This data protection info sheet informs you which personal data FMTG Services GmbH processes, in what way and for what purpose, in an automated manner, and what your rights as affected person (data subject) are.
2. Controller (Responsible)
Controller (hereinafter referred to as “the Controller”) is FMTG Services GmbH, Walcherstraße 1A. Stiege C2, Top 6.04, A-1020 Vienna, Austria/ Tel.: +43 (5) 09911 11 999 / Email: firstname.lastname@example.org.
3. Collection and processing of persona data
The protection of your personal data is a matter of special importance to us. Your personal data will therefore only be processed to the extent that is permitted by law and required for the fulfillment of the respective purpose (registration, provision of services, medical treatments, fulfillment of legal obligations and legitimate interests, sending information material and advertising, sending a newsletter, customer analyzes).
Following personal data is collected and processed for the purpose of providing our services:
1. For the purposes of hotel registration and registration to the competent authority:
• First name and last name
• date of birth
• place of birth
• residence: city, state and zip code
• gender (male or female)
• ID type (ID card or passport) and ID number
• name of children: first and last name, date and place of birth, gender, nationality,
• ID details of spouse
2. For the purpose of fulfilling the contractual obligations and obligations deriving from the business relationship:
• First name and last name,
• personal address,
• telephone number,
• car plate number/ license plate,
• travel document,
• issuing authority,
• date of issue,
• expiry date,
• tax number,
• member or loyalty card,
• family relationship to other profiles
• name of spouse, date and place of birth,
• special requirements
• credit card/payment details
• copy of ID card for exchange office transactions
• other ways of transportation: flight number, arrival time, GPS co-ordinates
• guest preferences (sea view or park view, room type)
• additional packages (baby sitter, wellness, …)
• date of birth, various anniversaries, divorces, family death cases
• room set up: romantic, corporate clients
We need your explicit consent in order to process the above-listed health data (allergies and special requirements). You can revoke your consent at any time. Please note that in the event that you do not give your consent or revoke it during our business relationship, we cannot fully provide our services, hence, you take advantage of our services at your own risk.
3. For the purposes of providing health care services and/or medical treatment:
Following health data is mandatory for the risk-free performance of a diagnostic examination, for the professional medical treatment plan and for the daily support of our medical staff at the Hotel Grand MedSpa, Marienbad: general health information, information on allergies, diabetes, medications, hemophiliacs, anticoagulants, infectious diseases, pregnancy, operations (what and when), accidents (what and when), currently undergoing medical treatment, smoker (number of cigarettes per day), alcohol consumption (how much? how often?), insomnia, indigestion, complaints when urinating, heart disease (f.e. heart attack, Angina Pectoris, arrhythmia, heart pacemaker), circulatory diseases, epilepsy, headache, weight change of min. 2 kg during last 4 weeks, complaints in following areas: sense organs, nervous system, thorax, lung, abdominal organs, head, neck, heart, circulation, spinal column, limbs, varicose vein, blood pressure, pulse.
We need your explicit consent in order to process the above-listed health data. You can revoke your consent at any time. Please note that in the event that you do not give your consent or revoke it during our business relationship, we cannot fully provide our services, hence, you take advantage of our services at your own risk.
4. For the purpose of being informed about offers and services of the Falkensteiner Group and to be contacted for customer surveys:
• postal address
• mobile phone number
• e-mail address
In doing so, we use the following communication channels: e-mail, post and sms
In order to inform you about offers and services and to contact you for customer surveys we need your consent which you give in a Double-Opt-In-form. Without providing us the data listed above (point 4.) and without giving your consent we cannot send you any information or contact you in this regard.
5. For the purpose of providing and improving the services and personalizing the offers and services to suit your needs (profiling):
• date of birth
• dates of anniversaries, shoe and T-shirt size for MICE group participants
• enrolling into animation activities (puzzle games, camps, competition …)
Profiling is the process in which a responsible person (data controller) collects process personal data for the purpose of providing and improving the services and personalizing the offers and services to suit guest’s needs. However, no decisions which could have legal effect or could harm you in any way will be made by automated means.
We can process the following data in our system Protel: Name, gender, title, personal address, nationality, region, telephone number, email-address, birthday, license plate, travel document, issuing authority, date of issue, expiry date, company, occupation, tax number, member card, photo, remarks, family relationship to other profiles.
We can allocate the following reservation-related data to your profile: past reservations, future reservations, invoices, offers, confirmations, notes and questionnaires.
Personal data you provide will be processed until you revoke your consent.
