Data Protection Declaration

Last update: June 2021

Provision of information pursuant to Art 13 of the General Data Protection Regulation (EU) 2016/679 (“GDPR“) by VIVAMAYR Marketing GmbH (“we“) regarding the processing of personal data in the context of accessing and using the website https://www.vivamayr.com/ (“Website“).

In this Data Protection Declaration, we, as a controller in the sense of Art 4 item 7 GDPR, describe which data we collect while you visit our Website and for what purpose we process them. For all relevant contact information, please refer to point 6 of this Data Protection Declaration. The protection of your personal data is a particular concern of ours and therefore we comply with the regulations of the GDPR in conjunction with the Austrian Data Protection Act (Datenschutzgesetz “DSG“), the Austrian Telecommunication Act (Telekommunikationsgesetz 2003 “TKG“) and other relevant legal provisions when collecting and processing your personal data.

Data protection laws are generally relevant as far as any processing of personal data is concerned. The terms used within the scope of this Data Protection Declaration are defined in and by the GDPR. As such, the broad definition of “processing” of personal data means any operation or set of operations performed on personal data. Any information allowing us or third parties – in a review or by additional knowledge – to potentially identify you in person (in particular, information that makes it possible to find out your full name) can be considered personal data, in which case you are to be regarded as a data subject in the sense of Art 4 item 1 GDPR.

You are not obligated to provide data. Apart from data processed automatically as described below, we principally only collect and store data that you provide to us by entering them in our entry form or actively interacting with our Website in any other way. As far as you would like to make use of one of our offers, the disclosure of some of your data is necessary for the performance of the respective contract.

 

1.         Data processing operations

1.1     Processing of access data when visiting our Website

Type and extent of data processing: You can visit our Website without providing any personal information. When you access our Website, only certain access data are processed automatically in so-called server log files. In particular, the following data are processed in this context: (i) name of visited website; (ii) browser type/version used; (iii) operating system of the user; (iv) previously visited website (referrer URL); (v) time of the server request; (vi) data volume transferred; (vii) host name of the accessing computer (IP address used). This information does not allow us to identify you personally; however, IP addresses are considered personal data within the meaning of the GDPR.

Legal basis and purpose: The purpose of this data processing operation is to establish and maintain technical security with regard to our Website and to generate non-personal statistical information. The processing is based on our legitimate interest (Art 6 para 1 lit f GDPR) in achieving the mentioned purposes.

Storage period: The server log files are, in general, automatically deleted after fourteen (14) days, at the latest.

 

1.2     Making contact; requests/bookings

According to the terms of the GDPR, personal data can be further divided into special categories, created by Art 9 GDPR, which are subject to stricter regulations (also: sensitive data). Due to the alignment of our occupation with the area of health care and medical diagnosis, we have to rely on the processing of sensitive data concerning health (data relating to the physical/mental health) of the guests of our facilities. Please be aware that information, which you provide beforehand via our Website in the course of requests and bookings, may already enable us to draw conclusions about your state of health. Furthermore, we process data concerning health within the framework of our Website in the event that you make use of our telemedicine services.

 

1.2.1   Making contact

Type and extent of data processing: When contacting us via the contact information provided in the course of this Data Protection Declaration respectively on our Website, we will use your data as indicated in order to process your contact request and to deal with it. The data processing involved is necessary to issue a response in respect of your request, as we would otherwise not be able to contact you.

Legal basis and purpose: The purpose of the data processing is to enable an exchange between us and users of the Website. We answer your request on the basis of our legitimate interest (Art 6 para 1 lit f GDPR) in maintaining a properly functioning contact system, which is a prerequisite for the provision of any services.

Storage period: We delete your requests as well as your contact data if the request has been completed. Your data are, in general, stored for a period of six (6) months and subsequently erased if we do not receive follow-up requests and if the data must not be further processed for different purposes.

 

1.2.2   Booking requests/bookings; precare/postcare

Type and extent of data processing: Via our Website, you have the opportunity to send us requests about booking a stay in one of our facilities or booking our precare/postcare services; depending on availability, you can also place your bookings directly online. Mandatory information that we require to correctly assign and process your request/booking is marked with a “*” symbol. Please be aware that the selection and specification of the program or the selected precare service, that you would like to receive, may already enable us to draw conclusions about your state of health and therefore, in the specific context, data concerning health in the sense of Art 9 GDPR may be processed. If necessary, additional data concerning health, which are necessary for the provision of our services, will be processed in the course of online conversations (precare/postcare).

