Data protection policy for business client management, products, and services

Information about data use pursuant to the General Data Protection Regulation (GDPR):

Mandatory information according to Art 13 and 14 GDPR of a purely informative nature.
Status: September 2023

1. What information is available on this page?

Österreichische Post AG (hereinafter referred to as "Austrian Post", "we", "us") processes your personal data in full compliance with the provisions of data protection law, in particular the General Data Protection Regulation (GDPR), the Austrian Data Protection Act, and all other applicable laws.

In this document, you will find information about data processing performed in relation to online products and services. This document includes the following sections:

  • To whom is this information addressed? (item 2)
  • Who is responsible for the processing of your data? (item 3)
  • Information about possible data processing (item 4), in particular
    • customer management of our business partners (4.1)
    • auditing (4.2)
    • our supplier portal and award/tender management (4.3)
    • our sponsoring activities (4.4)
    • administration of our Post Partners (4.5-4.6)
    • our POS Sampling service (4.7)
    • corporate compliance and corporate social responsibility (4.8 to 4.11)
    • organising guided tours (4.12)
  • With whom are we allowed to share your data? (item 5)
  • Automated decision-making and profiling (item 6)
  • What rights do you have? (item 7)
  • How can you get in touch us? (item 8)

Information about the use of cookies on our websites is available at Data protection.

If you are looking for information on specific postal products or services such as mail and parcel delivery, advertising and marketing or our Austrian Post online services, you will find it in the selection field on the right-hand side.

Information about group accounting and related processing activities is available in the general data protection policy in the selection field on the right-hand side.

If you need printed copies of the information provided on this page or on additional pages, please contact the staff at our service locations.

2. To whom is this information addressed?

This privacy policy applies to our business partners (suppliers, business clients, etc.).

3. Who is responsible for the processing of your data?

The responsible party for all data processing described on this page is
Österreichische Post AG,
Rochusplatz 1,
1030 Vienna,
Austria

4. Information about possible data processing

4.1. Customer management, online accounts, inquiries and complaints, analysis of customer data (business and SME clients)
We process your data within the scope of customer management, for contacting customers, customer assistance, master data administration, internal administration purposes, business analyses and strategy development, complaint management, registration, and administration for business online accounts for postal products.

Which of your data do we process for this purpose?
For this purpose, we process the following data: 
address data, document content data, conversation-related information, contract content, identification data, contact data, usage data, personal master data, payment data

What is the legal basis for this processing?
The legal basis for this processing is the fulfilment of the contract and the performance of precontractual measures pursuant to Art. 6 (1) (b) of the GDPR to allow for the use of specific services and products by Austrian Post.
Furthermore, the legal basis is our legitimate interest (Art. 6 (1) (f) of the GDPR) to ensure the proper processing of customer requests and, if applicable, your consent (Art. 6 (1) (a) of the GDPR), which we obtain where needed as defined by law. You can revoke this consent at any time without giving reasons with future effect.

How long can your data be stored?
Your data used for the purpose of customer management as well as analysis will be deleted no later than 3 years after the end of the contract or final contact, depending on the category.
Your registration data from online business accounts for postal products will be deleted no later than 30 days after termination or three years after inactivity.
As a result of corporation law provisions (e.g., Federal Fiscal Act, Company Act), your contractual data must be stored for at least seven years after the end of the contractual relationship.

With whom are we allowed to share your data?
Your data may be transmitted to the following categories of recipients for the purpose of customer management and analysis:

Processors
Affiliated group companies

For the purpose of answering and forwarding calls as well as processing item inquiries for items handed over to Austrian Post for shipping, personal master data and contact data including the sub-ject of the inquiries as well as, in the case of item inquiries, address data, order and payment data will also be transferred to a subsidiary of Austria Post outside the EU or the EEA, specifically to Bosnia and Herzegovina.

The European Commission has declared the data protection level in Bosnia and Herzegovina to be inadequate. In these cases, the security of your personal data is guaranteed by the application of EU standard data protection clauses (appropriate safeguards according to Art. 46 of the GDPR) after a documented case-by-case assessment. These are available upon request at post.at/sonstigedatenschutzanliegen.

Other information about this processing:
You are under no contractual or legal obligation to provide your data for the mentioned services. The conclusion and fulfilment of the corresponding contracts are only possible if you provide your data in advance. If you do not provide the necessary data, no contract can be concluded or the services can-not be provided. 

4.2. Audits
Various activities in the area of group accounting are performed by external professionals (tax advisors and auditors). For the purpose of anti-money laundering compliance, we can check the legitimacy of these tax advisors and auditors.

Which of your data can we process for this purpose?
Personal master data, identification data

What is the legal basis for this processing?
The legal basis for this processing is

  • our legitimate interest in achieving effective anti-money laundering compliance (Art. 6 (1) (f) of the GDPR).

