DATA PROTECTION POLICY AND LEGAL INFORMATION

We are pleased that you are visiting our website, viennaairport.com. Flughafen Wien Aktiengesellschaft (hereinafter: "we" or "Vienna Airport") takes data protection very seriously. Data is being processed and used in compliance with the General Data Protection Regulation of the European Union (Regulation (EU) 2016/679; GDPR) and the Austrian Data Protection Act [Datenschutzgesetz/DSG].

Please find below more detailed information on how your data will be used:

I. NAME AND ADDRESS OF THE CONTROLLER

The Controller as defined in the General Data Protection Regulation and other national data protection laws of the Member States and other data protection provisions is:

Flughafen Wien Aktiengesellschaft
Flughafen 1300 Vienna Airport, Austria
Phone: +43 1 7007-0
Website: www.viennaairport.com

II. NAME AND ADDRESS OF THE DATA PROTECTION OFFICER

The Controller's Data Protection Officer is:
Mr. David Ruf
datenschutz@viennaairport.com

Letters to:​ Flughafen Wien AG,
to the attention of "Generalsekretariat / Datenschutzbeauftragter" 

P.O. Box 1,
1300 Vienna Airport

You may also reach the Data Protection Officer at the Controller's postal address by adding "the Data Protection Officer".

III. PROCESSOR

In some cases we use external service providers (so-called processors) to process personal data. They have been carefully selected and instructed by us, are bound by our instructions and checked regularly.


IV. TRANSFER OF DATA TO COUNTRIES OUTSIDE THE EEA

In the following cases we will transfer data to recipients whose registered office is not in the European Economic Area:

  • Google LLC ("Google"), whose registered office is at 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA processes data on our behalf. We will transmit your IP address (where applicable, in an anonymised form), information on access to websites (URL) and estimates regarding demography and age to Google. The legal basis for such transfer is our legitimate interest in a statistical analysis of user behaviour for optimisation and marketing purposes (Art 6(1)(f) GDPR).

    Google has been certified for the US-European "Privacy Shield" data protection agreement, which warrants compliance with the data protection level applicable in the European Union. Apart from our general and group-wide security measures, data will be transmitted only in a pseudonymised form. Therefore, it is not possible to specifically attribute data to your person.

  • Your data will also be transmitted to Facebook Inc. ("Facebook"), whose registered office is at 1601 S. California Ave, Palo Alto, CA 94304, USA, such as your IP address (where applicable in an anonymised form), information on access to websites (URL) and estimates regarding demography and age. The legal basis for such transfer is our legitimate interest in a statistical analysis of user behaviour for optimisation and marketing purposes (Art 6(1)(f) GDPR).

V. GENERAL INFORMATION ON DATA PROCESSING

1. Extent of the processing of personal data

As a matter of principle we collect and use our users' personal data only to the extent this is necessary to provide an operable website, our contents and services. Our users' personal data is collected and used regularly only upon the consent of the user. A derogation applies to cases where prior obtaining of consent is not possible for factual reasons and the processing of the data is permitted by statutory provisions.

2. Legal basis for the processing of personal data

To the extent that we obtain the consent of the data subject to processing activities Art. 6(1)(a) of the General Data Protection Regulation (GDPR) is the legal basis for the processing of personal data.

For the processing of personal data which is necessary to perform a contract to which the data subject is a party Art. 6(1)(b) GDPR is the legal basis. This also applies to processing activities which are necessary to implement pre-contractual measures.

To the extent that processing of personal data is necessary to fulfil a legal obligation of our company Art. 6(1)(c) GDPR is the legal basis.

In the case that processing of personal data is necessary in order to protect the vital interests of the data subject or of another natural person Art. 6(1)(d) GDPR is the legal basis.

Art. 6(1)(f) GDPR is the legal basis for data processing where processing is necessary for safeguarding our legitimate interests or those of a third party and where the interests, fundamental rights or fundamental freedoms of the data subject do not prevail over such interests.

3. Erasure of data; Storage period

The data subject's personal data will be erased or access to such data will be blocked if and when it is no longer needed in relation to the storage purpose. Storage beyond that period may occur if provided for by the European or national legislator in EU Regulations, statutes or other provisions that must be observed by the Controller. The data will also be blocked or erased if and when a storage period prescribed by the said legislation expires, unless continued storage of the data is required for conclusion or performance of a contract.

