Information in accordance with Section 5 of the German Telemedia Act (TMG):
Ferien im Bergdorf Spessart GmbH

Represented by:
Lisa Köhler and Toyanna Benkert-Visavachaiwat

Address

Ferien im Bergdorf Spessart GmbH
Oberer Friedrichsberg 23-29
63639 Flörsbachtal-Lohrhaupten

Postal address
Hauptstraße 27
63639 Flörsbachtal-Lohrhaupten

Telephone: +49 170 4778994
E-Mail: info@bergdorf-spessart.de
Internet: www.bergdorf-spessart.de

DISCLAIMER

Liability for content:
The utmost care has gone into creating our site. However, we cannot assume any liability for the accuracy, completeness or topicality of its contents. As a service provider, we are responsible for the content we publish on these pages in accordance with general legislation in accordance with Section 7 (1) of the German Telemedia Act (TMG). According to Sections 8 to 10 of the TMG, however, we are not required as a service provider to monitor transmitted or stored third-party information or to investigate possible illegal activity. Obligations to remove or block the use of information in accordance with general laws remain unaffected by this. However, we shall only become liable in this respect from the time at which we became aware of a definite breach. If we become aware of any such infringements, we will remove this content immediately.

Liability for links:
Our offer contains links to external websites hosted by third parties, the content of which we have no control over. Therefore, we cannot assume any liability for external content. The respective provider or operator of the pages is always responsible for the content of the linked pages. The linked pages were checked for possible legal violations at the time of linking. Illegal content was not identified at the time of linking. However, it is not deemed reasonable to permanently monitor the content of the linked pages without concrete evidence of a violation of the law. If we become aware of any infringements of the law, we will remove such links immediately.

Copyright:
The content and works created by the site operators on these pages are subject to German copyright law. The reproduction, editing, distribution and any kind of utilisation outside the limits of copyright law shall require the written consent of the respective author or creator. Downloads and copies of this page are only permitted for private, non-commercial purposes. The copyrights of third parties shall be respected if the content on this site was not created by the operator. Third-party content, in particular, is identified as such. Nevertheless, please inform us should you become aware of a copyright infringement. If we identify any infringements, we will remove such content immediately.

Bilder Quellenangabe:
Datei-Nr.: 387899980 von efimenkoalex / stock.adobe.com
Datei-Nr.: 175859106 von Joshua Resnick / stock.adobe.com
Datei-Nr.: 383094990 von efimenkoalex / stock.adobe.com
Datei-Nr.: 225307359 von kichigin19 / stock.adobe.com
Datei-Nr.: 376056708 von Melinda Nagy / stock.adobe.com
Datei-Nr.: 334957230 von Rembrandt is Dead. / stock.adobe.com
Datei-Nr.: 288864119 von vectorfusionart / stock.adobe.com
Datei-Nr.: 306912082 von Alessandro Biascioli / stock.adobe.com
Datei-Nr.: 254218202 von anatoliy_gleb / stock.adobe.com
Datei-Nr.: 104737822 von XtravaganT / stock.adobe.com
Datei-Nr.: 139704957 von Mediteraneo / stock.adobe.com
Datei-Nr.: 92669330 von Sina Ettmer / stock.adobe.com
Datei-Nr.: 255543568 von Thomas / stock.adobe.com
Datei-Nr.: 296896028 von naughtynut / stock.adobe.com
Datei-Nr.: 92302779 von Sina Ettmer / stock.adobe.com
Datei-Nr.: 269918769 von Comofoto / stock.adobe.com
Datei-Nr.: 170650489 von Ilhan Balta / stock.adobe.com
Datei-Nr.: 170627925 von mstein / stock.adobe.com
Datei-Nr.: 330934426 von andrey / stock.adobe.com
Datei-Nr.: 203659600 von fesenko / stock.adobe.com
Datei-Nr.: 131468551 von Jasmin Merdan / stock.adobe.com
Datei-Nr.: 292594417 von Sina Ettmer / stock.adobe.com
Datei-Nr.: 242166907 von leszekglasner / stock.adobe.com
Datei-Nr.: 298759772 von Maria Sbytova / stock.adobe.com
Datei-Nr.: 298568535 von Eric Mitchell Photos / stock.adobe.com
Datei-Nr.: 106596388 von Monkey Business / stock.adobe.com
Datei-Nr.: 177245281 Von Zsolnai Gergely / stock.adobe.com
Datei-Nr.: 440636577 Von Anastasia / stock.adobe.com
Datei-Nr.: 178980290 von karepa / stock.adobe.com
Datei-Nr.: 182068771 von kerkezz / stock.adobe.com
Datei-Nr.: 300019621 von ArtSys / stock.adobe.com
Datei-Nr.: 247354014 von exclusive-design / stock.adobe.com
Datei-Nr.: 26344874 von Franziska Reichelt / stock.adobe.com
Datei-Nr.: 37975912 von C. Rupp / stock.adobe.com
Datei-Nr.: 434477030 von Rawpixel.com / stock.adobe.com
Datei-Nr.: 83117744 von lichtmeister / stock.adobe.com
Wine tasting and guided tours: Stiftung Bürgerspital zum Hl. Geist, Würzburg

