Data privacy
Person responsible for data processing
Porsche Bank AG and/or Porsche Versicherungs AG are responsible for data processing. In certain cases, Porsche Bank AG may also act as a processor for Porsche Versicherungs AG or Porsche Versicherungs AG may act as a processor for Porsche Bank AG.
What personal data do we process?
We process all personal data that the customer provides to us in the application and/or the self-disclosure, or discloses to us during an ongoing business relationship. We also process data that we receive from third parties, such as credit agencies or the company register. These data can be divided into the following categories:
- Contact and identification data: Surname, first name, gender, address, e-mail address, telephone number, cell phone number, date/place of birth, identification numbers, nationality, etc.
- Contract data: purchased products, (financial) services, date of purchase contract, purchase price, optional equipment, warranties, etc.
- Creditworthiness and banking data: Payment history, balance sheets, data from credit agencies, score values, financial circumstances, account details, credit card number, etc.
- Accounting data: Books and records, inventories, opening balances, annual financial statements including management reports, business letters, accounting vouchers and related supporting documents, etc.
- Vehicle usage data: Data linked to the vehicle identification number (VIN) or vehicle registration number.
Information about data processing that does not require consent
For the Fulfillment of a Contract or the Implementation of Pre-contractual Measures
This applies, for instance, to the financing of motor vehicles—whether through leasing or credit financing—the conclusion and administration of associated maintenance products, the management of savings accounts for capital investment at the customer's request by Porsche Bank AG, and the provision of insurance services and claims processing by Porsche Versicherungs AG. This also encompasses the associated customer support and the handling of inquiries within the scope of the application, quotation, and claims processing workflows.
The conclusion and fulfillment of the respective financing and/or insurance contract is possible only if we are able to process your personal data. If you do not provide us with the necessary data, no financing and/or insurance contract can be concluded.
Use of Online Services
When you use our online services, they must be linked to the customer portal known as carLOG. carLOG is a system operated pursuant to a user agreement between you and Porsche Bank AG and Porsche Versicherungs AG, under the joint responsibility of these entities and other companies within the Porsche Holding GmbH group. carLOG functions as a Single Sign-On (SSO) system for specific applications. Further details can be found in the carLOG Privacy Policy at https://carlog.com/at/de/ph/privacy.
To fulfill legal obligations
Your data is also stored by our accounting and bookkeeping departments for the purpose of fulfilling documentation and retention obligations under commercial and tax law. Additional legal bases upon which your data is processed and/or transmitted arise for Porsche Bank AG from the Common Reporting Standard Act (GMSG)—which generally applies only to persons with tax residence outside Austria (natural persons and legal entities with residence/registered office or place of effective management abroad)—the Deposit Guarantee and Investor Compensation Act, the Capital Outflow Reporting Act (KapMeldeG) regarding the reporting obligation for capital outflows, and the Account Register and Account Inspection Act (KontRegG), which governs the operation of a central account register for all accounts and securities accounts held in Austria.
Porsche Bank AG and Porsche Versicherungs AG also process data pursuant to the Capital Requirements Regulation (Regulation (EU) No 575/2013), consumer credit regulations, and the Banking Act and Insurance Contract Act, for the purposes of auditing, regulatory reporting, and risk management/risk assessment. A further legal basis for the processing of your data by Porsche Bank AG is provided by the Financial Market Money Laundering Act (FM-GwG) and the Federal Act on the Establishment of a Register of Beneficial Owners of Companies (Beneficial Owners Register Act – WiEReG), together with the associated due diligence obligations aimed at preventing money laundering and terrorist financing. Within the scope of these due diligence obligations for the prevention of money laundering and terrorist financing, Porsche Bank AG is required to obtain and retain specific documents and information from individuals at the inception of a business relationship or in connection with an occasional transaction. Pursuant to the FM-GwG, Porsche Bank AG is required—among other things—to establish and verify the identity of customers, the beneficial owners of customers, or any potential trustees acting on behalf of the customer; to assess the purpose pursued by the customer and the intended nature of the business relationship; to obtain and verify information regarding the origin of the funds involved; and to continuously monitor the business relationship and the transactions conducted within its framework. In particular, Porsche Bank AG is required to retain copies of the documents and information obtained that are necessary for the fulfillment of the described due diligence obligations, as well as the transaction vouchers and records required for the investigation of transactions. Furthermore, Porsche Bank AG is obliged to implement risk-based procedures to determine whether the customer—or the beneficial owner of the customer—is a politically exposed person.
