Trust is important – particularly when it concerns your data. We consider ourselves obliged to manage your data with the utmost due care and to do everything to protect your information from misuse.
We strictly follow the data privacy guidelines during the collection and processing of your data. The following information explains in detail what data are collected during your visit to our website and how we use them.
2. What data are processed and from what sources do these data originate?
We shall process the personal data we receive from you within the parameters of a business relationship. In addition, we shall process the data we have permissibly received from other companies within the parameters of a concrete fulfilment of a contractual agreement and from publicly accessible sources (e.g. company register, association register, land register, media).
The personal data shall include:
Your personal information (name, address, contact data, birthdate, nationality, etc.)
Moreover, they may also include the following data:
- Order data (e.g. booking orders, shipping orders)
- Data from the fulfilment of our contractual obligation (e.g. sales data during payment transactions)
- Advertising and sales data
- Documentation data (e.g. logs of booking requests)
- Information from your electronic correspondence with INVENT
- Processing results which INVENT itself generates
- Data regarding the fulfilment of statutory and regulatory requirements
3. For what purposes and upon what legal basis are the data processed?
We shall process your personal data in accordance with the data privacy guidelines:
- In order to fulfil contractual obligations (Art. 6 Para. 1b GDPR): The processing of your data (personal data, Art. 4 No. 2 GDPR) shall be required so that we are able to process the purchase of our products as well as the brokerage of hotel services for you. In addition, we require them for the implementation of our contractual agreements with you and our partners as well as for the implementation of your orders.
The purposes of the data processing shall be primarily based upon the specific product (e.g. Urlaubsbox) and shall encompass, among others:
  - Requirements analyses
  - Consulting
  - Implementation of requests and bookings
You can find the concrete details of the purposes of the data processing in the respective contractual documents and business terms and conditions.
- In order to fulfil legal obligations (Art. 6 Para. 1c GDPR): Certain statutory obligations may require the processing of personal data. Such obligations can, for example, be derived from retention obligations or tax guidelines.
- Within the parameters of your consent (Art. 6 Para. 1a GDPR): If you have granted us consent for the processing of your personal data, processing shall be done only in accordance with the purposes specified in the Declaration of Consent and in the therein-agreed scope. Any consent that has been issued may be revoked at any time, effective then and in the future (e.g. you may object to the processing of your personal data for marketing and advertising purposes if you are no longer in agreement with that processing in the future).
- In order to safeguard legitimate interests (Art. 6 Para. 1f GDPR): If, in order to safeguard the legitimate interests of INVENT or of a third party, it should be necessary for your data to be processed beyond the fulfilment of the contractual agreement, then data processing shall be done in the following cases:
  - Auditing and optimisation of procedures for the purposes of requirements analysis and direct customer contact
  - Advertising or market and opinion research, insofar as you have not lodged an objection to the usage of your data in accordance with Art. 21 GDPR
  - Telephone call recordings and logging of conversations (e.g. for complaints)
  - Measures for the purposes of business management and the continued development of services and products
  - Measures for the protection of employees
  - For legal prosecutions
4. Who receives your data?
Within INVENT, those departments or employees shall receive your data who require them for the fulfilment of the contractual, statutory and supervisory obligations and to safeguard legitimate interests, as well as any contracted data processors we have commissioned (particularly IT, as well as back office service providers) to process your data insofar as they require them for the fulfilment of their respective tasks. All contracted data processors shall be accordingly contractually obliged to handle your data confidentially and process them only for the purpose of rendering the contractual services.
For booking requests to our hotel partners, we shall transmit the data required for the booking requests to these hotel partners.
Insofar as a statutory or supervisory law obligation exists in this regard, public offices and institutions may also receive your personal data.
5. How long are your data stored and processed?
For the duration of the entire business relationship (from the initiation to the implementation to the ending of a contractual agreement), as well as beyond in accordance with the statutory retention and documentation obligations. They shall be based upon, among others:
- The Austrian Commercial Code (UGB)
- The Austrian Federal Fiscal Code (BAO)
In addition, with regards to the storage duration, the legal statute-of-limitations periods must be taken into consideration. In some cases, in accordance with the Austrian General Civil Code (ABGB), these may amount to up to 30 years (the general statute-of-limitations period is three years).
6. What data privacy rights do you have?
You shall have, at any time:
- The rights of information, correction, deletion or restriction of the processing of your stored data
- A right of objection to the processing
- A right of data portability in accordance with the requirements of data privacy law
- You may submit complaints to the Austrian Data Protection Agency: www.dsb.gv.at
7. Are you obliged to provide data?
You must provide those personal data which are required for the initiation and implementation of our business relationship and which we are obliged to collect by law.
Insofar as you do not wish to provide us with these data, as a rule, we must reject the conclusion of the contractual agreement or the implementation of the order. In this case, we may also no longer implement an existing contractual agreement and must consequently end it.
However, you shall not be obliged to grant consent for the processing of those data which are not relevant for contractual fulfilment and/or not required by law and/or government regulations.
