Data protection policy for the CardStudio by Österreichische Post AG

Updated: September 2021

1. Who is in charge of handling your personal data?

1.1 Österreichische Post AG, Rochusplatz 1, 1030 Vienna ("Post", "we", "us") is responsible for adequately protecting your personal data. Österreichische Post complies with all legal provisions about the protection, lawful handling and confidentiality of personal data as well as data safety.

1.2 We process your personal data in accordance with data protection regulations, above all the General Data Protection Regulation (GDPR), the Austrian Data Protection Act, relevant regulations defined in the Postal Market Act and other relevant laws.

1.3 This data protection policy provides information about why and how we process your data when you use our postcard app (hereinafter also referred to as "service"). For general information about data protection at Österreichische Post, please click here.

2. What interest does Österreichische Post have regarding my data and based on which grounds may Österreichische Post process my data?

Performance of a contract and performance steps required prior to entering into a contract: we use your personal data pursuant to Art 6 (1) (b) of the GDPR to create a digital postcard via the postcard app. The postcard is subsequently physically sent to the recipient.
There are two different ways of using Österreichische Post CardStudio. Please find detailed information below:

Use via the Österreichische Post online account: if you have an Österreichische Post online account and if you have used it to log in to our CardStudio, we process your data for the services requested by you. Data will be processed for the following purposes:

a. Recording master data for signing up/registering in the Österreichische Post CardStudio: we use your master data (contact data [i.e., title, first name, last name, e-mail address, telephone number, address] and data relevant for invoicing) from the Österreichische Post online account in order to offer the service so that you can subsequently create a digital postcard or greeting card to be delivered to the recipient.

b. Recording the recipient's address data for sending a postcard or greeting card: we collect the recipient's address data (i.e., the recipient's name and mailing address) so that the postcard or greeting card can be sent to the recipient. 

c. Recording and storing audio and video messages for creating an audiovisual message: the Österreichische Post CardStudio gives users the option of recording video and voice messages that they can then upload to a server. Access data for these audio and video files are encrypted via a QR code and printed on the postcard or greeting card for the recipient to see.

d. Storing photo and content data for creating a personalised message: our Österreichische Post CardStudio allows users to create personalised content and gives them the option of having a photo taken by them printed on the postcard or greeting card. We collect these data (i.e., the text and the photos that will be printed on the postcard or greeting card) so that the customised postcard or greeting card can be created and sent. 

e. Collecting and storing your item data: the status of the postcard or greeting card to be sent is processed and shared using specific item data. For this purpose, we collect the following item data for the postcard or greeting card in question: "card uploaded", "card paid", "card in print", "card printed" and "card sent".

f. Collecting and storing payment data: in order to correctly invoice our services, we collect and store your payment data (e.g., invoice recipient, invoice address, e-mail address, telephone number and order number).

2.1.2 Direct use of the Österreichische Post CardStudio: if you are not signed in via our Österreichische Post online account and use the postcard and/or greeting card app directly, we will process your data for the services requested by you. These services might include:

a. Collecting and storing contact data for signing up/registering for the Österreichische Post CardStudio: we use your contact data (e.g., title, first name, last name, address, e-mail address and telephone number) to offer you the service that subsequently allows you to create a digital postcard and/or greeting card and then send it to the recipient.

b. Collecting the recipient's address data for sending a postcard or greeting card: we collect the recipient's address data (i.e., the recipient's name and mailing address) so that the postcard and/or greeting card can be sent to the recipient.

c. Recording and storing audio and video messages for creating an audiovisual message: The Österreichische Post CardStudio offers users the option of recording video or voice messages that they can subsequently upload to a server. Access data for these audio and video files are encrypted via a QR code and printed on the postcard and/or greeting card for the recipient to see.

d. Storing photo and/or content data for creating a personalised message: the Österreichische Post CardStudio allows you to create personalised content and (optionally) to have a photo created by you printed on a postcard and/or greeting card. We collect these data (i.e., text and/or photos to be printed on the postcard or greeting card) so that we can create and send the customised postcard or greeting card. 

e. Collecting and storing your item data: the status of the postcard or greeting card to be sent is processed and shared using specific item data. For this purpose, we collect the following item information for the postcard and/or greeting card in question: "card uploaded", "card paid", "card in print", "card printed" and "card sent".

f. Collecting and storing payment data: in order to correctly invoice our services, we collect and store your payment data (e.g., invoice recipient, invoice address, e-mail address, telephone number and order number).
 

2.1.3 We can only enter into and perform a contract if we can process your personal data. If you do not provide the required data, we cannot enter into a contract.

2.2 Your data may also be processed in the interest of Österreichische Post or of a third party. This data processing is performed pursuant to Article 6 (1) (f) of the GDPR for the following purposes:
• for the purpose of ensuring system security,
• for the purpose of statistical analyses, provided that these are technically necessary,
• for customer service including complaint management (especially if you have rated your items or submitted a damage report).

