Data Privacy Statement
Data Protection Declaration in Accordance with the GDPR
1) Name and Address of the Responsible Party
Your contact person in accordance with the European Union's General Data Protection Regulation (EU-GDPR) and other national data protection laws of the member countries as well as other data protection guidelines is:
Badeparadies Schwarzwald TN GmbH
Am Badeparadies 1
Telefon: +49 (0) 7651 / 9360 333
(hereafter referred to as "we" or "our")
2) Name and Address of the Data Protection Officer
The protection of your personal data is a high priority for us. In order to convey this importance, we have commissioned a consulting firm specialising in data protection and data security with the assumption of responsibility for these central themes. We are being consulted by:
Straubinger Straße 7
94405 Landau an der Isar
3) General Information regarding Data Processing
3.1) Scope of the Processing of Personal Data
We shall process your personal data in principle only insofar as this is required for the rendering of our services. The processing of your personal data shall be done regularly only subject to your consent. An exception shall be valid only in such cases in which a prior obtaining of consent is not possible based upon the actual circumstances or the processing of your personal data is permitted by law.
3.2) Legal Basis for the Processing of Personal Data
Insofar as we obtain your consent for the processing of personal data, Art. 6 Para. 1 lit. a EU-GDPR shall serve as our legal basis for this.
During the processing of personal data which is required for the fulfilment of a contractual agreement between you and us, Art. 6 Para. 1 lit. b EU-GDPR shall serve as our legal basis. This shall be valid also for any processing steps which are required for the implementation of pre-contractual measures.
Insofar as a processing of personal data is required for the fulfilment of a legal obligation to which we are subject, Art. 6 Para. 1 lit. c EU-GDPR shall serve as our legal basis.
For the case that vital interests of yours or of another natural person make a processing of personal data required, Art. 6 Para. 1 lit. d EU-GDPR shall serve as our legal basis.
If the processing is required in order to safeguard an entitled interest of ours or of a third party and your interests, fundamental rights and fundamental freedoms do not outweigh the aforementioned interest, Art. 6 Para. 1 lit. f EU-GDPR shall serve as the legal basis for the processing.
3.3) Data Deletion and Storage Timeframe
Your personal data shall be deleted or blocked as soon as the purpose for their storage is no longer valid. Moreover, storage can be done if this has been prescribed by the European or national lawmakers in European Union decrees, laws or other directives to which we are subject. A blocking or deletion of data shall also then be undertaken if a storage timeframe prescribed by the aforementioned norms lapses unless a requirement exists for the continued storage of the data for a conclusion or the fulfilment of a contractual agreement.
4) Making the Website Available and Creating Log Files
4.1) Description and Scope of the Data Processing
During every visit to our Internet site, our system collects data and information from the accessing computer's computer system in automated fashion. In this regard, the following data are collected:
- Information regarding the browser type and the version being used
- The user's operating system
- The user's Internet service provider
- The user's IP address
- Date and time of day of the access
- Respectively-transferred data quantity
- Referrer URL
The data shall likewise be stored in our system's log files. A storage of these data together with the user's other personal data shall not be undertaken.
4.2) Legal Basis for the Data Processing
The legal basis for the processing of your personal data during the supplying of the website and the creation of log files shall be Art. 6 Para. 1 lit. f EU-GDPR.
4.3) Purpose of the Data Processing
It is necessary for us to temporarily store your personal data in order to enable the supplying of the website to your computer. In order to do this, your personal data must be stored for the duration of the session.
The storage of your personal data shall be undertaken in log files in order to guarantee the website's functionality. In addition, your personal data shall serve the purpose of enabling us to optimise the website and guarantee the security of our information systems. In this context, no evaluation of your personal data shall be undertaken for marketing purposes.
Our entitled interest in the data processing also lies in these purposes in accordance with Art. 6 Para. 1 lit. f EU-GDPR.
4.4) Storage Timeframe
Your personal data shall be deleted as soon as they are no longer needed for the attainment of the purpose for their collection. In the case that the collection of your personal data is required for the supplying of the website, this shall be the case as soon as the respective session has ended.
In the case that your personal data are stored in log files, they shall be deleted by no later than after seven days. However, a longer storage timeframe is possible. In this case, your personal data shall be deleted or digitally altered so that a classification of the accessing client is no longer possible.
4.5) Rights of Objection and Deletion of the Personal Data
The collection of your personal data for the supplying of the website and the storage of your personal data in log files are mandatorily required for the operation of the website. Consequently, you shall have no right to lodge an objection in this regard.
5) Usage of Cookies
5.1) Description and Scope of the Data Processing
Whenever you visit this Internet site, we shall store cookies (small files) on your device. They shall be valid for a timeframe of:
Name: Storage Timeframe:
- TDCPM 1 year
- TDID 1 year
- __cfduid 1 month
- _fbp 3 months
- _ga 2 years
- _gat_UA-24969466-3 1 day
- _gid 1 day
- ads/ga-audiences End of the session
- _pin_unauth 1 year
- _uetsid 1 day
- _uetsid_exp Permanently
- _uetvid 16 days
- _uetvid_exp Permanently
- mf_# End of the session
- mf_user 3 months
- uslk_e 1 year
- uslk_s End of the session
- CookieConsent 1 year
- PHPSESSID End of the session
- SERVERID End of the session
- uslk_in_service_time Permanently
- _uslk_test Session
- _uslk_widget_key End of the session
- mtc_id Permanently
- mtc_sid Permanently
- mtc_social_login Permanently
- mf_initialDomQueue End of the session
- mf_transmitQueue End of the session
- collect End of the session
- MUID 1 year
- IDE 1 year
- fr 3 months
- tr End of the session
- ANID 11 months
- CONSENT 18 years
- NID 6 months
- SESS# 20 years
- apay-session-set 1 year
- language 1 day
- HEX (32) End of the session
- #GUID#23 1 year
- _pinterest_ct_ua 1 year
- v3 End of the session
- mtpConfigFeed# Permanently
- mtpConfigFeedBase# Permanently
- mtpDeckchairSprite# Permanently
- mtpTemplates# Permanently
- mtpTranslations# Permanently
We use them in order to be able to improve the usage of the website and to offer the visitors more functions. The settings on most browsers are enabled in such a manner that they accept the usage of cookies. However, this function can be deactivated for the current session or permanently by changing the settings on your Internet browser.
6.1) Description and scope of data processing
To register for the newsletter, the following data must be provided:
- Email address (required field)
- First name
- Last name
- Date of birth
NeverBounce, a service provided by NeverBounce 805 Broadway St, Suite 900 Vancouver, WA 98660 USA, is integrated into Hubspot with which we aim to reduce the number of invalid email addresses (email marketing/subscriber lists). By verifying email addresses, we can improve our services and offer you even better services.
6.2) Legal Basis for the Data Processing
The legal basis for the processing of your personal data for the sending of the newsletter is, if consent has been granted, Art. 6 Para. 1 lit. a EU-GDPR or, as the result of the sale of goods or services, the legal consent specified in § 7 Para. 3 German Unfair Competition Act.
6.3) Purpose of the Data Processing
The collection of your personal data serves the purpose of sending the newsletter to you. The purpose of the processing of your personal data for the sending of the newsletter is the promotion of the sale of goods or services.
6.4) Storage Timeframe
Your personal data shall be deleted as soon as they are no longer required for the fulfilment of the purpose of their collection. Your personal data shall therefore be stored as long as your subscription to the newsletter is active.
6.5) Rights of Objection and Revocation
You may terminate the subscription to the newsletter at any time. There is a corresponding link for this purpose in each newsletter. The termination of the subscription shall likewise enable a revocation of the consent.
7.1) Description and Scope of the Data Processing
You must register on our website in order to speed up the conclusion of the contractual agreement. The processing of your personal data shall therefore contribute to the fulfilment of the contractual agreement or the implementation of pre-contractual measures.
