The personal data provided will only be processed and stored for as long as it is necessary for the fulfilment of the aforementioned purposes, in any case for the duration of the entire business relationship, as well as beyond that in accordance with the regulatory or statutory retention periods, the statutory warranty periods or contractually agreed guarantee periods or if another legally regulated reason or the settlement of the contractual relationship or legal disputes justifies the storage in individual cases.
Data will be erased after the purpose has been fulfilled and after the expiry of applicable statutory retention obligations or after the expiry of statutory warranty periods or contractually agreed guarantee periods, but not before the end of any legal disputes in which the data is required as evidence.
The main retention and documentation obligations for a credit institution arise, among other things, from the following statutory provisions:

• Austrian Fiscal Code § 132 BAO (7 years or for the duration of tax proceedings);
• Financial Market Anti-Money Laundering Act § 21 FM-GwG (10 years from the end of the business relationship).
• Austrian Commercial Code § 212 UGB (7 years)

An overview of the statutory retention obligations applicable in Austria can be found here:
https://www.wko.at/datenschutz/eu-dsgvo-speicher-und-aufbewahrungsfristen

Data is processed for the purpose of evaluating certain personal aspects. We use profiling in the following cases in particular:
Due to legal and regulatory requirements, we are obliged to prevent money laundering and the financing of terrorism (“AML”) as well as to combat fraud (fraud prevention). For this purpose, customer details, payment details and transactions are analyzed, whereby certain personal data is used to check whether a transaction could be fraudulent or AML-relevant or whether other AML-relevant anomalies can be identified. Based on the result of the check, a transaction may have to be rejected or a payment instrument blocked or the application for the issuing or opening of a product may be rejected. These measures also serve to protect you.
When granting a loan, your creditworthiness (credit check) may be assessed using a scoring system based on a mathematically and statistically recognized and proven procedure. Statistical comparison groups are used to calculate the default risk or the probability that a customer will meet their payment obligations in accordance with the contract. The following data, among others, can be used to calculate this score:

• Master data (e.g. marital status, number of children, profession, employer, length of employment)
• Financial circumstances (e.g. income, assets, expenses, existing liabilities, collateral)
• Payment behavior and experiences from the previous business relationship (e.g. credit history, dunning letters, ordinary business relationship)
• Information about your payment history that we have received from credit agencies
• Information on your payment behavior that you have provided to us in the course of onboarding or the ongoing business relationship or in another way (e.g. account statements, account history or other proof of creditworthiness)

The credit check (scoring) and the assessment of credit behavior and a high level of loans can be used as part of the assessment of creditworthiness. This involves an assessment of whether the customer is currently and will continue to meet their payment obligations under a contract. This enables us to make responsible credit decisions that are fair and well-founded. The scoring is based on a mathematically and statistically recognized procedure. The calculated values help us to decide when someone wants to purchase a product. They are also used in the ongoing management of credit and general default risk.
In the course of initiating the business relationship and subsequently also in the course of the ongoing business relationship, you may also be subject to a decision based solely on automated processing - including profiling - within the meaning of Art. 22 GDPR. In particular, the following automated decisions may be made

• Decision on the acceptance or rejection of an application to open a business relationship (credit check, AML reasons, fraud prevention)
• The decision on the amount of a loan granted
• The decision to carry out transactions or to block a payment instrument for reasons of creditworthiness, AML or fraud

If you are subject to a decision based solely on automated processing - including profiling - in accordance with Art. 22 GDPR, you have the right to request a review of the decision by an employee of DenizBank AG in accordance with Art. 22 para. 3 GDPR. To do so, you can contact ContactCenter@denizbank.at and explain your point of view as to why a different decision should have been made.

