DenizBank AG offers transparency, security and integrity regarding the handling of your personal data. We are committed to processing your data with the utmost care and to protecting them against any misuse. Due to the EU General Data Protection Regulation – which will enter into force on 25 May 2018 – and the Data Protection Adjustment Act 2018, special provisions will apply in addition to the existing statutory regulations with regard to the processing of personal data.
Below you will find an overview on the processing of your personal data. Moreover, we will explain which data are collected when you visit our website and how they are used. Besides, you will find information on your rights under the Data Protection Law.
Our privacy notices (pursuant to Articles 13 and 14 of the General Data Protection Regulation) provide you with detailed information. You may download the applicable versions or send us a request if you would like to receive them in paper form.
Contact details of the data controller and the data protection officer
Tel: +43 (0) 505-105/2000
Fax: +43 (0) 505-105/2029
Data protection officer:
Herr Berhan Felek, BSc.
Information on the data we process
We process the personal data obtained from you within the framework of our business relationship. If it is required for providing our services, we also process personal data we have legitimately received from other third parties (such as service providers, KSV1870 Holding AG, CRIF GmbH) (e.g. for executing orders, performing contracts or based on your declaration of consent). Personal data we have legitimately obtained from publicly available sources (e.g. land registers, company registers and registers of associations, press, media, or the internet) are rightfully processed as well.
Relevant personal data may include:
- Particulars (e.g. name, address/other contact details, date of birth, place of birth, nationality)
- Identification data (e.g. ID card data) and authentication data (e.g. specimen signature)
- Order data (e.g. payment orders, standing orders)
- Data for the fulfilment of statutory and regulatory requirements (e.g. MiFID II status)
- Legally relevant data in accordance with the KYC principle (e.g. customer profile, documentation about the purpose and nature of the business relationship, proof of source of funds, PEP check)
- Tax-related data (e.g. FATCA status and/or CRS status)
- Documentation data (e.g. MiFID II consultation records, memos)
- Video and telephone recordings
- Information derived from electronic communications with DenizBank AG (e.g. apps or cookies)
Information on the purpose and legal basis of the processing of personal data and their retention periods
The aforementioned personal data are processed in accordance with the data protection regulations. Moreover, our data processing is based on the justifications stipulated in Article 6 Section 1 GDPR only. The main purposes are as follows:
- Fulfilment of contractual obligations
Personal data is processed for the execution of banking transactions and for the brokerage of insurances, building society savings plans and private loans. These transactions and activities are carried out within the framework of the performance of the contracts entered into with you or for the implementation of any pre-contractual measures taken on your request. Apart from that, they are processed for the performance of all activities necessary for operating and managing a credit and financial services institution.
For specific details on the purpose of data processing, please refer to the respective contractual documents and our terms and conditions.
- Fulfilment of legal obligations or grounds of public interest
As a bank, we are subject to different legal obligations (e.g. Banking Act, Financial Market Anti-Money Laundering Act, Securities Supervision Act 2018, Payment Services Act and tax laws) and banking regulations (such as those stipulated by the European Central Bank, the European Banking Supervisors, the Austrian National Bank and the Financial Market Authority).
We may process your personal data for the following purposes (non-exhaustive list): creditworthiness assessment, identity check and verification, measures for the prevention of fraud and money laundering, compliance with the provisions concerning market abuse and insider information, compliance with the fiscal control and reporting obligations as well as risk assessment and control at the bank and within the group.
- Based on your consent
If you have given your consent to the processing of your personal data for specific purposes (e.g. for email advertising), the processing activity performed on the basis of your consent is deemed lawful. Your personal data will be processed exclusively for the purposes and within the scope defined in your declaration of consent. You may revoke your declaration of consent at any time with effect for the future. This also applies to declarations of consent given before entry into force of the GDPR (25 May 2018).
- Safeguarding of legitimate interests
If required for the safeguarding of our legitimate interests or those of third parties, we will process your data beyond the actual fulfilment of the contract based on the balancing of interests. Data processing for the safeguarding of legitimate interests occurs, for instance, in the following cases:
- Consultation of and data exchange with credit agencies (e.g. KSV1870, CRIF) in order to collect data relating to your creditworthiness
- Recording of telephone calls (e.g. in the context of complaint management)
- Assertion of legal claims, defence in the event of legal disputes, in the course of prosecution
- Safeguarding of the Bank's IT security and IT operations
- Prevention and investigation of criminal offences
- Measures concerning the safety of buildings and facilities and the protection of customers, employees and the Bank's property
- Measures for the prevention of and fight against fraud
- General business management measures and measures for the development of products and services.
