DATA PROTECTION DECLARATION AND INFORMATION OBLIGATIONS ACCORDING TO ART. 13 DSGVO

1 Responsible party according to definitions in Art. 4 No. 7 of the General Data Protection Regulation (DSGVO)

 

Venediger Lodge Management GmbH

Market Street 64

5741 Neukirchen | Austria

+43 6565 6204

info@venediger-lodge.at

 

If you wish to object to the collection, processing or use of your data by us in accordance with these data protection provisions as a whole or for individual measures, you can address your objection to the person responsible.

You can save and print this data protection declaration at any time.

2 General information on data processing in the company and on the website.

For the facilitation and realisation of guest booking; the successful execution of the guest’s stay; to coordinate the hotel stay according to the wishes and interests of the guest; to ensure the provision of future hotel services which correspond with the interests of the guest; for marketing purposes as pertaining to hotel performance and the improvement of this performance.

2.1 Types of data processed

– Inventory data (e.g. names, addresses)

– Contact data (e.g. e-mail, telephone numbers)

– Content data (e.g. text entries, photographs, videos)

– Usage data (e.g. websites visited, interest in content, access times)

– Meta/communication data (e.g. device information, IP addresses)

– Contract data (e.g., subject matter of contract, term, customer category)

– Payment data (e.g. bank details, payment history)

of customers, interested parties and business partners

 

2.2 Purpose of processing

– Providing the online offer incl. functions and contents

– Answering contact requests, user communication

– Security measures

– Reach measurement/marketing

– Provision of contractual services

– Service and customer care

 

2.3 Legal basis

In accordance with Art. 13 DSGVO, we inform you of the legal basis for our data processing. If the legal bases are not mentioned in the respective paragraphs in the privacy policy, the following apply:

Obtaining consent: Art. 6 para. 1 lit. a and Art. 7 DSGVO.

Processing for the performance of services, execution of contracts and response to inquiries: Art. 6 para. 1 lit. b DSGVO

Processing for the fulfillment of legal obligations: Art. 6 para. 1 lit. c DSGVO

Processing for the protection of legitimate interests: Art. 6 (1) lit. f DSGVO

 

2.4 Cooperation with processors and third parties

In principle, we only use your personal data within our company.

If and to the extent that we involve third parties in the performance of contracts (such as logistics service providers), they will only receive personal data to the extent that the transfer is necessary for the corresponding service.

In the event that we outsource certain parts of data processing (“commissioned processing”), we contractually oblige commissioned processors to use personal data only in accordance with the requirements of data protection laws and to ensure the protection of the rights of the data subject.

The disclosure and transfer of data to processors and third parties only takes place under the following conditions:

On the basis of a legal permission (e.g. for the fulfillment of a contract according to Art. 6 para. 1 lit. b DSGVO a transfer of data to third parties is required – for example payment providers).

On the basis of your consent

On the basis of a legal obligation

On the basis of legitimate interests (e.g. when using agents, web hosts, etc.)

The commissioning of third parties for data processing by means of a commissioning processing agreement is based on Art. 28 DSGVO.

2.5 Transfers to third countries

Should data be processed outside the European Union (EU) or the European Economic Area (EEA) by using third-party services or by disclosing or transferring data to third parties, this will only be done under the following conditions:

For the fulfillment of (pre)contractual obligations.

On the basis of your consent

On the basis of a legal obligation

On the basis of legitimate interests

Subject to legal or contractual permissions, we process or have data processed in a third country only if the specific conditions of Art. 44 et seq. DSGVO – the processing is carried out on the basis of special guarantees, such as the officially recognized determination of a level of data protection that corresponds to the EU (e.g. for the USA by the “Privacy Shield”) or compliance with officially recognized special contractual obligations.

 

2.6 Retention or deletion of data

Data processed by us will be deleted or restricted in processing in accordance with Art. 17 and 18 DSGVO. Unless explicitly stated in this privacy policy, data will be deleted if it is no longer required for its intended purpose and the deletion is not subject to any legal retention obligations. If the data is required for other and legally permissible purposes, it will not be deleted, but its processing will be restricted so that it is not processed for other purposes. This applies, for example, to data that must be retained for reasons of commercial or tax law.

In accordance with legal requirements, retention is carried out in particular for 7 years in accordance with Section 132 (1) BAO (accounting records, vouchers/invoices, accounts, receipts, business papers, statement of income and expenditure, etc.), for 22 years in connection with real property and for 10 years for records in connection with electronically provided services, telecommunications, radio and television services provided to non-entrepreneurs in EU member states and for which the Mini-One-Stop-Shop (MOSS) is used.

 

2.7 Provision of contractual services

We process inventory data (e.g. names and addresses as well as contact data of users), contract data (e.g. services used, names of contact persons, payment information) for the purpose of fulfilling our contractual obligations and services pursuant to Art. 6 para. 1 lit b. DSGVO. The entries marked as mandatory in online forms, are required for the conclusion of the contract.