Introduction

The present privacy polices serves to inform you about the different types of your personal data (hereinafter referred to as "data") that we process, the purposes for which we process such data, and the extent to which data is processed. This privacy policy applies to all processing operations carried out by us, both in the context of providing services and in particular on our websites, on mobile apps and publishing content to external online sites, such as our social media profiles (hereinafter jointly referred to as “online content”).

The terms used are not gender-specific.

Last updated: 13 December 2021

Summary of the contents

• Introduction
• Legal bases
• Security measures
• Transmitting personal data
• Data processing in third countries
• Data erasure
• Cookies
• Commercial services
• Provision of our online content and web hosting
• Blogs and publication media
• Contact and request management
• Marketing communications via e-mail, post, fax or telephone
• Digital marketing
• Presence on social media networks
• Plugins and embedded functions and content
• Changes and amendments to the privacy policy
• The rights of the data subject
• Definitions

Legal bases

You will find an overview of the legal bases of the GDPR below. Please note that is the basis on which we process your personal data. Please note that, in addition to GDPR provisions, national data protection regulations may apply in your/our country of residence or domicile. Should more specific legal bases become relevant in individual cases, we will inform you of these in the privacy policy.

• Consent (Art. 6 (1)(a) GDPR) - The data subject has given their consent to the processing of personal data relating to them for a specific purpose or purposes.
• Performance of a contract and processing pre-contractual enquiries (Art. 6 (1)(b) GDPR) - processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
• Legal obligation (Art. 6 (1)(c) GDPR) - processing is necessary for compliance with a legal obligation to which the controller is subject.
• Legitimate interest (Art. 6 (1)(f) GDPR) - processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.

In addition to the data protection regulations of the General Data Protection Regulation, national regulations on data protection shall apply in Germany. This includes, in particular, the Law on the Protection against Misuse of Personal Data in Data Processing (Federal Data Protection Act - BDSG). In particular, the BDSG contains special provisions with regard to the right of access to personal data, the right to erasure, the right to object, the processing of special categories of personal data, the processing for other purposes as well as special provisions regarding data transmission and automated decision-making in specific cases, including profiling. It also regulates data processing operations within the context of an employment relationship (Section 26 BDSG), in particular with regard to establishing, implementing or terminating employment relationships as well as to obtaining consent from employees. Furthermore, data protection laws specific to individual federal states may also apply.

Security measures

We take appropriate technical and organisational measures to ensure a level of protection which is appropriate to the risk in accordance with legal requirements, which takes state-of-the-art technology, the implementation costs and the nature, scope, circumstances and purposes of the processing into account as well as the different probabilities of occurrence and the extent to which the rights and freedoms of natural persons are threatened.

The measures include, in particular, ensuring the confidentiality, integrity and availability of data by controlling physical and electronic access to data as well as the access to, entry into, disclosure of, assurance of availability of and segregation of the data. Furthermore, we have established procedures to ensure that data subjects’ rights are exercised, data is erased, and responses to data breaches are made. Furthermore, we have already take the protection of personal data into account when developing or selecting hardware, software and processes in accordance with the principle of data protection, through technology design and through privacy by default settings.

Transmitting personal data

Personal data may be transmitted to or disclosed to other bodies, companies, legally independent organisational units or persons as part of our processing operations. The recipients of this data may include, for example, service providers instructed to complete IT tasks or providers of services and content that are integrated into a website. In such cases, we comply with statutory requirements and, in particular, enter into corresponding contracts or agreements with the recipients of your data that serve to protect your data.

Data processing in third countries

If we process data in a third country (i.e., a country located outside the European Union (EU), the European Economic Area (EEA)) or if the processing takes place while using third-party services or involves disclosing or transmitting data to other persons, bodies or companies, this is only done in accordance with the statutory requirements.

We only process or have data processed in third countries with a recognised level of data protection, a contractual obligation arising from the EU Commission's so-called standard protection clauses, in the presence of certifications or binding internal data protection regulations which are subject to express consent or data transmissions required by law or by contracts (Art. 44 to 49 GDPR, information page of the EU Commission: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection_de).

