Privacy Policy

Data Protection Clear and Transparent

With the following information, we provide you with details in accordance with Articles 13 and 14 of the GDPR regarding the collection and processing of your personal data by us, as well as your rights and claims under data protection law. The content and scope of data processing are primarily determined by the products and services you have requested or agreed upon. We process your personal data in full compliance with the relevant data protection regulations, particularly the Austrian Data Protection Act (DSG) and the EU General Data Protection Regulation (GDPR). Where data processing deviates from this information in individual cases, we provide separate information as part of the respective products or services.

Additional information about the cookies used can be found under Cookie Settings.

1. Who is responsible for data processing and whom can you contact?

1.1 The responsible party for processing your personal data is:

Austrian Anadi Bank AG (hereafter referred to as Anadi Bank)
Inglitschstraße 5A
9020 Klagenfurt am Wörthersee
Tel.: +43 (0)50202 0
Fax: +43 (0)50202 3000
Email: austrian@anadibank.com

1.2 Data Protection Officer

You can contact our data protection officers by email at datenschutz@anadibank.com or by mail at the above address.

2. Who is this privacy policy for?

This privacy policy applies to the collection, storage, use, transmission, or deletion of personal data from:

  • Prospective customers (including contest participants), applicants, and (former) customers of Anadi Bank, regardless of whether a banking service is provided directly by us or by one of our service providers – financial service providers, intermediaries – or product partners;
  • Persons who place individual orders outside of framework contracts;
  • All other persons who are in contact with our bank, such as financial service providers, authorized representatives, representatives, or employees of legal entities, or who are involved in transfers from or to Anadi Bank accounts.

3. What personal data or data categories are processed, and where do these data come from?

3.1 Personal data are all information that can directly or indirectly identify you or relate to you.

We process the following data in particular:

  • Personal details (e.g., first and last name, address, other contact details such as phone, email address; date and place of birth, nationality, marital status, gender);
  • Occupational group key (employed/self-employed);
  • Residential status (rent/ownership);
  • Identification data (e.g., copy of ID card or passport) and authentication data (e.g., signature sample, login data for online banking);
  • Financial data (e.g., income information, pay slips, value of pledged items and real estate);
  • Creditworthiness data (e.g., entries at credit agencies, warning list entries);
  • Order and transaction data (e.g., payment orders, transfers, deposits and withdrawals from your checking, savings, or credit card account);
  • Audio-visual data (e.g., recording your calls, photos and video recordings in branches or at ATMs);
  • Your interaction with Anadi Bank on social media such as LinkedIn. We follow public news, postings, likes, and responses to and about Anadi Bank on the internet as part of our corporate communication;
  • Data about your preferences and online behavior (e.g., information from your electronic communication with us via app or website, IP addresses, data about your visits to our website);
  • Advertising and sales data;
  • In connection with a reportable suspected case of alleged criminal data, additionally application data, company name, possibly company register and VAT number, ÖNACE code, data on the course of the suspected case. Furthermore, possibly IBAN, delivery address data, data on repeated applications/repeated fraud attempts. Finally, information on persons/companies (in particular employers of the affected person) associated with the suspected case and information on persons involved in the suspected case under § 12 StGB.
  • Data required to fulfill legal and regulatory obligations (data to fulfill our compliance and anti-money laundering obligations, Know Your Customer), such as data on the origin of funds, marital status, information on the employer, pay slips, tax ID, FATCA status.

3.1.1 Sensitive data

Sensitive data are data about your health, ethnic origin, religious or political beliefs, as well as genetic or biometric data. We may process your sensitive data if:

  • You have given us your explicit consent;
  • The relevant national legal provisions require or allow it;
  • You instruct us, for example, to make a payment to a political party or religious institution;
  • You choose to use fingerprint recognition for identity verification when accessing mobile apps and performing certain processes in the apps.

3.1.2 Data from minors

We collect data from persons under the age of 14 only if they have a product with Anadi Bank or if you provide us with information about your own children in connection with a product you purchase. We obtain parental consent where required by national legal provisions.

3.2 We receive your personal data mostly directly from you in the course of our (upcoming or ongoing) business relationship.

