Privacy Policy
Protecting your personal data is important to us. This privacy policy explains transparently which data is processed when you visit and use this website, for which purposes this happens, on which legal basis the processing is carried out and which rights you have.
1. Privacy at a glance
General information
Personal data means any information relating to an identified or identifiable natural person. This includes, for example, name, email address, IP address, technical usage data or information you provide to us in connection with an enquiry or newsletter subscription.
We process personal data only on the basis of applicable legal provisions, in particular the General Data Protection Regulation (GDPR), the Austrian Data Protection Act (DSG) and the Austrian Telecommunications Act 2021 (TKG 2021).
How do we collect your data?
Some data is collected when you actively provide it to us, for example by email, through a newsletter subscription or in connection with another form of contact. Other data is collected automatically or for technical reasons when you visit the website, in particular server log data, security data and technically required cookies.
What do we use your data for?
We use data to technically provide and secure the website, handle enquiries, manage and send the newsletter, maintain the content management system, display editorial content and comply with legal obligations.
What rights do you have?
Subject to the statutory requirements, you have rights of access, rectification, erasure, restriction of processing, data portability, objection and withdrawal of consent. Details can be found in the section "Your rights".
2. Controller
The controller responsible for data processing on this website is:
Bundesverband Österreichische Traditionsweingüter
Austrian association register number: 1439602723
c/o Kloster Und
Undstraße 6, A-3500 Krems
Austria
Email: info@oetw.at
The controller is the natural or legal person who, alone or jointly with others, determines the purposes and means of the processing of personal data.
3. Legal bases for processing
Depending on the processing activity, we rely on different legal bases for processing personal data:
- Consent pursuant to Art. 6(1)(a) GDPR: where you voluntarily consent to a specific processing activity, for example when subscribing to the newsletter.
- Contract performance or pre-contractual measures pursuant to Art. 6(1)(b) GDPR: where processing is necessary to handle an enquiry, perform an agreement or prepare a collaboration.
- Legal obligation pursuant to Art. 6(1)(c) GDPR: where we are legally required to retain or disclose data.
- Legitimate interest pursuant to Art. 6(1)(f) GDPR: where processing is necessary for the secure, stable and user-friendly provision of the website, abuse prevention, administration or protection of our rights, and your interests do not override ours.
- § 165 TKG 2021: where information is stored on or accessed from your device, for example through cookies. Technically necessary operations are permitted without consent. Non-essential cookies or comparable technologies are used only in accordance with statutory requirements.
4. Hosting and technical delivery
External hosting
This website is operated on technical infrastructure provided by external service providers. Data required for website delivery, system stability, technical security and error analysis is processed.
Server log files
When you access the website, information may automatically be processed in so-called server log files. This includes in particular:
- IP address of the requesting device
- date and time of access
- requested page or file
- amount of data transferred
- referrer URL, where transmitted
- browser type, browser version and operating system
- status code or information on whether the request was successful
This data is not merged with other data sources. Processing is based on our legitimate interest in the secure and technically error-free provision of the website pursuant to Art. 6(1)(f) GDPR. Log data is stored only as long as necessary for operation, security and error analysis and is then deleted or anonymised unless statutory obligations or legitimate security interests require longer retention.
Media, downloads and object storage
Depending on the production configuration, Cloudflare R2 or another S3-compatible object storage service may be used for media and download files. When such files are accessed, technical access data may be processed so that the file can be delivered and the service can be protected. Processing is based on Art. 6(1)(f) GDPR.
Processing on our behalf
Where external service providers act as processors, we enter into agreements pursuant to Art. 28 GDPR. The service providers process personal data only to the extent required and in accordance with our instructions.
6. Newsletter
If you subscribe to the ÖTW newsletter, we process your data for subscription, delivery and management of the newsletter. This includes in particular email address, language and, optionally, first name, last name, industry and country.
Subscription is only possible if you accept the privacy notice. You can unsubscribe from the newsletter at any time via the unsubscribe link in the newsletter or by email to info@oetw.at.
Mailchimp
We use Mailchimp, a service of The Rocket Science Group LLC and the Intuit group, to send the newsletter. The data entered is transmitted to Mailchimp and processed there for newsletter delivery, unsubscribe management and technical delivery.
Mailchimp may also process data in the United States. According to the provider, appropriate safeguards are used for this purpose, in particular the EU-U.S. Data Privacy Framework and standard contractual clauses. Processing is based on your consent pursuant to Art. 6(1)(a) GDPR. Your data is stored until withdrawal or unsubscription unless statutory retention obligations apply.
Spam and abuse prevention
To protect against misuse, the newsletter form also processes technical data such as the time the form was started, security checks, an invisible honeypot field and a temporary rate-limit check based on IP address and email address. This processing is based on our legitimate interest in spam and abuse prevention pursuant to Art. 6(1)(f) GDPR.
7. Contacting us
If you contact us by email or via other listed contact channels, we process your information to handle the request and any follow-up questions. This includes in particular name, contact details, message content and technical communication data.
The legal basis is Art. 6(1)(b) GDPR where your request relates to a contract or pre-contractual measures. In all other cases, processing is based on our legitimate interest in efficiently handling enquiries pursuant to Art. 6(1)(f) GDPR or, where obtained, on your consent pursuant to Art. 6(1)(a) GDPR.
The data is deleted once the purpose of processing no longer applies, unless statutory retention obligations or legitimate interests require further storage.
8. Content management system and admin area
This website is operated with a content management system. For authorised editors and administrators, personal data required for user management, login, role and rights management, password reset, email verification, logging and secure CMS operation is processed.
This may include name, email address, role, encrypted credentials, session data, technical log data, content changes and timestamps of administrative actions.
