Data Privacy Policy

1. General

Your personal data ("data") is safe with us, Haus des Meeres Aqua Terra Zoo GmbH and Haus des Meeres Betriebs GmbH (hereinafter: "we"). We are required to protect your data and take this requirement very seriously. Please take the time to read this Data Privacy Policy and find out why we collect your data when you visit our website and how we will process it. This text is for your information and does not establish any contractual rights or duties.

2. What is personal data?

Personal data means any information relating to an identified or identifiable natural person (e.g. name, contact details, invoice data, IP address).

3. Display, improvement and security of the website

3.1. Categories of data; Purposes and legal bases

When you visit our website, the following data will be processed to display the website to you. Data will be processed to provide you with a service expressly requested by you, namely our website (Section 165(3) of the Austrian Telecommunications Act [Telekommunikationsgesetz], hereinafter: TKG):

address of the website retrieved (URL)
IP address of the website visitor
date and time of request
identification data of the browser used (user agent)

Provision of the data listed above is neither prescribed by law or contract nor required for concluding a contract. You are under no obligation to provide this data. Please bear in mind that we will not be able to display the website to you if you do not provide the relevant data.

We create log files where we will store the data stated above and link them to other data for three (3) months. The purpose of log files is to identify or track cyberattacks or other unauthorised access. We will process this data on the basis of our legitimate interest in the security of our website (Article 6(1)(f) GDPR).

3.2. Storage period; Duration of processing

Data will be processed to display our website for the duration of your visit to our website. Data stored in log files will be processed by us for a period of three (3) years from entry into the log file to identify or track cyberattacks or other unauthorised access.

For the option of a longer processing period for purposes of establishing, exercising or defending legal claims and for proceedings before public authorities (including courts) please refer to Clause 13.

4. Contact form

4.1. Categories of data; Purposes and legal bases

When you send a request via the contact form on our website, the following data will be processed for you to be able to use the contact form and submit your request to us. Data will be processed to provide you with a service expressly requested by you, namely our contact form (Section 165(3) TKG):

IP address of the website visitor
email address
name
contact details
message

Provision of the data listed above is neither prescribed by law or contract nor required for concluding a contract. You are under no obligation to provide this data. Please bear in mind that the contact form will not work and we will not be able to process your request if you do not provide the relevant data.

4.2. Storage period; Duration of processing

For the option of a longer processing period for purposes of establishing, exercising or defending legal claims and for proceedings before public authorities (including courts) please refer to Clause 13.

5. Online shop (sale of tickets and vouchers)

5.1. Categories of data; Purposes and legal bases

When you buy tickets or vouchers in our online shop, we will process your data on a (pre-)contractual basis (Article 6(1)(b) GDPR), namely for the purposes of starting, maintaining and handling the business relationship. The following categories of data will be processed in connection with our business relationships with customers for the above-mentioned purposes, unless you represent a legal entity or other person having a legal personality:

name
contact details
date of birth
delivery address
date and selected timeslot
voucher number
voucher value
data relating to the ticket type (adult, child)
additional remarks in the purchase order, e.g. special needs (wheelchair, etc.), if applicable
discount code, if applicable
membership of Ö1 Club, if applicable
different invoice address, if applicable
payment details

5.2. Storage period; Duration of processing

Provision of the above data is not prescribed by law. It is, however, necessary for concluding a contract. If you maintain a contract with us, you will be required to provide such data for us to handle the contractual relationship, i.e. the provision of data is required under the contract insofar. Please bear in mind that we will not be able to process transactions if the necessary above-mentioned personal data is not available to us.

If you provide additional data, we will process the same to safeguard our legitimate interests (Article 6(1)(f) GDPR) in improving the quality of our contractual relationship and our performance.

In order to perform the contract we will process your data until performance of the contract by both parties.

We will process your data for our bookkeeping to fulfil our business-law and tax-law obligations to safeguard our legitimate interest in fulfilling our bookkeeping requirements defined in Section 190 of the Austrian Business Code [Unternehmensgesetzbuch/UGB] (Article 6(1)(f) GDPR) and the duty to file VAT returns. For reasons of business law (Section 212 UGB) and tax law (Section 132 of the Austrian Federal Tax Code [Bundesabgabenordnung/BAO]) we retain our bookkeeping records for seven (7) years from the end of the financial year in which the relevant transaction took place.

