Information on the protection of personal data
Personal data are personal details or other information about identified or identifiable individuals, including data about their Internet surfing and communication activities. Anonymous data, i.e. information which cannot be linked to the identity of an individual (not even via a specific identification number such as an IP address), are not considered personal data (e.g. information on most frequently visited websites or the number of visitors to a website). The OeNB processes personal data in line with the provisions laid down in the General Data Protection Regulation (GDPR) and the Austrian Data Protection Act (DSG).
Data protection officer
The OeNB’s Data Protection Officer is Bernhard Horn. You can contact him via the Contact section below.
The OeNB takes all necessary technical and organizational security measures to protect your personal data against loss and misuse. Your data will be processed in a secure, state-of-the-art operating environment. The OeNB’s IT infrastructure is certified under the international ISO 9001 and 27001 standards.
Access to the OeNB’s websites is secured via HTTPS. This means that communication between your browser and the OeNB’s servers is encrypted. If you wish to contact the OeNB or its employees by e-mail, please note that, given the technical configuration of e-mail protocols, the confidentiality of e-mail information cannot be guaranteed. The content of unencrypted e-mails can be viewed by third parties unless special security measures are taken. We therefore recommend using only the contact form or any other secure mode of transfer (see www.oenb.at/en/Contact.html) to transmit confidential information.
Transfer of personal data to third countries
The OeNB uses website support services offered by providers that are established, or whose parent companies are established, in third countries outside the EEA (in particular Google LLC, headquartered in the USA) to optimize its websites. Where such services are used, it cannot be ruled out that personal data are transferred to a third country within the meaning of the GDPR.
For users of Google services based in Europe, the data controller responsible is Google Ireland Limited (Gordon House, Barrow Street Dublin 4, Ireland). It cannot be excluded, however, that Google Ireland Limited transfers your personal data to servers run by its head office in the USA, i.e. Google LLC (1600 Amphitheatre Parkway, Mountain View, CA 94043), or may have to disclose your personal data to US authorities or US intelligence services under the US CLOUD Act. The Court of Justice of the European Union classifies the USA as a third country that does not ensure a level of data protection corresponding to European standards. In particular, there is the risk that, under US law, service providers must disclose personal data to US authorities or US intelligence services for surveillance purposes without data subjects being adequately legally protected. Pursuant to Article 49 para 1 lit a GDPR, you therefore need to consent to transfers of your personal data to service providers in third countries in order for the respective website support services to be put to use. You can give, make changes to or withdraw your consent in the cookie consent banner.
Right to object
According to Article 21 GDPR, you have the right to object, on grounds relating to your particular situation, at any time to the processing of your personal data carried out by the OeNB on the basis of its legal mandate, as laid down in the Federal Act on the Oesterreichische Nationalbank (Nationalbank Act; Article 6 para 1 lit e GDPR), or for the purposes of its legitimate interests (Article 6 para 1 lit f GDPR). For further details, please refer to the section “Your rights as a data subject”.
Right to withdraw your consent at any time
You have the right to withdraw your consent to any consent-based processing of your personal data at any time. Withdrawing your consent will be without prejudice to the lawful use of personal data collected up to the point of consent withdrawal (Article 7 para 3 GDPR).
Protection of your personal data when visiting the OeNB’s websites
When you visit one of the OeNB’s websites, the respective server logs and processes certain personal data:
Web server logging
Each time you access one of our websites, the web server logs the following data to ensure an appropriate degree of information and system security: IP address, username (if required), date and time of your visit as well as technical information about the web object you retrieved and the browser and operating system you used (combined log format). The OeNB will process these data for the purposes of evaluating security requirements, assessing potential risks and fending off threats to the OeNB’s IT infrastructure under its information security management system. In case improper use is made of the OeNB’s websites or IT infrastructure, log data will be forwarded to the authorities in charge. Log data will be stored in line with the right to restriction of processing (Article 18 GDPR) for up to three years. The legal basis for this processing is Article 6 para 1 lit f in conjunction with recital 49 GDPR.
Additional personal information, such as your name, address, telephone number or e-mail address, is not recorded unless you have opted to provide this information in the space provided (e.g. when registering for a newsletter or requesting information via a contact form). The personal data you provide will be processed exclusively for the purpose of dealing with your request. These data will not be transferred to third parties.
Social media plug-ins
Many OeNB websites allow you to connect to social media networks via social media plug-ins. To protect its website visitors’ data, the OeNB uses social media buttons based on Shariff technology. This means that no personal data are transmitted to the operators of social media services when you access our websites. A plug-in will make contact with the server of the given service only if you click on the respective button. The information that you have visited our websites will therefore only be transmitted to that service if you have given your consent (Article 6 para 1 lit a and Article 49 para 1 lit a GDPR). If you click on the plug-in while logged in to the selected service, you can share content from the respective OeNB websites on your profile or leave a comment. This allows the service to assign your visit to our websites to your user account. Please note that, as website operator, the OeNB does not receive any information about the content of the transmitted data or on how these data are used by the social media service in question.
