1.  General

The protection of your personal data is of particular concern to us. We therefore process your data exclusively in a lawful manner on the basis of the statutory provisions (especially GDPR, DSG 2018, TKG 2021). In this privacy policy, we inform you about the most important aspects of data processing – type, scope and purposes of the collection and use of personal data – in the context of the use of our website and in the context of other services of our company.

Only the German version of our privacy policy is legally binding text. The English translation serves as a legally non-binding information. Deviations of the English text or how it could be understood do not affect the exclusive legal validity of the German text and its meaning.

1.1.       Responsibility for the Processing of your Data

The responsible person (“controller” within the meaning of Art. 4 no. 7 GDPR) of the processing of your personal data (“personal data” within the meaning of Art. 4 no. 1 GDPR) is:

Alpbach Tourismus GmbH
c/o Congress Centrum Alpbach
Alpbach 246
A-6236 Alpbach
Tel. +43 5336 600 100
E-Mail: info@alpbach.at
WEB: www.congressalpbach.com

1.2.      Purposes, Categories of Data and Lawfulness of the Processing of Personal Data

Purposes of the processing of personal data

The purposes of the processing of your personal data generally result from our business activities as a congress organisation with an integrated travel agency: provision of our online offers, processing of customer enquiries / orders / bookings, accounting, communication with business partners and customers, organisation and implementation of congresses / conferences / events as well as arranging accommodation and other tourist services for the organisers or participants of our congresses. Detailed information on the purposes of the processing and, if applicable, for further processing for other compatible purposes as well as for the data categories processed, please refer to the detailed descriptions of the individual data processing processes.

General categories of data

• Personal master data (e.g., name, date of birth and age, address)
• Contact details (e.g., email address, telephone number, fax number)
• Communication data (time and content of communication)
• Order or booking data (e.g., ordered goods or commissioned services and invoice data such as service period, payment method, invoice date, tax identification number ...)
• Payment details (e.g., account number, credit card details)
• Contract data (content of contracts of any kind)
• Web usage data (e.g., server data, log files and cookies)
• Identification numbers (e.g., identity card number, vehicle registration number ...)
• Video surveillance images

Processing of special categories of personal data according to Art. 9 GDPR

Health data (only if you have given us your explicit consent to process your order (e.g., mediation of a hotel specializing in guests with food intolerances, allergies or special needs such as accessibility for wheel chairs)).

Lawfulness of the processing of personal data

There is basically no obligation to provide the data for the data processing described in this data protection declaration. Failure to provide this data simply means that we cannot offer these services. The legal basis for the processing of your personal data, which is necessary for the fulfilment of a contract with you or an order from you to us, is Art. 6 (1) lit. b GDPR. Insofar as the processing of personal data is necessary on our part to fulfil a legal obligation (accounting obligation, bookkeeping obligation or other legal documentation obligations), Art. 6 (1) lit. c GDPR serves as the legal basis. If the processing of the data takes place in your own vital interest, the legal basis for the data processing is Art. 6 (1) lit. d GDPR. If processing is necessary to safeguard a legitimate interest of our company or a third party and your interests, fundamental rights and freedoms do not outweigh our interests, Art. 6 (1) lit. f GDPR (“legitimate interest”) serves as the legal basis for processing. In this case, we will also inform you about our legitimate interests. Unless we have any other legal basis explained above for the processing of personal data, we will ask for your consent to data processing, whereby in these cases we refer to Art. 6 (1) lit. a GDPR or in the case of the processing of special categories of data based on Art. 9 (2) lit. a GDPR as the legal basis. You can revoke this consent at any time free of charge without affecting the legality of the processing carried out on the basis of the consent until the revocation.

1.3.      Transfers of Personal Data to Data Processors and Third Parties

We process your personal data with the support of data processors who support us in providing our services. These data processors are through a corresponding agreement within the meaning of Art. 28 GDPR with us obliged to strictly protect your personal data and may not process your personal data for any purpose other than to provide our services. You can find out which data processors are involved in the detailed descriptions of the individual data processing processes.

Your personal data will be passed on to companies other than our data processors to typical economic service providers such as banks, tax consultants or auditors. Transfer of personal data to state institutions and authorities only takes place within the framework of mandatory national legal provisions.

