Data Protection
Information according to the EU General Data Protection Regulation (GDPR)
If this is the case, the data subject also has the right to obtain information about the appropriate safeguards related to the transfer. If a data subject wishes to exercise this right to information, they can contact our data protection officer at any time.
c) Right to rectification
Every data subject affected by the processing of personal data has the right granted by the European Directive and Regulatory Authority to demand the immediate correction of inaccurate personal data concerning them. Furthermore, the data subject has the right, taking into account the purposes of the processing, to request the completion of incomplete personal data - including by means of a supplementary statement. If a data subject wishes to exercise this right of rectification, they can contact our data protection officer at any time.
d) Right to erasure (right to be forgotten)
Every data subject affected by the processing of personal data has the right granted by the European Directive and Regulatory Authority to demand that the personal data concerning them be deleted immediately if one of the following reasons applies and to the extent that the processing is not necessary:
- The personal data have been collected or otherwise processed for purposes for which they are no longer necessary.
- The data subject withdraws their consent, on which the processing pursuant to Art. 6 para. 1 letter a DSGVO or Art. 9 para. 2 letter a DSGVO is based, and there is no other legal basis for the processing.
- The data subject objects to the processing pursuant to Art. 21 para. 1 DSGVO, and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Art. 21 para. 2 DSGVO.
- The personal data have been unlawfully processed.
- The deletion of personal data is necessary to fulfil a legal obligation under Union law or the law of the Member States to which the controller is subject.
- The personal data have been collected in relation to information society services offered in accordance with Art. 8 para. 1 DSGVO.
If one of the above reasons applies and a data subject wishes to have the personal data stored by Apparthotel Sonne GmbH & Co KG deleted, they can contact our data protection officer at any time. The data protection officer of Apparthotel Sonne GmbH & Co KG or another employee will ensure that the deletion request is immediately complied with. If the personal data of Apparthotel Sonne GmbH & Co KG have been made public and our company is obliged as the controller pursuant to Art. 17 para. 1 DSGVO to delete the personal data, Apparthotel Sonne GmbH & Co KG will, taking into account available technology and implementation costs, take appropriate measures, including of a technical nature, to inform other data controllers processing the published personal data that the data subject has requested the deletion of all links to this personal data or of copies or replications of this personal data, to the extent that the processing is not necessary. The data protection officer of Apparthotel Sonne GmbH & Co KG or another employee will take the necessary steps in individual cases.
e) Right to restriction of processing
Every data subject affected by the processing of personal data has the right granted by the European Directive and Regulatory Authority to request the controller to restrict processing if one of the following conditions is met:
- The data subject disputes the accuracy of the personal data for a period that allows the controller to verify the accuracy of the personal data.
- The processing is unlawful, the data subject opposes the deletion of the personal data and requests instead the restriction of the use of the personal data.
- The controller no longer needs the personal data for the purposes of the processing, but the data subject needs them for the assertion, exercise or defence of legal claims.
- The data subject has objected to the processing pursuant to Art. 21 para. 1 DSGVO and it is not yet clear whether the legitimate grounds of the controller outweigh those of the data subject.
If one of the above conditions is met and a data subject wishes to request the restriction of personal data stored by Apparthotel Sonne GmbH & Co KG, they can contact our data protection officer at any time. The data protection officer of Apparthotel Sonne GmbH & Co KG or another employee will initiate the restriction of processing.
f) Right to data portability
Every data subject affected by the processing of personal data has the right granted by the European Directive and Regulatory Authority to receive the personal data concerning them, which have been provided by the data subject to a controller, in a structured, commonly used and machine-readable format. They also have the right to transmit this data to another controller without hindrance from the controller to whom the personal data have been provided, provided that the processing is based on consent pursuant to Art. 6 para. 1 letter a DSGVO or Art. 9 para. 2 letter a DSGVO or on a contract pursuant to Art. 6 para. 1 letter b DSGVO and the processing is carried out by automated means, provided that the processing is not necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. Furthermore, in exercising their right to data portability pursuant to Art. 20 para. 1 DSGVO, the data subject has the right to have the personal data transmitted directly from one controller to another, where technically feasible and provided that this does not adversely affect the rights and freedoms of others. To exercise the right to data portability, the data subject can contact the data protection officer appointed by Apparthotel Sonne GmbH & Co KG or another employee at any time.
