as of 22 April 2021
Data privacy statement
The Serfaus-Fiss-Ladis Tourist Board (hereinafter: SFL TB) maintains this website for the purpose of comprehensive information about the tourist region of Serfaus-Fiss-Ladis and as a tool for booking accommodation, sports equipment, transport, catering, events etc. The providers that can be contacted via this website are partners of the SFL TB and jointly responsible for the scope of their offers with the SFL TB in terms of data protection law. Only providers based in the Serfaus-Fiss-Ladis region are admitted as partners.
The SFL TB takes the protection of personal data very seriously. Compliance with applicable laws on data protection, i.e. the EU Data Protection Regulation (EU) 2016/679 (GDPR) and the Austrian Data Protection Act, Federal Law Gazette I 165/1999 as amended, is a matter of course for us. Our Data Protection Officer is available for questions about data protection on our website at tel.: + 43 / 5476/ 6239 or via email: firstname.lastname@example.org.
This privacy statement informs users of the www.serfaus-fiss-ladis.at about the purpose, type, scope and legal basis for the collection and use of data by the Serfaus-Fiss-Ladis Tourist Board (hereinafter also: operator) and its jointly responsible partners.
In the course of processing your request, the operator can pass on data to the following third parties:
Elements.at New Media Solution GmbH (Gusswerk Halle 6 / Söllheimerstraße 16 / A-5020 Salzburg)
Feratel Media Technologies AG (Maria-Theresia-Straße 8 / A-6020 Innsbruck)
Dialogschmiede GmbH (Ungargasse 64-66/110, A-1030 Wien)
PEAKNET GmbH (Hanuschgasse 1/4/6, A-2540 Bad Vöslau)
General Solutions (Bruggfeldstraße 5/3, A-6500 Landeck)
PlusServer AG (Lautenschlagerstrasse 23a, D-70173 Stuttgart)
Datatrans AG (Kreuzbühlstrasse 26, CH-8008 Zürich) (credit card verification company)
Europäische Reiseversicherung AG (Kratochwjlestraße 4, A-1220 Wien)
Skischule Serfaus (Dorfbahnstrasse 79, A-6534 Serfaus)
Skischule Fiss-Ladis KG (Seilbahnstrasse 40, A-6533 Fiss)
Skidata AG (Soodstrasse 53, CH-8134 Adliswil/Zürich)
INCERT eTourismus GmbH & Co KG (Leonfeldnerstraße 328, A-4040 Linz)
Members / landlords of the Serfaus-Fiss-Ladis Tourist Board
Depending on the request or booking, your personal data will be passed on to the members or landlords of the Serfaus-Fiss-Ladis region. This is necessary to process your request.
The website is administrated by Serfaus-Fiss-Ladis Marketing GmbH using additional contract processors on behalf of SFL TB and its partners. We remain responsible for the protection of your data even if contract processors are involved. Contracts in accordance with Article 28 of the GDPR, to ensure compliance with data protection, were concluded with the contract processors. We only use contract processors from outside the European Union where there is a valid decision by the European Commission on the existence of adequate data protection in the respective third country (– this is especially the case with regard to Switzerland).
The security of your personal data
Personal data is information about a person that is associated with this person's identity data, e.g. a statement or information about a person that includes their name and/or e.g. their home address and/or a telephone number or an email address or other identifier. We protect your personal data from unauthorised access, use or disclosure. We ensure that the personal data we store is used in a controlled, secure environment that prevents unauthorised access or disclosure.
This website uses SSL or TLS encryption for security reasons and for the protection of the transmission of confidential content, such as orders or the enquiries you send to us as the website operator. You can recognise an encrypted connection by the fact that the address line of the browser changes from "http://" to "https://" and by the lock symbol in your browser line.
The purposes of data processing
1. The operator processes the data necessary for the establishment and maintenance of communication every time a user visits the website, in particular the following data: requested file, data/time, transferred data volume, report of successful retrieval, browser type/version, operating system and IP address. The legal basis of this data processing is section 96 para 3, sentence 3 TKG 2003, Federal Law Gazette I 70/2003 as amended: the processing is necessary in order to enable the communication with the website desired by the user, and is therefore admissible. The data processed for this purpose is stored for 7 days.
