
    Data processing register according to Art. 30 para 1 EU General Data Protection Regulation (DSGVO)

    (Responsible party) 

    Contents 

    A.  Data sheet: General information
    B.  Data processing / processing purposes
    C.  Details of the individual data processing purposes
    D.  General description of organizational and technical measures

    A. Master data sheet

    Name and contact information of the parties responsible for the processing (jointly)

    a. Name(s) and address(es):
    Hotelbetriebsgesellschaft Metzler GmbH
    Ziggamweg 227
    6791 St. Gallenkirch

    b. E-mail address(es) (and any other contact details such as telephone number):
    info@zamangspitze.at
    Tel: 05557-6238
    Fax: 05557-6238-5

    c. Name and contact details (address, e-mail and any other contact details such as telephone number) of the party responsible for data protection[1]:
    none

    d. Name and contact details (address, e-mail and any other contact details such as telephone number) of the representative of the responsible party:[2]
    none

    B. Data processing / Purpose of data processing

    1. Purpose and description of the data processing[3]:

    1. Accounting and business processing:
    Processing and transmission of data within the framework of business relationships with customers and suppliers, including automatically generated and archived text documents (such as correspondence or contracts) in these matters.

    2. Personnel administration:
    Processing and transmission of data for personnel planning, personnel employment, personnel remuneration as well as personnel development and the associated processing and transmissions for wage, salary, payroll accounting and compliance with recording, information and reporting obligations under labour and social law, including automatically generated and archived text documents (e.g. correspondence, letters of application, service certificates, test results, job descriptions) in these matters.

    3. Marketing:
    Processing and transmission of data for advertising purposes

    4. Guest database:
    Processing of data for the preparation of offers, reservations

    5. Employee recruiting:
    Processing and transmission of data of persons who are interested in employment with the Hotelbetriebsges. Metzler GmbH (curriculum vitae and applications)

    Concierge:
    • Processing and transmission of data for the creation of ski passes or Montafon Brandnertal Card, as well as booking of guided tours, sporting activities, or guided and non-guided mountain adventures


    2. Has a data protection impact assessment been carried out?[4]
    Yes [ ] No [X]
    If yes, when?
    If not, why not?[5] Prerequisite lacking

    C. Detailed information to 1.
    (Insertion of the specific data processing from the B sheet, e.g. the data processing purpose "Accounting"; the C sheet can then be used for each of the data processing purposes specified in the B sheet without having to repeat the general data from the A and B sheets)

    1. Categories of data subjects
    Serial No. | Description of categories of data subjects

    1. Customers and suppliers incl. contact persons at the customer's and supplier's premises.

    2. Administrator at the responsible office

    3. Third parties involved in the business transaction, including contact persons with the third parties

    Legal bases[6]

    Art. 6 para. 1 a (consent of data subjects), b (required for performance of contract), c (legal obligations under BAO and UGB), f (legitimate interests of data controller) DSGVO
    • § 132 BAO
    • §§ 190, 212 UGB
    3.  Contracts, declarations of consent or other documents (eg fulfilment of information duties[7]) are filed:[8] (voluntary)

    Documents regarding ongoing business transactions as well as invoices in the reception, completed business cases in the archive. Contracts with contract processors are, depending on the topic, in the reception and/or archive.

    4.  Categories of processed data and periods of deletion or retention [9]

    a.  Categories of data processed and whether they will be communicated to recipients [10]

