GENERAL DATA PROTECTION INFORMATION
Vagabond Club GmbH
Thank you for your interest in our company and our website.
Vagabond Club GmbH, with the business address Janis-Joplin-Promenade 26 / Door 801, 1220 Vienna, Austria, (hereinafter referred to as “Vagabond Club”), operates an online portal for its customers and interested parties at the web address “www.vagabondclub.com”. Further information about Vagabond Club can be found in the imprint of this page.
This privacy notice applies to all data processing carried out on behalf of Vagabond Club in our subsidiary hotels or hotels under our management, as well as to the customer offers, reservation websites and newsletter services provided on the online portal.
Vagabond Club is part of a group of companies. In order to fulfil its obligations, Vagabond Club also uses affiliated companies in a division of labour.
OBJECT OF THE INFORMATION
This general data protection information describes and explains our basic commitment to data protection and general security measures. We fulfil our data protection information obligations by means of separate data protection information for the individual customer offers, which form an integral part of this data protection information. Further information and a link to the documents can be found below under “Data protection information by customer offer”.
Personal data is information that relates to an identified or identifiable natural person. Examples of such data include their name, date of birth, home address, telephone number, etc., as well as any user data provided to Vagabond Club when registering and setting up their customer account.
OUR CUSTOMER GROUPS ARE:
Vagabond Club respects the privacy of the users of its website. The protection of your personal data and information that may lead to the identification of your identity is of particular importance to us. Vagabond Club’s goal is to continually meet our customers’ expectations of our products and services. This includes treating the data entrusted to us in the context of our customer relationship with the utmost care and due responsibility. We undertake to protect your data in accordance with the applicable data protection laws. This also applies in particular to our cooperation with partners and third parties.
For this reason, we are constantly reviewing and improving our technical and physical security rules. In an “Information Security Management System” – “ISMS” for short, we have implemented security measures through rules and precautions to protect your personal data on all Vagabond Club operated websites and servers from accidental loss, misuse and alteration while under our control.
We also ensure compliance with data protection requirements through regular training of our staff, the provision of a data protection officer and through the written assignment of the obligation to maintain data confidentiality to employees and external order processors.
We do not intend the unauthorised collection of personal data from minors; unfortunately, however, we cannot always verify the age of the persons accessing and using our websites. If a minor submits his or her data to us without the permission of the parent or guardian, we will ask the parent or guardian to contact us so that this data can be deleted and the minor can no longer be contacted by us (e.g. advertising material).
DATA PROTECTION INFORMATION ACCORDING TO CUSTOMER GROUPS
In order to fulfil our data protection information obligations, we have created separate data protection information for our customer groups for better readability and transparency. By navigating to the bottom of this page you can find the information regarding our customer groups.
In the data protection information by customer group, we provide detailed information about
- who we are and how you can get in touch with us,
- which products the data protection information relates to,
- what categories of personal data we process,
- from which sources we obtain data,
- the purposes for which we process personal data (also within the group of companies),
- on what legal basis we do this,
- to whom we may transfer personal data,
- how long we store personal data; and
- what rights you have in relation to the personal data processed.
Where the data protection information refers to the fact that we process data based on your consent, this naturally presupposes that you have effectively given us this consent. If you have not given your consent, we will not process your personal data on the basis of your consent.
Of course, our online offers (websites) can also be visited without providing personal information about the user. In this case, but also in the case of use of the online offer by registered users, access data without personal reference (e.g. name of the Internet service provider, the page from which the user visits the websites, the anonymised IP address, date and time of the visit) are stored. Data protection information on this type of data processing can be found in the “Cookie Information”. This information also includes explanations regarding “social plug-ins”, which can be used to share the content of our website with other websites.
If you would like to update your information, data usage or preferred method of communication, or if you no longer wish to receive marketing communications from Vagabond Club, you can contact us as follows:
By e-mail: email@example.com
By phone: +43-1-333 73 73 -0
By mail: Vagabond Club GmbH, Janis-Joplin-Promenade 26 / Door 801, 1220 Vienna, Austria
If you have any comments or questions about Vagabond Club’s privacy practices or our privacy information, you can contact us using one of the methods below:
By e-mail: firstname.lastname@example.org
By phone: +43-1-333 73 73 -0
DATA PROTECTION INFORMATION “ONLINE SERVICES
Keeping information about the responsible person’s company available online for interested parties and customers
Vagabond Club GmbH, Janis-Joplin-Promenade 26 / Door 801, 1220 Vienna, Austria
Purposes of data processing on the legal basis of performance or preparation of the contract
- Keeping information and advertising about the company of the responsible person available for retrieval
- Provision of communication and booking channels for the dissemination of content, servicing of customer relationships, implementation of booking and vouchers
- Maintaining and increasing customer satisfaction and loyalty by analysing user behaviour with the aim of improving the service offer
- Survey of user numbers to document the reach of the website
Legal basis of the data processing
- Online use: Contract performance
- The use of the online media and the responsible person is based on a contract iSd Art 6 para 1 lit b DS-GVO , through registration a registration relationship arises. The responsible person discloses that third party content (such as links, pixels, plug-ins) is integrated in the provision of the contractual services. Due to the technical circumstances when calling up the content or the Internet, electronic identification data, in particular the IP address and the user’s browser settings, are automatically transmitted to third parties when the page is set up, and these third parties process the data under their own responsibility. When using social media channels of the responsible party, the primary contractual relationship is with the respective service provider.
