1.1 This data protection information applies to the processing of all personal data in the following organisations:
i. Tourism Association Pyhrn-Priel - Bad Hall - Steyr and the National Park Region, Tourism Association within the meaning of the Upper Austrian Tourism Act
ii. Pyhrn-Priel Tourismus GmbH, FN 216132t, LG Steyr
iii. Touristische Freizeiteinrichtungen Pyhrn-Priel GmbH, FN 237954h, LG Steyr
as well as any other legal entities founded or acquired in the future that are majority-owned by the aforementioned organisations (hereinafter all "BTS-Tourismus").
Contact details for enquiries / cancellations:
BTS-Tourismus
Bahnhofstraße 2, 4580 Windischgarsten
Fax: +43(0) 7562 5266-10 / E-Mail: info@pyhrn-priel.net
1.2 The protection of personal data and compliance with the relevant data protection regulations - currently Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation - "GDPR") and the Data Protection Act 2018, as amended ("DSG 2018"), as well as the legal acts adopted on the basis thereof - have the highest priority at BTS-Tourismus. In accordance with Articles 12 and 13 GDPR, this data protection information provides an overview of which data is processed by BTS-Tourismus for which purposes and how BTS-Tourismus guarantees the protection of this data.
1.3 This data protection information can be accessed electronically at any time on the website www.urlaubsregion-pyhn-priel.at/datenschutz, printed out, downloaded and saved on a storage medium.
1.4 The terms used in this data protection information are to be understood as defined in Art 4 GDPR.
2.1 The controller within the meaning of Article 4(7) GDPR is the organisation listed in point 1.1. that decides on the purposes and means of processing personal data, i.e. is the contractual partner, carries out pre-contractual measures or is subject to the legal obligation to process data. The websitewww.urlaubsregion-pyhrn-priel.at ("website") is operated by Pyhrn-Priel Tourismus GmbH, which means that only Pyhrn-Priel Tourismus GmbH is responsible for all data processing relating to the website. The websiteswww.bergethermestadt.at, www.badhall.at and www.steyr-nationalpark.at ("website") are operated by the Pyhrn-Priel - Bad Hall - Steyr Tourist Board and the National Park Region, meaning that only the latter is responsible for all data processing relating to the website. If the responsibility for data processing between the organisations listed under point 1.1. is unclear, Pyhrn-Priel Tourismus GmbH is responsible in case of doubt. Joint responsibility of several organisations in accordance with point 1.1. only exists if and insofar as they jointly decide on the purposes and means of processing personal data.
2.2 The data protection officer of the organisations listed in point 1.1. is
KPMG Security Services GmbH
FN 356786k, HG Wien
Zweigniederlassung Linz, Kudlichstraße 41, 4020 Linz
E-Mail: D SBA-pyh rn-priel@kpmg.at
3.1 BTS-Tourismus processes (see Art 4 Z 2 GDPR) personal data ("data") of natural persons ("data subjects" or individually gender-neutral "data subject") within the meaning of Art 4 Z 1 GDPR.
3.2 The term data subject includes all categories of data subjects affected by data processing. These include in particular members, employees, job applicants, interested parties and contact persons, customers and other contractual partners of BTS-Tourismus (such as in particular suppliers, subcontractors and consultants) as well as their contact persons and users of the online services of BTS-Tourismus (see further point 4.).
3.3 BTS-Tourismus processes data only in compliance with the principles laid down in Art 5 ff GDPR and only if at least one lawfulness condition pursuant to Art 6 (1) GDPR is met. The purpose and duration of processing as well as the legal basis for data processing are regulated by category in point 4.
3.4 BTS-Tourismus also processes special categories of personal data within the meaning of Art. 9 para. 1 GDPR ("sensitive data"). BTS-Tourismus only processes sensitive data if a case of Art 9 para 2 GDPR exists, in particular if this is necessary due to labour and social law regulations (Art 9 para 2 lit b) leg cit) or if this data is voluntarily provided or disclosed by the data subject (e.g. in CVs of job applicants) (Art 9 para 2 lit a) and e) leg cit).