Data erasure

The data processed by us will be erased in accordance with statutory requirements as soon as the consent they provided us with to process their data is revoked or other permissions cease to apply (e.g. if the purpose of processing this data has ceased to apply or it is not required for the purpose).

Where the data are not deleted because they are required for other and legally permissible purposes, the processing of such data shall be limited to those purposes. I.e. the data is blocked and not processed for other purposes. This applies, for example, to data that must be retained for commercial or tax law purposes or whose storage is necessary for the purpose of asserting, exercising or defending legal claims or for the purpose of protecting the rights of another natural or legal person.

We may provide users with further information on our policies for erasing and storing their data, which apply specifically to the respective processing operations, within the scope of our privacy policy.

Cookies

Cookies are small text files, or other storage media, which store information on terminals and read information from the terminals. For example, to store the login status in a user account, the contents of a shopping basket in an e-shop, content accessed or the functions used as part of our online content. Cookies can also be used for various purposes, e.g. for the functionality, security and comfort of online content and creating analyses of visitor flows.

Information about consent: We use cookies in accordance with statutory requirements. We therefore obtain prior consent from users, except where this is not required by law. In particular, we do not need to obtain consent in cases where it is absolutely necessary to store and read the information, i.e. also in the case of cookies, to provide the user with a telemedia service expressly requested by the user (i.e. our online content). Users are clearly informed about their right to revoke consent and information on the use of respective cookies is provided.

Information on the legal basis for data protection: The legal basis under data protection law on which we process users' personal data using cookies depends on whether we ask users for consent. If users consent, the legal basis for the processing of their data is their declared consent. Otherwise, the data processed with the help of cookies will be processed on the basis of our legitimate interest (e.g. to operate our online content and improve its usability); or if this is done in the context of fulfilling our contractual obligations; or if we need to use cookies to fulfil our contractual obligations. We explain the purposes for which we process cookies in this privacy policy or as part of our consent and processing procedures.

Storage period: We make a distinction between the following types of cookies with regard to the storage period:

• Temporary cookies (also: session cookies): Temporary cookies are erased at the latest after a user has left an online offer and closed their terminal (e.g. browser or mobile app).
• Permanent Cookies: Permanent cookies remain stored even after the terminal has been closed. For example, the login status can be saved or preferred content can be displayed as soon as the user visits a website again. Likewise, user data collected with the help of cookies can be used to measure the website’s reach. Unless we provide users with explicit information about the type of and storage period for cookies (e.g. when obtaining consent), users should assume that cookies are permanent and can be stored for up to two years.

General information on revocation and objection (opt-out): Users can revoke their consent at any time and also object to their data being processed in accordance with the legal requirements stipulated in Art. 21 GDPR (further information on objections is provided within the scope of this privacy policy). Users can also object to this by changing their browser settings.

Further guidance on processing operations, procedures and services:

• Processing Cookie data on the basis of consent: We use a cookie consent management procedure under which users' consent to the use of cookies, or to the processing and providers mentioned in the cookie consent management procedure, and which may be obtained and managed and revoked by users. The declaration of consent is stored so that it does not have to be repeated and that consent can be proven in accordance with our legal obligation. This may be stored on the server side and/or in a cookie (so-called opt-in cookie or with the help of comparable technologies) so that we may assign the consent to a user or their device. Subject to specific details on the providers of cookie management services, the following information applies: Consent may be stored for up to two years. Here, a pseudonymous user identifier is created and stored with the time of consent, information on the scope of consent (e.g. which categories of cookies and/or service providers) as well as the browser, system and terminal used.

Commercial services

We process the data of our contractual and business partners, e.g. customers and interested parties (collectively referred to as "contractual partners") in the context of contractual and comparable legal relationships as well as related measures and in the context of communication with contractual partners (or pre-contractual), e.g. to answer enquiries.

We process this data so that we may fulfil our contractual obligations, safeguard our rights and perform the administrative tasks associated with this information as well as run our business. Within the framework of applicable law, we only disclose data provided by contractual partners to third parties to the extent that this is necessary for the aforementioned purposes or for the fulfilment of legal obligations or with the consent of the persons concerned (e.g. to participating telecommunications, transport and other auxiliary services as well as subcontractors, banks, tax and legal advisors, payment service providers or tax authorities). The contractual partners will be informed about any further forms of processing, e.g. for marketing purposes, within the framework of this privacy policy.

We shall inform our contractual partners of the types of data required for the above-mentioned purposes before or over the course of data collection, e.g. in online forms, by means of special labelling (e.g. colours) or symbols (e.g. asterisks or similar), or in person.

