According to Art. 4(1) GDPR, personal data means any information relating to an identified or identifiable natural person (e.g. name, date of birth, residential address, email address, billing data, IP address, etc.).

The controller within the meaning of the GDPR, other data protection laws applicable in the Member States of the European Union and other provisions of a data protection nature is

Burgenland Tourismus GmbH
Johann Permayer-Straße 13
A-7000 Eisenstadt
Tel.: +43 2682 633 840
Email: info@burgenland.info
Website: https://www.burgenland.info/

Group Data Protection Officer
Landesholding Burgenland GmbH,
Horst Lesacher, LL.M.
Tel.: +43 5 9010 8018
E-mail: datenschutz@landesholding-burgenland.at

The Burgenland Tourismus GmbH website uses cookies. Cookies are text files that are placed and stored on a computer system via an Internet browser. Many cookies contain a so-called cookie ID. A cookie ID is a unique identifier of the cookie. It consists of a string of characters that can be used to assign websites and servers to the specific internet browser in which the cookie was stored. This enables the websites and servers visited to distinguish the individual browser of the data subject from other Internet browsers that contain other cookies. A specific Internet browser can be recognized and identified via the unique cookie ID. Through the use of cookies, Burgenland Tourismus GmbH can provide users of this website with more user-friendly services that would not be possible without the setting of cookies.

By means of a cookie, the information and offers on our website can be optimized for the benefit of the user. As already mentioned, cookies enable us to recognize the users of our website. The purpose of this recognition is to make it easier for users to use our website. For example, the user of a website that uses cookies does not have to re-enter their access data each time they visit the website because this is taken over by the website and the cookie stored on the user's computer system. Another example is the cookie for a shopping basket in an online store. The online store remembers the items that a customer has placed in the virtual shopping cart via a cookie. The data subject can prevent the setting of cookies by our website at any time by means of a corresponding setting of the Internet browser used and thus permanently object to the setting of cookies. Furthermore, cookies that have already been set can be deleted at any time via an Internet browser or other software programs. This is possible in all common Internet browsers. If the data subject deactivates the setting of cookies in the Internet browser used, not all functions of our website may be fully usable.

Each time the Burgenland Tourismus GmbH website is accessed by a data subject, the following access data ("log files") provided by your internet provider is automatically collected, stored and analyzed using a website analysis tool:

- Internet service provider of the accessing system;
- IP address and IP location;
- browser type, version and operating system;
- referrer URL (previously and subsequently visited website);
- sub-websites which are accessed via an accessing system on our website;
- date, time and duration of access to the website (interactions) and
- other similar data and information used for security purposes in the event of attacks on our information technology systems.

When using this general data and information, Burgenland Tourismus GmbH does not draw any conclusions about the data subject. Rather, this information is required to
- correctly deliver the content of our website;
- optimize the content of our website and the advertising for it;
- ensure the long-term functionality of our information technology systems and the technology of our website and
- to provide law enforcement authorities with the information necessary for criminal prosecution in the event of a cyber attack.

Therefore, Burgenland Tourismus GmbH analyzes anonymously collected data and information statistically, with the aim of increasing the data protection and data security of our enterprise, and to ensure an optimal level of protection for the personal data we process. The anonymous data of the server log files are stored separately from all personal data provided by a data subject. The web server is located in Austria. The legal basis for this processing is the overriding legitimate interest of the controller pursuant to Article 6(1)(f) GDPR.

In order to achieve the above-mentioned purposes, it may be necessary for us to transfer your data to the following recipients on a case-by-case basis:
Recipient - Registered office (country) - Basis for third country transfer
PixelPoint - Austria -
Cookiebot - Copenhagen -

The website of Burgenland Tourismus GmbH contains information that enables a quick electronic contact to our enterprise, as well as direct communication with us, which also includes a general address of the so-called electronic mail (e-mail address). If a data subject contacts the controller by email, the personal data transmitted by the data subject is automatically stored. Such personal data transmitted on a voluntary basis by a data subject to the controller are stored for the purposes of processing or contacting the data subject. This personal data is not passed on to third parties.

On the website of the Burgenland Tourismus GmbH, users are given the opportunity to subscribe to our enterprise's newsletter. The input mask used for this purpose determines what personal data are transmitted to the controller when the newsletter is ordered. In addition, the behavior of the data subjects (e.g. click behavior in the newsletter, inquiry and booking behavior, etc.) and interest in individual products are processed for the purpose of advertising products offered in the form of an individual and specific newsletter.

We use the newsletter tool "NumBirds" from NumBirds CRM GmbH, Brixner Straße 3/3, A-6020 Innsbruck to send the newsletter. The data protection provisions published by NumBirds GmbH are available at numbirds.com/datenschutz/. Beyond this, the personal data collected as part of the newsletter service will not be passed on to third parties.

