PRIVACY POLICY
Valamar Obertauern GmbH

Valamar Obertauern GmbH with its headquarters at Gamsleitenstrasse 6, 5562 Obertauern, Austria, FN 195893d, UID AT U50245104, (hereinafter: OBERTAUERN or we or our or controller) as owner of Valamar Obertauern Hotel 4*, respects the privacy of every person from whom collects personal data. We would like to inform you about what personal data we collect as the data controller, for what purpose, how we protect the data and what your rights are.

As the data controller, OBERTAUERN is committed to protect your personal data. The collection and storage of data is carried out in accordance with the provisions of REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter: Regulation), TKG (Telecommunications Law 2021) and other regulations governing the subject area, which are applied in the Republic of Austria.

This Policy applies to any processing of personal data performed by OBERTAUERN as the data controller, unless another policy or other OBERTAUERN document prescribes otherwise for a particular processing.

This Policy is divided into two parts: The General Section and the Specific section.

The basic principles of personal data processing, contact details and other provisions specified in the General Section of this Policy are applied without exception to any personal data processing regardless of whether such processing is specifically processed in the Specific Section of this Policy or not.

The Specific Section of the Policy deals, in more detail, with specific cases of data processing which represent the majority of all processing by OBERTAUERN.

Regarding issues related to personal data protection and for exercising their rights guaranteed by the Regulation please contact OBERTAUERN at any time via e-mail:dsgvo.obertauern@valamar.at or by mail to the address OBERTAUERN, 5562 Obertauern, Gamsleitenstrasse 6.

All requests not related to data protection, which are delivered to this address, e.g. offers of job candidates, booking inquiries in Hotel Valamar Obertauern 4*, etc. will be provided directly to the relevant departments.

OBERTAUERN has recognized the principles of data processing as basic values that must be respected throughout the cycle of personal data processing, from their collection to their destruction or other cessation of processing. OBERTAUERN processes data:

• Lawfully - by processing data only if allowed by law and within the limits prescribed by law.
• Fairly - by considering the specifics of each relationship, applying all appropriate measures to protect personal information and privacy in general and not impeding data subjects in exercising their rights.
• Transparently - by informing data subjects about the processing of personal data. From the start of the data collection process, when data subjects are informed about all aspects of data processing, until its termination, data subjects are provided easy and fast access to their own data.
• Purpose limitation - by processing personal data for the purposes they were collected for and for other purposes only if the conditions of the Regulation are met. Data may be processed for matching purposes only considering (a) any link between the purposes of the collection of personal data and the purposes of the intended continuation of the processing; (b) the context in which the personal data was collected, in particular concerning the relationship between the data subjects and OBERTAUERN; (c) the nature of the personal data; (d) the possible consequences of the intended continuation of processing for the data subjects; and (e) the existence of appropriate protection measures.
• Storage limitation - by storing data in a form which permits identification of data subjects for no longer than is necessary for the initial purposes, and longer only if permitted by the Regulation.
• Data minimization - by processing data if it is adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. Particular attention is given to not collecting data for which there is no justifiable reason for processing.
• Accuracy - by keeping data accurate and up-to-date, and erasing inaccurate data in the scope of possibility.
• Integrity and Confidentiality - by using appropriate technical and organisational measures to ensure appropriate personal data protection, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage. Relevant measures are applied considering the risk of each type of data processing.

