1. General information
1.1.Responsibility for the Processing of your Data
The responsible person ("controller" within the meaning of Art. 4 no. 7 GDPR) of the processing of your personal data ("personal data" within the meaning of Art. 4 no. 1 GDPR) is:
Janus Hotelbetriebsgesellschaft mbH
5640 Bad Gastein
Tel.: +43 (6434) 20 37-0
Data protection officer:
We take the protection of personal data seriously and have appointed an external data protection officer for this purpose. Our data protection officer is MMag. Martin Zeppezauer, Thurnbichlweg 50, A-6353 Going am Wilden Kaiser (www.zepedes.com). You can contact our data protection officer at the email address email@example.com.
1.2. Purposes, Categories of Data and Lawfulness of the Processing of Personal Data
Purposes of the processing of personal data
The purposes of processing your personal data generally result from our business activities as a hotel: making our online offers available, processing customer inquiries, bookings, ordering / purchasing third-party services, accounting, communication with business partners and customers. Detailed information on the purposes of processing and, if necessary, further processing for other compatible purposes as well as the processed data categories can be found in the detailed descriptions of the individual data processing processes.
General categories of data
- Personal master data (e.g. name, date of birth and age, address)
- Contact details (e.g. email address, telephone number, fax number)
- Communication data (time and content of communication)
- Order or booking data (e.g. ordered goods or commissioned services and invoice data such as service period, payment method, invoice date, tax identification number ...)
- Payment details (e.g. account number, credit card details)
- Contract data (content of contracts of any kind)
- Web usage data (e.g. server data, log files and cookies)
- Identification numbers (e.g. identity card number, vehicle registration number ...)
- Video surveillance images
Processing of special categories of personal dataaccording to Art. 9 GDPR
- Health data (only if you have given us your explicit consent to process your order (e.g. mediation of a hotel specializing in guests with food intolerances or allergies))
Lawfulness of the processing of personal data
There is basically no obligation to provide the data for the data processing described in this data protection declaration. Failure to provide this data simply means that we cannot offer these services. The legal basis for the processing of your personal data, which is necessary for the fulfilment of a contract with you or an order from you to us, is Art. 6 (1) lit. b GDPR. Insofar as the processing of personal data is necessary on our part to fulfil a legal obligation (accounting obligation, bookkeeping obligation or other legal documentation obligations), Art. 6 (1) lit. c GDPR serves as the legal basis. If processing is necessary to safeguard a legitimate interest of our company or a third party and your interests, fundamental rights and freedoms do not outweigh our interests, Art. 6 (1) lit. f GDPR ("legitimate interest") serves as the legal basis for processing. In this case, we will also inform you about our legitimate interests. Unless we have any other legal basis explained above for the processing of personal data, we will ask for your consent to data processing, whereby in these cases we refer to Art. 6 (1) lit. a GDPR or in the case of the processing of special categories of data based on Art. 9 (2) lit. a GDPR as the legal basis. You can revoke this consent at any time free of charge without affecting the legality of the processing carried out on the basis of the consent until the revocation.
1.3. Transfers of Personal Data to Data Processors and Third Parties
We process your personal data with the support of data processors who support us in providing our services. These data processors are through a corresponding agreement within the meaning of Art. 28 GDPR with us obliged to strictly protect your personal data and may not process your personal data for any purpose other than to provide our services. You can find out which data processors are involved in the detailed descriptions of the individual data processing processes.
Your personal data will be passed on to companies other than our data processors to typical economic service providers such as banks, tax consultants or auditors. Transfer of personal data to state institutions and authorities only takes place within the framework of mandatory national legal provisions.
Depending on your order (e.g. for bookings and inquiries), your personal data will only be transmitted to other tourist service providers (members of our organization) to the extent necessary to fulfil your order. The transmitted personal data vary depending on the service.
1.4. Transfers of Personal Data to Third Countries or International Organisations
In principle, we process your personal data in the EU. If we process data in a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA)) or if we use the services of our data processors or third parties, this will only take place if the requirements of Art. 44 ff. GDPR are available for the transfer to third countries: i.e. on the basis of special guarantees, such as the officially recognized determination of a data protection level corresponding to the EU or in compliance with officially recognized contractual obligations, the so-called "EU standard contractual clauses". If we rely on the EU standard contractual clauses as the legal basis for the transmission of your personal data, we will also check the admissibility of this data transmission as part of a comprehensive risk assessment. If we come to a negative result, we will not transfer these data without your explicit consent in accordance with Art. 49 (1) lit. a and Art. 6 (1) lit. a GDPR to a third country.
