Data protection LEGAL INFORMATION & DATA PROTECTION POLICY

Österreichische Post AG's Data Protection Policy

Mandatory information according to Art 13 and 14 DSGVO with a purely informative character

Updated: September 2023
 

1. What information is available on this page?

Österreichische Post AG ("Austrian Post", "we", "us") processes your personal data exclusively in accordance with the provisions of data protection law, in particular the General Data Protection Regulation (GDPR), the Austrian Data Protection Act, the Austrian Postal Market Act, and all other applicable laws.

On this page, you will find information about data processing that concerns our entire company. This document includes the following sections:

  • To whom is this information addressed? (item 2)
  • Who is responsible for processing your data? (item 3)
  • Information about possible data processing (item 4), in particular
    • the video surveillance systems in our company buildings and branches (4.1)
    • data protection management and handling legal proceedings (4.2 to 4.3)
    • managing image, sound and video recordings for marketing purposes (4.4)
    • accounting and bookkeeping (4.5)
    • corporate compliance and Corporate Social Responsibility (4.6 to 4.10)
    • data and organisation management (database maintenance, real estate, vehicles, It Maintenance, Statistical purposes) (4.11 to 4.19)
    • press relations (events, external communication  –  4.20 to 4.22)
    • address broker business (4.23)
  • With whom are we allowed to share your data? (item 5)
  • Automated decision-making and profiling (item 6)
  • What rights do you have? (item 7)
  • How can you get in touch with us? (item 8)
  • Information about cookies (item 9)
  • Legal notice (item 10)

If you are looking for information on specific postal products or services such as mail and parcel delivery, advertising and marketing or business customer relations, you will find it in the selection field on the right-hand side.
If you need printed copies of the information provided on this page or on additional pages, please contact the staff at our service locations.

2. To whom is this information addressed?

The information that you will find on this page is addressed to interested parties, customers, suppliers, and business partners.

If you are business partner of Austrian Post, you will find further information for business partners in the selection field on the right-hand side.

When you apply to Austrian Post, we will inform you at the beginning of the application process in which form we process your personal data. You will find the related information in the selection field on the right-hand side of this page.

When you apply to Austrian Post or are already an employee, we will inform you at the beginning of the application process in which form we process your personal data. You will find the related information in the selection field on the right-hand side of this page. The latest version of this policy is always available on the Intranet under Employees/data protection and on our information board.

3. Who is responsible for processing your data?

The responsible party for all processing described in the data protection policy available on this page is

Österreichische Post AG
Rochusplatz 1
1030 Vienna
Austria

4. Information about possible data processing

4.1. Video surveillance and recording at Austrian Post facilities
We may process your data in the context of video surveillance and recording at our branches, our administrative buildings including the "Post am Rochus" shopping centre as well as in our mail and parcel distribution centres and delivery bases for the purpose of self-protection and the prevention, control, and clarification of criminally relevant conduct. The video material is only viewed and, if necessary, transmitted to public bodies such as authorities if there is the need to do so.

Which of your data can we process for this purpose?
Video recordings

What is the legal basis for this processing?
The legal basis for this processing is our legitimate interest (Art. 6 (1) (f) of the GDPR) in the self-protection of our administrative buildings and branches as well as in the prevention, control, and clarification of criminally relevant conduct, insofar as this affects our area of responsibility.

How long can your data be stored?
Your data will be stored for the purpose of video surveillance and recording

  • for a maximum of 72 hours after recording in our administrative buildings
  • for a maximum of 4 months after recording at our delivery bases
  • for a maximum of 3 months after recording at our branches

In individual cases, the data may be stored for a longer period of time if it is necessary to transfer it to an authority (no longer than 1 year from recording in the case of administrative buildings).

With whom are we allowed to share your data?
For the purpose of video surveillance and recording in our administrative buildings, your data may be transferred to the following categories of recipients:

Processors
Public authorities

Other information about this processing:
You are under no contractual or legal obligation to provide your data for video surveillance and recording in our administrative buildings. All monitored areas are marked.

4.2. Data protection management
We process your data as part of our data protection management (data subject rights and possible data protection incidents) in order to comply with our legal obligations regarding the security of your personal data and the prompt and proper processing of your data subject rights.

Which of your data can we process for these purposes?
For data subject rights: address data, identification data, contact data, attendance data, employment contract/financial status, marketing data, usage data, personal master data, payment data.
In the case of data protection incidents, depending on the scope of the incident, all categories of data affected by the incident may be relevant.

What is the legal basis for this processing?
The legal basis is our legal obligation (Art 6 (1) (c) of the GDPR) under the General Data Protection Regulation:

  • to document data protection incidents and, if necessary, to report them to the data protection authority or the data subjects within 72 hours in accordance with Art. 33 and 34 of the GDPR;
  • the obligation to receive data subject rights according to Art. 12 to 22 of the GDPR and process them in a timely manner.
  • Special categories of personal data are additionally processed on the basis of Art. 9 (2) (f) of the GDPR, insofar as the processing is necessary for the establishment, exercise, or defence of legal claims.

How long can your data be stored?
For the purpose of managing data protection incidents and data subject rights, your data will be stored for a maximum of 3 years and one month from receipt of the request or notification of the data protection incident.

