We, TravelAppointments, Veit Spiegelberg, Schnellerstraße 101B, 12439 Berlin (hereinafter: "the company", "we" or "us") take the protection of your personal data seriously and would like to inform you about the data protection in our company.
As part of our data protection liability, additional obligations have been imposed on us as part of our data protection liability by the entry into force of the EU General Data Protection Regulation (Regulation (EU) 2016/679; hereinafter: "DS-GMO") in order to ensure the protection of personal data of the data subject (we will also address you as a data subject below with "customer", "user", "you", "you" or "affected").
Insofar as we decide, either alone or jointly with others, on the purposes and means of data processing, this includes, above all, the obligation to inform you transparently about the nature, scope, purpose, duration and legal basis of the processing (see Articles 13 and 14 GDPR). With this declaration (hereinafter: "Privacy Notice") we inform you about how your personal data is processed by us.
Our data protection notices are modular. They consist of a general part for any processing of personal data and processing situations that come into effect each time a website is accessed (A. General) and a special part, the content of which refers only to the processing situation specified therein with the name of the respective offer or product, in particular the visit to websites (e.g. visit of websites).
In order to be able to find the relevant parts for you, please refer to the following overview of the breakdown of the data protection notices:
Following the example of Article 4 GDPR, these data protection notices are based on the following definitions:
- "Personal data" (Art. 4 No. 1 GDPR) is all information relating to an identified or identifiable natural person ("affected"). A person is identifiable if he or she can be identified directly or indirectly, in particular by assigning it to an identifier such as a name, identification number, online identifier, location data or by means of information on his physical, physiological, genetic, psychological, economic, cultural or social identity characteristics. The identification can also be given by means of a link of such information or other additional knowledge. It is not important to obtain, shape or embody the information (including photos, video or audio recordings may contain personal data).
- "Processing" (Art. 4 no. 2 GDPR) is any process in which personal data is handled, whether with or without the help of automated (i.e. technology-based) procedures. This includes, in particular, collection (i.e. procurement), collection, organisation, ordering, storage, adaptation or modification, reading, querying, use, disclosure by transmission, dissemination or other provision, matching, linking, restriction, erasure or destruction of personal data, and changing a purpose or purpose that was originally used for data processing.
- "Responsible" (Art. 4 no. 7 GDPR) is the natural or legal person, authority, body or other body which decides alone or jointly with others on the purposes and means of the processing of personal data.
- 'third party' (Article 4(10) GDPR) means any natural or legal person, authority, body or other body other than the person concerned, the controller, the processor and the persons authorised to process the personal data under the direct responsibility of the controller or processor; this includes other legal entities belonging to the Group.
- "Processor" (Art. 4 No. 8 GDPR) is a natural or legal person, authority, body or other body that processes personal data on behalf of the controller, in particular in accordance with his instructions (e.B. IT service providers). In the sense of data protection law, a processor is not a third party in particular.
- 'Consent' (Art. 4 no. 11 GDPR) of the data subject means any voluntary statement of intent in the form of a declaration or other clear affirmative act in the form of a declaration or other clear affirmative act in which the data subject indicates that he or she agrees to the processing of the personal data concerning him or her.
(2) Name and address of the controller
The body responsible for the processing of your personal data within the meaning of Article 4 No. 7 GDPR is:
Schnellerstraße 101B, 12439 Berlin
Telefon: +49 (0)173 6034787
Telefax: +49 (0)30 609 825 539
Weitere Angaben zu unserem Unternehmen entnehmen Sie bitte demImpressum auf unserer Internetseite.
(3) Legal bases of data processing
By law, any processing of personal data is prohibited by law and is only permitted if the processing of data falls within one of the following justifications:
- Article 6(1) p. 1 lit. a GDPR ('Consent'): If the person concerned has voluntarily, in an informed manner and unequivocally indicated by a declaration or other unambiguous affirmative act that he agrees to the processing of the personal data concerning him or her for one or more specific purposes;
- Article 6(1) p. 1 lit.b GDPR: if processing is necessary for the performance of a contract to which the person concerned is a party or for the implementation of pre-contractual measures taken at the request of the person concerned;
- Art. 6 sec. 1 p. 1 lit.c GDPR: If the processing is necessary to fulfil a legal obligation to which the controller is subject (e.B. a statutory retention obligation);
- Article 6(1) p. 1 lit. d GDPR: If processing is necessary to protect the vital interests of the person concerned or of another natural person;
- Article 6(1) p. 1 lit. e GDPR: If processing is necessary for the performance of a task which is in the public interest or in the exercise of official authority delegated to the controller, or
- Art. 6 sec. 1 lit. f GDPR ("Eligible Interests"): If the processing is necessary to safeguard the legitimate (in particular legal or economic) interests of the controller or a third party, unless the conflicting interests or rights of the person concerned prevail (in particular if the data subject is a minor).
