Data Protection Declaration
Personal user data (for instance name, e-mail address…) is processed by the Schloss Schönbrunn Kultur- und Betriebsgesellschaft mbH (in the following “Schönbrunn Group"), solely according to the provisions of the Austrian Data Protection Law and the GDPR General Data Protection Regulation.
In the following we provide you with detailed information on the scope and purpose of our data processing and your rights as the party affected by the data processing. Please read our Data Protection Declaration very carefully before you continue using our website and if necessary give your consent to a data processing procedure.
1. Data controller and contact
The data controller is:
Schloss Schönbrunn Kultur- und Betriebsgesellschaft mbH
Schloss Schönbrunn, Kavalierstrakt
2. Person-related Data
The use of our website is possible in principle without specification of person-related data. However, in order to use individual services deviating rulings may result, which we wish to point out separately.
Therefore as a matter of principle we only register and store the data – apart from the cookies described in detail below – that you yourself communicate to us by your adding it to our input masks or by your actively interacting with our website in some other way.
Person-related data includes all information that relate to an identified or identifiable individual person. It includes for instance your name, your address, your telephone number or your date of birth, also your IP address or geolocation data, which allow statistical inferences about you.
Person-related data that go beyond the information stored via the cookies described below is processed by us only if you voluntarily tell us of this, for instance when you register with us, when you enter into a contractual relationship with us, or otherwise enter into contact with us. This only concerns contact data and information on the matter you wish to communicate to us.
We use the person-related date specified by you exclusively within the framework of fulfilment of the relevant purpose of the processing as legally required (especially according to Art. 6 EU-GDPR; for instance the sending of advertising material and information material to existing clients.
Data processing takes place in particular in the following cases:
- processing of contracts between our ticket shop and also our online shop (Art. 6  lit. b. GDPR)
- answering questions (Art. 6  lit. b. GDPR)
- for marketing purposes (Art. 6  lit. a. or f. GDPR)
- for optimising our web presence and our services. (Art. 6  lit. f. GDPR)
- for scientific research purposes. (Art. 89 GDPR and Sect. 2 para. 7 DSG)
Any use of your data going beyond this only takes place if you have expressly given your previous consent. You can withdraw your consent – as is explained in a more detailed form below – any time in the future.
In so far as we grant access to data to a third party within the scope of our processing (in particular order processors), this is done either based on legal permission (e.g. when data transfer to a third party and also to a payment service is required to fulfil the contract), or if you have consented, or if a legal obligation provides for this, or on the basis of our legitimate interests (e.g. in the use of web hosts, CRM tools, newsletter dispatch tools, etc.)
Do we transfer data to the USA?
We offer several services that involve or may involve the transfer of data to the USA. However, unless another justification exists such as the fulfilment of contractual obligations, in order to be able to use these services you will be required to consent to possible use in the USA of personal data collected via these services (Art. 49(1)(a) GDPR). Depending on the service in question, we obtain this consent either via our cookie banner or separately based on a corresponding declaration of consent immediately prior to use of the service offered.
Your consent is required since, based on recent official and judicial decisions as well as case law of the Court of Justice of the European Union, the USA is evidenced as not having an adequate level of data protection in the context of personal data processing (CJEU Case C-311/18, Schrems II). These official and judicial decisions take a critical view of how access by US authorities (FISA 0702) is not comprehensively restricted by law and does not require the approval of an independent body, and determine that no relevant legal remedies are available to data subjects in the event of infringements.
Apart from the contracts concluded with US service providers, we have no direct influence on access by US authorities to personal data transferred to service providers in the USA in the context of use of services. Even if we assume that, in accordance with the contractual agreements made with us, our service providers take the necessary steps to ensure the promised level of protection, nevertheless, access by the US authorities to data processed in the USA cannot be ruled out.
Prior to using these services, we therefore ask for your consent to the processing of data in the USA.
