Data Protection Declaration

Personal user data (for instance name, e-mail address…) is processed by the Schloss Schönbrunn Kultur- und Betriebsgesellschaft mbH (in the following “Schloss Schönbrunn", "Hofburg Wien", "Hofmobiliendepot" (Imperial Furniture Collection), “Schloss Hof” solely according to the provisions of the Austrian Data Protection Law and the GDPR General Data Protection Regulation. 

In the following we provide you with detailed information on the scope and purpose of our data processing and your rights as the party affected by the data processing. Please read our Data Protection Declaration very carefully before you continue using our website and if necessary give your consent to a data processing procedure.


1. Data controller and contact

The data controller is:

Schloß Schönbrunn Kultur- u. Betriebsges.m.b.H. 
Schönbrunner Schloßstraße 47
1130 Vienna


2. Person-related Data

The use of our website is possible in principle without specification of person-related data. However, in order to use individual services deviating rulings may result, which we wish to point out separately.

Therefore as a matter of principle we only register and store the data – apart from the cookies described in detail below – that you yourself communicate to us by your adding it to our input masks or by your actively interacting with our website in some other way.

Person-related data includes all information that relate to an identified or identifiable individual person. It includes for instance your name, your address, your telephone number or your date of birth, also your IP address or geolocation data, which allow statistical inferences about you.

Person-related data that go beyond the information stored via the cookies described below is processed by us only if you voluntarily tell us of this, for instance when you register with us, when you enter into a contractual relationship with us, or otherwise enter into contact with us. This only concerns contact data and information on the matter you wish to communicate to us.

We use the person-related date specified by you exclusively within the framework of fulfilment of the relevant purpose of the processing as legally required (especially according to Art. 6 EU-GDPR; for instance the sending of advertising material and information material to existing clients.

Data processing takes place in particular in the following cases:

  • processing of contracts between our ticket shop and also our online shop (Art. 6  [1] lit. b. GDPR)
  • answering questions (Art. 6 [1] lit. b. GDPR)
  • for marketing purposes (Art. 6  [1] lit. a. or f. GDPR)
  • for optimising our web presence and our services. (Art. 6  [1] lit. f. GDPR)
  • for scientific research purposes. (Art. 89 GDPR and Sect. 2 para. 7 DSG)

Any use of your data going beyond this only takes place if you have expressly given your previous consent. You can withdraw your consent – as is explained in a more detailed form below – any time in the future.

In so far as we grant access to data to a third party within the scope of our processing (in particular order processors), this is done either based on legal permission (e.g. when data transfer to a third party and also to a payment service is required to fulfil the contract), or if you have consented, or if a legal obligation provides for this, or on the basis of our legitimate interests (e.g. in the use of web hosts, CRM tools, newsletter dispatch tools, etc.)


3. Legal bases & storage duration

In the case of concluded contracts and queries, personal data is processed because this is required in order to fulfil the contract, or, as the case may be, to process the query (Art. 6 [1] lit b GDPR – General Data Protection Regulation)

Your contact data is only processed for the purpose of direct advertising via e-mail or telephone with your permission according to Art. 6 [1] lit a of the General Data Protection Regulation (“GDPR”).

Otherwise we process your personal data on the basis of our overriding legitimate interest, in order to achieve the purposes stated in this declaration (Art. 6 [1] lit f GDPR).

We generally store data that you have made available to us exclusively for customer care, respectively marketing and information purposes until three years have elapsed since our last contact. If you do not wish this, we shall delete your data also before this term elapses, in so far as there is no legal hindrance preventing this.

In the case of a contract initiation or completion we process your person-related data after completed contract processing until the expiry of the guarantee, limitation and legal storage terms that apply to us, furthermore until the end of all possible legal disputes needing the data as evidence.

Your contact data is processed for the purpose of scientific research according to Art. 89 GDPR as well as Sect. 2 para. 7 (1) DSG. In regard to the principle of data minimisation, the goal is not to obtain results in a form relating to specific data subjects. According to Sect. 2 para. 7 (1) lit. 2. DSG, the controller may process personal data that has been lawfully collected for other purposes (e.g. Art. 6 [1] lit. b. GDPR) . The data we process is anonymised as soon as it is no longer required for the purpose of scientific research and so far as there is no legal hindrance preventing this.


