Privacy Policy

1. PSA is the processor for your bank in connection with data processing for your debit card or credit card

PSA performs the role of central service provider (processor) on behalf of Austrian banks, thereby providing technical systems to support the issuing of cards, payment media for mobile phones (e.g. debit card mobile) and the processing of transactions.

If you have any questions concerning the processing of personal data in connection with your debit card or credit card (e.g. in connection with payments using debit cards and cash withdrawals), we ask you to contact your bank.

2. Who is responsible for data processing? Who can you turn to?

The organisation responsible for processing your data is:

PSA Payment Services Austria GmbH (‘PSA’)
Handelskai 92, Gate 2
1200 Vienna

Email: office@psa.at
https://www.psa.at/impressum

If you have any questions on data protection or wish to assert your rights, please email privacy@psa.at or write to PSA Payment Services Austria GmbH, z.H. Datenschutz, Handelskai 92, Gate 2, 1200 Vienna.

You can also contact our Data Security Officer by emailing datenschutz@psa.at or writing to PSA Payment Services Austria GmbH, Handelskai 92, Gate 2, 1200 Vienna.

3. As the responsible entity, what data does PSA process, and for what purpose?

We only collect personal data required for the implementation and processing of our services, and data which you voluntarily provide to us. As the responsible entity, PSA processes the personal data of:

  1. Contracting partners and their employees in the context of the initiation and processing of contracts or the development and ongoing enhancement of payment solutions for the purpose of fulfilling specific contractual obligations;
    • Data processed: ‘name’, ‘contact details’, ‘customer data’, ‘credit rating information’ and ‘extracts from WiEReG’ (Beneficial Owners Register Act)
    • Legal basis: Fulfilment of contractual obligations (in accordance with article 6 subsection 1(b) of the GDPR) and legitimate interests (article 6 subsection 1(f) of the GDPR), namely the upholding of location-independent communications and the maintenance of business contacts and the economic advancement of PSA.
  2. Participants in events organised by PSA and associated activities relating to the organisation of such events (forwarding of personalised invitations and correspondence with participants);
    • Data processed: ‘name’, ‘contact details’, ‘affiliated company’
    • Legal basis: legitimate interests (article 6 subsection 1(f) of the GDPR), namely information/event management and efficient internal and external communications in this regard.
  3. Persons recorded in the context of video surveillance at ATM machines operated by PSA for the purpose of collecting evidence of criminal offences or ensuring compliance with ordinances, whereby video surveillance footage will only be evaluated by official decree in case of an emergency;
    • Data processed: ‘role of the individual’, ‘image data’, ‘place and date of recording’
    • Legal basis: Fulfilment of contractual obligations (article 6 subsection 1(b) of the GDPR), compliance with legal obligations (article 6 subsection 1(c) of the GDPR) and legitimate interests (article 6 subsection 1(f) of the GDPR), namely an interest in the prevention of theft, burglary, misuse of non-cash payment means and criminal property damage and the preservation of evidence to enforce legal claims and report to the police.
  4. Card data in the context of legal and supervisory obligations aimed at preventing money laundering and the financing of terrorism as well as fraud, and at facilitating reports to the Austrian Financial Intelligence Unit of the Criminal Intelligence Service (BKA) in certain suspected cases in line with article 16 of the FM-GwG (Financial Markets Anti-Money Laundering Act);
    • Data processed: ‘card data’, ‘transaction data’, ‘device data’
    • Legal basis: fulfilment of contractual obligations (in accordance with article 6 subsection 1(c) of the GDPR) and legitimate interests (article 6 subsection 1(f) of the GDPR), namely the prevention of money laundering, the financing of terrorism and fraud.
  5. Persons recorded in the context of video surveillance on the office premises of PSA with a view to protecting the property of PSA as well as third-party data stored by PSA;
    • Data processed: ‘role of the individual’, ‘image data’, ‘place and date of recording’
    • Legal basis: legitimate interests (article 6 subsection 1(f) of the GDPR), namely the protection of property and data stored by PSA as well as the assertion and enforcement of claims under civil law.
  6. Personal data from possible crimes within the meaning of the HschG (Whistleblower Protection Act) as part of the whistleblower system.

