Data protection information
General
The protection of your personal data is of particular concern to us. We therefore process your data exclusively in a lawful manner on the basis of the statutory provisions (in particular GDPR, DSG 2018, TKG 2021). In this data protection information, we inform you about the most important aspects of data processing - type, scope and purposes of the collection and use of personal data - in the context of the use of our website and other services of our company.
1.1 Controller responsible for the processing of your data
The controller (within the meaning of Art. 4(7) GDPR) for the processing of your personal data (personal data within the meaning of Art. 4(1) GDPR) is
Hochkönig Tourismus GmbH
Am Gemeindeplatz 7
A-5761 Maria Alm
Phone: +43 (0) 6584 20388
E-mail: datenschutz@hochkoenig.at
Data protection officer:
We take the protection of personal data seriously and have appointed an external data protection officer for this purpose. Our data protection officer is MMag. Martin Zeppezauer, Thurnbichlweg 54, A-6353 Going am Wilden Kaiser (www.zepedes.com). You can contact our data protection officer at the e-mail address martin@zepedes.com.
1.2 Purposes, data categories and legal bases for the processing of personal data
Purposes of the processing
The purposes of processing your personal data generally result from our business activities as a tourism organisation: providing our online offers, processing customer enquiries / orders / bookings, accounting, communication with business partners and customers. Detailed information on the purposes of processing and, if applicable, further processing for other compatible purposes as well as the categories of data processed can be found in the detailed descriptions of the individual data processing processes.
General data categories
- Personal master data (e.g. name, date of birth and age, address)
- Contact data (e.g. e-mail address, telephone number, fax number)
- Communication data (time and content of communication)
- Order or booking data (e.g. goods ordered or services commissioned and invoice data such as performance period, method of payment, invoice date, tax identification number, etc.)
- Payment data (e.g. account number, credit card details)
- Contract data (contents of contracts of any kind)
- Web usage data (e.g. server data, log files and cookies)
Special categories of data ("sensitive data") pursuant to Art. 9 GDPR
- Health data (only if you provide us with this data with your express consent to process your order (e.g. arranging a hotel specialising in guests with food intolerances or allergies))
Legal basis for the processing
In principle, there is no obligation to provide the data for the data processing described in this privacy policy. The only consequence of not providing this data is that we will not be able to offer these services. The legal basis for the processing of your personal data required to fulfil a contract with you or an order you have placed with us is Art. 6 (1) lit. b GDPR. Insofar as the processing of personal data is necessary to fulfil a legal obligation on our part (accounting obligation, bookkeeping obligation or other legal documentation obligations), Art. 6 (1) lit. c GDPR serves as the legal basis. If we process your data to fulfil a task assigned to us in the public interest ("sovereign action"), the legal basis is Art. 6 (1) lit. e GDPR. If the processing is necessary to safeguard a legitimate interest of our company or a third party and your interests, fundamental rights and freedoms do not outweigh our interests, Art. 6 (1) lit. f GDPR ("legitimate interest") serves as the legal basis for the processing. In this case, we will also inform you of our legitimate interests. If we have no other legal basis for the processing of personal data as explained above, we will ask you for your consent to data processing, which in these cases is based on Art. 6 (1) lit. a GDPR or, in the case of the processing of sensitive data, on Art. 9 (2) lit. a GDPR as the legal basis. You can withdraw this consent at any time free of charge without affecting the lawfulness of processing based on consent before its withdrawal.
1.3 Data transfer to processors and third parties
We process your personal data with the support of processors who support us in the provision of our services. These processors are bound by a corresponding agreement with us within the meaning of Art. 28 GDPR to strictly protect your personal data and may not process your personal data for any purpose other than to provide our services. You can find out which processors are involved in the detailed descriptions of the individual data processing processes.
Beyond our processors, your personal data is passed on to typical commercial service providers such as banks, tax consultants or auditors. Personal data is only transferred to state institutions and authorities within the framework of mandatory national legislation.
