Privacy policy in accordance with GDPR
1. Name and address of the controller
Your contact in terms of the European Union's General Data Protection Regulation (GDPR), other national data protection legislation within member states, and any other data protection provisions is as follows:
THERME ERDING Service GmbH
Thermenallee 1
85435 Erding
Telephone: 08122 550 - 0
Fax: 08122 550 - 2219
Email: kundenservice@therme-erding.de
(hereafter referred to as “we” or “our”)
2. Name and address of the data protection officer
Protecting your personal data is very important to us. To show our commitment to this, we have appointed a consultancy that specialises in data protection and security to take responsibility for this key issue. We are being advised by:
actago GmbH
Maximilian Nuss
Straubinger Straße 7
94405 Landau an der Isar
Email: datenschutz@therme-erding.de
3. General information on data processing
3.1 Scope of the personal data processing
We only process your personal data insofar as this is necessary to perform our services. Your personal data can normally only be processed based on your consent. Exceptions to this include cases where practical reasons meant it was not possible to obtain your prior consent, or where a legal provision allows for your data to be processed.
3.2 Legal basis for processing personal data
If we obtain your consent for the processing of your personal data, Art. 6(1)(a) GDPR serves as the legal basis.
When processing personal data that are required for the performance of a contract between us, Art. 6(1)(b) GDPR serves as the legal basis. This also applies for processing required to carry out precontractual actions.
Insofar as personal data must be processed to fulfil a legal obligation that we are subject to, Art. 6(1)(c) GDPR serves as the legal basis.
In the event that you or another natural person have vital interests that require the processing of personal data, Art. 6(1)(d) GDPR serves as the legal basis.
If the processing is required to protect a legitimate interest of ours or of a third party, and if your interests, fundamental rights and freedoms do not outweigh the former interest, Art. 6(1)(f) GDPR serves as the legal basis for processing.
3.3 Data deletion and storage period
Your personal data will be deleted or blocked as soon as the purpose for storage no longer applies. Data can be stored beyond this period if we are subject to a provision to this effect from the European or national legislator, as set out in European Union regulations, laws or other provisions. The data will also be blocked or deleted at the end of the storage period prescribed by the standards referred to above, unless it is necessary to retain the data for the conclusion or performance of a contract.
4. Provision of the website and creation of log files
4.1 Description and scope of data processing
Whenever a request is made to our website, our system automatically captures information from the computer system making the request. The following data are collected here:
- information about the type and version of browser being used
- user’s operating system
- user’s internet service provider
- user’s IP address
- date and time of the access
- volume of data being transmitted
- referrer URL
These data are also stored in log files on our system. These data will not be stored with any of the user’s other personal data.
4.2 Legal basis for data processing
The legal basis for processing your personal data as part of providing the website and creating log files is Art. 6(1)(f) GDPR.
4.3 Purpose of the data processing
The temporary storage of your personal data by us is necessary in order to provide our website to your computer. Consequently, your personal data need to be stored for the duration of the session.
The storage of your personal data in log files is done to ensure the functionality of the website. In addition, your personal data serve to help us optimise the website and to ensure the security of our information technology systems. Your personal data will not be evaluated for marketing purposes in this context.
For these purposes, our legitimate interest in data processing is also based on Art. 6(1)(f) GDPR.
4.4 Duration of storage
Your personal data will be deleted as soon as they are no longer required to fulfil the purpose for which they were collected. In the case of collecting your personal data for providing the website, this will apply as soon as the relevant session has ended.
Where your personal data are stored in log files, these will be deleted after a period of no longer than seven days. Storage beyond this period is possible. In this case, your personal data will be deleted or altered so that it is no longer possible to link the data to the requesting client.
4.5 Opt-out and removal options
It is essential to collect your personal data to provide the website and to store your personal data in log files in order to operate the website. Consequently, there are no opt-out options available to you.
5. Use of cookies
When you access this website, we store cookies (small files) on your device. These are valid for the following periods:
Name: | Storage period: |
__cfduid | 29 days |
CookieConsent | 1 year |
fe_typo_user | end of the session |
spamshield | end of the session |
collect | end of the session |
_ga | 2 years |
_gat | 1 day |
_gid | 1 day |
yt-player-headers-readable | persistent |
TDCPM | 1 year |
TDID | 1 year |
IDE | 1 year |
RUL | 1 year |
test_cookie | 1 day |
fr | 3 months |
tr | end of the session |
pagead/1p-user-list/# | end of the session |
misc/img | session |
mt_misc | 29 days |
uuid | 1 year |
_fbp | 3 months |
_gcl_aw | 3 months |
TADCID | 1 day |
VISITOR_INFO1_LIVE | 179 days |
YSC | end of the session |
yt.innertube::nextId | persistent |
yt.innertube::request | persistent |
yt-player-bandaid-host | persistent |
ads/ga-audiences | end of the session |
_gac_UA-# | 3 months |
These are used to improve the use of the site and to offer users more functionality. Most browsers are configured to accept the use of cookies; however, you can alter your browser settings to disable this function for the current session or permanently.
6. Newsletter
6.1 Description and scope of data processing
Our website offers you a newsletter containing information about the latest events and offers. If you wish to subscribe to the newsletter, you will need to provide a valid email address. When you subscribe to the newsletter, you are consenting to the process outlined, including receipt of the newsletter.
The technical process for newsletter mailing is supported by Emarsys, who provide the software and infrastructure for sending out electronic messages based on users’ consent.
After registering, Emarsys will send you an email to confirm your subscription (“double opt-in”). If you no longer wish to receive our newsletter, you can unsubscribe at any time by clicking the unsubscribe link contained in every email. Further information on data protection at Emarsys can be found here: https://www.emarsys.com/de/datenschutzrichtlinie/
6.2 Legal basis for data processing
The legal basis for processing your personal data as part of the newsletter mailing is Art. 6(1)(a) GDPR, where consent has been provided, or the statutory permission in Section 7 para 3 of UWG [Gesetz gegen den unlauteren Wettbewerb: German Act against Unfair Competition] due to the sale of goods or services.
6.3 Purpose of the data processing
Your personal data are collected in order to send you the newsletter. The purpose of processing your personal data as part of the newsletter mailing is to promote the sale of goods or services.
6.4 Duration of storage
Your personal data will be deleted as soon as they are no longer required to fulfil the purpose for which they were collected. Accordingly, your personal data will be stored as long as your newsletter subscription is active.
6.5 Opt-out and removal options
You can cancel your newsletter subscription at any time. A link for this purpose is included in every newsletter. By cancelling the subscription, you are also revoking your consent.
7. Registration
7.1 Description and scope of data processing
You can register for the ThermenCard on our website to speed up completion of the contract. Your personal data will thus be processed for performance of the contract or to carry out precontractual measures.
When registering, the following data are saved:
- title
- first name*
- surname*
- date of birth
- email*
- password*
- password confirmation*
7.2 Legal basis for data processing
The legal basis for processing your personal data as part of registration is Art. 6(1)(b) GDPR.