For the processing operations carried out by us, we specify the applicable legal basis in each case. Processing may also be based on several legal bases.
(4) Data erasure and storage time
For the processing operations we perform, we specify in the following how long the data is stored by us and when it will be deleted or blocked. Unless an explicit storage period is specified below, your personal data will be deleted or blocked as soon as the purpose or legal basis for the storage is omitted. In principle, your data will only be stored on our servers in Germany, subject to any disclosure in accordance with the regulations in A.(7) and A.(8).
However, storage may take place beyond the stated time in the event of a (threatening) dispute with you or any other legal procedure or if the storage is provided for by legal regulations to which we are subject as the controller (e.g. Section 257 of the German Commercial Code ( Section 147 AO). If the retention period prescribed by the statutory provisions expires, the personal data will be blocked or deleted, unless further storage by us is required and there is a legal basis for this.
(5) Data security
We use appropriate technical and organizational security measures to protect your data against accidental or intentional manipulation, partial or total loss, destruction or unauthorized access by third parties (e.g. TSL encryption for our website), taking into account the state of the art, implementation costs and the nature, scope, context and purpose of processing, as well as the existing risks of a data breach (including its probability and impact). Our security measures are continuously improved in line with technological developments.
We will be happy to provide you with further information on request. Please contact our Data Protection Officer (see A.(3)).
(6) Cooperation with processors
As with any major company, we use external domestic and foreign service providers (e.B. for the areas of IT, logistics, telecommunications, sales and marketing) to handle our business transactions. These act only in accordance with our instructions and iSv Art. 28 GDPR was contractually obliged to comply with the data protection regulations.
If personal data is passed on by you through us to our subsidiaries or is passed on to us by our subsidiaries (e.g. for advertising purposes), this is due to existing order processing relationships.
(7) Conditions for the transfer of personal data to third countries
As part of our business relationships, your personal data may be disclosed to third-party companies. They may also be located outside the European Economic Area (EEA), i.e. in third countries. Such processing is carried out exclusively for the fulfilment of contractual and business obligations and for the maintenance of your business relationship with us. We will inform you about the respective details of the transfer below at the relevant points.
Einigen Drittländern bescheinigt die Europäische Kommission durch sog. Angemessenheitsbeschlüsse einen Datenschutz, der dem EWR-Standard vergleichbar ist (eine Liste dieser Länder sowie eine Kopie der Angemessenheitsbeschlüsse erhalten Sie hier:https://ec.europa.eu/info/law/law-topic/data-protection_en). In anderen Drittländern, in die ggf. personenbezogene Daten übertragen werden, herrscht aber unter Umständen wegen fehlender gesetzlicher Bestimmungen kein durchgängig hohes Datenschutzniveau. Soweit dies der Fall ist, achten wir darauf, dass der Datenschutz ausreichend gewährleistet ist. Möglich ist dies über bindende Unternehmensvorschriften, Standard-Vertragsklauseln der Europäischen Kommission zum Schutz personenbezogener Daten, Zertifikate, anerkannte Verhaltenskodizes oder eine Eigenzertifizierung über das EU-US-Privacy Shield (Informationen dazu erhalten Sie hier: https://www.privacyshield.gov/welcome). Bitte wenden Sie sich an unseren Datenschutzbeauftragten (siehe unter A.(3)), wenn Sie hierzu nähere Informationen erhalten möchten.
(8) No automated decision-making (including profiling)
We do not intend to use any personal information you collect for automated decision-making (including profiling) procedures.
(9) No obligation to provide personal data
We do not make the conclusion of contracts with us dependent on you providing us with personal data in advance. As a customer, there is no legal or contractual obligation to provide us with your personal data; however, we may be unable to provide certain offers to a limited extent or not at all if you do not provide the necessary information. If this should exceptionally be the case within the scope of the products presented below and offered by us, you will be informed separately.
(10) Legal obligation to provide certain data
We may be subject to a special legal or legal obligation to provide the legally processed personal data to third parties, in particular public authorities (Art. 6 sec. 1 p. 1 lit.c GDPR).
