Data protection LEGAL INFORMATION & DATA PROTECTION POLICY

Österreichische Post's data protection policy
Updated: April 2020
 
1. Who is in charge of handling your personal data?
Österreichische Post, Rochusplatz 1, 1030 Vienna (hereinafter referred to as “Österreichische Post”, “we”, “us”) is responsible for adequately protecting your personal data. Österreichische Post complies with all legal provisions about the protection, lawful handling and confidentiality of personal data as well as data safety.

1.2 We process your personal data pursuant to provisions defined in data protection legislation, including, but not limited to, the General Data Protection Regulation (GDPR), the Austrian Data Protection Act, the specific provisions defined in the Austrian Postal Market Act and other pertinent legislation.

1.3 This data protection policy provides information about why and how we process your data when your visit our website or subscribe to our newsletter or if you are an interested party, client, supplier or business partner.

2. What interest does Österreichische Post have regarding my data and based on which grounds may Österreichische Post process my data? 

2.1 Performance of a contract and performance steps required prior to entering into a contract: we use your personal data pursuant to Art 6(1)(b) of the GDPR 

  • for the provision of postal services (shipping and delivering mail), e.g. when you send a parcel. For the delivery of mail items sent by public authorities, we will process your personal data pursuant to the provisions of the Delivery Act. We will collect signature-related data about the signing speed and pen pressure and share them with the competent authority or court as required by law.
  • for the payment of retirement benefits, unemployment benefits
  • for logistics services, e.g. shipping goods
  • for ongoing customer service and for answering your inquiries, e.g. when you contact us with a question
  • for financial services
  • for services related to communication and information technology using automated data processing and information technology, e.g. when you use our website or data processing at our distribution centres for letter mail and parcel shipping)
  • to manage master data and contractual data, e.g. if you have a user account or a PO box with us or if you are an Österreichische Post partner
  • for the performance of contracts, e.g. for mail forwarding or release delivery authorizations, collection services, parcel stamps, e-letters or for sweepstakes
  • for the provision of printing services (e.g. postcard app, Österreichische Post online printing, photo printing)
  • for the performance of contracts, e.g. regarding philately products such as stamps subscriptions, Meine Marke personalised stamps
  • for real estate evaluation (e.g. when renting or selling real estate)
  • for vehicle marketing purposes

We process your personal master data, address data (e.g. for the provision of postal services), contact data (e.g. e-mail address, telephone number), payment data, shipping data, user data, document content data, identification data (e.g. ID data, company register number, KSV number, VAT ID), image data for the abovementioned purposes.
We can only enter into and perform a contract if we can process your personal data.  If you do not provide the required data, we cannot enter into a contract.

2.2 Your data may also be processed in the interest of Österreichische Post or of a third party. This data processing is done pursuant to Article 6(1) (f) of the GDPR

