Privacy notice in accordance with Articles 13 and 14 of the GDPR

The protection of your personal data is of particular importance to us. We therefore process your data exclusively in a lawful manner in accordance with statutory provisions (in particular the GDPR, DSG 2018 and TKG 2021). In this privacy policy, we inform you about the most important aspects of data processing – the nature, scope and purposes of the collection and use of personal data – in connection with the use of our website and in connection with other services provided by our company.

Joint controllers (within the meaning of Article 4(7) of the GDPR in conjunction with Article 26 of the GDPR) for the processing of your personal data (personal data within the meaning of Article 4(1) of the GDPR) are:
Wildkogel Arena Marketing OG
Marktstraße 171
A-5741 Neukirchen am Großvenediger
Tel. +43 720 710 730
Email: info@wildkogel-arena.at

Neukirchen
Tourist Board Marktstraße 171
A-5741 Neukirchen am Großvenediger
Tel. +43 720 710 730
Email: info@wildkogel-arena.at Bramberg


Tourist Board Stoitznergasse 3
A-5733 Bramberg am Wildkogel
Tel. +43 720 710 730
Email: info@wildkogel-arena.at

We, the partners listed here, process your personal data as “joint controllers” within the meaning of Article 26 of the GDPR. We have mutually committed ourselves to providing you with the relevant information regarding this joint processing within the meaning of Articles 12 to 14 of the GDPR, to ensuring the appropriate protection of this data, and to enabling you to exercise your rights as a data subject within the meaning of Articles 15–21 of the GDPR. To exercise your rights as a data subject, you may contact any of the partners listed here.

Data Protection Officer:
We take the protection of personal data seriously and have appointed an external Data Protection Officer for this purpose. Our Data Protection Officer is MMag. Martin Zeppezauer, Thurnbichlweg 54, A-6353 Going am Wilden Kaiser (www.zepedes.com).
You can contact our Data Protection Officer at the email address martin@zepedes.com.

Purposes of processing

The purposes for which we process your personal data generally arise from our business activities as a tourism organisation: providing our online services, processing customer enquiries, orders and bookings, accounting, and communicating with business partners and customers. For detailed information on the purposes of processing and, where applicable, on further processing for other compatible purposes, as well as on the categories of data processed, please refer to the detailed descriptions of the individual data processing procedures.

• Personal master data (e.g. name, date of birth and age, address)
• Contact details (e.g. email address, telephone number, fax number)
• Communication data (time and content of the communication)
• Order or booking data (e.g. goods ordered or services commissioned, and billing data such as service period, payment method, invoice date, tax identification number, etc.)
• Payment data (e.g. account number, credit card details)
• Contract data (contents of contracts of any kind)
• Web usage data (e.g. server data, log files and cookies)

Special categories of data (“sensitive data”) pursuant to Article 9 of the GDPR

• Health data (only insofar as this is provided to us by you through your explicit consent to the processing of your request (e.g. arranging a hotel specialising in guests with food intolerances or allergies))

Legal basis for processing

There is generally no obligation to provide the data described in this privacy policy. Failure to provide this data simply means that we cannot offer these services. The legal basis for the processing of your personal data required to fulfil a contract with you or an order placed by you with us is Article 6(1)(b) of the GDPR. Where the processing of personal data is necessary for us to comply with a legal obligation (accounting obligations, bookkeeping obligations or other statutory documentation requirements), Article 6(1)(c) of the GDPR serves as the legal basis. If the processing of data is carried out in your own vital interests, the legal basis for data processing is Article 6(1)(d) of the GDPR. If we process your data to perform a task carried out in the public interest (‘exercise of official authority’), the legal basis is Article 6(1)(e) of the GDPR. If the processing is necessary to safeguard a legitimate interest of our company or a third party and your interests, fundamental rights and freedoms do not override our interest, Article 6(1)(f) of the GDPR (“legitimate interest”) serves as the legal basis for the processing. In this case, we will also inform you of our legitimate interests. Where we have no other legal basis for the processing of personal data as explained above, we will request your consent to the data processing, in which case we will rely on Article 6(1)(a) of the GDPR or, in the case of the processing of sensitive data, on Article 9(2)(a) of the GDPR as the legal basis. You may withdraw this consent at any time free of charge, without this affecting the lawfulness of the processing carried out on the basis of your consent prior to its withdrawal.

We process your personal data with the assistance of data processors who help us provide our services. These data processors are bound by a contract with us, in accordance with Article 28 of the GDPR, to strictly protect your personal data and may not process your personal data for any purpose other than the provision of our services. You can find out which data processors are involved in the detailed descriptions of the individual data processing operations. Your personal data may be disclosed to service providers typical in the business sector, such as banks, tax advisers or auditors, other than our data processors. Personal data is only transferred to state institutions and authorities within the framework of mandatory national legislation. Depending on your request (e.g. for bookings and enquiries), your personal data will be transferred exclusively to the extent necessary, where applicable, to hotel partners or other tourism service providers (members of our organisation) required to fulfil your request. The personal data transferred varies depending on the service.