3.5 If necessary, i.e. if no other lawfulness condition listed in Art 6 (1) GDPR or - in the case of sensitive data - no other case of Art 9 (2) GDPR exists (or as a precautionary measure in addition thereto), BTS-Tourismus will obtain the consent of the data subjects. If data subjects voluntarily disclose data not required by BTS-Tourismus, they will not be "collected" by BTS-Tourismus and the data subject thereby gives their express consent to the processing of this data by BTS-Tourismus. Data subjects have the right to revoke any consent given in whole or in part at any time. The revocation must be addressed to BTS-Tourismus (contact details see point 1.1.). Although the revocation of consent is not bound to any particular form, it is recommended to declare the revocation in text form (e.g. letter, e-mail or fax) for verification purposes. The withdrawal of consent does not affect the processing of data on the basis of other conditions pursuant to Art. 6 para. 1 GDPR or other cases pursuant to Art. 9 para. 2 GDPR or the lawfulness of the processing carried out on the basis of the consent until the withdrawal.
3.6 BTS-Tourismus will also only disclose, transfer or pass on data if at least one of the lawfulness conditions listed in Art. 6 para. 1 GDPR or - in the case of sensitive data - a case of Art. 9 para. 2 GDPR exists. The categories of recipients to whom BTS-Tourismus passes on data are - apart from the recipients listed by category in point 4 - in particular the processors pursuant to Art 28 GDPR, authorities and courts and, in the case of debt collection measures, debt collection agencies and lawyers. BTS-Tourismus does not transfer any data to recipients in a non-EU member state or to international organisations without consent. Within the BTS-Tourismus company, the organisational units and employees receive the data they need to fulfil their duties.
3.7 Automated decision-making ("profiling") does not take place at BTS-Tourismus.
4.1 Processing of data within the framework of the Pyhrn-Priel - Bad Hall - Steyr Tourist Board and the National Park Region
BTS-Tourismus collects and processes data of the members of the Pyhrn-Priel - Bad Hall - Steyr Tourist Board and the National Park Region and of their executive bodies and, if necessary, of persons attributable to them (employees) on the basis of Art 6 para 1 lit b) (fulfilment of a contract) and c) (fulfilment of a legal obligation) GDPR.
4.2. Processing of data when expressing interest in offers from BTS-Tourismus and when contacting BTS-Tourismus
When expressing interest in offers from BTS-Tourismus and when contacting BTS-Tourismus, data from those interested in offers from BTS-Tourismus and from those contacting BTS-Tourismus are processed.BTS-Tourismus and of those making contact (in particular via the website) are processed on the basis of Art. 6 (1) (b) GDPR (implementation of pre-contractual measures) for the purpose of sending targeted offers and processing enquiries. The following data categories are processed: Access data, master data, contact data and correspondence/communication/content data. In order to process the offer or enquiry and to answer any follow-up questions, the data of interested parties and contacting persons will be stored for a period of six months from the date of the enquiry or contact and then deleted.
4.3. Processing of data when ordering and performing contractual services
When ordering and performing contractual services, BTS-Tourismus collects and processes the data necessary for the purpose of fulfilling the contract, in particular access, master, contact, correspondence/communication/content, order/contract, invoice and bank/account/payment data, depending on the type of legal relationship, on the basis of Art6(1)(b) GDPR and the data that must be collected in accordance with the applicable legal provisions (also) on the basis of Art. 6(1)(c) GDPR.The data is processed and stored for as long as this is necessary for the fulfilment of the contractual relationship (including post-contractual obligations) and for legal (in particular VAT) reasons. Insofar as this is necessary for the purpose of fulfilling the contract, customer data is also passed on to the vicarious agents and consultants of BTS-Tourismus involved in the processing of the contractual relationship on the basis of Art. 6 para. 1 lit. b) GDPR.