You can revoke your consent at any time, free of charge and without stating reasons at the hotel reception, by email to email@example.com or by phone to number +43 (5) 09911 11 999
5. Taking photos at events and courses
We have a legitimate interest to take photos at events and courses and to publish them on our website for marketing purposes.
If you do not agree with this, you can object to this processing and the publication any time at the hotel reception, by email to firstname.lastname@example.org or by phone under +43 (5) 09911 11 999.
6. Video surveillance
For the purpose of public security there may be video surveillance at the hotel entrance, hotel reception, exchange offices, kitchen areas, garage entrances, beach and pool-bars, area around wellness buildings and staff houses. Videos are stored on stand-alone hard disks at each location, and access is provided to external security companies, IT administration person and GM hotels.
Taken videos can be stored for the maximum period of 6 months (Croatia), 72 hours (Austria), 7-14 days (Czech Republic), 15 days (Slovakia) or 7 days (Italy). Taken videos at the exchange office legally have to be stored minimum 72 hours in Croatia.
For the purpose of public security in tourist resorts, there may be a main entrance gate to the resort, where guest needs to provide the name and/ or reservation number in order to proceed, car registration plates/ license plates are input into registration list manually.
7. Transmitting personal data to third parties
Your personal data are not transmitted to third parties except in the following cases:
- when we are legally obliged to transmit the data based on e.g. Criminal Law, Criminal Procedure Law,
- for services outside the hotel area, upon your request (e.g. taxi, restaurant reservation, yacht, etc.)
- in case of medical emergencies, data has to be transmitted to authorized medical personnel;
- based on your explicit, written consent;
- Individual hotels of the FMTG - Falkensteiner Michaeler Tourism Group AG (FMTG): you can request more details on the businesses (hotels) belonging to the FMTG which process your data on our website: www.falkensteiner.com or send your enquiries to email@example.com.
For payment processing purposes, your bank details are forwarded to electronic payment services.
8. Data processing on behalf of the Controller
Where processing is to be carried out on behalf of the Controller by the Processor, the Controller remains liable for the protection of your personal data.
All direct and indirect subsidiaries or sister companies of FMTG Services GmbH that are operating under the Brand “Falkensteiner Hotels & Residences” are Processors pursuant to the Art 28 GDPR.
External Processors are arranged only to perform activities that are necessary to provide our services, such as mailing services, services provided by tourist agencies, tourist guides etc. All external Processors are committed to comply with the applicable data protection regulations. Processing agreement based on Article 28 GDPR has been concluded with every external data processor.
Your personal data is transmitted to the following external data processors:
- A1 Telekom Austria AG, Wien, AT
- ADDITIVE d. Ebner Matthias & Leiter Joachim OHG, Südtirol, IT
- AdoptoTech d.o.o., Zagreb, HR
- Adria Scan d.o.o., Sveta Nedjelja, HR
- AffiliRed S.L., Palma de Mallorca, ES
- Aleno AG, Zürich, CH
- Auditor spol. s.r.o., Prag, CZ
- BMB Leitner s.r.o., Bratislava, SK
- BMD Systemhaus GmbH, Steyr
- Confida Süd Wirtschaftsprüfungsgesellschaft m.b.H, Graz
- Delegate Technology GmbH, Wien, AT
- Facebook Inc., Menlo Park, CA, USA
- Facelift, Hamburg, DE
- G.A. Service GmbH, Salzburg
- Google Inc., Dublin, IR
- Gustaffo digital services GmbH, Wien, AT
- Helmuth Thaler GmbH, Bruneck, Südtirol
- HGC Hotellerie & Gastronomie Consulting GmbH, Innsbruck
- Hotjar Ltd., MA
- Incert e-Tourismus GmbH & Co. KG, Linz
- Infolink d.o.o. Belgrad, SRB
- Instagram Inc., San Francisco, CA, USA
- Laser Line d.o.o., Umag, HR
- Linkster GmbH, Hamburg, DE
- m.consulting Anita Maslo, Wien
- MC Sistemi d.o.o., Ljubljana, SLO
- Metadata d.o.o., Belgrad, SRB
- Microsoft, Vienna, AT
- Nexell GmbH, Zug, CH
- Nexxchange GmbH, Wien
- ProASP Professional Application Services Providing GmbH, Bad Vöslau
- Protel Hotelsoftware Austria GmbH
- Reservation Assistant, TAC Informationstechnologie GmbH, Hartberg
- Revinate Inc., San Francisco, CA, USA
- Rubatscher Steuerberatungs- und Wirtschaftsprüfungsgesellschaft m.b.H, Innsbruck
- Salesforce.com EMEA Limited, München, DE
- Serenissima Informatica SpA.,Padova, IT
- THE HOTELS NETWORK, S.L, Barcelona, ES
- Travelclick Inc, New York,USA
- Workflow EDV GmbH, Wien
- YouTube LLC, San Bruno, CA, USA
We primarily arrange external processors within the European Union. We will only arrange processors outside the European Union if (i) there is a European Commission adequacy decision for the third country concerned or (ii) we refer to the standard contractual clauses of the European Commission or (iii) if there are appropriate guarantees, e.g. the EU / US privacy shield with the third country or (iv) there are binding internal contractual data protection clauses with the processor.