Data transfer to the USA
Through the services integrated in this website, Google Tag Manager, Google Analytics, Google Remarketing, Google Fonts and YouTube, your data will (at least in some cases) also be transferred to the USA. Authorities or secret services in the USA can access your data without giving you legal recourse. The ECJ has therefore determined that there is no sufficient level of data protection in the sense of Art. 44 to 50 GDPR for data transfers from the EU to the USA. For this reason, the legal basis for the use of this service is your express consent pursuant to Art. 49 (1) lit. a GDPR.
1.5. Data Erasure and Period of Data Storage
Your personal data will be deleted by us as soon as the purpose for which we collected your data no longer applies. Storage can also take place if we process the data for a purpose that is compatible with the original purpose. It can also take place if this is provided for by laws, ordinances or other provisions to which our company is subject.
1.6. Data Sources
We only collect your personal data from you and do not use any other data sources.
We do not use any automated decision-making or profiling processes that have a legal effect on you or that significantly affect you in a similar manner. With your consent, however, we will use your usage data to get to know your interests better and thus to be able to display information of interest to you or to be able to make you tailor-made offers or to be able to display corresponding information to you on third-party websites or social media platforms.
1.8. Safeguarding your Data Protection Rights
In principle, you have the right to information, correction, deletion and restriction of the processing of personal data in accordance with the GDPR. If the legal basis for the processing of your personal data is your consent or a contract concluded with you, you also have the right to data portability. You have the right to revoke any consent you may have given to the processing of your personal data. The lawfulness of the processing of your personal data up to the time of revocation is not affected by this. You have the right to object to the processing of your personal data for the purpose of direct marketing. In the event of an objection, your personal data will no longer be processed for the purpose of direct marketing. A detailed explanation of these rights can be found here in Chapter III.
Right of complaint
If you believe that the processing of your data violates data protection law or your data protection claims have otherwise been violated in any way, you can complain to the competent supervisory authority. In Austria, this is the data protection authority (Wickenburggasse 8, 1080 Vienna, email: firstname.lastname@example.org).
2. Visiting our Website
In this section we inform you how we process your personal data when you visit our website.
2.1. Presentation of the Website
For technical reasons, based on the legal basis of § 165 (3) S 3 TKG 2021 (required for the operation of our website), the following data, which your internet browser transmits to us or to our web space provider, will be processed (so-called "server log files"):
- Browser type and version
- Operating system and device type used (e.g. desktop / mobile)
- Website from which you are visiting us (referrer URL)
- Website you visit
- Date and time of your access
- Your internet protocol address (IP address)
This data, which is anonymous to us, is stored separately from any personal data you may have provided and therefore does not allow us to draw any conclusions about a specific person. They are evaluated for statistical purposes in order to be able to optimize our website and our offers.
SSL or TLS encryption
For security reasons and to protect the transmission of confidential content, such as B. Orders or inquiries that you send to us as the website operator, an SSL or TLS encryption. You can recognize an encrypted connection by the fact that the address line of the browser changes from "http: //" to "https: //" or by the lock symbol in your browser line. If the SSL or TLS encryption is activated, the data that you transmit to us cannot be read by third parties.
Technical service providers
We create and edit the content of our website with the help of the following service provider. With this service provider we have concluded a corresponding agreement according to Art. 28 GDPR to process your data exclusively to the extent of our order:
- Tandem GmbH (Landseestraße 17, A-6020 Innsbruck)
Cookie Banner - Cookies on our website
Data transfer to the USA
Through the services integrated in this website, Google Tag Manager, Google Analytics, Google Remarketing, Google Fonts und YouTube, your data will (at least in some cases) also be transferred to the USA. Authorities or secret services in the USA can access your data without giving you legal recourse. The ECJ has therefore determined that there is no sufficient level of data protection in the sense of Art. 44 to 50 GDPR for data transfers from the EU to the USA. For this reason, the legal basis for the use of this service is your express consent pursuant to Art. 49 (1) lit. a GDPR.