In order to respect the lawfulness of processing personal data, OBERTAUERN processes personal data only if and to the extent that at least one of the following is met:

• Processing is necessary for the performance of the contract to which the data subject is a party or in order to act at the request of the data subject prior to the conclusion of the contract; this is the most common purpose of data processing with an existing contractual relationship or a contractual relationship in negotiations as its basis.
• Processing is necessary to comply with the legal obligations of the data controller. As a legal entity, OBERTAUERN has a number of obligations prescribed by various regulations. This obligation includes the collection and often the submission of data to public authorities.
• Processing is necessary for the legitimate interests of the data controller or a third party, except where those interests are stronger than the interests or fundamental rights and freedoms of data subjects requiring the protection of personal data, considering reasonable expectations of data subjects based on their relationship with the data controller, especially if the data subject is a child. In applying this legal basis, OBERTAUERN assesses that the processing is appropriate to business needs, that it is the least invasive as possible and that the interests of the data subjects do not exceed the legitimate interests of OBERTAUERN or a third party. Examples of such processing are processing for administrative purposes, the purposes of maintaining computer network security. The data subject always has the right to object to such processing in these situations.
• Processing is necessary to protect key interests of the data subject or other natural person.The right to personal data protection is not an absolute right and OBERTAUERN equates it with other fundamental rights in accordance with the principle of proportionality.
• The data subject has consented to the processing of his or her personal data for one or more specific purposes. When processing personal data on the basis of consent, OBERTAUERN provides that these are situations in which there are no, formal or informal, consequences for giving, refusing or denying consent. When processing is based on consent, the data subject may withdraw consent at any time without negative consequences. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.

Specific categories of personal data: shall be processed only if the conditions set out in Article 9 of the Regulation are met.

Data relating to criminal convictions and offenses: shall be processed only under the control of official authority and in accordance with Article 10 of the Regulation.

Personal data that are not included in the previous two groups: that kind of data makes most of the processed data. The most common types of data are identification and contact data such as name, surname, e-mail address and data that are related with your relation with us (accommodation etc.).

Most of the personal data that we collect is provided by the data subjects themselves. Therefore, we kindly ask you that you do not provide sensitive information (such as race or ethnic origin, political opinions, religious or philosophical beliefs, etc.) when this is not necessary. If you nevertheless provide sensitive information for any reason, you hereby give your express consent to the collection and use of such information in the ways described in these Policy or in the manner described at the time of disclosure of that information.

OBERTAUERN concluded with the company Valamar Riviera d.d. with its registered office in Poreč, Stancija Kaligari 1 OIB: 36201212847 (hereinafter: Valamar) Contract in relation to the management of hotel and tourist facilities and contents (hereinafter: Management contract) based on which Valamar manages certain business segments of OBERTAUERN.

Due to such Management contract, when managing Hotel Valamar Obertauern 4*, Valamar sometimes directly manages certain activities, including the management of some of the activities described in the Special Section of this Privacy Policy, in particular Valamar can process the personal data of the guests for providing the sales and marketing services. In addition, Valamar sometimes receives data from OBERTAUERN and has a right of access to relevant data base to perform certain activities where it subsequently comes to personal data processing.

For example, Valamar can manage the reservation function through the Valamar reservation center (call center) and via the websites www.valamar.com, and in these cases Valamar is an independent data controller (and data subjects will be informed on the spot about that fact) however, all this information related to Hotel Valamar Obertauern 4* are and have to be also processed by OBERTAUERN as an owner and independent data controller.

Furthermore, Valamar has a legitimate interest in processing of personal data carried out for the purposes of direct marketing, primarily for the purpose of sending marketing messages (newsletters) by e-mail, SMS and / or instant messaging platform (Viber, Whatsapp, etc.). Based on a legitimate interest, Valamar may send different newsletters depending on the relationship that respondents have with Valamar or the facilities under Valamar's management. For this purpose, personal data is collected from guests and persons who have asked for an offer or booked accommodation, persons who have participated in the prize game (if there will be any), joined the Valamar`s loyalty program, filled out a satisfaction questionnaire about accommodation in or otherwise had a relationship with Valamar.

Following the above, in certain cases Hotel Valamar Obertauern 4* guests can expect to receive from Valamar newsletters containing information about all other hotels and facilities managed by Valamar, as well as accommodation quality questionnaires and other service e-mails. For Hotel Valamar Obertauern 4* guests, prize games can be organized from time to time, which can be organized by Valamar, in which case guests personal data will be collected only if guests decide to participate in the prize game.