By activating and using a social media plug-in, you agree to the subsequent transfer of personal data to the selected service. More information on how the respective services use your personal data can be found in the data privacy statements provided by the selected service(s):
- Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2 Ireland
- Google Ireland Limited, Gordon House, Barrow Street Dublin 4, Ireland
- Twitter International Company, The Academy, 42 Pearse Street, Dublin 2, Ireland
Use of Google Analytics
The information generated by using Google Analytics (including your IP address) is transferred to a Google server. To protect your privacy, Google Analytics has been configured in such a way that your IP address will be anonymized immediately within the area of EU or EEA countries after it has been transferred to Google servers and that it will be stored by Google exclusively in its anonymized form (anonymizeIp=true). Only in exceptional cases is the full IP address sent to Google servers in the USA and shortened there. On behalf of the OeNB, Google will use the information gathered to analyze your use of the OeNB’s websites and to compile reports on website activities.
You can enable Google Analytics by agreeing to the setting of statistical cookies in the cookie consent banner on our website (Article 6 para 1 lit a and Article 49 para 1 lit a GDPR), where you can also change or withdraw your consent at any time. In addition, the OeNB concluded a data processing agreement with Google Ireland Limited pursuant to Article 28 GDPR.
Use of Google reCAPTCHA
The OeNB uses Google reCAPTCHA (see www.google.com/recaptcha) on its websites to ensure that the data, or queries, submitted to the OeNB via contact forms are coming from a human and not a bot. For this, reCAPTCHA will evaluate the following personal data, which will be forwarded to the service provider: IP address of the device you used, the website you visited before ours (referrer URL), date and duration of your visit, identification data of the browser and operating system you used, Google account if you are signed in to Google at the same time, mouse movements around the reCAPTCHA checkboxes, cookies, display instructions and scripts as well as tests requiring you to correctly evaluate images displayed on your screen. These data are processed in accordance with Article 6 para 1 lit f GDPR and on the basis of our legitimate interests in maintaining the security of our web server and protecting the forms on our website against abuse and fraudulent input made by automated software.
Protection of your personal data when using cookies
Protection of your personal data when communicating electronically with the OeNB
You can contact the OeNB electronically by using the contact details and forms available at www.oenb.at/en/Contact.html. The data submitted this way will be processed by the OeNB to facilitate electronic communication between the OeNB and users and to maintain electronic contact management systems. The legal basis for the processing of electronic correspondence is Article 6 para 1 lit e GDPR (in conjunction with Articles 1 and 1a Austrian eGovernment Act and Articles 28 et seq. Austrian Act on the Service of Official Documents, if applicable), provided that the processing is necessary for the fulfillment of the OeNB’s statutory tasks under the Nationalbank Act; otherwise, Article 6 para 1 lit f GDPR applies. In the latter case, it is the legitimate interest of the OeNB to allow electronic correspondence also for private-law matters. The OeNB stores e-mails for up to ten years unless longer-term storage is required by the underlying purpose of the e-mail correspondence.
E-mails are checked for spam and harmful content. By default, e-mails are automatically scanned for spam or malware; only in suspicious cases or in case of doubt are individual e-mails scrutinized in more detail by specialists (in consultation with the recipient if necessary). In case of misuse or criminal content, all relevant data are forwarded to the authorities in charge.
For the purpose of ensuring an appropriate degree of information and system security as well as detecting and handling malware, the OeNB e-mail server generates log files of e-mail correspondence and stores them in line with the right to restriction of processing (Article 18 GDPR) for up to three years. When you send an e-mail to an OeNB address, the following data are logged: recipient’s e-mail address, IP address and hostname; number of recipients; sender’s e-mail address, IP address and hostname; subject, date and time when the e-mail was received by the server; file name of any attachments; size of message; risk classification for spam and delivery status. These data will not be passed on to third parties unless improper use is made of the OeNB’s websites or IT infrastructure. In such cases, log data will be forwarded to the authorities in charge (Article 6 para 1 lit f in conjunction with recital 49 GDPR).