(11) Your rights
You can assert your rights as a data subject with regard to your processed personal data at any time against us under the contact details given at the beginning under A.(2). As a person concerned, you have the right to:
- in accordance with Art. 15 GDPR, to request information about your data processed by us. In particular, you may request information on the processing purposes, the category of data, the categories of recipients to whom your data has been or will be disclosed, the planned retention period, the existence of a right of rectification, deletion, restriction of processing or opposition, the existence of a right of appeal, the origin of their data, if not collected by us, and the existence of automated decision-making, including profiling and, where applicable, meaningful information on its details;
- require the correction of inaccurate data or the completion of your data stored by us without delay in accordance with Article 16 GDPR;
- require the deletion of your data stored by us in accordance with Article 17 GDPR, unless processing is necessary for the exercise of the right to freedom of expression and information, to fulfil a legal obligation, for reasons of public interest or for the assertion, exercise or defence of legal claims;
- require the processing of your data to be restricted in accordance with Article 18 GDPR, insofar as the accuracy of the data is disputed by you or the processing is unlawful;
- in accordance with Article 20 GDPR, to obtain your data that you have provided to us in a structured, common and machine-readable format or to request the transfer to another controller ("data portability");
- object to the processing in accordance with Article 21 GDPR, provided that the processing takes place on the basis of Article 6 (1) p. 1 lit. e or lit. f GDPR. This is especially the case if the processing is not necessary for the performance of a contract with you. Unless there is an objection to direct marketing, we ask us to explain the reasons why we should not process your data as we have carried out in the exercise of such an objection. In the event of your justified objection, we will check the situation and will either discontinue or adapt the data processing or show you our compelling reasons for protecting us, on the basis of which we continue the processing;
- pursuant to Art. 7 sec. 3 GDPR Your consent given once (even before the gdpr, i.e. before 25.5.2018) – i.e. your voluntary, informed and unequivocally made understandable by a declaration or any other clear affirmative action, that you agree to the processing of the personal data in question for one or more specific purposes – at any time to withdraw from us , if you have granted one. As a result, we may no longer continue the processing of data based on this consent for the future and
- in accordance with Article 77 GDPR, to complain to a data protection supervisory authority about the processing of your personal data in our company, for example to the data protection supervisory authority responsible for us:
Berliner Beauftragte für Datenschutz und Informationsfreiheit
B. Visiting websites
(1) Explanation of the function
Information about our companies and the services offered by us can be found at www. travelappointments.com and the corresponding subpages (hereinafter collectively: "Websites"). When you visit our websites, personal data may be processed by you.
(2) Personal data processed
When using the website in an informative manner, we collect, store and process the following categories of personal data:
"Protocol data": When you visit our websites, a so-called log record (so-called server log files) is temporarily and anonymized on our web server. It consists of:
- the page from which the page was requested (so-called referrer URL)
- the name and URL of the requested page
- the date and time of the call
- description of the type, language, and version of the web browser used
- the IP address of the requesting computer, which is shortened in such a way that a personal reference can no longer be produced
- of the amount of data transferred
- the operating system
- message whether the call was successful (access status/Http status code)
- the GMT time zone difference
"Contact form data": When using contact forms, the data transmitted thereby will be processed (e.B. gender, name and first name, address, company, e-mail address and the time of transmission).
"Registration data/account data": When booking our services and registering on our website, the data transmitted thereby will be processed (e.B. gender, name and first name, address, company, e-mail address and the time of transmission).
(3) Purpose and legal basis of data processing
We process the personal data specified above in accordance with the provisions of the GDPR, the other relevant data protection regulations and only to the extent necessary. Insofar as the processing of personal data is based on Art. 6 sec. 1 p. 1 lit. f GDPR, the aforementioned purposes also represent our legitimate interests.
The processing of the log data serves statistical purposes and improves the quality of our website, in particular the stability and security of the connection (legal basis is Art. 6 sec. 1 p. 1 lit. f GDPR).
The processing of contact form data is carried out for the processing of customer enquiries (legal basis is Art. 6 sec. 1 p. 1 lit.b or lit. f GDPR).
The processing of registration data/account data takes place for the use of our services (legal basis is Art. 6 sec. 1 p. 1 lit.b GDPR).
(4) Duration of data processing
Ihre Daten werden nur so lange verarbeitet, wie dies für die Erreichung der oben genannten Verarbeitungszwecke erforderlich ist; hierfür gelten die im Rahmen der Verarbeitungszwecke angegebenen Rechtsgrundlagen entsprechend. Hinsichtlich der Nutzung und der Speicherdauer von Cookies beachten Sie bitte Punkt A.(4) sowie dieCookie-Richtlinie.
Third parties used by us will store your data on their system for as long as is necessary in connection with the provision of the services for us in accordance with the respective order.
