Data protection policy for the postcard app by Österreichische Post AG

1. Who is in charge of handling your personal data?

1.1 Österreichische Post AG, Rochusplatz 1, 1030 Vienna ("Post", "we", "us") is responsible for adequately protecting your personal data. Österreichische Post complies with all legal provisions about the protection, lawful handling and confidentiality of personal data as well as data safety.

1.2 We process your personal data in accordance with data protection regulations, above all the General Data Protection Regulation (GDPR), the Austrian Data Protection Act, relevant regulations defined in the Postal Market Act and other relevant laws.

1.3 This data protection policy provides information about why and how we process your data when you use our postcard app (hereinafter also referred to as "service"). For general information about data protection at Österreichische Post, please click here.

 

2. What interest does Österreichische Post have regarding my data and based on which grounds may Österreichische Post process my data?

2.1 Performance of a contract and performance steps required prior to entering into a contract: we use your personal data pursuant to Art 6 (1) (b) of the GDPR to create a digital postcard via the postcard app. The postcard is subsequently physically sent to the recipient.

There are two different ways of using our postcard app: Please find detailed information below:

2.1.1 Use via the Österreichische Post online account: if you have an Österreichische Post online account and if you have used it to log in to our postcard app, we process your data for the services requested by you. Data will be processed for the following purposes:

a. Collecting master data for signing in to/signing up for the postcard app: we use your master data (contact data [i.e., title, first name, last name, e-mail address, telephone number, address] and data relevant for invoicing] from the Österreichische Post online account in order to offer the service so that you can subsequently create a digital postcard to be delivered to the recipient.

b. Collecting the recipient's address data for sending the postcard: we collect the recipient's address data (i.e., the recipient's name and mailing address) so that the postcard can be sent to the recipient.

c. Recording and storing audio and video messages for creating an audiovisual message: the postcard app offers the option of recording video and audio messages that users can subsequently upload to a server. Access data for these audio and video files are encrypted via a QR code and printed on the postcard for the recipient to see.

d. Storing photo and content data for creating a personalised message: the status of the postcard to be sent is processed and shared using specific item data. For this purpose, we collect the following item information for the postcard in question: "card uploaded", "card in print", "card printed" and "card sent".

e. Collecting and storing your item data: the status of the postcard to be sent is processed and shared using specific item data. For this purpose, we collect the following item information for the postcard in question: "card uploaded", "card in print", "card printed" and "card sent".

f. Collecting and storing payment data: in order to correctly invoice our services, we collect and store your payment data (e.g., invoice recipient, invoice address, e-mail address, telephone number and order number).

 

2.1.2 Direct use via our postcard app: if you are not signed in via our Österreichische Post online account and use the postcard app directly, we will process your data for the services requested by you. These services might include:

a. Collecting and storing contact data for signing in to/signing up for the postcard app: we use your contact data (e.g., title, first name, last name, address, e-mail address and telephone number) to offer you the service that subsequently allows you to create a digital postcard and then send it to the recipient.

b. Collecting the recipient's address data to send the postcard: we collect the recipient's address data (e.g., recipient's name and mailing address) so that we can subsequently send them a postcard.

c. Recording and storing audio and video messages for creating an audiovisual message: the postcard app offers the option of recording video and audio messages that users can subsequently upload to a server. Access data for these audio and video files are encrypted via a QR code and printed on the postcard for the recipient to see.

d. Storing photo and content data for creating a personalised message: the postcard app allows you to create personalised content and (optionally) to have a picture created by you printed on a postcard. We collect these data (e.g., text and/or photos to be printed on the postcard) to create and send the personalised postcard.

e. Collecting and storing your item data: the status of the postcard to be sent is processed and shared using specific item data. For this purpose, we collect the following item information for the postcard in question: "card uploaded", "card in print", "card printed" and "card sent“.

f. Collecting and storing payment data: in order to correctly invoice our service, we collect and store your payment data (e.g., invoice recipient, invoice address, e-mail address, telephone number and order number).

2.1.3 We can only enter into and perform a contract if we can process your personal data. If you do not provide the required data, we cannot enter into a contract.

2.2 Consent: in some cases, we will ask for your consent pursuant to Article 6 (1) (a) of the GDPR. When doing so, we will naturally fully comply with any additional applicable statutory provisions. Especially for the following purposes, Österreichische Post will need your voluntary consent that you can revoke at any time with future effect:

3. With whom are we allowed to share your data?

3.1 Data transmission within the Österreichische Post corporation: we may entrust specific data processing steps to specialised departments or companies within our corporation. We will do that, for instance, to better process your customer data for internal administration purposes.

3.2 External service providers: we comply with statutory and contractual obligations. In a world of labour division, the required data processing work is oftentimes provided by specialised businesses, so-called service providers (data processors). These businesses can provide such services at attractive rates while delivering high quality. Therefore, we transfer your personal data to such businesses in the scope necessary for them to provide the contractually agreed services. Such services include, among others, data storage in secure IT centres, the use of IT services as well as marketing activities. 
Our data processors include IT service providers, printing services, payment services (for payment processing), service providers for customer assistance activities, market research institutes, marketing businesses and advertising agencies. 

3.3 Courts and public authorities: there are some statutory provisions that Österreichische Post can only comply with by sharing your personal data with public authorities (such as prosecuting bodies, supervisory bodies or courts) in the required scope.

3.4 Other recipients: as part of a contractual relationship and especially in relation with our performance duty, in specific cases, we may additionally share your personal data with other parties. Others that may receive data include attorneys.

