Hotel Naudererhof

Privacy policy

We’re so glad you’re interested in our business. Use of the Hotel Naudererhof website is fundamentally possible without entering personal data. Insofar as a data subject would like to use particular services available on our website, it may be necessary to process personal data. If it is necessary to process personal data and there is no statutory basis for such processing, we will generally ask the data subject for their consent.

Personal data, such as a data subject’s name, address, email address or telephone number, is always processed in accordance with the General Data Protection Regulation and the data protection regulations specific to the Hotel Naudererhof’s location. With this data protection policy, our business would like to inform you of the nature, scope and purpose of personal data collected, used and processed by us. Furthermore, data subjects can also use this privacy policy to learn about their rights.

As controller, Hotel Naudererhof has introduced countless technical and organisational measures for this processing to ensure the best possible protection of personal data processed via this website. Nevertheless, internet-based data transfers are fundamentally prone to security breaches, so complete protection cannot be guaranteed. For this reason, each data subject is free to provide us with data using alternative methods, such as telephone.

1.    Definition of terms
The Hotel Naudererhof privacy policy is based on the terms used by the European authorities in the General Data Protection Regulation. Our privacy policy is intended to be easy for the public, our customers and business partners to read and understand. To guarantee this, we’d like to first explain the terms used.

In this privacy policy, we use the following terms:
a)    Personal data
Personal data comprises any information related to an identifiable natural entity (hereafter ‘data subject’). A natural entity is considered identifiable if they can be directly or indirectly identified through the allocation of information such as a name, ID number, location data, online name, one or more special characteristics, expression of physical, genetic, psychological, economic, cultural or social identity of this natural entity.

b)    Data subject
A data subject is any identifiable or identified natural identity whose personal data is being processed by the controller.

c)    Processing
Processing is any operation or series of operations carried out with or without automated processes in relation to personal data, such as collecting, gathering, organising, filing, storing, editing or changing, reading, calling up, using, disclosing through transfer, distribution or any other form of provision, comparing or linking, restricting, deleting or destroying.

d)    Restriction of processing
Restriction of processing is the labelling of stored personal data with the aim of limiting any future processing hereof.

e)    Profiling
Profiling is any kind of automated processing of personal data whereby this personal data is used to evaluate certain personal aspects of a natural entity in particular in order to analyse or predict this natural entity’s work performance, economic situation, health, personal preferences, interests, reliability, behaviour, place of residence or change of residence.

f)    Pseudonymisation
Pseudonymisation is the processing of personal data in such a way that the personal data can no longer be allocated to a specific data subject without additional information, insofar as this additional information is stored separately and subject to technical and organisational measures that guarantee that the personal data is not allocated to an identified or identifiable natural entity.

g)    Controller
The controller is the natural or legal entity, authority, body or other entity that is solely responsible or responsible in conjunction with others for the aims and means of the processing of personal data.
If the aims and means of this processing are regulated by EU law or the law of member states, the controller or the specific criteria the controller has dictated may be assigned under such EU or member state law.

h)    Processor
A processor is a natural or legal entity, authority, organisation or other body that processes personal data on behalf of the controller.

i)    Recipient
A recipient is a natural or legal entity, authority, organisation or other body to whom personal data is disclosed, regardless of whether this is a third party or not. Authorities that may receive personal data as part of an investigation under EU law or the law of member states are not considered recipients.

j)    Third parties
A third party is a natural or legal entity, authority, organisation or other body apart from the data subject, the controller or processor and people tasked with processing personal data on direct behalf of the controller or processor.

k)    Consent
Consent is any clear, informed permission granted by the data subject voluntarily for the specific case in the form of a declaration or other clear confirmation that the data subject provides to confirm that they agree to the processing of their personal data.

2.    The name and address of the controller in the sense of the General Data Protection Regulation, other applicable data protection laws for EU member states and other provisions with any data protection relevance is as follows:

Naudererhof Alpin Art & Spa Hotel ****S
Kurt Kleinhans and family
Tschiggfreystr. 160 A-6543 Nauders

T +43 (0) 5473 / 8 77 04
F +43 (0) 5473 / 8 77 77
E info@naudererhof.at
ATU41641407

3.    Cookies
The Hotel Naudererhof website uses cookies. Cookies are small text files that are stored to a computer system via an internet browser. Countless websites and servers use cookies. Many cookies contain a cookie ID. A cookie ID is a clear label used to identify the cookie. It is made up of a string of characters that websites and servers can allocate to a specific browser where the cookie is saved. This lets the websites and servers differentiate between different data subjects using different browsers containing other cookies. A certain internet browser can be recognised and identified by the distinct cookie ID.