In the context of complying with due diligence obligations aimed at preventing money laundering and terrorist financing, the exchange of documents and information with subsidiaries of Porsche Bank may, on a case-by-case basis, be necessary to fulfill such due diligence obligations. Should personal data be transferred in this process to a country for which the EU Commission has not determined that an adequate level of protection regarding the processing of personal data exists, Porsche Bank AG has, in every instance, implemented appropriate measures to protect personal data; these measures include the adoption of Standard Data Protection Clauses as the legal basis for data transfers in this context. The Standard Contractual Clauses issued by the EU Commission can be found here.
Online Contract Conclusion and the Photo Identification Procedure at Porsche Bank AG
In the course of concluding an online contract—and specifically during the associated "Photo Identification" procedure—personal data (specifically biometric facial data used for comparison against an identity document) is processed by Porsche Bank AG. This processing is carried out for the purpose of online biometric identification, in accordance with the Austrian Financial Market Money Laundering Act, to ensure compliance with customer due diligence obligations. The legal basis for this data processing is the user's consent, which is obtained during the online identification procedure. As part of the "Photo Identification" procedure utilized, Porsche Bank AG also employs automated decision-making processes. Using a camera, specific data values are generated based on an image ("selfie") captured by the user during the process. A corresponding data value ("template") is also generated based on the photograph contained within the identity document used for verification. These two values are then compared; if a match is detected, the individual is deemed successfully identified. Should this automated verification process fail to yield a conclusive result, the validation process and the associated financing application cannot be completed. The user will receive a corresponding notification and, within the same validation session, is generally granted three additional verification attempts, as well as the option to utilize an alternative validation method—such as Video Identification or ID Austria Identification. In this context, the user retains the right—in all instances—to request human intervention by a representative of Porsche Bank AG, to express their own point of view, and to challenge the automated decision. These rights may be exercised by contacting [email protected].
To safeguard our legitimate interests or those of third parties
Exercise or Defense of Legal Claims
In specific instances, we also process personal data for the purpose of exercising or defending legal claims. Our legitimate interest in this regard lies in the enforcement of legal claims arising from financing and insurance contracts, the repossession of vehicles, and the settlement of outstanding debts. In this context, the objective also involves minimizing the following economic risks: asset risk, default risk, and realization risk.
Credit Assessment
Porsche Bank AG also processes personal data for the purpose of credit checks and risk assessments regarding financing and leasing products, both within the contractual and pre-contractual phases. The legal basis for this data processing is the Consumer Credit Act and our legitimate interest. This legitimate interest consists of creditor protection and risk minimization.
For the purpose of credit assessment and the processing of applications, Porsche Bank AG may—in compliance with statutory regulations and to safeguard its legitimate interests—obtain necessary information regarding the customer from the *Kreditschutzverband 1870* (KSV) and the Consumer Credit Information System (*Konsumentenkreditevidenz*) operated by the KSV.
The customer is also hereby informed that, in order to safeguard its legitimate interests regarding credit assessment, risk minimization, and/or the protection of creditor interests, Porsche Bank AG—within the context of the financing arrangement—transmits the following data to CRIF GmbH (Rothschildplatz 3/Top 3.06.B, 1020 Vienna) and Dun & Bradstreet Austria GmbH (Austria Campus 6, Jakov-Lind-Straße 4, 1020 Vienna): first name and surname, address, date of birth, leasing amount, industry sector, telephone number, and bank details.
