Privacy Policy

The Belvedere processes personal data strictly according to the statutory requirements set by the GDPR. In the following sections, you will learn what kind of data is collected when you visit our website or use other services (contact, social media, applications) and how this data is used.

We reserve the right to adapt this privacy statement to reflect any new technical developments or legal changes and, if necessary, to update it when new services or products become available.

 

Responsible Party

Österreichische Galerie Belvedere
Wissenschaftliche Anstalt öffentlichen Rechts
Prinz Eugen-Strasse 27
1030 Wien

On any matter relating to privacy or the exercise of your rights, you may contact the privacy officer at datenschutz@belvedere.at.

Data Access

Each time you access our website, your browser automatically transmits, for technical reasons, the data listed below to our web servers. The data is stored exclusively for statistical and technical purposes; for example, to evaluate the frequency of page visits or to detect malfunctions in server operations. The following data is logged and evaluated:

  • Request (file name of the requested file)
  • Browser type and browser version
  • Operating system used
  • Referrer URL, i.e., the website that directed you to our website
  • IP address
  • Date and time of your visit
  • The particular webpages visited within our website

We collect this data in accordance with our legitimate interest (see Article 6(1)(f) GDPR) and store the information in "server log files" on our website server. The server log files are stored for a maximum of one week and are subsequently deleted. If data must be retained as evidence, e.g., to clarify security breaches, such data is excluded from deletion until the incident is conclusively resolved.

For the technical and organizational implementation of our internet presence as well as newsletter distribution, we make use of selected contracted data processing companies. All contracted data processing companies are contractually obligated to treat your personal data confidentially and to process it only within the scope of the service provision in accordance with our instructions. Data processing is conducted exclusively within the EU or EEA.

 

(Online) Purchase of Products and Tickets

If you purchase tickets or other products on our website or directly at the museum locations, your data may be collected (name, address, telephone number, e-mail address) as part of this purchase, insofar as this is necessary to fulfill the purchase contract. This data is collected for the purpose of ordering and order processing, personalization of products and delivery and stored until the expiry of the legal obligation to keep records. Data will only be passed on to third parties if this is necessary for the processing of the contract. As such, data for processing may be disclosed to payment service providers (mPAY24 GmbH, 1050 Vienna, Grüngasse 16, Unzer GmbH, Schöneberger Str. 21 a, 10963 Berlin) and deliverers or carriers for the shipment of the purchased products. In connection with event tickets, please also refer to the section "Event Registration".

In addition, personal data may be passed on to us when products are purchased via third parties (e.g. booking platforms, travel agencies). This data is necessary for the fulfillment of the contract. For information on data protection, please refer to the respective privacy policy of the provider.

The legal basis for the processing is Art. 6 para. 1 lit. b GDPR. Without the supply of the data, we are not able to fulfill the contract.

Personal data will be stored for as long as it is necessary for the purposes for which it is processed, moreover, for as long as there are legal obligations to retain it or for as long as it appears necessary for the assertion, exercise or defense of legal claims.

Contact Management of Business Partners

The responsible party processes your personal data (name, professional contact details, function, responsibilities within the company, company affiliation, contractual or work performance, UID, account data, correspondence) to fulfil the business purpose of ordering offers, order confirmations, invoices, goods and services and to maintain business contact. The legal basis in the case of an ongoing contractual relationship is Art. 6 para. 1 lit. b GDPR and Art. 6 para. 1 lit. c GDPR due to tax law requirements.

Under certain circumstances, the data in question may not have been provided by the persons affected themselves but by their employer, sales partner or similar.

Personal data may be passed on to public authorities (in particular the tax office, the Austrian Court of Audit, the Austrian Federal Ministry of the Arts, Culture, Civil Service and Sport), banks, tax consultants, auditors and other service providers, customers or funding bodies if the business activity requires coordination.

Personal data will be stored for as long as is necessary for the purposes for which it is processed, moreover for as long as there are legal obligations to retain it or for as long as it appears necessary for the assertion, exercise or defense of legal claims.

