Privacy Policy
Introduction
With the following privacy policy, we inform you about the types of your personal data (hereinafter also referred to as “data”) we process for which purposes and to what extent. The privacy policy applies to all processing of personal data carried out by us.
Last update: 18 November 2022
Responsible party
Style Appartement BeLLeArTi GmbH
E-mail address: office@bellearti.at
Phone: +43 1 317 6565
Legal notice: https://www.apartment-wien.at/en/imprint/
Relevant legal basis
The following provides you with an overview of the legal bases of the GDPR on the basis of which we process personal data.
• Consent (Art. 6 para. 1 p. 1 lit. a) GDPR) – The respective person consents to a specific data processing for a specific purpose.
• Contract performance and pre-contractual enquiries (Art. 6 para. 1 p. 1 lit. b) GDPR) – The processing is necessary for the performance of a contract with the respective person or for the performance of pre-contractual measures.
• Legal obligation (Art. 6 para. 1 p. 1 lit. c) GDPR) – Processing is necessary for compliance with a legal obligation to which the responsible party is subject.
• Legitimate interests (Art. 6 para. 1 p. 1 lit. f) GDPR) – The processing is necessary to protect the legitimate interests of the responsible party or a third party.
In addition to the data protection regulations of the GDPR, national regulations on data protection in Austria apply, in particular the Federal Act on the Protection of Individuals with regard to the processing of personal data (Datenschutzgesetz [Data Protection Act] – DSG).
Security measures
We take appropriate technical and organisational measures, taking into account the technical state of the art, the implementation costs and the nature of the processing, to ensure a level of protection appropriate to the risk.
These include, in particular, ensuring the confidentiality, integrity and availability of data by controlling physical and electronic access as well as access, input, disclosure, ensuring their availability and separation.
TLS encryption (https): In order to protect your data transmitted via our online offer, we use TLS encryption. Such an encrypted connection can be identified by the prefix https:// in the address bar of your browser.
Transmission of personal data
In the course of our data processing, it may happen that data is transferred to third parties (e.g., service providers commissioned with IT tasks) or disclosed to them. In such cases, we observe the legal requirements and, in particular, conclude corresponding contracts or agreements with the recipients of your data that serve to protect your data.
Data processing in third countries
If we process data in a third country (i.e. outside the EEA) or the processing takes place in the context of using third-party services, this will only be done in accordance with the legal requirements. Subject to explicit consent or contractually or legally required transfer, data is only processed in third countries with a recognised level of data protection or with contractual obligations through so-called standard protection clauses of the EU Commission or in the presence of certifications or binding internal data protection regulations (Art. 44 to 49 GPDR, information page of the EU Commission: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection_en).
Deletion of data
The data processed by us will be deleted in accordance with the legal requirements as soon as the underlying consent is revoked, or other requirements cease to apply. If the data is not deleted because it is required for other and legally permissible purposes, its processing will be limited to these purposes.
Use of cookies
Cookies are small text files or other means of storage that store information on end devices and read information from the end devices, e.g., to store the login status in a user account, the contents of a shopping basket in an e-shop, the contents accessed, or the functions used in an online offer. Cookies can be used for various purposes, e.g., for the purpose of functionality, security, and comfort of online offers as well as the creation of analyses of visitor flows.
Notes on consent: We request prior consent from users except where this is not required by law, for example where cookies are strictly necessary to provide users with an offer they have specifically requested.
Information on the legal basis for data protection: If users consent to the use of cookies, this is the legal basis for the processing. Otherwise, data is processed on the basis of our legitimate interests (e.g., in the economic management of our online offer and improvement of its usability).
Duration of storage: In terms of storage duration, the following types of cookies are distinguished:
• Temporary cookies (also: Session cookies): Temporary cookies are deleted at the latest after a user has left an online offer and closed his end device (e.g., browser or mobile app).