This occurs primarily through:

  • Initiation and conclusion of contracts for our individual services or products;
  • Utilization of our services or use of our products and apps;
  • Prospective customer inquiries;
  • Submission of applications;
  • Visiting our website;
  • Inquiries (e.g., via contact form, phone, or letter);
  • Participation in contests.

3.3 We also collect your personal data from other sources, but only if they are absolutely necessary for providing our service.

These other sources include in particular:

  • Insolvency files;
  • Credit agencies (e.g., KSV and CRIF GmbH) and lawfully maintained debtor registers;
  • Suspicion database for banks and financial institutions (CRIF GmbH);
  • Publicly accessible sources (e.g., company register, association register, land register, media, internet);
  • Payment institutions authorized to provide account information services (e.g., Tink Germany GmbH);
  • Transfers to or from you;
  • Intermediaries;
  • Court commissioners in the settlement of estates;
  • Guardianship and criminal courts;
  • Police and public prosecutors.

4. For what purposes and on what legal basis are the data processed?

We process your personal data in accordance with the provisions of the GDPR and the DSG to achieve the following purposes and based on the following legal grounds:

4.1 To fulfill contractual obligations or to carry out pre-contractual measures (Art. 6 para. 1 lit b GDPR):

The processing of personal data takes place to provide and mediate banking services (current accounts, loans, securities, and savings contracts, building savings, etc.), financial services, as well as leasing and insurance transactions, in particular to execute our contracts with you and fulfill your orders, as well as all activities required for the operation and management of a credit institution.

The purposes of data processing are primarily based on the specific product (e.g., current account, loan, investments, mediation, etc.) and may include needs analysis, consulting, and the execution of transactions.

You can find detailed information on data processing and the collected data in the respective contract documents and terms and conditions.

4.2 To fulfill legal obligations (Art. 6 para. 1 lit c GDPR):

The processing of personal data may be necessary to fulfill various legal obligations (e.g., from the Banking Act, Financial Market Anti-Money Laundering Act, Stock Exchange Act, Securities Supervision Act) and regulatory requirements (e.g., from the European Central Bank, the European Banking Authority, the Austrian Financial Market Authority) to which Anadi Bank is subject as an Austrian credit institution. This includes, for example:

  • Risk management, in particular credit risk and operational risk;
  • Complaint management and complaint handling, analysis of complaint cases;
  • Monitoring of insider trading, conflicts of interest, and market manipulation;
  • Identity verification, transaction monitoring, suspicious activity reports, compliance with sanction regulations;
  • Reports to the account register and reports of capital outflows;
  • Payment services, e.g., to detect unauthorized or fraudulent payment transactions;
  • Accounting, controlling, and compliance with tax regulations;
  • Recording telephone conversations and electronic communication in securities transactions;
  • Information to the public prosecutor's office, courts, tax authorities;
  • Disclosure of information about the identity of shareholders.

In particular, as a credit institution, Anadi Bank is obligated, for the prevention of money laundering and terrorist financing, to obtain and update information, data, and documents at the beginning of the business relationship, during the relationship, and in the case of an occasional transaction outside a business relationship, as well as to continuously monitor the business relationship and transactions (especially under the Financial Market Anti-Money Laundering Act, "FM-GwG").

Additionally, Anadi Bank is required to determine the tax residency(ies) of its customers and verify or collect tax self-disclosures from customers (natural persons and legal entities) (Common Reporting Standard Act "GMSG"). If a tax residency is determined in another state participating in the automatic exchange of information to combat tax evasion, the credit institution must report certain data (e.g., residency state(s), tax identification number(s), account balances/values at the end of the year or account closure, gross earnings, and proceeds, and for legal entities, the controlling person(s) of the customer, if applicable) to the Austrian tax authorities, who will forward this data to the relevant foreign tax authorities.

Customer objections to processing for these purposes cannot be considered by the bank due to legal obligations. We retain this data in accordance with legal obligations (10 years after the end of the business relationship or after the time of an occasional transaction for data under § 21 FM-GwG or longer as legally required or mandated by the financial market authority).

4.3 Within the scope of your consent (Art. 6 para. 1 lit a GDPR):

If you have given us consent to process your personal data, the processing will only be carried out according to the purposes and extent agreed upon in the declaration of consent. Consent can be revoked at any time with effect for the future (e.g., you can object to the processing of your personal data for marketing and advertising purposes if you no longer agree to processing in the future). The revocation of consent does not affect the lawfulness of data processed up to the point of revocation.