As a general rule, we process your personal data within the EU. Where we process data in a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA)), or where this occurs in connection with the use of services provided by our data processors or third parties, this is done only if the conditions set out in Articles 44 et seq. of the GDPR for transfers to third countries are met: that is, on the basis of specific safeguards, such as an officially recognised determination that a level of data protection equivalent to that of the EU exists, or in compliance with officially recognised contractual obligations, the so-called ‘EU Standard Contractual Clauses’. If we rely on the EU Standard Contractual Clauses as the legal basis for the transfer of your personal data, we will additionally assess the permissibility of this data transfer as part of a comprehensive risk assessment. Should we reach a negative conclusion in this regard, we will not transfer this data to a third country without your explicit consent in accordance with Article 49(1)(a) of the GDPR.

We will delete your personal data as soon as the purpose for which we collected it no longer applies. Data may also be retained if we process it for a purpose compatible with the original one. It may also be retained if required by laws, regulations or other provisions to which our company is subject.

We collect your personal data exclusively from you and do not use any other data sources.

We do not use automated decision-making or profiling processes that have legal effects on you or similarly significantly affect you. However, with your consent, we will use your usage data to gain a better understanding of your interests, thereby enabling us to display information that may be of interest to you, make tailored offers, or display relevant information to you on third-party websites or social media platforms.

Under the GDPR, you have the right to access, rectify, erase and restrict the processing of your personal data. If the legal basis for the processing of your personal data is your consent or a contract concluded with you, you also have the right to data portability. You have the right to withdraw any consent you may have given for the processing of your personal data. This does not affect the lawfulness of the processing of your personal data up to the point of withdrawal. You have the right to object to the processing of your personal data for the purposes of direct marketing. In the event of an objection, your personal data will no longer be processed for the purposes of direct marketing. A detailed explanation of these rights can be found here in Chapter III.

Right to lodge a complaint

If you believe that the processing of your data infringes data protection law or that your data protection rights have otherwise been infringed, you may lodge a complaint with the competent supervisory authority. In Austria, this is the Data Protection Authority (Barichgasse 40-42, 1080 Vienna, email: dsb@dsb.gv.at).

In this section, we explain how we process your personal data when you visit our website.

Server data

For technical reasons, and on the legal basis of Section 165(3) sentence 3 of the Telecommunications Act 2021 (necessary for the operation of our website), the following data – among other things – which your internet browser transmits to us or to our web hosting provider is collected (so-called “server log files”):

• Browser type and version
• Operating system and device type used (e.g. desktop / mobile)
• Website from which you visit us (referrer URL)
• Website you are visiting
• Date and time of your visit
• Your Internet Protocol address (IP address)

This data, which is anonymous to us, is stored separately from any personal data you may have provided and therefore does not allow us to identify any specific individual. It is analysed for statistical purposes to help us optimise our website and our services.

SSL or TLS encryption For security reasons and to protect the transmission of confidential

content, such as orders or enquiries that you send to us as the website operator, this site uses SSL or TLS encryption. You can recognise an encrypted connection by the fact that the address bar of the browser changes from “http://” to “https://” or by the padlock symbol in your browser bar. When SSL or TLS encryption is activated, the data you transmit to us cannot be read by third parties.

Technical service providers

We create and edit the content of our website with the help of the following service providers, whom we have bound by a corresponding agreement within the meaning of Article 28 of the GDPR to process your data exclusively within the scope of our mandate:

Technical design:

• MICADO Digital Solutions GmbH (Hammerschmiedstraße 5; A-6370 Kitzbühel) Further information on data protection is available at: https://www.micado.cc/de/datenschutz.html

Web hosting:

• Camyno GmbH (Aue 144; A-6405 Pfaffenhofen). Further information at: https://camyno.com/

Our website uses cookies to help us make our website more user-friendly and efficient for you, to carry out statistical analyses of how our website is used, and to display content that may be of interest to you on other websites. Cookies are small data files used to store information during or about visits to websites, and are stored on the website visitor’s computer. The legal basis for cookies that are strictly necessary for the proper functioning of our website (e.g. shopping basket cookies) is Section 165(3) sentence 3 of the Telecommunications Act 2021. Cookies that are not necessary for the functioning of our website (e.g. analytics or marketing cookies) are disabled and are only activated upon your consent in accordance with Article 6(1)(a) of the GDPR via our cookie banner (“Accept”). By clicking on “Settings”, you can enable or disable individual cookies or groups of cookies. If you restrict the use of cookies on our website, you may no longer be able to use all functions of our website to their full extent. You can find detailed information about the cookies used on our website in our cookie banner.

