Data Privacy Policy

Protection of the personal privacy and personally identifiable data of our Schladming-Dachstein Sommercard users is a top priority for us. Consequently, we process your data exclusively in accordance with statutory requirements (Regulation [EU] 2016/679 of the European Parliament and Council dated 27.04.2016 for the protection of natural persons pertinent to the processing of personally identifiable data, free movement of data, and repeal of directive 95/46/EEC [GDPR], Data Privacy Act 2018 [“DSG 2018”] and the Telecommunication Act 2021 [“TKG 2021”]).

Within the scope of this data privacy policy, we inform you about the processing of your personally identifiable data as well as your rights within the context of the Schladming-Dachstein Sommercard and Herbstcard (hereinafter referred to as: Sommercard). In particular, we inform you about what data is processed, who processes this data and/or has access to such data, which forms of data processing are required, which forms of data processing require your consent as well as how you can revoke such consent.
In addition to the Sommercard for guests, the following cards are also valid for the entire Sommercard season: “Vermieterkarte”, “Freizeitcard” as well as employee- and benefit cards. The included services and specific conditions of these cards vary from those of the guest Sommercard. Furthermore, these season cards are not issued by Sommercard hosts, but rather directly at the ARGE Schladming-Dachstein Sommercard office, or they can also be purchased online. The data privacy policy applies to the guest card and season cards.
This data privacy policy supplements the General Terms & Conditions of the Sommercard, to which we refer in particular with regard to the terms used (e.g. Sommercard host).

The responsible party for data privacy with respect to the Sommercard pursuant to Art 4 (7) GDPR is ARGE Schladming-Dachstein Card, Rohrmoosstraße 234, A-8970 Schladming.

Unless otherwise stipulated, the responsible party and the members of ARGE Schladming-Dachstein Sommercard are jointly responsible for the processing of your personally identifiable data consistent with Art 26 GDPR.

The responsible party and members of ARGE Schladming-Dachstein Sommercard have entered into agreements which include provisions pertaining to who bears responsibility for the various obligations addressed by GDPR. 

The responsible party is always available to you as a point of contact for any data privacy questions or concerns you might have with respect to the Sommercard. In particular, you may assert your rights consistent with GDPR (Pt. 7) against the responsible party. This in no way affects your opportunities to assert your rights against members of ARGE Schladming-Dachstein Sommercard.

The responsible party may be contacted by the following means:

Tel.: +43 (0) 3687 23310
Fax: +43 (0) 3687 23232
Email: info@schladming-dachstein.at 
Post: Rohrmoosstraße 234, A-8970 Schladming

A non-binding listing of current members of the ARGE Schladming-Dachstein Sommercard can be found on the website https://www.schladming-dachstein.at/de/Sommer/Sommercard/Datenschutz?#ARGE-Mitglieder. A nonbinding listing of current Sommercard hosts can be found on the Schladming-Dachstein website.

3.1.    Data Categories

Within the framework of Sommercard usage, the following personally identifiable data is processed:

3.1.1.    Basic Data

- Family name
- First name
- Gender (optional)
- Date of birth
- Nationality
- Primary or customary place of residence
- Arrival and departure dates
- Email address (optional)
- Consent to the General Terms & Conditions

3.1.2.    Usage Data

- Identification number (of the Sommercard)
- Sommercard usage data (Sommercard service providers where the card was used, time of use, etc.)
- Time period of use
- Usage frequency
- Use of the digital Sommercard

3.2.    Purpose and Legal Foundation of Data Processing 

3.2.1.    Collection and processing of basic data 

When processing a booking at a lodging establishment in the Schladming-Dachstein Region that is a designated Sommercard host, your data is collected in the guest registry in accordance with legal requirements and further transmitted to the responsible party pursuant to issuance of a Sommercard.

If you book your accommodation in an accommodation establishment in the Schladming-Dachstein vacation region that issues your Sommercard as a digital Sommercard, you will receive a message to the e-mail you have provided with a link to download the Schladming-Dachstein Sommercard app (hereinafter: app). You can use the app to create the digital Sommercard and use it on your smartphone etc.
The user is also entitled to install the app on their (mobile) device and to create use a digital Sommercard by scanning their physical Sommercard.

