Data protection policy of Post Wertlogistik GmbH

Mandatory information according to Art 13 and 14 GDPR of a purely informative nature.

Status: September 2023

1. Who is in charge of handling your personal data?

1.1. Post Wertlogistik GmbH, Steinheilgasse 1, 1210 Vienna (hereinafter referred to as "PWL", "we", "us") is responsible for adequately protecting your personal data.

1.2. PWL complies with all legal provisions about the protection, lawful handling and confidentiality of personal data (especially the General Data Protection Regulation (GDPR), the Austrian Data Protection Act as well as data security and other relevant provisions).

 

2. To whom is this data protection policy addressed? 

We are a cash transport company with professional licences (i) for the security industry (professional detectives, security industry), limited to the security industry, (ii) cross-border transport of goods, (iii) renting of vehicles without providing a driver, (iv) storage industry.

We rely on these professional licences to provide our services and we process your personal data as an interested party, customer, supplier/business partner, contact person/recipient or participant in a prize draw.

3. From whom do we receive your data?  

3.1. We receive personal information directly from you. 

3.2. If the personal data do not originate directly from you, we will inform you of this at the relevant point in this data protection policy.

 

4. What interest does PWL have regarding your data and based on which grounds may PWL process your data (data protection policy pursuant to Article 13 + 14 of the GDPR)? With whom are we allowed to share your data? How long will your data be stored?

4.1. Order processing

  • Purpose and legitimate interest: We process your data to record purchase orders to initiate the conclusion of individual contracts and for subsequent order and order processing, including the provision of order statuses. 
  • Data categories: personal master data, address data, contact data, identification data, login and logout data, usage data.
  • Legal basis:
    - Contract with data subjects Art. 6 (1) (b) of the GDPR,
    - Safeguarding the legitimate interest (Art. 6 (1) (f) of the GDPR) to ensure the proper processing of customer requests and, if applicable, your consent (Art. 6 (1) (a) of the GDPR), which we obtain where needed as defined by law.
  • Storage period: The order account will be deleted within 3 years of the last order or the last login to the respective order portal; the orders will be deleted on a rolling basis within 3 years of the respective order. 
  • Recipients: Sautner & Partner GmbH (processor), Microsoft Ireland Operations Limited (sub-processor), Masterwork Automodules MoneTech GmbH (processor), X-Net Services GmbH (sub-processor), Disitec GmbH (processor), GZT Geldzähltechnik GmbH (sub-processor), Atos IT Solutions and Services GmbH (processor), Österreichische Post Aktiengesellschaft (processor), Atos IT Solutions and Services GmbH (sub-processor).
    In connection with this processing activity, your data will also be transferred to a company (sub-processor) based in Ireland, whose shareholder is located outside the EU or EEA. 
  • Other information about this processing: The data are partly provided by you, partly by third parties (e.g., our customers, if you act as the recipient).

4.2. GWT master data

  • Purpose and legitimate interest: We process your master data as customers, contact persons and recipients centrally in our route planning software GWT so that we can then plan the routes (see the processing activity of transportation and order picking below) and carry out the processing of cash and valuables transports and other (associated) services for or by the data subjects on file.
  • Data categories: personal master data, address data, contact data, identification data, usage data. 
  • Legal basis:
    - Contract with data subjects Art. 6 (1) (b) of the GDPR in conjunction with Standard and Model Ordinance 2004 (old), SA001 (also refers to third parties involved in the business transaction), 
    - Safeguarding the legitimate interests of the controller following a proportionality test pursuant to Art. 6 (1) (f) of the GDPR.
  • Storage period: The deletion of your master data in GWT takes place within 3 years from the end of the only/last contractual relationship with you as a customer or within 3 years from the last servicing, if you are acting as a recipient.
  • Recipients: Sautner & Partner GmbH (processor), Atos IT Solutions and Services GmbH (processor), CHG-MERIDIAN AG (processor), Österreichische Post Aktiengesellschaft (processor), Atos IT Solutions and Services GmbH (sub-processor).
  • Other information about this processing: The data are partly provided by you, partly by third parties (e.g., our customers for whom you act as the recipient).

