Data protection information "Salzkammergut Tickets" according to Art. 13 and 14 GDPR

1. In general

The protection of your personal data is of particular concern to us. We therefore process your data exclusively in a lawful manner on the basis of the statutory provisions (in particular GDPR, DSG 2018, TKG 2021). In this data protection information, we inform you about the most important aspects of data processing - type, scope and purposes of the collection and use of personal data - in the context of the use of our website and other services of our company.

1.1 Controller responsible for the processing of your data

The controller (within the meaning of Art. 4(7) GDPR) for the processing of your personal data (personal data within the meaning of Art. 4(1) GDPR) is

Tourismusverband Bad Ischl
Auböckplatz 5
A-4820 Bad Ischl
Phone: +43 6132 27757
Email: tickets@salzkammergut.at
Web: www.badischl.at

As part of our "Salzkammergut Tickets" project, we process your data as "joint controllers" with the partners named here and have also concluded an agreement with these partners within the meaning of Art. 26 GDPR, which obliges all partners, among other things, to provide you with the relevant information about this joint processing within the meaning of Art. 12 to 14 GDPR. Art. 12 to 14 GDPR, to ensure appropriate protection of this data and to enable you to exercise your rights as a data subject within the meaning of Art. 15-21 GDPR. Art. 15-21 GDPR. To exercise your rights as a data subject, you can contact us (Tourismusverband Bad Ischl) as well as our partners listed below:

Salzkammergut Tourismus-Marketing GmbH
Salinenplatz 1
A-4820 Bad Ischl
Tel. +43 6132 26909
Email: info@salzkammergut.at

Inneres Salzkammergut Tourism Association
Kirchengasse 4
4822 Bad Goisern am Hallstättersee
Tel. +43 5 95095
Email: info@dachstein-salzkammergut.at
Tourismusverband Fuschlseeregion
Dorfplatz 1
5330 Fuschl am See
Tel.: +43-6226-8384
Email: info@fuschlseeregion.com

MondSeeLand Mondsee - Irrsee Tourism Association
Dr Franz Müller Straße 3
A-5310 Mondsee
Tel.: +43 (0) 6232 2270
Email: info@mondsee.at

Tourismusverband Attersee-Attergau
Attergaustraße 3
A-4880 St. Georgen im Attergau
Phone: +43 7666 7719-0
Email: info@attersee.at

Tourismusverband Traunsee-Almtal
Toscanapark 1
4810 Gmunden
Tel.: +43 7612 74451
E-Mail: info@traunsee-almtal.at

Wolfgangsee Tourismus Gesellschaft mbH
Au 140
5360 St. Wolfgang
Tel.: +43 6138 8003
E-Mail: info@wolfgangsee.at

Data protection officer

We take the protection of personal data seriously and have appointed an external data protection officer for this purpose. Our data protection officer is Mr Martin Zeppezauer, Thurnbichlweg 50, A-6353 Going am Wilden Kaiser(www.zepedes.com). You can contact our data protection officer at the following email address: martin@zepedes.com

1.2 Purposes, data categories and legal bases for the processing of personal data

Purposes of the processing

The purpose of processing your personal data results from the sale of event tickets and other items and services via the sales platform on this website or in our guest information offices.

General data categories

• Personal master data (salutation, title, first name, surname, address, date of birth and age if applicable, company)
• Contact data (e-mail address, telephone number)
• Communication data (time and content of communication)
• Order or booking data (tickets ordered or other items and services, payment method / payment data, invoice date, tax identification number (for companies))
• Web usage data (e.g. server data, log files and cookies)

