TKK advises caution in handling pension account information

Complaints concerning the activation of the Austrian citizen card (Bürgerkarte) in connection with the sale of financial products have been brought to the attention of the Austrian Telekom-Control Commission (TKK), which is the supervisory authority according to the Austrian Signature Act (SigG). The facts reported in the complaints are likely to constitute infringements of the SigG or the Data Protection Act (DSG). Specifically, when speaking with potential customers, sales staff of financial services providers have for some time purportedly been comparing the returns from their financial products with the expected yields from state pensions. Yet, individuals have access to their personal pension account only after logging in via citizen card or mobile phone signature (https://www.sozialversicherung.at/pktesv/). This requires, in turn, previous registration for the issue of a qualified certificate in the name of the individual customer. Many financial advisors are, in fact, entitled to carry out registration, since a large number are also active in the capacity of registration office for the certification service provider (A-Trust Gesellschaft für Sicherheitssysteme im elektronischen Datenverkehr GmbH or “A-Trust”). Yet, consumers need to bear in mind that financial advisors could in this way potentially have access to the particular individual’s confidential signature information. The risk of unauthorised third parties accessing confidential pension account information can additionally not be ruled out.

Recommendations when activating the citizen card through financial advisors

As supervisory authority pursuant to the Signature Act, the TKK appreciates the increasing use of the citizen card and the mobile phone signature as a valuable step towards simplifying administration. In order to avoid any potential (even inadvertent) infringement of requirements of the Signature Act or the Data Protection Act, the TKK recommends various precautionary measures in the situation described above:

• When registering for the issue of a qualified certificate, the advisor should in the least provide an overview of the content of the A-Trust security and certification system as well as outline the potential legal implications of an electronic signature created through the use of the certification and the special liability held by A-Trust, providing the customer with a fact sheet containing this information.

• Except for the transaction limit per signature, which can be entered in the certificate, there is no limitation to the use of the qualified certificate. The qualified electronic signature substitutes the personal signature. It can, therefore, also be used to submit, with legal effect, declarations of the kind which are required by law or contract to be submitted in writing (also as specified in general terms and conditions). Exceptions to the above are a consumer’s declaration of suretyship, wills and notarial deeds.

• You must carefully safeguard your e-card if the certificate function is activated. No one besides you must have access to the accompanying signature PIN. When registering for a mobile phone signature, the signature password assigned to your mobile phone must only be known to you, and you should be the only person using the SIM card, as far as possible.

• To protect against misuse of the information stored in your pension account, make sure to log out properly, i.e. using the “Logout” button, immediately after accessing your pension account via a PC.

You can obtain more details relating to the use of a qualified certificate for creating qualified electronic signatures in the fact sheets provided on the A-Trust website at https://www.a-trust.at/docs/belehrung/a-sign-premium/a-sign-premium-Belehrung.pdf (citizen card) and https://www.a-trust.at/docs/belehrung/a-sign-premium-mobile/a-sign-premium-mobile-Belehrung.pdf (mobile phone signature).
More detailed information on the certification services provided by A-Trust can be viewed at http://www.a-trust.at/ATrust/Downloads.aspx, and on the electronic signature in general at https://www.signatur.rtr.at/de/vd/VD.html.