Privacy Policy

1. Preamble/General Information – Data processing in connection with your debit card or credit card as a processor for your bank

PSA takes on the role of the central service provider (processor) for Austrian banks and provides the technical systems for issuing cards and payment media on mobile phones (debit card mobile) and for processing transactions.

If you have any questions about the processing of personal data in connection with your debit card or credit card (e.g. as part of the issuing support for the debit cards and cash withdrawals), please contact your bank.

2. Who is responsible for data processing and who can you contact?

The party responsible for the processing of your data is

PSA Payment Services Austria GmbH (“PSA”)
Rennweg 46-50
1030 Vienna
https://www.psa.at/legal notice

If you have any questions, you can contact the Data Protection Officer by e-mail at privacy@psa.at or by post at PSA Payment Services Austria GmbH, c/o Data Protection, Rennweg 46-50, 1030 Vienna.

3. What data does PSA process as the responsible party?

We only collect the personal data necessary to perform and process our services or that you have voluntarily provided to us. As the responsible party, PSA processes personal data from:

  1. Suppliers and/or business partners and their employees as part of contract initiation and processing, or the development and continual further development of innovative payment solutions;
    •  “name”, “contact addresses”, “customer data”.
       
  2. People who call the 24-hour lost card hotline operated by PSA and their employees;
    •  “name”, “caller's card details”, “details for blocking the card”.
       
  3. Persons recorded as part of the video surveillance at ATMs serviced by PSA, whereby the video surveillance is only evaluated if ordered by the authorities when the occasion arises;
    •  “role of the person”, “image data”, “location and date of the recording”, “card data”.
       
  4. Card data in the context of legal, concessional and organizational obligations, such as to prevent money laundering and terrorist financing or to prevent fraud;
    •  “card data and security features”, “transaction data”, “device data”.
       
  5. Persons recorded as part of the video surveillance of the PSA office premises;
    •  “role of the person”, “image data”, “location and date of the recording”.
       
  6. Visitors to the website, provided the data protection conditions were accepted when the website was accessed.
    •  “cookies”, “anonymized IP address”, “device and device data”.

4. What sources does this data come from?

  1. Personal data from suppliers, business partners and their employees are collected in the course of contract initiation and processing (“name”, “contact addresses”, “customer data”).
  2. Personal data of persons who call the 24h lost card hotline operated by PSA is collected directly on the lost card hotline (“name”, “caller’s card data”, “details for blocking the card”).
  3. Personal data recorded as part of video surveillance at ATMs serviced by PSA is collected directly at the ATM (“role of the person”, “image data”, “place and date of the recording”, “card data”).
  4. Personal data in the context of legal, concessional and organizational obligations to fulfill legal obligations is collected directly at the ATM or on the device (“card data and security features”, “transaction data”, “device data”).
  5. Personal data recorded as part of video surveillance is collected directly at the PSA offices (“role of the person”, “image data”, “place and date of the recording”).
  6. Personal data of visitors to the website is collected directly when the website is accessed (“cookies”, “anonymized IP address”, “device and device data”).

5. For what purposes and on what legal basis is the data processed?

PSA processes personal data

to fulfill legal obligations (Art 6 Para 1 lit c GDPR)

  • This includes both statutory and regulatory obligations that PSA must observe as a payment service provider (e.g. reports to the Austrian Money Laundering Reporting Office in certain suspected cases in accordance with § 16 FM-GwG).
  • Data processing for the purpose of preventing, investigating or identifying cases of fraud in accordance with § 86 ZaDiG 2018.

to protect legitimate interests (Art 6 Para 1 lit f GDPR) through

  • measures to prevent and combat fraud (e.g. fraud transaction monitoring);
  • video surveillance to collect evidence of crimes or to prove funds committed (e.g. at ATMs, in the entrance area of offices/server rooms);
  • telephone recordings (e.g. when blocking cards);
  • measures to adjust the security of card payments;
  • operational monitoring to maintain payment transactions in Austria.


to fulfill contractual obligations (Art 6 Para 1 lit b GDPR);

within the scope of consent (Art 6 Para 1 lit a GDPR)

  • for the purposes stated in the consent.

