Information on data protection
We hereby inform you about the processing of your personal data by us and the claims and rights you are entitled to under data protection law. The content and scope of processing mainly depends on the products and services requested by and/or agreed with you.
Please also forward this information to current and future authorised representatives and persons authorised to sign on your behalf, beneficial owners and any co-obligors under a loan. Those include, e.g. beneficiaries in the event of death, persons authorised to act as Prokurist, or guarantors and/or collateral providers.
1. Who is responsible for the data processing and who can I turn to?
Austrian Anadi Bank AG (hereinafter Anadi Bank)
Domgasse 5 9020 Klagenfurt am Wörthersee
Tel.: +43 (0)50202 0
Fax: +43 (0)50202 3000
Data protection officer: firstname.lastname@example.org
2. Which data and data categories are processed and from which sources are they taken?
We process the personal data which we received from you in the context of our business relationship or as a prospective customer (e.g. from promotional competitions, at events). Furthermore, we process data which we lawfully received from credit reporting agencies (e.g. CRIF GmbH, Diefenbachgasse 35, 1150 Vienna, www.crif.at, Credify Informationsdienstleistungen GmbH, Gumpendorfer Straße 21, 1060 Wien, www.credify.at/datenschutz), registers of debtors (Kreditschutzverband von 1870, Wagenseilgasse 7, 1120 Vienna, payment institutions entitled to provide banking data analysis services (e.g. FinTecSystems GmbH, Gottfried-Keller-Strasse 33, 81245 Munich, Germany, https://fintecsystems.com/) and publicly available sources (e.g. company register, register of associations, land register, media) and which we are allowed to process.
Your personal data are:
- your particulars (name, address, other contact details [telephone, e-mail address.], date of birth, place of birth, gender, nationality, marital status, etc.),
- occupational classification (employed/self-employed),
- residential status (tenant/owner),
- identification data (e.g. ID card data) and authentication data (e.g. specimen signature),
- tax ID, FATCA status.
In addition, personal data may include
- order data (e.g. disbursement of the loan, payment transactions),
- data from the fulfilment of our contractual obligations (e.g. turnover data in the context of payment transactions),
- information on your financial status (e.g. self-certification, creditworthiness data, scoring and rating data),
- advertising and sales data, documentation data (e.g. consultation records),
- register data,
- audio and visual data (e.g. video or telephone recordings),
- information from your electronic communications with Anadi Bank (e.g. Internetbanking, cookies, apps),
- processing results generated by Anadi Bank itself,
- but also data accruing for the fulfilment of statutory and regulatory requirements (e.g. regulatory reporting),
- as well as other data comparable to the categories listed above.
3. For which purposes and based on which legal grounds are my data processed?
We process your personal data in accordance with the provisions under data protection law (in particular in accordance with the European General Data Protection Regulation (GDPR) and the 2018 Austrian Data Protection Amendment Act (Datenschutz-Anpassungsgesetz).
To fulfil our contractual obligations (Article 6 (1b) GDPR):
Personal data are processed (Article 4 (2) GDPR) for the execution or provision of banking transactions (checking-account, loan, securities and savings contracts, building saving schemes, etc.), financial services as well as leasing and insurance transactions, and for brokering such transactions and services; in particular, they are processed for the performance of the contracts we have entered into with you and for the execution of your orders as well as all activities necessary for the operation and management of a credit institution. The purposes of data processing first and foremost depend on the specific product (e.g. checking-account, loan, investments, brokerage) and can include, among other things, needs analyses, advice and the execution of transactions. For specific details on the purposes of data processing, you can refer to the respective contractual documents and the General Terms of Business.
To fulfil our legal obligations (Article 6 (1c) GDPR):
The processing of data might be necessary due to various legal obligations (e.g. under the Austrian Banking Act, the Austrian Financial Markets Anti-Money Laundering Act, the Austrian Stock Exchange Act, the Austrian Securities Supervision Act) and regulatory requirements (imposed by, e.g., the European Central Bank, European Banking Authority, Austrian Financial Market Authority) which Anadi Bank, as an Austrian bank, is required to comply with.
