Information on Data Protection and Data Processing
Thank you for your interest in our company and our website. Even though we carefully check external links, we cannot be held liable for their content and security.
We protect your personal information as best we can when collecting, processing and during your visit to our website. Your data is protected by law. Below you will find explanations on the nature of the information collected when you visit our website and how they are used.
- the provision of a handwritten signature on “ink and paper” for example, or
- a qualified electronic signature, e.g. in the form of a “mobile phone signature” or
- strong customer authentication in digital banking, for example CardTAN or s Identity in George.
Since 25 May 2018 onwards, the General Data Protection Regulation, also known as the GDPR, applies throughout the European Union. The GDPR stipulates the way in which personal data are to be processed and how they must be protected.
What is the GDPR?
The GDPR is a regulation of the European Union. It applies directly in all of the member states including Austria. Every person whose data are processed is able to refer to and invoke the GDPR.
What is regulated by the GDPR?
The GDPR contains legal provisions regarding the processing of your personal data. Whether it concerns your name, your telephone number, your bank account transactions or even your hobbies – all are protected by the GDPR. The principles which it stipulates regulate the ways in which your personal data are permitted to be saved and processed.
Why does the Austrian Data Protection Act continue to apply (DSG)?
The European Union hasn't just enacted the GDPR, it has also enacted a full “data protection package”. This package also included a new data protection directive. How does a directive differ from a regulation? In contrast to a regulation, it is necessary for a directive to be implemented into national law first. In addition to this, the GDPR provides the member states with the scope to structure certain aspects on a more detailed basis than the GDPR itself.
Both of these have taken place in Austria with the Data Protection Act (Datenschutzgesetz), in short DSG.
Why is the protection of my data so important?
Data protection is a fundamental right. The same as your right to liberty or security, your right to the protection of your data is anchored in the Charter of Fundamental Rights of the European Union. The EU Charter of Fundamental Rights covers your relationship with governmental institutions.
It is legally acknowledged, however, in both the private and commercial spheres, that there must also be a balancing of interests between the Data Processor and what are referred to as the “data subjects” – i.e. between you and your bank, for example. This is stipulated in both the GDPR and the DSG.
Our personal data contains a lot of information about us: it can also refer to our hobbies, our preferences and our aspirations. Such things are naturally worthy of protection. Yet we can only improve our individual service for you if we are aware of your preferences. A key element of data protection is that we work with you to find a way of being able to process your data in your interests and under your supervision.
Doesn't banking secrecy apply, anyway?
Yes, information of which we become aware due to the business relationship is protected by Austrian banking secrecy - according to Art. 38 of the Austrian Banking Act. The GDPR also applies.
Good to know: The banking confidentiality arrangements can only be dispensed with in writing – refer to Art. 38 para. 2, clause 5, Austrian Banking Act. In this case, “in writing means”:
Where can I find out more about the GDPR and the DSG?
(All links are valid as of March 2021)
A consolidated version of the GDPR is available here:
https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A02016R0679-20160504
A consolidated version of the DSG is available here:
https://data-protection-authority.gv.at/data-protection-laws/relevant-data-protection-laws.html
The EU Charter of Fundamental Rights:
https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A12012P%2FTXT
Further information about your rights is available on the following websites:
Austrian Data Protection Authority https://www.dsb.gv.at/
European Commission (in English only):
https://ec.europa.eu/commission/priorities/justice-and-fundamental-rights/data-protection/2018-reform-eu-data-protection-rules_en
(All links are valid as of March 2021)
Before we can discuss the topic of data protection, it is important to clarify some basic terms. We have also included the references for the appropriate Articles of the GDPR so that you can read the definitions for yourself if you are interested. Please note that we only provide a summary, i.e. a shortened description of the legal text. The full legal text of the GDPR and the corresponding Articles is available here:
https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A02016R0679-20160504
What is personal data?
Personal data means all information that refers to an identified or identifiable natural person, known as the “data subject”. E.g. the name of a person or an identification number such as an IBAN or account number.
For further details refer to Article 4 (1) GDPR.
What does the processing of data entail?
The term “processing” means any operation, with or without the use of automated processes, which is performed on personal data. This includes, for example, the collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure (by transmission, dissemination or otherwise making available), the alignment or combination, restriction, erasure or destruction of the data.
For further details refer to Article 4 (2) GDPR.
What is meant by the term “Controller”?
The term “Controller” refers to the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. For example, we, in our role as a bank.
For further details refer to Article 4 (7) GDPR.
What is meant by the term “Processor”?
The term “Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of a Controller.
For further details refer to Article 4 (8) GDPR.