A given consent can be revoked at any time effective for the future. To do so, contact us by e-mail at privacy@psa.at or by post at PSA Payment Services Austria GmbH, c/o Data Protection, Rennweg 46-50, 1030 Vienna.

Data processing or data transmissions that are necessary to fulfill the contract cannot be revoked.

6. Data transmission

Within PSA, only those employees will receive your data who require it to fulfill their contractual, legal and regulatory obligations as well as legitimate interests.

Processors commissioned by PSA (these are in particular IT service providers, payroll processors, etc.) will only process your data if they need it to perform their respective services. PSA contractually obligates its service providers to guarantee the confidentiality and security of personal data. If there is a legal or regulatory obligation, public bodies and institutions (e.g. courts, Austrian Financial Market Authority) may also receive your personal data.

If necessary, personal data will also be transmitted to bodies that pursue the prevention and/or clarification of payment card fraud in order to protect payment transactions from fraud and to ensure the security of the transaction and Austrian payment transactions.

We have taken the appropriate technical and organizational measures to protect your personal data. These measures include, in particular, measures to protect against unauthorized access to your personal data, as well as input, order processor and availability monitoring.  

7. How long is personal data stored?

Your personal data will be processed by PSA as long as PSA is obligated to do so according to legal retention and documentation obligations as outlined in the Payment Services Act (ZaDiG), the Business Code (UGB), the Federal Tax Code (BAO), the Banking Act (BWG), and the Financial Market Money Laundering Act (FM-GwG). In special cases (e.g. in the event of ongoing warranty obligations) data will be kept until the end of the statute of limitations or the time at which the case has been resolved.

8. What rights do I have as a data subject?

We would like to point out once again that rights and questions in connection with the processing of personal data on your debit card or credit card should primarily be directed to your bank as your contractual partner and party responsible for the data processing.

You have the right to information, correction, deletion or restriction of the processing of your stored data at any time, a right to object to processing and a right to data portability in accordance with the requirements of the GDPR.

To do so, contact us by e-mail at privacy@psa.at or by post at PSA Payment Services Austria GmbH, c/o Data Protection, Rennweg 46-50, 1030 Vienna. You can address complaints to the Austrian Data Protection Authority, Barichgasse 40-42, 1030 Vienna.

9. Am I obligated to provide data?

In order to block cards, prevent fraud, fulfill legal obligations or process a contractual relationship, it is necessary to process personal data. If you do not provide us with this data, it will generally not be possible to process a transaction or block a card.

To clarify, we want to state that you are not obligated to provide your consent to data processing with regard to data that is not relevant or that is not required by law and/or regulation.

10. Information about automated decision making including profiling

PSA does not process personal data in automated decision-making processes. 

11. Updating data protection information

This data protection information can be updated without prior notice to reflect legal changes or changes in the processes of processing personal data. In the event of a change, PSA will inform you with a notice on the website. 

12. Information on the use of the PSA website (web analysis) 

Our websites use Google Analytics, a web analytics service provided by Google Ireland Ltd (“Google”). Google Analytics uses “cookies”, text files that are saved on your computer and enable an analysis of your use of the website. We process your data on the basis of our overriding legitimate interest in order to create easy-to-use website access statistics in a cost-effective manner.

The information generated by the cookie about your use of our websites is transmitted to Google servers in the USA and stored there. Our websites use the IP anonymization option offered by Google Analytics. Google will not combine the IP address transmitted by your browser as part of Google Analytics with other data. We do not save any of your data that is collected in connection with Google Analytics.

You can prevent the storage of cookies by setting your browser software accordingly. In this case you may not be able to use all of the functions of our website to their full extent.

You can find more information on Google's terms of use, the Google data protection declaration and options for opting out at
https://policies.google.com/terms?hl=en or
https://policies.google.com/?hl=at&gl=en and
https://support.google.com/analytics/answer/181881?hl=en