g) Right to object
Every data subject affected by the processing of personal data has the right granted by the European Directive and Regulatory Authority to object at any time, for reasons arising from their particular situation, to the processing of personal data concerning them carried out on the basis of Art. 6 para. 1 letters e or f DSGVO. This also applies to profiling based on these provisions. Apparthotel Sonne GmbH & Co KG will no longer process the personal data in the event of an objection, unless we can demonstrate compelling legitimate grounds for the processing that override the interests, rights and freedoms of the data subject, or the processing serves to assert, exercise or defend legal claims. If Apparthotel Sonne GmbH & Co KG processes personal data to engage in direct marketing, the data subject has the right to object at any time to the processing of personal data for the purpose of such advertising. This also applies to profiling, insofar as it is related to such direct marketing. If the data subject objects to Apparthotel Sonne GmbH & Co KG processing for direct marketing purposes, Apparthotel Sonne GmbH & Co KG will no longer process the personal data for these purposes. The data subject also has the right, for reasons arising from their particular situation, to object to the processing of personal data concerning them by Apparthotel Sonne GmbH & Co KG for scientific or historical research purposes or for statistical purposes pursuant to Art. 89 para. 1 DSGVO, unless such processing is necessary for the performance of a task carried out in the public interest. To exercise the right to object, the data subject can directly contact the data protection officer of Apparthotel Sonne GmbH & Co KG or another employee. The data subject is also free to exercise their right to object in connection with the use of information society services, notwithstanding Directive 2002/58/EC, using automated procedures where technical specifications are used.
h) Automated individual decision-making, including profiling
Every data subject affected by the processing of personal data has the right granted by the European Directive and Regulatory Authority not to be subject to a decision based solely on automated processing - including profiling - which has legal effect concerning them or significantly affects them in a similar way, unless the decision (1) is necessary for the conclusion or performance of a contract between the data subject and the controller, or (2) is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject's rights, freedoms and legitimate interests, or (3) is made with the data subject's explicit consent. If the decision (1) is necessary for the conclusion or performance of a contract between the data subject and the controller or (2) is made with the data subject's explicit consent, Apparthotel Sonne GmbH & Co KG will take appropriate measures to safeguard the data subject's rights, freedoms and legitimate interests, including at least the right to obtain the intervention of a person from the controller, to state their own position and to challenge the decision. If the data subject wishes to assert rights relating to automated decisions, they can contact our data protection officer at any time.
i) Right to revoke consent to data processing
Every data subject affected by the processing of personal data has the right granted by the European Directive and Regulatory Authority to withdraw consent to the processing of personal data at any time. If a data subject wishes to exercise their right to revoke consent, they can contact our data protection officer at any time.
11. Data protection for applications & in the application process
The data controller collects and processes the personal data of applicants for the purpose of handling the application process. Processing can also take place electronically. This is particularly the case if an applicant submits corresponding application documents electronically, for example by email or via a web form on the website, to the controller. If the controller concludes an employment contract with an applicant, the data transmitted will be stored for the purpose of processing the employment relationship in compliance with legal requirements. If the controller does not conclude an employment contract with the applicant, the application documents will be automatically deleted two months after notification of the rejection decision, provided that deletion does not conflict with other legitimate interests of the controller. Other legitimate interest in this sense is, for example, the burden of proof in a procedure under the General Equal Treatment Act (AGG).
12. Legal basis for processing
Art. 6 I lit. a DSGVO serves as the legal basis for processing operations for which we obtain consent for a specific processing purpose. If the processing of personal data is necessary to fulfil a contract to which the data subject is a party, as is the case, for example, with processing operations necessary for the delivery of goods or the provision of another service or consideration, the processing is based on Art. 6 I lit. b DSGVO. The same applies to processing operations that are necessary to carry out pre-contractual measures, such as in cases of inquiries about our products or services. If our company is subject to a legal obligation requiring the processing of personal data, such as for the fulfilment of tax obligations, the processing is based on Art. 6 I lit. c DSGVO. In rare cases, the processing of personal data may be necessary to protect the vital interests of the data subject or another natural person. This would be the case, for example, if a visitor to our premises were injured and his name, age, health insurance data or other vital information would have to be passed on to a doctor, hospital or other third party. Then the processing would be based on Art. 6 I lit. d DSGVO. Finally, processing operations could be based on Art. 6 I lit. f DSGVO. Processing operations not covered by any of the aforementioned legal bases are based on this legal basis if processing is necessary to safeguard a legitimate interest of our company or a third party, provided that the interests, fundamental rights and freedoms of the data subject do not override. Such processing operations are particularly permissible because they have been specifically mentioned by the European legislator. He took the view that a legitimate interest could be assumed if the data subject is a customer of the controller (Recital 47 sentence 2 DSGVO).