Depending on your order (e.g. bookings and enquiries), your personal data may also be transferred to hotel partners or other tourism service providers (members of our organisation) only to the extent necessary to fulfil your order. The personal data transmitted varies depending on the service.
1.4 Transfers to third countries
In principle, we process your personal data within the EU. If we process data in a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA)) or if this is done in the context of using the services of our processors or third parties, this will only take place if the requirements of Art. 44 et seq. GDPR for the transfer to third countries are met: i.e. on the basis of special guarantees, such as the officially recognised determination of a level of data protection corresponding to the EU or in compliance with officially recognised contractual obligations, the so-called "EU standard contractual clauses". If we refer to the EU standard contractual clauses as the legal basis for the transfer of your personal data, we will also check the permissibility of this data transfer as part of a comprehensive risk assessment. If we come to a negative conclusion, we will not transfer this data to a third country without your express consent in accordance with Art. 49 para. 1 lit. a GDPR.
1.5 Data erasure and storage duration
Your personal data will be deleted by us as soon as the purpose for which we collected your data no longer applies. Data may also be stored if we continue to process the data for a purpose compatible with the original purpose. It may also be stored if this is provided for by laws, regulations or other provisions to which our company is subject.
1.6 Data sources
We generally collect your personal data from you. We also receive personal data from some of our partners. Information on this can be found in the respective detailed information in this data protection information.
1.7 Profiling
We do not use any procedures for automated decision-making or profiling that have a legal effect on you or significantly affect you in a similar way. However, with your consent, we will use your usage data to get to know your interests better and thus be able to show you information of interest to you or make you customised offers or show you corresponding information on third-party websites or social media platforms.
1.8 Safeguarding your data protection rights
In accordance with the GDPR, you have the right to information, correction, deletion and restriction of the processing of your personal data. If the legal basis for the processing of your personal data is your consent or a contract concluded with you, you also have the right to data portability. You have the right to withdraw any consent you may have given to the processing of your personal data. This does not affect the lawfulness of the processing of your personal data up to the time of revocation. You have the right to object to the processing of your personal data for the purpose of direct marketing. If you object, your personal data will no longer be processed for the purpose of direct marketing. A detailed explanation of these rights can be found here in Chapter III.
Right to lodge a complaint
If you believe that the processing of your data violates data protection law or that your data protection rights have been violated in any other way, you can lodge a complaint with the competent supervisory authority. In Austria, this is the data protection authority (Barichgasse 40-42, A-1030 Vienna, e-mail: dsb@dsb.gv.at).
2. Visiting our website
In this section, we inform you how we process your personal data when you visit our website.
2.1 Presentation of the website
Server data
For technical reasons, the following data, which your Internet browser transmits to us or to our web space provider, is collected on the legal basis of § 165 (3) S 3 TKG 2021 (required for the operation of our website) (so-called "server log files"):
- Browser type and version
- Operating system and device type used (e.g. desktop / mobile)
- Website from which you visit us (referrer URL)
- Website that you visit
- Date and time of your access
- Your internet protocol address (IP address)
This data, which is anonymous for us, is stored separately from any personal data you may have provided and therefore does not allow us to draw any conclusions about a specific person. It is evaluated for statistical purposes in order to optimise our website and our offers.
SSL or TLS encryption
This site uses SSL or TLS encryption for security reasons and to protect the transmission of confidential content, such as orders or enquiries that you send to us as the site operator. You can recognise an encrypted connection by the fact that the address line of the browser changes from "http://" to "https://" or by the lock symbol in your browser line. If SSL or TLS encryption is activated, the data you transmit to us cannot be read by third parties.
