Trust is important, especially when it comes to your personal data. That is why we see it as our obligation to exercise the utmost care in the handling of your personal data and to do everything we can to protect your information from misuse.

UniCredit Bank Austria AG adheres strictly to data protection laws in the collection and processing of your data. The following information explains in detail which data is collected when you visit our website and how we use this data.

This Privacy Policy applies to the websites of UniCredit Bank Austria AG (*.bankaustria.at, where the asterisk stands for a readable string). Individual pages may contain links to other providers within and outside the UniCredit Group, to which the privacy policy does not extend; meaning that we cannot assume any liability for this content.

1. Who is responsible for data processing and whom can you contact?

The entity responsible for data processing is: 

UniCredit Bank Austria AG
Rothschildplatz 1
1020 Wien
Telephone: 05 05 05-0
Fax: 05 05 05-56155
E-Mail: info@unicreditgroup.at

The data protection officer at UniCredit Bank Austria AG is: 
Mag. Franz Zoufal
Rothschildplatz 1
1020 Wien
Telephone: 05 05 05-32836
Email: datenschutz@unicreditgroup.at

2. Which data is processed and what are the sources of this data?

We process the personal data that we receive from you as part of the business relationship. We also process data that we have legitimately received from credit agencies¹, debtor registers² and from publicly available sources (e.g. Commercial Register, Register of Associations, land register, media).

This personal data, pursuant to Art. 13 of the GDPR, includes:

  • Your personal details (name, address, contact details, date of birth, place of birth, nationality, etc.)
  • Identity verification data (such as identity card data) and authentication data (such as a sample signature)

In addition, this data may also include the following:

  • Order data (such as payment orders)
  • Data relating to the fulfilment of our contractual obligations (such as turnover information regarding payment transactions)
  • Information regarding your financial status (such as credit worthiness data, scoring or rating data, etc.)
  • Advertising and sales data
  • Documentation data (such as consulting records)
  • Register data
  • Image and sound data (such as video or telephone recordings)
  • Information from your electronic communication with the bank (such as apps, cookies, etc.)

This personal data, pursuant to Art. 14 of the GDPR, includes:

  • Data relating to the fulfilment of our contractual obligations (such as turnover information regarding payment transactions)
  • Information regarding your financial status (such as credit worthiness data, scoring or rating data, etc.)
  • Register data
  • Image and sound data (such as video or telephone recordings)
  • Information from your electronic communication with the bank (such as apps, cookies, etc.)
  • Processing results generated by the bank itself
  • Data for compliance with legal and regulatory requirements

1) CRIF GmbH
2) Kreditschutzverband von 1870

3. For what purposes and on what legal basis is the data processed?

We process your personal data in accordance with data protection regulations:

- for the fulfilment of contractual obligations (Section 6 Para. 1b DSGVO [Datenschutz-Grundverordnung, General Data Protection Regulation (GDPR)]):
The processing of personal data (Art. 4 No. 2 of GDPR) is carried out for the provision and arrangement of banking, financial services and insurance, leasing and real estate business, in particular for the execution of our contracts with you and the execution of your orders and all activities required for the operation and management of a credit and financial services institution.

The purposes of data processing are based primarily on the specific product (such as account, credit, building society savings, securities, deposits, brokerage) and include, among other things:

  • Needs analyses
  • The provision of advice
  • Asset management and support
  • The execution of transactions

The specific details for the purpose of data processing can be found in the respective contract documents and terms and conditions.

- to comply with legal obligations (Section 6 Para. 1c GDPR):
Certain statutory obligations, which UniCredit Bank Austria AG is subject to, may require the processing of personal data. Such obligations may arise from the provisions of the following laws:

  • Austrian Banking Act (BWG [Bankwesengesetz])
  • Austrian Financial Markets Money Laundering Act (FM-GwG [Finanzmarkt-Geldwäschegesetz])
  • Austrian Securities Supervision Act (WAG [Wertpapieraufsichtsgesetz])
  • Austrian Stock Exchange Act (BörseG [Börsengesetz]), etc.

Compliance with regulatory requirements may also be necessary, for example in relation to:

  • the European Central Bank
  • the European banking regulator
  • the Austrian Financial Market Authority (FMA), etc.

Examples of such cases:

  • Reports to the financial intelligence units in certain suspicious cases (§ 16 FM-GwG)
  • Providing information to the FMA according to the WAG and the BörseG, for example, to monitor compliance with the rules on market abuse of insider information
  • Providing information to financial crime authorities in the context of financial criminal proceedings due to a wilful financial offence
  • Providing information to federal tax authorities in accordance with § 8 of the Account Register and Account Entry Act

- within the scope of your consent (Section 6 Para. 1a GDPR):
If you have granted us consent to process your personal data, processing will only take place in accordance with the purposes set out in the declaration of consent and to the extent agreed therein. Any consent given may be revoked at any time with future effect (for example, you may object to the processing of your personal data for marketing and advertising purposes if you no longer consent to processing in the future).