- Submitting notifications to the Financial Intelligence Unit in certain suspected cases (section 16 Austrian Financial Markets Anti-Money Laundering Act);
- Providing information to authorities in charge of financial crime matters in proceedings dealing with an intentional financial offence;
- Providing information to law-enforcement authorities pursuant to the relevant provisions of the Austrian Code of Criminal Procedure;
- Providing information to federal tax authorities pursuant to section 8 Account Register and Account Inspection Act;
- Providing information to the Austrian Financial Market Authority pursuant to the Stock Exchange Act, the Securities Supervision Act or the Market Abuse Regulation to monitor compliance with the provisions on market abuse of inside information.
Within the scope of your consent (Article 6 (1a) GDPR):
If you have given consent to the processing of your personal data, we will process these data only for such purposes and to such extent as defined and agreed in the declaration of consent. You can withdraw your consent with effect for the future at any time (e.g. you can object to the processing of your personal data for marketing and advertising purposes, if you do not consent to this anymore). The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
For the purposes of legitimate interests pursued (Article 6 (1f) GDPR):
In the context of balancing interests to the benefit of ANADI BANK or a third party, data may, as far as necessary, be processed not only for the very performance of the contract but also for the purposes of legitimate interests pursued by us or by third parties. In the following cases, data are processed for the purposes of legitimate interests pursued:
- Consultation of and data exchange with credit reporting agencies (e.g. österreichischer Kreditschutzverband 1870, CRIF GmbH, Credify Informationsdienstleistungen GmbH) to determine credit and default risks;
- Assessment and optimisation of procedures for needs analyses and direct customer contact;
- Advertisements or market and opinion research, unless you have objected to the use of your data pursuant to Article 21 GDPR;
- Video surveillance for the collection of evidence data in the case of criminal offences or as evidence of account-operating instructions and cash deposits (e.g. at cash machines); video surveillance serves the main purpose of protecting customers and employees;
- Telephone recordings (e.g. when providing investment services and in case of complaints);
- Measures for business and risk management and the further development of services and products;
- Measures to protect employees and customers as well as the property of Anadi Bank;
- Measures to prevent and combat fraud (fraud transaction monitoring);
- Measures of legal action and defence in case of legal disputes;
- Ensuring IT security and the IT operations of Anadi Bank;
- Measures to protect buildings and systems.
4. Who receives my data?
Your data will be provided to those employees or departments of Anadi Bank which need your data to fulfil contractual, legal and supervisory obligations and pursue legitimate interests. Moreover, processors commissioned by us (in particular IT and back office service providers) will receive your data if they are necessary for the fulfilment of the respectively agreed service. All processors are contractually obligated to treat your data as confidential and to process them only to the extent necessary to fulfil their service obligations. With respect to data transfer to other third parties, please note that Anadi Bank as a credit institution is obligated to observe banking secrecy under section 38 Banking Act, i.e. ANADI BANK is obligated to keep confidential all customer-related information and facts entrusted or made accessible to us based on the business relationship. Thus, we may only transfer your personal data if you have expressly released us, in advance and in writing, from our obligation to observe banking secrecy or if we are obligated or authorised to do so under legal and/or regulatory provisions. In this context, the following entities, among others, could receive personal data:
- other credit institutions and financial institutions or similar entities to which we transfer your data to carry out our business relationship (depending on the contract, these could be correspondent banks, exchanges, custodian banks, credit reporting agencies
(e.g. österreichischer Kreditschutzverband 1870, CRIF GmbH, Credify Informationsdienstleistungen GmbH), etc. );
- public authorities and institutions (e.g. European Banking Authority, European Central Bank, Austrian Financial Market Authority, fiscal authorities, etc.) in the case of legal or regulatory obligations.
5. Will my data be transferred to a third country or an international organisation?
Transfers of data to countries outside of the EU or EEA (so-called third countries) will only be carried out to the extent necessary for executing your orders (e.g. payment and securities orders) or as required under legal provisions (e.g. reporting obligations under tax law), or if you consented to such transfers or under a data processing agreement. If service providers in third countries are employed, they are obligated, not only by written instructions given to them but also by agreeing to the EU standard contractual clauses, to comply with the European level of data protection.
