Data protection policy of Post Wertlogistik GmbH

1. Who is in charge of handling your personal data?

1.1. Post Wertlogistik GmbH, Steinheilgasse 1, 1210 Vienna (hereinafter referred to as "WLG, "we", "us") is responsible for adequately protecting your personal data.

1.2. WLG complies with all legal provisions about the protection, lawful handling and confidentiality of personal data (especially the General Data Protection Regulation (GDPR), the Austrian Data Protection Act) as well as data security and other relevant provisions.

 

2. For what purpose and on what legal basis do we process your personal data?

We are a cash-in-transit company with professional licences (i) for the security industry (professional detectives, security industry), limited to the security industry (ii) cross-border transport of goods (ii) renting of vehicles without providing a driver (iv) storage industry. We rely on these professional licences to provide our services and we process your personal data as an interested party, client, supplier, business partner, contact person or participant in a prize draw.

2.1. Processing for the performance of a contract and performance steps required prior to en-tering into a contract:

We use your personal data pursuant to Art 6(1)(b) of the GDPR

  • to provide the contractually agreed services/order processing. The services we provide to you will depend on the contract, e.g. cash-in-transit contract, storage contract, contract for filling and maintaining cash machines and self-service machines, contract for money processing, counting, preparing and packaging of coins and banknotes, contract for the provision of change, contract for the provision of a cash deposit system and related additional services, contract for prize draw participation/conditions of participation if you participate in one of our prize draws.
  • for ongoing customer service and for answering your inquiries, e.g., when you contact us with a question (via our contact form, among other options).

We process your personal master data, address data (e.g., for the provision of postal services), contact data (e.g., e-mail address, telephone number), payment data, shipping data, user data, document content data, identification data (e.g., ID data, company register number, KSV number, VAT ID), image data for the above-mentioned purposes.

The scope of data processing is defined in the contractual documents.
Wertlogistik will send you a separate notification before we start processing your data for purposes other than the ones described in this document.

2.2. Processing based on legitimate interests

Your data may also be processed in the interest of Wertlogistik or of a third party.
This data processing is performed pursuant to Article 6 (1) (f) of the GDPR

  • to manage our business and sales, for customer support services, supplier management and business partner management. This also includes managing our CRM system together with our parent company (Österreichische Post Aktiengesellschaft) and selected group companies, especially to avoid advertising/over-servicing of services already in use, questions about potential client risks (e.g., assessing the credit risk) and necessary internal coordination for the (joint) external presentation ("buddy system").
  • to create statistics for developing new products/services.
  • for marketing purposes: the use of your data for direct marketing activities by Wertlogistik can also be considered a legitimate interest. Such data use by Wertlogistik will take place if you have a customer relationship with us and/or if you are interested in selling our products or services. In any other case, we will only use your data for marketing activities by Wertlogistik if you explicitly agree to it. You can revoke this consent at any time. Your data used for marketing purposes may also be purchased by address brokers and direct marketing businesses (see item 3. below).
  • to ensure property and responsibility protection, to prevent attacks, to gather evidence for preventing/enforcing claims and to enforce our internal rules and regulations through video surveillance, access control, random bag checks - for this purpose, please note the separate and specific "Data protection policy of Post Wertlogistik GmbH for selected data processing at our bases (video surveillance, access, visitor management) that you will be made familiar with when you are granted access to one of our bases. To that effect, special categories of personal data (especially data from criminal proceedings, biometric data) may be processed pursuant to Article 9 of the GDPR.
  • for compliance purposes: this refers to compliance with statutory and other requirements such as income tax and social security deductions, recording and reporting duties, audits, compliance with inspections by the government/authorities, reacting to trials, claiming legal rights, defence for legal disputes, processing damages and insurance claims, managing internal inquiries/complaints/claims, investigation of and compliance with strate-gies/procedures, compliance with internal resolution and information duties and fulfilling client and insurance contracts. To that effect, special categories of personal data (especially data from criminal proceedings, health-related data) may be processed pursuant to Ar-ticle 9 of the GDPR.
  • to plan, execute and document internal audit activities and forensic analysis as well as activities for ongoing improvement, e.g., for ensuring profitability, quality and security, to ensure the continuous improvement of our business process in order to meet statutory obligations as well as for information and prevention purposes in the case of suspected criminal behaviour against WLG. To that effect, special categories of personal data (especially health-related data and criminally relevant data) may be processed pursuant to Article 9 of the GDPR. We follow all special legal requirements for processing such data.
  • To ensure IT security and maintaining IT operations, the execution of stress tests, the development of new products and systems and the adaptation of existing ones, data migration to ensure system viability and integrity and ultimately, the viability and integrity of processed data. In this case, provided personal data are predominantly used for tests provided that such tests cannot be done with anonymous data without excessive costs.
     

