Privacy policy
for website, contacting, direct marketing and for events in accordance with Art. 13 and 14 GDPR

The protection of your personal data is of particular concern to OTTO Immobilien GmbH (“OTTO”, “we”, “us”). We therefore process your personal data exclusively on the basis of the statutory provisions, in particular the General Data Protection Regulation (“GDPR”), the applicable Data Protection Act (“DPA”) and the Telecommunications Act (“TCA”). Below you will find out what information we collect, process and use, including when you visit our website luxury.otto.at (“Website”).

1. Name and address of the person responsible

The person responsible for processing your personal data in accordance with data protection regulations is:
OTTO Immobilien GmbH
Riemergasse 8,
1010 Vienna
Tel: + 43 1 512 77 77
E-mail: office@otto.at

Please contact us directly if you have any questions about data processing concerning you.

2. Data processing website

2.1 Scope of the processing of personal data when using the website
In the course of your visit to our website, we will automatically collect the following personal data about you:

• The date and time a page on our website was accessed;
• Data about your end device (Device ID);
• IP address;
• Name and version of your web browser;
• Session ID.

For information on the cookies we collect when you visit our website, please refer to our cookie statement.

2.2 Legal bases for the processing of personal data
As far as the data of your visit to our website and online services is concerned, we rely on our legitimate interest in accordance with Art. 6 para. 1 lit. f GDPR to justify the processing, which consists of making our website user-friendly and protecting you from attacks.

2.3 Purpose of data processing
We process your data in connection with your visit to our website for the following purposes:

• to provide you with our website, including its functions, and to further improve and develop this website;
• to be able to create usage statistics;
• to recognise, prevent and investigate attacks on our website and online services.

2.4 Duration of storage
We will generally store your data relating to your visit to the website for a period of 14 days.
Data will only be stored for longer if this is necessary to investigate any attacks on our website and only until the end of any applicable limitation periods, statutory retention periods or any legal disputes.

2.5 Recipients of data
We regularly use IT service providers to operate and manage the website, who may also have access to personal data on our behalf and in accordance with our instructions in order to be able to provide the commissioned IT services.
We also transfer your personal data to the following recipients:

• to other external third parties to the extent necessary (e.g. auditors, insurance companies in the event of an insurance claim, legal representatives in the event of a claim, etc.);
• to authorities and other public bodies to the extent required by law (e.g. tax authorities, etc.).

Your data will not be passed on to any other third parties for their own purposes without your consent.
If we process your data in a third country outside the European Union (EU) or the European Economic Area (EEA) or in the context of the use of third-party services, this will only take place if it is necessary to fulfil our (pre)contractual obligations, on the basis of your consent, on the basis of a legal obligation or on the basis of our legitimate interests. We have implemented suitable and appropriate safeguards to ensure that the transfer of your data to the respective third country complies with data protection regulations. At your request, we will provide you with a copy of these appropriate safeguards if we process or have your data processed in third countries.
Insofar as this involves a transfer to countries without an adequacy decision pursuant to Art. 45 para. 3 GDPR and without suitable guarantees pursuant to Art. 46 GDPR, such as the USA in particular, we would like to point out that there is a risk that your data transferred in this way may be subject to access by authorities in these third countries for control and monitoring purposes and that no effective legal remedies are available against this.

3. Data processing contacting

3.1 Scope of the processing of personal data when contacting us
If you contact us by e-mail, telephone, fax, post, via our social media channels or via our contact form, we process the personal data you provide (e-mail, name, telephone, etc.) and the content of your enquiry.
If you contact us via our social media pages on Facebook, Instagram or LinkedIn, we will receive your personal data from the respective operators of the social media platform and will also transmit your personal data to the respective operators.

3.2 Legal basis for the processing of personal data
In order to be able to answer your enquiry, we rely on our legitimate interest in accordance with Art. 6 para. 1 lit. f GDPR to justify the processing, which consists of answering your question in a satisfactory manner.

3.3 Purpose of data processing
We process your data in connection with your enquiry for the purpose of providing you with a personalised and satisfactory response.

3.4 Duration of storage
We will generally store your data in connection with inquiries and contacts for a period of six months after answering the inquiry in order to be able to respond to any follow-up questions. Data will only be stored for longer if this is necessary to investigate any attacks on our website and only until the end of any applicable limitation periods, statutory retention periods or any legal disputes.

