Data Protection Declaration
I) Name and address of the responsible party
Kur- und Kongreß-GmbH Bad Homburg v. d. Höhe
The Kur- und Kongreß-GmbH Bad Homburg is the responsible party in the sense of the EU General Data Protection Regulation (GDPR) and other national data protection laws.
The contact details of the data protection authority of the responsible party are: Data Protection Officer
We collect and use personal data of the users of our website only to the extent necessary in providing a functional website, including our content and services. In principle, our users’ personal data is collected and used only with their consent. An exception to this principle applies in cases where the processing of data is permitted by legal regulations or where obtaining prior consent is not possible for factual reasons.
The legal bases for the processing of personal data are provided in principle by:
3) Data deletion and storage period
IV) Use of our website and general information
1) Description and scope of data processing
Every time our website is accessed, our system automatically collects data and information from the user’s computer system. At this point in time, the following information is collected:
The data described is stored in the log files of our system. The data is not stored together with any other personal data of the user.
The temporary storage of the IP address by our system is necessary to enable the delivery of the website to the user’s computer. For this purpose, the user's IP address must remain stored for the duration of the session. The legal basis for the temporary storage of user data and log files is Art. 6 Para. 1 Lit. f GDPR. The collection of a user’s personal data for the provision of our website and the storage of the data in log files is mandatory for the operation of the website. Therefore, it is not possible for the user to object.
If user data is stored in log files, it is deleted after seven days at the latest. Storage beyond this period is possible, in which case the IP address of the user is deleted or alienated. An assignment of the calling client is thus no longer possible.
We use cookies on our website. Cookies are text files that are stored in the Internet browser or by the Internet browser on the user’s computer system. If a user calls up a website, a cookie may be stored on his or her operating system. This cookie contains a string of characters that enables the browser to be uniquely identified when the website is called up again. We use cookies to make our homepage more user-friendly. Some elements of our website require that the browser is still identifiable even after a page change. During the process, the following data is stored and transmitted:
The legal basis for the processing of personal data using cookies results from Art. 6 Para. 1 Lit. f GDPR. The purpose for using cookies that are technically required is to simplify the use of our website. Please note that some functions of our website may only be accessible with the use of cookies. These functions include the following applications: The following is a list of applications. Examples include:
Please note that we do not use user data collected by way of technically required cookies to create user profiles. Cookies are stored on a user’s computer and transmitted from there to our website. Users therefore have control over the use of cookies. They may restrict or deactivate the transmission of cookies by making changes to the settings of their Internet browser. There, stored cookies may also be deleted again. Please note that a user may not be able to use all of the functions of our website if he or she disables cookies.
Use of YouTube
Use of Facebook plug-ins
Our website uses the plug-ins of the social network, facebook.com, which is operated by Facebook Inc., 1601 S. California Ave, Palo Alto, CA 94304, USA (“Facebook”). When pages of our website that are provided with such a plug-in are called up, a connection to the Facebook servers is established and the plug-in is displayed on the page by notifying the user’s browser. This action transmits to the Facebook server which of our pages the user has visited. If a user is logged in as a Facebook member, Facebook assigns this information to the user’s personal Facebook account. When using the plug-in functions (e.g., clicking the “Like” button or submitting a comment), this information is also assigned to the user’s Facebook account, an action that is only preventable by logging out before using the plug-in. If a user does not want Facebook to assign the collected information directly to his or her Facebook profile, he or she must either log out of Facebook before visiting our website or block the loading of Facebook plug-ins on our pages by using a so-called “Facebook blocker”. For further information on the collection and use of data by Facebook, on user rights to this end, and on options for protecting user privacy, please refer to the privacy policy of Facebook (https://www.facebook.com/policy.php).
VI) User rights / Rights of persons concerned
According to the EU General Data Protection Regulation, users have the following rights as concerned parties:
1) Right to information
You have the right to obtain from us, as data controller, information on whether we process personal data concerning you. In addition, you may request information on the following:
Lastly, the user also has the right to request information on whether his or her personal data is transferred to a third country or to an international organisation. In this case, the user may request information on the appropriate safeguards pursuant to Art. 46 GDPR in connection with the transfer. You may assert your right to information at:
2) Right to notification
If the personal data we process and which concerns the user is incorrect or incomplete, the user has the right to demand that we correct and/or complete it. Such corrections will be made without delay.
