Data protection

Data privacy statement

This data privacy statement informs you about the nature, scope and purpose of processing personal data (referred to simply as “data” in the following) within our online offering and the related websites, functions and content as well as external online presences such as our social media profiles (jointly referred to as “online offering” in the following). In regards to the terminology that is used, such as “processing” or “controller”, please refer to the definitions in Art. 4 of the General Data Protection Regulation (GDPR).

Controller

Hotel Schloss Obermayerhofen GmbH
Gräfin Brigitte Kottulinsky
Neustift 1
8272 Sebersdorf
Österreich
Tel: +43 (0)3333 / 2503
Fax: +43 (0)3333 / 2503 - 50
E-Mail: schlosshotel (at) obermayerhofen. at
Web: www.obermayerhofen.at
UID-Nummer: ATU67002236
Geschäftsführer: Frau Brigitte Graf Kottulinsky


Legal notice


For data protection inquiries, please contact:

Frau Bigitte Graf Kottulinsky
E-mail: schlosshotel (at) obermayerhofen. at , telephone: +43 (0)3333 / 2503


Type of data disseminated:

- Basic data (e.g. name, address).
- Contact data (e.g. e-mail, telephone numbers).
- Content data (e.g. text input, photos, videos).
- Usage data (e.g. websites visited, interest in content, access times).
- Metadata/communication data (e.g. device information, IP addresses).

Categories of data subjects

Visitors and users of the online offering (in the following, data subjects are also jointly referred to as “users”).

Purpose of processing

- Delivering the online offering, its functions and contents.
- Responding to contact requests and communicating with users.
- Security measures.
- Coverage measurement/marketing.

Terminology

“Personal data” means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g. cookie) or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

“Processing” means any operation or set of operations which is performed on personal data or on sets of personal data. The term is far-reaching and encompasses practically all handling of data.

“Pseudonymisation” means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.

“Profiling” means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.

“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

“Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

Applicable legal basis

We inform you of the legal basis of our processing in accordance with Art. 13 GDPR. Insofar as the legal basis is not identified in the data privacy statement, the following applies: The legal basis for obtaining consent is Art. 6 (1), point a and Art. 7 GDPR, the legal basis for processing to provide our services and for contractual performance as well as responding to enquiries is Art. 6 (1), point b GDPR, the legal basis for processing to meet our legal obligations is Art. 6 (1), point c GDPR and the legal basis for processing to protect our legitimate interests is Art. 6 (1), point f GDPR. In case the vital interests of the data subject or another natural person require the processing of personal data, the legal basis is Art. 6 (1), point d GDPR.

Security measures

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, we implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk pursuant to Art. 32 GDPR.

The measures include in particular ensuring the confidentiality, integrity and availability of data by controlling physical access to the data, as well as access rights, input, dissemination, ensuring availability and the separation of data. We have also implemented procedures for protecting the rights of data subjects, the erasure of data, and responding to threats to the data. Furthermore, we take the protection of personal data into account in the development and selection of hardware, software and procedures according to the principle of data protection through the design of technology and through default settings that favour data protection (Art. 25 GDPR).

Cooperation with processors and third parties

Insofar as we disclose data to other persons and companies (processors or third parties) in the course of our processing, transfer data to them or otherwise grant them access to data, this is done solely based on legal permission (e.g. when a transfer of the data to third parties such as payment service providers is required for contractual performance pursuant to Art. 6 (1), point b GDPR), when you have given your consent, based on a legal obligation or to protect our legitimate interests (e.g. when employing agents, web hosting providers etc.).

Insofar as we engage third parties for processing data based on a “processing contract”, this is done pursuant to Art. 28 GDPR.

Transmission to third party countries

Insofar as we process data in a third party country (i.e. outside the European Union (EU) or European Economic Area (EEA)) or this is done within the scope of utilising third-party services or the disclosure or transfer of data to third parties, this takes place solely to meet our (pre-)contractual obligations, based on your consent, due to a legal obligation or to protect our legitimate interests. Subject to legal or contractual permission, we only process or have data processed in a third party country when the special requirements pursuant to Art. 44 ff. GDPR are met. This means that processing is performed, for example, based on specific guarantees such as the officially recognised determination of a data protection level equivalent to the EU (e.g. by the “Privacy Shield” for the USA) or subject to officially recognised special contractual obligations (known as “standard contract clauses”).

Rights of the data subject

You have the right to request confirmation whether relevant data are processed and to obtain information about these data as well as additional information and a copy of the data pursuant to Art. 15 GDPR.