4. Hosting

Our website is hosted by Abaton EDV-Dienstleistungs GmbH, Hans-Resel-Gasse 17, 8020 Graz. Our host provider provides us with the IT infrastructure services, disk space, computing capacity, technical security and maintenance services that we need to cover the range of options of this web presence. The user data is processed in the context of these services within the framework of our legitimate interests (Art. 6 [1] f GDPR) in enabling the provision of our online services.


5. Automatic data acquisition

For technical reasons, the usage data that a user’s Internet browser transfers to Schloss Schönbrunn, Hofburg Wien, Hofmobiliendepot and Schloss Hof includes the following:

This data is stored separate from any user data communicated (in particular name, address, telephone number, e-mail address, language) and is evaluated for statistical purposes in order to optimise the Internet presence and services at,,,,,, ,, and (for more details, see below).

6. Date processing

6.1 During the ordering process, the following personal data is requested:

name, address, telephone number, e-mail address, language, age (adult or children’s ticket), membership of a family or group (for family, student, group tickets). For press accreditations the medium, working title and short description of the project must be stated. For online reservations by event organisers the event organiser’s PIN must be stated.

The personal data notified in the course of the order processing is used exclusively for contract processing (Art. 6 [1] lit b GDPR); payment information is protected by encryption and used solely for the payment management.

6.2 The following data is acquired when using contact forms and participation in competitions (Art 6 [1] b GDPR):

name, e-mail, telephone number if needed, postal address if needed. This data is used exclusively for the reply to the contact and to manage the competition in question.

6.3 In registering for newsletters and company newspapers, the following data is acquired (Art. 6 [1] a GDPR): 

name; e-mail address for newsletters and the postal address for company newspapers. This data is used exclusively for despatching the ordered newsletters / company magazines.

Our newsletters is only sent after a double opt-in, i.e., after registering in our newsletter list you will receive another, separate confirmation e-mail in order to conclude the registration for the newsletter.

6.4. Press accreditation (Art. 6 [1] lit. b. GDPR)

Besides the general contact information, press credentials, the respective medium, work title, short description of the project and planned publication date must be specified.

6.5. Online reservations of organisers (Art. 6 [1] lit. b. GDPR)

Besides the general contact information the organiser’s PIN must be specified.

6.6. Tourist guide accreditation (Art. 6 [1] lit. b. GDPR)

Besides the general contact information passport photo and tourist guide credentials are to be specified

6.7. To establish contact for the purpose of scientific research (Art. 89 GDPR and Sect. 2 para. 7 DSG)

For the purpose of sending out invitations to take part in scientific research projects personal contact data (name, e-mail address) is processed in combination with order and visitation data (date, time and tour of visit).


7. Cookies

Schloss Schönbrunn, Hofburg Wien, Hofmobiliendepot and Schloss Hof uses cookies for the provision of its services (Art. 6 Abs [1] lit f GDPR). 

Cookies are small text files that the user’s Internet browser places and stores on his or her computer.

Supplementing the aforementioned data and technical information, first and third party cookies are stored on your computer when using our website with the corresponding consent; these are small text files that can be stored on your hard disk assigned to the browser you use.

The place set by a cookie (this is done through us and the third party specified below) accordingly receives certain information. We need these cookies on one hand to recognise you as user of the website and on the other to make the use of our services transparent and practical. Finally, we use cookies for marketing purposes in order to analyse user behaviour and in certain cases to be able to communicate to you specifically targeted advertising.

Basically we can distinguish between first party cookies, third party cookies and third party requests:

  • First party cookies

First party cookies are stored by us ourselves or our website on your browser in order to offer you an optimal user experience. In particular they tend to be functional cookies, for instance shopping basket cookies.

  • Third party cookies

Third party cookies are stored by a third provider on your browser. They mostly concern tracking or marketing tools that on one hand evaluate your user behaviour and on the other offer the third provider the option of recognising you again on other websites you may visit. Retarget marketing, for example, is generally based on the function of this type of cookie.

  • Third party requests

Third party requests concern all questions that you as website user of our website put to a third party – for instance if you activate social networks with plug-ins or use the options offered by a payment service. In this case, although cookies are not stored on your browser, it cannot be excluded that through the interaction, person-related data is sent to this third provider. For this reason we inform you in detail in of our Data Protection Declaration about the tools and applications we use.