• Permanent cookies: Permanent cookies remain stored even after the terminal device is closed (e.g., when saving the login status). In the absence of explicit information on the type and storage period of cookies, users should assume that cookies are permanent, and that the storage duration can be up to two years.
General information on revocation and objection (opt-out): Users can revoke their consent at any time and object to the processing (e.g., by deactivating cookies in the internet browser). An objection to the use of cookies for online marketing purposes is also possible via the websites https://optout.aboutads.info and https://www.youronlinechoices.com/ .
Further information on processing procedures, practices and services:
• Processing of cookie data based on consent: We use a cookie consent management process which allows consent to be obtained from users and can be managed and revoked by users. Consent is stored so that it does not have to be repeated. The storage can take place on the server and/or in a cookie. Subject to individual information on the providers of cookie management services, the following information applies: The duration of the storage of consent can be up to two years. For this purpose, a pseudonymous user identifier is created and stored with the time of consent, information on the scope of consent (e.g. which categories of cookies and/or service providers) as well as the browser, system and end device used.
Business services
We process data of our contractual and business partners, e.g., customers and interested parties, in order to fulfil our contractual obligations. This includes, in particular, the obligation to provide the agreed services as well as the processing of data in the event of warranty and other service disruptions. In addition, we process the data to protect our rights and for the purpose of the administrative tasks associated with these obligations as well as the company organisation. Furthermore, we process the data on the basis of our legitimate interests in a proper and economic management as well as security measures to protect our contractual partners and our business operations from misuse, endangerment of their data, secrets, information and rights (e.g. for the involvement of telecommunications, transport and other auxiliary services as well as subcontractors, banks, tax and legal advisers, payment service providers or tax authorities).
We delete the data after the expiry of legal warranty and comparable obligations, i.e., in principle after 4 years, unless the data must be retained for legal archiving reasons. The statutory retention period for documents relevant under tax law is seven years. The period begins with the expiry of the calendar year in which the last entry was made.
Types of data processed: Inventory data (e.g., names, addresses); payment data (e.g. bank details, invoices, payment history); contact data (e.g. e-mail, telephone numbers); contract data (e.g. subject matter of the contract, term, customer category).
• Persons concerned: Interested parties; business and contractual partners.
• Purposes of processing: Provision of contractual services and customer service; contact requests and communication; office and organisational procedures; administration and response to requests.
• Legal bases: Contract performance and pre-contractual enquiries (Art. 6 para. 1 p. 1 lit. b) GDPR); Legal obligation (Art. 6 para. 1 p. 1 lit. c) GDPR); Legitimate interests (Art. 6 para. 1 p. 1 lit. f) GDPR).
Further information on processing procedures, practices, and services:
• Rental services: We process the data of our tenants and of prospective tenants in accordance with the underlying tenancy agreement. If required in the context of the tenancy, we also process information on the characteristics and circumstances of persons or property belonging to them (e.g., personal circumstances, movable or immovable property, financial situation). It may also be necessary for us to process special categories of data within the meaning of Art. 9 para. 1 of the GDPR, in particular health data. The processing is carried out in order to be able to protect the health interests of the tenants and otherwise only with the consent of the tenants. If required for the performance of the contract or required by law or approved by the tenants or on the basis of our legitimate interests, we disclose or transmit the tenants’ data in the context of coverage requests, conclusion and processing of contracts, e.g., to financial service providers, credit institutions, providers or authorities. Legal bases: Contract fulfilment and pre-contractual enquiries (Art. 6 para. 1 p. 1 lit. b) GDPR).
Provision of the online offer and web hosting
We process users’ data in order to provide them with our online services. For this purpose, we process the user’s IP address, which is necessary to transmit the content and functions of our online services to the user’s browser or terminal device.
• Types of data processed: Usage data (e.g., websites visited, interest in content, access times); meta/communication data (e.g., device information, IP addresses); content data (e.g., entries in online forms).
• Persons concerned: Users (e.g., website visitors, users of online services).