7.3 Purpose of the data processing
Your registration makes it easier to put in place contractual agreements between us. Consequently, the processing of your personal data as part of registration is necessary to perform a contract between us or to carry out precontractual measures.
7.4 Duration of storage
Your data will be deleted as soon as they are no longer required to fulfil the purpose for which they were collected. For data collected during the registration process that are required for contract performance or to carry out precontractual measures, this will be the case when your personal data are no longer required to implement the contract. It may be necessary to store a contractual partner’s personal data after completion of the contract to comply with contractual or legal obligations.
7.5 Opt-out and removal options
You may cancel your registration at any time. You can have your personal data amended at any time. If your personal data are required to perform a contract or to carry out precontractual measures, the premature deletion of your personal data is only possible insofar as this does not contravene any contractual or legal obligations.
8. Getting in touch by email
8.1 Description and scope of data processing
It is possible to get in contact via the email address provided. In this case, your personal data that are transmitted with the email will be stored. These data will not be passed on to any third party in this context. These data will be used exclusively to handle the correspondence.
8.2 Legal basis
The legal basis for processing your personal data transmitted during email contact is Art. 6(1)(f) GDPR. If the communication via the contact form or email is aimed at concluding a contract, then Art. 6(1)(b) GDPR serves as an additional legal basis for the data processing.
8.3 Purpose of the data processing
In the event of contact being made via the contact form or via email, your personal data will only be processed in order to handle this correspondence.
8.4 Duration of storage
Your personal data will be deleted as soon as they are no longer required to fulfil the purpose for which they were collected.
For personal data sent via email, this is the case once the conversation has ended. The conversation is ended when it can be determined that the relevant situation has been clarified conclusively.
Any additional personal data collected during the dispatch process will be deleted after a period of no more than seven days.
8.5 Opt-out and removal options
You may object to the processing of your personal data as part of an email correspondence at any time with future effect. In this case, it will not be possible to continue the conversation between us. Any personal data that were stored during the contact process will be deleted in this event.
9. Web tracking and analysis by Google Analytics
9.1 Handling the processing
This website uses Google Analytics, the web analysis service from Google Inc. (hereinafter referred to as “Google”). Google Analytics uses so-called “cookies”, text files that are stored on your computer and enable analysis of your use of the website. The information created by the cookies about your use of this website is generally transmitted to a Google server in the USA, where it is stored. However, if IP anonymization is enabled on this website, your IP address will first be truncated by Google within a member state of the European Union or in a country covered by the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and truncated there. Google will use this information on behalf of the operator of this website to analyse your use of the website, to create reports about website activity, and to provide the website operator with services relating to use of the website and their online offering. The IP address transmitted by your browser as part of Google Analytics will not be associated with any other data by Google.
Furthermore, you may prevent the transmission and processing of data created by the cookie relating to your use of this website (including your IP address) by downloading and installing the available browser plugin.
You can prevent data collection by Google Analytics by clicking the following link. This places an opt-out cookie on your device that prevents the future collection of your data when visiting this website.
- Disabling Google Analytics
More detailed information can be found under Google’s terms of use and privacy policy.
9.2 Legal basis for data processing
The legal basis for processing your personal data is Art. 6(1)(f) GDPR.
9.3 Purpose of the data processing
Processing your personal data allows us to analyse your browsing behaviour. By evaluating the data obtained, we can collate information about the use of individual components on our website. This helps us constantly improve our website to make it more user friendly. This purpose is the basis of our legitimate interest in processing your personal data in accordance with Art. 6(1)(f) GDPR. Your interest in protecting your personal data is taken sufficiently into account through the anonymization of your IP address.
9.4 Duration of storage
Your personal data will be deleted as soon as they are no longer required for the aforementioned purposes.
9.5 Opt-out and removal options
Users of this website who do not want their data collected by Google Analytics can install the browser add-on to disable Google Analytics. This add-on instructs the Google Analytics JavaScript functions (ga.js, analytics.js and dc.js) that run on the website not to allow information to be sent to Google Analytics.
If you wish to disable Google Analytics, visit this page, and install the add-on to disable Google Analytics for your browser. More detailed information on installing and uninstalling the add-on can be found in the relevant Help resources for your browser.
Browser and operating system updates may result in the add-on no longer disabling this functionality as intended. You can find more information on managing add-ons for Chrome here. If you do not use Chrome, consult the creator of your browser directly to find out whether the add-on will work in the version of the browser you are using.
The latest versions of Internet Explorer sometimes only load the add-on to disable Google Analytics after the data have been sent to Google. Consequently, if you use Internet Explorer the add-on will install cookies on your computer. These cookies ensure that any data collected will be deleted without undue delay from the relevant server. Make sure that third-party cookies are not disabled for Internet Explorer. If you delete your cookies, these cookies will be restored within a short period by the add-on to ensure that your Google Analytics browser add-on continues to work properly.
The browser add-on to disable Google Analytics will not prevent data being sent to the website or to other web analysis services.
More detailed information on the terms of use and on data protection can be found at www.google.com/analytics/terms/de.html and at support.google.com/analytics/answer/6004245. IP anonymization is enabled on this website.
10. Google Fonts
This website can use so-called Google Fonts to enable a consistent typeface presentation.
When using these fonts, your browser downloads the required fonts from our website system. These are then stored temporarily in the so-called browser cache to enable the correct display.
No connection is made between your browser and Google’s servers when doing this. This ensures Google does not obtain any information about your request or your IP address.
11. Use of YouTube videos
Our website incorporates videos from the external video platform YouTube. By default, only the disabled images from the YouTube channel are embedded, which do not create an automatic link to the YouTube servers. This means the operator does not receive any data from the user when visiting the web pages.
You can decide for yourself whether to enable YouTube videos. Only when you approve the video for playing by clicking “Permanently enable” do you consent to the necessary data (including the internet address for the current page plus the user’s IP address) being transmitted to the operator.
To save the user’s desired setting, we save a cookie to record this parameter. However, no personal data are stored when saving this cookie; it simply contains anonymised data to customise your browser. The videos are then enabled and can be played by the user. If you wish to disable the automatic loading of YouTube videos, you can untick the box consenting to this under the data protection symbol. This also updates the cookie settings.
YouTube is a product from YouTube LLC, 901 Cherry Ave., San Bruno, CA 94066, USA, a subsidiary of Google Inc., 1600 Amphitheatre Parkway, Mountain View, California 94043, USA. Further information on the purpose and scope of the data processing (including outside the European Union and outside the USA) plus information on settings options to protect your privacy can be found in the privacy policy:
https://policies.google.com/privacy?hl=de&gl=de
12. Use of 360 Grad Team
On the website, we use the application 360 Grad Team, which is produced by the company 360 Grad Team GmbH based at August-Bebel-Straße 16, 09376 Oelsnitz/Erzgeb.