Furthermore, we use the information you already provided to verify and answer your requests and to process the booking you have made. If you subsequently stay in one of our facilities, we process the respective data within the framework of the execution of the hosting and treatment contract (compatible change of purpose in the sense of Art 6 para 4 GDPR). As far as it is necessary to send goods (e.g. precare laboratory kits) in the course of bookings, the explanations under point 1.3 apply accordingly.

Legal basis and purpose: We process your personal data on the basis of your prior explicit consent in the sense of Art 6 para 1 lit a GDPR in conjunction with Art 9 para 2 lit a GDPR for the purpose of processing and answering your corresponding request or for the processing of a booking that has been made, and, if necessary, additionally for the performance of precare/postcare consultations that have been booked.

Storage period: We delete your requests as well as your contact data in general after six (6) months, if the subsequent conclusion of the hosting and treatment contract should not take place. In the case of bookings or the subsequent conclusion of contracts, we further process your data in the course of the administration of patient or guest data.

Data that have been processed in the course of precare/postcare consultations are stored in the course of our patient documentation for the duration of the respective retention periods under health law (e.g. § 51 Austrian Medical Act).

 

1.3     Customer orders; customer account; telemedicine

Type and extent of data processing: Should you have decided to make use of our offer, you will be required to provide certain information for the execution of the contract. You may create a customer account, but you can also place an order without such customer account. If you purchase a product without creating a customer account, you must at least provide the following personal data: (i) full name; (ii) email address; (iii) shipping/billing address, (iv) telephone number, (v) payment details. On our Website or in our online shop you also have the possibility to register a customer account in order to facilitate the ordering process for future purchases. Mandatory fields are marked with a “*” symbol. In any case, we require the information that is necessary for billing and delivery of the purchased products.

If you purchase one of our telemedicine services via our online shop, you will be contacted by our team to make an appointment. For the execution of the service, it is also necessary that we collect and process data concerning health within the meaning of Art 9 GDPR in the context of the consultation. The consultations are conducted by our doctors or other health professionals (consultants, specialists) who are professionally bound to secrecy. Other employees who may come into contact with sensitive data are expressly bound by contract to maintain confidentiality.

Legal basis and purpose: We are processing your data for the purpose of conducting our business activity and to be able to provide our services as offered. The processing is necessary to fulfil the purchase contract concluded with you and is, thus, based on Art 6 para 1 lit b GDPR. Additional data processing due to the creation of a customer account is based on our legitimate interest (Art 6 para 1 lit f GDPR), which consists in enabling us to provide users with a service which is usually expected from an online shop and in the facilitation of the ordering process for our customers as the purpose of data processing.

Within the scope of our telemedicine services, we also process the data collected during the acquired consultation for the purpose of executing the consultation contract concluded with us in this regard pursuant to Art 6 para 1 lit b GDPR in conjunction with Art 9 para 2 lit h GDPR.

Storage period: Data collected in the course of guest orders are stored for the period of three (3) years and will be erased thereafter, as long as follow-up contact has not been established in the meantime. Data processed in the framework of a customer account are stored for the existence of the customer account; however, in the case of completely inactive accounts, data will not be stored longer than seven (7) years. A customer account can be deleted at any time by contacting us. Longer storage periods may be the result of legal retention periods (see point 1.5) or in case of legal claims.

Data processed in the course of implementing our telemedicine service are stored as part of our patient documentation for the duration of the respective retention periods under healthcare law (e.g. § 51 Austrian Medical Act).

 

1.4     Newsletter

Type and extent of data processing: You may subscribe to our newsletter via the Website. Mandatory fields are marked with a “*” symbol; you may provide more details voluntarily. The newsletter provides you with news about our services; it will solely be sent to email addresses having been indicated by interested users themselves and validated by a double opt-in process. If you no longer wish to receive the newsletter, you can unsubscribe at any time (withdrawing your consent) by notifying us of your wish via the contact address specified under point 6 or by clicking on the respective link at the end of a newsletter.

We also use the newsletter for statistical evaluations in connection with your personal data and assess the performance of the newsletter by analysing opening and click behaviour as well as information on the technical deliverability of the newsletter (newsletter-tracking). For this purpose, our newsletters contain tracking pixels (see point 1.6.3), which detect your email client, your operating system and geolocation on the basis of the IP address. Moreover, it can be detected if and when an email has been opened and which links within the email have been followed.