• Purposes of processing: Provision of our online offer and user-friendliness; IT-based infrastructure (operation and provision of information systems and technical devices (computers, servers, etc.).); security measures.
• Legal bases: Legitimate interests (Art. 6 para. 1 p. 1 lit. f) GDPR).
Further information on processing procedures, practices, and services:
• Provision of the online offer on rented storage space: For the provision of our online offer, we use storage space, computing capacity and software that we rent or otherwise obtain from a corresponding server provider (Hetzner Online GmbH, Industriestrasse 25, 91710 Gunzenhausen, Germany); Legal basis: Legitimate interests (Art. 6 para. 1 p. 1 lit. f) GDPR).
• Collection of access data and log files: Access to our online offer is recorded in the form of so-called “server log files”. The server log files may include the address and name of the web pages and files accessed, the date and time of access, the volume of data transferred, notification of successful access, browser type and version, the user’s operating system, referrer URL (the previously visited page) and, as a rule, IP addresses and the requesting provider. The server log files may be used for security purposes, for example, to prevent a server overload (especially in the event of abusive attacks, so-called DDoS attacks) and to ensure the server utilisation and stability; Legal basis: Legitimate interests (Art. 6 para. 1 p. 1 lit. f) GDPR); Deletion of data: Log file information is stored for a maximum of 30 days and then deleted or anonymised. Data that must be further stored for evidentiary purposes is exempt from deletion until the final clarification of the respective incident.
• E-mail transmission and hosting: The aforementioned web hosting services also include sending, receiving and storing e-mails. In the process, the addresses of the recipients as well as the senders and information regarding the e-mail dispatch (e.g., providers involved) as well as the contents of the respective e-mails are processed. As a rule, e-mails are encrypted in transit, but (unless a so-called end-to-end encryption procedure is used) not on the servers. We can therefore not assume any responsibility for the transmission path of the e-mails between the sender and the receipt on our server; Legal basis: Legitimate interests (Art. 6 para. 1 p. 1 lit. f) GDPR).
Contact and enquiry management
When contacting us (e.g., via contact form, e-mail, telephone) as well as in the context of existing business relations, data is processed to the extent necessary to respond.
• Types of data processed: Contact data (e.g., e-mail, telephone numbers); content data (e.g., entries in online forms); usage data (e.g., websites visited, interest in content, access times); meta/communication data (e.g., device information, IP addresses).
Cloud services
We use software services executed on the servers of their providers (so-called “cloud services”) to store and manage content (e.g., document storage and management, exchange of documents).
In the process, personal data may be processed and stored on the servers of the providers, insofar as these are part of communication processes with us or are otherwise processed by us.
Insofar as we use the cloud services to provide other users or publicly accessible websites with forms or other documents or content, the providers may store cookies on the users’ devices for the purposes of web analytics or to remember the users’ settings (e.g., in the case of media control).
• Types of data processed: Inventory data (e.g., names, addresses); contact data (e.g., e-mail, telephone numbers); content data (e.g., entries in online forms); usage data (e.g., websites visited, interest in content, access times); meta/communication data (e.g., device information, IP addresses).
• Persons concerned: Customers; employees (e.g., employees, applicants, former employees); prospective customers; communication partners.
• Purposes of processing: Office and organisational procedures; IT-based infrastructure (operation and provision of information systems and technical devices (computers, servers, etc.).).
• Legal bases: Legitimate interests (Art. 6 para. 1 p. 1 lit. f) GDPR).
Further information on processing procedures, practices, and services:
• Microsoft Cloud Services: Cloud infrastructure services and cloud-based application software Service provider: Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland, Parent company: Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399 USA; Legal basis: Legitimate interests (Art. 6 para. 1 p. 1 lit. f) GDPR); Website: https://microsoft.com/en-gb; Privacy Policy: https://privacy.microsoft.com/en-gb/privacystatement, Safety information: https://www.microsoft.com/en-gb/trustcenter; Data processing agreement: https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA; Standard contractual clauses (ensuring the level of data protection in the case of processing in third countries): https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA.
