Find your perfect match!

Find your perfect match!

Arrival

Departure

-

-

  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • Su
Save

Occupancy

  • Occupancy
  • Rooms
    1
  • Adults
    2
  • Children
    0
Save

Save code


DATA PROTECTION POLICY "Online services"

Vienna House Hotelmanagement GmbH

  1. Processing activity
    Maintaining the online availability of information concerning the controller's company for interested parties and customers

  2. Controller
    Vienna House Hotelmanagement GmbH ("VIENNA HOUSE")
    Business address: Dresdner Straße 87, 1200 Vienna, Austria
    Telephon: +43 1 333 73 73-0
    Email: office[a]viennahouse.com

  3. Purposes of data processing
    On the legal basis of fulfilling or preparing the agreement
    1. Maintaining the availability of information and advertisement concerning the controller's company
    2. Provision of communication- and booking channels to disseminate content, service customer relationships, execute bookings and vouchers
    3. Maintaining and increasing customer satisfaction and customer retention by analysing usage behaviour with the goal of improving the service offering
    4. Gathering of user numbers for the purposes of documenting the website's reach

  4. Legal basis of data processing
    1. Online usage: contractual fulfilment.
      Use of the online media and controller is based on an agreement within the meaning of Art. 6 Para. 1 lit b GDPR ; a registration relationship arises from registration. The controller hereby discloses that they make use of third-party content (such as links, Pixel, plug-ins) when performing their contractual services. Due to technical circumstances when accessing content/the Internet, electronic identification data, particularly IP address and user's browser settings, are automatically sent to third parties when loading online pages, who further process the data under their own responsibility. The primary contractual relationship arises with the respective service provider when using the controller's social media channels.
    2. Additional services: consent.
      The controller explicitly solicits the customer's consent for individual services on the online platform (e.g. electronic newsletter). This consent can be revoked at any time with future effect.
    3. Overriding legitimate interests (see Point 6.)

  5. Change in purpose
    The controller does not undertake any change in purpose when processing personal data.

  6. Description of the (overriding) legitimate interests for the purposes of IT security:
    The controller saves the IP addresses of users for a period of 7 days in order to defend against targeted attacks in the form of overloading servers (denial of service attacks) and other damage to systems. The controller has a legitimate interest in this form of data processing for the purposes of maintaining the functionality of its services provided online (Recital 49 of GDPR).

  7. Analyses of personal aspects of the customer
    Analysis of personal aspects of the customer does not take place.

  8. Obligation to provide data
    Customers are under no obligation to provide data.

  9. Automated decision-making
    The customer is not subject to any automated decision that has a legal effect upon them.

  10. Types of data processed
    Gathered by the controller: IP addresses (log files); End device data; Browser used; Device used; Communication log; Information on account usage (e.g. date created, number of logins, data of last query); Information on newsletter subscription; User ID; Facebook user ID; Facebook email address; Facebook profile link; Date of last Facebook matching; Location

  11. Data sources (If not disclosed by customer or gathered by controller)
    E.g. login via Facebook; Social media channels (For detailed information, see Point 12)

  12. External recipients of data
    Categories of external commercial service providers (commissioned data processors): Bank payment service providers: Payment information
    Telecommunication companies: Shipping addresses
    IT service providers for processing voucher-based booking: Booking details
    Google Analytics, services of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland: anonymised IP address, name of website, browser-specific information, information on website use
    „Social-plug-ins“ (Facebook Inc., 1 Hacker Way, 94025 Menlo Park, USA; Instagram Inc., 1601 Willow Road, Menlo Park, CA, 94025, USA; Twitter Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA; Youtube LLC, principal place of business in 901 Cherry Avenue, San Bruno, CA 94066, USA - represented by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; LinkedIn Ireland UC.; Wilton Place,Dublin 2, Irland): IP address, URLs, cookies and data on browser settings

