Data protection policy by Post Wertlogistik GmbH for selected data processing steps at the company’s bases: video surveillance, access, visitor management
Mandatory information according to Art 13 and 14 GDPR of a purely informative nature.
Status: September 2024
1. Who is in charge of handling your personal data? What else should you know about this data processing?
1.1. Post Wertlogistik GmbH, Steinheilgasse 1, 1210 Vienna (hereinafter referred to as "PWL", "we", "us") is responsible for adequately protecting your personal data.
1.2. PWL complies with all legal provisions about the protection, lawful handling and confidentiality of personal data (especially the General Data Protection Regulation (GDPR), the Austrian Data Protection Act) and other relevant provisions.
2. To whom is this data protection policy addressed?
2.1. This data protection policy applies to all persons who are present at PWL's bases and make use of the relevant data processing, such as (leasing) employees of Post Wertlogistik GmbH, visitors or other external parties. Please note that further special data protection policies may also be relevant to you and apply in addition to this general data protection policy. Such data protection policies are displayed at the bases or in the cash-in-transit vehicles (for drivers and co-drivers) or are otherwise brought to your attention directly. If you have any questions, please contact the data protection officer (see item 12. below).
3. From whom do we receive your data?
3.1. We receive the personal data directly from you or automatically through an action triggered by you. We may only grant you access to selected areas, especially the areas that are under video surveillance, some of them equipped with access systems, if we can process your personal data.
4. What interest does PWL have regarding my data and based on which grounds may PWL process my data (data protection policy pursuant to Article 13 of the GDPR)?
4.1. Video surveillance at our bases:
4.1.1. Video surveillance at our bases in restricted (public and non-public) areas, especially but not limited to entrance areas, hallways, facades/roof, garages, high-security areas is performed based on our legitimate interest and for the following purposes:
- Self-protection (property/assets of Post Wertlogistik GmbH),
- Protection of hired personnel - prevention and early detection of production-related and other sources of danger caused by the use of machines,
- Responsibility protection (protection of clients' property/contractual liability towards clients of Post Wertlogistik GmbH),
- Compliance with statutory duties of care,
- Avoiding and controlling (general prevention) as well as resolving behaviour punishable by criminal and civil law,
- Handling cases in court and with insurance companies,
- Evidence basis for internal case investigation/difference processing and, closely related, the protection of hired personnel from unjustified suspicions.
with exclusive evaluation in the case defined by the purpose.
4.1.2. Among others, the legal basis for data processing are the following laws (as amended) and contractual obligations:
If you are an employee - works agreement (Article 88 of the GDPR), Article 6 (1) (c) of the GDPR (legal obligation), Article 9 (2) (f) of the GDPR (legitimate interest), Article 9 (2) (f) of the GDPR (establishment, exercise or defence of legal claims), Articles 12f of the Austrian Data Protection Act, Sections 353 ff of the Austrian Civil Code, Section 3 of the Austrian Worker Protection Act, Section 1157 of the Austrian Civil Code, duties to safeguard traffic, contractual liability Sections 1295 in conjunction with 1489 of the Austrian Civil Code (damages), Section 933f of the Austrian Civil Code (warranty), Section 80 of the Austrian Code of Criminal Procedure.
If you are an external party - Art. 6 (1) (f) of the GDPR (legitimate interest), Article 9 (2) (f) of the GDPR (establishment, exercise or defence of legal claims), Articles 12f of the Austrian Data Protection Act, Sections 353 ff of the Austrian Civil Code, duties to safeguard traffic, contractual liability Sections 1295 in conjunction with Section 1489 of the Austrian Civil Code (damages), Section 933f of the Austrian Civil Code (warranty), Section 80 of the Austrian Code of Criminal Procedure.
4.2. General access authorisation for bases:
4.2.1. We process your personal data needed for granting access to the bases of Post Wertlogistik GmbH or to restricted (not publicly accessible) areas via the use of electronic access systems, access requests, visitor logs, random bag checks including relevant text documents created and archived with automatic assistance (e.g., correspondence) based on legitimate interest and for the following purposes:
- Access control to buildings and restricted areas by the owner or authorised users,
- Self-protection (property/assets of Post Wertlogistik GmbH),
- Responsibility protection (protection of clients' property/contractual liability towards clients of Post Wertlogistik GmbH),
- Compliance with statutory duties of care,
- Protection of hired personnel,
- Compliance with data protection regulations (a key element of technical and organizational measures for all data processing)
- Avoiding and controlling (general prevention) as well as resolving behaviour punishable by criminal and civil law,
- Handling cases in court and with insurance companies,
- Evidence basis for internal case investigation/difference processing and, closely related, the protection of hired personnel from unjustified suspicions.
