Data protection information for applicants to Post Wertlogistik GmbH

Updated: December 2020

1. Who is in charge of handling your personal data? To whom does this data protection policy apply? From whom do we receive your data?

1.1. Post Wertlogistik GmbH, Steinheilgasse 1, 1210 Vienna (hereinafter referred to as "WLG, "we", "us") is responsible for adequately protecting your personal data. WLG complies with all legal provisions about the protection, lawful handling and confidentiality of personal data as well as data safety. 
1.2. We process your personal data in accordance with data protection regulations, above all the General Data Protection Regulation (GDPR), the Austrian Data Protection Act and other relevant laws. 
1.3. This data protection policy applies to WLG job applicants. If your application leads to employment with us, our relevant data protection policy for employees of WLG will additionally apply. This policy might al-ready be available to your for your information. 
1.4. As a general rule, we receive personal data directly from you, but also from third parties (see item 3). During the application process, you have to provide the data required for a potential employment and which we are legally required to collect. If you do not provide this data, we usually refuse to offer employment. However, you do not have to provide your consent to data processing of data not relevant for a possible employment or that is not legally required.

2. What interest does WLG have regarding my data and based on for what purpose may WLG process my data (data protection policy pursuant to Article 13 of the GDPR)?

2.1. You can send us an open application or use the applicant management system (karriere.post.at) by Österreichische Post Aktiengesellschaft whom we rely on as a processor to apply for a position with us. Unless you have applied directly to us, your application was forwarded to us by a staffing agency (see items 3.1 and 4.1 below). 
Your application and the processing of your application is a processing of personal data and might also be a processing of personal data of a special category. We follow all special legal requirements for processing such data.

2.2. Data processing, depending on how you applied:

2.2.1. Application via our applicant management system (karriere.post.at)
If you decide to apply via this system, you have to create a user account. For the creation and maintenance of your user accounts, the relevant data protection policy of the platform applies. This information will be provided to you when you create the account. Use the following link to see this information once again: 
https://karriere.post.at/content/Datenschutz/?locale=de_DE
If you do not enter the data required for your application, we cannot process your application and therefore cannot consider your application. 
Legal basis for data processing: Article 6 (1) (b) of the GDPR (performance of a contract).
2.2.2. Open applications
If you send an open application to WLG, you will be sending us all application documents, and ultimately personal data, that you consider necessary for the application. In order for us to process your open application and subsequently make the legally required background check about you, provided that we invite you to a job interview, we will need the following data from you: your first and last name, your date of birth, your place of birth, your nationality and your address.
If you do not provide this data in your open application and if you do not provide it upon our request, we cannot process your application and we therefore will not be able to consider your application. 

Legal basis for data processing: Article 6 (1) (b) of the GDPR (performance of a contract). 

2.3. Possible data processing independently of how you applied

2.3.1. To comply with statutory obligations
WLG has statutory obligations, e.g., documentation duties as well as provisions from employer law, labour law, and social law as well as provisions from company law, tax law and entrepreneurial law. In addition, we have inspection and reporting duties. We process your data as required by law to comply with these regulations.
Legal basis for processing: Article 6 (1) (c) of the GDPR (legal obligation).

2.3.2. Based on your consent
During the application process, we usually do not process any data on the basis of your consent. We will only ask for your additional consent if none of the justified grounds as defined in items 2.2.1, 2.2.2, 2.3.1, 2.3.3, 2.3.4 and 2.3.5 applies (e.g., if you wish for your application to be kept on file). If you have provided your consent for an individual case, you can revoke this at any time and without having to state reasons.
Legal basis for data processing: Article 6 (1) (a) of the GDPR (consent).

2.3.3. Insurance data excerpt from your social security provider
Provided that we invite you to a job interview, we will ask you to send us an insurance data excerpt from your social security provider (without information about your assessment basis). You can request this doc-ument from your social security provider; additional information is available here: https://www.sozialversicherung.at/cdscontent/?contentid=10007.820947&portal=svportal. When compiling this insurance data excerpt, the social security provider acts as an independent responsible party as defined in Article 4 (7) of the GDPR.
We will process this insurance data excerpt sent to us by you based on our legitimate interest and for the purpose of 
- avoiding and preventing behaviour punishable by criminal and civil law,
- self-protection (property/assets).
- responsibility protection (protection of clients' property/contractual liability towards clients)
Among others, the legal basis for data processing are the following laws (as amended) and contractual duties: Article 6 (1) (f) of the GDPR (legitimate interest), Sections 129 (4) and Section 5 (3) in connection with Section 130 (8) of the 1994 Industrial Code, Sections 353 ff of the Austrian Civil Code, contractual liability.