As an independent data controller, CRIF GmbH processes the transmitted data for its own purposes as a credit information agency and address publisher, as described at https://www.crif.at/datenschutz/.
Refinancing
For the purpose of refinancing by Porsche Bank AG—specifically within the scope of other legitimate economic interests—information regarding the customer and the contractual relationship may be transmitted in encrypted form to a data trustee, potentially by means of a silent assignment. This measure is implemented to ensure additional data security safeguards in the context of the assignment of receivables or the transfer of the contractual relationship. Furthermore, non-personal data may be transmitted to a purchaser of receivables if such transmission is necessary for the purposes of assigning receivables or transferring a contractual relationship. Personal data is disclosed to the purchaser of receivables only in the event that specific triggering events occur which reflect a legitimate interest.
Compliance, Including Corruption Prevention
We process the personal data provided to us—on an ad-hoc basis—for the purpose of verifying the integrity of business partners as well as for the prevention of corruption. In the course of this data processing, the receipt and granting of gratuities (invitations and gifts) are documented. Individuals who receive gratuities from the company, or who grant gratuities to the company, are recorded in a database. The operation of this database ensures compliance with internal guidelines regarding gratuities and thereby guarantees traceable documentation. The objective is to ensure adherence to compliance regulations concerning the prevention of corruption. Personal data is retained for a period of 10.5 years from the date of recording. The categories of data processed for this purpose include: professional contact details (first name, last name, email address, company name).
Additional data processing activities within the compliance domain include the whistleblower hotline and internal investigations. Further information can be found at https://www.porschebank.at/ueber-uns/compliance-hinweisgebersystem.
Further information regarding the verification of business partner integrity can be found in the Privacy Policy for the Verification of Business Partner Integrity at https://www.porschebank.at/datenschutz.
Marketing Activities and Market Research
Depending on the specific use case, we process your data (contact and identification data, contract data) for marketing and market research purposes in order to promote our products and services. With regard to non-electronic communication with you, we rely on our legitimate interest, which consists of offering financing and insurance products tailored to the specific needs of existing or potential customers. In this context, you have the right to object to the processing of your personal data for direct marketing purposes at any time (via email to [email protected]). Electronic contact for marketing and market research purposes is initiated only if you have previously provided us with your explicit consent to do so.
Controlling and Reporting
Based on customer and/or contract information, customer- and contract-related analyses may be generated for controlling and reporting purposes. This is done primarily in connection with the data processing purposes we pursue, but also to improve our products, services, and customer processes, as well as to facilitate better planning, management, and control.
Group-wide Customer Data Management
Within the scope of an existing customer relationship, and on an as-needed basis, data may be exchanged within the corporate group between Porsche Bank AG (or Porsche Versicherungs AG) and Volkswagen Versicherungsdienst VVD GmbH. This is carried out for internal administrative purposes and for group-wide Customer Relationship Management. As a result, customers benefit from improved service—including, among other things, faster processing of inquiries.
Communication with Business Partners
To improve and ensure effective communication with companies during the course of a business relationship, Porsche Bank AG and/or Porsche Versicherungs AG process the professional contact details of designated contact persons within those companies.
Application of Blocking Notices in Comprehensive Insurance
In specific instances, Porsche Versicherungs AG also processes personal data for the purpose of risk mitigation within the field of comprehensive insurance. To mitigate financial risks for Porsche Versicherungs AG—and to prevent risks to the insurance collective—based on legitimate economic interests, the conclusion of a new comprehensive insurance contract may be declined for customers whose loss ratio has equaled or exceeded 1,000% over a three-year period, or in cases involving multiple accidents caused by the customer's own fault. In this regard, a blocking notice will be applied in such instances; this notice will remain in effect for as long as customer data must be retained in accordance with statutory retention periods under the Insurance Contract Act, or for as long as another contractual relationship with the customer remains in force. When balancing these interests, we strive to maintain a fair equilibrium between the necessity of processing your personal data and the respect for your rights and freedoms—particularly the protection of your privacy. If a blocking notice is in effect, we will decline any application to conclude a comprehensive insurance contract. You may object to this decision by sending an email to the following address: [email protected].
