Privacy policy
The protection of your personal data is of particular concern to Wiener Staatsoper GmbH, Opernring 2, 1010 Vienna ("Staatsoper", "we", "us"). The State Opera observes the applicable legal provisions for the protection, lawful handling and confidentiality of personal data, as well as for data security, in particular the Austrian Data Protection Act ("DSG"), the EU General Data Protection Regulation ("GDPR") and the Telecommunications Act ("TKG").
In the following, we would like to inform you about the type, scope and purpose of the collection and use of your personal data and about your rights.
1. Personal data
According to the GDPR, personal data is any information relating to an identified or identifiable natural person, such as name, email address, customer number, etc. We may collect and process the following of your personal data
- Master data
As master data, we process salutation, title, name, address, date of birth, gender, language, e-mail address, telephone number, bank details (account holder, IBAN, BIC, bank name) and data for the use of special offers (e.g. proof of eligibility for discounts or booking certain cards). This applies to legal entities if data can be traced back to a natural person (e.g. name, telephone number, e-mail address of a contact person in the company). We receive master data from you if you actively contact us (e.g. by purchasing a ticket) or from cooperation partners (e.g. for processing cooperation events).
In the event that tickets are issued on a personalized basis, we also process the names and contact details (telephone number and/or email address) of event visitors as master data. - Payment and sales data
In addition to the master data, we process the specific payment processing data (bank details, credit card details) and general sales data (e.g. selected event or product, ticket and delivery type) in the case of orders and purchases. Credit card data is only processed by our certified payment service providers; we only store the credit card number in masked form (e.g. 454818********11). - Customer relationship data
We process data that arises in the course of our communication and customer relationship, such as correspondence data (e.g. e-mail correspondence), type and duration of memberships (e.g. Official Circle of Friends), data relating to print media (e.g. receipt of program previews) or data of contact persons (e.g. from schools). - Image data
When attending events, photographs and/or video recordings may be made of you (e.g. as part of television broadcasts).
For information on the processing of personal data through the use of our website or our social media channels, please refer to our cookie statement, which should be read in conjunction with this privacy policy.
2. Purposes and legal bases of data processing
In the following, we would like to inform you about the purposes for which we process your personal data. We only process your personal data in accordance with Art. 6 and Art. 9 GDPR if
- if you have given us your consent (pursuant to Art. 6 para. 1 lit. a or Art. 9 lit. a GDPR) for data processing for one or more specific purposes,
- if we need your data for the fulfillment of a contract or for the implementation of pre-contractual measures (pursuant to Art. 6 para. 1 lit. b GDPR)
- if the processing is necessary for compliance with a legal obligation (pursuant to Art. 6 para. 1 lit. c GDPR), or
- if there is a legitimate interest on our part (pursuant to Art. 6 para. 1 lit. f GDPR).
2.1. ticket purchase
General information on ticket purchases
We use the information you provide when purchasing tickets for events (this also applies to the purchase of subscriptions, cycles, vouchers, ticket orders, etc.) to perform and process the contractual service in accordance with Art. 6 para. 1 lit. b GDPR and to maintain the customer relationship (see separate point).
We process personal data relating to physical or mental health and from which information about the state of health can be obtained in order to make use of special discounts based on a disability pass or to book wheelchair spaces. The data processing is based on your express and voluntary consent in accordance with Art. 9 para. 2 lit. a GDPR. If you do not give your consent to data processing, you will not be able to obtain cards at discounted or special conditions.