This application allows us to offer 360-degree images in various Therme areas on the website, enabling website users to get a better insight into these different areas.
Personal data, such as IP addresses, are transmitted to 360 Grad GmbH in order to offer this functionality.
This is done based on a legitimate interest in accordance with Art. 6(1)(f) GDPR.
13. Google AdWords
As part of our use of Google AdWords, we use Google conversion tracking. This is an analytical service provided by Google LLC (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; "Google").
If you come to our website via a Google advert, Google AdWords will place a cookie on your device ("conversion cookie"). This cookie becomes invalid after 30 days. It is not used for personal identification purposes. If this cookie has not yet expired when certain pages on our site are visited, we and Google can detect that someone clicked on the advert and was directed to our site in this way. Each AdWords customer receives a different cookie. Consequently, cookies cannot be traced via AdWords customers' websites.
The information obtained from the conversion cookies serves to create conversion statistics for AdWords customers who have chosen conversion tracking. AdWords customers find out the total number of users who have clicked on their advert and been transferred to a page with a conversion tracking tag. They do not receive any information that could be used to identify the user in person. If you do not wish to participate in this tracking process, you can refuse to accept the relevant cookie – for example, by disabling cookies in general via your browser settings. You can also disable cookies for conversion tracking by configuring your browser to block cookies from the "googleadservices.com" domain.
Further information on privacy at Google is available at https://www.google.com/policies/?hl=de. Users can also disable or opt out of Google Ads in general or in part at http://www.google.com/settings/ads.
14. Google remarketing
By means of Google’s remarketing technology, users who have already visited our website are shown targeted ads on other sites in the Google Partner network. Cookies can be used to help analyse interests when visiting the website and to subsequently offer relevant product promotions.
If users have agreed to Google linking their web and app browser history to their Google account, and for information from our Google account to be used to personalise the advertising they see online, Google will combine data from these registered users with Google Analytics data to create and define remarketing content across all devices. To support this functionality, Google-authenticated IDs for these users will be saved by Google Analytics. These personal data from Google will be temporarily linked with Google Analytics data in order to form target groups.
More information and options for disabling these ad placements can be found at http://www.google.com/settings/u/0/ads/anonymous?hl=en (link “Ad settings”, then “Disable”).
15. The Trade Desk
Our website uses The Trade Desk tool from The UK Trade Desk Ltd (Company No. 8539108), 10th Floor, 1 Bartholomew Close, London EC1A 7BL, United Kingdom. The Trade Desk offers a technological solution known in the advertising sector as a demand-side platform (DSP). In simple terms, this allows the management of digital marketing campaigns via a number of channels such as websites, apps, audio platforms and smart TVs.
Cookies are used to collect pseudonymised data and other data that do not identify specific individuals and to transmit these data to The Trade Desk. These data include, but are not limited to, your truncated and thus pseudonymised IP address, the date and time of your website visit, the location of the device used to access our website (e.g. through the GPS signal, Bluetooth or Wi-Fi signal), page requests, interactions with the page, and the referring page (referrer). These data are transmitted to the demand-side platform, where they are linked to your pseudonymous ID. This happens across any websites on platforms that use this technology. The purpose of the data collection and processing is to show you exclusively adverts that are targeted around your prior interests, which will therefore be more relevant for you. Your personal data will be pseudonymised before transmission to The Trade Desk’s demand-side platform. There is third-country transmission to the USA.
More detailed information on the technology used by The Trade Desk and on privacy can be found via the following link: http://thetradedesk.com/general/privacy-policy.
Support for our data collection in this context is based on your consent to appropriate data processing in accordance with Art. 6(1)(a) GDPR, which you may naturally withdraw at any time by changing your personal privacy settings.
16. Google Maps
This site uses the Google Maps service via an API. The provider is Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.
It is necessary to store your IP address to use Google Maps functionality. This information is generally transmitted to a Google server in the USA, where it is stored. The provider of this page has no influence over this data transmission.
The use of Google Maps is done in the interest of presenting our online product as attractively as possible and to make it easier to find any locations specified on our website.
Google Maps is used exclusively based on consent in accordance with Art. 6(1)(a) GDPR.
More information about the way user data is handled can be found in Google’s privacy policy: https://www.google.de/intl/de/policies/privacy/.
17. ajax.googleapis.com / jQuery
On our web pages, we use the JavaScript library jQuery. To increase the loading speed for our website and thus offer a better user experience, we use the CDN (content delivery network) from Google to load this library.
It is highly likely that you have already used jQuery on another Google CDN page. In this case, your browser can reuse the copy saved in the cache rather than having to download it again.
If your browser does not have a copy in its cache, or if the file is downloaded by the Google CDN for some other reason, data from your browser will once again be transmitted to Google Inc. (“Google”).
For more information about data processing by Google, please refer to Google’s data protection information, which can currently be found at: https://www.google.de/intl/de/policies/privacy/
18. cloudflare.com
This website uses services from “Cloudflare” (provider: Cloudflare, Inc., 101 Townsend St, San Francisco, CA 94107, USA).
Cloudflare runs a content delivery network (CDN) and provides security functionality for the website (web application firewall). Data is transferred between your browser and our servers via the Cloudflare infrastructure, where it is analysed to prevent attacks. Cloudflare uses cookies to enable you to access our website. This use of Cloudflare is done in the interest of ensuring it is safe to use our online product and to thwart harmful external attacks. This constitutes a legitimate interest in terms of Art. 6(1)(f) GDPR.
Further information can be found in Cloudflare's privacy policy: https://www.cloudflare.com/de-de/privacypolicy/
19. Online Shop
The personal data we collect will be passed to the designated shipping company as part of order processing if this is necessary to supply the goods.
As part of payment processing, we will pass on your payment data to the designated credit institution. Submissions to state institutions or public authorities will only be made due to mandatory national legal provisions.
We also process and use your data
- to contact you, if this is desired by you, or if it is necessary or legally permitted as part of the contractual relationship;
- to justify, develop the content of, modify or end a contractual relationship with you regarding services you have ordered and to meet our obligations under the terms of this contract, in particular, to process your order, perform the services ordered and to implement the payment process;
- to advertise similar services from Therme Erding by email, provided Therme Erding obtained your email address in relation to the sale of a service and you have not objected to the use of the email address. You can object to this use of your email address at any time without any transmission costs arising other than under the basic tariffs.
PayPal:
For payment via PayPal, credit card via PayPal, direct debit via PayPal or (if offered) "Kauf auf Rechnung" (purchase on account) via PayPal, we will pass on your payment data as part of payment processing to PayPal (Europe) S.à r.l et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg (hereinafter referred to as "PayPal").
PayPal reserves the right to conduct a credit rating check for the payment methods credit card via PayPal, direct debit via PayPal or (if offered) "Kauf auf Rechnung" via PayPal. PayPal uses the result of this credit check regarding the statistical probability of non-payment to decide whether to provide the relevant payment methods.
