data security

 

1.    General

This data protection info sheet informs you which personal data FMTG Services GmbH processes, in what way and for what purpose, in an automated manner, and what your rights as affected person (data subject) are.

2.    Controller (Responsible)

Controller (hereinafter referred to as “the Controller”) is the FMTG Services GmbH, Columbusplatz 7-8, A-1100 Vienna, Austria / Tel.: +43 (5) 09911 11 999 / Email: dataprotection@falkensteiner.com.

3.    Collection and processing of persona data 

The protection of your personal data is a matter of special importance to us. Your personal data will therefore only be processed to the extent that is permitted by law and required for the fulfillment of the respective purpose (registration, provision of services, medical treatments, fulfillment of legal obligations and legitimate interests, sending information material and advertising, sending a newsletter, customer analyzes).

Following personal data is collected and processed for the purpose of providing our services: 

1.    For the purposes of hotel registration and registration to the competent authority:

•    First name and last name
•    date of birth
•    place of birth
•    residence: city, state and zip code
•    nationality
•    gender (male or female)
•    ID type (ID card or passport) and ID number 
•    name of children: first and last name, date and place of birth, gender, nationality,
•    ID details of spouse


2.    For the purpose of fulfilling the contractual obligations and obligations deriving from the business relationship:

•    First name and last name,
•    gender, 
•    title, 
•    personal address,
•    nationality, 
•    region, 
•    telephone number, 
•    email-address, 
•    birthday, 
•    car plate number/ license plate, 
•    travel document, 
•    issuing authority, 
•    date of issue, 
•    expiry date, 
•    company, 
•    occupation, 
•    tax number, 
•    member or loyalty card, 
•    photo, 
•    remarks, 
•    family relationship to other profiles
•    name of spouse, date and place of birth,
•    allergies
•    special requirements
•    credit card/payment details 
•    copy of ID card for exchange office transactions
•    other ways of transportation: flight number, arrival time, GPS co-ordinates
•    guest preferences (sea view or park view, room type)
•    additional packages (baby sitter, wellness, …)
•    date of birth, various anniversaries, divorces, family death cases
•    room set up: romantic, corporate clients

We need your explicit consent in order to process the above-listed health data (allergies and special requirements). You can revoke your consent at any time. Please note that in the event that you do not give your consent or revoke it during our business relationship, we cannot fully provide our services, hence, you take advantage of our services at your own risk.

3.    For the purposes of providing health care services and/or medical treatment:

Following health data is mandatory for the risk-free performance of a diagnostic examination, for the professional medical treatment plan and for the daily support of our medical staff at the Hotel Grand MedSpa, Marienbad: general health information, information on allergies, diabetes, medications, hemophiliacs, anticoagulants, infectious diseases, pregnancy, operations (what and when), accidents (what and when), currently undergoing medical treatment, smoker (number of cigarettes per day), alcohol consumption (how much? how often?), insomnia, indigestion, complaints when urinating, heart disease (f.e. heart attack, Angina Pectoris, arrhythmia, heart pacemaker), circulatory diseases, epilepsy, headache, weight change of min. 2 kg during last 4 weeks, complaints in following areas: sense organs, nervous system, thorax, lung, abdominal organs, head, neck, heart, circulation, spinal column, limbs, varicose vein, blood pressure, pulse.

We need your explicit consent in order to process the above-listed health data. You can revoke your consent at any time. Please note that in the event that you do not give your consent or revoke it during our business relationship, we cannot fully provide our services, hence, you take advantage of our services at your own risk.

4.    For the purpose of being informed about offers and services of the Falkensteiner Group and to be contacted for customer surveys:

•    name
•    postal address 
•    mobile phone number 
•    e-mail address 

In doing so, we use the following communication channels: e-mail, post and sms

In order to inform you about offers and services and to contact you for customer surveys we need your consent which you give in a Double-Opt-In-form. Without providing us the data listed above (point 4.) and without giving your consent we cannot send you any information or contact you in this regard.   

