Data Privacy

• To fulfill contractual obligations [Art. 6 (1)(b) GDPR]

Processing of personal data (Art. 4 (2) GDPR) occurs to provide and arrange for bank transactions and financial services including but not limited to performance under our agreements with you and execution of your orders as well as performance of pre-contractual measures.

The purposes of processing data is determined first and foremost by the specific product (e.g. account, loan, securities, deposits) and may, among other things, include needs assessments, consultation, asset management and administration and execution of transactions.

Such data processing occurs for example in connection with debit cards (also called ATM cards) provided to you by Kathrein and which you can use to execute payment transactions with retailers at POS terminals and online (e-commerce payments in online shops), to withdraw cash from respective ATM or cash machines and to facilitate transactions between debit cards ("ZOIN"). For those transactions, the financial institution of the card holder and of the recipient of the payment must be identifiable in order for those institutions to settle the transactions with each other. For that purpose, nearly all financial institutions operating within Austria have signed an agreement with PSA Payment Services Austria GmbH (PSA) (the PSA agreement). The agreement aims to regulate the mutual rights and obligations of the financial institutions and the PSA. The agreement stipulates the terms financial institutions have agreed upon regarding transactions (e.g. withdrawal of funds) executed by non-customers of the bank at bank-owned cash machines or payment transactions through POS terminals. PSA is responsible for the technical aspects of the transaction with eligible cards among those institutions. In addition, PSA operates its own ATMs or cash machines. To facilitate the transaction and settle payments between the financial institutions, the institutions must process the data of their own customers. The legal basis for processing data are a variety of Acts, e.g. the Austrian Banking Act (Bankwesengesetz), the Austrian Payment Services Act (Zahlungsdienstgesetz, ZaDiG), the Financial Markets Anti-Money Laundering Act (Finanzmarkt-Geldwäschegesetz, FM-GwG), etc., with which the parties to the PSA agreement must comply, and the agreement between the financial institution and its customer (e.g. checking account agreement, credit or debit card agreement). To exercise your rights in connection with the data processing measures listed above, please contact Kathrein.

For specific details regarding data processing activities referenced above, please read the respective agreements and relevant terms and conditions.

• To fulfill legal obligations [Art. 6 (1)(c) GDPR]

Processing of personal data might be necessary to fulfill a range of legal requirements (arising from the Banking Act, the Financial Markets Anti-Money Laundering Act, the Securities Supervision Act, the Stock Exchange Act etc.) as well as due to regulatory requirements (e.g. those established by the European Central Bank, the European Financial Authority, the Austrian Financial Market Authority etc.), which the bank is subject to as an Austrian financial institution. Examples are:

- Filing of suspicious activity reports with the Financial Intelligence Unit (Geldwäschemeldestelle) (Section 16 FM-GwG)
- Providing information to the FMA in accordance with the Securities Supervision Act (WAG) and the Stock Exchange Act (BörseG) in order to monitor compliance with the provisions governing the misuse of insider information in the market
- Providing information to the financial penalty authorities in response to financial penalty proceedings for deliberate financial crimes
- Providing information to federal tax authorities in accordance with Section 8 of the Austrian Accounts Register and Inspection of Accounts Act (Kontenregister- und Konteneinschaugesetz)
- Assessment and control of risks
- Credit check (credit scoring) for loan applications
Credit scoring assesses the credit risk of the loan applicant by applying statistical comparisons of subpopulations. The resulting score is deemed to help assess the probability of repayment of a requested loan. To calculate the score, we use your master data (marital status, number of children, duration of employment, employer), information about your general financial status (income, assets, monthly expenses, collateral etc.) and information regarding your payment history (regular loan payments, payment reminders, data collected from credit agencies). If the risk of default is too high, the loan application will be denied.

• As a result of your consent [Art. 6 (1)(a) GDPR]

If you have given consent to processing of your personal data for certain purposes (e.g. transfer of data to the recipients named in the consent, notifications via ELBA, receipt of marketing material), the data will only be processed for the purposes and to the extent stated in the consent form. Consent can be withdrawn at any time and will become effective for future processing of data.

