Data privacy

Version June 2022

Data protection statement and information provided in accordance with the EU General Data Protection Regulation (“GDPR”)

General Information

Addiko Bank AG, Canetti Tower, Canettistraße 5/12.OG, 1100 Vienna, Austria (“Addiko” or “we”) takes the protection of your personal data and the processing of this data in a manner compliant with data protection principles very seriously. In this data protection declaration, we will explain how we, as the controller for data processing activities, collect personal data about you, use it and in certain circumstances may pass it on to third parties; and how you may exercise your rights as a person affected. If you have any questions about our usage of your personal data, please contact us at one of the following contact addresses:

Do you have Addiko savings products and live in Austria?

Write to us at:
Addiko Bank AG
Postfach 345
A-1000 Vienna
Email: customer.service@addiko.at

Do you have Addiko savings products placed via www.weltsparen.de and live in Germany?

Your direct contact in Germany is our broker “Raisin DS GmbH”:

Raisin DS GmbH
Schlesische Straße 33/34
10977 Berlin
Email: kundenservice@weltsparen.de

Do you have Addiko savings products placed via Deutsche Bank ZinsMarkt?

Your direct contact is “Deutsche Bank”:

Deutsche Bank AG
Taunusanlage 12
D-60325 Frankfurt am Main
Contact: https://www.deutsche-bank.de/pk/service-und-kontakt/kontakt/kontakt.html/

If you would prefer to make contact directly with Addiko Bank, please write to us at:

Addiko Bank AG
Canetti Tower, Canettistraße 5/12.OG
A-1100 Vienna
Email: direct.deposit@addiko.com

Do we provide you with a different service, or are you one of our business partners?

Write to us at:
Addiko Bank AG
Canetti Tower, Canettistraße 5/12.OG
A-1100 Vienna
Email: holding@addiko.com

The contact information for our data protection officer is as follows:

Addiko Bank AG
attn. Data Protection Officer
Canetti Tower, Canettistraße 5/12.OG
A-1100 Vienna
Email: dpo.at@addiko.com

Types of personal data and processing purposes

The data that you provide to us voluntarily and that we obtain from you within the framework of our business relationship (e.g. in conjunction with an application for a product, contact form, registration, direct communications with you online or by telephone, or as part of you using our services) comes under the following categories:

  • “Personal information” such as preferred form of address, title, name, contact information (telephone number, email address, postal address), date/place/country of birth, marital status, profession/employer information, nationality etc.
  • “Identification data” such as details of an official form of ID (passport, driver’s licence etc.), ID numbers
  • “Authentication data” such as specimen signature, PIN
  • Data from public registers
  • Data related to transaction processing, such as customer number, account data, payment instructions, transaction data
  • Data related to documentation, such as financial advice discussions
  • Financial status, such as credit scoring, ratings data etc.
  • Tax ID numbers
  • Images and recorded data, such as video or telephone recordings
  • Information from electronic interactions with Addiko (e.g. through our website, apps etc.), such as the IP address, username (where applicable), date and time of access, as well as technical data on the pages/objects viewed, browser and operating system used (combined log format); and when sending emails: email and IP address of the recipient and sender, numbers of recipients, subject of email, date and time received by the server, file names of any attachments, message size, risk classification with respect to spam/sender status
  • Data to comply with statutory and regulatory requirements
  • Marketing and sales data

Data which we obtain from external sources

We may occasionally obtain personal data relating to you from external sources, e.g. data from publicly accessible registers (such as the Commercial Register, Register of (not-for-profit) Associations or the Land Registry), from information published on websites and the media, or when information about you is relayed to us by subsidiaries or business partners. In such cases we check that these third parties have obtained your consent or are in some other way legally entitled or obliged to disclose your personal data.

Data which we capture automatically – cookies and similar technologies

We are able to automatically capture certain data from your device when you visit our websites (www.addiko.at and www.addiko.com). This data may constitute personal data, such as IP address, device type, one-off device identification numbers, browser type and other technical data. We can also capture data on how your device interacted with our website, e.g. which pages were viewed and which links clicked on.

By capturing this data, we are better able to understand who is visiting our website, where the visitors come from and what content on our website they are interested in. We use this data for internal analysis purposes and for the purpose of improving the quality of our website and aligning it more closely to the interests of our visitors. We can also use the data for ensuring network and data security.

Some of this data is captured using cookies and similar technologies. You can find out more about this at: https://www.addiko.com/cookies-policy/.

The personal data is processed for the purposes of

  • developing and managing the business relationship
  • invoicing services
  • answering messages, complaints or queries about services that you send to us
  • verifying the correctness of the data we hold on you
  • complying with the statutory and regulatory obligations we have
  • providing services and/or information, in particular the Addiko Online Banking service
  • inviting you to events
  • organising these events
  • staging competitions you can take part in
  • carrying out surveys
  • running, administering, analysing and improving our website
  • providing technical user support
  • ensuring network and data security.

