Data protection declaration and information in accordance with Articles 13 and 14 GDPR
The protection of your personal data is very important to us. We therefore process your data exclusively in a lawful manner on the basis of the statutory provisions (DSGVO, DSG 2018, TKG 2003). In this data protection information, we inform you about the most important aspects of data processing - type, scope and purpose of the collection and use of personal data - in the context of the use of our website and in the context of other services provided by our company.
1.1. Responsible for the processing
The person responsible for your data (within the meaning of Art. 4 Z 7 GDPR) for the processing of your personal data (personal data within the meaning of Art. 4 Z 1 GDPR) is:
Tourismusverband Bad Ischl
A-4820 Bad Ischl
Phone: +43 6132 27757
Data protection officer:
We take the protection of personal data seriously and have appointed an external data protection officer for this purpose. Our data protection officer is MMag. Martin Zeppezauer, Thurnbichlweg 50, A-6353 Going am Wilden Kaiser (www.zepedes.com). You can contact our data protection officer at the email address firstname.lastname@example.org.
1.2. Purposes, data categories and legal bases for the processing of personal data
Purposes of processing
The purposes of processing your personal data generally result from our business activities as a tourism organization: making our online offers available, processing customer inquiries / orders / bookings, accounting, communication with business partners and customers. Detailed information on the purposes of processing and, if necessary, further processing for other compatible purposes as well as the processed data categories can be found in the detailed descriptions of the individual data processing processes
General categories of data
• Personal master data (e.g. name, date of birth and age, address)
• Contact details (e.g. email address, telephone number, fax number)
• Communication data (time and content of communication)
• Order or booking data (e.g. ordered goods or commissioned services and invoice data such as service period, payment method, invoice date, tax identification number ...)
• Payment details (e.g. account number, credit card details)
• Contract data (content of contracts of any kind)
• Web usage data (e.g. server data, log files and cookies)
• Video surveillance images (in the tourist information checkout area)
Special categories of data (“sensitive data”) according to Art. 9 GDPR
• Health data (only if you have given us your express consent to process your order (e.g. mediation of a hotel specializing in guests with food intolerances or allergies))
Legal basis for processing
There is basically no obligation to provide the data for the data processing described in this data protection declaration. Failure to provide this data simply means that we cannot offer these services. The legal basis for the processing of your personal data, which is necessary for the fulfillment of a contract with you or an order from you to us, is Art. 6 (1) lit. b GDPR. Insofar as the processing of personal data is necessary on our part to fulfill a legal obligation (accounting obligation, bookkeeping obligation or other legal documentation obligations), Art. 6 (1) lit. c GDPR serves as the legal basis. If processing is necessary to safeguard a legitimate interest of our company or a third party and your interests, fundamental rights and freedoms do not outweigh our interests, Art. 6 (1) lit. f GDPR (“legitimate interest”) serves as the legal basis for processing. In this case, we will also inform you about our legitimate interests. Unless we have any other legal basis explained above for the processing of personal data, we will ask for your consent to data processing, whereby in these cases we refer to Art. 6 (1) lit. a GDPR or in the case of the processing of sensitive data based on Art. 9 (2) lit. a GDPR as the legal basis. You can revoke this consent at any time free of charge without affecting the legality of the processing carried out on the basis of the consent until the revocation.
1.3. Data transfer to processors and third parties
We process your personal data with the support of contract processors who support us in providing our services. These processors are through a corresponding agreement iSd. Art. 28 GDPR with us obliged to strictly protect your personal data and may not share your personal data with anyone else purpose than to provide our services. You can find out which processors are involved in the detailed descriptions of the individual data processing processes.
Your personal data will be passed on to companies other than our contract processors to typical economic service providers such as B. banks, tax consultants or auditors. Transfer of personal data to state institutions and authorities only takes place within the framework of mandatory national legal provisions.
Depending on your order (e.g. for bookings and inquiries), your personal data will only be transmitted to hotel partners or other tourist service providers (members of our organization) to the extent necessary, which are necessary to fulfill your order. The transmitted personal data vary depending on the service.
