Data protection

Protection of your personal data when visiting the OeNB’s websites

When you visit one of the OeNB’s websites, the respective server logs and processes certain personal data:

Web server logging
Each time you access one of our websites, the web server logs the following data to ensure an appropriate level of information and system security: IP address, username (if required), date and time of your visit as well as technical information about the web object you retrieved and the browser and operating system you used (combined log format). The OeNB will process these data for the purposes of evaluating security requirements, assessing potential risks and fending off threats to the OeNB’s IT infrastructure under its information security management system. In case improper use is made of the OeNB’s websites or IT infrastructure, log data will be forwarded to the competent authorities. Log data will be stored in line with the right to restriction of processing (Article 18 GDPR) for up to three years. The legal basis for this processing is Article 6 para 1 lit f in conjunction with recital 49 GDPR. 

Additional personal information, such as your name, address, telephone number or e-mail address, is not recorded unless you have opted to provide this information in the space provided (e.g. when registering for a newsletter or requesting information via a contact form). The personal data you provide will be processed exclusively for the purpose of dealing with your request. These data will not be transferred to third parties.

Social media plug-ins
Many OeNB websites allow you to connect to social media networks via social media plug-ins. To protect its website visitors’ data, the OeNB uses social media buttons based on Shariff technology. This means that no personal data are transmitted to the operators of social media services when you access our websites. A plug-in will make contact with the server of the given service only if you click on the respective button. The information that you have visited our websites will therefore only be transmitted to that service if you have given your consent (Article 6 para 1 lit a and Article 49 para 1 lit a GDPR). If you click on the plug-in while logged in to the selected service, you can share content from the respective OeNB websites on your profile or leave a comment. This allows the service to assign your visit to our websites to your user account. Please note that, as website operator, the OeNB does not receive any information about the content of the transmitted data or on how these data are used by the social media service in question.

By activating and using a social media plug-in, you agree to the subsequent transfer of personal data to the selected service. More information on how the respective services use your personal data can be found in the data privacy statements provided by the selected service(s):

• Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2 Ireland
  https://www.facebook.com/policy.php
• Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2 Ireland
• YouTube: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4. Ireland
  https://www.google.com/intl/de_ALL/policies/privacy
• X: Twitter International Unlimited Company, One Cumberland Place, Fenian Street, Dublin 2, D02 AX07, Ireland
  https://twitter.com/privacy?lang=en
• LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland
• SoundCloud Global Limited & Co. KG, Rheinsberger Str. 76/77, 10115 Berlin
• Podigee, Revaler Straße 28, 10245 Berlin, Deutschland
• Flockler, Rautatienkatu 21B, 33100, Tampere, Finnland

Website analytics policy
The OeNB uses technical tools to analyze how its websites are used. This allows us to improve usability and user experience. As a rule, the tools we use do not provide us with information about your identity.

Matomo On-Premise:
We use Matomo On-Premise, an analytics tool that helps us optimize our websites and make them more user friendly. Matomo creates analyses of and statistics on how our websites are used on the basis of pseudonymized user IDs. We anonymize web server log data by IP masking before using them for analytics purposes. The tool is operated on OeNB infrastructure. The legal basis for this processing is Article 6 para 1 lit f GDPR; the legitimate interest of the OeNB is the optimization of its websites and the content offered.

For this analyses, persistent cookies are stored on your device. This allows us to recognize and count returning visitors, track click paths and measure interest in our website content. We do not collect any data related to your identity.  Cookies are small text files that are stored on your computer and allow us to identify your device when you return to our websites. We use cookies for analytics purposes on the basis of your consent in accordance with Article 165 para 3 Telecommunications Act 2021 in conjunction with Article 6 para 1 lit a General Data Protection Regulation (GDPR) if you have agreed to the relevant options on the cookie consent banner, where you can also change or withdraw your consent at any time. You can open the banner by clicking the check mark in the bottom left corner.

For further information about Matomo and its privacy policy, please visit https://matomo.org/privacy.

Use of Captcha
The OeNB uses the Austrian IT‑Service Captcha (www.captcha.eu) ) on its websites to ensure that the data, or queries, submitted to the OeNB via contact forms are coming from a human and not a bot. For this, Captcha will evaluate the following personal data, which will be forwarded to the service provider: Masked IP address (the last 4 digits are deleted before storage), type and model of end device, type and model of browser, referrer website, cookie or local storage value, mouse movements and time intervals between keystrokes. These data are processed in accordance with Article 6 para 1 lit f GDPR and on the basis of our legitimate interests in maintaining the security of our web server and protecting the forms on our website against abuse and fraudulent input made by automated software. A data processing agreement has been concluded with the provider in accordance with Article 28 GDPR.

