Book now
Book now

Data Protection

General information on the protection of personal data at WOOP! Funpark Graz GmbH, FN 648474 p, Weblinger Gürtel 25, 8054 Graz.

1. Introduction

You are important to us! Therefore, the protection of your personal data has the highest priority for us, and we strive with all our strength and utmost care to protect these rights.

At WOOP! Funpark Graz GmbH, we are aware of the importance of protecting personal data and therefore always treat personal data strictly in accordance with all applicable laws and regulations for the protection of personal data.

We have implemented numerous technical and organizational measures to ensure the most comprehensive protection possible of the personal data processed. Our security measures are continuously improved in accordance with technological developments.

The following privacy policy provides you with detailed information, (in particular) about:

  1. which of your personal data, for what purpose, to what extent, in what manner, for what duration and on what legal basis are processed, as well as the recipients of this data; this applies when visiting our WOOP! FUN PARK on-site as well as when using our online offering (use of our website graz.woop.fun, online ticket purchase) and informing you about your related data protection rights.
  2. what specific rights you have as a data subject.
  3. name and contact details of the controller.
  4. the contact details of the data protection coordinator.

Changes in legislation or changes in our internal company processes, in particular the further development of our website and the implementation of new technologies, may require an adjustment of this privacy policy. Therefore, we ask you to read our privacy policy regularly. You can find the currently valid version of our privacy policy at graz.woop.fun, where it can be constantly accessed, saved and printed. If you have questions, please feel free to contact us at dpo@graz.woop.fun.

2. Controller for Data Processing

The controller for data processing is:

  • WOOP! Funpark Graz GmbH, FN 648474p
  • Weblinger Gürtel 25
  • 8054 Graz
  • Tel.: 0664-1226885
  • Email address: dpo@graz.woop.fun

3. Data Protection Coordinator

We have appointed a data protection coordinator. You can contact them directly at any time with questions and suggestions regarding data protection at: dpo@graz.woop.fun

4. General Term Explanations

What is personal data?

Personal data is all information relating to an identified or identifiable natural person. This includes, for example, information such as your name, your age, your address, your telephone number, your date of birth, your email address or your IP address. Information for which we cannot (or can only with disproportionate effort) establish a connection to your person, e.g., through anonymization of the information, is not personal data. The processing of personal data (e.g., collection, querying, use, storage or transmission) always requires a legal basis or your consent.

What are special categories of personal data according to Art 9 GDPR?

The processing of special categories of personal data, i.e., those from which racial and ethnic origin, political opinions, religious or philosophical beliefs or trade union membership emerge, as well as the processing of genetic data, biometric data for the unique identification of a natural person, health data or data concerning the sex life or sexual orientation of a natural person, is fundamentally prohibited and only permitted in special cases; for example, if you give explicit consent or the processing is necessary for the establishment, exercise or defense of legal claims.

What does processing mean?

Processing is any operation or set of operations performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

What does controller mean?

Controller is any person who alone or jointly with others determines the purposes and means of the processing of personal data.

What does processor mean?

Processor is any person who processes data on behalf of the controller.

5. Data Types, Purposes and Legal Bases of Data Processing

We process exclusively your (categories of personal data listed here) for purposes specified in this privacy policy and only to the extent that is absolutely necessary for the fulfillment of these purposes. Therefore, in the interest of your highest data security, we pursue comprehensive purpose limitation of data processing as well as data minimization in accordance with the GDPR.

a) Registration: For registration, the following data is processed:

First and last name, nickname, date of birth, email address, telephone number, postal code, address.

The legal basis for processing personal data for this purpose is contract fulfillment according to Art 6 Para 1 lit. b GDPR as well as additionally your explicit consent according to Art 6 Para 1 lit. a GDPR.

Registration can be carried out online at graz.woop.fun or on-site at reception and serves to process the purchase of services, i.e., admission tickets for attractions (fun park, bowling, escape rooms, pixel, VR and others) and for birthday parties.

During registration, you have the option (opt-in) to voluntarily give your explicit consent for WOOP! Funpark Graz GmbH to send you emails with offers and benefits directly to the email address you have provided. You can revoke this consent at any time informally at dpo@graz.woop.fun.

b) Visit to WOOP! premises or use of services: When purchasing services or registering for summer holidays, the academy and other organized events, in addition to the personal data during registration, the data necessary for purchasing the service is also processed; this data includes first name, last name and date of birth of the child as well as first name, last name, email address and telephone number of the parent.

