
Österreichische Post AG's Data Protection Policy

Updated: December 2022
 

1. What information is available on this page?
Österreichische Post AG ("Austrian Post", "we", "us") processes your personal data exclusively in accordance with the provisions of data protection law, in particular the General Data Protection Regulation (GDPR), the Austrian Data Protection Act, the Austrian Postal Market Act, and all other applicable laws.

On this page, you will find information about data processing that concerns our entire company. This document includes the following sections:

  • To whom is this information addressed? (item 2)
  • Who is responsible for processing your data? (item 3)
  • Information about possible data processing (item 4), in particular
    • the video surveillance systems in our company buildings and branches (4.1)
    • data protection management and handling legal proceedings (4.2 to 4.3)
    • managing image, sound and video recordings for marketing purposes (4.4)
    • accounting and bookkeeping (4.5)
    • corporate compliance and Corporate Social Responsibility (4.6 to 4.10)
    • data and organisation management (database maintenance, real estate, vehicles, IT maintenance, statistical purposes) (4.11 to 4.19)
    • press relations (events, external communication – 4.20 to 4.22)
    • address broker business (4.23)
  • With whom are we allowed to share your data? (item 5)
  • Automated decision-making and profiling (item 6)
  • What rights do you have? (item 7)
  • How can you get in touch with us? (item 8)
  • Information about cookies (item 9)
  • Legal notice (item 10)

If you are looking for information on specific postal products or services such as mail and parcel delivery, advertising and marketing or business customer relations, you will find it in the selection field on the right-hand side.
If you need printed copies of the information provided on this page or on additional pages, please contact the staff at our service locations.

2. To whom is this information addressed?
The information that you will find on this page is addressed to interested parties, customers, suppliers, and business partners.

If you are a business partner of Austrian Post, you will find further information for business partners in the selection field on the right-hand side.

When you apply to Austrian Post, we will inform you at the beginning of the application process in which form we process your personal data. You will find the related information in the selection field on the right-hand side of this page. The latest version of this policy is always available on the Intranet under Employees/data protection and on our information board.

3. Who is responsible for processing your data?
The responsible party for all processing described in the data protection policy available on this page is

Österreichische Post AG
Rochusplatz 1
1030 Vienna
Austria

4. Information about possible data processing
4.1. Video surveillance and recording at Austrian Post facilities
We may process your data in the context of video surveillance and recording at our branches, our administrative buildings including the "Post am Rochus" shopping centre as well as in our mail and parcel distribution centres and delivery bases for the purpose of self-protection and the prevention, control, and clarification of criminally relevant conduct. The video material is only viewed and, if necessary, transmitted to public bodies such as authorities if there is the need to do so.

Which of your data can we process for this purpose?
Video recordings

What is the legal basis for this processing?
The legal basis for this processing is our legitimate interest (Art. 6 (1) (f) of the GDPR) in the self-protection of our administrative buildings and branches as well as in the prevention, control, and clarification of criminally relevant conduct, insofar as this affects our area of responsibility.

How long can your data be stored?
Your data will be stored for the purpose of video surveillance and recording

  • for a maximum of 72 hours after recording in our administrative buildings
  • for a maximum of 4 months after recording at our delivery bases
  • for a maximum of 3 months after recording at our branches

In individual cases, the data may be stored for a longer period of time if it is necessary to transfer it to an authority (no longer than 1 year from recording in the case of administrative buildings).

With whom are we allowed to share your data?
For the purpose of video surveillance and recording in our administrative buildings, your data may be transferred to the following categories of recipients:

Processors
Public authorities

Other information about this processing:
You are under no contractual or legal obligation to provide your data for video surveillance and recording in our administrative buildings. All monitored areas are marked.

4.2. Data protection management
We process your data as part of our data protection management (data subject rights and possible data protection incidents) in order to comply with our legal obligations regarding the security of your personal data and the prompt and proper processing of your data subject rights.

Which of your data can we process for these purposes?
For data subject rights: address data, identification data, contact data, attendance data, employment contract/financial status, marketing data, usage data, personal master data, payment data.
In the case of data protection incidents, depending on the scope of the incident, all categories of data affected by the incident may be relevant.

What is the legal basis for this processing?
The legal basis is our legal obligation (Art. 6 (1) (c) of the GDPR) under the General Data Protection Regulation:

  • to document data protection incidents and, if necessary, to report them to the data protection authority or the data subjects within 72 hours in accordance with Art. 33 and 34 of the GDPR;
  • the obligation to receive data subject rights according to Art. 12 to 22 of the GDPR and process them in a timely manner.
  • Special categories of personal data are additionally processed on the basis of Art. 9 (2) (f) of the GDPR, insofar as the processing is necessary for the establishment, exercise, or defence of legal claims.

How long can your data be stored?
For the purpose of managing data protection incidents and data subject rights, your data will be stored for a maximum of 3 years and one month from receipt of the request or notification of the data protection incident.

