Data Protection Policy

Starting on 25 May 2018, the General Data Protection Regulation or GDPR applies throughout the European Union. The GDPR stipulates how personal data may be processed and how they must be protected. You will find a summary of the basic information below. 

What is the GDPR?

The GDPR is a regulation of the European Union. It applies directly in every member state, including in Austria. Every person whose data are processed can directly claim protection under the GDPR. Detailed information can be found here.

What does the GDPR govern?

The GDPR contains regulations about the processing of your personal data. The GDPR protects all information about you including your name, telephone number, investment, and hobbies. The principles in this regulation stipulate how your personal data may be stored and processed. Detailed information can be found here.

Why is the Austrian data protection law (DSG 2018) still in force?

The European Union has not only enacted the GDPR, but an entire “data protection package”. Part of this was also a new data protection directive. What is the difference between a directive and a regulation? Unlike a regulation, a directive must be implemented in national law. The GDPR also gives the member states leeway to govern individual aspects in greater detail than set forth in the GDPR itself.

Both of these aspects are being covered in Austria through the 2018 Data Protection Amendment Act, or the DSG 2018. We will of course also comply with the DSG 2018 when it is relevant for you and your relationship with us.

Why is the protection of my data so important?

Data protection is a fundamental right. Just as your right to freedom or security, your right to data protection is enshrined in the Charter of Fundamental Rights of the European Union. This EU Charter of Fundamental Rights applies to the relationship between you and government institutions.

The law also recognises that there must be a balance between the interests of entities processing personal data and the so-called data subjects in private and business affairs – for example between you and your bank. These rules can be found in the GDPR and DSG 2018.

Personal data say a lot about us and can reveal our hobbies, preferences, and wishes. And this is of course worth protecting. But we have to know your preferences in order to be able to offer you individualised service. One core element of data protection is that we find a way together in which we can and may process your data in your interests and under your supervision. Detailed information can be found here.

Where can I learn more about the GDPR and DSG 2018?

(All links as of May 2018)

The text of the GDPR can be found here:
https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679&

The text of the DSG 2018 can be found here:
https://www.ris.bka.gv.at/GeltendeFassung.wxe?Abfrage=Bundesnormen&Gesetzesnummer=10001597&FassungVom=2018-05-25

The EU Charter of Fundamental Rights:
https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex:12012P/TXT

You can find more information about your rights on the following web sites:

Austrian Data Protection Authority:
https://www.dsb.gv.at/

European Commission:
https://ec.europa.eu/commission/priorities/justice-and-fundamental-rights/data-protection/2018-reform-eu-data-protection-rules_en

(All links as of May 2018)

It is important to clarify some basic terms so that we can talk about data protection. We have also included the Article designations of the GDPR so that you can look these definitions up if you wish to do so. Please note that the information provided here is only a summary. The full text of the GDPR and the respective articles can be found here:

https://eur-lex.europa.eu/legal-content/DE/TXT/?uri=uriserv:OJ.L_.2016.119.01.0001.01.DEU

What are personal data?

Personal data include all information that relate to an identifiable natural person (“data subject”). A natural person is considered to be identifiable when his or her identity can be determined directly or indirectly, for example by reference to a name or code number.

More information can be found in Article 4 (1) GDPR.

What does the processing of data include?

The term “processing” means any operation performed on personal data with or without the help of automated systems. This includes collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.

More information can be found in Article 4 (2) GDPR.

What does “controller” mean?

The term “controller” refers to the natural or legal person, public authority, agency, or other body that decides on the purposes and means of processing personal data alone or jointly with others. One example of this is us as a management company.

More information can be found in Article 4 (7) GDPR.

What does “processor” mean?

The term “processor” means a natural or legal person, public authority, agency, or other body that processes personal data on behalf of the controller.

More information can be found in Article 4 (8) GDPR.

Who is responsible for processing personal data?