The legal basis for processing personal data for this purpose is the General Terms and Conditions or the contract — Article 6/I(b) of the General Data Protection Regulation.

The legal basis for processing personal data for this purpose is contract fulfillment according to Art 6 Para 1 lit. b GDPR.

c) Publication of general photos and videos:

We take general photos and videos in the general areas (excluding restrooms and changing rooms) of the fun park without bringing specific persons into the foreground/focus and publish these for marketing purposes on the website graz.woop.fun and on our social networks (Facebook https://www.facebook.com/profile.php?id=61578581694711int, Instagram https://www.instagram.com/woopgraz/, Youtube https://www.youtube.com/@woopgraz and TikTok https://www.tiktok.com/@woop.graz).

The legal basis is our legitimate interest according to Art 6 Para 1 lit f GDPR.

The photos and videos are deleted after 3 years at the latest.

d) Publication of (portrait) photos and videos (in which you are the focus as a person): If you have explicitly consented to the publication of individual (portrait) photos, videos (in which you are the focus as a person) and first and last names of you and/or your children, these will be published on the website graz.woop.fun and on our social networks (Facebook https://www.facebook.com/profile.php?id=61578581694711int, Instagram https://www.instagram.com/woopgraz/, Youtube https://www.youtube.com/@woopgraz and TikTok https://www.tiktok.com/@woop.graz). The legal basis is your explicit consent according to Article 6 Para 1 lit. a GDPR or Art 9 Para 2 lit a GDPR.

When publishing individual (portrait) photos and videos (in which you are the focus as a person), special categories of personal data according to Art 9 GDPR (see point 4 general term explanations) may also be processed under certain circumstances. Data processing therefore only takes place if you give your explicit consent to this.

You can revoke your explicit consent at any time informally at dpo@graz.woop.fun. We will then delete the data immediately.

All publications will be deleted within one year of granting consent for publication. After granting consent for publication and recording of data by WOOP, this data will be temporarily cached by WOOP and then published as quickly as possible, but at the latest within 4 weeks.

e) Cookies: Our website uses cookies. Cookies are small text files that are stored on your computer system via your internet browser. A specific internet browser can be recognized and identified via the unique cookie ID.

The legal basis for this data processing is contract fulfillment Art 6 Para 1 lit. b GDPR for technically necessary cookies and your explicit consent according to Art 6 Para 1 lit. a GDPR for technically non-necessary cookies.

Please refer to our cookie policy at https://graz.woop.fun/datenschutz/ for additional information.

f) Video surveillance: We use video surveillance to ensure the safety of our employees and visitors as well as their and our property.

To prevent theft, we have installed cameras at all entrances/exits and cash registers. In the fun park and the attractions themselves, we have installed security cameras to prevent and clarify accidents. The image, date and time of recording are stored. We store the data for a maximum of 14 days. If a theft or accident occurs and this was recorded by the cameras, the relevant video material is kept until the extrajudicial or judicial final clarification of the case.

The legal basis for data processing is the legitimate interest in maintaining security and preventing/clarifying accidents and theft according to Art 6 Para 1 lit f GDPR as well as Art 9 Para 2 lit f GDPR.

g) (RFID) Wristband or Card

All visitors must purchase a special (RFID) wristband or card before using the attractions in the fun park. The wristband/card enables access to certain areas of the games, control of the games, control of whether safety videos have been watched and use of the lockers. Each wristband/card has a unique number that is assigned to the respective customer profile. The ticket information as well as whether the customers have watched the safety videos and the locker information are stored on the wristband.

If visitors have not watched the respective safety videos, the turnstile, which is opened with the wristband/card, will not let them enter the attraction/the turnstile will not open.

The data on the wristband/card is deleted immediately after your visit with us.

The legal basis for data processing for this purpose is contract fulfillment according to Art 6 Para 1 lit. b GDPR

h) Data analysis: The analysis of usage data (attractions visited, time of visit, date of birth) is carried out on the basis of pseudonymized data, with the results being used for strategic and tactical marketing decisions. The legal basis is legitimate interest — Article 6/I(f) of the General Data Protection Regulation and your explicit consent according to Art 6/I (a) of the General Data Protection Regulation.