Promotional communication via e-mail, post, fax, or telephone
We process personal data for the purposes of promotional communication, which may take place via various channels, such as e-mail, telephone, post, or fax, in accordance with legal requirements.
Recipients have the right to revoke consent given at any time or to object to promotional communication at any time.
After revocation or objection, we store the data required to prove the previous authorisation for contacting or sending for up to three years after the end of the year of revocation or objection on the basis of our legitimate interests. The processing of this data is limited to the purpose of a possible defence against claims. Based on the legitimate interest of permanently observing the revocation or objection of the users, we further store the data required to avoid a renewed contact (e.g., depending on the communication channel, the e-mail address, telephone number, name).
• Types of data processed: Inventory data (e.g., names, addresses); contact data (e.g., e-mail, telephone numbers).
• Persons concerned: Communication partners.
• Purposes of processing: Direct marketing (e.g., by e-mail or post).
• Legal bases: Consent (Art. 6 para. 1 p. 1 lit. a) GDPR); Legitimate Interests (Art. 6 para. 1 p. 1 lit. f) GDPR).
Web analysis, monitoring and optimisation
Web analysis (also referred to as “range measurement”) is used to evaluate the flow of visitors to our online offer and may include information about behaviour, interests, or demographic information of visitors as pseudonymous values.
For these purposes, profiles, i.e., data summarised for a usage process, can be created and information can be stored in a browser or on an end device and read from it.
The information collected includes, in particular, websites visited, and elements used there as well as technical information such as the browser used, the computer system used and information on usage times.
The IP addresses of the users are also stored but are pseudonymised by shortening them. In general, no clear user data (such as e-mail addresses or names) is stored for web analysis, A/B testing and optimisation, but pseudonyms are stored.
Types of data processed: Usage data (e.g., websites visited, interest in content, access times); meta/communication data (e.g., device information, IP addresses).
• Persons concerned: Users (e.g., website visitors, users of online services).
• Purposes of processing: Reach measurement (e.g., access statistics); profiles with user-related information; tracking (e.g., interest-based profiling, use of cookies); measurement of the effectiveness of marketing measures; marketing; determination of target groups relevant for marketing purposes; provision of our online offer and user-friendliness.
• Security measures: IP masking (pseudonymisation of the IP address).
• Legal bases: Consent (Art. 6 para. 1 p. 1 lit. a) GDPR).
Further information on processing procedures, practices, and services:
• Google Analytics 4: We use Google Analytics to conduct user analyses based on a pseudonymous user identification number. This identification number does not contain any unique data, such as names or email addresses, and enables the assignment of information to an end device (e.g., content accessed by the user, search terms used, time of use and its duration, technical aspects of the end devices and browsers). In the process, pseudonymous profiles are created with information from the use of different devices, whereby cookies can be used. In Analytics, higher level geographic location data is provided by collecting the following metadata based on IP search: “city” (and the derived latitude and longitude of the city), “continent”, “country”, “region”, “subcontinent” (and the ID-based equivalents). To ensure the protection of user data in the EU, Google receives and processes all user data via domains and servers within the EU. User IP addresses are not logged and are truncated by the last two digits by default. The shortening of the IP address takes place on EU servers for EU users. In addition, all sensitive data collected from users in the EU will be deleted before being collected via EU domains and servers; Service providers: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal bases: Consent (Art. 6 para. 1 p. 1 lit. a) GDPR); Website: https://marketingplatform.google.com/intl/en/about/analytics/; Privacy Policy: https://policies.google.com/privacy; Data processing agreement: https://business.safety.google/adsprocessorterms/; Standard contractual clauses (ensuring the level of data protection in the case of processing in third countries): https://business.safety.google/adsprocessorterms; Option to object (Opt-Out): Opt-out plug-in: https://tools.google.com/dlpage/gaoptout?hl=en, Settings for the display of advertisements: https://adssettings.google.com/authenticated; Further information: https://privacy.google.com/businesses/adsservices (Types of processing as well as data processed).
