The Belvedere processes personal data strictly according to statutory requirement as set by the GDPR. In the following section, you will learn what kind of data is collected when visiting our website or other services (contact, social media, applications) and how this data is being used.

We reserve the right to adapt this privacy statement to reflect any new technical developments or legal changes and, if necessary, to update it when new services or products become available.


Responsible Party

The responsible party for processing data is

Österreichische Galerie Belvedere

Wissenschaftliche Anstalt öffentlichen Rechts
Prinz Eugen-Straße 27
1030 Vienna

On any matter relating to privacy or the exercise of your rights, you may contact the privacy officer at

Data Access

Each time you access our website, your browser automatically transmits, for technical reasons, the data listed below to our web servers. The data is stored exclusively for statistical and technical purposes; for example, to evaluate the frequency of page visits or to detect malfunctions in server operations. The following data is logged and evaluated:

  • Request (file name of the requested file)
  • Browser type and browser version
  • Operating system used
  • Referrer URL, i.e., the website that directed you to our website
  • IP address
  • Date and time of your visit
  • The particular webpages visited within our website

We collect this data in accordance with our legitimate interest (see Article 6(1)(f) GDPR) and store the information in "server log files" on our website server. The server log files are stored for a maximum of one week and are subsequently deleted. If data must be stored to provide evidence, e.g., to clarify security breaches, such is excluded from deletion until the incident is conclusively resolved.

For the technical and organizational implementation of our internet presence as well as newsletter distribution, we make use of selected contracted data processing companies. All contracted data processing companies are contractually obligated to treat your personal data confidentially and to process it only within the scope of the service provision in accordance with our instructions. Data processing is conducted exclusively within the EU or EEA.


Online Purchases

When purchasing tickets and other products online on our website, your personal information (name, address, phone number, e-mail address) is collected and, provided you place the order, stored. This information is captured to handle purchase orders and their processing and is stored until the expiration of statutory storage obligations, but is not disclosed to any third party unless it is necessary for the fulfillment of contract processing. Your information is forwarded to our payment service provider (mPAY24 GmbH, Grüngasse 16, 1050 Vienna), and any delivery agent or carrier handling the shipment of items purchased.

Further, when purchasing our products via third parties (e.g., booking platforms, travel agencies), personal data shall be passed on to us. This data is necessary to fulfill the contract requirements.  Information on privacy can be found in the respective privacy declarations of such providers.

If the data requested is not provided, we will be unable to assume fulfillment of the contract.


Disclosure of Third-Party Data

You agree to inform third parties whose data you provide to the Österreichische Galerie Belvedere about the processing of their personal data by the Österreichische Galerie Belvedere and to obtain any required consent from such third parties. For example, when purchasing an annual ticket as a gift.

Direct Advertising

The responsible party uses authorized address publishers or public sources for the purposes of sending direct-mail advertising about products, services, and events. According to Article 6(1)(f) GDPR, the act of direct advertising is a legitimate interest of the responsible party for the purpose of efficiently reaching, in alignment with marketing strategies, customers, interested parties, and partners, as well as for the purpose of customer recovery. The use of data at the conclusion of a contract, with the aim of returning to a (pre-)contractual relationship, also falls within the scope of legitimate interest. Unless you object to the use of your data for this purpose, your data will be deleted seven years from the date of your last contact with the responsible party – earlier, in the event of objection. Such data will not be passed on to third parties who might use it for their own purposes without your consent.


For the purpose of sending electronic mail in accordance with Article 107(3) TKG [telecommunications act], the data available to the responsible party resulting from the contractual relationship will be processed unless you object to this at the time of collection. When using this data, the responsible party complies with the provisions of the telecommunications act, in particular with Article 107 TKG.


You are given the opportunity to register for our newsletter directly on our website. During this process, we capture your e-mail address, your name, title, the desired newsletter language, and newsletter preferences.

Immediately after ordering the newsletter, you will receive further information. As soon as you have registered for the newsletter, we will send you a confirmation e-mail with a link to confirm your registration. You will receive the newsletter only once you have confirmed your registration. If no confirmation is received, the data will be deleted.

Of course, you may withdraw your consent at any time, either directly via the unsubscribe link in any of the newsletters or by e-mail to


To dispatch the newsletter, we work together with Emarsys eMarketing Systems AG, Märzstrasse 1, 1150 Vienna, Austria.

