Kesselspitze GmbH & Co KG
Kesselspitze GmbH & Co KG with its headquarters in Alpenstraße 1 5562 Obertauern (hereinafter: “KESSELSPITZE” or “we” or “our”, “the controller” or “the data controller”) as owner of Hotel Kesselspitze 5*, respects the privacy of every person from whom it collects personal data. We would like to inform you about what personal data we collect as the data controller, for what purpose, how we protect the data and what your rights are.
DATA CONTROLLER AND LEGAL FRAMEWORK
As the data controller, KESSELSPITZE, is committed to protecting your personal data. The collection and storage of data is carried out in accordance with the provisions of REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter: “the Regulation”), TKG (Telecommunications Law 2021) and other regulations governing the subject area, which are applied in the Republic of Austria.
SCOPE OF APPLICATION
This Policy applies to any processing of personal data performed by KESSELSPITZE as the data controller, unless another policy or other KESSELSPITZE document prescribes otherwise for particular processing.
This Policy is divided into two parts: the General Section and the Specific Section.
The basic principles of personal data processing, contact details and other provisions specified in the General Section of this Policy are applied without exception to any personal data processing, regardless of whether such processing is specifically processed in the Specific Section of this Policy or not.
The Specific Section of the Policy deals, in more detail, with specific cases of data processing that represent the majority of all processing by KESSELSPITZE.
CONTACT FOR DATA PROTECTION REQUESTS
Regarding issues related to personal data protection and for the exercising of rights guaranteed by the Regulation, please contact KESSELSPITZE at any time via e-mail: email@example.com or by mail to the address Kesselspitze GmbH & Co KG, 5562 Obertauern, Alpenstraße 1.
All requests not related to data protection that are delivered to this address, e.g. offers of job candidates, booking inquiries for Hotel Kesselspitze 5*, etc. will be forwarded directly to the relevant departments.
PERSONAL DATA PROTECTION PRINCIPLES
KESSELSPITZE has recognised the principles of data processing as basic values that must be respected throughout the cycle of personal data processing, from their collection to their destruction or other cessation of processing. KESSELSPITZE processes data observing:
- Lawfulness – by processing data only if allowed by law and within the limits prescribed by law.
- Fairness – by considering the specifics of each relationship, applying all appropriate measures to protect personal information and privacy in general and not impeding data subjects in exercising their rights.
- Transparency – by informing data subjects about the processing of personal data. From the start of the data collection process, when data subjects are informed about all aspects of data processing, until its termination, data subjects are provided easy and fast access to their own data.
- Purpose limitation – by processing personal data for the purposes for which they were collected and for other purposes only if the conditions of the Regulation have been met. Data may be processed for matching purposes only considering (a) any link between the purposes of the collection of personal data and the purposes of the intended continuation of the processing; (b) the context in which the personal data was collected, in particular concerning the relationship between the data subjects and KESSELSPITZE; (c) the nature of the personal data; (d) the possible consequences for the data subjects of the intended continuation of processing; and (e) the existence of appropriate protection measures.
- Storage limitation – by storing data in a form which permits identification of data subjects for no longer than is necessary for the initial purposes, and longer only if permitted by the Regulation.
- Data minimisation – by processing data if adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. Particular attention is given to not collecting data for whose processing there is no justifiable reason.
- Accuracy – by keeping data accurate and up to date, and erasing inaccurate data within the scope of possibility.
- Integrity and Confidentiality – by using appropriate technical and organisational measures to ensure appropriate personal data protection, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage. Relevant measures are applied considering the risk of each type of data processing.
LEGALITY OF PERSONAL DATA PROCESSING
In order to respect the lawfulness of processing personal data, KESSELSPITZE processes personal data only if and to the extent that at least one of the following criteria is met:
- Processing is necessary for the performance of the contract to which the data subject is a party or in order to act at the request of the data subject prior to the conclusion of the contract; this is the most common purpose of data processing, with an existing contractual relationship or a contractual relationship in negotiation as its basis.
- Processing is necessary to comply with the legal obligations of the data controller. As a legal entity, KESSELSPITZE has a number of obligations prescribed by various regulations. These obligations include the collection and often the submission of data to public authorities.
