Data Privacy Policy
Personal user data (e.g. name, email address, etc.) is processed by Schloß Schönbrunn Kultur- und Betriebsgesellschaft mbH (hereinafter referred to as "Schönbrunn Group") solely in accordance with the provisions of Austrian data protection law and the EU GDPR.
We set out below in detail the scope and purpose of data processing by us as well as your rights as data subject. Please therefore read through this Data Privacy Policy carefully before continuing to use our websites and give your consent to data processing as appropriate.
1. DATA CONTROLLER AND CONTACT
The data controller is:
Schloß Schönbrunn Kultur- u. Betriebsges.m.b.H.
Schönbrunner Schloßstraße 47
1130 Vienna
datenschutz@schoenbrunn-group.com
ECHOCAST
From 1 January 2021 to 31 December 2025, Schloss Schönbrunn Kultur- u. Betriebsges.m.b.H. is operator of the organisational office for the ECHOCAST network as well as the website https://echocast.eu, responsible for recruiting new members, ongoing improvement and expansion of modules, certification and quality assurance.
As at 1 January 2021, cooperation partners consisted of the following institutions:
- KHM-Museumsverband, wAöR (public scientific institution)
- Naturhistorisches Museum Wien, wAöR (Natural History Museum Vienna, public scientific institution)
- Österreichische Galerie Belvedere, wAöR (Austrian Gallery Belvedere, public scientific institution)
- Schallaburg KulturbetriebsGmbH
- Schönbrunn Group/Schloß Schönbrunn Kultur- und Betriebsgesellschaft m.b.H.
- Staatliche Kunstsammlungen Dresden
2. PERSONAL DATA
In general, our websites may be used without providing any personal data. However, in order to use some services, different provisions may apply, in which case you will be notified accordingly.
Apart from the cookies described below in detail, in principle we will therefore only collect and store the data notified by you personally when you input such data into forms, or through another type of interaction initiated by you with our websites.
Personal data means all information relating to an identified or identifiable natural person. This includes, for example, your name, your address, your telephone number or your date of birth, as well as your IP address or geolocation data, permitting information to be derived concerning your person.
We will only process personal data extending over and above the information stored via the cookies listed below if you have voluntarily communicated such information to us, for example, if you register with us, enter into a contractual relationship with us, or otherwise make contact with us. This information consists exclusively of contact details and information on the matters with regard to which you have contacted us.
We use the personal data provided by you exclusively to the extent permitted by law (in particular Art. 6 EU GDPR) as required in order to fulfil the respective purpose of processing (e.g. sending promotional and information material to existing customers).
Data processing takes place in particular in the following instances:
- In order to process contracts concluded via our ticket shop and online shop (Art. 6(1)(b) EU GDPR)
- To respond to enquiries (Art. 6(1)(b) EU GDPR)
- For marketing purposes (Art. 6(1)(a) or (f) EU GDPR)
- In order to optimise our web presence and services (Art. 6(1)(f) EU GDPR)
- For scientific research purposes (Art. 89 EU GDPR and Sec. 7 of the Austrian Data Protection Act (Datenschutzgesetz, DSG))
Any further use of your data will only take place with your express prior written consent. As set out in detail below, you may withdraw your consent at any time with future effect.
In so far as, in the context of processing by us, we grant third parties (in particular processors) access to data, this is either on the basis of legal authorisation (e.g. if transfer of data to third parties, including payment service providers, is necessary for contractual fulfilment), or if you have given your consent, or if a legal obligation so requires, or on the basis of our legitimate interests (e.g. when using web hosting services, CRM tools, newsletter distribution tools, etc.).
Do we transfer data to the USA?
We offer several services that involve or may involve the transfer of data to the USA. However, unless another justification exists, such as the fulfilment of contractual obligations, in order to be able to use these services you will be required to consent to possible use in the USA of personal data collected via these services (Art. 49(1)(a) EU GDPR). Depending on the service in question, we obtain this consent either via our cookie banner or separately, based on a corresponding declaration of consent, immediately prior to use of the service offered.
