Privacy policy

Status: May 2018

We hereby inform you about the processing of your personal data and the data protection claims and rights to which you are entitled. The content and scope of the data processing depend to a large extent on which products and services you have applied for or agreed with us. For the purpose of clear information and presentation, this information sheet has been designed in the form of a question and answer catalogue.

Who is responsible for data processing and whom can you contact?

Responsible for data processing is:

VakıfBank International AG

Prinz-Eugen-Straße 8-10/8. OG/17

1040 Vienna

Phone: +43 1 512 35 20

Fax: +43 1 512 35 20 - 199

E-mail: datenschutz@vakifbank.de

Data Protection Officer

VakifBank International AG has appointed a Data Protection Officer who is available to answer any questions you may have regarding the processing of your personal data.

You can contact the data protection officer at the above address with the subject "Data protection" or by e-mail at datenschutz@vakifbank.de.

What data is processed and where does it come from?

We process personal data that we receive from our customers in the course of the business relationship. In addition, we process - to the extent necessary for the provision of our service - personal data that we have received from third parties (e.g. SCHUFA) in a permissible manner (e.g. for the execution of orders, for the performance of contracts or on the basis of consent given by you). Furthermore, we process personal data that we have permissibly obtained from publicly accessible sources (e.g. debtors' registers, land registers, commercial and association registers, press, media, Internet) and are allowed to process.

Personal data includes:

- Your personal data (first and last name, academic degree, address, contact data, date and place of birth, gender, nationality)

- Legitimation data (e.g. ID data) and authentication data (e.g. specimen signature)

- Order data (e.g. payment orders)

- Data from the fulfilment of our contractual obligations (e.g. turnover data in payment transactions, credit lines, product data [e.g. deposit, lending business])

- Information about your financial situation (e.g. creditworthiness data, scoring/rating data)

- Documentation data (e.g. advisory protocols)

- Data to fulfil legal and regulatory requirements (e.g. KYC information such as customer profile, documentation on the purpose and type of business relationship, proof of origin of funds, PEP check)

- Tax-relevant data (e.g. tax ID, information on church tax liability, FATCA status or CRS status)

- Image and sound data (e.g. video recordings)

- Information from your electronic communication with the bank (e.g. e-mails)

What do we process your data for (purpose of processing) and on what legal basis is this processing based?

We process the aforementioned personal data in accordance with the provisions of data protection law (including the General Data Protection Regulation, DSG 2018, etc.) for the following purposes:

1. Fulfilment of contractual obligations (Art 6 para 1b DSGVO)

The processing of personal data (Art. 4 No. 2 DSGVO) is carried out for the provision of banking transactions and financial services, in particular for the execution of our contracts with you and the execution of your orders, as well as for all activities necessary for the operation and administration of a credit and financial services institution.

The purposes of data processing depend primarily on the specific product (e.g. account, savings deposit, time deposit) and may include, among other things, advice, asset management and support as well as the execution of transactions.

The specific details on the purposes of data processing can be found in the contract documents and terms and conditions.

2. Fulfilment of legal obligations (Art. 6 para. 1c DSGVO)

Processing of personal data may be necessary for the purpose of fulfilling various legal obligations (e.g. under the Banking Act, Financial Market Money Laundering Act, etc.) as well as regulatory requirements (e.g. of the European Central Bank, the European Banking Authority, the Austrian Financial Market Authority, etc.) to which VakifBank International AG as an Austrian credit institution is subject. Examples for such cases are:

- Reports to the Money Laundering Reporting Office in certain suspicious cases (Section 16 FM-GwG);

- Provision of information to federal tax authorities pursuant to section 8 of the Account Register and Account Inspection Act.

3. Safeguarding legitimate interests (Art 6 para 1f DSGVO)

Where necessary, data may be processed beyond the actual performance of the contract in order to safeguard legitimate interests of us or third parties.

Examples of legitimate interest data processing include:

- Consultation of and data exchange with credit agencies (e.g. Austrian Credit Protection Association) to determine creditworthiness or default risks.

- Assertion of legal claims and defence in legal disputes

- Risk management and assessment in the Group

- Video surveillance for the collection of evidence in the case of robberies and fraud offences or for the proof of dispositions and deposits, e.g. at ATMs

- Measures to protect employees and customers as well as property of the bank;

- Measures to prevent and combat fraud (Fraud Transaction Monitoring);

4. Within the scope of your consent (Art 6 para 1a DSGVO)

If you have given us consent to process your personal data, processing will only take place in accordance with and within the scope of the purposes specified in the declaration of consent. Consent given can be revoked at any time with effect for the future.

