Information pursuant to Articles 13 and 14 of the General Data Protection Regulation (GDPR) on the processing of personal data
We hereby inform you about the processing of your personal data and the data protection claims and rights to which you are entitled. The content and scope of the data processing depends largely on the products and services you have requested or which are agreed with you.
Who is responsible for data processing and whom can you contact?
Responsible for data processing:
RSC Raiffeisen Service Center GmbH (hereinafter referred to as „RSC“)
Mooslackengasse 25, 1190 Wien, AUSTRIA
The entity is part of the RBI Group. Inquiries for Data Protection please send to:
Group Data Privacy Office
Am Stadtpark 9
Contact data of the Data Protection Officer:
Am Stadtpark 9, 1030 Wien
Which data are processed and from which sources do they come?
We process the personal data that we receive from you as part of our business relationship. In addition, we process data that we have legitimately received from credit bureaus, debtor directories (Kreditschutzverband 1870) and from publicly available sources (e.g. business register, association register, land register or media) or that are provided legitimately by other companies affiliated with RSC.
Personal information includes your personal details and contact information (e.g. name, address, date and place of birth, nationality, etc.) or identity and travel document information (such as signature sample, ID information). In addition, this may include image and / or sound recordings (e.g. video and telephone recordings), electronic log and identification data (apps, cookies, etc.), identification data and other data comparable to the above categories.
For which purposes and on which legal basis are data being processed?
We process your personal data in accordance with the provisions of the European General Data Protection Regulation (GDPR) and the Austrian Data Protection Act 2018.
- to fulfill contractual obligations (Article 6 (1) (b) GDPR)
The processing of your personal data takes place for the fulfillment of mutual obligations arising from employment contracts and other contractual relationships arising from business activities, insofar as this is required on the basis of laws, standards of collective law or employment contract obligations. This also includes automation-supported and archived text documents (including correspondence) in these matters. Without these data we can not conclude or maintain a contract with you.
Specific details for the purpose of the data processing mentioned herein can be found in the respective contractual documents.
- to fulfill legal obligations (Article 6 (1) (c) GDPR)
The processing of personal data shall be carried out for the purpose of fulfilling various legal obligations (for example, data relevant to tax and tax law, data relevant under social security law, data relevant to employment law, accounting-related data, and in general for compliance with recording, information and reporting obligation) as well as due to regulatory requirements (e.g. storage of qualifications of employees, implementation of compliance controls). Other data processing obligations result from standards of collective law (such as collective agreements and works agreements).
- as part of your consent (Article 6 (1) (a) GDPR
If you have given us your consent to the processing of your personal data for specific purposes (e.g. disclosure of data to recipients named in the consent), processing will only take place in accordance with the scope and for the purpose as set out in and agreed in the consent form. A given consent may be withdrawn at any time with effect for the future.
- to safeguard legitimate interests (Article 6 (1) (f) GDPR) in general
If necessary, data processing may be carried out to protect legitimate interests of RSC or third parties. In the following cases, data processing takes place to safeguard legitimate interests. Examples of such cases are:
- Consultation and exchange of data with credit bureaus (for example Österreichischer Kreditschutzverband 1870)
- Review and optimization of needs analysis and direct customer approach procedures
- General infomails and newsletters on services, products and related market information
- Video surveillance to collect evidence in case of crime or to prove transactions and deposits (such as ATMs) - especially to protect customers and employees
- Certain phone records (for quality assurance or complaint cases)
- Measures for business management and further development of services and products
- Measures to protect customers and employees as well as to secure the property of RSC Raiffeisen Service Center and to prevent, contain and investigate criminally relevant conduct.
- Data processing for law enforcement purposes
- Asserting legal claims and defense in legal disputes
- Ensuring the IT security and IT operations of the Bank
- Prevention and investigation of criminal offenses
Who receives my data?
Within RSC, those units or employees receive your data, as required by them to fulfill contractual, legal and / or regulatory obligations and legitimate interests. In addition, contractors (especially IT and back-office service providers) will receive your data as long and to the extent as they need the data to perform their respective service. All processors are contractually obliged to treat your data confidentially and to process the data for the provision of the respected services.