6. For how long will my data be stored?
Where necessary, we process your personal data for the duration of our entire business relationship (from contract negotiations to its execution until the termination of the contract) and beyond that pursuant to legal retention or documentation requirements, based, in particular, on the Austrian Business Code, the Austrian Federal Tax Code, the Austrian Banking Act, the Austrian Securities Supervision Act and the Austrian Financial Markets Anti-Money Laundering Act. With respect to the storage period, we also have to comply with legal limitation periods, which can - for example pursuant to the Austrian Civil Code - be 30 years in certain cases (the general limitation period is 3 years).
7. What data protection rights do I have?
You have, at any time, a right to access (Article 15 GDPR), rectification (Article 16 GDPR), erasure (Article 17 GDPR) or restriction of processing of your stored data (Article 18 GDPR), a right to object to processing (Article 21 GDPR) as well as a right to data portability (Article 20 GDPR) pursuant to the requirements of data protection law. For the assertion of such rights, please contact our data protection officer (see clause 1 of this document). If you have any complaints, you may contact the Austrian Data Protection Authority (www.dsb.gv.at), Barichgasse 40-42, 1030 Vienna.
8. Am I obligated to provide data?
In the context of our business relationship you have to provide those personal data which are required for establishing and executing the business relationship or which we are required to collect by law. We are obligated, in particular pursuant to anti-money laundering provisions, to identify you before entering into a business relationship with you, for example based on an appropriate ID document (e.g. passport) and thus to collect and store your name, place of birth, date of birth, nationality and your address. If you do not provide us with these data, we will usually have to refuse to enter into a contract with you or to execute an order or we will no longer be able to perform an existing contract and must thus terminate it. However, you are not obligated to consent to the processing of other data that are not relevant to the execution of the contract and/or that are not required under legal or regulatory provisions.
9. Is automated decision-making and profiling executed?
When granting loans, the customer's creditworthiness is checked (credit scoring). We assess the default risk of people seeking loans with the help of statistical peer groups. The aim of the calculated score value is to enable a prognosis of how likely it is that the loan applied for will be paid back. To calculate that score value, we use your master data (e.g. marital status, number of children, duration of employment, employer, etc.), data on your general financial situation (e.g. income, assets, monthly spending, amount of liabilities, collateral, etc.) and data on your payment behaviour (e.g. loans being duly repaid, reminders, data from credit reporting agencies). If the default risk is too high, ANADI BANK will decline the application for a loan and this might lead to an entry in the credit database Kleinkreditevidenz of KSV 1870 as well as to an internal warning note. Loan applications that have been declined can be viewed in the credit database Kleinkreditevidenz of KSV 1870 for a duration of 6 months pursuant to a decision of the Austrian Data Protection Authority.
10. Information on data processing under the Austrian Financial Markets Anti-Money Laundering Act
The Austrian Financial Markets Anti-Money Laundering Act obligates Anadi Bank, in the context of duties of due diligence for the prevention of money laundering and terrorist financing, to obtain, and retain, certain documents and information from persons when establishing a business relationship or carrying out an occasional transaction.
According to the Austrian Financial Markets Anti-Money Laundering Act, Anadi Bank must identify and verify, among other things, the identity of customers, of customers’ beneficial owners, or of any settlors of the customer. Furthermore, it has to assess the objective pursued by the customer and the type of business relationship desired by the customer and to obtain and verify information and, if necessary, proof of the source of the funds used and to continuously monitor the business relationship and the transactions carried out in its context. Anadi Bank is obligated to, in particular, make copies of the documents and information received, which are necessary for the described due diligence obligations, and to retain said copies and the supporting evidence and records of transactions which are necessary to identify transactions.
The Austrian Financial Markets Anti-Money Laundering Act grants Anadi Bank the legal authorisation within the meaning of the EU General Data Protection Regulation to use said customer data in the context of complying with the duties of due diligence for the prevention of money laundering and terrorist financing, which Anadi Bank is obligated by law to comply with and which serve public interests. The data processing operations performed within the framework of the described due diligence processes are based on a legal obligation imposed on the bank. For this reason, the bank is not permitted to comply with any customer’s withdrawal of consent for such processing of data.
All personal data processed and/or stored by ANADI BANK only on the basis of the Austrian Financial Markets Anti-Money Laundering Act for the purposes of the prevention of money laundering and terrorist financing must be deleted by ANADI BANK after a retention period of 5 years unless a longer retention period is required or permitted under the provisions of other federal laws or longer retention periods have been specified by the Financial Market Authority.
