Privacy Policy

1. General

In this data protection declaration, you will find out which personal data FMTG Development GmbH processes automatically, in what way and for what purpose, and what rights you, as the person concerned, have.

2. Controller (Responsible)

The controller is FMTG Development GmbH, Walcherstraße 1A, A-1020 Wien, Österreich

Phone: +43 (1) 605 40 1156


3. Collection and processing of personal data

The protection of your personal data is particularly important to us. Your personal data will therefore only be processed to the extent that this is permitted by law and required to fulfill the respective purpose (registration, provision of services, medical treatments, contract processing, fulfillment of legal obligations, sending information material and advertising, sending a newsletter, carrying out customer analysis).

For registering at the hotel and reporting to the responsible authorities
  • First and Last Name
  • Birth date
  • Place of birth
  • Address (State, Country, ZIP)
  • Nationality
  • Gender (male or female)
  • ID type (ID card or passport)
  • First and last name of the child/children, date of birth, place of birth, gender, nationality
  • Spouse’s identification details
For the purpose of contractual obligations and obligations arising from the business relationship
  • First name and surname
  • Gender
  • Title
  • Citizenship
  • Federal State
  • Phone number
  • Email address
  • Birth date
  • License Plate
  • Travel document
  • Issuing authority
  • Date of issue
  • Expiry date
  • Company
  • Profession
  • Tax number
  • Loyalty card or membership card
  • Photo
  • Other remarks
  • Relationship to other profiles
  • Husband’s name, date of birth and place of birth
  • Allergies
  • Special needs
  • Credit Card/Payment Details
  • Copy of a valid photo ID for currency exchange transactions
  • Other means of transport: flight number, arrival time, GPS coordinates
  • Guest preferences (lake view, park view, room type)
  • Additional services (babysitter, wellness, …)
  • Date of birth, anniversaries, divorces, deaths in the family
  • Room facilities: romantic, business client
To process your health data (allergies and special needs), we need your express consent, which you can revoke at any time. Please note that if you do not give your consent or revoke it during our contractual relationship, we will not be able to provide our services to the usual extent, after which you will use our services at your own risk.
For the purpose of providing medical services and/or medical treatments

The following health data must be provided for the risk-free performance of medical examinations, the professional creation of a treatment plan and the daily support of our medical staff at the Hotel Grand MedSpa Marienbad: General health information, information on allergies, diabetes, medication, hemophiliacs, anticoagulants, infectious diseases, pregnancy, operations (when and which ones), accidents (when and what kind?), current medical treatment, smoking (number of cigarettes per day), alcohol consumption (how much? how often?), sleep disorders, digestive problems, difficulty urinating, heart disease (e.g. heart attack, angina pectoris, arrhythmia, cardiac pacemaker), circulatory diseases, epilepsy, headaches, weight fluctuations of more than 2 kg within the past four weeks, complaints in the following areas: sensory organs, nervous system, thorax, lungs, abdominal organs, head, neck, heart, circulation, spine, limbs, varicose veins, blood pressure, pulse.


To process the above health data, we need your express consent, which you can revoke at any time. Please note that if you do not give your consent or revoke it during our contractual relationship, we will not be able to provide our services to the usual extent, after which you will use our services at your own risk.

For sending information about our company's services and products and for contact by customer service
  • Name
  • Address
  • Email address
  • Mobile phone number

We use the following communication channels, if you have given us these: e-mail, post and SMS.

In order to inform you about offers and services and to contact you for customer surveys, we need your express consent, which you can give in a “double-opt-in” form. Without you providing us with the data mentioned in point 4 and giving your express consent, we cannot send you any information or contact you in this regard.

Pardot Marketing Automation System (“Pardot MAS”)

We use the Pardot Marketing Automation System (“Pardot MAS”), a special software for recording and evaluating the use of a website by website visitors and for sending advertising newsletters.

When you visit this website, Pardot MAS records your click path and uses it to create an individual usage profile using a pseudonym. For this purpose, cookies are used that allow your browser to be recognized. The legal basis is your consent, Art. 6 I 1 a GDPR.