With whom are we allowed to share your data?
For the purpose of data protection incident management, your data may be disclosed to the following categories of recipients:

Public authorities
Data protection officer

For the purpose of the management of data subject rights, your data may be disclosed to the following categories of recipients:

Processors
Data protection officer

Other information about this processing:
If you provide us with no data or insufficient data to respond to data subject rights, we will not be able to respond to your requests.

4.3. Handling of legal matters and disputes and investment management
We process your data when handling legal matters and disputes in order to benefit from the full scope of legal advice provided to Austrian Post as well as to avoid and defend against legal claims.

Which of your data can we process for this purpose?
Address data, identification data, contact data, attendance data, personal master data, payment data, document content data

What is the legal basis for this processing?
The legal basis is our legitimate interests in asserting our legal claims and positions and/or in being able to exercise our rights as parties in legal proceedings.

How long can your data be stored?
As a general rule, your data collected for the purpose of handling legal cases and disputes will be stored for a maximum of 3 years. Judicial or administrative decisions and related files may be stored for up to 30 years for documentation and research purposes.

With whom are we allowed to share your data?
For the purpose of handling legal cases and disputes, your data may be disclosed to the following categories of recipients:

Public authorities
Notaries, tax advisors, and lawyers

4.4. Management of image, sound, and video recordings for marketing purposes
We may process your data as part of the management of image, sound, and video recordings, using the material created for marketing and promotional purposes and for editorial coverage. The use for advertising purposes relies on your granting rights to us and our providing precise information about the purpose and recipients to you.

Which of your data can we process for this purpose?
Personal master data, address data, identification data, image and video material including sound recordings

What is the legal basis for this processing?
The legal basis for this processing is

  • The granting of rights, which we conclude with you where appropriate (Art. 6 (1) (b) of the GDPR),
  • and our legitimate interest (Art. 6 (1) (f) of the GDPR) in the recording of images, sound and video for editorial reporting or in the central, legally compliant management of all image, sound, and video material.

How long can your data be stored?
If you agree to grant rights to us, you will find detailed information about the storage period of the created images in the agreement. As a general rule, depending on the category, we may store your data collected for the purpose of marketing and promotional activities for a maximum of 10 years from the creation of the images.

With whom are we allowed to share your data?
If you agree to grant rights to us, you will find detailed information about the recipient of the created images in the agreement. As a general rule, for the purpose of managing image, sound, and video material, your data may be transferred to the following categories of recipients:

Processors
Photographers
Graphic designers

Other information about this processing:
If you do not provide the aforementioned data, we cannot enter into an agreement with you.

4.5. Accounting and bookkeeping
We may process your data for accounting and bookkeeping purposes in order to manage payment transactions, including incoming and outgoing group documents.

Its purpose is liquidity planning, financing, monitoring payment transactions and bank accounts, and ensuring the group's solvency.

Which of your data can we process for these purposes?
Personal master data, identification data, contact data, payment data, document content data, contract data, log data, usage data

What is the legal basis for this processing?
The legal basis for this processing is our legitimate interest in efficiently managing the company's cash flows and preventing a payment deficit (Art. 6 (1) (f) of the GDPR).

How long can your data be stored?
Your data used for the aforementioned purpose may be deleted within a time frame of 7 years starting at the end of the calendar year to which they relate, depending on the category.

With whom are we allowed to share your data?
For the aforementioned purpose, your data may be disclosed to the following categories of recipients:

Processors

Your data may also be transferred outside the EU or EEA, specifically to Switzerland, the United Kingdom, and Canada. Switzerland, the United Kingdom and Canada have been confirmed by the EU Commission as having an adequate level of data protection.

4.6. Investigation service
Austrian Post's investigation service investigates suspected criminal acts by Austrian Post employees, partners, suppliers and, if necessary, customers for clarification and preventive purposes. Data processing takes place in the course of investigations and follow-up treatment.

Which of your data can we process for this purpose?
Address data, absence data, identification data, contact data, usage data, personal master data, payment data, any special data, and criminally relevant data.

What is the legal basis for this processing?
The legal basis for this processing is

  • our legal obligation pursuant to Section 82 of the Austrian Stock Corporation Act to implement an internal control system (Art. 6 (1) (c) of the GDPR);
  • as well as our legitimate interest in establishing, exercising, and defending legal claims (Art. 6 (1) (f) and Art. 9 (2) (f) of the GDPR).

How long can your data be stored?
Depending on the category, your data collected for the purpose of the investigation service is generally deleted within one month of the internal investigation being stopped or of the final conclusion of any legal proceedings; at the latest, your data will be deleted within 3 years from the start of the internal investigation, unless a pending case lasts longer.