During the registration, the following data shall be stored:
- Form of address*
- E-mail (repeated)*
- Building No.*
- Postal Code*
For the processing of the data, reference is made during the registration process to this Data Protection Declaration.
7.2) Legal Basis for the Data Processing
The legal basis for the processing of your personal data during the registration is Art. 6 Para. 1 lit. b EU-GDPR.
7.3) Purpose of the Data Processing
Your registration shall enable the simplified conclusion of contractual agreements between you and us. The processing of your personal data during the registration is thus required for the fulfilment of a contractual agreement between you and us or in order to implement pre-contractual measures.
7.4) Storage Timeframe
Your data shall be deleted as soon as they are no longer required for the fulfilment of the purpose of their collection. This is then the case for the measures undertaken during the registration process for the fulfilment of an agreement or for the implementation of pre-contractual measures if your personal data are no longer required for the implementation of the agreement. Even after the agreement has been concluded, a necessity may exist to store the contractual partner's personal data in order to fulfil contractual or legal obligations.
7.5) Rights of Objection and Deletion
You shall at all times have the right to rescind the registration. You can have the personal data stored about you modified at any time. If your personal data are required for the fulfilment of an agreement or for the implementation of pre-contractual measures, a premature deletion of your personal data is possible only insofar as contractual or legal obligations do not oppose a deletion.
8) Registration for application days
8.1) Description and extent of data processing
Go to our website to register your participation in our application days to facilitate your application process. Accordingly, processing your person-related data helps to organise or carry out pre-contractual measures. The following data is saved upon registration:
- First Name*
- Family Name*
- Street and House No.*
- Post Code*
It is also possible to upload application documents (curriculum, certificates etc.) when registering. We treat these documents strictly confidential. They help us to individually prepare for your participation on the application day.
Within the scope of the registration procedure, reference is made to this data protection declaration for processing your data.
8.2) Legal basis for processing data
The basis for processing your person-related data during the registration procedure for the application day is Article 6 Paragraph 1 lit. b EU-DSGVO in connection with § 26 BDSG-new.
8.3) Purpose of the data processing
Your registration serves to process the application and facilitates signing a contract between the two of us. Processing your person-related data within the scope of registration is therefore required to prepare a contract between the two of us or in order to carry out pre-contractual measures.
8.4) Period of storing data
Your data is deleted once the purpose for which it was raised does not exist any longer. Regarding your registration and carrying out the application day, your data is saved by us in any case as long as it takes to conclude the application procedure. In case of a negative decision or upon withdrawing your application, we save your documents for a maximum of 6 months to assert, defend and exercise legal claims, restricted to only saving the data. If your application results in an employment the relevant data gleaned from your application documents is included in the administration of employees. In case you withdraw your registration prior to the application day, your data is deleted at once.
8.5) Option to object and remove
You have the option to remove your registration at any time. You can also have your saved person-related data changed any time. If your person-related data is required to fulfil a contract or to carry out pre-contractual measures, having your person-related data deleted prematurely is only possible, in so far as contractual or legal obligations or legitimate interests of the company do not prevent a deletion.
9) Enquiry Form – Children's Birthday Party
9.1) Description and extent of data processing
Go to our website for an enquiry to book a date for a children's birthday party with us. Your personal data is subsequently used to organise or carry out pre-contractual measures. The following data is saved upon registration:
- Order number of your registration ticket*
- Date of birth of your child*
- Date of visit*
- Approximate time of arrival*
- Number of children including birthday child*
- Number of accompanying persons/adults*
- Party theme*
- Child's gender
- First name of birthday child*
- Family name of birthday child*
- First Name*
- Family Name*
Reference is made to this privacy declaration within the scope of processing the registration.
9.2) Legal basis for data processing
The legal basis for the processing of your personal data for the inquiry for a child's birthday shall be Art. 6 Para. 1 lit. [b EU-GDPR]
9.3) Purpose of data processing
Your enquiry simplifies the process of planning children's birthday parties and also the signing of a contract between yourselves and us. Therefore, processing your personal data within the scope of an enquiry is necessary to prepare a contract between yourselves and us or to carry out pre-contractual measures. In addition, we reserve the right to use the data for marketing purposes or to promote the sale of goods or services.
9.4) Period of storing data
Your data is deleted as soon as it is no longer required for achieving the purpose of their raising in the first place. In case of your enquiry or registration and carrying out a children's birthday party, your data is saved with us until the end of the birthday party. The data is subsequently deleted from the data files without delay. If you cancel the children's birthday party, your data is deleted immediately.
9.5) Right to object to and to remove data
You are entitled to withdraw from the enquiry or registration at any time. You are also entitled to have your personal data changed that is saved with us. Should your person-related data be required to fulfil a contract or to carry out pre-contractual measures, then this data can only be deleted provided there are no contractual or legal obligations or in case the enterprise has a legitimate interest that prevents data from being deleted.
10) Registration for the Galaxino Club
10.1) Description and scope of the data processing On our website, you can register your child in the Galaxino Club in order to receive potential advantages when visiting our thermal bath and information regarding thermal bath events as well as a birthday greeting via e-mail. During the registration, the following data shall be stored:
- Parents' forenames*
- Parents' surname*
- E-mail address*
- Street and building no.
- Postal code
- Child's forename*
- Child's surname*
- Child's age*
For the processing of the data, during the registration process, reference shall be made to this Data Protection Declaration. The data shall be collected via the open source provider Mautic from Mautic Inc. The tool is operated exclusively on servers in Germany. You can find information regarding the shipping provider's data protection guidelines at: https://www.mautic.org/what-is-mautic
10.2) Legal Basis for the Data Processing
The legal basis for the processing of your personal data during the registration for the Galaxino Club shall be your consent in accordance with Art. 6 Para. 1 lit. a EU-GDPR. The participation in mailing campaigns shall likewise be based upon a consent which shall be separately requested during the registration process. In order to use the Club's benefits, the processing of the personal data may also include (pre-)contractual measures in accordance with Art. 6 Para. 1 lit. b EU-GDPR.
10.3) Purpose of the Data Processing
Your registration shall serve the purpose of implementing and simplifying the organisation of the Galaxino Club and enable the simplified conclusion of agreements between you and us. The processing of your personal data for the inquiry shall thus be undertaken in order to negotiate the agreement between you and us or in order to implement pre-contractual measures. In addition, we reserve the right to also use the data for marketing purposes and/or to promote the sale of goods or services if you have issued your consent in this regard.
10.4) Duration of the Storage
Your data shall be deleted as soon as they are no longer required for the attainment of the purpose for their collection. This shall then be the case for the pre-contractual measures during the registration process in order to fulfil an agreement or in order to implement the aforementioned pre-contractual measures if your personal data are no longer required for the implementation of the agreement. Even after the conclusion of the agreement as well, it may be necessary to store the contractual partner's personal data in order to fulfil contractual or legal obligations. Insofar as you revoke your consent or cancel your child's Club account, all of your child's data that are not subject to a retention obligation shall be promptly deleted when the revocation becomes effective.
10.5) Rights of Revocation and Deletion
You shall have the right at any time to revoke the inquiry and/or registration. You may have the data stored about you altered at any time. If your personal data are required in order to fulfil an agreement or in order to implement pre-contractual measures, a premature deletion of your personal data shall be possible only insofar as contractual or legal obligations and/or the company's entitled interests do not oppose a deletion.
11) Contact Form and Contact via E-Mail
11.1) Description and scope of data processing
The contact form on our website can be used to contact us electronically. If you choose to contact us via this form, the data entered in the input mask will be transmitted to us and saved. The following data is required to send enquires via the contact form:
- First name*
- Last name*
- House number
- Email address*
- Your message*
Alternatively, you can contact us via the email address provided. In this case, your personal data transmitted via the email will be saved. Data received this way will not be passed on to third parties. The data will only be used to process the enquiry.