Contact Form

When you contact us via the options made available (e.g., contact form, telephone, e-mail, or social media), your information (name, contact data, subject, and inquiry) will be processed to answer your inquiry. We handle your data to fulfill (pre-)contractual obligations or because of our legitimate interest in processing and answering inquiries from customers, interested parties, and partners. Your data will be kept for the duration of the handling process and for a maximum of three years. Such data will not be passed on to third parties without your consent.

ob Application Sent to the Österreichische Galerie Belvedere

To process your inquiry, handle the application process, and fill vacancies within our company, we process the personal data you provide us with, such as your name, title, address, telephone number, date of birth, education, professional experience, salary expectations, and any data and images contained in your cover letter, your curriculum vitae, certificates, or other documents sent. This takes place to fulfill (pre-)contractual obligations (Article 6(1)(b) GDPR. Please note that you may be contacted by our employees either by telephone and/or e-mail to ensure that the application process runs smoothly. You affirm that all information provided is truthful. Incorrect information found after employment has been offered can lead to termination.

As a matter of principle, your data will only be forwarded to those internal offices and competent departments within our company responsible for specific application procedures. Your personal application data will not be passed on to third parties.

If the Österreichische Galerie Belvedere enters into an employment agreement with an applicant, the submitted data will be stored for the purpose of processing the employment relationship in compliance with statutory provisions.

If no employment contract is established with the applicant, the application documents will be deleted six months after notification of the refusal decision, unless consent has been given for the storage of records in accordance with Article 6(1)(a) GDPR. This consent is obtained separately. Your consent may be revoked at any time without the need to provide reasons under the aforementioned contact.


The following information is processed from donors and prospective donors: Name, date of birth, address, contact details, donation history, and communication history. The purpose of this data processing is to contact donors and prospective donors and to administer donations made. If your donation is to be processed within the automated tax assessment system, your name and date of birth is a required submission to the tax office. Failure to disclose this information will result in donations being excluded as special expenses for tax purposes. The legal basis for this data processing is the legitimate interest as defined in article 6(1)(f) GDPR for the acquisition of donations by recruiting and retaining donors, the fulfillment of a contract as defined in article 6 (1)(b) GDPR, and the fulfillment of a legal obligation as defined in article 6(1)(c) GDPR (federal fiscal code, museum regulations). Your data will be stored for the duration of the statutory retention period.

Film, Photo, and Audio Recording during Our Events

Please note that the Österreichische Galerie Belvedere reserves the right, unrestricted to time or place, to use any film, audio, or photo material recorded during an event for the purpose of documentation, information, and reporting on the event and to publish such material in print publications, on the website, in newsletters, and on social media.


In addition, your data will be passed on to internal departments (IT, marketing) and contract processors who, out of necessity, must receive such data for production, processing, and publication tasks. The data will also be shared with third parties (in particular media) for the purpose of providing information and press coverage. The data will not be disclosed to recipients who pursue their own purposes with this data.  In the case of social media channels, however, the respective social media service may be granted the right to use the published data.


The processing, publication, and dissemination is based on our legitimate interest to show our activities and conduct public relations work and thus to increase awareness, as defined in Article 6(1)(f) GDPR, as well as in accordance with Sections 12 and 13 DSG [Austrian Privacy Act]. You are entitled to object to processing. The objection can be directed to the responsible persons or photographers on-site or to


Care is taken for the rights and freedoms of persons depicted in the creation and use of the photos. We make this known specifically upfront by posting a notice in our invitations and directly on-site. We ensure that no legitimate interests of persons depicted are violated. Should, however, the rights and freedoms of a depicted person be violated for reasons particularly worthy of consideration, we will refrain from further processing by means of suitable measures. Images in print media already distributed cannot be made unrecognizable. Deletions on the website or social media channels will be carried out within the scope of technical feasibility.

Data Security

Safeguarding your data in our systems is a matter of utmost priority. It is our goal to manage your data with the greatest of care, taking all necessary technical and organizational security measures to protect your personal data from loss and misuse.


Access to our website is secured via HTTPS if your browser supports SSL. This means that communication between your terminal device and our servers is encrypted. Should you wish to contact us or our employees by e-mail, we would like to remind you that the confidentiality of the information transmitted cannot be guaranteed. Due to their technical design, the contents of e-mails can be viewed by third parties unless special technical security measures are taken.