Changing cookie settings in your web browser You can specify in your

web browser’s settings how your browser handles cookies, i.e. which cookies are accepted or rejected. You can also delete cookies already stored on your computer or device at any time. The exact location of these settings depends on the web browser in question. Detailed information on this can be accessed via the help function of the respective web browser.

In addition, you have the option of generally objecting to cookies and similar tracking technologies via the services listed below by setting your individual preferences – which technologies for usage- and interest-based advertising you wish to allow:

• European Interactive Digital Advertising Alliance (EDAA): https://www.youronlinechoices.com/de/praferenzmanagement/
• Network Advertising Initiative (NAI): https://optout.networkadvertising.org/

Contact form and email

We offer you the option on our website to get in touch with us via email and/or a contact form. In this case, the information you provide will be processed for the purpose of handling your enquiry on the legal basis of the performance of a contract in accordance with Article 6(1)(b) of the GDPR. We have a legitimate interest pursuant to Article 6(1)(f) of the GDPR in using a contact form. This legitimate interest lies in offering our website visitors a means of contacting us that does not require them to open their own email client. In the case of contact/order forms where we request your title in addition to your first name and surname, we do so on the basis of our legitimate interest pursuant to Article 6(1)(f) of the GDPR. Our interest lies in addressing our customers and business partners in a personalised and polite manner. There is no legal or contractual obligation to provide this personal data. Failure to provide this data simply means that you cannot submit your enquiry and we cannot process it. Data will only be disclosed to third parties if this is stated on the website or in this privacy policy, or if it is necessary for the performance of a contract, or if required by law. We only store your data for as long as is necessary to process your enquiries or for

For the purpose of providing contractual services, as well as their payment and fulfilment in connection with online purchases, bookings and brochure orders, we process your personal details, contractual and payment data, and communication data (IP address and server log files) on the legal basis of Article 6(1)(b) of the GDPR (performance of a contract) and Article 6(1)(c) GDPR (legal obligation to provide invoices and archive records).

We store this data for as long as the purpose requires, or as long as statutory provisions so require (retention period for invoices pursuant to Section 132 of the Austrian Federal Tax Code (BAO) for 7 years; voucher orders for 30 years until the expiry of the redemption period) or we require this data on the legal basis of Article 6(1)(f) GDPR (legitimate interest) to defend against potential liability claims. Should you cancel the ordering process, we will store the data for 14 days to clarify any issues that may have arisen during the ordering process.

There is no legal or contractual obligation to provide personal data. Failure to provide such data simply means that we cannot process your bookings/orders.

Feratel DESKLINE Online bookings, booking enquiries and brochure orders

To process online bookings, brochure orders and enquiries, we process your personal data in order to provide you with the services you have booked, with the assistance of our service provider feratel Media Technologies AG (Maria-Theresien-Straße 8, A-6020 Innsbruck). To this end, we store and process master data, communication data, contract data and payment data relating to our customers, prospective customers and other business partners. Processing is carried out for the purpose of providing contractual services or fulfilling pre-contractual obligations on the legal basis of Article 6(1)(b) of the GDPR (booking processes, responding to enquiries and sending brochures) and Article 6(1)(c) of the GDPR (statutory retention periods for bookings and invoices). The data fields marked as required are necessary for the establishment and performance of the contract. We disclose your personal data to third parties (hotel partners or other tourism service providers) in the context of this data processing on the legal basis of Article 6(1)(b) GDPR (where necessary to process a booking), or on the basis of our legitimate interest pursuant to Article 6(1)(f) of the GDPR for the use of relevant booking software. We have concluded a corresponding agreement with the company feratel pursuant to Article 28 of the GDPR as a data processor, which ensures that your data is processed exclusively within the scope of our mandate. Further information on feratel’s data protection can be found at: https://www.feratel.com/datenschutz.

feratel Webshop

To process orders/bookings for holiday vouchers, merchandise and tourism services, we use the system provided by feratel Media Technologies AG (Maria-Theresien-Straße 8, A-6020 Innsbruck) as our data processor. The following details are required to process orders/bookings: title, first name and surname, address, email address. We have concluded a corresponding agreement with feratel as a data processor in accordance with Article 28 of the GDPR, which ensures that your data is processed exclusively within the scope of our mandate. Further information on feratel’s data protection can be found at: https://www.feratel.com/datenschutz.

