Data Protection


Privacy Policy

The protection of your privacy is important to the Spanish Riding School – Lipizzaner Stud Piber, a public-law institution (hereinafter: SRS-LGP). Below, we explain what we do to protect your data and which data we collect. In accordance with Articles 13 and 14 of the General Data Protection Regulation (GDPR), we inform you in particular about the scope and purposes of the processing of personal data. You will also find information about the cookies we use.

As a rule, we process personal data within the legal framework provided by the GDPR and the Austrian Data Protection Act (DSG). Data stored by us is only shared with third parties in compliance with statutory provisions. Your personal data will, of course, not be sold to advertising companies.

Overview

  • General information and contact
  • What are personal data?
  • What are special categories of personal data?
  • Legal bases of data protection law
  • Source of data
  • Presentation, protection, and improvement of our website
  • Communication and contact form
  • Newsletter
  • Participation in competitions
  • Press
  • Cookies
  • Usercentrics cookie banner
  • Google Tag Manager
  • Google Ads and Google Conversion Tracking
  • Web analytics with Matomo
  • Use of our webshops
  • Applicant management and job vacancies
  • Whistleblower protection
  • Embedding of videos
  • Sponsoring and sponsorships
  • Corporate magazines
  • Storage period
  • Place of data processing
  • Data disclosure
  • Data security
  • Your rights
  • Version

General Information and Contact

The controller for the data processing described in this privacy policy is:

Spanish Riding School – Lipizzaner Stud Piber, public-law institution
Michaelerplatz 1
1010 Vienna
Telephone: +43 1 533 90 31
E-mail: datenschutz@srs.at

As a matter of principle, there is no obligation to provide personal data. However, failure to do so may mean you are unable to use our services (for example, our website) or can only do so to a limited extent.

What Are Personal Data?

The term “personal data” is defined in Article 4(1) GDPR. It includes all information relating to an identified or identifiable natural person. A person is identifiable if they can be identified directly or indirectly, for example by an identifier or identification number. Personal data include, for example, name, date of birth, address, and contact details such as telephone number and e-mail address.

The opposite of personal data is anonymous data, which cannot be attributed to an identified or identifiable person. Such data is not subject to data protection law.

What Are Special Categories of Personal Data?

Special categories of personal data are defined in Article 9(1) GDPR and enjoy enhanced protection. They include sensitive data revealing, for example:

  • racial or ethnic origin
  • political opinions
  • religious or philosophical beliefs
  • trade union membership
  • genetic data
  • biometric data for uniquely identifying a natural person
  • health data
  • data concerning a person’s sex life or sexual orientation

Legal Bases of Data Protection Law

For processing of personal data to be lawful, at least one legal basis under Article 6(1) GDPR must apply. We therefore only process your personal data if:

  • processing is necessary for the performance of a contract with you or to take steps at your request prior to entering into a contract (Art. 6(1)(b) GDPR; e.g. for organising events and selling tickets);
  • processing is necessary for the purposes of our legitimate interests or those of a third party (Art. 6(1)(f) GDPR; e.g. protecting our website against hacker attacks or preventing fraud or misuse);
  • processing is necessary for the performance of a task carried out in the public interest (Art. 6(1)(e) GDPR);
  • you have given consent to the processing (Art. 6(1)(a) GDPR; e.g. for our newsletter); or
  • a legal obligation applies (Art. 6(1)(c) GDPR; e.g. corporate or tax law retention requirements).

If personal data fall under special categories, processing additionally requires a legal basis under Article 9(2) GDPR.

Source of Data

Unless otherwise stated in this privacy policy, we obtain the personal data that we process directly from you.

Presentation, Protection and Improvement of Our Website

In order to provide you with the best possible user experience, we process personal data when you visit our website. This includes, in particular, the use of essential cookies, which are required for the proper functioning of our website and do not create a personally identifiable user profile of you.

When you visit our website, the following information is automatically transmitted through your browser and temporarily stored in a log file:

  • date and time of access,
  • your IP address,
  • the address of the accessed website (URL),
  • the address of the website from which you were referred (referrer URL),
  • information about the type and version of your web browser, operating system and Internet service provider.

We process this personal data to:

  • identify, prevent and investigate malicious attacks on the website,
  • ensure the security of the system,
  • enable and optimise the functionality of the website, and
  • compile statistical evaluations (in anonymised form).