- Processing is necessary for the legitimate interests of the data controller or a third party, except where those interests take precedence over the interests or fundamental rights and freedoms of data subjects requiring the protection of personal data, considering reasonable expectations of data subjects based on their relationship with the data controller, especially if the data subject is a child. In applying this legal basis, KESSELSPITZE assesses that the processing is appropriate to business needs, that it is the least invasive possible and that the interests of the data subjects do not exceed the legitimate interests of KESSELSPITZE or a third party. Examples of such processing are processing for administrative purposes, or the purposes of maintaining computer network security. The data subject always has the right to object to such processing in these situations.
- Processing is necessary to protect key interests of the data subject or other natural person. The right to personal data protection is not an absolute right and KESSELSPITZE equates it with other fundamental rights in accordance with the principle of proportionality.
- The data subject has consented to the processing of his or her personal data for one or more specific purposes. When processing personal data on the basis of consent, KESSELSPITZE provides that these are situations in which there are no formal or informal consequences for giving, refusing or denying consent. When processing is based on consent, the data subject may withdraw consent at any time without negative consequences. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
TYPES OF PERSONAL DATA PROCESSED
Special categories of personal data shall be processed only if the conditions set out in Article 9 of the Regulation are met.
Data relating to criminal convictions and offences shall be processed only under the control of an official authority and in accordance with Article 10 of the Regulation.
Personal data that are not included in the previous two groups: the kind of data that makes up most processed data. The most common types of data are identification and contact data such as name, surname, e-mail address and data that are related to your relation with us (accommodation etc.).
Most of the personal data that we collect is provided by the data subjects themselves. Therefore, we kindly ask you that you do not provide sensitive information (such as race or ethnic origin, political opinions, religious or philosophical beliefs, etc.) when this is not necessary. If you nevertheless provide sensitive information for any reason, you thereby give your express consent to the collection and use of such information in the ways described in this Policy or in the manner described at the time of disclosure of that information.
THE ROLE OF VALAMAR RIVIERA d.d.
KESSELSPITZE concluded with the company Valamar Riviera d.d. with its registered office in Poreč, Stancija Kaligari 1 OIB: 36201212847 (hereinafter: “Valamar”) a Contract in relation to the management of hotel and tourist facilities and contents (hereinafter: “Management Contract”) on the basis of which Valamar manages certain business segments of KESSELSPITZE.
For example, Valamar may manage the reservation function through the Valamar reservation centre (call centre) and via the website www.valamar.com, and in these cases Valamar is an independent data controller (and data subjects will be informed on the spot about that fact); however, all this information related to Hotel Kesselspitze 5* is and has to be also processed by KESSELSPITZE as owner and an independent data controller.
Furthermore, Valamar has a legitimate interest in the processing of personal data carried out for the purposes of direct marketing, primarily for the purpose of sending marketing messages (newsletters) by email, SMS and/or instant messaging platform (Viber, Whatsapp, etc.). On the basis of legitimate interest, Valamar may send different newsletters depending on the relationship that respondents have with Valamar or the facilities under Valamar’s management. For this purpose, personal data is collected from guests and persons who have asked for an offer or booked accommodation, persons who have participated in a prize game (should there be one), joined the Valamar loyalty programme, filled out a satisfaction questionnaire about accommodation or otherwise had a relationship with Valamar.
Following the above, in certain cases Hotel Kesselspitze 5* guests can expect to receive from Valamar newsletters containing information about all other hotels and facilities managed by Valamar, as well as accommodation quality questionnaires and other service emails. For Hotel Kesselspitze 5* guests, prize games can be organised from time to time by Valamar, in which case guests’ personal data will be collected only if guests decide to participate in the prize game.
Valamar’s Plus Club Loyalty Programme can be applied for KESSELSPITZE. The conditions of membership are contained in Valamar’s loyalty programme terms and conditions, which can be found at https://www.valamar.com/cmsmedia/loyalty/terms-conditions-en.pdf .
Also, on the basis of the Management Contract, Valamar has certain rights and obligations related to human resources, so in these cases Valamar has the right to process personal data of employees and candidates for employment in KESSELSPITZE for the purpose of managing the business processes in its hospitality operations.
DATA DELIVERY TO THIRD ENTITIES
KESSELSPITZE shares personal information with others only when permitted.
KESSELSPITZE is obliged by law to provide data to third parties, for example, delivering guest data and employee data to the competent institutions.
It is possible to deliver data to business entities – processors – who process the data upon the instruction of KESSELSPITZE, which acts as the data processor. Most often, these are KESSELSPITZE’s business partners who provide IT services, and who store certain data in their databases or have the opportunity to access personal data until the end of processing. In these cases a detailed contract shall be concluded with such subjects regarding their powers and obligations in the processing of personal data, in accordance with the requirements of the Regulation.