Direct Advertising

The responsible party uses authorized address publishers or public sources for the purposes of sending direct-mail advertising about products, services, and events. According to Article 6(1)(f) GDPR, the act of direct advertising is a legitimate interest of the responsible party for the purpose of efficiently reaching, in alignment with marketing strategies, customers, interested parties, and partners, as well as for the purpose of customer recovery. The use of data at the conclusion of a contract, with the aim of returning to a (pre-)contractual relationship, also falls within the scope of legitimate interest. Unless you object to the use of your data for this purpose, your data will be deleted seven years from the date of your last contact with the responsible party – earlier, in the event of objection. Such data will not be passed on to third parties who might use it for their own purposes without your consent. To assert your objection, please use the contact details provided.

For the purpose of sending electronic mail - including text messages - the data available to the responsible party from the contractual relationship will be processed unless you object at the time the data is collected. When using this data, the responsible party complies with the provisions of communications law, in particular § 174 (4) TKG.

Newsletter

You are given the opportunity to register for our newsletter directly on our website. During this process, we capture your e-mail address, your name, title, the desired newsletter language, and newsletter preferences.

Immediately after ordering the newsletter, you will receive further information. As soon as you have registered for the newsletter, we will send you a confirmation e-mail with a link to confirm your registration. You will receive the newsletter only once you have confirmed your registration. If no confirmation is received, the data will be deleted.

The open and click rate can be recorded to analyse the newsletter interaction. An open rate shows how many of the recipients actually opened the email sent. For this purpose, a so-called "web beacon" with an individual recipient ID is integrated into the HTML code of the email (also known as a "measurement or tracking pixel"). In order to find out which links in the emails were clicked on by the recipients and how often, the links contain an individual recipient ID, which is registered on the server when selected. This analysis enables us to customise our newsletter offer according to the use and wishes of the subscribers.

The legal basis for the processing of your data to receive the newsletter is your consent pursuant to Art. 6 (1)(a) GDPR.

Personal data will be stored as long as it is necessary for the purposes for which it is processed, and as long as there are statutory retention obligations or these appear necessary for the assertion, exercise or defense of legal claims.

You can revoke your consent at any time without giving reasons, either directly via the unsubscribe link in any of the newsletters or by e-mail to crm@belvedere.at.

To dispatch the newsletter, we work together with Emarsys eMarketing Systems AG, Märzstrasse 1, 1150 Vienna, Austria.

Raffle Participation

In the course of a raffle, personal data (in particular, name, date of birth, address, e-mail address, telephone number) is collected in order to check compliance with the conditions of participation (e.g. newsletter registration, compliance with minimum age) and to enable contact and the dispatch of a prize after the drawing of the winners, if applicable.

The legal basis for the processing of your data within the raffle participation is your consent pursuant to Art. 6 (1)(a) GDPR. You can revoke your consent at any time without giving reasons.

In the context of newsletter raffles, you will be informed that the newsletter registration also leads to an automatic participation in the raffle. This is based on our legitimate interest according to Art. 6 (1)(f) GDPR in increasing newsletter subscriptions and addressing potential customers in the future, as well as the marketing of products and services. If you do not wish this, you can object to participating in the raffle at any time and you will not be included in the drawing.

Personal data will be stored as long as it is necessary for the purposes for which it is processed, moreover, as long as there are statutory retention obligations or these appear necessary for the assertion, exercise or defense of legal claims.

You can send your revocation or objection to crm@belvedere.at.

Contact Form

When you contact us via the options made available (e.g., contact form, telephone, e-mail, or social media), your information (name, contact data, subject, and inquiry) will be processed to answer your inquiry.

The legal basis is the fulfilment of (pre-)contractual obligations pursuant to Art. 6(1)(b) GDPR or because of our legitimate interest pursuant to Art. 6(1)(f) GDPR in processing and answering inquiries from customers, interested parties, and partners.

Your data will be kept for the duration of the handling process and for a maximum of three years.

Such data will not be passed on to third parties without your consent.

Job Application Sent to the Österreichische Galerie Belvedere

To process your inquiry, handle the application process, and fill vacancies within our company, we process the personal data you provide us with, such as your name, title, address, telephone number, date of birth, education, professional experience, salary expectations, and any data and images contained in your cover letter, your curriculum vitae, certificates, or other documents sent. This takes place to fulfill (pre-)contractual obligations (Article 6(1)(b) GDPR). Please note that you may be contacted by our employees by telephone and/or e-mail to ensure that the application process runs smoothly. You affirm that all information provided is truthful. Incorrect information found after employment has been offered can lead to termination.