4.4 To safeguard legitimate interests (Art. 6 para. 1 lit f GDPR):

If necessary, data processing can be carried out to safeguard the legitimate interests of Anadi Bank or a third party, beyond the actual fulfillment of the contract, within the framework of balancing interests. Data processing for the protection of legitimate interests occurs in the following cases:

  • Consultation of and data exchange with credit agencies (e.g., Austrian Credit Protection Association 1870, Credify Information Services GmbH) to determine creditworthiness and default risks;
  • If it is necessary to check your identity or creditworthiness within the framework of our business relationship, we will transmit the necessary data to CRIF GmbH, Rothschildplatz 3/Top 3.06.8, 7020 Vienna, which will process the transmitted data as an independent controller for its purposes as a credit agency and address publisher, as described at https://www.crif.at/datenschutz/;
  • Fraud prevention and combating, as well as preventing money laundering and terrorist financing, specifically, for example:
    • The "Suspicion Database (VDB) for Banks and Financial Institutions" records and processes suspicion cases of fraud and attempted fraud under §§ 146 ff StGB and similar offenses detected during the business relationship or at its initiation. This database is managed by CRIF GmbH as a processor. If credit and financial institutions use this database solution, they can also receive data to check before establishing and during a business relationship with customers whether fraud attempts have been made in the past.
    • Development of data models to detect suspicious behavior patterns.
  • Review and optimization of procedures for needs analysis and direct customer approach;
  • Existing customer advertising or market and opinion research, unless you have objected to the use of your data under Art. 21 GDPR;
  • Video surveillance for the preventive protection of persons/property on the property, to collect evidence in the event of criminal offenses, or to document dispositions and deposits (e.g., at ATMs); this is primarily for the protection of customers and employees;
  • Telephone recordings (e.g., in providing securities services and handling complaints);
  • Measures for business and risk management and further development of services and products;
  • Measures to protect employees and customers, as well as the property of Anadi Bank;
  • Measures for fraud prevention and combating (Fraud Transaction Monitoring);
  • In the context of legal prosecution and defense in legal disputes;
  • Ensuring IT security and IT operations of Anadi Bank;
  • Measures for building and system security.

5. Who receives your data?

5.1 Within our bank

Within Anadi Bank, only those departments or employees who need your data to fulfill contractual, legal, and regulatory obligations, as well as legitimate interests, receive it.

5.2 Outside our bank

  • Authorized processors: (e.g., IT and back-office service providers, service providers for handling account changes or marketing activities) who perform certain data processing tasks on our behalf. These processors receive your data only after signing a contract that meets data protection requirements, particularly confidentiality, compliance with our instructions, data processing exclusively based on and according to the contract, and adherence to specific technical and organizational security measures.
  • Public authorities and institutions: e.g., Financial Market Authority, Austrian National Bank, European Central Bank, tax authorities, tax offices, judicial and law enforcement authorities (police, public prosecutors, courts, lawyers, notaries), and auditors, to the extent we are legally or regulatorily obligated or authorized to do so.
  • Independent contractors, brokers, and business partners: We may share your personal data with independent contractors, brokers, or business partners acting on our behalf or jointly offering products and services, such as insurance or other credit and financial institutions. These contractors are registered under national legal provisions and have the necessary authorization from the respective supervisory authorities.
  • Other third parties: e.g., other credit and financial institutions, such as banks and exchanges, financial services companies, and payment service providers, credit protection associations, consultants, including lawyers or collection agencies, to fulfill contracts (e.g., for transfers or payment services) based on your written consent, or as legally required or permitted under our legitimate interests. Further data transfer to third parties, e.g., for sending advertising information by these third parties, can only occur with your consent.

We would like to point out that, as an Austrian credit institution, we are legally obliged to maintain banking secrecy concerning all customer-related information you entrust to us in the course of the business relationship. Therefore, we may only disclose your personal data if you have expressly and in writing released us from banking secrecy in advance, or if we are legally or regulatorily obliged or authorized to do so.

