Privacy Policy

Privacy Policy

Last updated:October 6, 2022

Thank you very much for your interest in the information on our website!

Through this Privacy Policy, we would like to inform users of our website about the nature, scope, and purposes of the processing of personal data. Personal data in this context refers to any information that can be used to personally identify you as a user of our website (theoretically, possibly through indirect means or by linking various data points), including, among other things, your IP address. Information stored in cookies is generally not personal data, or is so only in exceptional cases; however, this information is subject to a special provision that makes the permissibility of using cookies largely dependent on the user’s active consent, depending on the purpose of the cookies.

In a general section of this Privacy Policy, we provide you with information on data protection that generally applies to our processing of data, including data collection on our website. In particular, as data subjects, you are informed of the rights to which you are entitled.

The terms used in our Privacy Policy and our data protection practices are governed by the provisions of the EU General Data Protection Regulation (“GDPR”) and other applicable national laws.

Person in Charge

Hotel Opernring Betriebsgesellschaft m.b.H.
FN 228656 i
Wipplingerstraße 35, 5th floor
1010 Vienna
Austria

E: office@o11-hotel.com
T: +43 1 5875518-0
Data Collection on Our Website

We collect your personal data in two ways: first, when you expressly provide it to us; and second, when data—particularly technical data—is automatically collected when you visit our website. Some of this data is collected to ensure that our website functions properly. Other data may be used for analytical purposes. However, you can generally use our website without having to provide any personal information.

Technologies on Our Website

Adobe Typekit

To ensure consistent font display, our website uses external “Typekit” fonts provided by Adobe Systems Software Ireland Limited, 4-6 Riverwalk, Citywest Business Campus, Dublin 24, Ireland (“Adobe”).

ATTENTION! As part of this service, data is transferred to the United States, or such a transfer cannot be ruled out.

When you visit our website, your browser downloads the necessary fonts directly from Adobe so that they can be displayed correctly on your device. In doing so, your browser establishes a connection to Adobe’s servers in the United States. As a result, Adobe becomes aware that our website has been accessed via your IP address. According to Adobe, no cookies are used when providing the fonts.

We process your data in order to ensure a consistent and appealing presentation of our online offerings. This constitutes a legitimate interest within the meaning of Article 6(1)(f) of the GDPR.

For more information about Adobe Typekit Web Fonts, visit: https://www.adobe.com/privacy/policies/typekit.html. Adobe’s privacy policy can be found at: https://www.adobe.com/privacy/policy.html

Cookies and Local Storage

We use cookies on our website to make our site more user-friendly and functional. Some of these cookies are stored on your device.  

Cookies are small data packets exchanged between your browser and our web server when you visit our website. They cause no harm whatsoever and are used solely to recognize website visitors. Cookies can only store information provided by your browser—that is, information you have entered into the browser yourself or that is available on the website. Cookies cannot execute code and cannot be used to access your device. 

The next time you visit our website using the same device, the information stored in cookies may subsequently be sent back either to us (“first-party cookie”) or to a third-party web application to which the cookie belongs (“third-party cookie”). Based on the stored and returned information, the respective web application recognizes that you have already accessed and visited the website using your device’s browser.   

Cookies contain the following information:

  • Cookie Name
  • Name of the server from which the cookie originally came
  • Cookie ID number
  • A date on which the cookie is automatically deleted

Depending on their purpose and function, we classify cookies into the following categories:  

  • Technically necessary cookies that ensure the technical operation and basic functionality of our website. These types of cookies are used, for example, to retain your settings as you navigate the website; or they may ensure that important information is retained throughout your session (e.g., login, shopping cart). 
  • Statistics cookies, which help us understand how visitors interact with our website by collecting and analyzing information solely on an anonymous basis. This provides us with valuable insights that help us optimize both the website and our products and services. 
  • Marketing cookies used to deliver targeted advertising to users on our website.  
  • Unclassified cookies are cookies that we are currently working with providers of individual cookies to classify.  