We process your master data together with other companies of the Bundestheater Group (Volksoper Wien, Burgtheater and Bundestheater-Holding) in a joint database. The legal basis is the fulfillment of our (pre-)contractual obligations pursuant to Art. 6 para. 1 lit. b GDPR and our legitimate interests pursuant to Art. 6 para. 1 lit. f GDPR. The data processing serves, among other things, to process cross-stage offers (e.g. mixing cycles) and to ensure that your data is correct, up-to-date and uniform in order to offer you a corresponding level of convenience when purchasing tickets. If your master data also contains sensitive data (e.g. for the use of discounted tickets due to a disabled pass), the processing is carried out exclusively on the basis of your express consent in accordance with Art. 9 para. 2 lit. a GDPR. Together with Volksoper Wien GmbH, Burgtheater GmbH and Bundestheater-Holding GmbH, we are therefore joint controllers within the meaning of Art. 26 GDPR. Accordingly, we have concluded an agreement with Wiener Staatsoper GmbH, Burgtheater GmbH and Bundestheater-Holding GmbH in accordance with Art. 26 GDPR ("Joint Controller Agreement"), which regulates the distribution of tasks and obligations under data protection law. As joint controllers, we are equally responsible for compliance with the legal provisions, in particular for the lawfulness of data processing. You can address questions about data processing in connection with your ticket purchase to any of the joint controllers. You also have the right to assert your claims against each controller independently of the joint controller agreement. In addition to this joint responsibility, Bundestheater-Holding also has access to the payment and sales data for internal administrative purposes (e.g. for monitoring internal group requirements).
If you order or purchase tickets in the name or on behalf of other persons, please ensure that you are allowed to provide us with their personal data.
Online ticket purchase & webshop
To purchase tickets online (website or app) and to purchase products and services in our webshop, you must first register. You can also use your account later for other orders. You can view or change your personal data at any time after logging in again.
To register, we require your e-mail address, title, first name and surname, postal address and details relating to the respective payment method. The legal basis for data processing is the fulfillment of our (pre-)contractual obligations pursuant to Art. 6 para. 1 lit. b GDPR.
This data is used to identify you when you register in your account, to issue and, if necessary, send tickets and to process payment. Other voluntary information (such as your telephone number) helps us to provide you with the best possible service.
If you no longer need your account, you can simply inform us by sending an e-mail to datenschutz@wiener-staatsoper.at and your account will be deleted, taking into account any outstanding business transactions. In the event of deletion, we will only retain the legally required data for a period of 7 years.
2.2. maintenance of the customer relationship
We process your non-sensitive master data, payment and sales data and customer relationship data for customer advice and support, such as e-mail information on booked performances, the sending of print media (e.g. program previews), support within the framework of memberships (e.g. Official Circle of Friends, BundestheaterCard), satisfaction surveys, event invitations, birthday greetings and other forms of customer relationship management. We also process this data for the purpose of internal market research and statistical analysis.
As part of the customer relationship, you will receive information and offers about our ideas and products from us by post and digitally.
The legal basis for postal mailings is our legitimate interest in maintaining our customer relationships. If you do not want this, you can object to data processing at any time (e.g. by sending us a message).
In addition, we process your personal data for electronic marketing mailings about products or services that are similar to the products or services you have already purchased. The legal basis for this data processing is our legitimate interest in direct marketing pursuant to Art. 6 para. 1 lit. f GDPR. We will inform you of your right to object both when we receive your personal data and in every marketing mailing. You can easily object to data processing, e.g. via the link in the digital mailing or by sending an email to marketing@wiener-staatsoper.at .
2.3. contacting us
If you contact us via the contact forms on our website (e.g. ticket order, registration for the Official Circle of Friends, etc.), by email, telephone or other means of communication, your personal data and information that you provide to us when contacting us will be used to process your request. The legal basis for data processing is the fulfillment of our (pre-)contractual obligations pursuant to Art. 6 para. 1 lit. b GDPR.
2.4 Newsletter
Our free newsletter informs you regularly about the program schedule, offers and services.
Based on your consent pursuant to Art. 6 para. 1 lit. a GDPR to receive our newsletter, we will process your voluntarily provided data (e-mail address and optionally name) for sending the newsletter. In order to improve our offer for you, we record the opening and clicking behavior in relation to the newsletter for statistical purposes.