For further information about the external processors you can send your enquiries to firstname.lastname@example.org.
TikTok Data Protection
We also use TikTok, a social media and video channel. The service provider is the Chinese company Beijing Bytedance Technology Ltd. For the European region, the responsible entity is the Irish company TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, D02 T380, Ireland.
TikTok processes data from you, including in the USA. We would like to point out that, according to the European Court of Justice, there is currently no adequate level of protection for data transfer to the USA. This can be associated with various risks for the legality and security of data processing.
As the basis for data processing by recipients based in third countries (outside the European Union, Iceland, Liechtenstein, Norway, especially in the USA) or data transfers to these countries, TikTok uses so-called Standard Contractual Clauses (= Art. 46(2) and (3) GDPR). Standard Contractual Clauses (SCC) are model templates provided by the European Commission and are intended to ensure that your data complies with European data protection standards even when transferred to and stored in third countries (such as the USA). Through these clauses, TikTok commits to maintaining the European data protection standards in the processing of your relevant data, even if the data is stored, processed, and managed in the USA. These clauses are based on an implementing decision by the European Commission. You can find the decision and the corresponding Standard Contractual Clauses, among other things, here: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?locale=en
9. Google Analytics
Our websites use Google Analytics, a web analytics service provided by Google Inc. ("Google"). Google Analytics uses so-called "cookies" (text files stored on users' computers) which allow an analysis of the website usage. The information generated by the cookies about the use of the websites by the users are usually transmitted to a Google server in the USA and are stored there.
In the case of the IP anonymization activation on our websites, the Google users IP address will be shortened beforehand within European Union member states or in other states members of the European Economic Area. Only in exceptional cases the full IP address will be transmitted to a Google server in the US and shortened there. IP anonymization is active on our websites. On behalf of the operator of our websites, Google will use this information to evaluate the use of the websites by the users, to compile reports on the website activities and to provide further services relating to website usage and internet usage to the website operator.
The shortened IP address provided by Google Analytics within the User Browser will not be merged with any other data provided by Google. Users can prevent the storage of cookies by the opt-out function on the Falkensteiner website or alternatively by an appropriate setting of their browser software; FMTG Services GmbH, however, points out to users that in this case, not all functions of our websites may be fully utilized. Furthermore, users can prevent the collection of data (including their IP address) generated by the cookies as well as the processing of this data by Google by downloading and installing the browser plug-in available under the following link: http://tools.google.com/dlpage/gaoptout?hl=de.
For more information about Google data usage for advertising purposes, settings and opt-out options, please visit Google's websites: https://www.google.com/intl/en/policies/privacy/partners/ ("How Google uses information from sites or apps that use our services"), http://www.google.com/policies/technologies/ads (" Use of data for promotional purposes "), http://www.google.com/settings/ads (" Managing information, the Google uses to show you advertising ") and http://www.google.com/ads/preferences/ ("Determine which Google advertising shows you").
Google Ads (Conversions)
We use Google Enhanced Conversions on our website. For the use of Google Ads Enhanced Conversions, encrypted user data (e.g., names, email addresses, addresses, custom identifiers) is shared with Google. When a user performs a conversion on our website, such as making a purchase, user data is collected, hashed, and sent to Google via conversion tracking tags for the purpose of improving conversion measurement. Google then compares whether the transmitted user data matches existing Google customers. Based on this information, users are assigned to the corresponding Google accounts they were logged into when interacting with one of your ads. We only receive statistical evaluations from "Google" for measuring the success of our advertising materials. "Google" processes the data in the USA. In this case, an adequate level of data protection is ensured through the use of the current version of the EU Commission's Standard Contractual Clauses pursuant to Article 46(2)(c) of the GDPR and participation in the EU-US Privacy Framework (Adequacy Decision for the USA). More information is available at https://policies.google.com/privacy/frameworks?hl=en
The legal basis for processing is your consent according to Article 6(1)(a) of the GDPR. Our legitimate interests in processing lie in the statistical analysis of website usage, reach measurement, optimization of advertisements, and in tracking and improving our advertising expenses. The storage duration at "Google" is a maximum of 90 days. Further information on data protection and storage duration at "Google" can be found at: https://support.google.com/google-ads/answer/6239119?hl=en
You can withdraw your consent to processing at any time by adjusting the slider in the "Advanced Settings" of the consent tool. The legality of processing based on your consent prior to withdrawal remains unaffected.