  • for the provision of postal services including clarification and processing of damaged items (letter mail shipping and delivery), e.g. when we deliver a parcel to you. In that case, we process the personal data provided by the sender. 
  • for the compilation of statistics with the goal of developing new rates, for handling offers and inquiries, processing applications and providing services, event management
  • for customer service and request/complaint management
  • for supplier management purposes
  • for invoicing and accounting purposes
  • for safeguarding property and responsibility protection via video surveillance
  • for visitor and access management
  • for our event management
  • to apply for subsidies
  • for managing your loyalty pass
  • for a sustainable environmental and waste management system as well as for the implementation of our sustainability strategy
  • for marketing purposes: the use of your data for marketing purposes can also be a justified interest. An example is when you have a customer relationship with us, e.g. you have a user account with Österreichische Post and rely on services such as mail forwarding, PO boxes or release delivery authorization. In this case, we might use your data for market research purposes such as satisfaction surveys and studies about the provided services and for consulting services as well as for direct marketing, provided that, having considered all interests, we believe that the there is a justified interest for processing the data.  In any other case, we will only use your data if you explicitly agree to it. You can revoke this consent at any time. 
  • Use of our data for third-party marketing purposes pursuant to Section 151 of the Austrian Industrial Code (activity as address broker and direct marketing company). With these activities, Österreichische Post supports businesses in their active and targeted client communication processes. Österreichische Post itself gets the required data (name, sex, title, degree, address, data of birth, profession, industry or business and client or interested person file where we obtained your address) from the persons in question, e.g. prior to sweepstakes. This means that you will receive written information at the time of the data collection saying that the data will be used for third-party advertising purposes. At the time of collection as well as at any later point in time, you have the option of objecting to this processing. For detailed information about an objection, pursuant to Article 7. However, the data can also be bought from other address brokers and direct marketing businesses. In that case, you will receive information from the suppliers of such address brokers about the planned use of your data.
    Names and addresses collected in such manner can then be passed on to advertising businesses for sending out advertising mail or for other marketing purposes. The data can also be used for analyses and evaluations. In order to improve customer communication processes, data may be analysed with marketing analysis tools and associated with other data. The data used for this purpose is collected with the help of publicly accessible information such as regional statistical data provided by Statistics Austria (no personal data) and surveys among the data subjects similar to those done for voting analyses and projections. The lawfulness of the processing of such data is subject to constant verification and will be warranted pursuant to high legal standards. 
  • For compliance purposes. This means meeting statutory and other requirements, e.g. income tax and social security deductions, recording/reporting duties, audits, compliance with inspections by public authorities, “good governance”, reaction to legal disputes, administration of in-house inquiries/complaints/claims, investigation and behaviour in line with strategies/procedures, fulfilment of a trust-building communication policy as well as disclosure and information needs. To that effect, special categories of personal data (especially data from criminal proceedings) may be processed pursuant to Article 9 of the GDPR. When doing so, we comply with all special statutory stipulations for this processing.
  • For planning, implementing and documenting internal revision action as well as forensic analyses to ensure that our business processes improve on a continuous basis and to meet provisions imposed by supervisory authorities. In addition, data collection for clarification and prevention purposes in the case of suspected unlawful activity towards Österreichische Post. To that effect, special categories of personal data (especially data from criminal proceedings) may be processed pursuant to Article 9 of the GDPR. When doing so, we comply with all special statutory provisions for this processing.
  • To settle damages and insurance claims. To that effect, special categories of personal data (especially health-related data and criminally relevant data) may be processed pursuant to Article 9 of the GDPR. When doing so, we comply with all special statutory provisions for this processing.
  • For ensuring IT security and maintaining IT operations, the execution of stress tests, the development of new products and systems and the adaptation of existing ones, data migration to ensure system viability and integrity and ultimately, the viability and integrity of processed data. In this case, personal data is predominantly used for tests provided that such tests cannot be done with anonymous data without excessive costs. As a matter of course, data security pursuant to Article 32 of the GDPR will be ensured at all times.

In addition to the aforementioned personal data, we will process your personal master data, address data (e.g. from the provision of postal services), contact data (e.g. e-mail address, telephone number), payment data, shipping data, document content data, identification data, complaint/inquiry data from inquiries/complaints, image and audio data (e.g. video, image and telephone recordings).
 
2.3 Compliance with statutory obligations: Österreichische Post is also subject to statutory obligations, e.g. from the Austrian Postal Market Act, the Delivery Act, requirements from supervisory authorities, documentation duties as well as provisions from company law and capital market laws, tax law and entrepreneurial law. In addition, Österreichische Post has inspection and reporting obligations. In order to be able to comply with these provisions, we process your personal data pursuant to Article 6(1) (c) of the GDPR exclusively in the scope required by the law in question.