To ensure appropriate information and system security and to detect malware, e-mail traffic protocol data is stored. When you send an e-mail to one of our addresses, the following data are logged: e-mail and IP address of both the recipient and the sender, number of recipients, subject, date and time of receipt at the server, file name of any attachments, size of the message, risk classification for spam, and delivery status. In a first step, e-mails are checked purely automatically. Only if there is a suspicion of danger for the security of the IT systems are individual e-mails manually checked by responsible persons.



We use analytics tools and cookies based on our legitimate interest to help us analyze and improve the structure and navigation of our website in an effort to tailor our website to your needs.

This website uses Google Analytics, a web analysis service offered by Google Inc. (‘Google’). Google Analytics uses so-called cookies – text files which are stored on your computer – to help the website analyze how visitors are utilizing the site. The information produced by a cookie tracking your use of the website is generally transmitted to and stored by Google on servers in the United States. The Belvedere website uses IP anonymization.  Google therefore, in accordance with the European Economic Area agreement, will truncate IP addresses within member states of the European Union or other signatory states before transmission to the USA. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and subsequently shortened there.

IP anonymization is active on this website. On behalf of the operator of this website, Google will use this information to evaluate your use of the website, to compile reports on website activity, and to provide the website operator with other services relating to website and internet use.

The IP address transmitted by your browser within the context of Google Analytics is not merged with other Google data. You may refuse the use of cookies by selecting the appropriate settings on your browser; however, please note that if you do this, you may not be able to use the full functionality of this website. You may prevent Google from collecting the data generated by the cookie and relating to your use of the website (including your IP address) and from processing this data, by downloading and installing the browser plug-in available at the following link:

You may opt out of Google Analytics collecting your data on this website by clicking on the link below. An opt-out cookie is set to prevent your data from being collected in the future when you visit this website: Deactivate Google Analytics

Google Analytics uses the following cookies: _ga (storage time 2 years), _gat (storage time 10 minutes), _gid (storage time 24 hours).


By using this website, you agree to the reading, processing, transmission, and storage of information by cookies.


By using this website, you agree to the processing of data collected about you by web analysis services in the aforementioned manner and for the aforementioned purposes.

Enable or Disable Cookies

We also use cookies to make our services as customer-friendly as possible. Cookies are small text files that are stored on your device to allow our website to recognize you [or your browser] each time you use our website. Cookies can be stored permanently or for one session only. Two types of cookies are used: essential cookies that provide basic functions of the website, and targeted cookies, which help us optimize the structure and navigation of our website and thus improve the quality of service. With both cookie applications, your IP address is immediately shortened and made anonymous so that it can no longer be assigned to you. This means that personal data is not recorded or evaluated, nor is it linked to other such data.

In addition, you can prevent the installation of all types of cookies by setting your browser accordingly.

A general objection to the use of cookies for online marketing purposes can be raised for many services, especially in the case of tracking, via the US website

or the EU website Furthermore, stored cookies can be deactivated by configuring your browser settings. If you choose such a setting, our website may not be able to fully support all functions.

Social Media – Plug-Ins

This website uses social media plug-ins, such as,,,, and You may recognize them by each provider’s corresponding logo.

As soon as you visit a page on which such a logo appears, a connection to the provider’s respective server is established informing the provider as to the specific page you are visiting. The website operator has no influence on what data is transmitted to the respective provider. This data transfer takes place independently from actively clicking the plug-in.

In the case that you are simultaneously logged into Facebook, Twitter, Instagram, or YouTube, the plug-in can generate a material connection with your account. As soon as you leave a comment on the website or submit a “like” to this plug-in, it transfers the information to the provider and associates it with your account. You may prevent this by unsubscribing your account from the provider before using the plug-ins.

For social media plug-ins, the individual provider’s privacy directives apply (see the links in the following section).


Afternoon classes/Workshops

The Österreichische Galerie Belvedere processes your personal data for the following purposes: registration, administration, and implementation of afternoon classes/workshops, support for participants, invoicing, attendance lists, and to inform contact persons in the event of an incident (especially medical emergencies). This is done on the basis of the underlying contractual relationship in accordance with Article 6 (1)(b) GDPR. In addition, we collect health data for the purpose of proper care and consideration of special needs, based on your consent in accordance with Article 6 (1) GDPR.


