Privacy policy for the video surveillance systems of the Österreichischen Postbus Aktiengesellschaft

1. Scope of Application

1.1 This Privacy Policy governs the processing of personal data in the course of video surveillance, which is conducted by the Österreichischen Postbus Aktiengesellschaft ("Postbus AG" or "we").

1.2 The processing of personal data by the Postbus AG as controller is strictly subject to the General Data Protection Regulation ("GDPR") as well as the Austrian Data Protection Law 2018 ("DSG").

2. Data processing, purposes and legal bases

2.1 Video surveillance

2.1.1 The Postbus AG processes video recordings in the passenger areas in the buses as well as in the area of petrol stations and workshops based on the legitimate interest (art. 6 sec. 1 lit. f) GDPR or § 12 DSG) or based on a statutory obligation or legal allowance (art. 6 sec. 1 lit. c) GDPR or § 12 DSG) on every day of the year around the clock for the following purposes:
(a) Property protection (protection of the buses, facilities including installations);
(b) protection and increasing the safety of passengers, employees and other persons concerned (particularly of customers and employees of the Postbus AG);
(c) preventing, containing and clarifying behaviour relevant in accordance with criminal and civil law (general prevention), insofar as the controller’s area of responsibility is affected;
(d) preserving evidence in case of an incident (i.e. in case of danger, injuries or damage to persons or objects for the clarification of behaviour relevant in accordance with criminal and civil law) as well as
(e) processing of incidents pursuant to judicial issues and insurance law.

2.1.2 The video recordings collect and store the following personal data pertaining to the data subjects:
(a) Image data (appearance, behaviour) of the data subjects;
(b) place and time of the image recording,
(c) identity and role (offender, victim, witness, etc.) of the data subjects, insofar as recognizable form the recording.

3. Location of the video surveillance systems and camera angle

3.1 As a basic principle, every location of the individual video surveillance systems as well as the respective camera angle are strictly limited to what is absolutely necessary. Both comply with the security aspects required and to be observed in each individual case.

3.2 The video surveillance systems are located as follows:

3.2.1 In buses: The individual video surveillance equipment is installed according to the type of bus taking the structural and safety-related aspects of each individual case into consideration. The recording range includes the entire passenger area.

3.2.2 In the area of petrol stations and workshops in Graz: There are cameras located at the petrol stations as well as in the area of workshops and wash facilities. Surveillance only takes place in the outdoor areas.

4. Place of data processing, security measures and access rights

4.1 The place of data processing (place of the recording) complies with the application of the respective video surveillance equipment. The recording/processing on storage media of the respective video surveillance equipment or on access secure proprietary servers takes place depending on the application and type of camera.

4.2 The video recordings are stored in an encrypted form. At the same time, this data can only be read out using a special readout software. Therefore, even in the case of unauthorized access, recordings cannot be viewed by unauthorized third parties.

4.3 Only employees of the intercompany data processor (refer to item 7.) are authorized to read out video recordings. These employees as well as those the Postbus AG tasked with managing the incident in individual cases have access to analysed video recordings. Analysed video recordings are stored at storage locations with strict access restrictions. The analysis of the video recordings as well as access to them requires the prior setup of special system authorizations. All processes associated with the analysis of or access to video recordings are recorded/logged.

5. Video surveillance signs

5.1 The Postbus AG ensures that the data subjects can easily obtain knowledge of the video surveillance measures. Signs displaying a pictogram can be found on all entrance and exit doors of the buses, so that the data subject can avoid the video surveillance in a timely manner. The signs are installed at suitable locations and easily visible in the area of petrol stations and workshops:

5.2 The pictograms that indicate video surveillance measures look as follows:

Entrance and exit areas in buses

Piktogramm Video Einstieg

Inside buses as well as workshop areas

Piktogramm Video Innenraum

6. Processor

6.1 The Postbus AG uses the following subsidiary companies as IT service providers:

ÖBB-Business Competence Center GmbH
1030 Wien, Erdberger Lände 40-48
E-Mail: bcc.datenschutz@oebb.at