These data are processed due to our overriding legitimate interest (Art. 6(1)(f) GDPR) in ensuring the functioning and security of our website. After seven days at the latest, the data is anonymised by shortening the IP address, so that no personal reference can be made, even indirectly.

We also process your data to analyse user behaviour and improve our website. In doing so, certain technologies may process personal data for marketing and statistical purposes.
Such technologies only become active if you have given your consent via the cookie banner.
In these cases, processing is based on your consent (Art. 6(1)(a) GDPR).

If you would like to manage, revoke or adjust your cookie consent, you can do so at any time via our cookie settings (accessible through the cookie banner).

Communication and Contact Form

You have various options to contact us (e.g. by telephone, e-mail, post or via the contact form on our website).

When you contact us, we process the personal data you provide, which generally include:

  • name,
  • contact details (e-mail address, telephone number),
  • content of your enquiry,
  • any attachments you send.

We process this data in order to handle your request and communicate with you. The legal bases for this processing are:

  • Contract performance or pre-contractual steps according to Art. 6(1)(b) GDPR, if your enquiry relates to the conclusion or performance of a contract;
  • Our legitimate interest in processing and responding to your request according to Art. 6(1)(f) GDPR;
  • Your consent under Art. 6(1)(a) GDPR, if you have given such consent (e.g. by ticking a box).

Correspondence may be archived in accordance with statutory retention obligations and on the basis of our legitimate interest in ensuring proper documentation.

Newsletter

You can subscribe to our newsletter through our website.

To send you the newsletter, we process:

  • your e-mail address,
  • your name (if provided voluntarily),
  • proof of your consent (time stamp, IP address).

The newsletter includes information about:

  • events and performances,
  • ticket sales,
  • activities of the Spanish Riding School and the Lipizzaner Stud Piber,
  • offers and promotions.

We process your data based on your consent (Art. 6(1)(a) GDPR).
You can withdraw your consent at any time, effective for the future, by clicking the unsubscribe link in every newsletter or by contacting us.

Upon unsubscribing, we will immediately stop sending newsletters and delete your data unless we are legally obliged to retain them (e.g. for documentation purposes under corporate or tax law).

Participation in Competitions

When you participate in competitions organised by us, we process the personal data required to carry out the competition. This generally includes:

  • name,
  • contact details (e-mail address, telephone number),
  • information necessary for prize allocation,
  • your submitted entries (e.g. photos, texts).

We process this data to implement the competition, determine the winners, notify them and hand over prizes. The legal basis is performance of a contract (Art. 6(1)(b) GDPR), as participation constitutes a contractual relationship.

If you give additional consent during the competition (e.g. for advertising purposes, publication of photos or names), this processing is based on your consent (Art. 6(1)(a) GDPR).
Such consent can be withdrawn at any time.

Press

For press work, we process personal data of journalists and media representatives. The data processed typically include:

  • name,
  • contact details,
  • media affiliation,
  • press enquiries,
  • participation in press events.

We use this data to answer media enquiries, distribute press releases, organise press conferences and maintain professional relationships with media representatives.

Processing is based on our legitimate interest (Art. 6(1)(f) GDPR) in conducting effective press and public relations work. If individual processing requires consent (e.g. inclusion in a press mailing list), such processing is based on your consent (Art. 6(1)(a) GDPR).

Cookies

To make our website user-friendly and to ensure its full functionality, we use cookies. Cookies are small text files stored on your device when you visit our website. They serve to recognise your device, store preferences, or enable technical functions.

Cookies may be:

  • Essential (necessary) cookies:
    Required for the operation of our website. These do not require your consent.
  • Functional or preference cookies:
    Used to store settings or improve user experience.
  • Statistical cookies:
    Help us understand how visitors interact with our website (e.g. via analytics tools).
  • Marketing cookies:
    Used to display personalised advertising or measure the effectiveness of ads.

Where cookies involve the processing of personal data and are not strictly necessary for the provision of our website, they are used only with your consent (Art. 6(1)(a) GDPR) provided via the cookie banner.

You can withdraw or modify your consent at any time through the cookie settings.

Cookies that are essential for operating the website are used on the basis of our legitimate interest (Art. 6(1)(f) GDPR) in ensuring the functionality, security and usability of our website.

