The protection of your privacy and your personal data is of great importance to Donauturm Aussichtsturm- und Restaurantbetriebsgesellschaft m.b.H.
Information Notice
With this document, we inform you about your rights and obligations as well as how your data is processed within our company, Donauturm Aussichtsturm- und Restaurantbetriebsgesellschaft m.b.H, Donauturmplatz 1, 1220 Vienna, Austria.
Controller for Data Processing
Donauturm Aussichtsturm- und Restaurantbetriebsgesellschaft m.b.H
Donauturmplatz 1
1220 Vienna
Austria
Phone: +43 1 2633572
E-mail: reservierungen@donauturm.at
Data Protection Officer
In accordance with the provisions of the GDPR, no Data Protection Officer is required for our company, as the processing of personal data does not constitute one of our core activities.
Purposes of Processing
Your data is processed in our company for the following purposes:
- Marketing and direct marketing (by post, e-mail, SMS, telephone)
- Accounting and business administration
- Statistical analyses and customer insights
- Documentation of our services and products
- Order processing and customer communication
Legal Bases
The processing of your personal data is based on the following legal grounds:
- Art. 6 (1) (a) GDPR – consent of the data subject (e.g. newsletters, marketing)
- Art. 6 (1) (b) GDPR – performance of a contract or pre-contractual measures (e.g. reservations, orders)
- Art. 6 (1) (c) GDPR – compliance with legal obligations (e.g. tax and commercial retention obligations under § 132 BAO and §§ 190, 212 UGB)
- Art. 6 (1) (f) GDPR – legitimate interests (e.g. direct marketing, quality assurance, IT security, video surveillance)
- Art. 9 (2) (a) GDPR – explicit consent for the processing of special categories of personal data (e.g. health data such as dietary requirements or allergies)
- Art. 6 (1) (d) GDPR – protection of vital interests (e.g. disclosure of medically relevant data in case of emergency)
Categories of Data
We process the following categories of personal data:
- Master data (title, salutation, name, gender, date of birth)
- Contact details (address, telephone, e-mail, website, photo if applicable)
- Payment and financial data (bank details, credit card information, invoicing data)
- Contract and order data (customer history, bookings, services)
- Preferences and interests (e.g. dietary requirements, hobbies, occasions such as anniversaries)
Recipients of Data
Your data will only be shared with recipients where necessary for the fulfilment of the purposes stated above, such as:
- Public authorities, courts, lawyers, insurance companies (where applicable)
- Internal recipients (management, employees)
- External service providers (printing companies, delivery services, IT providers, cloud services, software suppliers)
- Financial service providers (banks, tax advisors, accounting services)
- Marketing and communication agencies
Retention Period
Your data will be stored for as long as required by statutory retention obligations or as necessary to fulfil the respective purpose of processing.
Profiling of Data Subjects
No automated decision-making, including profiling, pursuant to Art. 22 GDPR takes place.
Data Protection Information Regarding the Processing of Personal Data on Our Website
Below we inform you about the processing of personal data on our website. Processing is carried out on the basis of the applicable legal provisions (General Data Protection Regulation – GDPR and Telecommunications Act 2003).
Contact
If you contact us by e-mail or via an online form (e.g. application form), we process and store the personal data you provide for the purpose of handling your request and any subsequent follow-up. Your data will only be passed on to third parties with your explicit consent.
Data Security
Donauturm Aussichtsturm- und Restaurantbetriebsgesellschaft m.b.H protects your personal data from unauthorized access, use or disclosure through appropriate technical and organizational measures. These include, among others, storage in a secure server environment and the encryption of security-relevant data transmissions via Secure Sockets Layer (SSL).
Cookies and Consent Management
In accordance with the applicable legal requirements and our understanding of data protection-compliant processing, only technically necessary cookies are set without your consent. All other cookies (e.g. for statistics, marketing or personalization) are used exclusively on the basis of your explicit consent.
