Notes on data protection

II. Personal Data, Purposes of Processing, and Legal Bases

 

Personal data refers to all information that relates to an identified or identifiable natural person (hereinafter referred to as "data subject"). An identifiable natural person is one who can be identified directly or indirectly, particularly by reference to an identifier such as a name, an identification number, location data, an online identifier, or one or more specific characteristics that express the identity of that natural person.

 

Personal data is processed on our website when it is necessary for the following purposes:

 

• Based on your request and granted consent (Legal basis: Article 6(1)(a) of the General Data Protection Regulation - hereinafter referred to as GDPR),
• For the use of the website (Legal basis: Article 6(1)(b) GDPR),
• To safeguard our interest in improving user experience, promoting our services, and maintaining usage security (Legal basis: Article 6(1)(f) GDPR),
• For the use of services offered on the website, as well as for pre-contractual measures, especially for your inquiries (Legal basis: Article 6(1)(a) and/or Article 6(1)(b) GDPR),
• For the conclusion and performance of a contract (Legal basis: Article 6(1)(b) GDPR) and/or
• To fulfill a legal obligation to which we are subject (such as tax requirements and retention obligations, Legal basis: Article 6(1)(c) GDPR).

 

For further details regarding data processing, please refer to the respective headings below:

 

 

1. Access Data/Server Logfiles

 

When you visit our website, the servers of our website host automatically store the information that your browser sends, known as server logfiles. The information includes the following:

 

• Referrer (previously visited webpage)
• Requested webpage or file
• Browser type and version
• Operating system used
• Device type used
• Time of access
• IP address in anonymized form (used solely to determine the location of access)

 

The temporary processing of this data by the system is necessary to enable the delivery of the website to your device. For this purpose, the IP address must be processed in particular. There is no merging of this data with other data sources. The information is used solely to control the website traffic and to maintain the technical operation of the servers and the network of our host, including abuse prevention. The legal basis for this is Article 6(1)(f) GDPR. For more information, please refer to the website of our host.

 

 

2. Cookies

 

Our website partly uses so-called cookies or other technologies, especially those that are absolutely necessary or functional cookies, to provide you with the accessed website and its functions, § 25(2) Clause 2 Telecommunications and Telemedia Data Protection Act (TTDSG), Article 6(1)(f) GDPR.

 

If you give consent for optional services and non-essential cookies, the legal basis is § 25(1) TTDSG, Article 6(1)(a) GDPR (consent). You can find additional information regarding these cookies and services in our implemented consent management tool, and you can revoke consents at any time without disadvantage. You can change your settings at any time using the icon at the bottom left. However, please note that our website may not function as intended without the use of these cookies.

 

Furthermore, most browsers offer an option to restrict or prevent the storage of cookies. However, please be aware that the usage and especially the user experience may be limited without cookies.

 

Instructions for common browsers:

 

Mozilla Firefox: https://support.mozilla.org/de/kb/Cookies-blockieren   

Google Chrome: https://support.google.com/accounts/answer/61416?hl=de   

Apple Safari: https://support.apple.com/de-at/HT201265   

Microsoft Edge: https://support.microsoft.com/de-de/help/4468242/microsoft-edge-browsing-data-and-privacy-microsoft-privacy   

 

 

3. Contact via Email, Forms, or Other Means

 

If you send us inquiries via email, form submissions (booking/reservation tools), or other means, the information you provide, including the data you provide there, will be processed for the purpose of handling the inquiry and possibly for follow-up questions. The legal basis for this is Article 6(1)(b) GDPR.

 

 

4. Integration of Third-Party Services and Content

 

It is possible that within our online offerings, content from third parties from other websites may be integrated. This always requires the providers of this content (hereinafter referred to as "third-party providers") to perceive the IP address of the users. Because without the IP address, they could not send the content to the respective user's browser. The IP address is therefore necessary for the display of this content. We strive to only use content from providers who use the IP address solely for the purpose of delivering the content. Third-party providers may store the IP address, for example, for statistical purposes.

 

We partially integrate the following services and content from third parties, for which you can also view additional service providers and information in our consent tool (icon at the bottom left) and revoke consents:

 

Consentmanager

For managing your possible consents, we use the consent tool of consentmanager AB, Håltegelvägen 1b, 72348 Västerås. You can find the data protection information there: https://www.consentmanager.net/datenschutz/

 

For this purpose, the following categories of data may be processed for the verifiability of your possible consent: timestamp, IP address, user agent, language, visited website, timezone.