4.3. Transportation and order picking 

  • Purpose and legitimate interest: We process your data as our customers, contact persons and recipients in connection with the processing of cash and value transports and other (related) services for the purpose of automation-supported tour/route planning/optimisation and subsequent servicing, including tour and value tracking/assignment. 
  • Data categories: personal master data, address data, contact data, identification data, usage data, document content data. 
  • Legal basis:
    - Contract with data subjects Art. 6 (1) (b) of the GDPR, 
    - Safeguarding the legitimate interests of the controller following a proportionality test pursuant to Art. 6 (1) (f) of the GDPR.
  • Storage period: The tour data will be deleted within 3 years of data collection at the latest; any data in key databases will be deleted within 3 years of the end of the only/last contractual relationship with you as a customer. 
  • Recipients: Sautner & Partner GmbH (processor), Secure Innovation Ltd (processor), Österreichische Post Aktiengesellschaft (processor), Atos IT Solutions and Services GmbH (sub-processor), Microsoft Ireland Operations Limited (sub-processor), Masterwork Automodules MoneTech GmbH (processor), X-Net Services GmbH (sub-processor), Fiegl & Spielberger Solution GmbH (processor), Geutebrück GmbH (sub-processor), Disitec GmbH (processor), GZT Geldzähltechnik GmbH (sub-processor), GELDSERVICE AUSTRIA Logistik für Wertgestionierung und Transportkoordination G.m.b.H. / Oesterreichische Nationalbank (other external recipients), Diebold Nixdorf GmbH (other external recipients), customer banks (other external recipients), if applicable.
    In connection with this processing activity, your data will also be transferred to a company (sub-processor) based in Ireland, whose shareholder is located outside the EU or EEA. Furthermore, your data will also be transmitted to a company (sub-processor) based in Great Britain. The EU Commission has confirmed that the UK has an adequate level of data protection. 
  • Other information about this processing: The data are provided by you, partly by third parties (e.g., our customers for whom you act as the recipient/contact person).

4.4. Alarm management

  • Purpose and legitimate interest: If transports are carried out by Österreichische Post Aktiengesellschaft and PWL alarm systems are used, contact details of contact persons may be processed for the purpose of rapid alarm acknowledgement. 
  • Data categories: Personal master data, contact data.
  • Legal basis:
    - Safeguarding the legitimate interests of PWL following a proportionality test pursuant to Art. 6 (1) (f) of the GDPR
  • Storage period: Alarm contacts are always kept up to date and deleted after 3 years at the latest. If your private telephone number is processed as an emergency contact, you can revoke its processing at any time.
  • Recipients: Österreichische Post Aktiengesellschaft (processor), Atos IT Solutions and Services GmbH (sub-processor), F24 Schweiz AG (sub-processor), Atos IT Solutions and Services GmbH (processor), G4S Secure Solutions AG (processor), ESI S.A.S (sub-processor), NET.UP IT Services GmbH (sub-processor), Sautner & Partner GmbH (processor), Siemens Aktiengesellschaft Österreich (processor), Siemens AG (sub-processor), Qognify GmbH (sub-processor).
  • Other information about this processing: The data are provided by you.

4.5. Counting

  • Purpose and legitimate interest: We process your data in the context of counting (collected) values (banknotes and coins) and forwarding them for posting.
  • Data categories: personal master data, address data, contact data, identification data, usage data, document content data
  • Legal basis:
    - Contract with data subjects Art. 6 (1) (b) of the GDPR.
  • Storage period: When the contractual relationship relating to the last location of a customer ceases to exist, the customer's master data are also deleted from the counting databases. Counting data are deleted on a rolling basis within 3 years of the respective data collection/counting. Your data as a contact person will be deleted from the counting databases within one year of the last contact with you (= last counting time/counting/announcement counting file). Counting files, Safebags and difference/falsification reports will be destroyed or deleted in physical form within 6 months and in electronic form within 3 years of the respective counting/data collection.
  • Recipients: IT-eXperience Informationstechnologie GmbH (processor), Österreichische Post Aktiengesellschaft (processor), Atos IT Solutions and Services GmbH (sub-processor), Sautner & Partner GmbH (processor), Microsoft Ireland Operations Limited (sub-processor), Rhenus Office Systems Austria GmbH (processor), Bunzl & Biach Gesellschafts m.b.H (sub-processor), Energie AG (sub-processor), Papyrus Altpapierservice Handelsgesellschaft m.b.H. (sub-processor), Nissin Transport GmbH (sub-processor), CP International Logistik GmbH (sub-processor), Disitec GmbH (processor), GZT Geldzähltechnik GmbH (sub-processor), GELDSERVICE AUSTRIA Logistik für Wertgestionierung und Transportkoordination G.m.b.H. (other external recipients), Atos IT Solutions and Services GmbH (processor).
    In connection with this processing activity, your data will also be transferred to a company (sub-processor) based in Ireland, whose shareholder is located outside the EU or EEA. 
  • Other information about this processing: The data are provided by you or automatically assigned to you by the system.

