“Hunter meets Hunter”

(1) Processing activities

Online service for information about hunting events and for purchasing tickets for hunting events

(2) Controller

Hunter meets Hunter GmbH

Sprinzenstein 4, 4150 Rohrbach-Berg


(3) Contact person responsible for data protection or the Data Protection Officer

Lelio Spannocchi, General manager

(4) Responsible for the contract of the event

With the purchase of tickets for hunting events, an “event contract” is created between the user and the organiser, for the fulfillment and processing of which the organiser alone is responsible; in case of an exchange both contracting parties are organisers. The organiser will be shown separately (as responsible person) when a ticket is purchased. The transmission of the data necessary for the execution of the purchase contract to the organiser (and vice versa) is absolutely necessary for the fulfillment of the purpose of the contract.

When handling the ticket sales contracts, Hunter meets Hunter GmbH acts as processor for the organiser and bases its data processing on a contract data processing contract.

(5) Purposes of data processing

5.1 on the legal basis of performance or preparation of contracts

(a) Keeping information about hunting events retrievable

(b) Providing services for recommending events based on the interests of the user (with opt-out at any time)

(c) Availability of online shops and online exchanges of the organizer for the purchase/exchange of tickets (see the comments under point 4)

(d) Providing communication channels for disseminating the content and servicing the customer relationship

(e) Fulfillment of the contractual obligations from the service contract to the person responsible

(f) Fulfillment of the contractual obligations arising from the purchase and event contract concluded with the organizer

5.2 on the legal basis of the (overriding) legitimate interests

(g) Distribution of (including advertising) information for services and events by means of direct marketing (“marketing purposes”), to the extent permitted by law

(h) Maintaining and increasing customer satisfaction and retention by analyzing usage patterns to improve service offerings using Google Analytics

(i) Provision of (also advertising) newsletters to customers on the legal basis of § 107 (3) TKG with opt-out possibility at any time

(j) Transmission of the user’s electronic identification data to third parties for incorporating content through posts on social networks (e.g., YouTube) and other applications (e.g., Google Maps, advertising network partners).

(k) Transmission of the user’s electronic identification data via Facebook Pixel to Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbor, Dublin 2

5.3 of consent

(l) Provision of (also promotional) newsletters to customers based on their consent with opt-out at any time

(6) Legal basis for data processing

6.1 Performance of the contract

a) Online use: The use of the online service is already based on a contract as defined in Art. 6 (1) (b) GDPR (Kühling/Buchner DS-GVO [GDPR] 2017, Art. 6 (59)); a registration relationship is established upon registration.

b) Conclusion of ticket purchase contracts: In the case of the purchase of tickets, the data processing of the organizer is based on the contract concluded in each case and serves the purpose of fulfilling the contract (see the comments under point 4).

6.2 Additional services: consent. For individual services (such as newsletters), the person responsible explicitly solicits the customer’s consent. This consent can be withdrawn at any time with effect for the future.

6.3 Predominant legitimate interests (see point 7)

(7) Description of (overriding) legitimate interests for the purposes

7.1 of IT security:

The controller will store the IP addresses of its customers for a period of 7 days in order to protect against targeted attacks in the form of server overloads (Denial of Service attacks) or other damage to the systems. The controller has an overriding legitimate interest in such data processing for the purposes of maintaining the functionality of its online services (Recital 49 GDPR).

7.2 the distribution of information / direct marketing

The person responsible processes the customer data (but not children’s or special categories of personal data in the sense of Art 9 GDPR (“sensitive data”)) in order to use them for purposes of direct advertising for (further) offers by the person in charge. The responsible person has a legitimate interest in the processing of personal data for the purpose of direct advertising (Recital 47, last sentence of the GDPR). In this case, only the data of those customers are processed with whom the person in charge has a contractual relationship and for which the storage period is still running. An extension of the retention period does not take place. The primary objective of the data processing is the acquisition of customers, whereby the person responsible relies on his conventionally and constitutionally protected freedom of work (Article 6 StGG) and freedom of communication (in Art 10 ECHR, which also protects advertising measures) and on the rights

• for the transmission of postal advertising;

• for the transmission of electronic mail after consent and in accordance with § 107 para. 3 TKG.

When using this data, the responsible person complies with the communication regulations, in particular § 107 TKG.