13. Legitimate interests pursued by the controller or a third party
If the processing of personal data is based on Article 6 I lit. f DSGVO, our legitimate interest is to carry out our business activities for the benefit of the well-being of all our employees and shareholders.
14. Duration for which the personal data will be stored
The criterion for the duration of the storage of personal data is the respective legal retention period. After the expiry of the period, the relevant data will be routinely deleted, provided they are no longer required for the fulfilment of a contract or the initiation of a contract.
15. Legal or contractual provisions for providing personal data; necessity for concluding the contract; obligation of the data subject to provide the personal data; possible consequences of non-provision
We inform you that the provision of personal data is partly required by law (e.g. tax regulations) or can also result from contractual provisions (e.g. information on the contractual partner). It may sometimes be necessary for a contract to be concluded that a data subject provides us with personal data that must subsequently be processed by us. For example, the data subject is obliged to provide us with personal data when our company concludes a contract with them. Failure to provide personal data would mean that the contract with the data subject could not be concluded. Before providing personal data by the data subject, the data subject must contact our data protection officer. Our data protection officer will inform the data subject on a case-by-case basis whether the provision of personal data is required by law or contract, whether there is an obligation to provide the personal data, and what the consequences would be if the personal data were not provided.
16. Existence of automated decision-making
As a responsible company, we do not use automated decision-making or profiling.
17. Competent authority
Austrian Data Protection Authority: Wickenburggasse 8, 1080 Vienna, Austria, email: dsb@dsb.gv.at. This privacy policy was generated by the privacy policy generator of DGD Deutsche Gesellschaft für Datenschutz GmbH, in cooperation with the Lawyer for Data Protection Law Christian Solmecke.
c) Right to rectification
Every data subject affected by the processing of personal data has the right granted by the European Directive and Regulatory Authority to demand the immediate correction of inaccurate personal data concerning them. Furthermore, the data subject has the right, taking into account the purposes of the processing, to request the completion of incomplete personal data - including by means of a supplementary statement. If a data subject wishes to exercise this right of rectification, they can contact our data protection officer at any time.
d) Right to erasure (right to be forgotten)
Every data subject affected by the processing of personal data has the right granted by the European Directive and Regulatory Authority to demand that the personal data concerning them be deleted immediately if one of the following reasons applies and to the extent that the processing is not necessary:
- The personal data have been collected or otherwise processed for purposes for which they are no longer necessary.
- The data subject withdraws their consent, on which the processing pursuant to Art. 6 para. 1 letter a DSGVO or Art. 9 para. 2 letter a DSGVO is based, and there is no other legal basis for the processing.
- The data subject objects to the processing pursuant to Art. 21 para. 1 DSGVO, and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Art. 21 para. 2 DSGVO.
- The personal data have been unlawfully processed.
- The deletion of personal data is necessary to fulfil a legal obligation under Union law or the law of the Member States to which the controller is subject.
- The personal data have been collected in relation to information society services offered in accordance with Art. 8 para. 1 DSGVO.
If one of the above reasons applies and a data subject wishes to have the personal data stored by Apparthotel Sonne GmbH & Co KG deleted, they can contact our data protection officer at any time. The data protection officer of Apparthotel Sonne GmbH & Co KG or another employee will ensure that the deletion request is immediately complied with. If the personal data of Apparthotel Sonne GmbH & Co KG have been made public and our company is obliged as the controller pursuant to Art. 17 para. 1 DSGVO to delete the personal data, Apparthotel Sonne GmbH & Co KG will, taking into account available technology and implementation costs, take appropriate measures, including of a technical nature, to inform other data controllers processing the published personal data that the data subject has requested the deletion of all links to this personal data or of copies or replications of this personal data, to the extent that the processing is not necessary. The data protection officer of Apparthotel Sonne GmbH & Co KG or another employee will take the necessary steps in individual cases.
e) Right to restriction of processing
Every data subject affected by the processing of personal data has the right granted by the European Directive and Regulatory Authority to request the controller to restrict processing if one of the following conditions is met:
- The data subject disputes the accuracy of the personal data for a period that allows the controller to verify the accuracy of the personal data.
