Data Privacy Policy

Data Privacy Policy


Protecting your personal data is of particular concern to Bundestheater-Holding GmbH, Goethegasse 1, 1010 Vienna. Bundestheater-Holding GmbH complies with the applicable legal provisions on the protection, lawful handling and confidentiality of personal data, as well as on data security, in particular with the Austrian Data Protection Act (“Datenschutzgesetz, DSG”), the EU General Data Protection Regulation (“GDPR”) and the Austrian Telecommunications Act (“Telekommunikationsgesetz, TKG”). 

In the following, we would like to inform you about the type, scope and purpose of the collection and use of your personal data as well as your rights.

For information on the processing of personal data through the use of our website, please refer to our Cookie Statement, which should be read in conjunction with this Data Privacy Policy.

Data processing, purposes and legal bases

According to the GDPR, personal data is any information relating to an identified or identifiable natural person, such as name, e-mail address, customer number, etc.

Bundestheater-Holding GmbH processes personal data of employees, partners, representatives of public authorities, interested parties, customers, suppliers and service providers for the purpose of providing business activities and fulfilling the related legal and contractual requirements:

  • Communication with representatives of public authorities, interested parties, business partners within the scope of services, cooperations and projects, e.g. processing of enquiries, selection procedures for applicants;
  • Initiation, processing and administration of (contractual) business relationships as well as maintenance of business relationships, e.g. in order to process services, collect payments, for accounting, billing and debt collection purposes and to carry out deliveries, maintenance activities or repairs;
  • Conducting customer surveys and market analyses;
  • Maintaining and protecting the security of services as well as of websites, preventing and detecting security risks, fraudulent activity, or other criminal or harmful activity;
  • Compliance with (i) statutory requirements (e.g., obligations based on the Federal Theatres Organization Act (“Bundestheaterorganisationsgesetz”) or tax, corporate and company law retention requirements), and (ii) guidelines of the Federal Theatres Group;
  • Settling of disputes, enforcing existing contracts, and asserting, exercising, and defending legal claims;
  • Communication with the representatives of Group companies and the members of Group bodies (e.g. managing directors, supervisory board members) as well as coordination within the framework of the statutory holding function (e.g. organisation of supervisory board and shareholders' meetings, documentation including minute-taking);
  • Together with the theatre companies of the Federal Theatres Group (Vienna State Opera, Burgtheater and Volksoper Wien GmbH), Bundestheater-Holding GmbH processes customer data in a joint database. This serves, among other things, to process cross-theatre offers (e.g. mixed cycles) between the theatre companies and to ensure that data is kept correctly, up-to-date and uniformly in order to offer a corresponding level of convenience when purchasing tickets. Together with Wiener Staatsoper GmbH, Burgtheater GmbH and Volksoper Wien GmbH, Bundestheater-Holding GmbH is therefore a joint controller within the meaning of Article 26 GDPR and equally responsible for compliance with the legal provisions, in particular for the lawfulness of data processing. Customers may address questions regarding data processing in connection with ticket purchases to any of the joint controllers. In addition to this joint responsibility, Bundestheater-Holding GmbH also has access to the payment and sales data for internal administrative purposes (such as for controlling internal group requirements).

In order to achieve the aforementioned purposes, the following categories of personal data may be processed:

  • Professional contact information, such as name, contact address, telephone number or e-mail address;
  • Payment data, such as information required to process payment transactions or prevent fraud;
  • Information collected from publicly available sources and information databases, such as the Austrian Business Database (Unternehmenskataster Österreich, ANKÖ);
  • Other personal data, the processing of which is necessary for initiating, handling and administering (contractual) business relationships as well as for maintaining business relationships or which you have provided on a voluntary basis, such as orders placed, order details, enquiries made or project details, correspondence, other data on cooperation;

The legal basis for data processing is:

  • Article 6 (1) (a) GDPR: The data subject has given consent to the processing of his or her personal data for one or more specific purposes;
  • or Article 6 (1) (b) GDPR: Processing is necessary for the performance of a contract to which the data subject is party or  in order to take steps at the request of the data subject prior to entering into a contract; 
  • and Article 6 (1) (f) GDPR: Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

Contacting us
If you contact us by e-mail, fax, telephone or other means of communication, your personal data and information that you provide when contacting us will be used exclusively for processing your request or any resulting pre-contractual measures. It is at your entire discretion whether you wish to provide us with this data. Corresponding information regarding data protection is provided directly on the respective website/application – e.g. under the heading “Career”.