11.2) Legal Basis
The legal basis for the processing of your personal data, which are transmitted when making contact via the contact form or e-mail, shall be Art. 6 Para. 1 lit. f EU-GDPR.
If the initiation of contact via the contact form or e-mail is for the purpose of concluding an agreement, then Art. 6 Para. 1 lit. b EU-GDPR shall be a supplemental legal basis for the processing.
11.3) Purpose of the Data Processing
In the case that contact is initiated via the contact form or e-mail, the processing of your personal data shall serve us solely for the processing of your message to us.
11.4) Storage Timeframe
Your personal data shall be deleted as soon as they are no longer required for the fulfilment of the purpose of their collection.
For personal data from the input mask of the contact form and that data which have been sent via e-mail, this shall then be the case if the conversation has been ended. The conversation shall then be considered to have been ended if it can be inferred based upon the circumstances that the affected issue has been definitively clarified.
The personal data also collected during the sending process shall be deleted by no later than after seven days.
11.5) Rights of Objection and Deletion
You shall have the right at any time to object to the processing of your personal data in the future when making contact via the contact form or e-mail. In such a case, the conversation cannot be continued between you and us. In this case, all personal data that have been stored when contact was made shall be deleted.
12) Web tracking with Google Analytics (GA 4)
12.1) Scope of the processing of personal data
This website uses Google Analytics 4, the latest web analytics service from Google. This is provided by Google Ireland Limited (Gordon House, Barrow Street 4, Dublin, D04 E5W5, Ireland). We use Google Analytics to analyse the surfing behaviour of our users.
Google Analytics uses "cookies", which are text files placed on your computer, to help the website analyse how users use the site.
The information generated by the cookie about your use of this website is usually stored on a server in the EU and transmitted to a Google server in the USA. In Google Analytics 4, the anonymisation of IP addresses is activated by default. Due to IP anonymisation, your IP address will be truncated by Google within Member States of the European Union or in other contracting states to the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and shortened there. By using the code "anonymizeIp", we enable the anonymised collection of IP addresses (so-called IP masking). The software runs exclusively on the servers of our website. Personal user data is only stored there. The data is not passed on to third parties.
During your website visit, your user behaviour is recorded in the form of "events". Events can be:
- Page views
- First visit to the website
- Start of session
- Your "click path", interaction with the website
- Scrolls (whenever a user scrolls to the bottom of the page (90%))
- Clicks on external links
- Internal search queries
- Interaction with videos
- file downloads
- ads seen / clicked on
- language settings
- Your approximate location (region)
- your IP address (in shortened form)
- technical information about your browser and the end devices you use (e.g. language setting, screen resolution)
- your internet service provider
- the referrer URL (via which website/advertising medium you came to this website)
We use Google Signals. This allows Google Analytics to collect additional information about users who have activated personalised ads (interests and demographics) and ads can be delivered to these users in cross-device remarketing campaigns.
12.2) Legal basis for data processing
The legal basis for the processing of your personal data is Art. 6 para. 1 lit. f EU-DSGVO.
12.3) Purpose of data processing
On behalf of the operator of this website, Google will use this information for the purpose of evaluating your use of the website and compiling reports on website activity. The reports provided by Google Analytics are used to analyse the performance of our website and the success of our marketing campaigns.
12.4) Duration of storage
The data sent by us and linked to cookies will be automatically deleted after 14 and 26 months respectively. Data whose retention period has been reached is automatically deleted once a month.
12.5) Possibility of objection and removal
You can also prevent the storage of cookies from the outset by configuring your browser software accordingly. However, if you configure your browser in such a way that all cookies are rejected, functionalities on this and other websites may be restricted. You can also prevent the collection of data generated by the cookie and related to your use of the website (including your IP address) by Google and the processing of this data by Google by:
a. Not giving your consent to the setting of the cookie, or
downloading and installing the browser add-on to deactivate Google Analytics. (https://tools.google.com/dlpage/gaoptout?hl=de)
12.6) Google Signals
This website actively uses Google Signals in conjunction with Google Analytics 4, which updates existing Google Analytics features (advertising reports, remarketing, cross-device reports and reports on interests including demographic characteristics) to provide an aggregated profile of your anonymised data if you allow personalised ads in your Google Account.
This is cross-device tracking. This means your data can be analysed across devices. By activating Google Signals, data is collected and linked to the Google Account. Thanks to the activation of Google Signals, we can launch cross-device marketing campaigns.
These analyses also help to better assess your behaviour, wishes and interests. This allows services and products to be optimised and adapted. The collected data is stored for 14 months and then expires. Please note that this data collection only takes place if you have allowed personalised advertising in your Google account. The data is always stored anonymously and transferred to the USA. You can also manage or delete this data in your Google account.
13) Google AdWords
For our usage of Google AdWords, we also use the Google Conversion Tracking. This is an analytical service of Google LLC (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; "Google").
Whenever you view a Google ad on our website, Google AdWords places a cookie on your device ("Conversion Cookie"). This cookie loses its validity after 30 days. It does not enable personal identification. If the cookie has not yet expired during the visit to specific pages of ours, we and Google can recognise that someone has clicked on the ad and thus has been guided to our website. Each AdWords customer shall receive another cookie. Thus, cookies cannot be tracked via the websites of AdWords customers.
The information obtained through the Conversion Cookie serves the purpose generating conversion statistics for AdWords customers which have opted for Conversion Tracking. The AdWords customers find out the total number of users who have clicked on their ad and have been guided to a page which has been affixed with a conversion tracking tag. However, they shall receive no information which could be used in order to personally identify the users. If you would not like to participate in the tracking procedure, you may also reject the placement of a cookie which is required in this regard – for example, by changing your browser's settings which generally deactivates the automated placement of cookies. You may also deactivate cookies for conversion tracking by changing your browser's settings in such a manner that cookies are blocked by the domain "googleadservices.com".
Additional information regarding Google's data protection can be found at https://www.google.com/policies/?hl=de. Users may also deactivate or object to (implement an opt-out) Google ads, in whole or in part, under http://www.google.com/settings/ads.
14) Google Web Fonts
For the uniform displaying of fonts, this website may use the so-called Google Web Fonts.
When using these fonts, your browser shall download the required fonts from our website system. They are then placed into intermediate storage in the so-called browser cache in order to correctly display the fonts.
In this context, your browser shall create no connection to Google's servers. It is thus ensured that Google obtains no knowledge of your visit or your IP address.
15) Google Maps
This website uses the Google Maps map service via an API. The provider is Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.
In order to use the Google Maps' functions, it is necessary to store your IP address. As a rule, this information is transmitted to a Google server in the USA and stored there. The provider of this website exerts no influence on this data transmission.
The usage of Google Maps is undertaken in order to enable an appealing displaying of our online offerings and the easy findability of the locations specified on the website.
Any usage of Google Maps is undertaken only based upon a consent that has been granted in accordance with Art. 6 Para. 1 lit. a GDPR.
You can find more information on the handling of user data in Google's Data Protection Declaration: https://www.google.de/intl/de/policies/privacy/.
16) Google Tag Manager
On our website, we use the Google Tag Manager from Google LLC. (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; "Google"). Insofar as you have your customary abode in the European Economic Area or Switzerland, Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland) shall be considered to be the Responsible Party for your data. Accordingly, Google Ireland Limited is the company affiliated with Google which is responsible for the processing of your data and the fulfilment of the applicable data protection laws.
The Google Tag Manager itself stores neither cookies nor any personal data created therefrom. However, it enables the activation of additional tags which may collect and process personal data.