As a matter of principle, your data will only be forwarded to those internal offices and competent departments within our company responsible for specific application procedures. Your personal application data will not be passed on to third parties.

If the Österreichische Galerie Belvedere enters into an employment agreement with an applicant, the submitted data will be stored for the purpose of processing the employment relationship in compliance with statutory provisions.

If no employment contract is established with the applicant, the application documents will be deleted seven months after notification of the refusal decision, unless consent has been given for the storage of records in accordance with Article 6(1)(a) GDPR. This consent is obtained separately. Your consent may be revoked at any time without the need to provide reasons under the aforementioned contact.

Donation Management

The responsible party processes your personal data (name, date of birth, address, contact details, donation amount and donation purpose, bank details, communication and donation history, classifications (based on donation amount, frequency, last donation), consent if applicable) to process your donation, fulfil the purpose of the donation, comply with tax regulations (Federal Fiscal Code, Austrian Commercial Code), for transmission to the tax office so that you can claim your donation for tax purposes and to fulfil the non-profit or charitable objectives of the organisation.

The legal basis for this data processing is the fulfilment of a contract pursuant to Art. 6(1)(b) GDPR as well as legal obligations pursuant to Art. 6(1)(c) GDPR, in particular, Federal Fiscal Code, and our legitimate interest pursuant to Art. 6(1)(f) GDPR in the acquisition of donations by winning new and winning back donors and in the fulfilment of the statutory organisational objectives. Providing name details and dates of birth is required for the donation to be taken into account in the automated employee tax assessment. If not provided, donations cannot be taken into account as special expenses for tax purposes.

Personal data will be stored as long as it is necessary for the purposes for which it is processed, and as long as there are statutory retention obligations or these appear necessary for the assertion, exercise or defense of legal claims.

Film, Photo, and Audio Recording during Our Events

Please note that the Österreichische Galerie Belvedere reserves the right, unrestricted to time or place, to use any film, audio, or photo material recorded during an event for the purpose of documentation, information, and reporting on the event and to publish such material in print publications, on the website, in newsletters, and on social media.

In addition, your data will be passed on to internal departments (IT, marketing) and contract processors who, out of necessity, must receive such data for production, processing, and publication tasks. The data will also be shared with third parties (in particular media) for the purpose of providing information and press coverage. The data will not be disclosed to recipients who pursue their own purposes with this data. In the case of social media channels, however, the respective social media service may be granted the right to use the published data.

The processing, publication, and dissemination is based on our legitimate interest to show our activities and conduct public relations work and thus to increase awareness, as defined in Article 6(1)(f) GDPR, as well as in accordance with Sections 12 and 13 DSG [Austrian Privacy Act]. You are entitled to object to processing. The objection can be directed to the responsible persons or photographers on-site or to datenschutz@belvedere.at.

Care is taken for the rights and freedoms of persons depicted in the creation and use of the photos. We make this known specifically upfront by posting a notice in our invitations and directly on-site. We ensure that no legitimate interests of persons depicted are violated. Should, however, the rights and freedoms of a depicted person be violated for reasons particularly worthy of consideration, we will refrain from further processing by means of suitable measures. Images in print media already distributed cannot be made unrecognizable. Deletions on the website or social media channels will be carried out within the scope of technical feasibility.

Video Surveillance

Österreichische Galerie Belvedere surveils critical areas of the museum site. This involves taking video recordings, including time-stamped details, of people present in this area. In the course of viewing the video recordings, the first and last names and circumstances of the recordings, the role of the persons concerned (e.g. perpetrator, victim, witness) and suspected criminal offences of filmed persons can be known or collected. Affected persons are informed about the video surveillance before entering the filmed area. This is done by means of a sign and a reference to the website with more detailed information.

Video surveillance is carried out on the basis of our legitimate interest pursuant to Art. 6 para. 1 lit. f GDPR to prevent damage to employees, works of art, equipment and third parties, to document unauthorized access, vandalism, theft and to use it to investigate criminal offences and cases of damage.