The following data is processed:

Inventory data (e.g. customer master data, such as company name, name contact person or addresses).

Contact data (e.g. e-mail, telephone numbers)

Content data (e.g. text entries, photographs, videos)

Contract data (e.g. subject of contract, term)

Payment data (e.g. bank details, payment history)

Usage and metadata (e.g. in the context of evaluating and measuring the success of marketing measures)

As a matter of principle, we do not process special categories of personal data, unless these are components of commissioned processing. Data subjects include our customers, prospective customers as well as their customers, users, website visitors or employees as well as third parties. The purpose of the processing is the provision of contractual services, billing and our customer service. The legal basis for the processing results from Art. 6 para. 1 lit. b DSGVO (contractual services), Art. 6 para. 1 lit. f DSGVO (analysis, statistics, optimization, security measures). We process data that are necessary for the justification and fulfillment of the contractual services and point out the necessity of their indication. Disclosure to external parties only takes place if it is necessary in the context of an order. When processing the data provided to us as part of an order, we act in accordance with the instructions of the client as well as the legal requirements of a contract processing pursuant to Art. 28 DSGVO and do not process the data for any other purposes than those specified in the order.

We delete the data after expiry of legal warranty and comparable obligations. The necessity of keeping the data is reviewed every three years; in the case of legal archiving obligations, the deletion takes place after their expiry (end of tax law retention obligation (7 years) according to § 132 para. 1 BAO). In the case of data disclosed to us by the client within the scope of an order, we delete the data in accordance with the specifications of the order, in principle after the end of the order.

 

2.8 Administration, financial accounting, office organization, contact management.

We process data in the context of administrative tasks as well as organization of our operations, financial accounting and compliance with legal obligations, such as archiving. In this regard, we process the same data that we process in the course of providing our contractual services. The processing bases are Art. 6 para. 1 lit. c. DSGVO, Art. 6 para. 1 lit. f. DSGVO. Customers, interested parties, business partners and website visitors are affected by the processing. The purpose and our interest in the processing lies in the administration, financial accounting, office organization, archiving of data, i.e. tasks that serve the maintenance of our business activities, performance of our tasks and provision of our services. The deletion of data with regard to contractual services and contractual communication corresponds to the information mentioned in these processing activities.

In this context, we disclose or transfer data to the tax authorities, consultants, such as tax advisors or auditors, as well as other fee offices and payment service providers.

Furthermore, based on our business interests, we store information on suppliers, event organizers and other business partners, e.g. for the purpose of contacting them at a later date. This data, most of which is company-related, is generally stored permanently.

 

2.9 Online presence in social media

In order to communicate with customers, interested parties and users active there and to be able to inform them about our services, we maintain company presences in social networks and platforms. When calling up the respective networks and platforms, the terms and conditions and data processing policies of the respective operators apply. Unless otherwise stated here in our privacy policy, we process the data of users if they communicate with us within the social networks and platforms (e.g. writing posts on our online presences or sending messages).

 

3 General use of the website

3.1 Hosting

The hosting services used by us serve to provide infrastructure and platform services, computing capacity, storage space and database services, security services and technical maintenance services, which we use for the purpose of operating this online offering.

We or the hosting provider process inventory data, contact data, content data, contract data, usage data, meta data and communication data of customers, interested parties and visitors of this online offer on the basis of our legitimate interests in an efficient and secure provision of this online offer pursuant to Art. 6 para. 1 lit. f) DSGVO in conjunction with. Art. 28 DSGVO (conclusion of order processing contract).

 

3.2 Access data/server log files

We or our hosting provider collect data about each access to the server on which this service is located (so-called server log files). We automatically collect information about your usage behavior and your interaction with us and register data about your computer or mobile device. We collect, store and use data about each access to our online offer. Access data includes:

Name and URL of the file accessed

date and time of access

amount of data transferred

message about successful retrieval (HTTP response code)

browser type and browser version

operating system

Referer URL (i.e. the previously visited page)

Websites that are called up by the user’s system via our website

Internet service provider of the user

IP address and the requesting provider

We use this log data without assigning it to you personally or otherwise profiling it for statistical evaluations for the purpose of operating, securing and optimizing our online offering, but also to anonymously record the number of visitors to our website (traffic) and the extent and type of use of our website and services, as well as for billing purposes to measure the number of clicks received from cooperation partners. Based on this information, we can provide personalized and location-based content and analyze traffic, search for and correct errors, and improve our services.

This is also our legitimate interest according to Art 6 (1) f) DSGVO.