7.3 of Retargeting:

Facebook uses the “Facebook pixel” set by the person responsible in its services in order to store cookies on the user’s device and to read out existing cookies, other identifiers and to enrich the profile created for the identifier or user. The responsible person has access to these data collected by Facebook, but uses them to show advertising to the target group of those interested in the service of the responsible person.

(8) Change of purpose

Dissemination of Information / Advertising: The person responsible informs that he also processes the personal data of the customer for the purpose of disseminating information / direct mail and for purposes of retargeting. The responsible person wants to inform about their own services and events of the organizers and to promote them. For this purpose, these data will not be left to third parties under its responsibility. There is no inconsistency with the purpose of the original data collection. The customer may object to the use of his personal data for the purposes of direct advertising at any time and without giving reasons.

(9) Evaluating personal aspects of the customer (profiling)

For the purpose of compiling suitable recommendations the controller processes and evaluates search and user behaviour, and draws conclusions about specific personal interests. The controller uses those evaluated interests to send the customer targeted recommendations. The customer may object to the use of his personal data for the purpose of profiling at any time and without having to state reasons. Upon objection the controller will no longer use the customer’s personal data for the purposes of profiling.

(10) Obligation to provide data

The customer is under no obligation to provide data. Reasonable use of the platform is, however, inconceivable without entering any data.

(11) Automated decision-making

The customer is subject to no automated decision-making which would become legally effective vis-à-vis him.

(12) Processed types of data

12.1 provided by the customer

Place of interest

Name/Company name, academic degree

Email address

Password (encrypted)

Date of birth

Information on newsletter subscription

Payment data, voucher data

Content of messages or reviews from the customer

Address, phone number


Voluntary information (photo, age, gender, interests, …)

12.2 additionally collected by the controller

IP addresses (log files)

User ID, Push ID, Device ID

Browser used

Equipment used

Communications protocol

Information on account use (e.g. date created, number of logins, date of the last request)

Information about the tickets purchased

Behavior data of the user (View, Fav, Rate, Add to Cart, Buy)

Origin of downloads

(13) Data sources

(to the extent not provided by the customer nor collected by the controller)


Source: The Rocket Science Group, LLC, 675 Ponce de Leon Ave NE, Suite 5000, Atlanta, GA 30308 USA

Data types: IP location, preferred email client, source of registration, campaign details (receipt, opening, click)

Facebook login:

Source: Facebook Inc., 1601 S. California Ave, Palo Alto, CA 94304

Types of data: Facebook ID and email address

(14) External recipients of data

A) Integration of third-party services in the platform: Transmission of electronic identification data, in particular IP address:

Instagram LLC, 1601 Willow Rd, Menlo Park CA 94025, USA,

Twitter Inc., 795 Folsom Street, Suite 600, San Francisco, CA 94107, USA,

Facebook Inc., 1601 S. California Ave, Palo Alto, CA 94304, USA,

YouTube LLC, 901 Cherry Avenue, San Bruno, CA 94066, USA

Pinterest Europe Ltd, Palmerston House, 2nd Floor, Fenian Street, Dublin 2, Ireland

Buyer / Exchange Business Partner (will be indicated at the time of purchase / exchange): E-mail, name, address, telephone number, information about the order


C) Processor:

Domainfactory GmbH, Parkring 10, A-1010 Vienna, Austria

Google Analytics (with “anonymize IP”): Google LLC, 1600 Amphitheater Parkway Mountain View, CA 94043, USA

Hotjar Ltd, Level 2, St Julian’s Business Center, 3, Elia Zammit Street, St Julians STJ 3155, Malta, Europe

Mailchimp email campaign sent to: The Rocket Science Group, LLC, 675 Ponce de Leon Ave NE, Suite 5000, Atlanta, GA 30308 USA

Firstlead GmbH (Adcell), Rosenfelder St. 15-16, 10315 Berlin

Sendinblue GmbH, Köpenicker Straße 126, 10179 Berlin

All external contract data processors can be contacted via the contact details provided if they have any questions about their data protection.

The person responsible expressly reserves the right to use further order data processors. These are then reported in the update of the privacy policy following the start of the operation. These data processes of the contract data processors take place under the responsibility of the responsible person.

