Privacy Policy

The Belvedere processes personal data strictly according to the statutory requirements set by the GDPR. In the following section, you will learn what kind of data is collected when visiting our website or other services (contact, social media, applications) and how this data is being used.

We reserve the right to adapt this privacy statement to reflect any new technical developments or legal changes and, if necessary, to update it when new services or products become available.


Responsible Party

Österreichische Galerie Belvedere
Wissenschaftliche Anstalt öffentlichen Rechts
Prinz Eugen-Strasse 27
1030 Wien

On any matter relating to privacy or the exercise of your rights, you may contact the privacy officer at

Data Access

Each time you access our website, your browser automatically transmits, for technical reasons, the data listed below to our web servers. The data is stored exclusively for statistical and technical purposes; for example, to evaluate the frequency of page visits or to detect malfunctions in server operations. The following data is logged and evaluated:

  • Request (file name of the requested file)
  • Browser type and browser version
  • Operating system used
  • Referrer URL, i.e., the website that directed you to our website
  • IP address
  • Date and time of your visit
  • The particular webpages visited within our website

We collect this data in accordance with our legitimate interest (see Article 6(1)(f) GDPR) and store the information in "server log files" on our website server. The server log files are stored for a maximum of one week and are subsequently deleted. If data must be stored to provide evidence, e.g., to clarify security breaches, such is excluded from deletion until the incident is conclusively resolved.

For the technical and organizational implementation of our internet presence as well as newsletter distribution, we make use of selected contracted data processing companies. All contracted data processing companies are contractually obligated to treat your personal data confidentially and to process it only within the scope of the service provision in accordance with our instructions. Data processing is conducted exclusively within the EU or EEA.


Online Purchases

When purchasing tickets and other products online on our website, your personal information (name, address, phone number, e-mail address) is collected and, provided you place the order, stored. This information is captured to handle purchase orders and their processing and is stored until the expiration of statutory storage obligations, but is not disclosed to any third party unless it is necessary for the fulfillment of contract processing. Your information is forwarded to our payment service provider (mPAY24 GmbH, Grüngasse 16, 1050 Vienna), and any delivery agent or carrier handling the shipment of items purchased.

Further, when purchasing our products via third parties (e.g., booking platforms, travel agencies), personal data shall be passed on to us. This data is necessary to fulfill the contract requirements. Information on privacy can be found in the respective privacy declarations of such providers.

If the data requested is not provided, we will be unable to assume fulfillment of the contract.


Disclosure of Third-Party Data

You agree to inform third parties whose data you provide to the Österreichische Galerie Belvedere (for example, when purchasing an annual ticket as a gift) about the processing of their personal data by the Österreichische Galerie Belvedere and to obtain any required consent from such third parties.

Direct Advertising

The responsible party uses authorized address publishers or public sources for the purposes of sending direct-mail advertising about products, services, and events. According to Article 6(1)(f) GDPR, the act of direct advertising is a legitimate interest of the responsible party for the purpose of efficiently reaching, in alignment with marketing strategies, customers, interested parties, and partners, as well as for the purpose of customer recovery. The use of data at the conclusion of a contract, with the aim of returning to a (pre-)contractual relationship, also falls within the scope of legitimate interest. Unless you object to the use of your data for this purpose, your data will be deleted seven years from the date of your last contact with the responsible party – earlier, in the event of objection. Such data will not be passed on to third parties who might use it for their own purposes without your consent.


For the purpose of sending electronic mail in accordance with Article 107(3) TKG [telecommunications act], the data available to the responsible party resulting from the contractual relationship will be processed unless you object to this at the time of collection. When using this data, the responsible party complies with the provisions of the telecommunications act, in particular with Article 107 TKG.


You are given the opportunity to register for our newsletter directly on our website. During this process, we capture your e-mail address, your name, title, the desired newsletter language, and newsletter preferences.

Immediately after ordering the newsletter, you will receive further information. As soon as you have registered for the newsletter, we will send you a confirmation e-mail with a link to confirm your registration. You will receive the newsletter only once you have confirmed your registration. If no confirmation is received, the data will be deleted.