Thanks to the use of cookies, Hotel Naudererhof can provide users of this website more user-friendly services that would not be possible without cookies. Information and services on our website can be optimised for the user using cookies. As already mentioned, cookies let us recognise users of our website. The purpose of this recognition is to make it easier for the user to use our website. The user of a website using cookies must not enter their access data upon each visit, for example, as this is taken care of by the website and the cookies stored on the user’s computer system. Another example is the basket cookie used on online shops. The online shop records the items that a customer has placed in their virtual basket using a cookie.

The data subject can prevent the storage of cookies by our website at any time using the appropriate settings in their internet browser so that the storage of cookies is rejected. Furthermore, any existing cookies can be deleted using a browser or other software programme. This is possible in all standard internet browsers. If the data subject deactivates the storage of cookies in their browser, not all functions of our website may be usable in full.

4.    Gathering of general data and information
The Hotel Naudererhof website collects a range of general data and information every time a data subject or an automated system visits the website. This general data and information is saved in server log files. The following may be collected: (1) the browser type and version used, (2) the operating system used by the system requesting access, (3) the website from which an accessing system visited our website (referrer), (4) the subpages from which an accessing system visited our website, (5) the date and time of website access, (6) an internet protocol address (IP address), (7) the accessing system’s internet service provider and (8) other similar data or information that serves to prevent damage in the case of an attack on our IT systems.

When using this general data and information, Hotel Naudererhof does not identify the data subject. This information is simply required to (1) properly deliver the content of our website, (2) optimise the content of our website and advertising, (3) guarantee the ongoing functionality of our IT systems and technology of our website, (4) provide necessary information for investigations to the authorities in the case of a cyber attack. This anonymously collected data and information is therefore analysed by Hotel Naudererhof statistically and furthermore with the aim of increasing data protection and security in our company in order to ensure an optimal level of protection for the personal data we process. The anonymous data in the server log files is stored separately from all personal data entered by the data subject.

5.    Subscription to our newsletter
On the Hotel Naudererhof website, users are given the opportunity to subscribe to our newsletter. What personal data is transferred for the provision of the newsletter to the controller can be established from the forms used for this purpose.

Hotel Naudererhof shall inform its customers and business partners at regular intervals of offers from our company in the form of a newsletter. Our newsletter can in principle be received by the data subject only when (1) the data subject has a valid email address and (2) the data subject has signed up for the newsletter. The email address entered by the data subject to receive the newsletter will receive a confirmation email as part of a double opt-in process. This confirmation email serves to check that the owner of the email address has authorised the receipt of our newsletter as the data subject.

When subscribing to the newsletter, we also save the IP address set by the internet service provider (ISP) for the computer system used by the data subject at the time of subscription as well as the time and date of subscription. It is necessary for this data to be collected in order to track any possible misuse of a data subject’s email address at a later date, thus ensuring legal safety for the controller.

The personal data collected as part of a subscription to the newsletter is solely used to send our newsletter. Furthermore, subscribers to the newsletter may be informed via email if necessary for the operation of the newsletter service or any related registration, as may be the case for changes to the newsletter service or changes to technical circumstances. Personal data collected as part of the newsletter service is not passed on to third parties. Subscriptions to our newsletter can be cancelled by the data subject at any time. Consent for the storage of personal data disclosed to us by the data subject for the provision of the newsletter can be revoked at any time. To revoke this consent, there is a link in each newsletter. Furthermore, there is the opportunity to unsubscribe from the newsletter directly on the controller’s website or to inform the controller in another way.

6.    Newsletter tracking
The Hotel Naudererhof newsletter contains tracking pixels. A tracking pixel is a miniature graphic embedded in emails sent in HTML format in order to facilitate the logging and analysis of a log file.
This means that a statistical evaluation of the success or failure of online marketing campaigns. Embedded tracking pixels let Hotel Naudererhof recognise if and when an email is opened by a data subject and what links the data subject used in the email.

Personal data received via the tracking pixels contained in newsletters is stored and evaluated by the controller in order to optimise the sending of the newsletter and adapt the content of future newsletters to the data subject’s interests in future. This personal data is not passed on to third parties. Data subjects are permitted to revoke this special consent granted via the double opt-in process at any time. After revoking, the controller shall delete the personal data. Hotel Naudererhof considers unsubscribing from the newsletter revocation.