Depending on your order (e.g., for bookings and inquiries), your personal data will only be transmitted to hotel partners or other tourist service providers (partners of our organization) to the extent necessary to fulfil your order. The transmitted personal data vary depending on the service. At the same time, we pass on information about room bookings that we make for the organisers of the congresses in our house to these respective organisers, insofar as this information is necessary for the implementation of their events (e.g. organisation of transfers).

1.4.     Transfers of Personal Data to Third Countries or International Organisations

In principle, we process your personal data in the EU. If we process data in a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA)) or if we use the services of our data processors or third parties, this will only take place if the requirements of Art. 44 ff. GDPR are available for the transfer to third countries: i.e. on the basis of special guarantees, such as the officially recognized determination of a data protection level corresponding to the EU or in compliance with officially recognized contractual obligations, the so-called "EU standard contractual clauses". If we rely on the EU standard contractual clauses as the legal basis for the transmission of your personal data, we will also check the admissibility of this data transmission as part of a comprehensive risk assessment. If we come to a negative result, we will not transfer these data without your explicit consent in accordance with Art. 49 (1) lit. a GDPR to a third country.

1.5.      Data Erasure and Period of Data Storage

Your personal data will be deleted by us as soon as the purpose for which we collected your data no longer applies. Storage can also take place if we process the data for a purpose that is compatible with the original purpose. It can also take place if this is provided for by laws, ordinances or other provisions to which our company is subject.

1.6.     Data Sources

In principle, we collect your personal data directly from you. However, we also receive personal data from the organisers of the congresses / conferences / events in our house. You can find information on this in the respective detailed information in this data protection information.

1.7.      Profiling

We do not use any automated decision-making or profiling processes that have a legal effect on you or that significantly affect you in a similar manner. With your consent, however, we will use your usage data to get to know your interests better and thus to be able to display information of interest to you or to be able to make you tailor-made offers or to be able to display corresponding information to you on third-party websites or social media platforms.

1.8.     Safeguarding your Data Protection Rights

In principle, you have the right to information, correction, deletion and restriction of the processing of personal data in accordance with the GDPR. If the legal basis for the processing of your personal data is your consent or a contract concluded with you, you also have the right to data portability. You have the right to revoke any consent you may have given to the processing of your personal data. The lawfulness of the processing of your personal data up to the time of revocation is not affected by this. You have the right to object to the processing of your personal data for the purpose of direct marketing. In the event of an objection, your personal data will no longer be processed for the purpose of direct marketing. A detailed explanation of these rights can be found here in Chapter III.

Right of complaint

If you believe that the processing of your data violates data protection law or your data protection claims have otherwise been violated in any way, you can complain to the competent supervisory authority. In Austria, this is the data protection authority (Barichgasse 40-42, A-1030 Wien, email: dsb@dsb.gv.at).

2.Visiting our Website

In this section we inform you how we process your personal data when you visit our website.

2.1.      Presentation of the Website

Server data

For technical reasons, based on the legal basis of § 165 (3) S 3 TKG 2021 (required for the operation of our website), the following data, which your internet browser transmits to us or to our web space provider, will be processed (so-called "server log files"):

Browser type and version

Operating system and device type used (e.g., desktop / mobile)

Website from which you are visiting us (referrer URL)

Website you visit

Date and time of your access

Your internet protocol address (IP address)

This data, which is anonymous to us, is stored separately from any personal data you may have provided and therefore does not allow us to draw any conclusions about a specific person. They are evaluated for statistical purposes in order to be able to optimize our website and our offers.

SSL or TLS encryption

For security reasons and to protect the transmission of confidential content, such as B. Orders or inquiries that you send to us as the website operator, an SSL or TLS encryption. You can recognize an encrypted connection by the fact that the address line of the browser changes from “http: //” to “https: //” or by the lock symbol in your browser line. If the SSL or TLS encryption is activated, the data that you transmit to us cannot be read by third parties.

