Who is responsible for the processing of personal data?
The processing of your data is the responsibility of
Erste Group Immorent GmbH
Am Belvedere 1
Contact for data protection related inquiries:
Erste Group Immorent GmbH
Am Belvedere 1
Responsible supervisory authority for data protection agenda:
Austrian data protection supervisory authority
Telephone: +43 1 52 152-0
Who is the data protection officer?
The position of Data Protection Officer is held by Barbara Chuda. For questions, suggestions or complaints about the processing of your data, please contact:
Ing. Barbara Chuda – Data Protection Officer
Erste Group Services GmbH
Am Belvedere 1
What personal data is processed?
We process the following personal data:
- Master and credential data, e.g. name, address, date of birth, phone number, tax status, ID card details, ID card copy, etc.
- Contract data, e.g. beginning of rental, commitment, etc.
- Data for compliance with legal and regulatory requirements
Please keep in mind: this is just a general list. We do not always have all of the above data. You are entitled to a detailed, individual statement of the data we hold and can request it from us. Who you need to contact can be found here.
Where does the personal data we process come from?
You have provided most of the personal data that we process to us yourself (for example, by handing over a copy of your identity card at the conclusion of the contract).
In addition, the data may come from the following sources:
- Debt directories, e.g. KSV1870 Holding AG, CRIF GmbH
- Publicly accessible sources, e.g. commercial register, land register, bankruptcy file, club register
- From other institutions of the Erste Group Bank AG, Erste Bank and Sparkassen Group for risk management in the banking association pursuant to §30 (7) Banking Act
In addition, we may receive data from governmental agencies or from sovereigns, such as guardianship or criminal courts, prosecutors, or court commissioners. For a detailed statement on information concerning you, you have the “right to access”.
For which purposes and on which legal basis are my personal data processed?
We are a financial institution under § 1 (2) Banking Act and Article 4 (1) (1) of Regulation (EU) 575/2013. The processing of personal data for the purpose of direct mail is not carried out by us!
Processing for the contract performance
As contractually agreed, we provide certain services that result from the contract, such as leasing rate calculations, prescriptions, etc. This requires the processing of your data.
Processing to satisfy a legal obligation
We may also be required to process your personal data by legal regulations and purposes, e.g.:
- Credit risk management: Banking Act
- Identification, transaction monitoring, suspicious transaction reports: Financial Market Money Laundering Act
- Recording of telephone conversations
- Information provided in criminal proceedings to the public prosecutor's offices and courts, as well as to financial criminal authorities for intentional financial offenses: Banking Act, Criminal Procedure Code, Financial Criminal Law
Processing due to a legitimate interest
There is also a legitimate interest in the data processing by us or third parties in the following cases:
- Requests and data exchange to determine creditworthiness and default risks vis-à-vis credit agencies
- Measures for preventing and combating fraud, fraud transaction monitoring
- Data processing within the scope of prosecution
- Recording of telephone conversations, e.g. for complaints or for the documentation of so-called declarations relevant for the transaction, e.g. card blocking
The processing of personal data for direct marketing may also be a legitimate interest.
Am I obliged to provide my personal data? What happens if I don’t want to do so?
For our business relationship, we need your personal data or the personal data of a representative of your company (ultimate beneficial owner, authorized signatories, etc.). If we do not know your name and your address, we are, for example, not able to correspond with you by mail. If we are not able to check your identity, we are not allowed by law to establish a business relationship. In cases where it is required for the business relationship, based on a contract or a legal regulation, we have to process some personal data. If you do not consent, we may unfortunately not be allowed to provide or offer certain products or services.
Is there decision-making based on automated processing, e.g. profiling?
At the beginning or during our business relationship, we do not use automated decision-making under Article 22 GDPR. When lending, we check the credit rating using so-called credit scoring. The default risk of credit seekers is assessed using statistical comparison groups.
The calculated score value enables an estimate on the probability that a requested loan is repaid. The following data is used to calculate this score:
- Your master data, e.g. marital status, number of children, duration of employment, employer
- Information on general financial conditions, e.g. income, assets, monthly expenses, liabilities, collateral
- Data on payment behavior, e.g. loan repayments, reminders, data from credit bureaus
If the default risk is too high, the loan application will be rejected and there may be an entry in the KSV1870 small loan certificate and an internal warning. If a loan application has been rejected, this can be seen in the small loan certificate at KSV1870 for 6 months, in accordance with the decision of the Data Protection Authorities.
To whom do you transfer my personal data?
Your personal data may be transferred to:
- Credit institutions, departments and persons (employees and vicarious agents) within the Sparkasse group, Erste Bank and Erste Group Bank AG who need these data for the contractual, legal or supervisory performance of duties as well as for the protection of legitimate interests
- Public bodies and institutions if we are legally obliged to do so, e.g. European Banking Supervisor, European Central Bank, Austrian Financial Market Supervision, financial authorities, etc.
- Third parties commissioned by us, e.g. for IT and back office services as well as bank auditors if they need them for their task. Third parties are contractually obliged to treat your data confidentially and to only process them within the scope of the service provision
- Third parties if this is binding for the contract performance or due to legal regulations, e.g. of the recipient of a bank transfer and their payment service provider.
Are my personal data transferred to a third country?
Our processors can work with subcontractors in third countries, e.g. in India. These sub-service providers are obliged to comply with Austrian data protection and security standards.
For a list of service providers currently working in third countries and information on the basics on which the transfer is based, please contact us.
How long are my personal data stored?
(All links as of May 2018)
Your personal data are stored at least for as long as is necessary to fulfil their respective purposes. Apart from that, the law prescribes the period for which the data have to be stored. These storage obligations may even exist if you are no longer our customer. An overview of the legal storage obligations applicable in Austria is available here:
What security measures are adhered to in the context of data processing?
Data protection and data security are important to us. We have taken all technical and organizational measures in order to protect our data processing. This specifically includes protection of your personal data. They are protected from unauthorized or illegal processing, accidental loss, accidental destruction or damage. These measures include, for example, the use of modern security software and encryption methods, physical access control and precautionary measures to prevent external and internal attacks.
Practical tips on how you can help protect your personal data can be found here.
What about cookies and web analytics?
Cookies: Cookies are used in various locations on our website. Cookies are small text files that recognize users when they use the website again. However, no personal details, such as name or address, are stored. Users cannot be identified from the information in question.
Web analytics: For an anonymous, statistical evaluation of the flow of visitors to the websites, we transfer personal data to the service provider Webtrekk GmbH. You can prevent this forwarding of your data.