You can revoke your consent at any time and without giving reasons. The revocation can be made, for example, simply via a link in each newsletter itself or by e-mail to marketing@wiener-staatsoper.at.
If you register for a newsletter with an email address that you already use for a customer account with us (or vice versa), we will merge these data records.
2.5 Photo and video recordings
We use photos and video recordings made during our events exclusively in accordance with your personal rights. These recordings are primarily used for internal documentation. We also use these recordings for TV broadcasts, streaming and for recording performances on DVD. In exceptional cases, we also use photos of people to announce and advertise our events and activities in both digital and print media, which generally makes them known to the general public. The legal basis is our overriding legitimate interests pursuant to Art. 6 para. 1 lit. f GDPR (i) for internal documentation and (ii) for internal and external reporting on the events and activities.
If we cannot base the use of images on legitimate interests, we will obtain separate consent from you in accordance with Art. 6 para. 1 lit. a GDPR. We will only process photographs and video recordings in which children or other particularly vulnerable persons are recognizable with the consent of the persons depicted or their legal representatives.
2.6 Video surveillance
We also process video recordings that are used exclusively for the preventive protection of persons and property as well as to assist in the investigation of criminal offenses (e.g. damage to property, vandalism, burglary) and the protection of domiciliary rights as well as to fulfill legal duties of care, including the preservation of evidence. For this purpose, we have installed video cameras in the entrance foyer and in the checkout area. This data processing is based on our legitimate interest pursuant to Art. 6 para. 1 lit.f GDPR in conjunction with § 12 DSG, 353 ff ABGB (protection of property) and § 80 StPO as well as to fulfill legal obligations according to Art. 6 para. 1 lit. c GDPR. If you are in the video-monitored area, we process your image data (appearance, behavior), location of the image recording (premises, location of the camera) and time of the image recording (date, time, start/end of the image recording). In the event of a criminal offense, for example, we also process your identity, if recognizable, and your role (e.g. perpetrator, victim, witness).
Only a few selected employees have documented access to the video surveillance recordings. This access is only granted in the event of an incident, in particular for the investigation of criminal offenses. If a suspicion of a criminal offense is confirmed, the data may also be passed on to our insurance company and state authorities.
In addition, we process video recordings for theater and security purposes and thus on the basis of our legitimate interests in accordance with Art. 6 para. 1 lit. f GDPR. Primarily, parts of the ensemble are filmed in order to optimize the performance (e.g. live transmission of the conductor for musicians and stagehands who would otherwise not be able to see him/her from their location). Due to the orientation of the cameras, it is possible that some visitors may be visible on the recordings. However, the video recordings are not stored permanently and are deleted immediately after the performance.
2.7 Video streams
On our streaming platform play.wiener-staatsoper.at, we offer selected performances as live streams or for viewing within 72 hours of the start of the broadcast. Access is free of charge worldwide after free registration with a user name and password.
Access to the offer on the streaming platform requires registration or the creation of a user account. With each registration, a verification query and a validity check of the user account is carried out by INTIO TV GmbH, the company commissioned to operate the platform.
The purpose of creating a customer account (e-mail address, password, first and last name) is to ensure access to video retrieval at all times, even in the event of a change of device or another login attempt, and to protect against misuse of our streaming platform.
The video player used is equipped with a statistics function that records usage - i.e. the number of video views and the actual minutes of film watched. No personal profiles are created at any time. We base this processing on the legal basis of the legitimate interest Art. 6 para. 1 f) GDPR to optimize our website and improve our offer planning.
Our processor for the operation of the streaming website, the corresponding apps for iOS and Android, and access control to our free streaming offer is the company INTIO TV GmbH. Compliance with data protection is contractually agreed. INTIO TV GmbH uses the cloud computing services of Amazon Web Services (AWS) for technical operations, specifically the server location in Frankfurt, Germany.
3. Data transfer
Your personal data will not be passed on to third parties unless you have expressly given your consent or we are legally obliged to do so or the data transfer is necessary to fulfill our obligations. For example, payment and sales data is transmitted to the Bundestheater-Holding for internal administrative purposes (e.g. for the control of internal group requirements).
