Privacy statement

Information on data protection

On this page, you will find information on data protection in connection with our online offer, particularly regarding the personal data that is regularly collected when visiting our website or in response to specific requests. We will also provide you with information regarding the purpose of the respective data processing and the legal basis for it, as well as the rights conceded to you in this regard as a visitor to the website.
We have tried to keep the explanations as clear as possible and will be happy to answer your queries. You will find the appropriate contact details at the end of this document.

Note: If terms such as “controller”, “data subject”, “personal data”, “processing”, etc. appear hereinafter, we use the definitions from Article 4 of the European General Data Protection Regulation (EU GDPR) at these points. You can find the text of the EU GDPR here, for example: https://eur-lex.europa.eu/legal-content/DE/ALL/?uri=CELEX:02016R0679-20160504.

 

Processing of personal data

We wish to use our online offer to inform you about our services and offers and to make it possible for you to easily contact us or take up our services. Insofar as we process personal data within the framework of our online offer, this will also be done beyond the scope of this core purpose for the purposes stated in each case in this privacy statement.

Calling up our online offer
In order to be able to transmit the contents of our online offer (e.g. images, text, documents) that you have requested to your computer, we will record the IP address assigned to your computer at the time of retrieval. The legal basis for this processing is Article 6.1(b) of the GDPR. We also use these data to safeguard against improper use and prosecute related offences and in this respect refer to Article 6.1 (f) (Our legitimate interest in this case: Ensuring proper data processing and the availability of our online offer).

Other purposes
If you provide us with personal data (names, addresses, contact details) within the scope of a query, booking or order, these will be processed exclusively for the processing of this request, the issuing of an offer requested by you or for the settlement of a resulting contractual relationship. The legal basis for this processing is therefore Article 6.1 (b) of the GDPR. Without having and processing these data, it is not possible to process your query, booking or order. Nevertheless, if the processing of your data in individual cases is based on consent (Article 6.1 (a) of the GDPR), you can revoke this consent at any time. However, this does not affect the legality of the processing up to the point of revocation.

Passing on to third parties

If we disclose your personal data to other persons and companies (processors or third parties) in the course of processing, transfer data to them or otherwise grant access to these data, this will in any case only be based on legal permission. This may result from contractual fulfilment (Article 6.1 (b) of the GDPR), consent granted by you (Article 6.1 (a) of the GDPR), a legal obligation (Article 6.1 (c) of the GDPR) or our legitimate interests (Article 6.1 (f) of the GDPR). This may involve, for example, service providers in the areas of web-hosting, email marketing, software development or customer service/order processing.

If we commission third parties to process your personal data, this is always done on the basis of a corresponding contract or order processing pursuant to Article 28 of the GDPR. We select service providers carefully and regularly check that these partners are complying with data protection. When transmitting data, we take precautions to exclude the possibility of anyone other than contractually bound service providers receiving knowledge of your personal data. The service providers we commission are obligated by the order processing contract to process your data exclusively in accordance with our instructions and the data protection standards as applicable. In addition, they are prohibited from processing the data for purposes other than those agreed.

We do not sell your data to third parties or market them in any other way.

If it is necessary to investigate the illegal use of our online offer or to prosecute, we will pass on your personal data to law enforcement authorities and, if necessary, to injured third parties, even without your explicit consent, provided that there are specific indications of unlawful or abusive behaviour. The data may also be passed on if this is used to enforce the Terms of Use or other agreements. In addition, we are obliged by law to provide information to certain public offices on request. These are law enforcement agencies, authorities prosecuting fines and the tax authorities. In these cases, your data are passed on, on the basis of our legitimate interest in combating misuse, prosecuting offences and securing, asserting and enforcing claims (Article 6.1 (f) of the GDPR) or to fulfil a corresponding legal obligation (Article 6.1 (c) of the GDPR).