Data recipients

We may pass on your personal data to the following categories of recipients:

  • Our employees, who require it to comply with contractual and legal obligations as well as legitimate interests; subsidiary banks; customer advisors; external service providers (e.g. IT service providers) and business partners that provide us with data processing services or process personal data in some other way for the purposes described in this data protection declaration or who will be notified to you if we capture your personal data. You will find a list of our current subsidiary banks at https://www.addiko.com/the-banking-network/. We can provide you with a list of our current service providers and partners upon request. All recipients are obliged to treat your data with the utmost confidentiality and only to process it for the purposes of providing a service.
  • Public authorities, such as supervisory or security authorities, or public offices, courts or other third parties (e.g. the European Banking Authority, European Central Bank, Austrian Financial Market Authority, tax offices, the US Internal Revenue Service, bank auditors, deposit protection institutes etc.), where disclosure is necessary (i) because of existing laws and regulations, (ii) to exercise, safeguard or defend our statutory rights or (iii) to protect your legitimate interests or the legitimate interests of another person.
  • Potential purchasers (and representatives and advisors thereof), if the sale, merger or take-over of our company (or part of it) is planned, in which case we would inform the purchaser that your personal data may only be used for the purposes stated in this data protection declaration.
  • Another person, where you have consented to the disclosure.

Legal basis for the processing of personal data

The legal basis for the capture and processing of personal data depends on the specific context in which we capture it.

To fulfil contractual obligations (Art. 6(1)(b) of the GDPR)

Your personal data is processed in order to initiate and process contracts with you, and to execute your instructions as part of our banking services.

The specific purpose of the data processing will be notified to you in the relevant contract documentation and terms and conditions and is thus dependent on the specific service or product (we currently offer Addiko Tagesgeld (overnight deposits) and Addiko Festgeld (term deposits)).

To fulfil statutory obligations (Art. 6(1)(c) of the GDPR)

In some areas we are obliged by law to process your personal data. These laws include the Austrian Banking Act, the Financial Markets Anti-Money Laundering Act, Common Reporting Standards Act, Securities Supervision Act and Stock Exchange Act. Alternatively, we may be obliged as a result of regulatory stipulations (issued, for example, by the European Central Bank, the European Banking Authority, the Austrian Financial Market Authority, the US Internal Revenue Service etc.). They cover such requirements as:

  • Verification and reporting to combat money laundering and the financing of terrorism (section 16 of the Financial Markets Anti-Money Laundering Act): this calls for us to verify the identity of customers, beneficial owners or any trustors of customers, to assess the purpose and type of business relationship desired by the customer and to obtain information on the origin of the funds deployed, as well as to continuously monitor the transactions in the course of the business relationship; and to store copies of the information received that is necessary to show that due diligence obligations have been met, as well as the receipts and recordings of transactions necessary to identify them
  • Identification of tax residency in another state that participates in the automatic exchange of information to help combat tax evasion, and notification of the same to the Austrian tax authorities for communicating to the relevant foreign tax authorities in accordance with the Common Reporting Standards Act
  • Provision of information to the FMA, based on mandatory monitoring requirements and in accordance with the Securities Supervision Act and the Stock Exchange Act, on possible market manipulation due to insider information
  • Capture and notification of data to the US Internal Revenue Service in cases where FATCA applies
  • Provision of information to the investigatory authorities in respect of criminal proceedings relating to premeditated financial crime
  • Provision of information to the federal tax authorities (section 8 of the Account Register & Inspection Act)
  • Reporting of customer and account data to the deposit protection scheme.

Based on your consent (Art. 6(1)(a) of the GDPR)

If we have your consent, Addiko processes your data in line with the consent given (e.g. for sending newsletters, Investor Relations News). You may withdraw your consent – which will then affect future transactions/interactions – at any time.

To safeguard legitimate interests (Art. 6(1)(f) of the GDPR)

We may, additionally, process your data on the basis of the legitimate interests of Addiko or a third party. These legitimate interests cover, in particular:

  • Measures to prevent and combat fraud (fraud transaction monitoring)
  • Consulting and exchanging information with credit reference agencies (e.g. Österreichischer Kreditschutzverband 1870) to determine credit and default risks
  • Video surveillance and other protection measures that can provide evidence of fraud or criminal activities, and protect Addiko’s employees, customers and property
  • Marketing and other measures to improve and further develop our products and services (in particular their supply and quality), such as questionnaires, surveys, market and opinion research, as well as the, in part, automated processing of your data to assess certain personal characteristics (profiling) where you have not refused to give permission to processing for this direct marketing purpose, as provided for in Art. 21(2) of the GDPR
  • Measures connected to the prosecution of illegal acts.

Mandatory provision of certain data

If data that is required to be able to complete or process a contract (e.g. data for opening an account, authentication data for payment transfers etc.) or that we are legally obliged to collect (e.g. for money laundering checks) is not provided, it will not be possible to perform/provide the contract or the services required and an existing contract may have to be terminated.