The OeNB facilitates communication by means of audiovisual meeting and conferencing systems (online meeting tools). For the purpose of making these online meeting tools available for use, the OeNB processes personal data of meeting participants. These data may at the most include: unique identification number(s), first and last name, e-mail address, phone number and other contact information, affiliation, availability status, photo (if uploaded), audio and/or video stream, chat messages, shared data, documents and screen contents, audiovisual recordings (where legitimate and previously disclosed), detailed technical information on the end devices used (e.g. operating system, browser software, display resolution) as well as log data and statistical information on tool usage (e.g. IP address, MAC address, date and time of interactions). Audio and video streams (audiovisual data) are usually not recorded; they are recorded only in legitimate exceptional cases (mostly conferences or public events) and only if this has been previously announced by the online meeting host.
The legal basis for processing data is Article 6 para 1 lit e of the General Data Protection Regulation (GDPR) wherever online meeting tools are used for the purpose of fulfilling statutory tasks within the OeNB’s mandate under the Nationalbank Act of 1984 or other applicable EU or national laws; otherwise Article 6 para 1 lit f GDPR applies. In the latter cases, the OeNB’s legitimate interest is providing electronic, audiovisual means of communication in private-law matters. Profile data and communication content are transferred to all online meeting participants. Legitimate audiovisual recordings may be used for documentation purposes and, where applicable, for the purposes of the OeNB’s public relations and press activities, and for publication on the OeNB’s websites and social media outlets (compatibility: no sensitive data, purpose limitation, prior notification of all online meeting participants, Article 6 para 1 lit f GDPR). Moreover, data may be processed for archiving purposes in the public interest (Article 6 para 1 lit f GDPR and Article 89 GDPR in conjunction with Article 7 para 1 no 2 Austrian Data Protection Act in conjunction with the Austrian Federal Archives Act). The OeNB will regularly receive your contact and profile data directly from you or from your organization based on Article 6 para 1 lit f GDPR. In the absence of contrary legal obligations or contractual agreements, you are not obliged to disclose your contact information to the OeNB. However, without disclosing your contact information you cannot use online meeting tools. Profile data are stored until the associated profile is deleted. If you join online meetings via link, no profile will be created. Audiovisual recordings will be processed for as long as they are relevant to the OeNB for the purposes of documentation or public relations and press activities. Afterwards they will be dealt with as directed by the Austrian Federal Archives Act. Log data will be stored for up to six months. 
There will be no automated decision-making.
Tool provider (processor):
- Skype for Business: on-premise operation only – in the OeNB’s data centers.
- MS Teams: Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18 D18 P521, Ireland.
- Webex: Cisco International Limited, registered in England and Wales (Company Number 06640658), 9-11 New Square Park, Bedfont Lakes, Feltham, TW14 8HA (UK) and Cisco Systems, Inc., 170 West Tasman Drive, San Jose, California 995134 (USA).
Transfer of personal data to third countries: When using Webex and, because of the US Foreign Intelligence Surveillance Act (FISA), potentially also when using MS Teams, personal data are transferred to the UK and to the USA, both third countries outside the European Economic Area. For the UK, the European Commission has issued an adequacy decision pursuant to Article 45 GDPR; such a decision has not been issued for the USA, however. Cisco has implemented binding corporate rules on data protection pursuant to Article 47 GDPR (ec.europa.eu/newsroom/article29/document.cfm?doc_id=50116). The OeNB has agreed standard data protection clauses pursuant to Article 46 para 2 lit c GDPR with Cisco and Microsoft. These can be downloaded at trustportal.cisco.com/c/dam/r/ctp/docs/dataprotection/cisco-master-data-protection-agreement.pdf or requested by mail to firstname.lastname@example.org.
Right to object: Please notify the meeting host if you think that the use of a chosen online meeting tool could be legally problematic in terms of anticipated communication content or purpose or if you object to the use of such a tool for justified personal reasons. If the OeNB shares this view, we will look for an adequate alternative, where available. If you do not want any of your personal data to be processed in legitimate audiovisual recordings, please participate without audiovisual interaction (microphone muted, camera off). You will be able to submit questions or comments in writing in a chat window; these will not be included in audiovisual recordings.
Use of photographs and videos by the OeNB
The OeNB processes photographs and videos of individuals to document its events and activities. With due regard to the rights of individuals shown in photographs and/or videos, the OeNB makes selected photographs and/or videos available to newspapers and TV programs and/or uses them on its websites, in OeNB information material and on social media sites, e.g. on Facebook, Twitter or YouTube. The OeNB processes this visual material for the purposes of its legitimate interests according to Article 6 para 1 lit f GDPR, which include documentation of events relevant to the public as well as the bank’s press and public relations activities. Moreover, the OeNB stores photographs and videos for archiving purposes in the public interest and deletes them if documentation is no longer required (Article 89 para 1 GDPR in conjunction with Article 7 para 1 item 2 DSG in conjunction with the Austrian Federal Archives Act).
