Last updated: October 6, 2022
Thank you for your interest in the information on our website!
Hotel Opernring Betriebsgesellschaft m.b.H.
FN 228656 i
Wipplingerstraße 35/5. OG
T: +43 1 5875518-0
Data collection on our website
On the one hand, personal data is collected from you if you expressly inform us of this, on the other hand, data, in particular technical data, is collected automatically when you visit our website. Some of this data is collected to ensure error-free functioning of our website. Other data may be used for analysis purposes. However, you can generally use our website without having to provide any personal information.
Technologies on our website
Our website uses external "Typekit" fonts from the provider Adobe Systems Software Ireland Limited, 4-6 Riverwalk, Citywest Business Campus, Dublin 24, Ireland ("Adobe") for the uniform display of fonts.
ATTENTION: Within the scope of this service, data transfer to the USA takes place or cannot be ruled out.
When you call up our website, your browser loads the required fonts directly from Adobe so that they can be displayed correctly on your end device. In the process, your browser establishes a connection to Adobe's servers in the USA. This enables Adobe to know that your IP address has been used to access our website. According to Adobe, no cookies are used when providing the fonts.
The processing of your data is in our interest in a uniform and appealing presentation of our online offer. This represents a legitimate interest within the meaning of Art. 6 para. 1 lit. f DSGVO.
Cookies and Local Storage
Cookies are small data packets that are exchanged between your browser and the/our web server when you visit our website. They do not cause any damage and only serve to recognize the website visitor. Cookies can only store information supplied by your browser, i.e. information that you yourself have entered into the browser or that is present on the website. Cookies cannot execute code and cannot be used to access your terminal device.
The next time you visit our website with the same end device, the information stored in cookies may subsequently be sent back either to us ("first-party cookie") or to a third-party web application to which the cookie belongs ("third-party cookie"). Through the stored and returned information, the respective web application recognizes that you have already called up and visited the website with the browser of your end device.
Cookies contain the following information:
- Cookie name
- Name of the server from which the cookie originally originated
- Cookie ID number
- A date when the cookie is automatically deleted
Depending on their purpose and function, we divide cookies into the following categories:
- Technically necessary cookies to ensure the technical operation and basic functions of our website. These types of cookies are used, for example, to maintain your settings while you navigate the website; or they can ensure that important information is retained throughout the session (e.g. login, shopping cart).
- Statistics cookies to understand how visitors interact with our website by collecting and analyzing information anonymously only. This helps us gain valuable insights to optimize both the website and our products and services.
- Marketing cookies to set targeted advertising activities for users on our website.
- Unclassified cookies are cookies that we are currently working with individual cookie providers to classify.
Depending on how long they are stored, we also divide cookies into session and persistent cookies. Session cookies store information used during your current browser session. These cookies are automatically deleted when you close the browser. This does not leave any information on your terminal device. Persistent cookies store information between two visits to the website. Based on this information, you will be recognized as a returning visitor on your next visit and the website will respond accordingly. The lifetime of a permanent cookie is determined by the provider of the cookie.
You can also set your Internet browser to generally prevent cookies from being saved on your end device or to ask you each time whether you agree to cookies being set. Once cookies have been set, you can delete them at any time. You can find out how all this works in detail in the help function of your browser.
Please note that a general deactivation of cookies may lead to functional restrictions on our website.
On our website, we also use so-called local storage functions (also called "local storage"). In this case, data is stored locally in the cache of your browser, which continues to exist and can be read even after closing the browser - as long as they do not delete the cache or it is the session storage.
Third parties cannot access the data stored in the local storage. If special plugins or tools use the local storage functions, this is described with the respective plugin or tool.
If you do not want plugins or tools to use local storage functions, you can control this in the settings of your respective browser. We would like to point out that this may result in functional restrictions.
Recipient country: USA
On our website, the Facebook Pixel service of the social network Facebook, which is operated by Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland ("Facebook"), is used for the analysis, optimization and economic operation of our online offer.
ATTENTION: Within the scope of this service, data transfer to the USA takes place or cannot be ruled out.