6.2 The Postbus AG transmits video recordings to the following data processors (art. 6 sec. 1 lit. f) GDPR):

Mungos Sicher & Sauber GmbH & Co KG
1150 Wien, Felberstraße 1
E-Mail: datenschutz@mungos.at

The aforementioned data processor is responsible for the central testing of the safety-related requirements for video systems. The processor is also responsible for the task of reviewing the requirements pertaining to proper data transfer to requesting authorities and other offices/third parties. Trained employees of the processor only read out and store relevant video sequences in the case of a justified individual case. Therefore, data analysis, i.e. suspending the automatic overwriting of the database, only takes place in the case of a justified incident. At the same time, it is ensured that the evaluation sequence itself is reduced to the absolutely necessary extent and is only conducted by a very limited, particularly trained group of persons. All employees of this organizational unit are trained separately and bound to confidentiality according to § 6 DSG (art. 6 sec. 1 lit. f) GDPR).
Video recordings are only given to or remain with the data processor as long as there is a valid data processing agreement.
The tasks of persons authorized to process data: Analysing video sequences in cases of justified incidents and providing the requesting office with the video material.

7. Data transfers

7.1 Data analysis and transfer only takes place by the controllers’ authorized and specifically trained employees and, if need be, by specifically trained data processors in the case of an objectively justified incident.

7.2 The video sequences that are limited to the absolutely necessary extent are, in the case of an incident, disclosed to the following categories of recipients:
(a) The factually and locally competent domestic or foreign criminal court of law in the individual case for reasons of preserving evidence and defending legal claims in the case of an incident (art. 6 sec. 1 lit. c) or lit. f) GDPR);
(b) the domestic or foreign National Security Authority to ensure security police purposes in the case of an incident (art. 6 sec. 1 lit. c) or lit. f) GDPR);
(c) the factually and locally competent domestic or foreign civil court of law in the individual case for the purpose of securing evidence and defending legal claims in connection with issues pertaining to civil law in the case of an incident (art. 6 sec. 1 lit. c) or lit. f) GDPR);
(d) insurance companies notified by the ÖBB-PV AG to process insurance claims in the case of an incident (art. 6 sec. 1 lit. c) or lit. f) GDPR).

7.3 Video recordings are not transferred to third countries.

8. Storage period

8.1 The storage period for video recordings in buses and in areas of workshops and petrol stations is respectively 72 hours.

8.2 Insofar as this is required to pursue or defend legal claims or comply with statutory retention obligations, we store the video recordings longer than for the period previously mentioned.

9. Your rights

9.1 You are entitled to the following rights against the Postbus AG:
(a) Right of access according to art. 15 GDPR regarding the personal data we process.
(b) The right to rectification according to art. 16 GDPR, the right to erasure according to art. 17 GDPR and the right to restriction of processing according to art. 18 GDPR.
(c) The right to object according to art. 21 GDPR.
(d) The right to data portability according to art. 20 GDPR.
(e) The right to lodge a complaint with the competent supervisory authority according to art. 77 GDPR:

Austrian Data Protection Authority
Barichgasse 40-42  
1030 Wien
Telefon: +43 1 52 152-0
E-Mail: dsb@dsb.gv.at

10. Controller of data processing

10.1 Controller in terms of the GDPR is::

Österreichische Postbus Aktiengesellschaft
FN 195030i
Am Hauptbahnhof 2, 1100 Wien
Telefon: +43 (0)5 1717
E-Mail: datenschutz.postbus@pv.oebb.at

10.2 Data protection officer’s contact information:
Am Hauptbahnhof 2, 1100 Wien
E-Mail: datenschutz.postbus@pv.oebb.at

If you send us an information request, please include a copy/scan of an official photo ID, ideally with your current home address and email address. You need to do this because we have to check your identity before responding to your information request or initiating the necessary action. In doing so, you help us ensure that unauthorized third parties do not obtain access to personal data (risk of abuse). As soon as we receive your information request and you have verified your identity, we will respond within four weeks. In the event that we have any questions in the course of responding, we will contact you and ask for your assistance.