Personal data used by ANADI BANK only on the basis of the Austrian Financial Markets Anti-Money Laundering Act for the purposes of the prevention of money laundering and terrorist financing shall not be further processed in a way that is incompatible with those purposes. These personal data shall not be processed for any other purposes, for example, commercial purposes.
Due to legal and regulatory requirements, we are obligated to combat money laundering, terrorist financing and offences endangering assets. In this context, data (e.g. regarding payment transactions) will be evaluated. These measures are also taken for your own safety. In order to being able to inform and advise you on products and services in a targeted manner, we use evaluation tools which facilitate customised communication and advertising, including opinion and market research.
11. Information on data processing under the Austrian Common Reporting Standard Act
The Austrian Common Reporting Standard Act obligates ANADI BANK to identify the tax residency/residencies of its customers and, in this context, to verify the data of its customers (natural and legal persons) or, as the case may be, to obtain self-certification for tax purposes from its customers. If tax residency is identified in another jurisdiction participating in the automatic exchange of information for the fight against tax evasion, ANADI BANK must report certain data to the Austrian fiscal authorities which shall transfer those data to the competent fiscal authorities abroad.
12. Web hosting
We use the services of a web host for operating our website. The hosting services enable us to provide the following services: Infrastructure and platform services, computing capacity, memory capacity and database services, security services and technical maintenance services.
13. Collection of access data and log files
If you use our website, your internet browser automatically transfers certain usage data due to technical reasons, from which server log files are created.
Such are, for example:
- date and time of access,
- URL of the referring website,
- accessed file,
- amount of data transmitted,
- IP adress,
- browser type and version,
- operating system.
We use this information solely for the purposes of the technical administration of our website and protection against unlawful activities in connection with our website. Log file information will be stored for a maximum of 3 months for security reasons (e.g. for the clarification of misuse or fraud) and will then be deleted. Data which have to be retained for evidentiary purposes will not be deleted until the respective incident has been clarified.
14. SSL encryption
For reasons of security and to protect the transfer of confidential content, such as your enquiries, we us SSL encryption. You will recognise an encrypted connection when the address line of the browser changes from “http://” to “https://” and by the lock symbol in the browser line. If SSL encryption is activated, the data you transfer to us cannot be read by third parties.
If you contact us via our website (contact form, callback agreement, complaint management), your data will be processed for handling and processing your contact inquiry.
Your data will be stored on our server and sent by e-mail to the departments and/or employees needing the data to complete the task.We generally delete all enquiries after three months if they are no longer required.
The chat feature of our website enables real-time communication with our staff from the Customer Care Center. The following data are stored during a chat session:
- chat record (text)
- the name stated
- date, time, duration
- session ID
- session type
Chat-related information is stored for a duration of 3 months and is deleted afterwards.
If you use the co-browsing feature, we can support you in a live demonstration on the website and during Internetbanking. Through this feature, content within one browser window can be jointly viewed by parties that are physically apart. We can neither view nor access information outside of this browser window. No personal data have to be transferred for using the co-browsing feature. You can end the co-browsing session at any time. We will not store any data.
Cookies are used at various points on our website. Cookies are information which is transferred by our web server or the web servers of third parties to your web browser where it is saved for future retrieval.
We use session cookies which are only stored on our website for the duration of your current visit. A session cookie stores a random unique identification number, a so-called session ID. Session cookies are deleted when you close your browser.
If you do not want cookies to be saved on your computer, we ask you to deactivate the respective option in your browser settings. Cookies that were saved can be deleted in your browser settings. The deactivation of cookies may limit the functionality of this online offer.
17. Online presence in social media
We are present online on networks and platforms to communicate with customers, prospective customers and users to inform them about our services. You currently find us on the following social media platforms:
The general terms and conditions and data processing policies of the respective networks and platforms apply for your visits.
Unless otherwise specified in our data privacy statement, we process data of users if they communicate with us within the social networks and platforms, e.g. comment on our pages or send us messages.