Online marketing
We process personal data for online marketing purposes.
For this purpose, user profiles are created and stored in a file (“cookies”) or similar procedures are used to store relevant information about the user (e.g. content viewed, websites visited, online networks used, communication partners, information about the device used, etc.).
The IP addresses of the users are also stored but are pseudonymised by shortening them. In general, no clear user data (such as e-mail addresses or names) is stored for online marketing procedures, but pseudonyms are stored.
The information in the profiles is usually stored in the cookies. These cookies can also be read and analysed on other websites or supplemented with further data and stored on the server of the online marketing procedure provider.
• Types of data processed: Usage data (e.g., websites visited, interest in content, access times); meta/communication data (e.g., device information, IP addresses).
• Persons concerned: Users (e.g., website visitors, users of online services).
• Purposes of processing: Reach measurement (e.g., access statistics; tracking (e.g., interest-based profiling, use of cookies)); marketing; creation of user profiles.
• Security measures: IP masking (pseudonymisation of the IP address).
• Legal bases: Consent (Art. 6 para. 1 p. 1 lit. a) GDPR).
• Option to object (Opt-Out): We refer to the data privacy policies of the respective providers and the objection options (so-called “opt-out”) given for the providers. If no explicit opt-out option has been specified, you have the option of switching off cookies in your browser settings. However, this may restrict the functions of our online offer. We therefore recommend the following additional opt-out options, which are offered in summary for the respective areas: a) Europe: https://www.youronlinechoices.eu. b) Canada: https://www.youradchoices.ca/choices. c) USA: https://www.aboutads.info/choices. d) Cross-territorial: https://optout.aboutads.info.
Further information on processing procedures, practices, and services:
• Google Ads and conversion measurement: We use the online marketing method “Google Ads” to place ads in the Google advertising network (e.g., in search results, in videos, on websites, etc.) so that they are displayed to users who have a presumed interest in the ads (so-called “conversion”). We also measure the conversion of the ads. However, we only learn the anonymous total number of users who clicked on our ad and were redirected to a page marked with a so-called “conversion tracking tag”. We do not receive any information with which users can be identified; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal bases: Consent (Art. 6 para. 1 p. 1 lit. a) GDPR); Website: https://marketingplatform.google.com; Privacy Policy: https://policies.google.com/privacy; Further information: Types of processing as well as data processed: https://privacy.google.com/businesses/adsservices; Data processing conditions between responsible parties and standard contractual clauses for third country transfers of data: https://business.safety.google/adscontrollerterms.
Amendment and updating of the data protection declaration
We adapt the content of our data protection declaration as soon as changes in the data processing carried out by us make this necessary. We will inform you as soon as the changes require your involvement or other individual notification.
Rights of the persons concerned
As a person concerned, you are entitled to various rights according to the GDPR, which arise in particular from Articles 15 to 21 of the GDPR:
• Right of objection
You have the right to object, on grounds relating to your particular situation, to the processing of your data which is carried out on the basis of Art. 6 para. 1 lit. e or lit. f of the GDPR. If your data is processed for the purpose of direct marketing, you may object to the processing.
• Right of withdrawal in the case of consent
• Right to information
You have the right to request confirmation as to whether the data in question is being processed as well as to information about this data.
• Right to rectification
In accordance with the law, you have the right to request that data concerning you be completed or that inaccurate data concerning you be corrected.
• Right to deletion and restriction of processing
You have the right to request that data concerning you be deleted immediately or, alternatively, to request restriction of the processing of the data.
• Right to data portability
You have the right to receive data provided by you in a structured, common and machine-readable format or to request its transfer to another responsible party.
• Complaint to the supervisory authority
You also have the right to file a complaint with a data protection supervisory authority if you believe that your data has been processed unlawfully.