Pursuant to Art. 16 GDPR, you have the right to request the completion of data pertaining to you or the correction of incorrect data pertaining to you.

Pursuant to Art. 17 GDPR, you have the right to request the prompt deletion of relevant data. Alternatively you may request a restriction of processing for the data pursuant to Art. 18 GDPR.

Pursuant to Art. 20 GDPR, you have the right to request a copy of the data pertaining to you that you have provided to us and to request their transfer to another controller.

Furthermore, you have the right pursuant to Art. 77 GDPR to submit a complaint to the applicable supervisory authority.

Right of withdrawal

Pursuant to Art. 7 (3) GDPR, you have the right to revoke your consent with future effect.

Right to object

You may object to the future processing of data pertaining to you at any time pursuant to Art. 21 GDPR. In particular, you can object to processing for the purpose of direct marketing.

Cookies and right to object to direct marketing

Cookies are small files stored on a user’s device. Various information can be stored in cookies. A cookie is used primarily to store information about a user (or the device on which the cookie is stored) during or also after a visit to an online offering. A temporary, session or transient cookie is a cookie that is deleted after a user leaves an online offering and closes their browser. Such a cookie can be used for example to store the contents of a shopping cart in an online shop or a login status. Permanent or persistent cookies are cookies that continue to be stored even after the browser is closed. For example, the login status can be stored when a user returns after several days. Such a cookie can also be used to store the user’s interests for coverage measurement or marketing purposes. Third-party cookies are cookies of providers other than the controller who operates the online offering (otherwise one speaks of first-party cookies when referring to the cookies of the controller).

We may use temporary and permanent cookies. The relevant information is provided in our data privacy statement.

If a user does not want cookies to be stored on their device, they can deactivate the corresponding option in their browser’s system settings. Stored cookies can be erased in the browser’s system settings. Excluding cookies can limit the functionality of this online offering.

A general objection to the use of cookies for online marketing purposes can be submitted to numerous services, in particular in case of tracking, via the US page http://www.aboutads.info/choices or the EU page http://www.youronlinechoices.com. Furthermore, storing cookies can be deactivated in the browser settings. Please note that you may not be able to use all functions of this online offering in that case.

Data erasure

The data processed by us are erased or their processing is restricted pursuant to Art. 17 and 18 GDPR. Unless expressly specified within the scope of this data privacy statement, the data stored by us are erased as soon as they are no longer needed for their intended purpose and their erasure does not conflict with any statutory retention obligations. Insofar as the data are not erased because they are needed for other and legally permissible purposes, their processing is restricted. This means the data are blocked and not processed for other purposes. This applies for example for data that have to be retained for commercial or tax law reasons.

According to legal requirements in Germany, a 10-year retention period applies pursuant to Section 147, Paragraph 1 of the Tax Code (AO) and Section 257, Paragraph 1, No. 1 and 4, Paragraph 4 of the German Commercial Code (HGB) (books, records, management reports, accounting records, account books, documents relevant for taxation etc.), and a 6-year retention period pursuant to Section 257, Paragraph 1, No. 2 and 3, Paragraph 4 HGB (business letters).

According to legal requirements in Austria, a 7-year retention period applies pursuant to Section 132, Paragraph 1 of the Federal Fiscal Code (BAO) (accounting records, documents/invoices, accounts, vouchers, business documents, listing of income and expenses etc.), a 22-year retention period in the context of land and a 10-year retention period related to services provided electronically, telecommunication, radio and television services provided to non-entrepreneurs in EU member states and for which the mini one-stop shop (MOSS) exemption is claimed.

Processing for business purposes

We also process
- contract data (e.g. object of the contract, term, customer category), and
- payment data (e.g. bank details, payment history)
of our customers, prospects and business partners for the purpose of contractual performance, service and customer support, marketing, promotion and market research.

Order processing in the online shop and customer account
Online booking with online booking tool

We process the data of our customers in the course of ordering processes in our online shop for the purpose of selecting and ordering the chosen products and services, their payment and delivery or execution.

The processed data include basic data, communication data, contract data and payment data, and the data subjects affected by processing include our customers, prospects and other business partners. Processing is performed for the purpose of contractual performance in the course of operating an online shop, billing, delivery and customer service. We use session cookies in this context to store shopping cart contents and permanent cookies to store the login status.

Processing is performed based on Art. 6 (1), point b (completing ordering processes) and c (legally required archiving) GDPR. Here the information identified as mandatory is required for contract closing and contractual performance. We only disclose the data to third parties in the course of delivery and payment or to legal advisers and public authorities within the scope of legal permission and obligations. The data are only processed in third party countries when this is required for contractual performance (e.g. by customer request on delivery or payment).