3) Right to restriction
The right to restrict the processing of personal data concerning the user may be exercised in the following cases:
(1) The accuracy of the personal data is contested for a period, thereby enabling the data controller to verify the accuracy of the personal data;
(2) The processing is unlawful and the deletion of the personal data is refused, requesting instead the restriction of use of the personal data;
(3) The data controller no longer needs the personal data for the purposes of processing, but the person concerned needs them for the establishment, exercise or defence of legal claims, or
If the processing of personal user data has been restricted, this data may – apart from being stored – only be processed with the user’s consent or for the assertion, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of an important public interest of the Union or a Member State. In the event of a restriction of processing in accordance with the principles outlined, we will inform the user before the restriction is lifted.
If the reasons outlined below apply, the user may request that his or her personal data be deleted without delay. As such, the responsible party is obliged to delete this data without delay.
The reasons are:
(1) The personal data concerning the user are no longer required for the purposes for which they were collected or otherwise processed.
(2) The processing is protected by consent according to Art. 6 Para. 1 Lit. a or Art. 9 Para. 2 Lit. a GDPR and the user revokes his or her consent. Another requirement is that there is no other legal basis for the processing.
(3) The user objects to the processing (Art. 21 Para. 1 GDPR) and there are no overriding legitimate grounds for the processing. Another possibility is that the user files an objection against the processing according to Art. 21 Para. 2 GDPR.
(4) The processing of the user’s personal data is unlawful.
(5) The deletion of the user’s personal data is required for compliance with a legal obligation under Union or Member State law to which the data controller is subject.
(6) The user’s personal data has been collected in relation to information society services offered pursuant to Art. 8 Para. 1 GDPR.
If we have made the user’s personal data public and we are obliged to delete it pursuant to Article 17 Para. 1 of the GDPR, we shall take reasonable measures, including technical measures, having regard to the available technology and the cost of implementation, to inform data controllers who process the personal data that the user, as the person concerned, has requested the deletion of all links to, or copies or replications of, such personal data.
We would like to point out that the right to deletion does not exist insofar as the processing is required:
(1) For the exercise of the right to freedom of expression and information;
(2) For compliance with a legal obligation that requires processing under Union or Member State law to which the data controller is subject, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller;
(3) For reasons of public interest in the area of public health pursuant to Art. 9 Para. 2 Lit. h and i and Art. 9 Para. 3 GDPR;
(4) For archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes pursuant to Article 89 Para. 1 of the GDPR, insofar as the right referred to in Section a) is likely to render impossible or seriously prejudice the achievement of the purposes of such processing, or
(5) For the assertion, exercise or defence of legal claims.
5) Right to information
If the user has asserted the right to rectification, deletion or restriction of processing, we will be obliged to notify all recipients to whom the user’s personal data has been disclosed of this rectification or deletion of the data or restriction of processing, unless this proves impossible or involves a disproportionate effort. Furthermore, the user has the right to be informed about these recipients.
6) Right to data portability
According to the GDPR, the user also has the right to receive the personal data that has been provided to us in a structured, common and machine-readable format. Furthermore, the user has the right to transfer this data to another data controller without hindrance by the data controller to whom the personal data was provided, provided that:
Lastly, in exercising the right to data portability, the user has the right to demand that his or her personal data be transferred directly from one data controller to another, insofar as this is technically feasible and does not adversely affect the freedoms and rights of other persons. The right to data portability does not apply to the processing of personal data required for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller.
7) Right to revoke the declaration of consent under prevailing data protection laws
The user has the right to revoke his or her declaration of consent under the prevailing data protection laws at any time. Please note that the revocation of consent does not affect the lawfulness of the processing carried out on the basis of the consent until the revocation.
8) Right to objection
Furthermore, the user has the right to object at any time, on grounds relating to his or her particular situation, to the processing of his or her personal data, which is carried out on the basis of Art. 6 Para. 1 Lit. e or f GDPR. The right to object also applies to profiling based on these provisions.
9) Automated decisions in individual cases including profiling
Under the EU General Data Protection Regulation, the user continues to have the right not to be subject to a decision based solely on automated processing – including profiling – that produces legal effects upon the user or similarly and significantly affects him or her.
However, there is an exception to this principle if the decision:
(1) is required for the conclusion or performance of a contract between the user and the responsible person;
(2) is permitted by legislation of the Union or the Member States to which the data controller is subject and that legislation contains appropriate measures to safeguard the user’s rights and freedoms and his or her legitimate interests, or
(3) is carried out with the user’s explicit consent.