This credit check may contain probability values (so-called score values). Insofar as score values are fed into the result of the credit check, these are based on a scientifically recognised statistical procedure. Address details are included in the information used to calculate score values. For additional privacy information, including the credit agencies used, please refer to PayPal’s privacy policy: https://www.paypal.com/de/webapps/mpp/ua/privacy-full. This is necessary to provide certain content and services on our website.
Sofortüberweisung:
One of the payment methods offered on our website is “Sofortüberweisung”. This payment service is provided by Sofort GmbH, Theresienhöhe 12, 80339 Munich (hereafter referred to as “Sofort GmbH”).
With the help of the “Sofortüberweisung” process, we receive payment confirmation in real time from Sofort GmbH and can proceed without undue delay with the fulfilment of our obligations.
If you choose the “Sofortüberweisung” payment method, you send the PIN and a valid TAN to Sofort GmbH, allowing them to log in to your online banking account. After logging in, Sofort GmbH checks the status of your account and initiates the transfer to us using the TAN you provided. They then send us an immediate transaction confirmation. After logging in, an automatic check will be conducted on your revenues, the credit limit on your overdraft facility, and the existence of other accounts and their balances.
In addition to the PIN and TAN, the payment data you entered and personal data will be transmitted to Sofort GmbH. These personal data involve first name and surname, address, telephone number(s), email address, IP address, and potentially other data required for payment processing. It is necessary to transmit these data to definitively prove your identity and prevent fraud.
The transmission of your data to Sofort GmbH is done based on Art. 6(1)(a) GDPR (consent) and Art. 6(1)(b) GDPR (processing for the performance of a contract). You may withdraw your consent to this data processing at any time. Such a withdrawal does not impact the effectiveness of any historical data processing.
Details on payment with “Sofortüberweisung” can be found via the following links: https://www.sofort.de/datenschutz.html and https://www.klarna.com/sofort/.
Trusted Shops:
To display our Trusted Shops and any potential ratings, the Trusted Shops Trustbadge is incorporated in our website.
In the context of balancing interests, this serves to protect our overriding legitimate interest in the optimal marketing of our service in accordance with Art. 6(1)(1)(f) GDPR. The Trustbadge and associated services are products offered by Trusted Shops GmbH, Subbelrather Str 15C, 50823 Cologne.
When the Trustbadge is requested, the web server automatically saves a so-called server log file, which contains e.g. your IP address, the date and time of the request, the volume of data transmitted, and the requesting provider (access data) and documents the request. These access data are not evaluated and will be overwritten automatically no more than seven days after the end of your site visit.
Other personal data are only transmitted to Trusted Shops if you have given consent, or if you decide to use Trusted Shops products after the order has been completed, or if you have already registered to use these products. In this case, the contractual agreement made between you and Trusted Shops is applicable.
20. Booking a hotel or reserving a table at the hotel restaurant
If you book a hotel room on the website or if you reserve a table at the Restaurant Empire or Harbour Restaurant, the personal data you provide will be collected by Hotel Victory Therme Erding GmbH, Thermenallee 1a, 85435 Erding (hereinafter referred to as the “hotel”) and processed for the subsequent contract performance, including service provision. This includes booking, ordering and payment for goods and services associated with accommodation, catering and events as well as other hotel goods and services provided to the user and also the contact with the hotel.
When implementing a booking or an order, we collect the following personal data for the order, booking process, service performance and payment:
- customer's name (consisting of title, first name and surname)
- guest's name (consisting of title, first name and surname)
- company (optional)
- contact address (consisting of street, building number, postcode, town/city, country)
- contact address (consisting of street, building number, postcode, town/city, country) (optional)
- special booking details (for instance information on any allergies, shoe size etc.) (optional)
- telephone number
- email address
- credit card information
- VAT ID number (optional)
We also process and use your data
- to contact you, if this is desired by you, or if it is necessary or legally permitted as part of the contractual relationship;
- to establish, develop the content of, modify or end a contractual relationship with you regarding services you have ordered at the hotel, and to meet our obligations under the terms of this contract, in particular to process your booking or order, perform the services ordered, and implement the payment process;
- to advertise the hotel's own offers by post;
- to advertise third-party offers by post, if the body responsible for using the data can be clearly identified from this marketing approach;
- to advertise our own similar hotel services by email, provided the hotel obtained your email address in relation to the sale of a service and you have not objected to the use of the email address. You can object to this use of your email address at any time without any transmission costs arising other than under the basic tariffs.
Emails associated with an existing booking, which may also be promotional in nature, are sent using “Revinate”, an email marketing service offered by the US provider Revinate, Inc., 1 Letterman Dr., Building C, Suite CM100, San Francisco, CA 94129, USA. Our guests’ email addresses and names, and other data outlined in these notes, will be stored on Revinate servers in the USA. Revinate uses this information to send out and evaluate the newsletter on our behalf, and to optimise or improve its own services (e.g. for technical enhancements to the mailing system and newsletter presentation). When the newsletter is opened, technical information is collected via a so-called “web beacon”, such as information about your browser and computer system, plus your IP address and the time of the request. This information is used to improve the service based on the technical details or the target groups and their reading behaviour based on retrieval locations (which can be determined using the IP address) or access times. We have put in place a data processing agreement with Revinate in accordance with Art. 28 GDPR, which requires Revinate to comply with adequate levels of data protection.
The legal basis for sending promotional emails and for postal promotions is our legitimate interest in accordance with Art. 6(1)(f) GDPR in compliance with the provisions in Section 7 para. 3 UWG (German Act against Unfair Competition). Promotional emails will only be sent if you have already been a guest with us, in other words if you have benefitted from hotel services. You can opt out of receiving the newsletter at any time in future. To do this, please send an email to datenschutz@victory-hotel.de. You will find a link to cancel the newsletter at the end of each newsletter. Once you have successfully opted out, you will no longer receive any promotional emails from us.
Personal data collected by Hotel Victory Therme Erding GmbH will only be passed on to third parties insofar as this is necessary for contract performance. A contract has been agreed in accordance with Art. 28 GDPR with each of the processors involved in terms of Art. 4(1)(8) GDPR to ensure secure data processing that complies with data protection requirements. Data will not be transmitted to third countries outside the European Union.
Your rights as the data subject are described under item 11 in this privacy policy, and enquiries in this regard can always be directed by email to datenschutz@victory-hotel.de. This is also the contact information for the hotel's data protection officer.
21. Galaxy Lounges reservations
If you use the website galaxy-lounges.de to reserve a lounge or private recliner, the data entered will be processed exclusively for the subsequent contract performance, including service provision. This includes the reservation and cancellation of the booked services and any other services performed in this context.
When implementing a reservation, we collect the following personal data for the reservation, booking process, service performance and payment:
- title
- surname, first name
- street, postcode, town/city, country
- telephone number
- email address
- password (optional, only if you create a customer account)
- reservation history
We also process and use your data
- to create a customer account (optional, only if you create a customer account);
- to contact you, if this is desired by you or if it is necessary or legally permitted as part of the contractual relationship.