Burgenland Tourismus GmbH informs its customers and business partners at regular intervals by means of a general newsletter about company offers and news in the entire destination of Burgenland, including related offers, competitions and events. Furthermore, the data subjects receive individual and specific newsletters based on their responses in the general newsletter. The newsletter of our company can only be received by the data subject if (1) the data subject has a valid email address and (2) the data subject registers to receive the newsletter or if Burgenland Tourismus GmbH has an overriding legitimate interest in sending the newsletter as a result of a contractual relationship.

In the case of active registration for the newsletter, a confirmation email will be sent to the email address entered by a data subject for the first time for the newsletter mailing using the double opt-in procedure. This confirmation email is used to check whether the owner of the email address as the data subject has authorized the receipt of the newsletter. You will also receive our newsletter if you have provided us with your email address when making your booking or if you have ordered the Burgenland Card or brochures and vouchers via our website. The legal basis for this is the legitimate interest of the controller pursuant to Article 6(1)(f) GDPR.

When registering for the newsletter, we also store the IP address assigned by the Internet service provider (ISP) of the computer system used by the data subject at the time of registration, as well as the date and time of registration. The collection of this data is necessary in order to be able to trace the (possible) misuse of a data subject's e-mail address at a later date and therefore serves as legal protection for the controller.

The personal data collected when registering for the newsletter is used exclusively to send our newsletter. Furthermore, subscribers to the newsletter may be informed by e-mail if this is necessary for the operation of the newsletter service or a registration in this regard, as could be the case in the event of changes to the newsletter offer or in the event of a change in technical circumstances. The subscription to our newsletter can be canceled by the data subject at any time. The consent to the storage of personal data, which the data subject has given us for the newsletter dispatch, can be revoked at any time. There is a corresponding link in every newsletter for the purpose of revoking consent. It is also possible to unsubscribe from the newsletter at any time directly on the controller's website or to inform the controller of this in another way.

The newsletters of Burgenland Tourismus GmbH contain so-called tracking pixels. A tracking pixel is a miniature graphic that is embedded in e-mails sent in HTML format to enable log file recording and analysis. This allows a statistical evaluation of the success or failure of online marketing campaigns to be carried out. Based on the embedded tracking pixel, the Burgenland Tourismus GmbH may see if and when an e-mail was opened by a data subject, and which links in the e-mail were called up by data subjects. Such personal data collected via the tracking pixels contained in the newsletters are stored and evaluated by the data controller in order to optimize the newsletter dispatch and to adapt the content of future newsletters even better to the interests of the data subject.

Furthermore, as part of the processing of a current booking, customers receive transaction communications about the booked product and additional products by email to the contact details provided in the booking. Customers also receive regular product recommendations from us by email after the trip has been completed. Existing customers receive these product recommendations regardless of whether they have subscribed to a newsletter or whether they have consented to marketing communication by email. In this way, customers are informed about products from our range according to their respective interests.

The product recommendations by e-mail to existing customers are based on the legal basis of Art. 6 para. 1 lit. f GDPR in conjunction with the relevant national laws.

We use the "NumBirds" service from NumBirds CRM GmbH, A-6020 Innsbruck, Brixnerstraße 3/3 to create the newsletter and product recommendations. To protect the confidentiality of your personal data, we have concluded a data processing agreement with the company. However, your data will not be passed on to third parties beyond this. Data subjects are entitled to revoke the declaration of consent given via the double opt-in procedure at any time. After revocation, the personal data will be deleted by the controller. Burgenland Tourismus GmbH automatically regards a withdrawal from the receipt of the newsletter as a revocation.

The name, address, email address, telephone number, gender and age of the data subjects are processed when the controller carries out and runs competitions. The legal basis for the processing of personal data in the execution and processing of competitions is consent in accordance with Art. 6 para. 1 lit. a GDPR. The personal data of the data subjects will not be passed on to third parties, apart from the dispatch of prizes by Austrian Post. The personal data of the data subjects (with the exception of the winners) will be deleted immediately after the evaluation and termination of the competition, at the latest within 14 days. The personal data disclosed by the individual winners will be stored for the purpose of answering queries about the prizes and for the duration of the warranty period (but for no longer than 3 years from the date on which the prize is sent).

We use the web analysis service "Matomo" on our website, which is operated by InnoCraft Ltd, 150 Willis St, 6011 Wellington, New Zealand, NZBN 6106769, to anonymously analyze website usage by users. Among other things, a web analysis service collects data about the website from which a user came to a website (so-called "referrer"), which subpages of the website were accessed or how often and for how long a subpage was viewed. Web analysis is mainly used to optimize a website and for the cost-benefit analysis of Internet advertising.

