Data Protection


Information on data processing according to Articles 13 and 14 of the EU General Data Protection Regulation (GDPR)

We would like to inform you about the processing of your personal data and the rights and entitlements that you are guaranteed under data protection law. The subject matter and scope of processing is largely determined by the products and services respectively agreed or by the individual products and services you have ordered.

Who is responsible for processing and who can you contact?

  • The person responsible for processing is:
    Wiener Privatbank SE Parkring 12
    1010 Vienna
    T: +43-1-53431-0
    F: +43-1-53431-710
  • The data protection officer of Wiener Privatbank SE is:
    Mag. Gertraud Wisiak
    Parkring 12 
    1010 Vienna Austria
    T: +43-1-53431-479
    F: +43-1-53431-710

Which data is processed and where is this data sourced?

The personal data is provided by you or by a sales partner you have authorised. In addition, we process data duly received from credit bureaus, lists of debtors (e.g. CRIF GmbH, KSV 1870 Holding AG) and from publicly accessible sources (e.g. company register, association register, land register, the media).

Personal data includes your personal details (name, address, contact details, date and place of birth, nationality, job-related information, etc.), identification (e.g. ID information) and authentication (e.g. specimen signature). Moreover, personal data may include contract data (e.g. payment orders), information from the performance of our contractual obligations (e.g. transaction data from payments), information about your financial status (e.g. credit standing, scoring and rating data, etc.), promotional and sales data, documentation data (e.g. customer support reports), register data, sound and image data (e.g. video and telephone recordings), information from your electronic correspondence with the bank (e.g. apps, cookies, etc.), processing results generated by the bank itself and data for ensuring compliance with statutory and regulatory requirements.

For what purposes is data processed and on the basis of which legal provisions is it processed?

Your personal data is processed in compliance with the provisions under data protection law (EU General Data Protection Regulation, Austrian Data Protection Act).

For compliance with contractual obligations (Art 6[1b] GDPR)

Personal data is processed (Art 4 number 2 GDPR) to provide and procure banking business, financial services and real estate business, especially for the performance of our contracts concluded with you and the execution of orders and discharge of all activities required for the operation and management of a credit and financial services institutions. The purposes of processing are primarily determined by the specific product and may include needs analyses, advice, asset management and administration as well as the execution of transactions.

For compliance with legal obligations (Art 6 [1c] GDPR)

Personal data may be processed for the purpose of ensuring compliance with various legal obligations (e.g. Banking Act, Financial Market Money Laundering Act, Securities Supervision Act, Stock Exchange Act, etc.) and prudential obligations (e.g. European Central Bank, European Banking Authority, Austrian Financial Market Authority, etc.) to which Wiener Privatbank SE, as an Austria credit institution, is subject. Examples for such cases are:

  • notification to the Financial Intelligence Unit of certain cases of suspected money laundering (sec. 16 Financial Market Money Laundering Act [FM-GwG]);
  • provision of information to fiscal prosecution authorities within the scope of tax litigation on account of intentional fiscal offences;
  • provision of information to the Financial Market Authority (FMA) in accordance with the Securities Supervision Act (WAG) and the Stock Exchange Act (BörseG), e.g. to monitor compliance with the provisions relating to the abuse of insider information in the market;
  • provision of information to the government's fiscal authorities pursuant to sec. 8 of the Account Register and Account Inspection Act (KontRegG).

Within the scope of your consent (Art 6 [1a] GDPR)

If you give us your consent to process your personal data, processing is performed in accordance with the purposes established in the letter of consent and the scope defined therein. Consent that has been given may be revoked at any time with future effect (e.g. you may object to having your personal data processed for marketing and promotional purposes if you no longer agree to having such data processed from a given point forward).

For the purposes of legitimate interests (Art 6 [1f] GDPR)

Where necessary, and in consideration of the interests of Wiener Privatbank SE or a third party, data processing may go beyond the actual performance of the contract for the purposes of our legitimate interests or the legitimate interests of a third party. In the following cases, data is processed for the purposes of legitimate interests:

  • consultation of and data exchange with credit bureaus (e.g. CRIF GmbH, KSV 1870 Holding AG) to determine credit and/or default risk
  • assessment and optimisation of procedures for needs analysis and direct customer communication
  • promotion or market and public opinion research, provided you do not object to the use of your data in accordance with Art 21 GDPR.
  • telephone recordings (e.g. orders)
  • action taken for purposes of business management and the advancement of products and


  • action taken to protect employees and customers as well as the bank's property
  • action taken for the sake of fraud prevention and control (frau transaction monitoring)
  • in legal proceedings

Who receives your data?

At Wiener Privatbank SE, the data is made available to the offices and employees who require the data to fulfil contractual, legal and prudential obligations and the purposes of legitimate interests. In addition, we provide your data to authorised processors (particularly IT and back office service providers), provided they require the data to perform their respective services. All processors are contractually obliged to keep your data confidential and to process the data only within the scope of the services they provide.

To meet statutory or prudential obligations your personal data may also be provided to public authorities and institutions (e.g. European Banking Authority, European Central Bank, Austrian Financial Market Authority, financial authorities, etc.). This also entails disclosure to third countries if FATCA and CRS notifications are necessary.

