Preamble
The protection of your personal data is important to us. We therefore process your data exclusively on the basis of the statutory provisions (GDPR, DSG, TKG 2021). In this Privacy Policy, we inform you about how we process your personal data in the course of our business activities, on our website, and in our app.
This information is non-binding and does not constitute a contractual relationship, but merely serves to inform you about the data processing activities.
ÖRAG Österreichische Realitäten-Aktiengesellschaft, ÖRAG Immobilien Vermittlung GmbH, Friedrich & Padelek Gesellschaft m.b.H. and ÖRAG Immobilien West GmbH are independent companies that are affiliated with each other (collectively referred to below as the “ÖRAG Group”). The companies of the ÖRAG Group jointly determine the purposes and means of the processing and are therefore joint controllers (Art. 26 para. 1 GDPR). The joint controllers have essentially agreed that ÖRAG Österreichische Realitäten-Aktiengesellschaft fulfills the obligations under the GDPR.
The controllers for the processing of personal data within the meaning of the General Data Protection Regulation (GDPR) are therefore:
ÖRAG Österreichische Realitäten-Aktiengesellschaft
A: Herrengasse 17,
1010 Vienna,
Austria
T: +43/1/534 73 - 0
E: office@oerag.at
ÖRAG Immobilien Vermittlung GmbH
A: Bankgasse 1, 1010 Vienna, Austria
T: +43/1/534 73 - 100
E: immobilienvermittlung@oerag.at
Österreichische Facility Management Gesellschaft mbH
A: Herrengasse 17, 1010 Vienna, Austria
T: +43/1/534 73 – 400
E: office@oefm.at
Friedrich & Padelek Ges.m.b.H
A: Teinfaltstraße 9/4, 1010 Vienna, Austria
T: +43/1/533 56 86 – 0
E: office@friedrich-padelek.at
ÖRAG Immobilien West GmbH
A: Franz-Josef-Straße 15, 5020 Salzburg, Austria
T: +43/662/877 666 – 0
E: west@oerag.at
The joint controllers process your personal data in compliance with the provisions of the EU General Data Protection Regulation (GDPR), the Austrian Data Protection Act (DSG), and all other applicable laws (e.g. TKG 2021).
Subject and Purpose of Data Processing
When you access our website, information and data are automatically collected by the computer system of the accessing device. The processing of this information and data is necessary in order to deliver the contents of our website to your device. In addition, this serves the purpose of monitoring the technical functionality and increasing the operational security of the server.
We store this information in anonymized form in so-called log files.
Categories of Data Subjects and Personal Data
For these purposes, we process the following personal data of website users:
IP address
User agent string
Accessed content
Time of server request
Browser type / browser version
Operating system used
Referrer URL
Legal Basis
The data processing is carried out on the basis of our legitimate interest pursuant to Art. 6 para. 1 lit. f GDPR or the technical necessity pursuant to § 165 para. 3 TKG 2021. Our legitimate interest lies in ensuring the functionality and operational security of the website.
Storage Period / Deletion
These data are processed in a personal reference only temporarily for the duration of the website session. After leaving the website, the data are anonymized and no longer contain any personal reference.
Recipients
To provide our website, we use service providers who process your personal data on our behalf. We use the following service provider:
Bit Breakfast Ltd (t/a Servd Hosting)
6th Floor, Pomegranate Consulting
49 Peter Street
Manchester, United Kingdom, M2 3NG
support@servd.host
Subject and Purpose of Data Processing
When visiting our website, cookies and similar technologies (e.g. LocalStorage and SessionStorage, hereinafter collectively referred to as “cookies”) are used. This makes our website more user-friendly and efficient, enabling us to provide you with an optimal website experience.
Cookies are small text files that are stored on your device using the browser. These data packets control the display and operation of the site and are also used to obtain useful information about the use of this website. Some cookies are stored only temporarily and are deleted when the browser is closed. Other cookies (so-called “persistent cookies”) are stored for a longer period or permanently until an expiration date is reached or they are manually deleted from your browser cache.
Depending on their purpose and function, cookies are divided into the following categories:
Technically necessary cookies, which ensure the technical operation and basic functions of this website and are essential for operating the website.
Analytics cookies, to understand how visitors interact with this website. This information is collected and analyzed in anonymized form. This allows us to gain valuable insights to optimize both the website and our products and services.