With the help of Facebook pixels, it is possible for Facebook, on the one hand, to determine the visitors to our website as a target group for the display of ads (so-called "Facebook ads"). Accordingly, we use Facebook pixels to display the Facebook ads placed by us only to those Facebook users who have also shown an interest in our online offer or who have certain characteristics (e.g. interests in certain topics or products determined on the basis of the websites visited) that we transmit to Facebook (so-called "Custom Audiences"). With the help of Facebook Pixel, we also want to ensure that our Facebook Ads correspond to the potential interest of users and do not have a harassing effect. With the help of Facebook Pixel, we can, on the other hand, track the effectiveness of the Facebook ads for statistical and market research purposes by seeing whether users were redirected to our website after clicking on a Facebook ad (so-called "conversion").
Your actions are stored in one or more cookies. These cookies enable Facebook to match your user data (such as IP address, user ID) with the data of your Facebook account. The collected data is anonymous and not visible to us and can only be used in the context of advertisements. You can prevent the linking with your Facebook account by logging out before you take any action.
The processing of your data is based on your consent within the meaning of Art. 6 para. 1 lit. a DSGVO. You can revoke this consent at any time with effect for the future.
For more information about how Facebook processes personal data, including the legal bases on which Facebook relies and how data subjects can exercise their rights against Facebook, please see Facebook's Data Policy at https://de-de.facebook.com/policy.php
To set which types of advertisements are displayed to you within Facebook, you can visit the page set up by Facebook and follow the instructions there regarding the settings for usage-based advertising: https://www.facebook.com/settings?tab=ads
The settings are platform-independent, i.e. they are applied to all devices, such as desktop computers or mobile devices.
For general instructions on how to display Facebook ads, see: https://de-de.facebook.com/policy.php
For specific information and details about Facebook Pixel and how it works, visit Facebook's help section: https://de-de.facebook.com/business/help/651294705016616
Our website uses so-called web fonts provided by Fonticons, Inc. for the uniform display of fonts and icons.
When you call up a page, your browser loads the required web fonts into its browser cache in order to display texts and fonts correctly. For this purpose, the browser you are using must connect to Fonticons' servers. This enables Fonticons to know that our website has been accessed via your IP address.
The use of web fonts is in the interest of a uniform and appealing presentation of our online offers. This represents a legitimate interest within the meaning of Art. 6 para. 1 lit. f DSGVO.
If your browser does not support web fonts, a default font is used by your computer.
On our website we use the booking service Giggle. The provider of this service is Giggle GmbH, Jahnstraße 18, A-6020 Innsbruck, Austria ("Giggle"). Giggle allows users to book events and services online via our site.
For the use of Giggle, your IP address is transmitted to a Giggle server when you call up the service. If you make an online booking of an event or service via our website using Giggle, we process your email address, the booked service or event and your related data as well as your first and last name for the purpose of processing your request. In individual cases, we also use your telephone number, in particular to inform you about relevant information regarding the booked event or service.
The processing of your data is based on the performance of the contract or the fulfillment of pre-contractual obligations pursuant to Art 6 para 1 lit b DSGVO. We store your data for the processing of your booking and beyond that within the scope of our statutory retention obligations.
For more information on Giggle, please visit: https://hotel.giggle.tips/privacy
Google Tag Manager
Our website uses the Google Tag Manager service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland ("Google").
ATTENTION: Within the scope of this service, data transfer to the USA takes place or cannot be ruled out.
When you start the Google Tag Manager, your browser establishes a connection to Google's servers. Through this, Google obtains knowledge that our website was called up via your IP address.
Tag Manager is a service that allows us to manage website tags through an interface. This allows us to add code snippets such as tracking codes or conversion pixels to websites without interfering with the source code. In doing so, the data is only forwarded by the Tag Manager, but not collected or stored. The Tag Manager itself is a cookie-less domain and does not process any personal data, as it serves purely to manage other services in our online offering. The Tag Manager takes care of the resolution of other tags, which in turn may collect data. However, the Tag Manager does not access this data. If a deactivation has been made at the domain or cookie level, this remains in place for all tracking tags that are implemented with the Tag Manager.
