Information pursuant to Articles 13 and 14 of the General Data Protection Regulation (GDPR) on the processing of personal data
We hereby inform you about the processing of your personal data and the data protection claims and rights to which you are entitled. The content and scope of the data processing depends largely on the products and services you have requested or which are agreed with you.
Who is responsible for data processing and whom can you contact?
Responsible for data processing:
Raiffeisen Bank International AG (hereinafter referred to as "Bank" or "RBI")
Am Stadtpark | 1030 Vienna | Austria
T: +431 71707-0
The Data Protection Officer of the Bank:
Am Stadtpark 9 | 1030 Vienna | Austria
T: +431 71707-610
Which data are processed and from which sources do they come?
We process the personal data that we receive from you as part of our business relationship. In addition, we process data that we have legitimately received from credit bureaus, information service providers, debtor directories (e.g. Kreditschutzverband von 1870) and from publicly available sources (e.g. business register, association register, land register or media) or that are provided legitimately by other companies affiliated with the bank.
Personal information includes your personal details and contact information (e.g. name, address, date and place of birth, nationality, etc.) or identity and travel document information (such as signature sample, ID information). In addition, this may include payment and clearing data (e.g. payment orders, turnover data in payment transactions), orders/order confirmations regarding financial instruments, credit data (e.g. type and amount of income, recurring payment obligations for children's education costs, loan repayments, rents), data on marketing and distribution, credit transactions, image and/or sound recordings (e.g. video and telephone recordings), electronic log and identification data (apps, cookies, etc.), financial identification data (data from credit, debit, prepaid cards) or AML (anti-money laundering) and compliance data and other data comparable to the above categories.
On our website www.raiffeisencertificates.com, personal data are only registered and processed if you have actively provided them, for example during registration. Furthermore, your IP address is stored in a log file.
We cooperate with different social networks. When you use these services, your browser is connected automatically with the respective network. It transmits your IP address and further information, such as cookies, if you have previously visited the respective platform.
Where possible, we avoid this form of data transmission until you interact with one of these platforms. By clicking the respective symbol (e.g. the LinkedIn or Facebook logo) you confirm that you are willing to communicate with the particular platform and that your personal data, e.g. your IP address, will be transmitted to this social network.
For which purposes and on which legal basis are data being processed?
We process your personal data in accordance with the provisions of the European General Data Protection Regulation (GDPR) and the Austrian Data Protection Act 2018:
to fulfill contractual obligations (Article 6 (1) (b) GDPR)
The processing of personal data (Art 4 No. 2 GDPR) is carried out for the provision and brokering of banking and financial services in particular for the performance of our contracts with you and the execution of your orders as well as for carrying out pre-contractual measures.
The purposes of the data processing are based primarily on the specific product (for example, account, securities account, credit, securities, deposits, brokerage, Company Research) and may, among others, contain execution of transactions, order routing as well as provision of information.
Specific details for the purpose of the data processing mentioned herein can be found in the respective contractual documents and terms and conditions.
to fulfill legal obligations (Article 6 (1) (c) GDPR)
The processing of personal data shall only be carried out for the purpose of fulfilling various legal obligations (such as the Banking Act, Financial Market Money Laundering Act, Securities Supervision Act, Stock Exchange Act, etc.) as well as due to regulatory requirements (e.g. the European Central Bank, the European Banking Authority, the Austrian Financial Market Authority, Financial Market Authorities of other EU member states etc.), which the Bank is subject to as an Austrian credit institution. Examples of such cases are:
- Reports to the Money Laundering Reporting Office in certain suspicious cases (§ 16 FM-GwG, Financial Market Anti-Money-Laundering Act)
- Providing information to the FMA according to the WAG (Securities Act) and the BörseG (Stock Exchange Act), e.g. to monitor compliance with the rules on market abuse of insider information
- Provision of information to financial penal authorities in the context of financial criminal proceedings for an intentional financial offense
- Provision of information to federal tax authorities acc. to § 8 of the Kontenregister und Konteneinschaugesetz (Account Register and Account Inspection Act)
- Recording of telephone conversations and electronic communication regarding customer orders
- Administer insider lists
- Assess and manage risks
- Credit check e.g. on lending
as part of your consent (Article 6 (1) (a) GDPR)
If you have given us your consent to the processing of your personal data for specific purposes (e.g. disclosure of data to recipients named in the consent, sending of newsletters), processing will only take place in accordance with the scope and for the purpose as set out in and agreed in the consent form. A given consent may be withdrawn at any time with effect for the future.
