Privacy Policy

Last updated:October 6, 2022

Thank you for your interest in the information on our website!

The purpose of this Privacy Policy is to inform users of our website about the nature, scope, and purposes of the processing of personal data. In this context, personal data refers to any information that can be used to personally identify you as a user of our website (theoretically, possibly through indirect means or by linking various data), including your IP address. Information stored in cookies is generally not personal data, or is only personal data in exceptional cases; however, this is covered by a special provision that makes the permissibility of cookie use largely dependent on the user’s active consent, depending on the purpose of the cookies.

In a general section of this Privacy Policy, we provide you with information on data protection that generally applies to our processing of data, including data collection on our website. In particular, as data subjects, you are informed of the rights to which you are entitled.

The terms used in our Privacy Policy and our data protection practices are governed by the provisions of the EU General Data Protection Regulation (“GDPR”) and other applicable national laws.

Person in charge

Hotel Opernring Betriebsgesellschaft m.b.H.
FN 228656 i
Wipplingerstraße 35, 5th floor
1010 Vienna
Austria

E: office@o11-hotel.com
T: +43 1 5875518-0
Data Collection on Our Website

We collect personal data from you when you expressly provide it to us, and we also automatically collect certain data—particularly technical data—when you visit our website. Some of this data is collected to ensure that our website functions properly. Other data may be used for analytical purposes. However, you can generally use our website without having to provide any personal information.

Technologies on our website

Adobe Typekit

Our website uses external “Typekit” fonts provided by Adobe Systems Software Ireland Limited, 4-6 Riverwalk, Citywest Business Campus, Dublin 24, Ireland (“Adobe”) to ensure consistent font display.

ATTENTION! This service involves the transfer of data to the United States, or such a transfer cannot be ruled out.

When you visit our website, your browser downloads the necessary fonts directly from Adobe so that they can be displayed correctly on your device. In doing so, your browser establishes a connection to Adobe’s servers in the United States. As a result, Adobe is informed that our website has been accessed via your IP address. According to Adobe, no cookies are used in the process of delivering the fonts.

We process your data in order to ensure a consistent and appealing presentation of our online content. This constitutes a legitimate interest within the meaning of Article 6(1)(f) of the GDPR.

For more information about Adobe Typekit Web Fonts, visit: https://www.adobe.com/privacy/policies/typekit.html. Adobe’s privacy policy can be found at: https://www.adobe.com/privacy/policy.html

Cookies and Local Storage

We use cookies on our website to make it more user-friendly and functional. Some cookies are stored on your device.

Cookies are small data packets exchanged between your browser and our web server when you visit our website. They cause no harm whatsoever and are used solely to recognize website visitors. Cookies can only store information provided by your browser, i.e., information that you have entered into the browser yourself or that is available on the website. Cookies cannot execute code and cannot be used to access your device.

The next time you visit our website using the same device, the information stored in cookies may subsequently be sent back either to us (“first-party cookie”) or to a third-party web application to which the cookie belongs (“third-party cookie”). Based on the stored and returned information, the respective web application recognizes that you have already accessed and visited the website using your device’s browser.

Cookies contain the following information:

Cookie Name
Name of the server from which the cookie originally came
Cookie ID
A date on which the cookie is automatically deleted

Depending on their purpose and function, we classify cookies into the following categories:

Technically necessary cookies, which are required to ensure the technical operation and basic functionality of our website. These types of cookies are used, for example, to retain your settings as you navigate the website; or they may ensure that important information is preserved throughout your session (e.g., login, shopping cart).
Statistics cookies, which help us understand how visitors interact with our website by collecting and analyzing information anonymously. This provides us with valuable insights that enable us to optimize both the website and our products and services.
Marketing cookies used to deliver targeted advertising to users on our website.
Unclassified cookies are cookies that we are currently working with third-party cookie providers to classify.

