Österreichische Post AG's Data Protection Policy

Updated: July 2022
1. Who is in charge of handling your personal data?
1.1 Österreichische Post AG, Rochusplatz 1, 1030 Vienna ("Post", "we", "us") is responsible for adequately protecting your personal data. Österreichische Post complies with all legal provisions about the protection, lawful handling and confidentiality of personal data as well as data safety.
1.2 We process your personal data in accordance with data protection regulations, above all the General Data Protection Regulation (GDPR), the Austrian Data Protection Act, relevant regulations defined in the Postal Market Act and other relevant laws.
1.3 This data protection policy provides information about why and how we process your data when you use our website, when you subscribe to our newsletter, if you are interested in our services or if you are a supplier or business partner of Österreichische Post.

2. What interest does Österreichische Post have regarding my data and based on which grounds may Österreichische Post process my data?
2.1 Performance of a contract and performance steps required prior to entering into a contract: we use your personal data pursuant to Art 6 (1) (b) of the GDPR  

  • for the provision of postal services (shipping and delivering mail), e.g., when you send a parcel. We process your personal data as defined in the Austrian Delivery Act when delivering mail from the authorities. For this purpose, signature data about writing speed and writing pressure are collected and transferred to the competent authority or court as defined in the Austrian Delivery Act 
  • for the payment of retirement benefits, unemployment benefits
  • for logistics services, e.g., shipping goods 
  • for ongoing customer service and for answering your inquiries, e.g., when you contact us with a question
  • for financial services 
    • for services related to communication and information technology using automated data processing and information technology, e.g., when you use our website or data processing at our distribution centres for letter mail and parcel shipping  
    • to manage master data and contractual data, e.g., if you have a PO box with us or if you are an Österreichische Post partner
    • Österreichische Post account: if you have signed up for an Österreichische Post account or for the online services of Österreichische Post, we will process the following data categories: personal main data, address data, contact data and, in the case of identification, the required ID data.
  • for the performance of contracts, e.g., for mail forwarding or release delivery authorisations, collection services, parcel stamps, e-letters or for sweepstakes
  • for the provision of printing services (e.g., postcard app, Österreichische Post online printing, photo printing)
  • for the performance of contracts, e.g., regarding philately products such as stamps subscriptions, Meine Marke personalised stamps
  • for real estate utilisation (e.g., when renting or selling real estate)
  • for vehicle marketing purposes 
    We process your personal master data, address data (e.g., for the provision of postal services), contact data (e.g., e-mail address, telephone number), payment data, shipping data, user data, document content data, identification data (e.g., ID data, company register number, KSV number, VAT ID), image data for the abovementioned purposes.
    We can only enter into and perform a contract if we can process your personal data. If you do not provide the required data, we cannot enter into a contract

2.2 Your data may also be processed in the interest of Österreichische Post or of a third party. This data processing is performed pursuant to Article 6 (1) (f) of the GDPR

