Privacy Policy

As a tourism association, we process the personal data of our members, supporters, prospective customers, business partners, and other persons (collectively referred to as “data subjects”) where we maintain a membership or other business relationship with them and perform our duties, and where we are recipients of services, grants or contributions.

In addition, we process personal data with due care on the basis of our legitimate interests pursuant to Article 6(1)(f) GDPR, e.g. for administrative purposes or public relations activities.

The data processed in this context, as well as the nature, scope, purpose and necessity of the processing, are determined by the underlying membership or contractual relationship, which also establishes the obligation to provide certain data.

We delete data that is no longer required for the performance of our tasks under the Tiroler Tourismusgesetz (Tyrolean Tourism Act) or for other operational purposes. The applicable retention period is determined by the respective tasks and contractual relationships. Data is retained for as long as it remains relevant to business operations or for the purpose of addressing potential warranty or liability obligations, based on our legitimate interests in the clarification and settlement of such obligations. The necessity of retaining personal data is reviewed regularly. In all other cases, statutory retention periods apply. Please also refer to the section “General information on data storage and deletion”

Categories of data processed

• Member data (e.g. full name, company name, contact details including address, etc.)
• Contact data (e.g. postal addresses, email addresses or telephone numbers)
• Information relating to membership fees, participation in events, etc.)
• Payment data (e.g. bank details, invoices, payment history)
• Content data (e.g. text or image-based messages and posts, and related information)

Data subjects

• Members
• Communication partners
• Purposes of processing
• Safeguarding, promotion and representation of local and regional tourism interests in accordance with Section 3 of the Tiroler Tourismusgesetz (Tyrolean Tourism Act) 2006
• Communication
• Organisational and administrative procedures

Public relations and information purposes
This includes all business processes and operational procedures required for these purposes. 

Legal bases
Legitimate interests (Article 6(1)(f) GDPR); Legal obligation (Article 6(1)(c) GDPR).

Further information on processing activities, procedures and services:

Membership administration
Procedures required for member administration include the acquisition and admission of new members, the development and implementation of member retention measures, and ensuring effective communication with members. These activities involve the careful collection and maintenance of member data, the regular updating of member information, and the management of membership contributions, including invoicing and settlement.
Legal bases
Legitimate interests (Article 6(1)(f) GDPR), Membership contract (articles of association) (Article 6(1)(b) GDPR).

Contribution management
Processing activities required for managing membership fees include recording contribution data upon admission of a member, tracking membership payments and systematically updating payment status, processing payment transactions, handling reminders for overdue payments, reconciling accounts in the context of receivables and payables, and maintaining the relevant books and records.

Legal bases
Legal obligation (Article 6(1)(c) GDPR), Legitimate interests (Article 6(1)(f) GDPR), Membership contract (articles of association) (Article 6(1)(b) GDPR).
 

Events and organisational operations

• Planning, execution, and follow-up of events, as well as the general management of statutory activities.
• Planning includes the collection and processing of participant data, coordination of logistical requirements, and determination of the event agenda.
• Implementation includes managing participant registration, updating participant information during the event, and recording attendance and participant activities.
• Post-event follow-up includes analysing participant data to evaluate event success, preparing reports, and archiving relevant event information.
• General organisational operations include managing member data, communicating with members and prospective members, and organising internal meetings and sessions.

Legal bases

• Legitimate interests (Article 6(1)(f) GDPR),
• Membership contract (articles of association) (Article 6(1)(b) GDPR).

Public relations
Processing activities include creating and distributing informational materials, maintaining contact data for press and media relations, and organising and conducting press conferences and public events.
The creation of informational materials involves gathering and preparing information for press releases, newsletters, reports, and other publications.
Distribution takes place via digital and traditional channels, including email distribution lists, websites, and social media. The maintenance of contact data includes collecting and updating data relating to media contacts and other relevant stakeholder groups.
The organisation of press conferences and events includes the planning and execution of these events, managing invitations, and coordinating event logistics.
Interaction with media and stakeholder groups takes place through direct communication with journalists, bloggers, and other opinion leaders, by responding to enquiries, and by providing information.

