Data Protection Policy

We are pleased that you are visiting our website, viennaairport.com. Flughafen Wien Aktiengesellschaft (hereinafter: "we" or "Vienna Airport") takes data protection very seriously. Data is being processed and used in compliance with the General Data Protection Regulation of the European Union (Regulation (EU) 2016/679; GDPR) and the Austrian Data Protection Act [Datenschutzgesetz/DSG].

Please find below more detailed information on how your data will be used:

I. NAME AND ADDRESS OF THE CONTROLLER

The Controller as defined in the General Data Protection Regulation and other national data protection laws of the Member States and other data protection provisions is:

Flughafen Wien Aktiengesellschaft
Flughafen 1300 Vienna Airport, Austria
Phone: +43 1 7007-0
Website: www.viennaairport.com

II. NAME AND ADDRESS OF THE DATA PROTECTION OFFICER

The Controller's Data Protection Officer is:
Mr. Dominik Prieler
datenschutz@viennaairport.com

Letters to:​ Flughafen Wien AG,
to the attention of "Generalsekretariat / Datenschutzbeauftragter" 
P.O. Box 1,
1300 Vienna Airport

You may also reach the Data Protection Officer at the Controller's postal address by adding "the Data Protection Officer".

III. PROCESSOR

In some cases we use external service providers (so-called processors) to process personal data. They have been carefully selected and instructed by us, are bound by our instructions and checked regularly.

IV. TRANSFER OF DATA TO COUNTRIES OUTSIDE THE EEA

In the following cases we will transfer data to recipients whose registered office is not in the European Economic Area:

  • Your data will also be transmitted to Facebook Inc. ("Facebook"), whose registered office is at 1601 S. California Ave, Palo Alto, CA 94304, USA, such as your IP address (where applicable in an anonymised form), information on access to websites (URL) and estimates regarding demography and age. The legal basis for such transfer is our legitimate interest in a statistical analysis of user behaviour for optimisation and marketing purposes (Art 6(1)(f) GDPR).

V. GENERAL INFORMATION ON DATA PROCESSING

1. Extent of the processing of personal data

As a matter of principle we collect and use our users' personal data only to the extent this is necessary to provide an operable website, our contents and services. Our users' personal data is collected and used regularly only upon the consent of the user. A derogation applies to cases where prior obtaining of consent is not possible for factual reasons and the processing of the data is permitted by statutory provisions.

2. Legal basis for the processing of personal data

To the extent that we obtain the consent of the data subject to processing activities Art. 6(1)(a) of the General Data Protection Regulation (GDPR) is the legal basis for the processing of personal data.

For the processing of personal data which is necessary to perform a contract to which the data subject is a party Art. 6(1)(b) GDPR is the legal basis. This also applies to processing activities which are necessary to implement pre-contractual measures.

To the extent that processing of personal data is necessary to fulfil a legal obligation of our company Art. 6(1)(c) GDPR is the legal basis.

In the case that processing of personal data is necessary in order to protect the vital interests of the data subject or of another natural person Art. 6(1)(d) GDPR is the legal basis.

Art. 6(1)(f) GDPR is the legal basis for data processing where processing is necessary for safeguarding our legitimate interests or those of a third party and where the interests, fundamental rights or fundamental freedoms of the data subject do not prevail over such interests.

3. Erasure of data; Storage period

The data subject's personal data will be erased or access to such data will be blocked if and when it is no longer needed in relation to the storage purpose. Storage beyond that period may occur if provided for by the European or national legislator in EU Regulations, statutes or other provisions that must be observed by the Controller. The data will also be blocked or erased if and when a storage period prescribed by the said legislation expires, unless continued storage of the data is required for conclusion or performance of a contract.

VI. PROVISION OF THE WEBSITE AND CREATION OF LOGFILES

1. Nature and scope of data processing

Every time our website is retrieved our system will automatically collect data and information from the computer system of the retrieving computer.

In this connection the following data will be collected:

  • information on the browser type and the version used
  • language and version of the browser software
  • the user's operating system and its user interface
  • the user's IP address
  • date and time of access and time zone difference to Greenwich Mean Time (GMT)
  • transmitted data volume
  • websites from which the user's system is redirected to our website
  • websites retrieved by the user's system via our website
  • access status/HTTP status code

Such data will also be stored in the logfiles of our system. Such data will not be stored together with other personal data of the user.

2. Legal basis for data processing

The legal basis for temporary storage of data and logfiles is Art. 6(1)(f) GDPR.

3. Purpose of data processing

Temporary storage of the IP address by the system is necessary for delivery of the website to the user's computer. For that purpose the user’s IP address must be stored for the duration of the session.

Storing log files is done to ensure the website’s functionality. In addition, such data helps us to optimise the website and ensure security of the IT systems. In this connection the data will not be analysed for marketing purposes.

The said purposes also constitute our legitimate interest in data processing as defined in Art. 6(1)(f) GDPR.

