DATA PROTECTION POLICY AND LEGAL INFORMATION

We are pleased that you are visiting our website, viennaairport.com. Flughafen Wien Aktiengesellschaft (hereinafter: "we" or "Vienna Airport") takes data protection very seriously. Data is being processed and used in compliance with the General Data Protection Regulation of the European Union (Regulation (EU) 2016/679; GDPR) and the Austrian Data Protection Act [Datenschutzgesetz/DSG].

Please find below more detailed information on how your data will be used:

I. NAME AND ADDRESS OF THE CONTROLLER

The Controller as defined in the General Data Protection Regulation and other national data protection laws of the Member States and other data protection provisions is:

Flughafen Wien Aktiengesellschaft
Flughafen 1300 Vienna Airport, Austria
Phone: +43 1 7007-0
Website: www.viennaairport.com

II. THE DATA PROTECTION OFFICER

FWAG's data protection officer can be reached at:

datenschutz@viennaairport.com

and by post: Flughafen Wien AG, Postfach 1, 1300 Vienna Airport with the addition “General Secretariat / Data Protection Officer”.

III. PROCESSOR

In some cases we use external service providers (so-called processors) to process personal data. They have been carefully selected and instructed by us, are bound by our instructions and checked regularly.

IV. TRANSFER OF DATA TO COUNTRIES OUTSIDE THE EEA

In the following cases we will transfer data to recipients whose registered office is not in the European Economic Area:

• Your data will also be transmitted to Facebook Inc. ("Facebook"), whose registered office is at 1601 S. California Ave, Palo Alto, CA 94304, USA, such as your IP address (where applicable in an anonymised form), information on access to websites (URL) and estimates regarding demography and age. The legal basis for such transfer is our legitimate interest in a statistical analysis of user behaviour for optimisation and marketing purposes (Art 6(1)(f) GDPR).

V. GENERAL INFORMATION ON DATA PROCESSING

1. Extent of the processing of personal data

As a matter of principle we collect and use our users' personal data only to the extent this is necessary to provide an operable website, our contents and services. Our users' personal data is collected and used regularly only upon the consent of the user. A derogation applies to cases where prior obtaining of consent is not possible for factual reasons and the processing of the data is permitted by statutory provisions.

2. Legal basis for the processing of personal data

To the extent that we obtain the consent of the data subject to processing activities Art. 6(1)(a) of the General Data Protection Regulation (GDPR) is the legal basis for the processing of personal data.

For the processing of personal data which is necessary to perform a contract to which the data subject is a party Art. 6(1)(b) GDPR is the legal basis. This also applies to processing activities which are necessary to implement pre-contractual measures.

To the extent that processing of personal data is necessary to fulfil a legal obligation of our company Art. 6(1)(c) GDPR is the legal basis.

In the case that processing of personal data is necessary in order to protect the vital interests of the data subject or of another natural person Art. 6(1)(d) GDPR is the legal basis.

Art. 6(1)(f) GDPR is the legal basis for data processing where processing is necessary for safeguarding our legitimate interests or those of a third party and where the interests, fundamental rights or fundamental freedoms of the data subject do not prevail over such interests.

3. Erasure of data; Storage period

The data subject's personal data will be erased or access to such data will be blocked if and when it is no longer needed in relation to the storage purpose. Storage beyond that period may occur if provided for by the European or national legislator in EU Regulations, statutes or other provisions that must be observed by the Controller. The data will also be blocked or erased if and when a storage period prescribed by the said legislation expires, unless continued storage of the data is required for conclusion or performance of a contract.

VI. PROVISION OF THE WEBSITE AND CREATION OF LOGFILES

1. Nature and scope of data processing

Every time our website is retrieved our system will automatically collect data and information from the computer system of the retrieving computer.

In this connection the following data will be collected:

• information on the browser type and the version used

• language and version of the browser software

• the user's operating system and its user interface

• the user's IP address

• date and time of access and time zone difference to Greenwich Mean Time (GMT)

• transmitted data volume

• websites from which the user's system is redirected to our website

• websites retrieved by the user's system via our website

• access status/HTTP status code

Such data will also be stored in the logfiles of our system. Such data will not be stored together with other personal data of the user.

2. Legal basis for data processing

The legal basis for temporary storage of data and logfiles is Art. 6(1)(f) GDPR.

3. Purpose of data processing

Temporary storage of the IP address by the system is necessary for delivery of the website to the user's computer. For that purpose the user’s IP address must be stored for the duration of the session.

Storing log files is done to ensure the website’s functionality. In addition, such data helps us to optimise the website and ensure security of the IT systems. In this connection the data will not be analysed for marketing purposes.