2. The data that users provide in order to conclude contracts with service providers via the website are processed by these providers for the purposes of contract fulfilment. The same applies to requests made of these providers. The legal basis for providers processing data is the contract conclusion and/or the pre-contract relationship within the meaning of article 6 (1) (b) GDPR. The function of the SFL TB website is, in this context, that of a tool by means of which the data is collected and the connection is made for providers’ data processing. The duration of provider data storage depends on the subject matter of the contractual or pre-contractual relationship. Data protection details are provided on the partners’ websites.
The data provided by the user in the present context will only be processed and used by the website operator to the extent that it is necessary for processing the request and/or for providing the requested service and its transparency. Under no circumstances will this data be sold or disclosed to anyone other than the partners. The legal basis of this data processing by the website operator is section 96 para 3, sentence 3 TKG 2003, Federal Law Gazette I 70/2003 as amended: the processing serves to enable a service explicitly requested by the user (enquiries or bookings via the website).
The duration of storage by the operator is 24 months after receipt of the site user’s request. Earlier deletion can be requested by the user at any time by sending a deletion request to email@example.com.
Encrypted payments on this website
If you enter into a contract which obliges you to send us your payment information (e.g. credit card number), this data will only be used for payment processing.
Payment transactions using common means of payment (Visa/Mastercard, direct debits) are only made via encrypted SSL or TLS connections so that the payment information you provide to us cannot be read by third parties. You can recognise an encrypted connection by the fact that the address line of the browser changes from "http://" to "https://" and by the lock symbol in your browser line.
3. If you contact us by e-mail, phone or fax, your enquiry including all ensuing personal data (name, contact information, enquiry content) will be processed by us for the purposes of processing your request. We will not share this data without your permission.
This data is processed on the basis of article 6 para 1 (b) GDPR, provided your request is related to the performance of a contract or necessary for the implementation of pre-contractual arrangements. In all other cases, the processing is based on either our legitimate interest in the effective processing of enquiries addressed to us (article 6 para 1 (f) GDPR).
We store data from enquiries as long as it is necessary to process your request but no longer than six months, unless mandatory statutory provisions – in particular statutory retention periods – require longer storage.
4. A website operator has the technological option of observing and analysing (“tracking”) the behaviour of website visitors by placing “cookies” (or similar technology) on the terminals of website users. This allows information to be obtained about the general usability and acceptance of the website (“range analysis”), but also about the website visitors themselves, such as their interests or regional distribution etc. These findings can be used to improve the website, but also to provide targeted, personalised information to the website users, which significantly increases the relevance of the information found by the website users (“individualisation” of communication). Information individualised to website users like this can also be repeated (“re-marketed”) on certain other websites (“partner websites”).
Information on cookie setting and disabling options
Users can disable the storage of cookies in general in their browser, limit storage to specific websites or adjust their browser so that it notifies them before a cookie is saved. Users can also delete cookies from their terminal’s hard disk using their browser’s data protection function.
Cookies are only used on the SFL TB website if the website user consented to it upon or during registering for the digital service concept of the website, mySFL (see section 5). Consent for all or selected cookies can be granted in the cookie banner.
The purposes of tracking via cookies on this website are as follows:
a) Improving user experience is achieved on our websites (e.g. noting log-in data or language settings) using HOTJAR software.
b) SFL TB also processes data obtained via cookies for website statistics purposes in connection with monitoring website functionality and range. In this case, only pseudonymous data is acquired and only aggregated data is produced (i.e. information about a larger number of people, e.g. “23% of website users come from the region of Bavaria”). Our website uses GOOGLE ANALYTICS, MATOMO and CAPTURE MEDIA as software for this purpose.
c) Individualised user information via interest detection when using the website: SFL TB offers and information can be tailored to the user by observing their surfing and click behaviour, which significantly increases the informational value of the website for individual users. The software products we use are: MATOMO, GOOGLE ANALYTICS, CAPTURE MEDIA
d) Individualised user information on this website is also used for the functions of GOOGLE AD REMARKETING and OUTBRAIN: if users who have visited our website have shown interest in winter sports, for example, they can be shown ads containing related information and offers for winter sports in the SFL region on our partner websites using remarketing tools regardless of terminal. The SFL TB only uses your data for advertisements related to the Serfaus-Fiss-Ladis region.