4. Data directly collected from affected parties

  1. Personal data of contracting partners and their employees is collected in the context of the initiation and processing of contracts (‘name’, ‘contact details’, ‘customer data’).
  2. In the context of participation in events organised by PSA, the personal data of event participants is collected through notification by the respective organisation (e.g. bank) at which the person is employed (‘name’, ‘contact details’, ‘affiliated company’).
  3. Personal data in the context of video surveillance at ATM machines operated by PSA is collected at the actual ATMs (‘role of the individual’, ‘image data’, ‘place and date of recording’).
  4. Personal data in the context of fulfilling legal and supervisory obligations is collected via the actual ATM or device (‘card data’, ‘transaction data’, ‘device data’).
  5. Personal data in the context of video surveillance on the office premises is collected in the actual offices of PSA (‘role of the individual’, ‘image data’, ‘place and date of recording’).

5. Data not collected directly from affected parties

Personal data from contracting partners is also collected from third parties (‘Credit rating information and extracts from WiEReG’).

6. Processor

Processor

The processors commissioned by PSA process your data where necessary to perform their specific services. PSA contractually obliges its processors to uphold the confidentiality and security of all personal data. At present, PSA uses the following processors:

  • Antares NetlogiX Netzwerkberatung GmbH
  • TogetherSecure GmbH

We have taken suitable technical and organisational steps to protect your personal data. In particular, these measures include provisions to guard against unauthorised access of any kind to your personal data alongside controls on data entry, processing and availability.

MS Teams

PSA offers the option of communicating via Microsoft Teams, a video conferencing tool supplied by Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown Dublin 18, Ireland (‘Microsoft Ireland’).

When you use Microsoft Teams, it is possible that personal data may be transmitted to the USA. In order to comply with the requirements of article 46ff of the GDPR, Microsoft Ireland has concluded standard data protection clauses with group sub-processors headquartered in third countries.

For more information on data processing in connection with the use of Microsoft Teams and the Data Protection Addendum agreed between ourselves and Microsoft, please visit:

https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA

Using Microsoft Teams is not a requirement for communicating with PSA. As an alternative, PSA offers personal meetings and telephone conferences. Where Microsoft Teams is used for communication, Microsoft Ireland will act as processor. For this reason, data is processed on the basis of the fulfilment of contractual obligations (article 6 subsection 1(b) of the GDPR).

Recipient

Due to legal obligations that serve to detect criminal offenses, to prevent money laundering and terrorist financing and to combat fraud and criminal offenses within the meaning of the HschG, data may be sent to the following recipients:

  • Law enforcement agencies/courts
  • Austrian Financial Intelligence Unit of the Criminal Intelligence Service (BKA).

7. Clarification regarding website analysis

To avoid the potential transfer of personal data to third countries, PSA deliberately decided against utilising Google Analytics. Instead, PSA cooperates with Matomo to prevent any processing at all of personal data.

This is achieved by ensuring the last six digits of the IP addresses of website visitors are not recorded and so cannot be linked to any individual. From the analysis data, we can only determine from where the website is specifically accessed (i.e. from which federal state).

8. For how long is personal data stored?

  • Contract processing: 7 years
  • Events: 7 years
  • Video surveillance at ATM machines: 90 days
  • Legal obligation in accordance with the FM-GwG (Financial Markets Anti-Money Laundering Act): 10 years
  • Video surveillance on office premises: 72 hours
  • In connection with the whistleblower system: five years and longer, at least as long as the implementation of administrative or judicial proceedings that have already been initiated or an investigation according to the StPO (Code of Criminal Procedure) is necessary. Log data from processing operations actually carried out, in particular changes, queries and transmissions relating to these processing operations, must be stored by the responsible person from their last processing or transmission until three years after the retention obligation no longer applies.