- to safeguard legitimate interests (Section 6 Para. 1f GDPR):
If necessary, within the framework of balancing of interests of UniCredit Bank Austria AG or a third party, data may be processed, by us or by third parties, beyond the actual fulfilment of the contract, in order to safeguard legitimate interests. In the following cases, data are processed to safeguard legitimate interests:

  • Consultation of and data exchange with credit agencies (e.g. Austrian Credit Protection Association 1870) for the identification of credit risks and default risks
  • Review and optimisation of needs analysis and direct customer approach procedures
  • Advertising or market and opinion research, provided that you have not objected to the use of your data in accordance with Art. 21 of the GDPR
  • Video surveillance for collecting proof in case of offences or evidence of transactions and deposits (e.g. at ATMs); these especially serve to protect the customers and employees
  • Telephone records (such as in the event of complaints)
  • Measures for business management and further development of services and products
  • Measures for protecting employees and customers and the property of the bank
  • Measures for the prevention and combating of fraud (Fraud Transaction Monitoring)
  • In the framework of prosecution

4. Who has access to your data?

Within UniCredit Bank Austria AG, your data is received by those offices or employees that need it for fulfilling contractual, legal and regulatory duties and for legitimate interests. Furthermore, data processing companies commissioned by us (especially IT service providers, back-office service providers and service line) receive your data, as long as they need it to provide their respective service. Accordingly, all the data processing companies are contractually obligated to keep your data confidential and to process it only in the context of service provision.

Public authorities and institutions (such as European Banking Authority, European Central Bank, Austrian Financial Market Authority, tax authorities, etc.) and UniCredit S.p.A., as our parent company, can be recipients of your personal data if there is a legal or regulatory obligation.

Notice of bank secrecy: In view of forwarding data to other third parties, we must point out that as an Austrian credit institution, UniCredit Bank Austria AG is obligated to comply with banking secrecy according to § 38 of the BWG and therefore to maintain confidentiality regarding all the customer-related information and facts which have been entrusted or made accessible to us because of the business relationship. Therefore, we can share your personal data only if you have explicitly released us from banking secrecy in advance, in writing, or if we have a legal or regulatory obligation or authorisation for it.

In this context, recipients of personal data can be other credit and financial institutions or similar institutions to which we send the data in order to maintain the business relationship with you (depending on the contract this can be for example, correspondent banks, stock exchanges, custodian banks, credit service agencies etc.).

5. How long will your data be stored and processed?

As far as it is necessary, we process your personal data for the duration of the entire business relationship (from the initiation, performance until the termination of a contract) and furthermore, we process it according to the legal safekeeping and documentation obligations. These are set out, among others, in:

  • the Austrian Commercial Code (UGB)
  • the Federal Fiscal Code (BAO)
  • the Austrian Banking Act (BWG)
  • the Financial Markets Money Laundering Act (FM-GwG)
  • the Austrian Securities Supervision Act (WAG)

Moreover, the statutory limitation periods must be taken into consideration for the safekeeping period; according to the General Civil Code (ABGB), these can in some cases last up to 30 years (the general limitation period [allgemeine Verjährungsfrist] is 3 years).

6. Which data protection rights are you entitled to?

At any time, you have:

  • the right to obtain information, correction, deletion or restriction of the processing of your stored data
  • the right to object to processing
  • the right to data portability in accordance with the requirements of data privacy laws, which you can address to the data protection officer of UniCredit Bank Austria AG.

You can also submit complaints to the Austrian Data Protection Authority: www.dsb.gv.at

7. Are you obliged to provide data?

According to Art. 13 of the GDPR, we hereby inform you that in the context of the business relationship, you must provide personal data which is necessary to establish and maintain the business relationship, as well as the information which we are legally required to collect. If you do not provide this information to us, in principle we have to reject the conclusion of the contract or the performance of the order, or we will not be able to fulfil an existing contract any longer and must consequently terminate it. However, you are not obliged to grant consent for processing of any data that is not relevant or not required, legally and/or in regulatory terms, for fulfilling the contract.

8. Is there automatic decision making including profiling?

We do not use automated decision-making as defined under Article 22 GDPR to reach a decision on the establishment and conduct of the business.

A credit assessment (credit scoring) is made for loan disbursement. The default risk of credit seekers is assessed with the help of statistical comparison groups. The calculated score should make it possible to predict how likely it is that the credit that has been applied for will be repaid. The following data is used in the calculation of this score:

  • Your master data (such as marital status, number of children, duration of employment, employer, etc.)
  • Information regarding your overall financial situation (such as income, assets, monthly expenses, total liabilities, collaterals etc.)
  • Data on payment history (such as proper loan repayments, warnings, information on credit service agencies)

If the default risk is too high, the credit application is rejected; if applicable, an entry is made in the consumer loan register maintained by KSV 1870 and an internal warning notice is received. If a credit application has been rejected, it is visible for 6 months in the consumer loan register maintained by KSV 1870 in accordance with the decision of data protection authorities.

9. Cookies, retargeting and web analytics

To make the user experience of our website as convenient as possible, we use so-called cookies. Cookies are small text files which enable the system to recognise a returning user. You can block the installation of cookies by activating a corresponding setting in your browser software.