Personal data will only be processed and retained for as long as necessary for the fulfilment of the aforementioned purposes and, in any case, for the duration of the entire business relationship as well as beyond this period in compliance with the supervision requirements or statutory retention periods, the statutory warranty periods or contractual guarantee periods or whenever there are any other lawful reasons that justify the retention on a case-by-case basis.
Your data will be deleted upon fulfilment of the purpose as well as upon termination of the statutory retention periods, the statutory warranty periods or the contractual guarantee periods. In case of legal disputes, however, when the data are needed as evidence, they will not be deleted before the disputes are settled. The retention and documentation obligations result, inter alia, from the Commercial Code, the Federal Tax Code, the Banking Act, the Financial Market Anti-Money Laundering Act and the Securities Supervision Act 2018. The statutory limitation periods pursuant to the Civil Code of Austria (ABGB) are to be considered as regards the retention and storage periods. The ABGB stipulates a general limitation period of up to 30 years (from the date of damage/occurrence of the damage) and, in certain cases, a special limitation period of three years (from the date on which the damage and the injuring party are known). Where processing is based on your consent, the data will not be deleted until you have revoked your consent.
Information on the disclosure of your data
Within the Bank, only those departments and/or employees that require your data for the fulfilment of our contractual, statutory and supervisory obligations as well as for our legitimate interests will be given access to your data. Apart from that, we may disclose your personal data to processors (service providers) if these comply with the data protection requirements stipulated in writing in the order processing agreements and if these are bound by confidentiality obligations. In case we commission a processor, we remain responsible for the protection of your personal data.
As regards the disclosure of data to recipients outside the Bank, we point out that as a bank, we are obliged not to disclose any customer-related information confided or made available to us due to the business relationship (banking secrecy according to § 38 BWG, Austrian Banking Act). We are not entitled to disclose your personal data unless required by legal and/or supervisory provisions. Besides, we may disclose your personal information if you have given your consent or released us from our secrecy obligation in writing. Within the scope of supervisory and/or statutory obligations, your data may also be disclosed to public authorities and institutions (e.g. Financial Market Authority, European Banking Supervisors).
Where this is strictly necessary for the aforementioned purposes, we will disclose your personal data to the categories of recipients mentioned below. However, this only occurs to the extent necessary. (For detailed information, please refer to our separate privacy notices pursuant to Articles 13 and 14 GDPR).
- Parent company
- Our branch offices
- Information services providers
- Financial institutions, financial companies and financial services providers
- Society for Worldwide Interbank Financial Telecommunication (S.W.I.F.T.)
- Insurance companies
- Building societies
- (Supervisory) authorities
- Austrian National Bank
- Ministry of Finance
- Administrative authorities, courts and public corporations
- External legal representatives, notaries, tax consultants, auditors and annual auditors
- US tax authorities
- Pension authorities
- Creditor protection associations
- IT services providers
- Other service providers and partners
- Collection agencies for the purpose of debt recovery
It is possible that some of the aforementioned recipients are established outside Austria or outside the European Union or that some of them process your personal data outside Austria and/or outside the European Union. The level of data protection in these countries may not exactly be equal to the level in Austria and/or the EU member states. In this respect, we would like to point out that we do not use processors outside the European Union unless the European Commission has taken an adequacy decision with regard to the third country concerned, or unless we have agreed upon appropriate safeguards (e.g. standard contractual terms) or binding internal data protection regulations with the processor. Hence, we take all measures necessary to ensure that all recipients provide an appropriate level of data protection.
Information on automated decision-making and profiling
Generally, we do not use automated decision-making processes for the establishment and implementation of our business relationships. Should we use these processes in individual cases, we will inform you accordingly if required by law.
The processing of your personal data is partially automated with the objective of evaluating certain personal aspects (profiling). We use profiling in the fight against money laundering and terrorism financing, for example, but also for being able to appropriately inform and advise you on products.