With respect to data disclosure to other third parties, we would like to point out that Wiener Privatbank SE, as an Austrian credit institution, is obliged to maintain banking secrecy pursuant to sec. § 38 Banking Act (BWG) and thus obliged to keep confidential all customer-related information and facts that it is entrusted with or to which it gains access as a result of the business relationship. We are thus permitted to disclose your personal data only if you expressly release us from banking secrecy beforehand in writing or if we are obliged or authorised to disclose such data under statutory and/or prudential rules. In this connection, the recipients of personal data may be other credit and financial institutions or comparable institutions whom we transmit data to for purposes of our business relationship with you (depending on the contract, these may be correspondent banks, stock markets, depositary counts banks, credit bureaus, etc.).

How long is your data stored?

We process your personal data as necessary over the duration of the entire business relationship (from initiation, performance all the way to termination of the contract) and, over and beyond this, in accordance with the statutory retention and documentation duties arising out of the Commercial Code (UGB), der Fiscal Code (BAO), the Banking Act (BWG), the Financial Market Money Laundering Act (FM-GwG) and the Securities Supervision Act (WAG). This retention period also needs to take into account the statutory limitation periods, which, according to the General Civil Code, for example, may extend up to 30 years in certain cases (the general limitation period is 3 years).

Which data protection rights are you entitled to?

You have the right to access your stored date, the right to rectification, erasure or restriction of processing of your stored data, the right to object to the processing and a right to data portability in accordance with the requirements under data protection law.

If you are of the opinion that, in processing your data, we are in breach of Austrian or European data protection law, we ask you to contact us to allow us to resolve your concerns.

Furthermore, you may also address any complaints you may have to the competent data protection authority.

For Austria: Datenschutzbehörde, Wickenburggasse 8-10, 1080

Are you obliged to provide the data?                                             

Within the scope of the business relationship you are obliged to provide the personal data needed to take up and implement the business relationship and the data we are legally obliged to collect. Should you not provide this data to us, we will not be able to enter into the contract with you or to perform the contract or we will be obliged not to continue performing any existing contract and terminate such contract as a result. However, you are not obliged to consent to the processing of any data that is not relevant for the fulfilment of the contract or any data that is not required by the law and/or for prudential purposes.

Is the decision-making process automated and does it include any profiling?

We do not use any automated decision-making in accordance with Article 22 GDPR to decide whether to establish or implement a business relationship.

For loans and credit, a manual credit check (based on ratings) is carried out. Your master data (e.g. marital status, period of employment, etc.), information on your general financial circumstances (e.g. income, assets, monthly expenses, obligations, collateral, etc.) and your payment track record (e.g. proper credit repayment, reminders, information from credit bureaus) are used to assign a rating. If the default risk is too high, the credit application is rejected, an entry is made in the micro-credit records kept by KSV 1870, if so required, and an internal warning is put on file. Once a credit application is rejected, this information is available in the micro-credit records kept by KSV 1970 for a period of 6 months in accordance with the notice submitted by the data protection authority.

Amending this information sheet

Please note that we reserve the right to amend the information on data processing whenever there is need. You will always find the latest version of this information sheet on our website at

Information on data processing in accordance with sec. 21(5) Financial Market Money Laundering Act (FM-GwG)

The credit institution is obliged under the Financial Market Money Laundering Act (FM-GwG) and in line with its commitment to due diligence for the prevention of money laundering and terrorist financing to obtain and retain specific documents and information from persons whenever it establishes a business relationship or implements a transaction from time to time.

In accordance with the Financial Market Money Laundering Act (FM-GwG), the credit institution is obliged to establish and verify, among other things, the identity of customers, the beneficial owner of customers or any trustees of the customer, to evaluate the purpose pursued by customers and the type of business relationship sought by customers, to obtain and verify information on the origin of the funds used and to continuously monitor the business relationship and the transactions performed within the scope of this business relationship. In particular, the credit institution is obliged to retain copies of the documents and information received and required for the performance of the described due diligence and of the transaction documents and records required for the detection of transactions. The Financial Market Money Laundering Act (FM-GwG) grants the credit institution the legal authority, within the meaning of the Data Protection Act, to use the above-referenced data from customers to perform its due diligence with a view to preventing money laundering and terrorist financing, obligations to which the institution is legally bound and which serve the public interest. Data processing within the scope of the due diligence described above is based on the bank's legal obligation. Therefore, the bank cannot recognise the customer's objection to this data processing. The credit institution is obliged to delete all personal data processed and saved by it exclusively on the basis of the Financial Market Money Laundering Act (FM-GwG) for purposes of preventing money laundering and terrorist financing as soon as a 5-year retention period has expired, unless the provisions of other federal acts require otherwise or authorise a longer retention period or the Financial Market Authority has established longer retention periods by way of an ordinance. Personal data processed solely on the basis of the Financial Market Money Laundering Act (FM-GwG) for purposes of preventing money laundering and terrorist financing must not be processed in a manner that is incompatible with these purposes. This personal data may not be processed for other purposes, such as commercial purposes.