With whom are we allowed to share your data?
For the purpose of data protection incident management, your data may be disclosed to the following categories of recipients:

Public authorities
Data protection officer

For the purpose of the management of data subject rights, your data may be disclosed to the following categories of recipients:

Processors
Data protection officer

Other information about this processing:
If you do not provide us any or insufficient data to respond to data subject rights, we will not be able to respond to your requests.

4.3. Handling of legal matters and disputes and investment management
We process your data when handling legal matters and disputes in order to benefit from the full scope of legal advice provided to Austrian Post as well as to avoid and defend against legal claims.

Which of your data can we process for this purpose?
Address data, identification data, contact data, attendance data, personal master data, payment data, document content data

What is the legal basis for this processing?
The legal basis is our legitimate interests in asserting our legal claims and positions and/or in being able to exercise our rights as parties in legal proceedings.

How long can your data be stored?
As a general rule, your data collected for the purpose of handling legal cases and disputes will be stored for a maximum of 3 years. Judicial or administrative decisions and related files may be stored for up to 30 years for documentation and research purposes.

With whom are we allowed to share your data?
For the purpose of handling legal cases and disputes, your data may be disclosed to the following categories of recipients:

Public authorities
Notaries, tax advisors, and lawyers

4.4. Management of image, sound, and video recordings for marketing purposes
We may process your data as part of the management of image, sound, and video recordings, using the material created for marketing and promotional purposes and for editorial coverage. The use for advertising purposes relies on your granting rights to us and our providing precise information about the purpose and recipients to you.

Which of your data can we process for this purpose?
personal master data, address data, identification data, image and video material including sound recordings, address data

What is the legal basis for this processing?
The legal basis for this processing is

  • The granting of rights, which we conclude with you where appropriate (Art. 6 (1) (b) of the GDPR),
  • and our legitimate interest (Art. 6 (1) (f) of the GDPR) in the recording of images, sound and video for editorial reporting or in the central, legally compliant management of all image, sound, and video material.

How long can your data be stored?
If you agree to grant rights to us, you will find detailed information about the storage period of the created images in the agreement. As a general rule, depending on the category, we may store your data collected for the purpose of marketing and promotional activities for a maximum of 10 years from the creation of the images.

With whom are we allowed to share your data?
If you agree to grant rights to us, you will find detailed information about the recipient of the created images in the agreement. As a general rule, for the purpose of managing image, sound, and video material, your data may be transferred to the following categories of recipients:

Processors
Photographers
Graphic designers

Other information about this processing:
If you do not provide the aforementioned data, we cannot enter into an agreement with you.

4.5. Accounting and bookkeeping
We may process your data as part of accounting and bookkeeping activities to manage the group’s payment transactions, create orders, and issue and settle invoices. In doing so, we manage and update the master data of our debtors and creditors (particularly by cross-referencing with public registers). For business customers, a credit check is also conducted via an interface with KSV. Furthermore, the group’s receivables are managed, credit risk is mitigated, and insolvencies of our customers and suppliers are handled. We also review suppliers concerning payments and compensation and reclaim excessive or unjustified payments from the suppliers in question. The purpose of the processing also includes liquidity planning and financing, monitoring of payment transactions and bank accounts, transaction and account management, risk management, and ensuring the group’s solvency. Additionally, we provide support to our customers and suppliers and handle internal and external enquiries related to invoicing, complaint management, and receivables management via telephone, letter, email, fax, etc.

Which of your data may we process for these purposes?
Personal master data, identification data, contact data, address data, payment data, financial status data, insolvency proceedings status data, organisational unit, document content data, contract content, log data, usage data.

What is the legal basis for this processing?
The legal basis for this processing is

  • Our legitimate interest in ensuring correct payment processing, reclaiming excessive or unjustified payments, documenting business transactions, efficiently managing the company’s cash flows by monitoring income and expenses, operating effective receivables management to reduce the risk of bad debts, preventing payment deficits, and providing you with efficient customer and supplier support. The processing of your signature during payment collection is also carried out for evidentiary purposes in our legitimate interest (Article 6(1)(f) GDPR).
  • The business relationship with you (Article 6 (1) (b) of the GDPR).

How long can your data be stored?
Depending on the category, your data may be deleted up to 7 years after the end of the calendar year to which it relates. In the case of property purchases, your data may be deleted up to 22 years after the end of the calendar year to which it relates.

With whom are we allowed to share your data?
For the aforementioned purpose, your data may be shared with the following categories of recipients:

Processors
KSV1870 Holding AG
Our subsidiaries

4.6. Investigation service
Austrian Post's investigation service investigates suspected criminal acts by Austrian Post employees, partners, suppliers and, if necessary, customers for clarification and preventive purposes. Data processing takes place in the course of investigations and follow-up treatment.

Which of your data can we process for this purpose?
Address data, absence data, identification data, contact data, usage data, personal master data, payment data, any special data, and criminally relevant data.

What is the legal basis for this processing?
The legal basis for this processing is

  • our legal obligation pursuant to Section 82 of the Austrian Stock Corporation Act to implement an internal control system (Art. 6 (1) (c) of the GDPR);
  • as well as our legitimate interest in establishing, exercising, and defending legal claims (Art. 6 (1) (f) and Art. 9 (2) (f) of the GDPR).