4.6. Prize draws

  • Purpose and legitimate interest: We process your data to carry out prize draws to acquire new customers or retain existing customers.
  • Data categories: personal master data, address data, contact data, marketing data. 
  • Legal basis:
    - Contract (prize draw contract) with data subjects Art. 6 (1) (b) of the GDPR.
  • Storage period: Your data for participation in the prize draw will be deleted within 3 days after the campaign period/raffle including shipping or within the same period after receipt of a request for deletion. 
  • Recipients: Österreichische Post Aktiengesellschaft (processor), Atos IT Solutions and Services GmbH (sub-processor), MBIT Solutions GmbH (sub-processor), Lindtner + Partner Communication GmbH (sub-processor), Atos IT Solutions and Services GmbH (processor).
  • Other information about this processing: The data are provided by you.

4.7. Fleet management

  • Purpose and legitimate interest: We process your data for the administration of our vehicle fleet – insofar as personal data are involved – from rental and leasing to the handling of any accidents or traffic fines.
  • Data categories: personal master data, address data, contact data, identification data, usage data, document content data, criminally relevant data. 
  • Legal basis:
    - Compliance with a legal obligation Art. 6 (1) (c) of the GDPR in conjunction with Art. 9 (2) (b) of the GDPR (in particular with regard to speeding offenses – Section 103 of the Austrian Motor Vehicle Act),
    - Safeguarding the legitimate interests of the controller following a proportionality test pursuant to Art. 6 (1) (f) of the GDPR in conjunction with Art. 9 (2) (f) of the GDPR (in particular with regard to data from accident reports/health data, criminally relevant data).
  • Storage period: Accident reports are deleted after 5 years from the date of the accident, and data on traffic fines after 3 years from the date on which the anonymous order is handed over to the vehicle renter.
  • Recipients: Österreichische Post Aktiengesellschaft (processor), Atos IT Solutions and Services GmbH (sub-processor), Österreichische Post Aktiengesellschaft (other external recipients – as independent controllers), Atos IT Solutions and Services GmbH (processor), security authorities and district authorities (public bodies and institutions), insurance companies/insurance brokers/appraisers/lawyers (other external recipients – as independent controllers).
  • Other information about this processing: The data are partly provided by you, partly by third parties (e.g., authorities).

4.8. Property management

  • Purpose and legitimate interest: We process your data for the central administration of contractual partners and their contact persons (in particular landlords/landladies, maintenance companies), commissions including approvals (rental agreements, maintenance and repairs) and relevant documents in connection with the properties. 
  • Data categories: personal master data, address data, contact data, identification data, payment data, document content data.
  • Legal basis:
    - Compliance with a legal obligation Art. 6 (1) (c) of the GDPR in conjunction with Section 132 of the Austrian Federal Tax Code/212 Austrian Business Code, Section 18 (10) of the Austrian VAT Act in conjunction with Section 6 (1) (9) (a) and Section 3a (9c) of the Austrian VAT Act
    - Safeguarding the legitimate interests of the controller following a proportionality test pursuant to Art. 6 (1) (f) of the GDPR
  • Storage period: Rental contracts are deleted after 7 years from the last interest payment, other contracts/assignments that are relevant for tax purposes according to Section 132 of the Austrian Federal Tax Code or relevant according to Section 212 of the Austrian Business Code after 7 years from the end of the calendar year in which the contract is terminated/fulfilled (unless the contract provides for a longer warranty/compensation period – in such case, for the duration of the relevant warranty/compensation period). Supplier contacts within the scope of this processing activity are usually deleted 3 years after the last contact.
  • Recipients: Österreichische Post Aktiengesellschaft (processor), Atos IT Solutions and Services GmbH (sub-processor), Atos IT Solutions and Services GmbH (processor).
  • Other information about this processing: Some of the data are provided by you, some by third parties (e.g., registers).