2.4 Consent: Unless there are no justified grounds as described in 2.1 to 2.3 above, we will ask for your consent pursuant to Article 6(1) (a) of the GDPR. When doing so, we will naturally fully comply with all applicable statutory provisions (including the Austrian Telecommunications Act). Österreichische Post will need your voluntary consent that you can revoke at any time in the future especially for the following purposes:

  • Österreichische Post account: If you have signed up for an Österreichische Post account or for the online services of Österreichische Post, we will process the following data categories: personal main data, address data, contact data and, in the case of identification, the required ID data.
  • Marketing purposes such as the electronic delivery of e-mails, text messages, messages on Österreichische Post customer portals and mobile data applications, via social network and contact via telephone. Based on your consent, Österreichische Post may send you marketing information via these channels about events and suggestions about products and services from the Österreichische Post range of services.
  • Tracking user behaviour on the websites and apps of Österreichische Post provided that you use them. For additional information about cookies, please see legal information and cookie information for websites under item 9.

2.5 Österreichische Post will send you a separate notification before we start processing your data for purposes other than the ones described in this document. 

3. With whom are we allowed to share your data?
3.1 Data transmission within the Österreichische Post corporation: We may entrust specific data processing steps to specialised departments or companies within our corporation. We will do that, for instance, to better process your customer data for internal administration purposes. 

3.2 External service providers: We comply with statutory and contractual obligations. In a world of labour division, the required data processing work is oftentimes provided by specialised businesses, so-called service providers (data processors). These businesses can provide such services at attractive rates while delivering high quality. Therefore, we transfer your personal data to such businesses in the scope necessary for them to provide the contractually agreed services. These services may include data storage in secure computer centres, printing invoices and advertising material, postcards, photos and digitising contracts or invoices (creating a digital, non-editable image). Our data processors include IT service providers, printing service providers, service providers for customer assistance activities, contract management, market research institutes, marketing businesses and advertising agencies.

3.3 Courts and public authorities: There are some statutory provisions that Österreichische Post can only comply with by sharing your personal data with public authorities (such as social security organisations, tax offices or prosecuting bodies, supervisory bodies, customs bodies) or courts in the required scope.

3.4 Other recipients: As part of a contractual relationship and especially in relation with our performance duty, in specific cases, we may additionally share your personal data (e.g. with other postal service providers (e.g. UPU, IPC), freight forwarding companies, physicians, hospitals, insurance companies and brokers, experts, attorneys, interest groups, address brokers and direct marketing companies, banks and capital investment firms, insurance companies, CPAs, consultants, subsidy granting bodies, shareholders, investors). In addition, under certain circumstances, your data may be shared with companies that work in advertising. Such companies include commercial enterprises and associations that address consumers.

4. May your data also be shared with third parties in another country (including outside the EU)?
4.1 Yes, provided that the European Commission has confirmed that this third country has an adequate data protection level and that adequate data protection guarantees exist (e.g. binding in-house data protection provisions or standard EU data protection clauses).

4.2 In exceptional cases, the data may also be shared with a third country with your explicit consent, provided that we have informed you about possible risks associated with the planned disclosure and the lack of adequate data protection guarantees (item 4.1).

4.3 Österreichische Post will transfer your data to its subsidiary in Bosnia for the purpose of answering and forwarding phone calls received at our customer service centre. To that effect, your personal main data and contact data as well as the subject of your inquiry will be processed in Bosnia. In this case, data will be processed based on EU standard data protection clauses (safeguards pursuant to Article 46 of the GDPR); these are available upon request by writing to DSGVO.Vertrag@post.at 

4.4 Given the use of Facebook, data will be transferred to non-EU states. Data transfer is anonymised or pseudoanonymised. Facebook is bound by the EU-US Privacy Shield.

5. How long will your data be stored?

5.1 As soon as Österreichische Posts no longer needs your personal data for the purposes described above, they will be deleted, unless statutory storage periods to the contrary apply.

5.2 The statutory period of prescription pursuant to the Austrian Civil Code is between three and thirty years. During this time period, claims against Österreichische Post may be brought forward. We may keep your personal data as long as necessary depending on the possible claim.  

5.3 As a result of corporation law provisions (e.g. Federal Fiscal Act, Company Act), your contractual data must be stored for at least seven years after the end of the contractual relationship. 

