1. Basic Information

This data protection declaration concerns all persons who use the services of Tertius Hotel Betriebs GmbH. In this data protection declaration you will learn about the type, scope and purpose of the collection and use of your personal data by our company. We respect your privacy and strive to strictly comply with the legal requirements for the processing of your personal data [EU Regulation No. 679/2016 (General Data Protection Regulation/GDPR), DSG (Data Protection Law), TKG (Telecomunication Law 2003) and Telecommunications-Telemedia Data Protection Act (TTDSG)]. All your personal data will be processed on this basis.

2. Responsible party

Tertius Hotel Betriebs GmbH
Managing Director: Herr Christian Hofer
Hahnenkammstraße 5
6370 Kitzbühel
Tel.: +43 (0)5356 20665-0
Fax: +43 (0)5356 20665-55
E-Mail: direktion.kitz@hotel-kaiserhof.at
ATU 68108424
FN 399649w

3. Collection and processing of personal data

The protection of your personal data is very important to us.

We collect, process and use personal data only to the extent that it is necessary for the establishment, content or amendment of the legal relationship (inventory data). This is done on the basis of Art. 6 para. 1 lit. b GDPR, which permits the processing of data for the fulfilment of a contract or pre-contractual measures. We collect, process and use personal data about the use of our Internet pages (usage data) only insofar as this is necessary to enable the user to use the service or to bill the user.

The collected customer data will be deleted after completion of the order or termination of the business relationship. The statutory retention periods remain unaffected.

Data transmission when concluding contracts for services and digital content

We only transmit personal data to third parties if this is necessary within the framework of the contract processing, for example to the credit institution commissioned with the payment processing. Further transmission of data does not take place or only if you have expressly consented to the transmission. Your data will not be passed on to third parties without your express consent, for example for advertising purposes. The basis for data processing is Art. 6 para. 1 lit. b GDPR, which permits the processing of data for the fulfilment of a contract or pre-contractual measures.

Your personal data will only be processed to the extent that this is permitted by law and necessary for the fulfilment of the respective purpose (registration, provision of services, contract processing, fulfilment of legal obligations, sending information material, sending newsletters, carrying out customer analyses).

The following personal data is collected and processed within the scope of our service:

• your master data: First and last name, address (state, country, postcode, street), nationality, gender, date of birth, e-mail address, telephone number, customer number and language
• the data in travel documents presented: Type of ID card/ID type (passport, ID card, driving licence) ID card number, duration (date of issue/expiry), issuing authority, date of birth, nationality)
• the data on the method of payment and in connection with payments, in particular with debit cards, credit cards and bank cards
• the length of stay you have requested as well as destinations, contacts, conditions, special services, frequent flyer number, personal preferences related to your stay, which you make known to us
• special categories of data such as data on special needs and on marriage/partnership

are required for our services. This also includes bookings of travel, guides, gastronomy, rental vehicles, transfers, registration processing, insurance, events, tours, accreditations, vouchers including customer creation, billing and their verification (B2B, B2C, FIT), ticket bookings.

This data is therefore stored and processed by us for these purposes and, where necessary, transferred to third parties with whom we cooperate in order to provide the most effective and best possible service for our customers - this may also include service providers in third countries as order processors, software and agency service providers.

Profiling is the process by which the responsible person (controller or processor) collects and processes personal data for the purpose of providing and improving offers and services so that they can be better tailored to the needs of the client. However, no decisions that may entail legal consequences or damages of any kind for the client are made in an automated manner.

We can process the following data in our hotel software Protel: Name, gender, date of birth, car registration number, ID card number, issuing authority, date of issue/expiry, company, profession, tax number, membership card, photo, remarks and relationship to other profiles.

We may associate the following data related to your reservation with your profile: previous reservations, future reservations, invoices, offers, confirmations, notes and questionnaires. Personal data provided by you will be processed until you withdraw your consent. You can withdraw your consent at any time, free of charge and without giving reasons, at the hotel reception, by telephone on +43 (0)5356 20665-0 or via E-Mail direktion.kitz@hotel-kaiserhof.at.

The legal bases for these data processing operations are as follows

• the fulfilment of our pre-contractual and contractual obligations towards you,
• your consents,
• legal, contractual or other legal obligations on our part (e.g. documentation rights and obligations under accounting, tax and customs law, contracting, reporting, litigation)
• TKG, TTDSG and
• our legitimate interests (e.g. improving our customer service, including in the area of direct marketing, or protecting our own legal interests).