6. Are your data transferred to a third country?

Your personal data may be transferred to a third country outside the European Union (EU) or the European Economic Area (EEA) in the following cases:

  • If necessary to assert, exercise, or defend legal claims or if there is a legal obligation, e.g., in response to an official request under a mutual legal assistance agreement;
  • If required for your contract or pre-contractual measures, e.g., when a transfer to a third country is made;
  • If legally required (e.g., tax reporting obligations);
  • If you have given us your consent for this;
  • Based on our legitimate interests;
  • Our processors and sub-processors may be located in third countries. If the transfer is not based on an adequacy decision of the European Commission, we transfer the data based on appropriate or adequate safeguards (e.g., binding corporate rules or the conclusion of EU standard data protection clauses). Upon request, we will provide you with a copy of these appropriate safeguards if we process or have your data processed in third countries.

7. How long do we store your data?

We process your personal data as long as necessary for the duration of the entire business relationship (from initiation and processing to the termination of a contract) or as long as you have given your active consent. After achieving or fulfilling the processing purpose, we delete your personal data unless there are legal retention and documentation obligations, which arise from, among others, the Austrian Commercial Code (UGB), the Federal Fiscal Code (BAO), the Banking Act (BWG), the Securities Supervision Act (WAG), and the Financial Market Anti-Money Laundering Act (FM-GwG). According to § 21 FM-GwG, data can be stored up to 10 years after the end of the business relationship or the time of an occasional transaction. Furthermore, statutory limitation periods, which can be up to 30 years in certain cases according to the General Civil Code (ABGB) (the general limitation period is 3 years), must be considered.

8. What data protection rights do you have?

The GDPR grants you several rights regarding your personal data. You have the right to access (Art. 15 GDPR), rectification (Art. 16 GDPR), deletion (Art. 17 GDPR), or restriction of processing of your stored data (Art. 18 GDPR), a right to object to data processing based on our legitimate interests (Art. 21 GDPR), as well as a right to data portability (Art. 20 GDPR). Additionally, you have the right to revoke any given consent at any time without cause, whereby the revocation does not affect the lawfulness of data processing carried out up to the point of revocation, and the right to request a review of automated decisions by a person and to present your point of view (Art. 22 GDPR). To exercise these rights, please contact our data protection officers (see point 1 of this document). You can address any complaints to the Austrian Data Protection Authority (www.dsb.gv.at), Barichgasse 40-42, 1030 Vienna.

9. Am I obligated to provide data? What happens if I do not want to?

For our business relationship, we depend on many of your personal data, e.g., to send you a reordered debit card. If we cannot verify your identity, the law prohibits us from continuing the business relationship. If we do not know your creditworthiness, we are not allowed to grant you a loan. As you can see, where it is required by a contract or legal provision, we must process your personal data. If you do not want this, we may be unable to provide certain services. In all other cases, we process your data only with your consent – and this is, of course, entirely voluntary. You are not obligated to provide your data in these cases.

10. Is there automated decision-making including profiling?

If automated decision-making, including profiling, takes place in specific processing, you will be informed in advance.

In the case of credit granting, a creditworthiness check (credit scoring) is performed. Using statistical comparison groups, the risk of default for loan applicants is assessed. The calculated score value is intended to predict the likelihood of the requested loan being repaid. To calculate this score, your personal data (e.g., marital status, number of children, duration of employment, employer), information on general financial circumstances (e.g., income, assets, monthly expenses, amount of liabilities, securities), and payment behavior (e.g., proper loan repayments, reminders, data from credit agencies) are used. If the risk of default is too high, the loan application may be rejected, possibly leading to an entry in the small loan evidence file maintained by KSV 1870 and the inclusion of an internal warning. If a loan application is rejected, this will be visible in the small loan evidence file maintained by KSV 1870 for 6 months, according to the decision of the Data Protection Authority.

11. Web Hosting

To operate our website, we use the services of the web host ANEXIA® Internetdienstleistungs GmbH (https://anexia.com/). The hosting services enable the provision of the following services: infrastructure and platform services, computing capacity, storage space and database services, security services, and technical maintenance services.

12. Collection of Access Data and Log Files

When using our website, your internet browser automatically transmits certain usage data for technical reasons, which are then compiled into server log files. These include, among others:

  • Date and time of access;
  • URL (address) of the referring website;
  • Retrieved file;
  • Amount of data transmitted;
  • IP address;
  • Browser type and version;
  • Operating system.