The following company is responsible for processing your data:

Erste Asset Management GmbH
Am Belvedere 1
A-1100 Vienna
Imprint

Contact for issues relating to data protection:

Erste Asset Management GmbH
Data Protection
Am Belvedere 1, A-1100 Vienna
E-mail: Datenschutz@erste-am.com

Responsible authority for data protection issues:

Austrian Data Protection Authority
Wickenburggasse 8, A-1080 Vienna
Telephone: +43 1 52 152-0
E-mail: dsb@dsb.gv.at
https://www.dsb.gv.at/

Is there a data protection officer pursuant to Article 37 GDPR?

Article 37 of the GDPR lists instances where the controller must appoint a data protection officer in any case. Among other cases, a data protection officer must be appointed when the core activities of the company consist of processing operations  which, by virtue of their nature, their scope, and/or their purposes, require regular and  systematic monitoring of data subjects on a large scale. With regards to the “core activity”, recital 97 of the GDPR states that the core activity always pertains to data processing as the primary activity but not to data processing as an ancillary activity.

The primary activity of Erste Asset Management GmbH is the management of investment funds. For this reason, the appointment of a data protection officer is not mandatory at this time. You can contact us at any time if you have any questions or concerns about data protection.

What personal data are processed?

We process the following personal data:

• Master and identification data such as first and last name, e-mail address, and if necessary telephone number, date of birth, hobbies, etc. when you provide this information to us
• The results of processing to fulfil contracts and declarations of consent
• Data to meet legal and regulatory requirements

Please note: This is simply a general list. We do not have all of the data specified above in every case. You have the right to receive a detailed, individual list from us upon request at any time. Please contact datenschutz@erste-am.com to this end.

Where do you obtain the personal data that you process?

Most of your personal data that we process was provided by you: for example when you signed up for our newsletter or submitted an enquiry.

Data can also come from the following sources:

• Public sources such as the trade register, property register, bankruptcy database, or register of associations
• From other institutions in the Erste Asset Management GmbH group

We may also receive data from government agencies or from individuals acting under government mandate, such as from the Financial Market Authority, guardianship or criminal courts, public prosecutors, or court-appointed notaries. You have the right to receive a detailed, individual list from us.

For what purposes and on what legal basis are my personal data processed?

We are a management company pursuant to the Austrian Investment Fund Act 2011 and pursuant to the Alternative Investment Fund Manager Act. We process your personal data in connection with this activity. In detail, this means:

Processing for contract fulfilment

We are permitted to render certain services for you depending on the type of contracts that we have concluded with you. This can be an agreement relating to a special purpose fund, or can be a management agreement, for example. We must process your data to this end. Our offerings are just as diverse as the wide range of contracts that we enter into. The scope of data processing is specified in the terms of the respective contract.

Processing to fulfil legal obligations

Certain legal regulations and purposes also require that we process your personal data, such as:

• The Austrian Banking Act; monitoring insider trading, conflicts of interest, and market manipulation: the Securities Supervision Act 2018, the Stock Market Act, the EU Market Abuse Regulation 596/2014
• Ascertaining your identity, transaction monitoring, reporting suspicious activity: Financial Market Money Laundering Act and the EU Wire Transfer Regulation 847/2015
• Provision of information to public prosecutors, courts, and criminal financial authorities pertaining to criminal proceedings based on intentional financial crimes: Austrian Banking Act, criminal procedural code, criminal financial code

Processing based on legitimate interests

We or third-party agents have a legitimate interest in processing data in the following cases:

• Measures for the prevention of fraud, fraud transaction monitoring
• Data processing for exercising legal claims
• Recording telephone calls, for example for complaints and for documenting declarations that are relevant for transactions

Processing personal data for the purposes of direct marketing can also be a legitimate interest.

Processing based on declaration of consent

If there is no contract, legal obligation, or legitimate interest, data processing can also be legal when you have given us your consent or authorisation to do so. The scope and contents of this data processing are always defined by the specific consent that you have granted. You can revoke this consent at any time.

The revocation has no impact on the legality of data processing up to the point in time that the consent is revoked. In other words, revocation has no retroactive effect.

Am I obligated to provide my personal data? What happens when I do not wish to do so?