Depending on their storage duration, we also classify cookies as session cookies and persistent cookies. Session cookies store information that is used during your current browser session. These cookies are automatically deleted when you close your browser. No information is left on your device. Persistent cookies store information between visits to the website. Based on this information, you are recognized as a returning visitor on your next visit, and the website responds accordingly. The lifespan of a persistent cookie is determined by the cookie provider.  

The legal basis for the use of technically necessary cookies is our legitimate interest in the technically sound operation and smooth functionality of our website, in accordance with Article 6(1)(f) of the GDPR. Our website cannot function properly without these cookies. The use of statistical and marketing cookies requires your consent in accordance with Article 6(1)(a) of the GDPR. You may withdraw your consent to the use of cookies at any time with future effect, in accordance with Article 7(3) of the GDPR. Consent is voluntary. If you do not give your consent, there will be no adverse consequences. Further information about the cookies we actually use (in particular regarding their purpose and storage duration) can be found in this Privacy Policy and in the information about the cookies we use in our cookie banner. 

You can also configure your web browser to prevent cookies from being stored on your device altogether, or to prompt you each time to confirm whether you consent to the use of cookies. You can delete cookies at any time once they have been set. For detailed instructions on how to do this, please refer to your browser’s help section.   

Please note that disabling cookies across the board may result in limited functionality on our website. 

On our website, we also use so-called local storage functions (also known as “local storage”). This involves storing data locally in your browser’s cache; this data remains there even after you close your browser—unless you clear the cache or the data is stored in session storage—and can still be accessed. 

Third parties cannot access the data stored in local storage. If specific plugins or tools use local storage functions, this is described in the documentation for the respective plugin or tool. 

If you do not want plugins or tools to use local storage features, you can control this in your browser's settings. Please note that this may result in some functional limitations.

Facebook Pixel

Purpose: Marketing
Destination country: USA

Our website uses the Facebook Pixel service provided by the social network Facebook—which is operated by Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (“Facebook”)—for the purposes of analyzing, optimizing, and ensuring the efficient operation of our online services.

ATTENTION! As part of this service, data is transferred to the United States, or such a transfer cannot be ruled out.

With the help of Facebook Pixel, Facebook is able, on the one hand, to identify visitors to our website as a target audience for displaying ads (so-called “Facebook Ads”). Accordingly, we use Facebook Pixel to display the Facebook Ads we place only to those Facebook users who have shown an interest in our online offerings or who exhibit certain characteristics (e.g., interests in specific topics or products, determined based on the websites they have visited) that we transmit to Facebook (so-called “Custom Audiences”). We also use Facebook pixels to ensure that our Facebook ads align with users’ potential interests and do not come across as intrusive. Furthermore, Facebook Pixels allow us to track the effectiveness of Facebook ads for statistical and market research purposes by determining whether users were redirected to our website after clicking on a Facebook ad (so-called “conversion”).

Your actions are stored in one or more cookies. These cookies allow Facebook to match your user data (such as your IP address and user ID) with the data in your Facebook account. The data collected is anonymous to us and cannot be viewed by us; it is used solely for advertising purposes. You can prevent this link to your Facebook account by logging out before performing any actions. 

The processing of your data is based on your consent within the meaning of Article 6(1)(a) of the GDPR. You may withdraw this consent at any time with future effect.

For more information on how Facebook processes personal data, including the legal bases on which Facebook relies and the options available to data subjects for exercising their rights with respect to Facebook, please see Facebook’s Privacy Policy at https://de-de.facebook.com/policy.php 

To control the types of ads you see on Facebook, you can visit the page set up by Facebook and follow the instructions there regarding usage-based advertising settings: https://www.facebook.com/settings?tab=ads 

The settings are platform-independent, meaning they apply to all devices, such as desktop computers and mobile devices.

For general information on displaying Facebook ads, see:   https://de-de.facebook.com/policy.php

For specific information and details about the Facebook Pixel and how it works, please visit the Facebook Help Center: https://de-de.facebook.com/business/help/651294705016616

Font Awesome

Our website uses so-called web fonts, provided by Fonticons, Inc., to ensure consistent display of fonts and icons. 

