Privacy Policy

General information and mandatory information

Data protection

The operators of this website and its pages take the protection of your personal data very seriously. Hence, we handle your personal data as confidential information and in compliance with the statutory data protection regulations and this Data Protection Declaration.

Whenever you use this website, a variety of personal information will be collected. Personal data comprises data that can be used to personally identify you. This Data Protection Declaration explains which data we collect as well as the purposes we use this data for. It also explains how, and for which purpose the information is collected.

We herewith advise you that the transmission of data via the Internet (i.e. through e-mail communications) may be prone to security gaps. It is not possible to completely protect data against third party access.

Information about the responsible party (referred to as the “controller” in the GDPR)

The data processing controller on this website is:

Financial Market Authority (FMA)
Otto-Wagner-Platz 5
1090 Wien

Phone: +43 1 249 59 0
Fax: +43 1 249 59 5499
Email: [email protected]

The controller is the natural person or legal entity that single-handedly or jointly with others makes decisions as to the purposes of and resources for the processing of personal data (e.g. names, e-mail addresses, etc.).

Your rights as data subject

Information about, rectification and eradication of data

Within the scope of the applicable statutory provisions, you have the right to at any time demand information about your archived personal data, their source and recipients as well as the purpose of the processing of your data. You may also have a right to have your data rectified or eradicated. If you have questions about this subject matter or any other questions about personal data, please do not hesitate to contact us at any time at the address provided in the upper section of this page.

Revocation of your consent to the processing of data

A wide range of data processing transactions are possible only subject to your express consent. You can also revoke at any time any consent you have already given us. To do so, all you are required to do is sent us an informal notification via e-mail. This shall be without prejudice to the lawfulness of any data collection that occurred prior to your revocation.

Right to object to the collection of data

In the event that data are processed on the basis of Art. 6 Sect. 1 lit. e or f GDPR, you have the right to at any time object to the processing of your personal data based on grounds arising from your unique situation.

Right to demand processing restrictions

You have the right to demand the imposition of restrictions as far as the processing of your personal data is concerned. To do so, you may contact us at any time at the address provided in the upper section of this page. The right to demand restriction of processing applies in the following cases:

  • In the event that you should dispute the correctness of your data archived by us, we will usually need some time to verify this claim. During the time that this investigation is ongoing, you have the right to demand that we restrict the processing of your personal data.
  • If the processing of your personal data was/is conducted in an unlawful manner, you have the option to demand the restriction of the processing of your data in lieu of demanding the eradication of this data.
  • If we do not need your personal data any longer and you need it to exercise, defend or claim legal entitlements, you have the right to demand the restriction of the processing of your personal data instead of its eradication.
  • If you have raised an objection pursuant to Art. 21 Sect. 1 GDPR, your rights and our rights will have to be weighed against each other. As long as it has not been determined whose interests prevail, you have the right to demand a restriction of the processing of your personal data.

Right to data portability

You have the right to demand that we hand over any data we automatically process on the basis of your consent or in order to fulfil a contract be handed over to you or a third party in a commonly used, machine readable format. If you should demand the direct transfer of the data to another controller, this will be done only if it is technically feasible.

Right to log a complaint with the competent supervisory agency

You have the right to log a complaint with a supervisory agency about our data processing of your personal data. Competent supervisory agency in Austria is the Austrian Data Protection Authority, Barichgasse 40-42, 1030 Wien. The right to log a complaint is in effect regardless of any other administrative or court proceedings available as legal recourses.

SSL and/or TLS encryption

For security reasons and to protect the transmission of confidential content, such as purchase orders or inquiries you submit to us as the website operator, this website uses either an SSL or a TLS encryption programme. You can recognise an encrypted connection by checking whether the address line of the browser switches from “http://” to “https://” and also by the appearance of the lock icon in the browser line.

If the SSL or TLS encryption is activated, data you transmit to us cannot be read by third parties.

Designation of a data protection officer as mandated by law

We have appointed a data protection officer for our company.

TÜV TRUST IT TÜV AUSTRIA GMBH
TÜV AUSTRIA-Platz 1
2345 Brunn am Gebirge

Phone: +43 50454 1001
Email: [email protected]

Recording of data on our website

Cookies

Server log files

The provider of this website and its pages automatically collects and stores information in so-called server log files, which your browser communicates to us automatically. The information comprises:

  • The type and version of browser used
  • The used operating system
  • Referrer URL
  • The time of the server inquiry
  • The IP address

This data is not merged with other data sources.