We reserve the right to review the log data retrospectively if there is a justified suspicion of unlawful use based on concrete indications. We store IP addresses for a maximum period of 3 months in the log files if this is necessary for security purposes or for the provision of services or billing for a service, for example, if you use one of our offers. After cancellation of the order process or after receipt of payment, we delete the IP address if it is no longer required for security purposes. We also store IP addresses if we have a concrete suspicion of a criminal offense in connection with the use of our website. We also store the date of your last visit as part of your account (e.g. when registering, logging in, clicking links, etc.). Data whose further retention is required for evidentiary purposes is exempt from deletion until the respective incident is finally clarified.

 

3.3 SSL encryption

This site uses SSL encryption for security reasons and to protect the transmission of confidential content, such as the inquiries and orders that you send to us as site operator. You can recognize an encrypted connection by the fact that the address line of the browser changes from “http://” to “https://” and by the lock symbol in your browser line. You can find out more about data security in section 6.

 

3.4 Personal data via website

Personal data that you transmit electronically via this website, such as your name, e-mail address, address or other personal details, will only be used by us for the specified purpose, stored securely and not passed on to third parties. The provider automatically collects and stores information on the web server such as the browser used, operating system, referring page, IP address, time of access, etc.. This data cannot be assigned to any specific person without checking further data sources and we do not evaluate this data further as long as there is no illegal use of our website.

 

3.5 Contact with us

If you contact us (e.g. contact form, e-mail, telephone or social media), the data you provide will be processed for the purpose of handling the contact request and its processing as well as for follow-up questions pursuant to Art. 6 para. 1 lit. b) DSGVO; this is also our legitimate interest pursuant to Art. 6 para. 1 lit. f) DSGVO. We do not pass on this data without your consent. We only store and use other personal data if you consent to this or if this is legally permissible without special consent. User details may be stored in a customer relationship management system (“CRM system”) or comparable inquiry organization. We delete the inquiries if they are no longer necessary. We review the necessity every two years; Furthermore, the legal archiving obligations apply.

You have the right to revoke your consent at any time with effect for the future. In this case, your personal data will be deleted immediately. Your personal data will also be deleted without your revocation if we have processed your request or you revoke the consent to storage granted here. This also happens if the storage is inadmissible for other legal reasons.

“Mandatory fields are marked with an *”.

 

3.6 Integration of third-party services and content

Within our online offer, we use content or service offers from third-party providers to integrate their content and services, such as videos or fonts. This is done on the basis of our legitimate interests (i.e. interest in the analysis, optimization and economic operation of our online offer within the meaning of Art. 6 para. 1 lit. f. DSGVO).

This always requires that the third-party providers of this content, perceive the IP address of users, because without the IP address they could not send the content to their browser. The IP address is thus necessary for the display of this content. We strive to use only such content whose respective providers use the IP address only for the delivery of the content. Third-party providers may also use so-called pixel tags for statistical or marketing purposes. The “pixel tags” can be used to evaluate information such as visitor traffic on the pages of this website. The pseudonymous information may also be stored in cookies on the user’s device and may contain, among other things, technical information about the browser and operating system, referring websites, time of visit and other information about the use of our online offer, as well as be linked to such information from other sources.

To contracted service providers who supply cloud-based software and data handling solutions to the hotel. These providers operate with the sole purpose of processing and analysing guest data for the aforementioned purposes.

 

3.7 Integration of Elfsight Apps

Venediger Lodge uses the services of Elfsight to integrate Instagram photos and the route planner. Details on the handling of personal data by Elfsight and the associated rights can be found in the Elfsight privacy policy: https://elfsight.com/privacy-policy/

 

4 Processing of inventory data

Services used and service providers:

 

5 Your rights as a data subject affected by data processing.

Under applicable laws, you have various rights regarding your personal data. If you wish to exercise these rights, please send your request by e-mail or by post, clearly identifying yourself, to the address mentioned in section 1.

Below you will find an overview of your rights.

 

5.1 Right to confirmation and information according to Art. 15 DSGVO

You have the right to receive confirmation from us at any time as to whether personal data relating to you is being processed. If this is the case, you have the right to request from us free information about the personal data stored about you, together with a copy of this data.

Furthermore, you have the right to the following information:

the purposes of processing;

the categories of personal data processed;

the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular in the case of recipients in third countries or international organizations;

if possible, the planned duration for which the personal data will be stored or, if this is not possible, the criteria for determining this duration;

the existence of a right to obtain the rectification or erasure of personal data concerning you, or to obtain the restriction of processing by the controller, or a right to object to such processing;

The existence of a right of appeal to a supervisory authority;

if the personal data is not collected from you, any available information about the origin of the data;

the existence of automated decision-making, including profiling, pursuant to Article 22(1) and (4) of the GDPR and, at least in these cases, meaningful information about the logic involved and the scope and intended effects of such processing for you.

If personal data are transferred to a third country or to an international organization, you have the right to be informed about the appropriate safeguards pursuant to Article 46 of the GDPR in connection with the transfer.