The duration of storage is determined by the duration of our business relationship, the consents you have given, and also by the statutory retention obligations and legal obligations applicable to us. In the case of regular cooperation, we strive to provide the best possible personal customer service. The customer requests you have already submitted help us to get to know you well so that we can satisfy you on an ongoing and permanent basis.

Video surveillance

In the interest of public safety, there may be video surveillance around the hotel entrance, parking and garage. Videos are stored in independent hard drives at the respective location. Recorded videos are stored for a maximum of 72 hours.

4. Newsletter

You are free to subscribe to our newsletter. The registration, for which you must disclose your e-mail address and give your consent to receive the newsletter, only becomes effective when you confirm a registration link that you receive by e-mail. In order to be able to provide you with targeted information in the newsletter, we also allow you to provide information on specific interests, key dates, location details and regions and the like when you register.

In each newsletter you receive, you will find all the information you need to unsubscribe. If you have any questions about our newsletters, please contact marketing@hotel-kaiserhof.at and we will be happy to help you.

The content of our website has been carefully compiled and checked several times, but we do not assume any liability for the topicality, correctness and completeness of the information provided. Claims for damages due to the use or non-use of the information or due to the use of incorrect or incomplete information are excluded. All offers are subject to change and non-binding. We reserve the right to change, supplement or delete the offer or parts thereof without prior notice or to temporarily or permanently cease publication of the website.

The content and programming of our website are protected by copyright and ancillary copyright. Any reproduction - including excerpts - and public reproduction, in particular the copying of texts, graphics and photos, is prohibited without our prior written consent.

5. Passing on to third parties

Your personal data will not be disclosed to third parties, except for

• we are legally obliged to do so, e.g. according to the TKG, StGB or StPO
• in medical emergencies to authorised medical personnel
• on the basis of your express written consent
• at your express request for services outside the hotel (e.g. taxis, opera/concert tickets, etc.)

Your bank details will be passed on to electronic payment service providers for the purpose of payment processing.

6. Data processing on behalf of/commitment of processors

We only use external processors if their activities are necessary for the provision of our services (e.g. newsletter dispatch). These processors have made a commitment to us to comply with the applicable data protection provisions and have concluded a processing contract in accordance with Article 28 of the GDPR.

Your personal data will be shared with the following external data processors:

• Amadeus IT Holding SA, Madrid, ESP
• BMD Systemhaus GmbH, Steyr, AUT
• Google Inc., Dublin, IRL
• INCERT eTourismus GmbH & CoKG, Linz, AUT
• Intervalid GmbH, Wien, AUT
• Microsoft, Wien, AUT
• Matomo via Hetzner Online GmbH, Gunzenhausen, GER
• Hotjar Ltd, Paceville St. Julian’s, MLT
• ProASP Professional Application Services Providing GmbH, Bad Vöslau, AUT
• Protel Hotelsoftware Hotelsoftware Austria GmbH, Wien, AUT
• The Hotels Network, S.L., Barcelona, ESP
• Travelclick Inc., New York, USA
• Zendesk Inc., San Francisco, USA

We prefer to use processors from within the EU. We only use them from outside the EU if an adequacy decision has been issued by the European Commission for the third country in question or if we refer to the European Commission's standard contractual clauses or if suitable guarantees are in place with the third country (e.g. EU/US Privacy Shield) or we have agreed a binding data protection regulation with the processor.

In the voucher area, based on a separate agreement, your personal data will be collected and processed on our behalf by the order processor INCERT eTourismus GmbH & Co KG, Leonfeldner Strasse 328, 4040 Linz within the framework of order data processing according to Art 28 GDPR in accordance with the corresponding legal requirements. In the event of support measures, INCERT eTourismus also has access to your data, but may only use it for the purpose of support measures and not for its own purposes.

After cancellation of the purchase or order process, the data stored with us will be deleted after 14 days in order to be able to support any problems within the scope of the order process. In the event of the conclusion of a contract, all data from the contractual relationship will be stored until the expiry of the retention period of 7 years under tax law. The data: Name, address, ordered voucher, purchased service and date of purchase will also be stored until the expiry of the product liability (10 years) or until the expiry of the warranty and redemption period for vouchers (30 years) stipulated in the Consumer Protection Act.

7. Data collection on our website

Cookies

We use cookies, which are small text elements used to store information in web browsers. Most of the cookies we use are so-called "session cookies". They are automatically deleted after the end of your visit. Other cookies remain stored on your terminal device until you delete them. These cookies enable us to recognise you the next time you visit our website. They also help to speed up loading processes and make the use of our offers more convenient for you. The information recognised and stored by cookies serves to recognise you, but also to analyse your user behaviour. They are stored on the server of the respective provider who, as an order processor, has undertaken to comply with the applicable data protection standards.