For the last purpose mentioned above, we process the following data:
a) the date of the login, 
b) the type of device used, 
c) the operating system used and its version, 
d) the browser used and its version, 
e) item data, status information,
f) personal master data, date of birth, address data and contact information (e.g., e-mail address, telephone number).
 

2.3 Consent: In some cases, we will ask for your consent pursuant to Article 6 (1) (a) of the GDPR. When doing so, we will naturally fully comply with any additional applicable statutory provisions. Especially for the following purposes, Österreichische Post will need your voluntary consent that you can revoke at any time with future effect:
• for us to provide the postcard and/or greeting card app: in order for us to make the Österreichische Post CardStudio service available to users, we rely on technical interfaces. For additional information about technical interfaces, please see item 10.
• for tracking your user behaviour in order to improve our service.
• for sending you push notifications.
• for the use of the camera and audio, video or image data (i.e., video, audio and/or image recordings) on the user's device to create a personalised postcard and/or greeting card.
• for storing GPS and/or location data for the purpose of sharing the specific location on the postcard and/or greeting card. 

For the purposes mentioned above, we process the following data:

a) the date of the login, 
b) the type of device used, 
c) the operating system used and its version, 
d) the browser used and its version, 
e) item data, 
f) personal master data, date of birth, address data and contact information (e.g., e-mail address, telephone number),
g) GPS data (user's country, region and city),
h) video and/or image and audio data (i.e., video, audio and/or image recordings) on the device in question.
 

2.4 Österreichische Post will send you a separate notification before we start processing your data for purposes other than the ones described in this document.

3. With whom are we allowed to share your data?

3.1 Data transmission within the Österreichische Post corporation: we may entrust specific data processing steps to specialised departments or companies within our corporation. We will do that, for instance, to better process your customer data for internal administration purposes.

3.2 External service providers: we comply with statutory and contractual obligations. In a world of labour division, the required data processing work is oftentimes provided by specialised businesses, so-called service providers (data processors). These businesses can provide such services at attractive rates while delivering high quality. Therefore, we transfer your personal data to such businesses in the scope necessary for them to provide the contractually agreed services. Such services include, among others, data storage in secure IT centres, the use of IT services as well as marketing activities. 
Our data processors include IT service providers, printing services, payment services (for payment processing), service providers for customer assistance activities, market research institutes, marketing businesses and advertising agencies. 

3.3 Courts and public authorities: there are some statutory provisions that Österreichische Post can only comply with by sharing your personal data with public authorities (such as prosecuting bodies, supervisory bodies or courts) in the required scope.

3.4 Other recipients: as part of a contractual relationship and especially in relation with our performance duty, in specific cases, we may additionally share your personal data with other parties. Others that may receive data include attorneys. 

4. May your data also be shared with third parties in another country (including outside the EU)?

4.1 Yes, provided that the European Commission has confirmed that this third country has an adequate data protection level and that adequate data protection safeguards exist (e.g. binding in-house data protection provisions or standard EU data protection clauses).

4.2 In exceptional cases, the data may also be shared with a third country with your explicit consent, provided that we have informed you about possible risks associated with the planned disclosure and the lack of adequate data protection guarantees (item 4.1). This is done via technical interfaces that we and third parties may occasionally use to process personal data as well. These third-party providers include Google LLC and Apple Inc which are headquartered in the USA where they process their data. The European Court of Justice has declared the data protection level in the USA to be inadequate. It highlighted the risk of your data being accessed by US authorities for control and surveillance purposes and the fact that no effective legal remedies against this exist. Before we use these technical interfaces and transfer your data to these companies, we will ask you to provide your explicit consent (Article 6 (1) (a) of the GDPR in conjunction with Article 49 (1) (a) of the GDPR) and we will provide detailed information about all data processing (purpose, data categories, and storage period, among others). For specific information about all technical interfaces, please see item 10 of the data protection policy. You can revoke your consent at any time with future effect. In addition, please note that we are working hard to implement (additional) adequate safeguards pursuant to Article 46 of the GDPR as an alternative legal basis for the above-mentioned data transfer. If you do not agree with this, you cannot use the app. In this case, we kindly ask you not to agree and to uninstall the app. Please note that alternatively, you can use our services on post.at.

5. How long will your data be stored?

5.1 As soon as Österreichische Post no longer needs your personal data for the purposes described above, they will be deleted, unless statutory storage periods to the contrary apply.

5.2 The statutory period of prescription pursuant to the Austrian Civil Code is between three and thirty years. During this time period, claims against Österreichische Post may be brought forward. We may keep your personal data as long as necessary depending on the possible claim. As a result of corporation law provisions (e.g. Federal Fiscal Act, Company Act), your contractual data must be stored for at least seven years after the end of the contractual relationship.