If the processing is carried out within the framework of the cases mentioned in (1) and (3), the data controller shall take appropriate measures to safeguard the rights and freedoms as well as the user’s legitimate interests. This includes at least the right to obtain the intervention of a person on the part of the data controller, to express his or her own point of view and to challenge the decision. The decision under (1) to (3) may not be based on special categories of personal data pursuant to Art. 9 Para. 1 GDPR, unless Art. 9 Para. 2 Lit. a or g applies and appropriate measures have been taken to protect the rights and freedoms and the user’s legitimate interests.
Lastly, if the user considers that the processing of his or her personal data infringes upon the GDPR, the user has the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her residence, workplace or the place of the alleged infringement.
1) General information
Users may subscribe to a free newsletter on our homepage with which we inform them about our currently most interesting offers. The advertised goods and services are named in the consent form. The data that the user enters in the input mask during registration will be transmitted to us. We collect the following data on the basis of the consent obtained from the user during the registration process:
User data will not be passed on in connection with the data processing required for sending newsletters. The data will be used exclusively for newsletter dispatch.
2) Double opt-in and logging
Registration for our newsletter takes place by way of a so-called double opt-in process. After registration, users will receive an e-mail in which they are asked to confirm their registration. This confirmation is necessary so that no one may register with other email addresses. The registrations for the newsletter are logged in order to prove the registration process according to legal requirements. This includes the storage of the registration and confirmation time, as well as the IP address.
The legal basis for the processing of the data is Art. 6 Para. 1 Lit. a GDPR if the user has given his or her consent. The collection of the user's e-mail address is required to deliver the newsletter.
User data is deleted as soon as it is no longer required to achieve the purpose for which it was collected. Accordingly, a user’s email address will be stored as long as the subscription to the newsletter is active. The subscription to the newsletter may be terminated by the user at any time by revoking consent. For this purpose, the user will find a corresponding link in each newsletter.
Please note that the user may object to the future processing of his or her personal data in accordance with the legal requirements pursuant to Art. 21 GDPR at any time. The objection may be made in particular against the processing for purposes of direct advertising.
5) Statistical survey
Please note that we evaluate user behaviour when sending the newsletter. For this evaluation, the emails sent contain so-called web beacons or tracking pixels, which are single-pixel image files stored on our website. For the evaluations, we link the data mentioned under Item 1 and the web beacons with the user’s email address and an individual ID. Links received in the newsletter also contain this ID. Data is only collected pseudonymously, i.e., the IDs are not linked to a user’s other personal data; a direct personal reference is excluded. Users may object to this tracking at any time by clicking on the separate link provided in each email or by informing us via another contact channel. The information is stored for as long as the user is subscribed to the newsletter. After unsubscribing, we store the data purely statistically and anonymously.
VIII) Electronic contact and order form
Users who would like to order an item or service will find an order form on our homepage. The data entered in the input mask will be transmitted to us and stored. This data includes:
The following data is also stored at the time of message dispatch:
The processing of personal data in this context serves solely to process the order. Furthermore, it is also possible to contact us by way of the provided email address. In this case, the personal data of the user transmitted with the e-mail will be stored. User data will not be passed on to third parties in this context; the data will be used exclusively for processing communication. The legal basis for the processing of the data is Art. 6 Para. 1 Lit. a GDPR, provided the user has given his or her consent. The legal basis for the processing of data transmitted in the course of sending an email is Art. 6 Para. 1 Lit. f GDPR. If the email contact aims at the conclusion of a contract, the additional legal basis for the processing is Art. 6 Para. 1 Lit. b GDPR. In this context, the processing of personal data is solely for the purpose of processing of the contact. In addition, when contact is made by email, the necessary legitimate interest in processing the data also exists. If further personal data is processed during the dispatch process, this data is only used to prevent misuse of the order form and to ensure the security of our information technology systems. User data is deleted as soon as it is no longer required to achieve the purpose for which it was collected. Concerning the personal data from the input mask of the order form and that sent by email, this is the case when the respective correspondence with the user has ended. The correspondence is ended when it is clear from the circumstances that the matter in question has been conclusively clarified. The additional personal data collected during the dispatch process will be deleted after a period of seven days at the latest. Users have the option to revoke their consent to the processing of personal data at any time. They may also object to the storage of their personal data at any time when contacting us by email. However, please note that in such a case the correspondence cannot be continued. 
