This privacy policy applies to all persons who use the services of Come in OG – hereinafter referred to as come in. We inform you about the nature, scope and purpose of the collection and use of your personal data by our company. The protection of your personal data is of particular concern to us - we respect your privacy and strive to comply with the legal requirements for the processing of your personal data. To this end, we have implemented organizational and technical protective measures, which we adapt if necessary.

1. General provisions
This privacy policy applies to all persons who use the services of Come in OG – hereinafter referred to as come in. We inform you about the nature, scope and purpose of the collection and use of your personal data by our company. The protection of your personal data is of particular concern to us - we respect your privacy and strive to comply with the legal requirements for the processing of your personal data. To this end, we have implemented organizational and technical protective measures, which we adapt if necessary.

1.1. Personal data:

Your personal data voluntarily provided directly, by telephone, e-mail, in person or by a third party (group coordinator, employer, family members or other travel organizers) will be collected, stored and processed in accordance with the most recent data protection legislation (EU GDPR). This is done both automation-supported and in the form of archived text documents (correspondence, booking confirmations, personalized invoices, manual files).

Flight bookings, hotel bookings and additional travel services: A booking with come in is not possible without the collection, storage, and processing of your personal data. This is done exclusively for the purpose of organizing and carrying out the travel booking. Your data will only be passed on to third parties who are directly involved in the booking process and if the organizational process makes this necessary – according to the requirements of your bookings (airline, hotel, transport company, travel insurance, etc.).

1.2. Images/films:

By signing the contract, you grant come in permission to use photos/films taken by you or your company presence during the event by our official photographer (team) for marketing purposes (event reports, promotion of follow-up events & own marketing) for an indefinite period. If you do not want any photos/films in which you have been photographed to be published, you can contact us at any time:  welcome@come-in.at

1.3. Links to other websites:
Links provided by come in (program booklets, invitation management, travel documents, travel information, travel insurance, entry formalities, etc.) may contain links to other websites. come in is not responsible for the data you enter on other websites. Like us, our partner companies are subject to the EU GDPR, but the implementation of this is the responsibility of each company itself. Our Privacy Policy applies only to data for which we (come in) are responsible.

2. Obligation to provide information in accordance with Articles 12-14 of the EU GDPR

We are happy to provide you with all information describing the type, purpose, and scope of the processing activities of your personal data.

2.1. Controller:

come in OG

1090 Wien, Alserstrasse 32/20

Mag(FH) Ronald Prohazka

Managing Director

2.2. Purposes of data processing:

Depending on the scope of the booking of the data subjects, their data will be required, stored, and processed for one or more of the purposes listed below.

2.3. Legal basis of the data processing purposes:

2.4. Third party data recipients - categories:

Your data will only be forwarded if the organisational process or a legal obligation makes this necessary - in accordance with the requirements of your bookings - and if a valid legal basis exists. The recipients only receive the data details necessary for them, not full data sets. In the context of service contracts with companies, this may also be your employer or its service partner in order to comply with travel policies.

2.5. Transfer of data to third countries:

Based on Art 49, 1b: transfer is necessary for the performance of a contract between the data subject and the controller or for the performance of pre-contractual measures at the request of the data subject. Only data that are actually needed for the stated purpose can be collected and processed.

2.6. Storage period of personal data:

The duration of storage is measured according to the duration of the business relationship and, in addition, according to the statutory retention obligations applicable to us. We emphasise that in the case of regular cooperation, we strive to know your customer requirements already communicated to us so well that we can continue to offer our best possible customer service on an ongoing and permanent basis.

Sensitive data (special dietary requirements) which must be collected for the purpose of carrying out the booking will be irretrievably deleted at the End of the event follow-up.

All other data will be kept for 7 years in order to comply with the legal retention period according to the Value Added Tax Act 1994, or according to any further legal retention obligations that apply beyond this. After expiry of the retention periods, the corresponding data will be routinely deleted if it is no longer required for the fulfillment or initiation of the contract.

3. Rights of the data subjects

We are happy to inform you about your rights according to the EU Data Protection Regulation:

3.1. Data subject rights according to Art. 15-21 EU-DSGVO:

• Right to information
• Right to rectification
• Right to erasure/right to be forgotten
• Right to restriction of processing
• Right to data portability
• Right to object (in case of legitimate interest of the data controller)

Detailed descriptions can be found here:

http://eur-lex.europa.eu/legal-ontent/DE/TXT/HTML/?uri=CELEX:32016R0679&from=DE

© European Union, http://eur-lex.europa.eu/,  1998-2018'

https://www.wko.at/service/wirtschaftsrecht-gewerberecht/EU-Datenschutz-Grundverordnung:-Betroffenenrechte.html

3.2. Right of withdrawal pursuant to Art. 7 EU GDPR:  

Depending on your category of person, we ask you for various declarations of consent. These will be requested in the course of a travel booking, a possible online registration or directly from the person concerned/group coordinator/company representative. The declarations of consent are not obligatory according to the EU Data Protection Regulation. Every data subject has the right to revoke his/her given consent(s) at any time. The revocation of the declaration of consent does not affect the lawfulness of the processing carried out on the basis of the consent until the revocation.

3.3. Right to lodge a complaint with a supervisory authority pursuant to Art. 77 EU GDPR

Any data subject has the right to lodge a complaint with a supervisory authority if the data subject considers that the processing of personal data concerning him or her infringes the EU GDPR.

4. Description of other purposes

Legitimate interests of the controller pursuant to Art. 6 (1) f) EU GDPR

4.1. Advertising/Marketing:

Processing of personal data of the data subject in order to inform him/her about the above mentioned travel bookings, as well as about similar products and services.

