Information about data use pursuant to the General Data Protection Regulation (GDPR):

Mandatory information according to Art 13 and 14 GDPR of a purely informative nature.

Status: September 2023

1. What information is available on this page?

Österreichische Post AG (hereinafter referred to as "Austrian Post", "we", "us") processes your personal data in full compliance with the provisions of data protection law, in particular the General Data Protection Regulation (GDPR), the Austrian Data Protection Act and all other applicable laws.

In this document, you will find information about data processing performed in relation to our customer management. This document includes the following sections:

• To whom is this information addressed? (item 2)
• Who is responsible for the processing of your data? (item 3)
• Information on possible data processing operations (item 4), in particular on
  
  • Post Online Accounts: Post.at, Action Finder, Philatelists (4.1 - 4.4)
  • The e-letter service (4.5)
  • The "Meine Marke" service (4.6)
  • Digital Stamps (Cryptostamps) (4.7)
  • The Post Kartenstudio (4.8)
• With whom are we allowed to share your data? (item 5)
• Automated decision making and profiling (item 6)
• What rights do you have? (item 7)
• How can you get in touch with us? (item 8)
• Use of technical interfaces (so-called Software Develepment Kits hereinafter "SDK") in the Post App (item 9)

Information about the use of cookies on our websites is available at Data protection.

If you are looking for information on specific Post products or services such as mail and parcel delivery, advertising and marketing or business customer relations, you will find it in the selection field on the right-hand side. If you need printed copies of the information provided on this page or on additional pages, please contact the staff at our service locations.

2. To whom is this information addressed?

This privacy policy is intended for all of our customers who use the Austrian Post online services.

3. Who is responsible for the processing of your data?

The responsible party for data processing described on this page is

Österreichische Post AG,
Rochusplatz 1,
1030 Vienna,
Austria

4. Information about possible data processing

4.1. Post online accounts (private clients)
If you create a post online account, we may process your data in the course of registration and account creation.

Which of your data can we process for this purpose?
For this purpose we process the following data:
Address data, contact data, personal master data

What is the legal basis for this processing?
The legal basis for this processing results from your consent to the terms of use of the respective product or service (Art 6 para 1 lit b GDPR).

How long can your data be stored?
Your data will be deleted within three years after inactivity at the latest.

With whom are we allowed to share your data?
Your data may be transmitted to the following categories of recipients for the purpose of registering for a Austrian post online account:

Processors

Other information about this processing:
If you do not provide the above data, it will not be possible to conclude a contract for a Austrian post online account.

4.2. Identification of online accounts (private customers)
We may process your data for the identification of your online account to enhanced products and services of Austrian post. You will find information below about the processing of your data in the context of this identification; Further information about the identification process can be found here: Photo identification (login to Post account required).

Which of your data can we process for this purpose?
For this purpose we process the following data:
Data from the Post Online account (name, date of birth); your identification status and the ID data provided by the identity check (name, date of birth, type/authority/validity and number of the ID); ID data, insofar as these are transmitted; image data for biometric identification, insofar as these are transmitted by you

What is the legal basis for this processing?
The legal bases for this processing are

• the conclusion of a contract on the terms of use of the respective product or service (Art 6 para 1 lit b GDPR);
• Our legitimate interests in the storage of the read-out identification data (documentation of reliable identification, as well as defence against warranty claims and/or claims for damages by the senders - Art 6 para 1 lit f GDPR);
• Image data for biometric identification, insofar as these are transmitted by you, are processed exclusively on the basis of your explicit consent in accordance with Art 9 (1) lit a GDPR.

You have the option of revoking your consent at any time with future effect without having to state reasons. Please note that the biometric check will be done immediately and in real time after the pictures have been uploaded. No biometric data will be saved. Therefore, a revocation after uploading the photos is not possible.
For more information on exercising your data subject rights, please refer to item 8 of our general data protection policy: post.at/data-protection. After successful identification, you can no longer independently change your master data (name, date of birth, title) in your Post account for security reasons. If an adjustment is necessary, our Post customer service can assist you.