The said purposes also constitute our legitimate interest in data processing as defined in Art. 6(1)(f) GDPR.

4. Storage period

The data will be erased as soon as it is no longer required for achieving the purpose of its collection. If data is collected for provision of the website this will be the case as soon as the relevant session is terminated.

In the case of storage of data in logfiles this will be the case after a maximum of seven days. Storage beyond that period is possible. In that case the IP address of the users will be erased or alienated so that it can no longer be attributed to the retrieving client.

5. Possibility of objection and removal

Collection of data for provision of the website and storage of data in logfiles is mandatory for operation of the website. Accordingly, the user has no possibility to object.

VII. USE OF COOKIES

1. Nature and scope of data processing

Our website uses cookies. Cookies are text files which are stored in the user's computer system in or by the internet browser. When a user retrieves a website, a cookie may be stored on the user's operating system. That cookie contains a characteristic string of characters which allows unambiguous identification of the browser when the website is retrieved again.

We use cookies to make the website more user-friendly. Some elements of our website require the possibility to identify the retrieving browser even after moving to another website ("First Party Cookies"). We process such cookies on the basis of a legitimate interest (Art. 6(1)(f) GDPR) because it would not be possible to display the website without such cookies.

In addition, our website uses cookies which allow an analysis of the users' browsing behaviour. Sometimes such cookies are placed and used by third parties ("Third-Party Cookies"). Data processing of such cookies is done on the basis of your consent (Art. 6(1)(a) GDPR), which you may withdraw at any time.

The user data which is collected in this way is pseudonymised by technical measures. Consequently, the data can no longer be attributed to the retrieving user. The data will not be stored together with other personal data of the users.

When retrieving our website the user is informed about the use of cookies for analysing purposes and the user's consent to the processing of personal data used in this connection will be obtained. In that connection reference is also made to this Data Protection Policy.

In detail we use the following cookies:

2. Legal basis

The legal basis for processing personal data by using technically necessary cookies is Art. 6(1)(f) GDPR.

The legal basis for processing personal data by using cookies for analytical purposes is Art. 6(1)(a) GDPR, provided that the user has given his/her consent.

3. Purpose

The purpose of using technically necessary cookies is to make use of websites easier for users. Some features of our website cannot be offered without the use of cookies. For those it is necessary for the browser to be recognised even after a move to another website.

The user data collected by technically necessary cookies will not be used to create user profiles.

The analytical cookies are used for the purpose of enhancing the quality and contents of our website. By means of analytical cookies we learn how the website is used and are thus able to constantly optimise our offer.

4. Storage; Erasure; Possibility of objection and removal

Cookies are stored on the user's computer and transmitted from there to our website. Thus, you as the user have full control over the use of cookies. By changing the settings in your internet browser you can deactivate or restrict transmission of cookies. Cookies which have been stored already can be deleted at any time. This may also be done automatically. If cookies are deactivated for our website, not all of the website's features may be fully used anymore.

Each browser manages the cookie settings differently. This is described in the help menu of every browser, which will explain to you how you may change your cookie settings. They can be found for the relevant browsers via the following links:

Internet Explorer: https://support.microsoft.com/en-gb/help/17442/windows-internet-explorer-delete-manage-cookies

Firefox: https://support.mozilla.org/en-US/kb/enable-and-disable-cookies-website-preferences

Chrome: https://support.google.com/chrome/answer/95647?hl=en-GB&hlrm=en

Safari: https://support.apple.com/kb/ph21411?locale=en_GB

Opera: http://help.opera.com/Windows/10.20/en/cookies.html

VIII. CONTACT FORM AND EMAIL CONTACT

1. Nature and scope of data processing

Our website provides a contact form which may be used for contacting us electronically. If a user chooses this option, the data entered in the entry mask will be transmitted to us and stored. The relevant data includes:

• Salutation

• Title

• Name

• Email

• address

• Comment

When the message is sent, the following data will be stored in addition:

• Date and time of registration

In connection with the sending process your consent to data processing will be obtained with reference to this Data Protection Policy.

Alternatively, you may contact us via the email address provided in this document. In that case the personal data of the user transmitted with the email message will be stored.

In this connection no data will be forwarded to third parties. Data will exclusively be used to process the conversation.

2. Legal basis for data processing

The legal basis for data processing is Art. 6(1)(a) GDPR, provided that the user has given his/her consent thereto.

The legal basis for processing data that is transmitted in the course of transmission of an email is Art. 6(1)(f) GDPR. If the purpose of the email contact is conclusion of a contract, Art. 6(1)(b) GDPR is an additional legal basis for processing.