Our processing, therefore, serves contract performance in terms of Art. 6(1)(b) GDPR.
The personal data collected by us are only passed on to third parties insofar as this is necessary for contract performance. Here, this is THERME ERDING Familienbad GmbH, Thermenallee 2, 85435 Erding, which performs services as a contractual partner.
A contract has been agreed in accordance with Art. 28 GDPR with each of the processors involved to ensure secure data processing that complies with data protection requirements.
22. Reservation of Royal Day Spa Lounges
If you use the website lounges.therme-erding.de to reserve a Royal Day Spa Lounge, the data entered will be processed exclusively for the subsequent contract performance, including service provision. This includes the reservation and cancellation of the booked services and any other services performed in this context.
When implementing a reservation, we collect the following personal data for the reservation, booking process, service performance and payment:
- title
- surname, first name
- street, postcode, town/city, country
- telephone number
- email address
- password (optional, only if you create a customer account)
- reservation history
We also process and use your data
- to create a customer account (optional, only if you create a customer account);
- to contact you, if this is desired by you or if it is necessary or legally permitted as part of the contractual relationship.
Our processing, therefore, serves the performance of a contract in terms of Art. 6(1)(b) GDPR.
The personal data collected by us are only passed on to third parties insofar as this is necessary for contract performance. Here, this is THERME ERDING Vital GmbH, Thermenallee 4, 85435 Erding, which performs services as a contractual partner.
A contract has been agreed in accordance with Art. 28 GDPR with each of the processors involved to ensure secure data processing that complies with data protection requirements.
23. Booking swimming classes
Our website offers the option of booking swimming classes for you and your children. In order to handle your registration, we need some personal details from you (first name, surname, address, email address, telephone number, child’s first name and surname, child’s date of birth). You can enter these details directly in the relevant class registration form or create your own profile for future class registrations.
Your data will be used exclusively by Therme Erding employees for the purpose of handling the swimming class booking and will not be passed on to third parties. The legal basis for this data processing is Art. 6(1)(b) GDPR (contract performance).
After the swimming class has been completed, we will delete all your personal data unless there are commercial or tax legislation reasons requiring the retention of the data. In accordance with statutory requirements, data will be retained for 6 years pursuant to Section 257 para. 1 HGB [Handelsgesetzbuch: German Commercial Code] (e.g. commercial letters, accounting records, etc.) and for 10 years pursuant to Section 147 para. 1 AO [Abgabenordnung: German Tax Code] (e.g. commercial correspondence, tax-related documents).
24. Kids Club
All parents can register their children aged 0 to 15 years for the Kids Club on our website.
Registration for free membership of the Galaxy Kids Club is only permitted with consent from all legal guardians. The personal data that can be seen on the registration form (sex, name, address, date of birth, email address, telephone number) are used to send information (vouchers, discounts etc.) and to get in touch to deal with any membership issues via post and email newsletters. The legal basis for using these data is your consent in accordance with Art. 6(1)(a) GDPR.
You can withdraw your consent at any time with future effect by using the specified contact details. Withdrawal of consent only requires a statement from one legal guardian, even if both parents originally provided their consent. After consent has been withdrawn, your personal data processed in this context will be deleted unless there are other grounds to justify the ongoing processing of these data.
25. Tripadvisor
On our website, we use a social media plugin from Tripadvisor Inc., 400 1st Avenue, Needham, MA 02494 USA.
Tripadvisor is an online business that collects reviews from its users about tourist services. These reviews are combined with booking recommendations. We use the Tripadvisor widget to offer a neutral display of customer testimonials about us. This constitutes a legitimate interest in terms of Art. 6(1)(f) GDPR. Tripadvisor places a cookie on your computer as soon as you visit a page with the widget. Further information can be found in the Tripadvisor privacy policy: https://tripadvisor.mediaroom.com/CHDE-privacy-policy.
26. Use of Facebook Custom Audiences
We use the remarketing function “Custom Audiences” from Facebook Inc., 1601 S. California Ave, Palo Alto, CA 94304, USA (“Facebook”).
This function serves to present users of this website with targeted ads when visiting the Facebook social network ("Facebook ads"). To do this, Facebook's remarketing tag is used on this website. This tag enables the creation of a direct link to Facebook's servers when visiting the website. Information will be transmitted to the Facebook server indicating that you have visited this website and Facebook assigns this information to your personal Facebook user account.
More details about the collection and use of data by Facebook, and about your relevant rights and the options for protecting your privacy can be found in Facebook’s privacy information at https://www.facebook.com/about/privacy/.
Alternatively, you can disable the “Custom Audiences” remarketing function at www.facebook.com/settings/. To do this, you must be logged in to Facebook.
27. Presence on Facebook and social media plug-in
We offer a Facebook page to extend our online presence. This involves a service from Facebook Ireland Ltd., 4 Grand Canal Square Grand Canal Harbour, Dublin 2, Ireland.
Please note, use of this Facebook page and its functionality is your own responsibility. This applies in particular to the use of interactive functionality (e.g. comments, shares, ratings).
When you visit our Facebook page, Facebook captures your IP address and other information, which is available in the form of cookies on your PC. This information is used to provide us, as the operator of the Facebook page, with statistical data about the use of the Facebook page. Facebook provides more detailed information on this via the following link: https://de-de.facebook.com/help/pages/insights.
The data collected in this context are processed by Facebook Ltd. and may be transmitted to countries outside the European Union. Facebook describes in general terms what information it receives and how this is used in its data use policy. This also includes information about ways to contact Facebook and the settings options for advertising. The data use policy can be found via the following link:
https://de-de.facebook.com/about/privacy
Facebook’s complete data policies can be found here:
https://de-de.facebook.com/help/568137493302217
Facebook does not give full, clear details about how it uses data from visiting Facebook pages for its own purposes, or the extent to which activities on Facebook pages are linked to individual users, or how long Facebook stores these data, or whether data from visiting a Facebook page are passed on to third parties, and we are not aware of any such information.
When you access a Facebook page, the IP address assigned to your device will be transmitted to Facebook. According to Facebook, this IP address will be anonymised (for “German” IP addresses) and deleted after 90 days. Facebook also stores information about the user’s device (e.g. as part of the “login notification” function); thus it is possible that Facebook could assign IP addresses to individual users.
If you are currently logged in to Facebook as a user, there will be a cookie on your device with your Facebook ID. This makes it possible for Facebook to identify that you have visited this page and see how you have used it. This also applies to all other Facebook pages. Using the Facebook buttons integrated in our website, it is possible for Facebook to record your visits to these web pages and to link this information with your Facebook profile. Based on these data, you can be offered customised content or advertising.
If you want to prevent this, you should log out of Facebook or disable the “stay logged in” function, delete cookies on your device, close and restart your browser. This will delete the Facebook information that would allow you to be identified directly. You will then be able to use our Facebook page without disclosing your Facebook ID. If you want to use the interactive functionality on the page (likes, comments, shares, news etc.) a Facebook login screen will appear. Once you have logged in, you will be recognisable to Facebook as a specific user again.