How long can your data be stored?
Depending on the category, your data collected for the purpose of the investigation service is generally deleted within one month of the internal investigation being stopped or of the final conclusion of any legal proceedings; at the latest, your data will be deleted within 3 years from the start of the internal investigation, unless a pending case lasts longer.

For investigation purposes, your data may be transmitted to the following categories of recipients:

Courts, prosecutors, and police
Processors

4.7. Cash audits
For the purpose of ensuring the correctness of accounting, we carry out cash audits at postal branches, delivery bases, hand cash registers, philatelic services, and Post Partners, among others. Personal data are collected in the process.

Which of your data can we process for this purpose?
personal master data, contact data, identification data, usage data, attendance data

What is the legal basis for this processing?
The legal basis for this processing is our legitimate interest pursuant to Art. 6 (1) (f) of the GDPR in the correctness of transactions and in the prevention of irregularities.

How long can your data be stored?
For the purpose of cash audits, your data will be stored for a maximum of 10 years from the date of the report, depending on the category.

For cash audit purposes, your data may be transmitted to the following categories of recipients:

Public authorities
Affiliated group companies
Processors

4.8. Internal audits
We may process your data as part of our internal auditing activities. Internal and IT auditing provide independent and objective auditing and consulting services based on the rules of procedure for group auditing.

Which of your data can we process for this purpose?
Address data, contact data, personal master data, identification data, attendance data, usage data, generally special data, payment data, data relevant under criminal law

What is the legal basis for this processing?
The legal basis for this processing is

  • the fulfilment of legal obligations pursuant to Art. 6 (1) (c) as well as Section 82 of the Austrian Stock Corporation Act, Article 22 (1) of the Austrian Act on Limited Liability Companies, Section 243a (2) of the Austrian Stock Corporation Act (internal control and audit systems);
  • as well as our legitimate interest in establishing, exercising, and defending legal claims (Art. 6 (1) (f) and Art. 9 (2) (f) of the GDPR).

How long can your data be stored?
For the purpose of internal auditing, your data will be stored for 10 years from the date the reports were sent, depending on the category.

For internal auditing purposes, your data may be transmitted to the following categories of recipients:

Processors
Public authorities (Court of Auditors)
Tax auditors
Affiliated group companies

4.9. Group insurance management
We process your data within the framework of group insurance management, for the purposes of concluding and maintaining insurance contracts, fulfilling legal obligations and for risk protection as well as to properly process insurance claims.

Which of your data can we process for this purpose?
Address data, contact data, personal master data, general special data (such as image records, document content data), identification data, health data, payment data, and data relevant under criminal law.

What is the legal basis for this processing?
The legal basis for this processing is

  • our legal obligation pursuant to the Austrian Insurance Contract Act, the Austrian Social Security Act, the General Social Security Act for the processing of insurance claims, conclusion and maintenance of insurance contracts (Art. 6 (1) (c) of the GDPR);
  • our legitimate interest pursuant to Art. 6 (1) (f) of the GDPR in the risk coverage for Austrian Post in cases of damage.

How long can your data be stored?
For the purpose of insurance management, your data will be stored for 3 years from the final settlement of any proceedings and/or from the expiry of our legal claims, depending on the category. Contract documents can be kept for up to 7 years.

With whom are we allowed to share your data?
For the purpose of insurance management, your data may be transmitted to the following categories of recipients:

Courts and public authorities
Lawyers/notaries/lawyers
Experts
Social security institutions
Insurance brokers
Insurance companies

4.10. Environmental management
We may process your data as part of our environmental management. The purpose of data processing is to fulfil the obligations of the Austrian Sustainability and Diversity Improvement Act as well as to safeguard Austrian Post's reputation as a responsible and sustainable company.

Which of your data are we allowed to process for this purpose?
Personal master data, contact data, address data

What is the legal basis for this processing?
The legal basis for this processing is

  • our legal obligation pursuant to Section 11 of the Austrian Waste Management Act, Section 1 and 2 of the Austrian Sustainability and Diversity Improvement Act about environmental management and the preparation of sustainability reports (Art. 6 (1) (c) of the GDPR);
  • our legitimate interest pursuant to Art. 6 (1) (f) of the GDPR in safeguarding the reputation of Austrian Post as a responsible and sustainable company.

How long can your data be stored?
For the purpose of environmental management, your data will be deleted within 10 years of publication of the sustainability report at the latest, depending on the category.

For the purpose of environmental management, your data may be transmitted to the following categories of recipients:

Processors

4.11. Data governance
We may process your data as part of our data governance activities in order to continuously check data for their data quality (in particular with regard to up-to-datedness, consistency, correctness) and to adjust them if necessary. For that purpose, we use adequate software and analysis processes to eliminate duplicates, among others. To improve data quality, these processes may also rely on statistical and non-personal data (e.g., provided by Statistics Austria).

Which of your data can we process for this purpose?
For this purpose, we may process data from various Austrian Post systems, insofar as these need to be checked for quality on an ongoing basis.

What is the legal basis for this processing?
The legal basis for this processing is our legitimate interest (Art. 6 (1) (f) of the GDPR) to increase the transparency of data management (data catalogue) and of data flows, as well as our legitimate interest in the centralised quantification of data quality.

How long can your data be stored?
As long as the verified data are present in our data files, they can be processed as part of our data governance activities.