Depending on their storage duration, we also classify cookies as session cookies and persistent cookies. Session cookies store information that is used during your current browser session. These cookies are automatically deleted when you close your browser. No information is left on your device. Persistent cookies store information between visits to the website. Based on this information, you are recognized as a returning visitor on your next visit, and the website responds accordingly. The lifespan of a persistent cookie is determined by the cookie provider.

The legal basis for the use of technically necessary cookies is our legitimate interest in the technically sound operation and smooth functionality of our website, in accordance with Article 6(1)(f) of the GDPR. Our website cannot function properly without these cookies. The use of statistical and marketing cookies requires your consent in accordance with Article 6(1)(a) of the GDPR. You may withdraw your consent to the use of cookies at any time with future effect in accordance with Article 7(3) of the GDPR. Consent is voluntary. If consent is not given, there are no disadvantages. Further information about the cookies we actually use (in particular regarding their purpose and storage duration) can be found in this Privacy Policy and in the information about the cookies we use in our cookie banner.

You can also configure your web browser to prevent cookies from being stored on your device altogether, or to prompt you each time to confirm whether you consent to the use of cookies. You can delete cookies at any time once they have been set. For detailed instructions on how to do this, please refer to your browser’s help section.

Please note that disabling cookies altogether may result in limited functionality on our website.

On our website, we also use so-called local storage functions (also known as “local storage”). This involves storing data locally in your browser’s cache; this data remains there even after you close your browser—unless you clear the cache or it is session storage—and can still be accessed.

Third parties cannot access the data stored in local storage. If specific plugins or tools use local storage functions, this is described in the documentation for the respective plugin or tool.

If you do not want plugins or tools to use local storage features, you can manage this in your browser settings. Please note that this may result in some functional limitations.

Facebook Pixel

Purpose: Marketing
Destination country: USA

Our website uses the Facebook Pixel service provided by the social network Facebook, which is operated by Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (“Facebook”), for the purposes of analyzing, optimizing, and ensuring the efficient operation of our online services.

ATTENTION! This service involves the transfer of data to the United States, or such a transfer cannot be ruled out.

With the help of Facebook pixels, Facebook is able to identify visitors to our website as a target audience for displaying ads (so-called “Facebook Ads”). Accordingly, we use Facebook Pixel to display the Facebook Ads we place only to those Facebook users who have shown an interest in our online offering or who exhibit certain characteristics (e.g., interests in specific topics or products, determined based on the websites they have visited), which we transmit to Facebook (so-called “Custom Audiences”). We also use Facebook pixels to ensure that our Facebook ads align with users’ potential interests and do not come across as intrusive. Additionally, Facebook pixels allow us to track the effectiveness of Facebook ads for statistical and market research purposes by determining whether users were redirected to our website after clicking on a Facebook ad (so-called “conversion”).

Your actions are stored in one or more cookies. These cookies allow Facebook to match your user data (such as your IP address and user ID) with the data in your Facebook account. The collected data is anonymous to us and cannot be viewed by us; it is used solely for advertising purposes. You can prevent this link to your Facebook account by logging out before performing any actions.

The processing of your data is based on your consent within the meaning of Article 6(1)(a) of the GDPR. You may withdraw this consent at any time with future effect.

For more information on how Facebook processes personal data, including the legal bases on which Facebook relies and the options available to data subjects for exercising their rights with respect to Facebook, please see Facebook’s Privacy Policy at https://de-de.facebook.com/policy.php

To control the types of ads you see on Facebook, visit the page Facebook has set up and follow the instructions for managing interest-based ads: https://www.facebook.com/settings?tab=ads

The settings are platform-independent, meaning they apply to all devices, such as desktop computers or mobile devices.

For general information on displaying Facebook ads, please visit: https://de-de.facebook.com/policy.php

For specific information and details about the Facebook Pixel and how it works, please visit the Facebook Help Center: https://de-de.facebook.com/business/help/651294705016616

Font Awesome

Our website uses web fonts provided by Fonticons, Inc. to ensure consistent display of fonts and icons.