You can find detailed information on the Usage Terms and Conditions and data protection here: https://www.google.com/intl/de/tagmanager/use-policy.html
17) Usage of Cookiebot
We use features provided by Cookiebot on our website. Cookiebot is operated by Usercentrics A/S, Havnegade 39, 1058 Copenhagen, Denmark. Cookiebot allows us, among other things, to provide you with a comprehensive Cookie Notice (also known as a Cookie Banner). By using this feature, your data may be sent to, stored and processed by, Cookiebot or Cybot.
You can find additional information at: https://www.cookiebot.com/de/privacy-policy/.
18) The Trade Desk
On our website, we use the tool called The Trade Desk from The UK Trade Desk Ltd. (Co. No. 8539108), 10th Floor, 1 Bartholomew Close, London EC1A 7BL, United Kingdom. The Trade Desk offers a technology which is known in the advertising industry as a Demand Side Platform (DSP). Stated in simplified form, this means that, by using this, digital advertising campaigns can be managed via a wide array of channels such as websites, apps, audio platforms and smart TVs.
By using cookies, pseudonymised data and data which do not enable the identification of individual persons are collected and transmitted to The Trade Desk. These data include particularly, but not exclusively, your shortened and thus pseudonymised IP address, the date and time of day of the website visit, the location of the device with which you have accessed our website (e.g. through the GPS signal of the device, Bluetooth or the WLAN signal used), page visits and interaction with the website and the referencing website (referrer). These data are transmitted to the Demand Side Platform and linked there with your pseudonymised ID. This occurs cross-website on all platforms which use this technology. The purpose of the data collection and data processing is namely to deliver only ads to you which are oriented to your past interests and thus are of higher relevance for you. Your personal data shall be pseudonymised before transmission to the Demand Side Platform by The Trade Desk. Transmission outside of the EU to the USA is also undertaken.
You can find detailed information on the technology used by The Trade Desk and its Data Protection Guidelines by clicking on the following link: http://thetradedesk.com/general/privacy-policy.
Our data collection is undertaken subject to your consent in accordance with Art. 6 Para. 1 lit. a EU-GDPR with regards to the corresponding data processing which you naturally may also revoke at any time by changing the settings in your private sphere.
This website uses the Content Delivery Network (CDN) called Cloudfront. This is a service from Amazon
Web Services Inc., 410 Terry Avenue North, Seattle, WA 98109-5210.
The Cloudfront CDN provides duplicates of data from a website on various Amazon Web Services (AWS) servers worldwide. This enables a faster loading time for the website, a higher reliability and an increased protection from data loss. Some of the photos and videos that have been integrated into this website are referred to when visiting Cloudfront
Through this retrieval, information shall be transmitted regarding your usage of our website (e.g. your IP address) to Amazon's servers outside of the EU and stored there. This occurs as soon as you enter our website. The usage of Amazon Web Services and the Amazon CDN
Cloudfront is undertaken in order to enable a higher reliability of the website, the increased protection from data loss and a better loading speed for this website.
This constitutes an entitled interest in accordance with Art. 6 Para. 1 lit. f GDPR. You can find out more about Amazon Web Services' data protection measures at:
You can find Amazon Web Services' current Data Protection Declaration at:
20) Facebook Pixels
If you have given us your express consent by clicking on a button provided for this purpose, we will use the "Facebook pixel" of Facebook Inc., 1601 S. California Ave, PaloAlto, CA 94304, USA ("Facebook") within our website. This allows users to track their behaviour after seeing or clicking on a Facebook ad. This process is used to evaluate the effectiveness of Facebook advertisements for statistical and market research purposes and can help to optimise future advertising measures. The collected data is anonymous for us and does not give us any information about the identity of the user. However, Facebook stores and processes the data so that it can be linked to the respective user profile and Facebook can use the data for their own advertising purposes in accordance with the Facebook Data Usage Policy (https://www.facebook.com/about/privacy/).
On our website, data are collected and stored via technologies from Bing Ads based upon which usage profiles are created while using pseudonyms. This encompasses a service rendered by the Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA. This service enables us to track the activities of users on our website whenever they are guided to our website via ads from Bing Ads. If you are guided to our website via such an ad, a cookie shall be placed on your computer. On our website, a Bing UET tag has been integrated. This encompasses a code via which, in conjunction with the cookie, some non-personal data are stored regarding the usage of the website. They include, among others, the time spent on the website, which sections of the website were visited and via which ad the users reached the website. Information regarding your identity shall not be collected.
The information collected shall be transmitted to Microsoft's servers in the USA and stored there for in principle a maximum of 180 days. You can prevent the collection of the data generated by the cookie and referring to your usage of the website as well as the processing of these data by deactivating the placement of cookies. However, by so doing, the functionality of the website may be restricted.
Moreover, Microsoft may possibly also track your usage behaviour across multiple devices from your electronic devices via so-called cross-device tracking and is thus able to insert personalised advertising on and/or in Microsoft websites and Microsoft apps. You may deactivate this behaviour at http://choice.microsoft.com/de-de/opt-out.
You can find detailed information regarding Bing's analytical services on Bing Ads' website ( https://help.bingads.microsoft.com/#apex/3/de/53056/2 ). You can find detailed information regarding the data protection at Microsoft and Bing in Microsoft's Data Protection Guidelines (https://privacy.microsoft.com/de-de/privacystatement).
This website uses Mouseflow, a web analysis tool from Mouseflow ApS, Flaesketorvet 68, 1711 Copenhagen, Denmark. The data processing shall serve the purpose of the analysis of this website and its visitors. In order to do this, data shall be collected and stored for marketing and optimisation purposes. Based upon these data, user profiles can be created under a pseudonym. Cookies may be used for this purpose. With the web analysis tool Mouseflow, randomly-selected individual visits are recorded (only with an anonymised IP address).
In this context, a log is created of the mouse movements and clicks with the intention of playing back individual website visits upon a random sampling basis and identifying potential improvements for the website from them. The data collected via Mouseflow shall not be used without the separately-issued approval from the affected party in order to personally identify the respective visitor to this website and shall not be commingled with personal data regarding the holder of the pseudonym. The processing shall be done upon the basis of Art. 6 Para. 1 lit. f GDPR based upon the entitled interest in direct customer communication and in the needs-specific layout of the website.
You shall have the right, owing to reasons based upon your special situation, to at any time object to this processing of your personal data in accordance with Art. 6 Para. 1 lit. f GDPR. In order to do this, you can globally deactivate a collection of data on all websites which use Mouseflow upon a global basis for the browser which you are using by clicking on the following link: https://mouseflow.de/opt-out/
For more information on Mouseflow and GDPR, visit https://mouseflow.com/gdpr/
24) Marketing Automation with Mautic
This website uses the open-source tool for marketing automation called Mautic. The tool is operated exclusively on servers in Germany. Mautic collects data from the surfing behaviour of the visitors to this website by using cookies.
Mautic is used for the following activities:
- E-mail marketing and campaigns
- Landing pages
- Website analyse
- Data collection for new members in the Galaxino Club
- Sending the newsletter
Mautic conducts data collection for the technical events (e.g. visits to pages or the reading of an e-mail) by using the following techniques:
- Tracking pixel in order to recognise whether, for example, an e-mail has been opened; personalised web links in order to recognise whether, for example, a user clicks on link from an e-mail
- Cookies in order to recognise individual users again (these so-called "first-party cookies" are stored on the user's device during the first visit to the website and can be placed and evaluated only by us
- IP address currently being used (during each visit to our website, this IP address is transmitted to us and is used in order to recognise the website's users again)
The data collected in this regard encompass:
- The activity on our website,
- Number of page visits and the length of the visit of the website visitor,
- The click path of the respective visitor,
- Downloads of files which are made available via the website,
- Visits to landing pages,
- Openings of e-mails from newsletters and campaigns,
- Browser type/browser version, browser language, internal resolution of the browser window and the screen resolution as well as the browser loading speed,
- The operating system being used,
- The Internet provider being used,
- The inputting method (among others, touchscreen),
- The device being used (desktop, tablet, mobile telephone),
- The reference/referrer URL (the previously-visited page),
- The access type (direct access and/or paid access),
- The time of day and the date of the access,
- Demographic: Your age, gender (form of address via form's data),
- Geographic data: Your location,
- Your behaviour: New visitor/returning visitor, session length including the date leaving our website, page sections, page visits, bounce rate, pages/session, date, search terms via the site search, page visited,
- The downloads (file names),
- The redirect URL (pages to which you are guided) with the page title,
- The access user agent (browser of the Mautic user),
- Chat record (insofar as this is offered and used),
- The access code.