Legal basis for the processing

In principle, there is no obligation to provide the data for the data processing described in this privacy policy. The only consequence of not providing this data is that we will not be able to offer these services. The legal basis for the processing of your personal data required to fulfil a contract with you or an order you have placed with us is Art. 6 (1) lit. b GDPR. Insofar as the processing of personal data is necessary to fulfil a legal obligation on our part (accounting obligation, bookkeeping obligation or other legal documentation obligations), Art. 6 (1) lit. c GDPR serves as the legal basis. If the processing is necessary to safeguard a legitimate interest of our company or a third party and your interests, fundamental rights and freedoms do not outweigh our interests, Art. 6 (1) lit. f GDPR ("legitimate interest") serves as the legal basis for the processing. In this case, we will also inform you of our legitimate interests. If we have no other legal basis for the processing of personal data as explained above, we will ask you for your consent to data processing, which in these cases is based on Art. 6 (1) lit. a GDPR or, in the case of the processing of sensitive data, on Art. 9 (2) lit. a GDPR as the legal basis. You can withdraw this consent at any time free of charge without affecting the lawfulness of processing based on consent before its withdrawal.

1.3 Data transfer to processors and third parties

We process your personal data with the support of processors who assist us in providing our services. These processors are bound by a corresponding agreement within the meaning of Art. Art. 28 GDPR with us to strictly protect your personal data and may not process your personal data for any purpose other than to provide our services. You can find out which processors are involved in the detailed descriptions of the individual data processing processes.

Your personal data will only be transferred to the extent necessary to the respective organiser whose tickets you purchase from us.

Your personal data will be passed on to companies other than our processors to typical commercial service providers such as banks, tax consultants or auditors. Personal data will only be transferred to state institutions and authorities within the framework of mandatory national legislation.

1.4 Transfers to third countries

In principle, we process your personal data within the EU. If we process data in a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA)) or if this is done in the context of using the services of our processors or third parties, this will only take place if the requirements of Art. 44 et seq. GDPR for the transfer to third countries are met: i.e. on the basis of special guarantees, such as the officially recognised determination of a level of data protection corresponding to the EU or in compliance with officially recognised contractual obligations, the so-called "EU standard contractual clauses". If we rely on the EU standard contractual clauses as the legal basis for the transfer of your personal data, we will also check the permissibility of this data transfer as part of a comprehensive risk assessment. If we come to a negative conclusion, we will not transfer this data to a third country without your express consent in accordance with Art. 49 (1) lit. a GDPR.

1.5 Data erasure and storage period

Your personal data will be deleted by us as soon as the purpose for which we collected your data no longer applies. Data may also be stored if we continue to process the data for a purpose compatible with the original purpose. It may also be stored if this is provided for by laws, regulations or other provisions to which our company is subject.

1.6 Data sources

We collect your personal data exclusively from you and do not use any other data sources.

1.7 Profiling

We do not use any procedures for automated decision-making or profiling that have a legal effect on you or significantly affect you in a similar way. On the legal basis of our legitimate interest pursuant to Art. 6 (1) lit. f GDPR, we will use information on the ticket purchases you have made or, with your consent pursuant to Art. 6 (1) lit. a GDPR, your web usage data to better understand your interests and thus be able to display information of interest to you or make you customised offers or to display corresponding information on third-party websites or social media platforms.

1.8 Safeguarding your data protection rights

In principle, you have the right to information, correction, deletion and restriction of the processing of personal data in accordance with the GDPR. If the legal basis for the processing of your personal data is your consent or a contract concluded with you, you also have the right to data portability. You have the right to withdraw any consent you may have given to the processing of your personal data. This does not affect the lawfulness of the processing of your personal data up to the time of revocation. You have the right to object to the processing of your personal data for the purpose of direct marketing. If you object, your personal data will no longer be processed for the purpose of direct marketing. A detailed explanation of these rights can be found here in Chapter III.

Right to lodge a complaint

If you believe that the processing of your data violates data protection law or that your data protection rights have been violated in any other way, you can lodge a complaint with the competent supervisory authority. In Austria, this is the data protection authority (Wickenburggasse 8, 1080 Vienna, e-mail: dsb@dsb.gv.at).

2. Visiting our website

In this section we inform you how we process your personal data when you visit our website.

2.1 Presentation of the website

Server data

For technical reasons, on the legal basis of Section 165 (3) sentence 3 TKG 2021 (required for the operation of our website), the following data, which your Internet browser transmits to us or to our web space provider, is collected (so-called "server log files")

• Browser type and version
• Operating system and device type used (e.g. desktop / mobile)
• Website from which you visit us (referrer URL)
• Website that you visit
• Date and time of your access
• Your internet protocol address (IP address)

This data, which is anonymous for us, is stored separately from any personal data you may have provided for 7 days and therefore does not allow us to draw any conclusions about a specific person. It is evaluated for statistical purposes in order to optimise our website and our offers.