Protection of your personal data when using cookies

The OeNB uses cookies to collect data about visitors to this website in order to personalize content, provide log-in functionality, integrate social media plug-ins and analyze website traffic based on anonymized data. Cookies that are essential for accessing our content and using our online services may be stored on your device without your explicit consent (Article 165 para 3 Telecommunications Act 2021). For storing nonessential cookies on your device, we need your consent, which you can give, or change and withdraw at any time, in the cookie consent banner. In the banner, you will also find information for which purposes cookies are set and on how long the OeNB will, as a rule, store them unless you delete them manually or adjust your browser settings to refuse or automatically delete cookies. You can give, change or revoke this consent via the cookie consent banner, which can be opened at any time via the checkmark icon at the bottom left.

Protection of your personal data when communicating electronically with the OeNB

You can contact the OeNB electronically by using the contact details and forms available at www.oenb.at/en/Contact.html. The data submitted this way will be processed by the OeNB to facilitate electronic communication between the OeNB and users and to maintain electronic contact management systems. The legal basis for the processing of electronic correspondence is Article 6 para 1 lit e GDPR (in conjunction with Articles 1 and 1a Austrian eGovernment Act and Articles 28 et seq. Austrian Act on the Service of Official Documents, if applicable), provided that the processing is necessary for the fulfillment of the OeNB’s statutory tasks under the Nationalbank Act; otherwise, Article 6 para 1 lit f GDPR applies. In the latter case, it is the legitimate interest of the OeNB to allow electronic correspondence also for private-law matters. The OeNB stores e-mails for up to ten years unless longer-term storage is required by the underlying purpose of the e-mail correspondence.

E-mails are checked for spam and harmful content. By default, e-mails are automatically scanned for spam or malware; only in suspicious cases or in case of doubt are individual e-mails scrutinized in more detail by specialists (in consultation with the recipient if necessary). In case of misuse or criminal content, all relevant data are forwarded to the authorities in charge.

For the purpose of ensuring an appropriate degree of information and system security as well as detecting and handling malware, the OeNB e-mail server generates log files of e-mail correspondence and stores them in line with the right to restriction of processing (Article 18 GDPR) for up to three years. When you send an e-mail to an OeNB address, the following data are logged: recipient’s e-mail address, IP address and hostname; number of recipients; sender’s e-mail address, IP address and hostname; subject, date and time when the e-mail was received by the server; file name of any attachments; size of message; risk classification for spam and delivery status. These data will not be passed on to third parties unless improper use is made of the OeNB’s websites or IT infrastructure. In such cases, log data will be forwarded to the authorities in charge (Article 6 para 1 lit f in conjunction with recital 49 GDPR).

OeNB user account privacy policy

The OeNB protects websites and IT services that contain sensitive data by operating access control systems with personal user accounts. This involves processing personal data, such as, in particular, name, family name, title, name of company or organization, e-mail address, telephone number (for two-factor authentication), access rights and constraints, username, password and other access codes including period of validity and change procedures as well as information collected by log files. The legal basis for processing these data is the OeNB’s legitimate interest in implementing state-of-the-art data security measures and ensuring data use in compliance with the applicable legal acts and agreements, specifically Art. 6 para 1 lit. e General Data Protection Regulation (GDPR) in conjunction with Article 3 E‑Government Act for the public sphere and Article 6 para 1 lit. f in conjunction with Article 32 GDPR for the private sphere. The data are typically provided by the people concerned (data subjects) or by companies or organizations they are affiliated with. Data processing may be carried out by processors contracted by the OeNB in line with Article 28 GDPR. The OeNB saves account data as long as the access rights are active and log data for up to three years; if applicable, data are saved for a longer period, e.g. until the expiry of statutory retention periods or pending the settlement of legal disputes in which the data are needed as evidence.

Videoconferencing tools

The OeNB facilitates communication by means of audiovisual meeting and conferencing systems (online meeting tools). For the purpose of making these online meeting tools available for use, the OeNB processes personal data of meeting participants. These data may at the most include: Unique identification number(s), first and last name, e-mail address, phone number and other contact information, affiliation, availability status, photo (if uploaded), audio and/or video stream, chat messages, shared data, documents and screen contents, audiovisual recordings (where legitimate and previously disclosed), detailed technical information on the end devices used (e.g. operating system, browser software, display resolution) as well as log data and statistical information on tool usage (e.g. IP address, MAC address, date and time of interactions). Audio and video streams (audiovisual data) are usually not recorded, only in legitimate exceptional cases (mostly conferences or public events) and only if this has been previously announced by the online meeting host.