 

The legal basis is our legitimate interest in the option of consent management, Article 6(1)(f) GDPR

 

 

AddEvent

AddEvent is an "Add to Calendar" service and registration platform provided by AddEvent, Inc., 400 Concar Drive, San Mateo, CA 94402. Through the platform and tools, organizers can provide easily accessible tools to their customers for adding events to their calendars and registering for events. For more information on privacy, please visit: https://www.addevent.com/privacy

 

The legal basis is Article 6(1)(a) GDPR (consent) and possibly pre-contractual measures, Article 6(1)(b) GDPR.

 

 

Google Web Fonts / Adobe Typekit

Our website uses so-called web fonts provided by Google and Adobe for a consistent display of fonts. In the case of Google, it is Google LLC, 1600 Amphitheatre Parkway Mountain View, CA 94043, USA, and its affiliated companies. For users who have their habitual residence in the European Economic Area or Switzerland, Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, EU, is responsible for Google services. Therefore, Google Ireland Limited is the affiliated company of Google LLC that provides the services and also complies with the GDPR.

 

With "Adobe," it refers to Adobe Inc. More information: https://www.adobe.com/de/. If your residence is outside of North America, Adobe Systems Software Ireland Limited (Adobe Ireland) is responsible for processing personal data collected by Adobe and also complies with the GDPR.

 

When a page is loaded, your browser loads the necessary web fonts into your browser cache to correctly display texts and fonts. If your browser does not support web fonts, a default font will be used on your device. Further information on Google Web Fonts can be found here: https://developers.google.com/fonts/faq and in Google's Privacy Policy: https://policies.google.com/privacy

 

Further information on Adobe Fonts and the Typekit service can be found here: https://www.adobe.com/de/privacy/policies/adobe-fonts.html / https://www.adobe.com/de/privacy/policy.html

 

The legal basis is Article 6(1)(a) GDPR (consent).

 

 

Google Tag Manager

This website uses the Google Tag Manager provided by Google (as mentioned above). The Google Tag Manager is a solution that allows us to manage so-called tags through an interface. The tool triggers other tags that also collect data within the scope of this privacy policy. The Google Tag Manager does not access this data. The anonymization of the IP address is done within the Google Tag Manager through an internal setting. It is not visible in the source code of this page. Further information can be found here: https://www.google.com/intl/de/tagmanager/use-policy.html / https://policies.google.com/privacy?hl=de&gl=de

 

The legal basis is Article 6(1)(f) GDPR (legitimate interest).

 

 

Google Ads

Google Ads is a service provided by Google (as mentioned above). Privacy policy: https://policies.google.com/privacy.

 

Google Ads allows us to measure our advertising measures and their effectiveness. The following data is processed for this purpose: click path; visibility of ads; mouse movement; timestamp; clicks on ads; conversion tracking; IP address; time and date; user location; visitor behavior; user agent; language; visited website; timezone.

 

The legal basis is Article 6(1)(a) GDPR (consent).

 

 

Google Analytics

This website uses features of the web analytics service Google Analytics provided by Google (as mentioned above).

 

The legal basis is Article 6(1)(a) GDPR (consent).

 

Google Analytics uses so-called "cookies" in part, as mentioned above. These are data records that are stored on your computer and allow an analysis of the use of the website. The information generated by the cookie about your use of this website is usually transferred to a Google server and stored there.

 

We use the version "Google Analytics 4". Google Analytics 4 allows privacy-friendly data collection even without cookies or other "identifiers". To the extent possible, we have made corresponding settings.

 

Furthermore, Google Analytics 4 anonymizes the IP address by default. By activating IP anonymization on this website, your IP address will be truncated by Google within member states of the European Union or other contracting parties to the Agreement on the European Economic Area before transmission.

 

The collected information is used to evaluate your use of the website, compile reports on website activity, and provide other services related to website and internet usage to the website operator. The IP address transmitted by your browser as part of Google Analytics will not be merged with other Google data.

 

Google Analytics is only used based on your previously given consent. This is voluntary and can be revoked at any time (see below for the rights of data subjects).

 

You can change your settings at any time on our website for this purpose and also contact us. You can also prevent the storage of cookies by adjusting your browser software accordingly.