Technical service providers

We create and edit the content of our website with the help of the following service provider. With this service provider we have concluded a corresponding agreement according to Art. 28 GDPR to process your data exclusively to the extent of our order:

Technical Conception:

Valantic CX Austria GmbH (Gusswerk Halle 6, Söllheimerstraße 16, A-5020 Salzburg); More information on data protection at: https://www.valantic.com/de/datenschutzerklaerung/

Webhosting:

Hetzner Online GmbH (Industriestr. 25, D-91710 Gunzenhausen). More information on data protection at: https://www.hetzner.com/de/legal/privacy-policy/

2.2.    Cookies

Cookie Banner - Cookies on our website

Our website uses cookies, which help us to make our website more user-friendly and efficient for you, to carry out statistical analyses of the use of our website and also to show you content that is of interest to you on other websites. Cookies are small text files that are used to store information when visiting websites and are stored on the website visitor's computer. The legal basis for cookies, which are absolutely necessary for the proper operation of our website (e.g., shopping cart cookie), is § 165 (3) S 3 TKG 2021. Cookies that are not necessary for the function of our website (e.g., analysis or marketing cookies) are deactivated and will only be activated by your consent in accordance with Art 6 (1) lit. a GDPR in our cookie banner ("Accept"). By clicking on "Settings" you can activate or deactivate individual cookies or cookie groups. If you restrict the use of cookies on our website, you may no longer be able to use all functions of our website to their full extent. You can find detailed information about the cookies used on our website in our cookie banner.

The legal basis for the use of this cookie banner (consent management platform) to control and document your consent or settings regarding cookies and other tools requiring consent for accessing our website is our legal obligation in accordance with Art. 6 (1) lit. c GDPR. When accessing our website, a connection is established with the server of the provider of our cookie banner and subsequently a cookie is stored in your browser to store your cookie preferences. The processed data will be stored until the specified storage period expires or you delete these cookies.

We use the following cookie banner:

"CookieFirst" by Digital Data Solutions B.V. (Plantage Middenlaan 42a, 1018 DH, Amsterdam, The Netherlands); Further information on data protection can be found at: https://cookiefirst.com/legal/privacy-policy/.

Change the cookie settings in your web browser

How the web browser you are using handles cookies, e.g., which cookies are allowed or rejected, can be determined in the settings of your web browser. You can delete cookies already stored on your computer / device yourself at any time. Where exactly these settings are located depends on the respective web browser. Detailed information on this can be called up using the help function of the respective web browser.

In addition, it is possible to generally object to cookies and similar tracking technologies using the services listed below by setting your individual preferences - which technologies you want to allow for usage and interest-based advertising:

·         European Interactive Digital Advertising Alliance (EDAA): https://www.youronlinechoices.com/uk/your-ad-choices

·         Network Advertising Initiative (NAI):
https://optout.networkadvertising.org/?c=1#!%2F

2.3.    Communication with us

Contact form and email

On our website, we offer you the option of contacting us by email and / or using a contact form. In this case, the information you provide will be processed for the purpose of processing your contact based on the legal basis of contract fulfilment in accordance with Art. 6 (1) lit. b GDPR. There is a legitimate interest on our part pursuant to Article 6 (1) lit.  f GDPR for the use of a contact form. The legitimate interest lies in offering our website visitors an opportunity to contact us that does not require them to call up their own e-mail client. There is no legal or contractual obligation to provide this personal data. Failure to provide it simply means that you do not submit your request and we cannot process it. The data will only be passed on to third parties if this is stated on the website or in this data protection declaration or is necessary for the fulfilment of the contract or if this is required by statutory provisions. We only save your data for as long as is expedient for processing your inquiries or for any queries you may have.

2.4.    Digital Information Services / Registration

Your Green Meeting - Login

In principle, no registration is necessary to visit our website. However, for the detailed planning of your event, we offer on the legal basis of our legitimate interest in accordance with Art. 6 (1) lit. f GDPR the possibility of registering for our planning tool "Your Green Meeting". Our legitimate interest is to conduct the events in our house as sustainable as possible. After registration, it is possible to view detailed information (detailed technical plans) for the Congress Centre Alpbach. Our CCA team will support you in this registration area in planning your event as sustainably as possible and certifying it as a Green Meeting. For certification within the framework of the Austrian Ecolabel for Green Meetings and Events, it is necessary for us to transmit the data entered by you in the registration area for your event on the legal basis of the performance of the contract in accordance with Art. 6 (1) lit. b GDPR (fulfilment of your order) to the Federal Ministry for Climate, Action, Environment, Energy, Mobility, Innovation and Technology. The following personal data will be processed: title, first name, last name, company name, e-mail address as well as the data entered for the event (event details within the meaning of the above-mentioned certification). There is no obligation to provide this data. If you do not want to provide this data, it will only mean that we will not be able to carry out the certification on your behalf. We will only store your data for as long as it is appropriate (3 years as a basis for planning possible further events).

