Privacy Policy

1. For data processing related to your debit/Bankomat® card or credit card, PSA is generally the processor on behalf of your bank (except for occasional card transactions as per item 3.4.).

PSA acts as the central service provider (processor) for Austrian credit institutions, providing the technical systems for card issuance, payment media on mobile phones (e.g., Bankomat® mobile card), and for processing transactions.

If you have questions about the processing of personal data in connection with your debit/Bankomat® card or credit card, for example, in the context of payments with Bankomat® cards and cash withdrawals, please contact your bank.
 

2. Who is responsible for data processing and who can you contact?

The party responsible for the processing of your data is

PSA Payment Services Austria GmbH (‘PSA’)
Handelskai 92, Gate 2
1200 Vienna

Email: office@psa.at
https://www.psa.at/impressum

For questions about data protection or to exercise data subject rights, please contact us by email at privacy@psa.at or by mail at PSA Payment Services Austria GmbH, Attn: Data Protection, Handelskai 92, Gate 2, 1200 Vienna.
You can reach our Data Protection Officer at the email address datenschutz(at)psa.at or by mail at PSA Payment Services Austria GmbH, Handelskai 92, Gate 2, 1200 Vienna.
 

3. What data is processed by PSA as the responsible party and for what purpose?

Only personal data that is necessary for the performance and processing of our services, or that you have voluntarily provided to us, is collected. PSA processes personal data as the responsible party from:

  1. Contractual partners and their employees in the context of contract initiation and execution or the development and continuous improvement of payment solutions to fulfill the respective contractual obligations;
    • Processed data: "name", "contact details", "customer data", "credit reports and WiEReG reports"
    • Legal basis: fulfillment of contractual obligations (Art 6 para 1 lit b GDPR), legitimate interests (Art 6 para 1 lit f GDPR), namely maintaining remote communication and managing business contacts, as well as the economic progress of PSA.
       
  2. Participants in events organized by PSA and related activities for organizing these events (sending personalized invitations and correspondence with participants);
    • Processed data: "name", "contact details", "associated company"
    • Legal basis: legitimate interests (Art 6 para 1 lit f GDPR), namely managing information and events efficiently, as well as internal and external communication in these matters.
       
  3. Persons recorded during video surveillance at Bankomat® ATMs operated by PSA as the responsible party to collect evidence in criminal cases or to prove transactions, with video surveillance evaluation only occurring upon official order in specific cases;
    • Processed data: "role of the person", "image data", "location and date of recording"
    • Legal basis: fulfillment of contractual obligations (Art 6 para 1 lit b GDPR), fulfillment of legal obligations (Art 6 para 1 lit c GDPR), legitimate interests (Art 6 para 1 lit f GDPR), namely the interest in preventing theft, burglary, misuse of non-cash payment methods, property damage, and securing evidence to enforce legal claims and file police reports.
       
  4. Cardholders during occasional card transactions in the course of cash withdrawals at Bankomat® ATMs operated by PSA outside of a framework agreement due to contract fulfillment under ZaDiG 2018.
    • Processed data: "card data", "transaction data", "device data";
    • Legal basis: fulfillment of contractual obligations (Art 6 para 1 lit c GDPR).
       
  5. Cardholders during individual payments in the course of cash withdrawals within the Austrian Bankomat® system outside of a framework agreement due to legal and regulatory obligations to prevent money laundering and terrorist financing, as well as reporting to the Financial Intelligence Unit of the Federal Criminal Police Office in certain suspected cases under § 16 FM-GwG;
    • Processed data: "card data", "transaction data", "device data";
    • Legal basis: fulfillment of legal obligations (Art 6 para 1 lit c GDPR), namely the prevention of money laundering and terrorist financing.
       
  6. Persons recorded during video surveillance in PSA's office premises to protect PSA's property and the data of third parties stored at PSA;
    • Processed data: "role of the person", "image data", "location and date of recording"
    • Legal basis: legitimate interests (Art 6 para 1 lit f GDPR), namely property protection and the protection of data stored at PSA, as well as asserting and enforcing civil law claims.
       
  7. In the context of operating PSA websites to analyze user behavior and to integrate social media services (e.g., YouTube);
    • PSA uses cookies on its homepage. Depending on the cookie settings, the processed personal data varies. Cookies are small text files that serve to determine the frequency of use and the number of users of our website. You also have the option of giving separate consent to the type and scope of the cookies used on our website via the cookie banner that opens upon your first visit to the website and can be reopened at any time via a link in the footer. Please note that certain cookies are required for the website to display correctly. These essential cookies do not contain personal data and are not optional. Furthermore, additional cookies, especially for preferences, statistics, and marketing, are only used with your consent. The settings made and any consents given can be adjusted or revoked at any time by reopening the cookie banner. Details about these cookies and the ability to change your cookie settings can be found at: https://www.psa.at/  
    • Legal basis: consent (Art 6 para 1 lit a GDPR).
       