8. Analysis of the Schönbrunn Palace, Sisi Museum, Imperial Furniture Collection Vienna and Schloss Hof Estate Internet presence and marketing tools

In so far as you have given your consent to the use of marketing and analysis cookies on entering our website, we use the following analysis and marketing tools:

We use Google Analytics, a web analysis service of Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. This service uses cookies whose functionality has already been explained in detail above. The information generated by these cookies on your use of this website is normally transmitted to a Google server and stored there.

On our commission, Google uses this information to evaluate your use of our website, to compile reports on website activities, and furthermore to make services associated with website usage and Internet usage available with respect to the website operator. The IP addresses transmitted within the framework of Google Analytics to your browser is not merged with other Google data.

You can prevent the storage of the cookies needed by Google Analytics by an appropriate setting in your browser software; however, we point out that in this case you might not be able to make use of all the functions of this website. You can also prevent the acquisition of data generated by the cookie and associated with your use of the website (incl. your IP address) also its transfer and processing through Google by downloading and installing the plug-in available through this link:

If you need further information on the kind, scope and purpose of data collected by Google, we recommend you read their Data Protection Guidelines:

Google processes your data also in the USA and is subject to the EU-US Privacy Shield.

b. We also use the service of Google Ads to draw attention to our attractive offers and products with the aid of ads on external websites. This tool enables us precisely to ascertain in what relationship the individual advertising strategies are in their connection to concrete campaigns. We therefore pursue the interest of displaying to you customised ads that are appropriate to your interests and, within this framework, of attaining a fair settlement of advertising costs.

The ads displayed to you are switched through Google via so called ‘Ad Servers’. For this purpose we use Ad Server cookies through which specific parameters such as displaying ads or user clicks can be measured in order to ascertain the success of advertising campaigns. This functions so that in cases where you have accessed our website via a Google ad, a cookie is stored on your browser by Google Ads, which normally loses validity after 30 days. This cookie is not used to identify you personally but to store, for purposes of analysis, the unique cookie ID, the number of ad impressions per placement, the last impression (relevant for post-view conversions), and also opt-out information.

We ourselves neither collect nor process person-related date within the framework of Google Ads, but receive from Google merely statistical evaluations through which we can determine which of the advertising campaigns we implement are particularly effective.

You can prevent participation in this tracking procedure supplementary to the aforementioned measures by deactivating cookies for conversion tracking, by adjusting your browser so that cookies are blocked from the domain ‘

’ or by permanent deactivation on your browsers Firefox, Internet Explorer or Google Chrome via the link:

c.  In addition we use the application Google Remarketing: this is a process we would like to point out to you when you leave our website again. This means that after visiting our website our ads are displayed during your further use of the Internet. This is done by means of cookies stored on your browser through which your user behaviour is ascertained and evaluated by Google when visiting various websites.

In this way Google can determine your previous visit to our website, but, according to Google, in the case of remarketing, a pseudonym replaces the processed person-related data

d. We place links to other websites as well on our website; this is done only for purposes of information. We do not control these websites, therefore they are not subject to the directives of this Data Protection Declaration. If you should however activate a link, it is possible that the provider of this website collects data about you and processes it according to its data protection declaration, which may deviate from ours. Please always inform yourselves about the current data protection directives of the websites linked on our website.


9. Integration of services and contents of third parties

We place links to other websites as well on our website; this is done only for purposes of information. We do not control these websites, therefore they are not subject to the directives of this Data Protection Declaration. If you should however activate a link, it is possible that the provider of this website collects data about you and processes it according to its data protection declaration, which may deviate from ours. Please always inform yourselves about the current data protection directives of the websites linked on our website.

On our website there is also the option available of interacting with different social networks via embedded contents. They are:

  • Facebook and Instagram, operated by Facebook Ireland Ltd, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland
  • Youtube, operated by Youtube LLC, 901 Cherry Avenue, San Bruno, CA 94066 USA


If you click the content of one of these social networks, this is activated and a connection to the relevant server of this network is set up, as described above. We have no influence on the scope and content of the data transmitted by clicking the plug-in to the relevant operator of this social network.

If you wish to be informed about the type, scope and purpose of the data collected by the operators of these social networks, we recommend you read the data protection directives of the relevant social network.

9.1 Instagram

We also embed contributions of the platform ‘Instagram’, the operator being Facebook Ireland Ltd., 4 Grand Canal Square Grand Canal Harbour, Dublin 2 Ireland.