For the purposes mentioned above, we will process your personal master data, address data, contact data (e.g., e-mail address, telephone number), payment data, creditworthiness data, item data, user data (such as system-specific data, e.g., provided and processed by a deposit system used by you), document content data, identification data (e.g., ID data, company register number, KSV number, VAT number, customer number), image data.

2.3. Processing based on legal obligations

WLG has statutory obligations, e.g., provisions from supervisory authorities, provisions from company law, tax law and entrepreneurial law as well as inspection and reporting duties and duties related to commercial law. In order to be able to comply with these provisions, we process your personal data pursuant to Article 6 (1) (c) of the GDPR in the scope required by the law in question.

We process your personal master data, address data, contact data (e.g., e-mail address, telephone number), payment data, shipping data, user data, document content data, identification data (e.g., ID data, company register number, KSV number, VAT ID), and image data for the above-mentioned purposes.

2.4. Processing based on your consent

If neither a contract/precontractual activity, legal obligation nor legitimate interest exists, the data processing can be legitimate based on your consent. Unless there are no legitimate grounds as described in 2.1 to 2.3 above, we separately will ask for your consent pursuant to Article 6 (1) (a) of the GDPR. The revocation of the consent shall not affect the lawfulness of any data processing performed before your revocation. The scope and content of the data processing for which you have provided your consent depends on the consent in question.

2.5. Are you obligated to provide your data?

We can only enter into and perform a contract if we can process your personal data. If you do not provide the required data, we cannot enter into a contract. The same applies wherever your data are required for legal reasons, in which case we also have to process your data. If you do not want this, we are not allowed to provide certain services to you. If we process your data based on your consent, it is up to you to decide if you want to provide your consent and share your data or not.

2.6. Does WLG use automated decision-making for my personal data?

If we use automated decision-making including profiling during processing, we will let you know separately about such processing. We currently use no such processing.

3. Do you also process data that WLG does not collect itself?

Most of your personal data that we process are provided by you or result from your use of our services. We may additionally process your data from other sources::

3.1. Data source: publicly accessible registers such as: company register, land register, insolvency register, central population register, commercial register, association register, decrees.

Data categories: personal master data, address data, contact data (e.g., e-mail address, telephone number), posi-tions, commercial activities, shareholdings, financial data (e.g., financial statements, creditworthi-ness data, insolvencies, bankruptcies), land ownership with liens and rights, document content files, identification files, photo data (e.g., of IDs).

Purposes and legal basis:

  • Duty of care (especially Section 1157 of the Austrian Civil Code, general road safety duties)
  • Legitimate interest in fraud prevention and anti-fraud activities and other criminal offenses
     

3.2. Data source: debtor registers, e.g., by Kreditschutzverband von 1870

Data categories: personal master data, address data, contact data (e.g., e-mail address, telephone number), positions, commercial activities, shareholdings, financial data (e.g., creditworthiness data, especially accounts receivable and debt, insolvencies, bankruptcies).

Purposes and legal basis:

  • Duty of care (especially Section 1157 of the Austrian Civil Code, general road safety duties) 
  • Legitimate interest in fraud prevention and anti-fraud activities and other criminal offenses as well as risk minimisation
     

3.3. Data source: address brokers and direct marketing companies pursuant to Section 151 of the Austrian Industrial Code

Data categories: personal master data, address data, contact data (e.g., e-mail address, telephone number), data of birth, profession, industry or business name and affiliation of the person in question with a client or interested person system. 

Purposes and legal basis:

  • Marketing purposes

In that case, you will receive information from the suppliers of such address brokers about the planned use of your data. Data collected in such manner can then be passed on to advertising businesses for sending out advertising mail or for other marketing purposes.

