Information on data processing according to Article 13 and 14
We hereby inform you about the processing of your personal data and your data protection claims and rights. The content and scope of the data processing depends largely on the products and services you have requested or agreed with you.
Who is the responsible data controller and who may you approach?
The responsible data controller is:
Raiffeisen Kapitalanlage-Gesellschaft m.b.H. (hereinafter the “Company“ or “Raiffeisen KAG“)
+43 1 71170-0
The Data Protection Officer is:
Data Protection Officer
Am Stadtpark 9, 1030 Vienna
+43 1 71707-8603
Which data are processed and from which source do they originate?
Data that you communicate to us:
We process those personal data which we receive from you in the framework of the account relationship or for which you have given your consent for processing. In addition, we process data that has been legitimately obtained from publicly available sources (such as company register, association register, land register or media) or that is legitimately submitted to us by other companies affiliated with the bank. In addition, we process data (tracking data) that occurs when you visit our website. We collect these automatically and usually either based on your input or via cookies.
Relevant personal data may include: your particulars and contact data (such as family name, address, date of birth and place of birth, nationality, etc.) or data relating to your ID or travel documents (such as a specimen of your signature, ID data). In addition, this may include payment and clearing data (for example, payment orders, sales data in payment transactions). Data on marketing and sales, image and/or audio recordings (e.g. video recordings, telephone recordings), electronic log and identification data (apps, cookies, etc.) or AML (Anti-Money Laundering) and compliance data as well as other data equivalent to the above categories.
For which purposes and on which legal basis are the data processed?
We process your personal data in accordance with the provisions laid down in the European General Data Protection Regulation (EU GDPR) and the Data Protection Act 2018.
• to perform contractual obligations (Article 6 (1) lit b GDPR)
The purpose of processing personal data (Article 4 (2) GDPR) is to manage capital investment funds within the framework of the 2011 Austrian Investment Fund Act (Investmentfondsgesetz 2011, InvFG) (investment business according to Section 1 (1) line 13 of the Austrian Banking Act (Bankwesengesetz, BWG)); to manage alternative investment funds (AIF) under the Austrian Alternative Investment Fund Managers Act (AIFMG) in connection with Section 3 (2) line 31 InvFG (Section 4 (1) AIFMG); to provide investment advice with regard to financial instruments (Section 5 (2) line 4 lit a InvFG 2011); to manage individual portfolios (Section 5 (2) line 3 InvFG 2011); to manage independent assets and all transactions tied to the management of capital investment funds, especially the performance of our contracts with you, the execution of your instructions, and the performance of pre-contractual measures.
The purpose of data processing is primarily limited to the specific product (e.g. capital investment fund [UCITS, AIF], brokerage) and may encompass portfolio management, portfolio support, consultation and marketing.
The specific details relating to the purpose limitation of data processing addressed here are specified in the individual contractual documentation and terms and conditions (where applicable).
• to fulfil legal obligations (Article 6 (1) lit c GDPR)
The processing of personal data may also be required for the purpose of fulfilling various legal requirements (such as under the Austrian Banking Act, the Act on Financial Markets Money Laundering, the Austrian Securities Supervision Act, the Austrian Investment Fund Act, the Alternative Investment Fund Manager Act, etc.) as well as on the basis of regulatory stipulations (e.g. by the European Central Bank, the European banking regulator, the Austrian Financial Market Authority, etc.) which govern Raiffeisen KAG as an Austrian credit institution. Examples of these include:
• suspicious activity reports to the Austrian Financial Intelligence Unit (Section 16 of the Financial Markets Anti-Money Laundering Act (FM-GwG))
• providing information to the FMA in accordance with the Securities Supervision Act (WAG)
• providing information to financial crime authorities within the framework of financial criminal proceedings for intentionally-committed financial crimes
• evaluation and control of risks
• within the framework of your consent (Article 6 (1) lit. a GDPR)
If you consented to our processing your personal data subject to a purpose limitation (e.g. forwarding data to the recipients named in the consent, subscription of newsletter), your data will be processed only in accordance with the purposes established in the declaration of consent and subject to the scope agreed therein. Any consent issued may be withdrawn anytime with future effect.
• to preserve legitimate interests (Article 6 (1) lit f GDPR) generally
Where required, data processing may be pursued in consideration of interests that benefit Raiffeisen KAG or third parties in order to preserve legitimate interests. The following cases constitute data processing that is required to preserve legitimate interests. Examples of these include:
• the review and optimization of processes to analyze requirements as well as the direct approach of customers
• certain telephone recordings (telephone conversations regarding fund management)
• measures to control business transactions and to improve services and products
• measures to protect customers and employees and the Company’s property
• measures to prevent and to combat fraud (Fraud Transaction Monitoring), to combat money laundering, the financing of terrorism and crimes that expose assets to risks
• data processing for the purpose of prosecution
• the enforcement of legal claims and the defense in the event of legal disputes
• guaranteeing IT security and IT operation of the Company
• preventing and solving criminal offences
• to preserve legitimate interests (Article 6 (1) lit f GDPR) in the marketing of our services
The analysis of data processed at the Company for the purpose of
• providing or transmitting individual information and offers of the company to you;
• developing services and products which target your specific interests and life situations; and
• improving the user experience of their service facilities like apps and more;
is based on our legitimate interest in the marketing of our services. Data will only be analyzed for this purpose until you object to it.