Usercentrics Cookie Banner

We use the Usercentrics Consent Management Platform to manage user consents for cookies and similar technologies.

When you access our website, the following data may be processed:

  • your consent or revocation of consent,
  • your IP address,
  • information about your device and browser,
  • date and time of your visit,
  • information about the banner display and behaviour.

These data are processed in order to store and manage your cookie preferences in a legally compliant manner. Processing is based on our legal obligation to document consent (Art. 6(1)(c) GDPR), and on our legitimate interest in implementing a user-friendly and legally compliant consent solution (Art. 6(1)(f) GDPR).

Usercentrics acts as our processor.

Google Tag Manager

We use Google Tag Manager, a service by Google Ireland Limited, to manage scripts and services on our website (such as analytics or marketing tools). Google Tag Manager itself does not process personal data beyond what is technically necessary to deliver the service, and does not access the data processed by downstream tools.

The legal basis for processing is our legitimate interest (Art. 6(1)(f) GDPR) in efficiently managing technical components of our website.

If tools controlled via Google Tag Manager require consent (e.g., Google Analytics, Google Ads), they will only be activated if you have given such consent.

Google Ads and Google Conversion Tracking

We use Google Ads for marketing purposes to display advertisements for our offers and services. In this context, we also use Google Conversion Tracking to measure the performance and reach of our advertising campaigns.

If you click on a Google ad, a conversion cookie is set. Through this cookie, Google and we can determine whether you performed certain actions on our website (e.g., completing a purchase or visiting a specific page).

The following data may be processed:

  • IP address,
  • cookie identifiers,
  • visited pages,
  • interactions on the website,
  • device and browser information.

We process these data based on your consent (Art. 6(1)(a) GDPR), which you can give via the cookie banner.

Google may transfer data to servers in the USA. The transfer is based on standard contractual clauses or other appropriate safeguards provided by Google.

Web Analytics with Matomo

To analyse and improve our website, we use Matomo, an open-source web analytics platform, which is hosted on our own servers, ensuring that data does not leave our sphere of control.

Matomo collects the following information:

  • pages visited,
  • length of visit,
  • returning vs. new visitors,
  • referrer URLs,
  • information about the device, browser, and operating system,
  • IP address (which is anonymised before storage).

If analytics cookies are used, processing is based on your consent (Art. 6(1)(a) GDPR).
If no cookies are used, processing may be based on our legitimate interest (Art. 6(1)(f) GDPR) in understanding the use of our website.

Use of Our Webshops

Through our webshops, you can purchase tickets, merchandise, vouchers and other products. For this purpose, we process the personal data necessary to complete your order. This includes, in particular:

  • name,
  • postal address,
  • billing address,
  • e-mail address,
  • telephone number (if provided),
  • ordered products and services,
  • payment information (depending on the payment method),
  • communication in connection with the order.

We process this data to conclude and fulfil the purchase contract, including processing payment, shipping goods, providing customer support, and handling returns or warranty claims. The legal basis is contract performance (Art. 6(1)(b) GDPR).

Payment data may be transmitted to the respective payment service providers (e.g. credit card companies, PayPal, Sofortüberweisung). These providers act as independent controllers. We only receive confirmation of payment status—not your full payment details.

If you create a customer account, we process your data based on your consent (Art. 6(1)(a) GDPR). You may delete your account at any time.

We may also process data based on our legitimate interest (Art. 6(1)(f) GDPR), e.g., to prevent fraud or misuse.

Applicant Management and Job Vacancies

If you apply for a position with us, whether by post, e-mail, online application form, or through recruitment platforms, we process the personal data you provide, particularly:

  • name,
  • address and contact details,
  • CV,
  • references and certificates,
  • application letter,
  • assessments and notes from interviews,
  • other documents submitted by you.

We process these data for the purpose of:

  • assessing your suitability,
  • conducting the application process,
  • corresponding with you,
  • documenting the recruitment procedure.

Processing is based on:

  • pre-contractual measures (Art. 6(1)(b) GDPR),
  • our legitimate interests (Art. 6(1)(f) GDPR) in efficient recruitment,
  • legal obligations (Art. 6(1)(c) GDPR), e.g. documentation duties.

