Data Protection and Privacy

Trust is important, especially when it comes to your personal data. That is why we see it as our obligation to exercise the utmost care in the handling of your personal data and to do everything we can to protect your information from misuse.

FactorBank AG adheres strictly to data protection laws in the collection and processing of your data. The following information explains in detail which data is collected when you visit our website and how we use this data.

This Privacy Policy applies to the websites of FactorBank (*, where the asterisk stands for a readable string). Individual pages may contain links to other providers within and outside the UniCredit Group, to which the privacy policy does not extend; meaning that we cannot assume any liability for this content

Contact us

1. Who is responsible for data processing and whom can you contact?

The entity responsible for data processing is:
FactorBank AG
Rothschildplatz 4
1020 Vienna
Telephone: 01 50678
Fax: 01 50678 150

The data protection officer at FactorBank AG is:
Alexander Dolezal
Rothschildplatz 4
1020 Vienna
Telefon: 01 50678 68

2. Which data is processed and what are the sources of this data

We process the personal data that we receive from you within the scope of our business relationship. We also process data that we have legitimately received from credit agencies1), debtor registers2) and from publicly available sources (such as commercial register, register of associations, land register, media).

This personal data includes:

  • Your personal details (name, address, contact details, date of birth, place of birth, nationality, etc.)
  • Identity verification data (such as identity card data) and authentication data (such as a sample signature)

In addition, this data may also include the following:

  • Order data (such as payment orders)
  • Data relating to the fulfilment of our contractual obligations (such as turnover information regarding payment transactions)
  • Information regarding your financial status (such as credit worthiness data, scoring or rating data, etc.)
  • Advertising and sales data
  • Documentation data (such as consulting records)
  • Register data
  • Image and sound data (such as video or telephone recordings)
  • Information from your electronic communication with the bank (such as apps, cookies, etc.)
  • Processing results generated by the bank itself
  • Data for compliance with legal and regulatory requirement

1) CRIF GmbH
2) Kreditschutzverband von 187

3. For what purposes and on what legal basis is the data processed?

We process your personal data in accordance with data protection regulations:

- for the fulfilment of contractual obligations (Section 6 Para. 1b DSGVO [Datenschutz Grundverordnung (General Data Protection Regulation (GDPR)]): The processing of your data (personal data, Section 4 (2) GDPR is necessary to handle banking transactions, provide financial services and to process insurance, leasing and property transactions with you. We also require this data for the implementation of contracts we have concluded with you. As well as for executing your orders. In addition, we process personal data as part of the activities we must carry out to maintain the ongoing operation and administration of a credit and financial services institution.

The purposes of data processing are based primarily on the specific product (such as account, credit, building society services, securities, deposits, procurements) and include, among other things:

  • Needs analyses
  • Advisory services
  • Wealth management and consulting
  • Processing of transactions

The specific details for the purpose of data processing can be found in the respective contract documents and terms and conditions.

- to comply with legal obligations (Section 6 Para 1c GDPR) Certain statutory obligations, which UniCredit Bank Austria AG is subject to, may require the processing of personal data. Such obligations may arise from the provisions of the following laws:

  • Austrian Banking Act
  • Austrian Financial Markets Money Laundering Act
  • Austrian Securities Supervision Act (SSA)
  • Austrian Stock Exchange Act

Compliance with regulatory requirements may also be necessary, for example in relation to:

  • the European Central Bank
  • the European banking regulator
  • the Austrian Financial Market Authority (FMA), etc.

Examples of such cases:

  • Providing reports to the money laundering unit in certain suspicious cases (Section 16 FM-GwG [Finanzmärkte Geldwäsche Gesetz (Financial Markets Money Laundering Act (FMMLA))]
  • Providing information to the FMA in accordance with the SSA and the Stock Exchange Act, for example, to monitor compliance with the rules on market abuse with insider information
  • Providing information to financial crime prosecutors in the context of financial crime proceedings for a deliberate financial offence
  • Providing information to federal tax authorities in accordance with Section 8 of the Account Register and Account Entry Act.

- within the scope of your consent (Section 6 Para. 1a GDPR): If you have granted us consent to process your personal data, processing will only take place in accordance with the purposes set out in the declaration of consent and to the extent agreed therein. Any consent given may be revoked at any time with future effect (for example, you may object to the processing of your personal data for marketing and promotional purposes if you no longer consent to processing in the future).