  • for the provision of postal services including clarification and processing of damaged items (letter mail shipping and delivery), e.g., when we deliver a parcel to you. In that case we process the personal data provided by the sender
  • for the compilation of statistics with the goal of developing new rates, for handling offers and inquiries, processing applications and providing services, event management
  • for customer service purposes including inquiry/complaint management
  • for supplier management purposes
  • for invoicing and accounting purposes
  • for safeguarding property and responsibility protection via video surveillance
  • for visitor and access management
  • for our event management
  • to apply for subsidies
  • for managing credits on your loyalty card
  • a sustainable environmental and waste management system as well as for the implementation of our sustainability strategy
  • for market research purposes such as satisfaction surveys and studies about rendered services
  • for marketing purposes: the use of your data for direct marketing activities by Österreichische Post can also be considered legitimate interest. An example is when you have a customer relationship with us, e.g., you have a user account with Österreichische Post and rely on services such as mail forwarding, PO boxes or release delivery authorization. In any other case, we will only use your data for marketing activities by Österreichische Post if you explicitly agree to it. You can revoke this consent at any time.
  • for profiling to allow for customised marketing purposes by Österreichische Post:
    To allow for the best possible use of our Österreichische Post products and services, we rely on partially automated data processing that can, among others, analyse the products you use and your user behaviour regarding such products (e.g., purchase frequency and purchase volume). This analysis allows us to provide physical or electronic advertising for our products and services that matches your interests and preferences (e.g., relevant product updates or special offers) and to create profiles about our customers that anticipate future interests and purchase likelihood. This kind of data processing is called profiling and is performed based on our legitimate interest in providing targeted advertising to our clients. However, in this context, no automated decisions that would have legal or any other considerable consequences for you are made.
    You can object to profiling for marketing purposes at any time. In the case of such an objection, you would no longer receive any direct advertising that is based on your preferences and personal behaviour. For more information about making such an objection please see item 7 (your right to object).
  • Use of your data for third-party marketing purposes pursuant to Section 151 of the Austrian Industrial Code (activity as address broker and direct marketing company). With these activities, Österreichische Post supports businesses in their active and targeted client communication processes. Österreichische Post itself gets the required data (name, gender, title, degree, address, data of birth, profession, industry or business and client or interested person file from which we obtained your address) from the persons in question, e.g., prior to prize draws. This means that you will receive written information at the time of the data collection saying that the data will be used for third-party advertising purposes. At the time of collection as well as at any later point in time, you have the option of objecting to this processing. For additional information about your right to object, please see item 7. In addition, you can avoid receiving advertising material from address brokers and direct marketing businesses by joining the so-called "Robinson List" managed by the Austrian Federal Economic Chamber (
  • However, such data can also be bought from other address brokers and direct marketing businesses. In that case, you will receive information from the suppliers of such address brokers about the planned use of your data.

    Names and addresses collected in such manner can then be passed on to advertising businesses for sending out advertising mail or for other marketing purposes. The lawfulness of the processing of such data is subject to constant verification and meets high legal standards.
  • for compliance purposes. This means meeting statutory and other requirements, e.g., income tax and social security deductions, recording/reporting duties, audits, compliance with inspections by public authorities, "good governance", reaction to legal disputes, administration of inhouse inquiries/complaints/claims, investigation and behaviour in line with strategies/procedures, fulfilment of a trustbuilding communication policy as well as disclosure and information needs. To that effect, special categories of personal data may be processed pursuant to Article 9 of the GDPR and Article 10 of the GDPR for data from criminal proceedings. When doing so, we comply with all special statutory provisions for this processing.
  • for planning, implementing and documenting internal revision action as well as forensic analyses to ensure that our business processes improve on a continuous basis and to meet provisions imposed by supervisory authorities. In addition, data collection for clarification and prevention purposes in the case of suspected unlawful activity towards Österreichische Post. To that effect, special categories of personal data pursuant to Article 9 and criminally relevant data pursuant to Article 10 of the GDPR may be processed. When doing so, we comply with all special statutory provisions for this processing.
  • to settle damages and insurance claims. To that effect, special categories of personal data pursuant to Article 9 and criminally relevant data pursuant to Article 10 of the GDPR may be processed. When doing so, we comply with all special statutory provisions for this processing.
  • For ensuring IT security and maintaining IT operations, the execution of stress tests, the development of new products and systems and the adaptation of existing ones, data migration to ensure system viability and integrity and ultimately, the viability and integrity of processed data. In this case, personal data are predominantly used for tests provided that such tests cannot be done with anonymous data without excessive costs. As a matter of course, data security pursuant to Article 32 of the GDPR will be ensured at all times.
  • to maintain and improve data quality. Data protection laws require us to check personal data for data quality (especially up-to-dateness, consistency, accuracy) on a regular basis and to adapt them if necessary. For that purpose, we use adequate software and analysis processes to eliminate duplicates, among others. To improve data quality, these processes may also rely on statistical and non-personal data (e.g., provided by Statistics Austria).

    In addition to the aforementioned personal data, we will process your personal master data, address data (e.g., from the provision of postal services), contact data (e.g., e-mail address, telephone number), payment data, shipping data, document content data, identification data, complaint/inquiry data from inquiries/complaints, image and audio data (e.g., video, image and telephone recordings).

