Privacy policy

Table of contents

Status: 17/08/2023

We hereby inform you about the processing of your personal data in accordance with Art. 13 and 14 GDPR, Section 21 (5) FM-GwG and the data protection claims and rights to which you are entitled. The content and scope of data processing depend largely on which products and services you apply for or agree with us.

1. Who is responsible for the data processing?

VakıfBank International AG

Prinz-Eugen-Straße 8-10/8. OG/17

1040 Vienna

Phone: +43 1 512 35 20

Fax: +43 1 512 35 20 - 199


VakifBank International AG has designated a Data Protection Officer (“DPO”) who is available to answer questions about the processing of your personal data. The DPO can be contacted via e-mail at

2. What data do we processed and where do these data come from?

Data processing in the context of account opening and account management

  • - Name and title
    - Address and second address
    - Date and place of birth
    - Nationality
    - E-mail address
    - Phone number
    - Residenc (currency status)
    - Profession
    - Identification data (e.g. ID card data)
    - Authentication data (e.g.,specimen signature)
    - Information on your financial status
    - Documentation data (e.g. counselling protocols)
    - Register data
    - Video and phone recordings
    - Information derived from our communication
    - Account data (IBAN, BIC, account number, type of account, account balance, turnover or order data)
    - Customer number
Data processing in the context of self-disclosure regarding tax residency (CRS, FACTA)
  • - Name and title
  • - Address
  • - Date, place and country of birth
  • - Indication of whether the person is a U.S. person
  • - Information on tax residency (country, tax identification number and justification in the absence of such)
Data processing as part of the Know Your Customer questionnaire
  • - Name and title
  • - Address
  • - Date and place of birth
  • - Nationality
  • - E-mail address
  • - Phone number
  • - Residenc (currency status)
  • - Employer (company, address)
  • - Profession
  • - Information on the background of the business relationship or domestic reference
  • - Information on the origin of current/future assets
  • - Information and documents as proof of income/assets
  • - Information on the intended use of the assets
  • - Indication of whether the account holder is a politically exposed person (PEP) and description of the exposure
Data processing in the context of opening and management of savings accounts
  • - Name and title
  • - Address
  • - Date and place of birth
  • - Nationality
  • - E-mail address
  • - Phone number
  • - Residenc (currency status)
  • - Profession
  • - Identification data (e.g. ID card data)
  • - Authentication data (specimen signature)
  • - Account data (account name, account number, account type, term, interest rate, control number, password, account balance, turnover or order data)
  • - Specimen signature (only for legitimised savings book)
  • - Customer number

Data processing in the context of opening and management of time deposit accounts

  • - Name and title of the account holder(s)
  • - Address
  • - Information on U.S. citizenship or tax liability / tax residency
  • - Date and place of birth
  • - Nationality
  • - Profession
  • - Marital status
  • - Phone number
  • - E-mail address
  • - Identification data (e.g. ID card data)
  • - Sound and image data as part of online identity verification
  • - Account data (account number, type of account, account balance or account balance, reference account, transactions or transfer transactions including related information)
  • - Type and origin of the funds

Data processing in the context of video-identification before opening a time deposit account

To make it easier for you to open a transfer account, we offer an online video-identification for the required identification. The video identification is conducted on our behalf and exclusively for our purposes by CRIF GmbH and WebID Solutions GmbH, who are obliged to comply with all applicable data protection regulations. We provide your personal data (name, date of birth, address, e-mail address, phone number and your preferred language). In the video-identification WebID employees take photos of you and your identification document (passport, ID card, driving license) via your camera. These are transmitted to us for identification and account opening.

Name and title of the borrower and guarantor

  • - First name, surname and title of the borrower and guarantors
  • - Account number
  • - Customer number
  • - Credit data (guarantee facility, term, processing fee, liability commission, expense reimbursement, debit interest, default interest)
  • - Pledge agreement for savings deposits: pledgee, passbook number, account number, account holder, password, legitimised person
  • - Pledge agreement life insurance: pledgee, life insurance policy, policyholder
  • - Mortgage: Debtor

We process personal data you disclose to us as well as data we obtained from credit reporting agencies, registers of debtors and publicly available sources (e.g., company register, land register, register of associations). If necessary for the provision of our services, we process personal data that we have received from third parties (e.g., KSV 1870) in a permissible manner (e.g., for the execution of orders, for the fulfilment of contracts or based on your consent).