7.    Contact via the website
For legal reasons, the Hotel Naudererhof website contains information that permits speedy electronic contact with our business as well as direct communication with us, including a general email address. Insofar as a data subject contacts the controller via a contact form or email, the personal data transferred by the data subject will be saved automatically. Personal data provided voluntarily to the controller by a data subject shall be stored for the purpose of processing contact with the data subject. This personal data is not passed on to third parties.

8.    Routine deletion and freezing of personal data
The controller processes and stores the data subject’s personal data only while required to achieve the aim of storage or insofar as required by the European authorities or other lawmaker in laws or regulations to which the controller is subject.
If the purpose of storage no longer applies or the retention period set by the European authorities or other lawmaker expires, personal data is routinely frozen or deleted in compliance with statutory requirements.

9.    Data subject rights
a)    Right to confirmation
European authorities and lawmakers grant each data subject the right to request from the controller a confirmation regarding whether their personal data is being processed. If a data subject would like to take advantage of this right of confirmation, they may contact an employee of the controller at any time.

b)    Right to information
According to the European authorities and lawmakers, each data subject affected by the processing of personal data has the right to receive free information about the personal data stored about them as well as a copy of this information from the controller.
Furthermore, the European authorities and lawmakers have allowed data subjects the right to the following information:
-    Purpose of processing
-    Categories of personal data being processed
-    Recipients or categories of recipients to whom personal data has been disclosed or will be disclosed, in particular recipients in third countries or international organisations
-    If possible, the planned duration of storage of personal data or, if this is not possible, the criteria to deduce this duration
-    The existence of a right to correct or delete personal data about them or a restriction of processing by the controller or the right to object to this processing
-    The existence of a right to complain to a supervisory authority
-    If the personal data is not collected via the data subject: all available information about the data’s origin
-    The existence of any automatic decision-making, including profiling in accordance with article 22 paragraphs 1 and 4 of the GDPR and — at least in these cases — clear information about the logic involved as well as the consequences and intended impacts of such processing for the data subject

Furthermore, the data subject has the right to information regarding whether personal data is transferred to a third country or to an international organisation. If this is the case, the data subject shall also have the right to receive information about the suitable guarantees relating to the transfer.
If a data subject would like to take advantage of this right of information, they may contact an employee of the controller at any time.

c)    Right to correction
Each data subject impacted by the processing of personal data has been granted by the European authorities and lawmakers the right to immediate correction of any incorrect personal data regarding their person. Furthermore, the data subject has the right to request the completion of incomplete personal data, taking the purpose of processing into consideration — also in the form of a supplementary explanation.
If a data subject would like to take advantage of this right of correction, they may contact an employee of the controller at any time.

d)    Right to deletion (right to be forgotten)
Any data subject impacted by the processing of personal data has been granted by the European authorities and lawmakers the right to request that the controller immediately delete their personal data insofar as one of the following reasons applies and processing is not required:
-    The personal data was collected or otherwise processed for purposes for which it is no longer required.
-    The data subject has revoked the consent on which the processing was based in accordance with article 6 paragraph 1 letter a of the GDPR or article 9 paragraph 2 letter a of the GDPR, and there is no other legal basis for the processing.
-    According to article 21 paragraph 1 of the GDPR, the data subject has objected to the processing and there are no overriding legitimate reasons for the processing, or the data subject objects to the processing in accordance with article 21 paragraph 2 of the GDPR.
-    The personal data has been improperly processed.
-    The deletion of personal data is required to fulfil a legal obligation under EU law or the law of the member state to which the controller is subject.
-    The personal data was collected based on information society services in accordance with article 8 paragraph 1 of the GDPR.

Insofar as one of the above reasons applies and a data subject would like to request the deletion of personal data stored by Hotel Naudererhof, they can contact an employee of the controller at any time. The Hotel Naudererhof employee shall see to the data’s immediate deletion.