4.9. Supplier management incl. contract management

  • Purpose and legitimate interest: We also process and transmit data as part of the business relationship with our suppliers. Supplier data are recorded in the relevant systems in order to carry out tenders, procurement processes and invoice processing. The processing of the contracts and the awarding/ordering procedure are documented. 
  • Data categories: personal master data, identification data, address data, contact data, payment data, document content data, criminally relevant data (extract from criminal record).
  • Legal basis:
    - Fulfilment of a legal obligation Art. 6 (1) (c) of the GDPR in conjunction with Section 132 of the Austrian Federal Tax Code,
    - Safeguarding the legitimate interests of PWL in the proper management of our partners and suppliers in accordance with the proportionality test pursuant to Art. 6 (1) (f) of the GDPR
    - Express consent Art. 9 (2) (a) of the GDPR (supplier submits the criminal record extract himself/herself)
  • Storage period: Your data will be deleted 30 years after the end of the business relationship with you if it concerns a construction contract awarded to you as part of a tender. In the case of other orders placed with you, there are shorter storage periods of between three and fifteen years, depending on the service category, calculated from the end of the calendar year to which they relate or from the award of the contract or the last activity in the supplier account. Contracts and key documents relating to suppliers are deleted at the end of the 7-year statutory retention period (starting at the end of the calendar year to which the contract relates). Data on tender participants who are not awarded a contract will be deleted five years after the end of the tender/award.
  • Recipients: Österreichische Post Aktiengesellschaft (processor), Atos IT Solutions and Services GmbH (sub-processor), Atos IT Solutions and Services GmbH (processor), QAD Europe GmbH (sub-processor), Sviss GmbH (sub-processor), Simmeth System GmbH (sub-processor), WPS Management GmbH (sub-processor). 
  • Other information about this processing: Some of the data are provided by you, some by third parties (e.g., registers).

4.10. Customer management

  • Purpose and legitimate interest: We may process your customer data – in addition to the processing mentioned elsewhere regarding GWT master data, accounting and bookkeeping and order processing – as part of customer management for the purpose of processing/managing general master data of customers and interested parties in the course of contract initiation and processing, customer support including the processing of inquiries and complaints.
  • Data categories: personal master data, address data, contact data, identification data, usage data, payment data, document content data, conversation content.
  • Legal basis:
    - Contract initiation or contract (for PWL products and services) with data subjects Art. 6 (1) (b) of the GDPR,
    - Safeguarding the legitimate interests in the management of our customers and proper processing of customer concerns following a proportionality test pursuant to Art. 6 (1) (f) of the GDPR in conjunction with Art. 9 (2) (f) of the GDPR,
    - If applicable, your consent (Art. 6 (1) (a) of the GDPR), which we obtain as necessary in accordance with the law. You can revoke this consent at any time without giving reasons with future effect.
  • Storage period: Your data will be deleted for the purpose of customer administration no longer than 3 years after the end of the contract or final contact. As a result of corporation law provisions (e.g., Federal Fiscal Act, Company Act), your contractual data must be stored for at least seven years after the end of the contractual relationship.
  • Recipients: Österreichische Post Aktiengesellschaft (processor), Atos IT Solutions and Services GmbH (sub-processor), smartpoint IT consulting GmbH (sub-processor), Microsoft Österreich GmbH (sub-processor), Atos IT Solutions and Services GmbH (processor).
    According to Microsoft Österreich GmbH, it has positioned its servers in the EU. 
    In joint responsibility with the parent company (Österreichische Post Aktiengesellschaft) and selected group companies, a CRM system is maintained for customer support, to avoid queries regarding potential customer risks (e.g., assessment of credit risk) and necessary internal coordination regarding the (joint) external image ("buddy system"); these group companies are considered data recipients in this respect.
  • Other information about this processing: The data processed for this purpose originate either from you or from public registers. 