All personal data stored in the course of contacting us will be deleted in this case.
IX) Web shop
If a user would like to order from our web shop, a contract must be concluded in which he or she provides his or her personal data, which we need for the processing of the order. Mandatory data required for the processing of contracts is marked separately; other information is voluntary. We process the data provided to process the order. For this purpose, we may pass on a user’s payment data to our house bank. The legal basis for this is Art. 6 Para. 1 P. 1 Lit. b GDPR. We may also process user data to inform the user about other interesting products from our portfolio or to send him or her emails with technical information. We are required by commercial and tax law to store the user’s address, payment and order data for a period of ten years. However, we do restrict processing, i.e., the user’s data is only used to comply with legal obligations. To prevent unauthorised access of a user’s personal data, especially financial data, by third parties, the ordering process is encrypted using TLS technology.
X) Social media presence
We maintain fan pages within various social networks and platforms with the aim of communicating with customers, interested parties and users active there, and to inform them of our services. Please note that a user’s personal data may be processed outside the European Union, which may result in risks for the user (for example, when enforcing his or her rights under European / German law). Please note that some U.S. providers are certified under the Privacy Shield and have thus committed to comply with EU data protection standards. User data is usually processed for market research and advertising purposes. For example, usage profiles may be created from the usage behaviour and resulting interests of the users.
These usage profiles may in turn be used, for example, to place advertisements within and outside the platforms that presumably correspond to the interests of the users. For these purposes, cookies are usually stored on the users’ computers, in which the usage behaviour and interests of the users are stored. Furthermore, data may also be stored in the usage profiles regardless of the devices used by the users (especially if the users are members of the respective platforms and are logged into them). The processing of the users’ personal data is based on our legitimate interests in effectively informing users and communicating with users pursuant to Art. 6 Para. 1 Lit. f. GDPR. If users are asked by the respective providers to consent to data processing (i.e., declare their consent, e.g., by ticking a checkbox or confirming a button), the legal basis for processing is Art. 6 Para 1 Lit. a., Art. 7 GDPR. For further information on the processing of personal user data and a user’s objection options, please refer to the links of the respective provider as listed below. The assertion of information and other rights of the persons concerned may also be made against the providers, then only if they have direct access to the data of the users and have the corresponding information. We are of course happy to answer any questions you may have and to support you if you need assistance.
Provider: Facebook
Use of Google Analytics
This website uses Google Analytics, a web analytics service provided by Google, Inc. (“Google”). Google Analytics uses “cookies”, which are text files placed on a user’s computer, to help the website analyse how users use the site. The information generated by the cookie about the use of this website is usually transmitted to a Google server in the USA and stored there. In the event that IP anonymisation is activated on this website, however, the user’s IP address will be truncated beforehand by Google within member states of the European Union or in other contracting states to the Agreement on the European Economic Community. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and abbreviated there. On behalf of the operator of this website, Google will use this information for the purpose of evaluating a user’s use of the website, compiling reports on website activity and providing other services relating to website activity and Internet usage to the website operator. The IP address transmitted by a user’s browser as part of Google Analytics will not be merged with other data from Google. Users may refuse the use of cookies by selecting the appropriate settings on their browsers; however, please note that this may lead to the website not being fully functional to the user. Users may also prevent the collection of data generated by the cookie and related to their use of the website (including their IP address) to Google and the processing of this data by Google by downloading and installing the browser plug-in available at the following link: http://tools.google.com/dlpage/gaoptout?hl=de.
This website uses Google Analytics with the extension “_anonymizeIp()”. This means that IP addresses are processed in an abbreviated form, thus excluding the possibility of personal references.
Insofar as the data collected about a user is related to a person, this is therefore immediately excluded and the personal data is thus immediately deleted. We use Google Analytics to analyse and regularly improve the use of our website. The statistics obtained enable us to improve our offerings and make them more interesting for users. For exceptional cases in which personal data is transferred to the USA, Google has submitted to the EU-US Privacy Shield.
Information on the third-party provider: Google Dublin, Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland, Fax: +353 (1) 436 1001. Conditions of Use: http://www.google.com/analytics/terms/de.html, Overview of Privacy Policy: http://www.google.com/intl/de/analytics/learn/privacy.html, and Data Protection Declaration: http://www.google.de/intl/de/policies/privacy.
XII) Use of Google fonts