Information on Data Protection and Data Processing

This page contains information on the protection of your personal data as regulated by the General Data Protection Regulation (GDPR).

1. Who is the data controller?
Erste Social Finance Holding GmbH
Am Belvedere 1, 1100 Vienna

Contact for data protection-related inquiries: contact@erstesocialfinance.com

2. Who is the Data Protection Officer?
Gregor König, Erste Group Bank AG, Am Belvedere 1, 1100 Vienna, datenschutz@erstegroup.com

3. For what purposes and on what legal bases will my personal data be processed?
We are a financial institution according to Article 4 (1) 26 of the EU Capital Adequacy Regulation offering financing. We finance female entrepreneurs, social organizations (e.g., NGOs), and social entrepreneurs through loans and other innovative financial instruments (e.g., subordinated loans). We also offer support services that serve to build up the knowledge of companies and organizations. We process your personal data within the scope of these activities.

Processing for the performance of a contract or of pre-contractual measures taken upon your request.
The services we are called upon to provide for you will depend on the contract in question. The scope of data processing can be found in the contract documents.

Processing to satisfy a legal obligation
Legal regulations also require us to process your personal data, e.g., the Austrian Commercial Code (UGB), the EU Capital Adequacy Regulation, and the Financial Market Money Laundering Act. This applies to:

  • Risk management, especially credit risk and operational risk
  • Identity determination, reporting of suspicious activities, compliance with sanction regulations
  • Accounting, controlling, and compliance with tax regulations
  • Information to public prosecutors, law courts, tax penalty authorities

Processing due to legitimate interests
A legitimate interest for data processing by us or third parties exists in the following cases:

  • Measures to protect employees, customers, and ESFH property
  • Exercising or defending rights
  • Preventing and combatting fraud as well as preventing money laundering and terrorist funding
  • Documentation of past damage cases as a decision-making aid for entering into new or extended customer relationships
  • Improving data quality
  • Ensuring the security of IT and IT operations
  • Measures for business, sales and group management, such as customer segmentation, reorganisation and associated customer analyses, avoidance of advertising for products already in use as well as the general direction of the business strategy and product portfolio. This also includes the development of data models for such measures.
  • Measures for process and quality management: We collect data on our processes and services on an event-driven basis. We use these data to ensure the quality of our services, compliance with our service standards and the efficiency of our processes.
  • Selection to evaluate satisfaction with the services and products we offer
  • Product development using, inter alia, data models
  • Creation of synthetic or anonymised data for testing purposes (in limited cases it may also be necessary to use real data for testing purposes)
  • If you send us a file containing a digital signature or a digital seal, we will transmit this document to a validation service (e.g. signature verification service of “Rundfunk und Telekom Regulierungs-GmbH” – the radio and telecommunications regulatory company) for signature/seal verification.
  • If we provide a document that contains your data with our digital signature, we will transmit the document to a trust service provider (e.g. A-Trust).

Processing based on consent
If there is neither a contract nor a legal obligation or a legitimate interest, processing the data may still be lawful if you have given us your consent to do so. The scope and content of this data processing will invariably depend on the consent given in a certain case. You can withdraw your consent at any time for the future. The withdrawal of consent shall, however, not affect the lawfulness of processing before the withdrawal of consent. This means that withdrawal of consent shall not be effective for the past.

Processing for statistical purposes
We also process your personal data for statistical purposes in accordance with Article 7 of the Austrian Data Protection Act.

4. Will data other than those collected from me be processed?
Most of your personal data that we process will have been provided by you. However, your data may also originate from other sources:

For the categories of data and data processing mentioned above, the other explanations in this information sheet shall also apply (except for item 3.)

5. Am I obliged to provide my personal data? What will happen if I do not want to do so?
Our business relationship requires us to process a considerable amount of your personal data. Where required by contract or legal regulation, we must process your personal data. If you do not wish us to do so, we may unfortunately be unable to provide certain services. If we process your data solely on the basis of your consent, you are not obliged to give this consent or to provide the data.