External payment service providers

To process payments for orders/bookings, we use external payment service providers on the legal basis of Article 6(1)(b) GDPR (performance of a contract), via whose platforms you can make your payments. The payment details you enter as part of the order (e.g. account numbers, credit card numbers including security codes, passwords / TANs, etc.) are processed exclusively by our payment service providers and are not visible to us. We receive only a confirmation of the completed payment or a notification that the payment could not be processed via our payment service providers. Further information on data protection and the terms and conditions of our payment service providers can be found at:

Datatrans AG, Kreuzbühlstrasse 26, CH-8008 Zurich.
Tel. +41 44 256 81 91
Email: info@datatrans.ch
https://www.datatrans.ch/de/datenschutzbestimmungen

Stripe, Inc., 510 Townsend Street, San Francisco, CA 94103, USA
Email: support@stripe.com
https://stripe.com/at/privacy

hobex AG, Josef-Brandstätter-Straße 2b, A-5020 Salzburg
Tel. +43 662 2255-0
Email: office@hobex.at
https://www.hobex.at/datenschutz/

Sale of mountain railway tickets and vouchers

For the sale of mountain railway tickets (season tickets, multi-day tickets and day tickets) as well as for the sale of mountain railway ticket vouchers, we provide a link on our website to the online ticket shop of Oberpinzgauer Fremdenverkehrsförderungs- und Bergbahnen AG (Wildkogelbahnstraße 343, A-5741 Neukirchen am Großvenediger). This link is integrated into our page using an HTML link. When you click on the link, a new browser window opens and the page of the Oberpinzgauer Fremdenverkehrsförderungs- und Bergbahnen AG online ticket shop opens. Further processing of your personal data in connection with the purchase of mountain railway tickets is the responsibility of the data controller, Oberpinzgauer Fremdenverkehrsförderungs- und Bergbahnen AG.
Further information on data protection at Oberpinzgauer Fremdenverkehrsförderungs- und Bergbahnen AG can be found at: https://bergbahnen-wildkogel.skiperformance.com/

Sale of ski passes and day tickets (Starjack)

For the sale of ski passes (day and multi-day passes as well as toboggan run tickets), we provide a link on our website to the online ticket shop of SJack GmbH (Am Bühel 6, A-6830 Rankweil). This link is integrated into our page using an HTML link. When you click on the link, a new browser window opens and the SJack GmbH online ticket shop page appears. Further processing of your personal data in connection with the ticket purchase is the responsibility of SJack GmbH, the data controller. Further information on SJack GmbH’s data protection policy can be found at: https://starjack.com/

On our website, you can sign up for our newsletter. The legal basis for sending the newsletter is your consent within the meaning of Article 6(1)(a) of the GDPR. Signing up for our newsletter is done via the so-called double opt-in procedure. This ensures that nobody can subscribe using someone else’s email address (e.g. your email address). You may withdraw your consent at any time free of charge by clicking on the ‘unsubscribe link’ at the end of each newsletter. The lawfulness of any data processing carried out up to that point remains unaffected by the withdrawal. After you unsubscribe, we will retain your email address for a further 3 years on the basis of our legitimate interest (Art. 6(1)(f) GDPR) in order to be able to prove your original consent if necessary. We use “Brevo”, a service provided by Sendinblue GmbH, Köpenicker Str. 126, 10179 Berlin. With the help of Brevo, we can analyse our newsletter campaigns. When an email sent via Brevo is opened, a connection is established with Brevo’s servers – located in Berlin, Germany. This allows us to determine whether a newsletter message has been opened and which links, if any, have been clicked. The purpose of these analyses is to better tailor future newsletters to the interests of the recipients. In addition, technical information such as the time of access, the IP address, browser type and operating system of the recipient is recorded. Sendinblue GmbH’s technical and organisational data protection measures are certified annually by TÜV Rheinlandpfalz. We have entered into a data processing agreement with Sendinblue GmbH within the meaning of Article 28 of the GDPR to ensure that your data is processed only to the extent we require and to which you have consented. General data protection information from Brevo is available at: https://www.brevo.com.

Google Tag Manager

We use the service provided by Google Ireland Limited (“Google”) (Gordon House, Barrow Street, Dublin 4, Ireland) to manage website tags via a centralised tool. The Google Tag Manager tool itself (which implements the tags) is a domain that does not set cookies and does not collect any other personal data. The tool triggers other tags, which may in turn collect data. Google Tag Manager does not access this data. If deactivation has been carried out at domain or cookie level, this remains in effect for all tracking tags implemented using Google Tag Manager. Google is a certified partner of the EU-US Data Privacy Framework. The legal basis for (at least in some cases) data transfers to the USA is therefore an adequacy decision by the European Commission within the meaning of Article 45(3) of the GDPR, whereby the European Commission certifies that the USA provides an adequate level of data protection. Further information on Google’s data protection can be found at: https://policies.google.com/privacy. More information on how Google uses personal data: https://business.safety.google/privacy/.