2.5.    Web Analysis - Statistical Analyses of our Website

Google Tag Manager

We use the service of the provider Google Ireland Limited ("Google") (Gordon House, Barrow Street, Dublin 4, Ireland) to be able to manage website tags via a common tool of Google.  The Google Tag Manager tool itself (which implements the tags) is a domain that does not set cookies and does not collect any other personal data. The tool triggers other tags, which in turn may collect data. Google Tag Manager does not access this data. If a deactivation has been made at the domain or cookie level, it will remain in place for all tracking tags   implemented with Google Tag Manager. Google is a certified partner of the EU-US Data Privacy Framework. The legal basis for (at least a case-by-case) data transfers to the USA is thus an adequacy decision of the European Commission within the meaning of Art. 45 (3) GDPR, with which the European Commission certifies that the USA has an adequate level of data protection. Further information on Google's data protection   can be found at: https://policies.google.com/privacy?hl=en-GB. Learn more about how Google uses personal data: https://business.safety.google/privacy/.

Google Analytics

This website uses functions of the web analysis service Google Analytics. The provider of this service is Google Ireland Limited ("Google") (Gordon House, Barrow Street, Dublin 4, Ireland). The legal basis for the use of this service is your consent in accordance with Art. 6 (1) lit a GDPR. Google Analytics uses cookies that are stored on the website visitor's computer and that enable an analysis of the use of our website by the site visitor. The information generated by the cookie about your use of our website is usually stored on European servers and only in exceptional cases transmitted to a Google server in the USA and stored there. We use Google Analytics with activated IP anonymization. This means that your IP address is usually shortened by Google within the European Union and only in exceptional cases will the full IP address be transmitted to a Google server in the USA and shortened there. Google is a certified partner of the EU-US Data Privacy Framework. The legal basis for (at least a case-by-case) data transfers to the USA is thus an adequacy decision of the European Commission within the meaning of Art. 45 (3) GDPR, with which the European Commission certifies that the USA has an adequate level of data protection. The IP address transmitted by the corresponding browser as part of Google Analytics will not be merged with other Google data. On our behalf, Google will use the resulting information to evaluate the use of the website in order to compile reports on website activity. The collection by Google Analytics can be prevented by the site visitor adjusting the cookie settings for this website. The collection and storage of the IP address and the data generated by cookies can also be objected to at any time with effect for the future. The corresponding browser plugin can be downloaded and installed under the following link:  https://tools.google.com/dlpage/gaoptout. User data is stored for 14 months. Further information on the use of data by Google, setting and objection options, can be found in Google's privacy policy (https://policies.google.com/privacy) as well as in the settings for the presentation of advertisements by Google (https://adssettings.google.com/authenticated). Learn more about how Google uses personal data: https://business.safety.google/privacy/.

Google Signals Extension to Google Analytics
As an additional function to Google Analytics, we use "Google Signals" on this website. If you have activated personalized ads in your Google account and have linked your device with which you visit our website to your Google account, Google can analyze your usage behavior across devices (cross-device tracking). For example, Google can see how users search for products on a website on a smartphone and later return to complete purchases on a tablet or laptop. The Google Signals extension also provides us with additional demographic data and data on the interests of our website visitors for even more targeted online advertising campaigns, which, however, are anonymous to us. If you want to stop Google's cross-device analysis, you can deactivate the "Personalized Advertising" function in the settings of your Google Account.  For more information, please visit: https://support.google.com/My-Ad-Center-Help/answer/12155154?hl=en&ref_topic=11583829&sjid=6726979475871235225-EU  For more information about Google Signals, please visit the following link: https://support.google.com/analytics/answer/7532985?hl=en&sjid=6726979475871235225-EU#zippy=%2Cthemen-in-diesem-artikel%2Cin-this-article  

 