SSL or TLS encryption

This site uses SSL or TLS encryption for security reasons and to protect the transmission of confidential content, such as orders or enquiries that you send to us as the site operator. You can recognise an encrypted connection by the fact that the address line of the browser changes from "http://" to "https://" or by the lock symbol in your browser line. If SSL or TLS encryption is activated, the data you transmit to us cannot be read by third parties.

Technical service providers

We create and edit the content of our website with the help of the following service providers, which we have obliged to do so by a corresponding agreement within the meaning of Art. 28 GDPR. Art. 28 GDPR to process your data exclusively within the scope of our order:

Technical conception:

• TTG Tourismus Technologie GmbH (Freistädter Str. 119, A-4040 Linz). More information on data protection at: https://www.ttg.at/datenschutz

Web hosting:

• Mittwald CM Service GmbH & Co KG (Königsberger Str. 4 - 6, D-32339 Espelkamp). Further information on data protection can be found at: https://www.mittwald.de/datenschutz

2.2 Cookies

Cookie Banner - Cookies on our website

Our website uses cookies that help us to make our website more user-friendly and efficient for you, to carry out statistical analyses of the use of our website or to show you content that may be of interest to you on other websites. Cookies are small data records that are used to store information during or about visits to websites and are stored on the website visitor's computer. The legal basis for cookies that are absolutely necessary for the proper operation of our website (e.g. shopping basket cookie) is § 165 (3) S 3 TKG 2021. Cookies that are not necessary for the function of our website (e.g. analysis or marketing cookies) are deactivated and are only activated by your consent in accordance with Art. 6 (1) lit. a GDPR in our cookie banner ("Accept"). You can activate or deactivate individual cookies or cookie groups by clicking on "Settings". If you restrict the use of cookies on our website, you may no longer be able to use all the functions of our website to their full extent. Detailed information about the cookies used on our website can be found in our cookie banner.

Changing the cookie settings in your web browser

You can specify how the web browser you are using handles cookies, i.e. which cookies are permitted or rejected, in the settings of your web browser. You can also delete cookies already stored on your computer/device yourself at any time. Where exactly these settings are located depends on the respective web browser. Detailed information on this can be accessed via the help function of the respective web browser.

It is also possible to generally object to cookies and similar tracking technologies via the services listed below by setting your individual preferences - which technologies you wish to allow for usage and interest-based advertising:

• European Interactive Digital Advertising Alliance (EDAA): https://www.youronlinechoices.com/de/praferenzmanagement/
• Network Advertising Initiative (NAI):
  https://optout.networkadvertising.org/?c=1#!%2F

2.3 Communication with us

E-mail

On our website, we offer you the option of contacting us by e-mail. In this case, the information you provide will be processed for the purpose of processing your contact on the legal basis of contract fulfilment pursuant to Art. 6 (1) lit. b GDPR. There is no legal or contractual obligation to provide this personal data. The only consequence of not providing this data is that you will not be able to submit your request and we will not be able to process it. Data will only be passed on to third parties if this is stated on the website or in this privacy policy or is necessary for the fulfilment of the contract or is required by law. We only store your data for as long as is necessary to process your enquiry or for any queries you may have.

2.4 Online shop(s) / booking portal(s)

We process your personal master data, contract and payment data as well as communication data (IP address and server log files) for the purpose of providing contractual services and their payment and execution in the context of online purchases, bookings and brochure orders on the basis of the legal bases of Art. 6 (1) lit. b GDPR (fulfilment of contract) and Art. 6 (1) lit. c GDPR (legal obligation for invoicing and archiving).

We store this data as long as the purpose requires it, legal regulations provide for this (retention period of invoices according to § 132 BAO for 7 years; voucher orders until the expiry of the redemption period for 30 years) or we need this data on the legal basis of Art. 6 (1) lit. f GDPR (legitimate interest) to defend against possible liability claims. If you cancel the order process, we store the data for 14 days to clarify possible problems during the order process.