Transmission to third countries
If we process data in a third country (i.e. outside of the European Union or European Economic Area), or use them as part of using services from third parties or data is disclosed/transmitted to third parties, we ensure that this only occurs within the framework of the aforementioned legal authorisations, i.e. generally, for the fulfilment of (pre-)contractual duties, based on your consent, due to a legal obligation or on the basis of our legitimate interest.  In addition, we ensure that we only process your data in a third country if particular prerequisites pursuant to Article 44 et seq. of the GDPR are met, i.e. in particular, on the basis of particular guarantees, such as determining a data protection level in line with that of the European Union. This also includes compliance with officially recognised contractual obligations (standard contractual clauses of the European Union).

 

Data processing security

We put in place technical and organisational security measures in order to protect the personal data you provide from accidental or intentional manipulation, loss, destruction or unauthorised access by third parties. We also require these precautions on a contractual basis from our service providers who have or may come into contact with personal data. If you have the option of communicating personal data within the context of our online offer (contact form, or similar), the data are transmitted with the use of strong encryption.

 

Time limits for the deletion of data

We routinely delete personal data when time limits for retention requirements set by law expire. If your personal data are unaffected by this, they are deleted or anonymised if the purposes named within the context of this privacy statement cease to exist. If this privacy statement does not contain any other, contrary terms regarding the storage of data, the data we collect are stored for as long as necessary for the purposes for which it was collected.

 

Identification and prosecution of misuse

We hold information for identifying misuse and for prosecuting misuse, particularly the IP address recorded when retrieving information from our online offer, for a maximum of 7 days. The legal basis for this is Article 6.1 (f) of the GDPR. Our legitimate interest lies in the smooth operation of our online offer, as well as defence against misuse or attacks on our online offer.

 

Foregoing automated decision making or profiling

We forego profiling and do not carry out any kind of automated decision making.

 

Use of cookies

It is possible that we will use cookies in some areas in order to make our online presence user-friendly for you and to align it perfectly with your needs. “Cookies” denotes small files stored on the user’s computer when using our online offer. Various information can be stored within the cookies; primarily, it helps us to store the information about a user (or the device on which the cookie is stored) during or even after their visit to an online offer.
Temporary cookies (session cookies) are generally of crucial importance for the functioning of our website. This is, for example, the assignment of anonymous session IDs to bundle multiple queries to a web server or the error-free function of registrations and orders. These temporary cookies are automatically deleted at the end of your visit. Other (persistent) cookies remain stored on your terminal until you delete them. These cookies make it possible for us to recognise your browser the next time you visit.
You can configure your browser in such a way that you are informed about the placement of cookies and only allow cookies on a case-by-case basis, can preclude the acceptance of cookies for certain cases or generally and activate the automatic deletion of cookies when closing the browser. The functionality of this website may be restricted by deactivating cookies.
Cookies required for the provision of certain functions (e.g. basket function) are stored on the basis of Article 6.1 (f) of the GDPR.  As the provider of these functions, we have a legitimate interest in the storage of these cookies for the technically correct, optimum provision of our services. If other cookies (e.g. cookies for analysing your surfing behaviour) are stored, they will be indicated separately in a different part of this privacy statement.
If you do not wish for cookies to be stored on your computer, you can deactivate the appropriate option in your browser’s system settings. Cookies already stored can be deleted in the browser’s system settings. Irrespective of this, you can also generally file an objection against the use of cookies for direct marketing and any potential associated tracking on sites such as, for example,
http://www.aboutads.info/choices/ (USA) or
http://www.youronlinechoices.com/.

 

Your rights with regard to the processing of personal data

Right to information

You have the right to request information as to whether we process personal data about you. If that is the case, you have the right, pursuant to Article 15.1 of the GDPR, to be provided with information about

  • the purposes of the processing;
  • the categories of personal data processed;
  • the recipients or categories of recipients to whom the personal data were disclosed or are still disclosed, particularly in the case of recipients in third countries or international organisations;
  • if possible, the planned duration for which the personal data is stored or, if this is not possible, the criteria for setting this duration;
  • the existence of a right to correction or deletion of the personal data concerning you or to restriction of the processing by the controller or a right to opt out of this processing;
  • the existence of a right to make a complaint to a regulatory authority;
  • if the personal data were not collected from you, all available information about the origin of the data;
  • the existence of automated decision making, including profiling, pursuant to Article 22.1 and 22.4 of the GDPR and – at least in these cases – meaningful information about the rationale involved, as well as the implications and the intended effects of this kind of processing for you as the data subject.

