We appreciate your interest in CASAMARAI – Saalbach Appartements. Protecting your personal data is important to us. This statement provides information, in accordance with Articles 13/14 of the GDPR, about the type, scope, and purposes of data processing, the legal bases, recipients, storage duration, your rights, as well as the use of cookies/tracking pursuant to the Austrian Telecommunications Act (TKG 2021) and the German Telecommunications-Telemedia Data Protection Act (TTDSG).
1. Data Controller
CASAMARAI – Maria Breitfuss
Oberer Ronachweg 733, 5753 Saalbach, Österreich
Telefon: +43 664 28 26 150
E-Mail: maria.breitfuss@saalbach.net
Web: www.saalbach-appartement.at
(Kein Datenschutzbeauftragter bestellt, da gesetzlich nicht erforderlich.)
2. Legal Bases (Overview)
Art. 6 (1) (b) GDPR (contract / pre-contract), (c) (legal obligation), (f) (legitimate interest), (a) (consent).
Access to end devices / Cookies:
Austria: Section 165 (3) TKG 2021 (cookies required for technical operation without consent; all others only with consent)
Germany: Section 25 (1/2) TTDSG (same principle)
3. Processing Activities on this Website
3.1 Accessing the Website / Server Logs
Data: IP address, date/time, URL/referrer, user agent, status codes
Purposes: delivery of content, stability, security (e.g., defense against attacks)
Legal basis: Art. 6 (1) (f) GDPR (legitimate interests)
Storage period: 14–30 days
3.2 Contact (E-mail / Contact Form – Contact Form 7)
Data: name, e-mail address, phone number, message, timestamp
Purpose: processing your inquiry
Legal basis: Art. 6 (1) (b) GDPR (pre-contractual/contractual measures) or Art. 6 (1) (f) GDPR (legitimate interests)
3.3 Bookings / Billing & Registration Obligations (AT)
Purpose: reservation, contract performance, guest registration/mandatory reporting
Legal basis: Art. 6 (1) (b) GDPR (contract) and Art. 6 (1) (c) GDPR (legal obligation)
3.4 Consent Management (Cookie Cracker)
Cookies: cookie-cracker_1, cookie-cracker_1_prefs
Purpose: documentation of the cookie selection
Storage period: 90 days
3.5 Web Analytics – Google Analytics 4
Cookies: _ga, _ga_
Legal basis: consent (Art. 6 (1) (a) GDPR)
GA4 ID: G-8QHQDBE80J
3.6 Marketing – Meta/Facebook Pixel
Cookies: fr, xs, wd, _fbp, datr, sb, locale
Pixel ID: 499502205843392
Legal basis: consent (Art. 6 (1) (a) GDPR)
3.7 External Media: Facebook Page Plugin
Cookies: _fbp, datr, fr, wd, oo, _js_datr, sb, locale
Provider: Meta Platforms Ireland Ltd.
3.8 External Media: Google Maps
Cookies: SSID, SAPISID, APISID, HSID, SID, __Secure-3PSID, CONSENT, 1P_JAR
Provider: Google Ireland Ltd.
3.9 WordPress System WPML
Cookies: wordpress_*, wordpress_logged_in_*, wp-settings-*, wordpress_test_cookie, _icl_*, wpml_*
Legal basis: strictly necessary (Art. 6 (1) (f) GDPR in conjunction with § 165 TKG 2021 / § 25 (2) TTDSG)
3.10 Comments Gravatar
Legal basis: consent (Art. 6 (1) (a) GDPR)
4. Cookies / Local Storage – Summary
Required (without consent): cookie-cracker_1, cookie-cracker_1_prefs, wordpress_test_cookie, wordpress_*, wordpress_logged_in_*, wp-settings-*, _icl_*, wpml_*, DSGVO-AIO-Keys (dsgvoaio, _uniqueuid …)
Optional (with consent): Google Analytics 4 (_ga, _gid, _gat, _gac_gb_*), Facebook Pixel Page Plugin (_fbp, datr, fr, wd, oo, sb, locale …), Google Maps (SSID, SAPISID …)
Recipients and Data Processing by Processors
Hosting provider, IT service providers, Google, Meta, Automattic, public authorities (registration/tourist tax obligations). Data processing agreements pursuant to Art. 28 GDPR have been concluded.
6. Transfers to Third Countries
Data transfers outside the EU/EEA are carried out on the basis of adequacy decisions, Standard Contractual Clauses (SCC), and, where applicable, the EU-U.S. Data Privacy Framework (DPF). A residual risk of access by U.S. authorities remains.
7. Storage Period
Data are processed only for as long as the purpose requires or as long as statutory obligations apply. Afterwards, the data will be deleted or anonymized.
8. Mandatory Information / Contractual Necessity
Certain information is required for inquiries/bookings. Without this information, it is not possible to make a reservation/booking.
9. No Automated Decision-Making
No solely automated decision-making, including profiling pursuant to Art. 22 GDPR, takes place.
10. Your Rights
Access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction of processing (Art. 18), data portability (Art. 20), objection (Art. 21), withdrawal of consent given (Art. 7 (3)).
11. Right to Lodge a Complaint
Austria: Austrian Data Protection Authority, Barichgasse 40–42, 1030 Vienna, www.dsb.gv.at
Germany: competent regional supervisory authority or the Federal Commissioner for Data Protection and Freedom of Information (BfDI).
12. Security (TOM – Technical and Organisational Measures)
Technical and organisational measures (access restrictions, encryption, backups). However, internet transmissions may still be subject to security vulnerabilities.
13. Updates / Changes
This statement will be updated in the event of changes. The current version can be found at /datenschutz.