Data Protection Statement
Center Smart Tourism GmbH
c/o S u. K Asset Management GbR
Represented by the Managing Director: Danel Issengeldina
Status: July 2019
- Basic Information on Data Processing and Legal Bases
1.2 The terms used, such as “personal data” or their “processing” refer to the definitions in Art. 4 of the Data Protection Basic Regulation (DSGVO).
1.3 The personal user data processed within the scope of this online offer include inventory data (e.g. names and addresses of customers), contract data (e.g. services used, names of clerks, payment information), usage data (e.g. websites visited on our online offer, interest in our products) and content data (e.g. entries in the contact form).
1.4 The term “user” covers all categories of persons affected by data processing. These include our business partners, customers, interested parties and other visitors to our online services. The terms used, such as “user” for example, are to be understood gender-neutrally.
1.5 We process personal user data only in compliance with the relevant data protection regulations. That means, the data of the users are processed only with existence of a legal permission. I.e., in particular if the data processing is necessary for the provision of our contractual services (e.g. processing of orders) as well as online services, or is legally prescribed, a consent of the users, as well as due to our legitimate interests (i.e. interest in the analysis, optimization and economic operation and security of our online services within the meaning of Art. 6 Para. 1 lit. f. of the German Data Protection Act). DSGVO, in particular for range measurement, the creation of profiles for advertising and marketing purposes as well as the collection of access data and the use of third-party services.
1.6 We point out that the legal basis for the consents Art. 6 para. 1 lit. a. and Art. 7 DSGVO, the legal basis for the processing to fulfill our services and implementation of contractual measures Art. 6 para. 1 lit. b., the legal basis for the processing to fulfill our services and implementation of contractual measures Art. 6 para. 1 lit. b. and Art. 7 DSGVO are not applicable. DSGVO, the legal basis for processing to fulfil our legal obligations Art. 6 para. 1 lit. c. DSGVO, and the legal basis for processing to safeguard our legitimate interests Art. 6 para. 1 lit. f. DSGVO.
- Security Measures
2.1 We shall take organisational, contractual and technical security measures in accordance with the state of the art to ensure that the provisions of the data protection laws are complied with and to protect the data processed by us against accidental or intentional manipulation, loss, destruction or access by unauthorised persons.
2.2 The security measures include in particular the encrypted transmission of data between your browser and our server.
- Transfer of Data to Third Parties and Third-party Providers
3.1 Data shall only be passed on to third parties within the scope of the statutory provisions. We will only pass on user data to third parties if this is done, for example, on the basis of Art. 6 Para. 1 lit. b. DSGVO is required for contractual purposes or on the basis of legitimate interests pursuant to Art. 6 Para. 1 lit. f. DSGVO in the economic and effective operation of our business.
3.2 Where we use subcontractors to provide our services, we shall take appropriate legal precautions and take appropriate technical and organisational measures to ensure the protection of personal data in accordance with the relevant statutory provisions.
3.3 If content, tools or other means from other providers (hereinafter jointly referred to as “Third Party Providers”) are used within the scope of this data protection declaration and their registered office is located in a third country, it is to be assumed that a data transfer to the registered offices of the Third Party Providers takes place. Third countries are countries in which the DSGVO is not a directly applicable law, i.e. basically countries outside the EU or the European Economic Area. Data is transferred to third countries either if there is an appropriate level of data protection, user consent or other legal permission.
- Provision of Contractual Services
4.1 We process inventory data (e.g. names and addresses as well as contact data of users), contract data (e.g. services used, names of contact persons, payment information) for the purpose of fulfilling our contractual obligations and services pursuant to Art. 6 Para. 1 lit b. DSGVO.
4.2 Users may optionally create a user account, in particular by viewing their orders. Within the scope of registration, the required mandatory information will be communicated to the users. The user accounts are not public and cannot be indexed by search engines. If users have terminated their user account, their data will be deleted with regard to the user account, subject to its retention for commercial or tax reasons pursuant to Art. 6 para. 1 lit. c DSGVO. It is the responsibility of the users to secure their data before the end of the contract in the event of termination. We are entitled to irretrievably delete all user data stored during the term of the contract.
