Find your perfect match!

Find your perfect match!

Arrival

Departure

-

-

  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • Su
Save

Occupancy

  • Occupancy
  • Rooms
    1
  • Adults
    2
  • Children
    0
Save

Save code


DATA PROTECTION POLICY "Guest booking"

Vienna House Hotelmanagement GmbH

  1. Processing activity
    Management of guest data

  2. Controller
    Vienna House Hotelmanagement GmbH ("VIENNA HOUSE")
    Business address: Dresdner Straße 87, 1200 Vienna, Austria
    Telephon: +43 1 333 73 73-0
    Email: office[a]viennahouse.com

  3. Purposes of data processing
    • On the legal basis of fulfilling or preparing the agreement
      1. Fulfilling queries from customers for reservations or information
      2. Internal administration of reservation queries and management of room availability
      3. Managing the customer's stay in the hotel by tracking services used (telephone, bar, TV etc.)
      4. Increasing customer satisfaction and customer retention by observing personal wishes, advertising measures, information on competitions and events, and conducting surveys
      5. Meeting individual requests for additional offers, recommendations and services of third-party providers
      6. Management of bonus points (settlement, redemption) within the context of and in cooperation with loyalty and bonus programmes (e.g. frequent flyer programmes)
      7. Dissemination of proprietary and third-party advertisement, directly or within online information offerings and products
      8. Settlement of conflicts
      9. Provision of communication channels to VIENNA HOUSE for servicing the contractual relationship
    • On the legal basis of a legitimate interest:
      1. Internal administration (access to rooms) and identifying conduct for appropriate handling of guests (observation of house rule and safety rules)
      2. Development of statistics and appraisals, and creation of internal reports
      3. Familiarity with and managing the preferences of new and returning customers
      4. Handling of claims and complaints
    • On the legal basis of (overriding) legitimate interests of VIENNA HOUSE for direct advertisement:
      1. Re-acquiring old customers and acquiring new customers
      2. Gathering of user numbers for services for the purposes of documenting reach
      3. Maintaining customer satisfaction and customer retention (by using profiling, see Point 9.)
      4. Disseminating/playing advertisement for offers and services of VIENNA HOUSE by use of direct advertisement ("marketing purposes") insofar as this is legally permissible
      5. Analysing user conduct and personal preferences of customers for targeted dissemination of advertisement with the goal of avoiding dispersion losses (by using profiling, see Point 9.)
      6. Improving the services of VIENNA HOUSE by conducting surveys and analysing questionnaires, managing claims/complaints and offering the benefits of loyalty programmes
    • On the legal basis of the legal obligation:
      1. Creating and storing legally-prescribed documents in observance of accounting principles
      2. Fulfilment of legal reporting requirements

  4. Changes to purpose (Forwarding)
    Direct advertisement:
    VIENNA HOUSE hereby informs that it processes customers' personal data for the purposes of direct advertisement (incl. profiling). VIENNA HOUSE intends to use direct advertisement to aid in the marketing of advertised (proprietary or third-party) services and products. The data will not be passed onto any (non-group-affiliated) third parties for this purpose. There is no incompatibility with the purpose of the original data collection.

  5. Objecting to processing for the purposes of direct advertisement:
    The customer can object to the use of their personal data for direct advertisement (including "profiling") at any time without providing any reasons to the controller. By lodging an objection, VIENNA HOUSE can no longer use the customer's personal detail for these purposes in future.

  6. Legal basis of data processing
    1. Management of guest data: Fulfilment or preparation of the agreement
    2. Direct advertisement (incl. profiling): overriding legitimate interests of VIENNA HOUSE (see Point 8.)
    3. Legal obligation (Art. 6 Para. 1 GDPR)
    4. Additional service: consent. The controller explicitly solicits the customer's consent for individual services (electronic newsletter, transfer of the data into the marketing system). This consent can be revoked at any time with future effect.

  7. Special cases of data processing:
    Access controls: protection against unauthorised access via electronic locking systems for hotel rooms (bedrooms, lounges, spa, lifts, etc.)
    Video surveillance: monitoring of publicly accessible rooms in the hotel

