AX Travel Management GmbH

1 Processing Activities Travel management[1], passenger data management, payment processing, operation of the website as well as mobile web applications, marketing of products and services, compliance with legal requirements
2 Data Controller AX Travel Management GmbH („AX”)
Stella-Klein-Löw-Weg 13/ OG 3, A-1020 Wien
Telephone: +43 1 516 51 – 2110
3 Contractual relations AX has a contractual relationship with companies for whose employees (travelers) services are offered in connection with travel activities. As a travel agent, AX arranges travel contracts for travel services (individual services, travel arrangements) between the traveler on the one hand and the service provider on the other (business procurement contract). Personal data required to fulfill the contractual service is provided and processed by the company or by the person concerned. The data is passed on to group companies, travel providers, travel agencies, service providers and external booking platforms for the purpose of fulfilling the contract. Data will not be passed on to third parties for any other purpose.


Purposes of Data Processing

·         On the legal basis of fulfilling or preparing the contractual agreement a) Travel organization for business travel management (Business travel), congresses, events und group travels
b) Organization of travel related services upon client request (e.g. residence permits – Visa, event organization, Checking of rights based on Regulation (EEC) No 295/91 for compensation and assistance to passengers)
c) Meeting individual requests for additional offers, recommendations and services of third-party providers
d) Risk management, observing caring duties[2]
e) Global travel management and reporting2 (Data Generation in Global Distribution Systems – GDS)
f) Management of global Air travel program (e.g. PRISM)
g) Dissemination of proprietary and third-party advertisements, directly or within online information offerings and products
h) Answer customer questions via the website
i) Operation and improvement of the website and its applications
j) Provision of self-booking tools and customer databases for direct entry (in the case of direct use of the customer databases by data subjects, a separate data protection information is provided for the respective tool)
·         On the legal basis of a (overriding) legitimate interest a) Handling of claims and complaints
b) Development of statistics and appraisals, and creation of internal reports
c) Familiarity with and managing the preferences of internal reports
·         On the legal basis of (overriding) legitimate interests of AX for direct advertisement[3] a) Re-acquiring old customers and acquiring new customers and travelers
b) Gathering of user numbers for services for the purposes of documenting reach
c) Maintaining customer satisfaction and customer retention (by using profiling, see Point 8 and 9.)
d) Disseminating/playing advertisement for offers and services of AX by use of direct advertisement („marketing purposes“)

insofar as this is legally permissible

e) Analyzing user conduct and personal preferences of customers using organized of managed travels for targeted dissemination of advertisement with the goal of avoiding dispersion losses (by using profiling, see Point 8 and 9.)
f) Improving the services of AX by conducting surveys and analyzing questionnaires, managing claims/complaints and offering the benefits of loyalty programs
·         On the basis of legal obligation a) Creating and storing legally-prescribed documents in observance of accounting principles
b) Sending PNR-Data to the Central office of passenger data for further processing according to regulation (EU) 2016/681
5 Changes to purpose (Forwarding) Direct advertisement: AX hereby informs that it processes customers’ and traveler’s personal data for the purposes of direct advertisement (incl. profiling). AX intends to use direct advertisement to aid in the marketing of adver tised (proprietary or third-party) services and products. The data will not be passed onto any (non-group-affiliated) third parties for this purpose. There is no incompatibility with the purpose of the original data


6 Objecting to processing for the purposes of direct advertisement: The customer and the individual traveler can object to the use of their personal data for direct advertisement (including “profiling”) at any time without providing any reasons to the controller. By lodging an objection, AX will no longer use the customer’s or travelers personal detail for these purposes in future.
7 Legal basis of data pro cessing


·         Consent

Additional service: The controller explicitly solicits the customer’s and traveler´s consent for individual services (electronic newsletter, transfer of the data into the marketing system). This consent can be revoked at any time with future effect.


Description of the (over- riding) legitimate inter- ests for the purposes of direct advertisement: AX also processes customer and traveler’s data (however, not the data of children or special categories personal data within the meaning of Art. 9 GDPR (“sensitive data”)) to use said data for the purposes of direct advertisement for (further) products of companies affiliated with AX (see also Point 8.). Messages for this purpose can be sent via the website, mobile applications (customer portal) or by e-mail.

AX has a legitimate interest in processing personal data for the purposes of direct advertisement (Recital 47, last section of GDPR). This solely involves the processing of customer data in the possession of AX from the contractual relationship and for which the retention period still applies. This does not involve an extension to the retention period.