Change the cookie settings in your web browser
How the web browser you are using handles cookies, i.e. which cookies are allowed or rejected, can be determined in the settings of your web browser. You can delete cookies already stored on your computer / device yourself at any time. Where exactly these settings are located depends on the respective web browser. Detailed information on this can be called up using the help function of the respective web browser.
In addition, it is possible to generally object to cookies and similar tracking technologies using the services listed below by setting your individual preferences - which technologies you want to allow for usage and interest-based advertising:
- European Interactive Digital Advertising Alliance (EDAA):
- Network Advertising Initiative (NAI):
2.3. Communication with us
Contact form and email
On our website, we offer you the option of contacting us by email and / or using a contact form. In this case, the information you provide will be processed for the purpose of processing your contact based on the legal basis of contract fulfilment in accordance with Art. 6 (1) lit. b GDPR. There is no legal or contractual obligation to provide this personal data. Failure to provide it simply means that you do not submit your request and we cannot process it. The data will only be passed on to third parties if this is stated on the website or in this data protection declaration or is necessary for the fulfilment of the contract or if this is required by statutory provisions. We only save your data for as long as is expedient for processing your inquiries or for any queries you may have.
2.4. Online Shop (s) / Booking Portal (s)
For the purpose of providing contractual services as well as their payment and execution in the context of online purchases, bookings and prospectus orders, we process your personal master data, contract and payment data and communication data (IP address and server log files) on the basis of the legal bases of Art. 6 (1) lit. b GDPR (fulfilment of the contract) as well as Art. 6 (1) lit. c GDPR (legal obligation for invoicing and archiving).
We store this data as long as the purpose requires it, statutory provisions provide for this (retention period of invoices according to § 132 BAO for 7 years; voucher orders until the expiry of the redemption period for 30 years) or we store this data on the basis of the legal basis of Art. 6 (1) lit. f GDPR (legitimate interest) to defend against possible liability claims. If you cancel the order process, we will save the data to clarify possible problems during the order process for 14 days.
There is no legal or contractual obligation to provide personal data. Failure to provide them simply means that we cannot process your bookings / orders.
"Bookvisit" online bookings
For the processing of online bookings, we process your personal data in order to be able to provide you with the booked services with the help of our service provider BookVisit™ Sweden (Kungsgatan 34-36, 411 19 Gothenburg, Sweden). For this purpose, we store and process inventory data, communication data, contract data, payment data of our customers, interested parties and other business partners. The processing takes place for the purpose of providing contractual services or for the fulfilment of pre-contractual services on the legal basis of Art. 6 (1) lit. b GDPR (booking processes, answering requests for quotations and sending brochures) and Art. 6 (1) lit. c GDPR (legally required retention periods of bookings or invoices). For this purpose, the data fields marked as required are required for the establishment and fulfilment of the contract. We disclose your personal data in the context of this data processing to third parties (other tourist service providers) on the legal basis of Art. 6 (1) lit. b GDPR (if it is necessary for the processing of a booking process), or on the basis of our legitimate interest according to Art. 6 (1) lit. f GDPR for the use of appropriate booking software. We have concluded a corresponding agreement with the company BookVisit™ Sweden in accordance with Art. 28 GDPR as a data processor, which ensures that your data is processed exclusively within the scope of our order. Further information on the data protection of BookVisit™ Sweden can be found at: https://www.visitgroup.com/cookie-policy.
The Fork Tischreservierungen
For the processing of table reservations in our restaurants, we process your personal data in order to be able to provide you with the booked restaurant seats with the help of the table reservation program "The Fork" of our service provider La Fourchette SAS (70, rue Saint-Lazare, 75009 Paris, France). For this purpose, we store and process your name and email address as well as information about your table reservation. The processing takes place for the purpose of providing contractual services or for the fulfilment of pre-contractual services on the legal basis of Art. 6 (1) lit. b GDPR. For this purpose, the data fields marked as required are required for the establishment and fulfilment of the contract. We disclose your personal data in the context of this data processing to our service provider La Fourchette SAS on the basis of our legitimate interest according to Art. 6 (1) lit. f GDPR for the use of appropriate booking software. We have concluded a corresponding agreement with the company La Fourchette SAS in accordance with Art. 28 GDPR as a data processor, which ensures that your data is processed exclusively within the scope of our order. Further information on the data protection of La Fourchette SAS can be found at: https://www.thefork.at/legal#datenschutzerklarung-und-cookie-richtlinien.