- Access according to article 15 GDPR
- Rectification according to article 16 GDPR
- Erasure according to article 17 GDPR
- Restriction of processing according to article 18 GDPR
- Data portability according to article 20 GDPR
- Objection according to article 21 GDPR
- Decisions that are not exclusively based on an automated processing—including profiling according to Article 22 GDPR
- Purposes of the processing
- Categories of personal data that are processed
- The recipients or categories of recipients to whom the personal data has been or will still be disclosed, especially in the case of recipients in third countries or in international organisations
- Where possible, the intended duration for which the personal data will be stored or, if this is not possible, the criteria for the determination of such a duration;
- The existence of the right for the rectification or erasure of your personal data; the restriction of, or objection to, this processing;
- The right to lodge a complaint with a supervisory authority
- All available information regarding the origin of the personal data if the data is not collected from the data subject
- Whether an automated form of decision-making including profiling exists, according to Article 22, paragraphs 1 and 4 GDPR and — at least in these cases — detailed information regarding the reasoning, scope and impact of such a method of processing for the data subject.
- The personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed.
- You withdraw your consent on which the processing was originally based according to Article 6, para. 1, letter a, GDPR or Article 9, para. 2, letter a, GDPR, and no other legal basis exists for the processing.
- You lodge an objection to the processing according to Article 21, para. 1, GDPR, and no overriding legitimate reasons exist for the processing.
- The personal data have been unlawfully processed.
- The erasure of personal data is subject to a legal obligation according to the EU- or member state law to which the Controller is subject.
- The personal data were collected in relation to information society services offered according to Article 8, para. 1, GDPR.
- You contest the accuracy of your personal data. You can request the restriction of processing of your personal data for a period that enables the Controller to verify the accuracy of the personal data.
- The processing of personal data is unlawful. Instead of the erasure, however, you would prefer that “only” the use of the personal data is restricted.
- Controllers no longer require your personal data for the processing. You require the data for the establishment, exercise or defence of legal claims, however.
- You have lodged an objection to the processing according to Article 21, para. 1, GDPR. As long as it is not yet certain that the legitimate reasons of the Controller override your interests, it is possible to request the restriction of processing.
- if you expressly tell us to do so,
- if you release us from banking secrecy, and
- if it concerns financial services companies, solicitors’ offices, a notary public, tax consultants, chartered accountants or a public authority.
What rights do I have?
The GDPR grants you the following rights regarding your personal data. You are entitled to:
What does the right of access mean?
You have the right to request confirmation from us as to whether we process your personal data. If this is the case, you also have the right to access this personal data as well as the following information:
You can find out exactly how you can assert your right here.
What does the right to rectification mean?
We consider it to be important that your data are accurate and complete at all times. If you suspect that they may be incorrect or incomplete, you are able to request the rectification or completion of your data. You can find out how you can assert your right here.
What do the “Right to erasure” and the “Right to be forgotten” mean?
We attribute considerable importance to ensuring that your data are only processed as per the framework conditions of the GDPR and the DSG. If you are of the reasoned opinion that this is not the case, however, you can request the erasure of your personal data. The reasons for this can be as follows:
Example: Your personal data must be erased if they were only collected for the completion of a purchase (= sole purpose) and you did not provide your consent for the data to be processed for any other purposes. In this case, the further processing of the data is no longer necessary following the completion of the purchase and the expiry of a retention obligation. The retention obligations can be found here.
Example: You provided your consent to the processing of your personal data for the individual product offers of a third party (= sole purpose). As soon as you withdraw this consent, the personal data must be erased again. Exceptions: Other purposes or justifications for the processing exist and you are also in a customer relationship with the third-party provider, for instance.
Example: You can lodge an objection, for instance, if somebody processes your personal data without your consent only because s/he claims s/he has a legitimate interest to do so (and no other form of justification exists). If you lodge an objection and there was, in fact, no legitimate interest, the personal data must be erased. The objection was a success.
Unlawfully (unfoundedly) processed personal data must be erased.
This means laws or other legal provisions which require an erasure of personal data.
This relates to a special protection arrangement for the benefit of minors who make use of online services.
The was a brief summary of the right to erasure. This should not be confused with the “Right to be forgotten”.
The “right to be forgotten” refers to personal data that has been made public. It stipulates the following: If the person who originally published the data must erase this data (due to the existence of one of the aforementioned reasons for erasure), then they must also notify those persons who received the data on the grounds of the publication. In detail, this rule is very complicated. In this context, the GDPR makes particular reference to internet search engines.
You can find out how you can assert your right to erasure and your right to be forgotten here.
What does the right to the restriction of processing mean?
We attribute considerable importance to ensuring that your data are processed as per the framework conditions of the GDPR and the DSG. If you are of the opinion that this is not the case, however, you have the right to request the restriction of the processing of your personal data. This is only possible on the following legitimate grounds, however:
People don't always share the same opinion. To ensure that the contested personal data are not immediately erased or have to be changed, their further processing can be restricted for the duration of the matter. It might be the case that the data were correct after all.
The GDPR therefore provides you with a choice: If you do not want unlawfully processed data to be erased immediately, you can request that they continue to be saved, but are no longer used.
If your personal data should actually have been erased, but you require them for your own defence or for the assertion of your rights, they can continue to be processed for these purposes.
To ensure that the contested personal data do not have to be immediately erased, their further processing can be restricted for the duration of the matter. It might be the case that the processing was legitimate after all.
You can find out how you can assert your right to the restriction of processing here.
What does the right to data portability mean?