2.3.4. Creditworthiness data
If we invite you to a job interview, we kindly ask you to request an "InfoPass Bewerber" or "InfoPass Finanzierer" with information about your creditworthiness from KSV 1870 Information AG, Wagenseilgasse 7, 1120 Vienna, Austria (hereinafter referred to as: KSV 1870) before the interview, to bring this document to the interview and to give it to us. This has the advantage that you will be able to see the creditworthiness information provided by KSV 1870 and all included data before this information is handed over to WLG. As a result, you will know exactly what personal data we will process from this "InfoPass Bewerber" or "InfoPass Finanzierer". When making this creditworthiness assessment and when collecting information for the "InfoPass Bewerber" or "InfoPass Finanzierer", KSV 1870 acts as an independent processor as defined in Article 4 (7) of the GDPR. Please note that for requesting and obtaining the product "InfoPass Bewerber" and "InfoPass Finanzierer" by KSV 1870, the data protection policy by KSV 1870 alone applies. Follow this link to get your "InfoPass Bewerber": https://www.ksv.at/selbstauskunft-private/infopass-bewerber.
WLG will only process creditworthiness data you provide to us in the "InfoPass Bewerber" or "InfoPass Finanzierer". We will process this "InfoPass Bewerber" or "InfoPass Finanzierer" sent to us by you based on our legitimate interest and for the purpose of
- avoiding and preventing behaviour punishable by criminal and civil law,
- self-protection (property/assets).
- responsibility protection (protection of clients' property/contractual liability towards clients)
- legal obligation (duty of care).
Among others, the legal basis for data processing are the following laws (as amended) and contractual obligations: Article 6 (1) (f) of the GDPR (legitimate interest), Sections 129 (4) and Section 5 (3) in connection with Section 130 (8) of the 1994 Industrial Code, Sections 353 ff of the Austrian Civil Code, Section 1157 of the Austrian Civil Code, contractual liability.

2.3.5. Photo for employee ID
If we hire you, we will issue an employee ID that will include a photo of your face. In order for us to be able to provide an employee ID on your first day of work, we kindly ask you to bring an ID photo (passport format) to the job interview. If you do not bring an ID photo to your job interview, we will use the picture you previously sent us in your application package to issue your employee ID. The processing of the photo will be done in our legitimate interest and for the purpose of
- avoiding and preventing behaviour punishable by criminal and civil law,
- self-protection (property/assets).
- responsibility protection (protection of clients' property/contractual liability towards clients).
Among others, the legal basis for data processing are the following laws (as amended) and contractual obli-gations: Article 6 (1) (f) of the GDPR, Sections 353 ff of the Austrian Civil Code, contractual liability.

3. What data categories are processed from external sources (data protection information pursuant to Article 14 of the GDPR in the case of indirect data collection)?

3.1. From staffing agencies:
If you applied for a position with WLG via a staffing agency, the staffing agency will collect your personal data (usually your first and last name, your date of birth, your place of birth, your nationality and address, your education, previous career, résumé and sometimes your cover letter and other personal data that you consider relevant for your application) and will transfer this data to us for evaluation. Also, we will let the staffing agency know if and when we hired you (see item 4.1 definitely below).
Among others, the legal basis for data processing are the following laws (as amended) and contractual obligations: Article 6 (1) (b) of the GDPR (performance of a contract), Article 6 (1) (f) of the GDPR (legitimate interest).

3.2. Background check by a security authority pursuant to Section 130 (9) of the 1994 Industrial Code
WLG is a company that performs cash transports on a daily basis and therefore processes millions of cash. In addition, we are responsible for high-security storage of valuable goods. As a security operator as defined in Sections 129 (4) and (5) (3) in connection with Section 130 of the 1994 Industrial Code, WLG may only hire employees with legal capacity and who have the qualification and reliability needed for such activities, especially in the security and transport industry. WLG offers its business activities in an area that is increasingly exposed to criminal acts. This needs to be prevented and extends to potential future employees. The background checks are designed to prevent any behaviour punishable by criminal law.  
As a security operator, WLG is legally required to have a background check performed by the competent security authority no later than two weeks before hiring the new employee in question. 

For the competent security authority to be able to perform this background check, we will share the following data: your first and last name, your date of birth, your place of birth, your nationality and address that we will obtain from the population register excerpt about your main residence provided by you. The security authority will perform an internal check about you. After finishing this assessment, they will let WLG know if you are a person "reliable and qualified" to perform the desired job whom we are allowed to hire or not. If the authority tells us that you are not a "reliable" or qualified person for this profession, we may not hire you. 
The security authority does not provide us with any information about the data used for the internal assessment (including criminal record or administrative fines). Also, we do not question the results we receive.
Among others, the legal basis for data processing are the following laws (as amended): Article 6 (1) (c) (legal obligation), Sections 129 (4) and (5) (3) in connection with Section 130 (9) of the 1994 Industrial Act.