4. With whom are we allowed to share your data?

4.1. External service providers: in a world of labour division, the required data processing work is oftentimes provided by specialised businesses, so-called service providers (data processors). These businesses can provide such services at attractive rates while, most importantly, delivering high quality. Therefore, we transfer your personal data to such businesses in the scope necessary for them to provide the contractually agreed services. Such services include, among others, data storage in our secure data centres, the provision and maintenance of applications/software, the provision of cash deposit systems and the related interfaces and necessary data processing, invoicing, printing services, maintenance of video systems and access control systems at our bases.

4.2 Courts, authorities, insurances: in the case of security breaches and for the purpose of resolving them, it might be necessary to forward personal data to persons of trust (members of the works council), the data protection officer of Post Wertlogistik GmbH, the investigation service of Österreichische Post Aktiengesellschaft, security authorities (to provide evidence in criminal cases/for policy security purposes), to the prosecution (to provide evidence in criminal and civil cases), to courts (to provide evidence in criminal cases/for policy security purposes) and to insurance companies (to process insurance claims only).

As described in item 2.2., we manage a CRM system together with our parent company (Österreichische Post Aktiengesellschaft) and other selected group companies and share the responsibility for it; these group companies are considered to be data recipients.

In addition, data will also be shared with auditors and third persons provided that this is required for them to meet their contractual obligations (e.g., banks, recipients of transfers) or if you have given your consent.

4.3. At WLG, only those departments and employees that are in charge of meeting contractual and legal obligations and legitimate interests receive personal data so that they can fulfil their duties. If data are shared with recipients for processing, this does not mean that all data sets will be shared, but merely those that are required for processing by third parties.

5. May your data also be shared with third parties in another country (including outside the EU)?

5.1 Yes, provided that the European Commission has confirmed that this third country has an adequate data protection level and that adequate data protection safeguards exist (e.g. binding in-house data protection provisions or standard EU data protection clauses).

5.2. In exceptional cases, data may also be shared with a third country with your explicit consent, provided that we have informed you about possible risks associated with the planned disclosure and the lack of adequate data protection guarantees (item 5).

 

6. How long will your data be stored?

6.1. As soon as WLG no longer needs your personal data for the purposes described above, they will be deleted, unless statutory storage periods to the contrary apply.

6.2. We usually delete your personal data (i) after your client/supplier relationship has ended or 3 years after we were last in touch with you (ii) after the final resolution of a lawsuit (iii) 6 months after a prize draw took place (iv) after a legitimate interest ceases to exist (v) after the statutory period has ended.

The legal stipulations/storage periods applicable to Wertlogistik GmbH are the following: Section 212 of the Commercial Code (7 years), Section 132 of the Federal Tax Code (7 years or while the tax procedure lasts), Section 1295 in connection with 1489 of the Austrian Civil Code (compensation period 3 years), Sections 933f of the Austrian Civil Code (guarantee period 2/3 years).

 

7. What rights do you have?

7.1. If you so desire, we will provide information about your personal data that we process at WLG whenever you like. In addition, in some cases, you also have the right to data portability, meaning that we would give you all personal data you have disclosed to us in a structured, standard and machine processable format.

7.2. Under certain conditions, you can also demand that the processing of your data is limited or that your personal data is rectified or deleted. In addition, you can object to the processing. In some of the above-mentioned cases, your consent will give Österreichische WLG the right to process your data. You can revoke this consent at any time without the need to state reasons with future effect. Until then, we will lawfully process your data.

7.3. Your right to object: under certain conditions, you can also object to the processing, provided that this is justified by special circumstances. You can object to the processing independently of the circumstances if the purpose of the processing is direct advertising. For contact information, please see item 8 below.

7.4. In addition, you have the option of filing a complaint with the Austrian Data Protection Authority: Österreichische Datenschutzbehörde, Barichgasse 40-42, 1030 Vienna. In the case of unlawful processing of your personal data, you can also turn to the competent court civil court.

8. Who is the data protection officer and how can I get in touch?

EBERHARDT Attorneys-at-Law, Weihburggasse 18-20, 1010 Vienna. To get in touch with the data protection officer of Post Wertlogistik GmbH, please e-mail us at wertlogistik.datenschutzbeauftragter@post.at or write to Post Wertlogistik GmbH, Datenschutz/data protection, Steinheilgasse 1, 1210 Vienna.