Privacy Statement
This privacy statement is for information purposes only.
The companies of the ASFINAG Group take data protection and confidentiality very seriously and adhere to the current national and European data protection regulations.
Use of the ASFINAG Group’s whistleblowing system can result in the processing of the personal data of the whistleblower, the person who is affected by the report and those persons who are affected by or involved in the follow-up measures. This privacy statement informs the data subjects of processing activities in this regard.
Please carefully read the data protection information before submitting a report.
Data controllers
The relevant company in the ASFINAG Group that has received the report shall be the data controller, as defined in Art 4(7) of the General Data Protection Regulation (GDPR), for the processing activities that take place in connection with reports made via the electronic whistleblowing system.
The ASFINAG Group consists of the following companies:
- Autobahnen- und Schnellstraßen-Finanzierungs-AG
- ASFINAG Maut Service GmbH
- ASFINAG Baumanagement GmbH
- ASFINAG Service GmbH
- ASFINAG Alpenstraßen GmbH
- ASFINAG Commercial Services GmbH
- ASFINAG European Toll Service GmbH
Depending on the situation (for example, in the case of conflicts of interest), Autobahnen- und Schnellstraßen-Finanzierungs-AG may process a report relating to another company in the ASFINAG Group. In this case, it shall also be the data controller.
The direct contact persons for issues relating to data protection law are ASFINAG’s data protection officers, who can be contacted at datenschutz@asfinag.at.
Purposes of the data processing
The electronic whistleblowing system allows for concerns regarding violations of ethical principles, misconduct and unlawful activities to be reported anonymously or while disclosing one’s identity. In the case of such a report, personal data of the person who is reporting a concern (the whistleblower), the person or persons affected by the report and the persons who are affected by or involved in any follow-up measures may be processed.
Use of the electronic whistleblowing system regularly results in the processing of the following data:
- Data of the whistleblower (to the extent that their identity is disclosed), such as their forename and surname, contact data and information regarding how they are personally affected; relationship of the whistleblower to the reported company (employee, supplier, shareholder or other);
- Data of the accused person or persons otherwise affected by the report as indicated in the report, the uploaded documents or the subsequent dialogue, including, in particular, their name, employer, role and the specific accusations;
- Data of persons helping to collect and further process the report.
Use of the electronic whistleblowing system is voluntary. The whistleblower is neither legally nor contractually obliged to provide us with these data. However, the whistleblowing system cannot be used without entering the data marked as mandatory into the report form. We are not able to contact the whistleblower without contact data being entered (for example, to confirm receipt of the report, ask follow-up questions or collect more information).
The processing of these data serves the purpose of fulfilling the obligations under the Austrian Whistleblower Protection Act (HinweisgeberInnenschutzgesetz - “HschG”) as well as to allow for reports to be received via the electronic whistleblowing system, to assess their validity and to enable their further processing and thereby prevent, investigate and, where necessary, prosecute any potential legal violations, prevent harm and protect our company, employees and business partners.
Data recipients
- Sharing of data within the ASFINAG Group
When processing reports for the other responsible companies in the ASFINAG Group, Autobahnen- und Schnellstraßen-Finanzierungs-AG shall act as data processors.
Depending on the situation, personal data may also be shared with bodies that are responsible for processing the report or for any potential follow-up measures and reviews within another company in the ASFINAG Group. - Further sharing of data with external bodies
If the accusations made are substantiated, the data may be shared with lawyers, prosecuting authorities or other responsible authorities, as well as with criminal and civil courts.
The electronic whistleblowing system is operated by the EQS Group, which acts as our specialised, technical service provider. Furthermore, we sometimes use service providers for data processing (especially for technical implementation, e.g. IT, website, app and hosting service providers). Our data processors are carefully chosen and are bound by our instructions.
No data shall be transmitted to third countries.
Storage period
Personal data that are not relevant for the processing of a report or for the purposes of data processing will not be collected. If data are collected unintentionally, such data shall be erased without delay.
We are legally required to retain personal data for a five-year period from the final time it is processed or transmitted; retention may also be required beyond this period for as long as necessary to carry out administrative or judicial proceedings that have already been initiated or investigative proceedings under the Austrian Code of Criminal Procedure (Strafprozessordnung). After the retention obligation has expired, we shall erase these data.