We shall erase the data after the legal warranty and comparable obligations have expired, i.e., in principle after 4 years, unless the data is stored in a customer account, e.g., for as long as it must be retained for legal archiving reasons (e.g., for tax purposes usually 10 years). We shall erase data disclosed to us by the contractual partner within the scope of an order in accordance with the specifications of the order, in principle after the end of the order.

If we use third-party providers or platforms to provide our services, the terms and conditions and data protection notices of the respective third-party providers or platforms shall apply in the relationship between the users and the providers.

• The types of data we process: Inventory data (e.g. names, addresses); payment data (e.g. bank details, invoices, payment history); contact data (e.g. e-mail, telephone numbers); contract data (e.g. subject matter of contract, term, customer category).
• Data subjects: Interested parties; business and contractual partners.
• Purposes of processing: Provision of contractual services and customer service; contact requests and communication; office and organisational procedures; managing and responding to requests.
• Legal bases: Performance of a contract and processing pre-contractual enquiries (Art. 6 (1)(b) GDPR); legal obligation (Art. 6 (1)(c) GDPR); legitimate interest (Art. 6 (1)(f) GDPR).

Provision of our online content and web hosting

We use the services of one or several web hosting providers from whose servers (or servers managed by them) online content can be accessed so that we may provide our online services in a secure and efficient way. For these purposes, we may use infrastructure and platform services, computing capacity, storage space and database services as well as security services and technical maintenance services.

The data processed in the context of providing the hosting service may include all information relating to the users of our online service that is generated in the course of use and communication. This regularly includes the IP address, which we need to be able to deliver the online content to browsers, and all entries made within our online content or from websites.

• The types of data we process: Content data (e.g. entries in online forms); usage data (e.g. websites visited, interest in content, access times); meta/communication data (e.g. device information, IP addresses).
• Data subjects: Users (e.g. website visitors, users of online services).
• Purposes of processing: Providing our online content and user-friendliness.
• Legal bases: Legitimate interest (Art. 6 (1)(f) GDPR).

Further guidance on processing operations, procedures and services:

• Collecting access data and log files: We ourselves collect (or our web hosting provider collects) data on every access to the server (so-called server log files). The server log files may include the address and name of the web pages and files accessed, the date and time of access, the volume of data transmitted, notification of successful access, browser type and version, the user's operating system, referrer URL (the previously visited page) and, as a rule, IP addresses and the requesting provider. On the one hand, these server log files can be used for security purposes, e.g. to avoid overloading the servers (especially in the case of abusive attacks, so-called DDoS attacks), while, on the other hand, they can be used to ensure that servers utilise their capacity and are stable; erasure of data: Log file information is stored for a maximum of 30 days and then erased or anonymised. Data whose further retention is required for evidence purposes are exempt from erasure until the respective incident has been finally clarified.

Blogs and publication media

We use blogs or comparable means of online communication and publication (hereinafter “publication medium”). Readers' data are processed for the purposes of the publication medium but only to the extent necessary for its presentation and communication between authors and readers or for reasons of security. Please also refer to the information provided on how we process data from visitors to our publication medium within the scope of this privacy policy.

• The types of data we process: Inventory data (e.g. names, addresses); contact data (e.g. e-mail, telephone numbers); content data (e.g. entries in online forms); usage data (e.g. websites visited, interest in content, access times); meta/communication data (e.g. device information, IP addresses).
• Data subjects: Users (e.g. website visitors, users of online services).
• Purposes of processing: Providing contractual services and customer service; feedback (e.g. collecting feedback via online form); security measures; managing and responding to enquiries.
• Legal bases: Performance of a contract and processing pre-contractual enquiries (Art. 6 (1)(b) GDPR); legitimate interest (Art. 6 (1)(f) GDPR).

Further guidance on processing operations, procedures and services:

• Comments and contributions: When users leave comments or other contributions, their IP addresses may be stored on the basis of our legitimate interest. This is done for our security, in case someone leaves unlawful content in comments and posts (insults, forbidden political propaganda, etc.). In this case, we ourselves may be prosecuted for the comment or post and are therefore interested in the identity of the author. Furthermore, we reserve the right to process user data for the purpose of spam detection on the basis of our legitimate interest. On the same legal basis, we reserve the right to store the IP addresses of users in the case of surveys for the duration of the survey and to use cookies in order to avoid multiple votes being cast. The personal information provided in the context of comments and contributions, any contact and website information as well as the content-related information will be permanently stored by us until the user objects.