The legal bases are contract performance or pre-contractual measures pursuant to Art. 6(1)(b) GDPR, legal obligations pursuant to Art. 6(1)(c) GDPR and our legitimate interest in secure administration, traceability and protection of the CMS pursuant to Art. 6(1)(f) GDPR.
9. Embedded content and external links
Embedded content
Posts may contain embedded content from external providers, such as videos, maps, audio players, social media content or other editorial embeds. Such content technically behaves as if you were visiting the provider's website directly.
Personal data such as IP address, browser information, device information, time of access and the page visited may be transmitted to the respective provider. External providers may also set their own cookies or comparable technologies if their content is loaded.
Where external content is embedded, this is done to present editorial content clearly and on the basis of our legitimate interest pursuant to Art. 6(1)(f) GDPR, unless consent is required. The privacy policies of the respective providers apply to their further processing.
Simplecast
We use Simplecast to provide and play podcast or audio content. When a Simplecast player is loaded or played, personal data such as IP address, browser and device information, time of access, the page visited and usage or playback data may be transmitted to and processed by Simplecast. Simplecast may also use cookies or comparable technologies where this is required for the player, technical delivery, analytics or security.
The integration is used to present and play editorial audio content. The legal basis is our legitimate interest pursuant to Art. 6(1)(f) GDPR, unless consent is required. Where Simplecast uses cookies or comparable technologies that require consent, processing is based on your consent pursuant to Art. 6(1)(a) GDPR and Section 165(3) TKG 2021.
External links and social media
Links to Facebook, Instagram, Tour de Vin, shop offers, member wineries or other external websites are simple links. Data is only transmitted to these providers when you actively click the respective link. From that point on, the privacy policies of the respective external provider apply.
10. Recipients and processors
Personal data is transferred to third parties only where this is necessary to provide the website, handle your request, send the newsletter, comply with legal obligations or protect legitimate interests.
Recipients may include in particular:
- hosting and infrastructure providers
- email and newsletter service providers
- IT service providers and technical maintenance partners
- operators of media and download storage
- legal and tax advisors
- authorities, courts or public bodies where legally required
- external shop, payment or platform providers if you use their offers
Where required, we enter into agreements with processors pursuant to Art. 28 GDPR.
11. Transfers to third countries
Personal data is transferred to countries outside the European Economic Area only where an adequacy decision by the European Commission, appropriate safeguards such as standard contractual clauses, your explicit consent or another legal basis under Chapter V GDPR exists.
In the case of US service providers, a transfer may be based on the EU-U.S. Data Privacy Framework if the respective provider is certified accordingly. Standard contractual clauses may be used additionally or alternatively.
12. Retention period
We store personal data only for as long as necessary for the respective purposes. In addition, we store data where statutory retention obligations apply or where further storage is necessary to establish, exercise or defend legal claims.
If you assert a legitimate request for erasure or withdraw consent, the relevant data will be deleted unless statutory retention obligations or other legally permissible reasons for further storage apply.
13. Data security
We use appropriate technical and organisational measures to protect personal data against loss, misuse, unauthorised access, alteration or disclosure. Depending on the area, this includes access restrictions, role and rights concepts, encryption, secure passwords, logging, updates and organisational security measures.
Where technically possible, this website is transmitted securely via HTTPS. You can recognise an encrypted connection by the lock symbol and "https://" in your browser's address bar. Nevertheless, data transmission over the internet may have security vulnerabilities. Complete protection against access by third parties is not possible.
14. Your rights as a data subject
Subject to statutory requirements, you have the following rights:
Right of access pursuant to Art. 15 GDPR
You may request information as to whether we process personal data about you. If this is the case, you may request information in particular about processing purposes, data categories, recipients, storage period, origin of the data and the existence of further rights.
Right to rectification pursuant to Art. 16 GDPR
You may request the correction of inaccurate personal data or the completion of incomplete personal data.
Right to erasure pursuant to Art. 17 GDPR
You may request the erasure of your personal data unless there is a legal reason for further processing or retention.
Right to restriction of processing pursuant to Art. 18 GDPR
Under certain conditions, you may request that the processing of your personal data be restricted, for example while the accuracy of the data is being verified or if you have objected to processing.
Right to data portability pursuant to Art. 20 GDPR
You may request to receive data that you have provided to us in a structured, commonly used and machine-readable format or to have it transmitted to another controller, provided that the statutory requirements are met.
Right to object pursuant to Art. 21 GDPR
Where we process personal data on the basis of Art. 6(1)(e) or (f) GDPR, you may object at any time on grounds relating to your particular situation. We will then no longer process the affected data unless we can demonstrate compelling legitimate grounds or the processing serves the establishment, exercise or defence of legal claims.
If personal data is processed for direct marketing purposes, you may object to this processing at any time.
Withdrawal of consent
You may withdraw consent at any time with effect for the future. The lawfulness of processing carried out before withdrawal remains unaffected.
No automated decision-making
We do not make decisions based solely on automated processing, including profiling, that produce legal effects concerning you or similarly significantly affect you.
Contact for exercising your rights
To exercise your rights, please contact info@oetw.at or write to the address provided in the legal notice.
15. Right to lodge a complaint
If you believe that the processing of your personal data violates data protection law, you have the right to lodge a complaint with a data protection supervisory authority. In Austria, this is:
Austrian Data Protection Authority
Barichgasse 40-42
1030 Vienna
Austria
Phone: +43 1 52 152-0
Email: dsb@dsb.gv.at
Website: dsb.gv.at
16. Changes to this privacy policy
We reserve the right to update this privacy policy if legal requirements, technical functions or our data processing activities change. The version published at the time of your visit applies.
17. Questions about data protection
If you have questions about this privacy policy or would like to learn more about the processing of your personal data, please contact us at info@oetw.at.