How long can your data be stored?
Your data may be retained for this purpose for up to 3 years from the expiry of the professional authorisation in relation to our company, depending on the category.

4.3. Award and tender management, supplier portal
As a sector contracting entity, Austrian Post is partly subject to public procurement law and thus also legally subject to certain strict documentation requirements. We process your data for the purpose of award and tender management in order to carry out invitations to tender, procurement processes and invoice processing, contract initiation and processing of contracts as well as documentation of the entire awarding process and the related documentation. All suppliers sign up themselves on the supplier portal of Austrian Post and are fully responsible for changes to the master data and contact persons. For more information on Austrian Post's supplier portal, click here: Austrian Post supplier portal

Which of your data can we process for this purpose?
For this purpose, we process the following data:
address data, identification data, contact data, personal master data, payment data, document content data and data relevant to criminal law.

What is the legal basis for this processing?
The legal basis for the tender processes as well as the entire documentation obligation are

  • our legal obligations (Art. 6 (1) (c) of the GDPR) pursuant to Section 132 of the Federal Tax Code and Sections 33ff, 78 ff, 82 (2) (1), 83 of the Federal Procurement Act and Section 11 of the Act on the Court of Auditors (documentation obligation and implementation of tenders);
  • as well as our legitimate interest according to Art. 6 (1) (f) of the GDPR in the proper maintenance of contacts with our business partners;
  • With regard to data relevant under criminal law, we process these on the basis of Sections 78 and 83 of the Federal Procurement Act (obligation to exclude legally convicted entrepreneurs from tenders) in conjunction with Art. 10 of the GDPR.

An additional legal basis for the award and tender management is the respective contract concluded with you in the context of the award or tender (Art. 6 (1) (b) of the GDPR).

How long can your data be stored?
As a general rule, your data may be stored for the purpose of supplier management and award and tender management for up to 10 years from the end of the calendar year in which the last delivery or service was provided; the maximum being 30 years after the end of the business relationship.

For the aforementioned purpose, your data may be transmitted to the following categories of recipients:

Processor
Court of Auditors

Other information about this processing:
You are under no contractual or legal obligation to provide your data. If you do not provide the aforementioned data, it will not be possible to conclude a contract or sign up on Austrian Post's supplier portal.

4.4. Sponsoring
We may process your data in the context of sponsoring for the purpose of marketing through various collaborations, positioning the company as environmentally friendly, achieving public impact, increasing brand value and strengthening the image, among others.

Which of your data can we process for this purpose?
For this purpose, we may process the following data:
personal master data, address data, contact data, identification data

What is the legal basis for this processing?
The legal basis for this processing is

  • our legitimate interest (Art. 6 (1) (f) of the GDPR) to do sponsoring
  • the contract on sponsoring (Art. 6 (1) (b) of the GDPR) which we have concluded with partners.

How long can your data be stored?
For sponsoring purposes, your data will be stored for a maximum of 7 years, depending on the category, starting from the beginning of the collaboration agreement.

With whom are we allowed to share your data?
For sponsoring purposes, your data may be transmitted to the following categories of recipients:

Processors

Other information about this processing:
If you do not provide the aforementioned data, we will not be able to conclude a sponsorship agreement.

4.5. Customer management and processing of inquiries and complaints from Post Partners
We may process your data as part of our Post Partners' customer administration and for processing your inquiries and complaints if we have a substantiated business relationship in the form of a collaboration agreement with you or if a business relationship as a cooperation partner is in the offing.

Which of your data can we process for this purpose?
For this purpose, we process the following data:
personal master data, address data, contact data, identification data, employment contract and financial status, usage data, payment data, attendance data, contract information.

What is the legal basis for this processing?
The legal basis for this processing is

  • the collaboration agreement for the distribution, sale of postal services on behalf of Österreichische Post AG as well as banking services as sub-contractors of Österreichische Post AG (Art. 6 (1) (b) of the GDPR);
  • our legitimate interest (Art. 6 (1) (f) of the GDPR) to ensure proper Post Partner administration and the flawless processing of customer inquiries (use of Austrian Post services and purchase of goods).

How long can your data be stored?
For the purpose of managing Post Partners, your data may be stored for a maximum of 7 years starting at the end of the calendar year during which the cooperation agreement has been terminated.
For the purpose of processing your inquiries and complaints, your data will be deleted after 7 years from the end of the calendar year during which the respective service/communication was rendered/took place.

With whom are we allowed to share your data?
For sponsoring purposes, your data may be transmitted to the following categories of recipients:

Processors

Other information about this processing:
You are under no contractual or legal obligation to provide your data. If you do not provide your data, we cannot conclude a collaboration agreement with you and/or your inquiries and complaints cannot be processed.