During a registration on the website, we collect the following data from the usage of Mautic:
- Contact data (gender (form of address), forename and surname, e-mail address, birthdate)
- The IP address from the device from which the website is used
The released data are clearly recognisable for the user when filling out a form. In this regard, it is also indicated which data are required in order to submit the form.
We collect and use data with Mautic only insofar as this is required for the attainment of the business goals. In this context, the data are provided to third parties at no time.
Mautic is only then used in a personalisable manner if you have explicitly approved this. You may revoke this consent at any time by notifying the contact person whom we have designated above. In this case, all tracking data collected via Mautic shall be promptly deleted.
25) Usage of YouTube Videos
Videos from the external video platform called YouTube have been integrated into our website. Upon a standard basis, merely deactivated images from the YouTube channel have been embedded which create no automated connection to YouTube's servers. Thus, the operator receives no user data from visits to the website.
You yourself can decide whether the YouTube videos are supposed to be activated. Only then when you have approved the playback of the videos by clicking on "continuous activation" shall it be considered that you have issued your consent for the required data (among others, the Internet address from the current page as well as the user's IP address) to be transmitted to the operator.
In order to store the user's desired settings, we place a cookie which stores the parameters. However, when placing these cookies, we store no personal data: They contain merely anonymised data for the adaptation of the browser. Thereupon, the videos are active and may be played back by the user. If you would like to once again deactivate the automated loading of YouTube videos, you may once again remove the tick for your consent under the data protection symbol. By so doing, the settings for the cookies are also updated.
YouTube is a website offered by YouTube LLC, 901 Cherry Ave., San Bruno, CA 94066, USA, a subsidiary of Google Inc., 1600 Amphitheater Parkway, Mountain View, California 94043, USA.
You can find additional information regarding the purpose and scope of the data processing (including outside the European Union and outside the USA) as well as information regarding setting options in order to protect your private sphere in the Data Protection Declaration:
26) Presence on Facebook
In order to expand our Internet site, we offer a Facebook page. This encompasses a service provided by Facebook Ireland Ltd., 4 Grand Canal Square Grand Canal Harbour, Dublin 2, Ireland.
However, we wish to point out that you are using this Facebook page and its functions at your own responsibility. This shall be valid particularly for the usage of interactive functions (e.g. commenting, sharing, and rating).
When visiting our Facebook page, Facebook collects, among other things, your IP address as well as additional information which are available in the form of cookies on your PC. This information is used in order to provide us – as the operator of the Facebook page – with statistical information regarding the usage of the Facebook page. Facebook provides detailed information in this regard under the following link: https://de-de.facebook.com/help/pages/insights
The data collected about you in this context are processed by Facebook Ltd. and, where applicable, are transmitted to countries outside the European Union. Facebook describes in a general form in its Data Usage Guidelines which information Facebook receives and how this information is used. There, you will also find information regarding the options for contacting Facebook as well as the setting options for advertisements. The Data Usage Guidelines are available by clicking on the following link:
You can find Facebook's complete Data Protection Guidelines here:
Facebook has not definitively and clearly stated – and we are not aware of – in what manner Facebook uses the data from the visit to the Facebook pages for its own purposes, in what scope activities on the Facebook website are categorised to individual users, how long Facebook stores these data and whether data from a visit to the Facebook website are passed on to third parties.
When accessing a Facebook page, the IP address assigned to your device will be transmitted to Facebook. According to information provided by Facebook, this IP address is anonymised (for "German" IP addresses) and deleted after 90 days. Moreover, Facebook stores information regarding the devices of its users (e.g. within the parameters of the "log-in notification" function); where applicable, it is possible for Facebook to thus categorise IP addresses to individual users.
If you, as the user, are currently logged-in to Facebook, there will be a cookie with your Facebook ID on your device. Thus, Facebook is able to find out that you have searched for this page and how you have used it. This is also valid for all other Facebook pages. Via the Facebook buttons which have been integrated into websites, it is possible for Facebook to collect data regarding your visits to these webpages and attribute them to your Facebook profile. Based upon these data, content or advertising can be offered to you in a targeted manner.
If you would like to avoid this, you should log out of Facebook and/or deactivate the "remain logged-in" function which will delete the cookies which are present on your device as well as end and restart your browser. In this manner, any Facebook information, which could be used in order to directly identify you, shall be deleted. Thus, you can use our Facebook page without revealing your Facebook ID. Whenever you access interactive functions of the webpage (like, commenting, sharing, messages, etc.), a Facebook log-in mask will appear. Where applicable, after you have logged-in, you shall be recognisable once again for Facebook as a specific user.
You can find information regarding how you can manage or delete the existing information on the following Facebook support pages: https://de-de.facebook.com/about/privacy#
Moreover, we, as the provider of the information service, shall collect and process the following data from your usage of our service: Publicly-viewable data from the affected person's user profile. This includes, for example, the user name, the profile photo, content from comments drafted regarding our articles.
You can also find additional information regarding Facebook and other social networks and how you can protect your data on youngdata.de.
Our website uses plugins from the Instagram network operated by Facebook Inc. 1601 S. California Ave, Palo Alto, CA 94304, USA ("Facebook"). When you click on the Instagram button, the plugin establishes a direct connection between your browser and the Instagram server. This will tell Instagram that you have visited our site with your IP address. The purpose and scope of the data collection and the further processing and use of this data by Instagram is not known to us. We encourage you to review Instagram's
Our Internet site uses plug-ins from the Pinterest network which is operated by Pinterest Inc., 808 Brannan St., San Francisco, CA 94103, USA ("Pinterest").
By visiting our website with the integrated "Pin it" button, Pinterest receives the notification that you have visited the corresponding page of our Internet site. If you should be logged-in to Pinterest during your visit to our website, then Pinterest can attribute your visit to your Pinterest account. If you should click on the "Pin it" button, then the transmitted data shall be stored by Pinterest. If you would not like this, then you must log out of Pinterest before visiting our Internet site.
Please review the scope and purpose of the data collection and the more extensive processing and usage of the data by Pinterest as well as your related rights and setting options for the protection of your private sphere by reading Pinterest's Data Protection Guidelines: https://about.pinterest.com/de/privacy-policy-0
29) TikTok channel
We use the TikTok platform to post our videos and make them publicly available. TikTok is a third-party service not affiliated with us, namely TikTok Inc. 10100 Venice Blvd., Culver City, CA 90232, USA.
30) Online Shop
Purchase of Vouchers, Packages and Entrance Tickets:
Insofar as you reserve a day-based thermal bath appointment, purchase vouchers or other products in our online shop on our website, the data provided shall be processed for the following purposes:
- So that we can identify you as a customer as well as process, fulfil and implement your order
- The required correspondence with you in order to fulfil the contractual agreement
- Billing and handling any liability claims
- Asserting, exercising and warding off your legal claims
In this context, we shall process the following personal data:
- Form of address
- Surname, forename
- Street, postal code, place of residence, country
- Telephone no.
- E-mail address
- Password (optional, only applicable if you create a customer account)
- Reservation history
Consequently, our processing serves the purpose of the implementation of a contractual agreement in accordance with Art. 6 Para. 1 lit. b GDPR.
Moreover, we also process and use your data
- In order to create a customer account (optional, only applicable if you create a customer account);
- In order to contact you insofar as you have requested it or it is required for a contractual relationship or is permitted by law.