Technical service providers
We create and edit the content of our website with the help of the following service providers, which we have obliged by a corresponding agreement within the meaning of Art. 28 GDPR to process your data exclusively within the scope of our order:
Technical conception:
- MICADO DIGITAL SOLUTIONS GMBH (Hammerschmiedstraße 5, A-6370 Kitzbühel). More information on data protection at: https://www.micado.cc/de/informationen-ueber-cookies-und-datenschutz.html
Webhosting:
- Camyno GmbH (Aue 144, A-6405 Pfaffenhofen). Further information on data protection can be found at: https://www.camyno.com/
2.2 Cookies
Cookie Banner - Cookies on our website
Our website uses cookies to help us make our website more user-friendly and efficient for you, to carry out statistical analyses of the use of our website and to show you content that may be of interest to you on other websites. Cookies are small data records that are used to store information during or about visits to websites and are stored on the website visitor's computer. The legal basis for cookies that are absolutely necessary for the proper operation of our website (e.g. shopping basket cookie) is § 165 (3) S 3 TKG 2021. Cookies that are not necessary for the function of our website (e.g. analysis or marketing cookies) are deactivated and are only activated by your consent in accordance with Art. 6 (1) lit. a GDPR in our cookie banner ("Accept"). You can activate or deactivate individual cookies or cookie groups by clicking on "Settings". If you restrict the use of cookies on our website, you may no longer be able to use all the functions of our website to their full extent. Detailed information about the cookies used on our website can be found in our cookie banner.
The legal basis for the use of this cookie banner (consent management platform) to control and document your consent or settings regarding cookies and other tools requiring consent to access our website is our legal obligation pursuant to Art. 6 (1) lit. c GDPR. When you access our website, a connection is established with the server of the provider of our cookie banner and a cookie is subsequently stored in your browser to save your cookie settings. The processed data is stored until the specified storage period expires or you delete these cookies.
We use the following cookie banner / provider:
- Consent Management System from MICADO DIGITAL SOLUTIONS GMBH (Hammerschmiedstraße 5, A-6370 Kitzbühel). More information on data protection at: https://www.micado.cc/de/informationen-ueber-cookies-und-datenschutz.html
Changing the cookie settings in your web browser
You can specify how the web browser you are using handles cookies, i.e. which cookies are permitted or rejected, in the settings of your web browser. You can also delete cookies already stored on your computer/device yourself at any time. Where exactly these settings are located depends on the respective web browser. Detailed information on this can be accessed via the help function of the respective web browser.
It is also possible to generally object to cookies and similar tracking technologies via the services listed below by setting your individual preferences - which technologies you wish to allow for usage and interest-based advertising:
- European Interactive Digital Advertising Alliance (EDAA): https://www.youronlinechoices.com/de/praferenzmanagement/
- Network Advertising Initiative (NAI): https://optout.networkadvertising.org/?c=1#!%2F
2.3 Communication with us
Contact form and e-mail
On our website, we offer you the option of contacting us by e-mail and/or via a contact form. In this case, the information you provide will be processed for the purpose of processing your contact on the legal basis of contract fulfilment pursuant to Art. 6 (1) lit. b GDPR. We have a legitimate interest pursuant to Art. 6 (1) lit. f GDPR in the use of a contact form. The legitimate interest lies in offering our website visitors a way to contact us that does not require them to open their own email client. In the case of contact/order forms in which we request first and last names as well as the salutation, we do this on the basis of our legitimate interest in accordance with Art. 6 (1) lit. f GDPR. Our interest lies in addressing our customers and business partners in a personalised, polite manner. There is no legal or contractual obligation to provide this personal data. The only consequence of not providing this data is that you will not be able to submit your request and we will not be able to process it. Data will only be passed on to third parties if this is stated on the website or in this data protection declaration or is necessary for the fulfilment of the contract or is required by law. We only store your data for as long as is necessary to process your enquiry or for any queries you may have.