In certain situations, it is possible for external entities and KESSELSPITZE to jointly determine the purposes and methods of personal data processing, in which cases these external partners and KESSELSPITZE are joint data controllers. In these relations, the joint data controllers shall determine their responsibilities for complying with their obligations under the Regulation transparently, in particular with regard to the exercise of data subjects’ rights and their duties to respect the transparency of processing, unless such responsibilities are established by law.
A special case of data delivery to third parties is the fact that KESSELSPITZE has the Management Contract with Valamar (see chapter: ROLE OF VALAMAR RIVIERA d.d.).
If data are transferred to third countries as part of data processing, KESSELSPITZE ensures compliance with high protection standards in order to comply with the highest possible standard of personal data protection, in accordance with the strict requirements of the Regulation. Any transfer of personal data to third countries will be carried out in accordance with Chapter V of the Regulation.
DATA STORAGE PERIOD
Personal data are processed and stored for the period in accordance with applicable legal regulations when the retention obligation is prescribed (for example, accounting documents), and in situations where KESSELSPITZE is authorised to set retention periods, data is stored as long as necessary for the purposes for which personal data is processed taking into account the purpose of processing, the legitimate interests of KESSELSPITZE and the interests of the data subjects in the deletion of the data.
RIGHTS OF THE DATA SUBJECTS
Regardless of the basis for data collection, all data subjects can exercise the following rights free of charge within the limits prescribed by the Regulation:
Right to information: The data subject has the right to be informed about the processing and its purposes. KESSELSPITZE provides the data subjects with all the information necessary to ensure fair and transparent processing, considering the context of processing.
Right to erasure (“right to be forgotten”): The data subject has the right to request the deletion of personal data relating to him/her, without undue delay, in accordance with the terms of the Regulation. Should you wish this to take place, please send your request to us in writing, including an electronic form of communication. Please note that the request needs to specify what you wish to be deleted, since we can store your data on different legal bases. You have the right to request the deletion of personal data relating to you where one of the following grounds applies:
- the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
- the data subject withdraws the consent upon which the processing is based, and where there is no other legal ground for the processing;
- the data subject objects to the processing pursuant and there are no overriding legitimate grounds for the processing, or the data subject objects ;
- the personal data have been unlawfully processed;
- the personal data must be erased for compliance with a legal obligation;
- the personal data have been collected in relation to the offer of information society services.
In some cases, it will not be possible to fully comply with the deletion request, for example when there is a legal obligation for retention, when the legitimate interest of the controller takes precedence over the interest of the data subjects or when there is an interest of the data controller to set, enforce or defend legal claims.
Right of access: The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:
- the purposes of the processing;
- the categories of personal data concerned;
- the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
- where possible, the envisaged period for which the personal data will be stored, or, if that is not possible, the criteria used to determine that period;
- the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
- the right to lodge a complaint with a supervisory authority;
- where the personal data have not been collected from the data subject, any available information as to their source;
- the existence of automated decision-making, including profiling, and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
The controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form. The right to obtain a copy shall not adversely affect the rights and freedoms of others.
Right to rectification: The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Considering the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
Right to data portability: The data subject has the right to receive personal data relating to him or her in a structured, commonly used and machine-readable format in accordance with the requirements of Article 20 of the Regulation.
Right to object: The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time, to the processing of personal data concerning him or her that is based on public interest and legitimate interests, including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims. Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to the processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.
Right to restriction of processing: The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies:
- the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
- the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
- the controller no longer needs the personal data for the purposes of processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
- the data subject has objected to processing pending the verification of whether the legitimate grounds of the controller override those of the data subject.
In any case, data subjects also have the right:
- to submit a complaint time via email: firstname.lastname@example.org or by mail to the address Kesselspitze GmbH & Co KG, 5562 Obertauern, Alpenstraße 1
- to lodge a complaint with a supervisory authority (Austrian Data Protection Authority) if they believe that their rights to data protection have been violated.
KESSELSPITZE as the data controller has the right to protect the interests of the data controller as well as maintain the protection of the data subjects and accordingly has the right to carry out the activities of establishing the identity of the applicant. KESSELSPITZE has the right to publish a form that will be used to submit a request in order to process the request as efficiently as possible.