If necessary, data may be transmitted to competent authorities, competent courts or public prosecutors' offices for the purpose of securing evidence in criminal law cases, for security police purposes and for securing evidence in civil law cases.

The data is stored for the duration necessary to fulfil the purpose and then deleted. Data will only be stored for longer if this appears necessary for the assertion, exercise or defense of legal claims.

Whistleblowing Reporting Channel

Österreichische Galerie Belvedere offers a Whistleblowing Reporting Channel at https://hinweis.sagedpw.at/212472_en/. This platform is not intended for handling general inquiries or complaints, but exclusively for reporting specific violations of law pursuant to §3 of the Austrian Whistleblower Protection Act (HSchG).

This Whistleblowing Reporting Channel is technically operated by the processor Sage GmbH, Stella-Klein-Löw-Weg 15, 1020 Vienna, and the content is managed by Jank Weiler Operenyi Rechtsanwälte GmbH (Deloitte Legal), Schottengasse 1, 1010 Vienna. Sage GmbH and Deloitte Legal guarantee the secure, confidential and independent processing of your report, which you can also submit completely anonymously, if you wish. Österreichische Galerie Belvedere will only be informed in the event of a reportable violation, whereby, of course, your identity will remain preserved.

In the context of your report, contact data (optional), the report itself as well as personal data contained in the report (e.g. in the text or in documents) may be processed by the processors.

The legal basis for the processing is Art. 6 (1)(c) GDPR (fulfillment of a legal obligation; providing or processing of the data is expressly permitted under the provisions of § 8 HSchG).

Reports are stored for a period of five years and beyond, insofar as the storage is necessary to carry out administrative or judicial proceedings that have already been initiated or investigative proceedings pursuant to the Austrian Code of Criminal Procedure (StPO).

Rights of Affected Persons

In connection with a request to exercise a right of affected persons (see "Your rights"), we record your name, the request, correspondence and notes, and the response to your request. This is done on the basis of legal obligations pursuant to Art. 6 (1)(c) GDPR resulting from the General Data Protection Regulation and the legitimate interest pursuant to Art. 6(1)(f) GDPR to provide evidence of the processing of the request.

In case of an event, data may be passed on to the competent authorities and courts. If data has been rectified, deleted or restricted at the request of an affected person, the responsible party must inform anyone else to whom the data has been disclosed of the assertion of these claims.

The personal data listed will be stored for a period of 3 years after the request submitted has been processed. Data will only be stored for a longer period if this appears necessary for the assertion, exercise or defense of legal claims.

Data Security

Safeguarding your data in our systems is a matter of utmost priority. It is our goal to manage your data with the greatest of care, taking all necessary technical and organizational security measures to protect your personal data from loss and misuse.

Access to our website is secured via HTTPS if your browser supports SSL. This means that communication between your terminal device and our servers is encrypted. Should you wish to contact us or our employees by e-mail, we would like to remind you that the confidentiality of the information transmitted cannot be guaranteed. Due to their technical design, the contents of e-mails can be viewed by third parties unless special technical security measures are taken.

To ensure appropriate information and system security and to detect malware, e-mail traffic protocol data is stored. When you send an e-mail to one of our addresses, the following data are logged: e-mail and IP address of both the recipient and the sender, number of recipients, subject, date and time of receipt at the server, file name of any attachments, size of the message, risk classification for spam, and delivery status. In a first step, e-mails are checked purely automatically. Only if there is a suspicion of danger for the security of the IT systems are individual e-mails manually checked by responsible persons.

The legal basis for the processing is our legitimate interest pursuant to Art. 6 (1)(f) GDPR.

Personal data will be stored as long as it is necessary for the purposes for which it is processed, and as long as there are statutory retention obligations or these appear necessary for the assertion, exercise or defense of legal claims.

Cookies

The website uses technologies such as web analytics and cookies to evaluate and improve the structure and navigation of our web presence and to customize it to suit your needs. You can revoke your consent at any time. Cookies are small data files stored on your device so that you can be automatically re-identified when you return to our website. Cookies can be stored permanently or only during a session. Two types of cookies are being used: strictly necessary cookies, which provide basic functions of the website, and target-oriented cookies, which help us to optimize the structure and navigation of our website and thus improve the quality of service. With both cookie applications, your IP address is immediately shortened and thus made anonymous so that it can no longer be assigned to you. Therefore, no personal data is collected or evaluated, nor is it linked to other such data. You can also prevent the installation of all types of cookies by adjusting your browser settings accordingly.