 

You can also prevent the collection of data generated by the cookie and related to your use of the website (including your IP address) to Google, as well as the processing of this data by Google, by downloading and installing the browser plugin available under the following link: Install Browser Plugin: https://tools.google.com/dlpage/gaoptout?hl=de

 

You can also prevent the collection by Google Analytics 4 by deactivating it in the Consent Tool.

 

Further information on terms of use and privacy for Google Analytics can be found at https://marketingplatform.google.com/about/analytics/terms/de/ and at https://policies.google.com/?hl=de&gl=de as well as https://support.google.com/analytics/answer/9019185?hl=de#zippy=%2Cthemen-in-diesem-artikel

 

Additionally, we refer to the following information from Google: https://policies.google.com/privacy/frameworks?hl=de and https://support.google.com/adspolicy/answer/10042247?hl=de as well as https://support.google.com/analytics/answer/6004245

 

 

fontawesome.com

We use Font Awesome Icons from Fonticons, Inc., 710 Blackhorn Drive, Carl Junction, MO, 64834. These are libraries with free and paid icons. Privacy policy: https://fontawesome.com/privacy

 

By using the icons, we can process the following categories of data to evaluate our website and marketing measures: measure ad visibility; timestamp; track clicks on ads; IP address; user location; user agent; language; visited website; timezone.

 

The legal basis is Article 6(1)(a) GDPR (consent).

 

 

Content Delivery Network (CDN)

We use the CDN jesDelivr provided by Prospect One, Krolewska 65a, Krakow, Malopolskie 30-081, PL (Privacy Policy: https://www.jsdelivr.com/terms/privacy-policy-jsdelivr-net).

 

A Content Delivery Network, or Content Distribution Network, is a network of regionally distributed servers connected via the internet, used to deliver content – especially large media files. This allows us to display our content faster and more reliably on our website and optimize our marketing measures.

 

The following categories of data are processed:

Timestamp; IP address; timezone; time and date; user location; visitor behavior; user agent; language; visited website; timezone

 

The legal basis is Article 6(1)(a) GDPR (consent).

 

 

Microsoft Advertising / Bing Ads

We use Microsoft Advertising / Bing Ads as a marketing measure. These are provided to us by Microsoft Way, Redmond, WA 98052 (Privacy Policy: https://privacy.microsoft.com/en-us/privacystatement )

 

In this context, we process the following data:

Click path; ad visibility; mouse movement; timestamp; clicks on ads; conversion tracking; IP addresses; user device; visitor behavior; user agent; language; visited website; timezone

 

The legal basis is Article 6(1)(a) GDPR (consent).

 

 

MyHotel Shop

We use the Myhotelshop tool from myhotelshop GmbH, Floßplatz 6, 04107 Leipzig. Myhotelsop is an online marketing system for hotels.

Privacy policy: https://www.myhotelshop.com/site-policy

 

With this tool, we can process the following data:

Timestamp; conversion tracking; IP address; user agent; language; visited website; timezone

 

The legal basis is Article 6(1)(a) GDPR (consent).

 

 

Contao

We use functional cookies for our website.

 

This serves to protect against cross-site request forgery attacks (csrf_https-contao_csrf_token).

Retains the user's states for all page requests (PHPSESSID).

 

The legal basis is Article 6(1)(f) GDPR (legitimate interest).

 

 

Booking Tool

The booking functionality on our website is provided by TourOnline AG, Borsigstraße 26, 73249 Wernau, Germany (www.dirs21.de). Privacy policy: https://www.dirs21.de/disclaimer/

In this context, technically necessary information (IP address) as well as the information you provide about your desired booking are processed. The legal basis is Article 6(1)(b) GDPR, as well as our legitimate interest in offering our users a booking tool.

 

III. Recipients of Personal Data and Transfers to Third Countries

 

Personal data is disclosed to the following categories of recipients:

 

Our employees and our data processors to the extent necessary, especially the host of our website IONOS SE, as well as individual named service providers if used on the website, see above under II. 4.

 

Furthermore, your personal data will not be shared with third parties without your explicit consent, unless we are legally obligated to do so or the data transfer is essential for the execution of a contractual relationship.

