Data protection LEGAL INFORMATION & DATA PROTECTION POLICY

Data protection
LEGAL INFORMATION & DATA PROTECTION POLICY
Österreichische Post data protection policy 
Updated: July 2020
 
1. Who is in charge of handling your personal data?

1.1 Österreichische Post AG, Rochusplatz 1, 1030 Vienna ("Post", "we", "us") is responsible for adequately protecting your personal data. Österreichische Post complies with all legal provisions about the protection, lawful handling and confidentiality of personal data as well as data safety. 
 
1.2 We process your personal data in accordance with data protection regulations, above all the General Data Protection Regulation (GDPR), the Austrian Data Protection Act, relevant regulations defined in the Postal Market Act and other relevant laws. 
 
1.3 This data protection policy provides information about why and how we process your data when your visit our website or subscribe to our newsletter or if you are an interested party, client, supplier or business partner.
 
2. What interest does Österreichische Post have regarding my data and based on which grounds may Österreichische Post process my data?
2.1 Performance of a contract and performance steps required prior to entering into a contract: we use your personal data pursuant to Art 6(1)(b) of the GDPR

  • to provide postal services (shipping letters and parcels as well as delivery), for example, when you post a parcel. We process your personal data as defined in the Austrian Delivery Act for delivering mail from the authorities. For this purpose, signature data about writing speed and writing pressure are collected and transferred to the competent authority or court as defined in the Austrian Delivery Act 
  • for the payment of retirement benefits, unemployment benefits 
  • for logistics services, e.g. shipping goods
  • for ongoing customer service and for answering your inquiries, e.g. when you contact us with a question
  • for financial services 
  • for services related to communication and information technology using automated data processing and information technology, e.g. when you use our website or data processing at our distribution centres for letter mail and parcel shipping)  
  • to manage master data and contractual data, e.g. if you have a user account or a PO box with us or if you are an Österreichische Post partner
  • for the performance of contracts, e.g. for mail forwarding or release delivery authorizations, collection services, parcel stamps, e-letters or for sweepstakes
  • for the provision of printing services (e.g. postcard app, Österreichische Post online printing, photo printing)
  • for the performance of contracts, e.g. regarding philately products such as stamps subscriptions, Meine Marke personalised stamps
  • for real estate evaluation (e.g. when renting or selling real estate)
  • for vehicle marketing purposes 
  • We process your personal master data, address data (e.g. for the provision of postal services), contact data (e.g. e-mail address, telephone number), payment data, shipping data, user data, document content data, identification data (e.g. ID data, company register number, KSV number, VAT ID), image data for the above-mentioned purposes.
  • We can only enter into and perform a contract if we can process your personal data. If you do not provide the required data, we cannot enter into a contract.

2.2 Your data may also be processed in the interest of Österreichische Post or of a third party. This data processing is done pursuant to Article 6(1) (f) of the GDPR

  • for the provision of postal services including clarification and processing of damaged items (letter mail shipping and delivery), e.g. when we deliver a parcel to you. In that case we process the personal data provided by the sender.
  • for the compilation of statistics with the goal of developing new rates, for handling offers and inquiries, processing applications and providing services, event management
  • for customer service and request/complaint management
  • for supplier management purposes 
  • for invoicing and accounting purposes
  • for safeguarding property and responsibility protection via video surveillance  
  • for visitor and access management
  • for our event management
  • to apply for subsidies
  • for managing credits on your loyalty card
  • a sustainable environmental and waste management system as well as for the implementation of our sustainability strategy
  • for marketing purposes: the use of your data for marketing purposes can also be considered legitimate interest. An example is when you have a customer relationship with us, e.g. you have a user account with Österreichische Post and rely on services such as mail forwarding, PO boxes or release delivery authorization. In this case, we might use your data for market research purposes such as satisfaction surveys and studies about the provided services and for consulting services as well as for direct marketing, provided that, having considered all interests, we believe that the there is a legitimate interest for processing the data. In any other case, we will only use your data if you explicitly agree to it. You can revoke this consent at any time.
  • Use of your data for third-party marketing purposes pursuant to Section 151 of the Austrian Industrial Code (activity as address broker and direct marketing company). With these activities, Österreichische Post supports businesses in their active and targeted client communication processes. Österreichische Post itself gets the required data (name, gender, title, degree, address, data of birth, profession, industry or business and client or interested person file where we obtained your address) from the persons in question, e.g. prior to prize draws. This means that you will receive written information at the time of the data collection saying that the data will be used for third-party advertising purposes. At the time of collection as well as at any later point in time, you have the option of objecting to this processing. For additional information about your right to object, please see item 7. In addition, you can avoid receiving advertising material from address brokers and direct marketing businesses by joining the so-called "Robinson List" managed by the Austrian Federal Economic Chamber.
  • However, the data can also be bought from other address brokers and direct marketing businesses. In that case, you will receive information from the suppliers of such address brokers about the planned use of your data.