Google Analytics

This website uses features of the web analytics service Google Analytics. The provider of this service is Google Ireland Limited (“Google”) (Gordon House, Barrow Street, Dublin 4, Ireland). The legal basis for the use of this service is your consent pursuant to Article 6(1)(a) of the GDPR. Google Analytics uses cookies that are stored on the website visitor’s computer and enable an analysis of the visitor’s use of our website. The information generated by the cookie regarding your use of our website is generally stored on European servers and is only transferred to and stored on a Google server in the USA in exceptional cases. We use Google Analytics with IP anonymisation enabled. This means that your IP address is generally truncated by Google whilst still within the European Union, and only in exceptional cases is the full IP address transferred to a Google server in the USA and truncated there. Google is a certified partner of the EU-US Data Privacy Framework. The legal basis for (at least in some cases) data transfers to the USA is therefore an adequacy decision by the European Commission within the meaning of Article 45(3) of the GDPR, by which the European Commission certifies that the USA provides an adequate level of data protection. The IP address transmitted by the relevant browser within the scope of Google Analytics is not merged with other data held by Google. On our behalf, Google will use the information collected to evaluate the use of the website and to compile reports on website activity. Collection by Google Analytics can be prevented by the website visitor adjusting the cookie settings for this website. The collection and storage of the IP address and the data generated by cookies can also be objected to at any time with future effect. The relevant browser plugin can be downloaded and installed via the following link: https://tools.google.com/dlpage/gaoptout. Further information on Google’s use of data, as well as options for settings and opting out, can be found in Google’s Privacy Policy (https://policies.google.com/privacy) and in the settings for the display of Google ads (https://adssettings.google.com/authenticated). More information on how Google uses personal data: https://business.safety.google/privacy/

Our website uses the functions of ‘Google Analytics Remarketing’ in conjunction with the cross-device functions of Google AdWords and Google DoubleClick, based on the legal basis of your consent in accordance with Article 6(1)(a) of the GDPR. The provider is Google Ireland Ltd. (Gordon House, Barrow Street, Dublin 4, Ireland). This function enables the advertising target groups created with Google Analytics Remarketing to be linked to the cross-device functions of Google AdWords and Google DoubleClick. In this way, interest-based, personalised advertising messages, which have been tailored to you based on your previous usage and browsing behaviour on one device (e.g. mobile phone), can also be displayed on another of your devices (e.g. tablet or PC). If you have given your consent, Google will link your web and app browsing history to your Google Account for this purpose. This allows the same personalised advertising messages to be displayed on any device on which you sign in with your Google Account. To support this function, Google Analytics collects Google-authenticated user IDs, which are temporarily linked to our Google Analytics data in order to define and create target groups for cross-device advertising. Cookies are deleted after 1 year. Google is a certified partner of the EU-US Data Privacy Framework. The legal basis for (at least in some cases) data transfers to the USA is therefore an adequacy decision by the European Commission within the meaning of Article 45(3) of the GDPR, whereby the European Commission certifies that the USA provides an adequate level of data protection. You can permanently opt out of cross-device remarketing/targeting by disabling personalised advertising in your Google Account; to do so, follow this link: https://myadcenter.google.com/. The aggregation of the data collected in your Google Account is based solely on your consent, which you can give or withdraw via Google (Article 6(1)(a) GDPR). Further information on Google’s data protection can be found at: https://policies.google.com/privacy. More information on how Google uses personal data: https://business.safety.google/privacy/.

Meta Pixel

In order to display targeted advertisements on Meta platforms (Facebook and Instagram) and to track user actions after they have viewed or clicked on a Meta advertisement, we use the Meta Pixel from Meta Platforms Ireland Ltd. (4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland). This enables us to display information of interest to you on Meta platforms and to evaluate and optimise our Meta advertisements using the data collected in this way, which is anonymous to us (we do not see the personal data of individual users, but only the overall impact). Storage period: max. 12 months. According to its privacy policy, Meta links this data to the Meta user’s Meta account and can thereby display content that matches their interests. Meta is a certified partner of the EU-US Data Privacy Framework. The legal basis for (at least in some cases) data transfers to the USA is therefore an adequacy decision by the European Commission within the meaning of Article 45(3) of the GDPR, whereby the European Commission certifies that the USA provides an adequate level of data protection. Specific information on how the Meta Pixel works can be found in Meta’s help section at: https://de-de.facebook.com/business/help/651294705016616. You can adjust your settings regarding usage-based advertising on Meta platforms yourself in your Meta account: https://www.facebook.com/settings?tab=ads. Further information can be found in Facebook’s privacy policy at: https://www.facebook.com/privacy/explanation.

We use so-called ‘embedded’ social media plug-ins (interfaces to social networks) on our website. When you visit individual pages of our website on which these plug-ins are embedded, software may establish connections to the servers of the respective plug-in providers and transmit data about your use of our website to their servers. This enables you to share our website content with others via social networks and allows us, where applicable, to display content of interest to you on these social networks. The legal basis for this data processing is your consent in accordance with Article 6(1)(a) of the GDPR. We have embedded these plug-ins using the Shariff solution. This means that direct contact between you and the social media platform is only established once you actively click on the button (HTML link). Information on the purpose and scope of the further processing and use of the data by the providers of the embedded social networks, as well as further information within the meaning of Articles 13 and 14 of the GDPR, can be found via the information links listed below.

