1. Who is in charge of data processing, and whom can you contact?
The company in charge of processing your data is:
PSA Payment Services Austria GmbH (“PSA”)
Handelskai 92, Gate 2
2. As the controller, what data does PSA process, and for what purpose?
The only personal data collected are those that are required to perform and process our services, or those that you provide to us voluntarily. As controller, PSA processes the personal data of:
- Contractual partners and their employees as part of contract preparation and performance, or as part of the establishment and ongoing development of payment solutions for the purpose of fulfilling various contractual requirements;
  - Data processed: “Name”, “Contact information”, “Customer data”
  - Legal basis: Fulfilment of contractual obligations (Art. 6 (1) b GDPR)
- Participants in events organised by PSA and associated activities to organise such activities (sending of personalised invitations and correspondence with participants)
  - Data processed: “Name”, “Contact information”, “Associated company”
  - Legal basis: Protection of legitimate interests (Art. 6 (1) b GDPR), namely efficient information and event management and internal and external communications in these matters.
- Callers to the 24-hour Card Block Hotline operated by PSA, to block cards and to preserve documentation of the caller’s block request;
  - Data processed: “Name”, “Caller’s card information”, “Card block details”
  - Legal basis: Fulfilment of contractual obligations (Art. 6 (1) b GDPR), fulfilment of statutory requirements (Art. 6 (1) c GDPR) and consent to recording of data (Art. 6 (1) a GDPR)
- Individuals recorded via video surveillance of the Bankomats® serviced by PSA for the purpose of collecting evidence in the event of criminal offences or to provide evidence for withdrawals, in which case the video surveillance is only evaluated by official order in the specific case at issue;
  - Data processed: “Person’s role”, “Image data”, “Recording date and location”, “Card information”
  - Legal basis: Fulfilment of contractual obligations (Art. 6 (1) b GDPR) and fulfilment of statutory requirements (Art. 6 (1) c GDPR)
- Card information in connection with statutory and regulatory requirements, e.g. to prevent money laundering and financing of terrorism or to prevent fraud (e.g. reports to the Austrian Financial Intelligence Unit in certain suspected cases pursuant to Sec. 16 of the Austrian Financial Markets Anti-Money Laundering Act [Finanzmarkt-Geldwäschegesetz, FM-GwG]; prevention, investigation or identification of fraud pursuant to Sec. 86 of the Austrian Payment Services Act [Zahlungsdienstegesetz, ZaDiG 2018]);
  - Data processed: “Card information and card security features”, “Transaction data”, “Device data”
  - Legal basis: Fulfilment of statutory requirements (Art. 6 (1) c GDPR) and protection of legitimate interests (Art. 6 (1) f GDPR), namely the prevention of money laundering, financing of terrorism and fraud
- Individuals recorded via video surveillance of PSA premises to protect PSA property and third-party data stored on PSA premises;
  - Data processed: “Person’s role”, “Image data”, “Recording date and location”
  - Legal basis: Protection of legitimate interests (Art. 6 (1) f GDPR), namely protection of private property and protection of data stored on PSA premises
- Website visitors, insofar as data protection provisions were accepted upon accessing the website.
  - Data processed: “Cookies”, “Anonymised IP address”, “Device data”
  - Legal basis: Consent (Art. 6 (1) a GDPR)
3. What sources do these data come from?
- Personal data of contractual partners and their employees are collected as part of contract preparation and performance (“Name”, “Contact addresses”, “Customer data”).
- Personal data of committee participants are collected as part of their participation in events organised by PSA via communications from the business (e.g. financial institution) at which they are employed.
- Personal data of callers to the 24-hour Card Block Hotline operated by PSA are collected directly on the Hotline (“Name”, “Caller’s card information”, “Card block details”).
- Personal data of individuals recorded via video surveillance of the Bankomats® serviced by PSA are collected directly at the Bankomats® (“Person’s role”, “Image data”, “Recording date and location”, “Card information”).
- Personal data in the context of statutory and regulatory requirements to fulfil legal requirements are collected directly at the Bankomats® or on the device (“Card information and card security features”, “Transaction data”, “Device data”).
- Personal data of individuals recorded via video surveillance are collected directly on PSA’s premises (“Person’s role”, “Image data”, “Recording date and location”).
- Personal data of website visitors are collected directly when the website is accessed (“Cookies”, “Anonymised IP address”, “Device data”).