4.11. Compliance management

  • Purpose and legitimate interest: We process your data in connection with compliance with the business compliance guidelines of the parent company (Österreichische Post Aktiengesellschaft) and legal obligations. This includes in particular the documentation of related companies and persons as well as potential conflicts of interest and transactions with them, the processing of sponsoring and donation projects and the processing of inquiries, information and notifications on compliance issues. 
  • Data categories: personal master data, identification data, address data, contact data, document content data, criminally relevant data.
  • Legal basis:
    - Fulfilment of a legal obligation Art. 6 (1) (c) of the GDPR in conjunction with IAS (International Accounting Standards), Section 132 of the Austrian Federal Tax Code
    - Safeguarding the legitimate interests of PWL following a proportionality test pursuant to Art. 6 (1) (f) of the GDPR in conjunction with Art. 9 (2) (f) of the GDPR
  • Storage period: Your data will be deleted after a period of three years from receipt of the underlying request or from the time we become aware of the possible conflict of interest; however, if the response/completion process takes longer than three years, the data will only be deleted once the request has been completed. Sponsorship requests must be stored for 7 years for subsequent review. 
  • Recipients: Österreichische Post Aktiengesellschaft (processor), Atos IT Solutions and Services GmbH (sub-processor), fobi solutions GmbH (sub-processor), A1 Telekom Austria AG (sub-processor), Atos IT Solutions and Services GmbH (processor), Compliance Committee ÖPAG (other external third parties – independent controllers), auditors (independent controller), courts and supervisory authorities (public bodies and institutions).
  • Other information about this processing: The data processed for this purpose originate either from you, from public registers or from third parties (inquirers).

4.12. Rights management

  • Purpose and legitimate interest: If we grant you selected customer/supplier access to our IT systems, we process your data regarding the assignment and administration of unique and personalized user IDs for rights management (rights and access management), for the assignment and administration of additional system-specific authorizations (users), including on the basis of the above-mentioned personalized user ID, and for the documentation of the release approval for the assignment of rights by external parties.
  • Data categories: personal master data, identification data, attendance data, contact data, document content data, usage data.
  • Legal basis:
    - Consent Art. 6 (1) (a) of the GDPR (profile picture)
    - Safeguarding the legitimate interests of PWL as an employer following a proportionality test pursuant to Art. 6 (1) (f) of the GDPR 
  • Storage period: Your data will be deleted no later than three years after termination of the contract for work or other withdrawal / discontinuation of authorisation access.
  • Recipients: Sautner & Partner GmbH (processor), Microsoft Ireland Operations Limited (sub-processor), Siemens AG Austria Smart Infrastructure, RSS (processor), Siemens AG (sub-processor), Qognify GmbH (sub-processor), Atos IT Solutions and Services GmbH (processor), Österreichische Post Aktiengesellschaft (processor) and Atos IT Solutions and Services GmbH (sub-processor), Post IT Services GmbH (sub-processor), IPG Information Process Group Austria GmbH (sub-processor), Softpoint Trusted Quality GmbH (sub-processor), ServiceNow Nederland B.V. (sub-processor), Lomnido GmbH (sub-processor).
    In addition, if a system of one of our suppliers is used and the supplier/their employee is granted a user (e.g., admin), their user data can be created/processed, which is why the following recipients are potentially possible: Masterwork Automodules MoneTech GmbH (processor), X-Net Services GmbH (sub-processor), Fiegl & Spielberger Solution GmbH (processor), Geutebrück GmbH (sub-processor), LBS Logics GmbH (processor), Amazon Web Services Inc. (sub-processor), Cargo Guard GmbH (processor), netcup GmbH (sub-processor), comp-IT-ence GmbH (sub-processor), PKE electronics GmbH (processor), G4S Security Systems GmbH (processor), ESI S.A.S Integration (sub-processor), NET-UP IT Services GmbH (sub-processor), IT-eXperience Informationstechnologie GmbH (processor), CHG-MERIDIAN Austria GmbH (processor).
    In connection with this processing activity, your data will also be transferred to a company (sub-processor) based in Ireland, whose shareholder is located outside the EU or EEA. 
  • Other information about this processing: If you do not provide your user data, you cannot be granted access and you cannot provide your service or use certain services as a customer. The data processed for this purpose either originate from you or are assigned to you in the course of granting rights (e.g., user ID). You decide whether or not to upload a photo of yourself to your profile. You can delete the photo yourself at any time.