Your consent is required since, based on recent official and judicial decisions as well as case law of the Court of Justice of the European Union, the USA is evidenced as not having an adequate level of data protection in the context of personal data processing (CJEU Case C-311/18, Schrems II). These official and judicial decisions take a critical view of how access by US authorities (FISA 0702) is not comprehensively restricted by law and does not require the approval of an independent body, and determine that no relevant legal remedies are available to data subjects in the event of infringements.
Apart from the contracts concluded with US service providers, we have no direct influence on access by US authorities to personal data transferred to service providers in the USA in the context of use of services. Even if we assume that, in accordance with the contractual agreements made with us, our service providers take the necessary steps to ensure the promised level of protection, nevertheless, access by the US authorities to data processed in the USA cannot be ruled out.
Prior to using these services, we therefore ask for your consent to the processing of data in the USA.
3. LEGAL BASIS AND DURATION OF STORAGE
In the case of concluded contracts and enquiries, personal data is processed because this is necessary in order to fulfil the contract in question or to process the relevant enquiry (Art. 6(1)(b) EU GDPR).
Your contact details are processed for the purpose of direct advertising via email or telephone only with your consent under the terms of Art. 6(1)(a) EU GDPR.
In other respects, we process your personal data on the basis of our overriding legitimate interest in achieving the purposes stated in this Policy (Art. 6(1)(f) EU GDPR).
In general, we store data which you have provided to us exclusively for customer care or for marketing and information purposes until the expiry of a period of three years following our last contact. However, if you so wish, we will delete your data prior to expiry of the above period, provided there exists no legal obstacle to deletion.
When a contract is initiated or concluded, we process your personal data following completed contract processing until expiry of the guarantee, warranty and limitation period as well as the statutory retention periods by which we are bound, and furthermore until the conclusion of any legal disputes in respect of which such data is required as evidence.
On the basis of Art. 89(1) EU GDPR as well as Sec. 7(1) of the Austrian Data Protection Act, your contact details may be processed for scientific research purposes which, observing the principle of data minimisation, are not aimed at generating any personalised results. Under Sec. 7(1) clause 2 of the Austrian Data Protection Act, personal data is also processed for this purpose which has been legitimately obtained for other purposes (e.g. Art. 6(1)(b) EU GDPR). Unless otherwise expressly specified in law, the data is anonymised as soon as, for the purposes of the scientific work in question, no personal reference is any longer required.
4. HOSTING
Our websites are hosted by Abaton EDV-Dienstleistungs GmbH, Hans-Resel-Gasse 17, 8020 Graz. Our hosting service provider supplies us with IT infrastructure services, storage space, computing capacity, technical security services and maintenance services which we require in order to offer our web services on these websites. The processing of user data as part of these services is undertaken within the framework of our legitimate interests (Art. 6(1)(f) EU GDPR) in enabling the provision of our web services.
https://emuseum.schoenbrunn-group.com is hosted by Schloss Schönbrunn Kultur und Betriebsges.m.b.H., Schönbrunner Schlossstraße 47, 1130 Vienna. The IT infrastructure services, storage space, computing capacity, technical security services and maintenance services which we require in order to provide this website are supplied by us. Processing of user data in the context of this service is undertaken within the framework of our legitimate interests (Art. 6(1)(f) EU GDPR) in enabling the provision of our web services.
5. AUTOMATIC DATA COLLECTION
For technical reasons, the usage data transferred by a user's browser to the Schönbrunn Group includes the following:
- Browser type and version
- Operating system used
- Websites from which the user visits www.schoenbrunn-group.com, www.schoenbrunn.at, www.schoenbrunnmeetings.com, www.kindermuseumschoenbrunn.at, www.sisimuseum-hofburg.at, www.moebelmuseumwien.at, www.schlosshof.at, www.habsburger.net, ww1.habsburger.net, www.echocast.eu and emuseum.schoenbrunn-group.com (known as referrer URLs)
- Websites visited by the user
- Date and time of access
- Internet protocol (IP) address of the user's computer.