4.2.2. Among others, the legal basis for data processing are the following laws (as amended) and contractual obligations:
If you are an employee - works agreement (Article 88 of the GDPR), Article 6 (1) (c) of the GDPR (legal obligation), Article 6 (1) (f) of the GDPR (legitimate interest), Sections 353ff of the Austrian Civil Code, Section 3 of the Austrian Worker Protection Act, Section 1157 of the Austrian Civil Code, duties to safeguard traffic, contractual liability Sections 1295 in conjunction with 1489 of the Austrian Civil Code (damages), Section 933f of the Austrian Civil Code (warranty), Section 80 of the Austrian Code of Criminal Procedure.
If you are an external service provider, Article 6 (1) (f) of the GDPR (legitimate interest), Sections 353ff of the Austrian Civil Code, duties to safeguard traffic, contractual liability Sections 1295 in conjunction with 1489 of the Austrian Civil Code, Section 933f of the Austrian Civil Code (warranty), Section 80 of the Austrian Code of Criminal Procedure.
4.3. Biometric access system at the Vienna base:
4.3.1. In addition to the general access system mentioned under item 4.2, at the Vienna base we use an access system for access to the high-security area for the use of which your fingerprint (right or left finger) will be recorded, in addition to the processing of your first/last name, your date of birth, an ID number, log data, including relevant text documents created with automatic assistance (such as correspondence). From this fingerprint, selected features will be turned into a hash value and processed by local readers.
The access system is used for the following purposes, and, for employees, also based on legitimate interest:
- Access control to buildings and restricted areas by the owner or authorised users,
- Self-protection (property/assets of Post Wertlogistik GmbH),
- Responsibility protection (protection of clients' property/contractual liability towards clients of Post Wertlogistik GmbH),
- Compliance with statutory duties of care,
- Protection of hired personnel,
- Compliance with data protection regulations (a key element of technical and organizational measures for all data processing)
- Avoiding and controlling (general prevention) as well as resolving behaviour punishable by criminal and civil law,
- Handling cases in court and with insurance companies,
- Evidence basis for internal case investigation/difference processing and, closely related, the protection of hired personnel from unjustified suspicions.
4.3.2. Among others, the legal basis for data processing are the following laws (as amended) and contractual obligations:
If you are an employee - works agreement (Article 88 of the GDPR), Article 6 (1) (c) of the GDPR (legal obligation), Article 6 (1) (f) of the GDPR (legitimate interest), Article 9 (2) (b) of the GDPR (explicit processing in the field of employment and social security and social protection law), Article 9 (2) (f) (establishment, exercise or defence of legal claims), Sections 353 ff of the Austrian Civil Code, Section 3 of the Austrian Worker Protection Act, Section 1157 of the Austrian Civil Code, duties to safeguard traffic, Section 80 of the Austrian Code of Criminal Procedure, contractual liability Article 1295 in conjunction with Article 1489 of the Austrian Civil Code (damages), Sections 93f of the Austrian Civil Code (warranty).
If you are an external service provider, Article 6 (1) (a) of the GDPR (consent), Article 9 (2) (f) of the GDPR (establishment, exercise or defence of legal claims), Sections 353ff of the Austrian Civil Code, duties to safeguard traffic, Section 80 of the Austrian Code of Criminal Procedure, contractual liability Sections 1295 in conjunction with Section 1489 of the Austrian Civil Code (damages), Section 933f of the Austrian Civil Code (warranty).
5. Any possible processing for other purposes
5.1. Below you will find a list of possible purposes for which your personal data may be further processed in addition to the purposes mentioned under item 4. We also provide information about the legal basis for this processing and the storage period. Under item 7, we disclose the possible recipients of your data in connection with this data processing.
Please note:
5.1.1. The processing (and especially the additional storage) of your personal data for other purposes will only be performed if it is absolutely necessary and legally permissible. Only those data records / data categories that are required to fulfill the additional purpose are affected by processing. This is not the rule. Under certain circumstances, processing may only take place in response to your interaction (e.g., request for information in accordance with Art. 15 of the GDPR) with us.
5.1.2. If data are shared with recipients for processing, this does not mean that all data sets will be shared, but merely those that are required for processing.
5.1.3. At PWL, only those departments and employees that are in charge of meeting contractual and legal obligations and legitimate interests receive personal data so that they can fulfill their duties.