4.13. IT (operational maintenance, process management, software development and management, security information and event management (SIEM) and security incident handling, IT security risk management)

  • Purpose and legitimate interest: We process your data for the resource-efficient operation and provision of PWL's IT systems and applications, in compliance with legal and internal organisational / group legal requirements (including cost optimisation in license management), for the creation, maintenance and further development of the documentation of PWL's business processes, for the creation and further development of IT applications for PWL users, for the detection, storage and handling of security-relevant IT events, for the reduction of risks (risk assessment), in particular by referring to comparative values from the past or past events, and for the documentation of any IT security risks.
  • Data categories: personal master data, identification data, attendance data, address data, contact data, login and logout data, document content data, usage data.
  • Legal basis:
    - Safeguarding the legitimate interests of PWL following a proportionality test pursuant to Art. 6 (1) (f) of the GDPR.
  • Storage period: Data for the purpose of operational maintenance and control are deleted after a maximum of 3 months or 93 days, depending on the system and backup. Log data, process management data and software development and management data are deleted after 3 years from the creation of the digital data record. Data on IT security incidents are deleted after 7 years from the occurrence of the respective incident. Data on IT security risk management are deleted after 7 years from full implementation of the measures and completion of the check.
  • Recipients: Österreichische Post Aktiengesellschaft (processor), Atos IT Solutions and Services GmbH (sub-processor), Huemer Data Center Gesellschaft m.b.H. (sub-processor), Microsoft Österreich GmbH (sub-processor), Softpoint Trusted Quality GmbH (sub-processor), ServiceNow Nederland B.V. (sub-processor), A1 Telekom Austria AG (sub-processor), BOC Products & Services AG (sub-processor), Coupa Software Inc. (sub-processor), NTS Netzwerk Telekom Service AG (sub-processor), Atos IT Solutions and Services GmbH (processor), Sautner & Partner GmbH (processor), Microsoft Ireland Operations Limited (sub-processor), Masterwork Automodules MoneTech GmbH (processor), X-Net Services GmbH (sub-processor), Fiegl & Spielberger Solution GmbH (processor), Geutebrück GmbH (sub-processor), LBS logics GmbH (processor), Amazon Web Services, Inc. (sub-processor), CargoGuard GmbH (processor), netcup GmbH (sub-processor), comp-IT-ence GmbH (sub-processor), Siemens Aktiengesellschaft Österreich (processor), Siemens AG (sub-processor), Qognify GmbH (sub-processor), PKE electronics AG (processor), G4S Security Systems GmbH (processor), ESI S.A.S (sub-processor), NET.UP IT Services GmbH (sub-processor), IT eXperience Informationstechnologie GmbH (processor), CHG MERIDIAN Austria GmbH (processor), DDipl.-Ing. Mag.rer.soc.oec. Gernot Schmied (other external recipients).
    In connection with technical operational maintenance and control, IT security risk management, security information and event management and security incident handling, your data may also be transferred outside the EU or EEA to the USA. The EU Commission has confirmed that the USA and the certified US companies used have an adequate level of data protection. Microsoft Österreich GmbH, Coupa Software Inc. and Amazon Web Services, Inc. have positioned their servers in the EU, according to their own statements. In connection with this processing activity, your data will also be transferred to a company (sub-processor) based in Ireland, whose shareholder is located outside the EU or EEA.
  • Other information about this processing: You are obliged to provide your data for the above-mentioned IT purposes, otherwise you will not be able to use the services. The data processed for this purpose either originate from you or are aggregated by you in the course of your IT use (e.g., log data).

4.14. IT service desk

  • Purpose and legitimate interest: We may process your data as part of the IT service desk for the purposes of incident management, for processing service requests, in each case in the form of a ticket system. 
  • Data categories: personal master data, address data, contact data, identification data, usage data.
  • Legal basis:
    - Safeguarding the legitimate interests of PWL following a proportionality test pursuant to Art. 6 (1) (f) of the GDPR
  • Storage period: Your data will be deleted after a maximum of 7 years from the end of the calendar year to which they relate.
  • Recipients: Österreichische Post Aktiengesellschaft (processor) and its sub-processors Post IT Services GmbH (sub-processor), Lomnido GmbH (sub-processor), Softpoint Trusted Quality GmbH (sub-processor), ServiceNow Nederland B.V. (sub-processor).
  • Other information about this processing: If you do not provide your data for the maintenance of the IT service desk, you will not be able to use this relevant service.

