Privacy policy of the Donation Association of the Diocese of St. Pölten

 

Name and contact details of the person responsible:
Donation organisation of the diocese of St. Pölten
Domplatz 1, 3100 St. Pölten
Tel: +43 2742 324 202
e-mail: ordinariat@dsp.at

 

Contact details of the data protection officer of the Diocese of St. Pölten:
Cathedral Square 1 
3100 St. Pölten 
e-mail: datenschutz@dsp.at

 

We process your personal data exclusively within the framework of the data protection regulations applicable in Austria (EU General Data Protection Regulation, Data Protection Act, etc.) and provide you with this information in accordance with Article 13 of the GDPR (www.dsp.at/portal/datenschutz) in order to ensure fair and transparent processing of your data:

 

Donation management and processing
The processing of personal data in connection with the administration and processing of donations is primarily carried out to fulfil the donation relationship in accordance with Article 6(1)(b) GDPR. Where necessary, processing is also carried out on the basis of the legitimate interests of the controller in accordance with Article 6(1)(f) GDPR, in particular for the proper administration of donations and for communication with donors. In addition, there are statutory retention and documentation obligations under tax and company law that make it necessary to process personal data in accordance with Article 6(1)(c) GDPR.

 

First and last name, country/region, e-mail address, donation amount and payment information (time of transaction, IBAN) are processed in connection with the processing of donations. 

 

This data is transmitted to the respective processing bank for the purpose of payment processing and to the tax authorities for the fulfilment of legal obligations in connection with the tax deductibility of donations and is also processed exclusively within the church organisation. Within the Catholic Church in the Diocese of St. Pölten, only those departments or employees who need your personal data to process the donation booking will have access to it.

 

 

Since 1 January 2017, the rule has applied that donations are no longer reported to the tax authorities by the donors themselves, but by the organisation receiving the donation. Your donation is automatically recognised as a tax-reducing special expense in the annual tax adjustment in accordance with § 4a and § 18 EStG.

 

So that your donation can be allocated to your tax file, your first name, surname and date of birth must be stated on the transfer. 

 

If payment is made by credit or debit card, the card data required for payment processing, such as card number and expiry date, are processed. For payment by credit or debit card, we use the payment service provider Stripe, 354 Oyster Point Blvd, South San Francisco, CA 94080, for efficient and secure payment processing. Despite the adequacy decision, it cannot be ruled out that US authorities may be able to access data. With regard to the transfer to the USA, there is a corresponding data protection adequacy decision, adopted by the European Commission on 10 July 2023, whereby the service provider Stripe Inc. is included in the corresponding Data Privacy Framework list: https://www.dataprivacyframework.gov/list Further information on the payment partner Stripe can be found here: https://stripe.com/privacy-center/legal 

 

Stripe is certified in accordance with the EU-US Data Privacy Framework. In addition, standard contractual clauses can be used to secure the transfer of data in accordance with 
Art 46 GDPR can be used.

 

If payment is not made by credit or debit card, but by bank transfer, for example, the payment data will be processed exclusively within the European Union, in particular by the bank processing the payment.

 

Finally, we also process your data for internal statistical and analytical purposes, in particular to evaluate the volume of donations and to improve our organisational processes. This processing is carried out on the basis of our legitimate interest in accordance with Article 6(1)(f) GDPR.

 

Duration of storage:
We process your personal data for at least 7 years until the fulfilment of the contract and beyond, insofar as legal obligations (usually of a tax law nature) exist.

 

You have the right to information, correction, deletion or restriction of the processing of your personal data processed by us, a right to object to the processing and the right to data portability in accordance with the data protection regulations applicable in Austria.

 

The Catholic Church in the Diocese of St. Pölten does not use automated decision-making, including profiling, in accordance with Article 22(1) and (4) GDPR.

 

Finally, we would like to draw your attention to your right to lodge a complaint with the Austrian Data Protection Authority (Barichgasse 40-42, 1080 Vienna).

 

 

Status March 2026

Impressum Datenschutzerklärung

Datenschutz

Wir, die Diözese St. Pölten (Firmensitz: Österreich), würden gerne mit externen Diensten personenbezogene Daten verarbeiten. Diese ist für die Nutzung der Website nicht notwendig, ermöglicht uns aber eine noch engere Interaktion mit Ihnen. Falls gewünscht, treffen Sie bitte eine Auswahl:

Google Analytics

Google LLC, USA

Purpose: Error analysis, statistical evaluation of our website

Processing operations: Collection of connection data, data from your web browser and data about the content content accessed; execution of analysis software and storage of data on your end device, anonymisation of the collected data; evaluation of the anonymous data in the form of statistics

Storage duration: data on your end device for up to two years.

Joint controller: Google LLC, Amphitheatre Parkway, Mountain View, CA 94043, USA

Legal basis for data processing: Voluntary consent that can be revoked at any time

Consequences of non-consent: No direct effect on the function of the website; however limited possibilities for further development and error analysis

Legal basis for the transfer of data to the USA: The legal basis for the data transfer to the USA is your consent in accordance with Art. 49 para. 1 lit a in conjunction with Art. 6 para. 1 lit a GDPR. The USA does not have a level of data protection corresponding to the standards of the EU. In particular, US secret services can access your data without you being informed and without you being able to take legal can take legal action against it. For this reason, the ECJ has issued a judgement declaring the previous adequacy decision declared invalid.