The legal foundation for this data processing is fulfillment of a legal obligation consistent with Art 6 (1) (c) GDPR, contractual fulfillment consistent with Art 6 (1) (b) GDPR as well as our legitimate interest consistent with Art 6 (1) (f) GDPR in improving the Sommercard through provision of a digital version.

3.2.2.    Collection and Processing of Usage Data 

If you utilize services associated with the Schladming-Dachstein Sommercard, the respective Sommercard service provider whom you have utilized will collect your usage data and share this with the responsible party.

The legal basis for this data processing is the fulfillment of the contract within the meaning of iSd Art. 6 para. 1 lit b GDPR, as the usage data is required for billing with the individual service partners.

3.2.3.    Advertising (without profiling)

The controller processes your basic data to send advertising, information and special offers. No profiling takes place for this type of advertising.

The legal foundation for this data processing is our legitimate interest consistent with Art 6 (1) (f) GDPR pursuant to provision of information, special offers and advertising related to the Schladming-Dachstein Region, in order to enhance customer loyalty within the framework of the Sommercard.

In order to provide many of the services which come within the scope of the Sommercard, the responsible party, the ARGE Schladming-Dachstein Sommercard and Sommercard hosts make use of various data-processing contractors consistent with Art 28 GDPR (e.g. IT service providers required for issuance of the Sommercard, transmission of data between responsible entities and ARGE Schladming-Dachstein Sommercard as well as Sommercard hosts, issuance of the digital Sommercard, storage of your data, the sending of information, suppliers, marketing research institutes etc.). The responsible party has entered into data-processing contracts with various data-processing companies. These contracts are continuously monitored with respect to their conformity with the most current data privacy laws as well as compliance with existing data privacy statutes on the part of the contractor. Contractors process your personally identifiable data exclusively at the direction of the responsible party and only insofar as this is absolutely necessary in order to fulfill their contract. Your personal data will be deleted by the processor after termination of the cooperation with the respective processor. Any further processing of your personally identifiable data by the data-processing contractor is excluded.

The responsible party only avails itself (as circumstances permit) of data-processing contractors who are headquartered within the European Union and are subject to the provisions of the GDPR. If, under exceptional circumstances, the responsible party avails itself of the services of a data-processing contract from a third-party country (consistent with GDPR), less stringent data-privacy rules may potentially apply. Insofar as your personally identifiable data is processed in a country that does not possess data-privacy protections equivalent to those in the European Union, the responsible party ensures that your personally identifiable data is protected through appropriate contractual provi-sions or by means of other legally binding instruments.

Within the framework of processing the analog and digital Sommercard, we currently utilize the following contractors to collect and process personally identifiable data:

•    Feratel media technologies AG, FN 72841w, Laubichl 60, 5452 Pfarrwerfen, CardSystem to operate the Sommercard as well as collect basic data as well as data about utilization and usage 
•    Grizzly Creative GmbH, FN 281913 d, Mondscheingasse 6, 8010 Graz, provision of an app allowing usage of the digital Sommercard, collection of basic data and usage data

The security of your personally identifiable data is especially important to us. The responsible party, the members of ARGE Schladming-Dachstein Sommercard and the Sommercard, taking into account the current status of technology, implementation costs and the nature, scope, circumstances and purposes of processing as well as the probability and severity of risk with respect to the rights and freedoms of natural persons, adopt the following appropriate technical and organizational measures consistent with Art 32 GDPR in order to protect your data from loss, destruction, access, changes or processing by unauthorized persons:

• Encryption of personal data or anonymization of data after the preset storage period has expired
• Safeguarding of confidentiality, integrity, availability and resiliency of systems and services within the context of processing;
• Ensuring rapid restoration of access to personally identifiable data in the event of a physical or technical incident;
• Implementation of a process to regularly monitor, analyze and evaluate the effectiveness of technical and organizational measures intended to assure the security of processing.

Please note that the responsible party, the members of ARGE Schladming-Dachstein Sommercard and the Sommercard hosts accept no liability for the disclosure of information due to errors not caused or attributable to them in the process of data transmission and/or unauthorized access by third-parties, e.g. hacker attacks.

