Information on Data Protection and Data Processing
The General Data Protection Regulation, GDPR for short, has been in force throughout the European Union since May 25, 2018. It contains regulations regarding the processing and the protection of your personal data.
This document provides you with the essential information regarding data protection in a summarized form.
1. Who is the data controller?
Intermarket Bank AG
Am Belvedere 1, 1100 Vienna
https://www.intermarket.at/en/legal-notice
Contact for requests related to data protection:
Intermarket Bank AG
Am Belvedere 1, 1100 Vienna
Email: datenschutz@intermarket.at
2. Who is the data protection officer?
Mag. Aaron Marquart
Intermarket Bank AG
Am Belvedere 1, 1100 Vienna
Email: datenschutz@intermarket.at
3. Which items of personal data are processed and where do they come from?
We process the following personal data:
3.1. You are our customer
Most of the personal data we process about you were provided by you, for example at the start of our business relationship, upon scheduling an appointment, when submitting a request through a form or on our website, etc.
- Master data and authentication information, e.g. name, address, date of birth, telephone number, email address, tax status, identification data, a copy of your ID, etc.
- Product, service and contract data, e.g. type of product, disposition options, account movements and transactions, use of digital banking and portals (cookies), etc.
- Information about your economic situation, e.g. creditworthiness/balance sheet data, scoring or rating data, etc.
- Processing results to fulfil contracts and declarations of consent
- Data to satisfy legal and regulatory requirements
- Image and sound data, e.g. video recordings, recordings of telephone calls and your photo (if you have given consent to your photo being recorded), etc.
In addition, data may also come from the following sources:
- Publicly available sources, e.g. companies register, land register, insolvency database, register of associations, etc.
- Creditor protection associations, credit bureaus, rating agencies, e.g. KSV1870 Information GmbH, etc.
- Third parties involved in our business dealings, e.g. insurance companies, cooperation partners, etc.
- Other institutions affiliated in the network of Erste Group Bank AG, Erste Bank and Sparkassen for the purpose of risk control and consolidation in the affiliation of credit institutions in accordance with the Banking Act (Bankwesengesetz, BWG) and the Capital Requirements Regulation (EU) No 575/2013
We may also receive data from government authorities or from persons acting under government mandate such as criminal courts, public prosecutors, court commissioners.
3.2. You are a contact person in our business relationship (e.g. board member / managing director, holder of a commercial power of attorney, accountant)
Most of the personal data we process about you were provided by our customer or by you, for example at the start of our business relationship, upon scheduling an appointment, when submitting a request through a form or on our website, etc.
- Master data and authentication information, e.g. name, address, date of birth, telephone number, email address, tax status, identification data, a copy of your ID, etc.
- Data to satisfy legal and regulatory requirements
- Image and sound data, e.g. video recordings, recordings of telephone calls and your photo (if you have given consent to your photo being recorded), etc.
In addition, data may also come from the following sources:
- Publicly available sources, e.g. companies register, land register, insolvency database, register of associations, etc.
- Other institutions affiliated in the network of Erste Group Bank AG, Erste Bank and Sparkassen for the purpose of risk control and consolidation in the affiliation of credit institutions in accordance with the Banking Act (Bankwesengesetz, BWG) and the Capital Requirements Regulation (EU) No 575/2013
We may also receive data from government authorities or from persons acting under government mandate such as criminal courts, public prosecutors, court commissioners.
3.3. You have provided collateral for our business relationship
Most of the personal data we process about you were provided by our customer or by you, for example at the start of our business relationship, upon scheduling an appointment, when submitting a request through a form or on our website, etc.
- Master data and authentication information, e.g. name, address, date of birth, telephone number, email address, tax status, identification data, a copy of your ID, etc.
- IInformation about your financial situation, e.g. creditworthiness/balance sheet data, scoring or rating data, etc.
- Processing results to fulfil contracts and declarations of consent
- Data to satisfy legal and regulatory requirements
- Image and sound data, e.g. video recordings, recordings of telephone calls and your photo (if you have given consent to your photo being recorded), etc.
In addition, data may also come from the following sources:
- Publicly available sources, e.g. companies register, land register, insolvency database, register of associations, etc.