 

We process personal data in a third country (i.e., outside the European Union (EU) or the European Economic Area (EEA)) if it is necessary for the fulfillment of our (pre)contractual obligations, based on your consent, due to a legal obligation, or based on our legitimate interests. The same applies to processing by third parties on our behalf, the disclosure of your personal data to third parties, and their transfer to third parties. Service providers that process personal data on our behalf in a third country are also only used if there is an "adequacy decision" of the European Commission (Article 45 GDPR) for that third country, "appropriate safeguards" (Article 46 GDPR), or "binding corporate rules" (Article 47 GDPR) in place at the recipient. General information on adequacy decisions can be found at https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/adequacy-protection-personal-data-non-eu-countries_de, on appropriate safeguards at https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/model-contracts-transfer-personal-data-third-countries_de, and on binding corporate rules at https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/binding-corporate-rules_de. For further information, you can contact us.

 

IV. Duration of Storage

 

We delete personal data after the purpose has been achieved, the legal basis has ceased, or in the absence of a retention obligation.

 

Stored server log files and IP addresses are automatically deleted no later than eight weeks.

 

Session cookies are automatically deleted after the session ends. In addition, cookies with an expiration date on your device are stored, and you also have control over the use and deletion of cookies, as mentioned above.

 

Personal data from your inquiries via email or form inquiries or inquiries through other means are processed until your request is fully processed and resolved. After that, the information will be deleted. However, please note that due to a contractual relationship with you, certain data may be subject to commercial and tax retention obligations of at least six (§ 257 HGB) or ten (§147 AO) years, which may also apply to the content of contact inquiries and emails.

 

Furthermore, in relation to all tools used, a yearly review is conducted to determine if data can be deleted. This occurs when the purpose of processing and the prerequisites of the legal basis for processing have ceased, and no legal obligation for retention exists anymore.

 

V. Provision of Personal Data and Rights of Data Subjects

 

You are not legally obligated to provide personal data. However, providing data may be necessary for contract completion or website functionality. Failure to provide data may result in the inability to offer a contract or a function on the website. There is no automated decision-making on the website; profiling does not occur on our website. If you have given consent, an evaluation of usage may occur, as mentioned above, along with the Consent Tool.

 

The rights of data subjects arise, in particular, from Articles 15 to 23 and Article 77 of the GDPR, as well as from §§ 32 to 37 of the Federal Data Protection Act (new).

 

You have the right, under the statutory conditions, to the following concerning your personal data:

 

• Information, Article 15 of the GDPR,
• Rectification, Article 16 of the GDPR,
• Erasure, Article 17 of the GDPR,
• Restriction of Processing, Article 18 of the GDPR,
• Portability, Article 20 of the GDPR.

 

If you have given consent for the processing of personal data, you have the right of

 

• Withdrawal, Article 7 of the GDPR,

 

which will apply for the future.

 

You also have the right to

 

• Object, Article 21 of the GDPR

 

to the processing of personal data. Further information can be found separately under VI.

 

Please direct all inquiries, requests, and communications to us, as mentioned above under I.

 

If you believe that the processing of your personal data violates data protection law, you always have the

 

• Right to Lodge a Complaint

 

with the competent supervisory authority, in accordance with Article 77 of the GDPR. Without prejudice to any other administrative or judicial remedy, this right to lodge a complaint with a supervisory authority, particularly in the Member State of your residence, workplace, or the place of the alleged violation, is available to you if you believe that the processing of your personal data violates the GDPR.

 

The contact details of data protection officers in the federal states, supervisory authorities for the non-public sector, broadcasting, churches, in Europe, and abroad, as well as the Virtual Data Protection Office, can be found here: https://www.bfdi.bund.de/DE/Infothek/Anschriften_Links/anschriften_links-node.html

 

The supervisory authority responsible for us is the State Commissioner for Data Protection and Freedom of Information North Rhine-Westphalia, Kavalleriestraße 2-4, 40213 Düsseldorf.

 

VI. Information about the Right to Object according to Article 21 GDPR

 

1. You have the right to object at any time, for reasons arising from your particular situation, to the processing of personal data concerning you based on Article 6(1)(f) GDPR (processing for the purposes of legitimate interests).

 

If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights, and freedoms, or the processing serves the assertion, exercise, or defense of legal claims.

 

2. If personal data is processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for the purposes of such advertising. If you object to processing for direct marketing purposes, we will no longer process your personal data for these purposes.

 

The objection can be made in any form and should ideally be directed to us, as mentioned above under I.