After you have visited our website, cookies remain stored on your terminal device unless you refuse them from the outset or actively delete them. Actively deactivating cookies may impair the functionality of our website for you. You can also prevent the storage of cookies by making the appropriate setting in your browser. However, we would like to point out that in this case you may not be able to use all the functions of our website.

You can also prevent the forwarding of usage data generated by the cookie (incl. your IP address) to Google and the processing of this data by Google by downloading and installing the browser plug-in available on the google.com website. However, the plug-in is only available for certain browser programs.

Contact form

If you send us enquiries via the contact form, your details from the enquiry form, including the contact details you provide there, will be stored by us for the purpose of processing the enquiry and in the event of follow-up questions. We do not pass on this data without your consent. The processing of the data entered in the contact form is therefore based exclusively on your consent (Art. 6 para. 1 lit. a GDPR). You can revoke this consent at any time. For this purpose, an informal communication by e-mail to us is sufficient. The legality of the data processing operations carried out until the revocation remains unaffected by the revocation. The data you entered in the contact form will remain with us until you request us to delete it, revoke your consent to store it or the purpose for storing the data no longer applies (e.g. after we have completed processing your request). Mandatory legal provisions - in particular retention periods - remain unaffected.

Registration on this website

You can register on our website to use additional functions on the site. We use the data entered for this purpose only for the purpose of using the respective offer or service for which you have registered. The mandatory information requested during registration must be provided in full. Otherwise we will reject the registration.

For important changes, for example in the scope of the offer or in the case of technically necessary changes, we use the e-mail address provided during registration to inform you in this way. The processing of the data entered during registration is based on your consent (Art. 6 para. 1 lit. a GDPR). You can revoke your consent at any time. For this purpose, an informal communication by e-mail to us is sufficient. The legality of the data processing already carried out remains unaffected by the revocation.

The data collected during registration will be stored by us for as long as you are registered on our website and will then be deleted. Legal retention periods remain unaffected.

Hotjar

If you have consented to the use of cookies, we use Hotjar software from Hotjar Ltd, Dragonara Business Centre, 5th Floor, Dragonara Road, Paceville St. Julian's STJ 3141, Malta to improve the user experience on our website. Hotjar allows us to measure and analyse user behaviour on our website. For this purpose, Hotjar sets cookies on the end device and can store this data in pseudonymised form (e.g. browser information, operating system, time spent on the page).

You can prevent data processing by Hotjar by following the instructions in the following link https://www.hotjar.com/de/legal/policies/do-not-track/ or by revoking your consent in the cookie banner. More information on data protection and data processing at Hotjar can be found at https://www.hotjar.com/legal/policies/privacy.

8. Tracking Services – Plugins und Tools

Google Analytics und Google Analytics 4

We use Google Analytics, a web analytics service provided by Google Inc, Mountain View, CA 94043, USA. We have concluded an order data processing contract with Google and fully implement the strict requirements of the German data protection authorities when using Google Analytics. Google Analytics uses cookies. The information generated by the cookie about your user behaviour is usually transmitted to a Google server in the USA and stored there. Your IP address will be shortened beforehand within the European Union and thus anonymised or at least pseudonymised. Only in exceptional cases will the full IP address be transferred to a Google server in the USA and shortened there. Google Analytics cookies are stored on the basis of Art. 6 Para. 1 lit. f GDPR. The website operator has a legitimate interest in analysing user behaviour in order to optimise both its website and its advertising.

Google uses this information to evaluate your use of the website, to compile reports on website activity and to provide other services to the website operator in connection with the use of the website and the Internet. The IP address transmitted by your browser as part of Google Analytics will not be merged with other Google data.

Our website uses the "demographic characteristics" function of Google Analytics. This allows reports to be generated that contain statements about the age, gender and interests of site visitors. This data comes from interest-based advertising from Google as well as visitor data from third-party providers. This data cannot be assigned to a specific person. You can deactivate this function at any time via the ad settings in your Google account or generally prohibit the collection of your data by Google Analytics as shown in the item "Objection to data collection".

You can prevent the storage of cookies by setting your browser accordingly. The browser plug-in required for this can be found at https://tools.google.com/dlpage/gaoptout?hl=de. However, we would like to point out that in this case you may not be able to use all the functions of this website to their full extent.

For more information on Google's use of data for advertising purposes, setting and objection options, and the applicable data protection provisions, please visit Google's websites at https://www.google.de/intl/de/policies/privacy (data protection by Google when you use websites and apps), https://www.google.com/policies/technologies/ads (use of data for advertising purposes), https://www.google.com/analytics/terms/de.html and https://www.google.com/intl/de_de/analytics/ (Google Analytics is explained in more detail).