- Creditor protection associations, credit bureaus, rating agencies, e.g. KSV1870 Information GmbH, etc.
- Other institutions affiliated in the network of Erste Group Bank AG, Erste Bank and Sparkassen for the purpose of risk control and consolidation in the affiliation of credit institutions in accordance with the Banking Act (Bankwesengesetz, BWG) and the Capital Requirements Regulation (EU) No 575/2013
3.4. You are a debtor (= party liable to pay) for our factoring customer’s accounts receivable
We may process the following personal data about your company or other representatives/contact persons:
- Master data and authentication information, e.g. name, address, date of birth, telephone number, email address, tax status, identification data, a copy of your ID, etc.
- Transaction data, e.g. terms of delivery and payment, invoice data, payment information, etc.
- Information about your financial situation, e.g. creditworthiness/balance sheet data, scoring or rating data, etc.
- Processing results to fulfil contracts and declarations of consent
- Data to satisfy legal and regulatory requirements
- Image and sound data, e.g. video recordings, recordings of telephone calls and your photo (if you have given consent to your photo being recorded), etc.
The personal data we process about you may come from the following sources:
- Our customer, e.g. transmission of receivables ledger files, invoices, etc.
- Disclosure by you (e.g. correspondence, telephone call)
- Publicly available sources, e.g. companies register, land register, insolvency database, register of associations, etc.
- Creditor protection associations, credit bureaus, rating agencies, e.g. KSV1870 Information GmbH, etc.
- Third parties involved in our business dealings, e.g. insurance companies, etc.
- Other institutions affiliated in the network of Erste Group Bank AG, Erste Bank and Sparkassen for the purpose of risk control and consolidation in the affiliation of credit institutions in accordance with the Banking Act (Bankwesengesetz, BWG) and the Capital Requirements Regulation (EU) No 575/2013
We may also receive data from government authorities or from persons acting under government mandate such as criminal courts, public prosecutors, court commissioners.
3.5. You have no direct business relationship with us (and have given consent to data processing)
Most of the personal data we process about you were provided by you, for example when submitting a request through a form or on our website, as a recipient of our newsletter or event invitations, etc.
- Master data, e.g. name (company/individual), address, telephone number, email address, etc.
- Image and sound data, e.g. video recordings, recordings of telephone calls and your photo (if you have given consent to your photo being recorded), etc.
4. For what purposes and on what legal basis are my personal data processed?
We are a credit institution pursuant to section 1 (1) of the Banking Act (Bankwesengesetz, BWG) and a financial institution pursuant to point (26) of Article 4 (1) of Regulation (EU) No 575/2013. We process your personal data within the scope of these activities. Specifically, this means:
Processing for the performance of a contract
Depending on the type of contract concluded with our partners, we are allowed to provide certain services to them. The contract in question may be, for example, a factoring agreement, an e-discounting agreement, a cooperation agreement, etc.
The purposes of data processing depend mainly on the specific product and may include, among other things, needs assessment, consulting and the execution of transactions. For more details, please refer to your contract documents and our terms and conditions.
Processing for compliance with a legal obligation
We are also required to process your personal data to comply with legal regulations and to fulfil legal purposes, such as:
- Credit risk management: Banking Act (Bankwesengesetz, BWG), Capital Requirements Directive (EU) No 575/2013
- Monitoring of insider dealing, conflicts of interest and market manipulation: Securities Supervision Act 2018 (Wertpapieraufsichtsgesetz, WAG), Stock Exchange Act (Börsegesetz, BörseG), Market Abuse Regulation (EU) No 596/2014
- Identification, transaction monitoring, suspicious activity reports: Financial Markets Anti-Money Laundering Act (Finanzmarkt-Geldwäschegesetz, FM-GwG) and Funds Transfer Regulation (EU) No 847/2015
- Provision of information to public prosecutor’s offices and courts in criminal proceedings and to financial crime authorities in connection with wilful financial crimes:
Banking Act, Code of Criminal Procedure (Strafprozessordnung, StPO), Financial Crime Act (Finanzstrafgesetz, FinStrG)
Processing based on legitimate interests
We or third parties have a legitimate interest in the processing of data in the following cases:
- Enquiries and data exchange with credit bureaus, such as KSV1870, to determine credit risks and default risksEnquiries and data exchange with credit bureaus, such as KSV1870, to determine credit risks and default risks
- Measures to prevent and combat fraud, fraud transaction monitoring
- Data processing for prosecution purposes
- Recordings of telephone conversations, e.g. in the case of complaints
- The processing of personal data for direct marketing purposes may also be a legitimate interest.