4. Storage period

The data will be erased as soon as it is no longer required for achieving the purpose of its collection. If data is collected for provision of the website this will be the case as soon as the relevant session is terminated.

In the case of storage of data in logfiles this will be the case after a maximum of seven days. Storage beyond that period is possible. In that case the IP address of the users will be erased or alienated so that it can no longer be attributed to the retrieving client.

5. Possibility of objection and removal

Collection of data for provision of the website and storage of data in logfiles is mandatory for operation of the website. Accordingly, the user has no possibility to object.

VII. USE OF COOKIES

1. Nature and scope of data processing

Our website uses cookies. Cookies are text files which are stored in the user's computer system in or by the internet browser. When a user retrieves a website, a cookie may be stored on the user's operating system. That cookie contains a characteristic string of characters which allows unambiguous identification of the browser when the website is retrieved again.

We use cookies to make the website more user-friendly. Some elements of our website require the possibility to identify the retrieving browser even after moving to another website ("First Party Cookies"). We process such cookies on the basis of a legitimate interest (Art. 6(1)(f) GDPR) because it would not be possible to display the website without such cookies.

In addition, our website uses cookies which allow an analysis of the users' browsing behaviour. Sometimes such cookies are placed and used by third parties ("Third-Party Cookies"). Data processing of such cookies is done on the basis of your consent (Art. 6(1)(a) GDPR), which you may withdraw at any time.

The user data which is collected in this way is pseudonymised by technical measures. Consequently, the data can no longer be attributed to the retrieving user. The data will not be stored together with other personal data of the users.

When retrieving our website the user is informed about the use of cookies for analysing purposes and the user's consent to the processing of personal data used in this connection will be obtained. In that connection reference is also made to this Data Protection Policy.

In detail we use the following cookies:


2. Legal basis

The legal basis for processing personal data by using technically necessary cookies is Art. 6(1)(f) GDPR.

The legal basis for processing personal data by using cookies for analytical purposes is Art. 6(1)(a) GDPR, provided that the user has given his/her consent.

3. Purpose

The purpose of using technically necessary cookies is to make use of websites easier for users. Some features of our website cannot be offered without the use of cookies. For those it is necessary for the browser to be recognised even after a move to another website.

The user data collected by technically necessary cookies will not be used to create user profiles.

The analytical cookies are used for the purpose of enhancing the quality and contents of our website. By means of analytical cookies we learn how the website is used and are thus able to constantly optimise our offer.

4. Storage; Erasure; Possibility of objection and removal

Cookies are stored on the user's computer and transmitted from there to our website. Thus, you as the user have full control over the use of cookies. By changing the settings in your internet browser you can deactivate or restrict transmission of cookies. Cookies which have been stored already can be deleted at any time. This may also be done automatically. If cookies are deactivated for our website, not all of the website's features may be fully used anymore.

Each browser manages the cookie settings differently. This is described in the help menu of every browser, which will explain to you how you may change your cookie settings. They can be found for the relevant browsers via the following links:

VIII. CONTACT FORM AND EMAIL CONTACT

PLEASE NOTE: To the extent that they are business enterprises we kindly ask contracting and business partners to make data subjects (in particular employees) aware of this Data Protection Statement.

1. Nature and scope of data processing

Our website provides a contact form which may be used for contacting us electronically. If a user chooses this option, the data entered in the entry mask will be transmitted to us and stored. The relevant data includes:

  • Salutation
  • Title
  • Name
  • Email
  • Address
  • Comment
When the message is sent, the following data will be stored in addition:
  • Date and time of registration

In connection with the sending process your consent to data processing will be obtained with reference to this Data Protection Policy.

Alternatively, you may contact us via the email address provided in this document. In that case the personal data of the user transmitted with the email message will be stored.

In this connection no data will be forwarded to third parties. Data will exclusively be used to process the conversation.

2. Legal basis for data processing

The legal basis for data processing is Art. 6(1)(a) GDPR, provided that the user has given his/her consent thereto.

The legal basis for processing data that is transmitted in the course of transmission of an email is Art. 6(1)(f) GDPR. If the purpose of the email contact is conclusion of a contract, Art. 6(1)(b) GDPR is an additional legal basis for processing.

3. Purpose of data processing

Personal data from the entry mask is processed by us only to reply to your enquiry. If you contact us via email, this constitutes the required legitimate interest in data processing.

Other personal data processed during the sending process is used to prevent misuse of the contact form and to ensure the security of our IT systems.

4. Storage period

The data will be erased as soon as it is no longer required for achieving the purpose of its collection. For personal data from the entry mask of the contact form and for data transmitted by email this is the case once the relevant conversation with the user is terminated. The conversation is deemed terminated if the circumstances suggest that the relevant matter has been clarified exhaustively and for traceability of up to 26 months.

5. Possibility of objection and removal

The user may withdraw his/her consent to the processing of personal data at any time. If the user contacts us via email, he/she may object to storage of his/her personal data at any time. In such a case the conversation may not be continued.

