DEOnline booking

Data protection

Thank you for your interest in the information on our website!

With the help of this data protection declaration, we would like to inform all persons who use this website about the type, scope and purposes of the processing of personal data. Personal data in this context is all information with which you as a user:can be personally identified on our website (theoretically, possibly via detours or by linking various data), including your IP address. Information that is stored in cookies is generally not personal or is only personal in exceptional cases; however, this is covered by a special regulation that makes the permissibility of the use of cookies - depending on their purpose - largely dependent on the active consent of the user.

In a general section of this privacy policy, we provide you with information on data protection that generally applies to our processing of data, including the collection of data on our website. In particular, you as the data subject will be informed about the rights to which you are entitled.
We endeavour to provide this information in gender-neutral language. If individual formulations do not yet take this into account, we would like to point out that this information applies to all people of all genders.

The terms used in our privacy policy and our data protection practices are based on the provisions of the EU General Data Protection Regulation (‘GDPR’) and other relevant national legislation.

Responsible in the sense of the GDPR
Damüls Ski School OG
FN 269910 b
Uga 60
6884 Damüls
Austria

E: info@skischule-damuels.at
T: +43 5510 295

Data collection on our website
On the one hand, personal data is collected from you if you expressly provide it to us; on the other hand, data, in particular technical data, is collected automatically when you visit our website. Some of this data is collected to ensure the error-free functioning of our website. Other data may be used for analysis purposes. However, you can generally use our website without having to provide any personal data.

Technologies on our website - General information on data protection
The following provisions apply not only to the collection of data on our website, but also to the processing of personal data in general.

Personal data
Personal data is information that can be assigned to you individually. Examples of this include your address, name, postal address, e-mail address or telephone number. Information such as the number of users who visit a website is not personal data because it cannot be assigned to an individual person.

Legal bases for the processing of personal data
Unless more specific information is provided in this privacy policy (e.g. for the technologies used), we may process your personal data on the basis of the following legal bases:
- Consent pursuant to Art. 6 para. 1 lit. a GDPR - the data subject has given their consent to the processing of their personal data for one or more specific purposes.
- Contract fulfilment and pre-contractual measures pursuant to Art. 6 para. 1 lit. b GDPR - processing is necessary for the performance of a contract to which the data subject is party or in order to take steps prior to entering into a contract.
- Legal obligation pursuant to Art. 6 para. 1 lit. c GDPR - Processing is necessary for compliance with a legal obligation.
- Protection of vital interests pursuant to Art. 6 para. 1 lit. d GDPR - Processing is necessary in order to protect the vital interests of the data subject or of another natural person.
- Legitimate interests pursuant to Art. 6 para. 1 lit. f GDPR - Processing is necessary for the purposes of the legitimate interests pursued by the controller(s) or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.

Please note that in addition to the provisions of the GDPR, the national data protection regulations in your or our home country may apply.

Transfer of personal data
Your personal data will not be transferred to third parties for purposes other than those listed in this privacy policy.

We only pass on your personal data to third parties if:

- you have given your express consent in accordance with Art. 6 para. 1 lit. a GDPR,
- the disclosure pursuant to Art. 6 para. 1 lit. f GDPR is necessary to safeguard legitimate interests and for the establishment, exercise or defence of legal claims and there is no reason to assume that you have an overriding interest worthy of protection in not disclosing your data,
- there is a legal obligation for the disclosure pursuant to Art. 6 para. 1 lit. c GDPR and this is permitted by law and / or
- it is necessary for the processing of contractual relationships with you in accordance with Art. 6 para. 1 lit. b GDPR.

Cooperation with processors
We carefully select our service providers who process personal data on our behalf. If we commission third parties to process personal data on the basis of an order processing contract, this is done in accordance with Art. 28 GDPR.

Transfer to third countries
If we process data in a third country or if this occurs in the context of the use of third-party services or disclosure or transfer of data to other persons or companies, this will only take place on the basis of the legal bases described above for the transfer of data.

Subject to express consent or contractual necessity, we process or have the data processed in accordance with Art. 44-49 GDPR only in third countries with a level of data protection recognised as adequate or on the basis of special guarantees, such as a contractual obligation through so-called standard contractual clauses of the EU Commission, the existence of certifications or binding internal data protection regulations.

Data transfer to the USA
We would like to expressly point out that on 10 July 2023, the EU Commission issued an adequacy decision on the EU-US data protection framework (Data Privacy Framework) in accordance with Art. 45 para. 1 GDPR. Accordingly, organisations or companies (as data importers) in the USA that are registered in a public list as part of the self-certification of the Data Privacy Framework offer an adequate level of protection for data transfers. You can find out whether the specific provider of a service is already certified here: https://www.dataprivacyframework.gov/s/participant-search

The Data Privacy Framework provides a valid legal basis for the transfer of personal data to the USA. This creates binding safeguards to fulfil all the requirements of the ECJ; for example, it provides that the access of US intelligence services to EU data is limited to a necessary and proportionate level and that a data protection review court is created to which individuals in the EU also have access.

If we transfer data to the USA at all or if we use a service provider based in the USA, we explicitly refer to this in this privacy policy (see in particular the description of the technologies on our website).

It should be noted that, apart from significant improvements, the Data Privacy Framework only applies in part and only applies to data transfers to those data importers in the USA that appear in the public list of certified organisations / companies.

What can the transfer of personal data to the USA mean for you as a user and what risks exist in this context?