There is no legal or contractual obligation to provide personal data. The only consequence of not providing this data is that we will not be able to process your bookings/orders.

Tixly Performing Arts and Event Ticketing Software

To process your ticket orders, we process your personal data in order to be able to provide you with the tickets you have booked with the help of our service provider Tix Eu ehf (One New Street, Wells Somerset BA5 2LA, United Kingdom). For this purpose, we store and process personal master data (salutation, title, first name, surname, address, date of birth and age if applicable, company), contact data (e-mail address, telephone number), communication data (time and content of communication) and order or booking data (tickets ordered or other items and services, method of payment / payment data, invoice date, tax identification number (for companies)) of our customers. The processing is carried out for the purpose of providing contractual services or for the fulfilment of pre-contractual services on the legal basis of Art. 6 (1) lit. b GDPR (processing of the order process) and Art. 6 (1) lit. c GDPR (legally required retention periods for orders or invoices). For this purpose, the data fields marked as required are necessary for the establishment and fulfilment of the contract. We disclose your personal data to third parties (organisers) as part of this data processing on the legal basis of Art. 6 (1) lit. b GDPR (if it is necessary to process a booking process), or on the basis of our legitimate interest pursuant to Art. 6 (1) lit. f GDPR for the use of corresponding booking software. We have concluded a corresponding agreement with the company Tix Eu ehf. in accordance with Art. 28 GDPR as a processor, which ensures that your data is processed exclusively within the scope of our order. In principle, the European Commission has certified that the United Kingdom has an equivalent level of protection as the European Union. The legal basis for data transfer to the UK is therefore Art. 45 GDPR. Further information on data protection at Tix Eu ehf. can be found at: https://tixly.com/legal/privacy-policy.

External payment service providers

We use external payment service providers on the basis of the legal basis of Art. 6 (1) lit. b GDPR (fulfilment of contract) for the payment of order transactions / bookings, via whose platforms you can make your payments. The payment data you enter when placing an order (e.g. account numbers, credit card numbers incl. check digits, passwords / TANs etc.) are processed exclusively by our payment service providers and cannot be viewed by us. We only receive confirmation from our payment service providers that the payment has been made or information that the payment could not be made. Further information on data protection and the terms and conditions of our payment service providers can be found at

• Mollie B.V., Luise-Ullrich-Straße 20, 80636 Munich, Germany)
  Phone +49 89 20194095
  Email: info@mollie.com
  https://www.mollie.com/de/privacy

2.5 Web analysis - Statistical analyses of our website

Google Tag Manager

We use the service of the provider Google Ireland Limited ("Google") (Gordon House, Barrow Street, Dublin 4, Ireland) to manage website tags via a common tool. The Google Tag Manager tool itself (which implements the tags) is a domain that does not set cookies or collect any other personal data. The tool triggers other tags, which in turn may collect data. Google Tag Manager does not access this data. If a deactivation has been made at domain or cookie level, this remains in place for all tracking tags that are implemented with Google Tag Manager. Google is a certified partner of the EU-US Data Privacy Framework. The legal basis for (at least occasional) data transfers to the USA is therefore an adequacy decision by the European Commission within the meaning of Art. 45 (3) GDPR. Art. 45 (3) GDPR, with which the European Commission certifies that the USA has an adequate level of data protection. Further information on Google's data protection can be found at: https://www.google.com/policies/privacy/.