The primary goal of data processing is acquiring customers with the ob jective of bringing them into a (preliminary) contractual relationship and retaining them as customers. AX relies on its constitutionally protected freedom of running a business (Art. 6 StGG (Austrian Constitution)) and freedom of communication (particularly Art. 10 ECHR, which also pro- tects advertising measures), and on those rights

·         To send postal advertisement;

·         To make advertising calls following consent;

·         To send electronic mail following consent;

·         To send electronic mail in accordance with Section 107 Para. 3 of the Telecommunication Act (TKG);

AX complies with legal, communication-related requirements while using this data, particularly those of Section 107 TKG.

Data processing within the group: AX is part of a corporate group. AX uses group-affiliated companies  on a collaborative basis to fulfil its extensive obligations (processing bookings via a central booking system, payment systems, marketing, accounting, etc.). AX has a legitimate interest therein (Recital 48 of GDPR).

This particularly relates to the management of booking data from all group-affiliated companies performed via a central booking system. This database is maintained by AX; data is saved and managed centrally. Units of group-affiliated companies have access to this database or personal data only for the purposes of contractual and legal fulfilment as well as to protect legitimate interests. These units have a contractual obligation to observe all applicable legal conditions for data protection.

IT security: AX saves the IP addresses of its customers for a period of 7 days in order to defend against targeted attacks in the form of overloading serv- ers (denial of service attacks) and other damage to systems. AX has a legitimate interest in this form of data processing for the purposes of maintaining the functionality of its services provided online (Recital 49 of GDPR).
9 Analyses of personal aspects of the customer (“profiling”) Type Description
“Gathering and storing” AX stores customer activities (e.g. travel data, flight data, travel destinations, information concerning the organization of congresses, events and group travels, complaints, special services, personal prefer- ences, response to offers etc.) to enable optimal customer care and to ensure relevant and targeted measures can be used to improve satisfaction and customer retention, and to adjust the service on an

individual basis.

“Analysis of personal interests” AX stores customer behavior, special services, personal preferences, and thus deduces specific personal interests in order to prevent dispersion losses (and to minimize data processing operations) when playing advertising content and within direct marketing. AX uses these analyzed interests in order to communicate targeted, interest-specific offers and advertising to customers and thus prevent

dispersion loss in advertising.

10 Objecting to “profiling”: The customer and the traveler can object to the use of their personal data for the purposes of profiling at any time without providing any reasons to the controller. By lodging an objection, AX will no longer use the

customer’s personal data for the purpose of profiling in future.

11 Obligation to provide data Customers are under no obligation to provide data except to fulfil legal reporting obligations. Without the provision of data the contracted ser- vices cannot be provided.
12 Automated decision-


The customer is not subject to any automated decision that has a legal effect upon them.
13 Types of data processed The processed customer data are stored in a customer database after a master data collection, or by direct entry of the data by the customers or the traveler in a profile. This serves the management of the data to carry out the bookings and provide the contractual service.
Disclosed mandatorily by the customer, traveler or a customer related third party (e.g. Company travel management) Gathered by AX additionally
Personal data according to passport data (first and last name, maiden name, academic titles, date of birth) Origin of data provided
Gender (f,m,d) Additional services used
Contact details (Address(es), Telephone, Email address(es)) Preferences (e.g. eating/dietary habits)
Passenger booking-code Claims, complaints
Employer, additional administrative data (cost center, office phone number, company e-mail, booking person) Travel agency details
Booking data (booking, ticket issue, scheduled departure-

arrival time)

Flight ticket data (Flight ticket number, issue date, single flight, tariff display) Status of passenger travel (Travel confirmation, Check-in status, no show flights)
Nationality Split and shared passenger data
Adress(es) Seat number, other seat information
Accompanying person Code-Sharing data
Age of children Number an name(s) of fellow travel- er(s) as part of passenger data
Other personal preferences for the journey Accompanying airport personnel on arrival/departure
Possibly gathered additional data (Advanced Passenger

Information Data)[4]

IP-addresses (Logfiles)
Type, number, issuing country, expiry date of identity documents End device data (device ID)
Nationality Browser used
Sex Usage behavior (website, mobile applications), sometimes through the use of cookies and similar technologies Browser used
Airline company
Day time of departure and arrival, airport of departure and arrival
Payment information (credit card details, including expiry dates, other information) including invoice address
Total route of travel
Driver license data
Frequent flyer data, Memberships Frequent Flyer Programs, Car Rental Memberships, Hotel Club – Memberships
Data of unaccompanied minors (under 18 years of age)
Languages, name and contact details of accompanying person at departure/arrival
Travel data Railway information:

ÖBB Card Nr.

ÖBB Austria Card Nr.

ÖAMTC Membership Nr.