External payment service providers
To pay for the order processes / bookings, we use external payment service providers on the legal basis of Art. 6 (1) lit. b GDPR (fulfilment of the contract), via whose platforms you can make your payments. The payment data entered by you as part of the order (e.g. account numbers, credit card numbers including check digits, passwords / TANs, etc.) are processed exclusively by our payment service providers and are not visible to us. We only receive a confirmation of the payment made or information from our payment service providers that the payment could not be made. Further information on the data protection and terms and conditions of our payment service providers can be found at:
- Six Payment Services, Zweigniederlassung Österreich, Marxergasse 1B, A-1030 Wien
Tel. +43 1 717 01 – 0
2.5. Web Analysis - Statistical Analyses of our Website
Google Tag Manager
We use the service of the provider Google Ireland Limited ("Google") (Gordon House, Barrow Street, Dublin 4, Ireland) to be able to manage website tags via a common tool of Google. The Google Tag Manager tool itself (which implements the tags) is a domain that does not set cookies and does not collect any other personal data. The tool triggers other tags, which in turn may collect data. Google Tag Manager does not access this data. If a deactivation has been made at the domain or cookie level, it will remain in place for all tracking tags implemented with Google Tag Manager. Further information on Google's data protection can be found at: https://policies.google.com/privacy?hl=en-GB.
Google Ads Conversion Tracking
On the legal basis of your consent pursuant to Art. 6 (1) lit. a GDPR, our website uses the functions of "Google Analytics Remarketing" in conjunction with the cross-device functions of Google AdWords and Google DoubleClick. The provider is Google Ireland Ltd. (Gordon House, Barrow Street, Dublin 4, Ireland). This feature makes it possible to link the advertising target groups created with Google Analytics Remarketing with the cross-device functions of Google AdWords and Google DoubleClick. In this way, interest-based, personalized advertising messages that have been adapted to you depending on your previous usage and surfing behavior on one device (e.g. mobile phone) can also be displayed on another of your devices (e.g. tablet or PC). If you have given your consent, Google will link your web and app browsing history to your Google Account for this purpose. In this way, the same personalized advertising messages can be displayed on every device on which you sign in with your Google Account. To support this feature, Google Analytics collects Google-authenticated user IDs, which are temporarily linked to our Google Analytics data to define and create audiences for cross-device advertising. You can permanently object to cross-device remarketing/targeting by deactivating personalized advertising in your Google Account; follow this link here: https://www.google.com/settings/ads/onweb/. The summary of the collected data in your Google Account takes place exclusively on the basis of your consent, which you can give or revoke with Google (Art. 6 (1) lit. a GDPR). Further information on Google's data protection can be found at: https://www.google.com/policies/privacy/
2.7. Integration of other Third-Party Services and Content
We integrate content or functions of third parties within our website. This always presupposes that the providers of this content or functions perceive the IP address of the users. Without the IP address, they would not be able to send the content to the browser of the respective user. The IP address is therefore required for the presentation of this content. We endeavor to use only such content whose respective providers use the IP address only for the delivery of the content. However, we have no influence on whether the third-party providers store the IP address, e.g. for statistical purposes. The legal basis for the use of these services, insofar as they are necessary for the functioning of our website, is our legitimate interest in accordance with Art. 6 (1) lit. f GDPR, otherwise your consent according to Art. 6 (1) lit a GDPR. Information on the purpose and scope of the further processing and use of the data by the providers of the embedded services/content as well as further information within the meaning of the Art. 13 and 14 GDPR can be found under the information links listed below. The following services/content are embedded in our website:
3. Other Data Processing in Business and Customer Contact
In this section we inform you about other data processing processes outside our website.
3.1. Job Applications
The contact data and application documents transmitted to us in the course of a job application will be processed by us exclusively internally for the purpose of selecting suitable candidates for an employment relationship. There is no legal or contractual obligation to provide the personal data. Failure to do so will only result in you not submitting your request and we will not be able to process it. The personal data transmitted in this way will be stored by us in accordance with the statutory provisions for a maximum of 6 months, in the case of the explicit consent of the applicant to keep the documents in evidence, for a maximum of 2 years.
3.2. Online Presence in Social-Media
In addition to our website, we maintain online presences within social networks and platforms: Facebook and YouTube in order to communicate with customers and business partners and to connect to them via these networks to be able to inform about our services. When accessing the respective networks and platforms, the terms and conditions and the data protection guidelines of the respective operators of these networks apply.