How long will your data be stored?
Data uploaded by you will be stored for a maximum of 72 hours to allow for a manual review and troubleshooting. ID data provided by you for identity verification purposes will be deleted at the latest after 3 years of inactivity on the corresponding Österreichische Post account. Alternatively you can delete your Post account by yourself (you can see how can delete your Post-Online account here in our FAQs).

With whom are we allowed to share your data?
Your data may be transmitted to the following categories of recipients for the purpose of identifying your Post online account:

Processors

The matching of your ID data with your Post Online account is carried out exclusively by us.

Other information about this processing:
If you do not provide the above data, it will not be possible to identify your online account to Austrian post. 
If an error occurs during the identity verification process or if you do not want your data to get checked against your Post account, you can prove your identity in person by going to a postal branch or by using your mobile phone signature. You have no contractual or legal obligation to provide your data. If you do not provide your data for the biometric identity verification, you can use the other options available or order any (additional) services even without an identified Post account directly at any of our branches.

4.3. Online accounts (philatelists)
We process your data when using the online shop as well as the ordering of goods in the philately online shop.  

Which of your data can we process for this purpose?
For this purpose, we may process the following data:
Personal master data, contact data, address data, contract contents

What is the legal basis for this processing?

Legal basis for this processing

• Is the contract concluded in the course of the purchase of a product in the Philately online shop (Art 6 para 1 lit b GDPR);
• and the protection of our legitimate interest (Art 6 para 1 lit b GDPR), in order to be able to guarantee a proper purchase.

How long can your data be stored?
Your data will be deleted for the purpose of using the online shop and ordering goods, depending on the category, at the latest within 3 years of inactivity or after 72 hours of cancellation.

Your data may be transmitted to the following recipients / categories of recipients for the purpose of card printing:

Processors

Other information about this processing:
You are not contractually or legally obliged to provide your data for the creation and management of online accounts for philatelists. The aforementioned data are required for account creation. If you do not provide us with the above data, no online account (philatelist) can be created.

4.4. Aktionsfinder (online service)
We process your data within the framework of the Aktionsfinder service (online service) in order to enable you to use the full scope of the service in question in accordance with the General Terms of Use Aktionsfinder.

Which of your data can we process for this purpose?
For this purpose, we may process the following data:
Address data
identification data
Usage data
Personal master data

What is the legal basis for this processing?
The legal basis for this processing is the fulfilment of the contract and the implementation of precontractual measures (Art 6 para 1 lit b GDPR) in order to provide the Aktionsfinder service (online service).

How long can your data be stored?
Your data will be deleted at the latest one week after termination of the contract or at the latest three years after inactivity.

With whom are we allowed to share your data?
Your data will be transferred to Processors for the purpose of storage.

Other information about this processing:
You are not contractually or legally obliged to provide your data for the Service Aktionsfinder (Online Service). The conclusion and fulfilment of the contract for the Service Aktionsfinder (online service) is only possible if you provide your data in advance. If you do not provide the necessary data, no contract can be concluded or the service cannot be provided.

4.5. E-Brief recipients
We may process your data as part of the E-Brief product to enable you to receive electronic mail and to upload and categorise your important documents.

Which of your data can we process for this purpose?
For this purpose, we may process the following data:
Address data, personal master data, identification data

What is the legal basis for this processing?
The legal basis for this processing is the fulfilment of the contract and the implementation of pre-contractual measures in accordance with Art 6 Para 1 lit b GDPR in order to provide the E-Brief service.

How long can your data be stored?
Your data will be deleted no later than 30 days after cancellation or three years after inactivity.

With whom are we allowed to share your data?
Your data may be transferred to the following categories of recipients for the purpose of e-letter processing: 

Processors

Other information about this processing:
You are not contractually or legally obliged to provide your data for the E-Brief service. The conclusion and performance of the contract for the e-letter service is only possible if you provide your data in advance. If you do not provide the necessary data, no contract can be concluded or the e-letter service cannot be provided.

4.6. Meine Marke
We process your data as part of the purchase and delivery of your customised stamp.

Which of your data can we process for this purpose?
For this purpose we process the following data:
Personal master data, address data, payment data, contract content, identification data, contact data.