DB Railcard

Booking class, Seat reservations

Place of arrival and departure, name of the service provider (e.g. airline, hotel, car rental company), other information required to complete the booking.
Specific information with regard to seating preferences, accessibility, meal requests, other services requested.  
14 Processed data from website visitors IP address of the requesting computer Internet page from which the access is made
Date and time of access Message whether retrieval was successful
Name and URL of the retrieved file Recognition data of the browser / operating system
Transferred amount of data  Logfiles
Retention Period / Deletion of data A transfer of this data does not take place. The data is only collected in the context of the visit to the website and deleted after 30 days at the latest.
15 Processed data from users of the mobile web applications Name Bookings, Booking data
E-Mail address Travel itinerary
Telephone number Data according to clause 14, insofar necessary to proceed with booking
Registration data
Retention Period / Deletion of data The legal basis for the processing of this data, which was voluntarily disclosed during registration, is the consent of the user. Otherwise, Art 6 b GDPR, the need for contract performance serves as the legal basis. The deletion of the data takes place as described in point 19.
16 External recipients of    data Receiver Data category
·         Service Provider


Service providers (by category)


Transportation companies (air, rail, bus, cab)

Hotel companies

Car rental companies

Marketing agencies

Gastronomy companies

Types of data according to pt. 12., if necessary for the provision of the contractual service (processing of reservations, issuance of tickets, credit card processing, travel-related services, etc.).
·         Ticket distribution systems – External booking platforms (GDS) AMADEUS IT GROUP, S.A. Calle Salvador de Madariaga, 1, 28027 Madrid Types of data according to pt. 12., if necessary for the provision of the contractual service (processing of reservations, issuance of tickets, credit card processing, travel-related services, etc.).
·         Affiliated companies



Unternehmensservice GmbH,

Europaplatz 1, 4020 Linz

Billing and accounting data, payment information
BTU Business Travel Unlimited GmbH (“BTU”)

Stella-Klein-Löw Weg 13,

1020 Wien

Types of data according to point 12 when taking over the processing of the contract at the customer’s request
·         Cost bearer


Employer or other sponsor of the traveler’s expenses Travel expenses

Service provider (hotel, transport company)

Travel dates (date, duration of the trip)

Name of the traveler

Profildata of traveler

– if necessary to fulfill contractual obligations towards the cost bearer as well as for the execution of the contract.

·         Social-Plug-ins, Analysetools, Cookies


Plausible – Analytics

Plausible Insights OÜ Västriku tn 2, 50403, Tartu, Estonia Registration number 14709274

Anonymized IP address, name of website, browser-specific information, information on website use

AX itself does not collect any personal data via “social plug-ins” and their use. However, it is possible that personal data about visitors to the AX website is collected via the plug-ins, transmitted to the respective service and linked to the visitor’s respective service. To prevent data from being transmitted to the service providers in the USA without the user’s knowledge, AX uses the so-called “Shariff solution” on its website. This has the effect that the plug-ins are initially only integrated as a graphic. The graphic contains a link to the website of the respective provider, and the user is only redirected to the provider’s service when he or she clicks on it. This prevents personal data from being automatically forwarded to the plug-in provider when the AX’s website is visited. Data can only be transmitted when the graphic is clicked. By clicking, the respective service provider receives the information that the user has visited the respective page of the AX’s online offering. You do not have to be logged in to the respective provider or have a user account for this. If you have such an account, the data collected by the plug-in provider can be directly assigned to your account there. We have no influence on whether and to what extent the service provider collects personal data. The scope, purpose and storage periods as well as the further processing and use of the data there are not known to us. This information and information on your data protection rights and setting options can be found in the data protection information directly from the website of the respective service


IP-address, URLs, cookies and data on browser settings


Meta Platforms Ireland Limited

4 Grand Canal Square

Grand Canal Harbour

Dublin 2, Irland


Twitter Inc., 1355 Market Street, Suite 900, San Francis- co, CA 94103, USA

Instagram Inc., 1601 Willow Road, Menlo Park, CA, 94025, USA;


Youtube LLC, headquarter in 901 Cherry Avenue, San Bruno, CA 94066, USA – represented by Google, Mountain View, CA 94043, Google Inc. headquarterd in 1600 Amphitheatre Parkway

17 External data recipients Categories of external commercial services providers
    Tax consultants/accountants
Banks and payment service providers, insurance companies
Collection agencies
Telecommunication providers
External accounting platforms; book ing agents
Airline companies
Car rental companies
Hotel business companies
Travel compensation companies
Authorities in connection with resi dence permits
IT-Service Providers, Web-Application Provider
Contact can be made with all group companies and commissioned

data processors via AX for all data protection queries.