3.3. Social media check

In addition, we reserve the right to perform a search about you (by entering your first and last name) in popular search engines (e.g., Google) and social media prior to offering your employment. These checks performed by WLG will only include publicly available/accessible postings and profiles as well as information from public and generally accessible sources (e.g., newspaper articles). If we find postings or infor-mation that we consider to speak against your reliability or qualification (Section 130 (8) of the 1994 Industrial Code), we will let you know during or before the job interview.
This social media check is performed based on a legitimate interest and for the following purposes:
- avoiding and preventing behaviour punishable by criminal and civil law,
- self-protection (property/assets).
- responsibility protection (protection of clients' property/contractual liability towards clients).
- compliance with statutory obligations (duty of care)
Among others, the legal basis for data processing are the following laws (as amended) and contractual obligations: Article 6 (1) (f) of the GDPR (legitimate interest), Sections 129 (4) and (5) (3) in connection with Section 130 (8) of the 1994 Industrial Code, Sections 353 ff of the Austrian Civil Code, Section 1157 of the Austrian Civil Code, contractual liability.

4. With whom are we allowed to share your data?

4.1. External service providers: in a world of labour division, the required data processing work is oftentimes provided by specialised businesses, so-called service providers (data processors). These businesses can provide such services at attractive rates while, most importantly, delivering high quality. Therefore, we transfer your personal data to such businesses in the scope necessary for them to provide the contractually agreed services. Such services include, among others, data storage in our secure data centres.
4.2. Courts, authorities, insurances: there are some statutory provisions that WLG can only comply with by sharing your personal data with public authorities (such as social security organisations, tax offices or prosecuting bodies, supervisory bodies, etc.) or courts in the required scope.
4.3. Other recipient: in individual cases, as part of the precontractual relationship, your personal data might be shared with additional parties (such as insurance companies or brokers, human resources providers, etc.)
4.4. If data is shared with recipients for processing, this does not mean that all data sets will be shared, but merely those that are required for processing by third parties.

5. How long will your data be stored?

5.1. As a general rule, applications that do not lead to employment will automatically be deleted within six months after the conclusion of the application process. We will delete all data provided by you (your application package, InfoPass Bewerber or InfoPass Finanzierer, photo for the employee ID) as well as all data we collected from/had collected by third parties (result of the background check and the social media check). Provided that you have given us your consent, we will keep your application on file beyond these 6 months. You can revoke this consent at any time and without having to give reasons. A revocation will not affect the lawfulness of data processing performed until that point in time. In any case, we will keep your application documents for a period of 6 months.
5.2. If your application leads to employment at WLG, we will provide the data protection policy for our employees that will apply to you as soon as you have been hired. 
5.3. If you applied via our applicant management system (karriere.post.at), you can delete your user account yourself. You will once again receive information about the relevant data protection policy (the link is available under 2.2.1 above). If you applied for a position and you went through the entire application process, we will, even if you delete your account, keep your application documents for six months after the conclusion of the application documents, and delete them immediately after this period. If you do not sign in to your user account for 6 months at a time, it will automatically be deleted.
5.4. If, in individual cases, you have provided your consent for data processing, you can revoke this consent at any time and without having to give reasons. If you revoke your consent, we will immediately delete the personal data processed based on your consent. A revocation will not affect the lawfulness of data processing performed until that point in time.

6. To what extent is automated decision-making used?

Our application process does not include any automated decision-making. Humans alone decide if you will be hired and if your application is successful. In addition, the creditworthiness information provided by you, the social media check performed by us and the background check to assess your qualification and reliability by a security authority all rely on human decisions. However, at WLG, we are bound by the result of the reliability assessment and we are not allowed to hire employees that do not have the required reliability or qualification.

7. What rights do you have?

7.1. If you so desire, we will provide information about your personal data that we process at WLG whenever you like. In addition, in some cases, you also have the right to data portability, meaning that we would give you all personal data you have disclosed to us in a structured, standard and machine processable format. 
7.2. Under certain conditions, you can also demand that the processing of your data is limited or that your personal data are rectified or deleted. In addition, you can object to the processing, provided that this is justified by special circumstances. You can object to the processing independently of the circumstances if the processing is done for the purpose of direct advertising.
7.3. In addition, you have the option of filing a complaint with the Austrian Data Protection Authority: Österreichische Datenschutzbehörde,  Barichgasse 40-42, 1030 Vienna. In the case of unlawful processing of your personal data, you can also turn to the competent court civil court.

 

8. Contact information and data protection officer

You can get in touch with the data protection officer of Post Wertlogistik GmbH at wertlogistik.datenschutzbeauftragter@post.at or by writing to Wertlogistik GmbH, Datenschutz/data protection, Steinheilgasse 1, 1210 Vienna.