- For electronic advertising in accordance with § 7 Para. 3 Law against Unfair Competition for the same or similar services offered by Badeparadies Schwarzwald while using e-mail insofar as we have received your e-mail address from you in conjunction with the sale of a service and you do not object to the usage of the e-mail address. You may at any time object to this usage of your e-mail address without incurring any other costs than the transmission costs for this at the basic rates. If this permission policy should not be able to justify electronic advertising, we shall instead obtain your consent in accordance with Art. 6 Para. 1 lit. a) GDPR. You may at any time revoke this declaration of consent by clicking on the cancellation link at the end of the respective e-mail newsletter.
The personal data which we collect shall be passed on to third parties only insofar as this is required for the implementation of a contractual agreement or in accordance with the statutory guidelines:
- If any contracted data processors have been commissioned, an agreement has been respectively concluded in accordance with Art. 28 GDPR in order to ensure data protection-compliant and secure data processing.
- Employees of WUND Holding and, where applicable, Bluphoria GmbH may be able to view personal data relating to your order while the order is being processed or the products are shipped or when the relevant packages are being packed and prepared for shipping
- The personal data which we collect shall be passed on to the transport company commissioned with the delivery in order to implement the agreement.
- We shall pass on your payment data to the commissioned financial institution in order to process the payments. Such data shall be passed on to government institutions or government agencies only in accordance with the mandatory national legal guidelines.
We pass on your payment data to the commissioned credit institution within the framework of the processing of payments. Transfers to state institutions or authorities are only made within the framework of mandatory national legal provisions. When paying via PayPal, credit card via PayPal, direct debit via PayPal or - if offered - "purchase on account" via PayPal, we pass on your payment details to PayPal (Europe) S.à r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg (hereinafter referred to as "PayPal") as part of the payment process.
PayPal reserves the right to carry out a credit check for the payment methods credit card via PayPal, direct debit via PayPal or - if offered - "purchase on account" via PayPal. PayPal uses the result of the credit check for the statistical probability of non-payment for the purpose of deciding which payment method to provide in each case.
https://www.paypal.com/de/webapps/mpp/ua/privacy-full required for the provision of certain content and services on our website
On our website, we offer, among other options, the option of payment via "instant transfer". The provider of this payment service is Sofort GmbH, Theresienhöhe 12, 80339 Munich (hereafter, "Sofort GmbH").
Via the "instant transfer" process, we receive a payment confirmation in real time from Sofort GmbH and can begin promptly with the fulfilment of our obligations.
If you have chosen the "instant transfer" payment method, submit the PIN and a valid TAN to Sofort GmbH, by means which it can log in to your online banking account. After logging-in, Sofort GmbH shall automatically check your account balance and implement the transfer to us via the TAN which you have provided. Then it shall promptly send us a transaction confirmation. Moreover, after logging-in, your sales, the credit line of the overdraft facility and the existence of other accounts as well as their balances shall be checked in automated fashion.
In addition to the PIN and the TAN, the payment data which you have entered as well as data regarding your person shall be transmitted to Sofort GmbH. The data regarding your person shall encompass your forename and surname, address, telephone number(s), e-mail address, IP address and, where applicable, any additional data required for payment processing purposes. The transmission of these data shall be required in order to verify your identity and prevent attempts to commit fraud.
The transmission of your data to Sofort GmbH shall be undertaken upon the basis of Art. 6 Para. 1 lit. a GDPR (consent) and Art. 6 Para. 1 lit. b GDPR (processing for the fulfilment of an Agreement). You shall have the possibility of revoking your consent at any time for data processing. A revocation shall not have any ramifications on the effectiveness of the data processing procedures undertaken in the past.
You can find details regarding making payment via an instant transfer by clicking on the following links: https://www.sofort.de/datenschutz.html and https://www.klarna.com/sofort/.
When paying via Amazon Pay, we will forward your payment details first to Amazon Payments Europe s.c.a., and second to Amazon EU SARL, Amazon Services Europe SARL and Amazon Media EU SARL. All three are headquartered at 5 Rue Plaetis, L 2338 Luxembourg (hereinafter "Amazon Payments").
Amazon Payments reserves the right to conduct a credit check. Amazon Payments uses the findings of the credit check to determine the statistical probability of default and whether or not to provide the respective payment method. The credit check may include probability values (score values). Where score values are included in the credit report, these are based on a scientifically recognised mathematical statistics method. Your address details will also be included when calculating the score values.
Amazon Payments is also entitled to forward your personal data to unnamed third parties such as banks, e-service providers, service partners, as well as auditors, analytics services, credit agencies, marketing partners, cloud service providers, retargeting providers and affiliated companies.
31) Survey Monkey
We use the SurveyMonkey tool to create and analyse surveys. The service provider is Momentive Europe UC, 2 Shelbourne Buildings, Second Floor, Shelbourne Rd, Ballsbridge, Dublin 4, Ireland. We work together with Customer Research 42 GmbH, Birkenweiler 4, 88699 Frickingen to implement this service.
The data processing takes place on the basis of consent in accordance with Article 6 (1)(a) GDPR and our legitimate interest (Article 6 (1)(f) GDPR) in providing a technically error-free and optimised service.
We have concluded an order processing contract with Customer Research 42 GmbH, in which they undertake to protect the data of our customers, not to pass it on to third parties and, in the event of a transfer of personal data via subcontractors or affiliated companies to non-European third countries, to comply with the provisions of Art 46 GDPR.
Information on how Customer Research 42 GmbH processes personal data can be found on their website:
32) Applying for a Badeparadies Card
32.1) Handling of personal data
You can apply for a BADEPARADIES Card online on our website. We process your data for the following purposes:
- Creation, personalisation, provision and management of the BADEPARADIES Card
- Participation in customer campaigns (loyalty rewards, bonuses, special offers) and loyal customer deals
- Sending information about new services, offers and campaigns that affect the BADEPARADIES Card (Badeparadies Card newsletter)
- Sending information by post
- Emailing the Badeparadies Schwarzwald newsletter
32.2) The legal basis for the data processing
The processing of your data for the individual purposes shall be undertaken respectively upon the following legal basis:
- Contractual fulfilment in accordance with Art. 6 Para. 1 lit. b) GDPR
- Entitled interest in accordance with Art. 6 Para. 1 lit. f) GDPR in conjunction with the provisions of § 7 Law against Unfair Competition.
Entitled interests which are being pursued by the Responsible Party:
The sending of print media and the BADEPARADIES Card Newsletter encompass such information which is relevant for BADEPARADIES Card users and is supported by the entitled interest of the Responsible Party in conducting advertising. This notwithstanding, we may and shall also contact you if we have questions or concerns regarding the implementation of the BADEPARADIES Card insofar as this is required for the fulfilment of the agreement.
Our entitled interest in conducting advertising shall opposed by no higher-priority interest of the Affected Party which is worthy of protection because we follow the provisions of § 7 Para. 3 Law against Unfair Competition for e-mail advertising for the processing. Accordingly, advertising via electronic post is also permissible without consent if we have received your e-mail address from a contractual relationship, the advertising is being done only for the same or similar products, you have not objected to the usage of your data for advertising purposes and you have been informed of your right of objection during the collection of the data and each advertising-related usage thereof.
If you would like to receive no more advertising from us, you may at any time object to the advertising-related usage of your data for the future. In order to do so, please contact us via the address email@example.com or use the cancellation link at the end of each e-mail newsletter.
The collection and processing of your BADEPARADIES Card shall be done exclusively by authorised employees of Badeparadies Schwarzwald who have been obligated in writing to fulfil a confidentiality obligation. For the processing of your data for the purpose of the sending of the electronic newsletter, we cooperate with a contracted data processor with whom a contracted data processing agreement has been concluded in accordance with Art. 28 GDPR.