1.4. Transfers to third countries
In principle, we process your personal data in the EU. If we process data in a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA)) or if we use the services of our contract processors or third parties, this will only take place if the requirements of Art. 44 ff. GDPR are available for the transfer to third countries: i.e. on the basis of special guarantees, such as the officially recognized determination of a data protection level corresponding to the EU or in compliance with officially recognized contractual obligations, the so-called "EU standard contractual clauses". If we rely on the EU standard contractual clauses as the legal basis for the transmission of your personal data, we will also check the admissibility of this data transmission as part of a comprehensive risk assessment. If we come to a negative result, we will not process this data without your express consent in accordance with Art. 49 Paragraph 1 lit. Send Art. 6 Para. 1 lit. a GDPR to a third country.
Note on data transfers to the USA
Through the services of Google Analytics, Google Remarketing, Google Maps, Google Translate, Facebook and Youtube*, your data will (at least occasionally) also be transmitted to the third country USA. Authorities or secret services in the USA can access your data without you being able to do so legally. The ECJ has therefore determined that there is no adequate level of data protection iSd. of Art 44ff GDPR for data transfers from the EU to the USA. For this reason, the legal basis for using this service is your express consent in accordance with Art. 49 (1) lit. a GDPR.
1.5. Data deletion and storage duration
Your personal data will be deleted by us as soon as the purpose for which we collected your data no longer applies. Storage can also take place if we process the data for a purpose that is compatible with the original purpose. It can also take place if this is provided for by laws, ordinances or other provisions to which our company is subject.
1.6. Data sources
We only collect your personal data from you and do not use any other data sources.
We do not use any automated decision-making or profiling processes that have a legal effect on you or that significantly affect you in a similar manner. With your consent, however, we will use your usage data to get to know your interests better and thereby show you information that is of interest to you or to be able to make you tailor-made offers or to be able to show you corresponding information on third-party websites or social media platforms.
1.8. Safeguarding your data protection rights
In accordance with the GDPR, you have the right to information, correction, deletion, restriction, data portability, revocation and objection. To do this, please contact us as the person responsible using the contact details given in this data protection information. A detailed explanation of these rights can be found here in Chapter III.
Right to Complain
If you believe that the processing of your data violates data protection law or that your data protection claims have been violated in any other way, you can complain to the responsible supervisory authority. In Austria this is the data protection authority (Wickenburggasse 8, 1080 Vienna, email: email@example.com).
2. Visit our website
In this section we inform you how we process your personal data when you visit our website.
2.1. Presentation of the website
For technical reasons, based on the legal basis of Section 96 (3) S 3 TKG 2003 (required for the operation of our website), inter alia. The following data, which your internet browser transmits to us or to our web space provider, collects (so-called "server log files"):
• Browser type and version
• Operating system and device type used (e.g. desktop / mobile)
• Website from which you are visiting us (referrer URL)
• Website you visit
• Date and time of your access
• Your internet protocol address (IP address)
This data, which is anonymous to us, is stored separately from any personal data you may have provided and therefore does not allow us to draw any conclusions about a specific person. They are evaluated for statistical purposes in order to be able to optimize our website and our offers.
SSL or TLS encryption
For security reasons and to protect the transmission of confidential content, such as B. Orders or inquiries that you send to us as the website operator, an SSL or TLS encryption. You can recognize an encrypted connection by the fact that the address line of the browser changes from "http: //" to "https: //" or by the lock symbol in your browser line. If the SSL or TLS encryption is activated, the data that you transmit to us cannot be read by third parties.
Technical service providers
We create and edit the content of our website with the help of the following service providers, which we through a corresponding agreement within the meaning of Art. 28 GDPR to process your data exclusively to the extent of our order:
• TTG Tourismus Technologie GmbH (Freistädter Str. 119, A-4040 Linz)
Cookie Banner - Cookies on our website
Change the cookie settings in your web browser
How the web browser you are using handles cookies, i.e. which cookies are allowed or rejected, can be determined in the settings of your web browser. You can delete cookies already stored on your computer / device yourself at any time. Where exactly these settings are located depends on the respective web browser. Detailed information on this can be called up using the help function of the respective web browser.
