Status: May 2018
We hereby inform you about the processing of your personal data and the data protection claims and rights to which you are entitled. The content and scope of the data processing depend to a large extent on which products and services you have applied for or agreed with us. For the purpose of clear information and presentation, this information sheet has been designed in the form of a question and answer catalogue.
Who is responsible for data processing and whom can you contact?
Responsible for data processing is:
VakıfBank International AG
Prinz-Eugen-Straße 8-10/8. OG/17
Phone: +43 1 512 35 20
VakifBank International AG has appointed a Data Protection Officer who is available to answer any questions you may have regarding the processing of your personal data.
You can contact the data protection officer at the above address with the subject "Data protection" or by e-mail at firstname.lastname@example.org.
We process the personal data that we receive from you within the scope of the business relationship. In addition, we process data that we have permissibly received from credit agencies, debtors' registers and publicly accessible sources (e.g. company register, land register, register of associations).
Personal data includes your personal details (name, address, contact details, date and place of birth, nationality, tax ID, FATCA status, etc.), legitimation data (e.g. ID data) and authentication data (e.g. specimen signature).
In addition, this may also include order data (e.g. transfer orders), data from the fulfilment of our contractual obligation (e.g. turnover data in payment transactions), information on your financial status (e.g. creditworthiness data), documentation data (e.g. advisory records), register data, image and sound data (e.g. video or telephone recordings), information from your electronic communications with the Bank (e.g. e-mails), processing results generated by the Bank itself as well as data for the fulfilment of legal and regulatory requirements.
We process the aforementioned personal data in accordance with the provisions of data protection law (including the General Data Protection Regulation, DSG 2018, etc.) for the following purposes:
1. Fulfilment of contractual obligations (Art 6 para 1b DSGVO)
The processing of personal data (Art. 4 No. 2 DSGVO) is carried out for the provision of banking transactions and financial services, in particular for the execution of our contracts with you and the execution of your orders as well as all activities necessary for the operation and administration of a credit and financial services institution.
The purposes of data processing depend primarily on the specific product (e.g. account, savings deposit, time deposit) and may include, among other things, advice, asset management and support as well as the execution of transactions.
The specific details on the purposes of data processing can be found in the contract documents and terms and conditions.
2. Fulfilment of legal obligations (Art. 6 para. 1c DSGVO)
Processing of personal data may be necessary for the purpose of fulfilling various legal obligations (e.g. under the Banking Act, Financial Market Money Laundering Act, etc.) as well as regulatory requirements (e.g. of the European Central Bank, the European Banking Authority, the Austrian Financial Market Authority, etc.) to which VakifBank International AG as an Austrian credit institution is subject. Examples of such cases are:
- Reports to the Money Laundering Reporting Office in certain suspicious cases (Section 16 FM-GwG);
- Provision of information to federal tax authorities pursuant to section 8 of the Account Register and Account Inspection Act.
3. Safeguarding legitimate interests (Art 6 para 1f DSGVO)
Where necessary, data may be processed beyond the actual performance of the contract in order to safeguard legitimate interests of us or third parties.
Examples of legitimate interest data processing include:
- Consultation of and data exchange with credit agencies (e.g. Austrian Credit Protection Association) for the determination of creditworthiness and credit and default risks;
- Assertion of legal claims and defence in legal disputes;
- Risk management and assessment in the Group;
- Video surveillance for the collection of evidence in the case of robberies and fraud offences or for the proof of dispositions and deposits, e.g. at ATMs;
- Measures to protect employees and customers as well as property of the bank;
- Measures to prevent and combat fraud (Fraud Transaction Monitoring).
4. Within the scope of your consent (Art 6 para 1a DSGVO)
If you have given us consent to process your personal data, processing will only take place in accordance with and within the scope of the purposes specified in the declaration of consent. Consent given can be revoked at any time with effect for the future.
Within VakifBank International AG only those departments and employees will receive your data which need them to fulfil contractual, legal and supervisory obligations as well as legitimate interests.
In addition, order processors commissioned by us (in particular IT service providers) receive your data insofar as they require the data for the fulfilment of their respective service. Our processors are contractually obliged to treat your data confidentially and to process it only in the context of providing the service.
In the event of a legal or regulatory obligation, public bodies and institutions (e.g. Austrian Financial Market Authority, etc.) may be recipients of your personal data.
Data transfer to countries outside the EU or the EEA (so-called third countries), e.g. to our parent company, T. Vakiflar Bankasi TAO, only takes place if this is necessary for the execution of your orders (e.g. payment orders), is required by law (e.g. reporting obligations under tax law), you have given us your consent to do so, within the scope of commissioned data processing and on the basis of a legitimate interest. In the case of commissioned data processing and transfer on the basis of a legitimate interest, recipients are obliged to comply with the level of data protection in Europe by agreeing on suitable guarantees.
With regard to the disclosure of data to other third parties we would like to point out that VakifBank International AG as an Austrian credit institution is obliged to observe banking secrecy according to § 38 BWG (Austrian Banking Act) and therefore to maintain secrecy about all customer-related information and facts which have been entrusted to us or made accessible to us due to the business relationship. We may therefore only pass on your personal data if you have expressly released us from banking secrecy in writing in advance or if we are obliged or authorised to do so by law or supervisory authority. Recipients of personal data in this context may be other credit and financial institutions or comparable institutions to which we transmit data in order to carry out the business relationship with you (depending on the contract, this may be e.g. correspondent banks, credit agencies, etc.).