  8. Description of the (overriding) legitimate interests for the purposes of direct advertisement:
    VIENNA HOUSE also processes customer data (however, not the data of children or special categories personal data within the meaning of Art. 9 GDPR ("sensitive data")) to use said data for the purposes of direct advertisement for (further) products of companies affiliated with VIENNA HOUSE (see also Point 5.). VIENNA HOUSE has a legitimate interest in processing personal data for the purposes of direct advertisement (Recital 47, last section of GDPR). This solely involves the processing of customer data in the possession of VIENNA HOUSE from the contractual relationship and for which the retention period still applies. This does not involve an extension to the retention period. The primary goal of data processing is acquiring customers with the objective of bringing them into a (preliminary) contractual relationship and retaining them as customers. VIENNA HOUSE relies on its constitutionally protected freedom of running a business (Art. 6 StGG (Austrian Constitution)) and freedom of communication (particularly Art. 10 ECHR, which also protects advertising measures), and on those rights
    • To send postal advertisement;
    • To make advertising calls following consent;
    • To send electronic mail following consent;
    • To send electronic mail in accordance with Section 107 Para. 3 of the Telecommunication Act (TKG);
    VIENNA HOUSE complies with legal, communication-related requirements while using this data, particularly those of Section 107 TKG.
    • Video surveillance:
      A data protection impact assessment (Art. 35 and 36 GDPR) has been performed. Signs are placed visibly to provide notice of video monitoring. VIENNA HOUSE has a legitimate interest in the video surveillance of publicly accessible parts of the hotel in order to safeguard the protection of domiciliary right, property as well as guests.
    • Data processing within the group:
      VVIENNA HOUSE is part of a corporate group. VIENNA HOUSE uses group-affiliated companies on a collaborative basis to fulfil its extensive obligations (processing bookings via a central booking system, payment systems, marketing, accounting, etc.). VIENNA HOUSE has a legitimate interest therein (Recital 48 of GDPR).
      This particularly relates to the management of booking data from all group-affiliated companies performed via a central booking system. This database is maintained by VIENNA HOUSE; data is saved and managed centrally. The data is inputted directly by the customer, the subsidiary hotel, or the booking agent depending on the booking. Group-affiliated companies have access to this database for the purposes of contractual fulfilment (performing bookings, capacity planning, etc.).
    • IT security:
      VIENNA HOUSE saves the IP addresses of its customers for a period of 7 days in order to defend against targeted attacks in the form of overloading servers (denial of service attacks) and other damage to systems. VIENNA HOUSE has a legitimate interest in this form of data processing for the purposes of maintaining the functionality of its services provided online (Recital 49 of GDPR).

  9. Analyses of personal aspects of the customer ("profiling")
    "Gathering and storing"
    VIENNA HOUSE stores customer activities (e.g. duration of stay, orders, complaints, special services, personal preferences, response to offers etc.) to enable optimal customer care and to ensure relevant and targeted measures can be used to improve satisfaction and customer retention, and to adjust the service on an individual basis.
    Analysis of personal interests
    VIENNA HOUSE stores customer behaviour, special services, personal preferences, and thus deduces specific personal interests in order to prevent dispersion losses (and to minimise data processing operations) when playing advertising content and within direct marketing. VIENNA HOUSE uses these analysed interests in order to communicate targeted, interest-specific offers and advertising to customers and thus prevent dispersion loss in advertising.

  10. Objecting to "profiling":
    The customer can object to the use of their personal data for the purposes of profiling at any time without providing any reasons to the controller. By lodging an objection, VIENNA HOUSE can no longer use the customer's personal detail for the purpose of profiling in future.

  11. Obligation to provide data
    Customers are under no obligation to provide data except to fulfil legal reporting obligations.

  12. Automated decision-making
    The customer is not subject to any automated decision that has a legal effect upon them.

  13. Types of data processed
    Disclosed mandatorily by the customer:
    Arrival; Departure; Room number; First and last name; Date of birth; Nationality; Address(es); Accompanying person; Children; Age of children
    Disclosed voluntarily by the customer:
    Telephone; Email address(es); Invoice address; Car licence plate; Payment information (credit card details); Interests; Dietary habits; Preferences
    Gathered by VIENNA HOUSE additionally:
    Origin of data provided; Additional services used; Profession of faith; Claims, complaints; IP addresses (log files); End device data (device ID); Browser used Timestamp: date and time Initial and recurring (update); Session ID; Login data (email and encrypted password); Login checks – successful and failed logins; Interface information feature (API token); Information from the app: Device version, spare storage for information to be loaded, APP version used, software version of app and device, day of publication, regional selection, PushToken and device ID)

  14. Data sources (Unless not gathered from customer)
    Statistical data:
    Statistik Austria: Robinson entries (list protecting consumers against unsolicited advertisement via post, email, telephone and fax)

  15. External recipients of data
    Communication of electronic identification data to controllers:
    Source | Type of data
    Google Analytics, services of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland |
      Anonymised
    IP address, name of website, browser-specific information, information on website use
    „Social-plug-ins“: Facebook Inc., 1 Hacker Way, 94025 Menlo Park, USA; Instagram Inc., 1601 Willow Road, Menlo Park, CA, 94025, USA; Twitter Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA; Youtube LLC, principal place of business in 901 Cherry Avenue, San Bruno, CA 94066, USA - represented by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; LinkedIn Ireland UC.; Wilton Place,Dublin 2, Irland | IP address, URLs, cookies and data on browser settings
    For more detailed information on the types of data processing mentioned above can be found under „Cookie Information“ on our website.