This data is recorded on the basis of Art. 6 Sect. 1 lit. f GDPR. The operator of the website has a legitimate interest in the technically error free depiction and the optimization of the operator’s website. In order to achieve this, server log files must be recorded.

Security Logs

The IP address of visitors, user ID of logged in users, and username of login attempts are conditionally logged to check for malicious activity and to protect the site from specific kinds of attacks. Examples of conditions when logging occurs include login attempts, log out requests, requests for suspicious URLs, changes to site content, and password updates. This information is retained for 14 days.

This site is part of a network of sites that protect against distributed brute force attacks. To enable this protection, the IP address of visitors attempting to log into the site is shared with a service provided by ithemes.com. For privacy policy details, please see the iThemes Privacy Policy.

Contact form

If you submit inquiries to us via our contact form, the information provided in the contact form as well as any contact information provided therein will be stored by us in order to handle your inquiry and in the event that we have further questions. We process this data only in the context of the legal regulations.

Hence, the processing of the data entered into the contact form occurs exclusively based on your consent (Art. 6 Sect. 1 lit. a GDPR). You have the right to revoke at any time any consent you have already given us. To do so, all you are required to do is sent us an informal notification via e-mail. This shall be without prejudice to the lawfulness of any data collection that occurred prior to your revocation.

The information you have entered into the contact form shall remain with us until you ask us to eradicate the data, revoke your consent to the archiving of data or if the purpose for which the information is being archived no longer exists (e.g. after we have concluded our response to your inquiry). This shall be without prejudice to any mandatory legal provisions – in particular retention periods.

Request by e-mail, telephone or fax

If you contact us by e-mail, telephone or fax, your request, including all resulting personal data (name, request) will be stored and processed by us for the purpose of processing your request. We process this data only in the context of the legal regulations.

The processing of these data is based on Art. 6 para. 1 lit. b GDPR, if your request is related to the execution of a contract or if it is necessary to carry out pre-contractual measures. In all other cases, the processing is based on your consent (Article 6 (1) a GDPR) and/or on our legitimate interests (Article 6 (1) (f) GDPR), since we have a legitimate interest in the effective processing of requests addressed to us.

The data sent by you to us via contact requests remain with us until you request us to delete, revoke your consent to the storage or the purpose for the data storage lapses (e.g. after completion of your request). Mandatory statutory provisions – in particular statutory retention periods – remain unaffected.

Matomo

This website uses the open source web analysis service Matomo with server logs. Prior to archiving, your IP address will first be anonymized.

Livestream

The videos and livestreams provided on this website are provided through our partner, Braintrust Marketing Services Ges.m.b.H., using the Vimeo video player, which is provided by Vimeo.com Inc., 555 West 18th Street, New York, New York 10011, USA. As part of the embedding process, certain information is sent to Vimeo, including IP address, technical information about your device and the web page you visited.

Your personal information may be transferred to the U.S..

Detailed information about the data that is gathered and stored by Vimeo may be found in the privacy statement at https://vimeo.com/privacy.

Newsletter

Eyepin

The FMA uses eyepin for sending newsletters. Eyepin is a service that allows the organisation and analysis of sending newsletters. The data (e.g. your e-mail address) that you enter to receive a newsletter are stored on eyepin’s servers in Austria. Processing is conducted on the legal basis of your having given permission, and permission may be revoked at any time. We use eyepin GmbH, Billrothstraße 52, 1190 Vienna, as a processor for conducting processing. No transmission of data to a third country occurs. We process your personal data until you revoke permission to do so. We would also like to inform you, that it is not necessary to make personal data available for contractual or legal purposes.

Further details can be found in eyepin’s privacy policy (in German only) at: https://www.eyepin.com/en/privacy-policy/

Events

Invitario

In holding FMA events, we process your personal data for the purposes of the performance of a contract (Article 6 (1) (b) GDPR). Invitario GmbH, Lerchenfelder Str. 74, 1080 Vienna conducts the processing, who we use as a processor. No transmission of personal data to a third country occurs. The duration of processing is based on Article 22 paragraph 4 FMABG in its applicable version. Personal data is required to be made available for the purposes of fulfilling a contract. It is not possible to participate at FMA events without providing personal data. We advise that automated processing, including profiling, does not occur.