32.4) Retention Duration
We shall store your data,
- If the processing is based upon an entitled interest of ours, but nonetheless at the longest only until you object to this processing.
- If we require the data for the implementation of an agreement, but nonetheless at the longest only as long as the contractual relationship exists with you or statutorily-prescribed retention timeframes are valid.
The data which we have stored shall be deleted whenever they are no longer required for their designated purpose and the deletion is opposed by no entitled interests or statutorily-prescribed retention obligations.
Insofar as the data are not deleted because they are required for other and statutorily-permissible purposes, their processing shall be restricted. That is to say, the data shall be blocked and not processed for other purposes. This shall be valid, for example, for data from users which must be retained owing to reasons under commercial or tax law.
32.5) Dissemination to Non-EU Countries
Data transmission to countries outside of the European Union shall not be undertaken.
32.6) Data Supplying Prescribed or Required
The supplying of your data shall be required for the creation and, where applicable, issuance of a new BADEPARADIES Card if it has been lost.
33) Direct Marketing
33.1) Description and Scope of the Data Processing
Our company shall process personal data such as your address and your name in order to send you advertising by post and thus in order to increase the sales of goods or services.
33.2) Legal Basis for the Data Processing
The legal basis for the processing of your personal data for direct marketing by post shall be Art. 6 Para. 1 lit. f EU-GDPR.
33.3) Purpose of the Data Processing
The purpose of the processing of your personal data for direct marketing by post shall be the promotion of the sales of goods or services. Our entitled interest in the data processing in accordance with Art. 6 Para. 1 lit. f EU-GDPR lies in this purpose.
33.4) Storage Timeframe
Your personal data shall be deleted as soon as they are no longer required for the fulfilment of the purpose for their collection; this shall be particularly the case upon the receipt of an objection to such processing.
33.5) Rights of Objection and Deletion
You may at any time object to the processing of your personal data for direct marketing by post for the future.
34) Legal Defence and Assertion of Rights
34.1) Description and Scope of the Data Processing
Our company intends to protect itself by asserting a legal defence against unjustified claims. Moreover, we shall assert the claims and rights to which we are entitled.
For this, it is necessary to process personal data.
They are created from the legally-relevant data of the affected persons.
34.2) Purpose of the Data Processing
The purpose of the processing of your personal data for measures for legal defence and the assertion of rights shall be the warding-off of unjustified claims as well as the legal assertion of claims and rights. Our entitled interest in the data processing in accordance with Art. 6 Para. 1 lit. f EU-GDPR lies in this purpose.
34.3) Storage Timeframe
Your personal data shall be deleted as soon as they are no longer required for the attainment of the purpose for their collection.
34.4) Rights of Objection and Deletion
The processing of your personal data for measures for legal defence and the assertion of rights shall be mandatorily required for such measures. Consequently, you shall have no right of objection.
35) Recipient Categories
Within our company, those job positions and divisions shall receive personal data which need them in order to fulfil the aforementioned purposes. In addition, we sometimes commission various service providers and pass on your personal data to additional trustworthy recipients. They can be, for example:
- Scan service
- Printing shops
- Letter shops
- IT service providers
- Attorneys and courts
36) Rights of the Affected Persons
36.1) Right to Information
You may demand a confirmation from the Responsible Party in accordance with Art. 15 EU-GDPR regarding whether your personal data are being processed by us.
If such processing is indeed being conducted, you may demand the following information from the Responsible Party in accordance with Art. 15 Para. 1 EU-GDPR:
- The purposes for which the personal data are being processed
- The categories of personal data which are being processed
- The recipients and/or the categories of recipients to whom your personal data have been disclosed or are still being disclosed
- The planned duration of the storage of your personal data or, if concrete information in this regard is not possible, the criteria for determining the storage timeframe
- The valid existence of a right to the correction or deletion of your personal data, a right to the restriction of the processing by us or a right of objection against this processing
- The valid existence of a right to lodge a complaint to a government supervisory agency
- All available information regarding the origin of the data if the personal data are not being collected from the affected person
- The existence of automated decision-making including profiling in accordance with Art. 22 Paras. 1 and 4 EU-GDPR and – at least in these cases – detailed information regarding the logics involved as well as the scope and the intended ramifications of such processing for you. You shall have the right to demand information regarding whether your personal data shall be transmitted to a non-EU country or to an international organisation. In this context, you may demand to be instructed regarding the suitable guarantees in accordance with Art. 46 EU-GDPR in conjunction with the transmission thereof
If these data are transmitted to a non-EU country or to an international organisation, then you shall have the right, in accordance with Art. 15 Para. 2 EU-GDPR, to be instructed regarding the suitable guarantees in accordance with Art. 46 EU-GDPR in conjunction with the transmission thereof.
36.2) Right of Correction
In accordance with Art. 16 EU-GDPR, you shall have a right to the correction and/or completion of your personal data that is owed by the Responsible Party insofar as your processed personal data are incorrect or incomplete. We must promptly undertake the correction.
36.3) Right of Restriction of the Processing
As derived from Art. 18 Para. 1 EU-GDPR, you may – subject to the following prerequisites – demand the restriction of the processing of your personal data:
- If you dispute the correctness of your personal data for a timeframe which enables the Responsible Party to verify the correctness thereof (Art. 18 Para. 1 lit. a EU-GDPR)
- The processing is illegal and you reject the deletion of the personal data and instead demand the restriction of the usage of the personal data (Art. 18 Para. 1 lit. b EU-GDPR)
- We no longer require the personal data for the purposes of the processing, but you nonetheless require them for the assertion, exercising or warding-off of legal claims (Art. 18 Para. 1 lit. c EU-GDPR)
- If you have lodged an objection to the processing in accordance with Art. 21 Para. 1 EU-GDPR and it has not yet been determined whether our entitled reasons outweigh your entitled reasons. (Art. 18 Para. 1 lit. d EU-GDPR)
If the processing of your personal data has been restricted, these data may – apart from their storage – be processed only subject to your consent or in order to assert, exercise or ward off legal claims or in order to protect the rights of another natural or juridical person or owing to reasons of an important public interest held by the European Union or a member country.
(Art. 18 Para. 2 EU-GDPR)
If the processing has been restricted based upon the aforementioned requirements, we shall notify you before the restriction is rescinded.