VI. PROVISION OF THE WEBSITE AND CREATION OF LOGFILES

1. Nature and scope of data processing

Every time our website is retrieved our system will automatically collect data and information from the computer system of the retrieving computer.

In this connection the following data will be collected:

  • information on the browser type and the version used

  • language and version of the browser software

  • the user's operating system and its user interface

  • the user's IP address

  • date and time of access and time zone difference to Greenwich Mean Time (GMT)

  • transmitted data volume

  • websites from which the user's system is redirected to our website

  • websites retrieved by the user's system via our website

  • access status/HTTP status code

Such data will also be stored in the logfiles of our system. Such data will not be stored together with other personal data of the user.

2. Legal basis for data processing

The legal basis for temporary storage of data and logfiles is Art. 6(1)(f) GDPR.

3. Purpose of data processing

Temporary storage of the IP address by the system is necessary for delivery of the website to the user's computer. For that purpose the user’s IP address must be stored for the duration of the session.

Storing log files is done to ensure the website’s functionality. In addition, such data helps us to optimise the website and ensure security of the IT systems. In this connection the data will not be analysed for marketing purposes.

The said purposes also constitute our legitimate interest in data processing as defined in Art. 6(1)(f) GDPR.

4. Storage period

The data will be erased as soon as it is no longer required for achieving the purpose of its collection. If data is collected for provision of the website this will be the case as soon as the relevant session is terminated.

In the case of storage of data in logfiles this will be the case after a maximum of seven days. Storage beyond that period is possible. In that case the IP address of the users will be erased or alienated so that it can no longer be attributed to the retrieving client.

5. Possibility of objection and removal

Collection of data for provision of the website and storage of data in logfiles is mandatory for operation of the website. Accordingly, the user has no possibility to object.

VII. USE OF COOKIES

1. Nature and scope of data processing

Our website uses cookies. Cookies are text files which are stored in the user's computer system in or by the internet browser. When a user retrieves a website, a cookie may be stored on the user's operating system. That cookie contains a characteristic string of characters which allows unambiguous identification of the browser when the website is retrieved again.

We use cookies to make the website more user-friendly. Some elements of our website require the possibility to identify the retrieving browser even after moving to another website ("First Party Cookies"). We process such cookies on the basis of a legitimate interest (Art. 6(1)(f) GDPR) because it would not be possible to display the website without such cookies.

In addition, our website uses cookies which allow an analysis of the users' browsing behaviour. Sometimes such cookies are placed and used by third parties ("Third-Party Cookies"). Data processing of such cookies is done on the basis of your consent (Art. 6(1)(a) GDPR), which you may withdraw at any time.

The user data which is collected in this way is pseudonymised by technical measures. Consequently, the data can no longer be attributed to the retrieving user. The data will not be stored together with other personal data of the users.

When retrieving our website the user is informed about the use of cookies for analysing purposes and the user's consent to the processing of personal data used in this connection will be obtained. In that connection reference is also made to this Data Protection Policy.

In detail we use the following cookies:


serving-sys.com / Activityinfo2 & serving-sys.com / u2

COOKIE LIFESPAN: 3 months

EXPLANATORY NOTES: Cookies are used to operate the website and also to offer customers targeted advertising. Cookies collect information such as the IP address, operating system, browser software, information on websites retrieved and time of retrieval, estimates regarding gender and age of the data subject, internet activities for purposes of targeted advertising based on existing data or estimates which are derived from the data. Cookies are also used to check whether a specific advertisement has been displayed for the user before and to limit the frequency of displaying a specific advertisement.

RECIPIENT OF / ACCESS TO DATA STORED: Sizmek (all data); GroupM (aggregated data)

EXTERNAL PROVIDER (STORAGE PLACE): Sizmek (DE)

Adnxs.com / anj

COOKIE LIFESPAN: 3 months

EXPLANATORY NOTES: The platform uses cookies to obtain information on the browser and the device used.

THE COOKIE RECORDS: The cookie contains a data identifier, which identifies whether a cookie ID which is synchronised with a partner ID allows the partner to use the data outside the platform.

RECIPIENT OF / ACCESS TO DATA STORED: Appnexus

EXTERNAL PROVIDER (STORAGE PLACE): Appnexus (global)

Adnxs.com / sess

COOKIE LIFESPAN: 3 months

EXPLANATORY NOTES: The platform uses cookies to obtain information on the browser and the device used.