4.3 Within the scope of registration and renewed registrations as well as use of our online services, the IP address and the time of the respective user action will be stored. The storage is based on our legitimate interests, as well as the user’s protection against misuse and other unauthorized use. These data will not be passed on to third parties unless it is necessary to pursue our claims or there is a legal obligation pursuant to Art. 6 para. 1 lit. c DSGVO.
4.4 We process usage data (e.g. the visited websites of our online offer, interest in our products) and content data (e.g. entries in the contact form or user profile) for advertising purposes in a user profile in order to show the user, e.g. product information, based on the services they have previously used.
- Establishing Contact
5.1 When establishing contact with us (via contact form or e-mail), the user’s details are processed for processing the contact request and its completion in accordance with Art. 6 Para. 1 lit. b) DSGVO.
5.2 The user’s details can be stored in our Customer Relationship Management System (“CRM System”) or comparable inquiry organisation.
- Comments and Contributions
6.1 If users leave comments or other contributions, their IP addresses will be used on the basis of our legitimate interests within the meaning of Art. 6 Para. 1 lit. f. DSGVO for 7 days.
6.2 This is done for our safety if someone leaves illegal contents (insults, forbidden political propaganda, etc.) in comments and contributions. In this case we can be prosecuted ourselves for the comment or contribution and are therefore interested in the identity of the author.
- Collection of Access Data and Log Files
7.1 On the basis of our legitimate interests within the meaning of Art. 6 Para. 1 lit. f. DSGVO, we collect data on each access to the server on which this service is available (so-called server log files). The access data includes the name of the website accessed, file, date and time of access, amount of data transferred, notification of successful access, browser type and version, the user’s operating system, referrer URL (the previously visited page), IP address and the requesting provider.
7.2 Log file information is stored for a maximum of seven days for security reasons (e.g. to clarify misuse or fraud) and then deleted. Data, the further storage of which is necessary for evidence purposes, are excluded from deletion until the respective incident has been finally clarified.
- Cookies & Range Measurement
8.1 Cookies are pieces of information that are transmitted from our web server or third-party web servers to the user’s web browser and stored there for later retrieval. Cookies may be small files or other types of information storage.
8.2 We use “session cookies” which are only stored for the duration of the current visit to our online presence (e.g. to enable the storage of your login status or the shopping basket function and thus the use of our online offer at all). A randomly generated unique identification number, a so-called session ID, is stored in a session cookie. In addition, a cookie contains information about its origin and the storage period. These cookies cannot store any other data. Session cookies are deleted when you have finished using our online service and log out or close your browser, for example.
context of this data protection declaration.
8.4 If the users do not want cookies to be stored on their computer, they are asked to deactivate the corresponding option in the system settings of their browser. Stored cookies can be deleted in the system settings of the browser. The exclusion of cookies can lead to functional restrictions of this online offer.
- Google Analytics
9.2 Google will use this information on our behalf to evaluate the use of our website by users, to compile reports on activities within this website and to provide us with other services relating to the use of this website and the internet. Pseudonymous user profiles can be created from the processed data.
9.3 We use Google Analytics only with activated IP anonymisation. This means that the IP address of the user is shortened by Google within member states of the European Union or in other contracting states of the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transmitted to and truncated by Google on servers in the United States.
9.5 Further information on the use of data by Google, setting and objection options can be found on the websites of Google: https://www.google.com/intl/de/policies/privacy/partners (“Use of data by Google for your use of websites or apps of our partners”), http://www.google.com/policies/technologies/ads (“Use of data for advertising purposes”), http://www.google.de/settings/ads (“Manage information that Google uses to show you advertising”).
- Rights of the Data Subject
If your personal data are processed, you are affected within the meaning of the DSGVO and entitled to the following rights towards the person responsible:
10.1 Right to Information
You can request confirmation from the person responsible as to whether personal data relating to you will be processed by us.