3. Legal Bases & Storage Duration
In the case of concluded contracts and queries, personal data is processed because this is required in order to fulfil the contract, or, as the case may be, to process the query (Art. 6  lit b GDPR – General Data Protection Regulation)
Your contact data is only processed for the purpose of direct advertising via e-mail or telephone with your permission according to Art. 6  lit a of the General Data Protection Regulation (“GDPR”).
Otherwise we process your personal data on the basis of our overriding legitimate interest, in order to achieve the purposes stated in this declaration (Art. 6  lit f GDPR).
We generally store data that you have made available to us exclusively for customer care, respectively marketing and information purposes until three years have elapsed since our last contact. If you do not wish this, we shall delete your data also before this term elapses, in so far as there is no legal hindrance preventing this.
In the case of a contract initiation or completion we process your person-related data after completed contract processing until the expiry of the guarantee, limitation and legal storage terms that apply to us, furthermore until the end of all possible legal disputes needing the data as evidence.
Your contact data is processed for the purpose of scientific research according to Art. 89 GDPR as well as Sect. 2 para. 7 (1) DSG. In regard to the principle of data minimisation, the goal is not to obtain results in a form relating to specific data subjects. According to Sect. 2 para. 7 (1) lit. 2. DSG, the controller may process personal data that has been lawfully collected for other purposes (e.g. Art. 6  lit. b. GDPR) . The data we process is anonymised as soon as it is no longer required for the purpose of scientific research and so far as there is no legal hindrance preventing this.
Our website is hosted by Abaton EDV-Dienstleistungs GmbH, Hans-Resel-Gasse 17, 8020 Graz. Our host provider provides us with the IT infrastructure services, disk space, computing capacity, technical security and maintenance services that we need to cover the range of options of this web presence. The user data is processed in the context of these services within the framework of our legitimate interests (Art. 6  f GDPR) in enabling the provision of our online services.
5. Automatic data acquisition
For technical reasons, the usage data that a user’s Internet browser transfers to Schloss Schönbrunn, Hofburg Wien, Hofmobiliendepot and Schloss Hof includes the following:
- browser type and version;
- operating system being used;
- website from which the user visits WWW.SCHOENBRUNN-GROUP.COM, WWW.SCHOENBRUNN.AT, WWW.SCHOENBRUNNMEETINGS.COM, WWW.KINDERMUSEUMSCHOENBRUNN.AT/, WWW.HOFBURG-WIEN.AT, WWW.SISIMUSEUM-HOFBURG.AT, WWW.HOFMOBILIENDEPOT.AT, WWW.MOEBELMUSEUMWIEN.AT, WWW.SCHLOSSHOF.AT, WWW.HABSBURGER.NET, ww1.habsburger.net (referer URL)
- website visited by the user;
- date and time of access;
- Internet protocol (IP) address of the user’s computer.
This data is stored separate from any user data communicated (in particular name, address, telephone number, e-mail address, language) and is evaluated for statistical purposes in order to optimise the Internet presence and services at WWW.SCHOENBRUNN-GROUP.COM, WWW.SCHOENBRUNN.AT, WWW.SCHOENBRUNNMEETINGS.COM, WWW.KINDERMUSEUMSCHOENBRUNN.AT/, WWW.HOFBURG-WIEN.AT, WWW.SISIMUSEUM-HOFBURG.AT, www.hofmobiliedepot.at, WWW.MOEBELMUSEUMWIEN.AT , WWW.SCHLOSSHOF.AT, www.habsburger.net and ww1.habsburger.net (for more details, see below).
6. Data Processing
6.1 During the ordering process, the following personal data is requested:
name, address, telephone number, e-mail address, language, age (adult or children’s ticket), membership of a family or group (for family, student, group tickets). For press accreditations the medium, working title and short description of the project must be stated. For online reservations by event organisers the event organiser’s PIN must be stated.
The personal data notified in the course of the order processing is used exclusively for contract processing (Art. 6  lit b GDPR); payment information is protected by encryption and used solely for the payment management.
6.2 The following data is acquired when using contact forms and participation in competitions (Art 6  b GDPR):
name, e-mail, telephone number if needed, postal address if needed. This data is used exclusively for the reply to the contact and to manage the competition in question.