Go to this link to find the data protection directives of the platform ‘Instagram’:

9.2 Youtube

We also embed videos of the platform ‘YouTube’, the operator being Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, in our articles. Go to this link to find the data protection directives of the platform ‘Youtube’:

To ensure that no data of yours can be transmitted for the use of a third party, you can find an opt-out option here:


10. Social plugins & Facebook pages of Schönbrunn Palace, Vienna Hofburg, Imperial Furniture Collection and Schloss Hof

Schönbrunn Palace, Vienna Hofburg, Imperial Furniture Collection and Schloss Hof do not use any social plugins on their Internet sites (such as Share or Like buttons), in order to avoid data being unnecessarily transferred to a social network in a way that at present cannot be fully tracked by the users of social plugins.

These Internet sites only contain links to our Facebook, Twitter, Instagram and Pinterest pages. Please note that if you access these networks and platforms, the relevant operator’s terms of business and data processing regulations will apply.

We operate our Facebook page with the assistance of the technical platform and services of Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland.

If you visit our Facebook pages at, Facebook will, among other things, record your IP address and further information that is present on your computer in the form of cookies. These details are used to give us as operator of the Facebook pages statistical information about the use of the pages. For further details about this statistical information (Insights) see:

The data acquired about you in this context is processed by Facebook Ltd. and may be transferred to countries outside the European Union. Facebook Data Policy sets out in general terms the information it acquires and how it is used. It also contains information about how to contact Facebook and about the advertisement settings available. The Data Policy can be found at:

Facebook does not disclose exhaustively and clearly, nor do we know, the manner in which it uses Facebook visitor data for its own purposes, the extent to which activities on the Facebook page can be attributed to specific users and whether data from a Facebook visit is passed on to third parties.

When you access a Facebook page, the IP address allocated to your user device is sent to Facebook. According to Facebook, this IP address is anonymised and deleted after 90 days. In addition, Facebook  stores information about its users’ devices (e.g. as part of “Unrecognised login notifications”).

If you are currently registered as a Facebook user, your device contains a cookie with your Facebook ID. This enables Facebook to identify the fact you visited this page and how you used it. This applies to all other Facebook pages. In addition, Facebook buttons integrated in websites (such as Like, as well as other social plugins) allow Facebook to record your visits to these websites and link them to your Facebook profile (as stated above, we do not use such plugins on our company’s websites). All the data about you collected by Facebook can be used to present content or advertising customized to your profile.

Please bear in mind that when you visit Facebook you will in any event be presented with advertising. The data collection sketched out above means that this advertising can at least be adjusted to your assumed interests, with the result that you will not be troubled by completely irrelevant advertisements.

If you want to prevent Facebook collecting data on third-party sites, you should log out of Facebook, or deactivate the “Keep me signed in” function, delete the cookies stored on your device and close and restart your browser. This deletes Facebook information that allows you to be directly identified. As a result, you can use our Facebook page without your Facebook ID being disclosed. However, please note that if you use interactive functions on the page (Like, Comment, Share, Messages etc.), you will see a Facebook log-in mask. If you log in, you will once again be identifiable to Facebook as a specific user.

Information on how to administer or delete existing information about you can be found on the following Facebook support pages:


11. Newsletter Services

Our newsletters is sent through the Austrian despatch service dialog-Mail eMarketing Systems GmbH, Nussgasse 31, A-3434 Wilfersdorf. The use of the despatch service is based on our legitimate interests according to Art. 6  [1] f GDPR and an order processing contract according to Art. 28 [3 ,1] GDPR.

Our quiz-newsletter at is sent through the US despatch service MailChimp, The Rocket Science Group, LLC675 Ponce de Leon Ave NE Suite 5000 Atlanta, GA 30308 USA. The use of the despatch service is based on our legitimate interests according to Art. 6 [1] f GDPR and an order processing contract according to Art. 28 [3 ,1] GDPR.

As soon as you have registered for the newsletter, we send you a confirmation e-mail with a link for you to confirm registration (double opt-in). Newsletter registrations are recorded (registration date and time, confirmation date and time, IP address), so that we can verify the registration process according to legal requirements.

The use of dialog-Mail represents a legitimate interest in the application of a secure, user-friendly newsletter service. The following user data is processed: e-mail address, name, title and, for the dialog-Mail newsletter, a salutation.

When dialog-Mail is used, statistical data about the recipient’s access tto the newsletter is communicated (opening, time of opening, what links were activated). This information serves the improvement of our newsletter. Data is not merged for creating individual user profiles.