Marketing cookies, to provide targeted advertising activities to users on our website or to improve the user experience, for example by embedding videos.
Further information about cookies and their purposes can be found in the cookie settings, which you can access and adjust at any time at the bottom right of the website.
LocalStorage and SessionStorage store user data in your browser. These are stored either until the end of the session (SessionStorage) or without a defined end date (LocalStorage).
Legal Basis
The processing of your personal data is based on:
Technically necessary cookies: our legitimate interests pursuant to Art. 6 para. 1 lit. f GDPR in conjunction with § 165 para. 3 TKG 2021 in providing a functional website, its technically flawless operation, and smooth functionality;
Analytics and marketing cookies: your consent pursuant to Art. 6 para. 1 lit. a GDPR in conjunction with § 165 para. 3 TKG 2021.
Without certain cookies, functions that enable an optimal user experience, such as Google Maps, are not available. You can revoke your consent at any time with effect for the future in the cookie settings without stating reasons by adjusting the checkbox for analytics and marketing cookies accordingly.
You can also adjust your consent and cookie settings at any time in your browser settings and thereby prevent the use of cookies. However, this may result in restrictions in the technically flawless use of the website.
Below you will find links to information on disabling cookies in commonly used browsers:
Mozilla Firefox: https://support.mozilla.org/de...
Internet Explorer: https://support.microsoft.com/...
Google Chrome: https://support.google.com/acc...
Safari: https://support.apple.com/de-a...
Opera: https://help.opera.com/de/latest/web-preferences/#cookies
Storage Period / Deletion
Information on the specific storage duration of cookies and thus of your personal data can be found in the cookie list below.
Recipients
When using Google services (Google Analytics, Google Tag Manager), data are transferred to Google Ireland Limited. It cannot be ruled out that Google Ireland Limited may transfer the data to Google LLC, based in the USA (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA). Google LLC is certified under the “Data Privacy Framework” and therefore the international data transfer is based on the adequacy decision of the European Commission pursuant to Art. 45 GDPR. In addition, Google uses the standard contractual clauses issued by the European Commission as a basis for international data transfers to countries outside the European Economic Area for which no adequacy decision pursuant to Art. 45 GDPR exists. These standard contractual clauses oblige Google to provide a level of protection for personal data processing outside the European Economic Area that is adequate under the GDPR. You can find the standard contractual clauses here.
Please note that we have no influence on data processing by Google. Detailed information on how Google Analytics handles user data can be found in Google’s privacy policy and the Google Analytics terms of use.
Übersicht über die im Einsatz befindlichen Cookies
Cookie name | Purpose | Processed data | Domain | Cookie expiration (storage duration) | Provide |
Provider’s privacy policy
| |||
Functionally necessary cookies | |||||||||
Craft CMS Cookie | Content management system | Session data | End of session | Craft CMS – Pixel & Tonic | See privacy policy | ||||
Klaro-Cookie | Stores the user’s consent selections in the cookie settings | IP address, cookie settings selection, Klaro I | 120 days | Klaro! – KIProtect GmbH | See privacy policy | ||||
Non-essential cookies | |||||||||
_ga_ YL6BNTYMPJ | Marketing | Collects data on how often a user has visited a website, as well as data for the first and last visit. Used by Google Analytics | .oerag.at | 400 days | Google Analytics – Google LLC | See privacy policy | |||
_ga | Marketing | Registers a unique ID used to generate statistical data on how the visitor uses the website | .oerag.at | 400 days | Google Analytics – Google LLC | See privacy policy | |||
_gcl_aw | Marketing | This cookie is set by Google when a user arrives at the website via a click on a Google advertisement. It contains information about which ad was clicked so that successes such as orders or contact inquiries can be attributed to the ad | .oerag.at | 90 days | Google Ads | See privacy policy | |||
_gcl_gs | Marketing | This cookie is set by Google when a user arrives at the website via a click on a Google advertisement. It contains information about which ad was clicked so that successes such as orders or contact inquiries can be attributed to the ad | .oerag.at | 90 days | Google Ads | See privacy policy | |||
On our website, we use, among other things, the following services, which are employed for the provision of non-essential services:
We use Google Analytics on our website, a web analytics service provided by Google. According to Google, Google will use the collected data to evaluate the use of the website, to compile reports on website activity, and to provide other services related to website usage and internet usage. Detailed information on how Google Analytics handles user data can be found in Google’s privacy policy and the Google Analytics terms of use.