6.3 In registering for newsletters and company newspapers, the following data is acquired (Art. 6  a GDPR):
name; e-mail address for newsletters and the postal address for company newspapers. This data is used exclusively for despatching the ordered newsletters / company magazines.
Our newsletters is only sent after a double opt-in, i.e., after registering in our newsletter list you will receive another, separate confirmation e-mail in order to conclude the registration for the newsletter.
6.4. Press accreditation (Art. 6  lit. b. GDPR)
Besides the general contact information, press credentials, the respective medium, work title, short description of the project and planned publication date must be specified.
6.5. Online reservations of organisers (Art. 6  lit. b. GDPR)
Besides the general contact information the organiser’s PIN must be specified.
6.6. Tourist guide accreditation (Art. 6  lit. b. GDPR)
Besides the general contact information passport photo and tourist guide credentials are to be specified
6.7. To establish contact for the purpose of scientific research (Art. 89 GDPR and Sect. 2 para. 7 DSG)
For the purpose of sending out invitations to take part in scientific research projects personal contact data (name, e-mail address) is processed in combination with order and visitation data (date, time and tour of visit).
Cookies are small text files that the user’s Internet browser places and stores on his or her computer.
Supplementing the aforementioned data and technical information, first and third party cookies are stored on your computer when using our website with the corresponding consent; these are small text files that can be stored on your hard disk assigned to the browser you use.
Basically we can distinguish between first party cookies, third party cookies and third party requests:
First party cookies
First party cookies are stored by us ourselves or our website on your browser in order to offer you an optimal user experience. In particular they tend to be functional cookies, for instance shopping basket cookies.
Third party cookies
Third party cookies are stored by a third provider on your browser. They mostly concern tracking or marketing tools that on one hand evaluate your user behaviour and on the other offer the third provider the option of recognising you again on other websites you may visit. Retarget marketing, for example, is generally based on the function of this type of cookie.
Third party requests
Third party requests concern all questions that you as website user of our website put to a third party – for instance if you activate social networks with plug-ins or use the options offered by a payment service. In this case, although cookies are not stored on your browser, it cannot be excluded that through the interaction, person-related data is sent to this third provider. For this reason we inform you in detail in of our Data Protection Declaration about the tools and applications we use.
8. Analysis of the Schönbrunn Group's Internet Presence and Marketing Tools
On our websites, we use various web analysis and marketing tools provided by Google. You can prevent the installation of cookies from Google in a number of ways, including in particular by opting out in the cookie banner when visiting our website, or by adjusting your browser software settings.
Details on how to opt out can be found in the description of the tool in question, the first time you visit one of our websites. Please note that, by rejecting cookies, you may not be able to make full use of all website functions. Based on the web analysis and marketing tools used by us and described below, with your consent your browser will automatically establish a direct connection to the Google server. We have no influence over the scope of information transferred in this context, nor over subsequent use of data by Google. We set out for each of the tools our own understanding of the scope and purposes of processing.
If you are a registered user of a Google service, Google will be able to assign your website visit to your account. However, even if you are not registered with Google or are not logged in, the possibility still exists that the provider will identify and store your IP address.
Further information on the purpose and scope of data collection and processing by Google, as well as further information on your related rights and available settings may be obtained from: Google Inc., 1600 Amphitheater Parkway, Mountain View, California 94043, USA. Google also processes data in the USA, and for this reason, in order to ensure suitable guarantees of legally-compliant data processing within the meaning of the GDPR, we have firstly concluded so-called "standard contractual clauses" with Google, and secondly, we ask for your consent under Art. 49 GDPR before your personal data is transferred to the USA.
The above standard data protection clauses generally set out in precise terms how Google undertakes the transfer and processing of data. Details may be found at paragraph 2, PERSONAL DATA: "Do we transfer data to the USA?", as well as at:
b. We use the services provided by Google Ads in order to draw attention to our attractive products and services with the help of advertisements on external websites. Using this tool, we can also establish precisely the connection between individual advertising measures and specific campaigns. In this context, we aim to show you personalised advertising tailored to your interests and thereby achieve a fair calculation of advertising costs.