For delivery of the newsletter and for the processing of data in the extent described above we use the newsletter service “eyepin”, which is provided by eyepin GmbH, Billrothstraße 52, 1190 Vienna, Austria. For this purpose, your voluntarily disclosed personal data will be processed for us by the provider, which consequently acts as our processor within the meaning of Art 28 GDPR.

Legal basis and purpose: The data mentioned above are processed in the form of a newsletter for the purpose of direct marketing and are necessary to send the newsletter and to contact you in the correct manner. A newsletter or other electronic advertisements will in no case be sent without your prior consent (Art 6 para 1 lit a GDPR) which we obtain from you directly on our Website. With the withdrawal of the consent to receive the newsletter, the consent to newsletter tracking is also withdrawn.

Storage period: All data having been collected for the delivery of the newsletter shall be erased within fourteen (14) days after unsubscribing from the newsletter. Furthermore, we automatically erase your data in case you are inactive for a period of three (3) years (in which you do not interact with any newsletter provided by us).

 

1.5     Legal retention and documentation periods

Type and extent of data processing: Even after an active customer relationship with us ceases to exist, we may not be allowed to delete all of your data due to legal requirements. Within this context, different types of data are affected to a varying extent. This concerns, in particular, your accounting data, which has to be stored by us, among other things, because of retention and documentation periods set by relevant fiscal and commercial law.

Legal basis and purpose: We process your data in this context on the basis of Art 6 para 1 lit c GDPR (legal obligation). This processing of your data is conducted for the purpose of complying with our own statutory duties.

Storage period: Due to legal retention and documentation obligations, which arise under fiscal and commercial law, your data are generally stored for a period of seven (7) years. In case the data in question are relevant for a pending (tax) proceeding, they might be stored for longer. As a result of other legal requirements, storage periods may deviate for certain data.

 

1.6     Storage technologies

1.6.1   Cookies

If you give us your express consent pursuant to Art 6 para 1 lit a GDPR, so-called “cookies” are used on our Website (you may withdraw your previously given consent at any time [see point 5 “right to withdraw”]); in case you decline to provide us with your consent, we shall limit our use of cookies to those cookies being technically necessary and essential for the proper functioning of our Website (see below) and process your data on the basis of our accompanying legitimate interest (Art 6 para 1 lit f GDPR), as far as personal data are involved.

Cookies are small data sets that are stored on your end device. They help us to make our offer more user-friendly. They are placed by a web server and sent back to it as soon as a new connection is established in order to recognise the user and his settings. In this sense, a cookie is a small local text file that assigns a specific identity consisting of numbers and letters to your end device.

Cookies can fulfil different purposes, e.g. helping to maintain the functionality of websites with regard to state of the art functions and user experience. The actual content of a specific cookie is always determined by the website that created it.

Cookies always contain the following information:

  • name of the cookie;
  • name of the server the cookie originates from;
  • ID number of the cookie;
  • an end date at the end of which the cookie is automatically deleted.

Cookies can be differentiated according to type and purpose as follows:

  • Essential cookies: Essential (also: technically necessary) cookies are required for the proper functioning of websites by enabling basic functions, such as site navigation and access to protected areas. Without such cookies, a website regularly fails to be fully functional. Necessary cookies are always first-party cookies. They can only be deactivated in the settings of your browser by rejecting all cookies without exception (see below) and are also used on our Website legally permissible without obtaining prior consent.
  • Functionality cookies: These cookies allow websites to remember information that affects the way a website behaves or looks, like preferences in the language settings or the geographical region from which the website is accessed. If you consent to the placement of these cookies, functionality cookies may be placed on your device as specified in the cookie consent tool and our cookie description.
  • Performance cookies: These types of cookies allow website operators to understand how visitors interact with their website by collecting and analysing information about user behaviour anonymously. Such cookies are thus used to collect information on user behaviour. In particular, the following information may be stored: accessed sub-pages (duration and frequency); order of pages visited; search terms used having led to the visit of the respective website; mouse movements (scrolling and clicking); country and region of access. These cookies allow to determine what a user is interested in and thereby adapt the content and functionality of the website to individual user needs. If you consent to the placement of these cookies, performance cookies may be placed on your device as specified in the cookie consent tool and our cookie description.
  • Tracking cookies: These cookies allow tracking of visitors when accessing websites. The intention behind this is to display advertisements that are relevant and appealing to the respective user. This can be achieved by analysing user behaviour and display of personalised advertising based on the interests determined. If you consent to the placement of these cookies, tracking cookies may be placed on your device as specified in the cookie consent tool and our cookie description.