5. No registration is required for using our website, however registering on mySFL, the digital service concept of the Serfaus-Fiss-Ladis region, offers some great benefits. After registering on this website, users receive individualised information and assistance for their planned stay in the Serfaus-Fiss-Ladis region:
The digital service concept for the Serfaus-Fiss-Ladis tourist region (mySFL) wants to offer optimum support to interested parties and visitors so that
- offers of interest to the user can be found as simply and quickly as possible, i.e. through pre-selection using their interests
- selected offers can be booked quickly due to the fact that registered data is automatically made available
- users themselves can keep track of their bookings and interesting offers at all times
- the user can participate in the loyalty program of the region Serfaus-Fiss-Ladis
The data provided in connection with registering on mySFL (full name, address, telephone number, email address and optional credit card information) are stored by the operator and used for the following purposes:
- if a user has registered on mySFL, which initially only requires the provision of an email address, mySFL stores the data the user subsequently provides in order to be able to automatically make it available to providers appearing on the website if the respective user enables the use of the data via their password in each case of a booking.
- An overview of their current bookings or reservations is then presented to the users in the “Order History” and “Bookmarks” sections.
The legal basis for data processing in mySFL is the consent of the registered user, who has conclusively provided this by registering after having been provided with information on the website. This consent can be withdrawn at any time by sending a deletion request to firstname.lastname@example.org.
The data collected in connection with mySFL remain stored as long as the user does not request deletion via the email@example.com address, or until 2 years after the last use of mySFL by the person concerned.
6. Any customer registered on mySFL can use the entirety of the mySFL app by entering their login details. The mySFL app provides users with individual information on holidays in the Serfaus-Fiss-Ladis tourist region: the app acts as a digital holiday companion.
Using the mySFL app is also possible without registration or login. In this case, the offer of information and services is limited to generally available content. Individualised information is not made available in this case. Users who have not registered or logged in can manage their consent to the collection and processing of their personal data via the cookie banner provided in the mySFL app (see point B4). If a user who does not yet have a mySFL account registers in the mySFL app, a mySFL customer account as described in point B5 is automatically created.The legal basis for data processing in the mySFL app is the consent of the registered user, who has conclusively provided this by registering after having been provided with information in the app. This consent may be withdrawn by deletion request at any time.
The data collected in connection with mySFL remain stored as long as the user does not request deletion via the firstname.lastname@example.org address, or until 2 years after the last use of mySFL by the person concerned.
7. When a user subscribes to the operator’s newsletter, the user’s personal data, namely full name and email address the newsletter is to be sent to, are processed. By subscribing to the newsletter, the user grants conclusive consent in accordance with article 6 para 1 (a) GDPR that their data may be used for the regular sending of the newsletter. We use a what is called the double opt-in method for newsletter registrations. After registration, the user will receive a confirmation and authorisation email to the email address they provided, requesting that they click on the link contained therein. This ensures that only the authorised user of the specified email address is using it for the newsletter. MySFL users receive an individualised form of the newsletter, i.e. with information and offers from the operator that are tailored to the user.
The user can unsubscribe from the newsletter by sending an email to email@example.com at any time. There is also a link at the end of every newsletter that users can use to unsubscribe. After unsubscribing from the newsletter, the user’s personal data is immediately deleted from the newsletter distribution list.
8. Personal data (full name, address, email address) is collected when participating in a competition offered on this website. By participating in the competition, the user grants their conclusive consent in accordance with article 6 para 1 (a) GDPR for the operator to store the personal data the user has provided and that it may be used for the implementation of the competition and for the determination and notification of the winners. If you consented to it when registering for participation in the competition, your first name and country of origin will be published in connection with your prize on the Serfaus-Fiss-Ladis region’s public social media channels (Facebook, Instagram).
Additional conditions and data processing terms will be displayed separately where necessary and can supplement this point.
The data of the competition participants will be stored for the duration of the competition and then deleted.