2.4 E-mail newsletter
E-mail newsletter (Numbirds)
You can register for our newsletter on our website. The legal basis for sending the newsletter is your consent within the meaning of Art. 6 (1) lit. a GDPR. Registration for our newsletter takes place using the double opt-in procedure. This ensures that no-one can register with other people's email addresses (e.g. your email address). Your consent can be revoked at any time free of charge by clicking on the "Unsubscribe link" at the end of each mailing. The legality of the data processing operations that have already taken place up to that point remains unaffected by the cancellation. After cancellation of your e-mail address, we will continue to store it for 3 years on the basis of our legitimate interest (Art. 6 (1) lit. f GDPR) in order to be able to prove your originally given consent if necessary. We use the service provider "NumBirds", a tool from NumBirds CRM GmbH (Brixnerstraße 3/3, A-6020 Innsbruck), to send out our newsletter. With the help of NumBirds, we can analyse our newsletter campaigns. When an email sent with the NumBirds newsletter tool is opened, a connection is established with the NumBirds servers. This allows us to determine whether a newsletter message has been opened and which links have been clicked on, if any. The purpose of these analyses is to better adapt future newsletters to the interests of the recipients. In addition, technical information such as the time of retrieval, IP address, browser type and operating system of the recipient are registered. In addition, we use information from some of our other systems, such as our feratel booking system, which is linked to your e-mail address in order to be able to adapt your personalised newsletter even more individually to your interests. We have concluded a processor agreement with NumBirds CRM GmbH within the meaning of Art. 28 GDPR to ensure that your data is only processed to the extent desired by us and authorised by you.
General data protection information from NumBirds at: https://www.sports-tourism.at/de-DE/datenschutz-cookies.
2.5 Web analysis - Statistical analyses of our website
Google Tag Manager
We use the service of the provider Google Ireland Limited ("Google") (Gordon House, Barrow Street, Dublin 4, Ireland) to manage website tags via a common tool. The Google Tag Manager tool itself (which implements the tags) is a domain that does not set cookies or collect any other personal data. The tool triggers other tags, which in turn may collect data. Google Tag Manager does not access this data. If a deactivation has been made at domain or cookie level, this remains in place for all tracking tags that are implemented with Google Tag Manager. Google is a certified partner of the EU-US Data Privacy Framework. The legal basis for (at least occasional) data transfers to the USA is therefore an adequacy decision by the European Commission within the meaning of Art. 45 (3) GDPR, with which the European Commission certifies that the USA has an adequate level of data protection. Further information on Google's data protection at: https://www.google.com/policies/privacy/. More information on how Google uses personal data: https://business.safety.google/privacy/.
Google Analytics
This website uses functions of the web analysis service Google Analytics. The provider of this service is Google Ireland Limited ("Google") (Gordon House, Barrow Street, Dublin 4, Ireland). The legal basis for the use of this service is your consent in accordance with Art. 6 (1) lit. a GDPR. Google Analytics uses cookies that are stored on the website visitor's computer and that enable the use of our website by the website visitor to be analysed. The information generated by the cookie about your use of our website is generally stored on European servers and only transmitted to a Google server in the USA and stored there in exceptional cases. We use Google Analytics with activated IP anonymisation. This means that your IP address is generally truncated by Google within the European Union and only in exceptional cases is the full IP address transmitted to a Google server in the USA and truncated there. Google is a certified partner of the EU-US Data Privacy Framework. The legal basis for (at least occasional) data transfers to the USA is therefore an adequacy decision of the European Commission within the meaning of Art. 45 (3) GDPR, with which the European Commission certifies that the USA has an adequate level of data protection. The IP address transmitted by the corresponding browser as part of Google Analytics is not merged with other Google data. On our behalf, Google will use the information collected to analyse the use of the website in order to compile reports on website activity. The collection by Google Analytics can be prevented by the site visitor adjusting the cookie settings for this website. The collection and storage of the IP address and the data generated by cookies can also be cancelled at any time with effect for the future. The corresponding browser plugin can be downloaded and installed at the following link: https://tools.google.com/dlpage/gaoptout. User data is stored for 14 months.