Google Analytics

This website uses functions of the web analysis service Google Analytics. The provider of this service is Google Ireland Limited ("Google") (Gordon House, Barrow Street, Dublin 4, Ireland). The legal basis for the use of this service is your consent in accordance with Art. 6 (1) lit a GDPR. Google Analytics uses cookies that are stored on the website visitor's computer and that enable the use of our website by the website visitor to be analysed. The information generated by the cookie about your use of our website is generally stored on European servers and only transmitted to a Google server in the USA and stored there in exceptional cases. We use Google Analytics with activated IP anonymisation. This means that your IP address is generally truncated by Google within the European Union and only in exceptional cases is the full IP address transmitted to a Google server in the USA and truncated there. Google is a certified partner of the EU-US Data Privacy Framework. The legal basis for (at least occasional) data transfers to the USA is therefore an adequacy decision of the European Commission within the meaning of Art. 45 (3) GDPR. Art. 45 (3) GDPR, with which the European Commission certifies that the USA has an adequate level of data protection. The IP address transmitted by the corresponding browser as part of Google Analytics is not merged with other Google data. On our behalf, Google will use the information collected to analyse the use of the website in order to compile reports on website activity. The collection by Google Analytics can be prevented by the site visitor adjusting the cookie settings for this website. The collection and storage of the IP address and the data generated by cookies can also be cancelled at any time with effect for the future. The corresponding browser plugin can be downloaded and installed at the following link: https://tools.google.com/dlpage/gaoptout. Further information on the use of data by Google, setting and objection options, can be found in Google's privacy policy(https://policies.google.com/privacy) and in the settings for the display of advertisements by Google(https://adssettings.google.com/authenticated).

Google Ads conversion tracking

Our website uses the "Google Ads Conversion Tracking" service of the provider Google Ireland Ltd (Gordon House, Barrow Street, Dublin 4, Ireland). When we place adverts on Google, we use what is known as conversion tracking. If you click on an advert placed by Google, a cookie is set for conversion tracking (storage period 30 days). This enables us to recognise that you have clicked on one of our ads and have been redirected to our site. However, we do not receive any personal information, but only the total number of users who clicked on one of our adverts and were redirected to a page with a conversion tracking tag. We use Google Ads Conversion Tracking on the legal basis of your consent (settings via our cookie banner) in accordance with Art. 6 (1) lit. a GDPR. Google is a certified partner of the EU-US Data Privacy Framework. The legal basis for (at least occasional) data transfers to the USA is therefore an adequacy decision of the European Commission within the meaning of Art. 45 (3) GDPR. Art. 45 (3) GDPR, with which the European Commission certifies that the USA has an adequate level of data protection. Further information on the use of data by Google, setting and objection options, can be found in Google's privacy policy(https://policies.google.com/privacy) and in the settings for the display of advertisements by Google(https://adssettings.google.com/authenticated).

Matomo (On-Premise) TTG

Our website uses the open source web analysis service Matomo from the provider Innocraft Inc, 150 Willis ST, 6011 Wellington, New Zealand). This enables us to anonymously analyse the user behaviour of our website visitors in order to optimise both our website and our advertising. We have installed Matomo on our own servers. This means that no data is passed on to Matomo. We process the following data: Your IP address (anonymised by shortening), previously visited URL (referrer - if transmitted by the browser), name and version of your operating system as well as the name, version and language setting of your browser. The use of the Matomo analysis tool is based on our legitimate interest in accordance with Art. 6 (1) lit. f GDPR. Our legitimate interest lies in the anonymised analysis of the user behaviour of our website visitors in order to optimise both our website and our advertising. If you have given us your consent to set "analysis" cookies, Matomo will also set cookies. This allows us to recognise returning users and "analyse" their behaviour on our website in more detail. The processing of this data (storage for a maximum of 13 months) is based on Art. 6 (1) lit. a GDPR. You can revoke your consent at any time in the cookie settings. Further information on Matomo's data protection can be found at: https://matomo.org/gdpr-analytics/.