Legal bases

• Legitimate interests (Article 6(1)(f) GDPR),
• Membership contract (articles of association) (Article 6(1)(b) GDPR)

The personal data of service recipients and clients, business partners, and other third parties is processed in the context of contractual and comparable legal relationships, as well as in connection with pre-contractual measures such as the initiation of business relationships. This processing supports and facilitates business operations in areas such as customer management, sales, payment processing, accounting, and project management.

The collected data is used to fulfil contractual obligations and to ensure efficient and effective business processes. This includes the processing of business transactions, the management of customer relationships, the optimisation of sales strategies, and the management of internal accounting and financial processes. 

In addition, the data supports the protection of the controller’s rights and facilitates administrative tasks and the organisation of the company.

Personal data may be disclosed to third parties where this is necessary to fulfil the specified purposes or to comply with legal obligations. Data is deleted once statutory retention periods have expired or when the purpose of processing no longer applies. This also includes data that must be retained for longer periods in order to comply with tax, accounting, or other legal documentation requirements.

Categories of data processed:

• Account data (e.g. full name, residential address, contact information, customer number, etc.);
• payment data (e.g. bank details, invoices, payment history);
• contact data (e.g. postal addresses, email addresses or telephone numbers);
• content data (e.g. text or image-based messages and posts, and related information such as authorship details and creation timestamps);
• contract data (e.g. subject of the contract, contract duration, customer category);
• usage data (e.g. page views, time spent on pages, click paths, usage frequency and intensity, device types and operating systems used, interactions with content and functions);
• metadata,
• communication data and
• procedural data (e.g. IP addresses, timestamps, identifiers, persons involved);
• log data (e.g. log files relating to logins, data retrieval or access times).

     

Categories of data subjects:

• Service recipients and clients;
• prospective customers;
• communication partners;
• business and contractual partners;
• third parties; users (e.g. website visitors, users of online services);
• employees (e.g. staff members, applicants, temporary workers and other personnel);
• clients and customers.

 

Purposes of processing: Performance of a contract and provision of contractual services; office and organisational procedures; business processes and business management; communication; marketing; sales promotion; public relations; financial and payment management; security measures; IT infrastructure (operation and provision of information systems and technical equipment such as computers, servers, etc.).

Retention and deletion: Deletion is carried out in accordance with the section “General information on data storage and deletion”.
Legal bases: Performance of a contract and pre-contractual measures (Article 6(1)(b) GDPR); Legitimate interests (Article 6(1)(f) GDPR); Legal obligation (Article 6(1)(c) GDPR).

Further information on processing activities, procedures and services:

Customer management and customer relationship management (CRM):
Processes required in the context of customer management and customer relationship management (CRM) (e.g. collecting prospective customer data in compliance with data protection regulations, implementing measures to promote customer retention and loyalty, ensuring effective customer communication, handling complaints and providing customer service in accordance with data protection standards, managing and analysing data to support customer relationships, administering CRM systems, maintaining secure account management, and performing customer and audience segmentation).
Legal bases: Performance of a contract and pre-contractual measures (Article 6(1)(b) GDPR); Legitimate interests (Article 6(1)(f) GDPR).

Contact management and maintenance: Procedures necessary for organising, maintaining, and securing contact information (e.g. establishing and maintaining a central contact database, regularly updating contact information, monitoring data integrity, implementing appropriate data protection measures, ensuring access controls, performing backups and restoring contact data, training employees in the effective use of contact management software, regularly reviewing communication history, and adapting contact strategies).
Legal bases: Performance of a contract and pre-contractual measures (Article 6(1)(b) GDPR); Legitimate interests (Article 6(1)(f) GDPR).
 