Processing based on consent
If there is neither a contract nor a legal obligation nor a legitimate interest, the processing of data may still be legitimate in cases where you have given your consent or approval to processing.
The scope and content of such data processing always depend on the specific consent given. Please note that you can withdraw your consent at any time.
However, the withdrawal of consent does not affect the lawfulness of processing based on such consent before its withdrawal. Generally speaking, this means that withdrawal does not have any effect on the past.
5. Am I obliged to provide my personal data? What happens if I don’t want to do so?
In many cases, we need your personal data for the purpose of our business relationship.
If we are unable to check your creditworthiness or your identity, we are forbidden by law to establish a business relationship with you.
We have to process your personal data wherever this is necessary for the purpose of the business relationship on the basis of a contract or a legal regulation. If you want to avoid this, we may unfortunately not be allowed to provide or offer certain products or services.
If we are only allowed to process your data based on your consent, you are not obliged to give such consent and provide your data.
6. Do you use decision-making based on automated processing - e.g. profiling?
We do not use automated decision-making as referred to in Article 22 of the GDPR to make decisions on establishing and maintaining business relationships.
7. To whom are my personal data transferred?
Your personal data may be transmitted to:
- Credit institutions, departments and persons (employees and vicarious agents) within the network of Sparkassen, Erste Bank and Erste Group Bank AG who need these data to perform contractual, legal or supervisory duties and to safeguard their legitimate interests
- Public bodies and institutions if we are legally obliged to do so, e.g. European Banking Authority, European Central Bank, Austrian Financial Market Authority, financial authorities, etc.
- Third parties contracted by us, e.g. for IT and back office services, as well as bank auditors if they need such data for their task; third parties are bound by contract to treat your data confidentially and to process them only in the context of providing their service
- Third parties if this is required to perform the contract or to comply with legal regulations, e.g. the recipient of a bank transfer and their payment service provider.
We may also transfer your data to other third parties if you have given your consent to such a transfer.
8. Are my personal data transferred to a third country?
Our processors may work with sub- processors in third countries, e.g. in India. These sub-processors are required to comply with Austrian standards of data protection and security.
9. How long are my personal data stored?
Your personal data are stored for at least as long as it is necessary to fulfil the relevant purposes. Beyond this period, the law prescribes for how long we have to retain your data. These retention requirements may continue to apply even if you are no longer our customer.
An overview of the statutory retention periods applicable in Austria is available here, for example (in German): Austrian Economic Chambers
https://www.wko.at/service/wirtschaftsrecht-gewerberecht/eu-dsgvo-speicher-und-aufbewahrungsfristen.html
10. What rights do I have?
The GDPR provides the following rights with regard to your personal data. You have the right to:
- access according to Article 15 of the GDPR,
- rectification according to Article 16 of the GDPR,
- erasure according to Article 17 of the GDPR,
- restriction of processing according to Article 18 of the GDPR,
- data portability according to Article 20 of the GDPR,
- object according to Article 21 of the GDPR,
- decisions that are not based solely on automated processing, including profiling, according to Article 22 of the GDPR.
No matter which right you want to assert, you can send us your request in one of two ways:
- by letter, personally signed and accompanied by a copy of your ID, sent to
Intermarket Bank AG
c/o data protection officer
Am Belevedere 1, 1100 Vienna - by email, with a qualified electronic signature, sent to datenschutz@intermarket.at
Please understand that in case of doubt, we may ask for further information on your identity. This is also for your own protection to ensure that only authorised persons have access to your data.
If you do not receive a timely answer to a request or if you feel that we have not handled your request in a lawful manner or if you consider that your right to data protection has been infringed, you may also lodge a complaint with the competent supervisory authority:
Austrian Data Protection Authority
Wickenburggasse 8, 1080 Vienna
Telephone: +43 1/52 152-0
Email: dsb@dsb.gv.at
https://www.dsb.gv.at