The following data which the company autonomously collected or which you transmitted to the Company, will be analyzed for this:
Personal data / master data
Gender, title, family name, date of birth, country of birth, nationality, marital status, tax status, vocational training, profession, employer, proof of identity e.g. driver’s license data, income data, address and other contact data e.g. telephone number or e-mail address and postal address, GPS information, securities risk class according to investor profile, living situation as in renter or owner of an apartment or house, family relationships (excluding the personal data of these data subjects), number of persons living in the same household, information disclosed during a consultation e.g. hobbies and interests or planned purchases and car, household invoices, internal rating categories like the analysis of income and expenses situation and asset and liabilities situation by the Company.
Data from services, website and communication (also refer to “additional information for using our website”)
Data for the use of electronic services and Internet pages; functionalities of the Internet pages and apps and e-mail messages between yourself and the Company; information about reputable Internet sites or content and prompted links inclusive of third-party websites; information about response times to content or download errors and the period of use of Internet sites and information on the use of and about the subscription to Company newsletters. This information will be recorded using automated technology like cookies or via web tracking (recording and analyzing the surfing behavior) on the website and using third-party service providers or software (for example, Google Analytics).
Data on user-generated content (also refer to “additional information for using our website”)
Information uploaded to Internet sites or apps of the Company, such as comments or personal posts and photos or videos or similarly.
Who receives my data?
Within the Company, those offices or employees will receive your data who require them to fulfill contractual, legal and/or regulatory obligations and legitimate interests. Moreover, commissioned data processors under contract will receive your data (especially IT and back-office service providers) only if these data are required for them to perform their respective service. All data processors are bound by contract to treat your data confidentially and to process them exclusively in the context of their service delivery performance.
If a legal or regulatory obligation applies, public agencies and institutions (European Banking Supervisors, European Central Bank, Austrian National Bank, Austrian Financial Market Supervisory Authority, financial authorities, etc.) and our bank’s auditor and annual auditors may be the recipients of your personal data.
With regard to forwarding data to other third parties we wish to point out that the Company, as an Austrian credit institution, is obliged to observe banking secrecy obligations pursuant to Section 38 BWG and therefore is obliged to maintain secrecy on all customer-related information and facts which were entrusted to us or made accessible to us by virtue of the account relationship. We therefore may only forward your personal data if you explicitly released us in writing and in advance from the banking secrecy obligation or if we are obliged or authorized by law or due to regulatory provisions to do so. The recipients of personal data in this context may include other credit institutions or financial institutions or similar establishments. We transfer data which we require from you for the performance of the account relationship. Depending on the individual agreement, these recipients may include, for example, correspondent banks, stock exchanges, custodian banks or other undertakings affiliated with the Company (by virtue of official or statutory obligation).
Additional data recipients may include those departments for which you issued the respective consent to us (consent to the processing of data, exemption from banking secrecy obligation).
What is the storage period for my data?
We process your personal data, insofar as is necessary, for the duration of the entire account relationship (from initiation to processing until termination of a contract) and, beyond this, according to statutory retention and documentation obligations as stipulated, among others, by the Austrian Business Code (UGB), the Austrian Federal Fiscal Code (BAO), the Austrian Banking Act (BWG), the Austrian Financial Markets Anti-Money Laundering Act (FM-GwG), the Austrian Investment Fund Act and the Austrian Securities Supervision Act (WAG).
Moreover, the storage period must take into consideration the statutory periods of limitation which, according to the Austrian Civil Code (Allgemeines Bürgerliches Gesetzbuch, ABGB) may be up to 30 years in certain cases (the most commonly referred to period of limitation in practice is 3 years).
Which data protection rights do I have?
You have the right of access to your information, the right to rectification, the right to erasure or the right to restrict the processing of your personal data, the right to object to the processing as well as the right to data portability in accordance with the requirements stipulated under data protection laws. Complaints may be lodged with the Austrian Data Protection Authority, Wickenburggasse 8, 1080 Vienna, www.dsb.gv.at.
Am I obliged to provide data?
Within the context of the account relationship you must provide such personal data as is necessary for the account relationship to commence and to be performed, the collection of which we are obliged to pursue by law. If you do not provide said data to us, we will reject the formation of the contract or the performance of the contract in general, or will no longer be able to perform the existing contract and consequently, will have to terminate it. However, you are not obliged to issue your consent to the processing of data which are irrelevant or not required by law or regulatory provisions in relation to the fulfilment of the contract.
Is there any automated decision-making?
To substantiate and perform the account relationship, we do not use fully-automated decision-making methods in principle as laid down in Article 22 GDPR. Should we apply these methods in the individual case, we will inform you separately of this, provided this is required by law.
Necessary Cookies: Cookies, which are necessary for the basic functions of the website, are used by us because of contract performance obligations.
