Data protection

Information on the protection of personal data

Personal data are personal details or other information about identified or identifiable individuals, including data about their Internet surfing and communication activities. Anonymous data, i.e. information which cannot be linked to the identity of an individual (not even via a specific identification number such as an IP address), are not considered personal data (e.g. information on most frequently visited websites or the number of visitors to a website). The OeNB processes personal data in line with the provisions laid down in the General Data Protection Regulation (GDPR) and the Austrian Data Protection Act (DSG).

Data protection officer

The OeNB’s Data Protection Officer is Bernhard Horn. You can contact him via the Contact section below.

Data security

The OeNB takes all necessary technical and organizational security measures to protect your personal data against loss and misuse. Your data will be processed in a secure, state-of-the-art operating environment. The OeNB’s IT infrastructure is certified under the international ISO 9001 and 27001 standards.

Access to the OeNB’s websites is secured via HTTPS. This means that communication between your browser and the OeNB’s servers is encrypted. If you wish to contact the OeNB or its employees by e-mail, please note that, given the technical configuration of e-mail protocols, the confidentiality of e-mail information cannot be guaranteed. The content of unencrypted e-mails can be viewed by third parties unless special security measures are taken. We therefore recommend using only the contact form or any other secure mode of transfer (see to transmit confidential information.

Transfer of personal data to third countries

The OeNB uses website support services offered by providers that are established, or whose parent companies are established, in third countries outside the EEA (in particular Google LLC, headquartered in the USA) to optimize its websites. Where such services are used, it cannot be ruled out that personal data are transferred to a third country within the meaning of the GDPR.

For users of Google services based in Europe, the data controller responsible is Google Ireland Limited (Gordon House, Barrow Street Dublin 4, Ireland). It cannot be excluded, however, that Google Ireland Limited transfers your personal data to servers run by its head office in the USA, i.e. Google LLC (1600 Amphitheatre Parkway, Mountain View, CA 94043), or may have to disclose your personal data to US authorities or US intelligence services under the US CLOUD Act. The Court of Justice of the European Union classifies the USA as a third country that does not ensure a level of data protection corresponding to European standards. In particular, there is the risk that, under US law, service providers must disclose personal data to US authorities or US intelligence services for surveillance purposes without data subjects being adequately legally protected. Pursuant to Article 49 para 1 lit a GDPR, you therefore need to consent to transfers of your personal data to service providers in third countries in order for the respective website support services to be put to use. You can give, make changes to or withdraw your consent in the cookie consent banner.

Right to object

According to Article 21 GDPR, you have the right to object, on grounds relating to your particular situation, at any time to the processing of your personal data carried out by the OeNB on the basis of its legal mandate, as laid down in the Federal Act on the Oesterreichische Nationalbank (Nationalbank Act; Article 6 para 1 lit e GDPR), or for the purposes of its legitimate interests (Article 6 para 1 lit f GDPR). For further details, please refer to the section “Your rights as a data subject”.

Right to withdraw your consent at any time

You have the right to withdraw your consent to any consent-based processing of your personal data at any time. Withdrawing your consent will be without prejudice to the lawful use of personal data collected up to the point of consent withdrawal (Article 7 para 3 GDPR).