GDPR Compliance
Last Updated: December 5, 2025
Our Commitment to GDPR
RiFa Holding & Advertising GmbH ("LobbyFlight", "we", "us", or "our") is committed to protecting your personal data and respecting your privacy rights under the General Data Protection Regulation (GDPR) (EU) 2016/679. This page outlines how we comply with GDPR requirements and protect your rights as a data subject.
Your Rights Under GDPR
As a data subject under GDPR, you have the following rights regarding your personal data:
1. Right to Access (Article 15)
You have the right to obtain confirmation of whether we process your personal data, and if so, access to the data and information about how it is processed.
2. Right to Rectification (Article 16)
You have the right to request correction of inaccurate personal data and to have incomplete personal data completed.
3. Right to Erasure/"Right to be Forgotten" (Article 17)
You have the right to request deletion of your personal data when it is no longer necessary for the purposes for which it was collected, or if you withdraw consent.
4. Right to Restrict Processing (Article 18)
You have the right to request that we limit the processing of your personal data under certain circumstances.
5. Right to Data Portability (Article 20)
You have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit it to another controller.
6. Right to Object (Article 21)
You have the right to object to the processing of your personal data for direct marketing purposes or based on legitimate interests.
7. Rights Related to Automated Decision-Making (Article 22)
You have the right not to be subject to decisions based solely on automated processing, including profiling, which produces legal effects concerning you.
Legal Basis for Processing
We process personal data based on the following legal grounds:
- Consent (Article 6(1)(a)): When you explicitly agree to our processing of your personal data for specific purposes
- Contract (Article 6(1)(b)): When processing is necessary for the performance of our service agreement with you
- Legal Obligation (Article 6(1)(c)): When we are required by law to process your data
- Legitimate Interests (Article 6(1)(f)): When processing is necessary for our legitimate interests, except where overridden by your rights
Data Protection Measures
We implement appropriate technical and organizational measures to ensure the security of your personal data:
Technical Measures
- End-to-end encryption for data transmission
- Secure password hashing (bcrypt)
- Regular security updates and patches
- Firewall and intrusion detection systems
- Regular data backups
Organizational Measures
- Staff training on data protection
- Access control and authorization
- Data processing agreements with partners
- Regular privacy impact assessments
- Incident response procedures
Data Processing Activities
| Data Category | Purpose | Legal Basis | Retention Period |
|---|---|---|---|
| Account Information | Service provision | Contract | Duration of contract + 6 years |
| Payment Data | Billing and invoicing | Contract, Legal obligation | 10 years (tax law) |
| Usage Data | Service improvement | Legitimate interest | 90 days |
| Marketing Data | Newsletter, promotions | Consent | Until consent withdrawn |
| Support Data | Customer service | Contract, Legitimate interest | 3 years |
International Data Transfers
When we transfer personal data outside the European Economic Area (EEA), we ensure appropriate safeguards:
- EU-US Data Privacy Framework certification for US transfers
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Adequacy decisions for countries with equivalent data protection levels
- Binding Corporate Rules (BCRs) for intra-group transfers
Third-Party Data Processors
We work with carefully selected third-party processors who are GDPR compliant:
Stripe (Payment Processing)
Location: USA | Safeguard: Privacy Shield, SCCs
Vercel (Hosting & Infrastructure)
Location: USA | Safeguard: SCCs, ISO 27001
Google Analytics (Analytics)
Location: USA | Safeguard: Privacy Shield, SCCs
AviationStack (Flight Data API)
Location: Germany | Safeguard: EU-based processing
Data Breach Notification
In the event of a personal data breach, we will:
- Notify the relevant supervisory authority within 72 hours of becoming aware of the breach
- Document all breaches, including facts, effects, and remedial actions taken
- Notify affected data subjects without undue delay if the breach is likely to result in high risk
- Cooperate fully with supervisory authorities in their investigation
Privacy by Design and Default
We implement privacy by design principles in all our operations:
- Data minimization - we only collect data necessary for specified purposes
- Purpose limitation - data is only used for stated purposes
- Privacy settings are set to the most protective by default
- Regular privacy impact assessments for new features
- Pseudonymization and encryption where possible
Children's Privacy
Our services are not directed to individuals under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that a child under 16 has provided us with personal data, we will take steps to delete such information.
Exercising Your Rights
To exercise any of your GDPR rights, please contact us using the information below. We will respond to your request within one month, though complex requests may require up to three months.
Important: To protect your privacy, we may need to verify your identity before processing your request. We will never charge a fee for exercising your rights unless requests are manifestly unfounded or excessive.
Data Protection Officer
We have appointed a Data Protection Officer (DPO) to oversee our GDPR compliance:
Data Protection Officer
RiFa Holding & Advertising GmbH
E.v. Behringstraße 14
9500 Villach, Austria
Email: dpo@lobbyflight.com
Supervisory Authority
You have the right to lodge a complaint with a supervisory authority if you believe your rights have been violated. The lead supervisory authority for our organization is:
Österreichische Datenschutzbehörde
Barichgasse 40-42
1030 Wien, Austria
Phone: +43 1 52 152-0
Email: dsb@dsb.gv.at
Website: www.dsb.gv.at
Updates to This Policy
We may update this GDPR compliance information from time to time to reflect changes in our practices or legal requirements. We will notify you of any material changes by posting the new information on this page and updating the "Last Updated" date.