Google Analytics uses cookies that are stored on your computer and enable the analysis of your use of our website. In this context, we process the following information: IP address, country, language, operating system, pages accessed, length of stay, clicks, scroll duration, browser information, information about your device, referrer URL, user ID. These data are also transmitted to Google. An overview of the cookies set in this process can be found above.
We store the recorded data together with the randomly generated user ID, which allows the evaluation of pseudonymous user profiles. These user-related data are automatically deleted after 2 months. Other data remain stored in aggregated form for an unlimited period.
This website uses the “IP anonymization” function. As a result, your IP address is shortened by Google within member states of the European Union or in other contracting states of the Agreement on the European Economic Area and thus anonymized. Only in exceptional cases is the full IP address transmitted to a Google server in the USA and shortened there.
You can generally prevent the collection of your usage data by Google Analytics on all websites by downloading and installing the browser plugin available at the following link:
https://tools.google.com/dlpage/gaoptout?hl=de
You can prevent the collection of your usage data by Google Analytics on this website only via the cookie settings, which can be accessed at any time via the link at the bottom right of our website.
We also use Google Tag Manager to manage services for usage-based advertising (such as Google Analytics and Google Ads). The Tag Manager tool itself is a cookieless domain and does not collect any personal data. The Tag Manager uses so-called tags, which are code snippets. These record interactions that occur on our website. The Tag Manager forwards these interactions to the connected tools (e.g. Google Analytics).
When using the Tag Manager, personal data of website users are processed. This includes the IP address and traffic data (i.e. accessed pages, language, country, operating system). These data are also transmitted to Google. In addition, cookies associated with the Tag Manager are used (see the list of cookies used above).
If you wish to object to the collection by Google marketing services, you can use the settings and opt-out options provided by Google as described here.
You can prevent the collection of your usage data by Google Tag Manager on this website only via the cookie settings, which can be accessed at any time via the link at the bottom right of our website.
Subject and Purpose of Data Processing
If you contact one of the companies of the ÖRAG Group for the purpose of receiving a real estate offer, your personal data will be processed in a joint data management system. The purpose of this data processing is to match your preferences with the respective real estate offers in order to identify potentially suitable properties and send them to you.
Categories of Data Subjects and Personal Data
For these purposes, we process the following personal data:
Name
Affiliated company
Address
E-mail address
Address
Telephone number
Preferences
Legal Basis
Management in the joint customer database is carried out on the basis of the legitimate interests of all joint controllers (Art. 6 para. 1 lit. f GDPR) to provide you with the best possible customer service and real estate portfolio. You may object to this processing of your personal data pursuant to Art. 21 GDPR.
The sending of further real estate offers is carried out on the basis of your consent (Art. 6 para. 1 lit. a GDPR in conjunction with § 174 TKG 2021). You may revoke this consent at any time with effect for the future without stating reasons by e-mail to datenschutz@oerag.at.
Storage Period / Deletion
The personal data you provide will be stored for 12 months.
Your consent to receive further real estate offers is valid for 3 years. Your data will be deleted 18 months after the last dispatch.
Recipients
The following processors are engaged for the processing of personal data:
onOffice Software GmbH, Hollandstraße 18/Top10, A-1020 Vienna (broker software)
timum GmbH, Große Hamburger Straße 28, 10115 Berlin, Germany (for the technical handling of appointment coordination). Further information on data processing by timum GmbH can be found here.
As part of this processing activity, your personal data will not be disclosed to any other third parties. No transfer of your personal data to a third country takes place.
Subject and Purpose of Data Processing
Via the information portal, accessible at https://infoportal.oerag.at/, authorized property management customers receive access to the up-to-date data of the properties they manage. The processing of personal data serves the secure provision and administration of these accesses as well as transparent information on property, tenant and billing data.
The aim is to enable owners or authorized representatives to conveniently and digitally access relevant administrative documents (e.g. property data, interest lists, tenant accounts, balance lists, incoming invoices and tenant file documents).