Who receives your data?

Within VakifBank International AG, only those departments and employees will have access to your data that need it to fulfil contractual, legal and regulatory obligations.

In addition, processors commissioned by us receive your data insofar as they require the data to fulfil their respective service. These are companies in the categories of credit services, IT services, logistics, printing services, telecommunications and debt collection. All processors are contractually obliged to maintain banking secrecy and to maintain confidentiality about all facts of which they become aware, must treat your data confidentially and may only process your data within the framework of the provision of services.

Within the group of companies, your data may be forwarded for administrative reasons, for risk management due to legal or official obligations or because the processing of customer data is necessary.

With regard to the forwarding of data to recipients outside the bank, it should first be noted that according to the General Terms and Conditions agreed between you and us, we are obliged to maintain secrecy about all customer-related facts and evaluations of which we become aware (banking secrecy). We may only pass on information about you if this is required by law, if you have consented or if we are authorised to provide banking information. Under these conditions, recipients of personal data may be, for example:

- Public bodies and institutions (e.g. Deutsche Bundesbank, Bundesanstalt für Finanzdienstleistungsaufsicht, financial authorities) in the event of a legal or official obligation.

- Other credit and financial services institutions or comparable institutions to which we transfer personal data in order to carry out the business relationship with you.

Further data recipients may be those bodies for which you have given us your consent to transfer data or for which you have released us from banking secrecy in accordance with your consent.

Data is only transferred to countries outside the EU or the EEA (so-called third countries) if this is necessary for the execution of your orders (e.g. payment and securities orders), is required by law (e.g. reporting obligations under tax law), you have given us your consent or within the framework of commissioned data processing. In this case, recipients are bound by the agreement of the EU standard contractual clauses to comply with the level of data protection in Europe.

How long will your data be stored?

We process your personal data, insofar as necessary, for the duration of the entire business relationship (from the initiation and processing to the termination of a contract) and beyond that in accordance with the statutory retention and documentation obligations.

If the data are no longer required for the fulfilment of contractual or statutory obligations, they are regularly deleted, unless their - temporary - further processing is required for the following purposes:

- Fulfilment of retention periods under commercial and tax law: These include the German Commercial Code, the German Fiscal Code, the German Banking Act and the German Money Laundering Act. The retention and documentation periods specified there are two to ten years.

- Preservation of evidence within the framework of the statute of limitations: According to sections 195 et seq. of the German Civil Code (BGB), these limitation periods can be up to 30 years, with the regular limitation period being three years.

What data protection rights do you have?

The GDPR gives you the following rights as a data subject whose personal data is processed:

In accordance with Art. 15 DSGVO, you can request information about your personal data processed by us. In particular, you can request information about the processing purposes, the categories of personal data, the categories of recipients to whom your data has been or will be disclosed, the planned storage period, the existence of a right to rectification, erasure, restriction of processing or objection, the existence of a right of complaint, the origin of your data if it has not been collected by us, about a transfer to third countries or to international organisations, as well as about the existence of automated decision-making including profiling and, if applicable, meaningful information about its details.

In accordance with Art. 16 DSGVO, you can request the immediate correction of incorrect personal data, or the completion of your personal data, stored by us.

Pursuant to Art. 17 DSGVO, you may request the erasure of your personal data stored by us, unless the processing is necessary for the exercise of the right to freedom of expression and information, for compliance with a legal obligation, for reasons of public interest or for the assertion, exercise or defence of legal claims.

Pursuant to Article 18 of the GDPR, you may request the restriction of the processing of your personal data if you dispute the accuracy of the data, the processing is unlawful, we no longer need the data and you object to their deletion because you need them to assert, exercise or defend legal claims. You also have the right under Art. 18 DSGVO if you have objected to the processing in accordance with Art. 21 DSGVO.

Pursuant to Art. 20 DSGVO, you may request to receive your personal data that you have provided to us in a structured, commonly used and machine-readable format or you may request that it be transferred to another controller.

Pursuant to Art. 77 DSGVO, you have the right to complain to the competent data protection supervisory authority (State Commissioner for Data Protection and Freedom of Information Nordrhein-Westfalen, Postfach 20 04 44, 40102 Düsseldorf, Tel.: 0211/38424-0, Fax: 0211/38424-10, E-Mail: poststelle@ldi.nrw.de).