With regard to storage period, cookies can be further differentiated as follows:

  • Session-Cookies: Such cookies will be deleted without any action on your part as soon as you close your current browser session.
  • Persistent Cookies: Such cookies (e.g. to save your language settings) remain stored on your end device until a previously defined expiration date or until you have them manually removed.

Furthermore, cookies may be differentiated by their subject of attribution:

  • First-party cookies: Such cookies are used by ourselves and placed directly from our Website. Browsers generally do not make them accessible across domains which is why the user can only be recognised by the page from which the cookie originates.
  • Third-party cookies: Such cookies are not placed by the website operator itself, but by third parties when visiting a specific website, in particular, for advertising purposes (e.g. to track surfing behaviour). They allow, for example, to evaluate different page views as well as their frequency.

Most browsers automatically accept cookies. However, you have the option to customise your browser settings so that cookies are either generally declined or only allowed in certain ways (e.g. limiting refusal to third party cookies). However, if you change your browser’s cookie settings, some websites may no longer be fully usable. You also have the option of deleting all cookies already stored in your end device via the browser settings. This also corresponds to a withdrawal of your consent. Furthermore, the cookie consent tool can be accessed via the following link: “change cookie settings”, which also allows subsequent adjustments and withdrawal.

 

1.6.2   Local Storage; Session Storage

We also use the so-called Local Storage or Session Storage, in order to store certain data on your end device (or in order to access such data). Your browser creates separate Local Storage or Session Storage for different domains. In contrast to cookies (see point 1.6.1), this method is faster and more secure, since data is not automatically transferred to the respective server with every HTTP request, but is merely stored by your browser software. In addition, the Local Storage and Session Storage each offer up to 5 megabytes of storage volume, while a single cookie can be a maximum of 4096 bytes.

Section 1.6.1 applies correspondingly, in particular also with regard to the possibility of withdrawing your consent once you have given it, since the functionalities have technical and legal similarities to cookies. Please note that information in Local Storage does not have an expiration date (it is comparable to persistent cookies). Manually removing data from local storage or session storage works in the same way as manually removing cookies within the settings of most browsers, since cookies are usually grouped together with other website data within this option (e.g. “Cookies and other website data”); in this respect, please refer to the explanations above under point 1.6.1.

1.6.3   Tracking pixel

We also use so-called tracking pixels (also: pixel tags or web beacons) to collect certain data via our Website. Tracking pixels are transparent images which are practically invisible as they consist of a single pixel. The tracking pixel is placed on a server and loaded therefrom as soon as a respective sub-page of our Website is accessed. They allow us to track that a subpage is accessed as well as any subsequent user activity on this page and allow us to conduct target orientated marketing. By means of the tracking pixel, in particular, the following information can be collected: (i) operating system used; (ii) browser type/version used; (iii) time of access; (iv) user behaviour on the visited page; (v) IP address and approximate location of the user.

Tracking pixels are used on our Website on the basis of our legitimate interest (Art 6 para 1 lit f GDPR) in analysing user accesses in a state of the art manner. As a tracking pixel is merely an image loaded from a server, its lifetime is limited to your current browser session. However, information collected via a tracking pixel may be subsequently stored in cookies (see point 1.6.1).

 

1.7     Third-party services

1.7.1   Google Analytics

If you give us your consent in the sense of Art 6 para 1 lit a GDPR via the cookie consent tool embedded on our Website, we use a web analysis and online marketing tool of Google Ireland Limited, Barrow Street, Dublin 4, Ireland (“Google Ireland“) on our Website, namely “Google Analytics“, which enables us to analyse how you use this Website. The tool tracks, for example, the time users spend on a subpage of our Website or which links are being clicked by them. The tracking takes place via JavaScript libraries provided by Google Ireland. Google Analytics uses cookies (respectively similar storage technologies). In respect of Google Analytics, Google Ireland acts as our processor in the sense of Art 28 GDPR.

In the context of the application of Google Analytics, your IP address as well as other client data, namely information about your use of our Website, for example, browser type/version, operating system, the previously visited website or the time of the server request, are transferred to and stored on Google servers. Based on our instructions, Google Ireland will use the information collected to analyse the use of our Website, draft reports on website activities and provide us with further services connected to the use of our Website and the Internet. The data concerning the use of our Website are deleted automatically after the retention period of twenty-six (26) months, which we provided for, has expired.