 

5.2 Right to rectification or completion pursuant to Art. 16 DSGVO.

You have the right to request that we correct any inaccurate personal data relating to you without undue delay. Taking into account the purposes of the processing, you have the right to request the completion of incomplete personal data – also by means of a supplementary declaration.

 

5.3 Right to erasure (“right to be forgotten”) pursuant to Art. 17 DSGVO

Pursuant to Art. 17(1) DSGVO, you have the right to request that we delete personal data concerning you without undue delay, and we are obliged to delete personal data without undue delay if one of the following reasons applies:

The personal data is no longer necessary for the purposes for which it was collected or otherwise processed.

You revoke your consent on which the processing was based pursuant to Art. 6 (1) p. 1 a) DSGVO or Art. 9 (2) a) DSGVO and there is no other legal basis for the processing.

You object to the processing pursuant to Art. 21 (1) DSGVO and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Art. 21 (2) DSGVO.

 

The personal data have been processed unlawfully.

The erasure of the personal data is necessary for compliance with a legal obligation under Union or Member State law to which we are subject.

The personal data has been collected in relation to information society services offered in accordance with Article 8(1) of the GDPR.

If we have made the personal data public and we are obliged to erase it pursuant to Article 17(1) of the GDPR, we shall take reasonable measures, including technical measures, having regard to the available technology and the cost of implementation, to inform data controllers who process the personal data that you have requested that they erase all links to, or copies or replications of, that personal data.

 

5.4 Right to restriction of processing according to Art. 18 DSGVO.

You have the right to request us to restrict processing if one of the following conditions is met:

the accuracy of the personal data is contested by you for a period of time which enables us to verify the accuracy of the personal data,

the processing is unlawful and you have refused to erase the personal data and have instead requested the restriction of the use of the personal data;

we no longer need the personal data for the purposes of processing, but you need the data to assert, exercise or defend legal claims; or

you have objected to the processing pursuant to Article 21 (1) DSGVO, as long as it has not yet been determined whether the legitimate reasons of our company outweigh yours.

 

5.5 Right to data portability pursuant to Art. 20 DSGVO.

You have the right to receive the personal data concerning you that you have provided to us in a structured, common and machine-readable format, and you have the right to transfer this data to another controller without hindrance from us, provided that

the processing is based on consent pursuant to Art. 6 (1) p. 1 a) DSGVO or Art. 9 (2) a) DSGVO or on a contract pursuant to Art. 6 (1) p. 1 b) DSGVO and

the processing is carried out with the help of automated procedures.

When exercising your right to data portability pursuant to paragraph 1, you have the right to obtain that the personal data be transferred directly from us to another controller, to the extent that this is technically feasible.

 

5.6 Right of objection according to Art. 21 DSGVO.

You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you which is carried out on the basis of Article 6 (1) sentence 1 e) or f) DSGVO; this also applies to profiling based on these provisions. We will no longer process the personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims.

If we process personal data for the purpose of direct marketing, you have the right to object at any time to processing of personal data concerning you for the purpose of such marketing; this also applies to profiling insofar as it is related to such direct marketing.

You have the right to object, on grounds relating to your particular situation, to the processing of personal data concerning you which is carried out for scientific or historical research purposes or for statistical purposes pursuant to Article 89(1) DSGVO, unless the processing is necessary for the performance of a task carried out in the public interest.

 

5.7 Automated decisions including profiling

You have the right not to be subject to a decision based solely on automated processing – including profiling – which produces legal effects concerning you or similarly significantly affects you.

Automated decision-making based on the personal data collected will not take place.

 

5.8 Right to revoke a data protection consent

You have the right to revoke consent to the processing of personal data at any time.

 

5.9 Right to complain to a supervisory authority pursuant to Art. 77 DSVO.

You have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your place of residence, your place of work or the place of the alleged infringement, if you are of the opinion that the processing violates data protection law or that your data protection rights have been violated in any other way. In Austria, this is the data protection authority.

 

6 Data security

We make every effort to ensure the security of your data within the framework of the applicable data protection laws and technical possibilities.

Your personal data is transmitted encrypted with us. This applies to your orders and also to the customer login. We use the SSL (Secure Socket Layer) coding system, but we would like to point out that data transmission on the Internet (e.g. when communicating by e-mail) can have security gaps. Complete protection of data against access by third parties is not possible.

To protect your data, we maintain technical and organizational security measures in accordance with Art. 32 DSGVO, which we constantly adapt to the state of the art.

We also do not guarantee that our offer will be available at certain times; disruptions, interruptions or failures cannot be ruled out. The servers we use are carefully backed up on a regular basis.

You can reach us at the following contact details:

Venediger Lodge Management GmbH

Market Street 6

5741 Neukirchen | Austria

+43 6565 6204

info@venediger-lodge.at