2. Which data is processed and where does this data originate?
We process the personal data that we receive from you in the course of our business relationship with you. We also process data that we have legitimately received from credit agencies, debtor registers, and from publicly available sources (e.g. company register, register of associations, foundation and fund register, land register, media).
Personal data pursuant to Article 13 GDPR includes your personal details (name, address, contact details, date and place of birth, nationality, residency, etc.), identification data (e.g. identity document data), and authentication data (e.g. specimen signature).
Personal data pursuant to Article 14 GDPR includes data acquired in the fulfilment of our contractual obligations (e.g. data regarding payment transactions), information about your financial status (e.g. asset situation, credit history data, rating data, etc.), advertising and sales data, documentation data (e.g. advisory reports), registry data, image and sound data (e.g. video or telephone recordings), and information from your electronic dealings with the bank (e.g. apps, cookies, newsletters, etc.), processing results that are generated by the bank, and other comparable data for complying with legal and regulatory requirements.
3. For what purposes and on what legal basis is your data processed?
We process your personal data in accordance with the applicable regulations regarding data protection.
- To fulfil contractual obligations (Article 6 [1b] GDPR):
The processing of personal data (Article 4 No. 2 GDPR) is carried out for the provision and arrangement of bank transactions, financial services, and insurance and real estate transactions, in particular for the execution of our contracts with you and the execution of your orders and all activities required for the operation and management of a credit and financial services institution.
The purposes of data processing are based primarily on the specific product (e.g. security, account, loan, deposit, brokerage) and may include needs analyses, consulting, asset management services, and the execution of transactions. The specific details regarding the purpose of data processing can be found in the respective contract documents and terms and conditions.
- To comply with legal obligations (Article 6 [1c] GDPR):
Processing of personal data may be necessary for the purpose of complying with various legal obligations (e.g. based on the Banking Act [Bankwesengesetz; BWG], Financial Markets Anti-Money Laundering Act [Finanzmarkt-Geldwäschegesetz; FM-GwG], Securities Supervision Act [Wertpapieraufsichtsgesetz; WAG], Stock Exchange Act [Börsegesetz; BörseG], etc.) and regulatory requirements (e.g. of the European Central Bank, the European Banking Authority, the Austrian Financial Market Authority, etc.) to which Schoellerbank AG is subject as an Austrian credit institution.
Examples of such cases include:
- Reports to the Austrian Financial Intelligence Unit in certain cases of suspicion (Section 16 FM-GwG);
- Provision of information to the FMA pursuant to the WAG and the BörseG, e.g. in order to monitor compliance with the provisions regarding the market abuse of insider information;
- Provision of information to financial crime authorities within the framework of criminal proceedings for a deliberate financial crime;
- Provision of information to federal tax authorities pursuant to Section 8 of the Accounts Register and Inspection of Accounts Act (Kontoregister- und Kontoeinschaugesetz).
- Within the scope of your consent (Article 6 [1a] GDPR):
If you have granted us consent to process personal data, this data will only be processed in accordance with the purposes set out in the declaration of consent and to the extent agreed therein. Any consent granted may be revoked at any time with future effect (for example, you may object to the processing of your personal data for marketing and promotional purposes if you no longer consent to processing in the future).
- To protect legitimate interests (Article 6 [1f] GDPR):
If necessary and within the framework of a balancing of interests, data may be processed in favour of Schoellerbank AG or a third party in order to protect legitimate interests of Schoellerbank AG or a third party. Situations in which data is processed to protect legitimate interests include the following:
- Consultation and data exchange with credit agencies (e.g. Kreditschutzverband von 1870 in Austria) to identify credit risks and default risks;
- Review and optimisation of procedures for analysing needs and approaching customers directly;
- Advertising or market and opinion research, provided that you have not objected to the use of your data in accordance with Article 21 GDPR;
- Measures for business management and the further development of products and services;
- Video surveillance for the collection of evidence of a crime or to verify withdrawals and deposits (e.g. at ATMs);
- Recordings of telephone calls and e-mail records;
- Measures to protect customers, employees, and the property of the bank;
- Measures to prevent and combat fraud;
- In the framework of legal proceedings.
4. Who will receive your data?
Within Schoellerbank AG, your data will be received by the offices or employees that need it for fulfilling contractual, legal, and regulatory obligations.
In addition, processors commissioned by us (especially IT and back-office service providers and service partners) will receive your data, insofar as they require it to provide their respective service. All processors are contractually obligated to keep your data confidential and only process it within the framework of rendering their services.
With regard to the transfer of data to other third parties, we would like to point out that as an Austrian credit institution, Schoellerbank AG is obligated to maintain banking secrecy pursuant to Section 38 BWG and therefore to maintain the confidentiality of all customer-related information and facts that are entrusted to us or made accessible to us on the basis of the business relationship. We are therefore only permitted to transfer your personal data if you have explicitly released us from our banking secrecy obligations for this purpose in writing in advance or we are obligated or authorised to do so by law and/or regulatory requirements. Recipients of personal data in this context may include:
- Public bodies and institutions (European Banking Authority, European Central Bank, Austrian Financial Market Authority, financial authorities, etc.) in the case of a legal or regulatory obligation.