Further information on the use of data by Google, setting and objection options can be found in Google's privacy policy (https://policies.google.com/privacy) and in the settings for the display of adverts by Google (https://adssettings.google.com/authenticated). More information on how Google uses personal data: https://business.safety.google/privacy/.
Google Ads conversion tracking
Our website uses the "Google Ads Conversion Tracking" service of the provider Google Ireland Ltd (Gordon House, Barrow Street, Dublin 4, Ireland). When we place adverts on Google, we use what is known as conversion tracking. If you click on an advert placed by Google, a cookie is set for conversion tracking (storage period 30 days). This enables us to recognise that you have clicked on one of our ads and have been redirected to our site. However, we do not receive any personal information, but only the total number of users who clicked on one of our adverts and were redirected to a page with a conversion tracking tag. We use Google Ads Conversion Tracking on the legal basis of your consent (settings via our cookie banner) in accordance with Art. 6 (1) lit. a GDPR. Google is a certified partner of the EU-US Data Privacy Framework. The legal basis for (at least occasional) data transfers to the USA is therefore an adequacy decision of the European Commission within the meaning of Art. 45 (3) GDPR, with which the European Commission certifies that the USA has an adequate level of data protection. Further information on the use of data by Google, setting and objection options, can be found in Google's privacy policy (https://policies.google.com/privacy) and in the settings for the display of advertisements by Google (https://adssettings.google.com/authenticated). More information on how Google uses personal data: https://business.safety.google/privacy/.
Google Enhanced Conversions
We use Google Ads Conversion Tracking in the extended function ("Enhanced Conversions") in order to be able to record conversions even more precisely and subsequently optimise our advertising measures on Google. This function supplements existing conversion tags. It enables us to send self-collected conversion data from our website to Google as hash values in compliance with data protection regulations. For this purpose, a secure one-way hash algorithm is applied to our self-collected customer data (e.g. email addresses) before it is sent to Google. You can find more information about "Enhanced Conversions" at https://support.google.com/google-ads/answer/9888656?hl=de.
2.6 Web marketing
Google Remarketing
Our website uses the functions of "Google Analytics Remarketing" in conjunction with the cross-device functions of Google AdWords and Google DoubleClick on the legal basis of your consent in accordance with Art. 6 (1) lit. a GDPR. The provider is Google Ireland Ltd (Gordon House, Barrow Street, Dublin 4, Ireland). This function makes it possible to link the advertising target groups created with Google Analytics Remarketing with the cross-device functions of Google AdWords and Google DoubleClick. In this way, interest-based, personalised advertising messages that have been adapted to you depending on your previous usage and surfing behaviour on one end device (e.g. mobile phone) can also be displayed on another of your end devices (e.g. tablet or PC). If you have given your consent, Google will link your web and app browsing history to your Google account for this purpose. In this way, the same personalised advertising messages can be displayed on every device on which you sign in with your Google account. To support this function, Google Analytics collects Google-authenticated IDs of users that are temporarily linked to our Google Analytics data in order to define and create target groups for cross-device advertising. Cookies are deleted after 1 year. Google is a certified partner of the EU-US Data Privacy Framework. The legal basis for (at least occasional) data transfers to the USA is therefore an adequacy decision by the European Commission within the meaning of Art. 45 (3) GDPR, with which the European Commission certifies that the USA has an adequate level of data protection. You can permanently object to cross-device remarketing/targeting by deactivating personalised advertising in your Google account; follow this link: https://www.google.com/settings/ads/onweb/. The data collected in your Google account is summarised exclusively on the basis of your consent, which you can give or revoke at Google (Art. 6 (1) lit. a GDPR).
Further information on Google's data protection can be found at: https://www.google.com/policies/privacy/. More information on how Google uses personal data: https://business.safety.google/privacy/.