- Additional services: Consent For individual services on the online platform (e.g. electronic newsletter), the responsible party expressly obtains consent from the customer. This consent can be revoked at any time with effect for the future.
- Overriding legitimate interests (see point 6.)
Change of purpose
The Controller shall not change the purpose of the processing of personal data.
Description of the (overriding) legitimate interests for IT security purposes:
The controller stores the IP addresses of the users for a period of 7 days in order to be able to respond to targeted attacks in the form of server overload (“denial of service” attacks) and other damage to the systems. The controller has an overriding legitimate interest in this data processing for the purpose of maintaining the functionality of its services provided online (recital 49 of the GDPR).
Assessments of personal aspects of the client
An evaluation of personal aspects of the customer does not take place.
Obligation to provide data
The customer is under no obligation to provide data.
Automated decision making
The client is not subject to any automated decision that has legal effect vis-à-vis him.
Types of data processed by the data controller: IP addresses (log files); terminal device data; browser used; device used; communication protocol; account usage information (e.g. creation date, number of logins, date of last request); newsletter subscription information; user ID; Facebook user ID; Facebook email address; Facebook profile link; date of last Facebook match; location.
Data sources (unless disclosed by the client or collected by the data controller)
e.g. login via Facebook; social media channels: (for more information see point 12)
External recipients of data Categories of external economic service providers (order processors) IT service providers:
Banks- Payment service providers: Payment information
Telecommunications companies: Shipping addresses
IT service provider for voucher booking processing: Booking details
Google Analytics, services of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland: anonymised IP address, website title, browser-specific information, information about website usage.
“Social-plug-ins” (Facebook Inc., 1 Hacker Way, 94025 Menlo Park, USA; Instagram Inc., 1601 Willow Road, Menlo Park, CA, 94025, USA; Twitter Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA; Youtube LLC, principal place of business at 901 Cherry Avenue, San Bruno, CA 94066, USA – represented by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; LinkedIn Ireland UC.; Wilton Place,Dublin 2, Ireland): IP address, URLs, cookies and browser settings data.
The following data is transferred to countries outside the EU in the course of data processing:
Country | Application | Data types
USA (EU-US Privacy Shield) | Google Analytics | anonymised IP address, website title, browser-specific information, information on website use
USA (EU-US Privacy Shield) | Facebook, Twitter, Instagram, Youtube, LinkedIn | Social plug-ins (after consent by double click: IP address, website title, browser-specific information, information on website usage with opt-in
The personal data (especially IP address) of (unregistered) website visitors are stored for 7 days for IT security purposes.
Registered customers (newsletter subscribers):
The data of registered customers are processed by the responsible party on the basis of the above-mentioned legal basis for the duration of the contractual relationship. The data can be changed and deleted by the responsible person at any time. The user contract ends in any case by the cancellation of the newsletter subscription; this leads to an immediate deletion.
Rights of the data subject
Art 15 GDPR “Information”: The customer has the right to request information about whether personal data about him or her are being processed.
Art 16 DSGVO “rectification”: The customer has the right to request the rectification of inaccurate personal data or its completion without delay.
Art 17 DSGVO “Deletion”: The customer has the right to demand that the personal data be deleted without delay, provided that the reasons stated in Art 17 (1) DSGVO are fulfilled.
Art 18 GDPR “Restriction”: The customer has the right to request that the processing of personal data is restricted, provided that the reasons stated in Art 18 (1) GDPR are fulfilled.
Art 20 DSGVO “Data portability”: The customer has the right to receive his personal data in a structured, common and machine-readable format.
Art 21 DSGVO “Objection” The customer has the right to object at any time to the processing of his personal data on the basis of overriding legitimate interest.
Objection to direct advertising: The customer has the right to object at any time to the processing of his/her personal data for the purpose of direct advertising.
Right of appeal
Art 77 GDPR:
Every customer has the right to lodge a complaint with the supervisory authority if he or she considers that the processing of personal data concerning him or her infringes this Regulation.
Regulatory Authority Austria
Austrian Data Protection Authority
Barichgasse 40-42, 1030 Vienna, Austria
Tel.: +43 1 52 152-0
Federal Commissioner for Data Protection and Freedom of Information
Phone: +49 228 997799 0; +49 228 81995 0
Fax: +49 228 997799 550; +49 228 81995 550
The competence for complaints is split among different data protection supervisory authorities in Germany. Competent authorities can be identified according to the list provided under datenschutz-wiki.de.
Last update: August 2021