3. Purpose of data processing

Personal data from the entry mask is processed by us only to reply to your enquiry. If you contact us via email, this constitutes the required legitimate interest in data processing.

Other personal data processed during the sending process is used to prevent misuse of the contact form and to ensure the security of our IT systems.

4. Storage period

The data will be erased as soon as it is no longer required for achieving the purpose of its collection. For personal data from the entry mask of the contact form and for data transmitted by email this is the case once the relevant conversation with the user is terminated. The conversation is deemed terminated if the circumstances suggest that the relevant matter has been clarified exhaustively and for traceability of up to 26 months.

5. Possibility of objection and removal

The user may withdraw his/her consent to the processing of personal data at any time. If the user contacts us via email, he/she may object to storage of his/her personal data at any time. In such a case the conversation may not be continued.

In order to exercise your right to object, please send a message to  datenschutz@viennaairport.com. Upon receipt of your objection by us all personal data stored during our contact will be erased in that case.

IX. boarding pass control Paxcontrol

1. Description, scope aNd purpose of data processing

At the entrance to the airside, which is the area in the terminals that is only accessible to certain people (e.g. passengers, crew members, employees), your boarding pass is scanned to check whether you are authorised to enter the airside. This also serves airport security purposes. The following data will be processed: Name, PNR code, destination, airline, flight number, date, class, seat, sequence number (of the airline), status (if specified by the airline), frequent flyer number (if specified by the airline) and fast track indicator.

2. Legal basis for the data processing

The processing activity serves to fulfil our legal obligation under Commission Regulation No 2015/1998 of 5 November 2015 laying down detailed measures for the implementation of the common basic standards on aviation security (Article 6(1)(c) of the GDPR) as well as our legitimate interest, which lies in the pursuit of the above purposes, in particular airport security (Article 6(1)(f) of the GDPR). 

3. Recipient

In the context of boarding pass control, personal data is disclosed to the following recipients:

• IT service provider

4. Retention period

We keep the personal data for 24 hours, after which it is deleted again.

5. Right to objection and removal

Boarding pass checks are carried out because of compelling reasons worthy of protection, which lie in the pursuit of the above-mentioned purposes, in particular airport security. You can therefore not effectively exercise your right to object.

X. Biometric boarding pass control Paxcontrol “Star alliance Biometrics”

1. Description, scope aNd purpose of data processing

Star Alliance Biometrics (hereinafter “SBH”) is a Star Alliance Services GmbH product (Frankfurt Airport Center 1, 5th Floor, 60546 Frankfurt / Main; hereinafter: “Star Alliance”) and it enables the voluntary biometric identification (facial recognition) of the passenger at the airport. Flughafen Wien AG currently supports the use of the biometric identification services offered by SBH at individual, clearly identifiable boarding pass control gates before the security check (“Pre-security gates”).

If you wish to use the biometric identification service at these clearly identifiable gates, which integrate with the SBH biometric identification service, a short video sequence of you will be recorded, which will be subsequently transmitted to Star Alliance for the purpose of biometric matching with your SBH biometric profile.

The Star Alliance data protection statements, which can be found at  https://staralliance.com/de/apps-privacy-policy, shall apply for this subsequent data processing in connection with the biometric matching under the responsibility of Star Alliance as well as for the registration with SBH and the use of the corresponding Star Alliance Navigator App.

If your recorded facial images are successfully matched with the SBH database, Star Alliance will transmit all of the necessary data from your boarding pass (see section X) to Flughafen Wien AG, the gate will open and you may continue your journey.

Please note:

If you have not given your consent in the Star Alliance Navigator App or if you have revoked your consent, you will not be permitted or able to use the biometric identification service (successfully). You have alternative options for the boarding pass control (e.g. boarding pass scan). There is no obligation whatsoever to use the biometric identification service.

If, contrary to the express reference on the accordingly marked gates, you try to use the biometric identification service without being registered with SBH or without giving consent there to being identified at Vienna Airport, a video sequence/photo of you will still be recorded and transmitted to Star Alliance for biometric matching. However, the identification will then fail and the identification process will end with an error message. 

2. Legal basis for the data processing

The legal basis for this processing is the express consent you gave in the Star Alliance Navigator App to being identified via the Star Alliance biometric identification service at Vienna Airport (Art. 9 (2) lit. a of the GDPR). Star Alliance will take over the consent management for Flughafen Wien AG.

3. Recipient 

The facial images will be transmitted to the Star Alliance identification service. Star Alliance generates the biometric characteristics from one of these facial images and matches these with the biometric template that is stored in its database and assigned to a particular passenger. A biometric database is required by the identification service. Star Alliance also provides this database. The passenger voluntarily registers there in advance by providing their personal data, taking a photo, scanning an identification document and selecting the airports and airlines, whereby the passenger wishes to be personally identified by the biometrics process described above. For more information regarding the processing of your data by Star Alliance:  https://staralliance.com/de/apps-privacy-policy 

4. Retention period 

The captured facial images are deleted immediately after transmission to Star Alliance and therefore not stored by Flughafen Wien AG.

