Privacy Policy

The purpose of this notice is to inform you of your rights regarding our collection and processing of your personal data. This information is provided in accordance with Article 13 of the General Data Protection Regulation (GDPR).

1. Who is responsible for data processing, and who can you contact if you have questions?
Golm Silvretta Lünersee Tourismus GmbH, Weidachstraße 6, 6900 Bregenz, Austria, Commercial Register No. 59898k, is the data controller. If you have any questions regarding the processing of your data or other data protection concerns, our Data Protection Officer is available to assist you by mail at the above-mentioned address of the controller—with the addition “Data Protection Officer”—or by email at datenschutz@gsl-tourismus.at.

2. What data is processed and where does this data come from?
We process the personal data we receive from you in the course of our (business) relationship. We also process data that we have lawfully obtained from publicly accessible sources (e.g., the Commercial Register, the Register of Associations, the Land Register).
This personal data includes:

• Master data (first name, last name, title, date of birth, address, phone number, email address),
• Business contact data (date, means of communication, content),
• Ski pass data (WTP number, price, validity, access to the ski lifts),
• Offer and contract data (offer date, delivery or service, delivery address, technical data, powers of attorney, consideration),
• Event data (location and date, registration data, photographs),
• Opinions (feedback, surveys),
• Invoice data (item, prices, invoice amounts, voucher data),
• Photographs (“Actioncam” at the Alpine Coaster, photo capture system at turnstile entry control)
• Payment processing data (bank details, SEPA mandate, account details of our business partner’s accounting department, payment reminders).
• Statistics and marketing cookie data (IP address, website title, browser-specific information, information about website usage, device data).

We collect and process only the necessary data. In some cases, less data than described above may be sufficient.

3. Web Analytics
3.1. Cookies and Google Analytics When Using Our Website

• Our websites use cookies. These are small text files that are stored on your device via your browser. They do not cause any harm. We use cookies to make our website more user-friendly. Some cookies remain stored on your device until you delete them. They allow us to recognize your browser the next time you visit. If you do not wish this, you can configure your browser to notify you when cookies are set and to allow them only on a case-by-case basis. For more information about cookies, including how to see which cookies have been used and how to manage, block, and delete them, please visit allaboutcookies.org and review our Cookie Policy, which you can access via any of our websites. You may also be able to configure your browser to not accept cookies; however, you should be aware that this may limit your use of our website and online services.
  
  The processing of necessary cookies is based on the legal basis of legitimate interest, and the processing of other cookies is based on the legal basis of the website user’s consent, which is given by actively clicking “Yes, I agree to all cookies” or by selecting specific cookies and actively clicking “Accept selected cookies.”

Our websites use features provided by web analytics services

• Google Analytics, Google Tag Manager, DoubleClick Ad, Google Fonts, Google Translate, Google Syndication, YouTube Video, and Google Remarketing (web analytics service provided by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA). The information generated by the cookie regarding your use of this website (including your IP address) is transmitted to a Google server in the United States and stored there. Google then truncates the IP address by the last three digits; from this point on, it is no longer possible to uniquely identify the IP address. Detailed information on how Google Analytics handles user data can be found in the Google Privacy Policy or the Google Analytics Privacy Policy.
• Usercentrics Consent Management Platform from Usercentrics GmbH (Sendlinger Str. 7, 80331 Munich, Germany) also uses cookies necessary for the operation of the website. You can find more privacy information at https://usercentrics.com/de/datenschutzerklaerung/
• Intermaps (INTERMAPS AG, Untere Paulistrasse 6b, 8834 Schindellegi, Switzerland) for the integration of Intermaps. You can find more privacy information at https://www.intermaps.com/de/Privacy.html
• Panomax (Panomax GmbH, Landesstraße 23, 5302 Henndorf a. W.) for the integration of Panomax content. You can find more privacy information at https://www.panomax.com/datenschutz.html

3.2. Custom Audience
We use Facebook’s “ Custom Audience” technology, Facebook Pixel, and Facebook Social Plugins (Meta Platforms Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin, D02, Ireland). The data collected through the integration of cookies, web beacons, or similar third-party technologies allows us to measure and design our advertising activities on Facebook more effectively and, for example, to display posts or advertisements only to visitors of our website. To collect this data, we use exclusively cookies, web beacons, and similar, proven, and widely used third-party technologies. We do not share lists containing personal data with Facebook or upload such lists to Facebook. The data collected in this process is transmitted to Facebook only in encrypted form. We cannot view any personal data of individual users. For more information, please refer to Facebook’s Privacy Policy at facebook.com/about/privacy. If you do not wish to have your data collected via “Custom Audience,” you can disable “Custom Audience” here: facebook.com/settings/?tab=ads.
We use these web analytics services to continuously improve our features and services. Only non-personal data is used for analysis and reporting purposes. We do not combine this data with other personal data.

3.3 Transfer to Third Countries
There is a risk that no data protection supervisory authority has been established in the third country in question, that data subjects’ rights may not be enforceable under certain circumstances, and that U.S. authorities may access the data as part of surveillance programs. By selecting “Allow cookies,” you consent to the transfer of data in connection with services integrated into our website (plug-ins; video, access statistics) to Google Analytics, Google LLC, and YouTube LLC in the United States (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA) as a third country.

3.4 Withdrawal of Consent
You can withdraw your consent at any time. To do so, simply open the cookie banner in the left corner of the website and click “Decline.”