THE COOKIE RECORDS: The cookie contains the value "1". It is used to check whether the browser settings allow use of cookies.

RECIPIENT OF / ACCESS TO DATA STORED: Appnexus

EXTERNAL PROVIDER (STORAGE PLACE): Appnexus (global)

Adnxs.com / uuid2

COOKIE LIFESPAN: 3 months

EXPLANATORY NOTES: The platform uses cookies to obtain information on the browser and the device used.

THE COOKIE RECORDS: The cookie contains a unique random value which allows the platform to recognise the browser and the device. The data is aligned with other information such as the advertising interests segment and the advertisements which have been displayed in the browser or on the device in the past. Such data is also provided by third parties and stored on the platform. Such information is used to select certain advertisements and to measure the performance of the advertisements and for cost estimates regarding such advertisements. In addition, some of the information is also aligned with information from other cookies.

RECIPIENT OF / ACCESS TO DATA STORED: Appnexus

EXTERNAL PROVIDER (STORAGE PLACE): Appnexus (global)

Mookie1.com / id & Mookie1.com / mdata

COOKIE LIFESPAN: 13 months

EXPLANATORY NOTES: This cookie collects data regarding your browsing, your use and your interactions. We may also collect data which identifies the browsers and devices with which we have interacted previously. The relevant data which may be collected by such cookies may include the type of browser(s), the browser language and operating system used by you, the IP address of your device, unique identifiers on your device or belonging to your device, the type of connection, the region where your device is located, the network to which your device is connected, the longitude and latitude of a device, where relevant the mobile network operator, the website from which you were redirected to the retrieved website, the website visited thereafter, retrievals of an advertisement and data related to the website and the specific page you have retrieved. Relevant devices are computers, mobile phones, tablets, e-readers web-enabled digital devices.

THE COOKIE RECORDS:

RECIPIENT OF / ACCESS TO DATA STORED: GroupM / Xaxis

Doubleclick.net / IDE

COOKIE LIFESPAN: 13 months

EXPLANATORY NOTES: Google collects cookie-generated data for the following applications: ad-serving, ad-targeting, analysis/measures, customer-specific content, optimisation. More information: https://www.policies.google.com/technologies/cookies

RECIPIENT OF / ACCESS TO DATA STORED: Google (all data); GroupM (aggregated data)

EXTERNAL PROVIDER (STORAGE PLACE): Google (global)

Google.at / 1P_Jar

COOKIE LIFESPAN: 1 month

EXPLANATORY NOTES: More information: https://www.policies.google.com/technologies/cookies

RECIPIENT OF / ACCESS TO DATA STORED: Google (all data); GroupM (aggregated data)

EXTERNAL PROVIDER (STORAGE PLACE): Google (global)

Google.at / CONSENT

COOKIE LIFESPAN: 20 years

EXPLANATORY NOTES: More information: https://www.policies.google.com/technologies/cookies

RECIPIENT OF / ACCESS TO DATA STORED: Google (all data); GroupM (aggregated data)

EXTERNAL PROVIDER (STORAGE PLACE): Google (global)

NAME OF COOKIE: Google.at / NID

COOKIE LIFESPAN: 6 months

EXPLANATORY NOTES: More information: https://www.policies.google.com/technologies/cookies

RECIPIENT OF / ACCESS TO DATA STORED: Google (all data); GroupM (aggregated data)

EXTERNAL PROVIDER (STORAGE PLACE): Google (global)

NAME OF COOKIE: Facebook.com / fr

COOKIE LIFESPAN: 3 months

EXPLANATORY NOTES: Facebook collects cookie-generated data for the following applications: ad-serving, ad-targeting, analysis/measures, cross device tracking, customer-specific content, optimisation. More information: https://www.facebook.com/policies/cookies

RECIPIENT OF / ACCESS TO DATA STORED: Facebook (all data); GroupM (aggregated data)

EXTERNAL PROVIDER (STORAGE PLACE): Facebook (global)

2. Legal basis

The legal basis for processing personal data by using technically necessary cookies is Art. 6(1)(f) GDPR.

The legal basis for processing personal data by using cookies for analytical purposes is Art. 6(1)(a) GDPR, provided that the user has given his/her consent.