The advertisements you see displayed are placed by Google via so-called "ad servers". For this purpose, we use ad server cookies via which particular parameters, such as display frequency or user clicks, can be measured in order to determine the success of advertising campaigns. The way this works is that when you access our websites via a Google advertisement, Google Ads stores a cookie on your browser that generally expires after 30 days. This cookie does not serve to identify you personally, but in order to store the unique cookie ID, number of ad impressions per placement, last impression (relevant for post-view conversions) and opt-out information for analytical purposes.
In addition to taking the steps described above, you can also opt out of participation in the tracking process by deactivating cookies for conversion tracking, adjusting your browser settings to block cookies from the domain "www.googleadservices.com" or by permanently deactivating them in Firefox, Internet Explorer or Google Chrome browsers under the link WWW.GOOGLE.COM/SETTINGS/ADS/PLUGIN.
9. Integration of Services and Content of Third Parties
9.1. SOCIAL MEDIA
On our websites, we use integrated plug-ins from the social networks Facebook, Instagram, Twitter and YouTube exclusively in data protection mode, i.e. no information about website users is transferred to the social network in question, provided that only our websites are accessed. For this purpose, we use a two-stage process. Data is only transferred to third parties if users click on one of the icons displayed in the social media bar.
Social plug-ins from the following social networks are integrated into our websites:
Instagram (Instagram from Meta, Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2 Ireland)
Facebook (Facebook Inc. from Meta, Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2 Ireland)
Twitter (Twitter, Inc., 1355 Market St, Suite 900, San Francisco, CA 94103, USA).
Pinterest Europe Ltd., Palmerston House, 2nd Floor, Fenian Street, Dublin 2, Ireland)
YouTube (Google Inc., 901 Cherry Ave, San Bruno, CA 94066, USA)
If you click on a plug-in of one of the social networks listed above, it will be activated and, as described above, a connection will be established with the relevant network server.
When activating these plug-ins, you are also consenting to possible use in the USA of personal data collected via the plug-ins (Art. 49(1)(a) GDPR).
This is relevant to the extent that, based on recent official decisions as well as case law of the Court of Justice of the European Union, the USA is evidenced as not having an adequate level of data protection (Case C-311/18, Schrems II). Here, it should be borne in mind that access by US authorities (FISA 0702) is not comprehensively restricted by law and does not require the approval of an independent body, and that no relevant legal remedies are available to data subjects in the event of infringements.
We have no influence on the scope and content of data transmitted to the respective operator of a social network as a result of clicking on the relevant plug-in, nor what data may subsequently be subject to access by US authorities.
If you would like to find out more about the nature, scope and purpose of data collected by the operators of the above social networks, we would recommend that you read the privacy policies of the social networks in question.
10. Newsletter Services
We provide the option of subscribing to our free Newsletter. We require a valid email address in order to be able to send you the Newsletter.
We check using the email address entered by you during registration whether you wish to receive Newsletters. We do this by sending an email to the email address notified by you; you may then confirm receipt by clicking on the link provided. Once you have confirmed receipt of the email, you will be registered for our Newsletter. (Double opt-in)
When you first register for the Newsletter, we will store your email address, title, first name and surname, Newsletter selection, IP address, plus date and time of registration. This is done for security reasons to prevent a third party from misusing your email address and subscribing to our Newsletter without your knowledge. We will not collect or process any other data for Newsletter subscription purposes; your data will be used exclusively for sending the Newsletter.
You may unsubscribe from our Newsletter at any time. Information on how to unsubscribe can be found in the confirmation email and in each Newsletter.
11. Use of the analysis and CRM tool swat.io
Schönbrunn Palace, the Sisi Museum, the Imperial Furniture Collection Vienna and the Schloss Hof Estate use the tool swat.io of the Vienna company ‘Die Socialisten’ Social Software Development GmbH, Andreasgasse 6, Top1 1070 Vienna for the storage, display and management of the data on its pages on the social media platforms Facebook, Pintarest, Instagram and Twitter.