Names and addresses collected in such manner can then be passed on to advertising businesses for sending out advertising mail or for other marketing purposes. The lawfulness of the processing of such data is subject to constant verification and will be warranted pursuant to high legal standards.

  • for compliance purposes. This means meeting statutory and other requirements, e.g. income tax and social security deductions, recording/reporting duties, audits, compliance with inspections by public authorities, “good governance”, reaction to legal disputes, administration of in-house inquiries/complaints/claims, investigation and behaviour in line with strategies/procedures, fulfilment of a trust-building communication policy as well as disclosure and information needs. To that effect, special categories of personal data (especially data from criminal proceedings) may be processed pursuant to Article 9 of the GDPR. When doing so, we comply with all special statutory provisions for this processing. 
  • for planning, implementing and documenting internal revision action as well as forensic analyses to ensure that our business processes improve on a continuous basis and to meet provisions imposed by supervisory authorities. In addition, data collection for clarification and prevention purposes in the case of suspected unlawful activity towards Österreichische Post. To that effect, special categories of personal data (especially data from criminal proceedings) may be processed pursuant to Article 9 of the GDPR. When doing so, we comply with all special statutory provisions for this processing.
  • to settle damages and insurance claims. To that effect, special categories of personal data (especially health-related data and criminally relevant data) may be processed pursuant to Article 9 of the GDPR. When doing so, we comply with all special statutory provisions for this processing.
  • For ensuring IT security and maintaining IT operations, the execution of stress tests, the development of new products and systems and the adaptation of existing ones, data migration to ensure system viability and integrity and ultimately, the viability and integrity of processed data. In this case, personal data is predominantly used for tests provided that such tests cannot be done with anonymous data without excessive costs. As a matter of course, data security pursuant to Article 32 of the GDPR will be ensured at all times.
  • to maintain and improve data quality. Data protection laws require us to check personal data for data quality (especially up-to-dateness, consistency, accuracy) on a regular basis and to adapt them if necessary. For that purpose, we use adequate software and analysis processes to eliminate duplicates, among others. To improve data quality, these processes may also rely on statistical and non-personal data (e.g. provided by Statistics Austria).

In addition to the aforementioned personal data, we will process your personal master data, address data (e.g. from the provision of postal services), contact data (e.g. e-mail address, telephone number), payment data, shipping data, document content data, identification data, complaint/inquiry data from inquiries/complaints, image and audio data (e.g. video, image and telephone recordings).
 
2.3 Compliance with statutory obligations: Österreichische Post is also subject to statutory obligations, e.g. from the Austrian Postal Market Act, the Delivery Act, requirements from supervisory authorities, documentation duties as well as provisions from company law and capital market laws, tax law and entrepreneurial law. In addition, Österreichische Post has inspection and reporting duties. In order to be able to comply with these provisions, we process your personal data pursuant to Article 6(1) (c) of the GDPR exclusively in the scope required by the law in question. 
 
2.4 Consent: Unless there are no justified grounds as described in 2.1 to 2.3 above, we will ask for your consent pursuant to Article 6(1) (a) of the GDPR. When doing so, we will naturally fully comply with all applicable statutory provisions (including the Austrian Telecommunications Act). Österreichische Post will need your voluntary consent that you can revoke at any time in the future especially for the following purposes:

  • Österreichische Post account: If you have signed up for an Österreichische Post account or for the online services of Österreichische Post, we will process the following data categories: personal main data, address data, contact data and, in the case of identification, the required ID data.
  • Marketing purposes such as the electronic delivery of e-mails, text messages, messages on Österreichische Post customer portals and mobile data applications, via social network and contact via telephone. Based on your consent, Österreichische Post may send you marketing information via these channels about events and suggestions about products and services from the Österreichische Post range of services.
  • tracking user behaviour on the websites and apps of Österreichische Post provided that you use them. For additional information about cookies, please see legal information and cookie information for websites under item 9.

2.5 Österreichische Post will send you a separate notification before we start processing your data for purposes other than the ones described in this document.
 
