Personal user data (for instance name, e-mail address…) is processed by the Schloss Schönbrunn Kultur- und Betriebsgesellschaft mbH (in the following “Schönbrunn Group"), solely according to the provisions of the Austrian Data Protection Law and the GDPR General Data Protection Regulation.
In the following we provide you with detailed information on the scope and purpose of our data processing and your rights as the party affected by the data processing. Please read our Data Protection Declaration very carefully before you continue using our website and if necessary give your consent to a data processing procedure.
1. Data controller and contact
The data controller is:
Schloß Schönbrunn Kultur- u. Betriebsges.m.b.H.
Schönbrunner Schloßstraße 47
2. Person-related Data
The use of our website is possible in principle without specification of person-related data. However, in order to use individual services deviating rulings may result, which we wish to point out separately.
Therefore as a matter of principle we only register and store the data – apart from the cookies described in detail below – that you yourself communicate to us by your adding it to our input masks or by your actively interacting with our website in some other way.
Person-related data includes all information that relate to an identified or identifiable individual person. It includes for instance your name, your address, your telephone number or your date of birth, also your IP address or geolocation data, which allow statistical inferences about you.
Person-related data that go beyond the information stored via the cookies described below is processed by us only if you voluntarily tell us of this, for instance when you register with us, when you enter into a contractual relationship with us, or otherwise enter into contact with us. This only concerns contact data and information on the matter you wish to communicate to us.
We use the person-related date specified by you exclusively within the framework of fulfilment of the relevant purpose of the processing as legally required (especially according to Art. 6 EU-GDPR; for instance the sending of advertising material and information material to existing clients.
Data processing takes place in particular in the following cases:
- processing of contracts between our ticket shop and also our online shop (Art. 6  lit. b. GDPR)
- answering questions (Art. 6  lit. b. GDPR)
- for marketing purposes (Art. 6  lit. a. or f. GDPR)
- for optimising our web presence and our services. (Art. 6  lit. f. GDPR)
- for scientific research purposes. (Art. 89 GDPR and Sect. 2 para. 7 DSG)
Any use of your data going beyond this only takes place if you have expressly given your previous consent. You can withdraw your consent – as is explained in a more detailed form below – any time in the future.
In so far as we grant access to data to a third party within the scope of our processing (in particular order processors), this is done either based on legal permission (e.g. when data transfer to a third party and also to a payment service is required to fulfil the contract), or if you have consented, or if a legal obligation provides for this, or on the basis of our legitimate interests (e.g. in the use of web hosts, CRM tools, newsletter dispatch tools, etc.)
Do we transfer data to the USA?
We offer several services that involve or may involve the transfer of data to the USA. However, unless another justification exists such as the fulfilment of contractual obligations, in order to be able to use these services you will be required to consent to possible use in the USA of personal data collected via these services (Art. 49(1)(a) GDPR). Depending on the service in question, we obtain this consent either via our cookie banner or separately based on a corresponding declaration of consent immediately prior to use of the service offered.
Your consent is required since, based on recent official and judicial decisions as well as case law of the Court of Justice of the European Union, the USA is evidenced as not having an adequate level of data protection in the context of personal data processing (CJEU Case C-311/18, Schrems II). These official and judicial decisions take a critical view of how access by US authorities (FISA 0702) is not comprehensively restricted by law and does not require the approval of an independent body, and determine that no relevant legal remedies are available to data subjects in the event of infringements.
Apart from the contracts concluded with US service providers, we have no direct influence on access by US authorities to personal data transferred to service providers in the USA in the context of use of services. Even if we assume that, in accordance with the contractual agreements made with us, our service providers take the necessary steps to ensure the promised level of protection, nevertheless, access by the US authorities to data processed in the USA cannot be ruled out.
Prior to using these services, we therefore ask for your consent to the processing of data in the USA.