For investigation purposes, your data may be transmitted to the following categories of recipients:

Courts, prosecutors, and police
Processors

4.7. Cash audits
For the purpose of ensuring the correctness of accounting, we carry out cash audits at postal branches, delivery bases, hand cash registers, philatelic services, and Post Partners, among others. Personal data are collected in the process.

Which of your data can we process for this purpose?
personal master data, contact data, identification data, usage data, attendance data

What is the legal basis for this processing?
The legal basis for this processing is our legitimate interest pursuant to Art. 6 (1) (f) of the GDPR in the correctness of transactions and in the prevention of irregularities.

How long can your data be stored?
For the purpose of cash audits, your data will be stored for a maximum of 10 years from the date of the report, depending on the category.

For cash audit purposes, your data may be transmitted to the following categories of recipients:

Public authorities
Affiliated group companies
Processors

4.8. Internal audits
We may process your data as part of our internal auditing activities. Internal and IT auditing provide independent and objective auditing and consulting services based on the rules of procedure for group auditing.

Which of your data can we process for this purpose?
Address data, contact data, personal master data, identification data, attendance data, usage data, generally special data, payment data, data relevant under criminal law

What is the legal basis for this processing?
The legal basis for this processing is

  • the fulfilment of legal obligations pursuant to Art. 6 (1) (c) as well as Section 82 of the Austrian Stock Corporation Act, Article 22 (1) of the Austrian Act on Limited Liability Companies, Section 243a (2) of the Austrian Stock Corporation Act (internal control and audit systems);
  • as well as our legitimate interest in establishing, exercising, and defending legal claims (Art. 6 (1) (f) and Art. 9 (2) (f) of the GDPR).

How long can your data be stored?
For the purpose of internal auditing, your data will be stored for 10 years from the date the reports were sent, depending on the category.

For internal auditing purposes, your data may be transmitted to the following categories of recipients:

Processors
Public authorities (Court of Auditors)
Tax auditors
Affiliated group companies

4.9. Group insurance management
We process your data within the framework of group insurance management, for the purposes of concluding and maintaining insurance contracts, fulfilling legal obligations and for risk protection as well as to properly process insurance claims.

Which of your data can we process for this purpose?
Address data, contact data, personal master data, general special data (such as image records, document content data), identification data, health data, payment data, and data relevant under criminal law.

What is the legal basis for this processing?
The legal basis for this processing is

  • our legal obligation pursuant to the Austrian Insurance Contract Act, the Austrian Social Security Act, the General Social Security Act for the processing of insurance claims, conclusion and maintenance of insurance contracts (Art. 6 (1) (c) of the GDPR);
  • our legitimate interest pursuant to Art. 6 (1) (f) of the GDPR in the risk coverage for Austrian Post in cases of damage.

How long can your data be stored?
For the purpose of insurance management, your data will be stored for 3 years from the final settlement of any proceedings and/or from the expiry of our legal claims, depending on the category. Contract documents can be kept for up to 7 years.

With whom are we allowed to share your data?
For the purpose of insurance management, your data may be transmitted to the following categories of recipients:

Courts and public authorities
Lawyers/notaries
Experts
Social security institutions
Insurance brokers
Insurance companies

4.10. Environmental management
We may process your data as part of our environmental management. The purpose of data processing is to fulfil the obligations of the Austrian Sustainability and Diversity Improvement Act as well as to safeguard Austrian Post's reputation as a responsible and sustainable company.

Which of your data are we allowed to process for this purpose?
Personal master data, contact data, address data

What is the legal basis for this processing?
The legal basis for this processing is

  • our legal obligation pursuant to Section 11 of the Austrian Waste Management Act, Section 1 and 2 of the Austrian Sustainability and Diversity Improvement Act about environmental management and the preparation of sustainability reports (Art. 6 (1) (c) of the GDPR);
  • our legitimate interest pursuant to Art. 6 (1) (f) of the GDPR in safeguarding the reputation of Austrian Post as a responsible and sustainable company.

How long can your data be stored?
For the purpose of environmental management, your data will be deleted within 10 years of publication of the sustainability report at the latest, depending on the category.

For the purpose of environmental management, your data may be transmitted to the following categories of recipients:

Processors

4.11. Data governance
We may process your data as part of our data governance activities in order to continuously check data for their data quality (in particular with regard to up-to-datedness, consistency, correctness) and to adjust them if necessary. For that purpose, we use adequate software and analysis processes to eliminate duplicates, among others. To improve data quality, these processes may also rely on statistical and non-personal data (e.g., provided by Statistics Austria).

Which of your data can we process for this purpose?
For this purpose, we may process data from various Austrian Post systems, insofar as these need to be checked for quality on an ongoing basis.

What is the legal basis for this processing?
The legal basis for this processing is our legitimate interest (Art. 6 (1) (f) of the GDPR) to increase the transparency of data management (data catalogue) and of data flows, as well as our legitimate interest in the centralised quantification of data quality.