Matomo is an open source software that we host on-premise on our own server (100% data ownership). In addition, we use the IP anonymization function offered by Matomo, which shortens the IPv4 network address by two bytes. This shortening eliminates the personal reference to your IP address and your personal usage data is therefore processed anonymously. We also activate the option "Replace user ID with pseudonym". It is therefore technically impossible for us to identify you personally. The Matomo software uses the anonymous information collected to analyze website usage and website activity and provides services related to Internet usage.

Further information on Matomo's data protection can be found at: https://matomo.org/privacy/.

We use the "Google Analytics" service on our website to analyze website usage by users, which is offered by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. The service uses "cookies" - text files that are stored on your end device (for cookies, see point 3.). Among other things, a web analysis service collects data about the website from which a data subject came to a website (so-called "referrer"), which subpages of the website were accessed or how often and for how long a subpage was viewed. Web analysis is mainly used to optimize a website and for the cost-benefit analysis of Internet advertising.

We always use the "gat._anonymizeIp" add-on (anonymization function) for web analysis via Google Analytics. By means of this addition, the IP address of the data subject's Internet connection is shortened and anonymized by Google Ireland Limited if our website is accessed from a member state of the European Union or from another state party to the Agreement on the European Economic Area. This truncation eliminates the personal reference to your IP address. Google Ireland Limited uses the information collected to analyze website usage and website activity and to provide services related to internet usage.

In addition, we use the extended feature "Google Signals" as part of "Google Analytics", which enables cross-device user tracking. This means that visits to a website can be assigned to a user, even if the user accesses the content via different devices. However, this requires that the user is logged into their Google profile - e.g. in the browser or on YouTube - and has also activated or agreed to the "personalized advertising" option in their Google account. It should be noted that we, as the website operator, receive the reports on cross-device user tracking from Google exclusively in anonymized form and we therefore do not process any personal data or user profiles.

The information generated may be transferred to Google's servers in the USA and stored there. Data processing in connection with Google Analytics incl. the extended feature "Google Signals" as well as any data transfer to the USA is based on your consent in accordance with Art. 6 para. 1 lit a in conjunction with Art. 49 para. 1 lit a GDPR via the cookie banner. You can revoke your consent at any time with effect for the future by adjusting your preferences under "Edit cookie settings" on our website. If you do not wish to use "Google Signals", you can deactivate the "personalized advertising" option in your Google account settings.

You can find more information on the use of data by Google Ireland Limited here: https://policies.google.com/privacy?hl=de

We use the service of the provider Google Ireland Limited ("Google") (Gordon House, Barrow Street, Dublin 4, Ireland) to manage website tags via a common tool. The Google Tag Manager tool itself (which implements the tags) is a domain that does not set cookies or collect any other personal data. The tool triggers other tags, which in turn may collect data. Google Tag Manager does not access this data. If a deactivation has been made at domain or cookie level, this remains in place for all tracking tags that are implemented with Google Tag Manager. Google is a certified partner of the EU-US Data Privacy Framework. The legal basis for (at least in some cases) data transfers to the USA is therefore an adequacy decision by the European Commission within the meaning of Art. 45 (3) GDPR. Art. 45 (3) GDPR, with which the European Commission certifies that the USA has an adequate level of data protection. Further information on Google's data protection at: https://www.google.com/policies/privacy/. More information on how Google uses personal data: https://business.safety.google/privacy/.

Our website uses the Google Maps service provided by Google Ireland Ltd (Gordon House, Barrow Street, Dublin 4, Ireland). This function makes it possible to display corresponding map material within our website. Your IP address and information on the browser version and language settings are transmitted to the servers of Google Ireland Ltd. According to Google's own information, the data is stored by Google for 1 year. There is a legitimate interest on our part iSd. Art. 6 (1) lit. f GDPR for the use of Google Maps. Our legitimate interest lies in a uniform and visually appealing presentation of our website and in a geographical presentation of the offers in our region. However, we only use Google Maps if you have consented to this. The legal basis for the processing of your data is therefore your consent in accordance with Art. 6 (1) lit. a GDPR. Google is a certified partner of the EU-US Data Privacy Framework. The legal basis for (at least occasional) data transfers to the USA is therefore an adequacy decision of the European Commission within the meaning of Art. 45 (3) GDPR. Art. 45 (3) GDPR, with which the European Commission certifies that the USA has an adequate level of data protection. You can find more information about Google's privacy policy at: https://www.google.com/intl/de/policies/privacy/. More information on how Google uses personal data: https://business.safety.google/privacy/.

The data controller has integrated Google Remarketing services on this website. Google Remarketing is a function of Google AdWords that enables a company to display advertisements to Internet users who have previously visited the company's website. The integration of Google Remarketing therefore allows a company to create user-related advertising and consequently to display advertisements relevant to the interests of the Internet user.

The operating company of the Google Remarketing services is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.

