1. PSA is the processor for your bank in connection with data processing for your debit card or credit card
PSA performs the role of central service provider (processor) on behalf of Austrian banks, thereby providing technical systems to support the issuing of cards, payment media for mobile phones (e.g. debit card mobile) and the processing of transactions.
If you have any questions concerning the processing of personal data in connection with your debit card or credit card (e.g. in connection with payments using debit cards and cash withdrawals), we ask you to contact your bank.
2. Who is responsible for data processing? Who can you turn to?
The organisation responsible for processing your data is:
PSA Payment Services Austria GmbH (‘PSA’)
Handelskai 92, Gate 2
If you have any questions on data protection or wish to assert your rights, please email email@example.com or write to PSA Payment Services Austria GmbH, z.H. Datenschutz, Handelskai 92, Gate 2, 1200 Vienna.
You can also contact our Data Security Officer by emailing firstname.lastname@example.org or writing to PSA Payment Services Austria GmbH, Handelskai 92, Gate 2, 1200 Vienna.
3. As the responsible entity, what data does PSA process, and for what purpose?
We only collect personal data required for the implementation and processing of our services, and data which you voluntarily provide to us. As the responsible entity, PSA processes the personal data of:
4. Data directly collected from affected parties
5. Data not collected directly from affected parties
Personal data from contracting partners is also collected from third parties (‘Credit rating information and extracts from WiEReG’).
The processor commissioned by PSA processes your data where necessary to perform their specific services. PSA contractually obliges its processors to uphold the confidentiality and security of all personal data. At present, PSA uses the following processor:
We have taken suitable technical and organisational steps to protect your personal data. In particular, these measures include provisions to guard against unauthorised access of any kind to your personal data alongside controls on data entry, processing and availability.
PSA offers the option of communicating via Microsoft Teams, a video conferencing tool supplied by Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown Dublin 18, Ireland (‘Microsoft Ireland’).
When you use Microsoft Teams, it is possible that personal data may be transmitted to the USA. In order to comply with the requirements of article 46ff of the GDPR, Microsoft Ireland has concluded standard data protection clauses with group sub-processors headquartered in third countries.
For more information on data processing in connection with the use of Microsoft Teams and the Data Protection Addendum agreed between ourselves and Microsoft, please visit:
Using Microsoft Teams is not a requirement for communicating with PSA. As an alternative, PSA offers personal meetings and telephone conferences. Where Microsoft Teams is used for communication, Microsoft Ireland will act as processor. For this reason, data is processed on the basis of the fulfilment of contractual obligations (article 6 subsection 1(b) of the GDPR).
Due to legal obligations that serve to detect criminal offenses, to prevent money laundering and terrorist financing and to combat fraud and criminal offenses within the meaning of the HSchG, data may be sent to the following recipients:
7. Clarification regarding website analysis
To avoid the potential transfer of personal data to third countries, PSA deliberately decided against utilising Google Analytics. Instead, PSA cooperates with Matomo to prevent any processing at all of personal data.
This is achieved by ensuring the last six digits of the IP addresses of website visitors are not recorded and so cannot be linked to any individual. From the analysis data, we can only determine from where the website is specifically accessed (i.e. from which federal state).
8. For how long is personal data stored?
9. As an affected person, what are my rights?
We would like to remind you that in the first instance, questions concerning rights in connection with the processing of personal data linked to your debit card or credit card should be addressed to your bank as your contractual partner and the entity responsible for data processing.
At all times, you have the right to be informed of the data we store; you also have the right to the rectification or deletion of such data, and to restrict or object to the processing thereof (where data is processed on the basis of a public interest or to uphold a legitimate interest). Furthermore, you have the right to data portability in accordance with the requirements of data protection law.
To this end, please email email@example.com or write to PSA Payment Services Austria GmbH, z.H. Datenschutz, Handelskai 92, Gate 2, 1200 Vienna.
In the unlikely event that your right to the lawful processing of your data is breached in spite of our duty to process your data in line with legal requirements, please contact us by post or email as shown above so that we can address your concerns.
You also have the right to lodge a complaint with the Austrian data protection authority (Österreichische Datenschutzbehörde, Barichgasse 40-42, 1030 Vienna) or another data supervisory authority within the European Union (especially in the place where you live or work).
10. Am I obliged to supply data?
Although you are not legally obliged to supply us with data, we may be unable to provide services for you if you decline to provide us with your data.
Where data processing is performed with your consent, you may permanently revoke your consent at any time. To do so, please email firstname.lastname@example.org or write to PSA Payment Services Austria GmbH, z.H. Datenschutz, Handelskai 92, Gate 2, 1200 Vienna. However, please note that without your consent, we are unable to provide services.
11. Information on automated decision-making, including profiling
PSA does not process personal data as part of automated decision-making processes; no profiling is performed.
12. Updating of data protection information
1. Code of Conduct
The PSA Code of Conduct defines the ethical and legal framework within which PSA and its employees act and strive for success. It contains the basic principles and rules for behavior within the company and in relationships with external partners and the public.
They explain how we perceive our ethical and legal responsibilities as a company and are an expression of our company values:
The code of conduct adapts to new or changed legal framework conditions. It is intended to strengthen awareness of good legal and moral judgement as an integral part of our entrepreneurial activity.
You can use the anonymous whistleblower system (“whistleblower platform”) to submit anonymous reports on the following legal violations (see Section 3 HSchG and Section 40 FM-GwG):
Reports must contain specific information about the facts of the crime and should be truthful. If you are not sure whether the facts you have reported are true, we ask you to mark them as a suspicion.
Anonymous whistleblowers are entitled to protection (Section 6 HSchG). Each report is reviewed for validity unless the report does not fall within the scope of the law or the report does not contain any evidence of validity. Obviously false reports will be rejected by PSA and prosecuted legally.
If you intend to submit a report in this regard, you can access PSA's protected reporting channel via the following link:
The relevant data protection declaration can be found under data protection, in particular under points 3.6., 6. and 8.