The legal basis for processing data is Article 6 para 1 lit e of the General Data Protection Regulation (GDPR) wherever online meeting tools are used for the purpose of fulfilling statutory tasks within the OeNB’s mandate under the Nationalbank Act of 1984 or other applicable EU or national laws; otherwise Article 6 para 1 lit f GDPR applies. In the latter cases, the OeNB’s legitimate interest is providing electronic, audiovisual means of communication in private-law matters. Profile data and communication content are transferred to all online meeting participants. Legitimate audiovisual recordings may be used for documentation purposes and, where applicable, for the purposes of the OeNB’s public relations and press activities, and for publication on the OeNB’s websites and social media outlets (compatibility: no sensitive data, purpose limitation, prior notification of all online meeting participants, Article 6 para 1 lit f GDPR). Moreover, data may be processed for archiving purposes in the public interest (Article 6 para 1 lit f GDPR and Article 89 GDPR in conjunction with Article 7 para 1 no 2 Austrian Data Protection Act in conjunction with the Austrian Federal Archives Act). The OeNB will regularly receive your contact and profile data directly from you or from your organization based on Article 6 para 1 lit f GDPR. In the absence of contrary legal obligations or contractual agreements, you are not obliged to disclose your contact information to the OeNB. However, without disclosing your contact information you cannot use online meeting tools. Profile data are stored until the associated profile is deleted. If you join online meetings via link, no profile will be created. Audiovisual recordings will be processed for as long as they are relevant to the OeNB for the purposes of documentation or public relations and press activities. Afterwards they will be dealt with as directed by the Austrian Federal Archives Act. Log data will be stored for up to six months. There will be no automated decision-making.

Tool provider (processor):

• MS Teams: Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18 D18 P521, Ireland.
• Webex: Cisco International Limited, registered in England and Wales (Company Number 06640658), 9-11 New Square Park, Bedfont Lakes, Feltham, TW14 8HA (UK) and Cisco Systems, Inc., 170 West Tasman Drive, San Jose, California 995134 (USA).

Transfer of personal data to third countries: When using Webex and, because of the US Foreign Intelligence Surveillance Act (FISA), potentially also when using MS Teams, personal data are transferred to the UK and to the USA, both third countries outside the European Economic Area. For both countries, the European Commission has issued an adequacy decision pursuant to Article 45 GDPR. Additionally, Cisco has implemented binding corporate rules on data protection pursuant to Article 47 GDPR (ec.europa.eu/newsroom/article29/document.cfm?doc_id=50116). The OeNB has agreed standard data protection clauses pursuant to Article 46 para 2 lit c GDPR with Cisco and Microsoft. These can be downloaded at trustportal.cisco.com/c/dam/r/ctp/docs/dataprotection/cisco-master-data-protection-agreement.pdf or requested by mail to datenschutz@oenb.at.

Right to object: Please notify the meeting host host or the person who has sent the participation link if you think that the use of a chosen online meeting tool could be legally problematic in terms of anticipated communication content or purpose or if you object to the use of such a tool for justified personal reasons. In case OeNB shares this view, we will look for an adequate alternative, where available. If you do not want any of your personal data to be processed in legitimate audiovisual recordings, please participate without audiovisual interaction (microphone muted, camera off). You will be able to submit questions or comments in writing in a chat window; these will not be included in audiovisual recordings.

Use of photographs and videos by the OeNB

The OeNB processes photographs and videos of individuals to document its events and activities. With due regard to the rights of individuals shown in photographs and/or videos, the OeNB makes selected photographs and/or videos available to newspapers and TV programs and/or uses them on its websites, in OeNB information material and on social media sites, e.g. on Facebook, Twitter or YouTube. The OeNB processes this visual material for the purposes of its legitimate interests according to Article 6 para 1 lit f GDPR, which include documentation of events relevant to the public as well as the bank’s press and public relations activities. Moreover, the OeNB stores photographs and videos for archiving purposes in the public interest and deletes them if documentation is no longer required (Article 89 para 1 GDPR in conjunction with Article 7 para 1 item 2 DSG in conjunction with the Austrian Federal Archives Act).

Feedback function

You can provide feedback and report errors on certain OeNB websites. Providing your e-mail address is voluntary. The purpose and legitimate interest of the processing is to improve the OeNB's websites and to process your suggestions. The legal basis is Article 6 para 1 lit f GDPR; data processor for this function is Usersnap GmbH, Energiestraße 1, A-4020 Linz. Your feedback data will be stored for as long as there is an interest in documenting it. It will not be transferred to third parties.