We use a consent management tool that allows you to individually determine which categories of cookies you wish to accept or reject. Your decision will be stored for 14 months. After this period, you will be asked to provide your consent again. If no confirmation is given, previously granted consents will be automatically deleted and cookies requiring consent will no longer be set.
Contract Processing
For the use of our goods and services, we process the data you provide for the purpose of contract fulfilment. Without this data, the conclusion or performance of a contract is not possible. Where necessary, we transmit your data to the transport company commissioned with delivery or to the payment service provider.
Customer Account / Registration
If you create a customer account on our website, we store the personal data you provide (e.g. name, address, e-mail address) as well as your IP address, date and time of registration. These data are used exclusively for pre-contractual services, contract performance and customer care. They will not be shared with third parties. During registration, your consent will be obtained and reference will be made to this privacy policy.
Newsletter
If you subscribe to our newsletter, we process your e-mail address and – if provided – your name and postal address. In addition, we store the IP address, date and time of registration. The data are used exclusively for sending the newsletter. You may unsubscribe at any time, either via the link included in each newsletter or by contacting us directly.
User Contributions, Comments and Reviews
If you publish contributions (e.g. comments or reviews) on our website, we process and store the content of the contribution, date and time, and, where applicable, your chosen pseudonym. In addition, we process your IP address and e-mail address in order to be able to investigate misuse (e.g. legal infringements).
Online Applications / Publication of Job Advertisements
If you apply to us online, we will process your applicant data exclusively for the purpose of the recruitment procedure.
- In the event of employment, the data will be stored in your personnel file.
- In the event of rejection, the data will be deleted no later than seven months after notification of the decision, unless a longer retention period is required by law (e.g. evidentiary obligations under the Equal Treatment Act).
- With your explicit consent, we may retain your data for a longer period (e.g. in an applicant pool). You may withdraw this consent at any time with effect for the future.
Agency Services – Social Recruiting
For the performance of certain activities (e.g. social recruiting, marketing campaigns, data analyses, consultancy, or software services), we engage external agencies and service providers. These act exclusively on the basis of a data processing agreement in accordance with Art. 28 GDPR and are contractually obliged to maintain confidentiality as well as to comply with data protection requirements.
The processing of personal data is carried out solely for the purposes required within the scope of the respective assignment. Independent use of the data by the contracted agencies is excluded. Personal data will be deleted after completion of the assignment or after the expiry of statutory retention periods. If longer storage is legally required (e.g. retention obligations under the Austrian Federal Fiscal Code – BAO or the Austrian Commercial Code – UGB), deletion will take place after expiry of these periods.
Video Surveillance at the Car Park and Inside Donauturm
To protect visitors, employees, and our property, video surveillance is carried out in the car park and within Donauturm. This may involve image and, where applicable, audio recordings that also contain personal data. Processing is carried out exclusively for security purposes. The data will be automatically deleted after 24 hours, unless they are required for the investigation of incidents or to comply with legal obligations. Access to the recordings is strictly limited to authorised personnel. Disclosure to third parties only takes place within the legally permissible framework. Legal basis: our legitimate interest in safety and protection pursuant to Art. 6 (1) (f) GDPR.
Photography and Photo Points
During your visit to Donauturm, it is possible that you may be photographed by our photographer or when using our photo points. These photos are intended to enhance and improve your visitor experience. The recordings will be treated confidentially and automatically deleted from our systems no later than four hours afterwards, unless further consent has been given by you.
Competitions / Prize Draws
If you participate in our competitions, we will process the data you provide exclusively for the purpose of carrying out and managing the competition. For the purpose of prize fulfilment, we will pass on your data, where necessary, to the transport company commissioned with delivery or to the financial service provider responsible for the payout. Your data will only be published if you have given your explicit prior consent. You may withdraw your consent to the processing of your data in connection with a competition at any time with effect for the future (Art. 7 (3) GDPR). A simple informal notification to us is sufficient.