2.6 Web marketing

Google Remarketing

Our website uses the functions of "Google Analytics Remarketing" in conjunction with the cross-device functions of Google AdWords and Google DoubleClick on the legal basis of your consent in accordance with Art. 6 (1) lit. a GDPR. The provider is Google Ireland Ltd (Gordon House, Barrow Street, Dublin 4, Ireland). This function makes it possible to link the advertising target groups created with Google Analytics Remarketing with the cross-device functions of Google AdWords and Google DoubleClick. In this way, interest-based, personalised advertising messages that have been adapted to you depending on your previous usage and surfing behaviour on one end device (e.g. mobile phone) can also be displayed on another of your end devices (e.g. tablet or PC). If you have given your consent, Google will link your web and app browsing history to your Google account for this purpose. In this way, the same personalised advertising messages can be displayed on every device on which you sign in with your Google account. To support this function, Google Analytics collects Google-authenticated IDs of users that are temporarily linked to our Google Analytics data in order to define and create target groups for cross-device advertising. Cookies are deleted after 1 year. Google is a certified partner of the EU-US Data Privacy Framework. The legal basis for (at least occasional) data transfers to the USA is therefore an adequacy decision by the European Commission within the meaning of Art. 45 (3) GDPR. Art. 45 (3) GDPR, with which the European Commission certifies that the USA has an adequate level of data protection. You can permanently object to cross-device remarketing/targeting by deactivating personalised advertising in your Google account; follow this link: https://www.google.com/settings/ads/onweb/. The data collected in your Google account is summarised exclusively on the basis of your consent, which you can give or revoke at Google (Art. 6 (1) lit. a GDPR). Further information on data protection from Google can be found at: https://www.google.com/policies/privacy/.

Facebook pixel

In order to place targeted advertisements on Facebook and to be able to track user actions after they have seen or clicked on a Facebook advertisement, we use the Facebook pixel of Meta Platforms Ireland Ltd (4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland) on the legal basis of your consent in accordance with Art. 6 (1) lit. a GDPR within our website. This enables us to display information of interest to you on Facebook and to evaluate and optimise our Facebook ads with the anonymous data collected in this way (we do not see any personal data of individual users, only the overall effect). Storage period max. 12 months. Facebook links this data to the Facebook account of Facebook users according to their data protection information and can thus show them content that matches their interests. Meta is a certified partner of the EU-US Data Privacy Framework. The legal basis for (at least occasional) data transfers to the USA is therefore an adequacy decision of the European Commission within the meaning of Art. 45 (3) GDPR. Art. 45 (3) GDPR, with which the European Commission certifies that the USA has an adequate level of data protection. You can find specific information on how the Facebook Pixel works in the Facebook help section at: https://de-de.facebook.com/business/help/651294705016616. You can make settings regarding usage-based advertising on Facebook yourself in your Facebook account: https://www.facebook.com/settings?tab=ads. Further information can be found in Facebook's privacy policy at: https://www.facebook.com/privacy/explanation.

2.7 Integration of other third-party services and content

We integrate third-party content and functions within our website. This always presupposes that the providers of this content or functions recognise the IP address of the user. Without the IP address, they would not be able to send the content to the respective user's browser. The IP address is therefore required to display this content. We endeavour to only use content whose respective providers only use the IP address to deliver the content. However, we have no influence over whether the third-party providers store the IP address for statistical purposes, for example. The legal basis for the use of these services, insofar as they are necessary for the function of our website, is our legitimate interest pursuant to Art. 6 (1) lit. f GDPR, otherwise your consent pursuant to Art. 6 (1) lit. a GDPR. Information on the purpose and scope of the further processing and use of the data by the providers of the embedded services/content as well as further information within the meaning of Art. Art. 13 and 14 GDPR can be found under the information links below. The following services/content are embedded in our website

destination.one Maps

We use the "destination.one" service of neusta destination.one GmbH (Münchenerstraße 1, D-86899 Landsberg am Lech) for the cartographic representation of the accommodation providers in our region. The map material is loaded from the destination.one server for this purpose. The following data is transmitted to destination.one: the page visited on our website, the IP address of your end device, the content of the request, location data, operating system and the language and version of the browser software. destination.one uses cookies that are stored on your browser to analyse your request. The legal basis for the processing of your data is Art. 6 (1) lit. f GDPR (legitimate interest). Our legitimate interest lies in an appealing presentation of our online offer and the geographical presentation of the offers in our region. In the case of location data from mobile devices, the legal basis is your consent in accordance with Art. 6 (1) lit. a GDPR by authorising the transfer of location data on your mobile device. Further information on destination.one's data protection can be found at: https://www.destination.one/datenschutz/.

Current version of the data protection information from 27/11/2023