8. Is there automated decision-making, including profiling?
We shall use no automated decision-making, in accordance with Art. 22 GDPR, in order to render a decision regarding the substantiation and implementation of the business relationship.
9. Cookies, retargeting and web analytics
In order to design our offerings to be as convenient as possible for you, cookies are used. Cookies are small text files which enable identification of the user during subsequent visits to the website. You may prevent the installation of cookies by correspondingly adjusting the settings on your browser software.
In order to analyse and improve the layout and the navigation of our Internet site as well as to customise it to the requirements of our customers and provide you with tailored advertising offerings suitable for your individual requirements, we have commissioned various service providers (Google, Mouseflow, Criteo) to create records via cookies on the INVENT websites. In so doing, our service providers receive only anonymous data and are not able to create correlations to your person.
As a result, INVENT shall receive statistical evaluations which we shall use in order to analyse the requirements-based design of our website.
For the purpose of individual and improved newsletter design, we shall link various communication channels while using cookies, which enable us to notify our newsletter subscribers of requirement-based and current products and offers. The records created shall serve merely for the purpose of analytical evaluations and shall not be passed on to unauthorised third parties.
You shall nonetheless have the option of objecting to these recordings and not using the aforementioned services:
Please keep in mind that, in the case that you lodge an objection, you may not be able to comprehensively use all functions of our website. By using this website, you hereby declare your consent for the processing of the data collected about you by our service providers.
10. Social media
On our website, we utilise the c’t project Shariff. Shariff shall replace the customary share buttons for the social networks and shall thus protect surfing behaviour.
Shariff shall integrate the share buttons for the social networks into our website merely as a graphic which contains a link to the corresponding social network. By clicking on the corresponding graphic, you will be guided to the service of the respective network. The Shariff button only creates direct contact between the social network and our visitors if a visitor actively clicks on the share button. Only then shall your data be transmitted to the respective social network. If, conversely, the Shariff button is not clicked, no data exchange whatsoever shall be undertaken between you and the social networks. You can find additional information about the c’t project Shariff at http://www.heise.de/ct/artikel/Shariff-Social-Media-Buttons-mit-Datenschutz-2467514.html.
We have integrated the following social networks with Shariff into our website: Facebook, Google+, Instagram, Twitter and YouTube.
11. Integration of the Trusted Shops Trustbadge
In order to display our Trusted Shops quality seal and any amassed ratings as well as for the offering of the Trusted Shops products for buyers after an order is made, the Trusted Shops Trustbadge has been integrated into this website. Within the parameters of a balancing of interests, this serves the purpose of safeguarding our prevailing legitimate interests in optimal marketing of our offerings. The Trustbadge and the promoted services are an offering from Trusted Shops GmbH, Subbelrather Str. 15C, 50823 Cologne, Germany.
When accessing the Trustbadge, the web server automatically stores a server log file, which, for example, contains your IP address, the date and time of day of access, transferred data quantity and the inquiring provider (access data) and also documents the access. These access data shall not be evaluated and shall automatically be overwritten by no later than seven days after the end of your webpage visit.
Additional personal data shall be transmitted to Trusted Shops merely insofar as you, after concluding an order, have opted for the usage of Trusted Shops products or have already registered for the usage. In this case, the contractual agreement concluded between you and Trusted Shops shall be valid.
12. Offers from Sovendus GmbH
For the selection of a current voucher offer that is interesting to you, we shall transmit the hash value of your e-mail address and your IP address to Sovendus GmbH, Moltkestr. 11, 76133 Karlsruhe, Germany (Sovendus) (Art. 6 Para. 1 f GDPR) in pseudonymised and encrypted form. The pseudonymised hash value of the e-mail address shall be used by Sovendus in order to take into consideration any possible objection to advertising (Art. 21 Para. 3, Art. 6 Para. 1 c GDPR). The IP address shall be used by Sovendus exclusively for the purposes of data security and, as a rule, anonymised after seven days (Art. 6 Para. 1 f GDPR). Moreover, for accounting purposes, we shall transmit the following in pseudonymised form to Sovendus: order number, order value with currency, session ID, coupon code and time stamp (Art. 6 Para. 1 f GDPR). If you are also interested in a voucher offer from Sovendus, no objection to advertising exists for your e-mail address and you click on the voucher banner that is displayed, then and only then shall we transmit the following in encrypted fashion to Sovendus in order to prepare the voucher: form of address, name and your e-mail address (Art. 6 Para. 1 b, f GDPR).
You can find additional information regarding the processing of your data by Sovendus by reviewing the online data privacy guidelines at www.sovendus.at/datenschutz.
13. Data security
Your data security is our highest concern. Our declared goal is to undertake all required technical and organisational measures in order to guarantee the security of the data processing and to process your personal data in such a manner that they are protected from unauthorised third-party accesses. By using the most modern security software, coding and encryption procedures, our IT infrastructure meets the international security standards. In addition, we shall promote the security of your data by utilising risk-minimising measures and preventative protection measures.