You may object in principle to the placement of cookies used for online marketing purposes for a variety of services, especially in the case of tracking, via the US site http://www.aboutads.info/choices/ or the EU site http://www.youronlinechoices.com/. Furthermore, you may deactivate the storage of cookies in your browser settings. If you choose such a setting, you may not be able to use all functions of our website to their full extent.
 

Google Analytics

This website uses Google Analytics, a web analysis service offered by Google Inc. (‘Google’). Google Analytics uses cookies – text files placed on your computer – to help the website analyze how users are utilizing the site.

For the collection of data, we rely on your consent pursuant to Article 6 (1) (a) EU GDPR for the corresponding data processing, which you may of course revoke at any time.

The information generated by the cookie tracking your use of the website is generally transmitted to and stored by Google on servers in the United States. The Belvedere website uses IP anonymization. Google, therefore, in accordance with the European Economic Area agreement, will truncate IP addresses within member states of the European Union or other signatory states before transmission to the USA. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and subsequently shortened there. On behalf of the website operator, Google will analyze this information to evaluate your use of the website, to compile reports on website activity, and to provide the website operator with other services relating to website usage and internet usage. The IP address transmitted by your browser in the context of Google Analytics is not merged with other Google data. You may refuse the use of cookies by selecting the appropriate settings on your browser; however, please note that if you do this you may not be able to use the full functionality of the website. You can also prevent Google from collecting the data generated by the cookie and relating to your use of the website (including your anonymized IP address) and from processing this data by downloading and installing the browser plug-in available under the following link: (http://tools.google.com/dlpage/gaoptout?hlde).
 

Google Remarketing

We use the remarketing or "Similar Audiences" function from Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, hereinafter referred to as "Google." 

We use this feature to deliver interest-based, personalized advertising to third-party websites that also participate in Google's advertising network.

To facilitate this advertising service, Google stores a cookie containing a sequence of numbers on your end device when you visit our web presence via your internet browser. This cookie records both your visit and the use of our website in an anonymous form. Personal data will not be disclosed to third parties. When you subsequently visit the website of a third party who also uses Google's advertising network, it may be possible that you will see advertisements that are related to our website or to the services we offer on that site.

For the collection of data, we rely on your consent pursuant to Article 6 (1) (a) EU GDPR for the corresponding data processing, which you may of course revoke at any time. Data may be transferred via a third country party into the USA.

To permanently deactivate this function, Google offers a browser plug-in for the most common internet browsers at https://www.google.com/settings/ads/plugin.

Google's cross-device marketing feature may enable tracking your usage behavior across multiple devices so that you may see interest-based, personalized advertising even when you switch devices. However, this presupposes that you have agreed to have your browsing history linked to your existing Google Account.
 

Enable or Disable Cookies

We also use cookies to make our services as customer-friendly as possible. Cookies are small text files that are stored on your device to allow our website to recognize you [or your browser] each time you use our website. Cookies can be stored permanently or for one session only. Two types of cookies are used: essential cookies that provide basic functions of the website, and targeted cookies, which help us optimize the structure and navigation of our website and thus improve the quality of service. With both cookie applications, your IP address is immediately shortened and made anonymous so that it can no longer be assigned to you. This means that personal data is not recorded or evaluated, nor is it linked to other such data.

In addition, you can prevent the installation of all types of cookies by setting your browser accordingly.

A general objection to the use of cookies for online marketing purposes can be raised for many services, especially in the case of tracking, via the US website http://www.aboutads.info/choices/ or the EU website http://www.youronlinechoices.com/. Furthermore, stored cookies can be deactivated by configuring your browser settings. If you choose such a setting, our website may not be able to fully support all functions.

Social Media – Plug-Ins

This website uses social media plug-ins, such as facebook.com, twitter.com, instagram.com, plus.google.com, and youtube.com. You may recognize them by each provider’s corresponding logo.

As soon as you visit a page on which such a logo appears, a connection to the provider’s respective server is established informing the provider as to the specific page you are visiting. The website operator has no influence on what data is transmitted to the respective provider. This data transfer takes place independently from actively clicking the plug-in.