We must provide this information within a month of receiving your request. Please note that we may require proof of your identity in order to be able to fulfil this request.

Right to correction of inaccurate data
Should the personal data relating to you be inaccurate, you have a right to this being corrected by us without delay (Article 16 of the GDPR).

Right to deletion
Under certain conditions, you have a right to the immediate deletion of the personal data relating to you. This is the case, for example, if the personal data are no longer needed for the purposes for which they were originally collected, you have revoked the necessary consent for the processing or a legal basis necessary for the processing does not exist for other reasons. Insofar as you have objected to the processing and there are no primary reasons for the processing of your personal data, the data must also be deleted. In the case of direct advertising, the data must be deleted in every case if you have objected to the processing. Article 17 of the GDPR gives further details.

Right to restrict processing
Under certain conditions, you have a right to restrict the processing of the personal data relating to you (Article 18 of the GDPR). This is the case, for example, if the processing by us is not lawful but you decline deletion of the data and request to restrict its use instead. The processing must also be restricted while we check your objection as to whether our legitimate reasons for the processing outweigh yours.

Right to data portability
Article 20 of the GDPR gives you the right to receive the data relating to you that you have provided to us in a common, structured and machine-readable format or to transfer these to another responsible entity, for example another service provider. However, this presupposes that the processing of these data is based on consent or a contract and is carried out using automated procedures.

Right to object
Pursuant to Article 21 of the GDPR, you have the right, for reasons arising from your particular situation, to file an objection at any time to the processing of the personal data relating to you on the basis of Article 6.1 (e) or (f) of the GDPR. This also applies to profiling based on these provisions. In this case, we will stop processing the data if we are unable to provide evidence of compelling, legitimate reasons for the processing, which outweigh your interests, rights and freedoms or if the processing serves the purposes of asserting, exercising or defending legal claims.

You can assert all the aforementioned rights by post or email addressed to us. You will find the appropriate contact details at the end of this document.

Right to make a complaint to a regulatory authority

You have the option of contacting a regulatory authority if you have concerns or concrete complaints with regard to the processing of your personal data that we are carrying out. For example, you can contact the regulatory authority relevant to us:

Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen
(State Commissioner for the Protection of Data and Freedom of Information of North Rhine-Westphalia)
Postfach 20 04 44
40102 Düsseldorf
Germany
Tel: +49 (0)211/38424-0
Fax: +49 (0)211/38424-10
E-Mail: poststelle@ldi.nrw.de

 

External payment service providers

We use the external payment service Wirecard (Wirecard AG, Einsteinring 35, 85609 Aschheim, Germany, Imprint: https://www.wirecard.com/imprint/). You can find Wirecard’s privacy policy here: https://www.wirecard.com/privacy-protection/

Within the scope of fulfilling contracts, we use the payment service provider on the basis of Article 6.1 (b) of the GDPR. Furthermore, we use external payment service providers on the basis of our legitimate interests pursuant to Article 6.1 (b) of the GDPR in order to offer our users effective and secure payment options.

Amongst the data processed by the payment service providers are inventory data, e.g. the name and the address, bank data, such as, for example, account numbers or credit card numbers, passwords, TANs and checksums, as well as information regarding the contract, sums and recipient. The information is needed to carry out the transaction. The data submitted are, however, only processed and stored by the payment service provider. In other words, we do not receive any information regarding accounts or credit cards but just information that the payment has been approved or declined. These data may possibly be transmitted to credit agencies by the payment service provider. The purpose of this transmission is to carry out an identity and credit check. We refer you to the Terms and Conditions and privacy notice of the payment service provider in this regard.

The Terms and Conditions and privacy notice of the relevant payment service provider apply for payment transactions; these can be retrieved from the relevant websites or transaction applications. We also refer you to these for further information and assertion of rights of revocation, information and other data subject rights.