The IP address transferred by your browser in the context of Google Analytics is not merged with other Google data. In order to protect you as comprehensively as possible, we utilise IP anonymisation by extending the code of our Website by “anonymizeIP”. This ensures masking of your IP address, wherefore all data concerned are collected anonymously. Only in exceptional cases will the full IP address be transferred to a Google server and shortened there. Google Ireland intends to process data of users of the European Economic Area, where possible, in data centres situated in Europe; however, an outsourcing of processing activities to group companies may take place. An overview of Google data centres can be viewed under https://www.google.com/about/datacenters/inside/locations/?hl=en.

With regard to cookies (respectively similar storage technologies), please review the relevant information under point 1.6. You may prevent Google Ireland from collecting data generated by cookies and relating to your use of the Website (including your IP address) and from processing this data by downloading an appropriate browser plug-in (available for Microsoft Internet Explorer 11, Google Chrome, Mozilla Firefox, Apple Safari and Opera) and installing it (https://tools.google.com/dlpage/gaoptout?hl=en).

For further information on data usage by Google Ireland and affiliated companies as well as your options in terms of settings and objection, please review the data protection declaration of Google under https://policies.google.com/privacy?hl=en.

 

1.7.2   Facebook pixel

If you give us your consent in the sense of Art 6 para 1 lit a GDPR via the cookie consent tool embedded on our Website, we use the “Facebook pixel” within our offer. This is a Facebook business tool for which Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (“Facebook Ireland“) acts as the controller from a data protection point of view in regards to the EEA region. The Facebook pixel is implemented on our Website as a JavaScript code snippet and allows us to track the activities of website users. Certain actions performed by a user are defined as so-called events and analysed by means of the Facebook pixel (in particular, access of a specific subpage of our Website, i.e. button click data); this allows us, for example, to determine the efficacy of the website structure as well as the effectiveness of our advertising measures (conversion tracking). The Facebook pixel is used for statistical as well as marketing purposes, in order to continuously optimise our offer. Within this context, Facebook Ireland acts as our processor in the sense of Art 28 GDPR.

The Facebook pixel collects event data as defined, all information present in HTTP headers (IP address, information about the web browser, page location, document, referrer and visit of the website) as well as a pixel ID and cookie information. Those data are exchanged with Facebook Ireland. The processing of your IP address is necessary, in order to send the desired contents to your browser. Our usage of the Facebook pixel and, thus, the data exchange with Facebook Ireland is solely limited to event data; a transfer of hashed contact information (e.g. within the framework of Facebook Custom Audiences and Lookalike Audiences) may only be carried out after obtaining your prior consent. The tracking is carried out via first-party and third-party cookies; thus, the placement of cookies, which are connected with the Facebook pixel, is not prevented by consenting to our use of cookies, while blocking third-party cookies in the respective settings of your browser software (see point 1.6). Eventually, other storage technologies such as tracking pixels might be utilised as well.

The data collected do not allow us to draw any conclusions on the identity of users. The data are stored and processed by Facebook Ireland on our behalf; Facebook itself makes use of event data, in particular, to personalise functions and contents (also advertisements and recommendations); however, this is strictly limited to data which have already been aggregated with data of other advertisers or other Facebook products. In this vein, non-personal clusters are formed and may be stored for longer periods. In case you have set up a Facebook account, you can configure settings regarding the personalisation of advertisements.

 

1.7.3   Hotjar

If you give us your consent in the sense of Art 6 para 1 lit a GDPR via the cookie consent tool embedded on our Website, we use the web analysis tool of Hotjar Ltd., Level 2, St Julian’s Business Centre, 3, Elia Zammit Street, St Julian’s STJ 1000, Malta (“Hotjar“), through which we are able to analyse the usage of our Website. For this reason, we implement a corresponding tracking code on our Website, upon which Hotjar, as our data processor in the sense of Art 28 GDPR, collects and analyses specific data via a script. Hotjar enables us to track your interactions with our Website and therefore analyse your behaviour, e.g. by providing us with heatmaps. This allows us to improve our services and your user experience. We can also achieve the latter through the help of Hotjar via an improved collection of feedback. The collected data are transferred to Hotjar servers in Ireland and in general automatically deleted after a storage period of one (1) year. Through your browser, your IP address (in anonymised form), screen size, browser type and version, the country you are accessing from, your preferred language setting, sub-pages visited and the date and time of access are transmitted to Hotjar. Hotjar uses various cookies; further information can be found at https://help.hotjar.com/hc/en-us/articles/115011789248-Hotjar-Cookies. You can prevent the collection of your data through Hotjar by following the steps laid out at: https://www.hotjar.com/legal/compliance/opt-out. Please also note the data protection declaration of Hotjar: https://www.hotjar.com/legal/policies/privacy/.