We use this information exclusively for the technical administration of our website and to prevent illegal activities related to our website. Log file information is stored for a maximum of 3 months for security reasons (e.g., to investigate abuse or fraud) and then deleted. Data that must be retained for evidence purposes are exempt from deletion until the respective incident is fully resolved.

13. SSL Encryption

For security reasons and to protect the transmission of confidential content, such as your inquiries, we use SSL encryption. You can recognize an encrypted connection by the address line of the browser changing from "http://" to "https://" and the lock symbol in your browser line. When SSL encryption is activated, the data you transmit to us cannot be read by third parties.

14. Contact

If you contact us via our website (contact form, callback agreement, complaint management), your information will be processed to handle the contact request and its processing. Your data will be stored on our server and forwarded via email to the relevant departments or employees who need it to complete the task. We generally delete all inquiries if they are no longer necessary after three months.

14.1 Co-Browsing

This website uses TeamViewer Engage, a technology from TeamViewer Germany GmbH (https://www.teamviewer.com/de/). TeamViewer Engage enables co-browsing and other complementary functions on this website.

We use TeamViewer Engage to provide our customers with the best possible consulting and support experience on this website and the associated services.

Co-browsing is a web-based, download-free screen-sharing technology. If the user agrees, TeamViewer Engage allows an authorized and trained employee of our company to connect to the user's session on the website. When employees connect, it helps them understand the user's concerns better to find more targeted solutions quickly.

Through co-browsing, the following information is continuously transmitted and processed: mouse movements, scrolling behavior, clicks, form inputs (sensitive inputs are excluded from transmission by default), position on the website, visited subpages, time on the page, browser, operating system, type of device, screen resolution, anonymized IP address, location of access (city/nation). Depending on how co-browsing is used, personal data may become visible. Co-browsing sessions may also be recorded, which could also include personal data. The processing is based on Art. 6 (1) lit a and b GDPR.

15. Cookies

Our website uses cookies on several pages. Cookies are information transmitted from our web server or third-party web servers to your web browser and stored there for later retrieval. We use "session cookies," which are only stored for the duration of the current visit to our website. A session cookie stores a randomly generated unique identification number, a so-called session ID. Session cookies are deleted when you close the browser.

We also use cookies that are permanently stored on your computer unless you delete them.

This allows the browser to be recognized the next time you visit our website and makes navigation on our site easier. You will be informed about the use of cookies within the scope of this privacy policy.

If you do not want cookies to be stored on your computer, you are asked to deactivate the corresponding option in your browser's system settings. Stored cookies can be deleted in the system settings of the browser. The exclusion of cookies may lead to functional limitations of this online offer.

You can object to the use of cookies used for reach measurement and advertising purposes via the deactivation page of the Network Advertising Initiative https://optout.networkadvertising.org/ and additionally via the website https://www.youronlinechoices.com/at/praferenzmanagement.

16. Online Presence in Social Media

We maintain online presences within social networks and platforms to communicate with customers, prospects, and users active there and to inform them about our services. Currently, you can find us on the following social media platforms:

  • Facebook
  • LinkedIn
  • YouTube

When you access the respective networks and platforms, the business terms and the data processing guidelines of the respective operators apply.

Unless otherwise stated in our privacy policy, we process the data of users who communicate with us within the social networks and platforms, e.g., write posts on our online presences or send us messages.

17. Google Remarketing/Marketing Services

We use marketing and remarketing services (hereinafter referred to as "Google Marketing Services") provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (hereinafter referred to as "Google").

Google Marketing Services allow us to display ads for our online offer in a more targeted manner, so that you are shown only ads that potentially match your interests. For example, if you are shown ads for products you were interested in on other websites, this is called "remarketing." For these purposes, when you access our website and other websites on which Google Marketing Services are active, Google immediately executes code and integrates so-called (re)marketing tags (invisible graphics or code, also known as "web beacons") into the website. With their help, an individual cookie is stored on your device. This file records which websites the user visited, what content the user is interested in, and which offers the user clicked on, as well as technical information about the browser and operating system, referring websites, visit time, and other information about the use of the online offer. The IP address of the users is also recorded; as we inform you within the scope of Google Analytics, the IP address is shortened within member states of the European Union or in other contracting states of the Agreement on the European Economic Area, and only in exceptional cases is it transmitted in full to a Google server in the USA and shortened there. The IP address is not merged with user data within other Google offers. The information mentioned above may also be combined by Google with such information from other sources. If the user subsequently visits other websites, ads tailored to the user's interests can be displayed accordingly.