3. Legal bases & storage duration
In the case of concluded contracts and queries, personal data is processed because this is required in order to fulfil the contract, or, as the case may be, to process the query (Art. 6  lit b GDPR – General Data Protection Regulation)
Your contact data is only processed for the purpose of direct advertising via e-mail or telephone with your permission according to Art. 6  lit a of the General Data Protection Regulation (“GDPR”).
Otherwise we process your personal data on the basis of our overriding legitimate interest, in order to achieve the purposes stated in this declaration (Art. 6  lit f GDPR).
We generally store data that you have made available to us exclusively for customer care, respectively marketing and information purposes until three years have elapsed since our last contact. If you do not wish this, we shall delete your data also before this term elapses, in so far as there is no legal hindrance preventing this.
In the case of a contract initiation or completion we process your person-related data after completed contract processing until the expiry of the guarantee, limitation and legal storage terms that apply to us, furthermore until the end of all possible legal disputes needing the data as evidence.
Your contact data is processed for the purpose of scientific research according to Art. 89 GDPR as well as Sect. 2 para. 7 (1) DSG. In regard to the principle of data minimisation, the goal is not to obtain results in a form relating to specific data subjects. According to Sect. 2 para. 7 (1) lit. 2. DSG, the controller may process personal data that has been lawfully collected for other purposes (e.g. Art. 6  lit. b. GDPR) . The data we process is anonymised as soon as it is no longer required for the purpose of scientific research and so far as there is no legal hindrance preventing this.
Our website is hosted by Abaton EDV-Dienstleistungs GmbH, Hans-Resel-Gasse 17, 8020 Graz. Our host provider provides us with the IT infrastructure services, disk space, computing capacity, technical security and maintenance services that we need to cover the range of options of this web presence. The user data is processed in the context of these services within the framework of our legitimate interests (Art. 6  f GDPR) in enabling the provision of our online services.
5. Automatic data acquisition
For technical reasons, the usage data that a user’s Internet browser transfers to Schönbrunn Group includes the following:
- browser type and version;
- operating system being used;
- website from which the user visits www.schoenbrunn-group.com, www.schoenbrunn.at, www.schoenbrunnmeetings.com, www.kindermuseumschoenbrunn.at/, www.hofburg-wien.at, www.sisimuseum-hofburg.at, www.hofmobiliendepot.at, www.moebelmuseumwien.at, www.schlosshof.at, www.habsburger.net, ww1.habsburger.net (referer URL)
- website visited by the user;
- date and time of access;
- Internet protocol (IP) address of the user’s computer.
This data is stored separate from any user data communicated (in particular name, address, telephone number, e-mail address, language) and is evaluated for statistical purposes in order to optimise the Internet presence and services at www.schoenbrunn-group.com, www.schoenbrunn.at, www.schoenbrunnmeetings.com, www.kindermuseumschoenbrunn.at/, www.hofburg-wien.at, www.sisimuseum-hofburg.at, www.hofmobiliedepot.at, www.moebelmuseumwien.at , www.schlosshof.at, www.habsburger.net and ww1.habsburger.net (for more details, see below).
6. Date processing
6.1 During the ordering process, the following personal data is requested:
name, address, telephone number, e-mail address, language, age (adult or children’s ticket), membership of a family or group (for family, student, group tickets). For press accreditations the medium, working title and short description of the project must be stated. For online reservations by event organisers the event organiser’s PIN must be stated.
The personal data notified in the course of the order processing is used exclusively for contract processing (Art. 6  lit b GDPR); payment information is protected by encryption and used solely for the payment management.
6.2 The following data is acquired when using contact forms and participation in competitions (Art 6  b GDPR):
name, e-mail, telephone number if needed, postal address if needed. This data is used exclusively for the reply to the contact and to manage the competition in question.
6.3 In registering for newsletters and company newspapers, the following data is acquired (Art. 6  a GDPR):
name; e-mail address for newsletters and the postal address for company newspapers. This data is used exclusively for despatching the ordered newsletters / company magazines.