6.1.    Basic Data

The responsible party and your lodging establishment in the Schladming-Dachstein Region, which is designated a Sommercard host, fundamentally store your basic data only for the duration of your stay and/or such time as your guest registration is submitted to the pertinent authorities. Furthermore, this data remains stored if it shall be necessary due to statutory retention require-ments (e.g. § 212 UGB and § 132 BAO) or for the conduct of litigation as may arise. For evidentiary purposes, your personally identifiable data may be processed until the expiration of applicable statutes of limitation insofar as this may be necessary within the framework of legal proceedings. As a rule, the applicable statute of limitations is 3 years.

6.2.    Usage Data

The responsible party fundamentally only stores your usage data and customer profile data for as long as your customer profile exists. Furthermore, this data continues to be stored if it is necessary to do so due to statutory retention obli-gations (e.g. § 212 UGB and § 132 BAO) or in the conduct of litigation as may arise. For evidentiary purposes, your data may be processed until expiration of statutes of invitations, insofar as this is necessary within the framework of legal proceedings. As a rule, the applicable statute of limitations is 3 years.

6.3.    Fundamental Data Storage Limits

In order to comply with fundamental data storage limits, the responsible party deletes your personally identifiable data – insofar as deletion does not contravene any compelling legal requirements – if you have no longer used the Sommercard after a period of more than 5 years.

According to GDPR, you enjoy the following rights which you may assert against the responsible party (or if necessary, the collective responsible entities):

7.1.    Right to Information (Art 15 GDPR) 

You have the right to demand a confirmation from the responsible party (or if necessary, the collective responsible entities) as to whether your personally identifiable data is being processed. Furthermore, you have the right to request additional information about the concrete purposes of processing, categories of personally identifiable data, recipients or the categories of recipients of personally identifiable data, duration of storage, the existence of a right to have your personally identifiable data deleted or corrected, the processing thereof restricted, the right to revocation, the existence of a right to complain as well as all available information about the origin of your data.

7.2.    Right to Correction (Art 16 GDPR)

You have the right to demand that the responsible party (or if necessary, the collective responsible entities) correct your personally identifiable data. This right encompasses the correction of inaccurate data and the supplementation of incomplete personally identifiable data.

7.3.    Right to Deletion (Art 17 GDPR)

You have the right to demand that the responsible party (or if necessary, the collective responsible entities) delete your personally identifiable data without delay, insofar as the reasons laid out in Art 17 (1) (a) through (f) GDPR are present and the processing of your personally identifiable data is not (no longer) required.

7.4.    Right to Restriction of Processing (Art 18 GDPR)

Furthermore, and subject to the requirements of Art 18 GDPR, you have the right to demand that the responsible party restrict the processing of your personally identifiable data.

7.5.    Right to Transferability (Art 20 GDPR)

You have the right to receive from the responsible party the personally identifiable data which you have supplied in a clearly structured, accessible format as well as the right to demand that said data be provided to another responsible party named by you.

7.6.    Right to Object (Art 21 GDPR)

In principle, you have the right to object to the processing of your personal data if we process it on the basis of our legitimate interest in accordance with Art. 6 (1) lit. f GDPR and the requirements of Art. 21 GDPR are met.

7.7.    Revocation of Consent Declarations (Art 7 GDPR)

You have the option to revoke consent declarations previously given to the responsible party at any time. By revoking your consent, the legality of any processing conducted prior to the moment of revocation shall remain unaffected.

7.8.    Right of Complaint

Furthermore, you may submit a complaint at any time to the Austrian Data Privacy Office (“Österreichische Datenschutzbehörde”), Barichgasse 40-42, 1030 Wien, Tel: +43 1 52 152-0, email: dsb@dsb.gv.at.

You may assert your rights with respect to the responsible party by means of the following contact channels:

Schladming-Dachstein Tourismusmarketing GmbH

Tel.: +43 (0) 3687 23310
Fax: +43 (0) 3687 23232
Email: info@sommercard.info; info@schladming-dachstein.at 
Post: Ramsauerstraße 756, A-8970 Schladming