Privacy Policy

This Privacy Policy informs you about the nature, scope, and purpose of the processing of personal data (hereinafter referred to as “data”) within our online offering and the websites, functions, and content associated with it, as well as external online presences, such as our social media profiles (hereinafter collectively referred to as the “online offering”). With regard to the terminology used, such as “processing” or “controller,” we refer to the definitions set out in Article 4 of the General Data Protection Regulation (GDPR).

Controller
Kolb & Goach GastgewerbebetriebsGmbH
Managing Director: Peter Goach
Pötzleinsdorferstrasse 127
1180 Wien
Österreich
Tel. +43 1 440 49 43
steirerstoeckl@jagawirt.at

Types of Processing
– Inventory data (e.g. names, addresses)
– Contact data (e.g. email addresses, phone numbers)
– Content data (e.g. text entries, photographs, videos)
– Usage data (e.g. visited websites, interest in content, access statistics)
– Meta/communication data (e.g. device information, IP addresses)

Categories of Data Subjects
Visitors and users of the online offering (hereinafter collectively referred to as “users”).

Purpose of Processing
– Provision of the online offering, its functions, and content
– Responding to contact inquiries and communicating with users
– Security measures

Terminology Used
“Personal data” means any information relating to an identified or identifiable natural person (hereinafter referred to as the “data subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g. a cookie), or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
“Processing” means any operation or set of operations which is performed on personal data, whether or not by automated means. The term is broad and encompasses virtually any handling of data.
“Pseudonymization” means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable natural person.
“Profiling” means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person’s work performance, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.
“Controller” means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
“Processor” means a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller.

Relevant Legal Bases
In accordance with Article 13 GDPR, we inform you of the legal bases for our data processing activities. Unless the legal basis is expressly stated in this Privacy Policy, the following applies:
The legal basis for obtaining consent is Article 6(1)(a) GDPR in conjunction with Article 7 GDPR.
The legal basis for processing data for the fulfillment of our services, the implementation of contractual measures, and the response to inquiries is Article 6(1)(b) GDPR.
The legal basis for processing data in order to comply with our legal obligations is Article 6(1)(c) GDPR.
The legal basis for processing data to safeguard our legitimate interests is Article 6(1)(f) GDPR.
In cases where the processing of personal data is necessary to protect the vital interests of the data subject or another natural person, Article 6(1)(d) GDPR serves as the legal basis.

Security Measures
In accordance with Article 32 GDPR, taking into account the state of the art, the implementation costs, and the nature, scope, circumstances, and purposes of processing as well as the varying likelihood and severity of risks to the rights and freedoms of natural persons, we implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.
These measures include, in particular, safeguarding the confidentiality, integrity, and availability of data by controlling physical access to the data as well as access to, input of, and disclosure of the data, by ensuring its availability, and by keeping data separated. Furthermore, we have established procedures to ensure the exercise of data subject rights, the deletion of data, and responses to threats to data security. In addition, we take the protection of personal data into account as early as the development or selection of hardware, software, and processes, in accordance with the principles of data protection by design and by default (Article 25 GDPR).

Cooperation with Processors and Third Parties
If, in the course of our processing activities, we disclose data to other persons or companies (processors or third parties), transmit such data to them, or otherwise grant them access to the data, this shall only take place on the basis of a legal authorization. This includes, for example, cases where the transfer of data to third parties, such as payment service providers, is required pursuant to Article 6(1)(b) GDPR for the performance of a contract, where you have given your consent, where there is a legal obligation to do so, or where the transfer is based on our legitimate interests (e.g. when using agents, web hosting providers, etc.).
Where we engage third parties to process data on the basis of a so-called “data processing agreement,” this is done in accordance with Article 28 GDPR.