In order to exercise your right to object, please send a message to datenschutz@viennaairport.com. Upon receipt of your objection by us all personal data stored during our contact will be erased in that case.

X. Vehicle Registration (Frachtsicherheit)

PLEASE NOTE: To the extent that they are business enterprises we kindly ask contracting and business partners to make data subjects (in particular employees) aware of this Data Protection Statement.

1. Purpose and scope of data processing

In order to access the cargo area you must enter the registration number of your vehicles at https://vie.nallian.io/vehicledb. When entering the cargo area the registration number of the relevant vehicle will be automatically recorded and compared with the registration numbers you have advised. If the numbers match, the barrier will open. 

2. Legal basis of data processing

The legal basis for recording registration numbers is Art. 6 (1) (f) GDPR. Our legitimate interest is to ensure that only authorised vehicles enter the cargo area. 

3. Forwarding of data

The access data will not be forwarded to third parties; Messrs. Nallian NV (Kraaiven 7, 3140 Keerbergen, Belgium, VAT: BE 0845.779.622) act as processor and provide the system in which the registration numbers may be registered.

4. Storage period

The registration numbers will be stored in the system for as long as you require access to the cargo area. You can remove registration numbers from the database yourself at any time. Registration numbers which have not been used for two (2) years will be automatically erased.

IX. RIGHTS OF THE DATA SUBJECT

According to the data protection legislation in force you have comprehensive rights as a data subject (right to information and intervention) vis-à-vis the Controller about which we will inform you below:

  • Right of access to information pursuant to Art. 15 GDPR: In particular, you have the right to information on your personal data processed by us, the purposes of the processing, the categories of personal data processed, the recipients or categories of recipients to whom your personal data has been or will be disclosed, the envisaged period for which the personal data will be stored and/or the criteria used to determine that period, the existence of the right to rectification, erasure or restriction of processing, the right to object to processing, the right to lodge a complaint with a supervisory authority, the source of your data where it is not collected from you by us, the existence of automated decision-making, including profiling, and, where applicable, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for you, and your right to be informed about what safeguards pursuant to Art. 46 GDPR exist in the case of transfer of your data to third countries.
  • Right to rectification pursuant to Art. 16 GDPR: You have the right to immediate rectification of inaccurate data concerning you and/or to have completed your incomplete data stored by us.
  • Right to erasure pursuant to Art. 17 GDPR: You have the right to request erasure of your personal data if the prerequisites of Art. 17(1) GDPR are fulfilled. However, this right does not apply in particular if processing is necessary for exercising the right of freedom of expression and information, for compliance with a legal obligation, for reasons of public interest or for the establishment, exercise or defence of legal claims.
  • Right to restriction of processing pursuant to Art. 18 GDPR: You have the right to request restriction of processing for as long as the contested accuracy of your data is being verified if you oppose the erasure of your data and request the restriction of their processing instead, if you need the data for the establishment, exercise or defence of legal claims, if we no longer need such data after the purposes has been achieved or if you have objected to processing due to your particular situation pending the verification whether our legitimate grounds override your grounds.
  • Right to be notified pursuant to Art. 19 GDPR: If you have exercised your right to rectification, erasure or restriction of processing vis-à-vis the Controller, the Controller must notify all recipients to which personal data concerning you has been disclosed of such rectification or erasure of data or restriction of processing, unless this proves impossible or or involves disproportionate effort. You have the right to be informed about those recipients.
  • Right to data portability pursuant to Art. 20 GDPR: You have the right to receive your personal data which you provided to us in a structured, commonly used and machine-readable format and may request that the data be transmitted to another controller, where technically feasible.
  • Right to withdraw consents given pursuant to Art. 7(3) GDPR: You have the right to withdraw your previously given consent to processing of data at any time with effect for the future. In the case of withdrawal we will erase the data concerned without immediately, unless further processing may be based on a legal basis for processing for which no consent is required. The lawfulness of processing done up to the time of withdrawal shall not be affected by withdrawing consent.
  • Right to lodge a complaint pursuant to Art. 77 GDPR: Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data relating to you infringes the GDPR. In Austria the competent supervisory authority is the Data Protection Authority [Datenschutzbehörde].
  • Right to object: If, considering the relevant interests, we process your personal data on the basis of our overriding legitimate interest, you have the right to object to such processing on grounds relating to your particular situation at any time with effect for the future.

If you exercise your right to object, we will stop processing the data concerned. Further processing shall, however, be reserved if we are able to prove compelling legitimate grounds for the processing which override your interests, fundamental rights and fundamental freedoms or if processing is necessary for the establishment, exercise or defence of legal claims.

If your personal data is processed by us for direct marketing purposes, you have the right to object to processing of the personal data relating to you for the purpose of such advertising at any time. You may raise your objection as described above.

If you exercise your right to object, we will stop processing the relevant data for direct marketing purposes.

Please address your enquiries in this connection to  datenschutz@viennaairport.com.