3. Purpose

The purpose of using technically necessary cookies is to make use of websites easier for users. Some features of our website cannot be offered without the use of cookies. For those it is necessary for the browser to be recognised even after a move to another website.

The user data collected by technically necessary cookies will not be used to create user profiles.

The analytical cookies are used for the purpose of enhancing the quality and contents of our website. By means of analytical cookies we learn how the website is used and are thus able to constantly optimise our offer.

4. Storage; Erasure; Possibility of objection and removal

Cookies are stored on the user's computer and transmitted from there to our website. Thus, you as the user have full control over the use of cookies. By changing the settings in your internet browser you can deactivate or restrict transmission of cookies. Cookies which have been stored already can be deleted at any time. This may also be done automatically. If cookies are deactivated for our website, not all of the website's features may be fully used anymore.

Each browser manages the cookie settings differently. This is described in the help menu of every browser, which will explain to you how you may change your cookie settings. They can be found for the relevant browsers via the following links:

VIII. CONTACT FORM AND EMAIL CONTACT

1. Nature and scope of data processing

Our website provides a contact form which may be used for contacting us electronically. If a user chooses this option, the data entered in the entry mask will be transmitted to us and stored. The relevant data includes:

  • Salutation

  • Title

  • Name

  • Email

  • address

  • Comment

When the message is sent, the following data will be stored in addition:

  • Date and time of registration

In connection with the sending process your consent to data processing will be obtained with reference to this Data Protection Policy.

Alternatively, you may contact us via the email address provided in this document. In that case the personal data of the user transmitted with the email message will be stored.

In this connection no data will be forwarded to third parties. Data will exclusively be used to process the conversation.

2. Legal basis for data processing

The legal basis for data processing is Art. 6(1)(a) GDPR, provided that the user has given his/her consent thereto.

The legal basis for processing data that is transmitted in the course of transmission of an email is Art. 6(1)(f) GDPR. If the purpose of the email contact is conclusion of a contract, Art. 6(1)(b) GDPR is an additional legal basis for processing.

3. Purpose of data processing

Personal data from the entry mask is processed by us only to reply to your enquiry. If you contact us via email, this constitutes the required legitimate interest in data processing.

Other personal data processed during the sending process is used to prevent misuse of the contact form and to ensure the security of our IT systems.

4. Storage period

The data will be erased as soon as it is no longer required for achieving the purpose of its collection. For personal data from the entry mask of the contact form and for data transmitted by email this is the case once the relevant conversation with the user is terminated. The conversation is deemed terminated if the circumstances suggest that the relevant matter has been clarified exhaustively and for traceability of up to 26 months.

5. Possibility of objection and removal

The user may withdraw his/her consent to the processing of personal data at any time. If the user contacts us via email, he/she may object to storage of his/her personal data at any time. In such a case the conversation may not be continued.

In order to exercise your right to object, please send a message to  datenschutz@viennaairport.com. Upon receipt of your objection by us all personal data stored during our contact will be erased in that case.

IX. GOOGLE ANALYTICS

1. Nature and scope of data processing

This website uses Google Analytics, a web analysis service of Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (“Google”). Google Analytics uses so-called cookies, i.e. text files which will be stored on your computer to analyse your use of the website. Information on your use of this website (including the truncated IP address) created by the cookie will normally be transmitted to and stored on a server of Google in the USA.

This website uses Google Analytics only with the extension "_anonymizeIp()", which ensures anonymisation of the IP address by truncation and excludes direct attribution to a specific person. In this way Google will first truncate your IP address in Member States of the European Union or in other countries that are parties to the Agreement on the European Economic Area. Only in exceptional cases will the entire IP address be transmitted to a Google server in the USA and truncated there.

2. Legal basis for data processing

In the exceptional cases in which the IP address is transmitted, data will be processed in accordance with Art. 6(1)(f) GDPR on the basis of our legitimate interest in a statistical analysis of user behaviour for optimisation and for marketing purposes.

3. Purpose of data processing

On our behalf Google will use such information to evaluate your use of the website, to prepare reports on website activities and to render other services related to use of the website and the internet for us. The IP address transmitted by your browser by means of Google Analytics will not be merged with other Google data.

