Data Protection Declaration

Scope The protection and security of your data are of paramount interest to us. For this reason, we provide comprehensive information about how we handle your data. You will learn how we collect your personal data, what we do with it, for what purposes and on what legal bases, and what rights and claims are associated with it for you. The data protection declaration applies to data processing at Österreichische Staatsdruckerei GmbH and within the scope of our websites: www.staatsdruckerei.at, jobportal.staatsdruckerei.at, reisepass.oesd.at, www.fs-info.at, zulassung.oesd.at, and related services that refer to this data protection declaration. Our data protection information for the use of our websites and the data protection declaration of Österreichische Staatsdruckerei GmbH do not apply to your activities on the websites of social networks or other providers that you can access through the links on our websites. Please refer to the privacy policies of these providers on their websites. Name and address of the data controller Controller within the meaning of the General Data Protection Regulation (GDPR), other data protection laws applicable in the member states of the European Union, and other regulations with data protection character: Österreichische Staatsdruckerei GmbH Tenschertstraße 7, 1230 Vienna, Austria Phone.: +43 1 206 66-0 Email: office@staatsdruckerei.at Website: www.staatsdruckerei.at You can reach the data protection officer by email at: privacy@staatsdruckerei.at

1. Collection and processing of personal data from business partners

1.1. Purposes of processing, categories of personal data

In the context of a business relationship with customers and suppliers, we process personal data for the following purposes:

• Processing for the purpose of contract fulfillment
• Processing and transmission of data in the context of a business relationship with customers and suppliers, including text documents (e.g., correspondence) created and archived with automation support
• Customer support, detailed information for logistics and accounting
• Communication with business partners regarding products, services, and projects, e.g., processing customer or supplier inquiries
• Order processing, collection of payments, for accounting and billing purposes, invoicing, deliveries
• Order processing, e.g., in the production of ID documents
• Compliance with legal requirements, e.g., tax retention obligations
• Settlement of legal disputes, defense of legal claims, enforcement of existing contracts

1.2. The following categories of personal data may be processed for the aforementioned purposes:

• Customer and supplier data as well as data from interested parties
• Contact details such as name, title, address, phone number, email address, delivery, invoice recipients
• Information processed within the scope of a project or the execution of a contractual business relationship with Österreichische Staatsdruckerei GmbH or voluntarily provided by contact persons
• Information from publicly available sources

The data you provide is necessary to achieve the purposes mentioned above and for contract fulfillment or the performance of pre-contractual measures. Without this data, the individual purposes described may not be achieved, or we may not be able to conclude a contract with you. In the context of the necessary balancing of interests, we consider in particular the nature of the personal data, the purpose of processing, the circumstances of processing, and your interest in the confidentiality of your personal data.

1.3. Recipients of personal data

In the event of a specific case, data may be disclosed to the following recipients:

• All relevant departments of Österreichische Staatsdruckerei GmbH for the purpose of contract processing
• Competent administrative authorities, especially tax authorities for audits
• Contract or business partners involved in the delivery or service
• Insurance companies in the event of an insurance claim
• Business auditors for auditing purposes
• Courts for initiating debt collection proceedings
• Federal Agency "Statistics Austria" for the preparation of legally required (official) statistics
• Parent company of the client for accounting
• Customers for the receipt of services
• Banks for payment processing

1.4. Sources of data (Art. 13 and 14 GDPR)

We process personal data that we receive from you by post, fax, or email as part of contact or inquiry. We may also obtain information from publicly available sources.

1.5. Legal basis for data processing

The data is processed for the fulfillment of a contract or the performance of pre-contractual measures based on Art. 6 (1) lit. b GDPR.

1.6. Duration of data storage

We store the data until the termination of the business relationship or the expiration of the guarantee, warranty, limitation, and statutory retention periods applicable to the client. Beyond that, data may be stored until the resolution of any legal disputes for which the data is needed as evidence.

2. Processing of personal data from business partners in video conferences

We conduct video conferences over the Internet and use various communication tools for this purpose. Video conferences are intended to save working time and travel costs and are indispensable in exceptional circumstances to maintain business operations. The use of conference services involves the transfer of personal data to a third country, especially the USA. For the transfer to the USA, an adequacy decision exists under Art. 45 (3) GDPR. On July 10, 2023, the new adequacy decision (EU-U.S. Data Privacy Framework) came into effect. Although a valid legal basis for data transfer to the USA exists again, it applies only if the U.S. company to which the data is to be transferred is certified by the U.S. Department of Commerce. We transmit personal data only to certified U.S. companies covered by the new adequacy decision. Certification can be verified through a corresponding list. We generally coordinate the use of the video platform or online software with the business partner, who can voluntarily participate in a video or online conference at any time. To enter a virtual meeting room, a participant must agree to the installation of software that enables participation.

2.1. The following categories of personal data are processed:

Participant lists, registration data such as username, email address, IP address, and device data.

2.2. Recipients of personal data

Video conferences are exclusively conducted through selected and internally approved service providers. Possible use of services for video and online conferences: TEAMS located in the USA. The use of TEAMS is subject to the terms of use and privacy policy of Microsoft. Privacy policy: https://privacy.microsoft.com/en-us/privacystatement By using Microsoft Teams, you accept Microsoft's terms of use and privacy policy. ZOOM Video Communications Inc. ("Zoom") located in the USA. The use of Zoom is subject to their terms of use and privacy policy: https://zoom.us/en-us/privacy.html By using "Zoom," you accept their terms of use and privacy policy.

2.3. Legal basis for processing

The data is processed to fulfill a contract or carry out pre-contractual measures based on Art. 6 (1) lit. b GDPR. The use involves the transfer to a third country (possibly the USA). In this regard, we rely on the adequacy decision, the EU-U.S. Data Privacy Framework, and on Art. 49 (1) a to c GDPR.