- Other credit and financial institutions or comparable entities to which we transfer data in order to execute the business relationship with you (depending on the relevant contract, this may include correspondent banks, stock exchanges, custodian banks, SWIFT, credit agencies, etc. that may also be located in a third country as defined in the provisions of the GDPR).
- Other members of UniCredit Group in order to fulfil legal obligations (e.g. risk management, solvency, liquidity).
5. How long will your data be stored?
As far as it is necessary, we will process your personal data for the duration of the entire business relationship (from the initiation of a contract to its execution and up until the termination) and pursuant to statutory retention and documentation obligations as defined in the Uniform Commercial Code (Unternehmensgesetzbuch; UGB), the Federal Fiscal Code (Bundesabgabenordnung; BAO), the Banking Act (BWG), the Financial Markets Anti-Money Laundering Act (FM-GwG), and the Securities Supervision Act (WAG).
Moreover, the statutory limitation periods must be taken into consideration for the retention period. According to the Austrian Civil Code (Allgemeines Bürgerliches Gesetzbuch; ABGB), these can in some cases last up to 30 years (the general limitation period is three years).
6. What data protection rights do you have?
As a data subject, your rights regarding your personal data include the right of access pursuant to Article 15 GDPR, the right to rectification pursuant to Article 16 GDPR, the right to erasure pursuant to Article 17 GDPR, the right to restriction of processing pursuant to Article 18 GDPR, the right to data portability pursuant to Article 20 GDPR, and the right to object pursuant to Article 21 GDPR.
In addition, you have the right to lodge a complaint with the Data Protection Authority pursuant to Article 77 GDPR. Complaints can be submitted to the Austrian Data Protection Authority, Barichgasse 40-42, A-1030 Vienna (and online at www.dsb.gv.at).
7. Are you obligated to provide data?
Pursuant to Article 13 GDPR, we hereby inform you that within the scope of the business relationship, you must provide the personal data that is necessary to establish and maintain the business relationship, as well as the information that we are legally required to collect. If you do not provide us with this data, as a rule we will have to refuse to conclude the contract or to execute orders, or we will no longer be able to fulfil an existing contract and must therefore terminate it.
In this context, we explicitly note that, under its duties of due diligence in the prevention of money laundering and terrorist financing in connection with the Financial Markets Anti-Money Laundering Act, Schoellerbank AG is obligated to collect and store extensive documents and information from customers upon the establishment of a business relationship or in connection with a one-time transaction. If you do not provide the data and documents required pursuant to Section 5 ff FM-GwG, we are not permitted to enter into or continue the business relationship requested by you.
However, you are not obliged to grant consent for data processing regarding data that is not relevant for the fulfilment of the contract or is not required according to the law or for regulatory purposes.
8. Does automatic decision-making, including profiling, take place?
We do not use automated decision-making as defined in Article 22 GDPR to reach a decision on the establishment and execution of the business relationship.
A credit check (credit scoring) is performed for loan applications. The default risk of loan applicants is evaluated using statistical comparison groups. The computed score is intended to facilitate a projection regarding the likelihood that a prospective loan will be paid back. The following data is used in the calculation of this score:
- Information about the applicant’s general financial position (e.g. income, salary, assets, liabilities, collateral, etc.), which we also compare with the information you provide in the current investor profile pursuant to the WAG.
9. What cookies and web analytics tools do we use?
We automatically determine your IP address when you visit our web site at www.schoellerbank.at. We use this information to observe the activities on our web site. We register the usage behaviour of visitors to the web site in order to improve our Internet presence on an ongoing basis.
We also use so-called cookies to make our offerings as convenient as possible for you. Cookies are small text files that facilitate user identification.
These include cookies that are a prerequisite for usage, cookies that are used for statistical analysis of the usability of the page control elements, and cookies for comfort settings that enable you to make the best possible use of our website. Further information on these cookies can be found below. The information stored does not contain any personal data and cannot be traced back to individuals.
You can prevent the installation of cookies by changing the appropriate settings in your browser configuration.
As a matter of principle, UniCredit Bank Austria AG only sets cookies on its website with the user's consent. This does not apply to cookies required for operational reasons, without the use of which the website cannot be displayed correctly.
You can centrally manage and deactivate your cookie settings for statistics and comfort settings if necessary. Please note that in the case of deactivation, not all functions of our website will be fully available.
If you would like to receive one of the newsletters we offer, we need a valid e-mail address as well as a few pieces of additional information from you that enable us to verify that you are the owner of the provided e-mail address or that the owner of the e-mail address consents to receiving the newsletter. No other data is collected. You can revoke your consent for the storage of this data, the e-mail address, and the use of this information for sending the newsletter at any time.
Cookies are a prerequisite for using Schoellerbank's online banking. Cookies ensure the link between the device (browser) and the user code; however, these cookies can be deleted through the appropriate settings in your browser software, automatically by date or when the browser is closed. After the cookies are deleted, the link between the browser and your user code is no longer available. Therefore, the next time you log on with this browser, you will again be prompted to register the browser with a new name and re-associate it with your user code.
10. How do we protect the security of your data?
The security of your data is our highest priority. Our stated goal is to take all required technical and organisational measures to ensure the security of our data processing and to process your personal data in a way that ensures that it is protected against access by unauthorised third parties.
Our IT infrastructure meets the highest international security standards – we use state-of-the-art security software and coding and encryption methods. In addition, we ensure the security of your data by using risk-mitigating measures and preventive precautions.