New Development and Further Enhancement of IT Systems
In the context of developing our IT systems, actual production data from Porsche Bank AG and/or Porsche Versicherungs AG may be used on an *ad hoc* basis. The legitimate interest in using actual production data within test systems lies in enabling the provision of technical support as well as the new development and further enhancement of these systems.
Data Protection – Data Subject Requests
For the purpose of handling data subject rights in accordance with the General Data Protection Regulation (GDPR)—specifically the storage and documentation of requests submitted by data subjects—we process data transmitted to us (on an *ad hoc* basis) to maintain a register of processed data subject requests. The storage of your data for this purpose is justified by our legitimate interest in being able to demonstrate the measures taken in response to data subject requests in the event of an audit by the Data Protection Authority. For this purpose, your data will be retained for a period of three years.
As your data is processed on the basis of legitimate interests, you may object to such processing at any time by contacting us at [email protected], provided that you present specific grounds for objecting to the processing of your data.
Information regarding data processing requiring consent
Pursuant to Consent Granted by You
If you have granted Porsche Versicherungs AG your express consent to process sensitive data—specifically health data—in the event of a claim under the passenger accident insurance policy, we process this data for the purposes of claims handling and contractual settlement. Generally, the processing of such data is carried out exclusively within the scope of Sections 11a–d of the Insurance Contract Act (*Versicherungsvertragsgesetz*). In all other instances, please refrain from providing us with sensitive data—such as information regarding trade union membership or health data—within the documents you submit to us.
If you have granted Porsche Bank AG your express consent to process sensitive data (specifically biometric facial data) as part of the "Photo-Ident" identification procedure, or if you have provided us with your consent to capture your biometric signature data during the digital contract signing process, we process this data on the basis of that consent.
If you have granted your consent to the processing of your data for the purpose of electronic contact for marketing and market research purposes by Porsche Bank AG, your data will be processed for these specific purposes; or, if you have granted us your consent for customer analysis—including profiling—we may process your data in this context.
To which recipients or categories of recipients do we transmit your data?
To fulfill the stated purposes, your data will be transmitted—on an as-needed basis—to the following recipients or categories of recipients acting as data processors:
- Porsche Informatik GmbH
- Porsche Konstruktionen GmbH & Co KG
- Vehicle suppliers or intermediaries, storage dealers
- Reisswolf Österreich GmbH
- Excon Controlling Austria GmbH
- Printkom GmbH
- Advertising agencies, market research institutes
- Raiffeisen Bank International AG
- R-IT (Raiffeisen IT) GmbH
- London Stock Exchange Group (LSEG)
- Thomson Reuters Austria Ges.m.b.H.
- Porsche Corporate Finance GmbH
- NTT Data GmbH
- Audatex Österreich GmbH
- POS Solutions GmbH
- Other web, printing, scanning, service, and IT service providers
The data thus provided may be used by data processors solely for the fulfillment of their assigned tasks. In the context of the IT services provided by the London Stock Exchange Group (LSEG), personal data is also transmitted to the United Kingdom (UK). The legal basis for this transmission is the EU Commission’s adequacy decision regarding the United Kingdom (UK). You can find the adequacy decision here.
Furthermore, your data may be transmitted—on an as-needed basis and based on the stated legal grounds—to the following recipients or categories of recipients:
- To: Porsche Holding GmbH, Volkswagen AG – Reason: Legitimate interest in the exchange of compliance data and internal audits. Further information can be found in the Privacy Policy regarding the processing of personal data in the context of audits and internal investigations conducted jointly by multiple audit entities (“Joint Audits”), available at https://www.porschebank.at/datenschutz.