5.2. Processing to exercise your rights as a data subject under the GDPR:
5.2.1. If you exercise your rights under Art. 15-22 of the GDPR, the data you provide in this context and any additional information will be processed to prove the lawful processing of your request and for the possible exercise or defense of legal claims.
5.2.2. Legal basis for data processing: Fulfillment of a legal obligation (Art. 6 (1) (c) of the GDPR in conjunction with Art. 15-22 of the GDPR), safeguarding the legitimate interests of the controller after a proportionality test (Art. 6 (1) (f) of the GDPR).
5.3. Processing for handling data protection incidents:
5.3.1. If a (potential) data protection incident is suspected/exists, your data will be processed for the purpose of reporting and managing corresponding (including alleged) data protection incidents.
5.3.2. Legal basis for data processing: Fulfillment of a legal obligation (Art. 6 (1) (c) of the GDPR in conjunction with Art. 33 and Art. 34 of the GDPR), protection of the legitimate interests of the controller after a proportionality test (Art. 6 (1) (f) of the GDPR).
5.4. Processing in the context of legal disputes:
5.4.1. Should legal disputes arise between you and PWL, the personal data required for the protection of rights and legal prosecution/enforcement by PWL will be processed for this purpose. Under certain circumstances, your data may also be required for legal disputes between third parties and PWL. PWL relies in particular on the support of the parent company (legal department and insurance processing). Due to the large number of different possible forms of such legal disputes and the associated different recipients, some of these can only be listed in categories (see item 7.).
5.4.2. Legal basis for data processing: Safeguarding the legitimate interests of the controller after a proportionality test (Art. 6 (1) (f) of the GDPR), establishment, exercise or defence of legal claims (Art. 9 (2) (f) of the GDPR).
6. What data categories are processed from external sources (data protection information pursuant to Article 14 of the GDPR in the case of indirect data collection)?
6.1. No data from third parties / external sources will be processed in connection with the processing activities mentioned here.
7. With whom/which recipients may your data be shared?
7.1. Below you will find a list of the potential categories of recipients and specific recipients (insofar as this is possible) of PWL to whom personal data may be transferred in the context of the aforementioned data processing.
Please note:
- The listed recipients will only receive your data if this is necessary to provide a service or to maintain PWL's business operations.
- If data are shared with recipients for processing, this does not mean that all data sets will be shared, but merely those that are required for processing by third parties.
- At PWL, only those departments and employees that are in charge of meeting contractual and legal obligations and legitimate interests receive personal data so that they can fulfill their duties.
- Contracts have been concluded with all processors that precisely regulate their obligations with regard to data and data security.
7.2. External service providers (processors): In a world of labour division, the required data processing work is oftentimes provided by specialised businesses, so-called service providers (processors). These businesses can provide such services at attractive rates while, most importantly, delivering high quality. Therefore, we transfer your personal data to such businesses in the scope necessary for them to provide the contractually agreed services. Such services include, among others, data storage in our secure data centres and the maintenance of video equipment and access systems on site.
Processors in the context of video surveillance:
- Siemens Aktiengesellschaft Österreich (processor), Siemens AG (subprocessor), Oognify GmbH (subprocessor),
- PKE Electronics GmbH (processor),
- Fiegl & Spielberger Solution GmbH (processor), Geutebrück GmbH (subprocessor),
- Österreichische Post Aktiengesellschaft (processor), Atos IT Solutions and Services GmbH (subprocessor),
- Atos IT Solutions and Services GmbH (processor),
- G4S Secure Solutions AG (processor).
Processors in the context of access control/access control systems:
- PKE Electronics GmbH (processor),
- Fiegl & Spielberger Solution GmbH (processor), Geutebrück GmbH (subprocessor),
- Österreichische Post Aktiengesellschaft (processor), Atos IT Solutions and Services GmbH (subprocessor),
- Atos IT Solutions and Services GmbH (processor),
- G4S Secure Solutions AG (processor).
Processors in the context of legal disputes:
- Österreichische Post Aktiengesellschaft (processor), Atos IT Solutions and Services GmbH (subprocessor), ADVOKAT Unternehmensberatung GREITER & GREITER GmbH (subprocessor), Lawlift GmbH (subprocessor), SAP Österreich GmbH (subprocessor),
- Atos IT Solutions and Services GmbH (processor).
Processors in the context of exercising your rights as a data subject:
- Österreichische Post Aktiengesellschaft (processor), Atos IT Solutions and Services GmbH (subprocessor),
- Atos IT Solutions and Services GmbH (processor).
Processors in the context of handling data protection incidents:
- Österreichische Post Aktiengesellschaft (processor), Atos IT Solutions and Services GmbH (subprocessor),
- Atos IT Solutions and Services GmbH (processor).