What is the legal basis for this processing?
The legal basis for this processing are

• the contract concluded in the course of purchasing a "Meine Marke" product (Article 6 (1) (b) of the GDPR);
• the protection of our legitimate interest (Article 6 (1) (f) of the GDPR) to ensure a proper purchase.

How long can your data be stored?
Your data will be deleted no later than 2 years after receipt by the State Printing Office for the purpose of purchasing and delivering your customised stamp. In the collectors’ exchange, the data will be deleted a maximum of 3 business days after receipt of the revocation.

With whom are we allowed to share your data?
Your data may be transmitted to the following recipients / categories of recipients for the purpose of purchasing and delivering your customised stamp:

Processors

Other information about this processing:
You are not contractually or legally obliged to provide your data for the creation of your individually designed stamp. The aforementioned data is required for the conclusion of a contract. If you do not provide us with the aforementioned data, we will not be able to provide you with the "My stamp" product.

4.7. Digital Stamps (Crypto Stamps)
We may process your data as part of the purchase of your Crypto Stamp, and subsequently as part of your order for the associated physical stamp.

Which of your data can we process for this purpose?
For this purpose we process the following data: 
Personal master data, contact data, address data, usage data, payment data, contract contents 

What is the legal basis for this processing?
Legal basis for this processing

• is the contract for the product "Digital Stamp", which we have concluded with you (Art 6 para 1 lit b GDPR);
• and the protection of our legitimate interest (Art 6 Abs 1 lit b GDPR) to ensure a proper purchase of the product.

How long can your data be stored?
When you request your physical Crypto Stamp through the Onchainstore, your data will be deleted for the purpose of delivering your Crypto Stamp within 3 working days of your order.
If you purchase your physical Crypto Stamp in the online shop of Austrian Post, your data for the purpose of delivering your Crypto Stamp will be deleted within 3 years at the latest or billing data in 7 years.

Who can your data be passed on to?
Your data may be transferred to the following categories of recipients for the purpose of delivering your physical Crypto Stamp:

Processors

Other information about this processing:
You are not contractually or legally obliged to provide your data for the delivery of the physical stamp. The aforementioned data is required for the conclusion of a contract. If you do not provide us with the aforementioned data, we will not be able to provide you with the "Digital Stamp" product.

4.8. Post KartenStudio
We may process your data within the Post KartenStudio in order to provide or offer the services contained therein.

Which of your data can we process for this purpose?
For this purpose, we may process the following data:
Personal master data, address data, contact data, payment data, contract content, identification data, usage data

What is the legal basis for this processing?
Legal basis for this processing

• is the contract about the services of the "Post KartenStudio", which we have concluded with you (Art 6 Abs 1 lit b GDPR);
• and the protection of our legitimate interest (Art 6 para 1 lit b GDPR) to ensure the proper use of the app.

How long can your data be stored?

• Your data will be deleted within 14 days after the creation of a postcard in the case of an unaccepted order (for the purpose of a later completion/order) of a postcard or in the case of a system crash.
• Your data will be deleted for the purpose of an additional sound message in 9 months at the latest, from the date of transmission of the data to the printer. 
• Your data will be deleted for the purpose of creating/transmitting your postcard 90 days from the date of transmission to the printer, or in a maximum of 9 months. 
• Billing data will be deleted after 2 years from the date of billing.

Who can your data be passed on to?
Your data may be transmitted to the following categories of recipients for the purpose of card printing:

Processors

Other information about this processing:
You are not contractually or legally obligated to provide your data to the
processing of the product "Post KartenStudio". The aforementioned data are required for the conclusion of a contract. If you do not provide us with the aforementioned data, we will not be able to provide you with the "Post KartenStudio" product. 

5. With whom are we allowed to share your data?

You can find out which categories of recipients your data may be transferred to in the section "Information on possible data processing". You will find a detailed description of the recipients or categories of recipients of Austrian post in section 5 under Data protection.