4.4. Processing of data when purchasing Pyhrn-Priel-Cards
BTS-Tourismus also processes the data provided when ordering Pyhrn-Priel-Cards on the basis of Art. 6 para. 1 litb) GDPR, BTS-Tourismus also processes the data requested when ordering a Pyhrn-Priel Card and required for the provision of services or card use, as well as other data voluntarily provided by the data subject to optimise the service (depending on the type of card, in particular master, contact and bank/account/payment data as well as place/destination, date/period and scope of the services offered or used). Data required for the fulfilment of the contract or provision of services will be marked accordingly during the ordering process. The data on which the Pyhrn-Priel-Cards are based will be stored for the period of validity of the respective card, otherwise for a maximum of 48 months and then deleted.
4.5 Processing of data when visiting the website
When visiting the website, necessary (technical) data (access data within the meaning of point 7. and cookies within the meaning of point 8.) of the website visitors for the operation, security and optimisation of the website are collected and processed on the basis of the legitimate interests of BTS-Tourismus in accordance with Art 6 para 1 lit f) GDPR (see further points 7. and 8.).
4.6 Data processing when using online platforms
BTS-Tourismus operates a platform on the website through which interested parties can access information and documents on offers in the Pyhrn-Priel - Bad Hall - Steyr region and the National Park region online and book excursions and/or stays in the region online with external service providers. The data collected from the person concerned in the course of the booking process, such as in particular the number of persons, first and last name, address/address, country, date of birth, e-mail address, telephone number, arrival/departure dates, other information on the excursion/stay and payment information, are processed in the "feratelDeskline® WebClient" system to process the booking. However, BTS-Tourismus only provides the platform free of charge and without obligation and does not enter into any contractual relationship with the interested party. Any contracts are concluded exclusively between the interested party and the external service provider. BTS-Tourismus therefore collects the data required for the booking via the system on the basis of its legitimate interests in accordance with Art. 6 (1) (f) GDPR (in particular its interest in promoting and supporting regional companies) and makes the booking data available to the external service provider via the system. Mandatory data is labelled accordingly during the booking process. Payment transactions are always encrypted.
4.7 Processing of data of job applicants
BTS-Tourismus processes applicant data - in particular master data, contact data, correspondence/communication/content data and other data provided by the applicant in their application - on the basis of Art 6 para 1 lit b) GDPR (implementation of pre-contractual measures). If an (online) form is provided for applications, the data required for the assessment of the application will be marked accordingly. Sensitive data voluntarily provided by the job applicant in their application will be processed on the basis of Art 9 para 2 lit a) GDPR. BTS-Tourismus processes and stores this data - subject to a (pending, announced or imminent) legal dispute - for a period of six months from receipt of the application.
4.8. Processing of employee data
Furthermore, data such as master data, contact data, correspondence/communication/content data, contract data, personnel administration data and payroll data are processed on a (labour) contractual and legal basis (Art. 6 para. 1 lit. b) and c) GDPR),personnel administration and payroll data, as well as, on the basis of Art 9 para 2 lit a) and lit c) GDPR, sensitive data voluntarily provided by employees and required under labour and social law regulations (such as sick notes). For the purpose of contacting customers and contractual partners, professional contact details and portrait photos of employees may be published on the website on the basis of BTS-Tourismus's legitimate interest in smooth business operations in accordance with Art. 6 para. 1 lit. f) GDPR and § 12 para. 2 no. 4 DSG 2018.
4.9 Processing of data for the purpose of direct advertising
If BTS-Tourismus receives the email address of data subjects in connection with a sale or the provision of a service, it is authorised to send direct advertising by email in the form of information and mailings for its own or similar products and services on the basis of its legitimate interest in accordance with Art. 6 para. 1 lit. f) GDPR. Data subjects have the right to object to the processing of data concerning them for the purpose of such advertising at any time (in particular also during the transmission of e-mails) (see point 15.8.).
4.10. Processing of data when sending email newsletters
If BTS-Tourismus sends email newsletters, it collects and processes the email address of subscribers to email newsletters only on the basis of consent in accordance with Art 6(1)(a) GDPR and stores it until the subscribers have unsubscribed or withdrawn their consent (see points 12. and 15.10.).