How long can your data be stored?
As long as the verified data are present in our data files, they can be processed as part of our data governance activities.

With whom are we allowed to share your data?
For the aforementioned purpose, your data may be shared with the following categories of recipients:

Processors

4.12. Historical research
We may process your data in the course of historical research for the purpose of responding to requests for historical data received by Austrian Post (excerpts from books, registers, newspaper articles, etc.), or borrowing historical items.

Which of your data can we process for this purpose?
contact data, personal master data, address data, other documents, contract content

What is the legal basis for this processing?
The legal basis for the aforementioned processing is

  • the contract for borrowing historical materials (Art. 6 (1) (b) of the GDPR) that we have signed with you or that we might sign;
  • our legitimate interest (Art. 6 (1) (f) of the GDPR) in the proper processing of requests for historical research.

How long can your data be stored?
For the aforementioned purpose, your data may be stored for a maximum of 3 years from the last contact.

4.13. Access systems at group properties
We may process your data as part of our access systems to our group properties to ensure controlled access to buildings / sensitive premises as well as to demarcated protection zones for the purpose of self-protection. Visitor information is recorded in the reception book.

Which of your data can we process for this purpose?
Contact data, personal master data, attendance data, identification data, usage data

What is the legal basis for this processing?
The legal basis is our legitimate interests (Art. 6 (1) (f) of the GDPR) to effectively ensure controlled access to our buildings and sensitive premises.

How long can your data be stored?
As a general rule, your data can be stored for this purpose for a maximum of 1 month after you leave the respective building. If you have received a personalised access card, the data processed for it will be deleted no later than 6 months after the card has been returned.

With whom are we allowed to share your data?
For the aforementioned purpose, your data may be shared with the following categories of recipients:

Processors
Public authorities

Your data may also be transferred to processors outside the EU or the EEA, specifically in Switzerland. The European Commission has declared the data protection level in Switzerland to be adequate.

Other information about this processing:
If you do not provide the aforementioned data, you will not be able to enter our buildings and other properties.

4.14. Management of our properties: registration of prospect data and data about real estate sales and rentals
We may process your data for managing property sales or rentals. This includes the collection of prospect data: interested parties can express their interest online or by e-mail/telephone and can subsequently be registered as prospects for the object of interest and receive information about the property. If the sale or rental takes place, we may process your data for precontractual measures as well as the conclusion of the contract.

Which of your data can we process for these purposes?
Address data, contact data, personal master data, payment data, financial status, contract content, document content data

What is the legal basis for this processing?
The legal basis for the aforementioned processing operations is

  • the contract for the rental/sale of properties (Art. 6 (1) (b) of the GDPR), which we have concluded with you or that we might conclude with you.
  • our legitimate interests in the proper management of our properties as well as of our prospect data (Art. 6 (1) (f) of the GDPR).

How long can your data be stored?
For property sales and rentals, your data may be stored for up to 30 years from the conclusion of the sales process and for up to 3 years from the final contact in the case of prospect management.

With whom are we allowed to share your data?
Your data may be disclosed to the following categories of recipients for the purpose of managing our properties:

Processors
Lawyers/notary/tax advisors 
Public authorities

Other information about this processing:
If you do not provide the aforementioned data, it will not be possible to conclude a contract for real estate purchases / rentals.

4.15. Real estate construction and development
We may process your data in the course of real estate construction and development. For real estate construction, the necessary documents are sent to the relevant building authorities. Real estate development includes the management of Österreichische Post AG's real estate portfolio, especially the conclusion and maintenance of contracts with service providers as well as managing their contact information and processing and documenting bills and invoices.

Which of your data may we process for these purposes?
Address data, contact data, personal master data, identification data, payment data, financial status, organisational unit, contract content, document content data

What is the legal basis for this processing?
The legal basis for the aforementioned processing is

  • the contract in the context of real estate construction and development (Art. 6 (1) (b) of the GDPR) which we have concluded with you or could potentially conclude;
  • our legitimate interests in the proper management of our properties;
  • our legal obligation (Art. 6 (1) (c) of the GDPR) pursuant to the respective regional building code to transmit data to the competent building authorities to the extent necessary.

How long can your data be stored?
Your data can be stored in the context of real estate development as well as real estate construction up to 7 years from the end of the calendar year in which the contract expired or the last bookings were considered in the balance sheet.

With whom are we allowed to share your data?
For the purpose of managing our properties, your data may be disclosed to the following categories of recipients:

Processors
Lawyers/notary/tax advisors 
Public authorities

4.16. Management of lost property
In the context of the management of lost and found property, we process your data for the purpose of storing and retrieving undeliverable items and other lost property.

Which of your data can we process for this purpose?
personal master data, address data.

What is the legal basis for this processing?
The legal basis for this processing is the protection of our legitimate interests (Art. 6 (1) (f) of the GDPR) for the purpose of storage and retrieval of undeliverable items.