On request, KESSELSPITZE provides information on the actions taken in relation to the exercise of data subject’s rights without undue delay and in any case within one month from the date of receipt of the request. This period may be extended by an additional two months, considering the complexity and number of applications. KESSELSPITZE shall notify the data subject of any such extension within one month of the date of receipt of the request, together with the reasons for the postponement.
If the data subject submits the request electronically, KESSELSPITZE provides the information electronically if possible, unless the data subject requests otherwise.
The data subject’s request is generally not charged, but if the data subject’s request is manifestly unfounded or excessive, and in particular in the event of its frequent repetition, KESSELSPITZE is entitled to charge a reasonable fee based on administrative costs or refuse to act on the request.
PROTECTION OF PERSONAL DATA OF CHILDREN
KESSELSPITZE advises parents and guardians to teach children about safe and responsible handling of personal data, especially on the internet. In relation to the offer of information society services directly to a child, the processing of the personal data of a child shall be lawful where the child is at least 16 years old. Where the child is below the age of 16 years, such processing shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child.
PERSONAL DATA SOURCES
Also, KESSELSPITZE receives personal data from other natural and legal persons, for example from Valamar as a company that manages certain commercial aspects of business, from travel agencies that forward guest data for accommodation, guests who book accommodation for people with whom they will stay in the hotel, agencies for employment mediation and the assignment of workers, and from the holder of accommodation reservations for others’ guests, for whom the reservation is made.
TECHNICAL AND INTEGRATED DATA PROTECTION
KESSELSPITZE, as data controller, provides the highest organisational and technical standards of data protection. Therefore, considering the latest developments, the cost of implementation and the nature, scope, context and purposes of processing, as well as risks of different levels of probability and seriousness for the rights and freedoms of individuals arising from data processing, at the time of processing, appropriate technical and organisational measures to enable the effective application of the principles of data protection are applied.
Also, KESSELSPITZE implements appropriate technical and organisational measures to ensure that only personal data necessary for each specific processing purpose are processed in an integrated manner. KESSELSPITZE applies this measure to the amount of personal data collected, the scope of their processing, the retention period and their availability. Specifically, such measures ensure that personal data is not automatically, without the intervention of an individual, available to an unlimited number of individuals.
In the case of a personal data breach, as the data controller, KESSELSPITZE shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the competent supervisory authority, unless the personal data breach is unlikely to result in risk to the rights and freedoms of natural persons.
The report submitted to the supervisory authority shall contain all information prescribed by the Regulation.
In the event of a personal data breach that is likely to pose a high risk to the rights and freedoms of individuals, KESSELSPITZE, as the data controller, shall inform the data subjects of the personal data breach without undue delay. Sometimes, in cases where the Regulation prescribes, informing data subjects is not mandatory.
KESSELSPITZE’s main business activity is the provision of accommodation services in its Hotel Kesselspitze 5*. Therefore, KESSELSPITZE collects and processes your personal data for various purposes with the ultimate goal of providing quality accommodation and related services all according to the highest standards of tourism companies.
KESSELSPITZE, as the data controller, stores the personal data that you must provide for accommodation services in its database for the purpose of fulfilling accommodation contracts and fulfilling legal obligations related to the hospitality business. In the event you do not provide KESSELSPITZE with the minimum data required for booking accommodation and for the registration to all competent registers, KESSELSPITZE will not be able to provide you with booking services or accommodation services in accordance with the contract and law.
Certain information is necessary in order to act at the request of the data subject before concluding the accommodation contract. For example, before booking accommodation at the request of potential guests, you have to receive an offer, for which personal data is needed: at least name, surname and e-mail address.
The personal data that KESSELSPITZE collects when booking in order to fulfil the reservation obligation usually are:
- Name and surname of the reservation holder • Date of birth • Number, type and place of issue of identification document • Citizenship • Number of accommodation units and type of accommodation unit (room type) • Date of arrival and departure • Number of persons per accommodation unit • Minors • Possibly other specifics depending on the request of the person booking the accommodation • email address, if the person has one • Language • Phone number • Membership in the Valamar loyalty programme, if it affects the price of accommodation or collecting points • Payment method and possible additional information needed to execute the transaction or secure payment. In case of cancellation, we must save your data for the purpose of proving the reservation or cancellation.
Upon arrival at the Hotel Kesselspitze 5*, guests have to check in and confirm data.
In addition, KESSELSPITZE is obliged to keep all invoices, as well as the basis for issuing invoices issued to guests with the personal data of each guest in accordance with legal regulations.