3.5 Recipients of data
To answer enquiries, we regularly use IT service providers who may also have access to personal data on our behalf and in accordance with our instructions in order to be able to provide the commissioned IT services.
We also transfer your personal data to the following recipients:

• to other external third parties to the extent necessary (e.g. auditors, insurance companies in the event of an insurance claim, legal representatives in the event of a claim, etc.);
• to authorities and other public bodies to the extent required by law (e.g. tax authorities, etc.).

Your data will not be passed on to any other third parties for their own purposes without your consent.
If we process your data in a third country outside the European Union (EU) or the European Economic Area (EEA) or in the context of the use of third-party services, this will only take place if it is necessary to fulfil our (pre)contractual obligations, on the basis of your consent, on the basis of a legal obligation or on the basis of our legitimate interests. We have implemented suitable and appropriate safeguards to ensure that the transfer of your data to the respective third country complies with data protection regulations. At your request, we will provide you with a copy of these appropriate safeguards if we process or have your data processed in third countries.
Insofar as this involves a transfer to countries without an adequacy decision pursuant to Art. 45 para. 3 GDPR and without suitable guarantees pursuant to Art. 46 GDPR, such as the USA in particular, we would like to point out that there is a risk that your data transferred in this way may be subject to access by authorities in these third countries for control and monitoring purposes and that no effective legal remedies are available against this.

4. Data processing for direct marketing

4.1 Scope of the processing of personal data for direct marketing
If you give us your voluntary consent to contact you for marketing purposes, we will process your email address, name, telephone number, title and title for the purpose of sending you direct marketing materials about properties and related offers, in-depth market reports, events and similar property-related services by e-mail and telephone.
If you receive a download link for documents via our CRM system in this context, we can also see whether and when (date and time) you have downloaded the files.

4.2 Legal basis for the processing of personal data
We process your data in connection with direct marketing only on the basis of your express consent (Art. 6 para. 1 lit. a GDPR). You can revoke your consent to advertising contact at any time without giving reasons for all or individual purposes and with effect for the future (e.g. via a link at the end of each newsletter).

4.3 Purpose of data processing
We process your data in connection with direct marketing for the purpose of providing you with information about property and related offers, in-depth market reports, events and similar services from the property sector by e-mail and telephone.

4.4 Duration of storage
If you have only registered to receive newsletters and direct marketing and are not a customer of ours, we will store your personal data until you cancel your registration and for a maximum of three years.

4.5 Recipients of data
For the use of direct marketing, we regularly use IT service providers and other service providers who support us in the provision of our services and act on our behalf (including providers of marketing tools, marketing agencies, communication service providers and call centres) (processors).
We also transfer your personal data to the following recipients:

• to other external third parties to the extent necessary (e.g. auditors, insurance companies in the event of an insurance claim, legal representatives in the event of a claim, etc.);
• to authorities and other public bodies to the extent required by law (e.g. tax authorities, etc.).

If we process your data in a third country outside the European Union (EU) or the European Economic Area (EEA) or in the context of the use of third-party services, this will only take place if it is necessary to fulfil our (pre)contractual obligations, on the basis of your consent, on the basis of a legal obligation or on the basis of our legitimate interests. We have implemented suitable and appropriate safeguards to ensure that the transfer of your data to the respective third country complies with data protection regulations. At your request, we will provide you with a copy of these appropriate safeguards if we process or have your data processed in third countries.
Insofar as this involves a transfer to countries without an adequacy decision pursuant to Art. 45 para. 3 GDPR and without suitable guarantees pursuant to Art. 46 GDPR, such as the USA in particular, we would like to point out that there is a risk that your data transferred in this way may be subject to access by authorities in these third countries for control and monitoring purposes and that no effective legal remedies are available against this.

5. Data processing events

5.1 Scope of the processing of personal data at events
Photographs and/or films/videos may be taken by us or on our behalf as part of events. By registering for an event, you acknowledge that photographs and video material in which you are depicted will be stored, used for press coverage and published in various (social) media, publications and on OTTO Immobilien websites (including in blog posts).

5.2 Legal basis for the processing of personal data
We (as the organiser) base the processing of your personal data on our legitimate interest in documentation pursuant to Art. 6 (1) (f) GDPR.

5.3 Purpose of data processing
We process your data for the purposes of documenting the event and for marketing purposes.