2.6.    Integration of other Third-Party Services and Content

We integrate content or functions of third parties within our website. This always presupposes that the providers of this content or functions perceive the IP address of the users. Without the IP address, they would not be able to send the content to the browser of the respective user. The IP address is therefore required for the presentation of this content. We endeavor to use only such content whose respective providers use the IP address only for the delivery of the content. However, we have no influence on whether the third-party providers store the IP address, e.g., for statistical purposes. The legal basis for the use of these services, insofar as they are necessary for the functioning of our website, is our legitimate interest in accordance with Art. 6 (1) lit. f GDPR, otherwise your consent according to Art. 6 (1) lit a GDPR. Information on the purpose and scope of the further processing and use of the data by the providers of the embedded services/content as well as further information within the meaning of the Art. 13 and 14 GDPR can be found under the information links listed below. The following services/content are embedded in our website:

BootstrapCDN (JSDELIVR)

For a modern design and presentation of the content offered on different devices as well as for faster loading times, we use the so-called Bootstrap technology on our website. Bootstrap is a content delivery network of Volentio JSD Limited (Suite 2a1, Northside House, Mount Pleasant, Barnet, England, EN4 9EB). We use this service on the basis of our legitimate interest within the meaning of Art. 6 (1) lit. f GDPR. Our legitimate interest lies in an appealing presentation of the content of our website as well as in our interest in being able to make this content available in the shortest possible loading times. We have concluded an agreement with Volentio JSD Limited in accordance with Art. 28 GDPR as a data processor (Data Processum Addendum), which ensures that your data is processed exclusively within the scope of our order. Detailed information about this Data Processum Addendum can be found at: https://www.jsdelivr.com/documents/data-processing-agreement.pdf. In principle, the European Commission has certified that the United Kingdom has a level of protection that is essentially equivalent to that in the European Union. The legal basis for the transfer of data to the UK is therefore Art. 45 GDPR. For more information on Bootstrap's privacy policy, please visit: https://www.jsdelivr.com/terms/privacy-policy.

Alpbachtal Information

We have integrated so-called "widgets" on our website, which are made available to us by our regional tourism organisation Tourismusverband Alpbachtal & Tiroler Seenland (Zentrum 1, A-6233 Kramsach/Tirol). In these widgets, it is possible for us to display various content (e.g. event calendar) within our website. The legal basis for the presentation of this content is our legitimate interest in accordance with Art. 6 (1) lit. f GDPR. Our legitimate interest lies in providing comprehensive information about the tourist offers as a supplement to the offers of our congress centre. This content is loaded from the server of the Tourismusverband Alpbachtal & Tiroler Seenland. The access of such content requires that the IP address of the user is transmitted to the Tourismusverband Alpbachtal & Tiroler Seenland. When you visit one of these pages, a connection is established to the servers of the Tourismusverband Alpbachtal & Tiroler Seenland and the information about which of our pages you have visited is transmitted to the Tourismusverband Alpbachtal & Tiroler Seenland. The Tourismusverband Alpbachtal & Tiroler Seenland also receives further information about your web browser, the operating system, the date and time of the access. Further information on data protection from the Tourismusverband Alpbachtal & Tiroler Seenland can be found at: https://www.alpbachtal.at/de/info-und-service/datenschutz.

Accessiway Accessibility Application

In order to make our website barrier-free, we integrate the "accessiway" service of the service provider AccessiWay GmbH (Liechtensteinstraße 111, 1090 Vienna) via an interface. For this purpose, it is necessary that your IP address together with some browser information (browser type, browser version, etc.) as well as information about when you accessed these pages is transmitted to the accessiway server. The above-mentioned data will be deleted after the website has been retrieved in the barrier-free view, and not be stored. The legal basis for this data processing is our legitimate interest in accordance with Art. 6 (1) lit. f GDPR. Our legitimate interest is to make our website accessible to people with disabilities. Further information on the processing of this data and data protection at AccessiWay can be found at: https://www.accessiway.com/privacy-policy and https://www.accessiway.com/privacy-security

3. Other Data Processing in Business and Customer Contact

In this section we inform you about other data processing processes outside our website.

3.1.      Job Applications

The contact data and application documents transmitted to us in the course of a job application will be processed by us exclusively internally for the purpose of selecting suitable candidates for an employment relationship. There is no legal or contractual obligation to provide the personal data. Failure to do so will only result in you not submitting your request and we will not be able to process it. The personal data transmitted in this way will be stored by us in accordance with the statutory provisions for a maximum of 6 months, in the case of the explicit consent of the applicant to keep the documents in evidence, for a maximum of 2 years.