Of course, you may withdraw your consent at any time, either directly via the unsubscribe link in any of the newsletters or by e-mail to


To dispatch the newsletter, we work together with Emarsys eMarketing Systems AG, Märzstrasse 1, 1150 Vienna, Austria.

Contact Form

When you contact us via the options made available (e.g., contact form, telephone, e-mail, or social media), your information (name, contact data, subject, and inquiry) will be processed to answer your inquiry. We handle your data to fulfill (pre-)contractual obligations or because of our legitimate interest in processing and answering inquiries from customers, interested parties, and partners. Your data will be kept for the duration of the handling process and for a maximum of three years. Such data will not be passed on to third parties without your consent.

Job Application Sent to the Österreichische Galerie Belvedere

To process your inquiry, handle the application process, and fill vacancies within our company, we process the personal data you provide us with, such as your name, title, address, telephone number, date of birth, education, professional experience, salary expectations, and any data and images contained in your cover letter, your curriculum vitae, certificates, or other documents sent. This takes place to fulfill (pre-)contractual obligations (Article 6(1)(b) GDPR). Please note that you may be contacted by our employees either by telephone and/or e-mail to ensure that the application process runs smoothly. You affirm that all information provided is truthful. Incorrect information found after employment has been offered can lead to termination.

As a matter of principle, your data will only be forwarded to those internal offices and competent departments within our company responsible for specific application procedures. Your personal application data will not be passed on to third parties.

If the Österreichische Galerie Belvedere enters into an employment agreement with an applicant, the submitted data will be stored for the purpose of processing the employment relationship in compliance with statutory provisions.

If no employment contract is established with the applicant, the application documents will be deleted six months after notification of the refusal decision, unless consent has been given for the storage of records in accordance with Article 6(1)(a) GDPR. This consent is obtained separately. Your consent may be revoked at any time without the need to provide reasons under the aforementioned contact.


The following information is processed from donors and prospective donors: name, date of birth, address, contact details, donation history, and communication history. The purpose of this data processing is to contact donors and prospective donors and to administer donations made. If your donation is to be processed within the automated tax assessment system, your name and date of birth must be submitted to the tax office. Failure to disclose this information will result in donations being excluded as special expenses for tax purposes. The legal basis for this data processing is the legitimate interest as defined in Article 6(1)(f) GDPR for the acquisition of donations by recruiting and retaining donors, the fulfillment of a contract as defined in Article 6(1)(b) GDPR, and the fulfillment of a legal obligation as defined in Article 6(1)(c) GDPR (federal fiscal code, museum regulations). Your data will be stored for the duration of the statutory retention period.

Film, Photo, and Audio Recording during Our Events

Please note that the Österreichische Galerie Belvedere reserves the right, unrestricted as to time or place, to use any film, audio, or photo material recorded during an event for the purpose of documentation, information, and reporting on the event and to publish such material in print publications, on the website, in newsletters, and on social media.


In addition, your data will be passed on to internal departments (IT, marketing) and contract processors who, out of necessity, must receive such data for production, processing, and publication tasks. The data will also be shared with third parties (in particular media) for the purpose of providing information and press coverage. The data will not be disclosed to recipients who pursue their own purposes with this data. In the case of social media channels, however, the respective social media service may be granted the right to use the published data.


The processing, publication, and dissemination are based on our legitimate interest to show our activities and conduct public relations work and thus to increase awareness, as defined in Article 6(1)(f) GDPR, as well as in accordance with Sections 12 and 13 DSG [Austrian Privacy Act]. You are entitled to object to processing. The objection can be directed to the responsible persons or photographers on-site or to


Care is taken for the rights and freedoms of persons depicted in the creation and use of the photos. We make this known specifically upfront by posting a notice in our invitations and directly on-site. We ensure that no legitimate interests of persons depicted are violated. Should, however, the rights and freedoms of a depicted person be violated for reasons particularly worthy of consideration, we will refrain from further processing by means of suitable measures. Images in print media already distributed cannot be made unrecognizable. Deletions on the website or social media channels will be carried out within the scope of technical feasibility.

Data Security

Safeguarding your data in our systems is a matter of utmost priority. It is our goal to manage your data with the greatest of care, taking all necessary technical and organizational security measures to protect your personal data from loss and misuse.