4. Data transfer
Processors contracted by PSA (e.g. IT service providers, etc.) process your data as needed to perform their respective services. PSA contractually obligates its processors to ensure the confidentiality and security of personal data. When required by a statutory or regulatory requirement, public bodies and institutions (e.g. courts, Austrian Financial Market Authority, Austrian National Bank) may be recipients of your personal data.
When necessary, PSA may also process and transfer personal data to bodies engaged in the prevention and/or investigation of payment card fraud in order to protect payment processes from fraud and to ensure the security of the transaction and of payment transactions in Austria.
We have taken appropriate technical and organisational measures to protect your personal data. In particular, these measures include actions to prevent unauthorised physical or digital access to your personal data, such as input controls, processor controls, and availability controls.
5. How long are personal data saved?
PSA processes your personal data for as long as it is required to do so by statutory retention and documentation requirements, as specified in ZaDiG 2018, the Austrian Commercial Code [Unternehmensgesetzbuch, UGB], the Austrian Federal Tax Code [Bundesabgabenordnung, BAO], the Austrian Banking Act [Bankwesengesetz, BWG] and the FM-GwG, among others. Under certain circumstances (e.g. in the case of ongoing warranty obligations), data are retained until the end of the limitation period or until the cessation of the relevant event.
6. What rights do I have as a data subject?
Please note once again that all rights and questions relating to the processing of personal data for your debit/Bankomat® card or credit card should primarily be addressed to your bank as your contractual partner and the controller for the data processing.
At any time, you have a right to access, rectification, erasure or restriction of processing of your saved data, a right to object to processing (insofar as the data are processed on the basis of a public interest or to protect a legitimate interest), and a right to data portability in accordance with the provisions of data protection law.
7. Am I required to provide data?
You are not required by law to provide your data to us. However, if you do not provide us with your data, we may not be able to perform our services (e.g. card blocking) for you.
8. Information on automated decision-making, including profiling
PSA does not process any personal data in automated decision-making processes.
9. Updates to data privacy statement
This data privacy statement may be updated without prior notice in order to reflect changes to the law or changes to the procedures under which personal data is processed. PSA will announce any changes by means of a notice on its website.
10. Information on use of PSA’s website (web analytics)
Our websites use Google Analytics, a web analytics service of Google Ireland Ltd (“Google”). Google Analytics uses so-called “cookies”, text files stored on your computer that can be used to analyse your use of the website. We process your data on the basis of our overriding legitimate interest to compile easy-to-use website statistics in a cost-efficient manner.
The information generated by the cookie about your use of our websites is transferred to a Google server in the United States and stored there. In this process, our websites use the IP anonymisation option provided by Google Analytics. Google does not link the IP address provided to Google Analytics by your browser with other data. We do not store any of your data that are collected in connection with Google Analytics.
You can prevent the cookies from being stored by means of an appropriate setting and/or extension in your browser. In this case, you may not be able to fully use all functions of our website.
To continuously improve our website and for the purposes of system performance, providing information about our service portfolio and optimising the user experience, the service provider for the PSA website automatically prepares server log files with information automatically provided by your browser.
- For processing relating to your debit/Bankomat® card or credit card, PSA is a processor for your bank
For Austrian financial institutions, PSA acts as the central service provider (processor) which provides the technical systems for issuing cards, payment mediums on mobile phones (e.g. Bankomat®Karte mobil), or for processing transactions.
If you have questions about the processing of personal data in relation to your debit/Bankomat® card or credit card, e.g. in connection with Bankomat® card payments or cash withdrawals, please contact your bank.
- Microsoft Teams
PSA offers its contractual partners the option to communicate via Microsoft Teams at its partners’ request. Microsoft Teams is a videoconferencing tool offered by Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland and the Microsoft Corporation, One Microsoft Way, Redmond, Washington 98052 (“Microsoft”).
Microsoft is based in the United States, and the data may be processed there. For more information about processing in connection with the use of Microsoft Teams and the standard contractual clauses signed by and between us and Microsoft, see https://www.microsoftvolumelicensing.com/DocumentSearch.aspx?Mode=3&DocumentTypeId=67
Use of Microsoft Teams is not required to communicate with PSA. Our contractual partners can decide if they wish to make use of this option. As an alternative, PSA offers personal discussions and conference calls. If the contractual partner wishes to communicate via Microsoft Teams, PSA will accommodate this. As such, processing is performed on the basis of fulfilment of contractual obligations (Art. 6 (1) b GDPR).