 

1.7.4   Google reCAPTCHA

In order to protect input forms on our Website, we use Google’s “reCAPTCHA” service, which is operated by Google Ireland in the EEA region (see point 1.7.1). The use of this service makes it possible to differentiate between whether the relevant input is of human origin or whether it is misused by automated machine processing.

For this purpose, referrer URLs, the IP address, the behaviour of website visitors, information on the operating system, browser and length of visit, cookies, display instructions and scripts, the user’s input behaviour and mouse movements in the area of the reCAPTCHA checkbox are transferred to Google Ireland.

Google Ireland uses such information, among other things, to digitise books and other printed products and to optimize services such as Google Street View and Google Maps (e.g. house number and street name recognition).

Cookies are being used for the execution of the service. The IP address provided by reCAPTCHA will not be merged with any other data held by Google unless you are logged into your Google account at the time you use the reCAPTCHA plug-in – thus please log out from your Google account before visiting a respective page. The information obtained through the reCAPTCHA service is used in accordance with the Google Terms of Use. You can find further information on the protection of your data by Google Ireland at: https://policies.google.com/privacy?hl=en.

1.7.5  Piwik PRO Analytics Suite

We use the Piwik PRO analytics and customer data platform to analyze and optimize the user experience and digital customer journey data by offering you products, content or services tailored to you (“personalization”). We collect first-party data about website visitors based on cookies, IP addresses and so-called browser fingerprints; we create user profiles based on browsing history and calculate metrics related to website usage, such as bounce rate, intensity of visits, page views, etc. The tracking collects data on what content, pages and features you use on the website. The tracking is based solely on your consent pursuant to Article 6(1)(a) of the General Data Protection Regulation (“GDPR”).

If personal tracking takes place after you have voluntarily given your consent, you can revoke your consent via a corresponding setting in the electronic service Borlabs cookies, whereby the tracking data is anonymized and can no longer be assigned to your person. Your IP address will be anonymized immediately during this process, so that you as a user remain anonymous to us. You thus forgo the benefits of personalized use of the Electronic Service. The tracking data is collected exclusively via cloud services in the EU. If the tracking data is processed using cloud services, we have concluded an agreement to this effect in order to fulfill our legal obligation under Article 28 GDPR.

1.8     YouTube components with privacy-enhanced mode

On our Website we use components (videos) of the video platform “YouTube“, which is operated by Google Ireland (see point 1.7.1) in the EEA region. In doing so, we use the “privacy-enhanced mode” option provided by YouTube.

When you access a subpage that has an embedded video, a connection to YouTube servers is established and the content is transmitted to your browser and displayed on the Website. According to the information provided by YouTube, in the privacy-enhanced mode data is transferred exclusively to YouTube servers. These data include, in particular, which of our web pages you have visited when you watch the video. If you are at the same time logged into YouTube, the respective data can be linked to your account. You can prevent this by logging out of your account before visiting our Website. Additional information concerning the protection of personal data by YouTube is provided by Google Ireland at: https://www.google.de/intl/de/policies/privacy/.

 

2.         Transfer of your data; recipients

For the purposes of executing the data processing activities indicated in this Data Protection Declaration, we will transfer your personal data to the following recipients or make them available to them:

Within our organisation, your data will only be provided to those employees who need them to fulfil their or our respective obligations.

Furthermore, (external) processors deployed by us receive your data if they need these data to provide their respective services (whereby the mere possibility to access personal data is sufficient). All processors are contractually obliged to keep your data confidential and to process it only within the scope of service provision.

This includes the following categories of recipients:

  • Service provider for website tools/plugins (see point 1.7)
  • Newsletter administration (see point 1.4)
  • Hosting provider: Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany
  • Technical support: EOR Digital GmbH, Künstlergasse 11, 1150 Vienna, Austria

For the processing of booking requests and bookings (see point 1.2.2) as well as for the preparation of our newsletter (see point 1.4), we use the media.tel Informationsdienstleistungsges.m.b.H, V19 Vienna Nineteen Centre, Mooslackengasse 17, 1190 Vienna, Austria within the service “MAILPILOT”.