 

Data processing for travel booking

We make downloadable forms available to you on our website, with which you can communicate personal data to us for making use of services. The processing of these data is required to draw up quotes or to fulfil a contract (e.g. flight bookings) and is therefore based on Article 6.1 (b) of the GDPR.  The data transmitted are deleted as soon as the processing ceases to be necessary and there are no contradictory legal retention requirements regarding the deletion.

 

Contact

When making contact with us (e.g. by contact form, email, phone or via social media), personal data you have transmitted are processed in order to process your contact request and the response to it, pursuant to Article 6.1 (b) of the GDPR.
These personal data are not passed on to third parties unless this is required to process the request and is therefore covered by the authorisation according to Article 6.1 (b) of the GDPR.
We delete the requests if the processing is no longer required. We check the requirement every two years; furthermore, the legal archiving obligations apply.

 

Hosting

We make use of hosting services from an external provider in order to provide this online offer. In doing so, we or our hosting provider process inventory data, contact data, content data, contract data, usage data, meta and communication data from clients, prospective clients and visitors to this online offer on the basis of our legitimate interest in the efficient and secure provision of this online offer pursuant to Article 6.1 (f) of the GDPR.
We have concluded an agreement regarding order processing with the relevant provider pursuant to Article 28 of the GDPR and therefore guarantee that data protection is also practised by the provider.

 

Collection of access data and logfile

We or the hosting provider collect reports and statistics each time the server on which our online offer is provided is accessed. These access data include the name of the website viewed, data file, date and time of the visit, data volume transferred, report from a successful visit, browser type plus version, the user’s operating system, referrer URL (the site you previously visited), IP address and the provider making the request. The legal basis for this processing is Article 6.1 (f) of the GDPR. Our legitimate interest resides in the technically correct provision of this online offer, as well as the investigation of misuse or offences.

For security reasons (e.g. for investigating misuse or acts of fraud), the aforementioned information is stored for a maximum of 7 days and subsequently deleted or entirely anonymised. Data, the further retention of which is required for evidential purposes, shall be exempted from deletion until final clarification of the relevant incident.

 

Integration of third-party services and content

Within our online offer, we use content or service offers from third-party providers in order to integrate their content and services, such as, for example, videos or fonts. This always requires the IP address of visitors to our website to be transmitted to these third-party providers, as they could not send the content to their browser without the IP address. The IP address is therefore required to display this content. The legal basis for this transmission is our legitimate interest in the analysis, optimisation and cost-effective operation of our online offer in the sense of Article 6.1 (f) of the GDPR.
We endeavour to only use content, the respective providers of which use the IP address solely for the delivery of the content. Depending on the offer, third-party providers may use so-called pixel tags (invisible graphics) for statistical or marketing purposes. Using these “pixel tags” means that usage information regarding our online offer is also inevitably transmitted to the third-party provider. The pseudonymous information may also be stored in cookies on the device you have used. Among other things, these cookies may contain technical information about the browser and operating system, referring websites, visiting time, as well as other information about the use of our online offer, as well as third-party information from such other sources.

 

Google Fonts

For the uniform presentation of fonts, we use so-called Web Fonts, specifically fonts from the provider Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (“Google Fonts”). When visiting a site, your browser loads the necessary Web Fonts from Google’s servers into your browser cache, in order to display text and fonts correctly.
For this purpose, the browser you are using must connect to Google’s servers, thereby transmitting your IP address to Google. The use of Google Web Fonts takes place on the basis of our legitimate interest in the uniform and appealing presentation of our online offers in the sense of Article 6.1 (f) of the GDPR. If your browser doesn’t support Web Fonts, a default font from your computer is used.
You can find further information about Google Web Fonts at https://developers.google.com/fonts/faq and in Google’s privacy statement: https://www.google.com/policies/privacy/. Opt-out option: https://adssettings.google.com/authenticated.

 

Controller

Peter Straub
Poststraße 23
83435 Bad Reichenhall
Germany
Tel +49 (0)228/18087878
Fax +49 (0)228/18087879
Email info@travelman.de

Imprint: https://www.travelman.de/impressum

This privacy notice is valid as at 25 May 2018.