When you visit a page, your browser loads the necessary web fonts into its cache to display text and fonts correctly. To do this, the browser you are using must connect to Fonticons’ servers. As a result, Fonticons becomes aware that our website has been accessed via your IP address.

We use web fonts to ensure a consistent and visually appealing presentation of our online content. This constitutes a legitimate interest within the meaning of Article 6(1)(f) of the GDPR.

If your browser does not support web fonts, a default font from your computer will be used.

For more information about Font Awesome, visit https://fontawesome.com/help and in the privacy policy of Fonticons, Inc.: https://fontawesome.com/privacy

Giggle

We use the Giggle booking service on our website. This service is provided by Giggle GmbH, Jahnstraße 18, A-6020 Innsbruck, Austria (“Giggle”). Giggle allows users to book events and services online through our website.

When you access the Giggle service, your IP address is transmitted to a Giggle server. If you make an online booking for an event or service via Giggle through our website, we process your email address, the booked service or event, and your related data, as well as your first and last name, in order to handle your request. In some cases, we also use your phone number to provide you with relevant information regarding the booked event or service.

Your data is processed for the purpose of fulfilling the contract or pre-contractual obligations in accordance with Article 6(1)(b) of the GDPR. We store your data to process your booking and, in addition, to comply with our legal retention requirements.

For more information about Giggle, visit: https://hotel.giggle.tips/privacy

Google Tag Manager

Our website uses the Google Tag Manager service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (“Google”).

ATTENTION! This service involves the transfer of data to the United States, or such a transfer cannot be ruled out.

When Google Tag Manager is launched, your browser connects to Google's servers. This allows Google to determine that our website has been accessed via your IP address.

Tag Manager is a service that allows us to manage website tags via a user interface. This enables us to embed code snippets, such as tracking codes or conversion pixels, into websites without modifying the source code. Tag Manager only forwards the data; it does not collect or store it. Tag Manager itself is a cookie-free domain and does not process any personal data, as it serves solely to manage other services within our online offering. Tag Manager handles the resolution of other tags, which may themselves collect data. However, Tag Manager does not access this data. If deactivation has been performed at the domain or cookie level, this setting remains in effect for all tracking tags implemented via Tag Manager.

Here you can find out exactly where Google data centers are located: https://www.google.com/about/datacenters/inside/locations/

For more information on data protection, please visit the following Google websites:

Privacy Policy: https://policies.google.com/privacy
Google Tag Manager FAQ: https://www.google.com/intl/de/tagmanager/faq.html
Google Tag Manager Terms of Service: https://marketingplatform.google.com/intl/de/about/analytics/tag-manager/use-policy/
Google Ads Data Processing Terms, including standard contractual clauses for transfers to third countries: https://business.safety.google/adsprocessorterms/

Hosting

As part of our website hosting, all data processed in connection with the operation of our website is stored. This is necessary to enable the website to function. We therefore process the data on the basis of our legitimate interest pursuant to Article 6(1)(f) of the GDPR in optimizing our website offering. To provide our online presence, we use services from web hosting providers to whom we provide the aforementioned data within the scope of data processing pursuant to Article 28 of the GDPR.

When you contact us, your information will be used to process your inquiry and handle it in accordance with the fulfillment of pre-contractual rights and obligations under Article 6(1)(b) of the GDPR. The processing of your data is necessary to handle and respond to your inquiry; otherwise, we will not be able to respond to your inquiry, or at best only to a limited extent. The information may be stored in a customer and prospect database for direct marketing purposes based on our legitimate interest pursuant to Article 6(1)(f) of the GDPR.

We will delete your inquiry and your contact information once your inquiry has been fully resolved and there are no legal retention requirements preventing the deletion, such as those related to the subsequent fulfillment of a contract. This is usually the case if there has been no contact with you for a continuous period of three years.

Server log files

For technical reasons, particularly to ensure that our website functions properly and securely, we process technically necessary data regarding visits to our website in so-called server log files, which your browser automatically transmits to us.