In the case that you are simultaneously logged into Facebook, Twitter, Instagram, or YouTube, the plug-in can generate a material connection with your account. As soon as you leave a comment on the website or submit a “like” to this plug-in, it transfers the information to the provider and associates it with your account. You may prevent this by unsubscribing your account from the provider before using the plug-ins.

For social media plug-ins, the individual provider’s privacy directives apply (see the links in the following section).

 

Web-Based Augmented Reality Game - The Fantastic Palastics

The game "The Fantastic Palastics" is offered via the site games.belvedere.at and can only be used on site in the Belvedere Garden. You will need a smartphone with a camera and internet access.

It is not necessary to create a user account to use the game. In order to technically realise the game, cookies must be set and the location, camera and sensors of the smartphone must be accessed. Depending on the basic settings made or the operating system, you will be actively asked to enable the functionalities.

The legal basis for accessing the location, camera and motion sensors of the end device is your consent pursuant to Art. 6 (1)(a) GDPR. If you are under 14 years of age, your consent must be given by a person authorised to have custody of you. You can revoke your consent at any time without giving reasons.

The cookies do not contain any personal data and are technically necessary. All information on this can be found in the corresponding subsection.

We use processors to perform services on our behalf. Accordingly, we use the AR engine and hosting of 8th Wall, Inc. (250 Cambridge Ave 101, Palo Alto CA 94306, USA). More about data protection by 8th Wall, Inc.: https://www.8thwall.com/terms and https://www.8thwall.com/dpa. The processors may only process the data provided to them in accordance with our instructions and to the extent necessary to perform services for us. We contractually oblige these processors to ensure the confidentiality and security of the personal data processed within the scope of the assignment.

Afternoon classes/Workshops

The Österreichische Galerie Belvedere processes your personal data for the following purposes: registration, administration, and implementation of afternoon classes/workshops, support for participants, invoicing, attendance lists, and to inform contact persons in the event of an incident (especially medical emergencies). This is done on the basis of the underlying contractual relationship in accordance with Article 6 (1)(b) GDPR. In addition, we collect health data for the purpose of proper care and consideration of special needs, based on your consent in accordance with Article 6 (1) GDPR.

Without the provision of the requested data, participation in afternoon classes/workshops is not possible.

The billing data is stored for a period of seven years in accordance with tax law storage obligations (§132 BAO [Federal Tax Code], §§ 190, 212 UGB [Austrian Commercial Code]). Other data is deleted three years after the end of the afternoon class/workshop (§ 1489 AGBG [Standard Terms and Conditions of Business Law]). In the event of a possible cancellation without prior receipt of payment, the data provided by you will be stored for three years (§ 1489 AGBG [Standard Terms and Conditions of Business Law]).

Event Registration

For event management purposes we will process, in addition to your master and contact data, your acceptance or cancellation of an event, event participation, invitation and participation history, as well as any information you voluntarily provide regarding your participation (e.g., food preferences, allergies/intolerances, physical limitations). 

The legal basis for the processing of data is provided by Article 6(1)(a) (your consent) and Article 6(1)(f) (legitimate interests of the responsible party) GDPR. Our legitimate interests lie in the timely and demand-oriented organization, hosting, and follow-up of the event; meeting the participants' respective desires; and aligning marketing strategies for customer acquisition to enter into a (pre-contractual) contractual relationship.

Special categories of personal data (e.g., allergies, physical limitations) are processed exclusively on the basis of your voluntary consent. Failure to provide consent may prevent special participant requests from being honored. You can revoke your consent at any time by sending an e-mail to the contact provided in detail below.

Your data will only be passed on to third parties if this is necessary for the organization, implementation and holding of the event. Accordingly, cooperation partners (media, companies, artists, museums, individuals, etc.) may receive lists of participants. The cooperation partners of an event may be found in the event invitation. Furthermore, operators of event venues may receive lists of participants for safety reasons (events outside the Österreichische Galerie Belvedere).

