1. Who is responsible for data processing and who can you contact?
The entity responsible for data processing is:
Palais Rothschild, Renngasse 3
1010 Vienna, Austria
Companies Register No. 103232m
You can contact the Data Protection Officer at:
Data Protection Officer
Palais Rothschild, Renngasse 3
1010 Vienna, Austria
2. Which data is processed and where does this data originate?
We process the personal data that we receive from you in the course of our business relationship with you. We also process data that we have legitimately received from credit agencies, debtor registers, and from publicly available sources (e.g. company register, register of associations, foundation and fund register, land register, media).
Personal data pursuant to Article 13 GDPR includes your personal details (name, address, contact details, date and place of birth, nationality, residency, etc.), identification data (e.g. identity document data), and authentication data (e.g. specimen signature).
Personal data pursuant to Article 14 GDPR includes data acquired in the fulfilment of our contractual obligations (e.g. data regarding payment transactions), information about your financial status (e.g. asset situation, credit history data, rating data, etc.), advertising and sales data, documentation data (e.g. advisory reports), registry data, image and sound data (e.g. video or telephone recordings), and information from your electronic dealings with the bank (e.g. apps, cookies, newsletters, etc.), processing results that are generated by the bank, and other comparable data for complying with legal and regulatory requirements.
3. For what purposes and on what legal basis is your data processed?
We process your personal data in accordance with the applicable regulations regarding data protection.
- To fulfil contractual obligations (Article 6 [1b] GDPR):
The processing of personal data (Article 4 No. 2 GDPR) is carried out for the provision and arrangement of bank transactions, financial services, and insurance and real estate transactions, in particular for the execution of our contracts with you and the execution of your orders and all activities required for the operation and management of a credit and financial services institution.
The purposes of data processing are based primarily on the specific product (e.g. security, account, loan, deposit, brokerage) and may include needs analyses, consulting, asset management services, and the execution of transactions. The specific details regarding the purpose of data processing can be found in the respective contract documents and terms and conditions.
- To comply with legal obligations (Article 6 [1c] GDPR):
Processing of personal data may be necessary for the purpose of complying with various legal obligations (e.g. based on the Banking Act [Bankwesengesetz; BWG], Financial Markets Anti-Money Laundering Act [Finanzmarkt-Geldwäschegesetz; FM-GwG], Securities Supervision Act [Wertpapieraufsichtsgesetz; WAG], Stock Exchange Act [Börsegesetz; BörseG], etc.) and regulatory requirements (e.g. of the European Central Bank, the European Banking Authority, the Austrian Financial Market Authority, etc.) to which Schoellerbank AG is subject as an Austrian credit institution.
Examples of such cases include:
- Reports to the Austrian Financial Intelligence Unit in certain cases of suspicion (Section 16 FM-GwG);
- Provision of information to the FMA pursuant to the WAG and the BörseG, e.g. in order to monitor compliance with the provisions regarding the market abuse of insider information;
- Provision of information to financial crime authorities within the framework of criminal proceedings for a deliberate financial crime;
- Provision of information to federal tax authorities pursuant to Section 8 of the Accounts Register and Inspection of Accounts Act (Kontoregister- und Kontoeinschaugesetz).
- Within the scope of your consent (Article 6 [1a] GDPR):
If you have granted us consent to process personal data, this data will only be processed in accordance with the purposes set out in the declaration of consent and to the extent agreed therein. Any consent granted may be revoked at any time with future effect (for example, you may object to the processing of your personal data for marketing and promotional purposes if you no longer consent to processing in the future).
- To protect legitimate interests (Article 6 [1f] GDPR):
If necessary and within the framework of a balancing of interests, data may be processed in favour of Schoellerbank AG or a third party in order to protect legitimate interests of Schoellerbank AG or a third party. Situations in which data is processed to protect legitimate interests include the following:
- Consultation and data exchange with credit agencies (e.g. Kreditschutzverband von 1870 in Austria) to identify credit risks and default risks;
- Review and optimisation of procedures for analysing needs and approaching customers directly;
- Advertising or market and opinion research, provided that you have not objected to the use of your data in accordance with Article 21 GDPR;
- Measures for business management and the further development of products and services;
- Video surveillance for the collection of evidence of a crime or to verify withdrawals and deposits (e.g. at ATMs);
- Recordings of telephone calls and e-mail records;
- Measures to protect customers, employees, and the property of the bank;
- Measures to prevent and combat fraud;
- In the framework of legal proceedings.
4. Who will receive your data?
Within Schoellerbank AG, your data will be received by the offices or employees that need it for fulfilling contractual, legal, and regulatory obligations.