If there is a legal or regulatory obligation, public authorities and institutions as well as our auditors may be recipients of your personal information.
We transmit your personal data to carry out the business relationship with you eg. to internal offices, as well as external partner institutions required for our services or public authorities.
We transfer your personal information to companies affiliated with the company for legal obligations.
Other data recipients may be those for which you have given us your consent.
Is there a data transfer to a third country or to an international organization?
A transfer of data to third countries (outside the European Economic Area - EEA) will only take place if this is necessary for the execution of your orders or if so required by law or if you have given us your explicit consent.
In addition, data may be transferred to RSC's processors in third countries or their subcontractors in third countries. These are obliged to comply with European data protection and security standards. Information about this can be obtained from us.
If so required by law, we will separately provide you with further details.
How long will my data be stored?
We process your personal data, as far as necessary, for the whole duration of the entire business relationship (beginning with the conclusion of a contract, its execution and ending with its termination) as well as in accordance with the mandatory storage and documentation obligation as required by law, in particular pursuant to the following Austrian legal provisions: the Companies Code (Unternehmensgesetzbuch, UGB) and the Federal Fiscal Code (Bundesabgabenordnung, BAO).
Moreover, the data storage is also subject to the statutory limitation periods, eg under the Austrian General Civil Code (Allgemeines Bürgerliches Gesetzbuch, ABGB) and may in certain cases last up to 30 years.
Data from the video-surveillance of RSC at the Headquater in Austria will be deleted after 72 hours if no longer required for the purposes of video surveillance.
Which data protection rights do I have?
You have the right to access, rectification, erasure or restriction of the processing of your stored data, a right to object to processing and a right to data portability in accordance with the requirements of data protection law.
Complaints can be addressed to the Austrian Data Protection Authority, Barichgasse 40-42, 1030 Vienna, www.dsb.gv.at.
Am I obliged to providing data?
As part of the business relationship, you must provide us with all personal information that is necessary to enter into and to maintain the business relationship with you, and also those data that we are required by law to collect. If you do not provide us with these data, we will generally decline either to conclude or to complete the contract, or we will be unable to execute an existing contract or we would be forced to terminate such contract. However, you are not obliged to give your consent to the processing of data if such data is not necessary for the performance of a contract or is not required by law or regulation.
Is there automated decision-making?
In general, we do not use fully automated decision-making within the meaning of Article 22 GDPR in order to establish and/or to conduct a business relationship. If we should use such procedures on a case-by-case basis, we will inform you accordingly by separate notice as so provided for by law.
Stand 29. 05. 2018
Our website only uses technically necessary cookies.
Technically necessary cookies are small files that are necessary for the basic functions of the website. They are used to ensure that the website is displayed correctly, functions technically and that the respective levels communicate with each other correctly.
You can block or delete these cookies, but then you run the risk that some parts of the website will not function properly.
Record on the web server
Every time a user accesses our website and every time a file is retrieved or attempted to be retrieved from the server, data about this process is stored in a log file. For us it is not directly recognizable, which user called upon which data. We also do not try to collect this information. This would only be possible in legally regulated cases and with the help of third parties (e.g. Internet service providers). In detail, the following data record is stored for each retrieval: The IP address, the name of the downloaded file, the date and time of the download, the amount of data transferred, the message as to whether the download was successful and the message as to why a download may have failed, the name of your Internet service provider, if applicable the operating system, the browser software of your computer and the website from which you are visiting us.
The legal basis for the processing of personal data is our legitimate interest (in accordance with Art 6 (1) (f) GDPR). This is to detect, prevent and investigate attacks on our website.
In addition, we process your personal data in special cases on the basis of the legitimate interests of us or legitimated third parties for legal proceedings or on behalf of legally authorized authorities or courts.
We generally store data for a period of three months to guarantee the security of our homepage. A longer storage only takes place as far as this is necessary to investigate determined attacks on our website or to pursue legal claims.
For the above-mentioned purposes, we have your personal data processed by the following service providers: Raiffeisen Informatik GmbH, GRZ IT Center GmbH, Raiffeisen Informatik Center Steiermark GmbH.