Here you can find out where exactly Google data centers are located: https://www.google.com/about/datacenters/inside/locations/
Further information on data protection can be found on the following Google web pages:
FAQ Google Tag Manager: https://www.google.com/intl/de/tagmanager/faq.html
Google Tag Manager Terms of Service: https://marketingplatform.google.com/intl/de/about/analytics/tag-manager/use-policy/
Google Ads Data Processing Terms including standard contractual clauses for third country transfers: https://business.safety.google/adsprocessorterms/
As part of the hosting of our website, all data to be processed in connection with the operation of our website is stored. This is necessary to enable the operation of the website. We therefore process the data accordingly on the basis of our legitimate interest pursuant to Art 6 (1) lit. f DSGVO in optimizing our website offering. To provide our online presence, we use services of web hosting providers to whom we provide the above-mentioned data as part of order processing pursuant to Art 28 DSGVO.
When contacting us, your data will be used to process the contact request and its handling in the context of the fulfillment of pre-contractual rights and obligations pursuant to Art. 6 para. 1 lit. b DSGVO. The processing of your data is necessary to process and respond to your request, otherwise we will not be able to respond to your request or at best only to a limited extent. The information may be stored in a customer and prospect database on the basis of our legitimate interest pursuant to Art. 6 para. 1 lit. f DSGVO in direct marketing.
We delete your inquiry and your contact data, provided that your inquiry has been answered conclusively and the deletion does not conflict with any legal retention periods, e.g. in the context of a subsequent contract processing. This is usually the case when there has been no further contact with you for three years.
Server log files
For technical reasons, in particular to ensure a functional and secure Internet presence, we process technically necessary data about accesses to our website in so-called server log files, which your browser automatically transmits to us.
The access data we process include:
- Name of the retrieved website
- type of browser used incl. version
- Operating system used by the visitor
- the previously visited page of the visitor (referrer URL)
- Time of the server request
- Data volume transferred
- Host name of the accessing computer (IP address used)
This data is not assigned to any natural persons and is only used for statistical evaluations and for the operation and improvement of our website as well as for the security and optimization of our Internet offer. This data is only transmitted to our website hoster. This data is not linked or merged with other data sources. If there is any suspicion of illegal use of our website, we reserve the right to check this data retrospectively. The data processing is based on our legitimate interest in accordance with Art. 6 para. 1 lit. f DSGVO in the technically error-free presentation and optimization of our website.
The access data is deleted shortly after the purpose has been fulfilled, usually after a few days, unless further storage is required for evidence purposes. Otherwise, the data is retained until final clarification of an incident.
For your visit to our website, we use the common SSL procedure (Secure Socket Layer) in connection with the highest encryption level supported by your browser. You can see whether an individual page of our website is transmitted encrypted by the closed display of the key or lock symbol in the status bar of your browser. The use of this procedure is based on our legitimate interest in accordance with Art. 6 para. 1 lit. f DSGVO in the use of appropriate encryption techniques.
We also use appropriate technical and organizational security measures in accordance with Art. 32 DSGVO to protect your data against accidental or intentional manipulation, partial or complete loss, destruction or against unauthorized access by third parties. Our security measures are continuously improved according to the technological development and kept at the state of the art.
General information on data protection
The following provisions apply in their principles not only to data collection on our website, but also generally to other processing of personal data.
Personal data is information that can be individually assigned to you. Examples include your address, name, postal address, e-mail address or telephone number. Information such as the number of users who visit a website is not personal data, because it does not allow an assignment to an individual person.
Legal basis for the processing of personal data
- Consent pursuant to Art. 6(1)(a) DSGVO - The data subject has given his/her consent to the processing of his/her personal data for one or more specific purposes.
- Contract performance and pre-contractual measures pursuant to Art. 6 (1) lit. b DSGVO - Processing is necessary for the performance of a contract to which the data subject is a party or for the performance of pre-contractual measures.
- Legal obligation pursuant to Art. 6 para. 1 lit. c DSGVO - Processing is necessary for compliance with a legal obligation.
- Protection of vital interests pursuant to Art. 6(1)(d) DSGVO - Processing is necessary to protect the vital interests of the data subject or another natural person.