Social Media
We maintain online presences on various social networks and platforms in order to communicate with interested parties and to present our company. In doing so, personal data (e.g. usage data, IP address, communication content) may be processed by the respective platform providers, possibly also outside the European Union (e.g. in the USA or China). The providers are primarily responsible for data processing on these platforms. Please note that we do not have full access to the data collected by the providers. Legal basis: our legitimate interest in public relations and communication pursuant to Art. 6 (1) (f) GDPR. Where consent is required, processing takes place on the basis of Art. 6 (1) (a) GDPR.
Facebook & Instagram
We operate company pages on Facebook and Instagram, services of Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland. Meta processes user data for advertising and analytical purposes. Through "Page Insights" we are jointly responsible with Meta for the statistical analysis of certain data. Privacy policies: https://www.facebook.com/privacy/explanation
X (formerly Twitter)
We use functions of the network X, operated by Twitter International Unlimited Company, One Cumberland Place, Dublin 2, Ireland. Data may also be transferred to the USA. Privacy policy: https://x.com/en/privacy
YouTube
We use YouTube, a service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (subsidiary of Google LLC, USA). Embedded videos are displayed in "extended data protection mode," so that a transfer of data to Google only takes place when you play a video.
Privacy policy: https://policies.google.com/privacy
TikTok
We operate an online presence on TikTok, provided by TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, Ireland. Processing of data by the parent company ByteDance Ltd. in China cannot be excluded. TikTok processes personal data (e.g. profile data, interaction data, IP address) for advertising and analytical purposes. European supervisory authorities have already sanctioned TikTok for insufficient data protection; further proceedings on data transfers to China are ongoing. Privacy policy: https://www.tiktok.com/legal/page/eea/privacy-policy/de
Analysis and Marketing Tools
We use various services on our websites to analyze user behavior and to optimize our online offering. Legal basis: Art. 6 (1) (f) GDPR (legitimate interest in analysis, optimization and economic operation). Where consent is required (e.g. cookies), processing is based on Art. 6 (1) (a) GDPR.
HubSpot
Provider: HubSpot Inc., 25 First Street, Cambridge, MA 02141, USA; HubSpot Ireland Limited, Dublin, Ireland. Purposes: newsletter distribution, contact management (CRM), forms, landing pages, user analytics. Data categories: name, e-mail address, telephone number, IP address, device information, interaction data (clicks, page visits). Legal bases: Art. 6 (1) (a) GDPR (consent), Art. 6 (1) (b) GDPR (contract), Art. 6 (1) (f) GDPR (legitimate interest). Data transfer: to the USA possible; HubSpot is certified under the EU-US Data Privacy Framework. Privacy policy: https://legal.hubspot.com/de/privacy-policy
Google Analytics
Provider: Google Ireland Limited, Dublin, Ireland (subsidiary of Google LLC, USA). Purpose: analysis of user behavior, website statistics. Feature: IP anonymization (shortening of IP addresses within the EU/EEA). Data transfer: to the USA possible. Privacy policy: https://policies.google.com/privacy
Google Ads & Conversion Tracking
We use Google Ads to place online advertising. When you click on an ad, a conversion cookie (valid for 30 days) is set. Purpose: measurement and optimization of advertising campaigns. Legal basis: Art. 6 (1) (f) GDPR. Privacy policy: https://policies.google.com/technologies/ads
Google Remarketing ("Similar Audiences")
We use Google Remarketing to display interest-based advertising within the Google advertising network, including cross-device advertising (if a Google account is used). Privacy policy: https://policies.google.com/technologies/ads
Google Maps
We use Google Maps for displaying our location and route planning. This may involve setting cookies and transferring data (e.g. IP address) to the USA. Privacy policy: https://policies.google.com/privacy
YouTube Ads
We place targeted advertising campaigns via YouTube, provided by Google Ireland Limited (subsidiary of Google LLC, USA). Purpose: increase of reach and target group-oriented communication. Data categories: usage and interaction data (e.g. video views, clicks). Privacy policy: https://policies.google.com/privacy
Meta Ads (Facebook & Instagram)
We use Meta Ads, provided by Meta Platforms Ireland Limited, Dublin, Ireland, to run targeted advertising on Facebook and Instagram. Purpose: targeted communication and reach measurement. Data categories: user and profile data, interactions (e.g. clicks, likes). Data transfer: possible to the USA. Privacy policy: https://www.facebook.com/privacy/explanation
TikTok Ads
We use TikTok Ads, provided by TikTok Technology Limited, Dublin, Ireland, for advertising campaigns. Purposes: ad placement, reach measurement, campaign analysis. Data categories: profile data, usage and interaction data, IP address, device information.