to safeguard legitimate interests (Article 6 (1) (f) GDPR) in general
If necessary, data processing may be carried out to protect legitimate interests of the Bank or third parties. In the following cases, data processing takes place to safeguard legitimate interests. Examples of such cases are:
- Consultation and exchange of data with credit bureaus (for example Österreichischer Kreditschutzverband 1870) for the determination of creditworthiness or default risks
- Review and optimization of needs analysis and direct customer approach procedures
- Video surveillance to protect customers and employees
- Certain phone records (regarding orders; additionally for quality assurance or complaint cases)
- Measures for business management and further development of services and products
- Measures to protect customers and employees as well as to secure the property of Raiffeisen Bank International and to prevent, contain and investigate criminally relevant conduct.
- Bank areas that are publicly accessible are monitored (in particular cash desks, safe rooms, foyers, corridors, staircases, elevator areas, interior / exterior entrance areas, facades, garage) as well as automated cash dispensers (also outside the bank building)
- Certain phone records (for quality assurance or complaint cases)
- Measures for controlling business and further development of services and products
- Measures to protect customers and employees as well as the property of the Bank
- Measures in Fraud Transaction Monitoring, against money laundering, terrorist financing and offending crime as well as prevention of market abuse. At the same time, data evaluations (among others in payment transactions) are carried out. These measures also serve for your protection.
- Data processing for law enforcement purposes
- Asserting legal claims and defense in legal disputes
- Ensuring the IT security and IT operations of the Bank
- Prevention and investigation of criminal offenses
to safeguard legitimate interests (Article 6 (1) (f) GDPR) in the marketing of our services
The evaluation of your data processed at RBI for the purpose of
- providing you with individual information and offers from RBI and the companies listed below, whose products and services RBI arranges or provides, as well as
- developing services and products that are tailored to your interest and life situation,
is based on our legitimate interest for the marketing of our services. The evaluation of the data for this purpose takes place only as long as you have not objected to this.
The following data, which either RBI has collected itself or which you have transmitted to RBI, will be evaluated:
Personal data / master data
Gender, title, name, date of birth, country of birth, citizenship, family status, tax status, education, occupation, employer, credentials such as driving license data, income data, address and other contact information such as telephone number or e-mail address and postal address, geographical location information, securities risk class according to investor profile, housing situation such as rent or property and kind of real estate, family relationships, number of persons in the household, household bills, internal ratings, such as the assessment of the revenue and expenditure situation and the asset and liability situation by RBI.
Product and service data of RBI
Data on the services of RBI which you use including
- debits and credits and arrears on accounts and loans
- interest rates and charges or charges charged in connection with these services,
- payment behavior, including the options you can use to place your order,
- payment transactions incoming and outgoing, recipients and senders, payment orders transmitting intermediaries, amount, purpose and payment references, payer references,
- Savings and securities transactions and custody accounts, including details of securities held
Data from services, website and communication
Data relating to the use of electronic services and websites, functions of the websites and apps as well as e-mail messages between you and RBI, information about viewed websites or content and links accessed, including external websites, content response time or download errors, and the usage period of websites and information on the use and subscriptions of newsletters of RBI. This information is collected by way of using automated technologies, such as cookies or web beacons (counting pixels used to register e-mails or websites), or web-tracking (recording and analysis of surfing behavior) on the website and using external service providers or software (for example Google Analytics).
Online queried account and custody account data
Data on information about accounts and depots requested online via service providers, data of these service providers, content and purpose and frequency of queries and content of the given information.
Technical data of end-user-devices
Information about devices and systems used for accessing websites or portals and apps or other means of communication, such as internet protocol addresses or types and versions of operating systems and web browsers, and additional device identifications and advertising identifications or location information and other comparable data on devices and systems.
Who receives my data?
Within the Bank, those units or employees receive your data, as required by them to fulfill their contractual, legal and/or regulatory obligations and legitimate interests. In addition, contractors (especially IT and back-office service providers) will receive your data as long and to the extent as they need the data to perform their respective service. All processors are contractually obliged to treat your data confidentially and to process the data for the provision of the respective services.
