Information on data processing.

Responsible for data processing is the:

Bank Gutmann Aktiengesellschaft
1010 Vienna, Schwarzenbergplatz 16
Phone: +43-1-502 20-0, mail@gutmann.at

You can contact our data protection officer by post at the above address or by e-mail at: datenschutz@gutmann.at

We process personal data that we receive from you in the course of entering into and maintaining the business relationship or with your consent  . We also process data that we legitimately receive from publicly accessible sources (e.g. company register, register of associations, land register), from courts, authorities and other public bodies (e.g. public prosecutor's office, custody and criminal courts, tax authorities, court commissioner) and from group companies.
Personal data includes your personal details (e.g. name, address, contact details, date and place of birth, nationality, etc.), identification data (e.g. ID card data) and authentication data (e.g. specimen signature). In addition, this may also include order data (e.g. payment orders), data from the fulfillment of our contractual obligations (e.g. turnover data in payment transactions), documentation data (e.g. consultation protocols), image and sound data (e.g. video or telephone recordings), register data, data for customer relationship management (e.g. interests), information from your electronic traffic with us (e.g. cookies), processing results that we generate ourselves and data to fulfill legal and regulatory requirements.

We process your personal data in accordance with the provisions of the GDPR and the Data Protection Act:
for the fulfillment of contractual obligations:
The processing of personal data is carried out for the provision of banking transactions and financial services, in particular for the fulfillment of our contracts with you and the execution of your orders, for the implementation of pre-contractual measures and all activities required for the operation and administration of a credit and financial services institution.
The purposes of data processing depend primarily on the specific product (e.g. account, loan, securities, deposits) and may include needs analyses, advice, asset management and support as well as the execution of transactions.
The specific details on the purpose of data processing can be found in the respective contract documents and terms and conditions.
to fulfill legal obligations:
The processing of personal data may be necessary for the purpose of fulfilling various legal obligations (e.g. from the Banking Act - BWG, Financial Markets Money Laundering Act - FM-GwG, Securities Supervision Act 2018 - WAG 2018, Stock Exchange Act 2018, etc.) and regulatory requirements (e.g. the European Banking Authority, the Austrian Financial Market Authority, etc.).
Examples of such cases are
- Recording of telephone conversations and electronic communication in securities transactions in accordance with WAG 2018;
- Identification, transaction monitoring, reporting to the Money Laundering Reporting Office in certain suspicious cases in accordance with the FM-GwG;
- Monitoring of transactions to monitor market abuse regulations, provision of information to the Austrian Financial Market Authority in accordance with the WAG 2018 and the Stock Exchange Act 2018;
- Provision of information to federal tax authorities in accordance with the Account Register and Account Inspection Act   ;
- Providing information to public prosecutors and courts in criminal proceedings and to financial criminal authorities in financial criminal proceedings for intentional financial offenses;
- Notification of a design in accordance with the EU Notification Obligations Act, provided that a corresponding exemption from the confidentiality obligation has been granted;
- Data transfer to the deposit protection scheme.

for the protection of legitimate interests:
Where necessary, data may be processed beyond the actual fulfillment of the contract to protect our legitimate interests or those of third parties in the context of balancing interests in favor of the bank or a third party. In the following cases  , data processing is carried out to protect legitimate interests: 
- Testing and optimization of procedures for needs analysis and direct customer contact;
- Measures for business management and further development of services and products;
- Advertising and market and opinion research, unless you have objected to the use of your data in accordance with Article 21 GDPR;
- Measures to prevent and combat fraud, to combat money laundering, terrorist financing and to prevent and investigate criminal offenses;
- Certain telephone recordings (e.g. in the event of complaints);
- Measures to protect customers, employees and property (e.g. video surveillance);
- Ensuring IT security and digital operational resilience;
- Assertion, exercise or defense of legal claims in the context of legal prosecution.

within the scope of your consent:
If you have given us your consent to process your personal data, processing will only take place in accordance with the purposes and to the extent specified in the declaration of consent. Any consent given can be revoked at any time with effect for the future (e.g. you can object to the processing of your personal data for marketing and advertising purposes if you no longer consent to processing in the future).

Within the Gutmann Group, those companies, departments and employees receive your data that need it to fulfill contractual, legal and regulatory obligations as well as legitimate interests. In addition, processors commissioned by us (in particular service providers for IT, back office and service line) will receive your data if they require the data to provide their respective services. All processors are contractually obliged in accordance with the GDPR to treat your data confidentially and to process it only in the context of providing the service.
With regard to the disclosure of data to other third parties, we would like to point out that we are obliged to comply with banking secrecy in accordance with Section 38 of the Austrian Banking Act and are therefore obliged to maintain confidentiality regarding all customer-related information and facts that have been entrusted to us or made accessible to us as a result of the business relationship. We may therefore only pass on your personal data if you have expressly released us from banking secrecy in writing in advance or if we are obliged or authorized to do so by law or under supervisory law. Recipients of personal data in this context may be other credit and financial institutions or comparable institutions to which we transfer data in order to conduct the business relationship with you (depending on the contract, these may be, for example, correspondent banks, stock exchanges, custodian banks, companies affiliated with the bank, etc.). 
If there is a legal or regulatory obligation, public bodies and institutions   (e.g. European Banking Authority, Austrian Financial Market Authority, tax authorities, etc  .) may be recipients of your personal data.