If the personal data has been made public by Hotel Naudererhof, and our business as the controller is obliged to delete the personal data in accordance with article 17 paragraph 1 of the GDPR, Hotel Naudererhof shall undertake reasonable measures considering the available technology and implementation costs in order to inform other processors that process the disclosed personal data that the data subject has requested that these other processors delete all links to this personal data or copies or replications of this personal data insofar as processing is not required. The Hotel Naudererhof employee will initiate the necessary on a case by case basis.

e)    Right to the restriction of processing
Each data subject impacted by the processing of personal data has been granted by the European authorities and lawmakers the right to request that the controller restrict processing if one of the following conditions applies:
-    The data subject is contesting the correctness of the personal data, for a duration that allows the controller to review the correctness of the personal data.
-    The processing is unlawful but the data subject refuses the deletion of their personal data and instead requests a restriction of the processing of their personal data.
-    The controller no longer requires the personal data for the purpose of processing, the data subject requires it to exercise, assert or defend legal claims.
-    The data subject has objected to the processing in accordance with article 21 paragraph 1 of the GDPR and is not yet certain whether the controller’s legitimate reasons outweigh those of the data subject.

Insofar as one of the above conditions applies and a data subject would like to request the restriction of the processing of personal data stored by Hotel Naudererhof, they can contact an employee of the controller at any time. The Hotel Naudererhof employee shall see to the restriction of the processing of the personal data.

f)    Right to data portability
Any data subject impacted by the processing of personal data has been granted by the European authorities and lawmakers the right to receive personal data concerning them provided by the data subject to a controller in a structured, standard and machine-readable format. They also have the right to have this data transferred to another controller without hindrance from the controller to which the personal data was provided, insofar as the processing is based on consent in accordance with article 6 paragraph 1 letter a of the GDPR or article 9 paragraph 2 letter a of the GDPR or a contract in accordance with article 6 paragraph 1 letter b of the GDPR and the processing takes place with the aid of automated processes, insofar as the processing is not required for the exercising of a task in the public interest or to carry out an official order directed to the controller.

Furthermore, in exercising their right to data portability, in accordance with article 20 paragraph 1 of the GDPR, the data subject has the right to have the personal data directly transferred from one controller to another controller, insofar as this is technically feasible and no other person’s rights or freedoms are hereby impaired. To exercise the right to data portability, the data subject can contact an employee of Hotel Naudererhof at any time.

g)    Right to object
Each data subject impacted by the processing of personal data has been granted by the European authorities and lawmakers the right to object to the processing of personal data impacting them being carried out based on article 6 paragraph 1 letter e or f of the GDPR for reasons arising from their particular situation. This also applies to any profiling based on these provisions.

In the case of objection, Hotel Naudererhof no longer processes the personal data unless we can prove a compelling reason worthy of protection for the processing that outweighs the data subject’s interests, rights and freedoms or unless processing serves to assert, exercise or defend legal claims.

If Hotel Naudererhof processes personal data in order to operate direct advertising, the data subject has the right to object to the processing of their personal data for the purpose of such advertising. This also applies to profiling insofar as this is related to such direct advertising. If the data subject objects to processing by Hotel Naudererhof for the purposes of direct advertising, Hotel Naudererhof shall no longer process the personal data for this purpose.

The data subject also has the right, based on reasons arising from their particular situation, to object to the processing of their personal data carried out by Hotel Naudererhof for academic or historical research purposes or statistical purposes in accordance with article 89 paragraph 1 of the GDPR, unless such processing is required to fulfil a task in the public interest.

To exercise this right to object, the data subject can also directly contact any employee of Hotel Naudererhof. The data subject is also free to exercise their right to object using automated processes using technical specifications in relation to the use of information society services, regardless of directive 2002/58/EG.

h)    Automated decision-making, including profiling
Any data subject impacted by the processing of personal data has been granted by the European authorities and lawmakers the right to not be subjected to exclusively automated decisions — including profiling — that may have legal consequences or otherwise significantly impact them insofar as the decision (1) is not required for the completion or fulfilment of a contract between the data subject and controller or (2) is permitted based on the legal regulations of the EU or member states to which the controller is subject, and these legal requirements encompass reasonable measures to uphold the rights, freedoms and legitimate interests of the data subject or (3) is made with the data subject’s express permission.

If the decision (1) is required for the commencement or completion of a contract between the data subject and controller or (2) is made with the data subject’s express permission, Hotel Naudererhof shall undertake reasonable measures to uphold the data subject’s rights, freedoms and legitimate interests, whereby at least included are the right to initiate a person’s interference on the part of the controller, to represent one’s own perspective and to challenge the decision. If a data subject would like to exercise rights relating to automated decisions, they may contact an employee of the controller at any time.

i)    Right to revoke data protection consent
Each data subject impacted by the processing of personal data has been granted by the European authorities and lawmakers the right to revoke consent for the processing of personal data. If a data subject would like to revoke their consent, they may contact an employee of the controller at any time.