Functional Cookies: Cookies, which allow us to analyze the use of the website, are used by us on the basis of legitimate interest.
Some Cookies are saved on your terminal until you delete them. They enable us to recognize your browser the next time you visit us. Most of the Cookies we use are deleted after your visit on our website (so called Session Cookies). Cookies can be blocked, deactivated or deleted. Therefore, a variety of different tools are available (including browser controls and settings). You can find information hereto in the “help area” of the web browser you use. If all Cookies used by us are deactivated, upon others the display of the website may be limited.
b) Google Analytics
On our behalf Google will use this information, to evaluate the use of the website, to create reports about the website activities and to provide us with other services related to the use of the website and the internet. You can prevent the general storage of Cookies by adjusting your browser software accordingly. However we point out that in this case you may not be able to use all functions of this website to their full extent. You can also prevent Google from collecting your data in connection with Google Analytics by downloading and installing the browser plug-in available under the following link: http://tools.google.com/dlpage/gaoptout?hl=de
You have the option to subscribe to our newsletter through our website. For this, we require your e-mail address and your declaration that you consent to the subscription of the newsletter. The consent to the processing of data and forwarding of electronic mail can be withdrawn anytime without having to meet specific formal requirements by using the unsubscribe link forwarded to you by e-mail. You may request the above link by letter sent to Raiffeisen Kapitalanlage-Gesellschaft m.b.H., Mooslackengasse 12, 1190 Vienna, or by e-mail sent to email@example.com. Your withdrawal does not affect the lawfulness of any data processing and data forwarding carried out by virtue of a consent that was issued prior to the receipt of said withdrawal. Immediately after we will erase your data tied to the forwarding of the newsletter.
d) My portfolio, consultant web
Certain areas of the website are available to registered users only. By sending the online registration form you confirm that the data that you provided is complete and correct or that you answered the questions asked in the form truthfully. The password-protected online access is only available to our institutional clients, portfolio management clients or consultants of the Raiffeisen Banking Group. You must request your access separately through our homepage or your personal advisor.
You may cancel the online access anytime. To do so, please send your cancellation to the following e-mail address: firstname.lastname@example.org, or by letter sent to Raiffeisen Kapitalanlage-Gesellschaft m.b.H., Mooslackengasse 12, 1190 Vienna. Your withdrawal does not affect the lawfulness of any data processing and data forwarding carried out by virtue of a consent that was issued prior to the receipt of said withdrawal. Immediately after we will erase your data tied to logging on to our homepage.
e) Contact form
On our website there is contact form. If you use this, you can enter information about yourself (gender, title, name), your company (company, function), your accessibility (telephone number, e-mail address), as well as the type of interest or details of your concern. Please send your cancellation to the following e-mail address: email@example.com or by letter to Raiffeisen Kapitalanlage-Gesellschaft m.b.H., Mooslackengasse 12, 1190 Vienna. The revocation does not affect the legality of the data processing and transfer on the basis of the consent until revocation. We will immediately delete your data in connection with the request, unless other retention periods apply.
f) Google Maps
On our website we use the service Google Maps API. This service is a service of Google, Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. By integrating the service on our website, at least the following data are transmitted to Google, Inc.: IP address, time of visit of the website, screen resolution of the visitor, URL of the website (referrer), the identification of the browser (user agent) and search terms. The data transfer is independent of whether you have a Google account that you are logged in or whether you do not have a Google user account. If you are logged in, the data will be assigned with your account. If you do not wish assignment to your profile, you must log out before activating the button. Google, Inc. stores this data as usage profiles and uses them for the purposes of advertising, market research and/or demand-oriented design of its website. You have the right to object to the creation of these user profiles, whereby you must contact Google Inc. to exercise this right. For more information about the purpose and scope of data collection and processing by Google, Inc., please contact www.google.at/intl/de/policies/privacy/. We do not process the affected data.
g) Record on the webserver
Every time a user accesses our website and every time a file is retrieved or attempted to be retrieved from the server, data about this process is stored in a log file. For us it is not directly recognizable, which user called upon which data. We also do not try to collect this information. This would only be possible in legally regulated cases and with the help of third parties (e.g. Internet service providers). In detail, the following data record is stored for each retrieval: The IP address, the name of the downloaded file, the date and time of the download, the amount of data transferred, the message as to whether the download was successful and the message as to why a download may have failed, the name of your Internet service provider, if applicable the operating system, the browser software of your computer and the website from which you are visiting us.
The legal basis for the processing of personal data is our legitimate interest (in accordance with Art 6 (1) (f) GDPR). This is to detect, prevent and investigate attacks on our website. In addition, we process your personal data in special cases on the basis of the legitimate interests of us or legitimated third parties for legal proceedings or on behalf of legally authorized authorities or courts.
We generally store data for a period of three months to guarantee the security of our homepage. A longer storage only takes place as far as this is necessary to investigate determined attacks on our website or to pursue legal claims.
For the above-mentioned purposes, we have your personal data processed by the following service providers: Raiffeisen Informatik GmbH, Raiffeisen e-force GmbH, RBI Group IT GmbH.