All deployed processors will process your data under strict observance of the requirements of the GDPR and solely based on our explicit instructions. Please note that some of the recipients mentioned above are located outside of the European Union or process your (personal) data outside of the European Union. As far as no adequacy decision of the European Commission is in existence with regard to such cases, we shall legitimise the third-country transfer on the basis of standard contractual clauses or other appropriate safeguards in the sense of Art 46 GDPR, which we have agreed upon accordingly with the respective provider.

Lastly, we may transfer your data to independent controllers, as far as this is absolutely necessary and we are legally obliged to do so. This may include, in particular, payment service providers which we use in connection with payments placed in our online shop (Stripe, PayPal, SOFORT Überweisung), banking institutions entrusted with payments, our tax advisor, tax offices, and courts or authorities acting in the course of their statutory competence.

 

3.         Links to third-party sites

On our Website, we use links to the websites of third parties. These are, in particular, links to our presences in social networks (e.g. Facebook). If you click on one of these links, you will be forwarded directly to the respective page. For the website operators it is only evident that you have accessed our Website beforehand. Accordingly, we refer you, in general, to the separate data protection declarations of these websites. For further information on our processing of your data in connection with our social media presences, please review point 4.

 

4.         Social media presences

For the purpose of promoting our business activity and our service offer, we maintain presences in various social networks. The processing of your data in this context is based on our legitimate interest (Art 6 para 1 lit f GDPR) in expanding our reach as well as providing additional information and means of communication to users of social networks. In order to reach said purposes at the best possible rate, we may utilise functions provided by the respective service provider to measure our reach in detail (access statistics, identification of returning users, etc.).

In the course of accessing any of the online presences outlined subsequently, we process the general information being evident due to your profile in the respective network as well as additional continuance, contact or content data, as far as you provide us with such data by interacting with our online presence and its contents. We do not store those data separately outside of the respective social network.

Since we jointly decide with the relevant service provider (respectively entity expressly outlined as controller) upon purposes and means of data processing in the course of a respective online presence, we are to be considered joint controllers in the sense of Art 26 GDPR. The provider of each social network mentioned shall act as the primary point of contact with regard to all general and technical questions in respect of our online presences; this also applies to fulfilling rights of the data subjects in the sense of point 5. However, in case of requests concerning the specific operation of our online presences, your interactions with them or information published/collected via such channels, we shall be the primary point of contact; point 5 as well as other stipulations in this Data Protection Declaration apply correspondingly.

 

4.1     Facebook

The social network “Facebook” is operated by Facebook, Inc., 1601 Willow Road, Menlo Park, CA 94025, USA and its group companies. Controller from a data protection point of view with regard to the EEA region is Facebook Ireland (see point 1.7.2). In respect of the operation of our Facebook fan pages “@vivamayr.altaussee” (https://www.facebook.com/vivamayr.altaussee/) as well as “@viva.mayr” (https://www.facebook.com/viva.mayr/) we are joint controllers in the sense of Art 26 GDPR with Facebook Ireland.

Please note that we have no influence on the programming and design of the social network; thus, we can only use the options provided by Facebook in order to personalise and maintain our Facebook fan page. Hence, please carefully review the terms which the service provider prescribes for the use of the social network (https://www.facebook.com/terms) as well as the separate data protection declaration (https://www.facebook.com/policy.php) and consider the settings options in your Facebook account. In regards to any information provided by us via mechanisms made available by Facebook (posts, shares, etc.), we are naturally fully responsible.

 

4.2     Instagram

The social network “Instagram” is operated by Instagram Inc., 1601 Willow Road, Menlo Park, CA 94025, USA, which is part of the Facebook group. Controller from a data protection point of view with regard to the EEA region is Facebook Ireland (see point 1.7.2). In respect of the operation of our Instagram accounts “vivamayraltaussee” (https://www.instagram.com/vivamayraltaussee/), “vivamayrmariawoerth” (https://www.instagram.com/vivamayrmariawoerth/) as well as “vivamayr” (https://www.instagram.com/vivamayr/), we are joint controllers in the sense of Art 26 GDPR with Facebook Ireland.