6. Is there any automated decision-making, including profiling?
If automated decision-making, including profiling, takes place in the course of a specific processing operation, you will be informed of this in advance.

7. To whom will my personal data be disclosed?
Your personal data may be disclosed to:

  • Partners of ESFH (e.g., ERSTE Foundation, etc.) in connection with additional support services you may require, or to measure satisfaction and impact.
  • Credit institutions, bodies and persons within the network of Sparkasse savings banks, Erste Bank and Erste Group who require the data for contractual, legal or regulatory duties as well as for legitimate interests.
  • Public authorities and institutions, as well as persons acting on behalf of public authorities, insofar as we are legally obliged to do so or in order to protect our legitimate interests, e.g., tax authorities, etc.
  • Processors and other service providers (controllers) commissioned by us, e.g. for IT, back office, legal and tax advice, chartered accountants and collection companies, to the extent they require the data for their tasks.
  • Bank auditors and auditors of annual financial statements, insofar as this is necessary for the auditing activity
  • Third parties, if this is mandatory for the fulfilment of the contract or legal provisions
  • Validation services, e.g. Rundfunk und Telekom Regulierungs-GmbH (the radio and telecommunications regulation company), to the extent this is necessary to verify a digital signature or digital seal transmitted by you.
  • Trust service providers, e.g. A-Trust, if we provide a document containing your data with our digital signature.

Disclosure to third parties may also take place if you have consented to the disclosure and for the period of your valid consent. A list containing an overview of potential recipients can be found here.

8. Will my data be transferred to a third country?
Your personal data may be transferred to a third country in the following cases:

  • This is necessary in order to assert, exercise or defend legal claims or there is a legal obligation, e.g. at the request of the authorities under a mutual legal assistance agreement.
  • This is necessary for your contract or for pre-contractual measures
  • Our processors and sub-processors may be located in third countries. Unless the transfer is based on an adequacy decision of the European Commission, we will transfer the data on the basis of appropriate or suitable safeguards. We will be happy to provide you with these on request.

In other cases where data is transferred to a third country, you will be informed separately.

A list containing an overview of potential recipients in third countries can be found here. 

9. How long will my personal data be stored?
Your personal data will be stored for as long as necessary for the respective purpose: This may be for the duration of the customer relationship, pending legal proceedings, the existence of a claim, or if required by law. Storage may also be necessary if you are no longer our customer.

The legal provisions that are essential for us include, for example:

  • Austrian Commercial Code, Article 212 (7 years)
  • Federal Tax Code, Article 132 (7 years or for the duration of tax proceedings)
  • Financial Market Money Laundering Act, Article 21 (10 years from the end of the business relationship)

An overview of other statutory retention obligations applicable in Austria can be found here.

10. What are my rights?
The GDPR grants you certain rights regarding your personal data. You have the right to: information, rectification, erasure, restriction, data portability, objection, and decisions that are not based solely on automated processing, including profiling.

Regardless of which right you wish to assert, please submit your application preferably:

  • By letter, signed by hand and accompanied by a copy of your ID, to
    Erste Social Finance Holding GmbH
    Am Belvedere 1, 1100 Vienna
  • By email, ideally with a qualified electronic signature, to contact@erstesocialfinance.com

Please understand that in case of doubt we may request further information about your identity. This also serves your own protection by preventing unauthorised persons from accessing your data.

We will provide you with the relevant information about the measures without delay, within one month of receiving your request. The deadline may be extended by a further two months if this is necessary due to the complexity and number of requests. However, we will inform you within one month of receiving your request about any possible extension of the deadline and the reasons for it.

If you do not receive a timely response to a request, or if you believe that we have not complied with your request in accordance with the law, or if you feel that your right to data protection has been violated, you can also lodge a complaint with the competent supervisory authority:

Austrian Data Protection Authority
Barichgasse 40-42, 1030 Wien
https://www.dsb.gv.at

Version dated: February 2025

Credits and legal notice: Owned, produced, published and edited: Erste Social Finance Holding GmbH
Postal address: Am Belvedere 1, 1100 Vienna