Users may set up an optional user account where they can in particular view their orders. Users are informed of the required mandatory information in the course of registration. The user accounts are not public and cannot be indexed by search engines. When a user cancels their user account, their user account data are erased except when their retention is required for commercial or tax law reasons pursuant to Art. 6 (1), point c GDPR. Information remains in the customer account until it is deleted, and is subsequently archived in case of a legal obligation. Securing the data upon cancellation before the end of the contract term is the responsibility of the user.

We store the IP address and time of the respective user action in the course of registration, subsequent logins and the use of our online services. This storage is based on our legitimate interests and the interest of the user in protection against misuse and other unauthorised use. In principle there is no dissemination of these data to third parties, unless this is required to pursue our claims or in case of a legal obligation pursuant to Art. 6 (1), point c GDPR.

Erasure takes place after the expiration of statutory warranty and similar obligations. The need to retain the data is reviewed every three years. In case of statutory archiving obligations, erasure takes place after the end of the applicable retention period (6 years under commercial law and 10 years under tax law).

Contractual services

We process the data of our contractual partners and prospects as well as other customers, clients and contractual partners (jointly referred to as “contractual partners”) pursuant to Art. 6 (1), point b. GDPR for the purpose of providing our contractual or pre-contractual services. The data processed in this context and the nature, scope and purpose of as well as the need for their processing are determined based on the underlying contractual relationship.

The processed data include the master data of our contractual partners (e.g. names and addresses), contact data (e.g. e-mail addresses and telephone numbers), contract data (e.g. services used, contract contents, contractual communication, names of contact persons) and payment data (e.g. bank details, payment history).

We generally do not process special categories of personal data except when these are part of commissioned or contractual processing.

We process data require for contract closing and contractual performance, and point out the need for the information insofar as this is not evident for the contractual partners. Disclosure to external persons or companies only takes place when required in the course of contractual performance. In processing the data provided to us within the scope of an order, we act according to the directives of our customers and the applicable legal requirements.

We may store the IP address and time of the respective user action in the course of using our online services. This storage is based on our legitimate interests and the interest of the user in protection against misuse and other unauthorised use. In principle there is no dissemination of these data to third parties, unless this is required to pursue our claims pursuant to Art. 6 (1), point f. GDPR or in case of a legal obligation pursuant to Art. 6 (1), point c. GDPR.

The data are erased when they are no longer needed for the purpose of contractual or statutory fiduciary duty or in the context of possible warranty and comparable obligations; here the need to retain the data is reviewed every three years. Otherwise the statutory retention obligations apply.

External payment service providers

We engage external payment service providers; we and the users can conduct payment transactions via the platforms of these providers:
Paypal (https://www.paypal.com/de/webapps/mpp/ua/privacy-full ),
Visa (https://www.visa.de/datenschutz ),
Mastercard (https://www.mastercard.de/de-de/datenschutz.html ),
Sofort-Überweisung (https://www.raiffeisen.at/oesterreich/1006622610903_496077189930558810-1033060106634-NA-30-NA.html ),
heidelpay (https://www.heidelpay.com/at/datenschutz/ )

In the course of contractual performance, we engage the payment service providers based on Art. 6 (1), point b. GDPR. Otherwise we engage external service providers based on our legitimate interests pursuant to Art. 6 (1), point b. GDPR to offer effective and secure payment options to our users.

The data processed by payment service providers include basic data such as the name and address, bank data such as account numbers or credit card numbers, passwords, TANs and checksums, and contract, amount and recipient-related information. This information is required for processing the transactions. However, the data provided are processed only by the payment service providers and stored by them. This means we do not obtain any credit card or account-related information, but only a confirmation of payment or notice of non-payment. The data may be transmitted to credit agencies by the payment service providers. This transmission is for the purpose of identity verification and credit screening. Please refer to the general business terms and conditions and data privacy statements of the payment service providers.

The business terms and conditions and data privacy statements of the respective payment service providers, available on the respective websites and/or transaction applications, apply for payment transactions. We are also referring to these for the purpose of further information and asserting rights to withdrawal, information and other data subject rights.

Administration, financial accounting, office organisation, contact management

We process data in the course of administrative tasks and the organisation of our business, financial accounting and compliance with legal obligations such as archiving. Here we process the same data as in the course of our contractual performance. The basis of processing is Art. 6 (1), point c. and Art. 6 (1), point f. GDPR. Customers, prospects, business partners and website visitors are affected by this processing. The purpose of and our interests in processing include administration, financial accounting, office organisation and data archiving that serves to maintain our business activities, complete our tasks and provide our services. The erasure of data in regards to contractual performance and communication corresponds to the information provided for these processing activities.