Access to our website is secured via HTTPS if your browser supports SSL. This means that communication between your terminal device and our servers is encrypted. Should you wish to contact us or our employees by e-mail, we would like to remind you that the confidentiality of the information transmitted cannot be guaranteed. Due to their technical design, the contents of e-mails can be viewed by third parties unless special technical security measures are taken.


To ensure appropriate information and system security and to detect malware, e-mail traffic protocol data is stored. When you send an e-mail to one of our addresses, the following data are logged: e-mail and IP address of both the recipient and the sender, number of recipients, subject, date and time of receipt at the server, file name of any attachments, size of the message, risk classification for spam, and delivery status. In a first step, e-mails are checked purely automatically. Only if there is a suspicion of danger for the security of the IT systems are individual e-mails manually checked by responsible persons.


The website uses technologies such as web analytics and cookies to evaluate and improve the structure and navigation of our web presence and to customize it to suit your needs. You can revoke your consent at any time. Cookies are small data files stored on your device so that you can be automatically re-identified when you return to our website. Cookies can be stored permanently or only during a session. Two types of cookies are being used: strictly necessary cookies, which provide basic functions of the website, and target-oriented cookies, which help us to optimize the structure and navigation of our website and thus improve the quality of service. With both cookie applications, your IP address is immediately shortened and thus made anonymous so that it can no longer be assigned to you. Therefore, no personal data is collected or evaluated, nor is it linked to other such data. You can also prevent the installation of all types of cookies by adjusting your browser settings accordingly.
You may object in principle to the placement of cookies used for online marketing purposes for a variety of services, especially in the case of tracking, via the US site or the EU site. Furthermore, you may deactivate the storage of cookies in your browser settings. If you choose such a setting, you may not be able to use all functions of our website to their full extent.

Google Analytics

This website uses Google Analytics, a web analysis service offered by Google Inc. (‘Google’). Google Analytics uses cookies – text files placed on your computer – to help the website analyze how users are utilizing the site.
For the collection of data, we rely on your consent pursuant to Article 6 (1) (a) EU GDPR for the corresponding data processing, which you may of course revoke at any time.
The information generated by the cookie tracking your use of the website is generally transmitted to and stored by Google on servers in the United States. The Belvedere website uses IP anonymization. Google, therefore, in accordance with the European Economic Area agreement, will truncate IP addresses within member states of the European Union or other signatory states before transmission to the USA. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and subsequently shortened there. On behalf of the website operator, Google will analyze this information to evaluate your use of the website, to compile reports on website activity, and to provide the website operator with other services relating to website usage and internet usage. The IP address transmitted by your browser in the context of Google Analytics is not merged with other Google data. You may refuse the use of cookies by selecting the appropriate settings on your browser; however, please note that if you do this you may not be able to use the full functionality of the website. You can also prevent Google from collecting the data generated by the cookie and relating to your use of the website (including your anonymized IP address) and from processing this data by downloading and installing the browser plug-in available under the following link: (

Google Remarketing

We use the remarketing or "Similar Audiences" function from Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, hereinafter referred to as "Google." 
We use this feature to deliver interest-based, personalized advertising to third-party websites that also participate in Google's advertising network.
To facilitate this advertising service, Google stores a cookie containing a sequence of numbers on your end device when you visit our web presence via your internet browser. This cookie records both your visit and the use of our website in an anonymous form. Personal data will not be disclosed to third parties. When you subsequently visit the website of a third party who also uses Google's advertising network, it may be possible that you will see advertisements that are related to our website or to the services we offer on that site.
For the collection of data, we rely on your consent pursuant to Article 6 (1) (a) EU GDPR for the corresponding data processing, which you may of course revoke at any time. Data may be transferred via a third country party into the USA.
To permanently deactivate this function, Google offers a browser plug-in for the most common internet browsers at
Google's cross-device marketing feature may enable tracking your usage behavior across multiple devices so that you may see interest-based, personalized advertising even when you switch devices. However, this presupposes that you have agreed to have your browsing history linked to your existing Google Account.