Adform
Our website uses the online marketing tool "Adform" from Adform A/S (Silkegade 3B, DK-1113 Copenhagen, Denmark) on the legal basis of your consent in accordance with Art. 6 (1) lit. a GDPR. By integrating the Adform pixel / cookie (storage period 13 months), Adform receives information about which pages of our website you have viewed and which of our adverts you have clicked on (conversion tracking). The processing serves the following purposes: analysis of user behaviour, evaluation of the effectiveness of online marketing campaigns and the automated display of advertisements on external platforms through real-time bidding, based on your individual user behaviour. You can revoke your consent to the collection and transmission of data to Adform at any time with effect for the future by changing the settings in our cookie banner or by making the appropriate settings in your browser. With your consent, this above-mentioned data will also be transferred from individual parts of our website to SalzburgerLand Tourismus GmbH (Wiener Bundesstraße 23, 5300 Hallwang, https://www.salzburgerland.com) for the purpose of online marketing activities of SalzburgerLand Tourismus GmbH. Further data processing is the sole responsibility of SalzburgerLand Tourismus GmbH; there is no joint responsibility within the meaning of Art. 26 GDPR. Further information on data protection at SalzburgerLand Tourismus GmbH can be found at https://www.salzburgerland.com/de/impressum-und-datenschutz/. Further information on data protection at Adform can be found at https://site.adform.com/privacy-center/overview/.
2.7 Integration of other third-party services and content
We integrate third-party content and functions within our website. This always presupposes that the providers of this content or functions recognise the IP address of the user. Without the IP address, they would not be able to send the content to the respective user's browser. The IP address is therefore required to display this content. We endeavour to only use content whose respective providers only use the IP address to deliver the content. However, we have no influence over whether the third-party providers store the IP address for statistical purposes, for example. The legal basis for the use of these services, insofar as they are necessary for the function of our website, is our legitimate interest pursuant to Art. 6 (1) lit. f GDPR, otherwise your consent pursuant to Art. 6 (1) lit. a GDPR. Information on the purpose and scope of the further processing and use of the data by the providers of the embedded services/content as well as further information within the meaning of Art. 13 and 14 GDPR can be found under the information links below. The following services/content are embedded in our website:
YouTube
We embed videos from the "YouTube" platform of the provider Google Ireland Ltd (Gordon House, Barrow Street, Dublin 4, Ireland) in extended data protection mode. The implementation is based on Art. 6 (1) lit. f GDPR, whereby our interest lies in the smooth integration of the videos and the appealing design of our website. However, we only use YouTube if you have consented to this. The legal basis for the processing of your data is therefore your consent in accordance with Art. 6 (1) lit. a GDPR, which you can revoke at any time for the future. When you access a page in which we have embedded a YouTube video, a connection to the Google servers is established and the content is displayed on the website by notifying your browser. According to Google, in extended data protection mode, your data (in particular which of our web pages you have visited) and device-specific information, including your IP address, are only transmitted to the YouTube server when you watch the video. Google is a certified partner of the EU-US Data Privacy Framework. The legal basis for (at least occasional) data transfers to the USA is therefore an adequacy decision of the European Commission within the meaning of Art. 45 (3) GDPR, with which the European Commission certifies that the USA has an adequate level of data protection. If you are logged in to Google at the same time, this information will be assigned to your Google member account. You can prevent this by logging out of your member account before visiting our website or by making individual settings in your Google account under the following link: https://adssettings.google.com/authenticated. Further information on YouTube's data protection can be found at: https://www.google.com/policies/privacy/. More information on how Google uses personal data: https://business.safety.google/privacy/.
3. Other data processing in business and customer contact
We inform you about other data processing processes in business and customer contact outside our website in our data protection information on our main website at: https://www.hochkoenig.at/de/informationen-ueber-cookies-und-datenschutz-1.html
Current version of the privacy policy from 18/02/2026