Please note that we have no influence on the programming and design of the social network; thus, we can only use the options provided by Instagram in order to personalise and maintain our Instagram account. Hence, please carefully review the terms which the service provider prescribes for the use of the social network (https://help.instagram.com/581066165581870) as well as the separate data protection declaration (https://help.instagram.com/519522125107875) and consider the settings options in your Instagram account. In regards to any information provided by us via mechanisms made available by Instagram (postings, stories, etc.), we are naturally fully responsible.

 

4.3     LinkedIn

The social network “LinkedIn” is operated by LinkedIn Corporation, 1000 W. Maude Ave, Sunnyvale, CA 94085, USA. For the EEA region, LinkedIn is operated and data processing is controlled by LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland (“LinkedIn Ireland“). In respect of the operation of our LinkedIn account “VIVAMAYR” (https://www.linkedin.com/company/vivamayr), we are joint controllers in the sense of Art 26 GDPR with LinkedIn Ireland.

Please note that we have no influence on the programming and design of the social network; thus, we can only use the options provided by LinkedIn in order to personalise and maintain our LinkedIn account. Hence, please carefully review the terms which the service provider prescribes for the use of the social network (https://www.linkedin.com/legal/user-agreement?_l=en_EN) as well as the separate data protection declaration (https://www.linkedin.com/legal/privacy-policy) and consider the settings options in your LinkedIn account. In regards to any information provided by us via mechanisms made available by LinkedIn (postings, chats, etc.), we are naturally fully responsible.

 

4.4     YouTube

The video platform “YouTube” is operated by Google Ireland (see point 1.7.1) in regard to the EEA region. In respect of the operation of our YouTube channel “VIVAMAYR” (https://www.youtube.com/channel/UCLWHxR2c23pvO_dfGO85Fkg), we are joint controllers in the sense of Art 26 GDPR with Google Ireland.

Please note that we have no influence on the programming and design of YouTube; thus, we can only use the options provided by YouTube in order to personalise and maintain our YouTube channel. Hence, please carefully review the terms which the service provider prescribes for the use of the video platform (https://www.youtube.com/t/terms) as well as the separate data protection declaration (https://policies.google.com/privacy?hl=en-GB&gl=en) and consider the settings options in your YouTube account. In regards to videos and content provided by us, we are naturally fully responsible.

 

5.         Rights of the data subject

You may decide to exercise any of the following rights concerning our processing of your personal data at any time free of charge by means of a notification being sent to one of the contact options outlined under point 6; we shall then answer your request as soon as possible and within one (1) month at the latest (in exceptional cases, restrictions on these rights are possible, for instance, if otherwise the rights of third parties would be affected):

  • access to and further information concerning your individual data processed by us (right of access, Art 15 GDPR);
  • rectification of wrongly recorded data or data that have become inaccurate or incomplete (right to rectification, Art 16 GDPR);
  • erasure of data which (i) are not necessary in light of the purpose of data processing, (ii) are processed unlawfully, (iii) must be erased due to a legal obligation or an objection to the processing (right to erasure, Art 17 GDPR);
  • temporary restriction of processing under certain circumstances (right to restriction of processing, Art 18 GDPR);
  • withdrawal of consent granted for the processing of your personal data at any time; however, please note that the withdrawal of your consent does not retroactively affect the lawfulness of data processing based on such consent – it solely affects subsequent processing activities (right to withdraw; Art 7 para 3 GDPR);
  • objection to any processing of your data being based on our legitimate interest (Art 6 para 1 lit f GDPR) on grounds relating to your particular situation or being executed for direct marketing purposes (right to object; Art 21 para 1 and 2 GDPR);
  • transfer of your personal data which are processed on the basis of your consent in a machine-readable format to you or directly to another controller upon request (right to data portability; Art 20 GDPR);
  • right to lodge a complaint with a supervisory authority in respect of our processing of your data; in Austria, a complaint has to meet the requirements laid out in § 24 Austrian Data Protection Act and has to be directed to the Austrian Data Protection Authority (Österreichische Datenschutzbehörde), Barichgasse 40–42, 1030 Vienna, email: dsb@dsb.gv.at, Phone: +43 1 52 152-0 (for the simplification of this process, the Austrian Data Protection Authority provides forms at: https://www.dsb.gv.at/dokumente).

 

6.         Contact details regarding data protection issues, messages, requests

For data protection questions, messages or requests, please use the following contact address:

VIVAMAYR Marketing GmbH
Seepromenade 11
9082 Maria Wörth
Austria

Phone: +43 4273 31117
Email: datenschutz@vivamayr.com

You can contact our data protection officer at: dsgvo@taschler.at