YouTube

Our website uses plugins from the YouTube site operated by Google. The operator of the pages is YouTube, LLC, 901 Cherry Ave, San Bruno, CA 94066, USA. When you visit one of our pages equipped with a YouTube plugin, a connection to the YouTube servers is established. This tells the YouTube server which of our pages you have visited.

If you are logged into your YouTube account, you enable YouTube to assign your surfing behaviour directly to your personal profile. You can prevent this by logging out of your YouTube account.

YouTube is used in the interest of an appealing presentation of our online offers. This constitutes a legitimate interest within the meaning of Art. 6 (1) lit. f GDPR. Further information on the handling of user data can be found in YouTube's privacy policy at https://www.google.de/intl/de/policies/privacy.

Vimeo

Our website uses plugins from the video portal Vimeo. The provider is Vimeo Inc, 555 West 18th Street, New York, New York 10011, USA. When you visit one of our pages equipped with a Vimeo plugin, a connection to the Vimeo servers is established. This tells the Vimeo server which of our pages you have visited. In addition, Vimeo obtains your IP address. This also applies if you are not logged in to Vimeo or do not have an account with Vimeo. The information collected by Vimeo is transmitted to the Vimeo server in the USA.

If you are logged into your Vimeo account, you enable Vimeo to assign your surfing behaviour directly to your personal profile. You can prevent this by logging out of your Vimeo account. The privacy policy published by Vimeo is available at https://vimeo.com/privacy.

Google Maps

This site uses the map service Google Maps via an API. The provider is Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.

To use the functions of Google Maps, it is necessary to save your IP address. This information is usually transferred to a Google server in the USA and stored there. The provider of this site has no influence on this data transmission. Google Maps is used in the interest of an appealing presentation of our online offers and to make it easy to find the places we indicate on the website. This represents a legitimate interest within the meaning of Art. 6 Para. 1 lit. f GDPR.

More information on the handling of user data can be found in the privacy policy of https://www.google.de/intl/de/policies/privacy.

Matomo

This website uses the open source web analytics service Matomo. Matomo is hosted by the third-party provider Hetzner Online GmbH Industriestrasse 25, 91710 Gunzenhausen, Germany.

With the help of Matomo, the use of our website by website visitors can be recorded and analysed. This enables us to find out which page views were made and which region you come from. In addition, various log files are collected (e.g. IP address, referrer, browsers used and operating systems). This allows us to measure whether you perform certain actions (e.g. clicks, purchases, etc.). The use of this analysis tool is based on Art. 6 para. 1 lit. f GDPR. The website operator has a legitimate interest in analysing user behaviour in order to optimise both its website and its advertising. Insofar as a corresponding consent has been requested, the processing is carried out exclusively on the basis of Art. 6 Para. 1 lit. a GDPR and § 25 Para. 1 TTDSG, insofar as the consent includes the storage of cookies or access to information in the user's terminal device (e.g. device fingerprinting) within the meaning of the TTDSG. The consent can be revoked at any time.

IP anonymisation is used for the analysis with Matomo. This means that your IP address is shortened before analysis and can no longer be clearly assigned to you. Matomo has been configured so that it does not save any cookies in your browser.

An order processing agreement has been concluded for the use of the above-mentioned service. This contract, which is required by data protection law, ensures that the personal data of website visitors is only processed in accordance with our instructions and in compliance with the GDPR.

The privacy policy published by Matomo is available at https://matomo.org/privacy-policy/.

9. Social Media

The content on our pages can be shared in social networks such as Facebook, Instagram or Twitter in a data protection compliant manner. The content is shared via plugins. Our site uses the eRecht24 Safe Sharing Tool. This tool only establishes direct contact between the networks and users when the user actively clicks on one of these buttons. This tool does not automatically transfer user data to the operators of these platforms. If the user is registered with one of the social networks, an information window appears when using the social buttons of Facebook, Twitter & Co. in which the user can confirm the text before sending it. Our users can share the contents of this page in social networks in a data protection compliant manner without complete surfing profiles being created by the operators of the networks.

Facebook-Plugins (Like & Share Button)

We have integrated Facebook components on our website. You can recognise the Facebook plugins by the Facebook logo or the "Like" button on our page. You can find an overview of the Facebook plugins at https://developers.facebook.com/ docs/plugins/.