4. May your data also be shared with third parties in another country (including outside the EU)?

4.1 Yes, provided that the European Commission has confirmed that this third country has an adequate data protection level and that adequate data protection safeguards exist (e.g., binding in-house data protection provisions or standard EU data protection clauses).

4.2 In exceptional cases, the data may also be shared with a third country with your explicit consent, provided that we have informed you about possible risks associated with the planned disclosure and the lack of adequate data protection guarantees (item 4.1). This is done via technical interfaces that we and third parties may occasionally use to process personal data as well. These third-party providers include Google LLC and Apple Inc which are headquartered in the USA where they process their data. The European Court of Justice has declared the data protection level in the USA to be inadequate. It highlighted the risk of your data being accessed by US authorities for control and surveillance purposes and the fact that no effective legal remedies against this exist. Before we use these technical interfaces and transfer your data to these companies, we will ask you to provide your explicit consent (Article 6 (1) (a) of the GDPR  and Article 49 (1) (a) of the GDPR) and we will provide detailed information about all data processing (purpose, data categories, and storage period, among others). For specific information about all technical interfaces, please see item 10 of the data protection policy. You can revoke your consent at any time with future effect. In addition, please note that we are working hard to implement (additional) adequate safeguards pursuant to Article 46 of the GDPR as an alternative legal basis for the above-mentioned data transfer. If you do not agree with this, you cannot use the app. In this case, we kindly ask you not to agree and to deinstall the app. Please note that alternatively, you can use our ser-vices on post.at.

5. How long will your data be stored?

5.1 As soon as Österreichische Post no longer needs your personal data for the purposes described above, they will be deleted, unless statutory storage periods to the contrary apply.

5.2 The statutory period of prescription pursuant to the Austrian Civil Code is between three and thirty years. During this time period, claims against Österreichische Post may be brought forward. We may keep your personal data as long as necessary depending on the possible claim. As a result of corporation law provisions (e.g. Federal Fiscal Act, Company Act), your contractual data must be stored for at least seven years after the end of the contractual relationship.

5.3. The following data will be deleted after the indicated periods:

a) image and audio recordings and the QR code: will be deleted after 9 months.

6. Is the processing subject to automated decision-making or profiling?

We do not perform automated decision-making including profiling as defined in Article 22 of the GDPR.

7. What rights do you have?

7.1 If you so desire, we will provide information about your personal data that we process at Österreichische Post whenever you like. In addition, in some cases, you also have the right to data portability, meaning that we would give you all personal data you have disclosed to us in a structured, standard and machine processable format.

7.2 Under certain conditions, you can also demand that the processing of your data is limited or that your personal data is rectified or deleted. In addition, you can object to the processing.

7.3 In some of the above-mentioned cases, your consent will give Österreichische Post the right to process your data. You can revoke this consent at any time without the need to state reasons with future effect. Until then, we will lawfully process your data.

7.4 Do you have any questions, suggestions or feedback? In that case, please contact our data protection officer mentioned in item 9. Also, you have the option of filing a complaint with the Austrian Data Protection Authority: Österreichische Datenschutzbehörde, Barichgasse 40-42, 1030 Vienna.

8. Your right to object

As a data subject, you have the right to object to the use of your data if the processing serves the purpose of direct marketing.  In addition, you have the right to object if reasons arise for you to do so as a result of your particular situation. If you would like to object, please go to our website at datenschutzanfrage.post.at or write to Postkundenservice, Bahnsteggasse 17-23, 1210 Vienna.

9.Contact us

To contact the data protection officer of Österreichische Post, please visit datenschutzanfrage.post.at or write to Postkundenservice, Bahnsteggasse 17-23, 1210 Vienna. For any other inquiries, please use our contact form available at post.at/sonstigeanfragen.

10. Legal information and information about technical interfaces

10.1 General information: The information and notifications provided in the postcard app are for informational purposes only. We take great care to ensure that all information is correct and complete. However, we cannot exclude that unintentional or incidental mistakes will occur.

Österreichische Post accepts no liability or guarantee for the information provided on the Öster-reichische Post app. Above anything, Österreichische Post does not guarantee that all information can be displayed using any software or hardware configuration, that the information is up-to-date, secure and free from mistakes, that it meets your expectations and/or that it is permanently available. Also, we do not guarantee that the postcard app by Österreichische Post or supporting systems (e.g., servers) are free from viruses. In addition, Österreichische Post reserves the right to complement or change the information on its postcard app without prior notification.

Österreichische Post shall not be liable for incorrect or missing information, especially not for (hyper)links and other content that is either directly or indirectly used on the postcard app or that are accessible from them. All decisions based on information provided by Österreichische Post on its postcard app are the sole and only responsibility of the user.
In addition, Österreichische Post accepts no liability for immediate/specific damage or consequential damage or other damage of any kind that may result in any way from the direct or indirect use of provided information (including hyperlinks).

All above-mentioned provisions also apply to software that can directly or indirectly be accessed or used on the postcard app by Österreichische Post AG. If third-party software is accessed via (hyper)links, the rules of the provider in question shall apply.

10.2 Copyright: the design and content of the postcard app are subject to copyright. Any use or reproduction of images or text is subject to prior written consent by Österreichische Post. It is explicitly prohibited to use marks (e.g., trademarks, logos).

11. Changes or complements
We reserve the right to change or complement the information provided at any time and without prior notification. If certain parts or specific passages are found to be invalid, to have become invalid or are not fully valid, the content and validity of the rest of the document shall remain unaffected.