We incorporate third-party content and functions into our website. This always requires the providers of this content or these functions to collect users’ IP addresses. Without the IP address, they would be unable to send the content to the user’s browser. The IP address is therefore necessary for the display of this content. We endeavour to use only content where the respective providers use the IP address solely for the purpose of delivering the content. However, we have no influence over whether third-party providers store the IP address, for example for statistical purposes. The legal basis for the use of these services is, insofar as they are necessary for the functioning of our website, our legitimate interest pursuant to Article 6(1)(f) of the GDPR; otherwise, your consent pursuant to Article 6(1)(a) of the GDPR. Information on the purpose and scope of further processing and use of the data by the providers of the embedded services/content, as well as further information within the meaning of Articles 13 and 14 of the GDPR, can be found via the information links listed below. The following services/content are embedded in our website:

Outdoor Active

We use the “Outdoor Active” service provided by Outdooractive GmbH & Co. KG (Missener Straße 18, D-87509 Immenstadt) for the cartographic display of tours (e.g. hiking tours, ski tours, cycling and mountain biking tours, etc.). To do this, the map data is loaded from the Outdoor Active server. In doing so, the following data is transmitted to Outdoor Active: the page visited on our website, the IP address of your device, the content of the request, location data, operating system, and the language and version of the browser software. Outdoor Active uses cookies, which are stored on your browser, to process your request. The legal basis for the processing of your data is Article 6(1)(f) of the GDPR (legitimate interest). Our legitimate interest lies in the attractive presentation of our online offering and the geographical presentation of the attractions in our region. In the case of location data from mobile devices, the legal basis is your consent under Article 6(1)(a) of the GDPR, in that you authorise the sharing of location data on your mobile device. Further information on data protection at Outdoor Active can be found at: https://corporate.outdooractive.com/de/datenschutzrichtlinien/ or https://www.outdooractive.com/de/privacy.html.

Intermaps

We use the “Intermaps” service provided by INTERMAPS Software GmbH (Schönbrunner Straße 80/6, A-1050 Vienna) for the cartographic representation of our region. To this end, the map data is loaded from the Intermaps server. In doing so, the following data is transmitted to Intermaps: the page visited on our website, the IP address of your device, the content of the request, location data, operating system, and the language and version of the browser software. Intermaps uses cookies, which are stored on your browser, to process your request. The legal basis for the processing of your data is Article 6(1)(f) of the GDPR (legitimate interest). Our legitimate interest lies in the attractive presentation of our online offering and the geographical representation of the attractions in our region. In the case of location data from mobile devices, the legal basis is your consent under Article 6(1)(a) of the GDPR, in that you authorise the sharing of location data on your mobile device. Further information on data protection at Intermaps can be found at: https://www.intermaps.com/de/Privacy.html.

destination.one Maps

We use the “destination.one” service provided by neusta destination.one GmbH (Münchenerstraße 1, D-86899 Landsberg am Lech) for the cartographic display of accommodation providers in our region. To this end, the map data is loaded from the destination.one server. In doing so, the following data is transmitted to destination.one: the page visited on our website, the IP address of your device, the content of the request, location data, operating system, and the language and version of the browser software. destination.one uses cookies, which are stored on your browser, to analyse your request. The legal basis for the processing of your data is Article 6(1)(f) of the GDPR (legitimate interest). Our legitimate interest lies in the attractive presentation of our online offering and the geographical presentation of the offerings in our region. In the case of location data from mobile devices, the legal basis is your consent pursuant to Article 6(1)(a) of the GDPR, in that you authorise the sharing of location data on your mobile device. Further information on data protection at destination.one can be found at: https://www.destination.one/datenschutz/.

Google reCAPTCHA

To protect your orders submitted via the online form, this website uses the reCAPTCHA service provided by Google Ireland Ltd. (Gordon House, Barrow Street, Dublin 4, Ireland). The verification process carried out serves to distinguish whether the input is made by a human or, abusively, through automated, machine-based processing. By activating IP anonymisation on this website, your IP address will be truncated by Google within Member States of the European Union or in other signatory states to the Agreement on the European Economic Area beforehand, and only in exceptional cases will the full IP address be transmitted to a Google server in the USA and truncated there. According to Google, the IP address transmitted by your browser as part of Google reCAPTCHA is not combined with other Google data. We have a legitimate interest within the meaning of Article 6(1)(f) of the GDPR in the use of Google reCAPTCHA. Our legitimate interest lies in protecting our website from spam software. However, we only use Google reCAPTCHA if you have given your consent. The legal basis for the processing of your data is therefore your consent in accordance with Article 6(1)(a) of the GDPR. Google is a certified partner of the EU-US Data Privacy Framework. The legal basis for (at least in some cases) data transfers to the USA is therefore an adequacy decision by the European Commission within the meaning of Article 45(3) of the GDPR, whereby the European Commission certifies that the USA provides an adequate level of data protection. For more information on how Google uses personal data: https://business.safety.google/privacy/.