Contact and request management

When contacting us (e.g. by contact form, e-mail, telephone or via social media) as well as in the context of existing user and business relationships, the information of the inquiring persons is processed provided that it is necessary to do so to respond to contact enquiries and any requests.

We answer contact enquiries and manage contact and enquiry data within the framework of contractual or pre-contractual relationships so that we may fulfil our contractual obligations or respond to (pre-)contractual enquiries, and we do so on the basis of the legitimate interest in answering enquiries and maintaining user or business relationships.

• The types of data we process: Inventory data (e.g. names, addresses); contact data (e.g. e-mail, telephone numbers); content data (e.g. entries in online forms).
• Data subjects: Communication partners.
• Purposes of processing: Contact enquiries and communication.
• Legal bases: Performance of a contract and processing pre-contractual enquiries (Art. 6 (1)(b) GDPR); legitimate interest (Art. 6 (1)(f) GDPR).

Marketing communications via e-mail, post, fax or telephone

We process personal data for the purposes of marketing communications, which may take place via various channels, such as e-mail, telephone, post or fax, in accordance with legal requirements.

Recipients have the right to revoke their consent at any time or to object to receiving promotional communications at any time.

After revocation or objection, we may store the data required to prove consent for up to three years on the basis of our legitimate interest before we erase it. The processing of this data is limited to the purpose of a possible defence against claims. You may request that specific data are erased at any time, provided that you also confirm that you had previously given your consent to sharing this data.

• The types of data we process: Inventory data (e.g. names, addresses); contact data (e.g. e-mail, telephone numbers).
• Data subjects: Communication partners.
• Purposes of processing: Direct marketing (e.g. via e-mail or post).
• Legal bases: Consent (Art. 6 (1)(a) GDPR); Legitimate interest (Art. 6 (1)(f) GDPR).

Digital marketing

We process personal data for online marketing purposes, which may include, in particular, marketing advertising space or displaying promotional and other content (collectively, "content") based on users' potential interests and measuring its effectiveness.

For these purposes, so-called user profiles are created and stored in a file (so-called "cookie") or similar procedures are used, by means of which the information about the user relevant to the presentation of the aforementioned content is stored. This information may include, for example, content viewed, websites visited, online networks used, but also communication partners and technical information such as the browser used, the computer system used and information on usage times and functions used. If users have consented to having their location data collected, this may also be processed.

The users’ IP addresses are also stored. However, we use available IP masking procedures (i.e., anonymisation by shortening the IP address) to protect users. In general, no clear user data (such as e-mail addresses or names) is stored as part of the online marketing process, but pseudonyms are. This means that we, as well as the parties who provide the online marketing service, do not know the actual identity of the users, only the information stored on their profiles.

The information stored on the profiles is usually stored in the cookies or using similar procedures. These cookies can generally be read on other websites that use the same online marketing service and analysed for the purpose of displaying content as well as supplemented with further data and stored on the server of the online marketing service provider.

Clear data can only be assigned to user profiles in exceptional cases. This is the case if, for example, the users are members of a social network whose online marketing services we use and the network links the users' profiles with the aforementioned information. Please note that users may make additional agreements with these providers, e.g. by giving their consent as part of the registration process.

In principle, we are only granted access to summarised information about the success of our advertisements. However, in the context of so-called conversion measurements, we can check which of our online marketing methods have led to a so-called conversion, i.e., for example, to a contract being entered into with us. This conversion measurement is used for the sole purpose of analysing the success of our marketing operations.

Unless otherwise stated, we ask you to assume that your cookies used will be stored for a period of two years.

Information on legal bases: Where we ask users to consent to the use of third party providers, the legal basis for processing data is consent. Otherwise, user data is processed on the basis of our legitimate interest (i.e. interest in efficient, economical and recipient-friendly services). In this context, we would also like to refer you to the information on the use of cookies in this privacy policy.