3. With whom are we allowed to share your data?
3.1 Data transmission within the Österreichische Post corporation: We may entrust specific data processing steps to specialised departments or companies within our corporation. We will do that, for instance, to better process your customer data for internal administration purposes.
3.2 External service providers: We comply with statutory and contractual obligations. In a world of labour division, the required data processing work is oftentimes provided by specialised businesses, so-called service providers (data processors). These businesses can provide such services at attractive rates while delivering high quality. Therefore, we transfer your personal data to such businesses in the scope necessary for them to provide the contractually agreed services. These services may include data storage in secure computer centres, printing invoices and advertising material, postcards, photos and digitising contracts or invoices (creating a digital, non-editable image). Our data processors include IT service providers, printing service providers, service providers for customer assistance activities, contract management, market research institutes, marketing businesses and advertising agencies. 
3.3 Courts and public authorities: There are some statutory provisions that Österreichische Post can only comply with by sharing your personal data with public authorities (such as social security organisations, tax offices or prosecuting bodies, supervisory bodies, customs bodies) or courts in the required scope.
 
3.4 Other recipients: As part of a contractual relationship and especially in relation with our performance duty, in specific cases, we may additionally share your personal data (e.g. with other postal service providers (e.g. UPU, IPC), freight forwarding companies, physicians, hospitals, insurance companies and brokers, experts, attorneys, interest groups, address brokers and direct marketing companies, banks and capital investment firms, insurance companies, CPAs, consultants, subsidy granting bodies, shareholders, investors). In addition, under certain circumstances, your data may be shared with companies that work in advertising. These include companies that provide mail-order service or retail services, financial service providers and insurances, IT and telecommunication companies and utilities as well as associations such as charities, NGOs and political parties.
 
4. May your data also be shared with third parties in another country (including outside the EU)?
4.1 Yes, provided that the European Commission has confirmed that this third country has an adequate data protection level and that adequate data protection guarantees exist (e.g. binding in-house data protection provisions or standard EU data protection clauses). 
4.2 Provided that you have given your explicit consent, data may be transferred to a third country (Article 49(1)(a) of the GDPR). This is to inform you about possible risks related to intentional data transfer and a lack of adequate data protection safeguards (item 4.1). On our website, we use, among others, different cookies and similar technologies ("cookies") that we and third-party providers may rely on to process personal data. These third-party providers include Google LLC and YouTube LLC that are headquartered in the USA where they process their data. The European Court of Justice has declared the data protection level in the USA to be inadequate. It highlighted the risk of your data being accessed by US authorities for control and surveillance purposes and the fact that no effective legal remedies against this exist. Before we place cookies and transfer your data to these companies, we will ask you to provide your explicit consent (Article 6(1)(a) of the GDPR and Article 49(1)(a) of the GDPR) and we will provide detailed information about all data processing (purpose, data categories, and storage period, among others). Information about specific cookies is available here Cookie-Einstellung bearbeiten. You can revoke your consent at any time with future effect. To do that, go to Cookie-Einstellung bearbeiten on our website and change the settings as needed. In addition, please note that we are working hard to implement (additional) adequate safeguards pursuant to Article 46 of the GDPR as an alternative legal basis for the above-mentioned data transfer.
4.3 Österreichische Post will transfer your data to its subsidiary in Bosnia for the purpose of answering and forwarding phone calls received at our customer service centre as well as processing clarification inquiries for items shipped by Österreichische Post. To that effect, your personal main data and contact data as well as the subject of your inquiry and, for clarification inquiries, also your address data, order and payment data will be processed in Bosnia. In this case, data will be transferred based on EU standard data protection clauses (safeguards pursuant to Article 46 of the GDPR); these are available upon request at post.at/otherinquiries.
4.4 Given the use of Facebook, data will be transferred to non-EU states. Data transfer is anonymised or pseudoanonymised.

5. How long will your data be stored?
5.1 As soon as Österreichische Posts no longer needs your personal data for the purposes described above, they will be deleted, unless statutory storage periods to the contrary apply.
5.2 The statutory period of prescription pursuant to the Austrian Civil Code is between three and thirty years. During this time period, claims against Österreichische Post may be brought forward. We may keep your personal data as long as necessary depending on the possible claim.  
5.3 As a result of corporation law provisions (e.g. Federal Fiscal Act, Company Act), your contractual data must be stored for at least seven years after the end of the contractual relationship.