For establishing, exercising or defending legal claims we will retain data regarding gift voucher purchases or unused tickets which are converted into vouchers for a period of 30 years due to the 30-year period of statutory limitation. For processing for purposes of establishing, exercising or defending legal claims and for proceedings before public authorities (including courts) please refer to Clause 13.

6. Issue and administration of annual passes

6.1. Categories of data; Purposes and legal bases

We will process your personal data listed below for issuing and managing annual passes on a (pre-)contractual basis (Article 6(1)(b) GDPR), namely for starting, maintaining and handling the business relationship.

name
date of birth
postal code
term of validity
for card payments: purchase amount, date, bank details (encrypted)

6.2. Storage period; Duration of processing

In order to perform the contract we will process your data until performance of the contract by both parties. Data regarding card payments will be stored by us for ten (10) days.

We will process your data for our bookkeeping to fulfil our business-law and tax-law obligations to safeguard our legitimate interest in fulfilling our bookkeeping requirements defined in Section 190 UGB (Article 6(1)(f) GDPR) and the duty to file VAT returns. For reasons of business law (Section 212 UGB) and tax law (Section 132 BAO) we retain our bookkeeping records for seven (7) years from the end of the financial year in which the relevant transaction took place.

For processing for purposes of establishing, exercising or defending legal claims and for proceedings before public authorities (including courts) please refer to Clause 13.

7. Registration and bookings

7.1. Categories of data; Purposes and legal bases

We will process your data listed below for processing your booking and for registration in connection with your visit to the zoo and/or restaurant. Processing will occur on a (pre-)contractual basis (Article 6(1)(b) GDPR), namely to handle the booking and registration of your visit.

name
contact details
date of birth

8. Events

8.1. Categories of data; Purposes and legal bases

If you book an event with us, we will process your personal data on a (pre-)contractual basis (Article 6(1)(b) GDPR), namely for the purposes of starting, maintaining and handling the business relationship. The following categories of data will be processed in connection with our business relationship for the above-mentioned purposes, unless you represent a legal entity or other person having a legal personality:

type of event
setting of the event
number of visitors
description of the event (free text field)
date and time
name and contact details
VAT number, if applicable
references, if applicable

If you book tickets for a Kultur und Me(e)hr event, please refer to Clause 5.

8.2. Storage period; Duration of processing

In order to perform the contract we will process your data until performance of the contract by both parties. Data regarding card payments will be stored by us for ten (10) days.

We will process your data for our bookkeeping to fulfil our business-law and tax-law obligations to safeguard our legitimate interest in fulfilling our bookkeeping requirements defined in Section 190 UGB (Article 6(1)(f) GDPR) and the duty to file VAT returns. For reasons of business law (Section 212 UGB) and tax law (Section 132 BAO) we retain our bookkeeping records for seven (7) years from the end of the financial year in which the relevant transaction took place.

For processing for purposes of establishing, exercising or defending legal claims and for proceedings before public authorities (including courts) please refer to Clause 13.

9. Prize draws

9.1. Categories of data; Purposes and legal bases

If you participate in one of our prize draws, we will process your data listed below for handling the prize draw and relating correspondence. Processing will occur on a (pre-)contractual basis (Article 6(1)(b) GDPR), namely to handle the prize draw and awarding the prize.

name
contact details
prize

9.2. Storage period; Duration of processing

We will process your above-mentioned data until conclusion of the prize draw. If you have won, we will process your data until the prize has been awarded. For the option of a longer processing period for purposes of establishing, exercising or defending legal claims and for proceedings before public authorities (including courts) in the case that you win please refer to Clause 13.