If there is a legal or regulatory obligation, public authorities and institutions (e.g. European Banking Authority, European Central Bank, Austrian National Bank, Austrian Financial Market Supervisory Authority, Financial Market Authorities of other EU member states, tax authorities, etc.) as well as our Bank and auditors may be the recipients of your personal data. With regard to a data transfer to other third parties, we would like to point out that RBI as an Austrian bank is obliged to observe banking secrecy in accordance with § 38 BWG and therefore is obliged to maintain confidentiality regarding all customer-related information and facts that have been entrusted to us or made available due to the business relationship. RBI may only disclose such personal information if you have exempted us in writing and expressly from banking secrecy, or if the Bank is obliged by law to make such a disclosure. The recipients of personal data in this context may be other credit and financial institutions or similar entities. We disclose to such recipients only those data as we need in order to conduct the business relationship with you. Depending on the respective contract, these recipients may be e.g. correspondent banks, stock exchanges, custodian banks, credit bureaus or other companies affiliated with the Bank (due to regulatory or legal obligation).
Further recipients can be those institutions for which you have granted us permission to transmit the respective personal data (consent for data processing, exemption from banking secrecy).
A transfer of data to countries outside of the EU or EEA (so-called third countries) will only take place if this is necessary for the performance of our contractual obligations, or if so required by law or if you have given us your explicit consent or for the purposes of processing by a processor. If personal data is transmitted to a country where no adequacy decision by the EU Commission is available, the data receiving corporations will, in addition to instructions in writing, be obligated to comply with the data protection standards of the GDPR by appropriate safeguards (e.g. EU standard data protection clauses). You will be able, at request, to receive copies of those.
How long will my data be stored?
We process your personal data, as far as necessary, for the whole duration of the entire business relationship (beginning with the conclusion of a contract, its execution and ending with its termination) as well as in accordance with the mandatory storage and documentation obligation as required by law, in particular pursuant to the following Austrian legal provisions: the Companies Code (Unternehmensgesetzbuch, UGB), the Federal Fiscal Code (Bundesabgabenordnung, BAO), the Banking Act (Bankwesengesetz BWG), the Financial Market Money Laundering Act (Finanzmarkt-Geldwäschegesetz, FM-GwG) and the Securities Supervision Act (Wertpapieraufsichtsgesetz, WAG).
Moreover, the data storage is also subject to the statutory limitation periods, e.g. under the Austrian General Civil Code (Allgemeines Bürgerliches Gesetzbuch, ABGB) and may in certain cases last up to 30 years (the most relevant limitation period in practice is 3 years).
Which data protection rights do I have?
You have the right to access, rectification, erasure or restriction of the processing of your stored data, a right to object to processing and a right to data portability in accordance with the requirements of data protection law. These rights can be exercised under datenschutz(at)rbinternational.com.
Complaints can be addressed to the Austrian Data Protection Authority, Barichgasse 40-42, 1030 Vienna, Austria, www.dsb.gv.at.
You can withdraw your consent to personal data processing towards us at any time. This also applies to declarations of consent provided to us before the GDPR entered into force (before 25th May 2018). Please be aware that consent withdrawal only takes effect for the future. It does not affect the lawfulness of the data processing and data transfer on the basis of the consent before its withdrawal.
You have the right to object, in particular, on grounds relating to your particular situation, at any time to processing of personal data which is based on point (f) of Article 6 (1) (data processing to safeguard legitimate interests). In case you object, we will no longer process your personal data unless we demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defense of legal claims.
In individual cases we process your personal data for the purpose of direct marketing. You have the right to object to this processing as far as your personal data is concerned. In case you object to the processing of personal data for the purpose of direct marketing, we will no longer process your personal data for this purpose.
Am I obliged to provide data?
As part of the business relationship, you must provide us with all personal information that is necessary to enter into and to maintain the business relationship with you, and also those data that we are required by law to collect. If you do not provide us with these data, we will generally decline either to conclude or to complete the contract, or we will be unable to execute an existing contract or we would be forced to terminate such contract. However, you are not obliged to give your consent to the processing of data if such data is not necessary for the performance of a contract or is not required by law or regulation.
Is there automated decision-making?
We do not use automated decision-making within the meaning of Article 22 GDPR in order to establish and/or to conduct a business relationship. A profiling within the meaning of Article 4 No 4 GDPR does not take place.
By using all technical and organizational possibilities available to us, we make special efforts to store your personal data in a way that third parties cannot access them. When communicating via e-mail full data security cannot be guaranteed; we therefore recommend using ordinary mail for transmitting confidential information.