• The types of data we process: Event data (Facebook) ("Event data" is data that may be transmitted by us to Facebook, e.g. via the Facebook pixel (via apps or other means), and relates to persons or their actions; the data includes, for example, information about visits to websites, interactions with content, functions, app installations, product purchases, etc.; the event data is processed for the purpose of creating target groups for content and advertising information (Custom Audiences). Event data is processed for the purpose of creating target groups for content and advertising information (Custom Audiences); Event data does not include the actual content (such as comments written), no login information and no contact information (i.e. no names, email addresses and telephone numbers). Event data are erased by Facebook after a maximum of two years, the target groups formed from them with the erasure of our Facebook account); usage data (e.g. websites visited, interest in content, access times); meta/communication data (e.g. device information, IP addresses).
• Data subjects: Users (e.g. website visitors, users of online services).
• Purposes of processing: Remarketing; conversion measurement (measuring the effectiveness of marketing measures); targeting; audience building (determining target groups relevant for marketing purposes or otherwise outputting content); marketing; profiling with user-related information (creating user profiles).
• Security measures: IP-Masking (anonymising the IP address).
• Legal bases: Consent (Art. 6 (1)(a) GDPR); Legitimate interest (Art. 6 (1)(f) GDPR).
• Opting out: We refer to the privacy notices of the respective providers and the objection options (so-called "opt-out") given for the providers. If no explicit opt-out option has been specified, you have the option of switching off cookies in your browser settings. However, this may restrict the functions of our online content. We therefore recommend the following additional opt-out options, which are offered in summary form for the respective territories: a) Europe: https://www.youronlinechoices.eu. b) Kanada: https://www.youradchoices.ca/choices. c) USA: https://www.aboutads.info/choices. d) Cross-territory: https://optout.aboutads.info.

Further guidance on processing operations, procedures and services:

• Facebook Pixel and Custom Audiences: With the help of the Facebook pixel (or comparable functions, for the transmission of event data or contact information by means of interfaces in apps), it is possible for Facebook, on the one hand, to determine the visitors to our online content as a target group for the display of advertisements (so-called "Facebook ads"). Accordingly, we use the Facebook pixel to display the Facebook ads placed by us only to those users on Facebook and within the services of partners cooperating with Facebook (so-called "Audience Network" https://www.facebook.com/audiencenetwork/ ) who have also shown an interest in our online content or who have certain characteristics (e.g. interest in certain topics or products that are evident from the websites visited) that we transmit to Facebook (so-called "Custom Audiences"). https://www.facebook.com/audiencenetwork/ With the help of the Facebook pixel, we also want to ensure that our Facebook ads correspond to the potential interest of the users and do not have a harassing effect. The Facebook pixel also allows us to track the effectiveness of Facebook ads for statistical and market research purposes by seeing whether users were redirected to our website after clicking on a Facebook ad (so-called "conversion measurement"); service provider: Facebook Ireland Ltd, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland; Website: https://www.facebook.com; privacy policy: https://www.facebook.com/about/privacy; standard contractual clauses (ensuring level of data protection for processing in third countries): The "Facebook EU Data Transfer Addendum" (https://www.facebook.com/legal/EU_data_transfer_addendum) applies in the case of commissioned processing by Facebook as the basis for the processing of event data of EU citizens in the USA and the inclusion in the "Facebook Platform Terms of Use" (https://developers.facebook.com/terms) with regard to the autonomous processing of event data by Facebook in the context of ad placement; Further information: The "Data Processing Terms and Conditions" (https://www.facebook.com/legal/terms/dataprocessing/update) apply with regard to event data that Facebook processes on behalf of companies in order to provide them with reports and analyses; furthermore, the "Controller Addendum" applies as an agreement on joint responsibility (Art. 26 (1) sentence 3 GDPR), which is decisive in the case of the processing of event data by Facebook on its own responsibility for the purposes of targeting as well as improving and securing Facebook products.

Presence on social media networks

We maintain online presences within social networks and process user data in this context in order to communicate with users active there or to offer information about us.

We would like to point out that user data may be processed outside the European Union. This can result in risks for users because, for example, it could make it more difficult to enforce users' rights.

Furthermore, user data within social networks is usually processed for market research and advertising purposes. For example, usage profiles can be created based on the usage behaviour and resulting interests of the users. The usage profiles can in turn be used, for example, to display advertisements within and outside the networks that presumably correspond to the users' interests. For these purposes, cookies are usually stored on the users' computers, in which the usage behaviour and interests of the users are stored. Furthermore, data may also be stored in the usage profiles irrespective of the devices used by the users (especially if the users are members of the respective platforms and are logged in to them).

For a detailed presentation of the respective forms of processing and the options to object (opt-out), we refer to the privacy policies and information provided by the operators of the respective networks.

Also in the case of requests for information and the assertion of data subject rights, we point out that these can be asserted most effectively with the providers. Only the providers have access to the users' data and can directly take appropriate measures and provide information. You can contact us if you need further assistance.

• The types of data we process: Contact data (e.g. e-mail, telephone numbers); content data (e.g. entries in online forms); usage data (e.g. websites visited, interest in content, access times); meta/communication data (e.g. device information, IP addresses).
• Data subjects: Users (e.g. website visitors, users of online services).
• Purposes of processing: Contact requests and communication; feedback (e.g. collecting feedback via online form); marketing.
• Legal bases: Legitimate interest (Art. 6 (1)(f) GDPR).