5.    For the purpose of providing and improving the services and personalizing the offers and services to suit your needs (profiling): 

•    name
•    title
•    gender
•    date of birth
•    nationality
•    residence
•    spouse 
•    children 
•    dates of anniversaries, shoe and T-shirt size for MICE group participants
•    enrolling into animation activities (puzzle games, camps, competition …)

4.    Profiling

Profiling is the process in which a responsible person (data controller) collects process personal data for the purpose of providing and improving the services and personalizing the offers and services to suit guest’s needs. However, no decisions which could have legal effect or could harm you in any way will be made by automated means.
We can process the following data in our system Protel: Name, gender, title, personal address, nationality, region, telephone number, email-address, birthday, license plate, travel document, issuing authority, date of issue, expiry date, company, occupation, tax number, member card, photo, remarks, family relationship to other profiles. 
We can allocate the following reservation-related data to your profile: past reservations, future reservations, invoices, offers, confirmations, notes and questionnaires.
Personal data you provide will be processed until you revoke your consent. 
You can revoke your consent at any time, free of charge and without stating reasons at the hotel reception, by email to dataprotection@falkensteiner.com or by phone to number +43 (5) 09911 11 999

5.    Taking photos at events and courses 

We have a legitimate interest to take photos at events and courses and to publish them on our website for marketing purposes. 
If you do not agree with this, you can object to this processing and the publication any time at the hotel reception, by email to dataprotection@falkensteiner.com or by phone under +43 (5) 09911 11 999

6.    Video surveillance 
For the purpose of public security there may be video surveillance at the hotel entrance, hotel reception, exchange offices, kitchen areas, garage entrances, beach and pool-bars, area around wellness buildings and staff houses. Videos are stored on stand-alone hard disks at each location, and access is provided to external security companies, IT administration person and GM hotels.
Taken videos can be stored for the maximum period of 45 days (Croatia), 72 hours (Austria), 7-14 days (Czech Republic), 15 days (Slovakia) or 7 days (Italy).  Taken videos at the exchange office legally have to be stored minimum 72 hours in Croatia.
For the purpose of public security in tourist resorts, there may be a main entrance gate to the resort, where guest needs to provide the name and/ or reservation number in order to proceed, car registration plates/ license plates are input into registration list manually.

7.    Transmitting personal data to third parties 

Your personal data are not transmitted to third parties except in the following cases: 

-    when we are legally obliged to transmit the data based on e.g. Criminal Law, Criminal Procedure Law, 
-    for services outside the hotel area, upon your request (e.g. taxi, restaurant reservation, yacht,  etc.) 
-    in case of medical emergencies, data has to be transmitted to authorized medical personnel; 
-    based on your explicit, written consent; 
-    Individual hotels of the FMTG - Falkensteiner Michaeler Tourism Group AG (FMTG): you can request more details on the businesses (hotels) belonging to the FMTG which process your data on our website: www.falkensteiner.com or send your enquiries to dataprotection@falkensteiner.com.
For payment processing purposes, your bank details are forwarded to electronic payment services.


8.    Data processing on behalf of the Controller 

Where processing is to be carried out on behalf of the Controller by the Processor, the Controller remains liable for the protection of your personal data.  

All direct and indirect subsidiaries or sister companies of FMTG Services GmbH that are operating under the Brand “Falkensteiner Hotels & Residences” are Processors pursuant to the Art 28 GDPR. 
External Processors are arranged only to perform activities that are necessary to provide our services, such as mailing services, services provided by tourist agencies, tourist guides etc. All external Processors are committed to comply with the applicable data protection regulations.  Processing agreement based on Article 28 GDPR has been concluded with every external data processor. 