3.3. Video Surveillance
For the purpose of protecting our property and for the purpose of preventing or clearing up behaviour that is relevant to criminal law, we have installed video surveillance in the reception / checkout area of ??our information office and marked it accordingly. These surveillance images are only evaluated in case of incident and, provided there is no suspicion, are stored for a maximum of 72 hours and are then automatically deleted. If necessary, the data will be stored for the duration of the process. The legal basis for this data processing is our legitimate interest in the protection of our property in accordance with Art. 6 (1) lit. f GDPR. There is no right to object to the processing of this data and no right to data portability.
3.4. Guest registration data
As the owner of an accommodation facility, we are acc. § 10 (1) Meldegesetz obliged to keep a register of guests accommodated with us (guest directory), from which the data according to § 5 (1) and (3) Meldegesetz as well as the date of arrival and departure can be seen. This concerns the following data: name, date of birth, gender, nationality, country of origin and address including postal code as well as the date of arrival and departure. For foreign guests, we are also obliged to record the type, number, date of issue and the issuing authority of the travel document. The legal basis for the processing of these data is our legal obligation pursuant to Art. 6 (1) lit. c GDPR. These data (guest directory) are mandatory for us to keep for a period of seven years from the date of registration in accordance with § 10 (2) Meldegesetz. Therefore, there is neither a right of objection on your part, nor a right to erasure or a right to restriction of processing (see point "Safeguarding your data protection rights" in this data protection declaration). Likewise, we are acc. § 6 Tourismus-Statistik-Verordnung obliged to forward data on arrival, departure and country of origin to the municipality (mayor as the competent registration authority) in which our accommodation facility is located. The guest directory is managed electronically by us. The IT service provider feratel Media Technologies AG (Maria-Theresien-Straße 8, A-6020 Innsbruck) used for this purpose is obliged as a processor in accordance with Art. 28 GDPR to process your data exclusively within the scope of the order (maintenance of the electronic guest directory). Your guest registration data will only be processed in the EU, a transfer to a third country does not take place.
3.5. Guest Card
For the period of your stay with us, you have the opportunity to take advantage of a guest card with discounts and/or completely free services. We will only issue this guest card at your request via the guest card system used by our local/regional tourism organisation (Gasteinertal Tourismus GmbH (Tauernplatz 1, 5630 Bad Hofgastein)) in the form of an electronically generated guest. For this purpose, the following data from our guest registration data system are used: first name, last name, date of birth, period of stay as well as country of origin and postal code. When using the guest card, additional data about the use (which offers were used when and by whom) are processed. This is necessary for the service provider in order to check the legitimacy for the use of the reduced/free services. In addition, this data is required to enable the billing of the services between the service providers the local/regional tourism organization. Recipients of your guest card data are therefore the local/regional tourism organization, the service providers and we as your accommodation provider. The IT service provider of the electronic guest card system feratel Media Technologies AG (Maria-Theresien-Straße 8, A-6020 Innsbruck) is obliged as a processor in accordance with Art. 28 GDPR to process your data exclusively within the scope of the order (issuing of electronic guest card, verification of legitimation and documentation for clearing purposes). The legal basis for the processing of these data is your consent acc. Art. 6 (1) lit. a GDPR. You can revoke this consent free of cost at any time orally or in writing (e-mail to us) without affecting the legality of the processing carried out on the basis of the consent until the revocation. The data remains stored in the guest card system for a maximum of 3 years on the basis of our legitimate interest in accordance with Art. 6 (1) lit. f GDPR (for billing purposes and to defend against possible liability claims).
3.6. Guest/Visitor WiFi
We offer freely accessible visitor Wi-Fi in our hotels. In order to provide the services of the hotspot for you, the use of personal data of your end device is required. In this context, the MAC addresses (Media Access Control Address) of end devices may also be stored temporarily. Furthermore, we may store log data ("log files") about the type and scope of use of the services for 7 days. This data cannot be assigned directly to your person, but directly to your used device and thus also indirectly to your person. To provide this offer, we use the services of Elektro Gassner (Martin-Lodinger-Straße 12, 5630 Bad Hofgastein) as our data processor. We have concluded a corresponding agreement with our processor in accordance with Art. 28 GDPR, which ensures that your data is processed exclusively within the scope of our order.