Categories of Data Subjects and Personal Data
Within the scope of this processing, the following personal data of the following categories of data subjects are processed:
Property owners and their employees:
Access data (username, password)
Master data of owners (name, address, contact details)
Property and contract data (property address, tenancy relationships, tenant lists, billing data)
Financial and accounting data (rent payments, balances)
Tenants of the respective owner
(these data are processed by the joint controllers as processors for the respective property owners):
Tenant master data
Information on the tenancy (property address, billing data, balances)
Legal Basis
Processing is carried out to fulfill the existing management agreement with the owners (Art. 6 para. 1 lit. b GDPR) or to optimize administration by employees of the respective owners based on legitimate interests (Art. 6 para. 1 lit. f GDPR).
Storage Period / Deletion
Personal data are displayed in the information portal until the termination of the business relationship.
However, data required for the business relationship are only deleted by the controller seven years after the termination of the business relationship.
Recipients
Your personal data will not be disclosed from the information portal to any external recipients or processors.
Subject and Purpose of Data Processing
We operate social media presences on LinkedIn, Facebook and Instagram. We use our social media presences to communicate with our employees, customers, business partners, interested parties and other users, to inform them about our company and services. In addition, through user interactions such as comments, messages and reactions to our posts, we may receive further information that we take into account for our social media activities.
Furthermore, when managing our social media presences, we use the associated analytics functions and receive statistical evaluations of our activities and users. The social media operators use cookies and similar technologies to identify registered users via a user code. The information stored for the respective user codes is used by the operators of the social media networks in accordance with their terms of use and privacy policies, in particular to provide services to advertising companies and subsequently to offer advertising.
Joint Controllership
As operators of our social media presences, we are joint controllers within the meaning of Art. 4 no. 7 GDPR with the following operators of the social media platforms. Further information on data processing and the allocation of responsibility can be found at the platform operators:
LinkedIn: With regard to the operation of our LinkedIn account, further information can be found here: LinkedIn Terms of Use, LinkedIn Privacy Policy, and the Addendum on Joint Controllership for LinkedIn Page Insights.
Facebook: With regard to the operation of our Facebook page, further information can be found here: Facebook Terms of Use, Meta Privacy Policy and the Addendum on Joint Controllership for Page Insights.
Instagram: With regard to the operation of our Instagram account, further information can be found here: Instagram Terms of Use, Meta Privacy Policy and the Addendum on Joint Controllership for Page Insights, which also applies due to its affiliation with the Meta Group.
From the agreements on joint controllership with Facebook / Instagram and LinkedIn, it follows that these are responsible for compliance with obligations pursuant to Art. 12 to 21 GDPR as well as Art. 32 to 34 GDPR. We are obliged to forward requests relating to data subject rights to Facebook / Instagram or LinkedIn. With the information provided here, we fulfill our obligation to provide information on our legitimate interests.
Categories of Data Subjects and Personal Data
With regard to the categories of data subjects and personal data, we refer to the information provided above for the respective social media platforms.
Legal Basis
The processing of your personal data in connection with visits to our social media presences is based on our legitimate interests pursuant to Art. 6 para. 1 lit. f GDPR. Our legitimate interests lie in improving our social media presence and in optimized and contemporary product and corporate presentation.
Storage Period / Deletion
We have access to the analytics functions of the respective social media platforms in accordance with the operators’ terms of use. Therefore, the storage period of your personal data results from the terms of use and privacy policies of the social media platform operators.
Recipients
In connection with our social media presences, your personal data are also processed by the respective platform operators:
LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland
Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (for Facebook and Instagram)
Based on the privacy policies of the recipients, it can be assumed that your data are transferred to companies in the USA. For the USA, there is an adequacy decision pursuant to Art. 45 GDPR by the European Commission, which means that the data transfer to companies certified under the “Data Privacy Framework” (Meta Platforms, Inc. for Facebook and Instagram and LinkedIn Corporation for LinkedIn) is based on the adequacy decision.
We have no influence on these processing operations and transfers and do not pass on personal data that we have received through our social media presences to third parties.
The controller for the processing of personal data within the scope of our tenant app within the meaning of the General Data Protection Regulation (GDPR) is:
ÖRAG Österreichische Realitäten-Aktiengesellschaft
A: Herrengasse 17,
1010 Vienna,
Austria
T: +43/1/534 73 - 0
E: office@oerag.at
Subject and Purpose of Data Processing
The purpose of the app is communication and administration of customer concerns within the scope of property management.