10.    Data protection for applications and the application process
The controller collects and processes personal data from applicants for the purpose of processing the application. Processing may be electronic. This particularly applies if an applicant transfers relevant application documents to the controller electronically, e.g. via email or a form on a website. If the controller enters into an employment contract with an applicant, the transferred data will be stored for the purposes of processing the employment relationship in compliance with statutory regulations. If the controller does not enter into an employment contract with the applicant, the application documents shall be automatically deleted after two months from the notification of this decision insofar as the controller has no legitimate interest to the contrary. Another legitimate interest in this sense may comprise an obligation to provide evidence in a process under the General Equal Treatment Act (AGG).

11.    Data protection policies on the use of Facebook
The controller has integrated components provided by Facebook into this website. Facebook is a social network. A social network is a social meeting point operated on the internet, an online community that generally lets users communicate with one another and interact within a virtual space. A social network can be used as a platform for the exchanging of opinions and experiences or allow the online community to share personal or professional information. Facebook lets users of the social network create private profiles, upload photos and network via friend requests.

Facebook is operated by Facebook, Inc., 1 Hacker Way, Menlo Park, CA 94025, USA. If a data subject lives outside the USA or Canada, the controller responsible for the processing of personal data is Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland.

By visiting one of the pages of this website operated by the controller and on which Facebook components (Facebook plugins) are integrated, the browser on the data subject’s IT system will automatically download a visual of the relevant Facebook components from Facebook. An overview of all Facebook plugins is available here: developers.facebook.com. Within the scope of this technical process, Facebook finds out what specific subpages of our website the data subject has visited.

If the data subject is logged into Facebook at this time, Facebook will be able to recognise with each visit to our website and during the full duration of each visit which specific subpages of our website the data subject visits. This information is collected via the Facebook components and assigned to the data subject’s Facebook account. If the data subject uses one of the Facebook buttons integrated into our website, such as the ‘Like’ button, or comments, Facebook will allocate this information to the data subject’s personal Facebook user account and saves this personal data.

Facebook always receives information from the Facebook component regarding the data subject’s visit to our website if the data subject is logged into Facebook at the time of their visit to our website; this takes place regardless of whether the data subject clicks on the Facebook components or not. If the data subject does not want this type of transfer of information to Facebook to take place, they can prevent such transfer by logging out of their Facebook account before visiting our website.

The privacy policy published by Facebook at de- de.facebook.com/about/privacy/ provides insight into Facebook’s collection, processing and use of personal data. Furthermore, it also explains what settings can be used to protect the data subject’s privacy. There are also various applications that allow users to supress data transfer to Facebook. Such applications can be used by data subjects to supress data transfer to Facebook.

12.    Data protection on the use of Google Analytics (with anonymisation function)
The controller has integrated components of Google Analytics (with anonymisation function) into this website. Google Analytics is a web analysis service. Web analysis is the collection, gathering and evaluation of data regarding the visitors of websites. A web analysis service collects data, including from which website a data subject was referred (referrer), which website subpages were accessed and how often a subpage was viewed as well as the duration of this viewing. Web analysis is primarily used to optimise a website as well as for a cost-benefit analysis of online advertising.

Google-Analytics components are operated by Google Inc., 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, USA.

The controller uses the Google Analytics add-on ‘_gat._anonymizeIp’ for web analysis. This add-on is used to shorten and anonymise the IP address of the data subject’s internet connection if access to our website is from a European Union member state or European Economic Area.

The purpose of Google Analytics components is to analyse the stream of visitors to our website. Google uses the data and information obtained to evaluate the use of our website in order to provide us with online reports showing activities on our websites and to provide other services related to the use of our website.

Google Analytics places a cookie on the data subject’s IT system. Cookies have already been explained above. By placing the cookie, Google facilitates the analysis of the use of our website. By visiting one of the pages of this website operated by the controller and on which Google Analytics components are integrated, the browser on the data subject’s IT system will automatically transfer data to Google for the purposes of online analysis through the relevant Google Analytics component. As part of this technical process, Google becomes aware of personal data, such as the data subject’s IP address, which allows Google to track the origins of users and clicks as well as facilitating the payment of commission.

The cookie is used to store personal information, such as time of access, location from which access originated and the frequency of visits to our website by the data subject. For each visit to our website, this personal data, including the data subject’s IP address, is transferred to Google in the United States of America. This personal data is stored by Google in the USA. Google may pass the personal data collected using this technical process to third parties in some circumstances.