The purpose of Google Remarketing is to display interest-based advertising. Google Remarketing enables us to display advertisements via the Google advertising network or to have them displayed on other websites that are tailored to the individual needs and interests of Internet users.
Google Remarketing places a cookie on the information technology system of the data subject. What cookies are has already been explained above. By setting the cookie, Google is able to recognize the visitor to our website when he or she subsequently visits websites that are also members of the Google advertising network. Each time a website on which the Google Remarketing service has been integrated is accessed, the data subject's internet browser automatically identifies itself to Google. As part of this technical process, Google obtains knowledge of personal data, such as the IP address or the surfing behavior of the user, which Google uses, among other things, to display interest-relevant advertising.

Data processing in connection with Google Remarketing and any data transfer to the USA takes place on the basis of your consent in accordance with Art. 6 para. 1 lit. a in conjunction with Art. 49 para. 1 lit. a GDPR via the cookie banner. You can revoke your consent at any time with effect for the future by adjusting your preferences under "Edit cookie settings" on our website.

Cookies are used to store personal information, such as the websites visited by the data subject. Each time you visit our website, personal data, including the IP address of the internet connection used by the data subject, may be transmitted to Google in the USA. This personal data may be stored by Google in the USA. Google may pass on this personal data collected via the technical process to third parties.

The data subject may, as stated above, prevent the setting of cookies through our website at any time by means of a corresponding adjustment of the web browser used and thus permanently deny the setting of cookies. Such a setting of the Internet browser used would also prevent Google from placing a cookie on the data subject's IT system. In addition, a cookie already set by Google Analytics can be deleted at any time via the Internet browser or other software programs.
Furthermore, the data subject has the option of objecting to interest-based advertising by Google. To do this, the data subject must call up the link www.google.de/settings/ads from each of the Internet browsers they use and make the desired settings there.

Further information and the applicable data protection provisions of Google may be retrieved under www.google.de/intl/de/policies/privacy/.

The controller uses the CAPTCHA software solution (Completely Automated Public Turing Test to tell Computers and Humans Apart) from Captcha GmbH, FN 602312d, Muthgasse 2, 1190 Vienna as a security mechanism, which is also known as challenge-response authentication. Captcha GmbH acts as a contract data processor on behalf of the controller and provides the security mechanism in the form of a Software-as-a-Service (SaaS) service. During authentication, the user's IP address is transmitted to Captcha GmbH and deleted immediately after authentication. The controller has a legitimate interest in authentication within the meaning of Article 6(1)(f) GDPR.

The data controller has integrated Google Ads on this website. Google Ads is an internet advertising service that allows advertisers to place ads both in Google's search engine results and in the Google advertising network. Google Ads allows an advertiser to specify certain keywords in advance, which are used to display an ad in Google's search engine results only when the user uses the search engine to retrieve a keyword-relevant search result. In the Google advertising network, the ads are distributed to relevant websites using an automatic algorithm and taking into account the previously defined keywords.

The operating company of the Google Ads services is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.

The purpose of Google Ads is to advertise our website by displaying interest-relevant advertising on the websites of third-party companies and in the search engine results of the Google search engine and by displaying third-party advertising on our website.

If a data subject reaches our website via a Google ad, a so-called conversion cookie is stored on the data subject's IT system by Google. What cookies are has already been explained above. A conversion cookie loses its validity after thirty days and is not used to identify the data subject. If the cookie has not yet expired, the conversion cookie is used to track whether certain sub-pages, such as the shopping cart from an online store system, have been accessed on our website. The conversion cookie enables both us and Google to track whether a data subject who has reached our website via an Ads ad has generated sales, i.e. completed or canceled a purchase.

The data and information collected through the use of the conversion cookie is used by Google to compile visit statistics for our website. These visit statistics are in turn used by us to determine the total number of users who were referred to us via Ads ads, i.e. to determine the success or failure of the respective AdWords ad and to optimize our Ads ads for the future. Neither our company nor other Google Ads advertisers receive information from Google that could be used to identify the data subject.

Data processing in connection with Google AdWords and any data transfer to the USA is based on your consent in accordance with Art. 6 para. 1 lit. a in conjunction with Art. 49 para. 1 lit. a GDPR via the cookie banner. You can revoke your consent at any time with effect for the future by adjusting your preferences under "Edit cookie settings" on our website.

The conversion cookie is used to store personal information, such as the web pages visited by the data subject. Each time our website is visited, personal data, including the IP address of the internet connection used by the data subject, is therefore transmitted to Google in the USA. This personal data is stored by Google in the USA. Google may pass on this personal data collected via the technical process to third parties.

The data subject may, as stated above, prevent the setting of cookies through our website at any time by means of a corresponding adjustment of the web browser used and thus permanently deny the setting of cookies. Such a setting of the Internet browser used would also prevent Google from placing a conversion cookie on the data subject's IT system. In addition, a cookie already set by Google Ads can be deleted at any time via the Internet browser or other software programs.