  8. Data you provide to us via the contact form:
    • First name, last name, email address, and other data you provide; for business customers additionally: company and telephone number
    • Legal basis: consent (Art 6 para 1 lit a GDPR), legitimate interests (Art 6 para 1 lit f GDPR)
       

4. Data collected directly from the data subjects

  1. Personal data from contractual partners and their employees are collected in the context of contract initiation and execution ("name", "contact data", "customer data").
  2. Personal data from event participants are collected in the context of participating in events organized by PSA through communication by the respective company (e.g., credit institution) where the person is employed ("name", "contact data", "associated company").
  3. Personal data in the context of video surveillance at Bankomat® ATMs operated by PSA as the responsible party are collected directly at the ATM ("role of the person", "image data", "location and date of recording").
  4. Personal data in the context of fulfilling legal and regulatory obligations are collected directly at the ATM or the device ("card data", "transaction data", "device data").
  5. Personal data in the context of video surveillance in the office premises are collected directly in the office premises of PSA ("role of the person", "image data", "location and date of recording").
  6. Personal data in the context of occasional card transactions through cash withdrawals at Bankomat® ATMs operated by PSA outside of a framework agreement are collected directly at the ATM ("card data", "transaction data", "device data").
  7. Personal data in the context of operating PSA websites are collected during the data subjects' visits to the PSA websites. Depending on the cookie settings, the personal data processed varies. Details about these cookies and how to change your cookie settings can be found at: https://www.psa.at/
     

5. Data that is not collected directly from the data subject

Personal data of contractual partners are also collected from third parties ("credit reports and WiEReG reports").
 

6. Processor

Processor

Processors commissioned by PSA will only process your data if they need it to perform their respective services. PSA contractually obligates its service providers to guarantee the confidentiality and security of personal data. PSA currently uses the following processors:

  • Antares NetlogiX Netzwerkberatung GmbH
  • World-Direct eBusiness solutions GmbH
  • iProspect GmbH
  • Merkle Germany GmbH
  • Hubspot Inc.
  • Worldline Schweiz AG
  • A1 Telekom Austria AG
  • CANCOM Austria GmbH (previously K-Businesscom)

We have taken the appropriate technical and organizational measures to protect your personal data. These measures include, in particular, measures to protect against unauthorized access to your personal data, as well as input, processor and availability monitoring.

MS Teams

PSA offers the option to communicate via "Microsoft Teams." This is a video conferencing tool provided by Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland (in short: Microsoft Ireland).

When using "Microsoft Teams," personal data may be transmitted to the USA. Microsoft Ireland has concluded standard data protection clauses with its corporate sub-processors located in third countries to comply with the requirements of Art. 46 ff GDPR.

Further information on data processing in connection with the use of "Microsoft Teams" and the Data Protection Addendum agreed to between PSA and Microsoft can be found at:

https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA

The use of "Microsoft Teams" is not a prerequisite for communicating with PSA. Alternatively, PSA offers in-person meetings and telephone conferences. If communication occurs via "Microsoft Teams," Microsoft Ireland becomes the processor. Data processing is therefore based on the fulfillment of contractual obligations (Art. 6 para. 1 lit. b GDPR).

Recipients

Due to legal obligations that serve to detect criminal offenses or prevent money laundering and terrorist financing, as well as combat fraud, data is transmitted to the following recipients:

  • Law enforcement authorities/courts

In the case of the data subject's consent, data is transmitted to social media services (e.g., YouTube).
 

7. Are data transferred to a third country or an international organization?

PSA forwards card transaction data related to item 3.4 to the payment card system (card organizations), which may be located outside the European Economic Area to authorize and execute transactions.

a) MasterCard Europe SPRL

b) Visa Europe Services LLC

c) American Express Payment Services Ltd., Frankfurt am Main Branch

d) Diners Club International Ltd

e) JCB International Co

f) Union Pay International Co. Ltd. for the payment brands "CUP" and "Union Pay."
 

8. Clarification regarding website analysis

PSA has deliberately decided against using Google Analytics to avoid any related transfer of personal data to third countries. Instead, PSA works together with "Matomo."
 