2.3 Compliance with statutory obligations: Österreichische Post is also subject to statutory obligations, e.g., from the Austrian Postal Market Act, the Delivery Act, requirements from supervisory authorities, documentation duties as well as provisions from company law and capital market laws, tax law and entrepreneurial law. In addition, Österreichische Post has inspection and reporting duties. In order to be able to comply with these provisions, we process your personal data pursuant to Article 6 (1) (c) of the GDPR exclusively in the scope required by the law in question. 

To meet the quality assessment and assurance obligation defined in the Austrian Postal Market Act, we carry out customer satisfaction surveys after our customers have gotten in touch with us. If you do not want to participate in this survey, please let your customer advisor know when you speak to them. Alternatively, you can let us know afterwards by going to our website (for additional information, see item 8) or by writing to our customer service at Postkundenservice, Bahnsteggasse 17-23, 1210 Vienna.
2.4 Consent: unless there are no justified grounds as described in 2.1 to 2.3 above, we will ask for your consent pursuant to Article 6(1) (a) of the GDPR. When doing so, we will naturally fully comply with all applicable statutory provisions (including the Austrian Telecommunications Act). Especially for the following purposes, Österreichische Post will need your voluntary consent that you can revoke at any time with future effect:

  • marketing purposes such as the electronic delivery of e-mails, text messages, messages on Österreichische Post customer portals and mobile data applications, via social networks and contact via telephone. Based on your consent, Österreichische Post may send you marketing information via these channels about events and suggestions about products and services from the Österreichische Post range of services 
  • tracking user behaviour on the websites and apps of Österreichische Post provided that you use them. For additional information about cookies, please see legal information and cookie information for websites under item 9.

2.5 Österreichische Post will send you a separate notification before we start processing your data for purposes other than the ones described in this document.

3. With whom are we allowed to share your data?
3.1 Data transmission within the Österreichische Post corporation: we may entrust specific data processing steps to specialised departments or companies within our corporation. We will do that, for instance, to better process your customer data for internal administration purposes.

3.2 External service providers: we comply with statutory and contractual obligations.  In a world of labour division, the required data processing work is oftentimes provided by specialised businesses, so-called service providers (data processors).  These businesses can provide such services at attractive rates while delivering high quality.  Therefore, we transfer your personal data to such businesses in the scope necessary for them to provide the contractually agreed services.  These services may include data storage in secure computer centres, printing invoices and advertising material, postcards, photos and digitising contracts or invoices (creating a digital, non-editable image). Our data processors include Österreichische Post partners, IT service providers, printing services, service providers for customer assistance activities, contract management, market research institutes, marketing businesses and advertising agencies.

3.3 Courts and public authorities: there are some statutory provisions that Österreichische Post can only comply with by sharing your personal data with public authorities (such as social security organisations, tax offices or prosecuting bodies, supervisory bodies, customs bodies or health authorities) or courts in the required scope.
3.4 Other recipients: as part of a contractual relationship and especially in relation with our performance duty or in the case of legal disputes, in specific cases, we may additionally share your personal data e.g., with other postal service providers (e.g., UPU, IPC), freight forwarding companies, physicians, hospitals, insurance companies and brokers, experts, attorneys, interest groups, address brokers and direct marketing companies, banks and capital investment firms, insurance companies, CPAs, consultants (especially tax experts), subsidy granting bodies, shareholders, investors, and external payment providers. In addition, as part of our address broker activities, we may forward your data to advertising companies. These include companies that provide mail-order services or retail services, financial service providers and insurances, IT and telecommunication companies and utilities as well as associations such as charities, NGOs and political parties.

4. May your data also be shared with third parties in another country (including outside the EU)?
4.1 Yes, provided that the European Commission has confirmed that this third country has an adequate data protection level and that adequate data protection guarantees exist (e.g., binding in-house data protection provisions or standard EU data protection clauses only in the case of a documented case-by-case evaluation of the adequate protection level).