4.2. Maintaining high standards of customer service  

e.g. frequent flyer information / travel preferences / informing customers of changes / customer feedback.

Annex: Provisions on commissioned data processing

These General Terms and Conditions contain the contract within the meaning of Art. 28 of Regulation (EU) 2016/679 ("General Data Protection Regulation", as amended: "GDPR") according to the will of come in OG as the processor and the client as the controller and regulate the rights and obligations of the processor and the claims of the controller in connection with data processing.

Subject of the agreement and the order

The processor processes personal data on behalf of the controller. According to the underlying framework agreement, the order includes all processing of personal data within the meaning of the GDPR and in accordance with all other (in particular national) provisions for the purpose of providing services to the end customer (services to event participants, organisation of hotel rooms and other services).

The following end customer data is processed as part of the aforementioned data processing: First name, surname, address data, email address, telephone number, booking data (transport/accommodation), payment data incl. payment history, device data incl. location data (GPS), IP address, cookie information if applicable (in accordance with our online cookie policy). The email address is used as an identifier when registering; invited guests receive a link with a pseudonymised token for personal and exclusive registration for the event beforehand.

The controller is responsible for assessing the permissibility of the data processing. The processor has the right to inform the controller of unlawful data processing. The controller is solely responsible for safeguarding the rights of data subjects. It shall inform the processor immediately if data subjects assert their rights (Art. 19 GDPR). The controller has the right to issue additional written instructions to the processor at any time regarding the type, scope and procedure of data processing. The controller may appoint persons authorised to issue instructions. These will be announced separately if required by the controller. The controller shall inform the processor immediately if it discovers errors or irregularities in connection with the processing of personal data by the processor. In the event that there is an obligation to inform the data subjects and any third parties in accordance with the relevant laws, the controller shall be responsible for compliance with this obligation.

In accordance with accounting retention periods, data is stored for 7 years until the end of the last full financial year, and beyond this period if there is a legitimate interest on the part of the controller.

The processor processes personal data exclusively within the framework of the agreements and declarations made and in compliance with any supplementary instructions issued by the controller and confirms compliance with the EU General Data Protection Regulation (GDPR). Copies or duplicates of the data will not be made without the knowledge of the controller. Excluded from this are backup copies, insofar as they are necessary to ensure proper data processing, as well as data that is required with regard to compliance with statutory retention obligations, in particular accounting retention periods (7 years). The processor shall inform the controller if, in its opinion, an instruction issued by the controller violates legal regulations. The processor is authorised to suspend the implementation of the instruction in question until it is confirmed or amended by the controller. If the processor's co-operation is necessary for the controller to safeguard the rights of the data subject, the processor shall take the necessary measures in accordance with the controller's instructions. If the processor discovers that the protection of the personal data processed by it on behalf of the controller has been breached, it shall inform the controller immediately and fully of the circumstances of the incident(s).

The Controller shall have the right to monitor compliance with the statutory provisions on data protection and/or compliance with this Agreement and/or compliance with the instructions of the Controller by the Processor on the basis of internal documentation of the Processor. The Processor shall provide the Controller with information in this regard insofar as this is necessary to carry out the inspection.

Due to the special nature of travel services, the storage and forwarding of participants' personal data by the processor is expressly authorised by the controller. The controller and the person making the booking, if applicable, recognise that they may provide the processor with personal data of participants that is required for the provision of the agreed services (in particular the event processing and the arrangement of travel services) and accept the transfer of personal data for the correct execution of the ordered service:

• Booking platforms that are used to book tourism services;
• Service providers who provide tourism or other services;
• Public authorities and banks, for registration, tax and other statutory purposes.

If the data transfer of personal data is not carried out by the data subject himself/herself, but by representatives of the participant, end customer, person responsible (client), the person making the booking undertakes to inform the data subject of the data transfer to come in and of the transfer of the data to the categories of recipients described above.

The processor undertakes vis-à-vis the controller to comply with the technical and organisational measures required to comply with the applicable data protection regulations. Changes that negatively affect the integrity, confidentiality or availability of personal data must be made in agreement with the controller. Other measures may be implemented by the processor without consultation with the controller if they do not result in technical or organisational changes or do not adversely affect the integrity, confidentiality or availability of the personal data.

The processor may use the following sub-processors:

Nets A/S, Klausdalsbrovej 601, DK-2750 Ballerup, Denmark

Domainoffensive, Leinstr. 3, 31061 Alfeld (Leine), Germany

Postmark, AC PM LLC, 251 LITTLE FALLS DRIVE - WILMINGTON DE 19808, USA

The Processor shall conclude the necessary agreements within the meaning of Art. 28 GDPR with these sub-processors. The Processor shall obligate all employees who provide services in connection with the Controller's order in writing to treat the personal data processed for the Controller confidentially. The Processor undertakes to treat all information received in connection with the performance of the Framework Agreement and the data processing covered by this Agreement as confidential until the end of the business relationship and to use it only for the performance of the Framework Agreement. He is not authorised to use this information in whole or in part for purposes other than those just mentioned or to make this information accessible to third parties.

After termination of the framework agreement, the processor shall be obliged to hand over to the controller or (at the controller's discretion) to destroy on the controller's behalf all documents, processing results and data pertaining to the contractual relationship that have come into its possession. Documentation that serves as proof of proper data processing in accordance with the order shall be retained by the processor beyond the end of the framework agreement in accordance with the respective retention periods.