Details about how you can manage or delete the information about you can be found on the following Facebook support pages: https://de-de.facebook.com/about/privacy#
As the provider of the information service, we also collect and process the following data from your use of our service: publicly visible data from the data subject’s user profile. For example, this includes the username, profile picture, and content from comments added to our posts.
More information about Facebook and other social networks and about how to protect your data can also be found at www.youngdata.de.
28. Presence on Instagram and social media plug-in
We offer an Instagram page to extend our online presence. This involves a service from Facebook Ireland Ltd., 4 Grand Canal Square Grand Canal Harbour, Dublin 2, Ireland.
Please note, use of this Instagram page and its functionality is your own responsibility. This applies in particular to the use of interactive functionality (e.g. comments, shares, ratings).
When you visit our Instagram page, Instagram captures your IP address and other information, which is available in the form of cookies on your PC. This information is used to provide us, as the operator of the Facebook page, with statistical data about the use of the Facebook page. Facebook provides more detailed information on this via the following link: https://help.instagram.com/1896641480634370?ref=ig.
The data collected in this context are processed by Facebook Ltd. and may be transmitted to countries outside the European Union. Instagram describes in general terms what information it receives and how this is used in its data use policy. This also includes information about ways to contact Instagram and the settings options for advertising. The privacy policy can be found via the following link:
Instagram does not give full, clear details about how it uses data from visiting Instagram pages for its own purposes, or the extent to which activities on Instagram pages are assigned to individual users, or how long Instagram stores these data, or whether data from visiting an Instagram page are passed on to third parties, and we are not aware of any such information.
When you access an Instagram page, the IP address assigned to your device will be transmitted to Instagram. According to Facebook, this IP address will be anonymised (for “German” IP addresses) and deleted after 90 days. Instagram also stores information about the user’s device (e.g. as part of the “login notification” function); thus it is possible that Facebook could assign IP addresses to individual users.
If you are currently logged in to Instagram as a user, there will be a cookie on your device with your Instagram ID. This makes it possible for Instagram to identify that you have visited this page and see how you have used it. This also applies to all other Instagram pages.
If you want to prevent this, you should log out of Instagram or disable the “stay logged in” function, delete cookies on your device, close and restart your browser. This will delete Instagram information that would allow you to be identified directly. You will then be able to use our Instagram page without disclosing your Instagram ID. If you want to use the interactive functionality on the page (likes, comments, shares, news etc.) an Instagram login screen will appear. Once you have logged in, you will be recognisable to Instagram as a specific user again.
Details about how you can manage or delete the information about you can be found on the following Facebook support pages: https://help.instagram.com/519522125107875/?helpref=hc_fnav&bc[0]=Instagram-Hilfebereich&bc[1]=Privatsph%C3%A4re%20und%20Sicherheit
As the provider of the information service, we also collect and process the following data from your use of our service: publicly visible data from the data subject’s user profile. For example, this includes the username, profile picture, and content from comments added to our posts.
More information about Instagram and other social networks and about how to protect your data can also be found at www.youngdata.de.
29. Presence on Twitter and social media plug-in
We use the technical platform and services offered by Twitter Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA, to issue tweets.
Please note, use of the Twitter message service and its functionality is your own responsibility. This applies in particular to the use of interactive functionality (e.g. shares, likes).
The data collected about you when you use this service are processed by Twitter Inc. and may be transmitted to countries outside the European Union. This includes your IP address, the application used, details about the device you used (including device ID and application ID), information about the websites requested, your location and your mobile phone provider.
These data will be linked with the data for your Twitter account or Twitter profile. We have no influence over the nature or scope of any data processed by Twitter, the type of processing, the use, or the onward transmission of these data to third parties. Information about which data are processed by Twitter and for what purpose can be found in Twitter’s privacy policy (https://twitter.com/privacy?lang=de). Details are also provided about ways to access your own Twitter data (https://help.twitter.com/de/managing-your-account/accessing-your-twitter-data).
You can also request information via Twitter’s privacy form or by using the archive request:
https://support.twitter.com/forms/privacy
https://help.twitter.com/de/managing-your-account/how-to-download-your-twitter-archive
Options for limiting the processing of your data are available via the general settings for your Twitter account and under “Privacy and security”. You can also use your mobile device settings (smartphones, tablets) to restrict Twitter’s access to contact and calendar data, photos, location data etc. However, this depends on the operating system being used. Further information on this is available from the following Twitter support pages:
https://support.twitter.com/articles/105576#
By using cookies and the Twitter buttons or widgets integrated in websites, Twitter is able to record your visit to these web pages and link this to your Twitter profile. Based on these data, you can be offered customised content or advertising. Information about this and the settings options available can be found on the following Twitter support pages:
https://help.twitter.com/de/using-twitter/tailored-suggestions
https://help.twitter.com/de/rules-and-policies/twitter-cookies
Our website uses social media plugins ("plugins") from the social network Twitter, which is operated by Twitter Inc., 795 Folsom St. Suite 600, San Francisco, CA 94107, USA ("Twitter"). By using Twitter and its “retweet” function, the websites you visit will be linked with your Twitter account and disclosed to other users. This also involves the transmission of data to Twitter.
We have no information about the content of the data transmitted or its use by Twitter. Details about the purpose and scope of the data collection, the further processing and use of the data by Twitter, and your relevant rights and settings options to protect your privacy can be found in Twitter’s privacy policy: https://twitter.com/privacy?lang=de
30. Presence on Pinterest and social media plug-in
Please check carefully which personal data you share with us via Pinterest. We would like to point out explicitly that Pinterest stores its users’ data (e.g. personal information, IP addresses etc.) and may use this for commercial purposes. More detailed information on Pinterest’s data processing can be found in the privacy policy at https://policy.pinterest.com/de/privacy-policy.
We have no influence over Pinterest’s data collection and other processing. In addition, we cannot tell to what extent your data may be stored, in which location, for how long, to what extent Pinterest meets the existing obligations to delete data, what analyses and links will be undertaken for the data, nor to whom the data will be transferred. If you want to prevent Pinterest processing personal data that you transmit to us, please contact us in another way. Our complete contact details can be found in our legal declaration at Pinterest.
The controller for the data processing in terms of the General Data Protection Regulation (GDPR) is Therme Erding Service GmbH, Thermenallee 1, 85435 Erding, insofar as we exclusively process the data sent to us by you via Pinterest ourselves. Insofar as the data sent to us by you via Pinterest is also or exclusively processed by Pinterest, there is an additional controller besides us in terms of data processing under the General Data Protection Regulation (GDPR). This additional controller is Pinterest Europe Ltd., Palmerston House, 2nd Floor, Fenian Street, Dublin 2, Ireland.