International transfer of data

Your personal data may be transmitted to, and processed in, countries outside the EU/EEA which have not (yet) been judged by the EU Commission to provide an appropriate level of data protection and which possibly do not offer the same high levels of protection. Personal data may be made available to local authorities or courts due to local laws and regulations.

In particular, your data may be transmitted to our subsidiary banks in Serbia, Montenegro, and Bosnia and Herzegovina as well as to external service providers and partners in the US and Serbia in order to fulfil one of the purposes described here. This means that we may process your personal data, if we have captured it, in one of these countries.

We have, however, taken appropriate security measures and precautions to ensure your personal data will be protected in accordance with this data protection declaration. This includes using the standard contract clauses of the European Commission for the transmission of personal data. We can provide further details of the appropriate security measures and precautions upon request.

Data retention

We store your personal data for the duration of our business relationship provided this is necessary for the purposes of the business relationship; and for as long as our legal obligations (e.g. retention and documentation obligations in accordance with the Federal Fiscal Code, Austrian Commercial Code, Austrian Banking Act, Financial Markets Anti-Money Laundering Act, Securities Supervision Act), applicable retention periods (such as the general retention period of 3 years, through to 30 years in certain cases as set out in the Austrian Civil Code) or other legitimate interests dictate that we must retain the data (e.g. as evidence for the assertion of legal claims).

As soon as no legitimate reasons for continuing to store the personal data remain it will either be deleted or anonymised. If this is not possible (because, for example, your personal data is stored in back-up archives) we will store your personal data securely and ensure it cannot be used in any further processing activities until such time as it can be deleted.

Rights of data subjects

The Regulation provides for a data subject’s right to information, rectification, erasure, restriction of or an objection to processing, data portability and the right to lodge a complaint with the relevant supervisory authority (in Austria: the Austrian Data Protection Authority).

If we process your personal data based on your consent, you can withdraw this consent at any time. Where you gave consent by clicking on a consent confirmation button in a cookie banner, you can also withdraw it by changing the relevant setting in your browser. The withdrawal of your consent has no ramifications for the lawfulness of processing prior to the withdrawal of consent.

If personal data is processed for direct marketing purposes and the basis for processing has not been provided through your consent, you have the right to object to the processing of your personal data for the purposes of such marketing at any time; this also applies to profiling where this is linked to direct marketing.

Please write to us at the (email) addresses below if you wish to exercise these rights. We will examine your request and answer accordingly.

Do you have Addiko savings products and live in Austria?

Write to us at:
Addiko Bank AG
Postfach 345
A-1000 Vienna
Email: customer.service@addiko.at

Do you have Addiko savings products placed via www.weltsparen.de and live in Germany?

Your direct contact in Germany is our broker “Raisin DS GmbH”:

Raisin DS GmbH
Schlesische Straße 33/34
10977 Berlin
Email: kundenservice@weltsparen.de

Do you have Addiko savings products placed via Deutsche Bank ZinsMarkt?

Your direct contact is “Deutsche Bank”:

Deutsche Bank AG
Taunusanlage 12
D-60325 Frankfurt am Main
Contact: https://www.deutsche-bank.de/pk/service-und-kontakt/kontakt/kontakt.html/

If you would prefer to make contact directly with Addiko Bank, please write to us at:

Addiko Bank AG
Canetti Tower, Canettistraße 5/12.OG
A-1100 Vienna
Email: direct.deposit@addiko.com

Do we provide you with a different service, or are you one of our business partners?

Write to us at:
Addiko Bank AG
Canetti Tower, Canettistraße 5/12.OG
A-1100 Vienna
Email: holding@addiko.com

You can also unsubscribe from the marketing communications which we may send you. To do this, please send a reply email to the marketing emails we send you, with “RE” in the subject field. In order to discontinue receiving other types of marketing communications (e.g. by post or phone) please contact us at Addiko Bank AG – Postfach 345 – 1000 Vienna or email: customer.service@addiko.at or phone: 0800 800 707.

You can unsubscribe from Newsletters or Investor Relations News at any time via email to investor.relations@addiko.com or by post (Addiko Bank AG – Postfach 345 – 1000 Vienna).

Automated decision-making including profiling

Automated decision-making means that a decision which may have legal implications for you or otherwise affect you considerably has been taken on the basis of a computer-aided calculation (using software algorithms) without being checked by one of our people. We do not deploy automated decision-making as defined in Art. 22 of the GDPR. We process your data in part using automated procedures in order to analyse certain personal characteristics (profiling) and, as a result, to be able to offer you the best possible services. We use analytical tools that allow us to roll out demand-oriented communications and advertising, in order to be able to inform you about products in a targeted way.

Updates to this data protection declaration

We may update this data protection declaration from time to time in the light of new legal, technical or business developments. We will use appropriate measures to inform you of the changes made, depending on their importance. For every significant change to the data protection declaration we will ask you for your consent where and to the extent this is required by the relevant data protection laws. You will find the “Date last updated” at the start of this data protection declaration.

Subsidiary banks

You will find a list of our current subsidiary banks at https://www.addiko.com/the-banking-network/.