    | Categories of the groups of involved persons from point 1 of the C-sheet | Running No. | Data categories | Special data categories within the meaning of Art. 9 DSGVO[11], or data relevant to criminal law as defined in Art. 10 DSGVO[12] | Banks | Legal representatives in business case | Chartered accountant | Courts for specific cases | Administrative authorities for specific cases | Debt collection company for specific cases | Tourism partners (mountain railways, MT) | Participating contractual and business partners | Insurance for specific cases | Provider (IT service provider) |
    |---|---|---|---|---|---|---|---|---|---|---|---|---|---|
    | 1 | 1 | Name, company or other business name | No | X | X | X | X | X | X | X | X | X | X |
    |  | 2 | Address | No | X | X | X | X | X | X | X | X | X | X |
    |  | 3 | Contact details | No | X | X | X | X | X | X | X | X | X | X |
    |  | 4 | Company register data | No | X | X | X | X | X | X | X | X | X | X |
    |  | 5 | Creditworthiness data including dunning and claim data | No |  | X |  | X |  |  |  |  |  |  |
    |  | 6 | Bank details | No | X | X | X | X | X | X | X | X | X |  |
    |  | 7 | Credit card number and company | No | X | X | X | X |  |  |  |  |  |  |
    |  | 8 | UID number | No | X | X | X | X | X | X | X | X | X |  |
    |  | 9 | Name of the contact person | No | X | X | X | X | X | X | X | X | X | X |
    |  | 10 | Contact information of the contact person (tel., mail, fax, address, etc.) | No | X | X | X | X | X | X | X | X | X | X |
    |  | 11 | Contract texts and business correspondence | No | X | X | X | X | X | X | X |  | X |  |
    | 2 | 12 | Name | No | X | X | X | X | X | X | X | X | X | X |
    |  | 13 | Function of the involved responsible person at the responsible office | No | X | X | X | X | X | X | X | X | X | X |
    |  | 14 | Cases processed by the responsible person involved | No | X | X | X | X | X | X | X | X | X | X |
    |  | 15 | Extent of power of representation | No | X | X | X | X | X | X | X | X | X | X |
    | 3 | 16 | Name, company or other business designation | No | X | X | X | X | X | X | X | X | X | X |
    |  | 17 | Address | No | X | X | X | X | X | X | X | X | X | X |
    |  | 18 | Contact information (tel., mail, fax etc.) | No | X | X | X | X | X | X | X | X | X | X |
    |  | 19 | Company register data |  | X | X | X | X | X | X | X | X | X | X |
    |  | 20 | Name of the contact person |  | X | X | X | X | X | X | X | X | X | X |
    |  | 21 | Contact information of the contact person (tel., mail, fax, address, etc.) |  | X | X | X | X | X | X | X | X | X | X |
    |  | 22 | UID number |  | X | X | X | X | X | X | X | X | X | X |
    |  | 23 | Bank details |  | X | X | X | X | X | X | X | X | X |  |
    |  | 24 | Credit card number and company |  | X | X | X | X |  |  |  |  |  |  |
    |  | 25 | Creditworthiness data including dunning and claim data |  |  | X | X | X |  |  |  |  |  |  |

    b.  Deletion and retention periods (if possible)

    | Data from 4.a. (running number) | Specification or description of the deletion or retention periods |
    |---|---|
    | 1-4; 6-25; | Due to the legal retention periods, 7 years in any case; beyond that until the end of any legal dispute, |
    | 5; 25; | Until termination of the business relationship |

     
    5.  Categories of recipients[13] to whom personal data are disclosed (including contract processing), in particular recipients in third countries. [14]
    a.  Categories of recipient and place of transmission (third country, international organisation such as UNO, OSCE)

    | Categories of recipients or recipients in third countries or international organisations (from 4.a.) | Third country (indication of third country, i.e. countries outside the EU) | International organization (specify international organization) |
    |---|---|---|
    | Banks |  |  |
    | Legal representative in business case |  |  |
    | Chartered accountant |  |  |
    | Courts |  |  |
    | Administrative authorities |  |  |
    | Collection companies |  |  |
    | External financiers |  |  |
    | Participating contractual and business partners |  |  |
    | Insurance if necessary |  |  |
    | Provider (IT service provider) |  |  |

     

    b. Documentation of the appropriate guarantees given in the case of a transfer to third countries which do not comply with Art. 45, 46, 47 or 49(1) (1) DSGVO (especially if no adequacy decision of the European Commission is available, no standard contractual clauses of the European Commission or the national data protection authority are used or approved certification mechanisms are used, no corporate binding rules are applied (approved binding group internal data protection regulations), the transfer is not required for contract fulfilment purposes or no explicit consent is given):