The access data we process includes:

Name of the website visited
Browser type used, including version
the visitor's operating system
the page the visitor previously visited (referrer URL)
Time of the server request
amount of data transferred
Hostname of the accessing computer (IP address used)

This data is not associated with any specific individuals and is used solely for statistical analysis, as well as for the operation and improvement of our website and to ensure the security and optimization of our online services. This data is transmitted solely to our website host. This data is not combined or merged with other data sources. If there is suspicion of unlawful use of our website, we reserve the right to review this data retrospectively. Data processing is based on our legitimate interest pursuant to Article 6(1)(f) of the GDPR in the technically error-free presentation and optimization of our website.

Access data is deleted shortly after the purpose has been fulfilled, usually within a few days, unless further retention is necessary for evidentiary purposes. Otherwise, the data is retained until the incident has been fully resolved.

SSL encryption

When you visit our website, we use the widely adopted SSL (Secure Sockets Layer) protocol in conjunction with the highest encryption level supported by your browser. You can tell whether a particular page on our website is being transmitted securely by the closed key or lock icon displayed in your browser’s status bar. The use of this protocol is based on our legitimate interest pursuant to Article 6(1)(f) of the GDPR in the use of appropriate encryption techniques.

We also implement appropriate technical and organizational security measures in accordance with Article 32 of the GDPR to protect your data against accidental or intentional manipulation, partial or complete loss, destruction, or unauthorized access by third parties. Our security measures are continuously improved in line with technological developments and kept up to date with the latest standards.

General Information on Data Protection

The following provisions in our Privacy Policy apply not only to the collection of data on our website, but also generally to the processing of personal data in other contexts.

Personal data

Personal data is information that can be linked to you individually. Examples include your address, name, mailing address, email address, and phone number. Information such as the number of users visiting a website is not considered personal data because it cannot be linked to a specific individual.

Legal Basis for the Processing of Personal Data

Unless more specific information is provided in this Privacy Policy (e.g., regarding the technologies used), we may process your personal data on the following legal grounds:

Consent pursuant to Article 6(1)(a) of the GDPR– The data subject has given consent to the processing of his or her personal data for one or more specific purposes.
Performance of a contract and pre-contractual measures pursuant to Article 6(1)(b) of the GDPR– Processing is necessary for the performance of a contract to which the data subject is a party or for the implementation of pre-contractual measures.
Legal obligation pursuant to Article 6(1)(c) of the GDPR– Processing is necessary for compliance with a legal obligation.
Protection of vital interests pursuant to Article 6(1)(d) of the GDPR– Processing is necessary to protect the vital interests of the data subject or of another natural person.
Legitimate interests pursuant to Article 6(1)(f) of the GDPR– Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.

Please note that, in addition to the provisions of the GDPR, national data protection laws in your or our home country may apply.

Transfer of Personal Data

Your personal data will not be disclosed to third parties for any purposes other than those listed in this Privacy Policy.

We will only share your personal information with third parties if:

you have given your explicitconsentto this in accordance withArticle 6(1)(a) of the GDPR,
the disclosure is necessary pursuantto Article 6(1)(f) of the GDPRto safeguardlegitimate interestsand to assert, exercise, or defend legal claims, and there is no reason to believe that you have an overriding legitimate interest in preventing the disclosure of your data,
there is alegal obligationto disclose the data pursuantto Article 6(1)(c) of the GDPR, and this is permitted by law and/or
it is necessary for theperformance of a contractwith you, in accordance withArticle 6(1)(b) of the GDPR.

Collaboration with Data Processors

We carefully select the service providers who process personal data on our behalf. If we engage third parties to process personal data under a data processing agreement, we do so in accordancewith Article 28 of the GDPR.

Transfer to third countries

If we process data in a third country, or if this occurs in connection with the use of third-party services or the disclosure or transfer of data to other individuals or companies, this is done solely on the basis of the legal grounds set forth above regarding the transfer of data.