We require certain personal data from you for our business relationship. If we do not know your name and e-mail address, we cannot send you any newsletters or information about our new products, or invitations to interesting events. We also cannot manage your special purpose fund without this information. If we cannot verify your identity, the law prohibits us from accepting you as a special purpose fund client. If you do not wish to provide your personal data to us, we may be unable to offer you certain products and services. If we are only permitted to process your data based on your consent, you are not obligated to give this consent or provide your data.

Are any decisions made based on automated processing, such as profiling?

We employ no automated decision-making processes pursuant to Article 22 GDPR at the beginning of or during our business relationship.

To whom are my personal data passed on?

Your personal data can be passed on to:

• Companies, units, and persons (employees and contract agents) within the group headed by Erste Asset Management GmbH when these entities need these data to fulfil contractual, legal, or supervisory obligations and to realise their legitimate interests
• Public agencies and institutions when we are legally obligated to do so, for example the Austrian Financial Market Authority, tax authorities, etc.
• Third parties contracted by us, such as IT and back office service providers, when they require these data for their activities. Third parties are contractually required to treat your data confidentially and to only process them for the provision of the relevant services
• Third parties when this is required for contract fulfilment or based on legal regulations, for example the recipient of a wire transfer and their payment transaction service provider.

Your data may also be passed on to third parties when you have consented to this forwarding.

Are my personal data forwarded to a non-EU country?

(All links as of May 2018)

Our processors can work with sub-processors in non-EU countries. These sub-processors are obligated to comply with Austrian data protection and security standards.

We will provide you with a list of current service providers in non-EU countries as well as information about the basis on which the data are forwarded upon request.

How long are my personal data stored?

(All links as of May 2018)

Your personal data are stored for as long as required to fulfil the relevant purposes in any case. The law also stipulates for how long we must keep the data. These retention obligations may also apply when you are no longer our customer or an interested party. You can find an overview of the legal retention obligations that apply in Austria here, for example:

https://www.wko.at/service/wirtschaftsrecht-gewerberecht/eu-dsgvo-speicher-und-aufbewahrungsfristen.html

What security measures are applied in data processing?

We place high value on data protection and data security. We have taken all technical and organisational measures needed to secure our data processing. This especially pertains to the protection of your personal data. We protect these data against unauthorised and unlawful processing, unintentional loss, unintentional destruction, and unintentional damage. These measures include the use of modern security software and encryption methods, physical access control, and precautions to prevent and defend against external and internal attacks.

What about cookies, social networks, web analytics, and re-targeting?

Cookies: We use cookies on different parts of our web site. Cookies are small text files that allow users to be recognised when they return to our web site. However, no personal information such as your name or address are stored for this. This means that the information they contain cannot be used to identify you. 

We use cookies to tailor our offerings to your needs and to analyse how these offerings are used. You can configure your browser to require your express consent before cookies are used, or to generally block the use of cookies. You can use our web site without accepting cookies.

Web analytics: We forward personal data to the service provider Webtrekk GmbH for the purposes of anonymised statistical analyses of the user flow on our web sites. You can prohibit the forwarding of your data.

What are my rights?

The GDPR grants you the following rights pertaining to your personal data. You have the right to:

• Access, pursuant to Article 15 GDPR
• Rectification, pursuant to Article 16 GDPR
• Erasure, pursuant to Article 17 GDPR
• Restriction of processing, pursuant to Article 18 GDPR
• Data portability, pursuant to Article 20 GDPR
• Objection, pursuant to Article 21 GDPR
• No decision-making based solely on automated processing, including profiling, pursuant to Article 22 GDPR 

What does the right to access mean?

You have the right to demand a confirmation of whether we process your personal data. If this is the case, you also have the right to information about this personal data and to the following information:

• Purposes of processing
• Categories of personal data that are processed
• Recipients or categories of recipients to whom the personal data have been disclosed or will be disclosed, especially recipients in non-EU countries and at international organisations
• If possible the planned duration that the personal data will be stored for or, if this is not possible, the criteria that are applied to determine this duration;
• The existence of the right to have your personal data rectified or erased; restriction of or objection to this processing
• Right to file complaints with a supervisory authority
• All available information about the source of the personal data when the data are not collected from the data subject
• Whether automated decision-making including profiling are used pursuant to Article 22 (1) and (4) GDPR and – at least in these cases –  meaningful information about the logic involved, as well as the significance and consequences of such processing for the data subject.