Registrations, Lists of Participants, Pre-Information and Surveys

If you have registered to attend one of our events, then we process your personal data for the purpose of holding the event. In the event that you register, we send you pre-information, in order to be able to inform you about the event. We process the personal data of persons concerned, who have registered for an event, to be able to have a list of participants. After participating at one of our events, we send you surveys, which you may complete to allow us to identify how you found our event. The legal basis is based on Article 6 (1) (f) GDPR. We justify our legitimate interest as being for organising and holding events. We organise events, to permit the exchange of information between the supervisor and supervised entities. Invitario GmbH, Lerchenfelder Str. 74, 1080 Vienna conducts the processing, who we use as a processor. No transmission of personal data to a third country occurs. The duration of processing is based on Article 22 paragraph 4 FMABG in its applicable version. We advise that automated processing, including profiling, does not occur.

Sending of Invitations and Save The Date messages

We send invitations and save the date messages to inform you about the possibility of taking part at our events. The legal basis for sending out invitations is based on our legitimate interest, which we justify by holding events for the purposes of dialogue and information about Austrian as a financial centre. Invitario GmbH, Lerchenfelder Str. 74, 1080 Vienna conducts the processing, who we use as a processor. No transmission of personal data to a third country occurs. The duration of processing is based on Article 22 paragraph 4 FMABG in its applicable version. We advise that automated processing, including profiling, does not occur.

Processing of personal data of speakers

Speakers at FMA events have permitted us under Articles 14 et seq. of the Copyright Act (UrhG; Urheberrechtsgesetz) to take pictures and record sound and video and to publish them. We base the processing of personal data on our legitimate interest (Article 6 (1) (f) GDPR), which we justify by exercising our rights. Invitario GmbH, Lerchenfelder Str. 74, 1080 Vienna conducts the processing, who we use as a processor. No transmission of personal data to a third country occurs. The duration of processing is based on Article 22 paragraph 4 FMABG in its applicable version. We advise that automated processing, including profiling, does not occur.

Joint Control

The essence of joint control

Joint control by the FMA, the European Banking Authority (EBA), reporting supervisory authorities[1], the European Commission, as well as the European Securities and Markets Authority (ESMA) and the European Insurance and Occupational Pensions Authority (EIOPA) for the purposes of processing personal data using the European reporting system for material CFT/AML weaknesses (EuReCA).

Processing itself

EBA has the legal mandate to provide a database for the purposes of preventing and combating money laundering and terrorist financing in the European Union. For this purpose, EBA has developed the European reporting system for material CFT/AML weaknesses (EuReCA) and the reporting supervisory authorities are obliged to make information available in EuReCA for the jointly responsible controllers.

Exercising of the rights of the data subject

All rights that are made use of by data subjects, namely the right of access (Article 15 GDPR), rectification (Article 16 GDPR), erasure (Article 17 GDPR), right to restriction of processing (Article 18 GDPR), the right to object against processing (Article 21 GDPR) and the right to data portability (Article 20 GDPR), the right to not be subject to a decision solely based on automated processing – including profiling (Article 22 GDPR) as well as the notification obligation (Article 19 GDPR) shall be exercised by the FMA, provided that the data subject asserts one of the aforementioned rights towards the FMA. It is expressly determined as defined in final sentence of Article 26 (1) GDPR, that the FMA’s duties are defined in European Union legislative acts, to which the FMA is subjected.

  • Name of the processing activity: EuReCA – European reporting System for material CFT/AML weaknesses
  • Purpose of processing: EuReCA collects information from reporting authorities in conjunction with the prevention and combatting of money laundering and terrorist financing.
  • Legal basis for processing: Article 9a (1) and Article 9a (3) of Regulation (EU) 1093/2010.
  • Recipients of personal data: European Banking Authority (EBA), reporting supervisory authorities, the European Commission, as well as the European Securities and Markets Authority and the European Insurance and Occupational Pensions Authority.
  • Transfer of personal data to a third country: Such a transfer does not take place.
  • Duration of processing: EBA stores personal data in an identifiable form for a period of up to 10 years from the time of it being collected by EBA.
  • It is necessary to make personal data available for statutory or contractual purposes and what would the consequences be of failure to make it available? Personal data is required to be made available for statutory purposes.
  • Automated decision-making processes including profiling does not take place.

[1] Processing includes joint processing with specified national and EU reporting authorities as described in Article 9a (1a) of Regulation (EU) 1093/2010 and in Article 1 of Annex II of Delegated Regulation (EU) 2024/595.