However, you can deactivate the creation of pseudonymized usage profiles at any time by configuring your Internet browser so that cookies from the domain “” are not accepted. However, this may lead to certain restrictions in the functions and user-friendliness of our offer.

In order to provide you with the most interesting offer or product information possible, and provided that you actively consent to this, it is possible to merge your personal data with the data of a pseudonymized user profile via the cookies set, if you provide personal data – for example by ordering an advertising newsletter or filling out a form. You can object to this use of your personal data, such as name and address information, at any time in writing or by e-mail to You can revoke your consent at any time with effect for the future.

Promotional newsletters sent using Pardot MAS contain so-called web beacons. These are tiny graphics that allow us to analyze user behavior, such as opening and reading emails and clicking on links. This allows us to make our offered content more relevant and interesting for you.

4. Profiling

Profiling is the process in which the responsible person (controller or processor) collects and processes personal data for the purpose of providing and improving offers and services so that they can be better tailored to the needs of the customer. However, no decisions which may result in legal consequences or damage of any kind for the customer are made in an automated manner.
We can process the following data in our system called Protel: name, gender, title, address, telephone number, e-mail address, date of birth, license plate number, passport number, issuing authority, date of issue, expiration date, company, profession, tax number, membership card, photo, comments and relationship to other profiles.

We can assign the following data related to your reservation to your profile: previous reservations, future reservations, invoices, offers, confirmations, notes and questionnaires. Personal data provided by you will be processed until you withdraw your consent. You can revoke your consent at any time, free of charge and without giving any reason, at the hotel reception, by email at: or by phone at +43 (1) 605 40 1156 

For the purpose of providing and improving services and personalizing offers and services to better meet your needs (profiling):
  • Surname
  • Title
  • Gender
  • Address
  • Birth date
  • Nationality
  • Spouse
  • Child/ren
  • Birthdays as well as shoe and t-shirt size for MICE group participants
  • Enrollment in group activities (puzzles, camps, competitions, …)

5. Photographs at events

We have a legitimate interest in taking photos at events for marketing purposes and publishing them on our website. If you do not agree to this, you can always contact the hotel reception or send an email to or by phone at +43 (1) 605 40 1156.

6. Video surveillance

In the interest of public safety, there may be video surveillance in the area of the hotel entrance, the reception, the exchange office, the kitchen area, the garage entrances and driveways, the pools and pool bars, in the area around the wellness buildings and around the staff areas. Videos are stored on independent hard drives at the respective location and access is granted to external security companies, the respective IT officer and the GM hotels.
Recorded videos can be stored for a maximum of 6 months (Croatia), 72 hours (Austria), 7-14 days (Czech Republic), 15 days (Slovakia) or 7 days (Italy). In Croatia, by law, videos recorded at the exchange office must be stored for a minimum of 72 hours. In the interests of public safety at resorts, there may be a main entrance gate to the resort where guests must provide their name or reservation number to enter the premises; license plates are entered manually in a registration list.

7. Transfer to third parties

Your personal data will not be passed on to third parties, except
  • we are legally obliged to do this, e.g. according to the TKG, StGB or the StPO.
  • to authorized medical personnel in medical emergencies.
  • based on their express written consent
  • for services outside the hotel at your express request (e.g. for taxis, restaurant reservations, etc.)
  • individual hotels of the Falkensteiner Michaeler Tourism Group (FMTG); You can find more information about the companies (hotels) belonging to FMTG that process your data on our behalf on our website or at
For the purpose of payment processing, your bank details will be passed on to electronic payment service providers.

8. Data processing on behalf

If we engage a processor, we are still responsible for the protection of your personal data.


All direct or indirect subsidiaries and sister companies of FMTG Services GmbH operating under the brand “Falkensteiner Hotels & Residences” are processors according to Art. 28 GDPR.


We therefore only commission external processors to perform activities that are necessary for the provision of our services, such as for sending newsletters. These processors have committed themselves to us to comply with the applicable data protection regulations. An order processing contract was concluded in accordance with Art. 28 GDPR.