2.3. Communication with us
Contact form and email
On our website, we offer you the option of contacting us by email and / or using a contact form. In this case, the information you provide will be processed for the purpose of processing your contact based on the legal basis of contract fulfillment in accordance with Art. 6 (1) lit. b GDPR. There is no legal or contractual obligation to provide this personal data. Failure to provide it simply means that you do not submit your request and we cannot process it. The data will only be passed on to third parties if this is stated on the website or in this data protection declaration or is necessary for the fulfillment of the contract or if this is required by statutory provisions. We only save your data for as long as is expedient for processing your inquiries or for any queries you may have.
2.4. Online shop (s) / booking portal (s)
For the purpose of providing contractual services as well as their payment and execution in the context of online purchases, bookings and prospectus orders, we process your personal master data, contract and payment data and communication data (IP address and server log files) on the basis of the legal bases of Art. 6 (1) lit. b GDPR (fulfillment of the contract) as well as Art. 6 (1) lit. c GDPR (legal obligation for invoicing and archiving).
We store this data as long as the purpose requires it, statutory provisions provide for this (retention period of invoices according to § 132 BAO for 7 years; voucher orders until the expiry of the redemption period for 30 years) or we store this data on the basis of the legal basis of Art. 6 ( 1) lit.f GDPR (legitimate interest) to defend against possible liability claims. If you cancel the order process, we will save the data to clarify possible problems during the order process for 14 days.
There is no legal or contractual obligation to provide personal data. Failure to provide them simply means that we cannot process your bookings / orders.
HRS online bookings and booking inquiries
For processing online bookings and inquiries we use your personal data to provide you with the services you have booked with the help of our service provider HRS Destination Solutions (Breslauerplatz 4, D-50668 Cologne). To do this, we save and process inventory data, communication data, contract data, payment data of our customers, interested parties and other business partners. The processing takes place for the purpose of providing contractual services or for the fulfillment of pre-contractual services on the basis of the legal bases of Art. 6 Para. 1 lit. b GDPR (booking processes, answering requests for quotations) and Art. 6 Para. 1 lit. (legally required retention periods for bookings or invoices). For this purpose, the data fields marked as necessary are required for the establishment and fulfillment of the contract. We disclose your personal data to third parties (hotel partners or other tourist service providers) within the scope of this data processing on the basis of the legal basis of Art. 6 (1) lit. . Art. 6 (1) lit. f GDPR for the use of the corresponding booking software. We have concluded a corresponding agreement with the company HRS Destination Solutions in accordance with Art. 28 GDPR as a processor, which ensures that your data will only be processed within the scope of our order. Further information on data protection from HRS Destination Solutions can be found at: www.im-web.de/datenschutzerklaerung.php.
External payment service providers
To pay for the order processes / bookings, we use external payment service providers on the basis of the legal basis of Art. 6 (1) lit. b GDPR (fulfillment of the contract), through whose platforms you can make your payments. The payment data you enter in the context of the order (e.g. account numbers, credit card numbers including check digits, passwords / TANs, etc.) are processed exclusively by our payment service providers and cannot be viewed by us. We only receive a confirmation of the payment or information that the payment could not be carried out via our payment service provider. Further information on data protection and terms and conditions of our payment service providers can be found at:
• QENTA Payment CEE GmbH, Taborstrasse1-3 / 10, 1020 Vienna (Branch: Reininghausstrasse 10, 8020 Graz)
Tel .: +43 316 813 681
• PAYONE GmbH (Six Payment), Austrian branch, Marxergasse 1B, A-1030 Vienna
Tel. +43 1 717 01 - 0
2.5. Email newsletter
E-mail newsletter (TTG)
You can register for our newsletter on our website. The legal basis for sending the newsletter is your consent within the meaning of. Art. 6 (1) lit. a GDPR. The registration for our newsletter takes place in the so-called double opt-in procedure. In this way we ensure that nobody can log in with someone else's e-mail address (e.g. with your e-mail address). Your consent can be revoked at any time free of charge by clicking on the "Unsubscribe link" at the end of each broadcast. The legality of the data processing operations that have already taken place remains unaffected by the revocation. After deleting your e-mail address, we will save it for 3 years on the basis of our legitimate interest (Art. 6 (1) lit. f GDPR) in order to be able to prove your originally given consent if necessary. We use the service provider TTG Tourismus Technologie GmbH (Freistädter Str. 119, A-4040 Linz) to send out our newsletter. With the help of TTG we can analyze our newsletter campaigns. When opening an e-mail sent with the TTG newsletter tool, a connection to the TTG servers (server location Linz, Austria) is established. In this way we can determine whether a newsletter message has been opened and which links have been clicked. The purpose of these analyzes is to better adapt future newsletters to the interests of the recipients. In addition, technical information such as the time of access, the IP address, browser type and operating system of the recipient are registered. We have a processor agreement with the TTG iSd. Art. 28 GDPR closed in order to ensure that your data is only processed to the extent desired by us and permitted by you. General data protection information from TTG at: www.ttg.at/datenschutz/.