When you visit a page, your browser loads the necessary web fonts into its cache to display text and fonts correctly. To do this, the browser you are using must connect to Fonticons’ servers. As a result, Fonticons learns that our website was accessed via your IP address. 

We use web fonts to ensure a consistent and visually appealing presentation of our online content. This constitutes a legitimate interest within the meaning of Article 6(1)(f) of the GDPR.

If your browser does not support web fonts, a default font from your computer will be used.

For more information about Font Awesome, visit https://fontawesome.com/help and in the privacy policy of Fonticons, Inc.: https://fontawesome.com/privacy

Giggle

We use the Giggle booking service on our website. This service is provided by Giggle GmbH, Jahnstraße 18, A-6020 Innsbruck, Austria (“Giggle”). Giggle allows users to book events and services online through our site. 

When you access the Giggle service, your IP address is transmitted to a Giggle server. If you make an online booking for an event or service through Giggle via our website, we process your email address, the booked service or event, and your related data—as well as your first and last name—in order to handle your request. In some cases, we also use your phone number to provide you with relevant information about the event or service you booked.

Your data is processed for the purpose of fulfilling the contract or pre-contractual obligations in accordance with Article 6(1)(b) of the GDPR. We store your data to process your reservation and, in addition, to comply with our legal retention requirements.

For more information about Giggle, visit: https://hotel.giggle.tips/privacy

Google Tag Manager

Our website uses the Google Tag Manager service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (“Google”).

ATTENTION! As part of this service, data is transferred to the United States, or such a transfer cannot be ruled out.

When Google Tag Manager is launched, your browser establishes a connection to Google's servers. This allows Google to determine that our website was accessed via your IP address. 

Tag Manager is a service that allows us to manage website tags through a user interface. This enables us to embed code snippets—such as tracking codes or conversion pixels—on websites without modifying the source code. Tag Manager only forwards the data; it does not collect or store it. Tag Manager itself is a cookie-free domain and does not process any personal data, as it is used solely to manage other services within our online offering. Tag Manager handles the resolution of other tags, which may themselves collect data. However, Tag Manager does not access this data. If deactivation has been performed at the domain or cookie level, this setting remains in effect for all tracking tags implemented using Tag Manager.

Here you can find out exactly where Google's data centers are located: https://www.google.com/about/datacenters/inside/locations/

For more information on data protection, please visit the following Google websites:

Privacy Policy: https://policies.google.com/privacy
Google Tag Manager FAQ: https://www.google.com/intl/de/tagmanager/faq.html
Google Tag Manager Terms of Service: https://marketingplatform.google.com/intl/de/about/analytics/tag-manager/use-policy/
Google Ads Data Processing Terms, including Standard Contractual Clauses for transfers to third countries: https://business.safety.google/adsprocessorterms/

Hosting

As part of the hosting of our website, all data processed in connection with the operation of our website is stored. This is necessary to enable the website to function. We therefore process the data on the basis of our legitimate interest, pursuant to Article 6(1)(f) of the GDPR, in optimizing our website. To provide our online presence, we use services from web hosting providers to whom we provide the aforementioned data as part of a data processing arrangement pursuant to Article 28 of the GDPR.

Contact Us

When you contact us, your information will be used to process your inquiry and handle it in accordance with our pre-contractual rights and obligations under Article 6(1)(b) of the GDPR. The processing of your data is necessary to handle and respond to your inquiry; otherwise, we will not be able to respond to your inquiry, or will only be able to do so to a limited extent. The information may be stored in a customer and prospect database for direct marketing purposes based on our legitimate interest pursuant to Article 6(1)(f) of the GDPR.

We will delete your inquiry and your contact information once your inquiry has been fully resolved and provided that no legal retention periods prevent the deletion—for example, in connection with the subsequent fulfillment of a contract. This is usually the case if there has been no contact with you for a continuous period of three years.

Server Log Files

For technical reasons—in particular to ensure that our website functions properly and securely—we process technically necessary data regarding visits to our website in what are known as server log files, which your browser automatically transmits to us. 