Your personal data will be shared with the following external data processors:

  • Protel Hotelsoftware Austria GmbH
  • Reservation Assistant, TAC Informationstechnologie GmbH, Hartberg
  • Delegate Technology GmbH, Wien; software maintenance contract
  • ProASP Professional Application Services Providing GmbH, Bad Vöslau
  • New Media Solutions GmbH, Salzburg
  • Thomas International Österreich GmbH, Wien
  • Prescreen International GmbH, Wien
  • Anita Maslo, Wien
  • HGC Hotellerie & Gastronomie Consulting GmbH, Innsbruck
  • A1 Telekom Austria AG, Wien
  • Rubatscher Steuerberatungs- und Wirtschaftsprüfungsgesellschaft m.b.H, Innsbruck
  • BMD Systemhaus GmbH, Steyr
  • Confida Süd Wirtschaftsprüfungsgesellschaft m.b.H, Graz
  • adserve digital advertising services GmbH, Wien
  • G.A. Service GmbH, Salzburg
  • Incert e-Tourismus GmbH & Co. KG, Linz
  • Workflow EDV GmbH, Wien
  • Die Socialisten – Social Software Development GmbH, Wien
  • Nexxchange GmbH, Wien
  • IB Grant Thornton Audit s.r.o., Bratislava, SK
  • Nexell GmbH, Zug, CH
  • EMEA Limited, München, DE
  • AffiliRed S.L., Palma de Mallorca, ES
  • The Reach Group GmbH, Berlin, DE
  • Auditor spol. s.r.o., Prag, CZ
  • Laser Line d.o.o., Umag, HR
  • MC Sistemi d.o.o., Ljubljana, SLO
  • BMB Leitner s.r.o., Bratislava, SK
  • Adria Scan d.o.o., Sveta Nedjelja, HR
  • Infolink d.o.o. Belgrad, SRB
  • Metadata d.o.o., Belgrad, SRB
  • IRECKON U B.V. – Hospitality solutions, Amsterdam, NL
  • Miles & More GmbH, Frankfurt am Main, DE
  • Dailypoint Central Data Management, München, DE
  • Teodt, Dr. Selk & Coll. GmbH, München, DE
  • Premiere Global Services, Inc. and subsidiaries // Premiere Conferencing Ireland Ltd; Cork, IRL
  • Adara Inc., London, UK
  • All About Cards S&K Solutions GmbH & Co. KG, 94032 Passau, DE
  • Revinate Inc., San Francisco, CA, USA
  • Facebook Inc., Menlo Park, CA, USA
  • Instagram Inc., San Francisco, CA, USA
  • Twitter Inc., San Francisco, CA, USA
  • YouTube LLC, San Bruno, CA, USA
  • Helmuth Thaler GmbH, Bruneck, Südtirol
  • Nor1 Inc; Santa Clara, CA, U.S.A.

We primarily use processors within the European Union. We only use processors outside the European Union if (i) the European Commission has issued an adequacy decision for the third country in question or (ii) we refer to the standard contractual clauses of the European Commission or (iii) suitable guarantees exist, e.g. the EU/US Privacy Shield, with the third country or (iv) we have agreed binding internal data protection regulations with the processor.

You can find more information about the processors commissioned by us at

9. Google Analytics

“Our websites use Google Analytics, a web analytics service provided by Google Inc. (“Google”). Google Analytics uses so-called “cookies” (text files that are stored on the user’s computer) which enable an analysis of the use of the website. The information generated by the cookie about the use of the website by users is usually transmitted to a Google server in the USA and stored there.


If IP anonymization is activated on our websites, the IP address of the user will be shortened beforehand by Google within member states of the European Union or in other contracting states of the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be sent to a Google server in the USA and shortened there. IP anonymization is active on our websites. On behalf of the operator of our website, Google will use this information to evaluate the use of the website by users, to compile reports on website activity and to provide other services related to website activity and internet usage to the website operator.