• To safeguard legitimate interests [(Art. 6 (1)(f) GDPR] in general

If necessary, for weighing the interests, data can be processed for the benefit of Kathrein and third parties to safeguard legitimate interests. In the following cases, data is processed to safeguard legitimate interests. Examples are:

- Inquiry with and exchange of data with credit agencies (e.g. Austrian Credit Protection Association 1870) to assess credit risk or risk of default
- Review and optimization of processes regarding needs analysis and direct communication with Clients
- Video monitoring to collect data evidence in connection with criminal offenses or to furnish proof for orders and deposits (e.g. at the teller) - especially for the protection of customers and employees
- Certain telephone recordings (for quality assurance or in the case of complaints)
- Measures to controlling business and help develop services and products
- Measures for the protection of customers and employers as well as the property of the bank
- Measures to prevent and combat fraud (Fraud Transaction Monitoring), to combat money laundering, financing of terrorist activities and criminal offenses endangering assets. In this context, data will be analyzed (e.g. with payment transactions). Those measures are also for your own protection
- Processing of data for legal prosecution
- Assertion of legal claims and defense against legal disputes
- Ensuring IT security and IT operations within the bank
- Prevention and investigation of crimes

• To safeguard legitimate interests [(Art. 6 (1)(f) GDPR] in marketing our services

Analysis of your data processed by Kathrein in order to

- provide or send you customized information and offers of Kathrein and the companies named below, their products and services which Kathrein procures,
- develop services and products that match your interests and personal circumstances, as well as
- improve the ease of use of your service applications, such as TIPAS+, ELBA or other apps

is based on our legitimate interest in marketing our services. Processing of your data for this purpose continues as long as you do not object.

The following data collected by Kathrein or transmitted to Kathrein by you or at your request will be processed for that purpose:

Personal Data/Master Data

Gender, professional title, name, date of birth, country of birth, nationality, marital status, tax status, level of education, profession, employer, authentication information such as driver's license data, income data, address and other contact data such as telephone number or email address, geographic location data, securities risk category in accordance with your investor profile, housing situation such as renter or owner and apartment or house, family relations (without collecting the personal data of those individuals), number of persons in the household, data provided during consultation sessions such as hobbies and interests or planned purchases and automobile, household expenses, internal ratings such as evaluation of income and expenses and assets and liabilities by Kathrein.

Data regarding Kathrein products and services

Data in connection with the Kathrein services utilized by you, including

- forms of payment used by you, such as credit and debit cards,
- debits and credits and outstanding payments on accounts and loans
- interest rates charged for those services, and charges and fees,
- payment history, including the options used by you to place orders (e.g. ELBA),
- incoming and outgoing wire transfers, payer and payee and providers transmitting payment orders, amount, description and payment references, client references,
- frequency and type of money transactions, with non-cash payments, the data of the merchants or service providers receiving payment and information about the transactions executed with them,
- data from ELBA,
- savings history and securities transactions and securities account balances, including details regarding securities held.

Device and Contact Center Data (telephone hotline including interactive voice control)

Frequency, time and place of usage of contact centers (telephone service including interactive voice control) as well as audio and video recordings made in the course of using those services with reference to the relevant legal basis (e.g. in connection with support services for ELBA).

Data from services, website and communications

Data for the use of electronic services and websites, use of features of websites and of apps and email messages between you and Kathrein, information regarding viewed web pages or content and links that were accessed, including external websites, information regarding the time it takes a user to react to content or download errors, the amount of time spent on a website as well as information on usage and about subscriptions of newsletters published by Kathrein.

This information is collected with the help of automated technologies such as cookies or web beacons (tracking pixel that registers access to emails or websites) or web tracking (tracking and analysis of search behavior) on the website or ELBA and with the help of external service providers or software.

Kathrein's website integrates the analytics tool of Digital Workroom. It does not use cookies or store personal data. When accessing a page, tracking pixels store country code, browser name and version, operating system, resolution and color scheme as well as the anonymized IP address in a unique key to be used for page statistics.

Kathrein does not use plugins or similar tools that transmits data to third party providers. Digital Workroom statistics analyzes user behavior without using personal data. Kathrein does not use social media plugins.

Account and portfolio data accessed online

Data regarding information about accounts and portfolios accessed online through service providers, data of those service providers, content and purpose as well as frequency of inquiries and content of the information provided.

Technical data of the mobile devices used for data access

Information about devices and systems used to access websites or portals and apps or other forms of communication, such as internet protocol addresses (IP addresses) or type and version of the operating system and internet browser, and in addition device identification and promotional identification or location data and other comparable data of the devices and systems used.

Data regarding user-generated content

Information posted on websites or apps of RBI such as comments or personal posts and photos or videos and similar content.

Data regarding products and services procured from other companies

Data of products and services procured for you from RBI as well as from RBI affiliates, Raiffeisen Kapitalanlage-Gesellschaft m.b.H., Raiffeisen Immobilien Vermittlung Ges.m.b.H., Raiffeisen Centrobank AG, Card Complete Service Bank AG. Furthermore, products of Kathrein Capital Management GmbH.

That data includes personal data and detailed data of the products, such as nature of the transactions, durations, interest rate, fees, credit and debit and payments in arrears.

If the products procured are instruments of payment, the processed data will include: payment history, incoming and outgoing wire transfers, payer and payee, providers transmitting payment orders, amount, description and payment reference, client references, frequency and type of money transactions; with non-cash payments, the data of the merchants or service providers receiving payment, and information about the transactions executed with them.