6. What rights do you have?
6.1 If you so desire, we will provide information about your personal data that we process at Österreichische Post whenever you like. In addition, in some cases, you also have the right to data portability, meaning that we would give you all personal data you have disclosed to us in a structured, standard and machine processable format. 
6.2 Under certain conditions, you can also demand that the processing of your data is limited or that your personal data is rectified or deleted. In addition, you can object to the processing.
6.3 In some of the above-mentioned cases, your consent will give Österreichische Post the right to process your data. You can revoke this consent at any time without the need to state reasons with future effect. Until then, we will lawfully process your data.
6.4 Do you have any questions, suggestions or feedback? In that case, please contact our data protection officer mentioned in item 8. Also, you have the option of filing a complaint with the Austrian Data Protection Authority: Österreichische Datenschutzbehörde, Barichgasse 40-42, 1030 Vienna.

7. Your right to object
As a data subject, you have the right to object to the use of your data if the processing serves the purpose of direct marketing.
In addition, you have the right to object if reasons arise for you to do so as a result of your particular situation.
If you would like to object, please go to our website at datenschutzanfrage.post.at or write to Postkundenservice, Bahnsteggasse 17-23, 1210 Vienna.

8. Contact us
To contact the data protection officer of Österreichische Post, please visit datenschutzanfrage.post.at or write to Postkundenservice, Bahnsteggasse 17-23, 1210 Vienna. For any other inquiries, please use our contact form available at post.at/otherinquiries.

9. Legal information and cookie information for websites
9.1. General information
The information provided on the websites of Österreichische Post is for informational purposes only. We take great care to ensure that all information is correct and complete. However, we cannot exclude that unintentional or incidental mistakes will occur.

Österreichische Post accepts no liability or guarantee for the information provided on its websites. Above anything, Österreichische Post does not guarantee that all information can be displayed using any software or hardware configuration, that the information is up-to-date, secure and free from mistakes, that it meets your expectations and/or that it is permanently available. Also, Österreichische Post does not guarantee that its websites and auxiliary systems (e.g. servers) are free from viruses. In addition, Österreichische Post reserves the right to complement or change the information on its websites without prior notification.

Österreichische Post is not liable for inaccurate or missing information on its websites. This especially applies, without limitation, to (hyper)links and other content used on our websites directly or indirectly or that can be accessed from them. All decisions based on information provided by Österreichische Post on its websites are the sole and only responsibility of the user.
In addition, Österreichische Post accepts no liability for immediate/specific damage or consequential damage or other damage of any kind that may result in any way from the direct or indirect use of the information (including hyperlinks) provided on its websites. 
All above-mentioned provisions also apply to software that can directly or indirectly be accessed or used from the websites of Österreichische Post. If third-party software is accessed via (hyper)links, the rules of the provider in question shall apply. 
 
9.2 Copyright
The design and content of these websites is subject to copyright. Any change or reproduction of images or text from these websites is subject to prior written consent by Österreichische Post. It is explicitly prohibited to use marks (e.g. trademarks, logos). 
 
9.3 Use of cookies
Several parts of our websites rely on cookies and similar technologies (hereinafter referred to as "cookies"). They make our offer more user-friendly and more efficient. 

Cookies are small text files that are stored on your computer or smartphone and that your browser will store. They usually provide information about what pages/parts of our website were visited by users and can, among others, save user settings so that returning users will be recognised and do not have to log in again. Also, they allow for the targeted displaying of information to users as well as the analysis of website views. 

Our business partners, so-called cookie providers, may also place cookies on our websites. These are used to improve our own products and services as if we had placed these cookies ourselves. For instance, to understand how our websites are used, we work with analysis partners including Google and Facebook (for additional information, please see item 9.3.2). However, cookie providers may also rely on cookies used on our websites for their own purposes, e.g. to place (their own or third-party) advertising on our websites and to measure their effectiveness. In such case, Österreichische Post has no influence on the purpose and means of the cookie-based data processing while also not benefiting from this data processing. Cookies from such third-party providers may fall into the cookie categories listed under item 9.3.1.

Information about the use, scope and type of cookie is available in our cookie banner displayed under Cookie-Einstellung bearbeiten

9.3.1. Cookie settings and management, legal basis
Other than technically required cookies (functionally necessary cookies) that may be placed on our websites even without your consent  pursuant among others to Section 96 of the Telecommunications Act and because of our legitimate interest (providing a functional online service offer) pursuant to Article 6(1)(f) of the GDPR, you can actively accept or reject the use of performance cookies and cookies for marketing purposes before they are placed. 

