Information on Data Protection and Data Processing

Since 25 May 2018 onwards, the General Data Protection Regulation, also known as the GDPR, applies throughout the European Union. The GDPR stipulates the way in which personal data are to be processed and how they must be protected. 

What is the GDPR?

The GDPR is a regulation of the European Union. It applies directly in all of the member states including Austria. Every person whose data are processed is able to refer to and invoke the GDPR. 

What is regulated by the GDPR?

The GDPR contains legal provisions regarding the processing of your personal data. Whether it concerns your name, your telephone number, your bank account transactions or even your hobbies – all are protected by the GDPR. The principles which it stipulates regulate the ways in which your personal data are permitted to be saved and processed. 
 

Why does the Austrian Data Protection Act continue to apply (DSG)?

The European Union hasn't just enacted the GDPR, it has also enacted a full “data protection package”. This package also included a new data protection directive. How does a directive differ from a regulation? In contrast to a regulation, it is necessary for a directive to be implemented into national law first. In addition to this, the GDPR provides the member states with the scope to structure certain aspects on a more detailed basis than the GDPR itself.

Both of these have taken place in Austria with the Data Protection Act (Datenschutzgesetz), in short DSG.

Why is the protection of my data so important?

Data protection is a fundamental right. The same as your right to liberty or security, your right to the protection of your data is anchored in the Charter of Fundamental Rights of the European Union. The EU Charter of Fundamental Rights covers your relationship with governmental institutions.

It is legally acknowledged, however, in both the private and commercial spheres, that there must also be a balancing of interests between the Data Processor and what are referred to as the “data subjects” – i.e. between you and your bank, for example. This is stipulated in both the GDPR and the DSG.

Our personal data contains a lot of information about us: it can also refer to our hobbies, our preferences and our aspirations. Such things are naturally worthy of protection. Yet we can only improve our individual service for you if we are aware of your preferences. A key element of data protection is that we work with you to find a way of being able to process your data in your interests and under your supervision. 

Doesn't banking secrecy apply, anyway?

Yes, information of which we become aware due to the business relationship is protected by Austrian banking secrecy - according to Art. 38 of the Austrian Banking Act. The GDPR also applies.

Good to know: The banking confidentiality arrangements can only be dispensed with in writing – refer to Art. 38 para. 2, clause 5, Austrian Banking Act. In this case, “in writing means”:

• the provision of a handwritten signature on “ink and paper” for example, or
• a qualified electronic signature, e.g. in the form of a “mobile phone signature” or
• strong customer authentication in digital banking, for example CardTAN or s Identity in George.

Where can I find out more about the GDPR and the DSG?

(All links are valid as of March 2023)

A consolidated version of the GDPR is available here:
https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A02016R0679-20160504

A consolidated version of the DSG is available here:
https://data-protection-authority.gv.at/data-protection-laws/relevant-data-protection-laws.html

The EU Charter of Fundamental Rights:

https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A12012P%2FTXT

Further information about your rights is available on the following websites:

Austrian Data Protection Authority https://www.dsb.gv.at/

European Commission:
https://ec.europa.eu/commission/priorities/justice-and-fundamental-rights/data-protection/2018-reform-eu-data-protection-rules_en

(All links are valid as of May 2024)

Before we can discuss the topic of data protection, it is important to clarify some basic terms. We have also included the references for the appropriate Articles of the GDPR so that you can read the definitions for yourself if you are interested. Please note that we only provide a summary, i.e. a shortened description of the legal text. The full legal text of the GDPR and the corresponding Articles is available here:
https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A02016R0679-20160504
 

What is personal data?

Personal data means all information that refers to an identified or identifiable natural person, known as the “data subject”. E.g. the name of a person or an identification number such as an IBAN or account number.

For further details refer to Article 4 (1) GDPR.

What does the processing of data entail?

The term “processing” means any operation, with or without the use of automated processes, which is performed on personal data. This includes, for example, the collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure (by transmission, dissemination or otherwise making available), the alignment or combination, restriction, erasure or destruction of the data.

For further details refer to Article 4 (2) GDPR.

What is meant by the term “Controller”?

The term “Controller” refers to the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. For example, we, in our role as a bank.

For further details refer to Article 4 (7) GDPR.

What is meant by the term “Processor”?

The term “Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of a Controller.

For further details refer to Article 4 (8) GDPR.