Furthermore, the data subject has the option of objecting to interest-based advertising by Google. To do this, the data subject must call up the link https://adssettings.google.de/anonymous?hl=de from each of the Internet browsers they use and make the desired settings there.

Further information and the applicable data protection provisions of Google may be retrieved under www.google.de/intl/de/policies/privacy/.

On this website, the controller has integrated components of the enterprise Facebook. Facebook is a social network.
A social network is a social meeting place operated on the Internet, an online community that generally enables users to communicate with each other and interact in virtual space. A social network can serve as a platform for the exchange of opinions and experiences or enable the Internet community to provide personal or company-related information. Among other things, Facebook allows users of the social network to create private profiles, upload photos and network via friend requests.
The operating company of Facebook is Meta Platforms Ireland Ltd. 4 Grand Canal Square, Grand Canal Harbour Dublin 2 Ireland. If a data subject lives outside the USA or Canada, the controller for the processing of personal data is Meta Platforms Ireland Ltd. 4 Grand Canal Square, Grand Canal Harbour Dublin 2 Ireland.
Each time one of the individual pages of this website is accessed, which is operated by the controller and on which a Facebook component (Facebook plug-in) has been integrated, the Internet browser on the information technology system of the data subject is automatically prompted by the respective Facebook component to download a representation of the corresponding Facebook component from Facebook. A complete overview of all Facebook plug-ins can be accessed at developers.facebook.com/docs/plugins/. During the course of this technical procedure, Facebook gains knowledge of what specific sub-page of our website was visited by the data subject.
If the data subject is logged in at the same time on Facebook, Facebook detects with every call-up to our website by the data subject-and for the entire duration of their stay on our Internet site-which specific sub-page of our Internet page was visited by the data subject. This information is collected by the Facebook component and assigned by Facebook to the respective Facebook account of the data subject. If the data subject clicks on one of the Facebook buttons integrated on our website, for example the "Like" button, or if the data subject makes a comment, Facebook assigns this information to the personal Facebook user account of the data subject and stores this personal data.
Facebook always receives information via the Facebook component that the data subject has visited our website if the data subject is logged in to Facebook at the same time as accessing our website; this occurs regardless of whether the data subject clicks on the Facebook component or not. If the data subject does not want this information to be transmitted to Facebook, they can prevent the transmission by logging out of their Facebook account before accessing our website.
The data policy published by Facebook, which is available at de-de.facebook.com/about/privacy/, provides information about the collection, processing and use of personal data by Facebook. It also explains the settings options Facebook offers to protect the privacy of the data subject. In addition, various applications are available that make it possible to suppress the transmission of data to Facebook. Such applications can be used by the data subject to suppress data transmission to Facebook.

The data controller has integrated components of the Instagram service on this website. Instagram is a service that qualifies as an audiovisual platform and allows users to share photos and videos and also to redistribute such data in other social networks.
The operating company of the Instagram services is Meta Platforms Ireland Ltd. 4 Grand Canal Square, Grand Canal Harbour Dublin 2 Ireland.
With each call-up to one of the individual pages of this Internet site, which is operated by the controller and on which an Instagram component (Insta button) was integrated, the Internet browser on the information technology system of the data subject is automatically prompted to the download of a display of the corresponding Instagram component of Instagram. As part of this technical process, Instagram receives information about which specific subpage of our website is visited by the data subject.
If the data subject is logged in at the same time on Instagram, Instagram detects with every call-up to our website by the data subject-and for the entire duration of their stay on our Internet site-which specific sub-page of our Internet page was visited by the data subject. This information is collected by the Instagram component and assigned by Instagram to the respective Instagram account of the data subject. If the data subject clicks on one of the Instagram buttons integrated on our website, the data and information transmitted with it is assigned to the personal Instagram user account of the data subject and stored and processed by Instagram.
Instagram always receives information via the Instagram component that the data subject has visited our website if the data subject is logged in to Instagram at the same time as accessing our website; this takes place regardless of whether the data subject clicks on the Instagram component or not. If the data subject does not want this information to be transmitted to Instagram, they can prevent the transmission by logging out of their Instagram account before accessing our website.
Further information and the applicable data protection provisions of Instagram may be retrieved under help.instagram.com/155833707900388 and www.instagram.com/about/legal/privacy/.

The data controller has integrated YouTube components on this website. YouTube is an Internet video portal that allows video publishers to post video clips free of charge and other users to view, rate and comment on them, also free of charge. YouTube allows the publication of all types of videos, which is why complete film and television programs as well as music videos, trailers or videos made by users themselves can be accessed via the Internet portal.