4.15. Accounting and bookkeeping

  • Purpose and legitimate interest: In the context of accounting and bookkeeping, it may be necessary to process your data in order to manage payment transactions, including debtor and creditor management and invoicing. Its purpose is liquidity planning, financing, monitoring payment transactions (incoming and outgoing documents) and bank accounts, as well as ensuring PWL's solvency. 
  • Data categories: personal master data, address data, employment contract/financial status, data for identification, usage data, contact data, payment data, document content data.
  • Legal basis:
    - Fulfilment of a legal obligation Art. 6 (1) (c) of the GDPR,
    - Safeguarding the legitimate interests of PWL following a proportionality test pursuant to Art. 6 (1) (f) of the GDPR.
  • Storage period: Your invoice-related data or payment data may be stored for this purpose for up to 7 years from the end of the calendar year to which they relate. Insolvency data will be deleted within 1 year – depending on what is relevant – calculated from the termination of the insolvency proceedings due to lack of assets / with the consent of the creditors / court-confirmed, proven completion of the final distribution or expiry of the payment period provided for in the restructuring plan or termination or discontinuation of the monitoring of the restructuring plan or expiry of the payment period provided for in the payment plan, premature termination or termination of the absorption proceedings. The KSV insolvency lists and the insolvency data in the event of a decision not to open insolvency proceedings due to a lack of assets to cover costs are kept for 3 years.
  • Recipients: Österreichische Post Aktiengesellschaft (processor), Atos IT Solutions and Services GmbH (sub-processor), SAP Österreich GmbH (sub-processor), Coupa Software Inc. (sub-processor), Post Business Solutions GmbH (sub-processor), Atos IT Solutions and Services GmbH (processor), KSV1870 Holding AG (other external recipients – independent controller), card complete Service Bank AG (other external recipients – independent controller), OeNB/Banks (other external recipients – independent controller), auditors (other external recipients – independent controller).
    In connection with this processing activity, your data may also be transferred outside the EU or the EEA to the USA by sub-service providers of PWL. The EU Commission has confirmed that the USA and the certified US companies used have an adequate level of data protection. 
  • Other information about this processing: You may be obliged under your contract with PWL to provide your data for accounting and bookkeeping purposes. 

4.16. Settlement of legal cases and disputes

  • Purpose and legitimate interest: We process your data for the execution and file management of civil, corporate and administrative legal matters, the establishment, review, negotiation or execution of contracts and declarations, corporate documents and out-of-court correspondence, including the management of the data of parties and natural persons acting on their behalf (including insurance companies, legal representatives, lawyers, notaries) for the purpose of processing. 
  • Data categories: personal master data, address data, contact data, identification data, document content data, attendance data, absence data, payment data, criminally relevant data, health data.
  • Legal basis:
    - Safeguarding the legitimate interests of the controller following a proportionality test pursuant to Art. 6 (1) (f) of the GDPR in conjunction with Art. 9 (2) (f) of the GDPR.
  • Storage period: Decisions/judgments and documents relevant to the outcome of the proceedings are usually stored for 30 years from the legally binding conclusion of the proceedings/dispute (court decision / official decision / conclusion of court settlement / out-of-court settlement).
  • Recipients: Österreichische Post Aktiengesellschaft (processor), Atos IT Solutions and Services GmbH (sub-processor), ADVOKAT Unternehmensberatung GREITER & GREITER GmbH (sub-processor), Lawlift GmbH (sub-processor), SAP Österreich GmbH (sub-processor), Atos IT Solutions and Services GmbH (processor), authorities/courts (public bodies and institutions), Österreichische Post Aktiengesellschaft (other external recipients – as independent controllers), auditors (other external recipients – independent controller), insurance companies (other external recipients – independent controllers), insurance brokers (other external recipients – independent controllers), expert lawyers, notaries, tax consultants (other external recipients – independent controllers), works council (other external recipients – independent controller).
  • Other information about this processing: The data are partly provided by you, partly by third parties (e.g., authorities) or they come from public registers.

4.17. Exercising your rights as a data subject under the GDPR

  • Purpose and legitimate interest: If you exercise your rights in accordance with Art. 15-22 of the GDPR, the data you provide in this context and any additional information will be processed to prove the lawful processing of your request and for the possible exercise or defence of legal claims.
  • Data categories: The data processed in this context are disclosed by you in the course of your request / exercise of rights or originate from the processing activities about which you are informed in our data protection policy.
  • Legal basis:
    - Fulfilment of a legal obligation (Art. 6 (1) (c) of the GDPR in conjunction with Art. 15-22 of the GDPR), 
    - Safeguarding the legitimate interests of the controller following a proportionality test (Art. 6 (1) (f) of the GDPR).
  • Storage period: Data in connection with your exercise of rights in accordance with Art. 15-22 of the GDPR will be deleted after 37 months from receipt of your request. If official/judicial proceedings have been initiated, your data will be deleted after the deletion period specified in item 4.16.
  • Recipients: Österreichische Post Aktiengesellschaft (processor), Atos IT Solutions and Services GmbH (sub-processor), Atos IT Solutions and Services GmbH (processor), EBERHARDT Rechtsanwälte OG (data protection officer PWL – other external recipients). 
  • Other information: The data processed in this context will be disclosed by you in the course of your request / exercise of rights or originate from the processing activities about which you are informed in our data protection policy.