6. What rights do you have?

6.1 If you so desire, we will provide information about your personal data that we process at Österreichische Post whenever you like. In addition, in some cases, you also have the right to data portability, meaning that we would give you all personal data you have disclosed to us in a structured, standard and machine processable format. 

6.2 Under certain conditions, you can also demand that the processing of your data is limited or that your personal data is rectified or deleted. In addition, you can object to the processing.

6.3 In some of the abovementioned cases, your consent will give Österreichische Post the right to process your data. You can revoke this consent at any time without the need to state reasons with future effect. Until then, we will lawfully process your data. 

6.4 Do you have any questions, suggestions or feedback? In that case, please contact our data protection officer mentioned in item 8. In addition, you have the option of filing a complaint with the Austrian Data Protection Authority: Österreichische Datenschutzbehörde, Wickenburggasse 8-10, 1080 Vienna.

7. Your right to object

As a data subject, you have the right to object to the use of your data if the processing serves the purpose of direct marketing.  
In addition, you have the right to object if reasons arise for you to do so as a result of your particular situation.
If you would like to object, please go to our website at datenschutzanfrage.post.at, call us at 0800 010 100 or write to Postkundenservice, Bahnsteggasse 17-23, 1210 Vienna.
 
8. Contact information
You can get in touch with our data protection officer by visiting datenschutzanfrage.post.at, by e-mailing us at kundenservice@post.at or by writing to Österreichische Post AG, Postkundenservice, Bahnsteggasse 17-23, 1210 Vienna.

 

9. Legal information and cookie information for websites

9.1. General information 

The information provided on the websites of Österreichische Post is for informational purposes only.  We take great care to ensure that all information is correct and complete. However, we cannot exclude that unintentional or incidental mistakes will occur. 

Österreichische Post accepts no liability or guarantee for the information provided on its websites. Above anything, Österreichische Post does not guarantee that all information can be displayed using any software or hardware configuration, that the information is up-to-date, secure and free from mistakes, that it meets your expectations and/or that it is permanently available. Also, Österreichische Post does not guarantee that its websites and auxiliary systems (e.g. servers) are free from viruses. In addition, Österreichische Post reserves the right to complement or change the information on its websites without prior notification.

Österreichische Post is not liable for inaccurate or missing information on its websites. This especially applies, without limitation, to (hyper)links and other content used on our websites directly or indirectly or that can be accessed from them. All decisions based on information provided by Österreichische Post on its websites are the sole and only responsibility of the user.
In addition, Österreichische Post accepts no liability for immediate/specific damage or consequential damage or other damage of any kind that may result in any way from the direct or indirect use of the information (including hyperlinks) provided on its websites.

All abovementioned provisions also apply to software that can directly or indirectly be accessed or used from the websites of Österreichische Post. If third-party software is accessed via (hyper)links, the rules of the provider in question shall apply.
 
9.2 Copyright

The design and content of these websites is subject to copyright. Any change or reproduction of images or text from these websites is subject to prior written consent by Österreichische Post. It is explicitly prohibited to use marks (e.g. trademarks, logos).
 
9.3 Use of cookies 

Several parts of our websites rely on cookies and similar technologies (hereinafter referred to as "cookies").  They make our offer more user-friendly and more efficient.

Cookies are small text files that are placed on your computer or smartphone and that your browser will store. They usually include information about web pages/passages a visitor of the website has visited. In addition, they are used to save user settings so that users are recognised when they return to the website and do not have to log on again. Cookies are also used for targeted information display to users and the analysis of pageviews of our website.

So-called cookie providers that we work with may also place cookies on their websites. In that case, cookies are used either to improve our own products or services just as if we had placed them ourselves. For instance, to understand how our websites are used, we work with analysis partners including Google and Facebook (for additional information, please see item 9.3.2). However, cookie providers may also use cookies for their own purposes, e.g. to display (their own or third-party) advertising and to measure their effectiveness; in such case, Österreichische Post has no influence on the purpose and means of data processing performed via such cookies. On the other hand, we do not benefit from such data processing. Cookies from third-party providers may fall into any of the cookie categories listed under item 9.3.1.