Your personal data is transmitted to the following external data processors:

-    Protel Hotelsoftware Austria GmbH
-    Reservation Assistant, TAC Informationstechnologie GmbH, Hartberg
-    Delegate Technology GmbH, Wien; contract for software maintenance
-    ProASP Professional Application Services Providing GmbH, Bad Vöslau
-    Elements.at New Media Solutions GmbH, Salzburg
-    Thomas International Österreich GmbH, Wien
-    Prescreen International GmbH, Wien
-    m.consulting Anita Maslo, Wien
-    HGC Hotellerie & Gastronomie Consulting GmbH, Innsbruck
-    A1 Telekom Austria AG, Wien
-    Rubatscher Steuerberatungs- und Wirtschaftsprüfungsgesellschaft m.b.H, Innsbruck
-    BMD Systemhaus GmbH, Steyr
-    Confida Süd Wirtschaftsprüfungsgesellschaft m.b.H, Graz
-    adserve digital advertising services GmbH, Wien
-    G.A. Service GmbH, Salzburg
-    Incert e-Tourismus GmbH & Co. KG, Linz
-    Workflow EDV GmbH, Wien
-    Die Socialisten – Social Software Development GmbH, Wien
-    Nexxchange GmbH, Wien
-    IB Grant Thornton Audit s.r.o., Bratislava, SK
-    Nexell GmbH, Zug, CH
-    Salesforce.com EMEA Limited, München, DE
-    AffiliRed S.L., Palma de Mallorca, ES
-    The Reach Group GmbH, Berlin, DE
-    Auditor spol. s.r.o., Prag, CZ
-    Laser Line d.o.o., Umag, HR
-    MC Sistemi d.o.o., Ljubljana, SLO 
-    BMB Leitner s.r.o., Bratislava, SK
-    Adria Scan d.o.o., Sveta Nedjelja, HR
-    Infolink d.o.o. Beograd, Belgrad, SRB
-    Metadata d.o.o., Belgrad, SRB
-    IRECKON U B.V. – Hospitality solutions, Amsterdam, NL
-    Miles & More GmbH, Frankfurt am Main, DE
-    Dailypoint Central Data Management, München, DE
-    Teodt, Dr. Selk & Coll. GmbH, München, DE 
-    Premiere Global Services, Inc. and subsidiaries // Premiere Conferencing Ireland Ltd; Cork, IRL
-    Adara Inc., London, UK
-    All About Cards S&K Solutions GmbH & Co. KG, 94032 Passau, DE
-    Revinate Inc., San Francisco, CA, USA
-    Facebook Inc., Menlo Park, CA, USA
-    Instagram Inc., San Francisco, CA, USA
-    Twitter Inc., San Francisco, CA, USA
-    YouTube LLC, San Bruno, CA, USA
-    Helmuth Thaler GmbH, Bruneck, Südtirol 

We primarily arrange external processors within the European Union. We will only arrange processors outside the European Union if (i) there is a European Commission adequacy decision for the third country concerned or (ii) we refer to the standard contractual clauses of the European Commission or (iii) if there are appropriate guarantees, e.g. the EU / US privacy shield with the third country or (iv) there are binding internal contractual data protection clauses with the processor.

For further information about the external processors you can send your enquiries to dataprotection@falkensteiner.com .

9.    Google Analytics

Our websites use Google Analytics, a web analytics service provided by Google Inc. ("Google"). Google Analytics uses so-called "cookies" (text files stored on users' computers) which allow an analysis of the website usage. The information generated by the cookies about the use of the websites by the users are usually transmitted to a Google server in the USA and are stored there.

In the case of the IP anonymization activation on our websites, the Google users IP address will be shortened beforehand within European Union member states or in other states members of the European Economic Area. Only in exceptional cases the full IP address will be transmitted to a Google server in the US and shortened there. IP anonymization is active on our websites. On behalf of the operator of our websites, Google will use this information to evaluate the use of the websites by the users, to compile reports on the website activities and to provide further services relating to website usage and internet usage to the website operator.
The shortened IP address provided by Google Analytics within the User Browser will not be merged with any other data provided by Google. Users can prevent the storage of cookies by the opt-out function on the Falkensteiner website or alternatively by an appropriate setting of their browser software; FMTG Services GmbH, however, points out to users that in this case, not all functions of our websites may be fully utilized. Furthermore, users can prevent the collection of data (including their IP address) generated by the cookies as well as the processing of this data by Google by downloading and installing the browser plug-in available under the following link: tools.google.com/dlpage/gaoptout.