Your rights as a data subject

The GDPR provides you, as a data subject, with a number of rights in relation to the processing of your personal data:

• You have the right to obtain confirmation as to whether or not your personal data, and which of your personal data, are being processed by the OeNB (Article 15 GDPR).
• You have the right to obtain the rectification of inaccurate personal data or to have incomplete personal data completed (Article 16 GDPR) as long as the rectification and/or completion of the data are necessary for the purpose of the processing operation.
• You have the right to obtain the erasure of your personal data if the OeNB has processed them unlawfully (Article 17 GDPR).
• Under certain conditions, you have the right to obtain restriction of the processing of your personal data (Article 18 GDPR).
• You have the right to object to the processing of your personal data on grounds relating to your particular situation or where personal data are processed for direct marketing purposes (Article 21 GDPR).
• You have the right to withdraw your consent to any consent-based processing of your personal data at any time; this will not affect the lawfulness of processing based on your consent before its withdrawal (Article 7 para 3 GDPR).
• In addition to the right to obtain confirmation, you have the right to receive your personal data, which you have provided to the OeNB, in a structured, commonly used and machine-readable format or to have these data transmitted to another controller (Article 20 GDPR)
  • where the processing is carried out by automated means,
  • where such a transmission is technically feasible, and
  • where the processing is based on your consent (Article 6 para 1 lit a GDPR) or is necessary for the fulfillment of a contract that was concluded, or will be concluded, with you (Article 6 para 1 lit b GDPR).
• Should you consider your right to data protection infringed by any processing of your personal data by the OeNB, you may lodge a complaint with the Austrian Data Protection Authority (DSB) or take legal action before the competent civil court.

To assert your rights as a data subject, please write to “Oesterreichische Nationalbank, Abteilung REFC/Datenschutz, Otto-Wagner-Platz 3, 1090 Vienna, AUSTRIA” or datenschutz@oenb.at. Please state in what way your personal data are subject to data processing by the OeNB, specifying the data processing operation or IT system(s) and clearly outlining the details of your request. Moreover, please provide proof of your identity by enclosing a copy of an official photo identification (e.g. your passport, driver’s license, identity card) or using a qualified electronic signature within the meaning of Article 3 item 12 eIDAS Regulation to prevent improper requests by unauthorized third parties that might endanger the protection of your personal data. For the reasons outlined above, such requests must be made in writing.

Detailed privacy information

In fulfillment of its mandate and in safeguarding its interests, the OeNB frequently processes personal data. This page informs data subjects that are not OeNB staff members pursuant to Article 13 and 14 GDPR on how their personal data are protected when subject to data processing by the OeNB. Information on the purpose(s) and legal basis of processing operations, the type(s) of processed data and your respective rights under the data protection framework is made available below. OeNB staff members will find the relevant information on the OeNB’s intranet.

The following documents provide detailed information pursuant to Article 13 and 14 GDPR how the OeNB processes personal data:

• Access control system (PDF), 89 kB
• Accounting and controlling (PDF), 141 kB
• Appointment to managerial positions (PDF), 119 kB
• Balance of payments statistics (PDF), 105 kB
• Bank History Archives (PDF), 104 kB
• Call logging (telephone switchboard and security service) (PDF), 87 kB
• Cash authentication training (PDF), 87 kB
• Competition entries (PDF), 111 kB
• Contact platform for central bank research activities in the ESCB (PDF), 105 kB
• Counterfeit money database (PDF), 99 kB
• Data collection from cash handlers (PDF), 91 kB
• Data protection management (PDF), 120 kB
• Documentation of monetary policy operations (PDF), 91 kB
• Education and training management (personnel development tool) (PDF), 118 kB
• Equity and interest management (PDF), 124 kB
• Event management (PDF), 120 kB
• Exchange of banknotes and coins (PDF), 92 kB
• Foreclosure statistics (PDF), 83 kB
• JVI supervision and course management (PDF), 109 kB
• Electronic communication systems and contact directories (PDF), 134 kB
• Newsletter system (PDF), 113 kB
• Payment Systems (PDF), 106 kB
• Payment Systems – Eurosystems (PDF), 149 kB
• Photographs and videos (PDF), 98 kB
• Procurement and sales management including intra-group invoicing (PDF), 165 kB
• Promotion of science and research by the OeNB (PDF), 151 kB
• Record and document management (PDF), 126 kB
• Record and document management system (EUREKA) (PDF), 114 kB
• Research activities in the field of economic education (PDF), 118 kB
• Security services – call logging (PDF), 83 kB
• Seizure Tracking Application (SETRA) (PDF), 103 kB
• Statistics Hotline ticketing system (PDF), 125 kB
• Treasury – call logging (PDF), 92 kB
• Video surveillance (PDF), 84 kB
• Visiting Research Program of the Economic Analysis and Research Department (PDF), 92 kB
• Whistleblower system (PDF), 126 kB