2.6. Web analysis - statistical analysis of our website
Google Tag Manager
We use the service of the provider Google Ireland Limited ("Google") (Gordon House, Barrow Street, Dublin 4, Ireland) to manage website tags using a common tool. The Google Tag Manager tool itself (the tags implemented) is a domain that does not set any cookies and does not collect any other personal data. The tool triggers other tags, which in turn may collect data. Google Tag Manager does not access this data. If a deactivation has been made at the domain or cookie level, this remains in effect for all tracking tags that are implemented with the Google Tag Manager. Further information on data protection from Google can be found at: www.google.com/policies/privacy/.
2.7. Web marketing
Our website uses the functions of "Google Analytics Remarketing" in connection with the cross-device functions of Google AdWords and Google DoubleClick on the basis of the legal basis of your consent in accordance with Article 6 (1) lit. The provider is Google Ireland Ltd. (Gordon House, Barrow Street, Dublin 4, Ireland). This function makes it possible to link the advertising target groups created with Google Analytics Remarketing with the cross-device functions of Google AdWords and Google DoubleClick. In this way, interest-based, personalized advertising messages that have been adapted to you depending on your previous usage and surfing behavior on one device (e.g. mobile phone) can also be displayed on another of your devices (e.g. tablet or PC) . If you have given your consent, Google will link your web and app browser history to your Google account for this purpose. In this way, the same personalized advertising messages can be displayed on every device on which you log in with your Google account. To support this function, Google Analytics collects Google-authenticated user IDs, which are temporarily linked to our Google Analytics data in order to define and create target groups for cross-device advertising. You can permanently object to cross-device remarketing / targeting by deactivating personalized advertising in your Google account; follow this link: www.google.com/settings/ads/onweb/. The collected data is summarized in your Google account exclusively on the basis of your consent, which you can give to Google or revoke (Art. 6 Para. 1 lit. a GDPR). Further information on data protection from Google can be found at: www.google.com/policies/privacy/.
2.8. Integration of further services and content from third parties
We include third-party content within our website, such as videos from YouTube, maps from Google Maps, RSS feeds or graphics from others websites, a. This always presupposes that the providers of this content (hereinafter referred to as “third-party providers”) are aware of the IP address of the user. Because without the IP address, you would not be able to send the content to the browser of the respective user. The IP address is therefore required to display this content. We endeavor to only use content whose respective providers only use the IP address to deliver the content. However, we have no control over whether the third party provider uses the IP address e.g. B. save for statistical purposes. The legal basis for the use of these services, if they are necessary for the functioning of our website, is our legitimate interest in accordance with Art. 6 (1) lit.f GDPR, otherwise your consent in accordance with Art. 6 (1) lit a GDPR. Information on the purpose and scope of further processing and use of the data by the provider of the embedded services / content as well as further information within the meaning of. Art. 13 and 14 GDPR are available from the information links below. The following services / content are embedded in our website:
Our website uses the Google Translate service from Google Ireland Ltd. (Gordon House, Barrow Street, Dublin 4, Ireland). This function enables you to display our website in other languages. To use the functions of Google Translate, your IP address is recorded and usually transmitted to a Google server and stored there. The provider of this website has no influence on this data transfer. The use of Google Translate is in the interest of easy accessibility and possibility of using our online offers for international visitors. The legal basis for this is our legitimate interest within the meaning of Art. 6 Para. 1 lit.f GDPR. Further information on Google's data protection guidelines can be found at: www.google.com/intl/de/policies/privacy/.