The operating company of YouTube is YouTube, LLC, 901 Cherry Ave, San Bruno, CA 94066, USA. YouTube, LLC is a subsidiary of Google Inc., 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, USA.
Each time one of the individual pages of this website is accessed, which is operated by the controller and on which a YouTube component (YouTube video) has been integrated, the Internet browser on the information technology system of the data subject is automatically prompted by the respective YouTube component to download a representation of the corresponding YouTube component from YouTube. Further information about YouTube can be found at
under www.youtube.com/yt/about/de/. During the course of this technical procedure, YouTube and Google gain knowledge of what specific sub-page of our website was visited by the data subject.
If the data subject is logged in at the same time on YouTube, YouTube recognizes with each call-up to a sub-page that contains a YouTube video, which specific sub-page of our Internet site was visited by the data subject. This information is collected by YouTube and Google and assigned to the respective YouTube account of the data subject.
YouTube and Google always receive information via the YouTube component that the data subject has visited our website if the data subject is logged in to YouTube at the same time as accessing our website; this takes place regardless of whether the data subject clicks on a YouTube video or not. If the data subject does not want this information to be transmitted to YouTube and Google, they can prevent the transmission by logging out of their YouTube account before accessing our website.
The data protection provisions published by YouTube, which can be accessed at www.google.de/intl/de/policies/privacy/, provide information about the collection, processing and use of personal data by YouTube and Google.

Art. 6 para. 1 lit. a GDPR serves our company as the legal basis for processing operations for which we obtain consent for a specific processing purpose. If the processing of personal data is necessary for the performance of a contract to which the data subject is party, as is the case, for example, when processing operations are necessary for the supply of goods or to provide any other service or consideration, the processing is based on Art. 6 para. 1 lit. b GDPR. The same applies to such processing operations that are necessary to carry out pre-contractual measures, for example in cases of inquiries about our products or services. If our company is subject to a legal obligation which requires the processing of personal data, such as for the fulfillment of tax obligations, the processing is based on Art. 6 para. 1 lit. c GDPR. In rare cases, the processing of personal data may be necessary to protect the vital interests of the data subject or another natural person. This would be the case, for example, if a visitor were injured in our company and their name, age, health insurance data or other vital information would have to be passed on to a doctor, hospital or other third party. The processing would then be based on Art. 6 para. 1 lit. d GDPR. Ultimately, processing operations could be based on Art. 6 para. 1 lit. f GDPR. Processing operations that are not covered by any of the aforementioned legal bases are based on this legal basis if the processing is necessary to safeguard a legitimate interest of our company or a third party, provided that the interests, fundamental rights and freedoms of the data subject do not prevail. We are permitted to carry out such processing operations in particular because they have been specifically mentioned by the European legislator. In this respect, it took the view that a legitimate interest could be assumed if the data subject is a customer of the controller (Recital 47 Sentence 2 GDPR).

The criterion for the duration of the storage of personal data is the respective statutory retention period. After this period has expired, the corresponding data is routinely deleted, provided that it is no longer required for contract fulfillment or contract initiation.

The controller shall process and store the personal data of the data subject only for the period necessary to achieve the purpose of storage, or as far as this is granted by the European legislator or other legislators in laws or regulations to which the controller is subject to.

If the storage purpose no longer applies or if a storage period prescribed by the European legislator or another competent legislator expires, the personal data is routinely blocked or erased in accordance with the statutory provisions.

We would like to inform you that the provision of personal data is partly required by law (e.g. tax regulations) or may also result from contractual regulations (e.g. information on the contractual partner). Sometimes it may be necessary for a contract to be concluded for a data subject to provide us with personal data that must subsequently be processed by us. For example, the data subject is obliged to provide us with personal data if our company concludes a contract with them. Failure to provide the personal data would mean that the contract with the data subject could not be concluded. Before personal data is provided by the data subject, the data subject must contact one of our employees. Our employee will inform the data subject on a case-by-case basis whether the provision of the personal data is required by law or contract or is necessary for the conclusion of the contract, whether there is an obligation to provide the personal data and what the consequences would be if the personal data were not provided.

We process the behavior of the data subjects (e.g. click behavior in the newsletter, inquiry and booking behavior, etc.) as well as the interests of the data subjects in individual products for the purpose of advertising offered products in the form of an individual and specific newsletter (for more information, see point 7.). In addition to this individual and specific newsletter, the data subjects receive a general newsletter from Burgenland Tourismus GmbH.

The advantage for the data subject is that they receive advertising in which they are likely to be interested based on their behavior in the general newsletter. The data subject thus participates in advertising measures that are likely to be relevant to them, e.g. they receive more information about cycling and hiking trails as well as suitable events in the destination of Burgenland. For this purpose, the controller will process the personal master data, the e-mail address and the behavioral and interest data automatically in order to carry out individual and specific advertising and marketing measures.

This is data processing within the meaning of Art. 4(4) GDPR. The processing of personal aspects means the analysis of certain characteristics, e.g. to get to know certain leisure activities better. It should be noted that no assessments of the economic or social situation of data subjects are carried out. No location-based profiles are created about individual persons.