Risks for you as a user, as far as data importers in the USA are concerned, which are not covered by the Data Privacy Framework, are in any case the powers of the US intelligence services and the legal situation in the USA, which, according to the ECJ, currently no longer ensure an adequate level of data protection. These include the following points:
- Section 702 of the Foreign Intelligence Surveillance Act (FISA) does not provide for any restrictions on the surveillance measures of the intelligence services and no guarantees for non-US citizens.
- Presidential Policy Directive 28 (PPD-28) does not provide data subjects with effective legal remedies against measures taken by the US authorities and does not provide for any limits to ensure proportionate measures.
- The ombudsman's office provided for in the Privacy Shield does not have sufficient independence from the executive branch; it cannot issue binding orders to the intelligence services.

Legally compliant transfer of data to the USA based on the Standard Contractual Clauses for data importers not covered by the Data Privacy Framework?

In June 2021, the European Commission adopted new Standard Contractual Clauses (SCCs) in Decision 2021/914/EU. These create a new legal basis for data transfers where the level of data protection is not the same as in the EU.

Legally compliant transfer of data to the USA on the basis of consent?

If data is transferred to a service provider based in the USA that is not covered by the Data Privacy Framework and this data transfer is based on explicit consent, we provide explicit information about this in this privacy policy, in particular in the description of the technologies used on our website.

What measures do we take to ensure that data transfer to the USA is legally compliant?

Where US providers offer the option, we choose to process data on EU servers. This should technically ensure that the data is located within the European Union and cannot be accessed by US authorities.

Storage period in general
If no explicit storage period is specified when data is collected (e.g. as part of a declaration of consent), we are obliged to delete personal data as soon as the purpose of its processing no longer exists in accordance with Art. 5 para. 1 lit. e GDPR. In this context, we would like to point out that statutory retention obligations to which we are subject constitute a legitimate purpose for the further processing of the personal data collected.

In principle, we store and retain personal data until the end of a business relationship or until the expiry of applicable guarantee, warranty or limitation periods, and beyond that until the end of any legal disputes in which the data is required as evidence, or in any case until the end of the third year after the last contact with a business partner.

Storage period in particular
The description of individual technologies on our website contains specific information on the storage period of data. In our cookie table, you will be informed about the storage duration of individual cookies. In addition, you always have the option of asking us directly about the specific storage duration of data. To do so, please use the contact details provided in this privacy policy.

Rights of data subjects
Data subjects have the right to:

- (i) in accordance with Art. 15 GDPR, to request information about your personal data processed by us. In particular, you can request information about the purposes of processing, the category of personal data, the categories of recipients to whom your data has been or will be disclosed, the planned storage period, the existence of a right to rectification, erasure, restriction of processing or objection, the existence of a right to lodge a complaint, the origin of your data if it was not collected by us, as well as the existence of automated decision-making including profiling and, if applicable, meaningful information on its details;
- (ii) in accordance with Art. 16 GDPR, to immediately request the correction of incorrect or incomplete personal data stored by us;
- (iii) in accordance with Art. 17 GDPR, under certain circumstances, to request the erasure of your personal data stored by us, unless the processing is necessary for the exercise of the right to freedom of expression and information, for compliance with a legal obligation, for reasons of public interest or for the establishment, exercise or defence of legal claims;
- (iv) in accordance with Art. 18 GDPR, to request the (temporary) restriction of the processing of your personal data if the accuracy of the data is disputed by you, the processing is unlawful but you oppose its deletion, we no longer need the data, but you need it to assert, exercise or defend legal claims, or you have objected to the processing in accordance with Art. 21 GDPR;
- (v) in accordance with Art. 20 GDPR, to receive your personal data that you have provided to us from us in a structured, commonly used and machine-readable format or to request that it be transmitted directly to another responsible person; However, this only covers those of your personal data that we process with the help of automated processes after your consent or on the basis of a contract;
- (vi) in accordance with Art. 21 GDPR, if your personal data is processed on the basis of our legitimate interest, to object to the processing of your personal data, insofar as there are reasons for this arising from your particular situation or the objection is directed against direct marketing. In the latter case, you have a general right to object, which will be implemented by us without specifying a special situation;
- (vii) in accordance with Art. 7 para. 3 GDPR to revoke your consent at any time vis-à-vis us. As a result, we may no longer continue the data processing that was based on this consent in the future. Among other things, you have the option of revoking your consent to the use of cookies on our website with effect for the future by visiting our cookie settings;
- (viii) to complain to a supervisory authority in accordance with Art. 77 GDPR regarding the unlawful processing of your data by us. As a rule, you can contact the supervisory authority of your habitual place of residence or place of work or our company headquarters.

The competent supervisory authority for Skischule Damüls OG is:

Austrian Data Protection Authority
Barichgasse 40-42, 1030 Vienna, Austria
Phone: +43 1 52 152-0, dsb@dsb.gv.at

Assertion of rights of data subjects
You decide on the use of your personal data. Therefore, if you wish to exercise any of your above-mentioned rights against us, you are welcome to contact us by e-mail to info@skischule-damuels.at or by post, as well as by telephone.

Please support us in concretizing your request by answering questions from our responsible employee regarding the specific processing of your personal data. If there are justified doubts about your identity, we may request a copy of your ID.

If you have any questions about data protection, you can reach us at info@skischule-damuels.at or at the other contact details listed in this privacy policy.

Last Updated: August 22, 2024