4.11. Processing of data Digital holiday companion (hereinafter referred to as "Franzi")
In order to use Franzi, it is possible to register and create a profile via a terminal device (e.g. smartphone, PC) on the respective Progressive Web App (abbreviated PWA) of Franzi of BTS-Tourismus. Once registered or identified, the customer can use Franzi's services. In order to use the information services and receive service offers from BTS-Tourismus, it is necessary to register by providing an e-mail address.
In this context, BTS-Tourismus collects the following data: Name, e-mail address, residential address, date of birth, insofar as this is necessary for the use of Franzi's offers or the recording of registration data. In addition, data is collected as described in point 8 of this privacy policy.
BTS-Tourismus processes the data collected via Franzi only on the basis of consent within the meaning of Art 6 para 1 lit a) GDPR, also for the purpose of advertising your data for the purpose of advertising the products offered by BTS-Tourismus or in the region through marketing campaigns of various kinds (e.g. sending newsletters by e-mail, sending messages in Franzi's PWA).
Your data will only be passed on to third parties if this is necessary for the purpose of processing the guest registration.
If the above-mentioned data is changed and/or supplemented in the course of registration or by you, this supplemented/changed data will also be stored and processed by BTS-Tourismus.
As things stand at present, no cookies that are not absolutely necessary for the operation or functioning of Franzi are used. If (in the future) cookies are also used that are not absolutely necessary for this purpose, they will only be used on the basis of consent in accordance with Art. 6 para. 1 lit a) GDPR, which can be given by actively clicking on a tick box. Otherwise, point 8 applies.
4.12. Processing of data when purchasing an employee card
BTS-Tourismus also processes the data requested when ordering an employee card and absolutely necessary for the provision of services or card use, as well as other data voluntarily provided by the data subject for service optimisation (depending on the type of card, in particular master, contact and bank/account/payment data as well as place/destination, date/period and scope of the services offered or used) on the basis of Art. 6 para. 1 lit. b) GDPR. Data required for the fulfilment of the contract or provision of services will be marked accordingly during the ordering process. The data on which the employee card is based will be stored for the period of validity of the respective card, otherwise for a maximum of 48 months and then deleted.
BTS-Tourismus does not process any data that is not collected from the data subjects themselves, with the exception of necessary technical access data in accordance with point 7. when accessing the website and data collected by necessary cookies in accordance with point 8.
6.1 BTS-Tourismus does not process and store data permanently, but only in accordance with the periods prescribed in the applicable legal provisions, but in any case for as long as is necessary for the purposes for which the data was collected. BTS-Tourismus stores data in a form that enables the identification of data subjects only for as long as is necessary for the purposes for which they are processed.
6.2 If it is possible to specify a retention or storage period for data, this is regulated by category in point 4. In the case of existing contractual relationships, the corresponding data - subject to other legal bases that permit data processing beyond this - will be processed and stored for as long as is necessary for the fulfilment of the contractual relationships (including post-contractual obligations).
6.3 If data is only processed on the basis of consent (see point 3.5.), this data will be deleted immediately following withdrawal of consent by the data subject in accordance with Art. 7 para. 3 GDPR and will not be processed (any further). The same applies in the event of a justified objection pursuant to Art 21 GDPR, if data is only processed on the basis of a legitimate interest pursuant to Art 6 para 1 lit f) GDPR.
7.1 Persons can visit the website without providing any personal data. BTS-Tourismus (specifically the controller: Pyhrn-Priel Tourismus GmbH) only collects and processes data of a technical nature about every access to the website in the course of operating its website, which is processed automatically when the website is accessed and which is considered personal data or could be used to identify the person or personal data of data subjects and which is stored in so-called server log files ("access data"). This includes the IP address, unique device identification, type and version of the operating system and browser, file name and path, type of transmission protocol, date and time of access, bytes transferred, referrer URL (previously visited page) and the requesting provider.