Additional information on the types of processing and individual programs used
Cookies and similar technologies
Cookies are small pieces of text information that are stored on the user’s terminal in order to be able to access it again at a later time. The purpose of cookies can vary, some of them are necessary to maintain an electronic communication (called “session cookies”), some of them are for monitoring website functionality and range (“analysis cookies”), some of them simplify website usage for users by observing user behaviour (e.g. by restoring earlier user settings) and also make it more targeted (e.g. through individualisation). Just as the purpose of cookies can vary, so can the necessary legal basis.
In this context, we point out that only people who have completed their fourteenth year can give legally valid data protection consent to cookie use and the subsequent processing of personal data. Only parents or guardians can give consent for people younger than fourteen.
Information about the option of rejecting cookies
Users can disable the storage of cookies in general in their browser, limit storage to specific websites or adjust their browser so that it notifies them before a cookie is saved. Users can also delete cookies from their terminal’s hard disk using their browser’s data protection function. If you turn off cookies, however, the features and usability of a website may be limited.
Certain services offer the prevention of data storage and usage with what is known as an opt-out cookie (e.g. GOOGLE ANALYTICS). In this case, an opt-out cookie will be stored in your browser, which prevents this specific service from storing usage data. If you delete your cookies, this will mean that the opt-out cookie from the specific service will also be deleted. The opt-out cookie must therefore be reactivated when you re-visit this website if you wish to prevent the collection of user data.
You can prevent HOTJAR from processing data by withdrawing your consent in the cookie banner or by clicking on the following link: https://www.hotjar.com/opt-out. Please note that you must disable Hotjar for every browser and/or terminal separately. More information about data protection during data processing by Hotjar is available here: https://www.hotjar.com/legal/policies/privacy/
We use Acoustic Campaign from Acoustic to calculate personal interests. We also use commercially available technologies with which the interactions can be measured (e.g. clicked links and information on which type of message was responded to) in order to continuously improve our services. The legal basis for this processing of your data is our legitimate interest in optimizing our services and thus Art. 6 paragraph 1 lit. f. GDPR.
We use the Droid Creator (Droid Script) from Droid Marketing GmbH, Ungargasse 64-66 / 2/405, 1030 Vienna, as a basis for creating scorings and queries. The created data will be forwarded to Acoustic, to display personal content. Droid Creator reads the breadcrumbs or page category to provide the information.
This website uses the open source web analytics service Matomo. Using cookies, an analysis of website usage is carried out that shows e.g. which areas of the website interest user the most. User data is only processed in pseudonymised form; in particular, IP addresses are shortened before storing. The information generated by the cookies about the use of this website will not be disclosed to third parties. MATOMO cookies remain on your terminal until you delete them or withdraw your consent in the cookie banner.
This website uses the website analysis functions of Google Analytics, which is operated by Google Ireland Limited ("Google"), Gordon House, Barrow Street, Dublin 4, Ireland in the role of contract processor.
For this service, Google Analytics evaluates the usage of the website on behalf of the website operator in order to compile reports on its functionality, range and the activities of users on the site. The website visitors’ data necessary for the web analysis is collected as part of Google Analytics using cookies in a pseudonymous form, which means in particular without your name or address; IP addresses are also shortened prior to their use in the analysis, which anonymises them.
Where information about your use of this website is transmitted by Google to a Google server in the USA by Google in its role as contract processor as part of Google Analytics implementation, the following applies: Google has signed up to the “privacy shield” in terms of its processing of data from the EU in the USA and guarantees appropriate data protection in this context. The data collected on this website within the scope of Google Analytics are not associated with any other data held by Google.
Preventing the collection of data by Google Analytics
In addition to the respective setting on your browser software, you can also prevent the collection of your data in connection with Google Analytics applications by downloading and installing the browser plug-in available under the following link: https://tools.google.com/dlpage/gaoptout?hl=en
Data stored at Google on the user and event level which are linked to cookies, user IDs or advertising IDs (e.g. DoubleClick cookies, Android advertising ID) will be anonymised after 14 months or deleted. You can find more details on this at the following link: https://support.google.com/analytics/answer/7667196?hl=en
A tracking solution from Capture Media AG (hereinafter “Capture Media”) is also integrated on this website for range measurement. Capture Media is a Swiss company based in Zurich that measures the use of this website in terms of engagements and events. The tracking is done pseudonymously, so that no link can be established to specific individuals. Your data will only be used in Capture Media if you have agreed to it in the cookie banner or mySFL.