In this context we disclose or transmit data to the financial administration, consultants such as auditors or tax consultants and other billing offices and payment service providers.

We also store information about suppliers, organisers and other business partners based on our legitimate business interests, for example to subsequently contact them. These mainly company-specific data are generally stored by us permanently.

Business management analyses and market research

In order to operate our business economically and identify market trends and preferences of contractual partners and users, we analyse the data available to us for business processes, contracts, enquiries etc. In doing so we process basic data, communication data, contract data, payment data, usage data and metadata based on Art. 6 (1), point f. GDPR; data subjects include contractual partners, prospects, customers, visitors and users of our online offering.

The analyses are conducted for the purpose of business management evaluations, marketing and market research. We are able to take the profiles of registered users with information, for example on the services used, into account in doing so. The analyses are conducted by us to improve usability, optimise our offering and for operating efficiency. These analyses are solely for our own use and are not disclosed externally, except in case of anonymous analyses with summarised values.

Insofar as these analyses or profiles are related to specific persons, they are erased or anonymised when the user cancels, otherwise two years after the end of the respective contract. Otherwise the overall business management and general trend analyses are prepared anonymously as far as possible.

Data privacy statement for the application process

We process applicant data only for the purpose and within the scope of an application process according to the applicable legal requirements. The processing of applicant data is performed to meet our (pre-)contractual obligations within the scope of the application process pursuant to Art. 6 (1), point b. GDPR, Art. 6 (1), point f. GDPR insofar as data processing becomes necessary for us, for example in the course of legal proceedings (Section 26 BDSG applies additionally in Germany).

The application process requires applicants to provide us with the applicant data. Required applicant data are identified insofar as we offer an online form. Otherwise they are derived from the job posting. They generally include information about the person, mailing and contact addresses and the application documents such as the cover letter, CV and certificates. Applicants may voluntarily provide us with additional information as well.

By submitting their application to us, applicants agree to the processing of their data for the purpose of the application process according to the nature and scope described in this data privacy statement.

Insofar as special categories of personal data pursuant to Art. 9 (1) GDPR are voluntarily provided within the scope of the application process, they are generally processed pursuant to Art. 9 (2), point b GDPR (e.g. health data such as disability or ethnicity). Insofar as special categories of personal data pursuant to Art. 9 (1) GDPR are requested from applicants in the course of the application process, they are generally processed pursuant to Art. 9 (2), point a GDPR (e.g. health data when these are required for the occupation).

Applicants may submit their application using an online form on our website when this is provided. The data are transmitted to us encrypted according to the state of the art.
Applicants may also submit their applications to us by e-mail. In this case however, please note that e-mail is generally not sent in encrypted form and the applicant is responsible for encryption. Therefore we assume no responsibility for the transmission of the application between the sender and receipt on our server, and recommend using an online form or submission by mail. In addition to applying using the online form or e-mail, applicants may submit their application to us by regular mail.

The data provided by applicants may be further processed by us for the purpose of the employment relationship in case of a successful application. Otherwise the applicant data are erased insofar the application for a job posting is not successful. The applicant data are also erased when an application is retracted. Applicants have the right to do so at any time.

Subject to legitimate revocation of the applicants, erasure takes place at the end of six months so that we are able to answer possible follow-up questions about the application and meet our obligation to produce supporting documents under equal treatment laws. Invoices for the possible reimbursement of travel expenses are archived in accordance with tax law requirements.

Making contact

When making contact with us (e.g. using a contact form, e-mail, telephone or via social media), the user’s information is processed for the purpose of handling and processing the contact request pursuant to Art. 6 (1), point b) GDPR. User information may be stored in a customer relationship management (CRM) system or comparable enquiry organisation system.

We erase the enquiries insofar as they are no longer needed. A review of necessity is performed every two years and statutory archiving obligations apply in addition.

Newsletter

The information that follows describes the content of our newsletter as well as the processes for registration, sending and statistical evaluation and your rights to object. By subscribing to our newsletter, you agree to receive it and consent to the described processes.

Content of the newsletter: We send newsletters, e-mails and other electronic notices with promotional information (“newsletter” in the following) only with the consent of the recipient or legal permission. Insofar as the content of a newsletter is described in concrete terms in the course of registration, this is relevant for the consent of the user. Otherwise our newsletters contain information about our products and related information (e.g. safety instructions), offers, promotions and our company.