18 Transfer to third countries (outside EU/EEA) “Social plug-ins”: The following data will be transmitted to countries outside the EU in the course of data processing after consent has been given or the graphic button of the service provider has been clicked (item 14):
  Country Application Types of data
  USA Twitter, Youtube, Instagram, Facebook Social plug-ins and Pixel: IP address, name of website, browser-specific information,

information on website use with opt-in / Shariff – Solution acc. Clause 17

Data processing to third states outside EU (Data transfer to service providers, external international booking platforms – GDS) due to request of global travel management will. Data transfers will only take according to the regulations stated in Chapter V GDPR, eg necessity to perform the contractual requirement or otherwise suitable guarantees have been provided to ensure data protection (e.g., conclusion of standard data protection clauses) are fulfilled.

However, the recipients of the data may be located in countries where the level of data protection guaranteed by law may be lower and the ability to enforce data subjects’ rights may be limited.

19 Hyperlinks to other Websites


Our website also contains so-called hyperlinks to websites of other providers. When activating hyperlinks, you will be redirected from our website directly to the website(s) of other providers. You will recognize this by the change of URL. We cannot accept any responsibility for the confidential handling of your data on these third-party websites, as we have no influence on whether these companies comply with data protection regulations. Please refer to the websites of the other providers for more information.
20 Retention period Due to the legal bases mentioned above, AX generally continues to process guest data for an additional 40 months following the end of the agreement (= 36 months for potential contractual damage claims + max. 4 months to file suit) in a manner which is personally identifiable, and thereafter deletes the data (or at least the data which allows reference to be drawn to the data subject’s identity). Personally-identifiable processing of invoice data is then performed until the statutory retention, Termination of the contract shall be deemed to be termination of the contract for cooperation with the customer. The contractual relationship shall also be deemed terminated if a customer has not used the services of AX for the persons covered by the contract for more than 2 years.
21 Data subject rights Legal basis Content
Art. 15 GDPR “Right of      access” The customer has the right to obtain confirma tion as to whether their personal data is being processed.
Art. 16 GDPR “Right to Rectification” The customer has the right to have inaccurate or incomplete personal data rectified.
Art. 17 GDPR “Right to erasure” The customer has the right to demand the erasure of personal data without undue delay

where one of the grounds stated under Art. 17 Para. 1 GDPR applies.

Art. 18 GDPR “the right to restrict processing” The customer has the right to demand that the processing of personal data is restricted where one of the grounds stated under Art. 18 Para. 1 GDPR applies.
Art 21 GDPR “the right to object” Objecting to profiling: the customer has the right to lodge an objection at any time to the processing of their personal data for the purposes of profiling.

Objecting to direct advertisement: the customer has the right to lodge an objection at any time to the processing of their personal data for the purposes of direct advertisement.

Art 20 GDPR “the right to data portability” The customer has the right to receive their

personal data in a structured, commonly used and machine-readable format.

22 Right to lodge a com plaint Art 77 DSGVO

§ 24 DSG

Every customer has the right to lodge a com- plaint with a supervisory authority if they con- sider that the processing of personal data relating to them infringes this regulation.
23 Supervisory authority Austrian Data Protection Authority

Barichgasse 40-42, 1030 Vienna, Austria

Telephone: +43 1 52 152-0 Email:


24 Status December 2022
Notice to GBT Business and Meetings & Events Travelers: For employees, travelers, meeting participants of a corporate customer of American Ex-press Global Business Travel (GBT), AX acts as a processor of GBT with regard to the processing of personal data. The present data protection information is not applicable to this group of persons; the processing of personal data is subject to the data protection declaration of GBT Data subject rights are to be exercised vis-à-vis GBT as the responsible party under the contact details stated there.
NOTICE: This Data Protection Information is a translation of the German Data Protection Information of BTU into English language. In the event of interpretation difficulties, misunderstandings or loopholes, etc., the current German version of the GTC shall take precedence.

[1]Any references to natural persons within this data protection policy which are only provided in the male form relate equally to both women and men. The gender-specific form is to be used when referring to specific natural persons. Customers refer to both consumers and entrepreneurs.

[2] In these cases the data subject or controller demonstrably, commissions AX to forward the travel data to distinct, given third parties and/or to use distinct tools for fulfilling the agreement.

[3] Direct advertisement is any direct addressing of data subjects for advertising purposes, such as for sending letters or brochures, as well as telephone calls or electronic messages

[4] Advance Passenger information data will only be gathered if necessary because of special immigration regulations (e.g. immigration USA).

PDF to download