    D.  General description of technical and organisational measures

    a. Confidentiality [15]:
    Physical access control: Protection against unauthorized access to data processing systems and to the data archive (digital and folder) with locking system and alarm system
    System access control: Protection against unauthorized system use: Passwords
    Data access control: User administration or file administration (rights administration)

    b. Integrity [16]:
    Transfer control: Encryption
    Input control: logging and rights control of data processing programs

    c. Availability and resilience:
    Availability control: Backup strategy, firewall, virus protection

    d. Pseudonymization and encryption:

    e. Evaluation measures:
    Data protection management: training and analysis at the start of each season

     



    [1] Where a data protection officer has been appointed on a mandatory or voluntary basis.

    NOTE: If there is no obligation to appoint a data protection officer, but the person responsible wishes to appoint one voluntarily, all provisions of the DSGVO concerning the data protection officer must nevertheless be complied with; if this is not desired, the person appointed may not be called "data protection officer", but should be given a different name (e.g. "data protection coordinator"). This can, but does not have to, be included in the processing directory. See the WKO leaflet "Data Protection Officer".

    [2] This includes representatives of responsible persons who are not established in the EU.

    [3] For the term "processing", see the information sheet "Important definitions"; if data are also transferred to "third parties" or to contract processors, the purposes of these data transfers must also be documented in the processing directory.

    [4] For the data protection impact assessment, see the information sheet "Data protection impact assessment". Information on the data protection impact assessment is not mandatory in the processing directory. For reasons of accountability, however, it is advisable to include basic information on this in the processing directory.  

    [5] A data protection impact assessment should not be carried out if the data processing is not likely to pose a high risk to the rights of the data subjects or if the data processing type is listed in the data protection authority's so-called "white list" (there is currently no "white list"); for more details see also the information sheet "Data protection impact assessment".

    [6] The legal bases (e.g. legal obligation, consent, fulfilment of contract, vital interests of the data subject, no overriding legitimate interest of the data subject) are not mandatory under the DSGVO. However, the responsible processor is subject to a so-called accountability obligation. This means an obligation to provide evidence of compliance with the obligations under the DSGVO. This includes, among other things, proof that the data processing is carried out in accordance with the lawfulness principles laid down in the DSGVO. See the information sheet "Principles and lawfulness of processing".

    [7] See the information sheet "Information duties".

    [8] The indication of where the documents have been filed within the organization does not have to be documented in the processing directory, but makes it easier to find the decisive documents, especially in larger organizations with a division of labour (i.e. it only serves to facilitate work within the organization).

    [9] According to the DSGVO, deletion or storage periods are to be included in the processing directory wherever possible. For example, in the case of open-ended contracts no concrete deletion period can be specified, since the concrete contract expiry is indefinite. However, it is advisable to specify an abstract deadline here (e.g. "after expiry of the contract").

    [10] Only the "recipient categories" (e.g. "courts", "banks" or "social security institutions") are to be entered in the "recipient" section. When describing the recipient categories, care must be taken to ensure that the legality of the data can be verified (e.g. it will not be sufficient to simply state "group" as the recipient because it will not be possible to determine whether the data will be legally transferred to the parent company and/or sister companies).

     

    [11] Data under Art. 9 DSGVO are special categories of data ("sensitive data"): racial and ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic and biometric data identifying a natural person, health data, data on sex life or sexual orientation.

    [12] Processing of personal data relating to criminal convictions and crimes or related security measures under official supervision.

    [13] Above all, the recipients of the transfer ("third parties") as well as the processors of the data are to be documented here. When describing the recipient categories, care must be taken to ensure that the legality of the data can be verified (for example, it will not be sufficient to simply state "group" as the recipient because it will not be possible to determine whether the data will be legally transferred to the parent company and/or sister companies).

    [14] See the Information sheet "International Data Traffic". For recipients in third countries (especially in the USA because of the "Privacy Shield" system) it is advisable to name the recipient.

    [15] Preventing (unintentional) disclosure or unauthorized access to personal data.

    [16] Prevention of (accidental) destruction, (accidental) damage, (accidental) loss, (accidental) alteration of personal data.