Art. 6 para. 1 lit. f GDPR serves as the legal basis for the aforementioned data processing for fraud prevention and credit checks. They serve a legitimate interest. Data processing to combat fraud and to check creditworthiness also serves to fulfill legal obligations to check creditworthiness, in particular under the Consumer Credit Act (§§ 7 f VKrG) and the Mortgage and Real Estate Credit Act (§ 9 ff HIKrG) and to combat fraud, in particular under the Banking Act, due to European legal requirements and the Financial Market Anti-Money Laundering Act, especially since fraud is one of the most common predicate offenses for money laundering (e.g. § 39 para. 2 BWG, § 5 ff FM-GwG; see e.g. FMA Circular Risk Analysis 03/2022, p.10 ) (Art 6 para 1 lit c GDPR).
Article 6 para. 1 lit. c GDPR serves as the legal basis for the aforementioned AML-relevant data processing, which arises in particular from the FM-GwG (Section 5 et seq. FM-GwG). They are required to fulfill a legal obligation.
In addition, Art. 22 para. 2 lit. a GDPR (necessary for the conclusion or performance of a contract between the data subject and the controller) serves as the basis for automated decision-making.

The personal data provided will only be processed and stored for as long as it is necessary for the fulfilment of the aforementioned purposes, in any case for the duration of the entire business relationship, as well as beyond that in accordance with the regulatory or statutory retention periods, the statutory warranty periods or contractually agreed guarantee periods or if another legal reason or the settlement of the contractual relationship or legal disputes justifies the storage in individual cases.
Data will be erased after the purpose has been fulfilled and after the expiry of applicable statutory retention obligations and after the expiry of statutory warranty periods or contractually agreed guarantee periods, but not before the end of any legal disputes in which the data is required as evidence.
The main retention and documentation obligations for a credit institution arise, among other things, from the following statutory provisions:

• Austrian Fiscal Code § 132 BAO (7 years or for the duration of tax proceedings);
• Financial Market Anti-Money Laundering Act § 21 FM-GwG (10 years from the end of the business relationship).
• Austrian Commercial Code § 212 UGB (7 years)

An overview of the statutory retention obligations applicable in Austria can be found here:
https://www.wko.at/datenschutz/eu-dsgvo-speicher-und-aufbewahrungsfristen

As a credit institution, DenizBank AG is exposed to an increased risk potential with regards to possible criminal offenses that could be committed against DenizBank AG. For this reason, it is necessary to monitor the buildings and branches of DenizBank AG by video recording in order to protect our employees, our customers, our business premises and to prevent fraud and criminal offenses in general. This affects the interior as well as the immediate exterior area around the buildings, branches or ATMs of DenizBank AG.

Art. 6 para. 1 lit. f GDPR serves as the legal basis for the aforementioned data processing in the context of video recordings. They serve a legitimate interest of DenizBank AG.

Video recordings of indoor areas (branches and head office) are deleted after a maximum of 30 days. Retention for 30 days is necessary as this is the only way to ensure that any criminal offenses can be investigated.
Video recordings that cover the outdoor area and thus, to a lesser extent, public areas, are deleted after 72 hours at the latest.

DenizBank AG records all telephone conversations that are subject to the Securities Supervision Act (WAG) (e.g. concerning transactions in connection with financial instruments such as securities, futures contracts, swaps, forward transactions, derivative contracts, etc.) for documentation purposes and to fulfill regulatory obligations. Furthermore, all other telephone conversations with employees of the Priority Banking departments are also recorded, as these conversations may contain WAG-relevant facts and the client may also place orders in such conversations. You will be expressly informed of the recording at the beginning of such a call.
If telephone orders were also placed with DenizBank in the course of a recorded telephone call, these recordings may subsequently be processed for the purpose of ensuring that an order is executed correctly.
Furthermore, DenizBank AG may record telephone calls with the Customer Care Center for quality assurance and documentation purposes. Such recording will only take place if you expressly consent to it. You will be asked for your consent at the beginning of the respective telephone call.