Double opt-in and logging: A double opt-in process is used to register for our newsletter. This means you receive an e-mail after you register, asking you to confirm your registration. Confirmation is required to prevent registration with third-party e-mail addresses. Newsletter registrations are logged to document the registration process in accordance with legal requirements. This includes storing the time of registration and confirmation as well as the IP address. Changes to your data stored by the sending service provider are also logged.

Registration data: All you need to provide to register for the newsletter is your e-mail address. Optionally we ask you to provide a name so we can address you personally in the newsletter.

Sending out the newsletter and the associated measurement of success are based on the consent of the recipients pursuant to Art. 6 (1), point a, Art. 7 GDPR in conjunction with Section 107, Paragraph 2 of the Telecommunications Act (TKG), or based on legal permission pursuant to Section 107, Paragraph 2 and 3 TKG.

Logging the registration process is performed based on our legitimate interests pursuant to Art. 6 (1), point f GDPR. Our interests are aimed at operating a user-friendly and secure newsletter system that serves our business interests, meets the expectations of users and permits us to provide proof of consent.

Cancellation/withdrawal – you may cancel your subscription to our newsletter and withdraw your consent at any time. A link to cancel the newsletter is found at the end of each newsletter. We may store unsubscribed e-mail addresses for up to three years based on our legitimate interests before we erase them, in order to provide proof of original consent. The processing of these data is restricted to the purpose of defending against possible claims. An individual request for erasure may be made at any time, provided that original consent is confirmed at the same time.

Newsletter sending service provider

The newsletter is sent out by the sending service provider Newstroll email marketing software, Marco Ahrendt, Maustäle 18, D 72793 Pfullingen. Die Datenschutzbestimmungen des Versanddienstleisters können Sie hier einsehen: https://www.newstroll.de/datenschutz/ . We engage the sending service provider based on our legitimate interests pursuant to Art. 6 (1), point f GDPR and a processing contract pursuant to Art. 28 (3), sentence 1 GDPR.

The sending service provider may use the data of the recipients in pseudonymised form, i.e. with no assignment to a user, to optimise or improve its own services, for example for the technical optimisation of sending and the presentation of the newsletter or for statistical purposes. However, the sending service provider does not use the data of our newsletter recipients to contact them directly, nor are the data disseminated to third parties.

Newsletter success measurement

The newsletters contain what is called a web beacon, a pixel-sized file that is fetched by our server or, when we use a sending service provider, by their server when the newsletter is opened. Technical information, for example about your browser and system, as well as your IP address and the time of access, is obtained in this context.

This information is used for the technical improvement of services based on the technical data or target groups and their reading behaviour based on their access locations (that can be determined with the help of the IP address) or access times. Statistical data collection also includes determining whether the newsletter is opened, when it is opened and what links are clicked. This information could be assigned to individual newsletter recipients for technical reasons. However, our intent and that of the sending service provider, if any, is not to observe individual users. In fact we use the evaluations to identify the reading habits of our users and adapt our content to them, or to send different content according to the interests of our users.

Hosting

We utilise hosting services to obtain infrastructure and platform services, computing capacity, storage space and database services, security services and technical maintenance services we use for the purpose of operating this online offering.

In doing so, we and/or our hosting provider process basic data, contact data, content data, contract data, usage data, metadata and communication data of customers, prospects and visitors to this online offering based on our legitimate interests in the efficient and secure delivery of this online offering pursuant to Art. 6 (1), point f GDPR in conjunction with Art. 28 GDPR (conclusion of a processing contract).

Collection of access data and logfiles

We and/or our hosting provider collect data based on our legitimate interests pursuant to Art. 6 (1), point f. GDPR for each access to the server where this service is hosted (known as server logfiles). The access data include the name of the accessed website, file, date and time of access, transmitted data volume, report on successful access, browser type and version, the user’s operating system, referrer URL (the previously visited page), IP address and requesting provider.

Logfile information is stored for a maximum of 7 days for security reasons (e.g. to resolve cases of misuse or fraud) and then erased. Data that must be retained as evidence until the incident in question is finally resolved are exempt from erasure.

Google Tag Manager

Google Tag Manager is a solution that allows us to manage what are called website tags via an interface (for example to integrate Google Analytics and other Google marketing services into our online offering). Tag Manager itself (which implements the tags) does not process any personal data of the users. In regards to the processing of personal data of users, please refer to the following information about the Google services. Usage guidelines: https://www.google.com/intl/de/tagmanager/use-policy.html.