Subject to express consent or contractual necessity, we process or have the data processed in accordance with Art. 44–49 of the GDPR only in third countries with a level of data protection recognized as adequate or on the basis of specific safeguards, such as a contractual obligation through the European Commission’s Standard Contractual Clauses, the existence of certifications, or binding internal data protection policies.

Data transfers to the United States / End of the Privacy Shield

We would like to expressly point out that, as of July 16, 2020, due to a legal dispute between a private individual and the Irish Data Protection Commission, the so-called “Privacy Shield”—an adequacy decision by the European Commission under Article 45 of the GDPR, which confirmed that the United States maintains an adequate level of data protection under certain circumstances—is no longer valid, effective immediately.

The Privacy Shield therefore no longer constitutes a valid legal basis for the transfer of personal data to the United States!

If we do transfer data to the United States or use a service provider based in the United States, we explicitly mention this in this Privacy Policy (see, in particular, the description of the technologies on our website).

What does the transfer of personal data to the United States mean for you as a user, and what risks are involved?

In any case, the risks for you as a user stem from the powers of U.S. intelligence agencies and the legal situation in the United States, which, in the view of the European Court of Justice, no longer ensure an adequate level of data protection. These include, among other things, the following points:

Section 702 of the Foreign Intelligence Surveillance Act (FISA) imposes no restrictions on intelligence agencies’ surveillance activities and provides no safeguards for non-U.S. citizens.
Presidential Policy Directive 28 (PPD-28) does not provide affected individuals with effective legal remedies against actions taken by U.S. authorities and does not establish safeguards to ensure that such actions are proportionate.
The ombudsman provided for under the Privacy Shield does not have sufficient independence from the executive branch; he cannot issue binding orders to the intelligence agencies.

Is the transfer of data to the U.S. in compliance with the law based on the Standard Contractual Clauses?

The standard contractual clauses adopted by the Commission in 2010 (2010/87/EU of February 5, 2010), Article 46(2)(c) of the GDPR, remain valid; however, a level of protection for personal data equivalent to that in the European Union must be ensured. Thus, not only are the contractual relationships with our service providers relevant here, but also the possibility of access to the data by authorities in the United States and the legal system there (legislation and case law, administrative practices of authorities).

The standard contractual clauses are not binding on public authorities in the United States and therefore do not provide adequate protection in cases where such authorities are authorized under U.S. law to interfere with the rights of data subjects without additional measures on our part and that of our service provider.

Is the transfer of data to the U.S. in compliance with the law based on your consent?

There is currently debate over whether informed consent—and thus a voluntary and informed restriction of parts of your fundamental right to data protection—is legally possible at all.

What measures do we take to ensure that data transfers to the United States comply with the law?

If U.S. providers offer this option, we choose to process data on EU servers. This should technically ensure that the data remains within the European Union and cannot be accessed by U.S. authorities.

Furthermore, we are carefully evaluating European alternatives to the U.S. tools we currently use. However, this is a process that cannot be completed overnight, as it also involves technical and economic implications for us. We will continue to use U.S. service providers only if, for technical and/or economic reasons, it is impossible for us to switch to European tools and/or immediately discontinue the use of U.S. tools.

To ensure the continued use of U.S. tools, we are taking the following measures:

Whenever possible, we will ask for your consent before using a U.S. tool and provide you with clear information in advance about how the service works. You can find information about the risks associated with transferring data to the U.S. in this section.

We strive to enter into standard contractual clauses with U.S. service providers and to require additional safeguards. In particular, we require the use of technologies that prevent access to data, such as encryption that cannot be broken even by U.S. authorities, or the anonymization or pseudonymization of data, whereby only the service provider can link the data to specific individuals. At the same time, we require additional information from the service provider in the event that third parties actually access the data, or that the service provider exhausts all legal remedies before access to the data is granted at all.