Our newsletters is only sent after a double opt-in, i.e., after registering in our newsletter list you will receive another, separate confirmation e-mail in order to conclude the registration for the newsletter.
6.4. Press accreditation (Art. 6  lit. b. GDPR)
Besides the general contact information, press credentials, the respective medium, work title, short description of the project and planned publication date must be specified.
6.5. Online reservations of organisers (Art. 6  lit. b. GDPR)
Besides the general contact information the organiser’s PIN must be specified.
6.6. Tourist guide accreditation (Art. 6  lit. b. GDPR)
Besides the general contact information passport photo and tourist guide credentials are to be specified
6.7. To establish contact for the purpose of scientific research (Art. 89 GDPR and Sect. 2 para. 7 DSG)
For the purpose of sending out invitations to take part in scientific research projects personal contact data (name, e-mail address) is processed in combination with order and visitation data (date, time and tour of visit).
Cookies are small text files that the user’s Internet browser places and stores on his or her computer.
Supplementing the aforementioned data and technical information, first and third party cookies are stored on your computer when using our website with the corresponding consent; these are small text files that can be stored on your hard disk assigned to the browser you use.
Basically we can distinguish between first party cookies, third party cookies and third party requests:
- First party cookies
First party cookies are stored by us ourselves or our website on your browser in order to offer you an optimal user experience. In particular they tend to be functional cookies, for instance shopping basket cookies.
- Third party cookies
Third party cookies are stored by a third provider on your browser. They mostly concern tracking or marketing tools that on one hand evaluate your user behaviour and on the other offer the third provider the option of recognising you again on other websites you may visit. Retarget marketing, for example, is generally based on the function of this type of cookie.
- Third party requests
Third party requests concern all questions that you as website user of our website put to a third party – for instance if you activate social networks with plug-ins or use the options offered by a payment service. In this case, although cookies are not stored on your browser, it cannot be excluded that through the interaction, person-related data is sent to this third provider. For this reason we inform you in detail in of our Data Protection Declaration about the tools and applications we use.
8. ANALYSIS OF THE Schönbrunn Group'S ONLINE PRESENCE AND MARKETING TOOLS
Web analysis using Matomo (formerly Piwik)
Scope of processing of personal data:
We use the software "Matomo" (www.matomo.org) on this website, a service provided by InnoCraft Ltd, 150 Willis St, 6011 Wellington, New Zealand. The software sets a cookie (a text file) on your computer, with which your browser can be recognized. If subpages of our website are called up, the following data is stored:
- the IP address of the user, shortened by the last two bytes (anonymized)
- the sub-page called up and the time of the call-up
- the page from which the user accessed our website (referrer)
- which browser with which plugins, which operating system and which screen resolution is used
- the time spent on the website
- the pages that are visited from the accessed sub-page
The data collected with Matomo is stored on servers within the EU. It is not passed on to third parties.
The legal basis on which we process personal data using Matomo is Art. 6 (1) lit. f of the DSGVO.
Purpose of the data processing
We need the data to analyze the surfing behavior of users and to obtain information about usage of the individual components of the website. This enables us to constantly optimize the website and its user-friendliness. These purposes are the basis of our legitimate interest according to Art. 6 para. 1 lit. f DSGVO. We use Matomo with the anonymization function "Automatically Anonymize Visitor IPs". This anonymization function shortens your IP address by two bytes, so that an assignment to you or to the Internet connection you are using is impossible. By anonymizing the IP address, we take your interest in the protection of your personal data into account. The data will never be used to identify you personally and will not be merged with other data.
Duration of storage:
The data is deleted when it is no longer needed for our purposes.
Possibility to object
You can object to the recording of data in the manner described above in three different ways:
1. you can completely prevent the storage of cookies in your browser. However, this means that you may no longer be able to use some functions of our website that require identification (shopping cart, orders, personal settings, etc.).
