Data Protection Information
1. Data controller
Oesterreichische Nationalbank (OeNB)
Otto-Wagner-Platz 3, 1090 Vienna, Austria
VAT identification no.: ATU 15348407
Phone: (+43-1) 404 20-0
Fax: (+43-1) 404 20-6698
2. Purpose of the processing activity
The purpose of the processing activity is to run an electronic whistleblowing and reporting system allowing for receiving and tracking information reported by employees or business partners – in accordance with the Austrian Whistleblower Protection Act (HSchG) and the ECB Guidelines ECB/2021/49 and ECB/2021/50 (“Ethics Framework”) – about (possible) irregularities in the company that may constitute a criminal offense or damage the company’s reputation or about instances of fraud, embezzlement or other offenses against property. The provisions laid down in the HSchG are applied equally to all reports. Data are provided on a voluntary basis.
3. Legal basis
The legal basis for the processing is Article 6 para. 1 lit. c GDPR in conjunction with the HSchG and ECB Guidelines ECB/2021/49 and ECB/2021/50. Notifications exceeding this scope are processed for the purpose of pursuing the OeNB’s legitimate interest in ensuring proper business conduct and running an effective internal control system (Article 6 para. 1 lit. f GDPR).
4. Data recipients
In justified cases, data will be transmitted to the Governing Council of the ECB or to qualified legal representatives and competent authorities. The legal basis for such data transfers is compliance with reporting requirements pursuant to Article 14 para. 3 ECB/2021/49, with notification requirements pursuant to Article 78 Austrian Criminal Procedure Code (StPO) and with obligations to testify or submit evidence (Article 6 para. 1 lit. c GDPR). In all other cases, the legal basis is the OeNB’s legitimate interest in establishing, exercising or defending legal claims (Article 6 para. 1 lit. f GDPR).
The tool operator and data processor is EQS Group AG, Karlstraße 47, 80333 Munich, Germany.
5. Retention period
The data will be retained for a period of five years from the date when they were last processed or transmitted and beyond that period for as long as is deemed necessary for the conduct of ongoing administrative or judicial processes or investigations under the StPO (Article 8 para. 11 HSchG).
6. Your rights as a data subject
You have the right to obtain confirmation as to whether or not your personal data, and which of your personal data, are being processed by the OeNB (Article 15 GDPR). You have the right to obtain the rectification of inaccurate personal data or to have incomplete personal data completed (Article 16 GDPR) as long as the rectification and/or completion of the data are necessary for the purpose of the processing operation. You have the right to obtain the erasure of your personal data if the OeNB has processed them unlawfully (Article 17 GDPR). Under certain conditions, you have the right to obtain restriction of the processing of your personal data (Article 18 GDPR). Should you consider your right to data protection infringed by any processing of your personal data by the OeNB, you may lodge a complaint with the Austrian Data Protection Authority (DSB).
You have the right to object to the processing of your personal data on grounds relating to your particular situation (Article 21 GDPR).
7. How to contact the OeNB’s Data Protection Officer
datenschutz@oenb.at