In addition, processors commissioned by us (especially IT and back-office service providers and service partners) will receive your data, insofar as they require it to provide their respective service.
These processors, or their own processors, may be located in third countries. The transfer of their data to these third countries takes place either on the basis of an adequacy decision of the European Commission or the application of EU standard contractual clauses, as well as appropriate and adequate safeguards.
All processors are contractually obligated accordingly to treat your data confidentially and to process it only within the scope of the service provision.
With regard to the transfer of data to other third parties, we would like to point out that as an Austrian credit institution, Schoellerbank AG is obligated to maintain banking secrecy pursuant to Section 38 BWG and therefore to maintain the confidentiality of all customer-related information and facts that are entrusted to us or made accessible to us on the basis of the business relationship. We are therefore only permitted to transfer your personal data if you have explicitly released us from our banking secrecy obligations for this purpose in writing in advance or we are obligated or authorised to do so by law and/or regulatory requirements.
Recipients of personal data in this context may include:
- Public bodies and institutions (European Banking Authority, European Central Bank, Austrian Financial Market Authority, financial authorities, etc.) which may also be located in a third country within the meaning of the provisions of the GDPR, where there is a legal or regulatory obligation or in order to fulfil a contractual obligation.
- Other credit and financial institutions or comparable entities to which we transfer data in order to execute the business relationship with you (depending on the relevant contract, this may include correspondent banks, stock exchanges, custodian banks, SWIFT, credit agencies, etc. that may also be located in a third country as defined in the provisions of the GDPR).
- Other members of UniCredit Group in order to fulfil legal obligations (e.g. risk management, solvency, liquidity).
5. How long will your data be stored?
As far as it is necessary, we will process your personal data for the duration of the entire business relationship (from the initiation of a contract to its execution and up until the termination) and pursuant to statutory retention and documentation obligations as defined in the Uniform Commercial Code (Unternehmensgesetzbuch; UGB), the Federal Fiscal Code (Bundesabgabenordnung; BAO), the Banking Act (BWG), the Financial Markets Anti-Money Laundering Act (FM-GwG), and the Securities Supervision Act (WAG).
Moreover, the statutory limitation periods under the Austrian Civil Code (Allgemeines Bürgerliches Gesetzbuch; ABGB), which in some cases can last up to 30 years (the general limitation period is three years), must be taken into consideration for the retention period.
6. What data protection rights do you have?
As a data subject, your rights regarding your personal data include the right of access pursuant to Article 15 GDPR, the right to rectification pursuant to Article 16 GDPR, the right to erasure pursuant to Article 17 GDPR, the right to restriction of processing pursuant to Article 18 GDPR, the right to data portability pursuant to Article 20 GDPR, and the right to object pursuant to Article 21 GDPR.
In addition, you have the right to lodge a complaint with the Data Protection Authority pursuant to Article 77 GDPR. Complaints can be submitted to the Austrian Data Protection Authority, Barichgasse 40-42, A-1030 Vienna (and online at www.dsb.gv.at).
7. Are you obligated to provide data?
Pursuant to Article 13 GDPR, we hereby inform you that within the scope of the business relationship, you must provide the personal data that is necessary to establish and maintain the business relationship, as well as the information that we are legally required to collect. If you do not provide us with this data, as a rule we will have to refuse to conclude the contract or to execute orders, or we will no longer be able to fulfil an existing contract and must therefore terminate it.
In this context, we explicitly note that, under its duties of due diligence in the prevention of money laundering and terrorist financing in connection with the Financial Markets Anti-Money Laundering Act, Schoellerbank AG is obligated to collect and store extensive documents and information from customers upon the establishment of a business relationship or in connection with a one-time transaction. If you do not provide the data and documents required pursuant to Section 5 ff FM-GwG, we are not permitted to enter into or continue the business relationship requested by you.
However, you are not obliged to grant consent for data processing regarding data that is not relevant for the fulfilment of the contract or is not required according to the law or for regulatory purposes.
8. Does automated decision-making, including profiling, take place?
We do not use automated decision-making as defined in Article 22 GDPR to reach a decision on the establishment and execution of the business relationship.
A credit check (credit scoring) is performed for loan applications. The default risk of loan applicants is evaluated using statistical comparison groups. The computed score is intended to facilitate a projection regarding the likelihood that a prospective loan will be paid back. The following data is used in the calculation of this score:
- Information about the applicant’s general financial position (e.g. income, salary, assets, liabilities, collateral, etc.), which we also compare with the information you provide in the current investor profile pursuant to the WAG.