This data is stored separately from any user data communicated (in particular name, address, telephone number, email address, language) and is analysed for statistical purposes in order to optimise the web presence and services offered by www.schoenbrunn-group.com, www.schoenbrunn.at, www.schoenbrunnmeetings.com, www.kindermuseumschoenbrunn.at, www.sisimuseum-hofburg.at, www.moebelmuseumwien.at, www.schlosshof.at, www.habsburger.net, ww1.habsburger.net, www.echocast.eu and emuseum.schoenbrunn-group.com (for more details, see below).
6. DATA PROCESSING
6.1 DURING THE ORDER PROCESS (GROUP RESERVATIONS), THE FOLLOWING PERSONAL DATA IS REQUESTED:
Name, address, telephone number, email address, date and time of visit, language, age (adult or child ticket), membership of a family or group (in the case of family, student and group tickets).
The personal data communicated during order processes is exclusively used for purposes of contract processing (Art. 6(1)(b) EU GDPR); payment information is protected through encryption and used only for payment processing.
6.2 THE FOLLOWING DATA IS COLLECTED WHEN USING CONTACT FORMS AND PARTICIPATING IN COMPETITIONS (ART. 6(1)(b) EU GDPR):
Name, email, and possibly also telephone number and/or postal address. This data is exclusively used in order to respond to contact requests and in order to operate the competition in question.
6.3 THE FOLLOWING DATA IS COLLECTED WHEN REGISTERING FOR NEWSLETTERS AND CORPORATE MAGAZINES (Art. 6(1)(a) EU GDPR):
Name, and in the case of newsletters, email address, as well as postal address for corporate magazines. This data is used exclusively for sending newsletters or corporate magazines ordered.
Our newsletters are always sent out on a double opt-in basis, i.e. after registering for a newsletter, newsletter recipients will then receive a separate confirmation email enabling them to complete newsletter registration.
6.4. PRESS ACCREDITATION (Art. 6(1)(b) EU GDPR)
In addition to general contact information, press credentials, media title, work title, a brief project description and the planned publication date must be provided.
6.5. ONLINE RESERVATIONS BY EVENT ORGANISERS (ART. 6(1)(b) EU GDPR)
In addition to general contact information, the event organiser must provide their PIN.
6.6. TOUR GUIDE ACCREDITATION (ART. (6)(1)(b) EU GDPR)
In addition to general contact information, the tour guide's passport photo and credentials must be provided.
6.7. ECHOCAST MEMBERSHIP ADMINISTRATION (ART. 6(1)(b)/(f) EU GDPR)
In addition to contact information (first name, surname and email address), during the account creation process for the login area at www.echocast.eu, additional data is also processed, such as date of birth, current employer, completed Echocast training, certifications and awards, recertifications, and validity periods.
Processing is undertaken for the purpose of contractual fulfilment (Art. 6(1)(b) EU GDPR) and for purposes of administration with cooperation partners (Art. 6(1)(f) EU GDPR, Recital 48). This data is exclusively processed within the European Union.
6.8. REGISTRATION WITH emuseum.schoenbrunn-group.com (ART. 6(1)(a) EU GDPR)
When creating an account in order to log into emuseum.schoenbrunn-group.com, contact information (first name, surname and email address) plus username are processed. Registration is always on a double-opt-in basis, i.e. you will receive a separate confirmation email for the purpose of completing registration. Data is used exclusively on this website and not passed on to third parties. Accounts not confirmed within 180 days are deactivated. Deactivated accounts not reactivated within 360 days are deleted.
6.9. TO ESTABLISH CONTACT FOR THE PURPOSE OF SCIENTIFIC RESEARCH (ART. 89 EU GDPR AND SEC. 7 OF THE AUSTRIAN DATA PROTECTION ACT)
For the purpose of sending out invitations to participate in scientific research projects, contact information (name and email address) is processed together with associated data relating to orders and visits (dates, times, visit tours).
7. COOKIES
Subject to your consent, the Schönbrunn Group uses cookies in order to provide services (Art. 6(1)(f) EU GDPR).