9. How long is personal data stored?

  • In connection with contract execution: 7 years
  • In connection with events: 7 years
  • In connection with video surveillance at ATMs: 90 days
  • In connection with legal obligations under the FM-GwG: 10 years
  • In connection with video surveillance in the office premises: 72 hours
  • In connection with operating the website: varies depending on the cookie settings. Details about these cookies and how you can change your cookie settings can be found at: https://www.psa.at/.
     

10. What rights do I have as a data subject?

We would like to remind you that rights and questions regarding the processing of personal data related to your debit/Bankomat® card or credit card should primarily be addressed to your bank as your contracting partner and the party responsible for your data.

You have the right to access, rectify, delete, or restrict the processing of your stored data at any time, the right to object to the processing (if the data processing is based on public interest or legitimate interest), as well as the right to data portability under the requirements of data protection law.

To do so, you can contact PSA by email at privacy(at)psa.at, or by mail at PSA Payment Services Austria GmbH, Attn: Data Protection, Handelskai 92, Gate 2, 1200 Vienna.

If, despite our obligation to process your data lawfully, there is an unexpected violation of your right to lawful processing of your data, please contact us by mail or email at the above contact details, to inform us of your concerns so we can properly address them.

You also have the right to file a complaint with the Austrian Data Protection Authority (Barichgasse 40-42, 1030 Vienna) or with another data protection supervisory authority in the European Union, particularly at your place of residence or work.
 

11. Am I obligated to provide data?

You are not legally obligated to provide us with your data. However, if you do not provide us with your data, we may not be able to provide our services to you.

If data processing is based on your consent, you can revoke it at any time effective for the future. To revoke consent, you can contact us by email at privacy(at)psa.at, or by mail at PSA Payment Services Austria GmbH, Attn: Data Protection, Handelskai 92, Gate 2, 1200 Vienna. However, without your consent, we may not be able to provide the respective service to you.
 

12. Information about automated decision-making including profiling

PSA does not process personal data in automated decision-making procedures. PSA does not engage in profiling. 
 

13. Updating data protection information

Due to the rapid development of technology, legislation, and jurisprudence, it may be necessary to make occasional changes to this data protection information. Therefore, please always read the latest version on our website.

Compliance

1. Code of Conduct

The PSA Code of Conduct defines the ethical and legal framework within which PSA and its employees act and strive for success. It contains the basic principles and rules for behavior within the company and in relationships with external partners and the public.

They explain how we perceive our ethical and legal responsibilities as a company and are an expression of our company values:

  • Professional
  • Secure
  • Credible
  • Innovative
  • Respectful

The code of conduct adapts to new or changed legal framework conditions. It is intended to strengthen awareness of good legal and moral judgement as an integral part of our entrepreneurial activity.

2. Whistleblowing

You can use the anonymous whistleblower system (“whistleblower platform”) to submit anonymous reports on the following legal violations (see Section 3 HSchG and Section 40 FM-GwG):

  • Financial services, financial products and financial markets as well as prevention of money laundering and terrorist financing
  • Internal violations of the Financial Market-Money Laundering Act (FM-GwG)
  • Environmental protection
  • Consumer protection
  • Protection of privacy and personal data as well as security of network and information systems
  • Union rules on competition and state aid (“Antitrust, Competition and State Aid Law”)
  • Prevention and punishment of criminal offenses in accordance with Sections 302 to 309 of the StGB (German Criminal Code) ("Corruption")
  • Product security and product compliance
  • Public procurement
  • Road safety
  • Radiation protection and nuclear safety
  • Food and feed safety, animal health and animal welfare
  • Public health
  • Violations of the law to the detriment of the financial interests of the Union
  • Violation of internal market regulations and corporate tax regulations

Reports must contain specific information about the facts of the crime and should be truthful. If you are not sure whether the facts you have reported are true, we ask you to mark them as a suspicion.

Anonymous whistleblowers are entitled to protection (Section 6 HSchG). Each report is reviewed for validity unless the report does not fall within the scope of the law or the report does not contain any evidence of validity. Obviously false reports will be rejected by PSA and prosecuted legally.

If you intend to submit a report in this regard, you can access the PSA's protected reporting channel via the following link:
https://psa.hitguard.at/cmwb

The relevant data protection declaration can be found under data protection, in particular under points 3.6., 6. and 8.

Questions and answers on the topic of whistleblowing can be found here: https://www.psa.at/en/data-protection-compliance/faq-whistleblower-plattform