7.2 However, BTS-Tourismus does not process this access data for the purpose of identifying the person or determining other personal data of the data subject, but exclusively for the purpose of operation, needs-based design, adaptation, improvement, maintenance, optimisation and further development of the website (including functions, services, modules and features) as well as for error detection and correction, to maintain system security and - if web analysis tools are used - for the purpose of internal statistical evaluation, without drawing conclusions about the person of the data subject. There is also no profiling.
7.3 The provision, maintenance and administration of the web server is carried out by the processor TTG Tourismus Technologie GmbH, Freistädter Straße 119, 4041 Linz.
8.1 Cookies are files that are stored locally in the cache of the website visitor's Internet browser and are used in particular to offer additional functions on the website, to make it more user-friendly, effective and secure by recognising the accessing Internet browser and by storing temporary files and - if web analysis tools are used - to enable an (anonymised) analysis of the use of the website.
8.2 Cookies that are absolutely necessary for the functioning of the website are used on the basis of the legitimate interests of BTS-Tourismus pursuant to Art 6 para 1 lit f) GDPR in the operation, security and optimisation of the website. Any other cookies are processed on the basis of consent in accordance with Article 6(1)(a) GDPR, which can be given when visiting the website by actively clicking on a tick box. Data subjects have the option of withdrawing their consent at any time by deactivating and/or deleting cookies in the settings of their internet browser and specifying how long they are stored and when they are deleted. The procedure for doing so depends on the Internet browser used by the data subject. However, non-acceptance and deactivation of cookies may result in certain functions and/or content of the websites not working or not working as expected.
8.3 Session cookies are stored temporarily for the duration of access by the data subject and deleted after the browser is closed; persistent cookies remain stored on the data subject's device until they remove them from their browser.
8.4 Purpose of the cookies actually used by us if consent is given:
Technically necessary cookies: These cookies help to make the website usable by enabling basic functions such as page navigation and access to secure websites. Our website cannot function properly without these cookies.
Cookies for analysis purposes: These cookies help us to analyse user behaviour.
Cookies for marketing purposes: These cookies are used to show visitors advertisements of interest across the website, including from third parties.
Personalisation cookies: These cookies are used to show you personalised content relevant to your interests.
The following web analysis tools are used on the website on the basis of consent in accordance with Art. 6 (1) (a) GDPR, which can be given by actively clicking on a tick box when visiting the website.
This website uses functions of the web analysis service Google Analytics. The provider of this service is Google Ireland Limited ("Google") (Gordon House, Barrow Street, Dublin 4, Ireland). The legal basis for the use of this service is your consent in accordance with Art. 6 (1) lit a GDPR. Google Analytics uses cookies that are stored on the website visitor's computer and that enable the use of our website by the website visitor to be analysed. The information generated by the cookie about your use of our website is usually stored on European servers and only in exceptional cases transmitted to a Google server in the USA and stored there. We use Google Analytics with activated IP anonymisation. This means that your IP address is generally truncated by Google within the European Union and only in exceptional cases is the full IP address transmitted to a Google server in the USA and only truncated there. The IP address transmitted by the relevant browser as part of Google Analytics is not merged with other Google data. On our behalf, Google will use the information collected to analyse the use of the website in order to compile reports on website activity. The collection by Google Analytics can be prevented by the site visitor adjusting the cookie settings for this website. The collection and storage of the IP address and the data generated by cookies can also be cancelled at any time with effect for the future. The corresponding browser plugin can be downloaded and installed at the following link: https: //tools.google.com/dlpage/gaoptout. We have concluded a corresponding agreement with the provider of the service in accordance with Art. 28 GDPR as a processor, which ensures that your data is processed exclusively within the scope of our order. Further information on the use of data by Google, setting and objection options, can be found in Google's privacy policy(https://policies.google.com/privacy) and in the settings for the display of advertisements by Google(https://adssettings.google.com/authenticated).
The website uses tracking from Adform A/S, 1. sal. K, Wildersgade 10B, 1408 København, Denmark. Adform uses a cookie to display targeted adverts via the Adform platform. For this purpose, the geographical origin, device type and pages viewed are recorded, but no information identifying individuals.