  16. External data recipients (sent to commissioned data processors) within the group and external commissioned data processors:
    Group companies: A list of current group companies can be found here
    Categories of external commercial service providers:
    • Tax consultants/accountants
    • Lawyers
    • Banks and payment service providers
    • Collection agency
    • Telecommunication providers
    • External accounting platforms; booking agents and central reservation system (CRS)
    • Banks and payment service providers
    • Telecommunication companies
    Contact can be made with all group companies and commissioned data processors via VIENNA HOUSE for all data protection queries.

  17. Transfer to third states
    The following data is transferred to third states outside the EU as part of data processing:
    Land | Anwendung | Datenarten
    USA (EU-US Privacy Shield) | CRS | Contact information, financial data for cashless payments, optional preferences and customer wishes, data relating to historic bookings
    USA (EU-US Privacy Shield) | Google Analytics | anonymised IP address, name of website, browser-specific information, information on website use
    USA (EU-US Privacy Shield) | Facebook, Twitter, Instagram, Youtube | Social-Plug-ins and Pixel: address, name of website, browser-specific information, information on website use with opt-in.

  18. Retention period
    Due to the legal bases mentioned above, VIENNA HOUSE generally continues to process guest data for an additional 40 months following the end of the agreement (= 36 months for potential contractual damage claims + max. 4 months to file suit) in a manner which is personally identifiable, and thereafter deletes the data (or at least the data which allows reference to be drawn to the data subject's identity). Personally-identifiable processing of invoice data is then performed until the statutory retention obligations have expired.

  19. Data subject rights
    • Art. 15 GDPR "Right of access": The customer has the right to obtain confirmation as to whether their personal data is being processed.
    • Art. 16 GDPR "Rectification": The customer has the right to have inaccurate or incomplete personal data rectified.
    • Art. 17 GDPR "Erasure": The customer has the right to demand the erasure of personal data without undue delay where the grounds stated under Art. 17 Para. 1 GDPR apply.
    • Art. 18 GDPR "Restriction": The customer has the right to demand that the processing of personal data is restricted where the grounds stated under Art. 18 Para. 1 GDPR apply.
    • Art. 20 GDPR "Data portability": The customer has the right to receive their personal data in a structured, commonly used and machine-readable format.
    • Art. 21 GDPR "Objecting to direct advertisement" The customer has the right to lodge an objection at any time to the processing of their personal data on the basis of an overriding legitimate interest.
      Objecting to direct advertisement: the customer has the right to lodge an objection at any time to the processing of their personal data for the purposes of direct advertisement.

  20. Right to lodge a complaint
    Art. 77 GDPR
    Every customer has the right to lodge a complaint with a supervisory authority if they consider that the processing of personal data relating to them infringes this regulation.

  21. Supervisory authority
    Austria
    Austrian Data Protection Authority
    Barichgasse 40-42, 1030 Vienna, Austria
    Tel.: +43 1 52 152-0
    E-Mail: [email protected]

    Czech Republic
    The Office for Personal Data Protection
    Urad pro ochranu osobnich udaju
    Pplk. Sochora 27
    170 00 Prague 7
    Tel.: +420 234 665 111
    Fax: +420 234 665 444
    E-Mail: [email protected]
    www.uoou.cz

    Germany
    Bundesbeauftragte für den Datenschutz und die Informationsfreiheit
    Husarenstraße 30
    53117 Bonn
    Tel.: +49 228 997799 0; +49 228 81995 0
    Fax: +49 228 997799 550; +49 228 81995 550
    E-Mail: [email protected]
    www.bfdi.bund.de
    The competence for complaints is split among different data protection supervisory authorities in Germany. Competent authorities can be identified according to the list provided under www.datenschutz-wiki.de/Aufsichtsbeh%C3%B6rden_und_Landesdatenschutzbeauftragte

    Poland
    Personal Data Protection Office
    ul. Stawki 2, 00-193 Warsaw
    Tel.: +48 22 53 10 300
    Fax: +48 22 53 10 30
    Infoline: +48 606 950 000
    E-Mail: [email protected]
    www.uodo.gov.pl

    Romania
    The National Supervisory Authority for Personal Data Processing
    Opre B-dul Magheru 28-30 Sector 1
    BUCUREŞTI
    Tel.: 40.318.059.211
    Fax: 40.318.059.602
    E-Mail: [email protected]
    www.dataprotection.ro

    Slovakia
    Office for Personal Data Protection of the Slovak Republic
    Hraničná 12, 820 07
    Bratislava 27
    Tel.: + 421 2 32 31 32 14
    Fax: + 421 2 32 31 32 34
    E-Mail: [email protected]
    www.dataprotection.gov.sk

Version: Feb 2020

Download PDF