, for example, also in a customer relationship with the third party.

  • You object to the processing, according to Article 21 (1) GDPR, and there are no legitimate reasons for the processing.

For example, you may object if, someone processes your personal information without your consent simply because he believes that he / she has a legitimate interest in it (and there is no justification otherwise). If you object and there was no legitimate interest, the personal data must be deleted. The objection was successful.

  • The personal data were processed unlawfully.

Illegally ("without reason") processed personal data must be deleted.

  • The deletion of personal data is subject to a legal obligation under EU law or the law of the Member States of those responsible.

This means laws or other legal regulations that require the deletion of personal data.

  • The personal data were collected in relation to the society for information services offered pursuant to Article 8 (1) of the GDPR.

This is a special protection rule in favor of minors using online services.

In short, that was the right to erasure. This should not be confused with the "right to be forgotten".

The "right to be forgotten" refers to publicly-made-available personal information. It states: If the person who originally published the data needs to delete this data (because of one of the reasons for deletion mentioned above), then it must additionally inform those persons who received the data as a result of the publication, that deletion is required. This rule is quite complicated. The GDPR refers, in particular, to internet search engines in this regard.

If you want to assert you right, please have a look here.

What does right to restriction of processing mean?

We find great importance to always process your data within the framework of the GDPR and the DSG 2018. However, if you believe that this is not the case, you have the right to request that your personal data be restricted. However, this only applies to the following legitimate reasons:

  • You deny the accuracy of your personal information. For the duration of time necessary for those responsible to verify the accuracy of their personal information, you may request that processing be restricted.

You do not always agree with the accuracy of the data. However, in order for the contentious personal data not to be deleted or changed immediately, further processing may be restricted for the duration of the matter. Maybe it turns out that the data was accurate.

  • The processing of personal data is unlawful. Instead of deleting, you "only” want to restrict the use of personal data.

The GDPR gives you the right to vote: If you do not want unauthorized processed data to be deleted right away, then you can request that it be saved but no longer used.

  • Persons responsible no longer need your personal data for processing. However, you need the information to assert, exercise or defend your rights.

If your personal information should be deleted, but you need it for your own defence or enforcement, it may be processed for that purpose.

  • You have objected to the processing under Article 21 (1) GDPR. As long as it is not certain whether the legitimate reasons of the person responsible outweigh your interests, the restriction of processing may be required.

In order to avoid disputed personal data being deleted immediately, further processing may be restricted for the duration of the matter. Maybe it turns out that the processing was justified.

If you want to assert your right, please have a look here.

What does right to data portability mean

Your personal information is yours. You therefore have the right to receive this data in a structured, common and machine-readable format. This concerns data that you have provided to us and that is processed automatically on the basis of your consent or due to a contract fulfillment. You may also request that we transfer this personally identifiable information directly to another entity.

In which format do I receive this data?

We provide the data as an .XML file. Further information can be found here.

What important safety instructions should I take note of?

The protection of your personal data and your money is just as important to us as it is to you. Therefore, please consider your right to data portability as an account statement. Would you send it "just like that" to someone else?

Please also remember that your financial data contains personal data of other persons: If you have transferred money to someone, this is also evident in the transferred data - as well as on a bank statement. These people also have rights and freedoms. Therefore, we will only transmit your data to other persons than you only if,

  • you specifically instruct us to do so
  • you release us from banking secrecy and
  • the beneficiary is another financial company, law firm, notary, tax consultancy or business trustee or a public authority.

Please contact us in advance if you would like to transfer your data to third parties so that we can clarify all the details.

Our tip: Note that you can always use your transaction data in George e.g. of accounts, credit cards, financings or securities accounts and store it independently. So you always have an up-to-date overview.

What does the Right of Objection mean?

Your data may be processed if there is a legitimate interest.

If such a legitimate interest is asserted, you must be informed. If you then believe that the ground for legitimate interest does not exist, you can object to it. This applies in particular if your personal data is used for direct mail. If responsible persons can prove no legitimate reasons for further processing, your personal data may no longer be processed after the objection.

How to claim your right of opposition can be found here.

What does the right to, not being solely subjected to automated individual decision making (including profiling), mean?

We do not use automated decision-making under Art. 22 DSGVO for decisions on the establishment and implementation of the business relationship, see here. The right to object to this is therefore not applicable.

What information do I have to give?

In order to prevent that your financial data falls into the wrong hands or that your data is deleted against your will, we need to authenticate your identity for each request. We kindly ask for your understanding that in case of doubt, we will request more information regarding your identity. This also serves your protection, to only give authorised persons access to your data.

How can I submit the application?

No matter which right you want to assert, please send us your application preferably in one of the 4 ways:

  • By letter, please sign in person and enclose a copy of your identity card, to Erste Group Bank AG
    Bonitäts- und Wirtschaftsdaten (Creditworthiness and Economic Data)
    Data Protection Management Support Office
    Am Belvedere 1
    1100 Vienna
  • In person in a branch
  • By email, ideally with qualified electronic signature, to or
  • By s Kontakt to your account manager or by selecting „Datenschutz Grundverordnung / DSGVO“ from „Let's talk about …“.

Please write your request as precise as possible – so that we can process it quickly. Please note the special instructions for Right for data portability.

How long does the processing of my request take?

We will provide you with the relevant information without delay but in any event within one month of receipt.

In case of complexity and high number of request, the deadline maybe extended by another two months if necessary.

How is my application processed?

Financial affairs are a matter of trust – unfortunately, emails are not always trustworthy. Emails are more like a postcard when it comes to security. Since we do not want to send your bank details on a postcard, we will send you the information by post.

Please always observe the safety instructions at

What needs to be taken into account when it comes to the right to data portability?

  • Please remember that your financial data contains personal data of other persons: If you transfer money to relatives or acquaintances, it is also reflected in the transferred data – as well as on a bank statement.
  • We only send the data directly to others if you
    • you specifically instruct us to do so
    • you release us from banking secrecy and
  • the beneficiary is another financial company, law firm, notary, tax consultancy or business trustee or a public authority.

Before you exercise your right to data portability: Did you know that in George you can view your transaction data anyway and save it yourself?

Does it cost me anything if I assert my rights?

No, the applications are done free of charge. Exceptions: Only if the request are manifestly unfounded or excessive, we are entitled to demand a reasonable fee. This takes into account the administrative costs of notifying, refusing or implementing the requested measure.

Are there any possibilities to complain?

For all complaints, questions and suggestions on data protection, our data protection officer is reachable. We are convinced that a common solution to almost any problem can be found.

If you do not receive a timely answer to an application or if you are of the opinion that we have not handled your application legitimately or if you think that your right to data protection has been violated, you may also lodge a complaint with the responsible supervisory authority:

Austrian Data Protection Authority

Barichgasse 40-42, 1030 Vienna
Telephone: 01/52 152-0

In addition, any person who has suffered material or immaterial damage as a result of a data breach of the GDPR shall be entitled to claim damages against the person responsible or the processor of the GDPR. In detail, the general provisions of civil law apply. Please note that the Austrian data protection authority is not responsible for claims of damages, but the local state court of your municipality. However, petitions and lawsuits may also be filed with the regional court in whose district the defendant has their habitual residence, registered office or branch office. Which court is competent, can be found here:

Status: 28. August 2019

Owner, writer, publisher and editor: Erste Group Bank AG,
Address: Am Belvedere 1, 1100 Vienna


We use cookies to analyze the access of our website and to create content and offers that meet your needs. In your browser settings you can choose to be asked for your consent before using a cookie or generally block the use of cookies. On our page "Data processing for online services" you will find more information and the possibility to object to the use of cookies.