General retention period

Unless an explicit retention period is specified when data is collected (e.g., in a consent form), we are required underArticle 5(1)(e) of the GDPRto erase personal data as soon as the purpose of its processing no longer applies. In this context, we would like to point out that the statutory retention obligations to which we are subject constitute a legitimate purpose for the further processing of the personal data collected thereby.

We generally store and retain personal data until the end of a business relationship or until the expiration of applicable warranty, guarantee, or statute of limitations periods; furthermore, until the resolution of any legal disputes in which the data is required as evidence; or, in any case, until the end of the third year following the last contact with a business partner.

Retention Periods in Particular

Specific information regarding the retention period of data can be found in the descriptions of individual technologies on our website. Our cookie table provides information on the retention period of individual cookies. In addition, you can always contact us directly to inquire about the specific retention period of data. To do so, please use the contact information provided in this Privacy Policy.

Rights of Data Subjects

Data subjects have the right to:

(i)pursuant to Article 15 of the GDPR,to requestinformationabout your personal data that we process. In particular, you may request information regarding the purposes of processing, the categories of personal data, the categories of recipients to whom your data has been or will be disclosed, the planned retention period, the existence of a right to rectification, erasure, restriction of processing, or objection; the existence of a right to lodge a complaint; the origin of your data, if it was not collected by us; as well as information regarding the existence of automated decision-making, including profiling, and, where applicable, meaningful information regarding its details;
(ii)pursuant to Article 16 of the GDPR,to request the immediaterectificationof inaccurate personal data or the completion of your personal data stored by us;
(iii)pursuant to Article 17 of the GDPR,to request theerasure ofyour personal data stored by us under certain circumstances, unless processing is necessary for the exercise of the right to freedom of expression and information, for compliance with a legal obligation, for reasons of public interest, or for the establishment, exercise, or defense of legal claims;
(iv)pursuant to Article 18 of the GDPR,the requestthe(temporary)restriction of the processingof your personal data, provided that you contest the accuracy of the data, the processing is unlawful but you oppose its erasure, we no longer need the data but you require it to assert, exercise, or defend legal claims, or you have objected to the processing pursuant to Article 21 of the GDPR;
(v)pursuant to Article 20 of the GDPR,to receive from us the personal data you have provided to us in a structured, commonly used, and machine-readable format, or to request that we transmit such data directly to another controller; however, this applies only to those personal data that we process using automated means based on your consent or on a contract;
(vi)pursuant to Article 21 of the GDPR,if your personal data is processed on the basis of our legitimate interest, toobjectto the processing of your personal data, provided there are grounds for doing so arising from your particular situation or the objection relates to direct marketing. In the latter case, you have a general right to object, which we will honor without requiring you to specify a particular situation;
(vii) towithdraw your consent at any timein accordance with Article 7(3) of the GDPR.As a result, we will no longer be permitted to continue processing data that was based on this consent. Among other things, you have the option to withdraw your consent to the use of cookies on our website with future effect by adjusting our cookie settings ;
(viii) tolodge a complaint with a supervisory authority regarding the unlawful processing of your data by us,in accordance with Article 77 of the GDPR. As a general rule, you may contact the supervisory authority in the jurisdiction where you usually reside, work, or where our company is headquartered.

The competent supervisory authority for Hotel Opernring Betriebsgesellschaft m.b.H. is:

Austrian Data Protection Authority
Barichgasse 40-42, 1030 Vienna, Austria
Tel.: +43 1 52 152-0, dsb@dsb.gv.at

Exercising the rights of data subjects

You decide how your personal data is used. If you wish to exercise any of the rights listed above, please feel free to contact us by email at office@o11-hotel.com or contact us by mail or phone.

Please help us clarify your request by answering questions from our staff regarding the specific processing of your personal data. If we have reasonable doubts about your identity, we may ask you to provide a copy of your ID.

If you have any questions regarding data protection, please contact us at office@o11-hotel.com or via the other contact details listed in this Privacy Policy.

Vienna, October 6, 2022