Valamar's Plus Club Loyalty Program can be applied for the OBERTAUERN. The conditions of membership are contained in Valamar's loyalty programme terms and conditions, which can be found at https://www.valamar.com/cmsmedia/loyalty/terms-conditions-en.pdf .

Also, based on the Management contract, Valamar has certain rights and obligations related to human resources, so in these cases Valamar has the right to process personal data of employees and candidates for employment in OBERTAUERN for the purpose of managing the business processes in the Hospitality Operations.

When Valamar acts as the data controller, the Valamar Privacy Policy applies, which can be found at: https://www.valamar.com/en/privacy-policy / https://www.valamar.com/hr/izjava-o-privatnosti.

OBERTAUERN shares personal information with others only when permitted.

OBERTAUERN is obliged by law to provide data to third parties. For example, delivering guest data and employee data to the competent institutions.

It is possible to deliver data to business entities, processors, who process the data upon instruction of OBERTAUERN, which acts as the data processor. Most often, these are OBERTAUERN's business partners who provide IT services, who store certain data in their databases or have the possibility of accessing personal data until the end of processing. In that cases a detailed contract shall be concluded with such subjects regarding their powers and obligations in the processing of personal data, in accordance with the requirements of the Regulation.

In certain situations, it is possible for external entities and OBERTAUERN to jointly determine the purposes and methods of personal data processing, in which case these external partners and OBERTAUERN are joint data controllers. In these relations, the joint data controllers shall transparently determine their responsibilities for complying with the obligations under the Regulation, in particular with regard to the exercise of data subject`s rights and their duties to respect the transparency of processing, unless responsibilities are established by law.

A special case of data delivery to third parties is the fact that OBERTAUERN has the Management contract with Valamar (see chapter: ROLE OF VALAMAR RIVIERA d.d.).

If data are transferred to third countries as part of data processing, OBERTAUERN ensures compliance with high protection standards in order to comply with the highest possible standard of personal data protection, in accordance with the strict requirements of the Regulation. Any transfer of personal data to third countries will be carried out in accordance with Chapter V of the Regulation.

Personal data are processed and stored for the period in accordance with applicable legal regulations when the retention obligation is prescribed (for example, accounting documents), and in situations where OBERTAUERN is authorized to set retention periods, data is stored as long as necessary for the purposes for which personal data is processed taking into account the purpose of processing, the legitimate interests of OBERTAUERN and the interests of the data subjects to delete the data.

Regardless of the basis for data collection, all data subjects can exercise the following rights free of charge within the limits prescribed by the Regulation:

Right to information: The data subject has the right to be informed about the processing and its purposes. OBERTAUERN provides the data subjects with all the information necessary to ensure fair and transparent processing, considering the context of processing.

Right to erasure (“right to be forgotten”): The data subject has the right to request to delete personal data relating to him/her, without undue delay in accordance with the terms of the Regulation. To do so, please send your request to us in writing, including an electronic form of communication. Please note that the request needs to specify what you wish to be deleted, since we can store your data on different legal bases. You have the right to request the deletion of personal data relating to you where one of the following grounds applies:

• the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
• the data subject withdraws consent on which the processing is based, and where there is no other legal ground for the processing;
• the data subject objects to the processing pursuant and there are no overriding legitimate grounds for the processing, or the data subject objects;
• the personal data have been unlawfully processed;
• the personal data have to be erased for compliance with a legal obligation;
• the personal data have been collected in relation to the offer of information society services.

In some cases, it will not be possible to fully comply with the deletion request, for example when there is a legal obligation for retention, when the legitimate interest of the controller is stronger than the interest of the data subjects, when there is an interest of the data controller to set, enforce or defend legal claims.

Right of access: The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:

• the purposes of the processing;
• the categories of personal data concerned;
• the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
• where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
• the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
• the right to lodge a complaint with a supervisory authority;
• where the personal data are not collected from the data subject, any available information as to their source;
• the existence of automated decision-making, including profiling, and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

The controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form. The right to obtain a copy shall not adversely affect the rights and freedoms of others.