2. you can activate the "Do-not-Track" setting in your browser. Our Matomo system is configured to respect this setting.
3. you can enable opt-out in the cookie settings at the bottom of the page. Your visits to this website will not be collected by the web analytics tool. Please note that the Matomo deactivation cookie of this website will also be deleted if you remove the cookies stored in your browser. Moreover, if you use a different computer or a different web browser, you will have to complete the deactivation procedure again.
We use the services provided by Google Ads in order to draw attention to our attractive products and services with the help of advertisements on external websites. Using this tool, we can also establish precisely the connection between individual advertising measures and specific campaigns. In this context, we aim to show you personalised advertising tailored to your interests and thereby achieve a fair calculation of advertising costs.
The advertisements you see displayed are placed by Google via so-called "ad servers". For this purpose, we use ad server cookies via which particular parameters, such as display frequency or user clicks, can be measured in order to determine the success of advertising campaigns. The way this works is that when you access our websites via a Google advertisement, Google Ads stores a cookie on your browser that generally expires after 30 days. This cookie does not serve to identify you personally, but in order to store the unique cookie ID, number of ad impressions per placement, last impression (relevant for post-view conversions) and opt-out information for analytical purposes.
In addition to taking the steps described above, you can also opt out of participation in the tracking process by deactivating cookies for conversion tracking, adjusting your browser settings to block cookies from the domain "www.googleadservices.com" or by permanently deactivating them in Firefox, Internet Explorer or Google Chrome browsers under the link WWW.GOOGLE.COM/SETTINGS/ADS/PLUGIN.
9. INTEGRATION OF SERVICES AND CONTENT OF THIRD PARTIES
9.1. Social media
On our websites, we use integrated plug-ins from the social networks Facebook, Instagram, Twitter and YouTube exclusively in data protection mode, i.e. no information about website users is transferred to the social network in question, provided that only our websites are accessed. For this purpose, we use a two-stage process. Data is only transferred to third parties if users click on one of the icons displayed in the social media bar.
Social plug-ins from the following social networks are integrated into our websites:
- Instagram (Instagram from Meta, Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2 Ireland)
- Facebook (Facebook Inc. from Meta, Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2 Ireland)
- Twitter (Twitter, Inc., 1355 Market St, Suite 900, San Francisco, CA 94103, USA).
- Pinterest Europe Ltd., Palmerston House, 2nd Floor, Fenian Street, Dublin 2, Ireland)
- YouTube (Google Inc., 901 Cherry Ave, San Bruno, CA 94066, USA)
If you click on a plug-in of one of the social networks listed above, it will be activated and, as described above, a connection will be established with the relevant network server.
When activating these plug-ins, you are also consenting to possible use in the USA of personal data collected via the plug-ins (Art. 49(1)(a) GDPR).
This is relevant to the extent that, based on recent official decisions as well as case law of the Court of Justice of the European Union, the USA is evidenced as not having an adequate level of data protection (Case C-311/18, Schrems II). Here, it should be borne in mind that access by US authorities (FISA 0702) is not comprehensively restricted by law and does not require the approval of an independent body, and that no relevant legal remedies are available to data subjects in the event of infringements.
We have no influence on the scope and content of data transmitted to the respective operator of a social network as a result of clicking on the relevant plug-in, nor what data may subsequently be subject to access by US authorities.
If you would like to find out more about the nature, scope and purpose of data collected by the operators of the above social networks, we would recommend that you read the privacy policies of the social networks in question.
10. Newsletter Services
We provide the option of subscribing to our free Newsletter. We require a valid email address in order to be able to send you the Newsletter.