With whom are we allowed to share your data?
For the aforementioned purpose, your data may be shared with the following categories of recipients:

Processors

4.12. Historical research
We may process your data in the course of historical research for the purpose of responding to requests for historical data received by Austrian Post (excerpts from books, registers, newspaper articles, etc.), or borrowing historical items.

Which of your data can we process for this purpose?
contact data, personal master data, address data, other documents, contract content

What is the legal basis for this processing?
The legal basis for the aforementioned processing is

  • the contract for borrowing historical materials (Art.6 (1) (b) of the GDPR) that we have signed with you or that we might sign;
  • our legitimate interest (Art. 6 (1) (f) of the GDPR) in the proper processing of requests for historical research.

How long can your data be stored?
For the aforementioned purpose, your data may be stored for a maximum of 3 years from the last contact.

4.13. Access systems at group properties
We may process your data as part of our access systems to our group properties to ensure controlled access to buildings / sensitive premises as well as to demarcated protection zones for the purpose of self-protection. Visitor information is recorded in the reception book.

Which of your data can we process for this purpose?
Contact data, personal master data, attendance data, identification data, usage data

What is the legal basis for this processing?
The legal basis is our legitimate interests (Art. 6 (1) (f) of the GDPR) to effectively ensure controlled access to our buildings and sensitive premises.

How long can your data be stored?
As a general rule, your data can be stored for this purpose for a maximum of 1 month after you leave the respective building. If you have received a personalised access card, the data processed for it will be deleted no later than 6 months after the card has been returned.

With whom are we allowed to share your data?
For the aforementioned purpose, your data may be shared with the following categories of recipients:

Processors
Public authorities

Your data may also be transferred to processors outside the EU or the EEA, specifically in Switzerland. The European Commission has declared the data protection level in Switzerland to be adequate.

Other information about this processing:
If you do not provide the aforementioned data, you will not be able to enter our buildings and other properties.

4.14. Processing of prospective customer data for the purchase/sale and rental/leasing of properties

We can process your data in the context of the purchase/sale or rental/leasing of properties. This includes managing prospective customer data for properties of Austrian Post that are offered for rent or sale: prospective customers can express their interest in a specific property of Austrian Post and the receipt of further information about this property via a contact form, by e-mail/telephone or during a personal on-site conversation. Subsequently, they will be recorded as interested parties for the respective property inquired about and will receive the relevant property information electronically or will be contacted by telephone for this purpose. Should a purchase/sale or rental/leasing occur, we can process your data for pre-contractual measures as well as for the conclusion of the contract.

Which of your data may we process for these purposes?

Address data, contact information, personal master data, payment information, financial status, contract contents, document content data.

What is the legal basis for this processing?
The legal basis for the processing mentioned above are:

  • the contract for the rental/leasing or purchase/sale of property (Article 6 (1) (b) of the GDPR) that we have concluded with you or potentially could conclude;
  • our legitimate interests in the proper management of our properties (Article 6 (1) (f) of the GDPR).
  • or for prospective customers who have expressed their interest by 1 May 2023, your explicit consent (Article 6 (1) (a) of the GDPR), which we will obtain in compliance with the law at the appropriate time. This consent can be revoked at any time without giving reasons, with effect for the future.

How long can your data be stored?

Your data may be stored for up to 30 years from the conclusion of the sales process in the context of property distribution and rental, and up to 3 years from the last contact in the context of prospective customer management.

If prospective customer data are not fully disclosed, they will be deleted after 14 days.

With whom are we allowed to share your data?

For the purpose of property transactions, your data may be shared with the following categories of recipients

  • Processors
  • Lawyers/notaries
  • Authorities

Other information about this processing:

If you do not provide us with the aforementioned data, we cannot conclude a contract for property purchases/rentals.

4.15. Real estate construction and development
We may process your data in the course of real estate construction and development. For real estate construction, the necessary documents are sent to the relevant building authorities. Real estate development includes the management of Österreichische Post AG's real estate portfolio, especially the conclusion and maintenance of contracts with service providers as well as managing their contact information and processing and documenting bills and invoices.

Which of your data may we process for these purposes?
Address data, contact data, personal master data, identification data, payment data, financial status, organisational unit, contract content, document content data

What is the legal basis for this processing?
The legal basis for the aforementioned processing is

  • the contract in the context of real estate construction and development (Art. 6 (1) (b) of the GDPR) which we have concluded with you or could potentially conclude;
  • our legitimate interests in the proper management of our properties;
  • our legal obligation (Art. 6 (1) (c) of the GDPR pursuant to the respective regional building code to transmit data to the competent building authorities to the extent necessary.

How long can your data be stored?
Your data can be stored in the context of real estate development as well as real estate construction up to 7 years from the end of the calendar year in which the contract expired or the last bookings were considered in the balance sheet.

With whom are we allowed to share your data?
For the purpose of managing our properties, your data may be disclosed to the following categories of recipients:

Processors
Lawyers/notary/tax advisors 
Public authorities

4.16. Management of lost property
In the context of the management of lost and found property, we process your data for the purpose of storing and retrieving undeliverable items and other lost property.

Which of your data can we process for this purpose?
personal master data, address data.

What is the legal basis for this processing?
The legal basis for this processing is the protection of our legitimate interests (Art. 6 (1) (f) of the GDPR) for the purpose of storage and retrieval of undeliverable items.