See the cookie banner in our Cookie-Einstellung bearbeiten for information about the use, scope and type of cookies.

9.3.1 Cookie settings and management, legal basis

Except technically required cookies (essential cookies) that may be placed on our websites pursuant to Section 96 of the Austrian Telecommunications Act and based on our legitimate interest (provision of functional online services) pursuant to Article 6 (1) (f) of the GDPR even without your consent, you can actively agree to the use of performance cookies and cookies for marketing purposes or reject them before they are placed.

To allow you to do that, we have introduced a cookie consent management tool that will provide detailed information about the cookies we use (especially name, purpose, validity, provider) on a dedicated cookie banner that is displayed when you visit the website in question for the first time. With this tool, you can accept the use of cookies  in general before they are placed or you can make a more specific selection depending on the cookie category and, within every cookie category, depending on the cookie and cookie provider in question. After you have consented to the use and made your choice, you can go to “Cookie-Einstellung bearbeiten” directly in the cookie consent management tool at any time to revoke your consent or to change the settings. If additional cookies or cookie providers are added after you have provided your consent, we will display another cookie banner where you will once again be able to actively make your selection. In the cookie management tool, every cookie provider is listed individually and a link to their privacy policies is provided. See those privacy policies to find out how you can deactivate their cookies as well. 

In addition, you can go to your browser settings to determine if you allow cookies to be placed or not. Also, the settings on your end device may give you the option of managing cookies. For detailed information about how this works, please see instructions provided by the manufacturer of your device.

If you reject the saving of all cookies that require your consent, the functionality of our website(s) may be limited.

9.3.2 Additional information about Google 360

We also try to improve our services and offerings by using Google products. 

Google must comply with the principles of European data protection law as defined in the EU-US "Privacy Shield" agreement (https://www.privacyshield.gov/EU-US-Framework). This ensures that a certain level of data security is guaranteed.

In addition, unlike in the case of traditional Google products, the Google 360 version offers considerably better protection for our users' data. One example is that Google 360 does not allow Google to process saved data sets itself.

IP anonymization has been activated on the website of Österreichische Post , which means that only shortened IP addresses can be processed and they cannot be associated with specific persons. However, among others, the following information will be stored: products and services ordered or visited, how long you looked at certain offerings or what device you used to access the website.

Data is always stored in the "Google Storage Cloud" and that data usually has a "lifespan" of 14 months. 

Google Analytics 360 processes the data listed above in order to analyse and assess the use of our website and to create target groups. 

We use this data exclusively for market research purposes, for optimising our websites, for advertising purposes and for providing additional services related to internet use. 

After you have given your consent and made your selection, you can revoke or change these "cookie settings" at any time by going to the cookie management platform.

9.3.3 Additional information about the advertising functions of Google Inc.

Once we have understood what is important to you and what you are interested in, we can show you relevant and helpful information. To place and manage our ads, we rely on Google Display & Video as well as Google Adwords (Google Ads), which are, among others, also displayed on YouTube.

We use the services of Google Ads to place advertising (so-called Google ads) on external websites and highlight our attractive offerings. By linking the data to the advertising campaign, we can determine how successful specific advertising efforts have been. In doing so, we strive to show you advertising that is relevant to you, to make our website more interesting for you and to reach a fair calculation of advertising costs. 

These advertising materials are delivered by Google via so-called "Ad Servers". We use Ad Server cookies which measure certain success parameters, including how many times the ads were shown and how many clicks they obtained from users. Provided that you have accessed our website via a Google ad, Google Ads will place a cookie on your device. Such cookies are usually valid for 30 days only and are not used to identify you personally. However, specific users can be grouped via browser recognition. 