An explanation of how exactly to exercise your rights can be found here.

What does the right to rectification mean?

It is important to us that your data are correct and complete at all times. If you suspect that they are incorrect or incomplete, you can request that we rectify or complete the data. An explanation of how to exercise this right can be found here.

What does the “right to erasure” and the “right to be forgotten” mean?

We attach considerable importance to only processing your data in accordance with the rules of the GDPR and DSG 2018. Should you have reason to believe that this is not the case, you can request that your personal data be erased. Reasons for this can be:

• The personal data are no longer required for the purposes for which they were collected or processed in some other manner.
  
  For example: Your personal data must be erased when they were solely collected to establish a special purpose fund or to send newsletters (sole purpose) and you have not consented to the processing of these data for other purposes. In this case, there is no need to process the data further after the termination of the special purpose fund or when you have unsubscribed from the newsletter and after the retention obligation no longer applies. The legal retention obligations are described here.
• You revoke your consent on which the processing was based pursuant to Article 6 (1) a) GDPR or Article 9 (2) a) GDPR, and there is no other legal basis for processing.
  For example: You have consented to the processing of your personal data for individual product offers from a third-party provider (sole purpose). As soon as you revoke this consent, your personal data must be erased. Exceptions: There are other purposes or justifications for processing and you are also in a customer relationship with the third-party provider, for example.
• You file an objection against processing pursuant to Article 21 (1) GDPR, and there are no overriding legitimate grounds for processing.
  For example: You can file an objection when an entity is processing your personal data without your consent just because this entity claims to have a legitimate interest in doing so (and there is no other justification). When you contest this and there was no legitimate interest, your personal data must be erased. Your objection was successful. 
• Your personal data were processed unlawfully.
  Unlawfully processed personal data must be erased. 
• The erasure of your personal data is mandated by EU law or the law of the member state.
  This refers to laws or other regulations that demand the erasure of personal data.
• The personal data were collected in connection with the offer of information society services pursuant to Article 8 (1) GDPR.
  This is a special protection afforded to minors who use online services.

This was a brief summary of the right to erasure. This should not be confused with the “right to be forgotten”.

The “right to be forgotten” pertains to personal data that have been made public. This means that when a person who originally published the data is required to erase the data (because one of the reasons for deletion above applies), this person must also then inform all persons who received the data in question as a result of their publication that the data in question must be erased. This rule is rather complicated. These provisions of the GDPR pertain to Internet search engines in particular.

An explanation of how to exercise your right to erasure and to being forgotten can be found here.

What does the right to restrict processing mean?

We attach considerable importance to always processing your data in accordance with the rules of the GDPR and DSG 2018. Should you have reason to believe that this is not the case, you can request that the processing of your personal data be restricted. However, this is only possible for the following legitimate reasons:

• You contest the correctness of your personal data. You can demand that the processing of your personal data be restricted for the duration of the period required by the data controller to verify the correctness of your personal data.
  Opinions can differ. But further processing can be restricted for the time during which a matter is being clarified so that the contested personal data do not have to be erased or changed immediately. It could turn out that the data were correct after all.
• The processing of personal data is unlawful. But instead of having your personal data erased, you “only” wish to have their use restricted.
  The GDPR gives you the right to choose. If you do not wish to have unlawfully processed data erased immediately, you can demand that they remain stored, but that they may no longer be used.
• Data controllers no longer need your personal data for processing. However, they need the data to assert, exercise, or defend legal claims.
  When your personal data should in fact be erased but are needed so that you can exercise or defend your own rights, they can still be processed for these purposes.
• You have filed an objection against processing pursuant to Article 21 (1) GDPR. Restricted processing can be demanded until it is determined whether the legitimate interests of the controller override your interests.
  Further processing can be restricted for the time during which a matter is being clarified so that the contested personal data do not have to be erased immediately. It could turn out that the processing was justified after all.