Data transfer: processing by parent company ByteDance Ltd., China, possible (increased access risks). Privacy policy: https://www.tiktok.com/legal/page/eea/privacy-policy/de
swat.io (Social Media Management)
Provider: Swat.io GmbH, Schönbrunner Straße 213–215, 1120 Vienna, Austria. Purpose: efficient community management, structured handling of requests, interaction analytics. Data categories: comments, messages, profile information, posts, timestamps (from social media platforms). Legal basis: Art. 6 (1) (f) GDPR (legitimate interest in efficient communication). Processor: swat.io acts solely on our behalf under Art. 28 GDPR. Data processing: within the EU; no disclosure to third parties. Retention: only as long as necessary for communication or due to legal obligations. Privacy policy: https://swat.io/de/legal/
walls.io (Social Media Wall)
Provider: Walls.io GmbH, Schönbrunner Straße 213/215, 1120 Vienna, Austria. Purpose: aggregation and display of social media content on our website. Data categories: username, profile picture, published posts, images, videos, interaction data (likes, comments, timestamps). Legal basis: Art. 6 (1) (f) GDPR (legitimate interest in modern public relations). Processor: walls.io acts solely on our behalf under Art. 28 GDPR. Processing: within the EU; no disclosure to third parties. Retention: data stored only as long as necessary for display; deletion follows settings of the social media platforms. Privacy policy: https://walls.io/privacy
Google Marketing Platform (GMP)
Provider: Google Ireland Limited, Dublin, Ireland. Purposes: campaign performance measurement, frequency capping, interest-based advertising, campaign optimization. Data categories: time of visit, ads clicked, prior browsing behavior on third-party sites. Legal basis: Art. 6 (1) (a) GDPR (consent), Art. 6 (1) (f) GDPR (legitimate interest). Data transfer: possible to the USA; Google is certified under the EU-US Data Privacy Framework. Opt-out: https://www.google.com/settings/ads/
Links to Other Websites
Our websites may contain links to external websites over which we have no control in terms of content or data protection practices. Please consult the respective privacy policies of the external providers, as we do not assume any responsibility for their content or data processing.
Privacy Information on the Processing of Personal Data via aleno
Reservation Data Collection
For receiving and managing reservation requests, we use the restaurant management system aleno, operated by aleno AG, Switzerland. In this context, the following personal data (“guest data”) are collected:
- First and last name
- Telephone number and e-mail address
- Number of persons, date and time of reservation
The processing serves the purpose of handling your reservation, in particular assigning tables and contacting you in case of inquiries.
Legal basis: Art. 6 (1) (f) GDPR (legitimate interest in efficient reservation management).
Guest data are not automatically deleted after the reservation has been completed but may be used to create a personal guest profile (see below). You may request the deletion of your data at any time. If the deletion occurs before the reservation date, the booking will automatically be cancelled.
Collection of Credit Card Information for Reservations
For binding online reservations, it may be necessary to provide a credit card as a guarantee. In this case, the following payment information is collected:
- Name of the card issuer
- Name of the cardholder
- Credit card number, security code, expiry date
Processing is carried out directly via aleno. The data are automatically anonymised and transmitted directly to aleno’s hosting provider. We do not have access to this information and do not store it in our systems.