To carry out certain tasks, we use selected service providers who work for us as processors and may be given access to your data to the extent necessary. This applies, for example, to areas such as ticket sales (e.g. ART for ART Theaterservice GmbH), marketing tools, software solutions, IT services, postal dispatch and similar services. All our processors process your data only on our behalf and on the basis of our instructions for the purposes described above. Furthermore, we ensure through contractual obligations that our processors comply with the legal provisions on data protection in the same way as we do.
If personal data is transferred to recipients in third countries outside the EU and there is no adequacy decision by the EU Commission for the third country in question pursuant to Art. 45 GDPR, the transfer will take place in individual cases subject to suitable guarantees pursuant to Art. 46 GDPR or, if necessary, by consent for specific purposes.
4. Data security
In addition to compliance with the principles of data protection and the obligation of our employees to maintain data secrecy, we take appropriate technical and organizational measures to ensure the security of data processing, i.e. the confidentiality, integrity, availability, resilience and rapid recoverability of the systems and services used, on a permanent basis.
5. Retention period
We store your data in accordance with the legal provisions. To this end, we only store your personal data for as long as is necessary for the purposes for which it is processed. This is usually the duration of the customer relationship. A longer retention period may result primarily from legal retention obligations (usually 7 years) or for the assertion of legal claims. In this case, we store your personal data for as long as legal claims can be asserted from the relationship between you and us or until the final clarification of a specific incident or legal dispute. This longer storage period is to protect our legitimate interests in the assertion, clarification and defense of legal claims.
We will retain data that we process with your consent or on the basis of our legitimate interests in direct marketing until you withdraw your consent or object. If you have not revoked your consent or objected, we will process your data for direct marketing purposes in accordance with the TKG for a maximum period of 4 years after the last time you contacted us.
The video surveillance recordings will be automatically deleted after 72 hours, unless the data is required for the prosecution of a criminal offense and the settlement of claims with our insurance company.
6. Your rights
Right to information
You have the right to information about the personal data we process about you.
Right to rectification
You have the right to rectification of your personal data that is no longer up to date, incomplete or incorrect.
Right to erasure ("right to be forgotten")
You have the right to erasure of your personal data, unless there are legal or legitimate reasons (such as retention obligations under tax law) to retain it.
Right to restriction of data processing
You have the right to request the restriction of the processing of your personal data if one of the conditions listed in Art. 18 GDPR is met.
Right to data portability
You have the right to receive the personal data you have provided to us in a structured, commonly used and machine-readable format.
Right to object
If we process your personal data on the basis of a legitimate interest, you have the right to object to this processing at any time on grounds relating to your particular situation. There may be compelling legitimate grounds on the part of the State Opera that outweigh yours, which is why we may continue to process your personal data. In addition, you have the right to object to the processing of your data at any time and without giving reasons if the processing is for the purpose of direct marketing.
Right to withdraw consent
You have the right to withdraw your consent to the processing of personal data at any time and without giving reasons with effect for the future if the processing is based on your consent. You can withdraw your consent by sending an email to marketing@wiener-staatsoper.at , for example.
Questions and complaints
If you have any questions regarding your personal data, please contact us at datenschutz@wiener-staatsoper.at. You can also contact the Data Protection Officer of the Austrian Federal Theaters, Silvia Schauer MSc MBA, at datenschutz@bundestheater.at or by post at Data Protection Officer of the Austrian Federal Theaters, Goethegasse 1, 1010 Vienna.
You also have the option of lodging a complaint with a data protection supervisory authority. The data protection supervisory authority responsible for us is the Austrian Data Protection Authority.
7. Final provisions
Please note that the State Opera will continue to adapt this privacy policy (e.g. due to changes in legal regulations, use of new technologies, expansion of our offers and services). We therefore recommend that you consult this privacy policy regularly.
Status: June 2023