Other data related to the circumstances of your stay, such as mode of travel, with whom you are travelling, marital status, number of children, pets, and other interests, will also be collected and processed during your stay only when they have a direct connection with the accommodation service.
Before, during and after your stay KESSELSPITZE as the data controller has the right based on legitimate interest to send you so-called service messages – booking confirmations, reminders and other information closely related to the specific stay you have booked. Also, during and after the stay, KESSELSPITZE as the data controller has the right based on legitimate interest to send to you guest questionnaires about service satisfaction via email, SMS and/or instant messaging platforms (Viber, Whatsapp, etc.) which will be processed by us or through associates. The primary purpose of the service satisfaction questionnaire is to collect service data for the legitimate interest of service improvement by KESSELSPITZE, and KESSELSPITZE may depersonalise and process this data from the questionnaire for statistical purposes.
KESSELSPITZE has the right, based on legitimate interest, to collect certain data and use it for direct marketing.
Service messages and messages with service satisfaction questionnaires related to a specific stay of the guest are not considered newsletters for the purpose of sending KESSELSPITZE marketing offers and news.
KESSELSPITZE as the data controller has a legitimate interest in implementing video surveillance measures to protect property and persons. We have marked all places where video surveillance is installed in the prescribed manner. We are aware that the videos contain personal data of all persons moving around the perimeter of the camera, and therefore we keep them with special care: we have a regulated system of security, availability and our internal safety rules. Special regulations governing the area apply to all other details related to video surveillance.
GETTING IN CONTACT WITH US
When you contact us via email or via one of the forms on our website, data are processed and stored in accordance with the processing purpose.
WEBSITE, COOKIES AND INTERNET TECHNOLOGIES
Visitors to the KESSELSPITZE website https://www.hotel-kesselspitze.at/ may obtain personal data that is used for the purposes for which they were provided in accordance with the information provided at the time of collection (or an obvious purpose that can be derived from the collection context). Users have control over the personal data they enter into web forms; the exception may be automatic processing due to cookies on the website as explained below.
If you do not agree with this practice, you can adjust your browser settings so that it will inform you before cookies are set. This will also enable you to permit specific cookies.
We use different types of cookies:
Cookies by function
- Essential cookies – they are necessary for the operation of the website, which cannot function without them. This means that a website cannot be opened or displayed without these cookies. These cookies are used for the purpose of transmitting communication or are necessary to provide an information society service that is explicitly required by the user of such a service. These cookies do not need and do not require your consent.
- Statistics cookies – these cookies enable basic analysis of web pages with the aim of improving the work of web pages through data that is completely anonymised, i.e. not based on your personal data or data that can be linked to you in any way. These cookies are used to analyse user behaviour and, on the basis of the anonymous data, can determine what website visitors view and want, so KESSELSPITZE is then able to customise the website and make its content and functionality as easy to use. These cookies require your consent.
- Marketing cookies – they are used to analyse your interests and wishes, and they serve the purpose of informing you about special and personalised offers, news and events organised through online channels (e-mail, internet, internet promotion). These cookies require your consent.
Cookies by source
- First-party cookies come from the internet site you are viewing, and can be permanent or temporary. With these cookies, internet sites can store data that will be used again upon the next visit to the internet site.
- Third-party cookies come from other internet sites, which are located on the internet site you are viewing. With these cookies, other internet sites can track internet usage on the internet site you are viewing for marketing or analytical purposes.
Cookies by duration
- Persistent cookies – Persistent or saved cookies remain on your computer after you close your internet browser program. They help internet sites store information, such as login and password, language settings, or cookie settings, so you do not have to re-enter them each time you visit. Persistent cookies can stay on your computer or mobile device for days, months, even years.
- Temporary cookies – Temporary cookies or session cookies are removed from your computer when you close your internet browser. They use internet sites to store temporary information, such as the last few pages you opened on the internet site you visited, or items in your shopping cart if you are on an internet site that specialises in internet sales.
Cookies are stored in the user’s browser for a maximum of 2 years.
If you have changed your mind about the cookie settings on our website, you can alter them at any time.
You can always delete cookies stored on your computer, thus preventing further processing of your personal data through such technology. Each web browser has its own procedure for deleting cookies, and below are links to deletion procedures in the most popular web browsers:
You can find more about cookies on the following pages:
In Obertauern, 08/07/2022.