12. Use of the analysis and CRM tool

Schönbrunn Palace, the Sisi Museum, the Imperial Furniture Collection Vienna and the Schloss Hof Estate use the tool of the Vienna company ‘Die Socialisten’ Social Software Development GmbH, Andreasgasse 6, Top1 1070 Vienna for the storage, display and management of the data on its pages on the social media platforms Facebook, Pintarest, Instagram and Twitter.

‘Die Socialisten’ Social Software Development GmbH is directly subject and bound to the regime of the GDPR. A contract was drawn up for order data processing.

The tool firstly serves customer service purposes, thus assists us in answering user comments in the social media contributions. In this process, it deploys user names that are chosen by users on the relevant social medial platforms and whose comments are used. An inference as to real names and addresses is not possible with the tool.

In addition, the tool is used for purposes of the collective processing and planning of content on these platforms. Finally, the tool enables us to assess the success of our contributions on social media platforms (the range and scope of a contribution, the intensity of interaction it triggers, etc.). However, in the process it does not show individual users’ data. The use of this customer service and content tool is performed within the scope of an overriding legitimate interest (Art. 6 [1] f GDPR).


13. Your rights

The following rights and entitlements of our data processing are available to you as affected person according to the basic directives on data protection and the Data Protection Law

  • Right of information (Art. 15 EU-GDPR)

As person affected by the data processing described above and other such processes, you are entitled to demand information whether, and if yes, which person-related data about you is being processed. For your own protection – so that no one receives unauthorised information about your data – we confirm your identity in the appropriate form before giving information.

  • Right of rectification (Art. 16) and erasure (Art. 17 EU-GDPR)

You have the right to demand without delay the rectification of incorrect person-related data relating to you and – taking the purposes of data processing into account – the completion of incomplete person-related data and also the erasure of your data, in so far as the criteria of Art. 17 EU-GDPR are fulfilled.

  • Right of restricting processing procedures (Art. 18 EU-GDPR)

You have the right according to legal prerequisites to restrict the processing of all collected person-related data. This data is then processed as of the restriction request only with your individual consent, or to validate and put legal claims into effect.

  • Right of data portability (Art. 20 EU-GDPR)

You can demand the prompt and unlimited transfer to you or to a third party of person-related data that you have made available to us.

  • Right of objection (Art. 21 EU-GDPR)

You can object any time for reasons arising from your special situation to the processing of your individual,  person-related data, which is necessary to preserve our legitimate interests or those of a third party. Your data is no longer processed after the objection, unless there are cogent reasons for the processing procedure that are worthy of protection which override your interests, rights and freedoms, or the processing serves the validation, exercise and defence of our rights and claims. You can raise an objection any time against the data processing procedure for the purpose of direct advertising with effect for the future.

  • Withdrawal of consent

In case you have given consent separately to the processing of your data, you can cancel this at any time. Such a cancellation influences the admissibility of the processing of your person-related data, after you have expressed this to us.

If you take a measure to claim the aforementioned rights according to the GDPR, we are obliged to take position as regards the requested measure without delay, but at the latest within one month after receiving your request, respectively to act correspondingly to the request.

We shall react to all appropriate questions within the legal framework free of charge and that as promptly as possible.

With regard to requests, the data protection authority is responsible for infringement of the right of information, infringement of the rights of secrecy, rectification or erasure. Its contact details are as follows:

Österrichische Datenschutzbehörde

Barichgasse 40-42

1030 Vienna 



14. Data transfer to Imperial Austria Palaces Service GmbH

Our ticketing system is handled by the Ticket Shop of Imperial Austria Palaces Service GmbH, whose headquarters are at our company location – Schloss Schönbrunn, Kavalierstrakt, 1130 Vienna. We are informed by Imperial Austria Palaces Service GmbH about ticket reservations made via

Specifically, during this process we receive the following data: name, address, telephone number, e-mail address, language, age (adult or children’s ticket), membership of a family or group (for family, student, group tickets).

For press accreditations: the medium, working title and short description of the project must be stated.

For online reservations by event organisers: the event organiser’s PIN.

The personal data and contract data (contract subject, term, customer categories) notified in the course of the ordering process are used exclusively for contract processing; payment data is protected by encryption and used solely for payment management during the contract processing.

The use of the ticketing system is necessary for processing ticket reservations. We have entered into a contract for order data processing with Imperial Austria Palaces Service GmbH.

This data usage is based on Art. 6 [1] b GDPR.

Schönbrunn Palace Mobile App


Mobile App