(15) Internal recipients

System administrator

General management


internal departments

(16) Transfer to third countries

The following data will be transmitted to countries outside of the EU in connection with data processing:

Country: USA

Application: Google (EU-US Privacy Shield)

Data types: Google Analytics: anonymized IP address, website title, browser-specific information, information about website usage

Google Maps: electronic identification data

Country: USA

Application: Mailchimp (EU-US Privacy Shield)

Types of data: email address, name, username, language

Country: USA

Application: Facebook

Types of data: Social plug-ins: IP address, website title, browser-specific information, information on website usage.

(17) Appearances on social media channels

The person responsible informs that he maintains independent online presences in social media channels for the purpose of advertising and communication with the customers. In these online appearances, the customer’s data may be processed outside of the European Union, which increases the risk of a data breach. The operators of the social media channels have, as far as they are based in the US, largely submitted to the EU-US Privacy Shield.

These online appearances are kept retrievable in the technical environment of the respective social media operator. The social media operators then use the customer’s online presence visit for their own purposes, in particular to play out (interest-based) advertising. The social media operators use the visit in order to store “cookies” on the customer’s terminal, to read out existing cookies / identifiers, to deduce the user’s behavior from the customer’s interests and thus to enrich the usage profile specified for the customer or identifier. The aim is to play out interest-based advertising to the customer, which can also be done on subsequently visited third party websites.

The personal data of the customer is processed on the basis of the legitimate interests of the person responsible for the advertising measures and the customer communication, which is governed by the freedom of work (Art. 6 StGG) and freedom of communication (in Art 10 ECHR, which also protects advertising measures) – and constitutionally protected. If the customers are users of the social media channels, the data processing can also be covered by the customer’s consent.

The person responsible informs that she has no access to the data of the customer. The person responsible therefore recommends that the customer, in the event of the assertion of his rights to information, correction, deletion, restriction, opposition and data portability, address the relevant social media channel directly. The users of social media channels can also make changes themselves in the area of their privacy settings. The responsible person assists the customer if necessary.

Further information can be found at:

Facebook (Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbor, Dublin 2, Ireland)

Data protection declaration: Opt-Out: and

Twitter (Twitter Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA)

Data protection declaration:


Google / YouTube (Google LLC, 1600 Amphitheater Parkway, Mountain View, CA 94043, USA)

Data protection declaration:


Instagram (Instagram Inc., 1601 Willow Road, Menlo Park, CA, 94025, USA)

Data protection declaration / opt-out:

Pinterest (Pinterest Inc., 635 High Street, Palo Alto, CA, 94301, USA)

Data protection declaration / opt-out:

(18) Storage period

Unregistered customers: The personal data (especially IP address) of (unregistered) website visitors are stored for 7 days for the purpose of IT security and then deleted.

Legal basis contractual relationship: The data will be processed by the person responsible on the basis of the above-mentioned legal basis up to 40 months after the end of the contract (= 36 months possible contractual claims for damages + max. 4 months delivery time of a complaint) and then deleted (at least the personal reference). Insofar as there is a legal obligation to store data, in particular in accordance with Section 132 (1) BAO, personal data processing of billing-relevant data takes place in any case until the end of the statutory retention obligation (currently 7 years after the end of the financial year in which the accrual).

(19) Rights of the data subject

Art 15 GDPR “information”

The customer has the right to request information about whether and to what extent personal data is being processed by him.

Art 16 GDPR “Correction”

The customer has the right to immediately request the correction of incorrect personal data or their completion.

Art 17 GDPR “deletion”

The customer has the right to request that the personal data be deleted immediately, provided that the reasons stated in Art. 17 (1) GDPR are met.

Art 18 GDPR “restriction”

The customer has the right to request that the processing of personal data be restricted, provided that the reasons stated in Art 18 Paragraph 1 GDPR are met.

Art 21 GDPR “Objection”

The customer has the right to object to the processing of his personal data on the basis of the overriding legitimate interest.

Art 20 GDPR “data portability”

The customer has the right to receive his disclosed personal data in a structured, common and machine-readable format.

(20) Right to complain

Art 77 GDPR § 24 GDPR

Every customer has the right to lodge a complaint with the supervisory authority if he is of the opinion that the processing of the personal data concerning him violates this regulation.

(21) Supervisory authority:

Austrian data protection authority

Wickenburggasse 8-10

A-1080 Vienna

Phone: +43 1 52 152-0