How long can your data be stored?
Your data collected for the purpose of item inquiry will be deleted no later than 1 month after the inquiry was made, depending on the category.

4.17. Fleet marketing
We process your data in the context of the sale of vehicles for the purpose of managing vehicle marketing.

Which of your data can we process for this purpose?
personal master data, identification data, address data, contact data, usage data

What is the legal basis for this processing?
The legal basis for this processing is

  • the contract for the sale of vehicles (Art. 6 (1) (b) of the GDPR);
  • as well as the protection of our legitimate interests (Art. 6 (1) (b) of the GDPR) to process the sale of vehicles.

How long can your data be stored?
Your data collected for the aforementioned purpose will be deleted at the latest within 7 years after the end of the calendar year in which the contract was concluded, depending on the category.

Other information about the processing:
If you do not provide the aforementioned data, we will not be able to conclude a contract for the purchase of a vehicle.

4.18. IT maintenance
We may process your data in the context of IT operations maintenance and control to be able to ensure the operational and administrative support of the IT applications and IT systems of Österreichische Post AG.

What is the legal basis for this processing?
The legal basis for this processing is our legitimate interest (Art. 6 (1) (f) of the GDPR) for IT operational maintenance and control.

How long can your data be stored?
Depending on the category, your data will be overwritten within 60 days of the generation of back-up or log data for the purpose of IT maintenance. 

With whom are we allowed to share your data?
Your data may be transferred to the following categories of recipients for the purpose of IT maintenance:

Processors

Your data may also be transferred outside the EU or EEA to Switzerland, the UK, Japan, the USA, Australia and India for the purpose of providing IT service and support. Switzerland, the UK and Japan have been confirmed by the EU Commission as having an adequate level of data protection.

Australia, India and the USA have not been confirmed by the EU Commission as having an adequate level of data protection. In these cases, the security of your personal data is ensured by concluding EU standard data protection clauses (appropriate guarantee pursuant to Art. 46 of the GDPR) after a documented case-by-case review. These are available upon request at post.at/otherrequestsdataprotection.

4.19. Anonymization for statistical purposes
As part of the processing described on this page, we may anonymize your data in order to generate statistics. For this, we remove any personal reference, so that the resulting data do not allow any inference about you as a person.

4.20. External communication & press relations
We may process your data within the scope of external communications and press relations in order to provide information about Austrian Post for radio, television, press, Internet, and social media. The content is made available to the media in Austria but is also available to users worldwide. This includes information on the company's economic activities and performance as well as comments on various reports in different media. In addition, the company places its own targeted messages in the media.

Which of your data can we process for this purpose?
personal master data, image and call recordings, attendance data, contact data

What is the legal basis for this processing?
The legal basis for this processing is

  • our legitimate interest (Art. 6 (1) (f) of the GDPR) in external communication and press relations or your express consent (Art. 9 (2) (e) of the GDPR), which we obtain where needed in accordance with the law;
  • or the contract (service contract) (Art. 6 (1) (b) of the GDPR) that we have concluded with you.

How long can your data be stored?
Your data processed for the purpose of external communication and press relations will be deleted no later than 3 years after the last contact, depending on the category.

With whom are we allowed to share your data?
For internal information management purposes, your data may be transmitted to the following categories of recipients:

Print media
Online media
Media index

Other information about this processing:
You are under no contractual or legal obligation to provide your data for the purpose of external communication and press relations.

4.21. Stakeholder management
We may process your data as part of stakeholder management activities to conduct targeted lobbying activities with public decision makers.

Which of your data can we process for this purpose?
personal master data, image and sound recordings, contact data, document content data

What is the legal basis for the processing?
The legal basis for this processing is our legitimate interest (Art. 6 (1) (f) of the GDPR) to conduct stakeholder management and lobbying activities.

How long can your data be stored?
For the purpose of stakeholder management, your data will be stored for a maximum of 3 years after initial contact, depending on the category.

With whom are we allowed to share your data?
For stakeholder management purposes, your data may be transmitted to the following categories of recipients:

Processors
Lobbying registers

Other information about this processing:
You are under no contractual or legal obligation to provide your data for the purpose of stakeholder management.

4.22. Event organisation
We may process your data when organizing events.

Which of your data can we process for this purpose?
personal master data, address data, contact data, identification data, image and sound recordings, information about allergies

What is the legal basis for this processing?
The legal basis for this processing is

  • our legal obligation (Art. 6 (1) (c) of the GDPR);
  • our legitimate interest (Art. 6 (1) (f) of the GDPR);
  • or the contract according to Art. 6 (1) (b) of the GDPR that we have concluded with you.

How long can your data be stored?
For the purpose of organising events, your data will be stored for a maximum of 7 years, depending on the category.