Art. 6 para. 1 lit c GDPR, § 33 WAG 2018 and Art. 76 of the DelReg (EU) 2017/565 serve as the legal basis for the recording of telephone calls, which are subject to the WAG. They are required to fulfill a legal obligation. Furthermore, for the recording of telephone calls with the Priority Banking departments or for parts of telephone calls with the Priority Banking department that do not have any direct WAG-relevant content, Art. 6 para. 1 lit. f GDPR serves as the legal basis. They serve a legitimate interest of DenizBank AG, as DenizBank AG must be able to prove to its supervisory authorities at any time that the provisions of the WAG are being complied with. However, this proof is only possible to the extent required if all telephone calls made by the departments relevant to the WAG are recorded in full.
Processing to ensure that an order is executed correctly is based on DenizBank's legitimate interest in ensuring the proper execution of orders. Art. 6 para. 1 lit. A GDPR serves as the legal basis for the recording of telephone calls by the Customer Care Center (consent of the data subject).

There is a statutory retention period of up to 7 years for recordings of telephone calls that are subject to the WAG. A copy of the recording of such telephone conversations with customers is available on request for a period of five years and, if requested by a competent authority, for a period of up to seven years (free of charge). Recordings are automatically deleted at the end of the retention period unless there are specific reasons that make longer processing necessary. The retention period generally applies to all telephone calls made by the Priority Banking departments.
Recordings of telephone calls with the Customer Care Center are stored for as long as consent is not revoked, but for a maximum of 7 years.

DenizBank AG may also process your data for its own advertising purposes, whereby we will never pass on your data to third parties for advertising purposes without your consent. This does not apply to processors (service providers) which we use to fulfill the processing purposes listed here and which are contractually obliged to process data only for the purposes specified by us. The advertising purposes are limited to products of DenizBank AG and products of cooperation partners of DenizBank AG (e.g. insurance or loan brokerage). The aim of this processing is to be able to offer suitable products (e.g. by post or personal contact) as part of good customer service. For this purpose, we may process data relating to the business relationship (e.g. existing products) and address data.
Contact data will not be used for promotional calls or promotional electronic mail unless consent has been given to the use of personal data for promotional calls and promotional electronic mail.

The legal basis for general data processing for advertising purposes is Article 6(1)(f) GDPR. They serve a legitimate interest of DenizBank AG.
Art. 6 para. 1 lit. A GDPR serves as the legal basis for marketing by telephone or electronic mail (consent of the data subject).

For advertising purposes, we only process data that is already collected due to an existing contractual relationship and which therefore must be processed for reasons already stated in this privacy policy (e.g. to fulfill a contract or due to a legal obligation). Erasure can therefore only take place after expiry of the respective retention periods listed above.
However, regardless of other retention periods, processing for advertising purposes will only take place during an active business relationship and only as long as you have not objected to the processing or withdrawn your consent.
You can object to the processing at any time, e.g. by e-mail to ContactCenter@denizbank.at or by post to Thomas-Klestil-Platz 1, 1030 Vienna, Austria, and you can also revoke or change your consent in the DenizBank AG app or via your online banking access in the settings.

We may transmit personal data collected within the scope of the contractual relationship regarding the application, execution and termination of the business relationship as well as data on non-contractual behavior to the consumer credit register (“Konsumkreditevidenz”) and the “Warnliste” both operated by Kreditschutzverband von 1870 (KSV), Wagenseilgasse 7, 1120 Vienna, Austria. The legal basis for this transfer is Article 6 para. 1 lit. f of the GDPR (legitimate interest). The data exchange with KSV also serves to fulfill legal obligations to carry out creditworthiness checks. The data transmitted will subsequently be processed by KSV as the independent controller. You can find more information at https://www.ksv.at/datenschutzerklaerung-kreditschutzverband-1870-dsgvo.