- To: Co-applicants – Reason: Statutory information obligations of Porsche Bank AG or Porsche Versicherungs AG
- To: Cardif Allgemeine Versicherung AG, Volkswagen Versicherungsdienst VVD, UNIQA Österreich Versicherungen AG, Generali Versicherungs AG, Wiener Städtische Versicherung AG – Reason: Conclusion of an insurance contract by Porsche Versicherungs AG
- To: Insurers, partner workshops, experts, and reinsurers – Reason: Occurrence of an insured event; legitimate interest in the preparation of expert reports; risk assessment by Porsche Bank AG or Porsche Versicherungs AG
- To: Kreditschutzverband 1870 (KSV), CRIF GmbH, Dun & Bradstreet Austria GmbH – Reason: Legitimate interest in credit assessment and/or risk minimization by Porsche Bank AG
- To: Legal representatives, courts – Reason: In the event of a dispute; legitimate interest in the defense and enforcement of legal claims by Porsche Bank AG or Porsche Versicherungs AG
- To: Debt collection agencies – Reason: In the event of a default; legitimate interest in the settlement of outstanding debts and/or the securing of assets by Porsche Bank AG or Porsche Versicherungs AG
- To: Austrian National Bank, auditors, Einlagensicherung der Banken und Bankiers GmbH (Deposit Guarantee Scheme), government authorities – Reason: Within the scope of statutory reporting obligations of Porsche Bank AG and Porsche Versicherungs AG
- To: Banks, payment service providers – Reason: For the processing of payment transactions; for the fulfillment of contractual obligations by Porsche Bank AG or Porsche Versicherungs AG
- To: Fuel companies – Reason: If a fuel card is requested in addition to the contract with Porsche Bank AG
- To: External consultants – Reason: For the fulfillment of statutory obligations of Porsche Bank AG and Porsche Versicherungs AG
- To: Shipping and transport service providers – Reason: For the shipment of goods; for the fulfillment of contractual obligations
- To: LexisNexis Risk Solutions – Reason: For the fulfillment of statutory obligations of Porsche Bank AG under the Financial Market Money Laundering Act (FM-GwG)
How long will your data be stored by us?
We store your personal data only for as long and to the extent necessary for the stated purposes, or as we are legally obliged to do so. To fulfill commercial and tax law documentation and retention obligations, data is stored for the duration of the contract plus seven years. Should your inquiry not result in the conclusion of a contract, your data will be deleted. In accordance with due diligence obligations regarding the prevention of money laundering and terrorist financing, Porsche Bank AG is required to retain data for a period of ten years following the termination of the business relationship. Pursuant to the Insurance Contract Act (specifically Section 12 VersVG), Porsche Versicherungs AG retains your data for a period of ten years following the termination of the contract—covering the entire period during which claims may be asserted against the company. For the purpose of defending against and asserting legal claims, we store your data in accordance with general statutory limitation periods.
Rights of the Data Subject
If the processing of your personal data is based on consent, you, as the data subject, have the right to withdraw this consent at any time.
In principle, you have the rights of access, rectification, erasure, restriction of processing, and objection, as well as—insofar as provided for by law—a right to data portability. To exercise these rights, please contact us. If you believe that the processing of your data violates data protection law or that your data protection rights have otherwise been infringed, you may lodge a complaint with the supervisory authority. In Austria, the competent authority is the Data Protection Authority (Datenschutzbehörde).
You may exercise these rights by contacting us at the email address [email protected].
Data Protection Officer
Disclosure of Contact Details for the Data Protection Officer pursuant to Article 37, Paragraph 7 of the General Data Protection Regulation (GDPR) for Porsche Bank AG and Porsche Versicherungs AG:
Porsche Bank AG
Porsche Versicherungs AG
Data Protection Officer
Vogelweiderstraße 75
A - 5020 Salzburg