Our website is hosted by Kinsta Inc., 8605 Santa Monica Blvd #92581, West Hollywood, CA 90069, USA.
Kinsta uses data centers of the Google Cloud Platform located within the European Union.
In the course of hosting, log files are processed, including:
– IP address
– Date and time of access
– Browser type and operating system
– Pages visited
– Referrer URL
This data is technically necessary to ensure the secure and stable operation of the website.
Legal basis: Article 6(1)(f) GDPR (legitimate interest).
Further information on data protection at Kinsta:
https://kinsta.com/legal/privacy-policy/

Our website uses the services of Cloudflare, provided by Cloudflare Inc., 101 Townsend St., San Francisco, CA 94107, USA.
Cloudflare is used to protect our website (DDoS protection, firewall) and to optimize loading times through a global content delivery network (CDN). When visiting our website, data such as:
– IP address
– Browser information
– System configuration
– Date and time of the page access
is transmitted to Cloudflare and processed there.
Processing is carried out on the basis of our legitimate interest in the secure and reliable provision of our website in accordance with Article 6(1)(f) GDPR.
Further information:
https://www.cloudflare.com/de-de/privacypolicy/

For reservation and inquiry functions on our website, we use the tool Molzait, provided by molzait GmbH, Südtiroler Straße 18, 4020 Linz, Austria.
When using Molzait, the following personal data may be processed:
– Name
– Contact information (email address, telephone number)
– Date and time of the reservation
– Number of persons
– Additional information provided in the inquiry
The processing is carried out for the purpose of handling and managing reservation requests.
Legal basis: Article 6(1)(b) GDPR (pre-contractual measures).
Molzait acts as a processor in accordance with Article 28 GDPR.
Further information: https://molzait.com/privacy/

Rights of Data Subjects
You have the right to request confirmation as to whether personal data concerning you is being processed and to obtain access to such data as well as further information and a copy of the data in accordance with Article 15 GDPR. In accordance with Article 16 GDPR, you have the right to request the completion of personal data concerning you or the rectification of inaccurate personal data.
Pursuant to Article 17 GDPR, you have the right to request the immediate deletion of personal data concerning you or, alternatively, pursuant to Article 18 GDPR, to request the restriction of the processing of such data.
You also have the right to receive the personal data concerning you that you have provided to us in accordance with Article 20 GDPR and to request the transfer of such data to another controller.
Furthermore, pursuant to Article 77 GDPR, you have the right to lodge a complaint with the competent supervisory authority.

Right of Withdrawal
You have the right to withdraw any consent you have given in accordance with Article 7(3) GDPR with effect for the future.

Deletion of Data
The data processed by us is deleted or its processing restricted in accordance with Articles 17 and 18 GDPR. Unless expressly stated otherwise in this Privacy Policy, data stored by us is deleted as soon as it is no longer required for its intended purpose and no statutory retention obligations prevent its deletion.
If data is not deleted because it is required for other legally permissible purposes, its processing is restricted. This means that the data is blocked and not processed for other purposes. This applies, for example, to data that must be retained for commercial or tax law reasons.
In accordance with statutory requirements in Austria, data is retained in particular for 7 years pursuant to Section 132(1) of the Austrian Federal Fiscal Code (BAO) (accounting records, vouchers/invoices, accounts, business documents, records of income and expenses, etc.), for 22 years in connection with real estate, and for 10 years for documents relating to electronically supplied services, telecommunications, broadcasting, and television services provided to non-entrepreneurs in EU Member States where the Mini One Stop Shop (MOSS) scheme is used.

Business-Related Processing
In addition, we process the following data of our customers, prospective customers, and business partners:
– Contractual data (e.g. subject matter of the contract, term, customer category)
– Payment data (e.g. bank details, payment history)
for the purpose of providing contractual services, customer service and support, customer relationship management, marketing, advertising, and market research.