Cookies are small text files which a user's web browser places and stores on the user's computer. In addition to the data and technical information mentioned above, when you access our websites, subject to your consent, first party and third party cookies will be stored on your computer. These are small text files stored on your hard drive and assigned to the browser you are using.
The party that sets a cookie (in this case, either ourselves, or the third parties indicated below), is able to collect specific information. From our perspective, these cookies are needed firstly in order to recognise you as a website user, and secondly to make our services more user-friendly. Finally, we also use cookies for marketing purposes, to analyse usage and, where relevant, to provide you with targeted advertising.
There is a distinction between first party cookies, third party cookies and third party requests.
FIRST PARTY COOKIES
First party cookies are stored by us or our websites on your browser in order to offer you an optimised user experience. These consist in particular of functional cookies, such as shopping cart cookies.
THIRD PARTY COOKIES
Third party cookies are stored on your browser by a third party provider. These consist mainly of tracking or marketing tools which firstly analyse your user behaviour, and secondly offer the third party provider the opportunity to recognise you when you visit other websites. Retarget marketing, for instance, is generally based on the function of this type of cookie.
THIRD PARTY REQUESTS
Third party requests are all requests sent by you as the website user via our websites to a third party domain, for example, if you use social network plug-ins or the facilities offered by a payment service provider. In this case, although no cookies are stored on your browser, the possibility cannot be excluded that, as a result of your interaction, personal data will be sent to the third party provider in question. For this reason, in this Data Privacy Policy we set out below the tools and applications which we use.
8. ANALYSIS OF THE SCHÖNBRUNN GROUP'S WEB PRESENCE AND MARKETING TOOLS
WEB ANALYSIS USING MATOMO (FORMERLY PIWIK)
Scope of personal data processing:
On this website, we use the software "Matomo" (www.matomo.org), a service provided by InnoCraft Ltd., 150 Willis St, 6011 Wellington, New Zealand. The software places a cookie (text file) on your computer in order that your browser can be recognised on a second visit. If subpages of our websites are accessed, the following data is stored:
- User IP address, abbreviated by removing the last 2 bytes (anonymised)
- Subpage accessed and time of access
- The page from which the user accessed our website (referrer)
- Which browser, with which plug-ins, which operating system, and which monitor resolution are used
- Time spent on the website
- The pages visited from the accessed subpage.
The data collected via Matomo is stored on servers within the EU. No data is transferred to third parties.
Legal basis
The legal basis on which we process personal data using Matomo is Art. 6(1)(f) EU GDPR.
Purpose of data processing
We require the data in order to analyse user browsing behaviour and to obtain information on use of individual elements of our website. This enables us to continually optimise the website and improve user-friendliness. Our legitimate interest in these purposes is based on Art. 6(1)(f) EU GDPR. We use Matomo with the anonymisation function "Automatically Anonymize Visitor IPs". This anonymisation function abbreviates your IP address by 2 bytes in order to prevent attribution to you or to the web connection used by you. By anonymising your IP address, we are taking account of your interest in protection of your personal data. Data is never used to identify you personally and is not combined with other data.
Duration of storage:
Data is deleted once it is no longer required for our purposes.
Right to object
You can object to recording of your data in the manner as described above in three different ways:
1. You can reject all cookies on your browser. However, this will mean that you may no longer be able to use all of our website functions, such as those which require personal identification (shopping cart, orders, personal settings, etc.).
2. You can activate the setting "Do not track" in your browser. Our Matomo system is configured to observe this setting.
3. You can choose "opt-out" in the cookie settings at the bottom of the page. Your website visits will not be recorded by the web analysis tool. Please note that the Matomo deactivation cookie on the website will also be deleted if you remove the cookies stored in your browser. In addition, if you use another computer or another browser, you will need to repeat the deactivation procedure.
GOOGLE ADS
We use the services provided by Google Ads in order to draw attention to our attractive products and services with the help of advertisements on external websites. Using this tool, we can also establish precisely the role of individual advertising measures within specific campaigns. In this context, we aim to show you personalised advertising tailored to your interests and thereby achieve a fair calculation of advertising costs.