Your rights as a data subject
The GDPR provides you, as a data subject, with a number of rights in relation to the processing of your personal data:
- You have the right to obtain confirmation as to whether or not your personal data, and which of your personal data, are being processed by the OeNB (Article 15 GDPR).
- You have the right to obtain the rectification of inaccurate personal data or to have incomplete personal data completed (Article 16 GDPR) as long as the rectification and/or completion of the data are necessary for the purpose of the processing operation.
- You have the right to obtain the erasure of your personal data if the OeNB has processed them unlawfully (Article 17 GDPR).
- Under certain conditions, you have the right to obtain restriction of the processing of your personal data (Article 18 GDPR).
- You have the right to object to the processing of your personal data on grounds relating to your particular situation or where personal data are processed for direct marketing purposes (Article 21 GDPR).
- You have the right to withdraw your consent to any consent-based processing of your personal data at any time; this will not affect the lawfulness of processing based on your consent before its withdrawal (Article 7 para 3 GDPR).
- In addition to the right to obtain confirmation, you have the right to receive your personal data, which you have provided to the OeNB, in a structured, commonly used and machine-readable format or to have these data transmitted to another controller (Article 20 GDPR)
  - where the processing is carried out by automated means,
  - where such a transmission is technically feasible, and
  - where the processing is based on your consent (Article 6 para 1 lit a GDPR) or is necessary for the fulfillment of a contract that was concluded, or will be concluded, with you (Article 6 para 1 lit b GDPR).
- Should you consider your right to data protection infringed by any processing of your personal data by the OeNB, you may lodge a complaint with the Austrian Data Protection Authority (DSB) or take legal action before the competent civil court.
To assert your rights as a data subject, please write to “Oesterreichische Nationalbank, Abteilung ITS/Datenschutz, Otto-Wagner-Platz 3, 1090 Vienna, AUSTRIA” or email@example.com. Please state in what way your personal data are subject to data processing by the OeNB, specifying the data processing operation or IT system(s) and clearly outlining the details of your request. Moreover, please provide proof of your identity by enclosing a copy of an official photo identification (e.g. your passport, driver’s license, identity card) or using a qualified electronic signature within the meaning of Article 3 item 12 eIDAS Regulation to prevent improper requests by unauthorized third parties that might endanger the protection of your personal data. For the reasons outlined above, such requests must be made in writing.
Detailed privacy information
In fulfillment of its mandate and in safeguarding its interests, the OeNB frequently processes personal data. This page informs data subjects who are not OeNB staff members, pursuant to Articles 13 and 14 GDPR, on how their personal data are protected when subject to data processing by the OeNB. Information on the purpose(s) and legal basis of processing operations, the type(s) of processed data and your respective rights under the data protection framework is made available below. OeNB staff members will find the relevant information on the OeNB’s intranet.
The following documents provide detailed information pursuant to Articles 13 and 14 GDPR on how the OeNB processes personal data:
- Access control system (PDF), 89 kB
- Accounting and controlling (PDF), 141 kB
- Appointment to managerial positions (PDF), 119 kB
- Balance of payments (BOP) reports (external statistics) (PDF), 62 kB
- Bank History Archives (PDF), 95 kB
- Call logging (telephone switchboard and security service) (PDF), 87 kB
- Cash authentication training (PDF), 87 kB
- Competition entries (PDF), 99 kB
- Contact platform for central bank research activities in the ESCB (PDF), 105 kB
- Counterfeit money database (PDF), 97 kB
- Documentation of monetary policy operations (PDF), 84 kB
- Education and training management (personnel development tool) (PDF), 118 kB
- Electronic communication systems and contact directories (PDF), 114 kB
- Event management (PDF), 120 kB
- Exchange of banknotes and coins (PDF), 92 kB
- Foreclosure statistics (PDF), 83 kB
- JVI supervision and course management (PDF), 119 kB
- Management activities and equity interest management (PDF), 179 kB
- Newsletter system (PDF), 103 kB
- Promotion of science and research by the OeNB (PDF), 124 kB
- Payment Systems (PDF), 120 kB
- Payment Systems – Eurosystems (Target2, T2S, TIPS) (PDF), 179 kB
- Photographs and videos (PDF), 98 kB
- Procurement and sales management including intra-group invoicing (PDF), 165 kB
- Record and document management system (EUREKA) (PDF), 114 kB
- Research activities in the field of economic education (PDF), 118 kB
- Security services – call logging (PDF), 83 kB
- Seizure Tracking Application (SETRA) (PDF), 103 kB
- Statistics Hotline ticketing system (PDF), 125 kB
- Treasury – call logging (PDF), 76 kB
- Video surveillance (PDF), 84 kB
- Visiting Research Program of the Economic Analysis and Research Department (PDF), 92 kB
- Whistleblower system (PDF), 111 kB