10. Press and public relations, including social media presence

10.1. Categories of data; Purposes and legal bases

Upon your consent (for the purposes of Article 6(1)(a) GDPR) we will process your data stated below to periodically inform you through a newsletter via Brevo and about upcoming events.

name
contact details
dates of subscribing to and unsubscribing from the newsletter
newsletters sent

For analysing the newsletters sent, the following data about you will be collected and processed when you read the newsletter:

IP address (of the device on which the newsletter is read)
preferences when reading the newsletter (click behaviour)
blocking and marking as spam
time at which the newsletter is opened
clicks on links from the newsletter
delivery failures

If you do not wish to provide those details, please do not subscribe to the newsletter. You may unsubscribe from the newsletter at any time by sending an email using the subject "Unsubscribe Newsletter" to the mailbox office@haus-des-meeres.at or by clicking on the relevant link contained in every newsletter sent and thus withdraw your consent.

Upon your consent (as defined in Article 6(1)(a) GDPR) we will process photos and videos, including publication of the same on the website and via social media channels and print media, in particular for public relations, to raise the awareness of Haus des Meeres.

Provision of the data listed above is neither prescribed by law or contract nor required for concluding a contract. You are under no obligation to provide this data. Where we process your data based on your consent, you have the right to withdraw your consent at any time by sending an email to office@haus-des-meeres.at or a letter to Fritz-Grünbaum-Platz 1, 1060 Vienna. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal (Article 7(3) GDPR).

10.2. Storage period; Duration of processing

We will process the above-mentioned data until you withdraw your consent.

We expressly point out that on the conditions of Section 174(4) TKG we may be authorised to send you the newsletter even without your prior express consent (see Clause 11). Any withdrawal of your consent to receipt of the newsletter described herein will also be considered by us as withdrawal for the purposes of Section 174(4) TKG.

For the option of a longer processing period for purposes of establishing, exercising or defending legal claims and for proceedings before public authorities (including courts) please refer to Clause 13.

11. Electronic direct marketing on the basis of Section 174(4) TKG

11.1. Categories of data; Purposes and legal bases

We process our customers' data for purposes of electronic direct marketing by way of emails (sending newsletters about our own similar products/services, satisfaction surveys, congratulation letters, statistical analyses).

The following data will be processed for direct marketing by email:

salutation
first name, surname
email address
data regarding products or services purchased from us before

We would like to expressly inform you that you may object to processing of your data for the purposes of electronic direct marketing at the time we collect your electronic contact details and with any transmission by email to office@haus-des-meeres.at or sending a letter to Fritz-Grünbaum-Platz 1, 1060 Vienna.

11.2. Storage period; Duration of processing

We will process your data for the purpose of direct marketing pursuant to Section 174(4) TKG only until you object to such data processing. If you do not object, we will process your data for that purpose for three (3) years from the last contact. Retention of your data for the purpose of future direct marketing serves the purpose of safeguarding our legitimate interest in keeping records of contacts for sending direct marketing emails (Article 6(1)(f) GDPR).

For the option of a longer processing period for purposes of establishing, exercising or defending legal claims and for proceedings before public authorities (including courts) please refer to Clause 13.

12. CCTV surveillance

12.1. Categories of data; Purposes and legal bases

For the purposes of protecting ourselves (protection of property and staff) and complying with our responsibilities (discharge of the duty to maintain safety, contractual liability vis-à-vis visitors, etc.) and for the purposes of preventing, containing and clearing up criminal conduct we will process your data in connection with CCTV surveillance. The legal basis of processing is our legitimate interests in protecting ourselves and complying with our responsibilities (Article 6(1)(f) GDPR, Article 10 GDPR in conjunction with Section 4(3) No. 2 of the Austrian Data Protection Act [Datenschutzgesetz/DSG]. Data will be analysed exclusively in cases defined by the purpose. The following categories of data will be processed for that purpose:

CCTV data (appearance, conduct)
place of CCTV recording
time of CCTV recording
identity of the person recorded, if identifiable based on the recordings
role of the person recorded (e.g. victim, offender, witness), if identifiable based on the recordings

12.2. Storage period; Duration of processing

CCTV surveillance data will be stored for 72 hours and then erased. For the option of a longer processing period for purposes of establishing, exercising or defending legal claims and for proceedings before public authorities (including courts) please refer to Clause 13.

13. Data processing for the establishment, exercise or defence of legal claims, proceedings before public authorities (including courts)

13.1. Categories of data; Purposes and legal bases

Where applicable, we may process data also for the purposes of establishing, exercising or defending legal claims or handling proceedings before public authorities (including courts) on the basis of our legitimate interest (Article 6(1)(f) GDPR). Our legitimate interest lies in enforcing existing claims and defending non-existing claims and handling proceedings before public authorities (including courts) to protect our legal position.