5.3 The following data will be deleted after the indicated periods:
a) video and/or image and audio data (i.e., video, audio and/or image recordings) and the QR code: will be deleted after 9 months.

 

6. Is the processing subject to automated decision-making or profiling?

We do not perform automated decision-making including profiling as defined in Article 22 of the GDPR.

7. What rights do you have?

7.1 If you so desire, we will provide information about your personal data that we process at Österreichische Post whenever you like. In addition, in some cases, you also have the right to data portability, meaning that we would give you all personal data you have disclosed to us in a structured, standard and machine processable format.

7.2 Under certain conditions, you can also demand that the processing of your data is limited or that your personal data is rectified or deleted. In addition, you can object to the processing.

7.3 In some of the above-mentioned cases, your consent will give Österreichische Post the right to process your data. You can revoke this consent at any time without the need to state reasons with future effect. Until then, we will lawfully process your data.

7.4 Do you have any questions, suggestions or feedback? In that case, please contact our data protection officer mentioned in item 9. Also, you have the option of filing a complaint with the Austrian Data Protection Authority: Österreichische Datenschutzbehörde, Barichgasse 40-42, 1030 Vienna.

8. Your right to object

As a data subject, you have the right to object to the use of your data if the processing serves the purpose of direct marketing. In addition, you have the right to object if reasons arise for you to do so as a result of your particular situation. If you would like to object, please go to our website at datenschutzanfrage.post.at or write to Postkundenservice, Bahnsteggasse 17-23, 1210 Vienna.

9. Contact us

To contact the data protection officer of Österreichische Post, please visit dataprotection or write to Postkundenservice, Bahnsteggasse 17-23, 1210 Vienna. For any other inquiries, please use our contact form at post.at/otherinquiries.

10. Legal information and information about technical interfaces

10.1 General information: the information provided in the Österreichische Post CardStudio is for informational purposes only. We take great care to ensure that all information is correct and complete. However, we cannot exclude that unintentional or incidental mistakes will occur.

Österreichische Post accepts no liability or guarantee for the information provided. Above anything, Österreichische Post does not guarantee that all information can be displayed using any software or hardware configuration, that the information is up-to-date, secure and free from mistakes, that it meets your expectations and/or that it is permanently available. Also, Österreichische Post does not guarantee that its Österreichische Post CardStudio and auxiliary systems (e.g. servers) are free from viruses. In addition, Österreichische Post reserves the right to complement or change the information in its CardStudio without prior notification.

Österreichische Post shall not be liable for incorrect or missing information, especially not for (hyper)links and other content that is either directly or indirectly used in the CardStudio or that are accessible from it. All decisions based on information provided by Österreichische Post in its CardStudio are the sole and only responsibility of the user.

In addition, Österreichische Post accepts no liability for immediate/specific damage or consequential damage or other damage of any kind that may result in any way from the direct or indirect use of provided information (including hyperlinks).

All above-mentioned provisions also apply to software that can directly or indirectly be accessed or used in the CardStudio by Österreichische Post AG. If third-party software is accessed via (hyper)links, the rules of the provider in question shall apply.

10.2 Copyright: the structure and content of the Österreichische Post CardStudio are protected by copyright. Any use or reproduction of images or text is subject to prior written consent by Österreichische Post. It is explicitly prohibited to use marks (e.g. trademarks, logos).

10.3 Use of technical interfaces (so-called software development kits, hereinafter referred to as "SDK"): for the Österreichische Post CardStudio, we rely on different technologies to make the CardStudio more user friendly. A software development kit (SDK) is a collection of software development tools in one installable package. SDKs facilitate the creation of applications by providing a compiler, a debugger and perhaps a software framework. They are normally specific to a hardware platform and operating system combination. The following SDKs are used for the Österreichische Post CardStudio:

Firebase Analytics: we use the Firebase Analytics service by Google to create analysis reports and user analyses. When this service is used, data (IP address) are processed and shared with the provider (Google).

(Android only) Google Play Core: we use the Google Play Core services by Google to display update notifications in the app. When this service is used, data (IP address) are processed and shared with the provider (Google).

Install Referrer: we use the Install Referrer service by Google to identify the origin of a verification. When this service is used, data (IP address) are processed and shared with the provider (Google).

(iOS only) MessageUI: we use the MessageUI service by Apple to send e-mails from the app in the case of support requests. When this service is used, data (IP address) are processed and shared with the provider (Google).

 

11. Changes or complements

We reserve the right to change or complement the information provided at any time and without prior notification. If certain parts or specific passages are found to be invalid, to have become invalid or are not fully valid, the content and validity of the rest of the document shall remain unaffected.