The advertisements you see displayed are placed by Google via so-called "ad servers". For this purpose, we use ad server cookies via which particular parameters, such as display frequency or user clicks, can be measured in order to determine the success of advertising campaigns. The way this works is that when you access our websites via a Google ad, Google Ads stores a cookie on your browser that generally expires after 30 days. This cookie does not serve to identify you personally, but to store the unique cookie ID, number of ad impressions per placement, last impression (relevant for post-view conversions) and opt-out information for analytical purposes.
In addition to taking the steps described above, you can also opt out of participation in the tracking process by deactivating cookies for conversion tracking, adjusting your browser settings to block cookies from the domain www.googleadservices.com or by permanently deactivating them in Firefox, Internet Explorer or Google Chrome browsers under the link www.google.com/settings/ads/plugin.
9. INTEGRATION OF SERVICES AND CONTENT OF THIRD PARTIES
We also place links to other websites on our own websites; this is for information purposes only. These third party websites are not subject to our control and are therefore not covered by the terms of this Data Privacy Policy. Clicking on a link may mean that the operator of the website in question will collect your personal data and process this data in accordance with the operator's own privacy policy, which may differ from our own. Please always ensure that you are informed of relevant data policies on the websites to which we provide links.
9.1. SOCIAL MEDIA
On our websites, we use integrated plug-ins from the social networks Facebook, Instagram, X (formerly Twitter) and YouTube exclusively in data protection mode, i.e. no information about website users is transferred to the social network in question, provided that only our websites are accessed. For this purpose, we use a two-stage process. Data is only transferred to third parties if users click on one of the icons displayed in the social media bar.
Social plug-ins from the following social networks are integrated into our websites:
- Instagram (Instagram from Meta, Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2 Ireland)
- Facebook (Facebook Inc. from Meta, Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2 Ireland)
- X (formerly Twitter) (X, Inc., 1355 Market St, Suite 900, San Francisco, CA 94103, USA).
- Pinterest Europe Ltd., Palmerston House, 2nd Floor, Fenian Street, Dublin 2, Ireland)
- YouTube (Google Inc., 901 Cherry Ave, San Bruno, CA 94066, USA)
If you click on a plug-in of one of the social networks listed above, it will be activated and, as described above, a connection will be established with the relevant network server.
When activating these plug-ins, you are also consenting to possible use in the USA of your personal data collected via the plug-ins (Art. 49(1)(a) EU GDPR).
This is relevant to the extent that, based on recent official decisions as well as case law of the Court of Justice of the European Union, the USA is evidenced as not having an adequate level of data protection (Case C-311/18, Schrems II). Here, it should be borne in mind that access by US authorities (FISA 0702) is not comprehensively restricted by law and does not require the approval of an independent body, and that no relevant legal remedies are available to data subjects in the event of infringements.
We have no influence on the scope and content of data transmitted to the respective operator of a social network as a result of clicking on the relevant plug-in, nor what data may subsequently be subject to access by US authorities.
If you would like to find out more about the nature, scope and purpose of data collected by the operators of the above social networks, we would recommend that you read the privacy policies of the social networks in question.
- www.facebook.com/about/privacy
- privacycenter.instagram.com/policy/
- twitter.com/en/privacy
- policy.pinterest.com/en
- policies.google.com/privacy
10. NEWSLETTER
We provide the option of subscribing to our free Newsletter. We require a valid email address in order to be able to send you the Newsletter.
We check using the email address entered by you during registration whether you wish to receive Newsletters. We do this by sending an email to the email address notified by you; you may then confirm receipt by clicking on the link provided. Once you have confirmed receipt of the email, you will be registered for our Newsletter (double opt-in).
When you first register for the Newsletter, we will store your email address, title, first name and surname, Newsletter selection, IP address, plus date and time of registration. This is done for security reasons to prevent a third party from misusing your email address and subscribing to our Newsletter without your knowledge. We will not collect or process any other data for Newsletter subscription purposes; your data will be used exclusively for sending the Newsletter.