We use Google Ads Remarketing and Outbrain and Facebook Pixel to show visitors to our website ads about our products and services when they visit other websites (“remarketing”). The use of user data for remarketing only takes place is you have consented in the cookie banner or registered for mySFL.
Information on setting and disabling options
GOOGLE ADS REMARKETING
This website processes your data using GOOGLE ADS REMARKETING as long as you have consented to it. This is an advertising service offered by Google, which we use to show targeted ads to visitors to our website when they visit other websites. The provider is Google Ireland Limited (“Google”), Gordon House, Barrow Street, Dublin 4, Ireland.
This website also uses Outbrain for remarketing purposes where consent has been obtained. The provider is Outbrain UK Limited, 5th Floor, The Place, 175 High Holborn, London, WC1V 7AA, United Kingdom.
You can deactivate the provision of individualised recommendations/information on websites by OUTBRAIN at any time (see LINK below). In OUTBRAIN’s “interests profile”, you will find a general representation of which of your data OUTBRAIN has and may use for recommendations. You also have the option of disabling individualised recommendations/information via the interests profile. https://my.outbrain.com/recommendations-settings/home
This website uses FACEBOOK PIXEL for measuring the success of an advertising campaign where we have your consent: if SFL TB launches a Facebook ad campaign and has specified the target group for it, Facebook will make available our marketing message to those Facebook users belonging to the target group. If a Facebook user clicks on a SFL TB ad that appears on Facebook, they will be taken to the SFL TB website; using the FACEBOOK PIXEL installed there, Facebook’s analysis services are then activated, which evaluate the efficacy of the Facebook advertisements for statistical and market research purposes, meaning future promotional activities can be optimised.
The information made available by Facebook is statistical information about the use of our website. This data is not personalised for us, we cannot link back to the user’s identity.
This service is provided by Facebook Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland. In terms of the processing of user data necessary for the provision of this service, we and Facebook are joint data controllers when we determine the characteristics of the ad campaign's target group. We have also concluded an agreement under article 26 GDPR for this purpose. We cannot influence any other processing of user data for service provision – this is the sole responsibility of Facebook.
You can find more details on the data use by Facebook described above at https://www.facebook.com/legal/terms/page_controller_addendum
You will find notes on protecting your privacy in the Facebook privacy policies: https://de-de.facebook.com/about/privacy/
You may also disable the remarketing feature "Custom Audiences" in the Ad Settings section at https://www.facebook.com/ads/preferences/?entry_product=ad_settings_screen. To do so, you will first need to log into Facebook.
If you do not have a Facebook account, you can opt out of usage-based advertising from Facebook on the website of the European Interactive Digital Advertising Alliance: http://www.youronlinechoices.com/de/praferenzmanagement/
This website integrates third-party data processing (e.g. videos) from certain providers. A “plug-in”, special supporting software, is required so that we can display this content on our website.
The operator of the “YOUTUBE” service is Google Ireland Limited (“Google”). Gordon House, Barrow Street, Dublin 4, Ireland.
By clicking a YOUTUBE video on our website, the user confirms that they have requested a service from the YOUTUBE information provider within the meaning of the E-Commerce law, Law Gazette I 152/2001. No separate consent is required for the collection of data that is necessary for the provision of this service in accordance with section 96 para 3 TKG; unlike for any further additional data collection by Google in connection with the service provision. Google is the data controller for all data processing in the present context.
We use YouTube in the extended data protection mode: according to YouTube, this mode means that YouTube does not store any information about our website users before they have watched the video, i.e. before they have accessed the service through a positive action, namely clicking the video.
This site enables the use of the GOOGLE MAPS map service via an interface (API/Application Programming Interface). The provider is Google Ireland Limited (“Google”), Gordon House, Barrow Street, Dublin 4, Ireland.