Further guidance on processing operations, procedures and services:

• Instagram: Social network; service provider: Instagram Inc, 1601 Willow Road, Menlo Park, CA, 94025, USA; Website: https://www.instagram.com; Privacy policy: https://instagram.com/about/legal/privacy.
• Facebook: Profiles within the social network Facebook - We are jointly responsible with Facebook Ireland Ltd. for the collection (but not the further processing) of data of visitors to our Facebook page (so-called "fan page"). This data includes information about the types of content users view or interact with, or the actions they take (see under "Things You and Others Do and Provide" in the Facebook Data Policy: https://www.facebook.com/policy), https://www.facebook.com/policyas well as information about the devices users use (e.g. IP addresses, operating system, browser type, language settings, cookie data; see under "Device Information" in the Facebook Data Policy: https://www.facebook.com/policy). As explained in the Facebook Privacy Policy under "How do we use this information?", Facebook also collects and uses information to provide analytics services, called "Page Insights", to Page operators to provide them with insights into how people interact with their Pages and with the content associated with them. We have concluded a special agreement with Facebook ("Information on Page Insights", https://www.facebook.com/legal/terms/page_controller_addendum), which regulates in particular which security measures Facebook must observe and in which Facebook has agreed to fulfil the data subject rights (i.e. users can, for example, send information or erasure requests directly to Facebook). The rights of users (in particular to access to personal data, erasure, objection and complaint to the competent supervisory authority) are not restricted by the agreements with Facebook. Further information can be found in the "Information on Page Insights" (https://www.facebook.com/legal/terms/information_about_page_insights_data); Service Provider: Facebook Ireland Ltd, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland; Website: https://www.facebook.com; Privacy Policy: https://www.facebook.com/about/privacy; Standard contractual clauses (ensuring level of data protection for data processing in third countries): https://www.facebook.com/legal/EU_data_transfer_addendum; Further Information: Agreement on joint accountability: https://www.facebook.com/legal/terms/information_about_page_insights_data.

Plugins and embedded functions and content

We integrate functional and content elements into our online content that are obtained from the servers of their respective providers (hereinafter referred to as "third-party providers"). This may include, for example, graphics, videos or city maps (hereinafter uniformly referred to as "content").

The integration always requires that the third-party providers of this content process the IP address of the user, as without the IP address they would not be able to send the content to their browser. The IP address is thus required for the display of this content or function. We endeavour to only use content whose respective providers only use the IP address to deliver the content. Third-party providers may also use so-called pixel tags (invisible graphics, also known as "web beacons") for statistical or marketing purposes. The "pixel tags" can be used to analyse information such as visitor traffic on the pages of this website. The pseudonymous information may also be stored in cookies on the user's device and may contain, among other things, technical information about the browser and operating system, referring websites, time of visit and other information about the use of our online content as well as be linked to such information from other sources.

Information on legal bases: Where we ask users to consent to the use of third party providers, the legal basis for processing data is consent. Otherwise, user data is processed on the basis of our legitimate interest (i.e. interest in efficient, economical and recipient-friendly services). In this context, we would also like to refer you to the information on the use of cookies in this privacy policy.

• The types of data we process: Usage data (e.g. websites visited, interest in content, access times); meta/communication data (e.g. device information, IP addresses).
• Data subjects: Users (e.g. website visitors, users of online services).
• Purposes of processing: Provision of our online content and user-friendliness; provision of contractual services and customer service.
• Legal bases: Legitimate interest (Art. 6 (1)(f) GDPR).

Further guidance on processing operations, procedures and services:

• Google Fonts: We integrate the fonts ("Google Fonts") of the provider Google, whereby the user's data is used solely for the purpose of displaying the fonts in the user's browser. The integration is based on our legitimate interest in a technically secure, maintenance-free and efficient use of fonts, their uniform display and taking into account possible restrictions under licensing law for their integration; service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, Parent Company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; Website: https://fonts.google.com/; Privacy Policy: https://policies.google.com/privacy.
• Google Maps: We integrate the maps of the "Google Maps" service of the provider Google. The data processed may include, in particular, IP addresses and location data of users, but these are not collected without their consent (usually executed within the settings of their mobile devices); Service Providers: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, Parent Company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; Website: https://cloud.google.com/maps-platform; Privacy Policy: https://policies.google.com/privacy; Opt-out: Opt-out plug-in: https://tools.google.com/dlpage/gaoptout?hl=de, settings for the display of advertisements: https://adssettings.google.com/authenticated.