YouTube

We embed videos from the “YouTube” platform provided by Google Ireland Ltd. (Gordon House, Barrow Street, Dublin 4, Ireland) in enhanced privacy mode. This is implemented on the basis of Article 6(1)(f) of the GDPR, whereby our interest lies in the seamless integration of the videos and the resulting appealing design of our website. However, we only use YouTube if you have given your consent. The legal basis for the processing of your data is therefore your consent in accordance with Article 6(1)(a) of the GDPR, which you may withdraw at any time with future effect. When you visit a page on which we have embedded a YouTube video, a connection is established with Google’s servers and the content is displayed on the website via a message sent to your browser. According to Google, in enhanced privacy mode, your data (in particular which of our web pages you have visited) and device-specific information, including your IP address, are only transmitted to the YouTube server when you watch the video. Google is a certified partner of the EU-US Data Privacy Framework. The legal basis for (at least in some cases) data transfers to the USA is therefore an adequacy decision by the European Commission within the meaning of Article 45(3) of the GDPR, by which the European Commission certifies that the USA provides an adequate level of data protection. If you are logged in to Google at the same time, this information will be associated with your Google account. You can prevent this by logging out of your Google account before visiting our website or by adjusting your individual settings in your Google account via the following link: https://adssettings.google.com/authenticated. Further information on YouTube’s data protection can be found at: https://policies.google.com/privacy. More information on how Google uses personal data: https://business.safety.google/privacy/.

WordLift

Our website uses the WordLift plugin to analyse content and display metadata in our website’s source code for search engines, based on our legitimate interest pursuant to Article 6(1)(f) of the GDPR. Our legitimate interest lies in improving the discoverability of our website on various search engines. The WordLift plugin is a service provided by WordLift s.r.l (Via Giulia 117, 00186 Rome, Italy). The application does not collect any personal data; WordLift does not store your browser’s IP address. Further information on WordLift’s data protection policy can be found at: https://wordlift.io/gdpr/ or https://wordlift.io/privacy-policy/.

In this section, we provide information about other data processing activities outside our website.

The contact details and application documents submitted to us as part of a job application are processed by us exclusively internally for the purpose of selecting suitable candidates for employment. There is no legal or contractual obligation to provide personal data. Failure to provide such data simply means that you will not be able to submit your application and we will not be able to process it. The personal data provided in this context will be stored by us for a maximum of 6 months in accordance with legal provisions; however, if the applicant has given their express consent for us to retain the documents, they will be stored for a maximum of 2 years.

In addition to our website, we maintain an online presence on social media networks and platforms. The legal basis for using these services is our legitimate interest pursuant to Article 6(1)(f) of the GDPR. Our legitimate interest lies in communicating with customers and business partners active on these platforms and informing them about our services via these networks. When accessing the respective networks and platforms, the terms and conditions and privacy policies of the respective operators of these networks apply. Further information on the processing of your personal data by the respective providers of these services (which personal data is processed for what purposes on what legal basis, how long this data is stored by the respective provider, and, where applicable, details regarding profiling and transfers to third countries) can be found below in the descriptions of the individual services or via the information links provided there.

Facebook Fan Page

We operate a Facebook Fan Page on the “Facebook” platform of Meta Platforms Ireland Ltd. (4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland). The legal basis for the processing of the associated personal data is our legitimate interest within the meaning of Article 6(1)(f) of the GDPR. Our legitimate interest lies in providing customers and potential new customers with information about us and our offers via this information channel. Please note that you use this Facebook page and its functions at your own risk. This applies in particular to the use of interactive functions (e.g. commenting, sharing, rating). When you visit our Facebook page, Facebook collects, amongst other things, your IP address and further information gathered via cookies or other tracking technologies. The data collected about you in this context is processed by Facebook and may be transferred (at least in part) to the USA. Facebook / Meta is a certified partner of the EU-US Data Privacy Framework. The legal basis for (at least in some cases) data transfers to the USA is therefore an adequacy decision by the European Commission within the meaning of Article 45(3) of the GDPR, by which the European Commission certifies that the USA provides an adequate level of data protection. The ECJ has ruled that ‘Facebook’ and the operators of a Facebook fan page process this personal data as joint controllers within the meaning of Article 26 of the GDPR. Facebook makes the joint data processing agreement available via the following link: https://www.facebook.com/legal/terms/page_controller_addendum. As the operators of our fan page, we have no influence over the specific content of the agreement. Facebook describes in general terms in its Data Use Policy what information Facebook receives and how it is used (how Facebook uses data from visits to Facebook pages for its own purposes, to what extent activities on the Facebook page are attributed to individual users to personalise content or advertising, how long Facebook stores this data, whether data from a visit to the Facebook page is passed on to third parties, and much more). There you will also find information on how to contact Facebook and on the settings options for advertisements. The privacy policy is available at the following link: https://www.facebook.com/privacy/policy/. As fan page operators, we do not receive any additional (non-public) information about individual Facebook users from Facebook’s analytics, but only statistically processed information (e.g. total number of page views, page activity, post reach, etc.), which helps us to make our posts more appealing.