(Art. 18 Para. 3 EU-GDPR)
36.4) Right of Deletion
a) Deletion Obligation
In accordance with Art. 17 Para. 1 EU-GDPR, you may demand that we promptly delete your personal data. Moreover, we shall be obliged to promptly delete these data insofar as one of the following reasons is applicable:
- Your personal data are no longer required for the purposes for which they have been collected or in some other manner processed. (Art. 17 Para. 1 lit. a EU-GDPR)
- You revoke your consent, based upon which the processing was supported in accordance with Art. 6 Para. 1 lit. a or Art. 9 Para. 2 lit. a EU-GDPR and no other legal basis exists for the processing. (Art. 17 Para. 1 lit. b EU-GDPR)
- You lodge an objection to the processing in accordance with Art. 21 Para. 1 EU-GDPR and no prevailing justified reasons exist for the processing or you lodge an objection to the processing in accordance with Art. 21 Para. 2 EU-GDPR. (Art. 17 Para. 1 lit. c EU-GDPR)
- Your personal data have been illegally processed. (Art. 17 Para. 1 lit. d EU-GDPR)
- The deletion of your personal data is required in order to fulfil a legal obligation in accordance with the law of the European Union or the law of the member countries to which the Responsible Party is subject. (Art. 17 Para. 1 lit. e EU-GDPR)
- Your personal data have been collected within the parameters of the services offered by the Information Society in accordance with Art. 8 Para. 1 EU-GDPR. (Art. 17 Para. 1 lit. f EU-GDPR)
b) Notification of Third Parties
If we have publicly disclosed your personal data and are obliged to their deletion in accordance with Art. 17 Para. 1 EU-GDPR, then we shall – subject to the consideration of the available technology and the implementation costs, undertake appropriate measures – including of a technical nature – in order to notify the Responsible Party for the data processing who shall process the personal data that you, as the affected person of such personal data, have demanded the deletion of all links to these personal data or copies or replications of these personal data. (Art. 17 Para. 2 EU-GDPR)
The right of deletion shall not be valid insofar as the processing is required owing to one of the following reasons:
- In order to exercise the right of free expression and to provide information (Art. 17 Para. 3 lit. a EU-GDPR)
- In order to fulfil a legal obligation which requires the processing in accordance with the law of the European Union or the law of the member countries to which we are subject or in order to fulfil a task which lies in the public interest or in order to exercise public authority which has been assigned to us (Art. 17 Para. 3 lit. b EU-GDPR)
- Owing to reasons lying in the public interest in the area of public health in accordance with Art. 9 Para. 2 lit. h and i as well as Art. 9 Para. 3 EU-GDPR (Art. 17 Para. 3 lit. c EU-GDPR)
- For the archiving purposes lying in the public interest, scientific or historical research purposes or for statistical purposes in accordance with Art. 89 Para. 1 EU-GDPR insofar as the right specified under Section a) is anticipated to make the realisation of the goals of this processing impossible or seriously restrict them or (Art. 17 Para. 3 lit. d EU-GDPR)
- In order to assert, exercise or ward off legal claims. (Art. 17 Para. 3 lit. e EU-GDPR)
36.5) Right of Notification
If you have asserted the right to the correction, deletion or restriction of the processing in your dealings with us, we shall be obliged, in accordance with Art. 19 EU-GDPR, to notify all recipients, to whom your personal data have been disclosed, of this correction or deletion of the data or restriction of the processing unless this is revealed to be impossible or is associated with disproportionate expenditures. You shall be entitled to request that we notify you of these recipients.
36.6) Right of Data Portability
In accordance with Art. 20 Para. 1 EU-GDPR, you shall have the right to receive your personal data, which you have provided to the Responsible Party, in a structured, standard and machine-readable format. Furthermore, you shall have the right to pass on these personal data to another Responsible Party without any objections upon our side insofar as
- The processing is based upon a consent in accordance with Art. 6 Para. 1 lit. a EU-GDPR or Art. 9 Para. 2 lit. a EU-GDPR or upon an Agreement in accordance with Art. 6 Para. 1 lit. b EU-GDPR and (Art. 20 Para. 1 lit. a EU-GDPR)
- The processing is undertaken via an automated process (Art. 20 Para. 1 lit. b EU-GDPR)
Furthermore, in accordance with Art. 20 Para. 2 EU-GDPR, you shall have the right to request that your personal data be passed on directly by us to another Responsible Party insofar as this is technically possible.
The exercising of the right in accordance with Art. 20 Para. 1 EU-GDPR shall not affect the right of deletion in accordance with Art. 17 EU-GDPR. This shall not be valid for a processing which is required for the fulfilment of a task, which lies in the public interest or is done in the exercising of assigned public authority. This shall be based upon Art. 20 Para. 3 EU-GDPR.
In accordance with Art. 20 Para. 4 EU-GDPR, the freedoms and rights of other persons may not be restricted by so doing.
The right of data portability shall not be valid for a processing of personal data which is required for the fulfilment of a task, which lies in the public interest or is done in the exercising of public authority which has been assigned to us.
36.7) Right of Objection
You shall have the right, in accordance with Art. 21 Para. 1 EU-GDPR, owing to reasons which are based upon your special situation, to at any time object to the processing of your personal data which is being done in accordance with Art. 6 Para. 1 lit. e or f EU-GDPR; this shall also be valid for a profiling supported by these provisions.
We shall no longer process your personal data unless we can document mandatory reasons worth protecting for the processing which outweigh your interests, rights and freedoms or the processing is being done in order to assert, exercise or ward off legal claims.
If your personal data are being processed in order to conduct direct advertising, you shall have the right at any time to lodge an objection to the processing of your personal data for the purposes of such advertising; this shall also be valid for the profiling insofar as it is associated with such direct advertising.
(Art. 21 Para. 2 EU-GDPR)
If you object to the processing for purposes of direct advertising, then we shall no longer process your personal data for these purposes.
(Art. 21 Para. 3 EU-GDPR)
You shall have the option, in conjunction with the usage of services from the Information Society – notwithstanding Guideline 2002/58/EC – to exercise your right of objection via an automated procedure whereby technical specifications are used. (Art. 21 Para. 5 EU-GDPR)
Furthermore, you shall have the right, owing to reasons based upon your special situation, to lodge an objection to the processing of your personal data which is being done for scientific or historical research purposes or statistical purposes in accordance with Art. 89 Para. 1 EU-GDPR unless the processing is required for the fulfilment of a task lying in the public interest.
(Art. 21 Para. 6 EU-GDPR)
36.8) Right of Revocation of the Declaration of Consent under Data Protection Law
You shall have the right, in accordance with Art. 7 Para. 3 EU-GDPR, to revoke your Declaration of Consent under data protection law at any time. However, the revocation of the consent shall not affect the legality of the processing undertaken based upon the consent until it was revoked.
You were instructed in this regard before your consent was granted.
36.9) Automated Decision-Making in the Individual Case Including Profiling
You shall have the right to not be subjected to a decision-making procedure which is based exclusively on automated processing – including profiling – which creates legal ramifications for you or substantially restricts you in a similar manner. This shall not be valid if the decision-making
- Is required for the conclusion or the fulfilment of an Agreement between you and us
- Owing to the legal guidelines of the European Union or of the member countries to which we are subject, is permissible and these legal guidelines include appropriate measures in order to safeguard your rights and freedoms as well as your entitled interests or
- Is done subject to your express consent.
This is based upon Art. 22 Paras. 1, 2 EU-GDPR.
However, these decisions may not be based upon special categories of personal data in accordance with Art. 9 Para. 1 EU-GDPR unless Art. 9 Para. 2 lit. a or g EU-GDPR is valid and appropriate measures have been undertaken in order to protect the rights and freedoms as well as your entitled interests.
With regards to the cases specified in (1) and (3), we shall undertake appropriate measures in order to safeguard the rights and freedoms as well as your entitled interests whereby this shall include at least the right to affect the intervention of a person upon the Responsible Party's side, to state one's own viewpoint and to contest the decision.
(Art. 21 Paras. 3, 4 EU-GDPR)
36.10) Right to Lodge a Complaint to a Government Supervisory Agency
Irrespective of any other legal remedies under administrative law or from the courts, you shall have the right, in accordance with Art. 77 EU-GDPR, to lodge a complaint to a government supervisory agency – particularly in the member country of your place of residence, your workplace or the location of the purported violation if you are of the belief that the processing of your personal data violates the EU-GDPR.
The government supervisory agency to which the complaint has been submitted shall notify the complainant of the status and outcome of the complaint – including the option of seeking a legal remedy in court in accordance with Art. 78 GDPR.
(Art. 77 EU-GDPR)
The competent government supervisory agency for us is:
The Bayerische Landesbeauftragte für den Datenschutz [Bavarian State Data Protection Commissioner] (BayLfD)
The government supervisory agency to which you have submitted your complaint shall notify you of the status and the outcome of the complaint – including the option of seeking a legal remedy in court in accordance with Art. 78 EU-GDPR. If you have any questions or comments, our Data Protection Officer would be glad to support you at any time.
37) Note regarding the Data Protection Declaration
Unless regulated to the contrary, the usage of all information which we have about you shall be subject to this Data Protection Declaration.
The company reserves the right to adapt this Data Protection Declaration upon an on-going basis to the required security measures based upon the technological development and shall announce any changes at this point.
Last updated: July 2023