- The processing is unlawful, the data subject opposes the deletion of the personal data and requests instead the restriction of the use of the personal data.
- The controller no longer needs the personal data for the purposes of the processing, but the data subject needs them for the assertion, exercise or defence of legal claims.
- The data subject has objected to the processing pursuant to Art. 21 para. 1 DSGVO and it is not yet clear whether the legitimate grounds of the controller outweigh those of the data subject.
If one of the above conditions is met and a data subject wishes to request the restriction of personal data stored by Apparthotel Sonne GmbH & Co KG, they can contact our data protection officer at any time. The data protection officer of Apparthotel Sonne GmbH & Co KG or another employee will initiate the restriction of processing.
f) Right to data portability
Every data subject affected by the processing of personal data has the right granted by the European Directive and Regulatory Authority to receive the personal data concerning them, which have been provided by the data subject to a controller, in a structured, commonly used and machine-readable format. They also have the right to transmit this data to another controller without hindrance from the controller to whom the personal data have been provided, provided that the processing is based on consent pursuant to Art. 6 para. 1 letter a DSGVO or Art. 9 para. 2 letter a DSGVO or on a contract pursuant to Art. 6 para. 1 letter b DSGVO and the processing is carried out by automated means, provided that the processing is not necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. Furthermore, in exercising their right to data portability pursuant to Art. 20 para. 1 DSGVO, the data subject has the right to have the personal data transmitted directly from one controller to another, where technically feasible and provided that this does not adversely affect the rights and freedoms of others. To exercise the right to data portability, the data subject can contact the data protection officer appointed by Apparthotel Sonne GmbH & Co KG or another employee at any time.
g) Right to object
Every data subject affected by the processing of personal data has the right granted by the European Directive and Regulatory Authority to object at any time, for reasons arising from their particular situation, to the processing of personal data concerning them carried out on the basis of Art. 6 para. 1 letters e or f DSGVO. This also applies to profiling based on these provisions. Apparthotel Sonne GmbH & Co KG will no longer process the personal data in the event of an objection, unless we can demonstrate compelling legitimate grounds for the processing that override the interests, rights and freedoms of the data subject, or the processing serves to assert, exercise or defend legal claims. If Apparthotel Sonne GmbH & Co KG processes personal data to engage in direct marketing, the data subject has the right to object at any time to the processing of personal data for the purpose of such advertising. This also applies to profiling, insofar as it is related to such direct marketing. If the data subject objects to Apparthotel Sonne GmbH & Co KG processing for direct marketing purposes, Apparthotel Sonne GmbH & Co KG will no longer process the personal data for these purposes. The data subject also has the right, for reasons arising from their particular situation, to object to the processing of personal data concerning them by Apparthotel Sonne GmbH & Co KG for scientific or historical research purposes or for statistical purposes pursuant to Art. 89 para. 1 DSGVO, unless such processing is necessary for the performance of a task carried out in the public interest. To exercise the right to object, the data subject can directly contact the data protection officer of Apparthotel Sonne GmbH & Co KG or another employee. The data subject is also free to exercise their right to object in connection with the use of information society services, notwithstanding Directive 2002/58/EC, using automated procedures where technical specifications are used.
h) Automated individual decision-making, including profiling
Every data subject affected by the processing of personal data has the right granted by the European Directive and Regulatory Authority not to be subject to a decision based solely on automated processing - including profiling - which has legal effect concerning them or significantly affects them in a similar way, unless the decision (1) is necessary for the conclusion or performance of a contract between the data subject and the controller, or (2) is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject's rights, freedoms and legitimate interests, or (3) is made with the data subject's explicit consent. If the decision (1) is necessary for the conclusion or performance of a contract between the data subject and the controller or (2) is made with the data subject's explicit consent, Apparthotel Sonne GmbH & Co KG will take appropriate measures to safeguard the data subject's rights, freedoms and legitimate interests, including at least the right to obtain the intervention of a person from the controller, to state their own position and to challenge the decision. If the data subject wishes to assert rights relating to automated decisions, they can contact our data protection officer at any time.
i) Right to revoke consent to data processing
Every data subject affected by the processing of personal data has the right granted by the European Directive and Regulatory Authority to withdraw consent to the processing of personal data at any time. If a data subject wishes to exercise their right to revoke consent, they can contact our data protection officer at any time.