4.6. Trainings (Post Partner)
We process your data as part of our contractual relationship to ensure compliance with regulatory and operational requirements.

Which of your data can we process for this purpose?
For this purpose, we process the following data:
personal master data, address data, contact data, attendance data, skills, identification data, usage data

What is the legal basis for this processing?
The legal basis for this processing is our legitimate interests (Art. 6 (1) (f) of the GDPR) in complying with regulatory and operational requirements.

How long can your data be stored?
Your data collected for training purposes designed to ensure compliance with regulatory and operational requirements may be stored for a maximum of 18 months after the training has been completed.

4.7. POS sampling (distribution of advertising material at branches)
We process your data within the scope of your orders in order to make your advertising materials/documents/articles available to Österreichische Post AG clients at our branches.

Which of your data can we process for this purpose?
For this purpose, we process the following data:
personal master data, contact data, address data, identification data, payment data, employment contract / financial status.

What is the legal basis for this processing?
The legal basis for this processing is

  • the contract about the service of POS sampling (Art. 6 (1) (b) of the GDPR) which we have concluded with you;
  • our legitimate interest (Art. 6 (1) (f) of the GDPR) to ensure the proper distribution of promotional materials/documents/articles as defined in the client agreement.

How long can your data be stored?
Your data may be used for the purpose of the POS sampling service for a maximum of 7 months from the end of the contract or completion of the order.

Other information about this processing:
You are under no contractual or legal obligation to provide your data. If you do not provide your data, we cannot enter into a contract for the service of POS sampling.

4.8. Risk management and internal control system management
The purpose of the processing is the operation of a risk management system as well as analysis and control of corporate risks. Furthermore, we process the data in order to fulfil the legal obligations regarding the implementation of an internal control system as well as to ensure compliance with corporate business processes by way of control measures.

Which of your data can we process for this purpose?
For these purposes, we process the following data:
contact data, personal master data, identification data

What is the legal basis for this processing?
The legal basis for this processing is

  • our legal obligation according to Section 243a (2) of the Austrian Business Code, Section 267 (3b) of the Austrian Business Code, Section 82 of the Austrian Stock Corporation Act as well as Section 84 (6) of the Austrian Stock Corporation Act to implement a risk management system and internal control system in a public limited company (Art. 6 (1) (c) of the GDPR);
  • and our legitimate interest pursuant to Art. 6 (1) (f) of the GDPR (protection against financial loss and protection of corporate interests).

How long can your data be stored?
For the purpose of risk management, your data will be stored for a maximum of 2 years from the completion of a risk measure, depending on the category.
For the purpose of ICS management, your data will be stored for a maximum of 5 years from the completion of the control or measures.

Who will receive your data?
For the purpose of risk management and internal control system, your data may be transferred to the following categories of recipients:

  • Auditors
  • Court of Auditors
  • Processors

4.9. Compliance management
The purpose of data processing is to fulfil obligations under capital market law in accordance with the Market Abuse Regulation and the Austrian Stock Exchange Act, in particular to prevent the misuse of insider information. Furthermore, we process the data for documentation obligations. The data is also processed for the purpose of handling and processing inquiries and notifications on compliance-related topics as well as for documentation purposes in the context of regulatory and mandatory compliance training.

Which of your data can we process for this purpose?
For this purpose, we process the following data:
address data, identification data, personal master data, contact data, all special data (document content data) and data relevant to criminal law.

What is the legal basis for this processing?
The legal basis for this processing is

  • our legal obligation pursuant to Section 119 (4) of the Austrian Stock Exchange Act, Art. 17 (1), Art. 18 (5) and Art 19 of the Market Abuse Regulation (Art 6 (1) (c) of the GDPR); Art. 4 (2) (3) of the GDPR
  • as well as our legitimate interest in establishing, exercising, and defending legal claims (Art. 6 (1) (f) and Art. 9 (2) (f) GDPR).

How long can your data be stored?
Depending on the category, your data will be stored for compliance management purposes for a maximum of 7 years from receipt of the request and/or in the case of sponsorship requests, from the end of the respective calendar year.

With whom are we allowed to share your data?
For compliance management purposes, your data may be transmitted to the following categories of recipients:

  • Other external recipients
  • Courts, authorities, and commissions
  • Processors

4.10. Resilience management
We may process your data as part of resilience management, where data may be collected, stored, and analysed for the implementation of BCM (Business Continuity Management) measures. Information gained from this is used to prepare reports, increase reliability, and contact responsible parties and decision-makers. Usage data are processed only for the purpose of documenting that a person has been correctly informed in an exceptional situation.