The abbreviated IP address transmitted by the user’s browser as part of Google Analytics is not merged with other Google data. Users can prevent the storage of cookies by using the opt-out function on the Falkensteiner website or alternatively by setting their browser software accordingly; however, FMTG Services GmbH would like to point out to users that in this case not all functions of our website can be used to their full extent. Users can also prevent the data generated by the cookie and related to their use of the website (including their IP address) being sent to Google and the processing of this data by Google by downloading and installing the browser plug-in available under the following link:


You can find out more information about the use of data for advertising purposes by Google, setting and objection options on the Google websites: (“How Google uses data when you use our partners’ websites or apps”), (“Use of data for advertising purposes”), (“Manage information that Google uses to show you ads”) and (“Control what ads Google shows you”)”.

10. Adobe Fonts

External fonts from Typekit are used on our website to enable a uniform and appealing presentation of our online presence. Typekit is a service provided by Adobe Systems Software Ireland Limited Ltd., 6 Riverwalk, Naas Road 24, Dublin, Ireland (“Adobe”). The web fonts are integrated by a server call at Adobe. According to Typekit’s data protection declaration, no cookies are set and no visitor data (neither IP address nor other personal information) is recorded when the fonts are loaded. The transmitted data serves to identify this website itself and the connected Typekit account. For more information, see Typekit’s privacy policy:

11. Duration of processing

We process your personal data – if necessary – for the duration of the entire business relationship (from the initiation and processing to the termination of a contract and the processing of outstanding claims). Once the contract has been completed, your data will be stored until the end of the warranty, statute of limitations, compensation for damages and statutory retention periods applicable to us, and until the end of any legal disputes in which the data is required as evidence.


We store data that you have made available to us for marketing and information purposes, such as sending a newsletter, until you revoke your consent.

12. Data security

We use technical and organizational security measures to protect your personal data against accidental or intentional manipulation, loss or destruction and against access by unauthorized persons, in accordance with Article 32 of the General Data Protection Regulation. Our security measures are continuously improved in line with technical progress.

13. Your rights

With regard to the processing of your data, you can assert the following rights under the General Data Protection Regulation and national data protection law:

a. Right of access

You can request confirmation from us as to whether and to what extent we are processing your data. This confirmation contains information about the purposes for which your data is processed, the categories of personal data processed, the recipients or categories of recipients of personal data, the duration of data processing.

b. Right to Rectification

You can request at any time that incorrect or incomplete data concerning you be corrected and/or completed immediately.

c. Right to Erasure

You can request us to delete your personal data if we are processing it unlawfully, the processing interferes disproportionately with your legitimate protection interests, the personal data is no longer necessary for the purposes for which it was collected, or you have revoked your consent. Please note that there may be reasons that prevent immediate deletion, such as statutory retention requirements.

d. Right to restriction of processing

You can ask us to restrict the processing of your data if
  • you contest the accuracy of the data, for a period enabling us to verify the accuracy of the data;
  • the processing of the data is unlawful, but you refuse to delete it and instead request a restriction of data use;
  • we no longer need the data for the intended purpose, but you still need this data to assert, exercise or defend legal claims, or
  • you have lodged an objection to the processing of the data.
From the request for restriction, this data will only be processed with individual consent or to assert and enforce legal claims.

e. Right to data portability

You can request that we provide you with the data you have provided to us in a structured, commonly used and machine-readable format, provided that
  • we process this data on the basis of revocable consent given by you or to fulfill a contract between us, and
  • this processing is carried out using automated procedures.

f. Right to object

For reasons arising from your particular situation, you can object at any time to the processing of personal data relating to you, which is necessary to protect our legitimate interests or those of a third party. Your data will no longer be processed after the objection, unless there are compelling legitimate reasons for processing that outweigh your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims.


You can object to direct marketing at any time without giving reasons.

g. Right of appeal

If you believe that we are in breach of national or European data protection law when processing your data, you can contact us at any time. Of course, you also have the right to contact the responsible data protection authority and, from May 25, 2018, also the supervisory authority within the EU.

h. Asserting Your Rights

To assert one of the rights mentioned against us, please use the following contact options: If we cannot determine your identity based on the data we have on file, it may be necessary for us to request additional information to determine your identity (e.g. photo ID). Such inquiries serve to protect your rights and your privacy.