(5) transfer of personal data to third parties; Justification
The following categories of recipients, which are usually processors (see A.(6)), may have access to your personal data:
- Service provider for the operation of our website and the processing of data stored or transmitted by the systems (e.g. for data center services, payment processing, IT security). The legal basis for the transfer is then Article 6(1) p. 1 lit.b or lit. f GDPR, in so far as it is not a processor;
- Authorities to the extent necessary to fulfil a legal obligation. The legal basis for the transfer is then Article 6(1) p. 1 lit.c GDPR;
- Persons employed in our business (e.g. auditors, banks, insurance companies, legal advisers, supervisory authorities, participants in company acquisitions or the creation of joint ventures) are employed in our business operations. The legal basis for the transfer is then Art. 6 sec. 1 p. 1 lit.b or lit. f GDPR.
For the guarantees of an adequate level of data protection when the data is to be passed on to third countries, see A.(7).
In addition, we will only pass on your personal data to third parties if you have given express consent to this in accordance with Art. 6 sec. 1 lit. a GDPR.
Cookies may contain data that allows the device used to be recognised. In some cases, cookies also contain only information about certain settings that are not personal. However, cookies cannot directly identify a user.
A distinction is made between session cookies, which are deleted as soon as you close your browser, and persistent cookies that are stored beyond the individual session.
We only use session cookies with the following functions:
- Technical cookies: These are mandatory in order to move around the website, to use basic functions and to ensure the security of the website; they do not collect information about you for marketing purposes, nor do they store which websites you have visited;
- Performance cookies: These collect information about how you use our website, which pages you visit and, for example.B whether there are errors in website usage; they do not collect information that could identify you – all information collected is anonymous and is only used to improve our website and find out what our users are interested in.
C. Data processing on our website
Our web hosting provider, domainfactory GmbH, Oskar-Messter-Str. 33, 85737 Ismaning ("domainfactory"), automatically collects data from the calling device every time our website is accessed and stores this data in log files (web server log files). This data is used exclusively for the delivery of our contents. We don't have access to it.
The following data is collected for access:
- Information about the calling application ("User Agent": browser type and version, possibly operating system and language)
- the IP address of the calling computer (visitor)
- Date and time of access
- Referer URLs (addresses of websites from which our pages are accessed)
- UrLs accessed (addresses of websites and files on our website that are accessed)
- Status code.
Die erfassten Informationen erlauben keine Rückschlüsse auf Personen; eine Speicherung dieser Daten zusammen mit anderen personenbezogenen Daten findet nicht statt. Wir benutzen auf dieser Website keine technischen Hilfsmittel zur Nutzungsanalyse wie Cookies, Google Analytics o. ä. Weitere Informationen:Datenschutzerklärung von domainfactory.
Purposes and legal basis of data processing: The temporary processing of data by domainfactory during website use is technically necessary to deliver our web content. IP addresses are only collected and temporarily stored for technical and security purposes, including establishing connections, detecting hacker attacks, and fixing technical faults. For the purposes mentioned above, there is a legitimate interest on our part in the processing of the data collected for this purpose in accordance with Article 6 (1) (f) GDPR.
Storage time and deletion: Web server log files are deleted by domainfactory as soon as they are no longer required for the above purposes. The storage period is 3 days. We have no influence on the data collection by the provider and cannot make any deletion ourselves. Therefore, there is no possibility of objection on the part of the users.
D. Data processing in the context of e-mail communication
We offer on our website possibilities to get in touch with us quickly and conveniently. When you contact us via the e-mail address provided by us, we will store the personal data that you provide to us with your e-mail as long as this is necessary for the processing of your request. Your contact information will not be passed on to third parties.
E-Mail-Nachrichten speichern wir lokal auf unseren Systemen sowie auf den E-Mail-Servern bei unserem E-Mail-Provider domainfactory GmbH, Oskar-Messter-Str. 33, 85737 Ismaning („domainfactory“). Außerdem speichert domainfactory eventuell Verkehrsdaten mit IP-Adressen von Absendern. Mehr Informationen:Datenschutzerklärung von domainfactory.
Purposes and legal basis of data processing: The storage and processing of personal data transmitted by us by e-mail as well as traffic data enables the necessary communication within the scope of our work, in particular the processing of enquiries and the coordination during the treatment. For the purposes mentioned above, there is a legitimate interest on our part in the processing of the data collected for this purpose in accordance with Article 6 (1) (f) GDPR.
Storage period and deletion: We delete personal data that may be transmitted to us by e-mail if no contract is concluded or if it is no longer necessary for the aforementioned purposes and there is no legal obligation to retain it. If we wish to store personal data permanently in our systems in such cases, we will obtain the consent of the data subject.
We have no influence on the data collection by the provider and cannot make any deletion ourselves. Therefore, there is no possibility of objection on the part of the users.