We use the open source map service "OpenStreetMaps" (also called "OSM") from the Openstreetmap Foundation (St John's Innovation Center, Cowley Road, Cambridge, CB4 0WS, United Kingdom) for mapping Loaded by OSM. The following data is transferred to OSM: the visited page of our website, the IP address of your device and location data. The legal basis for the processing of your data is Art. 6 (1) lit. f GDPR (legitimate interest). Our legitimate interest lies in an appealing presentation of our online offer or the geographical presentation of the offers in our region. In the case of location data from mobile devices, the legal basis is your consent according to Art. 6 (1) lit. Share location data on your mobile device. More information about OSM at: wiki.openstreetmap.org/wiki/Privacy_Policy.
To protect your orders via the internet form (competitions), this website uses the reCAPTCHA service from Google Ireland Ltd. (Gordon House, Barrow Street, Dublin 4, Ireland). The legal basis of our legitimate interest iSd. 6 (1) lit. By activating the IP anonymization on this website, your IP address will be shortened beforehand by Google within member states of the European Union or in other contracting states of the Agreement on the European Economic Area and the full IP address will only be sent to a Google server in exceptional cases broadcast in the USA and abbreviated there. The IP address transmitted by your browser as part of reCAPTCHA will not be merged with other Google data. Further information on Google's data protection guidelines can be found at: www.google.com/intl/de/policies/privacy/.
We bind videos from the platform “YouTube” of the provider Google Ireland Ltd. (Gordon House, Barrow Street, Dublin 4, Ireland) in enhanced privacy mode. The implementation takes place on the basis of Art. 6 Para. 1 S. 1 lit.f GDPR, whereby our interest lies in the smooth integration of the videos and the appealing design of our website. When you call up a page in which we have embedded a YouTube video, a connection to the Google servers is established and the content is displayed on the website by notifying your browser. According to the information provided by Google, your data (in particular which of our Internet pages you have visited) as well as device-specific information including the IP address are only transmitted to the YouTube server in the extended data protection mode when you watch the video. Sometimes information is sent to the mother company Google Inc., based in the USA, is transmitted to other Google companies and to external Google partners, each of which may be located outside the European Union. By clicking on the video, you consent to this transmission. If you are logged in to Google at the same time, this information will be assigned to your Google member account. You can prevent this by logging out of your member account before visiting our website. Further information on data protection from YouTube can be found at: www.google.com/policies/privacy/.
Webfonts - "Font Awesome"
Our website uses the Webefonts service of Fonticons, Inc. (710 Blackhorn Drive, Carl Junction, 64834 MO, USA) for the uniform display of fonts and icons. When you call up one of our pages, your browser loads the required web fonts and icons from the servers of Fonticons, Inc. into your browser cache for the correct display of fonts and icons. Your IP address will be transmitted to the Fonticons, Inc. server. The legal basis for the use of Font Awesome is our legitimate interest within the meaning of. Art. 6 (1) lit.f GDPR. Our legitimate interest lies in a uniform and visually appealing presentation of our website. Further information on data protection from Font Awesome can be found at: fontawesome.com/privacy. Google Fonts Our website uses the webefonts service of the provider Google Ireland Ltd. for the uniform representation of fonts. (Gordon House, Barrow Street, Dublin 4, Ireland). When you visit one of our pages, your browser loads the required web fonts from the servers of Google Ireland Ltd. to display fonts correctly. in their browser cache. Your IP address will be sent to the servers of Google Ireland Ltd. transmitted. The legal basis for the use of Google Fonts is our legitimate interest within the meaning of. Art. 6 (1) lit.f GDPR. Our legitimate interest lies in a uniform and visually appealing presentation of our website. Further information on data protection from Google Fonts can be found at: www.google.com/intl/de/policies/privacy/
3. Other data processing in business contact
In this section we inform you about other data processing processes outside of our website.