You have the right to revoke your consent at any time at dpo@graz.woop.fun or to object to this data processing at dpo@graz.woop.fun.

i) Competitions: If you participate in one of the competitions organized by WOOP!, you provide your personal data as part of the registration for the competition. We process this data for the purpose of conducting the competition and in connection with the competition. The data includes first and last name, address, email address, telephone number, year of birth and tax number (only if you have won a prize). By participating in the draw, you accept the general terms and conditions of the draw. The legal basis for processing personal data for the purpose of conducting the draw contract is Article 6 Para 1 lit b GDPR. We only use your data for direct marketing purposes if you have previously given us explicit written consent according to Article 6 Para 1 lit a GDPR. You can revoke this consent at any time informally at dpo@graz.woop.fun.

6. Order Processing and Data Transfer to Third Parties

We use the following processors:

  • SirPauls GmbH FN 418419 y Kaiser-Franz-Josef-Kai 24 8010 Graz
  • Business and Marketing Improvement NV (BMI Leisure) Molseweg 160 2440 Geel Belgium
  • Google Ireland Limited Gordon House, Barrow Street Dublin 4 Ireland
  • Meta Platforms Technologies Ireland Limited Merrion Road Dublin 4 D04 X2K5 Ireland
  • TikTok Technology Limited Republic of Ireland 10 Earlsfort Terrace Dublin D02 T380 Ireland

Data is transferred to third parties as part of the publication of photos and videos on Facebook, Instagram and TikTok that you have explicitly consented to.

WOOP also passes on personal data to third parties if this is legally required (e.g., to the police, courts, etc.).

WOOP uses a cloud-based solution for sending emails, whereby there is a technical possibility of transmitting personal data (email addresses) to the USA. A contract for the processing of personal data is concluded with the provider, which contains standard contractual clauses for the transmission of data to third countries.

We do not transmit any other personal data to third countries.

Further information on the measures to be taken when transmitting personal data to third countries can be requested in writing from the data protection coordinator at dpo@graz.woop.fun.

7. Duration of Processing and Data Storage

Your personal data will be deleted immediately as soon as the purpose for which it was originally collected no longer exists and there is no legal retention period or legitimate interest on our part for the establishment, exercise or defense of legal claims for this data.

We therefore store and process your personal data for the duration of contract fulfillment/ongoing business relationship or until you revoke your consent or raise an objection according to Art 21 GDPR.

We store your data provided during registration for a maximum of 10 years after the last visit, published general photos and videos for a maximum of 3 years, published individual (portrait) photos and videos for a maximum of 1 year, data collected from competitions for a maximum of 2 months or (if a prize is paid out) for a maximum of 10 years.

9. Data Subject Rights

As a data subject, you have the following rights at any time:

  • Information, correction, deletion or restriction of processing of your stored data
  • Objection to processing
  • Data portability, right to revoke granted consent

For asserting your data subject rights, as well as for information of all kinds about the processing of your personal data, please contact us at:

dpo@graz.woop.fun

Right to Information — Art 15 GDPR

As a data subject, you have the right to receive free information from us at any time about the following:

  • the processing purposes
  • the categories of personal data processed by us
  • the recipients or categories of recipients to whom the personal data have been or will be disclosed
  • if possible, the planned duration for which your personal data will be stored, or, if this is not possible, the criteria for determining this duration
  • the existence of your right to correction or deletion of personal data concerning you or to restriction of processing by us as controller or your right to object to such processing
  • the existence of a right to lodge a complaint with the competent supervisory authority; in Austria this is the Data Protection Authority
  • all available information about the origin of your data, provided your personal data are not collected from you as the data subject

Furthermore, as a data subject, you have a right to information about whether your personal data have been transferred to a third country or to an international organization. If this is the case, you have the right as a data subject to receive information about the appropriate safeguards relating to the transfer.

Furthermore, as a data subject, you have a right to information about the existence of automated decision-making including profiling and, if applicable, meaningful information about the details thereof.

You have the right to receive a copy of the personal data that are the subject of processing. For any additional copies you request, we may charge a reasonable fee based on administrative costs. If you submit the application electronically, the information should be provided in a common electronic format unless you specify otherwise.

Please contact us at any time!

Right to Rectification — Art 16 GDPR

As a data subject, you have the right to demand from us the immediate correction of incorrect personal data concerning you as well as the immediate completion of your personal data stored with us. You can contact us at any time for this purpose.