The legal basis for the processing of personal data by the controller is Article 6(1)(a) GDPR (consent). The data subject has the option of withdrawing their consent at any time - see point 29.

Furthermore, no profiling or automated decision-making takes place on our website.

As a data subject, you have the right to information about the processing of your personal data, correction, deletion, restriction, objection and data portability within the framework of the provisions of Art. 15 ff GDPR.

If we process your data on the basis of your consent, you have the right to revoke this consent at any time by sending an email to info@burgenland.info or by post to Burgenland Tourismus GmbH, Johann Permayer-Straße 13, 7000 Eisenstadt or to adjust your cookie settings yourself at any time. The legality of the data processing carried out up to this point in time is not affected by this in accordance with
Art. 7 Para. 3 GDPR.

If you believe that the processing of your data violates data protection law or your data protection claims have otherwise been violated in any way, you are free to lodge a complaint with the Austrian Data Protection Authority.

In the course of registering for the Burgenland Card, you have provided us with the following personal data (necessary mandatory data and, if applicable, voluntary data):

• First name and last name
• Title presented/subsequent
  
• Street, house number, postal code, city
  
• gender
  
• Date of birth
  
• E-mail address (mandatory for digital map)
  
• Permission for newsletter
  
• signature
  
• Length of stay (arrival/departure)
  
• assigned accommodation partner business
  
• IP address at registration (as part of online pre-registration).

When using the Burgenland Card, the following additional personal data is processed:

• Reference to the registration data and the accommodation partner business.
• Card ID
• Card number
• Date of issue
• Card status
• Validity period
• Service usage (first and last use, bookings, transaction logging, usage cycle, billing data).
• Card type (mobile or digital card, printed card)
• Duplicates (date of creation, number)
• Date of card blocking/unblocking.

The data is required to establish identity on the one hand and to determine the period of validity of the Burgenland Card at the respective partner business on the other hand, and to enable billing of the benefits between partner businesses, Burgenland Tourismus GmbH and, if applicable, the accommodation partner businesses.

The processing of data for the purpose of registration and processing of the Burgenland Card is based on your consent (Art 6 para 1 lit a DSGVO). Any consent given can be revoked by you at any time with effect for the future by sending an e-mail to datenschutz@burgenland.info or by post to Burgenland Tourismus GmbH, Johann Permayer-Straße 13, 7000 Eisenstadt.

The processing of data for the purpose of sending advertising by post, e.g. advertising of tourist products or offers and competitions (see point 6) is based on the legitimate interest (Art 6 para 1 lit f DSGVO) of us and our partner companies. You have the right to object to the use of your data for advertising purposes. You can then still make use of all tourist services of the partner businesses to the extent offered at a reduced rate or free of charge.

In order to provide you with an exemplary service, we may disclose your personal data to natural and legal persons who are, however, obliged to process this data in accordance with the legal data protection regulations. Also, certain personal information about you may be provided to other companies with whom we have partnered in the tourism industry or who work on our behalf to provide products and services to you on our behalf. These companies may help us process information, deliver products to you, manage and maintain customer data or provide customer service, evaluate your interest in our products and services, conduct customer research, or conduct customer satisfaction surveys. These companies are also required to protect your personal information in accordance with our Privacy Policy to protect privacy rights. Similarly, we may be required by law or legal process to disclose your personal information.

A contract on the commissioned processing of personal data has been concluded with all processors, in which each processor guarantees you and us that it has taken all necessary technical and organizational measures to protect your data in accordance with the law and to use it exclusively for processing the Burgenland Card. The processors process personal data exclusively on the instructions of Burgenland Tourismus GmbH and are only given access to personal data to the extent that this is absolutely necessary for the fulfillment of their tasks.

We only use such processors that are based within the European Union and are subject to the GDPR.

In order to claim benefits, you must present the Burgenland Card, on which your data is displayed, to the service provider and thus, in principle, also disclose your personal data yourself. Your personal data will be transmitted by us to partner companies (see www.card.burgenland.info) or vice versa for the purpose of administration and processing of the Burgenland Card, if and to the extent that the Burgenland Card is used within the scope of a business relationship of the cardholder with the respective partner company.

In the course of processing the Burgenland Card, the following recipients will have access to your personal data:

· Accommodation partner businesses (issuance and issue of the Burgenland Card)

· Public issuing office (issuing and issuing of the Burgenland Card)

· Service, bonus and super bonus partner businesses that provide services on the basis of the Burgenland Card and where you make use of Burgenland Card services (verification of the validity of the Burgenland Card and thus of the entitlement to receive services).