7.3. Courts, public authorities, insurance companies, other recipients:
In addition to the aforementioned processors, it may be necessary, within the scope and for the purpose of clarifying security incidents that are identified and assessed in connection with the processing activities described above and that may lead to legal disputes, for the personal data to be transferred to a person of trust (member of the works council), the data protection officer of Post Wertlogistik GmbH, security authorities (for the provision of evidence in criminal law matters / security police purposes), to the public prosecutor's office (for the provision of evidence in criminal law matters), to courts (for the provision of evidence in criminal law or civil law matters) and to insurance companies (exclusively for the processing of insurance claims) as well as to Österreichische Post Aktiengesellschaft (legal department, which then acts as an independent controller) and/or lawyers, experts, notaries, tax consultants/auditors.
In the context and for the purpose of the proper handling of any data protection incidents and data subject rights, it may also be possible for the personal data required in each case to be forwarded to the data protection authority.
7.4. At PWL, only those departments and employees that are in charge of meeting contractual and legal obligations and justified interests receive personal data so that they can fulfill their duties. If data is shared with recipients for processing, this does not mean that all data sets will be shared, but merely those that are required for processing by third parties.
8. May your data also be shared with third parties in another country (including outside the EU)?
8.1. Yes, provided that the European Commission has confirmed that this third country has an adequate data protection level and that adequate data protection guarantees exist (e.g., binding in-house data protection provisions or standard EU data protection clauses).
8.2. In exceptional cases, the data may also be shared with a third country with your explicit consent, provided that we have informed you about possible risks associated with the planned disclosure and the lack of adequate data protection guarantees (item 8.1).
9. How long will your data be stored?
9.1. As soon as PWL no longer needs your personal data for the purposes described above, they will be deleted, unless statutory storage periods to the contrary apply.
9.2. We usually delete your personal data after the following standard deletion period:
- any video material recorded during video surveillance will be deleted no later than 90 days after the video was recorded,
- data processed for general access granting and random bag checks (personal master data, identification data, reason for access authorisation, contact data, ID data, signature, access requests, bag check reports) will be deleted within 3 months after the access authorisation has expired; access traffic data will be deleted within 3 months after having passed a reader/access gate,
- data processed for the biometric system at the base (personal master data, identification data, reason for access authorisation, contact data, ID data, signature) as well as, for external service providers, the declaration of consent provided will be deleted within 3 months after the access authorisation has expired; related access traffic data will be deleted within 3 months after having passed a reader/access gate; the hash value obtained from the fingerprint will be deleted within a day after the access authorisation has expired,
- we retain the data processed in connection with legal matters and disputes for up to 3 years; the court/official decision itself (notice, judgment, etc.) or court and out-of-court settlements, including the main documents, will be deleted after 30 years - in each case calculated from the date of the legally binding decision or out-of-court settlement,
- the data processed in the context of a possible data protection incident will be deleted 3 years after becoming aware of the alleged and ultimately unconfirmed data protection incident or after sending the last required notifications to the data protection authority or data subjects - if a data protection incident actually occurred,
- the data processed in connection with the handling of data subject rights will be deleted 3 years after the reply letter has been sent.
10. Does PWL use automated decision-making for my personal data?
If we use automated decision-making including profiling during processing, we will let you know separately about such processing. We currently use no such processing.
11.1. If you so desire, we will provide information about your personal data that we process whenever you like. In addition, in some cases, you also have the right to data portability, meaning that we would give you all personal data you have disclosed to us in a structured, standard and machine processable format.
11.2. Under certain conditions, you can also demand that the processing of your data is limited or that your personal data are rectified or deleted. In addition, you can object to the processing, provided that this is justified by special circumstances. You can object to the processing independently of the circumstances if the processing is done for the purpose of direct advertising.
11.3. Your right to object: Under certain conditions, you can also object to the processing, provided that this is justified by special circumstances. You can object to the processing independently of the circumstances if the purpose of the processing is direct advertising. For contact information, please see item 12 below.
11.4. In addition, you have the option of filing a complaint with the Austrian Data Protection Authority: Österreichische Datenschutzbehörde, Barichgasse 40-42, 1030 Vienna. In the case of unlawful processing of your personal data, you can also turn to the competent civil court.
12. Contact information and data protection officer
To get in touch with the data protection officer of Post Wertlogistik GmbH, please e-mail us at wertlogistik.datenschutzbeauftragter@post.at or write to Post Wertlogistik GmbH, Datenschutz/data protection, Steinheilgasse 1, 1210 Vienna.