Our website also uses plugins from the Pinterest social network, which is operated by Pinterest Inc., 808 Brannan St, San Francisco, CA 94103, USA (“Pinterest”).
By visiting our website using the integrated “Pin it” button, Pinterest receives information that you have requested the relevant page on our website. If you are logged in to Pinterest while you visit our website, Pinterest will be able to link your visit to your Pinterest account. If you click the “Pin it” button, the data transmitted will be stored by Pinterest. If you do not want this to happen, you will need to log out of Pinterest before visiting our website.
Details about the purpose and scope of the data collection, the further processing and use of the data by Pinterest, and your relevant rights and settings options to protect your privacy can be found in Pinterest’s privacy policy: https://about.pinterest.com/de/privacy-policy-0
31. Presence on YouTube and social media plug-in
We use the YouTube platform to incorporate our own videos and make these publicly accessible. YouTube is a service offered by a third-party provider that is not associated with us, namely Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
Some web pages on our site contain links to the YouTube service. In general, we are not responsible for content on linked internet sites. If you follow a link to YouTube, please be aware that YouTube saves its users’ data (e.g. personal information, IP address) in accordance with its own data use policy and uses these data for commercial purposes.
YouTube content is only included in “enhanced privacy mode”. YouTube sets this up itself, thus guaranteeing that YouTube does not initially save any cookies to your device. Nonetheless, when the relevant pages are requested, the IP address and 4 other items of data specified in Section 4 will be transmitted, so information about which web pages you have visited is also revealed. However, this information cannot be linked to you provided you did not log in to YouTube or another Google service (e.g. Google+) prior to requesting the page and you are not logged in to such services on a permanent basis.
As soon as you start playing an embedded video by clicking on it, thanks to the enhanced privacy mode, YouTube will only save cookies to your device that do not contain any data that could be personally identified, unless you are currently logged in to a Google service. These cookies can be disabled using appropriate browser settings and extensions.
Address and link to the third-party provider’s privacy policy:
Google/YouTube: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland – privacy policy: https://policies.google.com/privacy
Opt-out: https://adssettings.google.com/authenticated
32. Presence on TikTok
We use the TikTok platform to incorporate our own videos and make these publicly accessible. TikTok is a service offered by a third-party provider that is not associated with us, namely TikTok Inc., 10100 Venice Blvd., Culver City, CA 90232, USA.
It is important to note that TikTok may use its own tracking tools, for which TikTok is responsible. Please refer here to TikTok’s privacy policy: https://www.tiktok.com/legal/privacy-policy?lang=de.
33. Direct marketing
33.1 Description and scope of data processing
Our company processes personal data, such as name and address, in order to send you postal advertising with the aim of achieving increased sales of goods or services.
33.2 Legal basis for data processing
The legal basis for processing your personal data as part of direct marketing is Art. 6(1)(f) GDPR.
33.3 Purpose of the data processing
The purpose of processing your personal data as part of direct marketing by post is to promote the sale of goods or services. For this purpose, our legitimate interest in data processing is based on Art. 6(1)(f) GDPR.
33.4 Duration of storage
Your personal data will be deleted as soon as they are no longer required to fulfil the purpose for which they were collected; in particular, this will apply in the event of receiving notification that you are opting out.
33.5 Opt-out and removal options
You can object to the processing of your personal data as part of direct marketing by post at any time with future effect.
34. Legal defence and enforcement
34.1 Description and scope of data processing
Our company will mount a legal defence to protect itself against unauthorised claims. In addition, we will assert rights and claims owed to us.
It is necessary to process personal data for this purpose.
This involves the data subject’s legally relevant data.
34.2 Purpose of the data processing
The purpose of processing your personal data as part of a legal defence or enforcement of rights is to defend ourselves against unauthorised claims or to legally enforce our own claims and rights. For this purpose, our legitimate interest in data processing is based on Art. 6(1)(f) GDPR.
34.3 Duration of storage
Your personal data will be deleted as soon as they are no longer required to fulfil the purpose for which they were collected.
34.4 Opt-out and removal options
It is essential to process your personal data as part of a legal defence or enforcement. Consequently, there are no opt-out options available to you.
35. Categories of recipient
Within our company, personal data are received by individuals in particular roles and by departments requiring these data for the aforementioned purposes. We also sometimes use various service providers and will transmit your personal data to other trustworthy recipients. For example, these could be:
- banks
- scanning services
- printing companies
- direct mail companies
- IT service providers
- lawyers and courts
36. Rights of the data subject
36.1 Right to information
You can ask the controller in accordance with Art. 15 GDPR to confirm whether your personal data are being processed by us.
If your data are being processed, you can demand the following information from the controller in accordance with Art. 15(1) GDPR:
- the purposes for which the personal data are being processed;
- the categories of personal data that are being processed;
- the recipient or categories of recipient to whom your personal data have been or will be disclosed;
- the planned storage period for your personal data or, if specific information is not available, the criteria for determining how long the data will be stored;
- the existence of a right to rectify or erase your personal data, the right to restrict processing by us, or the right to object to this processing;
- the existence of the right to lodge a complaint with a supervisory authority;
- all available information about the origin of the data, if the personal data were not collected from the data subject;
- the existence of automated decision-making, including profiling, in accordance with Art. 22(1) and (4) GDPR and (at least in these cases) meaningful information about the logic involved, and the scope and expected impact of this kind of processing for you. You are entitled to demand information as to whether your personal data are transmitted to a third country or to an international organisation. In this context, you can demand to be informed about the appropriate guarantees pursuant to Art. 46 GDPR associated with this transmission.
If the data are transmitted to a third country or to an international organisation, you are entitled under Art. 15(2) GDPR to be notified about the appropriate guarantees pursuant to Art. 46 GDPR associated with this transmission.
36.2 Right to rectification
Under Art. 16 GDPR, you have the right to rectify and/or complete any personal data being processed by the controller if these data are incorrect or incomplete. We must undertake this correction without undue delay.
36.3 Right to restriction of processing
As is apparent from Art. 18(1) GDPR, you have the right to obtain from the controller restriction of processing under the following conditions:
- if you contest the accuracy of your personal data, for a period enabling the controller to verify the accuracy of the data (Art. 18(1)(a) GDPR);
- if the processing is unlawful and you oppose the erasure of your personal data and request the restriction of their use instead (Art. 18(1)(b) GDPR);
- if we no longer need the personal data for the purposes of the processing, but they are required by you in order to establish, exercise or defend legal claims (Art. 18(1)(c) GDPR);
- if you have objected to processing pursuant to Art. 21(1) GDPR and it has not yet been established whether our legitimate grounds override yours (Art. 18(1)(d) GDPR).
If the processing of your personal data has been restricted, these data (with the exception of storage) can only be processed with your consent, or to establish, exercise or defend legal claims, or to protect the rights of another natural person or legal entity, or for reasons of important public interest on the part of the European Union or a member state (Art. 18(2) GDPR).