4.18. Processing for handling data protection incidents

  • Purpose and legitimate interest: If a (potential) data protection incident is suspected/exists, your data will be processed for the purpose of reporting and managing corresponding (including alleged) data protection incidents. 
  • Data categories: The data processed in this context originate from the processing activities about which you are informed in our data protection policy.
  • Legal basis for data processing:
    - Fulfilment of a legal obligation (Art. 6 (1) (c) of the GDPR in conjunction with Art. 33 and Art. 34 of the GDPR),
    - Safeguarding the legitimate interests of the controller after a proportionality test (Art. 6 (1) (f) of the GDPR).
  • Storage period: Data processed in connection with (potential) data protection incidents will be deleted after 37 months from the time we become aware of the alleged data protection incident or from the time the last required notifications are sent to the data protection authority or the data subject. If official/judicial proceedings have been initiated, this data will be deleted after the deletion period specified in item 4.16.
  • Recipients: Österreichische Post Aktiengesellschaft (processor), Atos IT Solutions and Services GmbH (sub-processor), Atos IT Solutions and Services GmbH (processor), EBERHARDT Rechtsanwälte OG (data protection officer PWL – other external recipients), data protection authority (public bodies and institutions). 
 
 

5. Does PWL use automated decision-making for my personal data?

If we use automated decision-making including profiling during processing, we will let you know separately about such processing. We currently use no such processing.

 

6. May your data also be shared with third parties in another country (including outside the EU)?

6.1. Yes, provided that the European Commission has confirmed that this third country has an adequate data protection level and that adequate data protection guarantees exist (e.g., binding in-house data protection provisions or standard EU data protection clauses).

6.2. In exceptional cases, the data may also be shared with a third country with your explicit consent, provided that we have informed you about possible risks associated with the planned disclosure and the lack of adequate data protection guarantees.

 

7. What rights do you have? 

7.1. If you so desire, we will provide information about your personal data that we process whenever you like. In addition, in some cases, you also have the right to data portability, meaning that we would give you all personal data you have disclosed to us in a structured, standard and machine-processable format.

7.2. Under certain conditions, you can also demand that the processing of your data is limited or that your personal data is rectified or deleted. In addition, you can object to the processing. In some of the above-mentioned cases, your consent will give PWL the right to process your data. You can revoke this consent at any time with future effect, without the need to state reasons. Until then, we will lawfully process your data.

7.3. Your right to object: under certain conditions, you can also object to the processing, provided that this is justified by special circumstances. You can object to the processing independently of the circumstances if the purpose of the processing is direct advertising. For contact information, please see item 8 below.

7.4. In addition, you have the option of filing a complaint with the Austrian Data Protection Authority: Österreichische Datenschutzbehörde, Barichgasse 40-42, 1030 Vienna. In the case of unlawful processing of your personal data, you can also turn to the competent civil court.

8. Who is the data protection officer and how can I get in touch? 

EBERHARDT Attorneys-at-Law, Weihburggasse 18-20, 1010 Vienna. You can contact the data protection officer of Post Wertlogistik GmbH at wertlogistik.datenschutzbeauftragter@post.at or at the address Post Wertlogistik GmbH, Datenschutz/Data Protection, Steinheilgasse 1, 1210 Vienna.

 

Please note:

  • The listing of a recipient or a recipient category in item 4 does not mean that your data will actually be passed on to these recipients within the scope of the processing mentioned. If data are shared with recipients for processing, this does not mean that all data sets will be shared, but merely those that are required for processing by third parties.
  • The named recipients will only receive your data if this is necessary to provide a service or to maintain PWL's business operations. 
  • Contracts have been concluded with all processors that precisely regulate their obligations with regard to data and data security.
  • At PWL, only those departments and employees that are in charge of meeting contractual and legal obligations and legitimate interests receive personal data so that they can fulfil their duties.