With whom are we allowed to share your data?
Your data may be transferred to the following categories of recipients for the purpose of organising events:

Processors
Other external recipients

In doing so, we may also use a processor in the US to conduct surveys, to which the IP address of the participating device and the survey results may be transmitted. You can give your express consent to the transfer in accordance with Art. 49 (1) (a) of the GDPR in the context of the respective event.
The European Court of Justice has declared the data protection level in the USA to be inadequate. It particularly highlighted the risk of your data being accessed by US authorities for control and surveillance purposes and the fact that no effective legal remedies against this exist.
In these cases, the additional security of your personal data is guaranteed by the application of EU standard data protection clauses (appropriate safeguards according to Art. 46 of the GDPR) after a documented case-by-case assessment. These are available upon request at post.at/otherrequestsdataprotection.

Other information about this processing:
You are under no contractual or legal obligation to provide your data.
If you do not provide the aforementioned data, you cannot participate in our events.

4.23. Address Data
We process address data as part of our Address Data product to ensure that postal addresses are up to date for reference purposes. We make sure that at no time a connection to a natural person exists or is made.

Which of your data can we process for this purpose?
address data, marketing data

What is the legal basis for this processing?
The legal basis for this processing is our legitimate interest (Art. 6 (1) (f) of the GDPR) to prepare address data in a standardised manner for reference purposes.

How long can your data be stored?
The data in question will be deleted no later than 1 month after the generation process.

5. With whom are we allowed to share your data?
Below, you will find information about the general categories of recipients of Austrian Post. In addition, under item 4 ("Information about possible data processing"), you will find the categories of recipients to whom data may be transmitted in the context of a specific processing. A list of possible recipients and categories of recipients of Austrian Post is available here: LIST

5.1. External service providers (processors)
We comply with statutory and contractual obligations. In an economy based on the division of labour, the required data processing work is often provided by specialised businesses, so-called service providers (processors). These businesses can provide such services at attractive rates while delivering high quality. Therefore, we transfer your personal data to such businesses to the extent necessary for them to provide the contractually agreed services.
These services may include data storage in secure computer centres, printing invoices and advertising material, postcards, photos and digitising contracts or invoices (creating a digital, non-editable image).
Our data processors include Post Partners, IT service providers, service providers for customer assistance activities, marketing businesses and advertising agencies.
We perform in-depth audits on all our processors on a regular basis.

5.2. Public bodies and institutions
In order to maintain its operations and fulfil all its legal obligations, Austrian Post must transmit personal data to authorities (such as social security agencies, tax authorities or law enforcement agencies, supervisory authorities, customs authorities, health authorities) and other institutions (e.g., commissions) as well as courts to the extent required.

5.3. Other external recipients
As part of a contractual relationship, especially in connection with our performance obligations or in the case of legal disputes, we may in specific cases additionally share your personal data with, e.g., other postal service providers (e.g., UPU, IPC), freight forwarding companies, physicians, hospitals, insurance companies and brokers, experts, attorneys, interest groups, address brokers and direct marketing companies, banks and capital investment firms, CPAs, consultants (especially tax experts), subsidy granting bodies, shareholders, investors, and external payment providers.
In addition, as part of our address broker activities, we may forward your data to advertising companies. These include companies that provide mail-order or retail services, financial service providers and insurance companies, IT and telecommunication companies and utilities as well as associations such as charities and NGOs.

5.4. Data transmission within the Österreichische Post group
We may entrust specific data processing steps to specialised departments or companies within our group. We will do that, for instance, to better process your customer data for internal administration purposes. A list of our affiliated companies is available here: Holdings

5.5. Data transfer outside the EU or EEA
In individual cases, your data may be transferred to a country outside the EU or the EEA ("third country") if this third country has been confirmed by the European Commission to have an adequate level of data protection or if other suitable data protection safeguards are in place (e.g., binding internal company data protection regulations or EU standard data protection clauses only if they include a documented case-by-case review of the adequacy of the level of protection).
In the section "Information about possible data processing" (item 4), you will find information on whether such a transfer outside the EU or the EEA takes place in the context of a particular processing.

6. Automated decision-making and profiling
No automated decision-making or profiling pursuant to Art. 22 (1) and (4) of the GDPR is performed in the data processing by Austrian Post described on this page.

7. What rights do you have?
You have the right of access to your personal data that we process as a controller. For more information, please refer to Article 15 of the GDPR.

Under certain conditions, you may request the restriction of processing as well as the rectification and deletion of your personal data. For more information, please refer to Articles 16 to 19 of the GDPR.

In addition, under certain conditions, you also have the right to data portability, meaning that we would give you all personal data you have disclosed to us in a structured, standard, and machine-processable format. For more information, please refer to Article 20 of the GDPR.