Furthermore, we must retain log data regarding processing procedures that were carried out in the course of case management for three more years after the final time it was processed or transmitted.
Legal basis
The data processing in connection with the operation of the electronic whistleblowing system relates to the legal authorisations and obligations pursuant to Section 8 of the Austrian Whistleblower Protection Act in conjunction with Art. 6(1)(c) and (e), Art. 9(2)(g) and Art. 10 GDPR.
Should the data processing exceed our legal authorisations or obligations, it shall take place on the basis of our legitimate interest in the reporting and detection of company-related irregularities (Art. 6(1)(f) GDPR and Art. 10 GDPR in conjunction with Section 4(3) of the Austrian Data Protection Act).
Rights of the data subjects
The GDPR grants the rights described below to persons who are subject to the data processing described above. To assert these rights please contact us via the contact details set out in the attachment.
- Right to access
Data subjects have the right to obtain from the controller confirmation as to whether or not personal data concerning them are being processed. Where applicable, they are also entitled to request access to the personal data as well as, inter alia, the purposes of the processing, the categories of personal data concerned and the categories of recipients. - Right to rectification
If inaccurate personal data concerning them is being processed, the data subjects can request the rectification of their data without undue delay. - Right to erasure
In certain circumstances, data subjects have the right to request the erasure of the personal data concerning them without undue delay. However, if the data processing is necessary to fulfil a legal obligation or for the establishment, exercise or defence of legal claims, this right to erasure shall not apply. - Right to restriction of processing
In specific situations, data subjects are entitled to request the restriction of data processing. In such cases, the data can, with the exception of its storage, only be processed with the consent of the data subject or within narrow limits (for example, for the establishment, exercise or defence or legal claims). - Right to object
In certain circumstances, data subjects have the right to object to the processing of their data. In such cases, their personal data shall no longer be processed. However, if legitimate grounds for data processing can be demonstrated which override the interests, rights and freedoms of the data subject or if data processing serves the establishment, exercise or defence of legal claims, the processing of the personal data may continue. - Right of appeal
The data subjects are entitled to lodge a complaint with the competent supervisory authority if they consider that the processing of their personal data infringes provisions of data protection law.
Restriction of the rights of the data subjects
According to Section 8(9) of the Austrian Whistleblower Protection Act, the rights of the person affected by the report to access, rectification, erasure, restriction of processing and to object do not apply as long as and to the extent that this is necessary to protect the identity of the whistleblower or another person protected under the Austrian Whistleblower Protection and to fulfil the above aims (particularly to prevent attempts to prevent, undermine or delay reports or follow-up measures relating to reports). This applies in particular for the duration of administrative or judicial proceedings as well as investigative proceedings under the Austrian Code of Criminal Procedure.
Attachment – Contact details
Autobahnen- und Schnellstraßen-Finanzierungs-Aktiengesellschaft
Austro Tower, Schnirchgasse 17, 1030 Vienna
T +43 (0) 50 108-10000
F +43 (0) 50 108-10020
E office@asfinag.at
ASFINAG Alpenstraßen GmbH
Rennweg 10 A, 6020 Innsbruck
T +43 (0) 50 108-10000
F +43 (0) 50 108-10020
E office@asfinag.at
ASFINAG Bau Management GmbH
Austro Tower, Schnirchgasse 17, 1030 Vienna
T 05 108-14000
F 05 108-14020
E baumanagement@asfinag.at
ASFINAG Commercial Services GmbH
Austro Tower, Schnirchgasse 17, 1030 Vienna
T 05 108-14000
F 05 108-14020
E acs@asfinag.at
ASFINAG European Toll Service GmbH
Schnirchgasse 17, 1030 Vienna
T 050 108-10000
F 050 108-10020
E office@asfinag.at
ASFINAG Maut Service GmbH
Alpenstraße 99, 5020 Salzburg
T 05 108-0
F 05 108-12282
E info@asfinag.at
ASFINAG Service GmbH
Traunuferstraße 9, 4052 Ansfelden
T 050 108-34700
F 050 108-34720
E servicecenter@asfinag.at
Version: June 2023