18. Measuring reach with Google Analytics
Google evaluates the information on our behalf to compile reports on the activities within our online offers and to execute further services for us in connection with our online offers and with web usage. This makes it possible to create pseudonymised user profiles of the users based on the processed data. The IP address transferred from your browser will not be merged with other data from Google. You can prevent the storage of cookies through a corresponding setting of your browser software; you can also prevent Google from obtaining the data generated by the cookie and related to your use of our online offer and from processing this data, by downloading and installing the browser plugin available at: https://tools.google.com/dlpage/gaoptout?hl=de.
Further information on the use of data by Google as well as setting and opt-out options is available at Google’s websites: https://www.google.com/intl/de/policies/privacy/partners (“How Google uses information from sites or apps that use our services”), https://policies.google.com/technologies/ads (“Advertising”), https://adssettings.google.com/authenicated ("Control the information Google uses to show you ads").
When visiting our website, you have the option to deny consent to the collection of data through Google Analytics by clicking on “Cookie Settings” in the information bar and then select the relevant option. In this case, a so-called opt-out cookie is created on your browser with the result that Google Analytics no longer collects any session data. However, if you delete your cookies, the opt-out cookie is deleted as well, and you have to activate it once again.
19. Google Remarketing / Marketing services
We use Google Marketing and Remarketing services (hereinafter “Google Marketing services”) of Google LLC, 600 Amphitheatre Parkway, Mountain View, CA 94043, USA (hereinafter “Google”).
The Google Marketing services enable us to show you better-targeted ads for our online offer, which means we only present you with ads that are of potential interest to you. For example, if you see ads for products for which you showed interest on other websites, this is called “remarketing”. For these purposes, a code will be executed by Google immediately when you visit our and other websites where Google Marketing services are activated, and so-called (re)marketing tags (invisible graphics or code, also called “web beacons”) are embedded in the website. With their help, an individual cookie is stored on your device. In this file it will be noted which websites the user visited, which content was of interest to the user and which offers were clicked on; furthermore, technical information regarding browsers and operational systems, referring websites, duration of visit and further information on the use of the online offer are recorded. The IP-address of the user is also collected; in the context of Google Analytics, we state that the IP address will be shortened by Google within member states of the European Union or other states which are party to the Agreement on the European Economic Area, and the full IP address will only be transferred to a server of Google in the USA and shortened there in exceptional cases. The IP address will not be merged with user data within other offers of Google. The information stated above may, on the part of Google, also be linked to such information from other sources. If the user subsequently visits other websites, ads matching the user’s interests might be displayed.
Your data are processed in a pseudonymised manner in the context of Google Marketing services. This means that Google does not store and process, for example, your name or e-mail address but the cookie-based relevant data within a pseudonymised user profile. This means, from the perspective of Google, that the adverts are not managed and displayed for a concrete identified person but for the cookie owner, no matter who the cookie owner is. This does not apply if Google is expressly allowed to process the data without this pseudonymisation process. The information on the users collected by Google Marketing services is transferred to Google and stored on Google servers in the USA.
If you would like to object to interest-based adverts by Google Marketing services, you can use the setting and opt-out options provided by Google: https://adssettings.google.com/authenticated.
When visiting our website, you have the option to deny consent to the collection of data through Google Marketing services by clicking on “Cookie Settings” in the information bar and then select the relevant option. In this case, a so-called opt-out cookie is created on your browser with the result that Google Marketing services no longer collects any session data. However, if you delete your cookies, the opt-out cookie is deleted as well, and you have to activate it once again.
20. Google ReCaptcha
21. Measuring reach with PIWIK Pro
We use PIWIK Pro to measure reach. The data are processed at ARZ Allgemeines Rechenzentrum GmbH, Tschamlerstraße 2, 6020 Innsbruck.
With respect to the use of PIWIK Pro, the following data are collected and stored:
- browser type and browser version,
- operating system and country of origin,
- date and time of server request,
- number of visits,
- length of time spent on the website, and
- external links clicked on.
The IP address will be anonymised before it is stored.
If you subscribe to a newsletter on our website, we process personal data such as your e-mail address and your target group selection based on your consent. In order to subscribe to the newsletter, you merely have to state your e-mail address; the selection of a target group is optional.
Our newsletters include information on our products, offers, campaigns, current events and our company.