Right to rectification: The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Considering the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

Right to data portability: The data subject has the right to receive personal data relating to him in a structured, commonly used and machine-readable format in accordance with the requirements of the Article 20 of Regulation.

Right to object: The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on public interest and legitimate interests, including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims. Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.

Right to restriction of processing: The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies:

• the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
• the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
• the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
• the data subject has objected to processing pending the verification whether the legitimate grounds of the controller override those of the data subject.

In any case, data subjects also have the right to:

• to submit a complaint time via e-mail: dsgvo.obertauern@valamar.at or by mail to the address OBERTAUERN Gmbh, Gamsleitenstrasse 6, 5562 Obertauern, Austria
• to lodge a complaint with a supervisory authority (Austrian Data Protection Authority) if they believe that their rights to data protection have been violated.

OBERTAUERN as the data controller has the right to protect the interests of the data controller as well as the protection of the data subjects and accordingly has the right to carry out the activities of establishing the identity of the applicant. OBERTAUERN has the right to publish a form that will be used to submit a request in order to process the request as efficiently as possible.

On request, OBERTAUERN provides information on the actions taken in relation to the exercise of data subject's rights without undue delay and in any case within one month from the date of receipt of the request. This period may be extended by an additional two months, considering the complexity and number of applications. OBERTAUERN shall notify the data subject of any such extension within one month from the date of receipt of the request, together with the reasons for the postponement.

If the data subject submits the request electronically, OBERTAUERN provides the information electronically if possible, unless the data subject requests otherwise.

The data subject's request is generally free of charge, but if the data subject's request is manifestly unfounded or excessive, and in particular because of their frequent repetition, OBERTAUERN is entitled to charge a reasonable fee based on administrative costs or refuse to act on the request.

OBERTAUERN advises parents and guardians to teach children about safe and responsible handling of personal data, especially on the Internet. In relation to the offer of information society services directly to a child, the processing of the personal data of a child shall be lawful where the child is at least 16 years old. Where the child is below the age of 16 years, such processing shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child.

OBERTAUERN receives personal data most often from data subjects. When providing personal data to OBERTAUERN, in any way (booking accommodation, job application…) you guarantee that the information you have provided is correct, that you are legally capable and authorized to dispose of the given information and that you fully agree that OBERTAUERN collects and uses your data in accordance with the regulations and terms of this Privacy Policy.

Also, OBERTAUERN receives personal data from other natural and legal persons, for example: from Valamar as a company that manages certain business aspects of business, from travel agencies that forward guest data for accommodation, guests who book accommodation for people with whom they will stay in hotel, agency for employment mediation and assignment of workers, from the holder of accommodation reservations for others guests for whom the reservation is made.

When providing personal data of other persons to OBERTAUERN, you guarantee that the information you provide is accurate, that you are legally capable and authorized to dispose of the information, that respondents whose personal data you forward to us agree that OBERTAUERN uses and collects their data in accordance with positive regulations and the terms of this Privacy Policy.

OBERTAUERN, as data controller, provides the highest organizational and technical standards of data protection. Therefore, considering the latest developments, the cost of implementation and the nature, scope, context and purposes of processing, as well as risks of different levels of probability and seriousness for the rights and freedoms of individuals arising from data processing, at the time of processing, appropriate technical and organizational measures to enable the effective application of the principles of data protection are applied.

Also, OBERTAUERN implements appropriate technical and organizational measures to ensure that only personal data necessary for each specific purpose of processing are processed in an integrated manner. OBERTAUERN applies this measure to the amount of personal data collected, the scope of their processing, the retention period and their availability. Specifically, such measures ensure that personal data is not automatically, without the intervention of an individual, available to an unlimited number of individuals.

In the case of a personal data breach, as the data controller, OBERTAUERN shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.