In the course of issuing debit cards, we must also pass on data to the international card organization “Mastercard” (Mastercard International Incorporated, Mastercard Europe SA) and it may also be necessary (e.g. to process complaints) for data to be passed on to licensees and acceptance partners associated with Mastercard.
The transfer is required in accordance with Art. 6 para. 1 lit. b GDPR to fulfill the contractual relationship with you. Further information on data processing by Mastercard can be found at

• https://www.mastercard.us/content/dam/mccom/global/documents/mastercard-bcrs.pdf
• https://www.mastercard.at/de-at/datenschutzbestimmungen.html

If and insofar as it is required for the aforementioned purposes, we will also transfer your personal data to the extent necessary to the following recipients or categories of recipients:

• Parent company
• Financial institutions, banks, payment service providers
• Austrian National Bank
• Ministry of Finance
• Administrative authorities, courts and public corporations
• External legal representatives, notaries, tax consultants, auditors and accountants
• US tax authorities
• Creditor protection associations
• IT service providers
• Other service providers and cooperation partners
• Debt collection agencies for debt recovery
• Cooperation partners in the course of brokerage activities

Some of the recipients mentioned above may be located outside Austria or outside the European Union or process personal data outside Austria or outside the European Union. The level of data protection in these countries may not correspond to that of Austria or the member states of the European Union. In this context, we may point out that we only use processors outside the European Union if an adequacy decision has been issued by the European Commission for the third country in question, if we have agreed suitable guarantees (e.g. current standard contractual clauses), if suitable guarantees are in place, e.g. binding corporate rules or if express consent has been given. In such cases, we take all measures to ensure that all recipients offer an appropriate level of data protection.

In accordance with Art. 15 GDPR, you can request information about your personal data processed by us. In particular, you can request information about the processing purposes, the categories of personal data, the categories of recipients to whom your data has been or will be disclosed, the planned storage period, the existence of a right to rectification, erasure, restriction of processing or objection, the existence of a right to lodge a complaint, the origin of your data if it was not collected by us, about a transfer to third countries or to international organizations and about the existence of automated decision-making including profiling and, if applicable, information about its details.

In accordance with Art. 16 GDPR, you can request the immediate correction of incorrect or the completion of your personal data stored by us.

In accordance with Art. 17 GDPR, you can request the erasure of your personal data stored by us, unless the processing is necessary for exercising the right of freedom of expression and information, for compliance with a legal obligation, for reasons of public interest or for the establishment, exercise or defense of legal claims.

In accordance with Art. 18 GDPR, you can request the restriction of the processing of your personal data if the accuracy of the data is disputed by you, the processing is unlawful, we no longer need the data and you refuse erasure because you need it to assert, exercise or defend legal claims. You also have the right under Art. 18 GDPR if you have objected to the processing pursuant to Art. 21 GDP.

In accordance with Art. 20 GDPR, you can request to receive your personal data that you have provided to us in a structured, commonly used and machine-readable format or you can request that it be transferred to another controller.

In accordance with Art. 77 GDPR, you have the right to lodge a complaint with a supervisory authority. As a rule, you can contact the supervisory authority of your usual place of residence, your place of work or our company headquarters. The supervisory authority responsible for the registered office of DenizBank AG is:

In accordance with Art. 7 para. 3 GDPR, you can withdraw your consent at any time. To do so, you can contact ContactCenter@denizbank.at. As a result, we will stop the relevant data processing.

If your personal data is processed on the basis of legitimate interests in accordance with Art. 6 para. 1 lit. f GDPR, you have the right to object to the processing of your personal data in accordance with Art. 21 GDPR on grounds relating to your particular situation or if the objection is directed against direct marketing. In the case of direct marketing, you have a general right to object, which we will implement without you having to specify a particular situation. You can contact ContactCenter@denizbank.at for this purpose.

If you are subject to a decision based solely on automated processing - including profiling - in accordance with Art. 22 para. 2 lit. a GDPR, you have the right to request a review of the decision by an employee of DenizBank AG in accordance with Art. 22 para. 3 GDPR. To do so, you can contact ContactCenter@denizbank.at and explain your point of view as to why a different decision should have been made.

We are committed to protecting your privacy and treating your personal data confidentially. In order to prevent manipulation, loss or misuse of your data stored by us, we take extensive technical and organizational security precautions, which are regularly reviewed and adapted to the technological progress.