3. For which purposes and on what legal basis are my data processed?

Your data are processed to provide banking transaction and financial services to fulfill the contracts concluded with you as customer (Article 6(1) (b) GDPR) and to comply with our legal obligations as a bank (Article 6(1) (c) GDPR), such as the reporting of certain suspicious cases to the money laundering office (Sec. 16 FM-GwG) and the provision of information to the federal tax authorities (Sec. 8 of the Austrian Account Register and Inspection Act).

If necessary, we process your data not exclusively for the performance of contract but for our legitimate interests or those of a third party (Article 6(1) (f) GDPR). E.g.
  • - Consultation of and data exchange with credit reporting agencies (e.g., Austrian Credit Protection Agency – KSV1870) to determine credit and default risks
  • - Assertion of legal claims and defense in legal disputes
  • - Risk management and assessment within VakifBank Group
  • - Video surveillance to collect evidence in case of robberies or fraud offences or to proof withdrawals and deposits (e.g., at ATMs)
  • - Measures to protect employees and customers of VakifBank International AG
  • - Measures to prevent and combat fraud (Fraud Transaction Monitoring)

If you consent to the processing of your personal data (e.g., for marketing activities or the placing of technically not required cookies), we process these data only for the purposes defined and agreed upon in your declaration of consent. You can withdraw your consent at any time for free, effective as of that date.

4. Customer information as per Sec. 21(5) FM-GwG

Credit institutions shall delete all personal data processed or stored exclusively on the basis of the FM-GwG for the purpose of preventing money laundering and terrorist financing after a retention period of 10 years from the termination of the business relationship, unless other federal laws require or entitle to a longer retention period, or the Financial Market Authority (FMA) has set longer retention periods by decree.

Personal data used by the bank solely based on the Austrian Financial Markets Anti-Money Laundering Act for the purposes of prevention of money laundering and terrorism financing are not further processed in a way that is incompatible with those purposes. Therefore, such personal data are not processed for any other purposes (e.g., commercial purposes).

5. Is there an automated decision-making mechanism, including profiling?

We do not use automated decision-making pursuant to Art. 22 GDPR to reach a decision on the establishment and implementation of the business relationship.

When a loan is granted, a credit assessment (credit scoring) is carried out. In this process, the default risk of credit applicants is assessed with the help of statistical comparison groups. The calculated score value is intended to enable a forecast of the probability with which an applied-for loan is likely to be repaid. To calculate this score value, your master data (e.g. marital status, number of children, length of employment, employer, etc.), information on your general financial circumstances (e.g. income, assets, monthly expenses, amount of liabilities, collateral, etc.) and payment history (e.g. proper loan repayments, reminders, data from credit agencies) are used. If the risk of default is too high, the credit application is rejected and, if necessary, an entry is made in the small loan record kept by KSV 1870 and an internal warning is issued. If a credit application is rejected, this is visible in the small loan record kept by KSV 1870 for 6 months in accordance with the decision of the data protection authority.

6. Who receives my data?

Within VakifBank International AG only those units and employees are provided with your data that need it to fulfill contractual, legal, and regulatory obligations and pursue legitimate interests. Moreover, commissioned processors (especially IT-service providers) will receive your data if needed to provide their services. All processors are under the obligation to treat your data confidentially and to process them exclusively for providing the contracted services. In the context of legal or regulatory obligations, public bodies, public institutions (e.g., Austrian Financial Market Authority, tax offices) as well as bank auditors may receive your personal data.

If you open a time deposit account online, we forward your personal data to CRIF GmbH as our processor to perform video-identification. CRIF GmbH forwards to us the results and all the data you disclose.