General payment transactions: Procedures necessary for processing payments, monitoring bank accounts, and controlling payment flows (e.g. creating and verifying transfers, processing direct debits, reviewing bank statements, monitoring incoming and outgoing payments, managing chargebacks, reconciling accounts, and cash management).
Legal bases: Performance of a contract and pre-contractual measures (Article 6(1)(b) GDPR); Legitimate interests (Article 6(1)(f) GDPR).
 
Accounting, accounts payable, accounts receivable: Processes necessary for recording, processing, and monitoring business transactions in the areas of ​​accounts payable and accounts receivable (e.g. creating and verifying incoming and outgoing invoices, monitoring and managing outstanding items, processing payments, handling dunning procedures, reconciling accounts in relation to receivables and payables, and maintaining accounts payable and accounts receivable records).
Legal bases: Performance of a contract and pre-contractual measures (Article 6(1)(b) GDPR); Legal obligation (Article 6(1)(c) GDPR); Legitimate interests (Article 6(1)(f) GDPR).
 
Financial accounting and taxes: Processes necessary for recording, managing, and monitoring financially relevant business transactions, as well as for calculating, reporting, and paying taxes (e.g. posting and recording transactions, preparing quarterly and annual financial statements, processing payments, handling dunning procedures, reconciling accounts, tax advisory measures, preparing and filing tax returns, and managing tax matters).
Legal bases: Performance of a contract and pre-contractual measures (Article 6(1)(b) GDPR); Legal obligation (Article 6(1)(c) GDPR); Legitimate interests (Article 6(1)(f) GDPR).
 
Purchasing: Processes necessary for procuring goods or services (e.g. supplier selection and evaluation, price negotiations, order placement and monitoring, inspection and control of deliveries, invoice verification, order management, inventory management, and the creation and maintenance of purchasing policies).
Legal basis: Performance of a contract and pre-contractual measures (Article 6(1)(b) GDPR); Legitimate interests (Article 6(1)(f) GDPR).
 
Processes necessary for marketing, advertising, and sales promotion (e.g. market analysis and target group definition, development of marketing strategies, planning and execution of advertising campaigns, design and production of advertising materials, online marketing including SEO and social media campaigns, event marketing and trade fair participation, customer loyalty programmes, sales promotion measures, performance measurement and optimisation of marketing activities, budget management, and cost control).
Legal basis: Legitimate interests (Article 6(1)(f) GDPR)

Economic analyses and market research: For business and operational purposes, and in order to identify market trends as well as the needs and preferences of contractual partners and users, available data relating to business transactions, contracts, enquiries, etc. is analysed. The group of data subjects may include contractual partners, prospective customers, customers, visitors, and users of the controller’s online services. The analyses are conducted for business evaluation, marketing, and market research purposes (e.g. identifying visitor groups with different characteristics). Where available, profiles of registered users, including information on services used, may also be taken into account. The analyses are conducted exclusively for the controller’s internal purposes and are not disclosed externally, unless the results are anonymous and based on aggregated, i.e. anonymised, data. User privacy is respected at all times; data is pseudonymised for analysis purposes wherever possible and, where feasible, processed anonymously (e.g. in aggregated form).
Legal basis: Legitimate interests (Article 6(1)(f) GDPR).
 
Public relations: Processes necessary for public relations activities (e.g. developing and implementing communication strategies, planning and conducting PR campaigns, creating and distributing press releases, maintaining media contacts, monitoring and analysing media coverage, organising press conferences and public events, crisis communication, creating content for social media and company websites, and managing corporate branding).
Legal basis: Legitimate interests (Article 6(1)(f) GDPR).

Guest Wi-Fi: Processes necessary for establishing, operating, maintaining, and monitoring a wireless network for guests (e.g. installing and configuring Wi-Fi access points, creating and managing guest accounts, monitoring network connectivity, ensuring network security, troubleshooting connectivity issues, updating network software, and complying with data protection regulations).
Legal bases: Performance of a contract and pre-contractual measures (Article 6(1)(b) GDPR); Legal obligation (Article 6(1)(c) GDPR); Legitimate interests (Article 6(1)(f) GDPR).