Google Analytics

Based on our legitimate interests (i.e. interest in the analysis, optimisation and economical operation of our online offering pursuant to Art. 6 (1), point f. GDPR), we use Google Analytics, a web analysis service of Google LLC (“Google”). Google uses cookies. The information generated by the cookies regarding the use of the online offering by the user is generally transmitted to a Google server in the USA where it is stored.

Google is certified under the Privacy Shield agreement and thereby guarantees compliance with European data protection law (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active).

Google uses this information on our behalf in order to evaluate the use of our online offering by the users, compile reports about the activities within this online offering and provide us with additional services related to the use of this online offering and the Internet. In doing so, pseudonymised usage profiles for the users may be prepared from the processed data.

We only use Google Analytics with activated IP anonymisation. This means that the IP address of users within member states of the European Union or other states in the European Economic Area is shortened by Google. Only in exceptional cases is the full IP address transferred to a Google server in the USA and shortened there.

The IP address transferred by the user’s browser is not combined with other data by Google. Users can prevent the storage of cookies by configuring the settings of their browser software accordingly. Furthermore, users can prevent the capture of data generated by the cookie and related to their use of the online offering by Google as well as the processing of these data by Google by downloading and installing the browser plug-in available under the following link: http://tools.google.com/dlpage/gaoptout?hl=de.

Alternatively to the browser add-on or in browsers on mobile devices, please click the following link to prevent future data collection by Google Analytics within this website: Analytics-Opt-Out. This stores an opt-out cookie on your device. If you delete your cookies then you have to click the link again.

Further information about the use of data by Google, settings and rights to object is available in the Google data privacy statement (https://policies.google.com/technologies/ads) and the settings for the display of advertisements by Google (https://adssettings.google.com/authenticated).

The personal data of users are erased or anonymised after 14 months.

Google Universal Analytics

We use Google Analytics in the “Universal Analytics” version. “Universal Analytics” is a Google Analytics process that prepares the user analysis on the basis of a pseudonymised user ID and thereby creates a pseudonymised user profile with information from the use of various devices (known as cross-device tracking).

Formation of target groups with Google Analytics

We use Google Analytics in order to display the advertisements placed within advertising services of Google and its partners only to those users who have shown an interest in our online offering, or who exhibit certain characteristics (e.g. interest in certain topics or products determined based on the websites that are visited), which we transmit to Google (known as Remarketing Audiences or Google Analytics Audiences). With the help of Remarketing Audiences, we also want to ensure that our advertisements correspond to the potential interests of users.

Google AdWords and conversion measurement

Based on our legitimate interests (i.e. interest in the analysis, optimisation and economical operation of our online offering pursuant to Art. 6 (1), point f. GDPR), we use the services of Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (“Google”).

Google is certified under the Privacy Shield agreement and thereby guarantees compliance with European data protection law (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active).

We use the Google AdWords online marketing method to place advertisements in the Google advertising network (e.g. in search results, in videos, on websites etc.) so they are displayed for users who have a presumed interest in the advertisements. This allows us to display advertisements for and within our online offering more selectively in order to only present advertisements to users that potentially correspond to their interests. For example, when advertisements for products in which a user has expressed interest in other online offerings are displayed to that user, this is called remarketing. When our and other websites that are part of the Google advertising network are accessed, a Google code is executed directly by Google and what are known as (re)marketing tags (invisible graphics or code, also known as web beacons) are integrated into the website. These are used to store an individual cookie or small file on the user’s device (comparable technologies may also be used instead of cookies). This file stores the websites the user visits, the content the user is interested in and the offers on which the user clicks, as well as technical information about the browser and operating system, referrer URLs, time of the visit and further information about the use of the online offering.

We also receive an individual conversion cookie. Google uses information obtained with the help of this cookie to prepare conversion statistics for us. However, we only obtain the anonymous total number of users who have clicked our advertisement and were forwarded to a page with a conversion tracking tag. We do not receive any information that could be used to identify the users personally.

User data is pseudonymised for processing within the Google advertising network. This means that Google does not store and process, for example, the name or e-mail address of the user, but processes the relevant data on a cookie basis within pseudonymised user profiles. From the perspective of Google, the advertisements are not managed and displayed for a concrete, identified person but for a cookie owner, regardless of who this cookie owner is. This does not apply when the user has expressly permitted Google to process the data without such pseudonymisation. The information collected about users is transmitted to Google and stored on Google servers in the USA.

Further information about the use of data by Google, settings and rights to object is available in the Google data privacy statement (https://policies.google.com/technologies/ads) and the settings for the display of advertisements by Google (https://adssettings.google.com/authenticated).