- Legitimate interests pursuant to Art. 6(1)(f) DSGVO - Processing is necessary to protect the legitimate interests of the controller or a third party, unless such interests are overridden by the interests or fundamental rights and freedoms of the data subject.
Please note that in addition to the provisions of the GDPR, national data protection regulations in your or our home country may apply.
Transmission of personal data
We will only share your personal information with third parties if:
- you have given your express consent to this in accordance with Art. 6 para. 1 lit. a DSGVO,
- the disclosure is necessary in accordance with Art. 6 (1) f DSGVO for the protection of legitimate interests and for the assertion, exercise or defense of legal claims and there is no reason to assume that you have an overriding legitimate interest in the non-disclosure of your data,
- there is a legal obligation for the disclosure pursuant to Art. 6 (1) lit. c DSGVO, as well as this is legally permissible and / or
- it is necessary according to Art. 6 para. 1 lit. b DSGVO for the processing of contractual relationships with you.
Cooperation with processors
We carefully select our service providers who process personal data on our behalf. If we commission third parties with the processing of personal data on the basis of a contract processing agreement, this is done in accordance with Art. 28 DSGVO.
Transfer to third countries
If we process data in a third country or do so in the context of using third-party services or disclosing or transferring data to other persons or companies, this will only be done on the basis of the legal grounds outlined above for the transfer of data.
Subject to explicit consent or contractual necessity, we process or have processed the data in accordance with Art. 44-49 GDPR only in third countries with a level of data protection recognized as adequate or on the basis of special guarantees, such as a contractual obligation by so-called standard contractual clauses of the EU Commission, the existence of certifications or binding internal data protection rules.
Data transfer to the USA / discontinuation of the Privacy Shield
We would like to expressly point out that as of July 16, 2020, due to a legal dispute between a private individual and the Irish supervisory authority, the so-called "Privacy Shield", an adequacy decision of the EU Commission pursuant to Art 45 GDPR, which confirmed an adequate level of data protection to the USA under certain circumstances, is no longer valid with immediate effect.
The Privacy Shield is therefore no longer a valid legal basis for the transfer of personal data to the USA!
What can the transfer of personal data to the USA mean for you as a user and what are the risks in this context?
Risks for you as a user are in any case the powers of the U.S. intelligence services and the legal situation in the U.S., which currently, according to the ECJ, no longer ensure an adequate level of data protection. Among other things, these are the following points:
- Section 702 of the Foreign Intelligence Surveillance Act (FISA) provides no limits on the surveillance activities of the intelligence community and no safeguards for non-U.S. citizens.
- Presidential Policy Directive 28 (PPD-28) does not provide affected individuals with effective remedies against actions taken by U.S. authorities and does not provide barriers to ensuring proportionate measures.
- the Ombudsman provided for in the Privacy Shield does not have sufficient independence from the executive branch; he cannot issue binding orders to the intelligence services.
Legally compliant transfer of data to the USA based on standard contractual clauses?
The standard contractual clauses adopted by the Commission in 2010 (2010/87/EU of 05.02.2010), Art. 46 (2) c DS-GVO, are still valid, but a level of protection for personal data equivalent to that in the European Union must be ensured. Thus, not only the contractual relationships with our service providers are relevant here, but also the possibility of access to the data by authorities in the USA and the legal system there (legislation and case law, administrative practice of authorities).
The standard contractual clauses cannot bind authorities in the U.S. and therefore do not yet provide adequate protection in cases where authorities have the authority under U.S. law to interfere with the rights of data subjects without additional action by us and our service provider.
Legally compliant transfer of data to the USA based on your consent?
It is currently disputed whether informed consent and thus a deliberate and knowing restriction of parts of your fundamental right to data protection is legally possible at all.
What measures do we take to ensure that data transfers to the USA are legally compliant?
Where US providers offer the option, we choose to process data on EU servers. This should technically ensure that the data is located within the European Union and access by US authorities is not possible.