For establishing, exercising or defending legal claims and for handling proceedings before public authorities (including courts) we will process all data categories that are necessary for that purpose. Potentially they are all categories of data of you which we already process for other purposes.

13.2. Storage period; Duration of processing

We will process data that is required to establish, exercise or defend legal claims for that purpose even up to 30 years after termination of the business relationship.

If data subjects claim rights under the GDPR (for details see Clause 17), we will store the relevant data for three (3) years from the last contact in connection with claiming of rights by a data subject.

In the case of proceedings before public authorities or the courts we will store your data for the duration of the proceedings and, depending on the subject matter and outcome of the proceedings, in addition for 30 years from final/non-appealable conclusion of the same.

14. Recipients of data

For the above purposes we are required to disclose your data to the following recipients for the following purposes. Such disclosure may occur by way of transmission, transfer, dissemination or any other form of provision. The recipients:

Recipient	Data categories	Purpose	Legal basis
incert eTourismus GmbH & Co KG	All data as per Clauses 3, 4, 5, 7, 8, 10, 11	Ensuring the availability, security and efficiency of our online shop	No legal basis necessary due to the data processing agreement
Amepheas AG	All data as per Clause 5	Ticket administration	No legal basis necessary due to the data processing agreement
Techtime GmbH	All data categories	Support and remote maintenance of our IT	No legal basis necessary due to the data processing agreement
PAYONE GmbH	Card payment data	Card payment management	Contractual basis (Article 6(1)(b) GDPR): payment processing upon request
Lawyers and tax advisors	All data categories	Evaluation and bringing about compliance with legal obligations	Legitimate interests (Article 6(1)(f) GDPR): compliance with the legal obligations to which we are subject
Public authorities (including courts)	All data categories	Handling proceedings and legal disputes	Legal obligations (Article 6(1)(c) GDPR); Legitimate interests: establishment, exercise or defence of legal claims (Article 6(1)(f) GDPR) and compliance with legal obligations (in particular procedural law)

Recipient	incert eTourismus GmbH & Co KG
Data categories	All data as per Clauses 3, 4, 5, 7, 8, 10, 11
Purpose	Ensuring the availability, security and efficiency of our online shop
Legal basis	No legal basis necessary due to the data processing agreement
Recipient	Amepheas AG
Data categories	All data as per Clause 5
Purpose	Ticket administration
Legal basis	No legal basis necessary due to the data processing agreement
Recipient	Techtime GmbH
Data categories	All data categories
Purpose	Support and remote maintenance of our IT
Legal basis	No legal basis necessary due to the data processing agreement
Recipient	PAYONE GmbH
Data categories	Card payment data
Purpose	Card payment management
Legal basis	Contractual basis (Article 6(1)(b) GDPR): payment processing upon request
Recipient	Lawyers and tax advisors
Data categories	All data categories
Purpose	Evaluation and bringing about compliance with legal obligations
Legal basis	Legitimate interests (Article 6(1)(f) GDPR): compliance with the legal obligations to which we are subject
Recipient	Public authorities (including courts)
Data categories	All data categories
Purpose	Handling proceedings and legal disputes
Legal basis	Legal obligations (Article 6(1)(c) GDPR); Legitimate interests: establishment, exercise or defence of legal claims (Article 6(1)(f) GDPR) and compliance with legal obligations (in particular procedural law)

15. Cookies on our website

Cookies are text files stored on your computer or mobile terminal device, independent of whether they concern personal data or not. They serve the purpose of recognising the website user and storing temporary information. Without your consent we will exclusively use cookies that are essential for displaying the website. We will use non-essential cookies for other purposes only upon your consent.

15.1. Use of essential cookies

To enable interaction with us via our website it is necessary to store the cookies listed in the table below on your terminal device (e.g. computer, mobile phone or tablet) for the duration and for the purposes stated in the table and to read out such data. Cookies will be stored on your terminal device on the legal basis of Section 165(3) TKG for the purpose of displaying the website as it is a service expressly requested by you as defined in Section 165(3) TKG.