Your data will be pseudonymized in the context of Google Marketing Services. This means that Google does not store and process, e.g., your name or email address, but processes the relevant data on a cookie basis within pseudonymous user profiles. From Google's perspective, the ads are therefore not managed and displayed for a specifically identified person but for the cookie owner, regardless of who this cookie owner is. This does not apply if you have expressly allowed Google to process the data without this pseudonymization. The information collected by Google Marketing Services about users is transmitted to Google and stored on Google's servers in the USA.

For more information on data usage for marketing purposes by Google, please visit the overview page https://policies.google.com/technologies/ads, and the privacy policy of Google is available at https://policies.google.com/privacy.

If you wish to object to interest-based advertising through Google Marketing Services, you can use the settings and opt-out options provided by Google: https://adssettings.google.com/authenticated. You have the option to object to the collection by Google Marketing Services when visiting our website by clicking on the "Cookie Settings" on the displayed information bar and then making the appropriate selection. In this case, a so-called opt-out cookie will be stored in your browser, resulting in Google Marketing Services no longer collecting session data. If you delete your cookies, this also means that the opt-out cookie is deleted and therefore needs to be activated again.

18. CAPTCHA.EU

To prevent automated entries and to protect our online forms, we use the CAPTCHA.eu service from Captcha GmbH, Muthgasse 2, 1190 Vienna. Data such as the IP address (the last 4 digits are deleted before storage), type and model of the device, browser type, referrer website, mouse movements, and time intervals between keystrokes are collected and transmitted to CAPTCHA.eu. Cookies or local storage values are placed on the device but are not further processed. This data processing serves to protect against misuse by bots and spam. The data is stored for a maximum of 6 months.

You can find the privacy policy of Captcha GmbH at https://www.captcha.eu/dsgvo-user__de/.

19. Reach Measurement with PIWIK Pro

We use PIWIK Pro for reach measurement. Data processing is carried out at ARZ Allgemeines Rechenzentrum GmbH, Tschamlerstraße 2, 6020 Innsbruck.

  • Browser type and version;
  • Operating system and country of origin;
  • Date and time of the server request;
  • The number of visits;
  • The duration of the visit on the website;
  • The activated external links.

The IP address is anonymized before storage.

20. Newsletter

If you give us your marketing consent, we process personal data such as your email address and your target group selection based on the consent you have given. We use the newsletter sending service CleverReach (https://www.cleverreach.com/) for sending newsletters.

20.1 Newsletter Content

Our newsletters contain information about our products, offers, promotions, current events, and our company.

20.2 Statistical Evaluations

Statistical evaluations are carried out for each newsletter. In the course of this retrieval, information about your IP address and the time of retrieval is collected. This information is used to make the content of the newsletters more engaging and relevant and to measure the success of marketing campaigns. Statistical surveys include determining

  • whether the newsletters are opened,
  • when they are opened,
  • and which links are clicked.

The evaluations serve primarily to recognize the reading habits of our subscribers and to adapt our content to them or to send different content according to the interests of our subscribers.

20.3 Cancellation/Revocation

You can cancel the receipt of our newsletter at any time, i.e., revoke your consent. You will find a link to cancel the newsletter at the end of each newsletter. If you have registered for the newsletter and canceled this registration, you will not receive any further newsletters until you give us your marketing consent again.

21. Internet Banking

Internet banking enables the completion of banking transactions over the internet. When opening internet banking, you will receive your personal access data from us. To access your personal bank data, you must first authenticate yourself with this access data. This authentication and all other data transmissions take place via an encrypted https connection. Data processing is carried out at ARZ Allgemeines Rechenzentrum GmbH, Tschamlerstraße 2, 6020 Innsbruck.

22. Internet Banking App for Mobile Phone and Tablet

The internet banking app provides the full functionality of the internet banking platform within an app.