11. Data protection for applications & in the application process
The data controller collects and processes the personal data of applicants for the purpose of handling the application process. Processing can also take place electronically. This is particularly the case if an applicant submits corresponding application documents electronically, for example by email or via a web form on the website, to the controller. If the controller concludes an employment contract with an applicant, the data transmitted will be stored for the purpose of processing the employment relationship in compliance with legal requirements. If the controller does not conclude an employment contract with the applicant, the application documents will be automatically deleted two months after notification of the rejection decision, provided that deletion does not conflict with other legitimate interests of the controller. Other legitimate interest in this sense is, for example, the burden of proof in a procedure under the General Equal Treatment Act (AGG).
12. Legal basis for processing
Art. 6 I lit. a DSGVO serves as the legal basis for processing operations for which we obtain consent for a specific processing purpose. If the processing of personal data is necessary to fulfil a contract to which the data subject is a party, as is the case, for example, with processing operations necessary for the delivery of goods or the provision of another service or consideration, the processing is based on Art. 6 I lit. b DSGVO. The same applies to processing operations that are necessary to carry out pre-contractual measures, such as in cases of inquiries about our products or services. If our company is subject to a legal obligation requiring the processing of personal data, such as for the fulfilment of tax obligations, the processing is based on Art. 6 I lit. c DSGVO. In rare cases, the processing of personal data may be necessary to protect the vital interests of the data subject or another natural person. This would be the case, for example, if a visitor to our premises were injured and his name, age, health insurance data or other vital information would have to be passed on to a doctor, hospital or other third party. Then the processing would be based on Art. 6 I lit. d DSGVO. Finally, processing operations could be based on Art. 6 I lit. f DSGVO. Processing operations not covered by any of the aforementioned legal bases are based on this legal basis if processing is necessary to safeguard a legitimate interest of our company or a third party, provided that the interests, fundamental rights and freedoms of the data subject do not override. Such processing operations are particularly permissible because they have been specifically mentioned by the European legislator. He took the view that a legitimate interest could be assumed if the data subject is a customer of the controller (Recital 47 sentence 2 DSGVO).
13. Legitimate interests pursued by the controller or a third party
If the processing of personal data is based on Article 6 I lit. f DSGVO, our legitimate interest is to carry out our business activities for the benefit of the well-being of all our employees and shareholders.
14. Duration for which the personal data will be stored
The criterion for the duration of the storage of personal data is the respective legal retention period. After the expiry of the period, the relevant data will be routinely deleted, provided they are no longer required for the fulfilment of a contract or the initiation of a contract.
15. Legal or contractual provisions for providing personal data; necessity for concluding the contract; obligation of the data subject to provide the personal data; possible consequences of non-provision
We inform you that the provision of personal data is partly required by law (e.g. tax regulations) or can also result from contractual provisions (e.g. information on the contractual partner). It may sometimes be necessary for a contract to be concluded that a data subject provides us with personal data that must subsequently be processed by us. For example, the data subject is obliged to provide us with personal data when our company concludes a contract with them. Failure to provide personal data would mean that the contract with the data subject could not be concluded. Before providing personal data by the data subject, the data subject must contact our data protection officer. Our data protection officer will inform the data subject on a case-by-case basis whether the provision of personal data is required by law or contract, whether there is an obligation to provide the personal data, and what the consequences would be if the personal data were not provided.
16. Existence of automated decision-making
As a responsible company, we do not use automated decision-making or profiling.
17. Competent authority
Austrian Data Protection Authority: Wickenburggasse 8, 1080 Vienna, Austria, email: dsb@dsb.gv.at. This privacy policy was generated by the privacy policy generator of DGD Deutsche Gesellschaft für Datenschutz GmbH, in cooperation with the Lawyer for Data Protection Law Christian Solmecke.