4.2 Provided that you have given your explicit consent, data may be transferred to a third country (Article 49 (1) (a) of the GDPR). This is to inform you about possible risks related to intentional data transfer and a lack of adequate data protection safeguards (item 4.1). On our website, we use, among others, different cookies and similar technologies (hereinafter referred to as "cookies") that we and third-party providers may rely on to process personal data. These third-party providers include companies such as Google LLC (for a detailed list, please see cookies by US providers) that are headquartered in the USA where they process their data. The European Court of Justice has declared the data protection level in the USA to be inadequate. It highlighted the risk of your data being accessed by US authorities for control and surveillance purposes and the fact that no effective legal remedies against this exist. Before we place cookies and transfer your data to these companies, we will ask you to provide your explicit consent (Article 6 (1) (a) of the GDPR and Article 49 (1) (a) of the GDPR) and we will provide detailed information about all data processing (purpose, data categories, and storage period, among others). Information about specific cookies is available under "Edit cookie settings". You can revoke your consent at any time with future effect. To do that, go to "Edit cookie settings" on our website and change the settings as needed. In addition, please note that we are working hard to implement (additional) adequate safeguards pursuant to Article 46 of the GDPR as an alternative legal basis for the abovementioned data transfer.

4.3 In the area of postal services, international item data may, given the contractual duty to deliver mail and the Treaty of Bern for international mail delivery signed by Austria, be processed in any third country in the world, provided that this is necessary for the delivery of a specific item (Article 49 (1) (b), (c), (d) of the GDPR).

4.4 In certain situations, your data might be processed in the following third countries:
Bosnia and Herzegovina (group company): for the purpose of answering and forwarding phone calls received at the Österreichische Post customer service hotline as well as for handling item inquiry cases for items shipped by Österreichische Post. To that effect, your personal master data and contact data as well as the subject of your inquiry and, for clarification inquiries, also your address data, order and payment data will be processed.
India: contact data including the title of the meeting are processed on our behalf for the purpose of internal room bookings 
USA: if services providers are used (see item 3.2), your data may also be transferred to the USA
Vietnam: for delivery purposes, address data that cannot be read automatically at our distribution centres are coded remotely via video on our behalf. 
In these cases, data transmission is based on EU standard data protection clauses and is performed along with a documented case-by-case check of the adequacy of the protection level (guarantee pursuant to Article 46 of the GDPR); these are available upon request on

4.5 As a result of the use of Facebook, data will be transferred to third countries. Data transfer is anonymised or pseudo anonymised.

5. How long will your data be stored?
5.1 As soon as Österreichische Posts no longer needs your personal data for the purposes described above, they will be deleted, unless statutory storage periods to the contrary apply.

5.2 The statutory period of prescription pursuant to the Austrian Civil Code is between three and thirty years. During this time period, claims against Österreichische Post may be brought forward. We may keep your personal data as long as necessary depending on the possible claim.
5.3 As a result of corporation law provisions (e.g., Federal Fiscal Act, Company Act), your contractual data must be stored for at least seven years after the end of the contractual relationship.

6. What rights do you have?
6.1 If you so desire, we will provide information about your personal data that we process at Österreichische Post whenever you like. In addition, in some cases, you also have the right to data portability, meaning that we would give you all personal data you have disclosed to us in a structured, standard and machine processable format. 

6.2 Under certain conditions, you can also demand that the processing of your data is limited or that your personal data are rectified or deleted. In addition, you can object to the processing.

6.3 In some of the abovementioned cases, your consent will give Österreichische Post the right to process your data. You can revoke this consent at any time with future effect without the need to state reasons. Until then, we will lawfully process your data.

6.4 You want to exercise your rights or you have any questions, suggestions, or feedback? In that case, please please use the contact offered in item 8. Also, you have the option of filing a complaint with the Austrian Data Protection Authority: Österreichische Datenschutzbehörde, Barichgasse 40-42, 1030 Vienna, or

7. Your right to object
As a data subject, you have the right to object to the use of your data if the processing serves the purpose of direct marketing. In addition, you have the right to object if reasons arise for you to do so as a result of your particular situation. If you would like to object, please use the contact offered in item 8.

8. Contact us
To contact the data protection officer of Österreichische Post or to exercise your rights, please visit or write to

To the attention of the Data Protection Officer
Bahnsteggasse 17-23,
1210 Vienna.

or to the e-mail-address

To ensure that your request to exercise your data protection rights is complete and can be assigned and processed properly in our databases, we require the following information in every case:

  • Description of your request
  • First name, last name
  • Date of birth (especially to exclude similarities of names in connection with processing your request)
  • Postal address
  • E-mail address (in so far as you have provided an E-Mail adress to the Post in connection with a ser-vice or in order to contact the Post)
  • Legible copy of a valid photo ID (e.g. driver's license, ID card, passport) or a digitally signed request, e.g. cell phone signature
    (no photo ID or digital signature is required when exercising the following rights: 
    “Withdrawal of Consent/objection for advertising purposes" and "Erasure of data for third-party marketing purposes").