Double opt-in and recording:
Your newsletter subscription is carried out in a so-called double opt-in process. This means that after your registration you will receive an e-mail where you are asked to confirm your subscription. This confirmation is necessary so that no one can subscribe with e-mail addresses that do not belong to them. All newsletter subscriptions are recorded so that we can evidence the subscription process pursuant to legal requirements. This includes saving the time of subscription and of confirmation as well as the IP address.
• Statistical analyses:
Each newsletter is accompanied by statistical analyses. In the context of such processing request, information regarding your IP address and the time of access are collected. With this information, we can make our newsletter more exciting and relevant and measure the success of our marketing campaigns. The statistical surveys include the following information:
- if the newsletters are opened,
- when they are opened, and
- which links are clicked on.
The evaluations serve the purpose to recognise the reading habits of our subscribers and to tailor our content to their preferences or to send different content in accordance with the interests of our subscribers.
You may cancel our newsletter at any time, i.e. withdraw your consent. A link for cancelling the newsletter can be found at the end of each newsletter. If you have subscribed to our newsletter and then cancelled it, your personal data will be deleted.
Internetbanking makes it possible to execute bank transactions via the Internet. When you opt for our Internetbanking service, we will send you your personal logon details. You first have to authenticate yourself with these logon details to get access to your personal banking data. This authentication and all further data transfers are executed through an encrypted https connection. The data are processed at ARZ Allgemeines Rechenzentrum GmbH, Tschamlerstraße 2, 6020 Innsbruck.
Data editing and categorisation of turnover
Your data will be automatically analysed and prepared for an improved presentation. This includes the full indexing of your data and categorisation of turnover. Categorisation of turnover means the allocation of turnover to individual categories in the case of electronic payment.
23. Internetbanking app for mobile phones and tablets
The Internetbanking app comprises the entire range of features of the Interentbanking platform within one app.
Use of push notifications
The Interentbanking app uses push notifications. This makes it possible for information from the Interentbanking app to be displayed directly on your mobile phone / tablet. The push notification system of your operating system is used for this purpose. The possibility cannot be ruled out that the provider of the operating system of your mobile phone / tablet receives these data and transfers them to the USA.
Please note that you might not receive push notifications in case of a service disruption. Should the push notification service break down due to the occurrence of unforeseen events, ANADI BANK shall not be held liable if ANADI BANK has taken corresponding security measures in accordance with standard banking practice. If push notifications are deleted on your mobile phone / tablet, they can still be accessed in the Interentbanking app.
Access to functions
The Internetbanking app uses numerous functions of your mobile phone / tablet. The Internetbanking app will use the camera (to record QR codes, invoices), the network connection (to use the web content), the location (only for queries regarding the location of branches and cash dispensers), the system tools (for push notifications), the memory (to execute the Interentbanking application), the “deactivation of standby mode” and “vibration alarm control”. This access is necessary in order for the functions of the Internetbanking app to be used. Please note that you give your agreement to the use of the functions by downloading or updating the app. Any revocation of certain functions is only possible with heavy restrictions on the use of the Internetbanking app and / or by not using the online bank app. Access to the functions occurs only if this is absolutely necessary for the execution of a particular action by the Interentbanking app.
Use of Google Maps
For the location of branches or cash dispensers and the representation of these on an interactive map, we use the “Google Maps API” map service from Google Inc., which has its registered office in the USA. Through the use of Google Maps, information concerning the use of the app is transmitted to Google servers in the USA and stored there. As part of its own data privacy statement, Google undertakes not to pass on information to third parties, although it does make certain exceptions. Accordingly, data gathered in this way may be transmitted to third parties if this is required by law in the USA, or insofar as the data are processed by third parties on behalf of Google. The Terms of Service of Google Maps are available at https://www.google.com/intl/de_US/help/terms_maps.html.
The TresorTAN app is an alternative option to transmit transaction authorization numbers (TANs) for the signing of transactions. The TresorTAN app is a separate application you have to download and install for your respective devices. When using the TresorTAN signing, an encrypted TAN is provided directly in the TresorTAN app. You will be alerted to this through a push notification. The TresorTAN app will provide a recap of the key transaction data, making it possible to review the order to be placed. The TresorTAN can only be used for one specific transaction.
Version: November 2020