Facebook pixel, Custom Audiences and Facebook conversion

Based on our legitimate interests in the analysis, optimisation and economical operation of our online offering and for these purposes, our online offering uses what is called the “Facebook pixel” of the social network Facebook operated by Facebook Inc., 1 Hacker Way, Menlo Park, CA 94025, USA or, if you are resident in the EU, by Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (“Facebook”).

Facebook is certified under the Privacy Shield agreement and thereby guarantees compliance with European data protection law (https://www.privacyshield.gov/participant?id=a2zt0000000GnywAAC&status=Active).

The Facebook pixel allows Facebook to identify the visitors to our online offering as a target group for this display of advertisements (known as Facebook ads). Accordingly we use the Facebook pixel in order to display the Facebook ads placed by us only to those Facebook users who have shown an interest in our online offering, or who exhibit certain characteristics (e.g. interest in certain topics or products determined based on the websites that are visited), which we transmit to Facebook (known as Custom Audiences). We also use the Facebook pixel to ensure that our Facebook ads correspond to the potential interests of users and are not perceived as bothersome. With the help of the Facebook pixel, we are also able to understand the effectiveness of Facebook ads for statistical and market research purposes by seeing whether users were forwarded to our website after clicking a Facebook advertisement (known as conversion).

Facebook processes the data according to Facebook’s data usage guideline. Corresponding general information about the display of Facebook ads in Facebook’s data usage guideline: https://www.facebook.com/policy.php. Specific information and details about the Facebook pixel and its functionality is available in the Facebook help section: https://www.facebook.com/business/help/651294705016616.

You can object to the recording of data by the Facebook pixel and their use for the display of Facebook ads. To choose what types of advertisements are displayed to you on Facebook, you can call up the page set up by Facebook and follow the instructions for configuring usage-based advertising settings: https://www.facebook.com/settings?tab=ads. The settings are platform-independent, meaning they apply for all devices including desktop computers and mobile devices.

You can also object to the use of cookies for the purpose of measuring coverage and for promotional purposes on the deactivation page of the network advertising initiative (http://optout.networkadvertising.org/) and on the US website  (http://www.aboutads.info/choices) or the European website (http://www.youronlinechoices.com/uk/your-ad-choices/).

Online presence on social media

We maintain online presences on social networks and platforms in order to communicate with their active customers, prospects and users and inform them about our services there. The business terms and conditions and data processing guidelines of the respective operators apply when accessing the respective networks and platforms.

Unless anything to the contrary is specified in our data privacy statement, we process user data insofar as they communicate with us within the social networks and platforms, for example by posting on our online profiles or sending us messages.

Integration of third-party services and content

Within our online offering and based on our legitimate interests (i.e. interest in the analysis, optimisation and economical operation of our online offering pursuant to Art. 6 (1), point f. GDPR), we use content and services offered by third-party providers, integrating their content and services such as videos or fonts (jointly referred to as “content” in the following).

This always requires these third-party providers to obtain the user’s IP address, since they are unable to send content to the user’s browser without the IP address. The IP address is therefore required to display this content. We strive to only integrate content for which the respective providers use the IP address solely for delivering the content. Third-party providers may also use what are called pixel tags (invisible graphics also known as web beacons) for statistical or marketing purposes. Pixel tags allow information such as visitor traffic on pages of this website to be evaluated. The pseudonymised information can also be stored in cookies on the user’s device that, among other things, may contain technical information about the browser and operating system, referrer URLs, time of the visit and further details about the use of our online offering, and can be linked to such information from other sources.

YouTube

We integrate videos from the “YouTube” platform of the provider Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Data privacy statement: https://www.google.com/policies/privacy/, opt-out: https://adssettings.google.com/authenticated.

Google Fonts

We integrate the fonts (“Google Fonts”) of the provider Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Data privacy statement: https://www.google.com/policies/privacy/, opt-out: https://adssettings.google.com/authenticated.

Google ReCaptcha

We integrate the function to identify bots, e.g. for input in online forms (“ReCaptcha”), of the provider Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Data privacy statement: https://www.google.com/policies/privacy/, opt-out: https://adssettings.google.com/authenticated.

Google Maps

We integrate the maps of the “Google Maps” service of the provider Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. The processed data can include, in particular, the IP address and location data of the user, but these data are only collected with consent (generally obtained as part of your mobile device settings). These data may be processed in the USA. Data privacy statement: https://www.google.com/policies/privacy/, opt-out: https://adssettings.google.com/authenticated.