Your request will be processed based on the data you provide in the contact form. Please pay attention to the correctness of your data, especially to the usage of hyphens, commas, spaces etc. in your name and address.

9. Legal information and cookie information for websites
9.1. General information
The information provided on the websites of Österreichische Post is for informational purposes only. We take great care to ensure that all information is correct and complete. However, we cannot exclude that unintentional or incidental mistakes will occur.

Österreichische Post accepts no liability or guarantee for the information provided on its websites. Above anything, Österreichische Post does not guarantee that all information can be displayed using any software or hardware configuration, that the information is up-to-date, secure and free from mistakes, that it meets your expectations and/or that it is permanently available. Also, Österreichische Post does not guarantee that its websites and auxiliary systems (e.g., servers) are free from viruses. In addition, Österreichische Post reserves the right to complement or change the information on its websites without prior notification. 

Österreichische Post is not liable for inaccurate or missing information on its websites. This especially applies, without limitation, to (hyper)links and other content used on our websites directly or indirectly or that can be accessed from them. All decisions based on information provided by Österreichische Post on its websites are the sole and only responsibility of the user.

In addition, Österreichische Post accepts no liability for immediate/specific damage or consequential damage or other damage of any kind that may result in any way from the direct or indirect use of the information (including hyperlinks) provided on its websites. 
All abovementioned provisions also apply to software that can directly or indirectly be accessed or used from the websites of Österreichische Post. If third-party software is accessed via (hyper)links, the rules of the provider in question shall apply. 
9.2 Copyright
The design and content of these websites are subject to copyright. Any change or reproduction of images or text from these websites is subject to prior written consent by Österreichische Post. It is explicitly prohibited to use marks (e.g., trademarks, logos). 
9.3 Use of cookies
Several parts of our websites rely on cookies and similar technologies (hereinafter referred to as "cookies"). They make our offer more user-friendly and more efficient. 

Cookies are small text files that are saved on your computer or smartphone and that your browser will store. They usually provide information about what pages/parts of our website were visited by users and can, among others, save user settings so that returning users will be recognised and do not have to log in again. Also, they allow for the targeted displaying of information to users as well as the analysis of website views. 

Our business partners, so-called cookie providers, may also place cookies on our websites. These are used to improve our own products and services as if we had placed these cookies ourselves. For instance, to understand how our websites are used, we work with analysis partners including Google and Facebook (for additional information, please see item 9.3.2). However, cookie providers may also rely on cookies used on our websites for their own purposes, e.g., to place (their own or third-party) advertising on our websites and to measure their effectiveness. In such case, Österreichische Post has no influence on the purpose and means of the cookie-based data processing while also not benefiting from this data processing. Cookies from such third-party providers may fall into the cookie categories listed under item 9.3.1.

Information about the use, scope and type of cookies is available in our cookie banner displayed under "Edit cookie settings". 

9.3.1 Cookie settings and management, legal basis
Other than technically required cookies (functionally necessary cookies) that may be placed on our websites even without your consent  pursuant among others to Section 165 of the Telecommunications Act  and because of our legitimate interest (providing a functional online service offer) pursuant to Article 6 (1) (f) of the GDPR, you can actively accept or reject the use of performance cookies and cookies for marketing purposes before they are placed.

To that effect, we have created a cookie consent management tool that displays a cookie banner with additional information about the cookies we use when you access the website in question for the first time (especially name, purpose, lifespan, provider.). Via this cookie banner, you have the option of generally agreeing to the use of cookies or to make a more detailed selection depending on the cookie category. You can even select specific cookies or cookie providers within a specific cookie category.  You can change your consent or selection at any time by going to cookie   "Edit cookie settings" in the cookie consent management platform. If, after you have provided your consent, more cookies or cookie providers are added, the cookie banner will be displayed once again and you will be able to make your selection. In the cookie consent management tool, all cookie providers are listed individually and links to their privacy policies are provided. These policies include additional information, including without limitation, information about additional options for deactivating these cookies.