In the course of the granting of credits, we assess your creditworthiness (credit assessment) using a scoring system. This system uses recognised and proven mathematical and statistical procedures. We use statistical comparison groups in order to calculate the default risk and/or the probability of the customers' fulfilment of their contractual payment obligations. If the default risk is too high, the credit application will be rejected. Where applicable, KSV1870 will make an entry into the Konsumentenkreditevidenz (KKE, Consumer Credit Register). Moreover, we may create an internal warning. Whenever a credit application is rejected, this will be visible in the KKE maintained by KSV1870 for a period of 6 months in accordance with the Data Protection Authority's notification. If decisions are made without human interaction on the basis of scoring, you have the option to request a natural person's intervention into the handling process. However, this is only possible for legitimate reasons on a case-by-case basis.
Information on data security
Appropriate technical and organisational measures have been implemented in order to ensure the protection and security of your personal data. These technical and organisational measures protect your personal data against access by unauthorised third parties. They include, in particular, an authorisation concept as well as procedural, organisational and digital protective measures concerning our IT infrastructure.
These measures are updated on a continuous basis using state-of-the-art technology. Besides, they are checked within the framework of regular audits.
The data you enter on this website are collected and transmitted to the responsible departments or employees within the Bank. The banking secrecy and the confidentiality of your data remain unaffected.
Information on the collection of personal data when visiting our website
When using our website for informational purposes only, i.e. when you neither sign up nor otherwise transmit any information, we only collect the personal data transmitted to our server by your browser. If you want to browse our website, we will collect the data mentioned below (these are needed for technical reasons in order for us to be able to display our website and to ensure its stability and security (the legal basis is thus provided under Art. 6 Sec. 1 lit f GDPR)): IP address; date and time of the request; time zone difference compared to the Greenwich Mean Time (GMT); contents of the request (specific page); access status/HTTP status code; transferred data volume; referrer URL; browser; operating system and its user interface; language and version of the browser software.
Information on the use of analytics and cookies
To be able to customise our website according to your individual interests and needs, we cooperate with several service providers (Webtrekk, Google) in order to collect data by means of cookies. Cookies are small text files saved on your computer/device by the browser. Cookies allow us to recognise your browser when you revisit our website. However, data such as your name or address will not be collected or retained in this context.
Our websites do not use any technologies that, with the objective of determining your identity or email address, connect information generated by cookies with your personal user data. We undertake not to analyse these cookies with regard to your identity.
Apart from Webtrekk and Google Analytics, our websites use the following analysis tools: Remarketing, Display Network Impression Reporting, DoubleClick Campaign Manager, Google Analytics reports on the performance according to demographic features and interests. Moreover, we use the UserID function in order to be able to track interaction data. This UserID is anonymised and encrypted and will not be related to other data.
The Google tracking codes of this website use the "_anonymizeIp()" function by means of which IP addresses are shortened before they are processed. A direct reference to persons can thus be excluded. Your IP address will previously be shortened by Google within the European Union Member States or the other Signatory States of the Agreement on the European Economic Area.
Google will use this information on our behalf to analyse your use of the website, to gather reports about the website activities and to provide us with further services related to the use of the website and the internet. The IP address transferred from your browser within the framework of Google Analytics will not be merged with other Google data. In exceptional cases, when personal data are transferred to the USA, Google adheres to the EU-US Privacy Shield framework: https://www.privacyshield.gov/EU-US-Framework. The legal basis that permits the use of Google Analytics is Art. 6 Sec. 1 lit f GDPR.
You can change the settings of your browser software to keep the cookies from being saved. Apart from that, you have the right and option to reject our cookies. If you disable the cookies, you may not be able to use all the functions of this website.
Information on your rights
Each person whose data are or were processed by us has the following rights, provided that these are not subject to statutory limitations or do not infringe any statutory provisions:
- Right to receive information on whether personal data are processed and, if so, on the nature of the data and the extent of their processing
- Right to rectification, completion and/or deletion of the personal data
- Right to restrict the processing of personal data
- Right to transfer personal data
- Right to object to a processing activity (under certain conditions)
- Right to revoke the declaration of consent at any time. This revocation does not affect the lawfulness of the processing activities that occurred as a result of the consent up to the date of its revocation.
As regards the rights to rectification and deletion, the restrictions stipulated in § 4 Section 2 of the Data Protection Adjustment Act 2018 shall apply. Moreover, the person concerned has the right to file a complaint with the Data Protection Authority:
Supervisory authority responsible for monitoring compliance with data protection regulations in Austria:
Version as of March 2019