If processing has been restricted in accordance with the above conditions, you will be notified by us before this restriction is lifted (Art. 18(3) GDPR).
36.4 Right to erasure
a) Erasure obligation
In accordance with Art. 17(1) GDPR, you can demand that we erase your personal data without undue delay. Furthermore, we are obliged to delete these data without undue delay, insofar as one of the following grounds applies:
- if your personal data are no longer necessary for the purposes for which they were collected or were otherwise being processed; (Art. 17(1)(a) GDPR)
- if you withdraw your consent on which the processing is based according to Art. 6(1)(a), or Art. 9(2)(a) GDPR, and if there are no other legal grounds for the processing; (Art. 17(1)(b) GDPR)
- if you object to the processing pursuant to Art. 21(1) GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Art. 21(2) GDPR; (Art. 17(1)(c) GDPR)
- if your personal data have been unlawfully processed; (Art. 17(1)(d) GDPR)
- if your personal data have to be erased to comply with a legal obligation under European Union law or under a Member State law to which the controller is subject; (Art. 17(1)(e) GDPR)
- if your personal data have been collected in relation to the offer of information society services pursuant to Art. 8(1) GDPR; (Art. 17(1)(f) GDPR)
b) Information sent to third parties
If we have made your personal data public and we are obliged pursuant to Art. 17(1) GDPR to erase the personal data, we will take reasonable steps, including technical measures (taking account of the available technology and the cost of implementation), to inform controllers which are processing the personal data that you have asserted your right as the data subject to request the erasure of any links to or copies of these personal data. (Art. 17(2) GDPR)
c) Exceptions
The right to erasure does not exist if processing is necessary for one of the following reasons:
- to exercise the right of freedom of expression and information; (Art. 17(3)(a) GDPR)
- to comply with a legal obligation that requires the data processing in accordance with European Union law or a Member State law to which the controller is subject, or to perform a task carried out in the public interest or associated with the exercise of official authority vested in us; (Art. 17(3)(b) GDPR)
- for reasons of public interest in the area of public health in accordance with Art. 9(2)(h) and (i) as well as Art. 9(3) GDPR; (Art. 17(3)(c) GDPR)
- for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Art. 89(1) GDPR, insofar as the right referred to in paragraph (a) is likely to render impossible or seriously impair the achievement of the objectives of the processing; (Art. 17(3)(d) GDPR) or
- to establish, exercise or defend legal claims. (Art. 17(3)(e) GDPR)
36.5 Right to information
If you assert your right to rectification, erasure or restriction of processing, we are obliged pursuant to Art. 19 GDPR to inform all recipients to whom your personal data have been disclosed about the rectification, erasure or restriction of processing unless this is impossible or involves disproportionate effort. You are entitled to be informed about these recipients.
36.6 Right to data portability
Under Art. 20(1) GDPR, you have the right to receive the personal data you have provided to the controller in a structured, commonly used and machine-readable format. You also have the right to transmit the personal data to another controller without hindrance from us, if
- the processing is based on consent pursuant to Art. 6(1)(a) or Art. 9(2)(a) GDPR or on a contract pursuant to Art. 6(1)(b) GDPR (Art. 20(1)(a) GDPR); and
- the processing is carried out by automated means. (Art. 20(1)(b) GDPR)
Under Art. 20(2) GDPR, you also have the right to have your personal data transmitted directly from us to another controller, insofar as this is technically feasible.
Exercising the right referred to in Art. 20(1) GDPR shall be without prejudice to the right to erasure set out in Art. 17 GDPR. This does not apply to processing that is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us. This is based on Art. 20(3) GDPR.
Pursuant to Art. 20(4) GDPR, the freedoms and rights of others must not be adversely affected by the above.
The right to data portability does not apply for the processing of personal data necessary to carry out a duty that is in the public interest or in the exercise of official authority vested in us.
36.7 Right to object
Pursuant to Art. 21(1) GDPR, you have the right to object, on grounds relating to your particular situation, at any time to processing of your personal data which is based on Art. 6(1)(e) or (f) GDPR, including profiling based on those provisions.
We will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or unless the processing serves to establish, exercise or defend legal claims.
If your personal data are processed for direct marketing purposes, you have the right to object at any time to processing of your personal data for such marketing; this also includes profiling insofar as this is related to such direct marketing (Art. 21(2) GDPR).
If you object to the processing for direct marketing purposes, your personal data will no longer be processed for these purposes (Art. 21(3) GDPR).
In the context of the use of information society services – notwithstanding Directive 2002/58/EC – you may exercise your right to object by automated means using technical specifications. (Art. 21(5) GDPR)
You also have the right to object, on grounds relating to your particular situation, to the processing of your personal data for scientific or historical research purposes or statistical purposes pursuant to Article 89(1) GDPR, unless the processing is necessary for the performance of a task carried out for reasons of public interest (Art. 21(6) GDPR).
36.8 Right to withdraw your consent under data protection legislation
Under Art. 7(3) GDPR, you have the right to withdraw your consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
You will be informed of this prior to giving consent.
36.9 Automated individual decision-making, including profiling
You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or which similarly significantly affects you. This does not apply if the decision:
- is necessary for entering into, or performance of, a contract between you and us;
- is permitted under European Union or Member State law to which we are subject, and which also includes suitable measures to safeguard your rights and freedoms and legitimate interests; or
- is based on your explicit consent.
This is based on Art. 22(1), (2) GDPR.
Nevertheless, these decisions must not be based on special categories of personal data set out in Art. 9(1) GDPR, unless Art. 9(2)(a) or (g) applies and suitable measures have been put in place to safeguard your rights and freedoms and legitimate interests.
With regard to the cases referred to in (1) and (3), we will implement suitable measures to safeguard your rights and freedoms and legitimate interests, including at least the right to human intervention on the part of the controller, to express one’s own point of view, and to contest the decision. (Art. 21(3), (4) GDPR).
36.10 Right to lodge a complaint with a supervisory authority
Without prejudice to any other administrative or judicial remedy, under Art. 77 GDPR, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, your place of work or the location of the alleged infringement, if you consider that the processing of your personal data infringes the GDPR.
The supervisory authority with which the complaint has been lodged will inform the complainant of the progress and outcome of the complaint, including the possibility of a judicial remedy pursuant to Article 78 GDPR (Art. 77 GDPR).
The supervisory authority for our company is: The Bavarian state official for data protection: The Bavarian State Office for Data Protection Supervision (BayLDA): https://www.datenschutz-bayern.de, poststelle@datenschutz-bayern.de
The supervisory authority to which you have submitted the complaint will inform you of the progress and outcome of the complaint, including the possibility of a judicial remedy pursuant to Art. 78 GDPR. You are welcome to contact our data protection officer with any queries.
37. Note on privacy policy
Unless stipulated otherwise, this privacy policy covers the use of all information that we have about you.
The company reserves the right to make ongoing changes to this privacy policy in accordance with the necessary security measures, and we will publish any potential updates here.
Status: April 2021