The following essential cookies are used on our website:

Description	Recipient	Data categories	Purpose	Legal basis for transfers to third countries	Storage period
data_privacy_settings	Haus des Meeres Betriebs GmbH	IP address, dwell time	Storage of cookie and data privacy settings	Not necessary because the recipient is situated within the EEA.	One year

Description	data_privacy_settings
Recipient	Haus des Meeres Betriebs GmbH
Data categories	IP address, dwell time
Purpose	Storage of cookie and data privacy settings
Legal basis for transfers to third countries	Not necessary because the recipient is situated within the EEA.
Storage period	One year

Provision of the data listed in the table is neither prescribed by law or contract nor required for concluding a contract. You are under no obligation to provide this data. If you do not consent to these cookies being set or read out, we will not be able to display the website to you.

15.2. Use of non-essential cookies

Non-essential cookies will be stored based on your voluntary consent, which you may give via the cookie banner, and then used accordingly.

They allow us, for example, to merge your "browsing behaviour" beyond the limits of our website with data from other websites. Thus, we will be able to offer you products and services tailored to your needs. You may object to such data processing at any time with effect for the future.

We also use cookies which may be set or read out by recipients of data. In that case those recipients will receive your data. For the relevant details please see the table on non-essential cookies further below.

Storage and use of the non-essential cookies described in the table below will exclusively be effected on the basis of your consent pursuant to Section 165 TKG 2021 in conjunction with Article 6(1)(a) GDPR.

You may withdraw your consent at any time. You may do so by changing the cookie settings (by refusing all non-essential cookies) of the website www.haus-des-meeres.at by clicking on the "Cookie Settings" menu item in the footer.

You may also contact us by phone on +43 1 587 14 17, by email office@haus-des-meeres.at or by letter to Fritz-Grünbaum-Platz 1, 1060 Vienna. If you contact us by phone or letter, we will unfortunately not be able to fully comply with your withdrawal of consent remotely for technical reasons because removal of cookies that have been set before may, for example, concern a configuration which is only possible via access to your device. We are happy to provide you with detailed instructions on how to remove set cookies. However, due to withdrawal of your consent we will in any case erase all data in our sphere of control which we have processed on the basis of your consent and refrain from any future data processing for which your consent would be required.

Withdrawal of your consent shall not affect the lawfulness of processing based on consent before its withdrawal (Article 7(3) GDPR).

The following non-essential cookies will be used on our website only upon your consent:

Description	Recipient	Data categories	Purpose	Legal basis for transfers to third countries	Storage period
Google Tag Manager	Google Ireland Ltd. (Irland); Google LLC (USA)	IP address, dwell time, origin of visitors	Interactions on the website will be collected and forwarded to the linked tools. Tag Manager analysis is not possible.	Adequacy decision of the European Commission: The recipient is certified under the EU-U.S. Data Protection Framework.	One year
Google Maps	Google Ireland Ltd. (Ireland); Google LLC (USA)	IP address, dwell time, origin of visitors	Embedding of the map	Adequacy decision of the European Commission: The recipient is certified under the EU-U.S. Data Protection Framework.	One year
YouTube (Google)	Google Ireland Ltd. (Ireland); Google LLC (USA)	IP address, retrieved website, dwell time	Embedding of videos via YouTube	Adequacy decision of the European Commission: The recipient is certified under the EU-U.S. Data Protection Framework.
Clicky	Roxr Software, Ltd (USA)	IP address, date, time, retrieved site, browser information, data regarding website use and click logging	Analysis of user behaviour and optimisation of the website	Adequacy decision of the European Commission: The recipient is certified under the EU-U.S. Data Protection Framework.	One year