Enable or Disable Cookies

We also use cookies to make our services as customer-friendly as possible. Cookies are small text files that are stored on your device to allow our website to recognize you [or your browser] each time you use our website. Cookies can be stored permanently or for one session only. Two types of cookies are used: essential cookies that provide basic functions of the website, and targeted cookies, which help us optimize the structure and navigation of our website and thus improve the quality of service. With both cookie applications, your IP address is immediately shortened and made anonymous so that it can no longer be assigned to you. This means that personal data is not recorded or evaluated, nor is it linked to other such data.

In addition, you can prevent the installation of all types of cookies by setting your browser accordingly.

A general objection to the use of cookies for online marketing purposes can be raised for many services, especially in the case of tracking, via the US website

or the EU website. Furthermore, stored cookies can be deactivated by configuring your browser settings. If you choose such a setting, our website may not be able to fully support all functions.

Social Media – Plug-Ins

This website uses social media plug-ins, such as,,,, and You may recognize them by each provider’s corresponding logo.

As soon as you visit a page on which such a logo appears, a connection to the provider’s respective server is established informing the provider as to the specific page you are visiting. The website operator has no influence on what data is transmitted to the respective provider. This data transfer takes place independently from actively clicking the plug-in.

In the case that you are simultaneously logged into Facebook, Twitter, Instagram, or YouTube, the plug-in can generate a material connection with your account. As soon as you leave a comment on the website or submit a “like” to this plug-in, it transfers the information to the provider and associates it with your account. You may prevent this by unsubscribing your account from the provider before using the plug-ins.

For social media plug-ins, the individual provider’s privacy directives apply (see the links in the following section).


Afternoon classes/Workshops

The Österreichische Galerie Belvedere processes your personal data for the following purposes: registration, administration, and implementation of afternoon classes/workshops, support for participants, invoicing, attendance lists, and to inform contact persons in the event of an incident (especially medical emergencies). This is done on the basis of the underlying contractual relationship in accordance with Article 6 (1)(b) GDPR. In addition, we collect health data for the purpose of proper care and consideration of special needs, based on your consent in accordance with Article 6 (1) GDPR.


Without the provision of the requested data, participation in afternoon classes/workshops is not possible. 


Due to the current COVID-19 situation, the data will be reported to the 1450 Health Hotline if a suspected case or infection occurs. This is based on the legitimate interest (Article 6(1)(f) GDPR) of the responsible party and the participants in health protection and rapid clarification. Furthermore, should a COVID-19 situation (case of infection, suspected case) occur, the data will be transmitted to the health authorities upon their request in accordance with Article 6 (1)(c) GDPR in conjunction with §5 para. 3 of the Epidemic Law 1950. Beyond this, no data will be passed on to third parties.


The billing data is stored for a period of seven years in accordance with tax law storage obligations (§132 BAO [Federal Tax Code], §§ 190, 212 UGB [Austrian Commercial Code]). Other data is deleted three years after the end of the afternoon class/workshop (§ 1489 AGBG [Standard Terms and Conditions of Business Law]). In the event of a possible cancellation without prior receipt of payment, the data provided by you will be stored for three years (§ 1489 AGBG [Standard Terms and Conditions of Business Law]).


For event management purposes we will process, in addition to your master and contact data, your acceptance or cancellation of an event, event participation, invitation and participation history, as well as any information you voluntarily provide regarding your participation (e.g., food preferences, allergies/intolerances, physical limitations). The legal basis for the processing of data is provided by Article 6(1)(a) (your consent) and Article 6(1)(f) (legitimate interests of the responsible party) GDPR. Our legitimate interests lie in the timely and demand-oriented organization, hosting, and follow-up of the event; meeting the participants' respective desires; and aligning marketing strategies for customer acquisition to enter into a (pre-contractual) contractual relationship. Special categories of personal data (e.g., allergies, physical limitations) are processed exclusively on the basis of your voluntary consent. Failure to provide consent may prevent special participant requests from being honored. You can revoke your consent at any time by sending an e-mail to the contact provided in detail below. Your data will be stored for a maximum of 3 years after the last contact. Your data may be transferred to contracted processors for the provision of services (e.g., catering, event management, registration of participants, security). These processors must comply with data protection regulations and delete the data after the contractual service has been performed. Data processing takes place exclusively within the EU or EEA.