- to safeguard legitimate interests (Section 6 Para. 1f GDPR): Should it become necessary to process your data over and above the terms stipulated in the contract in order to safeguard the legitimate interests of UniCredit Bank Austria AG or a third party, then such processing can be carried out in the following cases:

  • Consultation of and data exchange with credit agencies (such as the Austrian Credit Protection Association 1870) for the identification of credit and default risks;
  • Review and optimisation of needs analysis and direct customer approach procedures
  • Advertising or market and opinion research, provided that you have not objected to the use of your data pursuant to Section 21 GDPR
  • Video surveillance for collecting evidence of criminal offences, or to provide evidence of transactions and deposits (e.g., at ATMs); these especially serve to protect customers and employees
  • Telephone records (such as in the event of complaints)
  • Measures relating to business management and the enhancement of services and products
  • Measures for protecting employees and customers, as well as the property of the bank
  • Measures for the prevention and combating of fraud (Fraud Transaction Monitoring)
  • In the course of legal proceedings

4. Who has acces to your data?

Within UniCredit Bank Austria AG, your data is received by those offices or employees that require your data to fulfil contractual, statutory and regulatory obligations and to safeguard legitimate interests. Furthermore, data processing companies acting on our behalf (especially IT and back-office service providers, and service line providers) receive your data if they require it to provide their respective services. Accordingly, all the data processing companies are contractually obligated to keep your data confidential and to process it only in the context of service provision.

Public authorities and institutions, (such as the European Banking Supervisory Authority, European Central Bank, Austrian Financial Market Authority, fiscal authorities, etc.) and UniCredit S.p.A. as our parent company, may be granted access to your personal data if there is a statutory or regulatory obligation to do so.

Notice of bank secrecy: With regard to forwarding data to other third parties, we would like to point out that as an Austrian credit institution, UniCredit Bank Austria AG is obligated to comply with banking secrecy regulations in accordance with Section 38 of the Austrian Banking Act, and must therefore maintain confidentiality regarding all customer-related information and facts which have been entrusted or made accessible to the bank in the course of the business relationship. Therefore, we can share your personal data only if you have explicitly released us from banking secrecy in advance, in writing or if we have a legal or regulatory obligation or authorisation for it.

In this context, recipients of personal data can be other credit and financial institutions or similar institutions (depending on the agreement, this can be, for example, correspondent banks, stock exchanges, depositary banks, credit agencies, etc.). 

5. How long will your data be stored and processed?

For the entire period of the business relationship (from the initiation, to the implementation, until the end of the contract) and beyond, in accordance with the legal safekeeping and documentation obligations. These are set out, among others, in:

  • the Austrian Company Code (UGB)
  • the Federal Fiscal Code (BAO)
  • the Austrian Banking Act (BWG)
  • the Financial Markets Money Laundering Act (FM-GwG)
  • the Austrian Securities Supervision Act (WAG)

Moreover, the statutory limitation periods must be taken into consideration for the retention period, and in accordance with the provisions of the General Civil Code (ABGB), for example, these can extend to as long as 30 years in certain cases (the general limitation period is 3 years)

6. Which data protection rights are you entitled to?

At any time, you have:

  • the right of access, the right to rectification, right to erasure or the right to restriction of processing regarding your stored data
  • the right to object to the processing of your data
  • the right to data portability as set forth in the provisions of the Data Protection Law

Any complaints should be directed to the Austrian Data Protection Authority:

7. Are you obliged to provide data?

You must provide such personal data which is necessary to establish and maintain our business relationship, as well as the information which we are legally required to collect.

If you are not willing to provide this data to us, in most cases we are obliged to refuse to enter into a contract with you or to process your order. In such cases, we are no longer able to execute an existing contract and must therefore terminate it.

However, you are not obliged to grant permission to process your data in the case of data that is not relevant for the fulfilment of the contract, or is not required for this purpose by legal and/or regulatory authorities.

8. Is there automatic decision making including profiling?

We do not use automated decision-making procedures as defined under Section 22 GDPR to reach decisions with regard to the creation or implementation of the business relationship.

A credit assessment (credit scoring) is done for loan disbursement. The default risk of credit seekers is assessed with the help of statistical comparison groups. The calculated score should make it possible to predict how likely it is that the credit that has been applied for will be repaid. The following data is used in the calculation of this score:

  • Your core data (such as marital status, number of children, length of employment, employer, etc.)
  • Information regarding your overall financial circumstances (such as income, assets, monthly expenses, debt situation, collateral, etc.)
  • Data on payment behaviour (such as on-time loan repayment, payment reminders, details from credit agencies)

If the default risk is deemed too high, the credit application is rejected and if applicable, an entry is made in the consumer loan register maintained by KSV1870, the Austrian Credit Protection Association 1870, and an internal alert is also generated. If a credit application has been rejected, it is visible for 6 months in the consumer loan register maintained by KSV1870, as per a ruling by the Data Protection Authority.

9. Cookies and web analytics

We use so-called cookies to make our offer as attractive as possible for you. Cookies are small text files which enable user recognition. You can prevent the installation of cookies by adjusting your browser software accordingly.  

In order to analyse and improve the structure and navigation of our website and tailor it to the needs of our customers, we use a locally installed analysis tool, used for statistical evaluation, in order to review the needs-based design of our website. Only anonymous information is stored, and we are not able to establish a connection with your person.

10. Data Security

The security of your data is our highest concern. Our stated aim is to take all technical and organisational measures required to ensure that our data processing is carried out in a secure manner and to process your personal data in such a way that it is protected from access by unauthorised third parties.
We make sure our IT infrastructure complies with the highest international security standards by using the most up-to-date security software, codes and encryption procedures.