As outlined above, the data subject can prevent the storage of cookies by our website at any time using the appropriate settings in their internet browser so that the storage of cookies is rejected. Such browser settings would also prevent Google from placing a cookie on the data subject’s IT system. Furthermore, any existing Google Analytics cookies can be deleted using a browser or other software programme.

In addition, the data subject has the option of objecting to the website use data created by Google Analytics being collected and processed by Google, preventing this from happening. To do so, the data subject must download and install a browser add-on available here: tools.google.com/dlpage/gaoptout. This browser add-on tells Google Analytics via JavaScript that no data or information on visits to websites may be transferred to Google Analytics. The installation of the browser add-on is counted as an objection by Google. If the data subject’s IT system is deleted, reformatted or reinstalled at a later date, the data subject must reinstall the browser add-on in order to deactivate Google Analytics. If the browser add-on is uninstalled or deactivated by the data subject or another person within their sphere of influence, the browser add-on may be reinstalled or reactivated.

Further information and Google’s applicable privacy policy can be viewed here: www.google.de/intl/de/policies/privacy/and here: www.google.com/analytics/terms/de.html. Google Analytics is further explained here: www.google.com/intl/de_de/analytics/.

13.    Data protection provisions on the use of Google Remarketing
The controller has integrated Google Remarketing services on this website. Google Remarketing is a Google AdWords function that lets a business display advertising to internet users that have previously visited the company’s website. The integration of Google Remarketing therefore lets a company create user-specific advertising and display advertising relevant to the internet user’s interests as a result.

Google Remarketing services are operated by Google Inc., 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, USA.

The purpose of Google Remarketing is to display interest-based advertising. Google Remarketing lets us display adverts from the Google advertising network or have these displayed on other websites based on the individual needs and interests of internet users.

Google Remarketing places a cookie on the data subject’s IT system. Cookies have already been explained above. By placing this cookie, Google can recognise the visitor to our website when this party views other websites that are also part of the Google advertising network. Each time a website is viewed that hosts the Google Remarketing service, Google will automatically identify the data subject’s internet browser. Within the scope of this technical process, Google becomes aware of personal data, such as the user’s IP address and surfing behaviour, which Google uses to display interest-based advertising among other things.

The cookie is used to store personal information, such as the websites visited by the data subject. For each visit to our website, this personal data, including the data subject’s IP address, is transferred to Google in the United States of America. This personal data is stored by Google in the USA. Google may pass the personal data collected using this technical process to third parties in some circumstances.

As outlined above, the data subject can prevent the storage of cookies by our website at any time using the appropriate settings in their internet browser so that the storage of cookies is rejected. Such browser settings would also prevent Google from placing a cookie on the data subject’s IT system. Furthermore, any existing Google Analytics cookies can be deleted using a browser or other software programme.

In addition, the data subject has the opportunity to object to interest-based advertising by Google. To do so, the data subject must follow this link and adjust the desired settings: www.google.de/settings/ads.
Further information and Google’s applicable privacy policy can be viewed here: www.google.de/intl/de/policies/privacy/.

14.    Data protection provisions on the use of Google AdWords
The controller has integrated Google AdWords on this website. Google AdWords is an online advertising service that allows advertisers to advertise in Google search engine results as well as the Google advertising network. Google AdWords lets an advertiser define certain keywords in advance for which an advert will be displayed in the Google search engine results when a user requests a search result relevant to the keyword. The adverts are distributed across relevant websites using an automatic algorithm based on the previously established keywords.

Google AdWords services are operated by Google Inc., 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, USA.

The purpose of Google AdWords is to advertise our website by displaying relevant advertisements on the websites of third party companies and in Google search engine results as well as integrating third party advertising onto our website.

If a data subject is referred to our website by a Google ad, a conversion cookie will be stored on the data subject’s IT system. Cookies have already been explained above. Conversion cookies expire after thirty days and are not used to identify the data subject. As long as the cookie has not yet expired, the conversion cookie is used to establish whether certain subpages, such as the basket page of an online shop system, are visited on our website.
The conversion cookie lets us and Google track whether a data subject that has accessed our website through an AdWords advertisement generated revenue or not, i.e. whether checkout was completed or not.

The data and information collected by use of the conversion cookie is used by Google to create usage statistics for our website. These usage statistics are used by us to establish the total number of users referred to us via AdWords, i.e. the success of the relevant AdWords advertisement, and in order to optimise our AdWords adverts in future. Neither our company nor other advertising users of Google AdWords receives information from Google that could be used to identify the data subject.