This website uses the open source web analysis service Matomo, a service of InnoCraft Ltd, 150 Willis St, 6011 Wellington, New Zealand, NZBN 6106769, ("Matomo"). Matomo uses technologies that enable cross-page recognition of the user to analyse user behaviour. Matomo is hosted exclusively on our own servers so that all analysis data remains with us and is not passed on. The IP address is anonymised before storage (shortened by the last two bytes).
With the help of Matomo, we are able to collect and analyse data about the use of our website by website visitors. This enables us to find out when which pages were accessed and from which region. We also record various log files (e.g. IP address, referrer, browser and operating system used) and can measure whether our website visitors perform certain actions (e.g. click behaviour).
The processing of the data is based on our legitimate interest in the anonymised analysis of user behaviour in order to optimise our website (Art. 6 (1) lit. f GDPR). If you have given us your consent to set "analysis" cookies, Matomo will also set cookies. This allows us to recognise returning users and "analyse" their behaviour on our website in more detail. This data is processed on the basis of Art. 6 (1) lit. a GDPR. You can revoke your consent at any time in the cookie settings.
Apart from not giving consent, data subjects have the option at any time to deactivate and/or delete cookies in the settings of their Internet browser and to specify how long they are stored and when they are deleted. The procedure for this depends on the Internet browser used by the data subject. In addition, data subjects can prevent the processing of data generated by cookies and related to their use by downloading and installing the browser add-on available at tools.google.com/dlpage/gaoptout to deactivate Google Analytics or by deactivating Adform under the link https://site.adform.com/de/privacy-center/platform/widerrufsrecht/. Furthermore, data subjects can delete the data processed by Adform here: https: //site.adform.com/privacy-center/platform-privacy/right-to-be-forgotten/.
10.1 Furthermore, the remarketing function within the Google AdWords service is used on the website on the basis of consent pursuant to Art 6 para 1 lit a) GDPR, which can be given during the visit by actively clicking on a tick box. With the remarketing function, BTS-Tourismus can present the data subject with adverts based on their interests on other websites within the Google display network (on Google itself, so-called "Google Ads", or on other websites). For this purpose, the interaction of the data subject on the website is analysed, e.g. which offers the data subject was interested in, in order to be able to display targeted advertising to the data subject on other websites even after they have visited the BTS-Tourismus website. BTS-Tourismus uses the "Google Tag Manager" to manage Google marketing services.
10.2 For this purpose, (re)marketing tags ("web beacons") are integrated into the website when the website on which Google marketing services are activated after consent has been granted is accessed. These are used to set cookies in the data subject's internet browser, which record the visits. In particular, the following data is recorded in this file: the website visited, what content the data subject was interested in, what offers the data subject clicked on, technical information about the data subject's browser and operating system, referring websites, visit time/duration of visit, information about the use of the online offer/interaction with the website, IP address of the data subject. If the data subject subsequently visits other websites, they can be shown adverts tailored to their interests. The data collected in this way is only used to uniquely identify a web browser and is processed pseudonymously as part of Google Marketing Services. The information collected by Google Marketing Services about the data subject is transmitted to Google and stored on Google servers in the USA (see section 9.1.).
10.3 When using the Google AdWords service, so-called "conversion tracking" is used. If data subjects have reached the website via an advert placed by Google, Google AdWords places cookies on the data subject's computer. These cookies lose their validity after 30 days and are not used for personal identification. The information collected with the help of conversion cookies is used to compile statistics for BTS-Tourismus. If the data subject visits the website and the cookies have not yet expired, BTS-Tourismus can recognise that the data subject clicked on the ad and was redirected to the website. BTS-Tourismus thus learns the total number of data subjects who clicked on its advert and were redirected to its website. However, it does not receive any information with which data subjects can be personally identified.
10.4 Apart from not giving their consent, data subjects have the option of deactivating personalised advertising by Google marketing services in their Internet browser settings at any time. Alternatively, data subjects have the option of downloading and installing a browser plug-in to deactivate personalised advertising at the following link: https://www.google.com/settings/ads/plugin.