Änderung und Aktualisierung der Datenschutzerklärung

Wir bitten Sie, sich regelmäßig über den Inhalt unserer Datenschutzerklärung zu informieren. Wir passen die Datenschutzerklärung an, sobald die Änderungen der von uns durchgeführten Datenverarbeitungen dies erforderlich machen. Wir informieren Sie, sobald durch die Änderungen eine Mitwirkungshandlung Ihrerseits (z.B. Einwilligung) oder eine sonstige individuelle Benachrichtigung erforderlich wird.

Sofern wir in dieser Datenschutzerklärung Adressen und Kontaktinformationen von Unternehmen und Organisationen angeben, bitten wir zu beachten, dass die Adressen sich über die Zeit ändern können und bitten die Angaben vor Kontaktaufnahme zu prüfen.

The rights of the data subject

As a data subject, you are entitled to exercise various rights under GDPR, which arise in particular from Art. 15 to 21 GDPR:

• Right of revocation: You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data relating to you which is carried out on the basis of Article 6(1)(e) or (f) GDPR; this also applies to any profiling that is carried out based on these provisions. If the personal data concerning you is processed for the purpose of direct marketing, you have the right to object at any time to the processing of personal data concerning you for the purpose of such marketing; this also applies to profiling, insofar as it is related to such direct marketing.
• Right of revocation and consent: You have the right to revoke any consent you have given at any time.
• Right of access: You have the right to request confirmation as to whether data in question is being processed and to information about this data, as well as further information and a copy of the data in accordance with the legal requirements.
• Right to rectification: In accordance with the legal requirements, you have the right to request that the data concerning you be completed or that the incorrect data concerning you be corrected.
• Right to erasure and right to restrict processing: In accordance with the statutory provisions, you have the right to demand that data relating to you be erased immediately or, alternatively, to demand restriction of the processing of the data in accordance with the statutory provisions.
• Right to data portability: You have the right to access data which relates to you and which you have provided to us with in a structured, common and machine-readable format in accordance with statutory requirements, or to request that it be transmitted to another controller.
• Complaints lodged with the supervisory authority: In accordance with the law and without prejudice to any other administrative or judicial remedy, you also reserve the right to lodge a complaint with a data protection supervisory authority, in particular a supervisory authority in the Member State where you usually reside, the supervisory authority of your place of work or the place of the alleged infringement, if you consider that personal data concerning you has been processed in a way that represents a breach of GDPR.

Definitions

This section provides you with an overview of the terms used in this privacy statement. Many of the terms are taken from the law and defined in Art. 4 GDPR, in particular. The statutory definitions are legally binding. The following explanations, on the other hand, are primarily intended to aid understanding. The terms have been sorted alphabetically.

• Conversion measurement: Conversion measurement (also known as "visit action evaluation") is a procedure that can be used to determine the effectiveness of marketing measures. This is usually done by storing a cookie on the users' devices within the websites where the marketing takes place and then retrieving it again on the target website. For example, we can see whether the ads we have placed on other websites have been successful.
• Personal data: “Personal data” means any information relating to an identified or identifiable natural person (hereinafter “data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g. cookie) or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
• Profiles with user-related information: The processing of “profiles with user-related information”, or “profiles” for short, includes any type of automated processing of personal data that consists of using these personal data to analyse, evaluate or predict certain personal aspects relating to a data subject (depending on the type of profiling, this may include different information concerning demographics, behaviour and interests, such as interaction with websites and their content, etc.) (e.g. interests in certain content or products, click behaviour on a website or location). Cookies and web beacons are often used for profiling purposes.
• Remarketing: Remarketing" or "retargeting" is when, for example, for advertising purposes, it is noted which products a user was interested in on a website in order to remind the user of these products on other websites, e.g. in advertisements.
• Data controller: “Data controller” means the natural or legal person, public authority, agency or other body which alone or jointly with others determines the purposes and means of the processing of personal data.
• Processing: "processing" means any operation or set of operations which is performed upon personal data, whether or not by automatic means. The term is wide-ranging and encompasses practically every handling of data, be it collection, evaluation, storage, transmission or erasure.
• Custom audiences: We speak of custom audiences when target groups are determined for advertising purposes, e.g. insertion of advertisements. For example, based on a user's interest in certain products or topics on the internet, it can be inferred that this user is interested in advertisements for similar products or the online shop where they viewed the products. Lookalike audiences" (or similar target groups) are when the content deemed suitable is displayed to users whose profiles or interests presumably correspond to the users for whom the profiles were created. Cookies and web beacons are generally used for the purpose of creating Custom Audiences and Lookalike Audiences.