As a data subject, you have the right to object to the use of your data if the processing serves the purpose of direct marketing. In addition, you have the right to object at any time to the processing of your data carried out in the legitimate interests of Austrian Post or third parties if reasons arise from your specific circumstances. For more information, please refer to Article 21 of the GDPR. The processing of your personal data may be based on your consent pursuant to Art. 6 (1) (a) of the GDPR. You can revoke this consent at any time without giving reasons with future effect; until then, we will process your data lawfully.

For information about the legal basis of our data processing, please see item 4 ("Information about possible data processing").

Would you like to exercise your rights or do you have further questions, suggestions, or feedback? In this case, please go to item 8 ("How can you get in touch with us?") and contact the indicated person.

In addition, you have the option of filing a complaint with the Austrian Data Protection Authority:

Austrian Data Protection Authority,
Barichgasse 40-42,
1030 Vienna
Austria

Telephone: +43 1 52 152-0
E-mail: dsb@dsb.gv.at

8. Contact us
To contact the data protection officer of Österreichische Post or to exercise your rights, please visit post.at/dataprotectioninquiry or write to

Postkundenservice,
To the attention of the Data Protection Officer
Bahnsteggasse 17-23,
1210 Vienna
Austria

or to the e-mail address team-datenschutz@post.at.

To ensure that your request to exercise your data protection rights is complete and can be assigned and processed properly in our databases, we require the following information in every case:

  • Description of your request
  • First name, last name
  • Date of birth (especially to exclude similarities of names in connection with processing your request)
  • Postal address
  • E-mail address (in so far as you have provided an e-mail address to Austrian Post in connection with a service or in order to contact Austrian Post)
  • Legible copy of a valid photo ID (e.g. driver's license, ID card, passport) or a digitally signed request, e.g. cell phone signature
    (no photo ID or digital signature is required when exercising the following rights:
    "Withdrawal of consent/objection for advertising purposes" and "Erasure of data for third-party marketing purposes").

Your request will be processed based on the data you provide in the contact form. Please pay attention to the correctness of your data, especially to the usage of hyphens, commas, spaces etc. in your name and address.

9. Use of cookies
Several parts of our websites rely on cookies and similar technologies (hereinafter referred to as "cookies"). They make our offer more user-friendly and more efficient.

Cookies are small text files that are saved on your computer or smartphone and that your browser will store. They usually provide information about what pages/parts of our website were visited by users and can, among others, save user settings so that returning users will be recognised and do not have to log in again. Also, they allow for the targeted displaying of information to users as well as the analysis of website views.

Our business partners, so-called cookie providers, may also place cookies on our websites. These are used to improve our own products and services as if we had placed these cookies ourselves. For instance, to understand how our websites are used, we work with analysis partners including Google and Facebook (for additional information, please see item 9.4). However, cookie providers may also rely on cookies used on our websites for their own purposes, e.g., to place (their own or third-party) advertising on our websites and to measure their effectiveness. In such case, Österreichische Post has no influence on the purpose and means of the cookie-based data processing while also not benefiting from this data processing. Cookies from such third-party providers may fall into the cookie categories listed under item 9.1.

9.1. Cookie settings and management, legal basis
Technically required cookies (functionally necessary cookies) may be placed on our websites even without your consent, pursuant among others to Section 165 of the Telecommunications Act and because of our legitimate interest (providing a functional online service offer) pursuant to Article 6 (1) (f) of the GDPR. For all other cookies, you can actively accept or reject the use of performance cookies and cookies for marketing purposes before they are placed.

To that effect, we have created a cookie consent management tool that displays a cookie banner with additional information about the cookies we use (especially name, purpose, lifespan, provider) when you access the website in question for the first time. Via this cookie banner, you have the option of generally agreeing to the use of cookies or of making a more detailed selection depending on the cookie category. You can even select specific cookies or cookie providers within a specific cookie category. You can change your consent or selection at any time by going to "Edit cookie settings" in the cookie consent management platform. If, after you have provided your consent, more cookies or cookie providers are added, the cookie banner will be displayed once again and you will be able to make your selection. In the cookie consent management tool, all cookie providers are listed individually and links to their privacy policies are provided. These policies include additional information, including, without limitation, information about additional options for deactivating these cookies.

After you have given your consent and made your selection, you can revoke or change these "cookie settings" at any time by going to the cookie management platform (on post.at: at the bottom of the Website).

If you have activated an ad blocker in your browser, it will also affect the behaviour of the cookie banner. The ad blocker prevents cookie banners from being displayed and you can configure individual cookies by going to "Edit cookie settings". Provided that the ad blocker is enabled, only required cookies are set, without which the website would not function properly. To see detailed information about required cookies, you would need to disable the ad blocker for this purpose.

In addition, you have the option of going to your browser settings to determine whether you want to allow cookies or not. Your device might also allow you to manage your cookies. To learn how this works, please see the user manual provided by the manufacturer of your device.

If users opt out of storing cookies, certain functions of the website might not be available.