The conversion cookie is used to store personal information, such as the websites visited by the data subject. For each visit to our website, this personal data, including the data subject’s IP address, is transferred to Google in the United States of America. This personal data is stored by Google in the USA. Google may pass the personal data collected using this technical process to third parties in some circumstances.

As outlined above, the data subject can prevent the storage of cookies by our website at any time using the appropriate settings in their internet browser so that the storage of cookies is rejected. Such browser settings would also prevent Google from placing a conversion cookie on the data subject’s IT system. Furthermore, any existing Google AdWords cookies can be deleted using a browser or other software programme.

In addition, the data subject has the opportunity to object to interest-based advertising by Google. To do so, the data subject must follow this link and adjust the desired settings: www.google.de/settings/ads. Further information and Google’s applicable privacy policy can be viewed here: www.google.de/intl/de/policies/privacy/.

15.    Data protection policies on the use of Instagram
The controller has integrated components provided by Instagram into this website. Instagram is a service qualified as an audiovisual platform, allowing users to share photos and videos as well as distribute such data within other social networks.

Instagram services are provided by Instagram LLC, 1 Hacker Way, Building 14 First Floor, Menlo Park, CA, USA.

By visiting one of the pages of this website operated by the controller and on which Instagram components (Insta button) are integrated, the browser on the data subject’s IT system will automatically download a visual of the relevant Instagram components from Instagram. Within the scope of this technical process, Instagram finds out what specific subpages of our website the data subject has visited.

If the data subject is logged into Instagram at this time, Instagram will be able to recognise with each visit to our website and during the full duration of each visit which specific subpages the data subject visits. This information is collected by the Instagram components and assigned to the data subject’s Instagram account. If the data subject uses one of the Instagram buttons integrated into our website, the data and information transferred will be allocated to their personal Instagram user account, and stored and processed by Instagram.

Instagram always receives information from the Instagram component regarding the data subject’s visit to our website if the data subject is logged into Instagram at the time of their visit to our website; this takes place regardless of whether the data subject clicks on the Instagram components or not. If the data subject does not want this type of transfer of information to Instagram to take place, they can prevent such transfer by logging out of their Instagram account before visiting our website.
Further information and Instagram’s applicable privacy policy can be accessed here: help.instagram.com/155833707900388 and here: www.instagram.com/about/legal/privacy/.

16.    Data protection policies on the use of Twitter
The controller has integrated components provided by Twitter into this website. Twitter is a multilingual, publicly accessible microblogging service on which users can publish and share Tweets, which are short messages limited to 280 characters. These short messages can be viewed by anyone, including those not registered with Twitter. These Tweets are also shown to the user’s followers. Followers are other Twitter users that follow all Tweets published by a user. Furthermore, Twitter allows the use of hashtags, links and Retweets to reach a wider audience.

Twitter is provided by Twitter, Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA.

By visiting one of the pages of this website operated by the controller and on which Twitter components (Twitter button) are integrated, the browser on the data subject’s IT system will automatically download a visual of the relevant Twitter components from Twitter. Further information about Twitter buttons can be accessed here: about.twitter.com/de/resources/buttons. Within the scope of this technical process, Twitter finds out what specific subpages of our website the data subject has visited. The purpose of the integration of Twitter components is to allow our users to share the content of this website, spread awareness of this website digitally and increase our visitor traffic.

If the data subject is logged into Twitter at this time, Twitter will be able to recognise with each visit to our website and during the full duration of each visit which specific subpages of our website the data subject visits. This information is collected by the Twitter components and assigned to the data subject’s Twitter account. If the data subject uses one of the Twitter buttons integrated into our website, the data and information transferred will be allocated to their personal Twitter user account, and stored and processed by Twitter.

Twitter always receives information from the Twitter component regarding the data subject’s visit to our website if the data subject is logged into Twitter at the time of their visit to our website; this takes place regardless of whether the data subject clicks on the Twitter components or not. If the data subject does not want this type of transfer of information to Twitter to take place, they can prevent such transfer by logging out of their Twitter account before visiting our website.
Twitter’s applicable privacy policy can be viewed here: twitter.com/privacy.

17.    Data protection policies on the use of YouTube
The controller has integrated components provided by YouTube into this website. YouTube is an internet video portal that lets video publishers freely provide video clips and allows other users to freely watch these, submit evaluations and comments. YouTube permits the publication of all kinds of videos on its internet portal, so complete films and television programmes may be shown alongside music videos, trailers and videos made by users themselves.