How long can your data be stored?
Your data collected for the purpose of item inquiry will be deleted no later than 1 month after the inquiry was made, depending on the category.

4.17. Fleet marketing
We process your data in the context of the sale of vehicles for the purpose of managing vehicle marketing.

Which of your data can we process for this purpose?
personal master data, identification data, address data, contact data, usage data

What is the legal basis for this processing?
The legal basis for this processing is

  • the contract for the sale of vehicles (Art. 6 (1) (b) of the GDPR);
  • as well as the protection of our legitimate interests (Art. 6 (1) (b) of the GDPR) to process the sale of vehicles.

How long can your data be stored?
Your data collected for the aforementioned purpose will be deleted at the latest within 7 years after the end of the calendar year in which the contract was concluded, depending on the category.

Other information about the processing:
If you do not provide the aforementioned data, we will not be able to conclude a contract for the purchase of a vehicle.

4.18. IT-Maintenance
We use Austrian Post's IT applications and IT systems as part of the processing activities described in our data protection notices, and we ensure their operation on an ongoing basis.
Several of our processing activities are based on our IT systems. Depending on the purpose for which we process the data, the data we process, the legal basis on which we base the processing and how long we have to store the data differ. Therefore, you will find the different data categories, legal bases and storage periods in the other paragraphs under point 4 of these notes or in the further data protection notes. 

To whom may your data be disclosed?

We use external service providers in some cases to maintain our IT infrastructure in order to ensure secure technical systems. Legally compliant order processing agreements are concluded with all service providers, insofar as this is legally required. Further information on possible data recipients can be found in section 5 of these notes.

4.19. Anonymization for statistical purposes
As part of the processing described on this page, we may anonymize your data in order to generate statistics. For this, we remove any personal reference and the resulting data does not allow any inference to your person.

4.20. External communication & press relations
We may process your data within the scope of external communications and press relations in order to provide information about Austrian Post for radio, television, press, Internet, and social media. The content is made available to the media in Austria but is also available to users worldwide. This includes information on the company's economic activities and performance as well as comments on various reports in different media. In addition, the company places its own targeted messages in the media.

Which of your data can we process for this purpose?
personal master data, image and call recordings, attendance data, contact data

What is the legal basis for this processing?
The legal basis for this processing is
our legitimate interest (Art. 6 (1) (f) of the GDPR) in external communication and press relations or your express consent (Art. 9 (2) (e) of the GDPR), which we obtain where needed in accordance with the law;
or the contract (service contract) Art. 6 (1) (b) of the GDPR) that we have concluded with you.

How long can your data be stored?
Your data will be deleted for the purpose of external communication and press relations after a maximum of 3 years after the last contact, depending on the category.

With whom are we allowed to share your data?
For internal information management purposes, your data may be transmitted to the following categories of recipients:

Print media
Online media
Media index

Other information about this processing:
You are under no contractual or legal obligation to provide your data for the purpose of external communication and press relations.

4.21. Stakeholder management
We may process your data as part of stakeholder management activities to conduct targeted lobbying activities with public decision makers.

Which of your data can we process for this purpose?
personal master data, image and sound recordings, contact data, document content data

What is the legal basis for the processing?
The legal basis for this processing is our legitimate interest (Art. 6 (1) f of the GDPR) to conduct stakeholder management and lobbying activities.

How long can your data be stored?
For the purpose of stakeholder management, your data will be stored for a maximum of 3 years after initial contact, depending on the category.

With whom are we allowed to share your data?
For stakeholder management purposes, your data may be transmitted to the following categories of recipients:

Processors
Lobbying registers

Other information about this processing:
You are under no contractual or legal obligation to provide your data for the purpose of stakeholder management.

4.22. Event organisation
We may process your data in the context of organizing events.

Which of your data can we process for this purpose?
Personal master data, address data, contact data, identification data, image and sound recordings, information about allergies.

What is the legal basis for this processing?
The legal basis for this processing is 

  • our legal obligation (Art 6 para 1 lit c DSGVO);
  • our legitimate interest (Art 6 Abs 1 lit f DSGVO);
  • or the contract according to Art 6 para 1 lit b DSGVO that we have concluded with you.

How long can your data be stored?
Your data will be stored for the purpose of organizing events from a maximum of 7 years, depending on the category.

To whom may your data be disclosed?
Your data may be transferred to the following categories of recipients for the purpose of organizing events:

Order processors
Other external recipients

In doing so, we may also use a processor in the USA to conduct surveys, to which the IP address of the participating device and the survey results may be transmitted. You can give your express consent to the transfer according to Art 49 para 1 lit a DSGVO in the context of the respective event.
Companies in the USA are not certified by the European Commission as having an adequate level of data protection if they do not participate in the Data Privacy Framework Program. In particular, there is a risk that your data may be subject to access by US authorities for control and monitoring purposes and that no effective legal remedies are available against this.
Additional security of your personal data is ensured in these cases after a documented case-by-case review by concluding EU standard data protection clauses (appropriate guarantee pursuant to Art 46 DSGVO). These are available upon request at post.at/otherrequestsdataprotection.

Other information about this processing:
You are not contractually or legally obliged to provide your data for the organization of events.
If you do not provide the above data, participation in our events is not possible.