Furthermore, we are carefully examining European alternatives to the US tools we use. However, this is a process that does not happen overnight, as it also involves technical and economic consequences for us. Only if for technical and / or economic reasons the use of European tools and / or the immediate shutdown of the US tools is impossible for us, US service providers will currently continue to be used.
We take the following measures for the continued use of US tools:
As far as possible, your consent will be requested before using a US tool and you will be informed transparently in advance about how a service works. The risks of transferring data to the USA can be found in this point.
We make every effort to conclude standard contractual clauses with US service providers and to demand additional guarantees. In particular, we require the use of technologies that do not allow access to data, e.g. the use of encryption that cannot be broken even by US services or anonymization or pseudonymization of the data, where only the service provider can make the assignment. At the same time, we require additional information from the service provider if access to data by third parties actually occurs or the exhaustion of all legal remedies by the service provider until access to data is granted at all.
Storage duration in general
Unless an explicit storage period is specified when data is collected (e.g. as part of a declaration of consent), we are obliged to delete personal data as soon as the purpose of its processing no longer exists in accordance with Art. 5 (1) lit. e DSGVO. In this context, we would like to point out that legal retention obligations to which we are subject constitute a legitimate purpose for the further processing of the personal data covered by them.
As a matter of principle, we store and retain data in personal form until the termination of a business relationship or until the expiry of applicable guarantee, warranty or limitation periods, and beyond that until the termination of any legal disputes in which the data are required as evidence, or in any case until the expiry of the third year after the last contact with a business partner.
Storage duration in particular
Rights of data subjects
Data subjects have the right:
- (i) pursuant to Art. 15 DSGVO, to request information about your personal data processed by us. In particular, you can request information about the processing purposes, the category of personal data, the categories of recipients to whom your data has been or will be disclosed, the planned storage period, the existence of a right to rectification, erasure, restriction of processing or objection, the existence of a right of complaint, the origin of your data if it has not been collected by us, as well as the existence of automated decision-making including profiling and, if applicable, meaningful information about its details;
- (ii) pursuant to Art. 16 DSGVO, to request without undue delay the correction of inaccurate or completion of your personal data stored by us;
- (iii) pursuant to Article 17 of the GDPR, to request, under certain circumstances, the erasure of your personal data stored by us, unless the processing is necessary for the exercise of the right to freedom of expression and information, for compliance with a legal obligation, for reasons of public interest, or for the establishment, exercise or defense of legal claims;
- (iv) pursuant to Art. 18 DSGVO, to request the (temporary) restriction of the processing of your personal data, insofar as the accuracy of the data is disputed by you, the processing is unlawful, but you object to its erasure, we no longer need the data, but you need it for the assertion, exercise or defense of legal claims or you have objected to the processing pursuant to Art. 21 DSGVO;
- (v) pursuant to Article 20 of the GDPR, to receive from us your personal data that you have provided to us in a structured, commonly used and machine-readable format, or to request its direct transfer to another controller; However, this only covers those of your personal data that we process with the help of automated processes after your consent or on the basis of a contract;
- (vi) pursuant to Art. 21 DSGVO, if your personal data are processed on the basis of our legitimate interest, to object to the processing of your personal data, provided that there are grounds for doing so which arise from your particular situation or the objection is directed against direct marketing. In the latter case, you have a general right of objection, which is implemented by us without specifying a particular situation;
- (viii) pursuant to Art. 77 DSGVO to complain to a supervisory authority regarding the unlawful processing of your data by us. As a rule, you can contact the supervisory authority of your usual place of residence or workplace or our company headquarters for this purpose.
The competent supervisory authority for Hotel Opernring Betriebsgesellschaft m.b.H. is:
Austrian Data Protection Authority
Barichgasse 40-42, 1030 Vienna, Austria
Tel.: +43 1 52 152-0, firstname.lastname@example.org
Assertion of data subject rights
You yourself decide on the use of your personal data. Therefore, should you wish to exercise any of your above rights against us, you are welcome to contact us by e-mail at email@example.com or by mail, as well as by telephone.
Please assist us in specifying your request by answering questions from our responsible employees regarding the specific processing of your personal data. If there is reasonable doubt about your identity, we may request a copy of your identification.
Vienna, October 6, 2022