Covid-19 Disclosure

Data protection notice: To prevent the (further) spread of COVID-19 in the event of a suspected case, we collect your contact data as per Section 5c paragraph 3 of the Epidemic Act 1950, Federal Law Gazette No. 186/1950 as amended in conjunction with Section 17 of the COVID-19 Opening Ordinance, Federal Law Gazette II No. 214/2021 as amended. Upon request, the collected data will be transmitted exclusively to the competent authorities in accordance with Section 5 paragraph 3 of the Epidemic Act 1950. The collected data will be kept for a period of 28 days and then destroyed. Before the start of the event, proof of low epidemiological risk and, if necessary, data for establishing identity will be determined in accordance with Section 5c paragraph 3 of the Epidemic Act 1950, Federal Law Gazette No. 186/1950 as amended in conjunction with Section 21 of the COVID-19 Opening Ordinance, Federal Law Gazette II No. 214/2021 as amended. This data is not stored. For more information, your rights, and all contact details of the data controller and the data protection officer, please visit

Online Presence in Social Media

We maintain an online presence on social networks and platforms to communicate and provide information about our services to those customers, interested parties, partners, and users who are active there.


The processing of users' personal data is performed based on our legitimate interests in effectively informing and communicating with our users in accordance with Article 6(1)(f) GDPR. In the event that the respective platform providers ask users for their consent to the aforementioned data processing, Articles 6(1)(a) and 7 of the GDPR provide legal basis.


Please note that, as the creators of the online presence, we do not make any decisions regarding the processing of user data and all other information pursuant to Article 13 GDPR, including the legal basis, identity of the responsible party, and storage period of cookies placed on user terminals. These are set by providers independently.


Please note that the user’s data may be processed outside of the European Union. This may entail risks for users, e.g., by making it more difficult to enforce users' rights. With respect to US providers certified under the Privacy Shield framework, note they are thereby obligated to comply with EU privacy standards.


Furthermore, user data is, as a rule, processed for the purposes of market research and advertising. For example, based on user behavior, the resulting information on interests may be used to create user profiles. User profiles can then be used, for example, to insert advertising inside and outside platforms that presumably correspond to the interests of the users. For these purposes, cookies storing the usage behavior and interests of the user are cached on the user’s computer. Furthermore, data can also be stored in user profiles independent of the devices employed by the users (particularly if the users are members of the respective platforms and are logged into them).


For a detailed description of the processing and opt-out options of respective platforms, we refer you to the linked information on providers listed below.


For cases of requests for information and the assertion of rights of persons affected, we advise you that these can be pursued in the most effective way directly with the providers. Providers are the only ones who have access to user data and can directly take appropriate measures and provide information. That recommendation notwithstanding, however, please be advised that persons affected can assert their rights against any individual responsible, i.e., against any party.


Facebook, -pages, -groups (Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland), based on an agreement on the joint processing of personal data

Data privacy statement:
Data privacy information for pages: and
Opt-out: and
Privacy Shield:


Google/YouTube (Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA)
Data privacy statement:
Privacy Shield:

Instagram (Instagram Inc., 1601 Willow Road, Menlo Park, CA, 94025, USA)
Data privacy statement:  

Twitter (Twitter Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA)
Data privacy statement:
Privacy Shield:

TripAdvisor (TripAdvisor Inc., 400 1st Avenue, Needham, MA 02494 USA)
Data privacy statement:


Your Rights

Regarding the processing of your data, you have the right to: information, correction, deletion, restriction, data transferability, revocation, and objection. The right of revocation applies to data processing that is based on your consent. The right to object exists in the case of data processing that is based on the legitimate interests of the responsible party or a third party. If you believe that the processing of your data violates privacy laws or your privacy claims have otherwise been violated in any way, you may lodge a complaint with the regulatory authority. In Austria, this is the Austrian Data Protection Authority. If you would like to exercise any of the above rights, you can also contact us at any time at or by mail at:

Österreichische Galerie Belvedere
Wissenschaftliche Anstalt öffentlichen Rechts
Prinz Eugen-Strasse 27
1030 Wien