‘Die Socialisten’ Social Software Development GmbH is directly subject and bound to the regime of the GDPR. A contract was drawn up for order data processing.
The swat.io tool firstly serves customer service purposes, thus assists us in answering user comments in the social media contributions. In this process, it deploys user names that are chosen by users on the relevant social medial platforms and whose comments are used. An inference as to real names and addresses is not possible with the swat.io tool.
In addition, the tool is used for purposes of the collective processing and planning of content on these platforms. Finally, the tool enables us to assess the success of our contributions on social media platforms (the range and scope of a contribution, the intensity of interaction it triggers, etc.). However, in the process it does not show individual users’ data. The use of this customer service and content tool is performed within the scope of an overriding legitimate interest (Art. 6  f GDPR).
12. Your rights
The following rights and entitlements of our data processing are available to you as affected person according to the basic directives on data protection and the Data Protection Law
Right of information (Art. 15 EU-GDPR)
As person affected by the data processing described above and other such processes, you are entitled to demand information whether, and if yes, which person-related data about you is being processed. For your own protection – so that no one receives unauthorised information about your data – we confirm your identity in the appropriate form before giving information.
Right of rectification (Art. 16) and erasure (Art. 17 EU-GDPR)
You have the right to demand without delay the rectification of incorrect person-related data relating to you and – taking the purposes of data processing into account – the completion of incomplete person-related data and also the erasure of your data, in so far as the criteria of Art. 17 EU-GDPR are fulfilled.
Right of restricting processing procedures (Art. 18 EU-GDPR)
You have the right according to legal prerequisites to restrict the processing of all collected person-related data. This data is then processed as of the restriction request only with your individual consent, or to validate and put legal claims into effect.
Right of data portability (Art. 20 EU-GDPR)
You can demand the prompt and unlimited transfer to you or to a third party of person-related data that you have made available to us.
Right of objection (Art. 21 EU-GDPR)
You can object any time for reasons arising from your special situation to the processing of your individual, person-related data, which is necessary to preserve our legitimate interests or those of a third party. Your data is no longer processed after the objection, unless there are cogent reasons for the processing procedure that are worthy of protection which override your interests, rights and freedoms, or the processing serves the validation, exercise and defence of our rights and claims. You can raise an objection any time against the data processing procedure for the purpose of direct advertising with effect for the future.
Withdrawal of consent
In case you have given consent separately to the processing of your data, you can cancel this at any time. Such a cancellation influences the admissibility of the processing of your person-related data, after you have expressed this to us.
If you take a measure to claim the aforementioned rights according to the GDPR, we are obliged to take position as regards the requested measure without delay, but at the latest within one month after receiving your request, respectively to act correspondingly to the request.
We shall react to all appropriate questions within the legal framework free of charge and that as promptly as possible.
With regard to requests, the data protection authority is responsible for infringement of the right of information, infringement of the rights of secrecy, rectification or erasure. Its contact details are as follows:
13. Data Transfer to Imperial Austria Palaces Service GmbH
Our ticketing system is handled by the Ticket Shop of Imperial Austria Palaces Service GmbH, whose headquarters are at our company location – Schloss Schönbrunn, Kavalierstrakt, 1130 Vienna. We are informed by Imperial Austria Palaces Service GmbH about ticket reservations made via WWW.IMPERIALTICKETS.COM.
Specifically, during this process we receive the following data: name, address, telephone number, e-mail address, language, age (adult or children’s ticket), membership of a family or group (for family, student, group tickets).
For press accreditations: the medium, working title and short description of the project must be stated.
For online reservations by event organisers: the event organiser’s PIN.
The personal data and contract data (contract subject, term, customer categories) notified in the course of the ordering process are used exclusively for contract processing; payment data is protected by encryption and used solely for payment management during the contract processing.
The use of the ticketing system is necessary for processing ticket reservations. We have entered into a contract for order data processing with Imperial Austria Palaces Service GmbH.
This data usage is based on Art. 6  b GDPR.
UPDATED AS AT: NOVEMBER 2022