The access data we process includes:

  • Name of the website accessed  
  • Browser type used, including version
  • The visitor's operating system
  • the page the visitor previously viewed (referrer URL)
  • Time of the server request
  • Amount of data transferred
  • Hostname of the accessing computer (IP address used)

This data is not associated with any specific individuals and is used solely for statistical analysis, as well as for the operation and improvement of our website and for the security and optimization of our online services. This data is transmitted solely to our website host. This data is not linked or combined with other data sources. If there is suspicion of unlawful use of our website, we reserve the right to review this data retrospectively. Data processing is based on our legitimate interest pursuant to Article 6(1)(f) of the GDPR in ensuring the technically error-free display and optimization of our website.

Access data is deleted shortly after the purpose for which it was collected has been fulfilled—usually after a few days—unless further retention is necessary for evidentiary purposes. Otherwise, the data is retained until the incident has been fully resolved.

SSL Encryption

When you visit our website, we use the widely adopted SSL (Secure Socket Layer) protocol in conjunction with the highest encryption level supported by your browser. You can tell whether a particular page on our website is being transmitted securely by the closed key or lock icon displayed in your browser’s status bar. The use of this protocol is based on our legitimate interest, pursuant to Article 6(1)(f) of the GDPR, in the use of appropriate encryption techniques. 

We also implement appropriate technical and organizational security measures in accordance with Article 32 of the GDPR to protect your data against accidental or intentional manipulation, partial or complete loss, destruction, or unauthorized access by third parties. Our security measures are continuously improved in line with technological developments and maintained at the state of the art.

General Information on Data Protection

The following provisions in our Privacy Policy apply not only to the collection of data on our website, but also, more generally, to the processing of personal data in other contexts.

Personal Data

Personal data is information that can be individually associated with you. Examples include your address, your name, your mailing address, your email address, and your phone number. Information such as the number of users visiting a website is not considered personal data because it cannot be linked to a specific individual.

Legal Basis for the Processing of Personal Data

Unless more specific information is provided in this Privacy Policy (e.g., regarding the technologies used), we may process your personal data based on the following legal grounds:

  • Consent pursuant to Article 6(1)(a) of the GDPR– The data subject has given consent to the processing of his or her personal data for one or more specific purposes.
  • Performance of a contract and precontractual measures pursuant to Article 6(1)(b) of the GDPR– Processing is necessary for the performance of a contract to which the data subject is a party or for the implementation of precontractual measures.
  • Legal obligation pursuant to Article 6(1)(c) of the GDPR– Processing is necessary for compliance with a legal obligation.
  • Protection of vital interests pursuant to Article 6(1)(d) of the GDPR– Processing is necessary to protect the vital interests of the data subject or another natural person.
  • Legitimate interests pursuant to Article 6(1)(f) of the GDPR– Processing is necessary to safeguard the legitimate interests of the controller or a third party, unless the interests or fundamental rights and freedoms of the data subject take precedence.

Please note that, in addition to the provisions of the GDPR, national data protection laws in your or our home country may apply.

Transfer of Personal Data

Your personal data will not be disclosed to third parties for any purposes other than those listed in this Privacy Policy.

We will only share your personal information with third parties if:

  • You have given your explicitconsentpursuant toArticle 6(1)(a) of the GDPRto,
  • the disclosure is necessary pursuantto Article 6(1)(f) of the GDPRto safeguardlegitimate interestsand to assert, exercise, or defend legal claims, and there is no reason to believe that you have an overriding legitimate interest in preventing the disclosure of your data,
  • there is alegal obligationto disclose the data pursuantto Article 6(1)(c) of the GDPR, and this is permitted by law and/or
  • it is necessary for theperformance of a contractwith you, in accordance withArticle 6(1)(b) of the GDPR.

Collaboration with Data Processors

We carefully select the service providers who process personal data on our behalf. If we engage third parties to process personal data under a data processing agreement, we do so in accordancewith Article 28 of the GDPR.

Transfer to Third Countries

If we process data in a third country, or if this occurs in connection with the use of third-party services or the disclosure or transfer of data to other individuals or companies, this is done solely on the basis of the legal grounds set forth above for the transfer of data.