In the event of such processing, you may request the following information from the data controller:
(1) the purposes for which the personal data will be processed;
(2) the categories of personal data processed;
(3) the recipients or categories of recipients to whom the personal data relating to you has been or will be disclosed;
(4) the planned duration of the retention of the personal data relating to you or, if it is not possible to provide specific information in this regard, criteria for determining the retention period;
(5) the existence of a right to rectify or delete personal data concerning you, a right to limit the processing by the controller or a right to object to such processing;
(6) the existence of a right of appeal to a supervisory authority;
(7) all available information on the origin of the data, if the personal data are not collected from the data subject;
(8) the existence of automated decision-making including profiling in accordance with Art. 22 (1) and (4) DSGVO and – at least in these cases – meaningful information on the logic involved and the scope and intended effects of such processing on the data subject.
You have the right to request information as to whether the personal data concerning you will be transferred to a third country or to an international organisation. In this context, you may request to be informed of the appropriate guarantees pursuant to Art. 46 DSGVO in connection with the transfer.
10.2 Right to Rectification
You have the right to have your personal data corrected and/or completed by the data controller if the personal data processed concerning you is inaccurate or incomplete. The data controller must carry out the rectification immediately.
10.3 Right to Limit the Processing
Under the following conditions, you may request that the processing of your personal data be restricted:
(1) if you dispute the accuracy of the personal data concerning you for a period of time which allows the controller to verify the accuracy of the personal data;
(2) the processing is unlawful and you refuse to erase the personal data and instead request that the use of the personal data be restricted;
(3) the controller no longer needs the personal data for the purposes of the processing, but you need them for the assertion, exercise or defence of legal claims;
(4) if you have objected to the processing pursuant to Art. 21 para. 1 DSGVO and it has not yet been established whether the legitimate reasons of the data controller outweigh your reasons.
If the processing of personal data concerning you has been restricted, such data – apart from their storage – may only be processed with your consent or for the assertion, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of an important public interest of the Union or a Member State.
If the processing restriction has been limited in accordance with the above conditions, you will be informed by the controller before the restriction is lifted.
10.4 Right of Deletion
a) Duty to delete
You may request the data controller to delete the personal data concerning you immediately and the data controller is obliged to delete this data immediately if one of the following reasons applies:
(1) Personal data relating to you shall no longer be necessary for the purposes for which they were collected or otherwise processed.
(2) You revoke your consent on which the processing pursuant to Art. 6 para. 1 lit. a or Art. 9 para. 2 lit. a DSGVO was based and there is no other legal basis for the processing.
(3) You object to the processing pursuant to Art. 21 para. 1 DSGVO and there are no overriding legitimate reasons for the processing or you object to the processing pursuant to Art. 21 para. 2 DSGVO.
(4) The personal data concerning you have been processed unlawfully.
(5) The deletion of your personal data is necessary to fulfil a legal obligation under Union law or the law of the Member States to which the controller is subject.
(6) The personal data relating to you have been collected in relation to information society services offered pursuant to Article 8(1) DSGVO.
b) Information to third parties
If the person responsible has made the personal data concerning you publicly available and is obliged to delete them in accordance with Art. 17 para. 1 DSGVO, he shall take appropriate measures, including technical measures, taking into account the available technology and the implementation costs, to inform the persons responsible for data processing who process the personal data that you, as the person concerned, have requested them to delete all links to this personal data or copies or replications of this personal data.
The right to deletion does not exist if the processing is necessary.
(1) the exercise of freedom of expression and information;
(2) to fulfil a legal obligation which processing is subject to under the law of the Union or of the Member States to which the controller is subject or to perform a task carried out in the public interest or in the exercise of official authority vested in the controller;
(3) for reasons of public interest in the field of public health pursuant to Art. 9 para. 2 lit. h and i as well as Art. 9 para. 3 DSGVO;
(4) for archival purposes in the public interest, scientific or historical research purposes or for statistical purposes pursuant to Art. 89 para. 1 DSGVO, insofar as the law referred to in Section a) presumably makes the attainment of the objectives of such processing impossible or seriously impairs them;
(5) to assert, exercise or defend legal claims.
10.5 Right to Information
If you have exercised your right to rectify, cancel or limit the processing of your personal data against the controller, the latter is obliged to notify all recipients to whom the personal data concerning you have been disclosed of such rectification, cancellation or limitation, unless this proves impossible or involves a disproportionate effort.
You have the right to be informed of such recipients by the data controller.