9. As an affected person, what are my rights?

We would like to remind you that in the first instance, questions concerning rights in connection with the processing of personal data linked to your debit card or credit card should be addressed to your bank as your contractual partner and the entity responsible for data processing.

At all times, you have the right to be informed of the data we store; you also have the right to the rectification or deletion of such data, and to restrict or object to the processing thereof (where data is processed on the basis of a public interest or to uphold a legitimate interest). Furthermore, you have the right to data portability in accordance with the requirements of data protection law.

To this end, please email privacy@psa.at or write to PSA Payment Services Austria GmbH, z.H. Datenschutz, Handelskai 92, Gate 2, 1200 Vienna.

In the unlikely event that your right to the lawful processing of your data is breached in spite of our duty to process your data in line with legal requirements, please contact us by post or email as shown above so that we can address your concerns.

You also have the right to lodge a complaint with the Austrian data protection authority (Österreichische Datenschutzbehörde, Barichgasse 40-42, 1030 Vienna) or another data supervisory authority within the European Union (especially in the place where you live or work).

10. Am I obliged to supply data?

Although you are not legally obliged to supply us with data, we may be unable to provide services for you if you decline to provide us with your data.

Where data processing is performed with your consent, you may permanently revoke your consent at any time. To do so, please email privacy@psa.at or write to PSA Payment Services Austria GmbH, z.H. Datenschutz, Handelskai 92, Gate 2, 1200 Vienna. However, please note that without your consent, we are unable to provide services.

11. Information on automated decision-making, including profiling

PSA does not process personal data as part of automated decision-making processes; no profiling is performed.

12. Updating of data protection information

Owing to rapid developments in technology, legislation and case law, it may be necessary to amend this privacy policy from time to time. For this reason, please be sure to refer to the current version on our web site.

Compliance

1. Code of Conduct

The PSA Code of Conduct defines the ethical and legal framework within which PSA and its employees act and strive for success. It contains the basic principles and rules for behaviour within the company and in relationships with external partners and the public.

It explains how we perceive our ethical and legal responsibilities as a company and is an expression of our company values:

  • Professional
  • Secure
  • Credible
  • Innovative
  • Respectful

The code of conduct adapts to new or changed legal framework conditions. It is intended to strengthen awareness of good legal and moral judgement as an integral part of our entrepreneurial activity.

2. Whistleblowing

You can use the anonymous whistleblower system (“whistleblower platform”) to submit anonymous reports on the following legal violations (see Section 3 HSchG and Section 40 FM-GwG):

  • Financial services, financial products and financial markets as well as prevention of money laundering and terrorist financing
  • Internal violations of the Financial Market-Money Laundering Act (FM-GwG)
  • Environmental protection
  • Consumer protection
  • Protection of privacy and personal data as well as security of network and information systems
  • Union rules on competition and state aid (“Antitrust, Competition and State Aid Law”)
  • Prevention and punishment of criminal offenses in accordance with Sections 302 to 309 of the StGB (German Criminal Code) ("Corruption")
  • Product security and product compliance
  • Public procurement
  • Road safety
  • Radiation protection and nuclear safety
  • Food and feed safety, animal health and animal welfare
  • Public health
  • Violations of the law to the detriment of the financial interests of the Union
  • Violation of internal market regulations and corporate tax regulations

Reports must contain specific information about the facts of the crime and should be truthful. If you are not sure whether the facts you have reported are true, we ask you to mark them as a suspicion.

Anonymous whistleblowers are entitled to protection (Section 6 HSchG). Each report is reviewed for validity unless the report does not fall within the scope of the law or the report does not contain any evidence of validity. Obviously false reports will be rejected by PSA and prosecuted legally.

If you intend to submit a report in this regard, you can access PSA's protected reporting channel via the following link:
https://psa.hitguard.at/cmwb

The relevant data protection declaration can be found under data protection, in particular under points 3.6., 6. and 8.