2.4. Duration of data storage

We store collected personal data for as long as necessary for the purposes we have specified, unless there is a legal obligation to retain data for a longer period. Conference services store data for the duration of our ongoing business relationship with the respective conference service and as long as the services are provided to us, as well as according to the legal obligations of the service provider to retain data.

3. Collection and Processing of Personal Data for Visitor Registration in the Business Premises of OeSD

3.1. Purposes of Processing and Legal Basis

Data for visitor registration is collected from the individual before their visit, stored, and shared with the relevant Reception and Security departments to register the visit of an individual to OeSD. Without this registration, visitors do not have access to the company premises and buildings. For visitor registration, personal data is collected on-site (scan of an identity document) to determine and record who is present in the business premises and to create a visitor pass. The collection, storage, and sharing are based on legitimate interests under Article 6 (1) lit. f GDPR. In individual cases, a balance of interests is conducted to assess whether a legitimate interest opposes the data collection, especially concerning children. Our legitimate interest is the protection of OeSD as a high-security company with critical infrastructure. Data is not disclosed to third parties. Failure to provide this data means that visitors cannot be registered, and the company cannot be visited. We ensure the protection of personal data through current technical and organizational measures, adapted to the state of the art.

3.2. Duration of Data Storage

We store your visitor registration and visitor registration data for 12 months in our system. After this period, the data collected for this process is deleted.

4. Collection and Processing of Personal Data When Visiting Our Website

During each access to website content, temporary data is stored, potentially allowing identification. The following data is collected:

• Date and time of access
• IP address
• Hostname of the accessing computer
• Website from which the website was accessed
• Websites accessed through the website
• Visited page on our website
• Notification of successful retrieval
• Transferred data volume
• Information about the browser type and version
• Operating system

Temporary data storage is necessary for the operation of a website visit, and further storage in log files ensures the functionality of the website and the security of information systems. These purposes represent our legitimate interest in data processing.

4.1. Recipients of Personal Data

The website is hosted by Körbler GmbH; Hofweg 1; 8435 Leitring | office@koerbler.com | www.koerbler.com. The host receives the aforementioned data as a data processor.

4.2. Legal Basis for Processing

Legitimate interest according to Article 6 (1) lit. f GDPR for providing information about the company and promoting/marketing products and services.

4.3. Duration of Data Storage

Data is deleted when no longer necessary for the purpose of collection. When providing the website, this is the case when the respective session has ended. For the Staatsdruckerei's normal websites, log files are retained for 7 days, accessible exclusively to administrators. Afterward, they are only indirectly available through the reconstruction of backup tapes and are finally deleted after two weeks.

4.4. Cookies

Cookies are data stores that allow specific, device-related information to be stored on the user's access device (PC, smartphone, etc.). We store information necessary for the website's operation in cookies. Users can influence cookie use through settings in the consent form (cookie banner). In addition, the cookie decision can be revised via a link available at the bottom of each web page. Disabling cookies may restrict the functionality of our website.

4.5. Matomo

The Matomo web analytics service is used on our website. Matomo is open-source software that evaluates website visitor access. Analysis is facilitated by cookies, and the data is stored on our server in Austria, not shared with third parties. Users can prevent Matomo from storing cookies by modifying settings in the cookie banner.

4.6. Use of Websites by Minors

Processing of personal data is only allowed for individuals who have reached the age of 16. Use of our systems and tools by users below this age requires parental/guardian consent, and we will cease processing such data upon awareness.

4.7. Social Plugins

Social plugins (buttons) from social networks such as Facebook, X, LinkedIn, and YouTube are used on our websites. These buttons are initially disabled and require user activation.

The purpose of using social plugins is to interact with users via social media to provide information about our company, our products and services.

4.8. Google Maps

Google Maps is embedded on our website via an API for easy transmission of our location to customers, suppliers, applicants, and interested parties. Google Maps is initially disabled, and users need to load the map through the displayed cookie banner before accessing our location data. The use of Google Maps involves the transmission of personal data (IP address) to the United States, with an adequacy decision (EU-US Data Privacy Framework) existing for such transfers according to Article 45 (3) GDPR. Google is certified by the U.S. Department of Commerce; certification can be verified via a corresponding list. Through our processing activities, we only transfer personal data to certified US companies to which the new adequacy decision applies.

5. Data Subject Rights:

5.1. Right to Information:

You can request information about your personal data processed by us under Article 15 GDPR.

5.2. Right to Object:

You have the right to object to the processing of your personal data under Article 6 (1) GDPR for reasons arising from your particular situation. The controller will then no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims. The collection of data for the provision of the website and the storage of log files are absolutely necessary for the operation of the website.

5.3. Right to Rectification:

You can request the correction or completion of your data under Article 16 GDPR if the information concerning you is incorrect or incomplete.

5.4. Right to Erasure:

Under Article 17 GDPR, you can request the deletion of your personal data.

5.5. Right to Restriction of Processing:

Under Article 18 GDPR, you can request the restriction of the processing of your personal data.

5.6. Right to Data Portability:

If the conditions of Article 20 (1) GDPR are met, you have the right to receive the data processed based on your consent or in fulfillment of a contract in a structured, commonly used, and machine-readable format. To exercise your rights, contact our data protection officer at privacy@staatsdruckerei.at.

5.7. Right to Lodge a Complaint:

If you believe that the processing of your personal data violates data protection laws, you have the right to lodge a complaint with the supervisory authority (Article 77 GDPR). The competent supervisory authority for the controller is the Austrian Data Protection Authority: Österreichische Datenschutzbehörde Barichgasse 40-42 1030 Vienna Phone: +43 1 52 152-0 Email: dsb@dsb.gv.at