3.2.    Online Presence in Social-Media

In addition to our website, we maintain online presences within social networks and platforms. The legal basis for using these services is our legitimate interest in accordance with Art. 6 (1) lit. f GDPR. Our legitimate interest lies in communicating with the customers and business partners there and in being able to inform them about our services on these networks. When accessing the respective networks and platforms, the terms and conditions and the privacy policies of the respective operators of these networks apply. Further information on the processing of your personal data by the respective providers of these services (which personal data is processed for which purposes on the basis of which legal basis, how long this data is stored by the respective provider and, if applicable, how long this data is stored by the respective provider). Information on profiling and third-country transfers) can be found below in the descriptions of the individual services or via the information links listed there.

Facebook Fanpage

We operate a Facebook fan page on the "Facebook" platform of the company Meta Platforms Ireland Ltd. (4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland). The legal basis for the processing of the personal data associated with this is our legitimate interest within the meaning of Art. 6 (1) lit. f GDPR. Our legitimate interest is to provide customers and potential new customers with information about us and our offers via this information channel. We would like to point out that you use this Facebook page and its functions at your own risk. This applies in particular to the use of the interactive functions (e.g. commenting, sharing, rating). When you visit our Facebook page, Facebook collects, among other things: Your IP address and other information collected in the form of cookies or other tracking technologies. The data collected about you in this context will be processed by Facebook and may be (at least partially) transferred to the USA. Facebook / Meta is a certified partner of the EU-US Data Privacy Framework. The legal basis for (at least on a case-by-case basis) data transfers to the USA is thus an adequacy decision of the European Commission within the meaning of Art. 45 (3) GDPR, with which the European Commission certifies an adequate level of data protection in the USA. In a decision, the ECJ found that "Facebook" and the operator of a Facebook fan page are responsible for this personal data as joint controllers within the meaning of Art. 26 GDPR. Facebook provides the contract for joint data processing at the following link: https://www.facebook.com/legal/terms/page_controller_addendum. We, as the site operator of our fan page, have no influence on the specific contents of the agreement. What information Facebook receives and how it is used (how Facebook uses the data from visits to Facebook pages for its own purposes, to what extent activities on the Facebook page are assigned to individual users in order to individualize content or advertising, how long Facebook stores this data, whether data from a visit to the Facebook page is passed on to third parties, and much more), describes Facebook in general terms in its data usage policy. There you will also find information about how to contact Facebook and how to set up advertisements. The Privacy Policy is available at the following link: https://www.facebook.com/privacy/policy/. As a fan page operator, we do not receive any additional (not publicly visible) information about individual Facebook users from Facebook's analyses, but only statistically processed information (e.g. total number of page views, page activity, post reach, etc.) that helps us to make our posts more attractive.

Instagram

Instagram is an online service for sharing photos and videos. We have a profile (account) on Instagram. The provider is Meta Platforms Ireland Ltd. (4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland). For more information on the processing of your personal data through the use of Instagram and how to contact us, please visit: https://privacycenter.instagram.com/policy/

LinkedIn

In order to stay in contact primarily with business partners, we use the web-based social network service LinkedIn. The provider is LinkedIn Ireland Unlimited Company (Wilton Place, Dublin 2, Ireland). For more information on the processing of your personal data through the use of LinkedIn and how to contact us, please visit: https://de.linkedin.com/legal/privacy-policy.

YouTube

We use a YouTube channel via the video portal "YouTube" to publish our videos. The service is provided by Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland). For more information on the processing of your personal data through the use of YouTube and how to contact us, please visit: https://www.google.com/policies/privacy/.

Vimeo

We use a Vimeo channel via the video portal "Vimeo" to publish our videos. The provider of the service is Vimeo Inc. (555 West 18th Street, New York 10011, USA). For more information on the processing of your personal data through the use of Vimeo and how to contact us, please visit: https://vimeo.com/privacy.