 

4.23. Address Data
We process address data as part of our Address Data product to ensure that postal addresses are up to date for reference purposes. We make sure that at no time a connection to a natural person exists or is made.

Which of your data can we process for this purpose?
address data, marketing data

What is the legal basis for this processing?
The legal basis for this processing is our legitimate interest (Art. (6) (1) (f) of the GDPR) to prepare address data in a standardised manner for reference purposes.

How long can your data be stored?
The data in question will be deleted no later than 1 month after the generation process.

5. With whom are we allowed to share your data?

Below, you will find information about the general categories of recipients of Austrian Post. In addition, under item 4 ("Information about possible data processing"), you will find the categories of recipients to whom data may be transmitted in the context of a specific processing. A list of possible recipients and categories of recipients of Austrian Post is available here: LIST

5.1. External service providers (processors)
We comply with statutory and contractual obligations. In a world of labour division, the required data processing work is oftentimes provided by specialised businesses, so-called service providers (processors). These businesses can provide such services at attractive rates while delivering high quality. Therefore, we transfer your personal data to such businesses in the scope necessary for them to provide the contractually agreed services.
These services may include data storage in secure computer centres, printing invoices and advertising material, postcards, photos and digitising contracts or invoices (creating a digital, non-editable image).
Our data processors include Post Partners, IT service providers, service providers for customer assistance activities, marketing businesses and advertising agencies.
We perform in-depth audits on all our processors on a regular basis.

5.2. Public bodies and institutions
Austrian Post must, in order to maintain its operations and fulfil all our legal obligations, transmit personal data to authorities (such as social security agencies, tax authorities or law enforcement agencies, supervisory authorities, customs authorities, health authorities) and other institutions (e.g., commissions) as well as courts to the extent required.

5.3. Other external recipients
As part of a contractual relationship and especially in relation with our performance duty or in the case of legal disputes, in specific cases, we may additionally share your personal data e.g., with other postal service providers (e.g., UPU, IPC), freight forwarding companies, physicians, hospitals, insurance companies and brokers, experts, attorneys, interest groups, address brokers and direct marketing companies, banks and capital investment firms, insurance companies, CPAs, consultants (especially tax experts), subsidy granting bodies, shareholders, investors, and external payment providers.
In addition, as part of our address broker activities, we may forward your data to advertising companies. These include companies that provide mail-order service or retail services, financial service providers and insurances, IT and telecommunication companies and utilities as well as associations such as charities and NGOs.

5.4. Data transmission within the Österreichische Post group
We may entrust specific data processing steps to specialised departments or companies within our group. We will do that, for instance, to better process your customer data for internal administration purposes. A list of our affiliated companies is available here: Holdings

5.5. Data transfer outside the EU or EEA
In individual cases, your data may be transferred to a country outside the EU or the EEA ("third country") if this third country has been confirmed by the European Commission to have an adequate level of data protection or if other suitable data protection safeguards are in place (e.g., binding internal company data protection regulations or EU standard data protection clauses only if they include a documented case-by-case review of the adequacy of the level of protection).
In the section "Information about possible data processing" (item 4), you will find information whether such transfer takes place outside the EU or the EEA in the context of a particular processing.

5.6 Data transfer in the context of cookies and similar technologies

In the cookie banners accessible on the page in question, we provide information about the recipients as well as the use, scope, and type of cookies and similar technologies used on our websites or other software solutions. In the respective banner, you can edit your cookie preferences and access information about the cookie providers/recipients and their privacy policies.

If only technically required cookies are used on the respective website or other software solution, we will inform you directly on the website or other software solution or in the privacy policy accessible there.

6. Automated decision-making and profiling

No automated decision-making or profiling pursuant to Art. 22 (1) and (4) of the GDPR is performed in the data processing by Austrian Post described on this page.

7. What rights do you have?

You have the right of access to your personal data that we process as a controller. For more information, please refer to Article 15 of the GDPR.

Under certain conditions, you may request the restriction of processing as well as the rectification and deletion of your personal data. For more information, please refer to Articles 16 to 19 of the GDPR.

In addition, under certain conditions, you also have the right to data portability, meaning that we would give you all personal data you have disclosed to us in a structured, standard, and machine processable format. For more information, please refer to Article 20 of the GDPR.

As a data subject, you have the right to object to the use of your data if the processing serves the purpose of direct marketing. In addition, you have the right to object at any time to the processing of your data carried out in the legitimate interests of Austrian Post or third parties if reasons arise from your specific circumstances. For more information, please refer to Article 21 of the GDPR. The processing of your personal data may be based on your consent pursuant to Art. 6 (1) (a) of the GDPR. You can revoke this consent at any time without giving reasons with future effect; until then, we will process your data lawfully.

For information about the legal basis of our data processing, please see item 4 "Information about possible data processing").

Would you like to exercise your rights or do you have further questions, suggestions, or feedback? In this case, please go to item 8 ("How can you get in touch with us?") and contact the indicated person.

In addition, you have the option of filing a complaint with the Austrian Data Protection Authority:

Austrian Data Protection Authority,
Barichgasse 40-42,
1030 Vienna
Austria

Telephone: +43 1 52 152-0
E-mail: dsb@dsb.gv.at

8. Contact us

To contact the data protection officer of Österreichische Post or to exercise your rights, please visit post.at/dataprotectioninquiry or write to

Postkundenservice,
To the attention of the Data Protection Officer
Bahnsteggasse 17-23,
1210 Vienna
Austria

or to the e-mail-address team-datenschutz@post.at.