9.2. Additional information about the advertising functions of Google Inc.
Once we have understood what is important to you and what you are interested in, we can show you relevant and helpful information. To place and manage our ads, we rely on Google Display & Video as well as Google Adwords (Google Ads).

We use the services of Google Ads to place advertising (so-called Google ads) on external websites and highlight our attractive offerings. By linking the data to the advertising campaign, we can determine how successful specific advertising efforts have been. In doing so, we strive to show you advertising that is relevant to you, to make our website more interesting for you and to reach a fair calculation of advertising costs.

These advertising materials are delivered by Google via so-called "Ad Servers". We use Ad Server cookies which measure certain success parameters, including how many times the ads were shown and how many clicks they obtained from users. Provided that you have accessed our website via a Google ad, Google Ads will place a cookie on your device. Such cookies are usually valid for 30 days only and are not used to identify you personally. However, specific users can be grouped via browser recognition.

If you have registered for one of the services provided by Google, Google can link your visit to your account. Even if you have not registered or logged on, the service provider might obtain information about our IP address and save it.

After you have given your consent and made your selection, you can revoke or change these "cookie settings" at any time by going to the cookie management platform.

9.3. Additional information about Google Remarketing
In addition to Google Adwords, we use an application called Google Remarketing. This is a procedure that we use to target you once again. This application allows us to display our ads on your device after you have visited our website and continue using the Internet. This is done via cookies saved on your browser. These cookies allow Google to identify and analyse your user behaviour when you access different websites. This is how Google can determine that you have previously visited our website. According to information provided by Google, data collected as part of remarketing activities will not be associated with any of your personal data that Google may have saved. Google also highlights that it uses pseudo-anonymization for its marketing activities. For more information about Google's data protection policy, please visit https://www.google.com/intl/de/policies/privacy.

After you have given your consent and made your selection, you can revoke or change these "cookie settings" at any time by going to the cookie management platform.

9.4. Additional information about Facebook, Instagram & LinkedIn
For the same purpose, i.e., displaying customised ads, Instagram Ads, Facebook Ads and LinkedIn ads may be activated provided that you give your consent. This is not personal information. Personal information will be saved on servers located both in the European Union (Ireland) and in third countries. The information will be stored for a period of 90 days.

Facebook, Instagram, and LinkedIn Pixel allow us to check if users were redirected to our website after having clicked on an Instagram, Facebook or LinkedIn ad. Among other processes, Instagram, Facebook and LinkedIn Pixel use cookies, which are small text files that are stored locally in your web browser's cache memory on your device. If you have logged on to Instagram, Facebook or LinkedIn with your user account, your visit to our online offerings will be registered in your user account. All data collected about you is anonymous for us and therefore will not allow us to identify users. However, Instagram, Facebook and LinkedIn can associate this data with your user account on these platforms.

Personal information will be saved on servers located both in the European Union (Ireland) and in third countries. These saved cookies can remain in place for up to 2 years.

For additional information about Facebook's privacy policy, please visit: https://www.facebook.com/privacy/explanation

Information about Instagram's privacy policy is available here: https://www.facebook.com/help/instagram/155833707900388.

Information about LinkedIn's privacy policy is available here: https://de.linkedin.com/legal/privacy-policy?

After you have given your consent and made your selection, you can revoke or change these "cookie settings" at any time by going to the cookie management platform.

10. Legal Information
10.1. Information on Websites of Österreichische Post
The information provided on the websites of Österreichische Post is for informational purposes only. We take great care to ensure that all information is correct and complete. However, we cannot exclude that unintentional or incidental mistakes will occur.

Österreichische Post accepts no liability or guarantee for the information provided on its websites. Above all, Österreichische Post does not guarantee that all information can be displayed using any software or hardware configuration, that the information is up-to-date, secure and free from mistakes, that it meets your expectations and/or that it is permanently available. Also, Österreichische Post does not guarantee that its websites and auxiliary systems (e.g., servers) are free from viruses. In addition, Österreichische Post reserves the right to complement or change the information on its websites without prior notification.

Österreichische Post is not liable for inaccurate or missing information on its websites. This especially applies, without limitation, to (hyper)links and other content used on our websites directly or indirectly or that can be accessed from them. All decisions based on information provided by Österreichische Post on its websites are the sole and only responsibility of the user.

In addition, Österreichische Post accepts no liability for immediate/specific damage or consequential damage or other damage of any kind that may result in any way from the direct or indirect use of the information (including hyperlinks) provided on its websites.
All abovementioned provisions also apply to software that can directly or indirectly be accessed or used from the websites of Österreichische Post. If third-party software is accessed via (hyper)links, the rules of the provider in question shall apply.

10.2. Copyright
The design and content of these websites are subject to copyright. Any change or reproduction of images or text from these websites is subject to prior written consent by Österreichische Post. It is explicitly prohibited to use marks (e.g., trademarks, logos).