As part of the event organization and implementation, your data may also be transferred to contracted processors for the provision of services (e.g. catering, event management, registration of participants, security). For example, catering companies receive information on participants and their food preferences or allergies/intolerances as required by the type of event (allocated seating at dinners, banquets, etc.). Contracted security companies receive lists of participants in order to carry out entry checks. These processors must comply with data protection regulations and delete the data after the contractual service has been performed. Data processing takes place exclusively within the EU or EEA.

Your data will be stored for a maximum of 3 years after the last contact. 

Online Presence in Social Media

We maintain an online presence on social networks and platforms to communicate and provide information about our services to those customers, interested parties, partners, and users who are active there.

The processing of users' personal data is performed based on our legitimate interests in effectively informing and communicating with our users in accordance with Article 6(1)(f) GDPR. In the event that the respective platform providers ask users for their consent to the aforementioned data processing, Articles 6(1)(a) and 7 of the GDPR provide the legal basis.

Please note that we, as the creators of the online presence, do not make any decisions regarding the processing of user data and all other information pursuant to Article 13 GDPR, including the legal basis, identity of the responsible party, and storage period of cookies placed on user terminals. These are set by the providers independently.

Please note that users' data may be processed outside of the European Union. This may entail risks for users, e.g., by making it more difficult to enforce users' rights. With respect to US providers certified under the Privacy Shield framework, note that they are thereby obligated to comply with EU privacy standards.

Furthermore, user data is, as a rule, processed for the purposes of market research and advertising. For example, based on user behavior, the resulting information on interests may be used to create user profiles. User profiles can then be used, for example, to insert advertising inside and outside platforms that presumably correspond to the interests of the users. For these purposes, cookies storing the usage behavior and interests of the user are cached on the user’s computer. Furthermore, data can also be stored in user profiles independent of the devices employed by the users (particularly if the users are members of the respective platforms and are logged into them).

For a detailed description of the processing and opt-out options of respective platforms, we refer you to the linked information on providers listed below.

Please note that requests for information and the assertion of the rights of persons affected can be pursued most effectively directly with the providers. Providers are the only ones who have access to user data and can directly take appropriate measures and provide information. That recommendation notwithstanding, however, please be advised that persons affected can assert their rights against any individual responsible, i.e., against any party.


Facebook, Facebook pages, Facebook groups (Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland), based on an agreement on the joint processing of personal data

Data privacy statement: https://www.facebook.com/about/privacy/
Data privacy information for pages: https://www.facebook.com/legal/terms/information_about_page_insights_data and https://www.facebook.com/legal/terms/page_controller_addendum
Opt-out: https://www.facebook.com/settings?tab=ads and http://www.youronlinechoices.com
Privacy Shield: https://www.privacyshield.gov/participant?id=a2zt0000000GnywAAC&status=Active


Google/YouTube (Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA)
Data privacy statement: https://policies.google.com/privacy
Opt-out: https://adssettings.google.com/authenticated
Privacy Shield: https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active


Instagram (Instagram Inc., 1601 Willow Road, Menlo Park, CA, 94025, USA)
Data privacy statement: https://help.instagram.com/155833707900388  
Opt-out: http://instagram.com/about/legal/privacy/


Twitter (Twitter Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA)
Data privacy statement: https://twitter.com/de/privacy
Opt-out: https://twitter.com/personalization
Privacy Shield: https://www.privacyshield.gov/participant?id=a2zt0000000TORzAAO&status=Active


TripAdvisor (TripAdvisor Inc., 400 1st Avenue, Needham, MA 02494 USA)
Data privacy statement: https://tripadvisor.mediaroom.com/AT-privacy-policy
Opt-out: http://info.evidon.com/pub_info/2719?v=1&nt=0

Your Rights

Regarding the processing of your data, you have the following rights: information, correction, deletion, restriction, data transferability, revocation, and objection. The right of revocation applies to data processing that is based on your consent. The right to object exists in the case of data processing that is based on the legitimate interests of the responsible party or a third party. If you believe that the processing of your data violates privacy laws or that your privacy claims have otherwise been violated in any way, you may lodge a complaint with the regulatory authority. In Austria, this is the Austrian Data Protection Authority. If you would like to exercise any of the above rights, you can also contact us at any time at datenschutz@belvedere.at or by mail at:

Österreichische Galerie Belvedere
Wissenschaftliche Anstalt öffentlichen Rechts
Prinz Eugen-Strasse 27
1030 Wien