YouTube is operated by YouTube, LLC, 901 Cherry Ave., San Bruno, CA 94066, USA. YouTube, LLC is a subsidiary of Google Inc., 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, USA.

By visiting one of the pages of this website operated by the controller and on which YouTube components (YouTube video) are integrated, the browser on the data subject’s IT system will automatically download a visual of the relevant YouTube components from YouTube. Further information about YouTube can be found here: www.youtube.com/yt/about/de/. Within the scope of this technical process, YouTube and Google find out what specific subpages of our website the data subject has visited.

Insofar as the data subject is logged into YouTube at this time, YouTube shall become aware of the specific subpage of our website the data subject is visiting each time a subpage containing a YouTube video is accessed. This information is collected by YouTube and Google and assigned to the data subject’s YouTube account.

YouTube and Google always receive information from the YouTube components regarding the data subject’s visit to our website if the data subject is logged into YouTube at the time of their visit to our website; this takes place regardless of whether the data subject clicks on a YouTube video or not. If the data subject does not want this type of transfer of information to YouTube and Google to take place, they can prevent such transfer by logging out of their YouTube account before visiting our website.
The privacy policy published by YouTube is available at www.google.de/intl/de/policies/privacy/ and provides information about the collection, processing and use of personal data by YouTube and Google.

18.    Legal basis of processing
Article 6 I a of the GDPR serves as the legal basis of our company’s processing for which we obtain consent for a certain processing purpose. If the processing of personal data is required to fulfil a contract whereby the data subject is a contractual party, e.g. as is the case for processing necessary to deliver goods or provide services or counter-services, the processing is based on article 6 I b of the GDPR. The same applies to such processing that is required to carry out pre-contractual measures, e.g. in the case of requests for our products or services. If our company is subject to any legal obligation that requires the processing of personal data, e.g. to fulfil tax obligations, processing is based on article 6 I c of the GDPR. In rare cases, the processing of personal data may be required to protect the vital interests of the data subject or another natural entity. This would apply if a visitor was injured in our establishment and their name, age, health insurance information and any other vital information has to be passed onto a doctor, hospital or other third party. In this case, processing would be based on article 6 I d of the GDPR. Finally, processing may be based on article 6 I f of the GDPR. Processing is based on these legal foundations if none of the above legal bases can be established and when processing is required to uphold a legitimate interest of our company or a third party insofar as the data subject’s interests, fundamental rights or fundamental freedoms do not take precedence. Such processing is therefore particularly permitted as it has been expressly stated by European lawmakers. It therefore represents the concept that a legitimate interest could be assumed if the data subject is a customer of the controller (recital 47 sentence 2 of the GDPR).

19.    Legitimate interests for processing that may be pursued by the controller or a third party
If the processing of personal data is based on article 6 I f of the GDPR, our legitimate interest is the carrying out of our business for the wellbeing of all our staff and stakeholders.

20.    Duration for which personal data may be stored
The criterium for the duration for which personal data is stored is the relevant statutory retention period. After this period, the relevant data will be routinely deleted insofar as it is no longer required to fulfil or initiate a contract.

21.    Statutory or contractual regulations for the provision of personal data; requirement for conclusion of contract; data subject obligation to provide personal data; possible consequences of failure to provide
We must inform you that the provision of personal data may in part be required by law (e.g. tax regulations) or due to contractual requirements (e.g. information about contractual partner). Occasionally, the commencement of a contract may require that a data subject provide us with personal data that we must then process. The data subject is obliged, for example, to provide us with personal data if our company is entering into a contract with this party. Failure to provide personal data would result in the contract with the data subject not being able to commence. Before providing personal data, the data subject must contact one of our employees. Our employee can explain to the data subject whether the provision of their personal data in any particular case is required by law or for the contract, whether there is any obligation to provide personal data and what consequences there may be if personal data is not provided.

22.    Existence of automated decision-making
As a responsible business, we refrain from using any automated decision-making or profiling.

 

Online Booking Service

If you undertake a reservation on our website www.naudererhof.at, you can do so with the help of our online booking software, the “Webbox”, provided by the company Interalp Touristik GmbH. All personal information which you provide during the booking process (such as first name, last name, address, email address, specific personal information concerning your reservation, etc) will be transferred securely. This data will only be used and stored to process your reservation. The software provider Interalp Touristik obliges to handle your personal data with care and in accordance to the data protection regulations.

request
book