Contractual Services
We process the data of our contractual partners and prospective customers as well as other clients, customers, principals, or contractual partners (hereinafter uniformly referred to as “contractual partners”) in accordance with Article 6(1)(b) GDPR for the purpose of providing our contractual or pre-contractual services.
The data processed in this context, the nature, scope, purpose, and necessity of the processing are determined by the underlying contractual relationship.
The processed data include the master data of our contractual partners (e.g. names and addresses), contact data (e.g. email addresses and telephone numbers), as well as contractual data (e.g. services used, contract content, contractual communication, names of contact persons) and payment data (e.g. bank details, payment history). Special categories of personal data are generally not processed unless they are part of a commissioned or contractually agreed processing activity.
We process data that are necessary for the establishment and fulfillment of the contractual services and point out the necessity of providing such data where this is not evident to the contractual partners. Disclosure to external persons or companies takes place only if this is required in the context of a contract. When processing data provided to us in the course of a commission, we act in accordance with the instructions of the commissioning party and the applicable legal requirements.
In the course of using our online services, we may store the IP address and the time of the respective user action. Storage is carried out on the basis of our legitimate interests as well as the interests of users in protection against misuse and other unauthorized use. Such data is generally not passed on to third parties unless this is necessary for the assertion of our claims pursuant to Article 6(1)(f) GDPR or there is a legal obligation to do so pursuant to Article 6(1)(c) GDPR.
Data is deleted when it is no longer required for the fulfillment of contractual or statutory duties of care or for handling any warranty or comparable obligations. The necessity of retaining the data is reviewed every three years; statutory retention obligations remain unaffected.

Administration, Financial Accounting, Office Organization, Contact Management
We process data in the context of administrative tasks as well as the organization of our operations, financial accounting, and compliance with legal obligations, such as archiving. In doing so, we process the same data that we process in the course of providing our contractual services. The legal bases for processing are Article 6(1)(c) GDPR and Article 6(1)(f) GDPR.
The processing affects customers, prospective customers, business partners, and website visitors. The purpose of and our interest in the processing lies in administration, financial accounting, office organization, data archiving, and thus tasks that serve to maintain our business operations, perform our duties, and provide our services. The deletion of data with regard to contractual services and contractual communication is carried out in accordance with the information provided for these processing activities.
In this context, we disclose or transmit data to tax authorities, advisors such as tax consultants or auditors, as well as other fee-collecting bodies and payment service providers.
Furthermore, based on our legitimate business interests, we store information relating to suppliers, event organizers, and other business partners, for example for the purpose of future contact. This data, which is predominantly business-related, is generally stored on a long-term basis.

Contacting Us
When contacting us (e.g. via contact form, email, telephone, or social media), the information provided by the user is processed for the purpose of handling and responding to the contact request in accordance with Article 6(1)(b) GDPR (within the framework of contractual or pre-contractual relationships) and Article 6(1)(f) GDPR (other inquiries).
The information provided by users may be stored in a customer relationship management system (“CRM system”) or a comparable inquiry management system.
We delete inquiries once they are no longer required. We review the necessity of storing such data every two years. Statutory retention obligations remain unaffected.

Hosting and Email Services
The hosting services we use serve the purpose of providing the following services: infrastructure and platform services, computing capacity, storage space and database services, email delivery, security services, and technical maintenance services, which we use for the operation of this online offering.
In this context, we and/or our hosting provider process inventory data, contact data, content data, contractual data, usage data, as well as meta and communication data of customers, prospective customers, and visitors to this online offering, on the basis of our legitimate interests in an efficient and secure provision of this online offering pursuant to Article 6(1)(f) GDPR in conjunction with Article 28 GDPR (conclusion of a data processing agreement).

Collection of Access Data and Log Files
Based on our legitimate interests within the meaning of Article 6(1)(f) GDPR, we collect data about every access to the server on which this service is hosted (so-called server log files). The access data include the name of the accessed website, file, date and time of access, amount of data transferred, notification of successful access, browser type and version, the user’s operating system, referrer URL (the previously visited page), and the requesting internet service provider.
This data is not assigned to specific individuals; therefore, we are not able to identify which user accessed which data. We also do not attempt to collect or evaluate this information in a personalized manner.

Please note that this Privacy Policy may be amended at any time.