An explanation of how to exercise your right to restrict processing can be found here.

What does the right to data portability mean?

Your personal data belong to you. Because of this, you have the right to receive this data in a structured, common, and machine-readable format. This pertains to data that you have provided to us and that are processed by means of automated systems based on your consent or for contract fulfilment. You can also demand that we forward these personal data directly to another controller.

In what form will I be given the data?

We provide the data as a standard format (e.g. as an Excel file). An explanation of how to exercise this right can be found here.

Was does the right to object mean?

Your data may only be processed when there is a legitimate interest in doing so.

If such a legitimate interest is claimed, you must be informed of this. If you feel that there is no legitimate interest, you can raise an objection. This is especially the case when your personal data are used for direct marketing. If the controller is unable to prove any legitimate reasons for further processing, the controller will not be permitted to continue processing your data after you object. Except for processing for the purposes of direct marketing. Your objection has absolute effect here.

An explanation of how to exercise your right to object can be found here.

What does your right to not be subject to decision-making based solely on automated processing, including profiling, mean?

We do not employ automated decision-making pursuant to Article 22 GDPR for entering into or fulfilling business relationships. More information can be found here. For this reason, the right to object to this does not apply.

What information am I required to provide?

We must verify your identity for every enquiry so that your financial data do not fall into the wrong hands and so that another person cannot erase your data against your will. Please understand that we will demand additional information about your identity in cases of doubt. This serves your own protection so that only authorised persons can access your data.

How can I submit a request?

Regardless of which right you wish to exercise, you can submit your request to us in any of three ways:

• By regular mail (please sign and include a copy of a photo ID) to
  Erste Asset Management GmbH
  Am Belvedere 1, A-1100 Vienna
  
• In person at our offices, or
• By e-mail (only with a qualified electronic signature) to datenschutz@erste-am.com 

Please explain your case as concretely as possible so that we can process it without delay. Please pay particular attention to the information about your right to data portability.

How long will it take for my request to be processed?

We will provide you with the information about relevant measures immediately, in any case within one month after receipt of your request.

This period can be extended by a further two months when the complexity and number of requests requires this additional time. We will inform you of a possible deadline extension and the reasons for this within one month after the receipt of your request in any case.

How will my request be processed?

We treat the data that you provide to us confidentially. But e-mails cannot always be trusted. In terms of security, e-mails can be compared with a postcard, not with a letter in a sealed envelope. Because we do not want to send you your data on a postcard, we will send you the information by regular mail.

What are the key considerations relating to my right to data portability?

We only forward data directly to third parties when you

• expressly instruct us to do so, 
• release us from our obligation to banking secrecy, and 
• when the third party in question is a financial services provider, attorney, notary, tax consultant, accountant, or government agency.

Does it cost anything when I exercise my rights?

No, the requests are processed free of charge. Exception: When requests are submitted for reasons that are clearly unjustified or to an excessive extent, we are entitled to demand a reasonable fee. This covers the administrative costs for the notification, refusal, or implementation of the requested measure.

Can I file a complaint?

Our employees will be pleased to assist you with all complaints, questions, and suggestions relating to data protection. We are certain that we can work together to find a solution to nearly every problem.

If you do not receive an answer to a request in good time, feel that your data protection rights have been violated, or feel that we have not processed your request in accordance with the law, you can file a complaint with the responsible supervisory authority:

Austrian Data Protection Authority

Wickenburggasse 8
A-1080 Vienna, Austria
Telephone: +43 1 52 152-0
E-mail: dsb@dsb.gv.at
https://www.dsb.gv.at/

Every person who has suffered tangible or intangible damages due to a violation of the GDPR or of § 1 or Article 2 (1) of the DSG 2018 is also entitled to compensation from the controller or processor pursuant to Article 82 GDPR. The general provisions of civil code apply in such cases. Please note that the Austrian Data Protection Authority is not responsible for damage claims, but the local court that is responsible for matters of civil law in your district. You can also file motions and lawsuits with the regional court whose competence covers the district where the defendant resides or has its offices. You can find the competent court here: https://www.justiz.gv.at/

Valid from May 2018