We process your personal data, as far as necessary, for the duration of the entire business relationship (from the initiation and processing to the termination of a contract) as well as beyond that in accordance with the statutory retention and documentation obligations (inter alia in accordance with the Austrian Commercial Code (UGB), the Federal Fiscal Code (BAO), the Financial Market Money Laundering Act (FM-GwG), the Banking Act (BWG)). In addition, the statutory limitation periods, which can be up to 30 years in certain cases (the general limitation period is 3 years) according to the General Civil Code (ABGB), must be taken into account in the storage period.
The GDPR gives you the following rights as a data subject of a processing of personal data:
In accordance with Art. 15 DSGVO, you can request information about your personal data processed by us. In particular, you can request information about the processing purposes, the categories of personal data, the categories of recipients to whom your data has been or will be disclosed, the planned storage period, the existence of a right to rectification, erasure, restriction of processing or objection, the existence of a right of complaint, the origin of your data if it has not been collected by us, about a transfer to third countries or to international organisations, as well as about the existence of automated decision-making including profiling and, if applicable, meaningful information about its details.
In accordance with Art. 16 DSGVO, you can immediately request the correction of incorrect personal data or the completion of your personal data stored by us.
Pursuant to Art. 17 DSGVO, you may request the erasure of your personal data stored by us, unless the processing is necessary for the exercise of the right to freedom of expression and information, for compliance with a legal obligation, for reasons of public interest or for the assertion, exercise or defence of legal claims.
Pursuant to Article 18 of the GDPR, you may request the restriction of the processing of your personal data if you dispute the accuracy of the data, the processing is unlawful, we no longer need the data and you object to their deletion because you need them to assert, exercise or defend legal claims. You also have the right under Art. 18 DSGVO if you have objected to the processing in accordance with Art. 21 DSGVO.
Pursuant to Art. 20 DSGVO, you may request to receive your personal data that you have provided to us in a structured, commonly used and machine-readable format or you may request that it be transferred to another controller.
Pursuant to Art. 7 (3) DSGVO, you may revoke your consent at any time. This has the consequence that we may no longer continue the data processing based on this consent for the future.
In accordance with Art. 77 DSGVO, you have the right to complain to a supervisory authority (Austria: Data Protection Authority, Wickenburggasse 8, 1080 Vienna). As a rule, you can contact the supervisory authority of your usual place of residence, your place of work or our company headquarters for this purpose.
Within the framework of the business relationship, you must provide all those personal data that are necessary for the establishment and execution of the business relationship and for the collection of which there is a legal obligation. If you do not provide us with this data, we will usually have to refuse the conclusion of the contract or the execution of the order or will no longer be able to perform an existing contract and consequently have to terminate it. However, you are not obliged to give consent to data processing with regard to those data that are not relevant for the performance of the contract or are not required by law and/or regulation.
We do not use automated decision-making pursuant to Art. 22 DSGVO to reach a decision on the establishment and implementation of the business relationship.
When a loan is granted, a credit assessment (credit scoring) is carried out. In this process, the default risk of credit applicants is assessed with the help of statistical comparison groups. The calculated score value is intended to enable a forecast of the probability with which an applied-for loan is likely to be repaid. To calculate this score value, your master data (e.g. marital status, number of children, length of employment, employer, etc.), information on your general financial circumstances (e.g. income, assets, monthly expenses, amount of liabilities, collateral, etc.) and payment history (e.g. proper loan repayments, reminders, data from credit agencies) are used. If the risk of default is too high, the credit application is rejected and, if necessary, an entry is made in the small loan record kept by KSV 1870 and an internal warning is issued. If a credit application is rejected, this is visible in the small loan record kept by KSV 1870 for 6 months in accordance with the decision of the data protection authority.
To optimise our website offer, we use so-called "cookies". This information explains what cookies are, what they are used for and how you can adjust your cookie management settings.
What is a cookie?
Cookies are text files that can be stored on the hard drive of your device (e.g. computer, tablet and mobile phone) depending on the settings when you visit a website or click on an advertisement. Cookies are managed by your internet browser. Only the publisher of the cookies can read or adapt the information they contain.
Cookies are used to identify your device on which they are stored and are time limited.
What are the cookies used by our website used for?
There are two different types of cookies that can be stored on your device when you visit our website. The purpose of these cookies is described below.
1. Technical cookies
Technical cookies are strictly necessary for visiting our website and accessing the various products and services. They are used to:
a) optimise the presentation of the website according to the display settings of your device (language used, screen resolution, operating system, etc.);
b) store certain information relating to forms you have completed on our website;
c) implement certain security measures.
These cookies are necessary in order to provide you, as a website visitor, with the expressly requested services. In the event that cookies are deactivated, you may experience difficulties in accessing the website you have requested.
2. Cookies to measure the volume of visitors
Visitor volume cookies are used by us and/or our technical service providers to measure the number of visitors accessing the various content and how you use the website. These cookies are also used to optimise the user-friendliness of the website. The information collected is only used to compile anonymous statistics, which at no time contain personal information about individual visitors.
For this purpose, we may use analysis tools from the following provider and the corresponding cookies: Google Analytics
Due to the activation of IP anonymisation on this website, the IP address is shortened by Google within member states of the European Union (EU) or in other contracting states of the Agreement on the European Economic Area and transmitted to a Google server in the USA and stored there. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and shortened there. In these cases, Google takes appropriate measures to ensure an equivalent level of data protection to that in the EU.
Your user data is stored on Google's server for a maximum of 26 months, after which it is automatically deleted.
As an alternative to browser plugins or within browsers on mobile devices, you can prevent the collection by Google Analytics by clicking on the following link: Deactivate Google Analytics