5. Right to objection and removal

You may revoke your consent in the profile management section of the Star Alliance Navigator App at any time. The revocation of consent shall not affect the lawfulness of the processing carried out based on the consent until the revocation.

At Vienna Airport, you always have the option to use a conventional boarding pass control gate before the security check (“Pre-security gates”) and submit your electronic or paper boarding pass for verification. You are not obliged to pass through the clearly signed biometric gates. 

Important note:

However, we would like to point out once again that we immediately delete the captured facial images from our systems after transmission to Star Alliance in the context of the biometric identification process. For this reason alone, the above rights referred to in XII, which you are entitled to in accordance with the GDPR, normally cannot be implemented because your personal data no longer exists.

XI. RIGHTS OF THE DATA SUBJECT

According to the data protection legislation in force you have comprehensive rights as a data subject (right to information and intervention) vis-à-vis the Controller about which we will inform you below:

• Right of access to information pursuant to Art. 15 GDPR: In particular, you have the right to information on your personal data processed by us, the purposes of the processing, the categories of personal data processed, the recipients or categories of recipients to whom your personal data has been or will be disclosed, the envisaged period for which the personal data will be stored and/or the criteria used to determine that period, the existence of the right to rectification, erasure or restriction of processing, the right to object to processing, the right to lodge a complaint with a supervisory authority, the source of your data where it is not collected from you by us, the existence of automated decision-making, including profiling, and, where applicable, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for you, and your right to be informed about what safeguards pursuant to Art. 46 GDPR exist in the case of transfer of your data to third countries.

• Right to rectification pursuant to Art. 16 GDPR: You have the right to immediate rectification of inaccurate data concerning you and/or to have completed your incomplete data stored by us.

• Right to erasure pursuant to Art. 17 GDPR: You have the right to request erasure of your personal data if the prerequisites of Art. 17(1) GDPR are fulfilled. However, this right does not apply in particular if processing is necessary for exercising the right of freedom of expression and information, for compliance with a legal obligation, for reasons of public interest or for the establishment, exercise or defence of legal claims.

• Right to restriction of processing pursuant to Art. 18 GDPR: You have the right to request restriction of processing for as long as the contested accuracy of your data is being verified if you oppose the erasure of your data and request the restriction of their processing instead, if you need the data for the establishment, exercise or defence of legal claims, if we no longer need such data after the purposes has been achieved or if you have objected to processing due to your particular situation pending the verification whether our legitimate grounds override your grounds.

• Right to be notified pursuant to Art. 19 GDPR: If you have exercised your right to rectification, erasure or restriction of processing vis-à-vis the Controller, the Controller must notify all recipients to which personal data concerning you has been disclosed of such rectification or erasure of data or restriction of processing, unless this proves impossible or or involves disproportionate effort. You have the right to be informed about those recipients.

• Right to data portability pursuant to Art. 20 GDPR: You have the right to receive your personal data which you provided to us in a structured, commonly used and machine-readable format and may request that the data be transmitted to another controller, where technically feasible.

• Right to withdraw consents given pursuant to Art. 7(3) GDPR: You have the right to withdraw your previously given consent to processing of data at any time with effect for the future. In the case of withdrawal we will erase the data concerned without immediately, unless further processing may be based on a legal basis for processing for which no consent is required. The lawfulness of processing done up to the time of withdrawal shall not be affected by withdrawing consent.

• Right to lodge a complaint pursuant to Art. 77 GDPR: Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data relating to you infringes the GDPR. In Austria the competent supervisory authority is the Data Protection Authority [Datenschutzbehörde].

• Right to object: If, considering the relevant interests, we process your personal data on the basis of our overriding legitimate interest, you have the right to object to such processing on grounds relating to your particular situation at any time with effect for the future.

If you exercise your right to object, we will stop processing the data concerned. Further processing shall, however, be reserved if we are able to prove compelling legitimate grounds for the processing which override your interests, fundamental rights and fundamental freedoms or if processing is necessary for the establishment, exercise or defence of legal claims.

If your personal data is processed by us for direct marketing purposes, you have the right to object to processing of the personal data relating to you for the purpose of such advertising at any time. You may raise your objection as described above.

If you exercise your right to object, we will stop processing the relevant data for direct marketing purposes.

Please address your enquiries in this connection to  datenschutz@viennaairport.com.