5.4 Duration of storage
We store photographs and/or films/videos of events for three years from the date of the event.

5.5 Recipients of data
For the creation of photographs, films/videos, press reports, publications and content for our various (social) media and for the OTTO Immobilien websites (including blog posts), we regularly use (IT) service providers who may also have access to personal data on our behalf and in accordance with our instructions in order to be able to provide the commissioned (IT) services.
We also transfer your personal data to the following recipients:

• to other external third parties to the extent necessary (e.g. auditors, insurance companies in the event of an insurance claim, legal representatives in the event of a claim, etc.);
• to authorities and other public bodies to the extent required by law (e.g. tax authorities, etc.).

Your data will not be passed on to any other third parties for their own purposes without your consent.
If we process your data in a third country outside the European Union (EU) or the European Economic Area (EEA) or in the context of the use of third-party services, this will only take place if it is necessary to fulfil our (pre)contractual obligations, on the basis of your consent, on the basis of a legal obligation or on the basis of our legitimate interests. We have implemented suitable and appropriate safeguards to ensure that the transfer of your data to the respective third country complies with data protection regulations. At your request, we will provide you with a copy of these appropriate safeguards if we process or have your data processed in third countries.
Insofar as this involves a transfer to countries without an adequacy decision pursuant to Art. 45 para. 3 GDPR and without suitable guarantees pursuant to Art. 46 GDPR, such as the USA in particular, we would like to point out that there is a risk that your data transferred in this way may be subject to access by authorities in these third countries for control and monitoring purposes and that no effective legal remedies are available against this.

6. Data security

We take appropriate technical and organisational security measures to protect your personal data against unintentional or unauthorised deletion, modification or against loss, theft and unauthorised inspection, disclosure, reproduction, use, modification or access. In addition, we and our employees are obliged to maintain data secrecy and confidentiality. Likewise, our processors, who must have access to your personal data in order to fulfil their professional duties, will be granted access and will be subject to the same obligations to maintain data secrecy and confidentiality.

7. Your rights as a data subject

7.1 Right to information
You have the right to request information from us about all personal data concerning you that is processed by us. You have the right to request information as to whether the personal data concerning you is transferred to a third country or to an international organisation. In this context, you may request to be informed of the appropriate safeguards pursuant to Art. 46 GDPR in connection with the transfer.

7.2 Right to rectification and right to restriction of processing
You may request the rectification or completion of incorrect or incomplete data. Under certain circumstances, for example if the accuracy of data is disputed until the accuracy has been verified, you may request that the processing of data be restricted so that it may only be processed with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest.

7.3 Right to data portability
You may request that we send you – or, where technically feasible, a third party designated by you – a copy of your data in a structured, commonly used and machine-readable format. You also have the right to transmit this data to another controller without hindrance from the controller to which the personal data has been provided, where

(1) the processing is based on consent pursuant to Art. 6 para. 1 lit. a GDPR or Art. 9 para. 2 lit. a GDPR or on a contract pursuant to Art. 6 para. 1 lit. b GDPR, and
(2) the processing is carried out using automated procedures.

In exercising this right, you also have the right to obtain that the personal data concerning you be transmitted directly by us to another controller, insofar as this is technically feasible. The freedoms and rights of other persons must not be affected by this.

7.4 Right to cancellation
You have the right to erasure of data in certain circumstances, for example if it is not processed in accordance with data protection requirements.
If you have asserted the right to rectification, erasure or restriction of processing against us, we are obliged to notify all recipients to whom the personal data concerning you have been disclosed of this rectification or erasure of the data or restriction of processing, unless this proves impossible or involves a disproportionate effort.

7.5 Right to object
You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on point (e) or (f) of Article 6 (1) GDPR.
In this case, we will no longer process the personal data concerning you unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves the establishment, exercise or defence of legal claims.

7.6 Right to revoke the declaration of consent under data protection law
You have the right to revoke any declaration of consent given under data protection law at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.

7.7 Supervisory authority
Irrespective of any other legal remedies, you have the right to lodge a complaint with the national supervisory authority of your place of residence if unlawful processing of personal data is assumed. In Austria, the data protection authority, Barichgasse 40-42, 1030 Vienna, e-mail: dsb@dsb.gv.at, telephone: +43 1 52 152-0 is responsible.

7.8 Assertion of your rights
To enable us to process your request regarding your above-mentioned rights and to ensure that personal data is not disclosed to unauthorised third parties, please formulate the request by clearly identifying yourself and providing a brief description of the scope of the exercise of your data subject rights listed above.

Status: September 2023