Privacy Policy and information pursuant to Article 13 of the General Data Protection Regulation (GDPR) for applicants

The controller responsible for processing your data is:

Tourismusverband Innsbruck und seine Feriendörfer
Burggraben 3
A-6020 Innsbruck
Austria
office@innsbruck.info

If you have any questions regarding data protection, you may contact our Data Protection Officer at the above address or at dsb@innsbruck.info.

General information

When you enter personal data or upload documents via our application portal as part of an online application for a job posting, this is done via an encrypted platform.

Within our organisation, your data will only be accessed by employees of the Human Resources department and the responsible managers involved in the applicant selection process.

If you submit an application for an advertised position or an unsolicited application via other channels, e.g. by email to jobs@innsbruck.info, your application is just as welcome and will be processed internally in accordance with the same principles. Naturally, all employees are bound by confidentiality obligations, and data processing is carried out in accordance with applicable security standards and the GDPR.

Data processing

Applications are generally processed electronically, and we distinguish between the following data categories:
 

• Identification data
• This includes the personal information you provide, such as your full name, address, contact details, etc.
• Application content data

This includes data that expresses your interest in one or more positions with us, information about your professional background, skills, qualifications, experience, etc., which we obtain from your cover letter or CV.


Other documents
Additional documents that you provide may include proof of your qualifications, employment certificates and references, letters of recommendation, etc. We expressly advise you not to send us copies of identification documents or criminal record certificates. These will be destroyed immediately because we have no legal basis under the GDPR to store them. Should it be necessary to review such documents in specific cases, for example to verify that you hold a valid driver’s licence, we will request that you present them during your interview. Even then, no copies will be made.
'
If the other documents include sensitive personal data (which the GDPR refers to as “special categories of data”), these will also be deleted immediately if there is no legal basis for processing them.

Purpose of data processing

Legal basis
By submitting a job application, you express your intention to enter into an employment relationship with us. We process your personal data for this purpose. Processing is therefore based on Article 6(1)(b) GDPR for the performance of pre-contractual measures during the application process, for establishing an employment relationship, or for issuing a rejection if we are unable to offer you an employment contract.

If your application is successful, the data you provided may be used for the purposes of the employment relationship. If your application is not successful, we may offer to retain your application on file for a maximum of two years. During this period, we may contact you if a suitable employment opportunity arises. In this case, processing after the initial application process is based on your explicit consent pursuant to Article 6(1)(a) GDPR. You therefore have the right at any time to request that we remove your application documents from our records and delete them. Such consent must be given explicitly; it is not automatically granted with your application.

Transfer of your personal data

Personal data processed in this context will generally not be disclosed to third parties. Exceptions apply only where we are legally obligated or authorised to do so. In specific cases, this may include specialised recruitment consultancies that assist us with personnel selection, or legal advisers for the defence or enforcement of legal claims, all of whom act as independent data controllers, as well as IT service providers with whom we have entered into data processing agreements pursuant to Article 28 GDPR.

Data retention periods and deletion of your personal data
Application documents are permanently deleted seven months after an application is rejected. If, despite a preliminary rejection, you accept our invitation and consent to us retaining your application data in our records, we will delete this data automatically after a maximum of two years without further notice, provided that we have not entered into an employment relationship with you by that time. If no employment relationship is established, you may withdraw your consent to the continued storage of your data in our application records at any time without providing reasons. The documents will then be deleted immediately after the seven-month retention period has expired.

Information about your rights as a data subject

Articles 15 to 21 of the GDPR outline the rights of data subjects. These are:
 

• Right of access and rectification
  You have the right to obtain information about the personal data we process about you at any time. If the data is no longer correct or is incomplete, you have the right to request rectification or correction. Please inform us of this immediately. Where we have shared your data with third parties, we will also inform them of your request for access where there is a legal obligation to do so.
  •  Your right to erasure of your personal data'
    You have the right to request the erasure of your personal data where at least one of the following grounds applies:      
    • The purpose for which we collected the personal data no longer exists and we are no longer subject to any statutory retention periods.
    • The processing was based on consent and you have withdrawn this consent, insofar as no other legal basis for the processing applies.
    • You object to the processing and there are no overriding legitimate grounds for the processing.
    • Your personal data has been unlawfully processed.
    • There is a legal obligation to erase your data.                               