To ensure that your request to exercise your data protection rights is complete and can be assigned and processed properly in our databases, we require the following information in every case:

  • Description of your request
  • First name, last name
  • Date of birth (especially to exclude similarities of names in connection with processing your request)
  • Postal address
  • E-mail address (in so far as you have provided an E-Mail adress to the Post in connection with a service or in order to contact the Post)
  • Proof of identity – as proof of identity, either a digitally signed request or a (redacted) official ID or other (redacted) official documents such as registration forms, birth certificates can be submitted, provided that at least the name, date of birth, and issuing authority are visible.

No photo ID or digital signature is required when exercising the following rights: “Withdrawal of Consent/objection for advertising purposes" and "Erasure of data for third-party marketing purposes".

Should you request information according to Article 15 of the GDPR and there are doubts about your identity because you neither provide us with proof of identity nor are otherwise considered to be clearly identified, we can, upon request, send you the information by mail (registered and to be signed for) upon disclosure of your address and date of birth.

Your request will be processed based on the data you provide in the contact form. Please pay attention to the correctness of your data, especially to the usage of hyphens, commas, spaces etc. in your name and address.

9. Use of cookies

Several parts of our websites rely on cookies and similar technologies (hereinafter referred to as "cookies"). They make our offer more user-friendly and more efficient.

Cookies are small text files that are saved on your computer or smartphone and that your browser will store. They usually provide information about what pages/parts of our website were visited by users and can, among others, save user settings so that returning users will be recognised and do not have to log in again. Also, they allow for the targeted displaying of information to users as well as the analysis of website views.

Our business partners, so-called cookie providers, may also place cookies on our websites. These are used to improve our own products and services as if we had placed these cookies ourselves. For instance, to understand how our websites are used, we work with analysis partners including Google and Facebook (for additional information, please see item 9.4). However, cookie providers may also rely on cookies used on our websites for their own purposes, e.g., to place (their own or third-party) advertising on our websites and to measure their effectiveness. In such case, Österreichische Post has no influence on the purpose and means of the cookie-based data processing while also not benefiting from this data processing. Cookies from such third-party providers may fall into the cookie categories listed under item 9.1.

9.1. Cookie settings and management, legal basis
Other than technically required cookies (functionally necessary cookies) that may be placed on our websites even without your consent  pursuant among others to Section 165 of the Telecommunications Act  and because of our legitimate interest (providing a functional online service offer) pursuant to Article 6 (1) (f) of the GDPR, you can actively accept or reject the use of performance cookies and cookies for marketing purposes before they are placed.

To that effect, we have created a cookie consent management tool that displays a cookie banner with additional information about the cookies we use when you access the website in question for the first time (especially name, purpose, lifespan, provider.). Via this cookie banner, you have the option of generally agreeing to the use of cookies or to make a more detailed selection depending on the cookie category. You can even select specific cookies or cookie providers within a specific cookie category.  You can change your consent or selection at any time by going to cookie   "Edit cookie settings" in the cookie consent management platform. If, after you have provided your consent, more cookies or cookie providers are added, the cookie banner will be displayed once again and you will be able to make your selection. In the cookie consent management tool, all cookie providers are listed individually and links to their privacy policies are provided. These policies include additional information, including without limitation, information about additional options for deactivating these cookies.

After you have given your consent and made your selection, you can revoke or change these "cookie settings" at any time by going to the cookie management platform (on post.at: at the bottom of the Website).

If you have activated an ad blocker in your browser, it will also affect the behaviour of the cookie banner. The ad blocker prevents cookie banners from being displayed and you can configure individual cookies by going to "Edit cookie settings". Provided that the ad blocker is enabled, only required cookies are set, without which the website would not function properly. To see detailed information about required cookies, you would need to disable the ad blocker for this purpose.

In addition, you have the option of going to your browser settings to determine whether you want to allow cookies or not. Your device might also allow you to manage your cookies. To learn how this works, please see the user manual provided by the manufacturer of your device.

If users opt out of storing cookies, certain functions of the website might not be available.

9.2. Additional information about the advertising functions of Google Inc.
Once we have understood what is important to you and what you are interested in, we can show you relevant and helpful information. To place and manage our ads, we rely on Google Display & Video as well as Google Adwords (Google Ads).

We use the services of Google Ads to place advertising (so-called Google ads) on external websites and highlight our attractive offerings. By linking the data to the advertising campaign, we can determine how successful specific advertising efforts have been. In doing so, we strive to show you advertising that is relevant to you, to make our website more interesting for you and to reach a fair calculation of advertising costs.

These advertising materials are delivered by Google via so-called "Ad Servers". We use Ad Server cookies which measure certain success parameters, including how many times the ads were shown and how many clicks they obtained from users. Provided that you have accessed our website via a Google ad, Google Ads will place a cookie on your device. Such cookies are usually valid for 30 days only and are not used to identify you personally. However, specific users can be grouped via browser recognition.

If you have registered for one of the services provided by Google, Google can link your visit to your account. Even if you have not registered or logged on, the service provider might obtain information about our IP address and save it.