To help us analyse and improve the structure and navigation of our internet site, so we can better meet the requirements of our customers and offer them advertising which is customised to suit their individual needs, we have contracted various service providers (Adobe Analytics [Omniture], Adform, Tealium, Adwords [Google Adwords], FinanceQuality [Netzeffekt]) who use cookies to track visits to the websites of www.bankaustria.at; however, this procedure is not implemented within the scope of our Bank Austria OnlineBanking, BusinessNet and SmartBanking services. In this context, our service providers only receive anonymous data and are not able to link this information to you personally.

UniCredit Bank Austria AG receives the results in the form of statistical evaluations which we use to assess whether the design of our website meets the needs of our visitors.

You can centrally manage and, if necessary, disable your cookie settings for statistics and personalised advertising:

Privacy Center

We have contracted Emarsys as our service provider in order to develop an improved, individualised execution of our newsletter. By linking different communication channels and by using cookies, records can be compiled which then enable us to provide subscribers to our newsletter with information about current products and other offers tailored to meet their needs. The records compiled are only used for analytical assessments and are not transferred to unauthorised third parties.

Additional information for internet banking: Cookies are a prerequisite for the usage of the internet banking services of UniCredit Bank Austria AG. For the first login on a new device (browser), as well as at the latest every 90 days for each following login, it is additionally necessary to enter a TAN due to a legal requirement. The link between device (browser) and user code is ensured via cookies; however, these cookies can be deleted by appropriate settings in your browser software, automatically by date or when closing the browser. After deleting the cookies, the link between the browser and your user code is no longer available. Therefore, the next time you log on with this browser, entering a TAN will again prompt you to register the browser with a new name and re-associate it with your user code.

You still have the option of objecting to the compiling of these records and can decide not to avail of the services detailed above:

  • Deactivate the collection of your data by Adobe SiteCatalyst
  • Deactivate retargeting by Google
  • Deactivate retargeting by Sizmek
  • Deactivate retargeting by Adform

In this case, please note that by exercising your right to object, you may not be able to fully use all our website functions. By using this website you agree to the processing of data collected about you by our service providers.

10. Google Maps

The UniCredit Bank Austria website uses Google Maps, in particular during searches for branch offices. Google Maps is operated by Google Inc. By using this website, you agree to allow Google, its representatives or third-party providers, to collect, process and to use data which is collected automatically or entered by you.
You can find a summary here of the data which is transferred when using Google Maps: https://www.google.com/intl/de_ALL/policies/privacy/ – in addition to the IP address, other items are also included, such as smartphone GPS data, if one is used for the search, or details of the search activity.

11. YouTube Videos

The UniCredit Bank Austria website integrates YouTube videos stored at www.youtube.com, which are therefore playable on the website. YouTube is operated by Google, Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. The videos are integrated with the "Extended Data Protection Mode", which means that no data about you as a user is transmitted to YouTube if you do not actively play the videos. If you actively click on the video, data is transmitted to Google Inc.
In this case, whether you are logged into your Google account makes a difference. If you are not logged into a Google account, Google Inc. stores data with unique identifiers associated with the browser, app, or device that you are using. Google Inc. can thereby ensure, for example, that your language settings are retained for all browser sessions. If you are logged into a Google account, Google Inc. also collects data, which are stored in your Google account and considered personal data.

For more information, please refer to the data protection declaration of Google: https://www.google.com/intl/de_ALL/policies/privacy/

12. Social Media - Twitter, XING, LinkedIn

UniCredit Bank Austria AG collaborates with the following providers of social media networks:
Twitter Inc., San Francisco, California, United States, XING SE, Hamburg, Germany, and LinkedIn Inc., Sunnyvale, California, United States.
In the course of this collaboration, when using the respective service, your browser will automatically connect to the service provider selected (such as LinkedIn). In this case, data such as your IP address, cookies and other information will be transmitted to the respective service provider if you have previously visited its website. Where possible, we will prevent this data transfer from taking place and it will only occur if you interact with the social media network. If you are logged into the social media network concerned, it can assign your visit to our website to your user account.

In addition, we use plugins for various platforms (such as the LinkedIn symbol). By clicking on the respective symbol, you agree to allow communication with the respective platform, including the transfer of information (such as your IP address) to the service provider concerned. For further information on how your data is used in such cases, kindly read the Data Protection Declaration of the service provider you have connected to.

You can find the Data Protection Declaration of Twitter here: https://twitter.com/en/privacy
You can find the Data Protection Declarations of XING here: https://privacy.xing.com/en/privacy-policy
You can find the Data Protection Declarations of LinkedIn here: https://www.linkedin.com/legal/privacy-policy?_l=en_EN

13. Data Security

The security of your data is our highest concern. Our stated aim is to take all technical and organisational measures required to ensure that our data processing is carried out in a secure manner and to process your personal data in such a way that it is protected from access by unauthorised third parties.
We make sure our IT infrastructure complies with the highest international security standards by using the most up-to-date security software, codes and encryption procedures.
In addition we enhance the security of your data by using risk minimisation measures and preventive safeguards. Furthermore, all of our users have the option to obtain information about current topics at no charge and without obligation by using the purpose-built security portal