If your application includes special categories of data (Art. 9 GDPR), such processing is based on:

  • your explicit consent, or
  • our legal obligations under employment law.

Applicant data are stored for six months after the end of the selection process, unless you consent to inclusion in our talent pool.

Whistleblower Protection

We operate a whistleblowing system in accordance with the Austrian Whistleblower Protection Act (HSchG). In this context, we process data of whistleblowers and affected persons, including:

  • name and contact data (if provided),
  • content of the report,
  • documents and evidence submitted,
  • any persons named in the report.

Reports may also be submitted anonymously.

The purpose of the processing is:

  • receiving and examining reports,
  • conducting internal investigations,
  • taking appropriate follow-up measures required by law.

Processing is based on:

  • our legal obligation (Art. 6(1)(c) GDPR),
  • performance of a task carried out in the public interest (Art. 6(1)(e) GDPR).

Access to data is strictly limited to authorised persons.

Embedding of Videos

On our website, we embed videos from external platforms (e.g. YouTube, Vimeo). When you play such a video, the respective provider may collect data, such as:

  • IP address,
  • device and browser information,
  • activity on the video (e.g. play, pause),
  • cookies or tracking technologies (depending on your consent).

Videos are embedded in a way that no data is transmitted to the provider until you actively click to play the video.
Processing is based on your consent (Art. 6(1)(a) GDPR), which you give by playing the video.

External providers act as independent controllers.

Sponsoring and Sponsorships

If you sponsor us or enter into a cooperation agreement, we process personal data necessary to administer and document the cooperation, such as:

  • contact persons’ names,
  • contact details,
  • contract information,
  • communication with you,
  • billing and accounting data.

Processing is based on contract performance (Art. 6(1)(b) GDPR) and our legitimate interests (Art. 6(1)(f) GDPR) in publicly documenting and managing sponsorship relationships.

We may publish the names or logos of sponsors only if contractually agreed or with appropriate consent.

Corporate Magazines

If you subscribe to or receive our corporate magazines, newsletters or other publications by post or electronically, we process:

  • name,
  • postal address and/or e-mail address,
  • subscription details,
  • proof of consent (if required).

Processing is based on:

  • contract performance (Art. 6(1)(b) GDPR), or
  • your consent (Art. 6(1)(a) GDPR), depending on the type of distribution.

Storage Period

We only store your personal data for as long as necessary for the purposes for which we collected it, including:

  • fulfilling contractual obligations,
  • statutory retention obligations (e.g. tax and accounting law),
  • preserving evidence during statutory limitation periods,
  • fulfilling documentation duties (e.g. consent documentation).

After the relevant retention period expires, we delete or anonymise the data.

Place of Data Processing

We process your personal data primarily within the European Union.
If data are transferred to a country outside the EU/EEA, this is done only:

  • with your explicit consent,
  • to fulfil contractual obligations,
  • based on appropriate safeguards (e.g. EU Standard Contractual Clauses), or
  • if an adequacy decision exists.

Data Disclosure

We only share your personal data with third parties if:

  • it is necessary to fulfil a contract,
  • we are legally obliged to do so,
  • you have given your consent, or
  • the disclosure is based on a legitimate interest (e.g. IT service providers, web hosts, payment providers).

All third parties that process data on our behalf are bound by strict confidentiality and must process personal data only as instructed.

Data Security

We take appropriate technical and organisational measures to protect your personal data from:

  • loss,
  • misuse,
  • unauthorised access,
  • alteration,
  • destruction.

These measures include, among others:

  • encryption,
  • access controls,
  • secure storage systems,
  • regular security reviews.

Your Rights

Under the GDPR, you have the following rights:

  • Right of access (Art. 15 GDPR)
  • Right to rectification (Art. 16 GDPR)
  • Right to erasure (Art. 17 GDPR)
  • Right to restriction of processing (Art. 18 GDPR)
  • Right to data portability (Art. 20 GDPR)
  • Right to object (Art. 21 GDPR)
  • Right to withdraw consent at any time (Art. 7 GDPR)

You also have the right to lodge a complaint with the Austrian Data Protection Authority.

To exercise your rights, contact:

datenschutz@srs.at

Version

This is the current version of our privacy policy.
We reserve the right to update this policy to reflect legal requirements or changes in data processing.

November 2025