We check using the email address entered by you during registration whether you wish to receive Newsletters. We do this by sending an email to the email address notified by you; you may then confirm receipt by clicking on the link provided. Once you have confirmed receipt of the email, you will be registered for our Newsletter. (Double opt-in)
When you first register for the Newsletter, we will store your email address, title, first name and surname, Newsletter selection, IP address, plus date and time of registration. This is done for security reasons to prevent a third party from misusing your email address and subscribing to our Newsletter without your knowledge. We will not collect or process any other data for Newsletter subscription purposes; your data will be used exclusively for sending the Newsletter.
You may unsubscribe from our Newsletter at any time. Information on how to unsubscribe can be found in the confirmation email and in each Newsletter.
11. Use of the analysis and CRM tool swat.io
Schönbrunn Palace, the Sisi Museum, the Imperial Furniture Collection Vienna and the Schloss Hof Estate use the tool swat.io of the Vienna company ‘Die Socialisten’ Social Software Development GmbH, Andreasgasse 6, Top1 1070 Vienna for the storage, display and management of the data on its pages on the social media platforms Facebook, Pintarest, Instagram and Twitter.
‘Die Socialisten’ Social Software Development GmbH is directly subject and bound to the regime of the GDPR. A contract was drawn up for order data processing.
The swat.io tool firstly serves customer service purposes, thus assists us in answering user comments in the social media contributions. In this process, it deploys user names that are chosen by users on the relevant social medial platforms and whose comments are used. An inference as to real names and addresses is not possible with the swat.io tool.
In addition, the tool is used for purposes of the collective processing and planning of content on these platforms. Finally, the tool enables us to assess the success of our contributions on social media platforms (the range and scope of a contribution, the intensity of interaction it triggers, etc.). However, in the process it does not show individual users’ data. The use of this customer service and content tool is performed within the scope of an overriding legitimate interest (Art. 6  f GDPR).
12. Your rights
The following rights and entitlements of our data processing are available to you as affected person according to the basic directives on data protection and the Data Protection Law
- Right of information (Art. 15 EU-GDPR)
As person affected by the data processing described above and other such processes, you are entitled to demand information whether, and if yes, which person-related data about you is being processed. For your own protection – so that no one receives unauthorised information about your data – we confirm your identity in the appropriate form before giving information.
- Right of rectification (Art. 16) and erasure (Art. 17 EU-GDPR)
You have the right to demand without delay the rectification of incorrect person-related data relating to you and – taking the purposes of data processing into account – the completion of incomplete person-related data and also the erasure of your data, in so far as the criteria of Art. 17 EU-GDPR are fulfilled.
- Right of restricting processing procedures (Art. 18 EU-GDPR)
You have the right according to legal prerequisites to restrict the processing of all collected person-related data. This data is then processed as of the restriction request only with your individual consent, or to validate and put legal claims into effect.
- Right of data portability (Art. 20 EU-GDPR)
You can demand the prompt and unlimited transfer to you or to a third party of person-related data that you have made available to us.
- Right of objection (Art. 21 EU-GDPR)
You can object any time for reasons arising from your special situation to the processing of your individual, person-related data, which is necessary to preserve our legitimate interests or those of a third party. Your data is no longer processed after the objection, unless there are cogent reasons for the processing procedure that are worthy of protection which override your interests, rights and freedoms, or the processing serves the validation, exercise and defence of our rights and claims. You can raise an objection any time against the data processing procedure for the purpose of direct advertising with effect for the future.
- Withdrawal of consent
In case you have given consent separately to the processing of your data, you can cancel this at any time. Such a cancellation influences the admissibility of the processing of your person-related data, after you have expressed this to us.
If you take a measure to claim the aforementioned rights according to the GDPR, we are obliged to take position as regards the requested measure without delay, but at the latest within one month after receiving your request, respectively to act correspondingly to the request.
We shall react to all appropriate questions within the legal framework free of charge and that as promptly as possible.
With regard to requests, the data protection authority is responsible for infringement of the right of information, infringement of the rights of secrecy, rectification or erasure. Its contact details are as follows:
Updated as at: October 2023