The service is initiated at the discretion of the visitors to our website, which means there is a request for a service of the information company from the website visitor, which does not require separate consent in accordance with section 96 (3) TKG 2003. Google is the data controller for the data processing for service provision. The operator of this website only makes available a technical option to the data subject, which they can access if they so choose.
It is necessary to save the user’s IP address in order to use the functions of Google Maps. This information is generally transmitted to a Google server in the USA and stored there. Google is a member of the “privacy shield” and guarantees appropriate data protection for the processing of EU data in the USA.
Data processing through social networks
We maintain publicly accessible profiles on social networks. The individual social networks we use are listed below.
We use our presence on a social network to present our offers, to post news, announce events etc. Visitors to our web presences on a social medium can submit recommendations or reviews, post photos, and enter into contact with us via the website, e.g. by subscribing to news. Social networks such as Facebook, Instagram etc. can generally comprehensively analyse your user behaviour if you visit our presence on the social network.
If you are logged into your social media account and visit our social media presence, the operator of the social media portal can assign this visit to your user account. However, your personal data may also be collected if you are not logged in to or do not have an account with the relevant social media portal. Data collection by the social media portals is, in this case, done via cookies that are stored on your terminal. The operators of social media portals use data collected in this way to create user profiles in which your preferences and interests are stored. In this way, interest-related advertising can be displayed inside and outside the relevant social media presence. If you have an account with the relevant social network, interest-based advertising can be displayed on all devices on which you are or were logged in.
Data controller and assertion of rights
Where we are joint data controllers with the social media portal, you can assert your rights (information, correction, deletion, limitation of processing, data portability and complaint) both to us and to the operator of the relevant social media portal (for example Facebook).
Social networks in detail
We have a profile on Facebook. This service is provided by Facebook Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland.
We have an agreement with Facebook on shared data processing (Controller Addendum). This agreement determines which data processing operations we or Facebook are responsible for when you visit our Facebook page. You can view this agreement via the following link: https://www.facebook.com/legal/terms/page_controller_addendum
You can adjust your advertising settings independently in your Facebook user account. To do so, click on the following link and log in: https://www.facebook.com/settings?tab=ads
Your rights with respect to the data controller
Under article 15 GDPR you have a right to information about whether and what data is processed about you by us.
Under article 16 GDPR you have the right to correct faulty or incomplete data.
Further, under article 17, you have the right to delete your data if it is unlawfully processed.
If the legality or correctness of data is in dispute, under article 18 a demand for the limitation of processing by the data controller can be made so that data cannot be further used and in particular not be changed – until dispute resolution.
Right to data portability
Article 20 provides the right to request from the data controller the data provided to the data controller by the data subject in a common machine-readable format for the purposes of data portability, where the processing is based on consent or a contract.
Right to object
Under article 21, an objection can be made to processing operations based on article 6 (1)(e) [legally mandated function] or (f) [legitimate interest] if, in the opinion of the objecting party, the processing violates their overriding and legitimate interests.
Asserting your rights
To assert one of these rights against us, please simply contact us via email to firstname.lastname@example.org
Verifying your identity: in order to protect your rights and your privacy, we are entitled to request proof of identity in case of doubt.
If you manifestly demand one of the above rights unjustifiably or particularly frequently, we are entitled to demand an appropriate processing fee or to refuse processing of the application.
If you think the processing of your personal data violates applicable data protection law, please contact us to clarify any questions at the email address email@example.com
Your trust matters to us. For this reason we will be pleased to respond to any questions you may have at any time concerning the processing of your personal data. If you have any questions which are not covered by this privacy statement or if you would like to receive more detailed information on any point, please do not hesitate to contact our team directly at firstname.lastname@example.org. We will be pleased to assist if you have any request for information, suggestions or complaints.
Right to complain to the Data Protection Authority
You also have the right of complaint to the Austrian Data Protection Authority (Barichgasse 40-42 1030 Vienna, email@example.com, https://www.data-protection-authority.gv.at/), if the operator of this website does not respond within a month to your enquiry.
Data protection officer
As a public corporation, the operator of this website is obliged to appoint a Data Protection Officer. They can be contacted at:
Serfaus-Fiss-Ladis Tourist Board
Attn. Data Protection Officer
6534 Serfaus, Austria
Phone: +43/5476/ 6239