Subject to express consent or contractual necessity, we process or have the data processed in accordance with Art. 44–49 of the GDPR, only in third countries with a level of data protection recognized as adequate or on the basis of specific safeguards, such as a contractual obligation through the European Commission’s Standard Contractual Clauses, the existence of certifications, or binding internal data protection policies.

Data Transfers to the U.S. / Discontinuation of the Privacy Shield

We would like to expressly point out that, as of July 16, 2020, due to a legal dispute between a private individual and the Irish Data Protection Commissioner, the so-called “Privacy Shield”—an adequacy decision by the European Commission pursuant to Article 45 of the GDPR, which confirmed that the United States provides an adequate level of data protection under certain circumstances—is no longer valid, effective immediately.

The Privacy Shield therefore no longer constitutes a valid legal basis for the transfer of personal data to the United States!

If we do transfer data to the United States or use a service provider based in the United States, we will explicitly mention this in this Privacy Policy (see, in particular, the description of the technologies on our website).

What does the transfer of personal data to the United States mean for you as a user, and what risks are involved?

In any case, the risks for you as a user stem from the powers of U.S. intelligence agencies and the legal situation in the United States, which—in the view of the European Court of Justice—no longer ensure an adequate level of data protection. Among other things, this involves the following points:

  • Section 702 of the Foreign Intelligence Surveillance Act (FISA) does not impose any restrictions on intelligence agencies' surveillance activities or provide any safeguards for non-U.S. citizens.
  • Presidential Policy Directive 28 (PPD-28) does not provide affected individuals with effective legal remedies against actions taken by U.S. authorities and does not establish safeguards to ensure that such actions are proportionate.
  • The ombudsman provided for under the Privacy Shield does not have sufficient independence from the executive branch; he cannot issue binding orders to the intelligence agencies.

Is the transfer of data to the U.S. in compliance with the law based on the Standard Contractual Clauses?

The standard contractual clauses adopted by the Commission in 2010 (2010/87/EU of February 5, 2010), Article 46(2)(c) of the GDPR, remain in effect; however, a level of protection for personal data equivalent to that in the European Union must be ensured. Therefore, not only are the contractual relationships with our service providers relevant here, but also the ability of U.S. authorities to access the data and the U.S. legal system (legislation and case law, as well as the administrative practices of government agencies).

The standard contractual clauses are not binding on U.S. government authorities and therefore do not yet provide adequate protection in cases where U.S. law authorizes such authorities to interfere with the rights of data subjects without additional measures on our part and that of our service provider.

Is the transfer of data to the U.S. based on your consent in compliance with the law?

There is currently debate over whether informed consent—and thus a voluntary and informed restriction of parts of your fundamental right to data protection—is legally possible at all.

What measures do we take to ensure that data transfers to the U.S. comply with the law?

To the extent that U.S. providers offer this option, we choose to process data on EU servers. This should technically ensure that the data remains within the European Union and that U.S. authorities cannot access it.

Furthermore, we are carefully evaluating European alternatives to the U.S. tools we currently use. However, this is a process that cannot be completed overnight, as it also involves technical and economic implications for us. We are currently continuing to use U.S. service providers only in cases where, for technical and/or economic reasons, it is impossible for us to use European tools and/or immediately discontinue the use of U.S. tools.

We are taking the following measures regarding the continued use of U.S. tools:

Whenever possible, we will ask for your consent before using a U.S. tool and provide you with transparent information in advance about how the service works. You can find information about the risks associated with transferring data to the U.S. in this section.

We strive to enter into standard contractual clauses with U.S. service providers and to demand additional guarantees. In particular, we require the use of technologies that prevent access to data—for example, encryption that cannot be broken even by U.S. authorities, or the anonymization or pseudonymization of data, whereby only the service provider can link the data to specific individuals.  At the same time, we require additional information from the service provider in the event that a third party actually gains access to data, or we require the service provider to exhaust all legal remedies before access to data is granted at all.