22.1 Use of Push Notifications

The internet banking app uses push notifications. This allows information from the internet banking app to be displayed directly on your mobile phone/tablet. The push notification system of your operating system is used for this. It cannot be excluded that the provider of the operating system of your mobile phone/tablet receives this data and therefore transfers it to the USA.

Please note that push notifications may fail due to a disruption. Push notifications remain accessible in the internet banking app even if they have been deleted on the mobile phone/tablet.

22.2 Access to Functions

The internet banking app uses many functions of your mobile phone/tablet. The internet banking app accesses the camera (for capturing QR codes, invoices), network connection (for using web content), location (only for location queries in the branch finder), system tools (for push notifications), and storage (to run the internet banking application). This access takes place in order to use the functions of the internet banking app. Please note that you grant permission to use the functions by downloading or updating the app. Revocation of certain functions is only possible with significant restrictions or by not using the internet banking app. Access to functions occurs only when necessary for the execution of a specific action by the internet banking app.

22.3 Use of Google Maps

To locate branches and display them on an interactive map, we use the "Google Maps API" mapping service from Google Inc., based in the USA. By using Google Maps, information about the use of the app is transferred to Google's servers in the USA and stored there. Google commits under its privacy policy not to disclose information to third parties, but exceptions are made. The data collected may be transferred to third parties if required by law in the USA or if third parties process the data on behalf of Google. The terms of use for Google Maps can be found at https://www.google.com/intl/de_US/help/terms_maps.html.

Detailed information can be found in Google's Privacy Center: Transparency and Choices https://policies.google.com/privacy?hl=de#infochoices and Privacy Policy https://www.google.com/policies/privacy/.

22.4 TresorTAN App

The TresorTAN app is an alternative way to deliver transaction numbers (TAN) for signing orders. The TresorTAN app is a standalone application that you must download and install for your device. When using TresorTAN signing, a TAN is encrypted and made available in the TresorTAN app. You will be notified via push notification. The transaction-specific data is displayed again in the TresorTAN app. Based on this data, the order can be reviewed again. The TresorTAN is only valid once for the specific order.

As of October 2023

23. Hotjar

We use Hotjar to better understand our users' needs and to optimize the offering and experience on this website. Using Hotjar's technology, we gain a better understanding of our users' experiences (e.g., how much time users spend on which pages, which links they click, what they like and dislike, etc.), and this helps us tailor our offering to user feedback. Hotjar works with cookies and other technologies to collect data about user behavior and their devices, in particular, the device's IP address (collected and stored only in anonymized form during your website use), screen size, device type (unique device identifiers), browser information, location (country only), and preferred language for displaying our website. Hotjar stores this information on our behalf in a pseudonymized user profile. Hotjar is contractually prohibited from selling the data collected on our behalf.

For more information, see the section "about Hotjar" on Hotjar's help page.

24. Use of the alugha Video Player

This website uses the alugha video player, an embedding function provided by Alugha GmbH, O7, 17, 68161 Mannheim, Germany, for displaying and playing videos (more information can be found at https://alugha.com).

In providing the video player, the Matomo analytics tool is used to measure video performance, diagnose errors, and provide performance reports to website operators. Alugha has implemented data protection configurations to ensure the highest level of data protection and anonymization. This includes, among other things, the omission of tracking cookies, the standard anonymization of user IPs, and storing data exclusively on alugha servers within the European Union.

The data collected by alugha during video use is made available to us as website operators. At no point is it possible to individually assign the collected information to individual users/viewers. Alugha does not sell or transmit this data to third parties.

Details about the data collected by Matomo can be found here:

Data usage evaluation is based on legitimate interests under Art. 6 para. 1 lit. f GDPR, which include the proper provision of our services by alugha.

Comprehensive data protection information on alugha, including terms of use and privacy policy, can be found at the following links:

If personal data is processed, it is done in accordance with applicable data protection regulations. Users can assert their data protection rights at any time in accordance with legal requirements.

25. Adobe Fonts

We integrate fonts ("Fonts") from Adobe (Adobe Systems Incorporated, 345 Park Avenue, San Jose, CA 95110-2704, USA) on our website. Adobe is certified under the EU-US Privacy Shield.
For more information on Adobe Typekit Web Fonts, visit https://www.adobe.com/de/privacy/policies/typekit.html.

Adobe's privacy policy can be found at https://www.adobe.com/de/privacy/policy.html.