The report submitted to the supervisory authority shall contain all information prescribed by the Regulation.

In the event of a personal data breach that is likely to pose a high risk to the rights and freedoms of individuals, OBERTAUERN, as the data controller, shall inform the data subjects of the personal data breach without undue delay. Sometimes, in cases where the Regulation prescribes, informing data subjects is not mandatory.

OBERTAUERN'S main business activity is the provision of accommodation services in its Hotel Valamar Obertauern 4*. Therefore, OBERTAUERN collects and processes your personal data for various purposes with the ultimate goal of providing quality accommodation and related services all according to the highest standards of tourism companies.

OBERTAUERN, as the data controller, stores your personal data that you must provide for accommodation services in its database for the purpose of fulfilling accommodation contracts and fulfilling legal obligations related to the hospitality business. In case you do not provide OBERTAUERN with the minimum data required for booking accommodation and for the registration to all competent registers, OBERTAUERN will not be able to provide you with booking services or accommodation services in accordance with the contract and law.

Certain information is necessary in order to act at the request of the data subject before concluding the accommodation contract. For example, before booking accommodation at the request of potential guests, you have to receive offer, for which personal data is needed, at least name, surname and e-mail address in order to be able to send an offer.

The personal data that OBERTAUERN collects when booking in order to fulfil the reservation obligation usually are:

• Name and surname of the reservation holder
• Date of birth
• Number, type of identification document and place of issue
• Citizenship
• Number of accommodation units, type of accommodation unit (room type)
• Date of arrival and departure
• Number of persons per accommodation unit
• Minors
• Possibly other specifics depending on the request of the person booking the accommodation
• e-mail if the person has one
• Language
• Phone number
• Membership in the Valamar`s Loyalty program, if it affects the price of accommodation or collecting points
• Payment method and possible additional information needed to execute the transaction or secure payment. In case of cancellation, we must save your data for the purpose of proving the reservation or cancellation.

Upon arrival at the Hotel OBERTAUERN 4*, guests have to check in and confirm data.

In addition, OBERTAUERN is obliged to keep all invoices, as well as the basis for issuing invoices issued to guests with personal data of the guest in accordance with legal regulations.

Other data related to the circumstances of your stay such as: mode of travel, who you are traveling with, marital status, number of children, pets, other interests, will also be collected and processed during your stay only when they have a direct connection with the accommodation service.

Before, during and after the stay OBERTAUERN as the data controller has the right based on the legitimate interest to send you so-called service messages – booking confirmations, reminders and other information closely related to the specific stay you have booked. Also, during and after the stay, OBERTAUERN as the data controller has the right based on the legitimate interest to send to you guest questionnaires about service satisfaction via e-mail, sms and/or instant messaging platforms (viber, whatsapp, etc.) which will be processed by us or through associates. The primary purpose of the service satisfaction questionnaire is to collect service data for the legitimate interest of service improvement by OBERTAUERN, and OBERTAUERN may depersonalize and process this data from the questionnaire for statistical purposes.

OBERTAUERN has the right, based on a legitimate interest, to collect certain data and use it for direct marketing.

Service messages and messages with service satisfaction questionnaires related to a specific stay of the guest are not considered newsletters for the purpose of sending OBERTAUERN marketing offers and news.

OBERTAUERN as the data controller, has a legitimate interest in implementing video surveillance measures to protect property and persons. We marked all places where video surveillance is installed in the prescribed manner. We are aware that the videos contain personal data of all persons moving around the perimeter of the camera, and therefore we keep them with special care, we have a regulated system of security, availability and our internal safety rules. Special regulations governing the area apply to all other details related to video surveillance.

When you contact us via email or via one of the forms on our website, data are processed and stored, in accordance with the purpose of processing.

This Privacy Policy is available at Valamar Riviera d.d. website https://www.valamar.com/en/privacy-policy-valamar-obertauern and also at reception of Hotel Valamar Obertauern 4*, (when hotel is operating).