Right to Erasure (or Right to be Forgotten) — Art 17 GDPR

As a data subject, you have the right to demand from us that personal data concerning you be deleted immediately, provided one of the following reasons applies and insofar as processing is not necessary for exercising the right to freedom of expression and information, for compliance with a legal obligation, for reasons of public interest or for the establishment, exercise or defense of legal claims:

  • Your personal data were collected for such purposes or otherwise processed for which they are no longer necessary.
  • As a data subject, you withdraw your consent on which the processing was based according to Art. 6 Para. 1 Letter a) GDPR or Art. 9 Para. 2 Letter a) GDPR, and there is no other legal basis for the processing.
  • As a data subject, you object to the processing according to Art. 21 Para. 1 GDPR and there are no overriding legitimate grounds for the processing, or as a data subject you object to the processing according to Art. 21 Para. 2 GDPR.
  • Your personal data have been unlawfully processed.
  • The deletion of your personal data is necessary for compliance with a legal obligation under Union law or the law of the Republic of Austria to which we as controller are subject.

Right to Restriction of Processing — Art 18 GDPR

As a person affected by the processing of personal data, you have the right to demand from us as controller the restriction of processing if one of the following conditions is met:

  • The accuracy of the personal data is disputed by you as the data subject, for a period that enables us as controller to verify the accuracy of your personal data.
  • The processing is unlawful and you as the data subject refuse the deletion of your personal data and instead demand the restriction of the use of your personal data.
  • We as controller no longer need your personal data for the purposes of processing, but you as the data subject need them for the establishment, exercise or defense of legal claims.
  • You as the data subject have objected to processing according to Art. 21 Para. 1 GDPR and it is not yet established whether the legitimate grounds of the controller outweigh those of the data subject.

Right to Data Portability — Art 20 GDPR

As a person affected by the processing of personal data, you have the right to receive the personal data concerning you, which you have provided to us as controller, in a structured, commonly used and machine-readable format.

You also have the right to transmit this data to another controller without hindrance from us, provided

  1. the processing is based on consent according to Art. 6 Para. 1 Letter a) GDPR or Art. 9 Para. 2 Letter a) GDPR or on a contract according to Art. 6 Para. 1 Letter b) GDPR.
  2. and the processing is carried out using automated procedures, provided the processing is not necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

Furthermore, as a data subject, when exercising your right to data portability according to Art. 20 Para. 1 GDPR, you have the right to have your personal data transmitted directly from us as controller to another controller, where technically feasible and provided this does not adversely affect the rights and freedoms of other persons.

Right to Object — Art 21 GDPR

As a data subject, you have the right, for reasons arising from your particular situation, to object at any time to the processing of personal data concerning you, which is based on Art. 6 Para. 1 Letters e (the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller) or f (the processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party) GDPR. You can contact us at any time for this purpose. We as controller will then no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves the establishment, exercise or defense of legal claims.

Legal Remedy Information — Art 77 GDPR; § 24 DSG

You have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, your place of work or the place of the alleged infringement, if you consider that the processing of personal data relating to you infringes the GDPR or (for Austria) the DSG. In Austria, this supervisory authority is the Data Protection Authority. In Germany, the Federal Commissioner for Data Protection and Freedom of Information is available to you as the competent data protection authority at the federal level, and for the individual federal states, the respective state commissioners or in Bavaria the Bavarian State Office for Data Protection Supervision.

Right of Withdrawal — Art 7 Para 3 GDPR

You have the right to withdraw consent you have given at any time. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal. You can give a withdrawal — as you please — quite simply at any time informally at dpo@graz.woop.fun.

10. Data Security

The security of your data is a great concern to us. Therefore, we have taken all necessary technical and organizational measures to ensure the security of data processing as well as the confidentiality of your personal data and to protect your personal data from access by unauthorized third parties as best as possible and will continue to do so in the future. We regularly review the technical and organizational measures we have implemented in order to constantly adapt them to technological progress.

We achieve this on the one hand through the use of current security software, coding and encryption procedures within our IT infrastructure, and on the other hand we promote the security of your data through the use of risk-minimizing measures (data minimization in all areas) as well as preventive protective measures.

Commissioned processors may only process your personal data if they comply with these technical and organizational security measures.

11. Final Provisions

WOOP! Funpark Graz GmbH reserves the right to change or supplement this privacy policy to ensure compliance with applicable data protection laws. The currently applicable general data protection notices are available at the headquarters of WOOP! Funpark Graz GmbH, at Weblinger Gürtel 25, 8054, on its website at https://graz.woop.fun/ or from the data protection coordinator, who can be contacted at dpo@graz.woop.fun.