Use of Facebook Social Plugins

Based on our legitimate interests (i.e. the interest in the analysis, optimisation and economical operation of our online offering pursuant to Art. 6 (1), point f. GDPR), we used the Social Plugins (“plugins”) of the social network facebook.com operated by Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (“Facebook”). The plugins may represent interaction elements or content (e.g. videos, graphics or text contributions), and are identified by one of the Facebook logos (white “f” on a blue tile, the terms “Like”, “Gefällt mir” or a “thumbs up” symbol) or the addendum “Facebook Social Plugin”. The list and appearance of the Facebook Social Plugins is available here: https://developers.facebook.com/docs/plugins/.

Facebook is certified under the Privacy Shield agreement and thereby guarantees compliance with European data protection law (https://www.privacyshield.gov/participant?id=a2zt0000000GnywAAC&status=Active).

When a user calls up a function of this online offering, the user’s device establishes a direct connection to the Facebook servers. The content of the plugin is transmitted from Facebook directly to the user’s device, where it is integrated into the online offering. In doing so, usage profiles for the users may be prepared from the processed data. We therefore have no influence on the scope of the data collected by Facebook with the help of the plugins, and consequently inform users according to our state of knowledge.

Due to the integration of the plugins, Facebook receives the information that a user has called up the corresponding page of the online offering. If the user is logged on to Facebook, then Facebook can assign the visit to the user’s Facebook account. When a user interacts with the plugins, e.g. by clicking the “Like” button or submitting a comment, the corresponding information is transmitted from the user’s device directly to Facebook where it is stored. If a user is not a Facebook member, Facebook may nevertheless determine and store the user’s IP address. According to Facebook, only an anonymised IP address is stored in Germany.

In regards to the purpose and scope of data collection and the further processing and use of the data by Facebook as well as your rights in this regard and setting options to protect your privacy, please consult the Facebook data privacy statement: https://www.facebook.com/about/privacy/.

When a user is a Facebook member and does not want Facebook to collect data about the user through this online offering and link it to the user’s profile data stored by Facebook, the user has to log off Facebook and delete their cookies before using our online offering. For further settings and objections to the use of data for promotional purposes, see the Facebook profile settings: https://www.facebook.com/settings?tab=ads or visit the US page http://www.aboutads.info/choices/ or the EU page http://www.youronlinechoices.com/. The settings are platform-independent, meaning they apply for all devices including desktop computers and mobile devices.

Prepared with Datenschutz-Generator.de by the lawyer Dr Thomas Schwenke 
and adapted by the agency crosseye Marketing

Essential Cookies

These cookies do not provide any data to third parties.

Cookie NameAnbieterFunktionLebensdauer
fe_typo_userobermayerhofen.atTypo3 Frontend User Session CookieSession
xeye_cookie_statusobermayerhofen.atStatus der Cookie-ZustimmungUnbegrenzt
stopper-popup-...obermayerhofen.atStatus des Info-PopupUnbegrenzt
ga-disable-UA-…obermayerhofen.atGoogle Analytics Opt-Out-CookieUnbegrenzt
_pk_idobermayerhofen.atIdentifikation des Benutzers,
Matomo Analytics
13 Monate
_pk_refobermayerhofen.atReferrer,
Matomo Analytics
6 Monate
_pk_sesobermayerhofen.atDaten über aktuellen Website-Besuch,
Matomo Analytics
Session
_pk_cvarobermayerhofen.atDaten über aktuellen Website-Besuch,
Matomo Analytics
Session
_pk_hsrobermayerhofen.atDaten über aktuellen Website-Besuch,
Matomo Analytics
Session

Marketing- and Tracking-Cookies

These cookies are only set after consent.

Cookie NameAnbieterFunktionLebensdauer
_gaGoogleIdentifikation des Benutzers,
Google Analytics
2 Jahre
_gidGoogleIdentifikation des Benutzers,
Google Analytics
24 Stunden
_gatGoogleBegrenzung von Server-Anfragen,
Google Analytics
1 Minute
_fbpFacebookpersonalisierte Werbung4 Monate
datrFacebookzur Verhinderung gefälschter Konten2 Jahre
frFacebookBenutzer- und Browser-ID3 Monate
sbFacebookUnterstützt beim Finden neuer Freunde2 Jahre
wdFacebookGröße des Browser-FenstersSession
CONSENTGoogleGoogle Maps, Youtube20 Jahre
NIDGoogleGoogle Maps, Youtube6 Monate
SNIDGoogleGoogle Maps, Youtube6 Monate
DVGoogleGoogle Maps, YoutubeSession
CGICGoogleGoogle Maps, Youtube5 Monate
1P_JARGoogleGoogle Maps, Youtube1 Monat
_gcl_auGoogleGoogle AdSense3 Monate

Weitere Infos: Facebook | Google