You may unsubscribe from our Newsletter at any time. Information on how to unsubscribe can be found in the confirmation email and in each Newsletter.
11. USE OF ANALYSIS AND CRM TOOL SWAT.IO
In order to store, display and manage its website data, the Group uses the tool swat.io developed by the Viennese company "Die Socialisten" Social Software Development GmbH, Andreasgasse 6, Top1 1070 Vienna in connection with social media platforms Facebook, Pinterest, Instagram and X (formerly Twitter). "Die Socialisten" Social Software Development GmbH is directly subject to and bound by the terms of the EU GDPR. A corresponding data processing contract has been concluded.
The swat.io tool serves firstly customer service purposes, for example in connection with replying to user comments in the context of social media posts. Here, the username chosen by the user and used in connection with their comments on the particular social media platform is used. It is not possible to derive actual names or addresses using the swat.io tool.
In addition, the tool is also used for purposes of collective processing and planning of content on the above platforms. Finally, the tool enables the success of our posts on social media platforms to be assessed (the reach of a post, the extent of interaction with posts, etc.). In this context, however, data of individual users is not revealed. Use of this customer service and of content tools takes place within the framework of overriding legitimate interest (Art. 6(1)(f) EU GDPR).
12. YOUR RIGHTS
Under the EU General Data Protection Regulation and the Austrian Data Protection Act, as a data subject, you have the following rights and legal remedies available to you:
RIGHT OF ACCESS (ART. 15 EU GDPR)
As the data subject in relation to the data processing described above, as well as other data processing, you have the right to obtain confirmation as to whether or not personal data concerning you is being processed and, where this is the case, confirmation of the personal data in question. For your own protection – in order that no one can gain illegitimate access to your data – prior to granting access, we will verify your identity in an appropriate manner.
RIGHT TO RECTIFICATION (ART. 16 EU GDPR) AND ERASURE (ART. 17 EU GDPR)
You have the right to request without undue delay the rectification of inaccurate personal data and/or – taking into account the purposes of data processing – completion of incomplete personal data, as well as erasure of your data ("right to be forgotten"), provided the criteria of Art. 17 EU GDPR are fulfilled.
RIGHT TO RESTRICTION OF PROCESSING (ART. 18 EU GDPR)
Subject to the legal rules, you have the right to restriction of processing of all personal data collected. With effect from the time of the restriction request, such data will henceforth only be processed with your specific consent or to assert and enforce legal claims.
RIGHT TO DATA PORTABILITY (ART. 20 EU GDPR)
You may request the prompt and unrestricted transfer to you or to a third party of personal data which you have provided to us.
RIGHT TO OBJECT (ART. 21 EU GDPR)
On grounds relating to your own particular circumstances, you have the right to object at any time to the processing of your personal data as required for the purposes of our legitimate interests or the legitimate interest of a third party. Following your objection, your data will no longer be processed unless there exist compelling legitimate grounds for processing which override your interests, rights and freedoms or unless processing serves the assertion, exercise or defence of legal claims. You may object at any time to data processing for the purposes of direct advertising with future effect.
WITHDRAWAL OF CONSENT
If you have given specific consent to processing of your data, you may withdraw this consent at any time. Such withdrawal will affect the legitimacy of processing your personal data with effect from your corresponding notification.
If you seek a measure to assert your above rights under the EU GDPR, we are required to respond with regard to the measure requested and/or to accede to your request without undue delay at the latest within a period of one month following receipt of your request.
Within the framework of the law, we will respond free of charge and as swiftly as possible to all reasonable requests.
The Austrian Data Protection Authority has jurisdiction with regard to applications concerning a breach of the right of access or a breach of rights of confidentiality, correction or erasure.
The relevant contact details are as follows:
Austrian Data Protection Authority/Österreichische Datenschutzbehörde
Barichgasse 40-42
1030 Vienna
dsb@dsb.gv.at
VERSION DATED: OCTOBER 2023