The social plug-ins operated by Facebook are buttons that Facebook uses to measure who visits our website. When you visit our pages, a direct connection is established between your browser and the Facebook server via the plug-in. Facebook thereby receives the information that you have visited our site with your IP address. If you click the Facebook "Like" button while you are logged into your Facebook account, you can link the content of our pages on your Facebook profile. This allows Facebook to associate the visit to our pages with your user account. We would like to point out that we, as the provider of the pages, have no knowledge of the content of the transmitted data or its use. If you do not want Facebook to be able to associate your visit to our pages with your Facebook user account, please log out of your Facebook user account.

The privacy policy published by Facebook is available at https://www.facebook.com/privacy/policy/. It provides information about the use, collection and processing of personal data by Facebook and informs about the setting options for the protection of privacy.

The companies responsible for processing personal data are Facebook Ireland Ltd, 4 Grand Canal Square Dublin 2, Ireland (for persons living outside the USA and Canada), and Facebook Inc, 1601 S. California Avenue, Palo Alto, CA 94303, USA.

Instagram-Plugin

Functions of the Instagram service are integrated on our pages. These functions are offered/integrated by Instagram Inc., 1601 Willow Road, Menlo Park, CA 94025, USA.

If you are logged into your Instagram account, you can link the content of our pages to your Instagram profile by clicking on the Instagram button. This allows Instagram to associate the visit to our pages with your user account. We would like to point out that we, as the provider of the pages, have no knowledge of the content of the transmitted data or its use by Instagram. For more information, please see the Instagram privacy policy: https://www.instagram.com/legal/privacy/.

10. Duration of processing

We process your personal data, insofar as necessary, for the duration of the entire business relationship (from the initiation, processing to the termination of a contract as well as until the settlement of outstanding claims). After the contract has been fully processed, your data will be stored until the expiry of the warranty, limitation and compensation periods and statutory retention periods applicable to us, and beyond that until the end of any legal disputes in which the data is required as evidence.

We store data that you have provided to us for marketing and information purposes, e.g. receipt of newsletters, until you withdraw your consent to this.

11. Data protection

In order to protect your personal data against accidental or intentional manipulation, loss or destruction and against access by unauthorised persons, we use technical and organisational security measures in accordance with Article 32 of the GDPR. Our security measures are continuously improved in accordance with technical progress.

Our website uses SSL or TLS encryption for security reasons and to protect the transmission of confidential content, such as orders or enquiries that you send to us as the site operator. You can recognise an encrypted connection by the fact that the address line of the browser changes from "http://" to "https://" and by the lock symbol in your browser line.

If SSL or TLS encryption is activated, the data you transmit to us cannot be read by third parties.

Encrypted payment transactions on this website

If there is an obligation to transmit your payment data (e.g. account number in the case of direct debit authorisation) to us after the conclusion of a contract with costs, this data is required for payment processing. Payment transactions via the common means of payment (Visa/MasterCard, direct debit) are made exclusively via an encrypted SSL or TLS connection. With encrypted communication, the payment data you transmit to us cannot be read by third parties.

12. Your rights

With regard to the processing of your data, you may, in accordance with the DSGVO and the national data protection law, request information about your personal data stored by us at any time and free of charge. As a data subject, you have the right to:

• Information (Art. 15 GDPR)
• Rectification/Correction (Art. 16 GDPR)
• Delition (unlawfully processed data) (Art. 17 GDPR)
• Restriction of processing (Art. 18 GDPR)
• Data portability (Art. 20 GDPR)
• Right of objection (Art. 21 GDPR)
• Right of appeal (Art. 77 GDPR)

As we process the data on the basis of our legitimate interests, you generally have the right to object if you have reasons arising from your particular situation that speak against this processing. As we (also) process the data for direct marketing, you can object to this processing for direct marketing purposes at any time.

You can revoke a data protection consent that you have given us at any time. The revocation does not affect the lawfulness of the processing carried out up to that point. A revocation has the consequence that we no longer process your data for the above-mentioned purposes from that point on. For a revocation and more detailed information on your rights as a data subject, please contact us at marketing@hotel-kaiserhof.at. We will be happy to help you.

The Austrian Data Protection Authority (Österreichische Datenschutzbehörde/DSB), Barichgasse 40-42, 1030 Vienna, Tel.: +43 (1) 52 152-0, e-mail: dsb@dsb.gv.at is the competent supervisory authority for complaints.

13. Others

We have implemented organisational and technical safeguards, which we continually evaluate and adapt as necessary, to protect your personal data that we store and process.

This privacy policy may be amended/adjusted by us as necessary due to business or legal innovations. The new version will apply from the time it is made available on our website.