11.1 Plugins from third-party providers are also used on the website to integrate their content and services (such as videos). However, such plugins are only accessed on the basis of consent in accordance with Art. 6 para. 1 lit. a) GDPR. If data subjects consent to the access of such plugins, a connection to the servers of the third-party providers is established and the corresponding plugin is accessed. The content of the plugins is transmitted directly to the data subject's browser by the respective third-party provider. By accessing the plugins, the third-party providers receive the information that the data subject's browser has accessed the BTS-Tourismus website, even if the data subject is not registered with the relevant third-party provider or is not currently logged in. The plugin transmits log data to the respective servers of the third-party providers. This log data contains the following data IP address, the address of the websites visited that also contain plugin functions, the type and settings of the browser, the date and time of the request, the way the plugin is used and cookies.
11.2 The processing of the data by the third-party providers takes place within the framework of the respective data protection regulations of the third-party providers. As the operator of the website, BTS-Tourismus has no knowledge of the content of the data transmitted to the third-party providers or how it is processed. Third-party providers may in any case use so-called pixel tags (invisible graphics or "web beacons") for statistical or marketing purposes. In addition, pseudonymous information may be stored in cookies on the data subject's device and may contain, among other things, technical information about the browser and operating system, referring websites, time of visit and other information about the use of the BTS-Tourismus website, as well as being linked to such information from other sources.
11.3 If the data subject is registered with the third-party providers and logged into user accounts of the third-party providers, the third-party provider can personally assign the user behaviour to the data subject. The data subject can prevent this by logging out of their user account beforehand. If a data subject is not a member of the third-party provider, the third-party provider can still obtain and store certain data (see point 11.1.).
11.4 Apart from not giving consent, data subjects can completely prevent the loading of plugins with add-ons for their browser, e.g. with the script blocker "NoScript" (http://noscript.net/). In addition, reference is also made once again to the possibility of deactivating cookies (see point 8.2.).
11.5 The following presentation provides an overview of third-party providers as well as their content and links to their privacy policies, which contain further information on the processing of data by the third-party providers and objection options:
11.6 Some of the third-party providers are certified under the Privacy Shield Agreement and thus guarantee compliance with the European level of data protection, such as Google(https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active) and Facebook(https://www.privacyshield.gov/participant?id=a2zt0000000GnywAAC&status=Active).
12.1 BTS-Tourismus sends physical brochures by post as well as e-mail newsletters and electronic notifications with advertising information - subject to direct advertising in accordance with point 4.9 - only on the basis of consent in accordance with Art 6 para 1 lit a) GDPR. To register for the e-mail newsletter, it is sufficient to provide an e-mail address.
12.2 The registration for the e-mail newsletter is carried out in a so-called double opt-in procedure, i.e. after registering for the e-mail newsletter, the person concerned receives an e-mail in which he is asked to confirm his registration. This confirmation is necessary so that no-one can register with a third-party e-mail address. Registrations for the e-mail newsletter are logged in order to be able to prove the registration process in accordance with legal requirements. This includes storing the IP address and the time of registration and confirmation. Changes to the stored data are also logged.
12.3 The dispatch of e-mail newsletters and electronic notifications is carried out by the dispatch service provider and processor TTG Tourismus Technologie GmbH, Freistädter Straße 119, 4041 Linz. BTS-Tourismus has concluded an order processing contract with the mailing service provider, in which the latter undertakes to process and protect the data of the data subjects only in accordance with Art 28 GDPR on behalf of BTS-Tourismus and not to pass it on to third parties (see point 13 below).
12.4 In the case of registration for an e-mail newsletter, the e-mail and registration data and the IP address of the data subjects will be processed and stored until they unsubscribe from the newsletter. The data processed after registration, namely the emails sent to the data subjects, whether and when they were opened or blocked or marked as spam, whether they could not be delivered temporarily or permanently and the links clicked on are stored for a period of 12 months and then deleted. Data subjects can unsubscribe from the e-mail newsletter at any time, i.e. revoke their consent. A link to unsubscribe from the e-mail newsletter can be found at the end of each e-mail.