Without the provision of the requested data, participation in afternoon classes/workshops is not possible. 


Due to the current COVID-19 situation, the data will be reported to the 1450 Health Hotline if a suspected case or infection occurs.  This is based on the legitimate interest (Article 6(1)(f) GDPR) of the responsible party and the participants in health protection and rapid clarification. Furthermore, should a COVID-19 situation (case of infection, suspected case) occur, the data will be transmitted to the health authorities upon their request in accordance with Article 6 (1)(c) GDPR in conjunction with §5 para. 3 of the Epidemic Law 1950. Beyond this, no data will be passed on to third parties.


The billing data is stored for a period of seven years in accordance with tax law storage obligations (§132 BAO [Federal Tax Code], §§ 190, 212 UGB [Austrian Commercial Code]). Other data is deleted three years after the end of the afternoon class/workshop (§ 1489 AGBG [Standard Terms and Conditions of Business Law]). In the event of a possible cancellation without prior receipt of payment, the data provided by you will be stored for three years (§ 1489 AGBG [Standard Terms and Conditions of Business Law]).

Online Presence in Social Media

We maintain an online presence on social networks and platforms to communicate and provide information about our services to those customers, interested parties, partners, and users who are active there.


The processing of users' personal data is performed based on our legitimate interests in effectively informing and communicating with our users in accordance with Article 6(1)(f) GDPR. In the event that the respective platform providers ask users for their consent to the aforementioned data processing, Articles 6(1)(a) and 7 of the GDPR provide legal basis.


As the creators of the online presence, please note that we do not make any decisions regarding the processing of user data and all other information pursuant to Article 13 GDPR, including the legal basis, identity of the responsible party, and storage period of cookies placed on user terminals. These are set by providers independently.


Please note that the user’s data may be processed outside of the European Union. This may entail risks for users, e.g., by making it more difficult to enforce users' rights. With respect to US providers certified under the Privacy Shield framework, note they are thereby obligated to comply with EU privacy standards.


Furthermore, user data is, as a rule, processed for the purposes of market research and advertising. For example, based on user behavior, the resulting information on interests may be used to create user profiles. User profiles can then be used, for example, to insert advertising inside and outside platforms that presumably correspond to the interests of the users. For these purposes, cookies storing the usage behavior and interests of the user are cached on the user’s computer. Furthermore, data can also be stored in user profiles independent of the devices employed by the users (particularly if the users are members of the respective platforms and are logged into them).


For a detailed description of the processing and opt-out options of respective platforms, we refer you to the linked information on providers listed below.


For cases of requests for information and the assertion of rights of persons affected, we advise you that these can be pursued in the most effective way directly with the providers. Providers are the only ones who have access to user data and can directly take appropriate measures and provide information. That recommendation notwithstanding, however, please be advised that persons affected can assert their rights against any individual responsible, i.e., against any party.


Facebook, -pages, -groups (Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland), based on an agreement on the joint processing of personal data

Data privacy statement:
Data privacy information for pages: and
Opt-out: and
Privacy Shield:


Google/YouTube (Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA)
Data privacy statement:
Privacy Shield:

Instagram (Instagram Inc., 1601 Willow Road, Menlo Park, CA, 94025, USA)
Data privacy statement:  

Twitter (Twitter Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA)
Data privacy statement:
Privacy Shield:

TripAdvisor (TripAdvisor Inc., 400 1st Avenue, Needham, MA 02494 USA)
Data privacy statement:


Your Rights

Regarding the processing of your data, you have the right to: information, correction, deletion, restriction, data transferability, revocation, and objection. The right of revocation applies to data processing that is based on your consent. The right to object exists in the case of data processing that is based on the legitimate interests of the responsible party or a third party. If you believe that the processing of your data violates privacy laws or your privacy claims have otherwise been violated in any way, you may lodge a complaint with the regulatory authority. In Austria, this is the Austrian Data Protection Authority. If you would like to exercise any of the above rights, you can also contact us at any time at or by mail at:

Österreichische Galerie Belvedere

Wissenschaftliche Anstalt öffentlichen Rechts
Prinz Eugen-Straße 27
1030 Vienna