Description	Google Tag Manager
Recipient	Google Ireland Ltd. (Irland); Google LLC (USA)
Data categories	IP address, dwell time, origin of visitors
Purpose	Interactions on the website will be collected and forwarded to the linked tools. Tag Manager analysis is not possible.
Legal basis for transfers to third countries	Adequacy decision of the European Commission: The recipient is certified under the EU-U.S. Data Protection Framework.
Storage period	One year
Description	Google Maps
Recipient	Google Ireland Ltd. (Ireland); Google LLC (USA)
Data categories	IP address, dwell time, origin of visitors
Purpose	Embedding of the map
Legal basis for transfers to third countries	Adequacy decision of the European Commission: The recipient is certified under the EU-U.S. Data Protection Framework.
Storage period	One year
Description	YouTube (Google)
Recipient	Google Ireland Ltd. (Ireland); Google LLC (USA)
Data categories	IP address, retrieved website, dwell time
Purpose	Embedding of videos via YouTube
Legal basis for transfers to third countries	Adequacy decision of the European Commission: The recipient is certified under the EU-U.S. Data Protection Framework.
Storage period
Description	Clicky
Recipient	Roxr Software, Ltd (USA)
Data categories	IP address, date, time, retrieved site, browser information, data regarding website use and click logging
Purpose	Analysis of user behaviour and optimisation of the website
Legal basis for transfers to third countries	Adequacy decision of the European Commission: The recipient is certified under the EU-U.S. Data Protection Framework.
Storage period	One year

Provision of the data listed above is neither prescribed by law or contract nor required for concluding a contract. You are under no obligation to provide this data.

16. Automated decision-making

We would like to inform you that no data processing as defined in Article 22 GDPR will take place. This means: we will make no decisions based on exclusively automated processing (including profiling) that would become legally effective vis-à-vis you or would significantly affect you detrimentally in a similar way; any decision having such an effect will be made by a natural person.

17. What rights do you have with respect to data processing?

We would like to inform you that you have the right

to request a confirmation as to whether we process your personal data or not and, where that is the case, you have access to information about such personal data and the information stated in Article 15(1) and (2) GDPR; as to the right to obtain a copy of your personal data which is the subject matter of processing see Article 15(3) and (4) GDPR;
to request rectification or completion of inaccurate or incomplete data (for more details see Article 16 GDPR);
to request erasure of your data, provided that there is no legal basis for future processing of your data (for more details see Article 17 GDPR); in this context we will not be able to comply with an erasure request if processing (retention) is required to fulfil a legal obligation (statutory retention duties) or if we are entitled to do so on the basis of overriding interests (e.g. establishment, exercise or defence of specific legal claims);
to request restriction of processing of your data if certain prerequisites are fulfilled (for more details see Article 18 GDPR);
to object to processing of your data where processing is necessary for safeguarding our legitimate interests or those of a third party (Article 6(1)(f) GDPR). In the case of an objection we will no longer process your data unless processing serves the purpose of establishing, exercising or defending legal claims or we demonstrate compelling legitimate grounds for the processing which override your interests (taking your special situation into account, where applicable). If you object to processing for the purpose of direct marketing (including profiling if linked to such direct marketing), we will no longer process your personal data for these purposes (for details see Article 21 GDPR);
to receive the personal data provided by you in a structured, commonly used and machine-readable format. However, the right to data portability exists only if processing is based on your consent or a contract (for more details see Article 20 GDPR).

You may claim any of the above rights either by sending an email to office@haus-des-meeres.at or a letter to Fritz-Grünbaum-Platz 1, 1060 Vienna.

Where we process your data based on your consent, you have the right to withdraw your consent at any time by sending an email to office@haus-des-meeres.at or a letter to Fritz-Grünbaum-Platz 1, 1060 Vienna. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal (Article 7(3) GDPR).

If despite our obligation to lawfully process your data you should unexpectedly be of the opinion that your personal data is not being lawfully processed, please contact us by letter or email (see the contact details below) to let us know your concerns for us to address the same. You may also lodge a complaint with the Austrian Data Protection Authority or another data protection regulator within the EU, in particular at your place of residence or work.

We hope that this information provides clarity as to the way in which and the purposes for which we will process your personal data. If you have any questions on the processing of your personal data, please contact us by sending an email to office@haus-des-meeres.at or a letter to Fritz-Grünbaum-Platz 1, 1060 Vienna.

Haus des Meeres Betriebs GmbH
Fritz-Grünbaum-Platz 1
1060 Vienna

Phone: +43 1 587 14 17 (you can reach us Monday to Friday from 9 a.m. to 4 p.m.)
office@haus-des-meeres.at
www.haus-des-meeres.at
VAT number: ATU 63511603