13.1 If data is processed on behalf of BTS-Tourismus, it shall only work with processors within the meaning of Art. 4 (8) GDPR who offer sufficient guarantees that appropriate technical and organisational measures are implemented in such a way that the processing is carried out in accordance with the existing legal provisions and the protection of the rights of the data subjects is guaranteed. To this end, BTS-Tourismus concludes appropriate contracts with its processors (unless these third-party providers already have appropriate conditions) that meet the requirements of Art 28 GDPR and complies with Art 44 ff GDPR for processors based in third countries.
13.2 Processors of BTS-Tourismus are currently:
BTS-Tourismus takes appropriate and suitable technical and organisational measures for the security of the data and data processing, taking into account the criteria of Art 32 GDPR, and ensures that the data is protected against unauthorised or unlawful processing and against loss, damage and alteration.
15.1 BTS-Tourismus safeguards the rights of data subjects in accordance with the applicable legal provisions. According to the current legal situation, the data subjects are entitled to the (abstract) rights listed below. The data subjects can assert their rights by sending an appropriately specified request - preferably in text form (e.g. letter or email) - to BTS-Tourismus (for contact details see point 1.1.). If the applicable legal provisions stipulate deadlines for the fulfilment of the request, BTS-Tourismus will comply with these.
15.2 Right to confidentiality
BTS-Tourismus respects the fundamental right of the data subject to data protection in accordance with Section 1 (1) DSG 2018 and the right to data secrecy in accordance with Section 6 DSG 2018.
15.3 Right to access and information
Under the conditions and in accordance with Art. 13 to 15 GDPR, the data subject has the right to access and information about the processing of their data by BTS-Tourismus and about their rights.
15.4 Right to rectification and completion
Under the conditions and in accordance with Art 16 GDPR, the data subject has the right to rectification of inaccurate and completion of incomplete data concerning him/her.
15.5 Right to erasure
Under the conditions and in accordance with Art 17 GDPR, the data subject has the right to obtain the erasure of personal data concerning him or her without undue delay.
15.6 Right to restriction of processing
Under the conditions and in accordance with Art 18 GDPR, the data subject has the right to request the restriction of the processing of their data.
15.7 Right to data portability
Under the conditions and in accordance with Art. 20 GDPR, the data subject has the right to receive data concerning him or her, which he or she has provided to BTS-Tourismus, in a structured, commonly used and machine-readable format and to transmit those data to another controller or to require BTS-Tourismus to transmit the data processed by it directly to another controller, where technically feasible and when doing so does not adversely affect the rights and freedoms of others.
15.8 Right to object
Under the conditions and in accordance with Art 21 GDPR, the data subject has the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on Art 6(1)(e) or (f) GDPR. In the event of a justified objection, BTS-Tourismus will no longer process the data of the data subject affected by the objection, unless it can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or the processing serves the establishment, exercise or defence of legal claims. If the data subject objects to processing for direct marketing purposes, their data will no longer be processed for these purposes.
15.9 Right not to be subject to an automated decision
Under the conditions and in accordance with Art. 22 GDPR, the data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
15.10. Right to withdraw consent
In accordance with Art. 7 (3) GDPR, the data subject has the right to withdraw consent to the processing of data concerning him or her at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
15.11. Right to lodge a complaint
In accordance with Art. 77 GDPR in conjunction with Section 24 DSG 2018, the data subject has the right to lodge a complaint with the competent supervisory authority (data protection authority) without prejudice to any other administrative or judicial remedy.
15.12. Right to judicial remedy
Pursuant to Art 79 GDPR in conjunction with Section 27 DSG 2018, the data subject has the right to an effective judicial remedy against a legally binding decision of the supervisory authority concerning him/her (right of appeal to the Federal Administrative Court), without prejudice to any other administrative or extrajudicial remedy.