You may revoke your consent to the processing of personal data at any time in accordance with Article 7 (3) of the GDPR. This also applies to the revocation of declarations of consent given to us before the applicability of the General Data Protection Regulation, i.e. before 25 May 2018. Please note that the revocation only takes effect for the future. Processing that took place before the revocation is not affected.

Are you obliged to provide data?

Within the scope of our business relationship, you must provide those personal data that are necessary for the establishment and execution of a business relationship and the fulfilment of the associated contractual obligations or which we are legally obliged to collect. Without this data, we will usually have to refuse the conclusion of the contract or the execution of the order or will no longer be able to perform an existing contract and may have to terminate it.

In particular, we are obliged under money laundering regulations to identify you prior to the establishment of the business relationship, for example on the basis of your identity card, and to collect and record your name, place of birth, date of birth, nationality and residential address. In order for us to be able to comply with this legal obligation, you must provide us with the necessary information and documents in accordance with Section 4 (6) of the Money Laundering Act and notify us immediately of any changes that occur in the course of the business relationship. If you fail to provide us with the necessary information and documents, we may not enter into or continue the business relationship requested by you.

Is there any automated decision making including profiling?

We do not use automated decision-making pursuant to Art. 22 DSGVO to reach a decision on the establishment and implementation of the business relationship.

When a loan is granted, a credit assessment (credit scoring) is carried out. In this process, the default risk of credit applicants is assessed with the help of statistical comparison groups. The calculated score value is intended to enable a forecast of the probability with which an applied-for loan is likely to be repaid. To calculate this score value, your master data (e.g. marital status, number of children, length of employment, employer, etc.), information on your general financial circumstances (e.g. income, assets, monthly expenses, amount of liabilities, collateral, etc.) and payment history (e.g. proper loan repayments, reminders, data from credit agencies) are used. If the risk of default is too high, the credit application is rejected and, if necessary, an entry is made in the small loan record kept by KSV 1870 and an internal warning is issued. If a credit application is rejected, this is visible in the small loan record kept by KSV 1870 for 6 months in accordance with the decision of the data protection authority.

Privacy policy regarding the use of your personal data in relation to the use of our website

Cookie notice

To optimise our website offer, we use so-called "cookies". This information explains what cookies are, what they are used for and how you can adjust your cookie management settings.

What is a cookie?

Cookies are text files that can be stored on the hard drive of your device (e.g. computer, tablet and mobile phone) depending on the settings when you visit a website or click on an advertisement. Cookies are managed by your internet browser. Only the publisher of the cookies can read or adapt the information they contain.

Cookies are used to identify your device on which they are stored and are time limited.

What are the cookies on our website used for?

There are two different types of cookies that can be stored on your device when you visit our website. The purpose of these cookies is described below.

1. Technical cookies

Technical cookies are strictly necessary for visiting our website and accessing the various products and services. They are used to:

a) optimise the presentation of the website according to the display settings of your device (language used, screen resolution, operating system, etc.);

b) store certain information relating to forms you have completed on our website;

c) implement certain security measures.

These cookies are necessary in order to provide you, as a website visitor, with the expressly requested services. In the event that cookies are deactivated, you may experience difficulties in accessing the website you have requested.

2. Cookies to measure the volume of visitors

Visitor volume cookies are used by us and/or our technical service providers to measure the number of visitors accessing the various content and how you use the website. These cookies are also used to optimise the user-friendliness of the website. The information collected is only used to compile anonymous statistics, which at no time contain personal information about individual visitors.

For this purpose, we may use analysis tools from the following provider and the corresponding cookies: Google Analytics

Our website uses Google Analytics, a web analytics service provided by Google Inc, 1600 Amphitheatre Parkway, Mountain View, CA 94043, (www.google.de/analytics). Google Analytics uses cookies. On behalf of VakifBank, Google will use this information for the purpose of evaluating your use of the website, compiling reports on website activity and providing other services relating to website activity and internet usage to VakifBank.

Due to the activation of IP anonymisation on this website, the IP address is truncated by Google within member states of the European Union (EU) or in other contracting states to the Agreement on the European Economic Area and transmitted to a Google server in the USA and stored there. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and shortened there. In these cases, Google takes appropriate measures to ensure an equivalent level of data protection to that in the EU.

Your user data is stored on Google's server for a maximum of 26 months, after which it is automatically deleted.

You can find more information on how Google Analytics handles user data in Google's privacy policy: https://support.google.com/analytics/answer/6004245?hl=de