· Tourismusverband Nordburgenland, Tourismusverband Mittelburgenland-Rosalia, Tourismusverband Südburgenland (technical support for partner businesses)

· Feratel media technologies AG, Maria-Theresien-Straße 8, 6020 Innsbruck (Technical System Provider)

· Mag. Gerfried Fleckl, Pladenfeld 11, 5112 Lamprechtshausen (preparation of accounting documents)

· For the 2021/22 season: Neusiedler See Tourismus GmbH and its partner businesses (verification of the validity of the Burgenland Card and thus of the entitlement to receive services)

· eyepin GmbH, Billrothstraße 52, 1190 Vienna (as service provider for newsletter delivery)

· NumBirds CRM GmbH, Brixner Straße 3/3, 6020 Innsbruck, Austria (as service provider for the newsletter delivery)

· Other processors: e.g. printing company, Österreichische Post AG (production of printed materials and postal dispatch of same)

· Employees of Burgenland Tourismus GmbH

· Public-law auditing bodies (e.g.: Court of Audit)

· Data Protection Officer

· Legal representative

Burgenland Tourismus GmbH takes precautions, including administrative, electronic and physical procedures, to protect your personal information from loss, theft and misuse, as well as from unauthorized access, disclosure, alteration and destruction.

The personal data processed for the Burgenland Card will be stored until your revocation, otherwise deleted or anonymized after 36 (thirty-six) months from registration for the Burgenland Card. Longer storage only takes place if and insofar as this is necessary due to mandatory corporate or tax law retention obligations, or for purposes of evidence.

If your data is processed for the purpose of sending electronic mail (e.g.: newsletter), we will delete it until you revoke it, otherwise 36 months after you last contacted us.

Name, e-mail address, gender and age are processed by those responsible for sending the electronic (general) newsletter about tourist products or offers, events and competitions (also of the partner companies). In addition, the behavior of the data subjects (e.g. click behavior in the newsletter, inquiry and booking behavior, etc.) as well as the interest in individual products is processed for the purpose of advertising offered products in the form of an individual and specific newsletter (for more information, see point 25. of the general privacy policy).

The partner company has given us an undertaking that it will not send you any electronic advertising based on the personal data we have provided to it from the Burgenland Card system or based on the issue and use of a Burgenland Card service. If you should wish to do so, this can only be done on the basis of your own consent to the partner company.

The legal basis for sending newsletters during an ongoing contractual relationship and for a period of 3 years beyond the contractual relationship is the overriding legitimate interest of the responsible party pursuant to Art 6 para 1 lit f GDPR. Before the expiry of these 3 years, the data subject may give his or her express consent in accordance with Art 6 (1) a GDPR for the sending of newsletters, provided that he or she wishes to continue to be served with newsletters from Burgenland Tourismus GmbH. Consent given can be revoked by you at any time with effect for the future in writing by sending an e-mail to datenschutz@burgenland.info or by post to Burgenland Tourismus GmbH, Johann Permayer-Straße 13, 7000 Eisenstadt.

Burgenland Tourismus has created suitable technical and organizational measures to secure the personal data processed within the framework of the Burgenland Card against loss, destruction and unauthorized access. The measures also relate to the storage of the Cardholder's personal data as well as to their transmission between Burgenland Tourismus GmbH and the partner businesses.

You have the following data subject rights within the meaning of the GDPR: Right to information, right to rectification, right to erasure, right to restriction of data processing, right to data portability, right to object as well as the right to revocation.

If we process your data unlawfully, you have the right to lodge a complaint with the Austrian Data Protection Authority.

The Burgenland Card is administered jointly by Burgenland Tourismus GmbH and the partner businesses [1] in accordance with Art 26 GDPR. For this reason, an agreement on joint data processing pursuant to Art 26 GDPR was concluded regarding the data processing "Burgenland Card". The applicable legal basis for the processing of personal data for Burgenland Tourismus GmbH and the partner businesses is Art 6 para 1 lit b GDPR (contract performance).

Responsible for the exercise of the rights of the data subjects as well as the information obligations within the meaning of the General Data Protection Regulation as defined in Art. 4 No. 7 GDPR and the Data Protection Act is the:

Burgenland Tourismus GmbH
Johann Permayer Straße 13
7000 Eisenstadt
Tel. +43 2682 63384
E-Mail: info@burgenland.info

For inquiries regarding data protection, you are welcome to contact us by e-mail at datenschutz@burgenland.info or by mail at Burgenland Tourismus GmbH, Johann Permayer-Straße 13, 7000 Eisenstadt. The data protection officer of Burgenland Tourismus GmbH can be reached at datenschutz@landesholding-burgenland.at.

[1] Partner businesses is the umbrella term for accommodation partner businesses, service partner businesses, super bonus businesses and bonus partner businesses. Accommodation partner businesses are accommodations in Burgenland that offer guests the Burgenland Card.

Service, bonus and super bonus partner businesses offer Burgenland Card holders free services, bonus services or discounts.

Subject to change, as of 29.06.2022