6. Automated decision making and profiling

In general, no automated decision-making or profiling pursuant to Art 22 (1) and (4) GDPR takes place in connection with the processing of data by Austrian post.

7. What rights do you have?

You have the right of access to your personal data that we process as a controller. For more information, please refer to Article 15 of the GDPR.

Under certain conditions, you may request the restriction of processing as well as the rectification and deletion of your personal data. For more information, please refer to Articles 16 to 19 of the GDPR.

In addition, under certain conditions, you also have the right to data portability, meaning that we would give you all personal data you have disclosed to us in a structured, standard, and machine processable format. For more information, please refer to Article 20 of the GDPR.

As a data subject, you have the right to object to the use of your data if the processing serves the purpose of direct marketing. In addition, you have the right to object at any time to the processing of your data carried out in the legitimate interests of Austrian Post or third parties if reasons arise from your specific circumstances. For more information, please refer to Article 21 of the GDPR. The processing of your personal data may be based on your consent pursuant to Art. 6 (1) (a) of the GDPR. You can revoke this consent at any time without the need to state reasons with future effect. Until then, we will lawfully process your data.

For information about the legal basis of our data processing, please see item 4 ("Information about possible data processing").

In addition, you have the option of filing a complaint with the Austrian Data Protection Authority:

Austrian Data Protection Authority,
Barichgasse 40-42,
1030 Vienna
Austria

Telephone: +43 1 52 152-0
E-mail: dsb@dsb.gv.at

8. How can you get in touch with us?

Would you like to exercise your rights or do you have further questions, suggestions, or feedback?
To contact Austrian Post's data protection officer or to exercise your rights, please use one of the contact options listed under item 8 of our general data protection policy: post.at/Datenschutz.

9. Use of technical interfaces (so-called Software Develepment Kits hereinafter "SDK") in the Post App:

For the Österreichische Post app, we rely on different technologies (so-called software development kits, hereinafter referred to as "SDK") to make the app more user friendly. A software development kit (SDK) is a collection of software development tools in one installable package. They facilitate the creation of applications by having compiler, debugger and perhaps a software framework. They are normally specific to a hardware platform and operating system combination. The following SDKs are used for the Österreichische Post app:
Firebase Analytics and tag manager: We use the Firebase Analytics service by Google to create analysis reports and user analyses. When this service is used, data (IP address) are processed and shared with the provider (Google).
Firebase Crashlytics: We use the Firebase Crashlytics service by Google to receive crash reports and use them to correct any mistakes that may have been identified. When this service is used, data (IP address) are processed and shared with the provider (Google).
Firebase Messaging: We use the Firebase messaging service by Google to send push notifications to our users. When this service is used, data (IP address) are processed and shared with the provider (Google).
Firebase Performance: We use the Firebase performance service by Google to measure our app's performance and improve it on an ongoing basis When this service is used, data (IP address) are processed and shared with the provider (Google).
Firebase Remote Config: We use the Firebase remote config service by Google to make changes to the app via remote access. Among others, we use it to activate maintenance pages or deactivate specific app versions. When this service is used, data (IP address) are processed and shared with the provider (Google).
(Android only) Google Play Core: We use the Google Play Core services by Google to display update notifications in the app. When this service is used, data (IP address) are processed and shared with the provider (Google).
Install Referrer: We use the Install Referrer service by Google to identify the origin of a verification. When this service is used, data (IP address) are processed and shared with the provider (Google).
Google Maps / Apple Maps: We use Google Maps (Android) and Apple Aps (iOS) to offer certain app functions such as our branch locator and parcel forwarding. When this service is used, data (IP address, device's location data after approval) are processed and shared with the provider (Google/Apple).
FaceID / TouchID / Fingerprint: We use FaceID and TouchID by Apple (iOS) and fingerprint services by Google (Android) to protect e-postboxes if needed. When you choose one of these security options, data (IP address, encrypted biometric data) are processed and shared with the provider (Google/Apple).

(iOS only) MessageUI: We use the MessageUI service by Apple to send e-mails from the app in the case of support requests. When this service is used, data (IP address) are processed and shared with the provider (Google).