Creation of Guest Profiles
Your guest data may be consolidated within aleno to create a personal guest profile in order to provide you with a tailored service. Such a profile may include additional information (“profile data”), such as:
- Preferred language, allergies, special requests
- Birthday, customer category, status
- Information on previous visits (date, duration, table, expenses, no-shows)
- Consolidated visit statistics (total visits, total expenses, no-shows)
The creation of such profiles serves the purpose of personalising our services and enhancing your visitor experience. Legal basis: Art. 6 (1) (f) GDPR (legitimate interest in personalised services).
Data within the guest profile are deleted or anonymised once they are no longer required for the stated purpose. You may request the deletion of your profile at any time.
Controller and Data Processing Agreement
For the collection and processing of guest data, payment information, and profile data within the scope of aleno, we, Donauturm Aussichtsturm- und Restaurantbetriebsgesellschaft m.b.H, are the controller pursuant to Art. 4 (7) GDPR. aleno AG processes the data on our behalf and is therefore considered a processor within the meaning of Art. 4 (8) GDPR. A data processing agreement in accordance with Art. 28 GDPR has been concluded. Further information can be found in aleno AG’s privacy policy: https://www.aleno.me/de/policy-index#Dataprivacy
Whistleblowing System
We have established a whistleblowing system through which employees, partners, and other persons associated with Donauturm may report possible violations of legal provisions or internal policies. For this purpose, the dedicated e-mail address whistleblower@donauturm.at is available.
Purpose of Processing
The processing of personal data within the whistleblowing system is carried out for the purpose of receiving, reviewing, and handling reports of misconduct, as well as initiating any necessary follow-up measures. This enables us to fulfil our legal obligations under the Austrian Whistleblower Protection Act (HSchG) as well as our internal compliance requirements.
Categories of Data Processed
- Information on the reporting person (if not anonymous, e.g. name, e-mail address)
- Content of the report (e.g. description of the incident, persons involved, evidence)
- Data of affected persons (e.g. name, role, actions in connection with the report)
- Communication data in the context of feedback, if expressly requested
Legal Bases
Processing is based on Art. 6 (1) (c) GDPR in conjunction with the HSchG (legal obligation), as well as Art. 6 (1) (f) GDPR (legitimate interest in the clarification and prevention of misconduct).
Retention Period
Reports and the related personal data are only stored for as long as necessary for the handling and documentation of the case. Longer retention takes place only if required by law or necessary for the establishment, exercise, or defence of legal claims.
Confidentiality and Data Security
All reports are treated with strict confidentiality. Access to the data is restricted to authorised persons responsible for handling the case. Technical and organisational measures are in place to ensure a high level of data protection.
Feedback
Please explicitly indicate in your report whether you wish to receive feedback. If this is not specified, we will treat the report as anonymous – even if a sender address is provided – and no feedback will be given.
Rights of Data Subjects
Data subjects generally have the rights of access, rectification, erasure, restriction of processing, objection, and data portability under the GDPR. Where the confidentiality of the whistleblower or the proper handling of the report would be compromised, these rights may be restricted in accordance with Art. 23 GDPR in conjunction with the HSchG.
As a data subject, you are particularly entitled to the following rights under the GDPR:
- Right of access to the processing of your personal data (Art. 15 GDPR)
- Right to rectification of inaccurate or incomplete data (Art. 16 GDPR)
- Right to erasure (“right to be forgotten”, Art. 17 GDPR)
- Right to restriction of processing (Art. 18 GDPR)
- Right to data portability (Art. 20 GDPR)
- Right to object to processing (Art. 21 GDPR)
- Right to withdraw consent (Art. 7 (3) GDPR)
If you believe that the processing of your data violates data protection law, you have the right to lodge a complaint with the competent supervisory authority. In Austria, this is the Austrian Data Protection Authority, Barichgasse 40–42, 1030 Vienna.
Changes to this Privacy Policy
We reserve the right to amend this privacy policy where necessary, e.g. due to changes in legal requirements or new services. The current version is always available on our website. In the event of significant changes, we will inform you before they take effect, on our website and – where legally required – via other communication channels.