Instagram

Instagram is an online service for sharing photos and videos. We have a profile (account) on Instagram. The provider is Meta Platforms Ireland Ltd. (4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland). Further information on the processing of your personal data through the use of Instagram, as well as contact details, can be found at: https://privacycenter.instagram.com/policy/

Pinterest

Pinterest is a hybrid of a social network and a search engine, focusing on visual content, i.e. images and videos. We use this service to generate interest in other content of ours on the internet (in particular our website) using so-called Pins. The provider of this service is Pinterest Europe Ltd. (Palmerston House, 2nd Floor, Fenian Street, Dublin 2, Ireland). Further information on the processing of your personal data through the use of Pinterest, as well as contact details, can be found at: https://policy.pinterest.com/de/terms-of-service.

TikTok

TikTok is a video portal for short videos that also offers social networking features. We use this service to generate interest in our offerings through short videos. The provider is TikTok Technology Ltd. (10 Earlsfort Terrace, Dublin, D02 T380, Ireland). Further information on the processing of your personal data through the use of TikTok, as well as contact details, can be found at: https://www.tiktok.com/legal/page/eea/privacy-policy/de.

X

We use the short message service X (Twitter). The provider is X Corp. (1355 Market Street, Suite 900, San Francisco, CA 94103, USA). If you live in the European Union, the EFTA states or the United Kingdom, the controller responsible for your personal data is Twitter International Unlimited Company (One Cumberland Place, Fenian Street, Dublin 2, D02 AX07 Ireland). Further information on the processing of your personal data through the use of X, as well as contact details, can be found at: https://x.com/de/privacy.

YouTube

We use a YouTube channel on the ‘YouTube’ video portal to publish our videos. The service provider is Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland). Further information on the processing of your personal data through the use of YouTube, as well as contact details, can be found at: https://policies.google.com/privacy.

The personal data you provide when entering our competitions (email address, name, postal address) will be used by us solely for the purpose of selecting a winner, informing them of their prize and sending the prize to them. Your data will not be passed on to third parties. The legal basis for the processing of your personal data is the performance of a contract in accordance with Article 6(1)(b) of the GDPR. There is no legal or contractual obligation to provide personal data. Failure to provide the data will simply mean that you cannot take part in the competition. Your data will be stored for the duration of the competition and – for the purpose of processing any claims for prizes or compensation – for a maximum of 3 years thereafter, after which it will be deleted. By taking part, you also agree that, should you win, your name will be published on our website and on our public social media channels.

At events, we may take photos and videos of the event, or commission photographers to do so, in which you may be recognisable as a participant. We require these photos/videos for the documentation and promotion of our events and will therefore publish them in our media (e.g. printed brochures, website and social media) and make them available to other media owners (print and online) for the promotion of our event. You are under no legal or contractual obligation to provide this data. The legal basis for the processing of your personal data (images and videos in which you are recognisable) is our legitimate interest pursuant to Article 6(1)(f) of the GDPR. Our legitimate interest lies in our right to public relations (presentation of our activities) and the promotion of our events. You have the right to object to the processing. Please send your objection to the email address provided by us in this privacy policy. However, it is to be assumed that our aforementioned interest in the use of the photos does not unduly interfere with your rights as the person depicted. This is particularly the case as we take these photos/videos in public spaces and draw attention to the creation and use of the photos/videos in advance of each event. We also always ensure that no legitimate interests of persons depicted are infringed. Should your personal rights and freedoms be infringed by an image or video created by us for reasons particularly worthy of consideration, we will refrain from further processing or publication. Removal from print media that has already been circulated is not possible. In such cases, however, we will delete the content from our website or social media channels. We generally delete photos and videos of events when we no longer require them for the documentation and promotion of those events.

We provide a freely accessible visitor Wi-Fi service in our offices. In order to provide this hotspot service, we need to process personal data from your device. In this context, the MAC addresses (Media Access Control addresses) of devices may also be stored temporarily. Furthermore, we may store log data (‘log files’) regarding the nature and extent of the use of the services for a period of 7 days. This data cannot be directly linked to you personally, but can be directly linked to the device you are using and thus indirectly linked to you. To provide this service, we use the services of OpIT GmbH (Gerlosstraße 17, 5730 Mittersill) as our data processor. We have concluded a corresponding agreement with our data processor in accordance with Article 28 of the GDPR, which ensures that your data is processed exclusively within the scope of our contract.

At our information offices, you can register for events organised by various providers in our region. For this purpose, we process your personal data (name, email address and telephone number). We process this data on the legal basis of Article 6(1)(b) of the GDPR (performance of a contract/pre-contractual measures) and also pass it on to the relevant organiser. We will delete or destroy this data after the event.