To that effect, we have created a cookie consent management tool that displays a cookie banner with additional information about the cookies we use when you access the website in question for the first time (especially name, purpose, lifespan, provider). Via this cookie banner, you have the option of generally agreeing to the use of cookies or to make a more detailed selection depending on the cookie category. You can even select specific cookies or cookie providers within a specific cookie category. You can change your consent or selection at any time by going to Cookie-Einstellung bearbeiten make your selection. In the cookie consent management tool, all cookie providers are listed individually and links to their privacy policies are provided. These policies include additional information, including without limitation, information about additional options for deactivating these cookies.

In addition, you have the option of going to your browser settings to determine whether you want to allow cookies or not. Your device might also allow you to manage your cookies. To learn how this works, please see the user manual provided by the manufacturer of your device.

If users opt to not store cookies, certain functions of the website might not be available. 


9.3.2 Additional information about the advertising functions of Google Inc.

Once we have understood what is important to you and what you are interested in, we can show you relevant and helpful information. To place and manage our ads, we rely on Google Display & Video as well as Google Adwords(Google Ads), which are, among others, also displayed on YouTube.

We use the services of Google Ads to place advertising (so-called Google ads) on external websites and highlight our attractive offerings. By linking the data to the advertising campaign, we can determine how successful specific advertising efforts have been. In doing so, we strive to show you advertising that is relevant to you, to make our website more interesting for you and to reach a fair calculation of advertising costs. 

These advertising materials are delivered by Google via so-called "Ad Servers". We use Ad Server cookies which measure certain success parameters, including how many times the ads were shown and how many clicks they obtained from users. Provided that you have accessed our website via a Google ad, Google Ads will place a cookie on your device. Such cookies are usually valid for 30 days only and are not used to identify you personally. However, specific users can be grouped via browser recognition. 

If you have registered for one of the services provided by Google, Google can link your visit to your account. Even if you have not registered or logged on, the service provider might obtain information about our IP address and save it.

After you have given your consent and made your selection, you can revoke or change these "cookie settings" at any time by going to the cookie management platform.

9.3.3 Additional information about Google Remarketing

In addition to Google Adwords, we use an application called Google Remarketing. This is a procedure that we use to target you once again. This application allows us to display our ads on your device after you have visited our website and continue using the Internet. This is done via cookies saved on your browser. These cookies allow Google to identify and analyse your user behaviour when you access different websites. This is how Google can determine that you have previously visited our website. According to information provided by Google, data collected as part of remarketing activities will not be associated with any of your personal data that Google may have saved. Google also highlights that it uses pseudo-anonymization for its marketing activities. For more information about Google's data protection policy, please visit: https://www.google.com/intl/de/policies/privacy.

After you haven given your consent and made your selection, you can revoke or change these "cookie settings" at any time by going to the cookie management platform.

9.3.4 Additional information about Facebook & Instagram

For the same purpose, i.e. displaying customised ads, Instagram Ads and Facebook Ads may be activated provided that you give your consent. This is not personal information. Personal information will be saved on servers located both in the European Union (Ireland) and in non-EU-States. The information will be stored for a period of 90 days.

Both the Facebook and Instagram Pixel allow us to check if users were redirected to our website after having clicked on an Instagram or Facebook ad. Among other processes, Instagram and Facebook Pixel use cookies, which are small text files that are stored locally in your web browser's cache memory on your device. If you have logged on to Instagram or Facebook with your user account, your visit to our online offerings will be registered in your user account. All data collected about you is anonymous for us and therefore will not allow us to identify users. However, Instagram and Facebook can associate this data with your user account on these platforms. 

Personal information will be saved on servers located both in the European Union (Ireland) and in non-EU-States. Theoretically, these saved cookies can remain in place for up to two years. For additional information about Facebook's privacy policy, please visit: https://www.facebook.com/privacy/explanation. Information about Instagram's privacy policy is available here: https://www.facebook.com/help/instagram/155833707900388

After you have given your consent and made your selection, you can revoke or change these "cookie settings" at any time by going to the cookie management platform.

 
10. Changes or additions
We reserve the right to change or complement the information provided in this data protection policy at any time and without prior notification. An updated version is available on our website. If certain parts or specific passages are found to be invalid, to have become invalid or are not fully valid, the content and validity of the rest of the document shall remain unaffected.
 
 
11. Employees 
If you apply for a position at Österreichische Post, we will let you know how and to what extent we process your personal data before we start the application process. If you subsequently become an employee of Austrian Post, we will process your data as described in the data protection policy for employees of Österreichische Post. The updated policy is available on the Intranet under Employees/data protection and on our information board.