Your personal data belongs to you. You therefore have the right to receive such data in a structured, common and machine-readable format. This relates to data which you have provided to us and which is processed automatically on the basis of your consent or the fulfilment of a contract. You can also request us to transfer this personal data directly to another Controller.
In which form will I receive the data?
We provide the data as an XML file. You can find out how you can assert your right here.
What important security instructions should I take into consideration?
The protection of your personal data and your money is just as important to you as it is to us. In this respect, please consider your right to data portability in the same way as you would a bank statement. Would you “simply” send your bank statement to someone else?
Please also remember that your financial data contain personal data of other persons: If you transfer money to someone else, their details can also be seen in the transaction data – in the same way as they are shown on a bank statement. These persons have rights and freedoms as well. Therefore, we will only transfer the data to persons other than you directly,
Please contact us beforehand if you wish to assert your right to data portability.
What does the right to object mean?
Your data can be processed if a legitimate interest exists for their processing.
If such a legitimate interest is claimed, you must be informed of it. If you are then of the opinion that the legitimate interest does not exist, you can lodge an appropriate objection. This applies when your personal data are used for direct marketing purposes in particular. Insofar as Controllers are unable to demonstrate any legitimate grounds for the further processing, your personal data will not be processed any further after the objection. Except for processing for the purposes of direct marketing: in this case your objection is immediately valid.
You can find out how you can assert your right to object here.
What does the right not to be solely subject to a decision which is based on automated processing – including profiling – mean?
You will be informed separately prior to any automated decision-making processes according to Article 22, GDPR. In those instances, you have the right to obtain human intervention, to express your point of view and to contest the decision.
- By letter, please sign in person and enclose a copy of your identity card, to
ERSTE Immobilien Kapitalanlagegesellschaft m.b.H.
Am Belvedere 1
1100 Wien
Tel.: +43 (0)5 0100 - 11632
Fax: +43 (0)5 0100 9 - 11632 - In person
- by email, ideally with qualified electronic signature, to service@ersteimmobilien.at
- Please remember that your financial data contain personal data of other persons: If you transfer money to friends or family members, their details can also be seen in the transaction data – in the same way as they are shown on a bank statement.
- Therefore, we will only transfer data directly to others if you
- expressly tell us to do so,
- absolve us from the banking confidentiality agreement, and
- if it concerns financial services companies, solicitors’ offices, a notary public, tax consultants, chartered accountants or a public authority. Please contact us beforehand if you wish to assert your right to data portability.
- Before you assert your right to data portability: Did you know that you can also view your transaction data in George and can save them there yourself?
What information do I have to provide?
We do not want your financial data to fall into the wrong hands. We kindly ask for your understanding that in case of doubt, we will request more information regarding your identity.
How can I submit the request?
No matter which right you want to assert, please send us your application preferably in one of 3 ways:
Please draft your request as accurately as possible – so that we can process it as quickly as possible. Please comply with the special instructions regarding your right to data portability.
How long will it take to process my request?
We will provide you with the corresponding information about the measures as soon as possible, and within one month following the receipt of your request.
The deadline can be extended by another 2 months if necessary due to the complexity and the number of requests. We will be certain to inform you of a possible extension to the deadline within one month of the receipt of your request, however.
How will my request be processed?
Financial matters are confidential – and unfortunately, emails are not always trustworthy. In terms of security, emails are more like a postcard than a letter. Since we would never wish to send your banking details on a postcard, we will provide you with the information by post.
What should I take into consideration with the right to data portability?
Does it cost me anything to assert my rights?
No, such requests are settled at no cost. Exception: We are only authorised to demand an appropriate payment if requests are obviously unsubstantiated or found to be excessive. In this case, the administration costs for the notification, rejection or completion of the requested measure are considered.
What are the possibilities for lodging a complaint?
If you have any complaints, questions or recommendations on the topic of data protection, we will be pleased to assist you. We believe that an amicable solution can be found for almost any problem.
If you do not receive a timely answer to a request, you are of the opinion that your right to data protection has been infringed, or you do not believe we have handled your request lawfully, you can also lodge a complaint with the responsible supervisory authority:
Austrian Data Protection Authority
Barichgasse 40-42
1030 Vienna
Austria
Telephone: +43 1 52 152-0
Email: dsb@dsb.gv.at
https://www.dsb.gv.at/
In addition to this, any person to suffer tangible or intangible damage due to an infringement of the GDPR of Article 1 or Article 2 1 of the principal part of the DSG, is entitled to claim compensation from Controllers or Processors in accordance with Article 82, GDPR. In detail, the general conditions of civil law apply in such cases. Please note that the Austrian Data Protection Authority is not responsible for claims for compensation, but the local district court of your parish which is responsible for matters of civil law. Requests and lawsuits can also be submitted to the district court in the parish of which the defendant has their usual place of residence, head office or subsidiary office. You can find out the responsible court here: https://www.justiz.gv.at/
Last update: March 2021
We use cookies to analyse the access of our website and to create content and offers that meet your needs. In your browser settings you can choose to be asked for your consent before using a cookie or generally block the use of cookies. On our page "Data processing for online services" you will find more information and the possibility to object to the use of cookies.