Which of your data can we process for this purpose?
For this purpose, we process the following data: 
identification data, personal master data (first name, last name), contact data, usage data (telephone connections, usage times, log data, logins/logouts)

What is the legal basis for this processing?
The legal basis for this processing is our legitimate interest pursuant to Art. 6 (1) (f) of the GDPR in preparing reports, increasing reliability and contacting the responsible parties and decision-makers.

How long can your data be stored?
For the purpose of resilience management, your data will be deleted at the latest 3 years after the data in question were collected, depending on the category. 

With whom are we allowed to share your data?
For the aforementioned purpose, your data may be transmitted to the following categories of recipients: 

  • Processors 
  • Courts and public authorities
  • Other external recipients

4.11. Investor relations management
In the context of investor relations management, your data may be processed for the purpose of fulfilling obligations under company and capital market law (Austrian Stock Corporation Act, Austrian Stock Exchange Act, corporate governance code) and providing support and information to share-holders, potential investors, and analysts on the financial situation of Austrian Post, as well as for the preparation of corresponding reports.

Which of your data can we process for this purpose?
For this purpose, we process the following data:
personal master data, contact data, address data, attendance data, identification data, payment data, contract data

What is the legal basis for this processing?
The legal basis for this processing is

  • our legal obligation to properly manage Austrian Post as a stock corporation in accordance with Sections 70 ff of the Austrian Stock Corporation Act, Sections124 ff of the Austrian Stock Ex-change Act, the corporate governance code and Section 243c of the Austrian Business Code (Art. 6 (1) (c) of the GDPR);
  • our legitimate interest pursuant to Art. 6 (1) (f) of the GDPR in the support and information of shareholders, potential investors, and analysts.

How long can your data be stored?
For the purpose of this processing, your data may usually be stored for up to 10 years, depending on the category. We perform periodic checks to see if data can be deleted. 
Internally, reports and minutes of meetings can be stored for up to 30 years from their creation or as long as they are available in the public company register.

With whom are we allowed to share your data?
For the aforementioned purpose, your data may be transmitted to the following categories of recipients:

  • Public authorities
  • Lawyers/notary/tax advisors
  • Other external recipients
  • Processors

4.12. Guided tours at distribution centres
We process your data as part of our guided tours at distribution centres and for the purpose of organising facility tours for external parties.

Which of your data can we process for this purpose?
For this purpose, we process the following data:
Personal master data, contact data

What is the legal basis for this processing?
The legal basis for this processing is our legitimate interest according to Art. 6 (1) (f) of the GDPR in organizing facility tours.

How long can your data be stored?
For the purpose of tours at distribution centres, your data will be deleted no later than within 1 month after the date of the tour, depending on the category.

Other information about this processing:
If you do not provide the aforementioned data, we cannot give you a tour of the facilities.

5. With whom are we allowed to share your data?

To learn with which recipient categories we are allowed to share your data, please see the section "Information about possible data processing". A detailed description of Austrian Post recipients and/or categories of recipients is available under item 5 in the document Data protection.

6. Automated decision-making and profiling

As a general rule, no automated decision-making or profiling pursuant to Article 22 (1) and (4) GDPR is carried out in data processing at Austrian Post.

7. What rights do you have?

You have the right of access to your personal data that we process as a controller. For more information, please refer to Article 15 of the GDPR.

Under certain conditions, you may request the restriction of processing as well as the rectification and deletion of your personal data. For more information, please refer to Articles 16 to 19 of the GDPR.

In addition, under certain conditions, you also have the right to data portability, meaning that we would give you all personal data you have disclosed to us in a structured, standard, and machine processable format. For more information, please refer to Article 20 of the GDPR.

As a data subject, you have the right to object to the use of your data if the processing serves the purpose of direct marketing. In addition, you have the right to object at any time to the processing of your data carried out in the legitimate interests of Austrian Post or third parties if reasons arise from your specific circumstances. For more information, please refer to Article 21 of the GDPR. The processing of your personal data may be based on your consent pursuant to Art. 6 (1) (a) of the GDPR. You can revoke this consent at any time without the need to state reasons with future effect. Until then, we will lawfully process your data.

For information about the legal basis of our data processing, please see item 4 ("Information about possible data processing").

In addition, you have the option of filing a complaint with the Austrian Data Protection Authority:

Austrian Data Protection Authority,
Barichgasse 40-42,
1030 Vienna
Austria

Telephone: +43 1 52 152-0
E-mail: dsb@dsb.gv.at

8. How can you get in touch with us?

Would you like to exercise your rights or do you have further questions, suggestions, or feedback?
To contact Austrian Post's data protection officer or to exercise your rights, please use one of the contact options listed under item 8 of our general data protection policy: post.at/Datenschutz.