A data transfer to third countries outside of the EU / EEA, especially to our parent company Vakiflar Bankasi TAO in Turkey, only takes place if

  • - it is necessary to execute your orders (e.g., payment orders),
  • - it is required by law (e.g. reporting obligations under tax law),
  • - you have given us your consent to do so, or
  • - it is necessary in the context of a Data Processing Agreement.

Where a data transfer to third countries takes place and no adequacy decision of the European Commission as per Article 45 GDPR exists for the respective third country, such data transfer is based on appropriate safeguards as per Article 46 GDPR, such as standard contractual clauses (SCC) of the European Commission.

7. For how long will my data be stored?

If necessary, we store your personal data for the duration of the entire business relationship (from pre- contractual first contacts to contract execution and contract termination). We store your data beyond the end of our business relationship to fulfill legal retention or documentation requirements based on the Austrian Company Code (UGB), the Austrian Federal Tax Code (BAO), the Austrian Financial Markets Anti-Money Laundering Act (FM-GwG), and the Austrian Banking Act (BWG). The storage or documentation periods specified in the relevant laws are up to 10 years. Additionally, the statutory limitation periods according to the Austrian General Civil Code (ABGB), which in certain cases can be up to 30 years (the general limitation period is 3 years), must be considered for the storage period.

8. What data protection rights do I have?

The GDPR grants data subjects the following rights:

As per Article 15 GDPR you have the right to access the personal data processed by the controller as well as the purposes of the processing, the categories of personal data concerned, the categories of recipients to whom the personal data have been or will be disclosed, the envisaged storage period, the information on the existence of the right to request rectification or erasure, the right to restriction of data processing or to object to such processing, the information on the right to lodge a complaint with a supervisory authority, the source of personal data (in case VakifBank International AG did not collect the data), about data transfers to a third country or an international organization and the existence of automated decision-making including profiling and meaningful information about the logic involved.

As per Article 16 GDPR you have the right to rectification of inaccurate data without undue delay and to have incomplete personal data completed by VakifBank International AG.

As per Article 21 GDPR you have the right to object at any time to processing of personal data based on public interests or our legitimate interests if you think that the data processing is unlawful.

As per Article 17 GDPR you have the right to erasure of your personal data if the processing is not necessary for exercising the right of freedom of expression and information, for compliance with legal obligations, for reasons of or archiving purposes in the public interest, or for the establishment, exercise or defence of legal claims.

As per Article 18 GDPR you have the right to restriction of processing of your personal data if the accuracy of the personal data is contested by the you, the processing is unlawful, VakifBank International AG no longer needs the personal data and you oppose to the erasure, because you need the data for the establishment, exercise or defence of legal claims. You have the right to restriction also if you have objected to processing personal data.

As per Article 20 GDPR you have the right to receive your personal data that you provided to us, in a structured, commonly used, and machine-readable format or to request transmission of those data to another controller.

As per Article 7(3) GDPR you have the right to withdraw your consent at any time. The withdrawal of consent does not affect the data processing until the time of receipt of the withdrawal. After receiving a withdrawal of consent, we will no longer process personal data for the purpose the consent has been given for.

As per Article 77 GDPR you have the right to lodge a complaint with a supervisory authority (Austria: Data Protection Authority, Barichgasse 40-42, 1030 Wien, You may contact the supervisory authority in the Member State of your habitual residence, place of work or place of the alleged infringement.

9. Am I obliged to provide data?

In the context of our business relationship, you are obliged to provide such personal data that are necessary to establish and manage the business relationship and which we are required to collect by law. If you fail to provide such data, we must refuse to enter into a contract with you or to execute an order or we will no longer be able to perform an existing contract and must therefore terminate it. However, you are not obliged to consent to the processing of data other not relevant for the performance of the contract and/or that are required under legal or regulatory provisions.

10. Amendment of the Privacy Notice

Please note that changes to the legal situation, technical developments, changes to our range of services and organizational changes may require an amendment or update of this Privacy Notice.

We reserve the right to amend this Privacy Notice, particularly in case of changes in the legal situation or changes in the banking processes and products.

The current version of the Privacy Notice will be published on this website, stating the date of amendment.