Data transfer
As a matter of principle, we do not pass on your personal data to third parties, unless we are legally obliged to do so or the data transfer is necessary to fulfil our obligations.
We use selected service providers to perform certain tasks who act for us as processors and who may have access to your data to the extent required in each case. This applies, for example, to software solutions, services within the scope of an IT support contract or services in the field of payroll accounting and financial accounting. All our processors process your data only on our behalf and on the basis of our instructions for the purposes described above. Moreover, we ensure through contractual obligations that our processors comply with the legal provisions on data protection in the same way as we do.

Data security
In addition to complying with the principles of data protection and the obligation of our employees to maintain data secrecy, we take appropriate technical and organisational measures to ensure the ongoing security of data processing, i.e. the confidentiality, integrity, availability, resilience and rapid recoverability of the systems and services used.

Retention period
We retain your data for a period of time in accordance with legal requirements. This is usually as long as the customer relationship lasts. A longer retention period may result primarily from legal retention obligations or for asserting legal claims. We retain data that we process with your consent until you withdraw your consent.

 Your rights

Right of access
You have the right to obtain access to the personal data we process about you.

Right to rectification
You have the right to your personal data that are out of date, incomplete or inaccurate being rectified.

Right to erasure (“right to be forgotten”)
You have the right to have your personal data erased, unless there are legal or legitimate reasons (such as tax or commercial law retention obligations or the assertion, exercise or defence of legal claims) to retain such data.  

Right to restriction of data processing
You have the right to request the restriction of the processing of your personal data if any of the conditions set out in Article 18 GDPR is met. 

Right to data portability
You have the right to receive the personal data you have provided in a structured, commonly used and machine-readable format. 

Right to object
If we process your personal data on the basis of legitimate interests, you have the right to object to this processing at any time on grounds relating to your particular situation. However, compelling legitimate grounds by Bundestheater-Holding GmbH may prevail, which may allow us to continue processing your personal data. In addition, you have the right to object to the processing of your data at any time if the processing is carried out for the purpose of direct marketing.

Right to withdraw consent
You have the right to withdraw your consent to the processing of personal data with effect for the future if the processing is based on your consent.

Question and complaints
If you have any questions regarding your personal data, please contact us at datenschutz@bundestheater.at. You may also contact the Data Protection Officer of the Austrian Federal Theatres, Dr. Günter Lackenbucher, at datenschutzbeauftragter@bundestheater.at or by mail at: Data Protection Officer of the Austrian Federal Theatres, Goethegasse 1, 1010 Vienna.

You may also file a complaint with a data protection supervisory authority. The data protection supervisory authority responsible for us is the Austrian Data Protection Authority.

Whistleblower system

Data processing within the framework of the whistleblower system serves the purpose of implementing the Whistleblower Protection Act - HSchG, which came into force on 25 February 2023, in the Austrian Federal Theatres and thereby fulfilling the legal obligation. The law serves the purpose of uncovering misconduct as defined by the HSchG and thus ensuring compliance with the law.

Legal basis: Art 6 para 1 lit c DSGVO (fulfilment of a legal obligation).

Type of data processed:

  • Contact details of the whistleblower (optional). 
  • Report of the whistleblower
  • Personal data included in the notification (e.g. in the body text or in documents). 
  • The provision or processing of this data is required by law.
The data will be forwarded to the following recipients:

  • Sage GmbH (order processor) 
  • Jank Weiler Operenyi Attorneys at Law GmbH

Rights of data subjects in the whistleblower system: Please note that the exercise of some of the rights of data subjects under the GDPR could hinder the effectiveness of the Whistleblower Protection Act, in particular the submission of reports, the setting of follow-up measures as well as the guarantee of anonymity of a whistleblower. Against this background, the Austrian legislator has taken measures to restrict the exercise of certain data protection rights of data subjects.

Click here for the whistleblower system

Final clauses

Please note that Bundestheater-Holding GmbH will continuously adapt this Data Privacy Policy (e.g. due to changes in legal provisions, the use of new technologies, the expansion of our offers and services). We therefore recommend that you consult this Data Privacy Policy from time to time.  

Data as of August 2023