4. What is the legal basis for data processing, and for what purposes is it carried out?
We process your personal data to fulfill contractual obligations (e.g., sale of mountain railway tickets, sponsorship agreements, sale of gift certificates, event contracts, parking and ski storage rental agreements, sweepstakes), to fulfill other legal obligations (accident reports), based on your consent and/or on legitimate interests (guest services, consultation, photography, feedback, newsletters, cookies, web analytics, social media posts, Golmi-Post), unless your interest in confidentiality outweighs these interests.

• To fulfill contractual obligations ( Article 6(1)(b) of the GDPR):
  We process personal data to fulfill our contractual obligations, in particular to execute our contracts with you and to carry out all activities necessary for the operation and management of a tourism business. The purposes of data processing for the fulfillment of contracts primarily include the handling of sponsorships, sales (ski passes, tickets, and vouchers), and bookings (accommodations, events), billing, debt collection, and the management of contracts and contacts with business partners, as well as the administration of a contest, since the processing of your data is necessary to enable participation in the contest.
• To fulfill legal obligations (Article 6(1)(c) GDPR):
  The processing of personal data also takes place to fulfill legal obligations, such as corporate and tax law retention requirements, security measures, and, where applicable, the provision of information to law enforcement authorities and courts.
• Based on your consent (Article 6(1)(a) GDPR):
  If you have given us your consent to process your personal data, processing will only take place in accordance with the purposes specified in the consent and to the extent agreed therein. You may revoke your consent at any time with future effect.
• To safeguard legitimate interests ( Article 6(1)(f) GDPR)
  We also process your data to promote our own products, to sell images captured by the action camera, to monitor access at the Golmerbahn turnstiles via image capture, and for market and opinion surveys. To tailor advertising or offers better to your needs, we analyze the data relevant to our marketing purposes. Our legitimate interest consists, on the one hand, in offering product contracts and services tailored to the needs of existing or potential business partners (e.g., events, offers) and, on the other hand, in preventing the misuse of admission tickets.

Photo Capture System For access control purposes, a reference photo is taken of you the first time you pass through a turnstile equipped with a camera. A verification photo is taken each time you subsequently pass through such a turnstile. Our staff compare the reference photo with the verification photos to verify access authorization. The reference photo is deleted immediately after the ticket expires, and the verification photos are deleted no later than 30 minutes after passing through the turnstile. All data is stored in encrypted form. This data processing is based on the legitimate interest of the data controller (Art. 6(1)(f) GDPR) to prevent the unauthorized transfer of tickets, as this is expressly prohibited by contract.

You have the right to object to the processing of your personal data for direct marketing purposes (see Section 7 for more details).

To capture your Alpine Coaster experience, photos will be taken during your ride, which you can then purchase. The photos will be automatically deleted after 72 hours. However, they can also be deleted immediately upon request.

5. Who will your data be shared with?
If you have purchased a Montafon Brandnertal WildPass , all members of this pool have access to your data (click this link to see a list of which cable car operators have access to your data). This is necessary so that you can use the services offered by the other pool members and so that we can internally settle the fees you have paid. Access by the other pool members is provided through a data processor commissioned by us.

Pursuant to a separate agreement on the processing of personal data, your data is collected and processed on our behalf by INCERT eTourismus GmbH & Co KG, Leonfeldner Strasse 328, 4040 Linz, as part of a data processing arrangement under Article 28 of the GDPR, in accordance with the relevant legal requirements. As a data processor in the context of support measures, Incert eTourismus also has access to your data; however, it may only use this data for the purpose of support measures and not for its own purposes.

In addition, other processors we have engaged (e.g., IT service providers such as Team Axess AG in Austria, debt collection agencies, and affiliated companies such as illwerke vkw AG) will receive your data to the extent necessary to perform the respective service or to fulfill the data processing purposes specified in this Privacy Policy. All processors are contractually obligated to treat your data confidentially and to process it only within the scope of the assignment we have given them.
If necessary for the conduct of our (business) relationship, your data will also be shared with third parties (e.g., shipping companies, suppliers, postal services).

Where required by law, we disclose personal data to public authorities and institutions (e.g., law enforcement agencies, courts).

6. How long will your data be processed and stored?
We process your personal data only for as long as necessary. As soon as your data is no longer needed, it will be automatically deleted or anonymized. In any case, we store the personal data necessary for the performance of the contract for the duration of the entire business relationship and beyond, in accordance with statutory retention and documentation requirements.

7. What rights do you have?

Right of Access
If we process your personal data, you have the right to obtain information regarding the purposes of processing, the categories of personal data processed, the recipients of such personal data, the retention period, your rights, the source of the personal data, and whether automated decision-making is used.

Correction and Deletion
You have the right to request the correction of inaccurate or incomplete personal data concerning you. You also have the right to request the deletion of personal data concerning you, provided that the processing of the data is not lawful and there are no legal obligations on our part that prevent such deletion.

Restriction of processing
You have the right to request that the processing of your data be restricted.

Data Portability
You have the right to request that we provide you with the personal data you have provided to us in a structured, commonly used, and machine-readable format of our choosing. You have the right to request that we transmit your personal data directly to another controller, provided this is technically feasible.

Objection
Even if the personal data concerning you is accurate and complete and is being processed by us lawfully, you may object to the processing of this data in specific individual cases for reasons you provide. You may also object at any time to the receipt of direct marketing communications.

Exercising Data Subject Rights
Data subjects may exercise all rights as described in Section 1. Data subjects must identify themselves and provide the necessary information for identification to ensure that the response is provided to the correct data subject.

Complaints
You have the right to file a complaint with the Austrian Data Protection Authority, Barichgasse 40-42, 1030 Vienna, +43 1 52 152-0, email: dsb@dsb.gv.at , if your data protection rights are violated. You also have the right to file a complaint with the supervisory authority in your place of residence or workplace.

March 2025