10.6 Right to Transfer Data
You have the right to receive the personal data concerning you that you have provided to the responsible person in a structured, common and machine-readable format. In addition, you have the right to provide these data to another data controller without being restricted by the controller to whom the personal data have been provided, provided that
(1) the processing is based on a consent pursuant to Art. 6 para. 1 lit. a DSGVO or Art. 9 para. 2 lit. a DSGVO or on a contract pursuant to Art. 6 para. 1 lit. b DSGVO and
(2) the processing is carried out by automated means.
In exercising this right, you also have the right to request that the personal data concerning you be transferred directly from one responsible person to another responsible person, insofar as this is technically feasible. Freedoms and rights of other persons must not be affected by this.
The right to data transfer does not apply to the processing of personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
10.7 Right of Objection
You have the right, for reasons arising from your particular situation, to object at any time to the processing of your personal data on the basis of Art. 6 para. 1 lit. e or f DSGVO; this also applies to profiling based on these provisions.
The person responsible will no longer process the personal data concerning you unless he can prove compelling reasons for processing worthy of protection which outweigh your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims.
If the personal data concerning you are processed for the purpose of direct marketing, you have the right to object at any time to the processing of the personal data concerning you for the purpose of such advertising; this also applies to profiling insofar as it is connected with such direct marketing.
If you object to processing for direct marketing purposes, the personal data concerning you will no longer be processed for such purposes.
You have the possibility to exercise your right of objection through automatic procedures using technical specifications in connection with the use of information society services, notwithstanding Directive 2002/58/EC.
10.8 Right to Cancel the Declaration of Consent Under Data Protection Law
You have the right to recall your data protection consent at any time. The legitimacy of the processing carried out on the basis of the consent up to the revocation is not affected by the revocation of the consent.
10.9 Automated Decision in Individual Cases Including Profiling
You have the right not to be subject to any decision based solely on automated processing, including profiling, that has any legal effect on you or similarly significantly affects you. This does not apply if the decision:
(1) is necessary for the conclusion or performance of a contract between you and the person responsible,
(2) is authorised by legislation of the Union or of the Member States to which the person responsible is subject and contains appropriate measures to safeguard your rights and freedoms and your legitimate interests; or
(3) with your express consent.
Certainly, these decisions may not be based on special categories of personal data pursuant to Art. 9 para. 1 DSGVO, unless Art. 9 para. 2 lit. a or g applies and appropriate measures have been taken to protect the rights and freedoms as well as your legitimate interests.
With regard to the cases referred to in (1) and (3), the person responsible shall take appropriate measures to protect the rights and freedoms as well as your legitimate interests, including at least the right to obtain the intervention of a person on the part of the person responsible, to state his own position and to challenge the decision.
10.10. Right to Appeal to a Supervisory Authority
Without prejudice to any other administrative or judicial remedy, you shall have the right to complain to a supervisory authority, in particular in the Member State of your residence, place of work or place of presumed infringement, if you consider that the processing of your personal data is in breach of the DSGVO.
The supervisory authority with which the complaint was filed shall inform the complainant of the status and outcome of the complaint, including the possibility of a judicial remedy under Article 78 DSGVO.
- Deletion of Data
11.1 The data stored by us will be deleted as soon as they are no longer required for their intended purpose and there are no legal obligations to retain them. If the user’s data are not deleted because they are required for other and legally permissible purposes, their processing will be restricted. This means that the data will be blocked and not processed for other purposes. This applies, for example, to user data that must be stored for commercial or tax reasons.
11.2 In accordance with legal requirements, data shall be stored for 6 years in accordance with § 257 (1) HGB (German Commercial Code) (commercial books, inventories, opening balance sheets, annual financial statements, commercial letters, accounting records, etc.) and for 10 years in accordance with § 147 (1) AO (German Tax Code) (books, records, management reports, accounting records, commercial and business letters, documents relevant to taxation, etc.).
- Right of Objection
Users may at any time object to the future processing of their personal data in accordance with the statutory provisions. The objection can be made in particular against the processing for purposes of direct marketing.
- Changes to the Data Protection Declaration
13.2 Users are requested to inform themselves regularly about the content of the data protection declaration.
Center Smart Tourism GmbH