3.1. Job applications
The contact details and application documents transmitted to us in the course of a job application are processed by us exclusively internally for the purpose of selecting suitable candidates for an employment relationship. There is no legal or contractual obligation to provide personal data. Failure to provide it simply means that you do not submit your request and we cannot process it. The personal data transmitted will be stored by us for a maximum of 6 months in accordance with the statutory provisions, and for a maximum of 2 years in the case of the applicant's express consent to keep the documents on record.
3.2. Online presence in social media
In addition to our website, we maintain an online presence within social networks and platforms: Facebook, Twitter, Instagram and YouTube in order to communicate with customers and business partners active there and to inform them about our services on these networks. When calling up the respective networks and platforms, the terms and conditions and the data protection guidelines of the respective operators of these networks apply.
Your personal data (email address, name, address) provided for participation in our competitions will only be used by us to determine a winner, to inform him about the prize and to send prizes. Your data will not be shared with third parties. The legal basis for the processing of your personal data is the fulfillment of a contract in accordance with Art 6 Paragraph 1 lit b GDPR. There is no legal or contractual obligation to provide personal data. Failure to provide the data only means that you will not be able to take part in the competition. Your data will be stored for the duration of the competition and - to process any prizes and claims for damages - for a maximum of 3 years thereafter and then deleted. By participating, you also consent to your name being published on our website and on our public social media channels if you win.
3.4. Video surveillance
For the purpose of protecting our property and for the purpose of preventing or clearing up behavior that is relevant to criminal law, we have installed video surveillance in the reception / checkout area of our information office and marked it accordingly. These surveillance images are only evaluated in the event of an incident and remain stored for a maximum of 72 hours unless there is a suspicion and are then automatically deleted. If necessary, the data will be stored for the duration of the process. The legal basis for this data processing is our legitimate interest in the protection of our property in accordance with Art. 6 (1) lit.f GDPR. There is no right to object to the processing of this data and no right to data portability.
3.5. Customer and business partner databases
CRM system (TTG)
We use the CRM system of the provider TTG (TTG Tourismus Technologie GmbH, Freistädter Str. 119, A-4040 Linz) as a database to maintain contact with customers and business partners on the basis of the legal basis of our legitimate interest in accordance with Art. 6 Para. 1 lit. f. GDPR. The stored contacts are only passed on at the express request of the business partner / customer on the basis of the legal basis of consent in accordance with Article 6 (1) lit. a GDPR. You can revoke this consent at any time by sending an email to us free of charge. We have concluded a corresponding agreement with TTG as a processor in accordance with Art. 28 GDPR, which ensures that your data will only be processed within the scope of our order. Further information on data protection at TGG can be found at: www.ttg.at/datenschutz/.
3.6. Guests / visitors WiFi
We offer freely accessible visitor WiFi in public places as well as in our offices. In order to provide the services of the hotspot for you, the use of personal data from your end device is necessary. In this context, the MAC addresses (Media Access Control address) of end devices may also be temporarily saved. Furthermore, we may save log data ("log files") on the type and scope of the use of the services for 7 days. These data cannot be assigned directly to your person, but can be assigned directly to the device you are using and thus also indirectly to your person. To provide this offer, we use the services of Energie AG Oberösterreich (Böhmerwaldstraße 3, A-4020 Linz) as our processor. We have concluded a corresponding agreement with our processor in accordance with Art. 28 GDPR, which ensures that your data will only be processed in the context of our order.
3.7. Registration for events and events
You can register for events from various providers in our region in our information offices. For this purpose we process your personal data (name, email address and telephone number). This data is processed by us on the basis of the legal basis of Art. 6 (1) lit. b GDPR (contract fulfillment / pre-contractual measures) and also passed on to the respective organizer. This data will be deleted or destroyed by us after the event.
Current version of the data protection declaration from 07/07/2021