         
      

Your right to request the restriction of processing of your personal data

You have the right to request the restriction of processing of your data where one of the following grounds applies:

• The accuracy of your personal data stored by us is contested and we have had the opportunity to verify its accuracy.
• The processing is unlawful and, instead of requesting erasure, you request the restriction of use.
• We no longer need your data for processing purposes.
• You have objected to the processing and it has not yet been determined whether your interests override ours.

 

Your right to object to data processing

You have the right to object to the processing of your personal data, including where such processing is carried out lawfully. If you object, we will no longer process your data for the specified purposes unless we can demonstrate compelling legitimate grounds for the processing which override your interests, e.g. processing is required for exercising or defending a legal claim. The objection may be submitted informally.
 

Your right to data portability

You have the right to receive personal data that you have provided to us, and that we process by automated means, in a structured, machine-readable, and portable format*), provided that no legal or confidentiality obligations prevent this.
*) Documents submitted to us in PDF format or scanned by us will be provided in PDF format.
 
Your right to lodge a complaint
If you are not satisfied with our response to a request, you may contact our Data Protection Officer at dsb@innsbruck.info or, of course, lodge a complaint with the competent supervisory authority. The Austrian Data Protection Authority (Österreichische Datenschutzbehörde), Barichgasse 40-42, A-1030 Vienna, Austria, is responsible.

Information pursuant to Article 13 of the General Data Protection Regulation (GDPR)

We process personal data provided in connection with registration and participation in the General Assembly solely for the purpose of organising and conducting the event, which must be convened in accordance with Section 9 of the Tyrolean Tourism Act.''

Accordingly, processing is carried out on the basis of a legal obligation (Article 6(1)(c) GDPR) to which we are subject and/or our legitimate interests in ensuring the smooth and efficient conduct of the event (Article 6(1)(f) GDPR).

Registration data will be shared only with our data processors and will be retained for a period of three years from the date of the event, after which it will be deleted. Under the GDPR, you have data subject rights (right of access, rectification, erasure, restriction of processing, data portability, and the right to object). These rights may be exercised against the data controller, i.e. us. 

If you have any questions regarding data protection or data security, you may contact our Data Protection Officer or exercise your right to lodge a complaint with a data protection authority of your choice.

Contact:

Controller: office@innsbruck.info
Data Protection Officer: dsb@innsbruck.info

General information on data protection can be found on our Privacy Policy page.

When participating in a competition or survey offered on one of our websites, personal data (first name, last name, email address) is collected. By participating in the competition or survey, the user gives his conclusive consent pursuant to Art 6 para 1 lit a DSGVO that his entered, personal data will be stored by the operator and used for the implementation of the competition or survey and for the determination and notification of winners.

They will be stored for the duration of the sweepstakes - but for a maximum of 36 months thereafter and then deleted. By participating, the user agrees that his or her name may be published on this website and on the public social media channels of Innsbruck and its vacation villages (Facebook, Instagram, etc.) in the event of winning. Additional conditions and data processing may be displayed separately for some sweepstakes or surveys and may supplement this point.

When participating in a competition or survey offered on one of our websites, personal data (first name, last name, email address) is collected. By participating in the competition or survey, the user gives his conclusive consent pursuant to Art 6 para 1 lit a DSGVO that his entered, personal data will be stored by the operator and used for the implementation of the competition or survey and for the determination and notification of winners.

They will be stored for the duration of the sweepstakes - but for a maximum of 36 months thereafter and then deleted. By participating, the user agrees that his or her name may be published on this website and on the public social media channels of Innsbruck and its vacation villages (Facebook, Instagram, etc.) in the event of winning. Additional conditions and data processing may be displayed separately for some sweepstakes or surveys and may supplement this point.