4. Possibilities for objection and removal

You may prevent storing of cookies by adjusting your browser software accordingly; however, please be informed that, in this case, you may not be able to use some of the website's functions in full. In addition, you can prevent data that is produced by the cookie and related to your use of the website (including your IP address) from being transmitted to and processed by Google by downloading and installing the browser plug-in that is available via the following link:  http://tools.google.com/dlpage/gaoptout?hl=de.

5. Storage period

Data will be stored for 26 months and erased automatically thereafter.

6. Warranty of data security in connection with transfers to third countries

Google LLC, whose registered office is in the USA, has been certified for the US-European "Privacy Shield" data protection agreement, which warrants compliance with the data protection level applicable in the European Union.

For more information on how Google Analytics handles user data please see Google's data protection policy:

https://support.google.com/analytics/answer/6004245?hl=en

X. RIGHTS OF THE DATA SUBJECT

According to the data protection legislation in force you have comprehensive rights as a data subject (right to information and intervention) vis-à-vis the Controller about which we will inform you below:

  • Right of access to information pursuant to Art. 15 GDPR: In particular, you have the right to information on your personal data processed by us, the purposes of the processing, the categories of personal data processed, the recipients or categories of recipients to whom your personal data has been or will be disclosed, the envisaged period for which the personal data will be stored and/or the criteria used to determine that period, the existence of the right to rectification, erasure or restriction of processing, the right to object to processing, the right to lodge a complaint with a supervisory authority, the source of your data where it is not collected from you by us, the existence of automated decision-making, including profiling, and, where applicable, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for you, and your right to be informed about what safeguards pursuant to Art. 46 GDPR exist in the case of transfer of your data to third countries.

  • Right to rectification pursuant to Art. 16 GDPR: You have the right to immediate rectification of inaccurate data concerning you and/or to have completed your incomplete data stored by us.

  • Right to erasure pursuant to Art. 17 GDPR: You have the right to request erasure of your personal data if the prerequisites of Art. 17(1) GDPR are fulfilled. However, this right does not apply in particular if processing is necessary for exercising the right of freedom of expression and information, for compliance with a legal obligation, for reasons of public interest or for the establishment, exercise or defence of legal claims.

  • Right to restriction of processing pursuant to Art. 18 GDPR: You have the right to request restriction of processing for as long as the contested accuracy of your data is being verified if you oppose the erasure of your data and request the restriction of their processing instead, if you need the data for the establishment, exercise or defence of legal claims, if we no longer need such data after the purposes has been achieved or if you have objected to processing due to your particular situation pending the verification whether our legitimate grounds override your grounds.

  • Right to be notified pursuant to Art. 19 GDPR: If you have exercised your right to rectification, erasure or restriction of processing vis-à-vis the Controller, the Controller must notify all recipients to which personal data concerning you has been disclosed of such rectification or erasure of data or restriction of processing, unless this proves impossible or or involves disproportionate effort. You have the right to be informed about those recipients.

  • Right to data portability pursuant to Art. 20 GDPR: You have the right to receive your personal data which you provided to us in a structured, commonly used and machine-readable format and may request that the data be transmitted to another controller, where technically feasible.

  • Right to withdraw consents given pursuant to Art. 7(3) GDPR: You have the right to withdraw your previously given consent to processing of data at any time with effect for the future. In the case of withdrawal we will erase the data concerned without immediately, unless further processing may be based on a legal basis for processing for which no consent is required. The lawfulness of processing done up to the time of withdrawal shall not be affected by withdrawing consent.

  • Right to lodge a complaint pursuant to Art. 77 GDPR: Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data relating to you infringes the GDPR. In Austria the competent supervisory authority is the Data Protection Authority [Datenschutzbehörde].

  • Right to object: If, considering the relevant interests, we process your personal data on the basis of our overriding legitimate interest, you have the right to object to such processing on grounds relating to your particular situation at any time with effect for the future.

If you exercise your right to object, we will stop processing the data concerned. Further processing shall, however, be reserved if we are able to prove compelling legitimate grounds for the processing which override your interests, fundamental rights and fundamental freedoms or if processing is necessary for the establishment, exercise or defence of legal claims.

If your personal data is processed by us for direct marketing purposes, you have the right to object to processing of the personal data relating to you for the purpose of such advertising at any time. You may raise your objection as described above.

If you exercise your right to object, we will stop processing the relevant data for direct marketing purposes.

Please address your enquiries in this connection to  datenschutz@viennaairport.com.