If you have registered for one of the services provided by Google, Google can link your visit to your account. Even if you have not registered or logged on, the service provider might obtain information about our IP address and save it.

After you have given your consent and made your selection, you can revoke or change these "cookie settings" at any time by going to the cookie management platform.

9.3.4 Additional information about Google Remarketing

In addition to Google Adwords, we use an application called Google Remarketing. This is a procedure that we use to target you once again. This application allows us to display our ads on your device after you have visited our website and continue using the internet. This is done via cookies saved on your browser. These cookies allow Google to identify and analyse your user behaviour when you access different websites. This is how Google can determine that you have previously visited our website. According to information provided by Google, data collected as part of remarketing activities will not be associated with any of your personal data that Google may have saved. Google also highlights that it uses pseudo-anonymization for its marketing activities. For more information about Google's data protection policy, please visit: https://www.google.com/intl/de/policies/privacy.

After you have given your consent and made your selection, you can revoke or change these "cookie settings" at any time by going to the cookie management platform.

9.3.5 Additional information about Facebook & Instagram

For the same purpose, i.e. displaying customised ads, Instagram Ads and Facebook Ads may be activated provided that you give your consent. This is not personal information. User-related information will be saved on servers located both in the European Union (Ireland) and in the USA. The information will be stored for a period of 90 days.

Both the Facebook and Instagram Pixel allow us to check if users were redirected to our website after having clicked on an Instagram or Facebook ad. Among other processes, Instagram and Facebook Pixel use cookies, which are small text files that are stored locally in your web browser's cache memory on your device. If you have logged on to Instagram or Facebook with your user account, your visit to our online offerings will be registered in your user account. All data collected about you is anonymous for us and therefore will not allow us to identify users. However, Instagram and Facebook can associate this data with your user account on these platforms.

Personal information will be saved on servers located both in the European Union (Ireland) and in the USA. Theoretically, these saved cookies can remain in place for up to two years. For additional information about Facebook's privacy policy, please visit: https://www.facebook.com/privacy/explanation. Information about Instagram's privacy policy is available here: https://www.facebook.com/help/instagram/155833707900388

After you have given your consent and made your selection, you can revoke or change these "cookie settings" at any time by going to the cookie management platform.

9.3.6 Additional information about Microsoft Advertising

We use Microsoft Advertising to display relevant ads online whenever you actively use the search engines "Bing" or "Yahoo". This involves the tracking of technical data, e.g. in relation to your device or browser settings as well as behaviour-related data such as the URL of any accessed websites, time spent on them, products and services visited, etc. User profiles are created with the help of pseudonyms. The data will be stored for 13 months in Microsoft's cloud-based solution in Ireland and in the USA. For additional information about Bing's analysis services, please visit the Bing Ads website at: https://help.bingads.microsoft.com/#apex/3/de/53056/2. For additional information about Microsoft's and Bing's data protection policy, please visit the Microsoft privacy policy at https://privacy.microsoft.com/de-de/privacystatement.

9.4. Newsletters
We will only send you newsletters, e-mails or other electronic messages with advertising information if you have previously provided your consent or if a legal permission exists. For our newsletter sign-up process, we use the so-called double opt-in procedure. This means that, after signing up for our newsletter, we will send you an e-mail to the address you have indicated. Your registration will only be valid if you confirm this e-mail (e.g. by clicking on the confirmation link). In order to comply with our documentation duties, we keep logs of all registrations (especially e-mail address and time of registration). 

 

10. Changes or complements 

We reserve the right to change or complement this privacy policy at any time and without prior notification. An updated version is available on our website. If certain parts or specific passages are found to be invalid, to have become invalid or are not fully valid, the content and validity of the rest of the document shall remain unaffected.

11. Employees 

If you apply for a position at Österreichische Post, we will let you know how and to what extent we process your personal data before we start the application process. If you subsequently become an employee of Austrian Post, we will process your data as described in the data protection policy for employees of Österreichische Post. This policy is available on the Intranet under Employees/data protection and on our information board.