Data will only be transferred to countries outside the EU or the EEA if this is necessary for the execution of your orders (e.g. transfer to a third country) or is required by law,  you have given us your express consent or as part of commissioned data processing. Any data transfer to third countries takes place exclusively within the framework of the provisions of Article 44 et seq. of the GDPR.
If processors are used in a third country, they are obliged to comply with the level of data protection in accordance with the GDPR on the basis of written instructions and suitable agreements in accordance with the GDPR (in particular EU standard contractual clauses).

We process your personal data, if necessary, for the duration of the entire business relationship (from the initiation, processing to the termination of a contract) and beyond in accordance with the statutory retention and documentation obligations   , which result from the BWG, the FM-GwG, the WAG 2018, the Zahlungsdienstegesetz 2018, the Unternehmensgesetzbuch, the Bundesabgabenordnung and the Gemeinsamer Meldestandard-Gesetz, among others. For example, data required under the FM-GwG must be retained for a period of 10 years from the end of the business relationship.
In addition, the statutory limitation periods, which can be up to 30 years in certain cases (the general limitation period is three years) according to the German Civil Code, for example, must be taken into account when determining the storage period.

In accordance with the provisions of Articles 12 to 22 GDPR, you have the right to information, correction, deletion or restriction of the processing of your stored data, a right to object to the processing and a right to data portability in accordance with the requirements of data protection law. You can address complaints to the Austrian Data Protection Authority at dsb@dsb.gv.at

As part of the business relationship, you must provide the personal data that is required for the establishment and execution of the business relationship and that we are legally obliged to collect. If you do not provide us with this data, we will generally have to refuse to conclude the contract or execute the order or will no longer be able to perform an existing contract and will therefore have to terminate it. However, you are not obliged to give your consent to data processing with regard to data that is not relevant for the fulfillment of the contract or that is not required by law and/or regulation.

As a matter of principle, we do not use automated decision-making to establish and conduct a business relationship. Should we use such a procedure in individual cases, you will be informed separately in advance.

Our website uses several cookies. A cookie is a small text file that is stored on your computer or mobile device when you visit a website. When you visit the Bank Gutmann website, you will be asked to accept or reject cookies. You can configure your web browser so that it refuses to accept certain or all cookies. However, we would like to point out that in this case you may not be able to use all the functions of our website to their full extent.
We use three types of cookies:
- Saving the visitor settings
- Guarantee of the operational readiness of the website
- Collection of analysis data (about user behavior)

Every access to the content of our website is logged. We store this access data for operational purposes, for IT security purposes, for error analysis and for usage statistics. In any case, we log the requesting IP address and port, the user agent string of your browser, the date and time of access, the name of the retrieved file, the amount of data transferred, the referrer URL if available and (after successful login) your login name.
Online reporting also logs all successful and failed login attempts as well as all parameters of your query, such as account numbers and securities account numbers.
The website www.gutmann.at also uses PiwikPRO, a software program for the statistical analysis of user access. A cookie is used for this purpose. The information generated by this about the use of www.gutmann.at is stored on our server in Vienna, Austria. The IP address is anonymized immediately after processing and before it is stored. If you decide against tracking when accessing the Bank Gutmann website, your data will not be collected. 
The data is collected by us exclusively to optimize the website and to analyze user behavior and includes, among other things, the website accessed, the website from which the user accessed the website (referrer), the time spent on the website and the frequency with which the website is accessed. We expressly point out that we do not sell your data to third parties or market it in any other way.

As part of our due diligence obligations to prevent money laundering and terrorist financing, we are obliged by the FM-GwG to obtain and retain certain documents and information from persons when establishing the business relationship or on the occasion of an occasional transaction. This data, which is processed exclusively on the basis of the FM-GwG for the purposes of preventing money laundering and terrorist financing, may not be further processed in a way that is incompatible with these purposes. This personal data may not be processed for other purposes, such as for commercial purposes.
In accordance with the FM-GwG, we must, among other things, determine and verify the identity of the customer, the beneficial owners of the customer or any fiduciaries of the customer, assess the purpose pursued by the customer and the type of business relationship sought by the customer, obtain and verify information on the origin of the funds used, and continuously monitor the business relationship and the transactions carried out within its framework. In particular, we must retain copies of the documents and information received that are necessary for the fulfillment of the due diligence obligations described and the transaction documents and records that are necessary for the identification of transactions.
The data processing within the scope of the described due diligence obligations is based on a legal obligation. We are therefore not permitted to observe any objection by the customer to this data processing.
We must delete all personal data that we process or store exclusively on the basis of the FM-GwG for the purposes of preventing money laundering and terrorist financing after a retention period of 10 years, unless provisions of other federal laws require or authorize a longer retention period or the Austrian Financial Market Authority has specified longer retention periods by regulation.