In addition, you have the option of going to your browser settings to determine whether you want to allow cookies or not. Your device might also allow you to manage your cookies. To learn how this works, please see the user manual provided by the manufacturer of your device.

If users opt out of storing cookies, certain functions of the website might not be available. 

9.3.2 Additional information about the advertising functions of Google Inc.
Once we have understood what is important to you and what you are interested in, we can show you relevant and helpful information. To place and manage our ads, we rely on Google Display & Video as well as Google Adwords (Google Ads).

We use the services of Google Ads to place advertising (so-called Google ads) on external websites and highlight our attractive offerings. By linking the data to the advertising campaign, we can determine how successful specific advertising efforts have been. In doing so, we strive to show you advertising that is relevant to you, to make our website more interesting for you and to reach a fair calculation of advertising costs. 

These advertising materials are delivered by Google via so-called "Ad Servers". We use Ad Server cookies which measure certain success parameters, including how many times the ads were shown and how many clicks they obtained from users. Provided that you have accessed our website via a Google ad, Google Ads will place a cookie on your device. Such cookies are usually valid for 30 days only and are not used to identify you personally. However, specific users can be grouped via browser recognition. 

If you have registered for one of the services provided by Google, Google can link your visit to your account. Even if you have not registered or logged on, the service provider might obtain information about our IP address and save it.

After you have given your consent and made your selection, you can revoke or change these "cookie settings" at any time by going to the cookie management platform.

9.3.3 Additional information about Google Remarketing
In addition to Google Adwords, we use an application called Google Remarketing. This is a procedure that we use to target you once again. This application allows us to display our ads on your device after you have visited our website and continue using the Internet. This is done via cookies saved on your browser. These cookies allow Google to identify and analyse your user behaviour when you access different websites. This is how Google can determine that you have previously visited our website. According to information provided by Google, data collected as part of remarketing activities will not be associated with any of your personal data that Google may have saved. Google also highlights that it uses pseudo-anonymization for its marketing activities. For more information about Google's data protection policy, please visit

After you have given your consent and made your selection, you can revoke or change these "cookie settings" at any time by going to the cookie management platform.

9.3.4 Additional information about Facebook,  Instagram & LinkedIn
For the same purpose, i.e., displaying customised ads, Instagram Ads, Facebook Ads and LinkedIn ads may be activated provided that you give your consent. This is not personal information. Personal information will be saved on servers located both in the European Union (Ireland) and in third countries. The information will be stored for a period of 90 days.

Facebook, Instagram, and LinkedIn Pixel allow us to check if users were redirected to our website after having clicked on an Instagram, Facebook or LinkedIn ad. Among other processes, Instagram, Facebook and LinkedIn Pixel use cookies, which are small text files that are stored locally in your web browser's cache memory on your device. If you have logged on to Instagram, Facebook or LinkedIn with your user account, your visit to our online offerings will be registered in your user account. All data collected about you is anonymous for us and therefore will not allow us to identify users. However, Instagram, Facebook and LinkedIn can associate this data with your user account on these platforms. 

Personal information will be saved on servers located both in the European Union (Ireland) and in third countries. These saved cookies can remain in place for up to 2 years. For additional information about Facebook's privacy policy, please visit: about Instagram's privacy policy is available here: Information about LinkedIn's privacy policy is available here:

After you have given your consent and made your selection, you can revoke or change these "cookie settings" at any time by going to the cookie management platform.

10. Changes or complements
We reserve the right to change or complement the information provided in this data protection policy at any time and without prior notification. An updated version is available on our website. If certain parts or specific passages are found to be invalid, to have become invalid or are not fully valid, the content and validity of the rest of the document shall remain unaffected.
11. Employees 
If you apply for a position at Österreichische Post, we will let you know how and to what extent we process your personal data before we start the application process. If you subsequently become an employee of Österreichische Post, we will process your data as described in the data protection policy for employees of Österreichische Post. The updated policy is available on the intranet under Employees/Data Protection and on our information board.