3.3.     Photo/Video documentation at events

In the case of events, we may take photos and videos of these events in which you are recognizable as a participant in these events. We need these photos / videos to document events (e.g. what was the setting of various events for the planning of follow-up events). The legal basis for the processing of your personal data (images and videos on which you are recognizable) is our legitimate interest in accordance with Art. 6 (1) lit. f GDPR. Our legitimate interest lies in the efficient planning of events in our congress centre. There is the right to object to the processing. Please send your objection to the e-mail address provided by us in this privacy policy. However, it can be assumed that our above-mentioned interest in the use of the photos does not excessively interfere with your rights as a person depicted. We also always make sure that no legitimate interests of depicted persons are violated. If, for reasons that are particularly worthy of consideration, your personal rights and freedoms are violated by an image / video created by us, we will refrain from further processing. We generally delete photos / videos of events if we no longer need these images to document these events.

3.4.    Video Surveillance

For the purpose of protecting our employees and visitors, our property and for the purpose of preventing or clearing up behaviour that is relevant to criminal law, we have installed video surveillance in the event area as well as in the underground car park and marked it accordingly. These surveillance images are only evaluated in case of incident and, provided there is no suspicion, are stored for a maximum of 72 hours and are then automatically deleted. If necessary, the data will be stored for the duration of the process and if necessary tramsmitted to competent authorities, courts, insurance companies (exclusively for the settlement of insurance claims) as well as to our legal representation (lawyer). The legal basis for this data processing is our legitimate interest in the protection of our property in accordance with Art. 6 (1) lit. f GDPR and § 12 Abs 2 Z 4 DSG. There is no right to object to the processing of this data and no right to data portability.

3.5.    Booking tool I-Net

To process your bookings (e.g. hotel rooms and conference packages and supporting programme), we process your personal data in order to be able to provide you with the booked services with the help of the web-based service of our service provider INFO Networking GmbH (Mombacher Str. 93, D – 55122 Mainz). For this purpose, we store and process inventory data, communication data, contract data, payment data of our customers, interested parties and other business partners. The processing is carried out for the purpose of providing contractual services or for the fulfilment of pre-contractual services on the legal bases of Art. 6 (1) lit. b GDPR (booking processes, response to quotation requests) and Art. 6 (1) lit. c GDPR (legally required retention periods for bookings or invoices). There is no legal or contractual obligation to provide the personal data. Failure to provide it will only result in us not being able to process your bookings/orders. In the context of this data processing, we disclose your personal data to third parties (hotel partners or other tourism service providers) on the legal basis of Art. 6 (1) lit. b GDPR (if it is necessary to process a booking process), or on the basis of our legitimate interest in accordance with Art. 6 (1) lit. f GDPR for the use of appropriate booking software. We store this data as long as the purpose requires it, legal regulations provide for this (retention period of invoices according to § 132 BAO for 7 years) or we need this data on the basis of the legal basis of Art. 6 (1) lit. f GDPR (legitimate interest) to defend against possible liability claims. We have concluded a corresponding agreement with the company INFO Networking GmbH in accordance with Art. 28 GDPR as a processor, which ensures that your data is processed exclusively within the scope of our order. Further information on I-Net's data protection can be found at: https://www.inet-mainz.de/datenschutz/.

External payment service providers

To pay for the order transactions / bookings, we use external payment service providers on the basis of the legal basis of Art. 6 (1) lit. b GDPR (performance of contract), through whose platforms you can make your payments. The payment data entered by you as part of the order (e.g. account numbers, credit card numbers incl. check digits, passwords / TANs, etc.) will be processed exclusively by our payment service providers and cannot be viewed by us. We only receive a confirmation of the payment made or information from our payment service providers that the payment could not be made. Further information on data protection and terms and conditions of our payment service providers can be found at:

PAYONE GmbH, Zweigniederlassung Österreich, Am Belvedere 10, A-1100 WienTel. +43 1 71701-1800E-Mail: customercare.austria@six-payment-services.com
https://www.payone.com/AT-de/datenschutz

3.6.    Guest/Visitor WiFi

We offer freely accessible visitor Wi-Fi in our Congress Centre Alpbach. In order to provide the services of the hotspot for you, the use of personal data of your end device is required. In this context, the MAC addresses (Media Access Control Address) of end devices may also be stored temporarily. Furthermore, we may store log data ("log files") about the type and scope of use of the services for 7 days. This data cannot be assigned directly to your person, but directly to your used device and thus also indirectly to your person.