For more information about Google data usage for advertising purposes, settings and opt-out options, please visit Google's websites: https://www.google.com/intl/en/policies/privacy/partners/ ("How Google uses information from sites or apps that use our services"),  www.google.com/policies/technologies/ads (" Use of data for promotional purposes "), www.google.com/settings/ads (" Managing information, the Google uses to show you advertising ") and www.google.com/ads/preferences/ ("Determine which Google advertising shows you").

10.    Duration of the processing 

We process your personal data, health data, data concerning allergies and other special requirements - if necessary - for the duration of the entire business relationship (from the initiation, performance to the termination of a business relationship and until all open claims in connection with the business relationship have been satisfied in full).
The above listed data will be stored and processed until you withdraw your consent to this processing. The withdrawal of your consent has no effect on the lawfulness of the data processing up to this time.
After the business relationship ends, your data will be stored until expiry of the warranty, limitation and compensation periods as well as until expiry of legally binding retention periods and upon termination of any legal dispute in which the data is required as proof.   
The data that you have provided us for marketing and information purposes, such as for sending a newsletter, is stored until you revoke your consent.

11.    Data security 

We are implementing technical and organisational measures to secure your personal data from accidental or intentional manipulation, loss, destruction, alteration and unauthorised disclosure as pursuant to the Article 28 of the General Data Protection Regulation. The security measures are being continuously improved in line with technical progress. 

12.    Your rights

With regard to the processing of your data, you may claim the following rights under the General Data Protection Regulation and the national data protection law: 

a.    Right of access

You have the right to obtain confirmation as to whether or not personal data concerning you is being processed. The confirmation contains the purposes of the processing, the categories of personal data concerned and recipients or categories of recipients to whom personal data have been or will be disclosed and the duration of the processing.

b.    Right to rectification

You have the right to obtain the rectification of inaccurate personal data concerning you and the right to have incomplete personal data completed, without undue delay. 

c.    Right to erasure 

You have the right to obtain the erasure of personal data concerning you without due delay when the personal data have been unlawfully processed, when the processing disproportionally interferes with your legitimate interests, when the personal data are no longer necessary in relation to the purposes for which they were collected and when you withdraw your consent on which the processing is based. Please note that there may be reasons that preclude immediate erasure, such as in the case of legal retention obligation.

d.    Right to restriction of processing 

You have the right to obtain the restriction of processing of your data when:
•    you contested the accuracy of the data, for a period enabling us to verify the accuracy of the data;
•    the processing is unlawful, you oppose the erasure and request the restriction of data usage instead;
•    we do no longer need the data for the purposes of the processing, but you require the data for the establishment, exercise or defense of legal claims, or 
•    you objected to processing of the data.
Where there is a request for the restriction of processing, this data will be processed only with your consent, or for the establishment, exercise or defense of legal claims.

e.    Right to data portability

You have the right to receive the personal data concerning you, which you provided to us, in a structured, commonly used and machine-readable format where:
•    we are processing the data based on your given and revocable consent or for a fulfillment of contract between us, and
•    the processing is carried out by automated means. 

f.    Right to object

You have the right to object, on grounds relating to your particular situation, at any time to processing of your personal data, necessary to safeguard your legitimate interests or legitimate interests of a third party. Your data shall no longer be processed unless there are compelling legitimate grounds for the processing which override your interests, rights and freedoms or the processing is necessary for the establishment, exercise or defense of legal claims. 

You have the right to object to be targeted by the direct marketing at any time without stating grounds for the objection. 

g.    The right to lodge a complaint 

If you are of the opinion that we are processing your data contrary to national or European data protection legislation, you can contact us at any time. You also have the right to contact the relevant data protection authorities and as from 25.05.2018 you can contact or lodge a complaint with a supervisory authority within the EU. 
h.    Asserting your rights 

In order to assert one of the aforementioned rights, please use the following contact options:
-    Email to: dataprotection@falkensteiner.com
-    Letter to: FMTG – Falkensteiner Michaeler Tourism Group AG
   c/o Data Protection Officer
   Columbusplatz 7-8
   AT-1100 Vienna
    
-    Call: Phone +43 (5) 09911 11 999

If we cannot identify you based on the data which we hold, it may be necessary to request additional information to determine your identity (e.g. ID with photo). Any questions you may have will help protect your rights and privacy.