10. Duration of the processing
We process your personal data, health data, data concerning allergies and other special requirements - if necessary - for the duration of the entire business relationship (from the initiation, performance to the termination of a business relationship and until all open claims in connection with the business relationship have been satisfied in full).
The above listed data will be stored and processed until you withdraw your consent to this processing. The withdrawal of your consent has no effect on the lawfulness of the data processing up to this time.
After the business relationship ends, your data will be stored until expiry of the warranty, limitation and compensation periods as well as until expiry of legally binding retention periods and upon termination of any legal dispute in which the data is required as proof.
The data that you have provided us for marketing and information purposes, such as for sending a newsletter, is stored until you revoke your consent.
11. Data security
We are implementing technical and organisational measures to secure your personal data from accidental or intentional manipulation, loss, destruction, alteration and unauthorised disclosure as pursuant to the Article 28 of the General Data Protection Regulation. The security measures are being continuously improved in line with technical progress.
12. Your rights
With regard to the processing of your data, you may claim the following rights under the General Data Protection Regulation and the national data protection law:
a. Right of access
You have the right to obtain confirmation as to whether or not personal data concerning you is being processed. The confirmation contains the purposes of the processing, the categories of personal data concerned and recipients or categories of recipients to whom personal data have been or will be disclosed and the duration of the processing.
b. Right to rectification
You have the right to obtain the rectification of inaccurate personal data concerning you and the right to have incomplete personal data completed, without undue delay.
c. Right to erasure
You have the right to obtain the erasure of personal data concerning you without due delay when the personal data have been unlawfully processed, when the processing disproportionally interferes with your legitimate interests, when the personal data are no longer necessary in relation to the purposes for which they were collected and when you withdraw your consent on which the processing is based. Please note that there may be reasons that preclude immediate erasure, such as in the case of legal retention obligation.
d. Right to restriction of processing
You have the right to obtain the restriction of processing of your data when:
• you contested the accuracy of the data, for a period enabling us to verify the accuracy of the data;
• the processing is unlawful, you oppose the erasure and request the restriction of data usage instead;
• we do no longer need the data for the purposes of the processing, but you require the data for the establishment, exercise or defense of legal claims, or
• you objected to processing of the data.
Where there is a request for the restriction of processing, this data will be processed only with your consent, or for the establishment, exercise or defense of legal claims.
e. Right to data portability
You have the right to receive the personal data concerning you, which you provided to us, in a structured, commonly used and machine-readable format where:
• we are processing the data based on your given and revocable consent or for a fulfillment of contract between us, and
• the processing is carried out by automated means.
f. Right to object
You have the right to object, on grounds relating to your particular situation, at any time to processing of your personal data, necessary to safeguard your legitimate interests or legitimate interests of a third party. Your data shall no longer be processed unless there are compelling legitimate grounds for the processing which override your interests, rights and freedoms or the processing is necessary for the establishment, exercise or defense of legal claims.
You have the right to object to be targeted by the direct marketing at any time without stating grounds for the objection.
g. The right to lodge a complaint
If you are of the opinion that we are processing your data contrary to national or European data protection legislation, you can contact us at any time. You also have the right to contact the relevant data protection authorities and as from 25.05.2018 you can contact or lodge a complaint with a supervisory authority within the EU.
h. Asserting your rights
In order to assert one of the aforementioned rights, please use the following contact options:
- Email to: email@example.com
- Letter to: FMTG – Falkensteiner Michaeler Tourism Group AG
c/o Data Protection Officer
Walcherstraße 1A. Stiege C2, Top 6.04
- Call: Phone +43 (5) 09911 11 999
If we cannot identify you based on the data which we hold, it may be necessary to request additional information to determine your identity (e.g. ID with photo). Any questions you may have will help protect your rights and privacy.