After you have given your consent and made your selection, you can revoke or change these "cookie settings" at any time by going to the cookie management platform.

9.3. Aditional information about Google Remarketing
In addition to Google Adwords, we use an application called Google Remarketing. This is a procedure that we use to target you once again. This application allows us to display our ads on your device after you have visited our website and continue using the Internet. This is done via cookies saved on your browser. These cookies allow Google to identify and analyse your user behaviour when you access different websites. This is how Google can determine that you have previously visited our website. According to information provided by Google, data collected as part of remarketing activities will not be associated with any of your personal data that Google may have saved. Google also highlights that it uses pseudo-anonymization for its marketing activities. For more information about Google's data protection policy, please visit https://www.google.com/intl/de/policies/privacy.

After you have given your consent and made your selection, you can revoke or change these "cookie settings" at any time by going to the cookie management platform.

9.4. Additional information about Facebook, Instagram, LinkedIn, TikTok, Reddit, Snapchat, Twitter, Pinterest & Microsoft
For the same purpose, i.e., displaying customised ads, Instagram Ads, Facebook Ads, LinkedIn Ads, TikTok Ads, Reddit Ads, Snapchat Ads, Twitter Ads, Pinterest Ads and Microsoft Ads may be activated provided that you give your consent. This is not personal information. Personal information will be saved on servers located both in the European Union (Ireland) and in third countries. The information will be stored for a period of 90 days.

Facebook Pixel, Instagram Pixel, LinkedIn Pixel, TikTok Pixel, Reddit Pixel, Snapchat Pixel, Twitter Pixel, Pinterest Pixel as all as Microsoft Pixel allow us to check if users were redirected to our website after having clicked on an Instagram, Facebook, LinkedIn, TikTok, Reddit, Snapchat, Twitter, Pinterest or Microsoft ad. Among other processes, Instagram Pixel, Facebook Pixel, LinkedIn Pixel, TikTok Pixel, Reddit Pixel, Snapchat Pixel, Twitter Pixel, Pinterest Pixel and Microsoft Pixel use cookies, which are small text files that are stored locally in your web browser's cache memory on your device. If you have logged on to Instagram, Facebook, LinkedIn, Tik-Tok, Reddit, Snapchat, Twitter, Pinterest or Microsoft with your user account, your visit to our online offerings will be registered in your user account. All data collected about you is anonymous for us and therefore will not allow us to identify users. However, Instagram, Facebook, LinkedIn, TikTok, Reddit, Snapchat, Twitter, Pinterest and Microsoft can associate this data with your user account on these platforms.

Personal information may be saved on servers located both in the European Union (Ireland) and in third countries. These saved cookies can remain in place for up to 2 years.

Information about Microsoft’s ad privacy policy is available here:
https://about.ads.microsoft.com/en-us/resources/policies/microsoft-advertising-privacy-policy

For additional information about Facebook's privacy policy, please visit:
https://www.facebook.com/privacy/explanation

Information about Instagram's privacy policy is available here:
https://www.facebook.com/help/instagram/155833707900388.

Information about LinkedIn's privacy policy is available here:
https://de.linkedin.com/legal/privacy-policy?

Information about TikTok’s privacy policy is available here:
https://support.tiktok.com/de/account-and-privacy

Information about Reddit’s privacy policy is available here:
https://www.reddit.com/policies/privacy-policy

Information about Snapchat’s privacy policy is available here:
https://snap.com/de-DE/privacy/privacy-policy/

Information about Twitter’s privacy policy is available here:
https://privacy.twitter.com/de

Information about Pinterest’s privacy policy is available here:
https://policy.pinterest.com/de/privacy-policy

After you have given your consent and made your selection, you can revoke or change these "cookie settings" at any time by going to the cookie management platform.

10. Legal Information

10.1. Information on Websites of Österreichische Post
The information provided on the websites of Österreichische Post is for informational purposes only. We take great care to ensure that all information is correct and complete. However, we cannot exclude that unintentional or incidental mistakes will occur.

Österreichische Post accepts no liability or guarantee for the information provided on its websites. Above anything, Österreichische Post does not guarantee that all information can be displayed using any software or hardware configuration, that the information is up-to-date, secure and free from mistakes, that it meets your expectations and/or that it is permanently available. Also, Österreichische Post does not guarantee that its websites and auxiliary systems (e.g., servers) are free from viruses. In addition, Österreichische Post reserves the right to complement or change the information on its websites without prior notification.

Österreichische Post is not liable for inaccurate or missing information on its websites. This especially applies, without limitation, to (hyper)links and other content used on our websites directly or indirectly or that can be accessed from them. All decisions based on information provided by Österreichische Post on its websites are the sole and only responsibility of the user.

In addition, Österreichische Post accepts no liability for immediate/specific damage or consequential damage or other damage of any kind that may result in any way from the direct or indirect use of the information (including hyperlinks) provided on its websites.
All abovementioned provisions also apply to software that can directly or indirectly be accessed or used from the websites of Österreichische Post. If third-party software is accessed via (hyper)links, the rules of the provider in question shall apply.

10.2. Copyright
The design and content of these websites are subject to copyright. Any change or reproduction of images or text from these websites is subject to prior written consent by Österreichische Post. It is explicitly prohibited to use marks (e.g., trademarks, logos).