Categories of Data Subjects and Personal Data
Employees of the controller:
First name, last name, e-mail address, IT usage data (login information), telephone number
Registered app users:
First name, last name, date of birth
Contact details: address, e-mail address, telephone number
Identification data
Personal data that may arise from accessible documents
Legal Basis
The processing of your personal data is based on our legitimate interests (Art. 6 para. 1 lit. f GDPR) in efficient property management, the reduction of administrative effort, and improved communication with tenants.
If you have given us your consent to publish your contact details within the “house community” created in the app, this processing is based on your consent (Art. 6 para. 1 lit. a GDPR). This consent can be revoked at any time by e-mail to the controller or by selection in the app settings.
Storage Period / Deletion
Your personal data in the app will be deleted as soon as you deactivate the app, but at the latest 6 months after termination of your stored tenancy.
Recipients
Within the scope of the tenant app, we engage the following processor:
Idwell GmbH, Margaretenstraße 70/2/7, 1050 Vienna, Austria
As part of this processing activity, your personal data will not be disclosed to any other third parties.
The controller for the processing of personal data within the meaning of the GDPR in the context of our services is the company of the ÖRAG Group listed in section 1.1 of this privacy policy with which you are in a contractual relationship or in contact.
Subject and Purpose of Data Processing
Within the scope of providing our services in the areas of property and building management, real estate valuation, construction management & architecture, and facility management, we process personal data of our customers, business partners and service providers.
Processing is carried out to fulfill our contractual and organizational tasks – in particular for the preparation, execution and handling of service contracts, for communication with customers (owners) and third parties, for the preparation of offers, valuations and invoices, as well as for the administration and documentation of projects and properties.
In addition, processing serves to fulfill legal obligations (e.g. retention, information and documentation obligations under statutory provisions).
Note: For the processing of specific prospective customer data and tenant data, the respective owner is the data protection controller; the respective company of the ÖRAG Group acts as a processor for the respective owners.
Categories of Data Subjects and Personal Data
Data subjects:
Customers and clients (in particular owners, developers)
Business partners, suppliers and service providers and their employees
Processed personal data:
Master data: name, address, contact details (e-mail, telephone number), date of birth
Contract and project data: contract contents, order details, service descriptions, property and land data
Financial data: bank details, invoice and payment data
Communication data: correspondence, e-mails, telephone notes
Authority and verification data: identification data, permits, powers of attorney, if applicable evidence pursuant to anti-money laundering regulations
Legal Basis
The processing of personal data is based on:
Art. 6 para. 1 lit. b GDPR – for the fulfillment of a contract or for the implementation of pre-contractual measures
Art. 6 para. 1 lit. f GDPR – for the handling of business operations and optimization of processes
Storage Period / Deletion
Personal data are stored only as long as necessary to fulfill the respective purpose.
In particular, we store your personal data for the duration of the respective business relationship and thereafter in accordance with statutory retention obligations, generally seven years after its termination (e.g. pursuant to tax and corporate law provisions, § 132 para. 1 BAO and § 212 UGB).
Recipients
As part of this processing activity, your personal data will not be disclosed to any third parties.
For all data processing activities mentioned above, we engage, in addition to the specific processors named for each processing activity, partially general (technical) service providers, so-called processors. These are obliged to confidentiality, are carefully selected by us and are bound by our instructions.
In particular, we use the following processors:
IT Management Ing. Dietrich Andert, Helferstorferstraße 5, 1010 Vienna (IT management and consulting)
Microsoft Ireland Operations Limited, Microsoft Place, South County Business Park, Leopardstown, Dublin 18, D18 P521, Ireland (document creation and processing, electronic communication, archiving and document retention)
In addition, further processors may be engaged on a case-by-case basis (e.g. IT consultants, etc.).
As a data subject, you have the following rights:
Right of access (Art. 15 GDPR)
Right to rectification (Art. 16 GDPR)
Right to erasure (Art. 17 GDPR)
Right to restriction of processing (Art. 18 GDPR)
Right to data portability (Art. 20 GDPR)
Right to object to certain processing activities (Art. 21 GDPR)
Right to withdraw consent if processing is based on your consent
If you wish to exercise any of these rights or have questions in this regard, please feel free to contact us at any time (using the contact details provided in section 1). If you believe that the processing of your personal data violates the GDPR, please do not hesitate to inform us of your concerns.
You also have the right to lodge a complaint with the Austrian Data Protection Authority, Barichgasse 40–42, 1030 Vienna.
Home