  13. Transfer to third states
    The following data is transferred to third states outside the EU as part of data processing:
    Country | Application | Types of data
    USA (EU-US Privacy Shield) | Google Analytics | anonymised IP address, name of website, browser-specific information, information on website use
    USA (EU-US Privacy Shield) | Facebook, Twitter, Instagram, Youtube, LinkedIn | Social plug-ins (after consent by double click): IP address, name of website, browser-specific information, information on website use

  14. Retention period
    Non-registered customers:
    The personal data (particularly IP address) of (non-registered) website visitors are stored for 7 days for the purposes of IT security.
    Registered customers (newsletter subscribers):
    Data from registered customers is processed by the controller upon the legal bases mentioned above for the duration of the contractual relationship. The data can be modified and deleted by the controller at any time. However, the usage agreement ends upon cancellation of the newsletter subscription, which leads to immediate deletion. More detailed information can be found here Data protection policy newsletter customer“.

  15. Data subject rights
    • Art. 15 GDPR "Right of access": The customer has the right to obtain confirmation as to whether their personal data is being processed.
    • Art. 16 GDPR "Rectification": The customer has the right to have inaccurate or incomplete personal data rectified.
    • Art. 17 GDPR "Erasure": The customer has the right to demand the erasure of personal data without undue delay where the grounds stated under Art. 17 Para. 1 GDPR apply.
    • Art. 18 GDPR "Restriction": The customer has the right to demand that the processing of personal data is restricted where the grounds stated under Art. 18 Para. 1 GDPR apply.
    • Art. 20 GDPR "Data portability": The customer has the right to receive their personal data in a structured, commonly used and machine-readable format.
    • Art. 21 GDPR "Object" The customer has the right to lodge an objection at any time to the processing of their personal data on the basis of an overriding legitimate interest.
      Objecting to direct advertisement: the customer has the right to lodge an objection at any time to the processing of their personal data for the purposes of direct advertisement.

  16. Right to lodge a complaint
    Art. 77 GDPR
    Every customer has the right to lodge a complaint with a supervisory authority if they consider that the processing of personal data relating to them infringes this regulation.

  17. Supervisory authority
    Austria
    Austrian Data Protection Authority
    Barichgasse 40-42, 1030 Vienna, Austria
    Tel.: +43 1 52 152-0
    E-Mail: [email protected]

    Czech Republic
    The Office for Personal Data Protection
    Urad pro ochranu osobnich udaju
    Pplk. Sochora 27
    170 00 Prague 7
    Tel.: +420 234 665 111
    Fax: +420 234 665 444
    E-Mail: [email protected]
    www.uoou.cz

    Germany
    Bundesbeauftragte für den Datenschutz und die Informationsfreiheit
    Husarenstraße 30
    53117 Bonn
    Tel.: +49 228 997799 0; +49 228 81995 0
    Fax: +49 228 997799 550; +49 228 81995 550
    E-Mail: [email protected]
    www.bfdi.bund.de
    The competence for complaints is split among different data protection supervisory authorities in Germany. Competent authorities can be identified according to the list provided under www.datenschutz-wiki.de/Aufsichtsbeh%C3%B6rden_und_Landesdatenschutzbeauftragte

    Poland
    Personal Data Protection Office
    ul. Stawki 2, 00-193 Warsaw
    Tel.: +48 22 53 10 300
    Fax: +48 22 53 10 30
    Infoline: +48 606 950 000
    E-Mail: [email protected]
    www.uodo.gov.pl

    Romania
    The National Supervisory Authority for Personal Data Processing
    Opre B-dul Magheru 28-30 Sector 1
    BUCUREŞTI
    Tel.: 40.318.059.211
    Fax: 40.318.059.602
    E-Mail: [email protected]
    www.dataprotection.ro

    Slovakia
    Office for Personal Data Protection of the Slovak Republic
    Hraničná 12, 820 07
    Bratislava 27
    Tel.: + 421 2 32 31 32 14
    Fax: + 421 2 32 31 32 34
    E-Mail: [email protected]
    www.dataprotection.gov.sk

Version: Feb 2020
Download PDF