General Retention Periods

Unless an explicit retention period is specified when data is collected (e.g., as part of a consent form), we are required underArticle 5(1)(e) of the GDPRto delete personal data as soon as the purpose of its processing no longer applies. In this context, we would like to point out that the statutory retention requirements to which we are subject constitute a legitimate purpose for the continued processing of the personal data collected in this manner.

As a general rule, we store and retain personal data until the end of a business relationship or until the expiration of applicable warranty, guarantee, or statute of limitations periods; beyond that, until the resolution of any legal disputes in which the data is required as evidence; or, in any case, until the end of the third year following the last contact with a business partner.

Retention Periods in Particular

The descriptions of individual technologies on our website include specific information about how long data is stored. Our cookie table provides information about the storage periods for individual cookies. In addition, you can always contact us directly to inquire about the specific storage period for data. To do so, please use the contact information provided in this Privacy Policy.

Rights of Data Subjects

Data subjects have the right to:

  • (i)pursuant to Article 15 of the GDPR,to requestinformationabout your personal data that we process. In particular, you may request information regarding the purposes of processing, the categories of personal data, the categories of recipients to whom your data has been or will be disclosed, the planned retention period, the existence of a right to rectification, erasure, restriction of processing, or objection; the existence of a right to lodge a complaint; the origin of your data, if it was not collected by us; and the existence of automated decision-making, including profiling, and, where applicable, meaningful information regarding its details;
  • (ii)pursuant to Article 16 of the GDPR,to request, without delay, therectificationof inaccurate personal data or the completion of your personal data stored by us;
  • (iii)pursuant to Article 17 of the GDPR,to request, under certain circumstances, theerasure ofyour personal data stored by us, unless the processing is necessary for the exercise of the right to freedom of expression and information, to comply with a legal obligation, for reasons of public interest, or to assert, exercise, or defend legal claims;
  • (iv)pursuant to Article 18 of the GDPR,the requestthe(temporary)restriction of the processingof your personal data if you contest the accuracy of the data, if the processing is unlawful but you oppose its erasure, if we no longer need the data but you need it to assert, exercise, or defend legal claims, or if you have objected to the processing pursuant to Article 21 of the GDPR;
  • (v)pursuant to Article 20 of the GDPR,to receive from us the personal data you have provided to us in a structured, commonly used, and machine-readable format, or to request that we transmit such data directly to another controller; however, this applies only to those personal data that we process using automated means based on your consent or a contract;
  • (vi)pursuant to Article 21 of the GDPR,if your personal data is processed on the basis of our legitimate interest, toobjectto the processing of your personal data, provided there are grounds arising from your particular situation or the objection is directed against direct marketing. In the latter case, you have a general right to object, which we will honor without requiring you to specify a particular situation;
  • (vii) towithdraw your consent, once given, at any timein accordance with Article 7(3) of the GDPR.As a result, we may no longer continue processing data that was based on this consent in the future. Among other things, you have the option to withdraw your consent to the use of cookies on our website, effective for the future, by adjusting our cookie settings ;
  • (viii) tolodge a complaint with a supervisory authoritypursuant to Article 77 of the GDPRregarding our unlawful processing of your data. As a general rule, you may contact the supervisory authority in your usual place of residence, your place of work, or the location of our company headquarters.

The competent supervisory authority for Hotel Opernring Betriebsgesellschaft m.b.H. is:

Austrian Data Protection Authority
Barichgasse 40-42, 1030 Vienna, Austria
Tel.: +43 1 52 152-0, dsb@dsb.gv.at

Exercising the Rights of Data Subjects

You decide how your personal data is used. Therefore, if you wish to exercise any of the rights listed above with us, please feel free to contact us by email at office@o11-hotel.com or by mail or phone.

Please help us clarify your request by answering questions from our staff regarding the specific processing of your personal data. If we have reasonable doubts about your identity, we may ask you to provide a copy of your ID.

If you have any questions regarding data protection, you can reach us at office@o11-hotel.com  or via the other contact details listed in this Privacy Policy.

Vienna, October 6, 2022