Information on data protection regarding our data processing under Article (Art.) 13, 14 and 21 of the General Data Protection Regulation (GDPR)
We take data protection seriously and are hereby informing you how we process your data and which claims and rights you have under the data protection regulations. Applicable as of May 25, 2018.
1. Controller responsible for data processing and contact data
Controller within the meaning of data protection law [DFB-Reisebüro GmbH]
Contact data for the data protection officer:
HEC Harald Eul Consulting GmbH
Data Protection Officer DFB-Reisebüro
Auf der Hoehe 34
2. Purpose and legal basis on which we process your data
We process personal data in harmony with the provisions of the General Data Protection Regulation (GDPR) and other applicable data protection regulations (details below). Which data is specifically processed and in which way it is used essentially depends on the requested or agreed services. See the relevant contract documents, forms, a declaration of consent and/or other information provided to you (e.g. in the context of using our website or our General Terms and Conditions of Business) for further details or additions to the purposes of the data processing. Furthermore, this data protection information can be updated from time to time, as you can see on our website www.dfb-reisebuero.de.
2.1 Purposes for performance of a contract or of pre-contractual steps (Art. 6 (1)(b) GDPR)
The processing of personal data takes place to perform our contracts with you and to execute your orders as well as to take steps and activities as part of a pre-contractual relationship, e.g. with prospects. In particular, the processing thereby serves the provision of services in relation to the arrangement of travel packages or individual travel modules, possible participation in sweepstakes and club offers and the registration on our website and/or an DFB-Reisebüro app, or to fill out forms on our website in accordance with your orders and requests, and include the services, steps and activities required to do so. This essentially includes the contract-related communication with you, the relevant invoice and associated payment transactions, the verifiability of transactions, orders and other agreements, serves quality control through respective documentation, accommodating arrangements, measures for steering and optimizing business processes and fulfills the general duties of care, steering and control through associated enterprises (e.g. parent company); statistical analyses for management control, cost finding and controlling, reporting, internal and external communication, emergency management, invoicing and tax assessments relating to operational services, risk management, the assertion of legal claims and defense in litigation; guarantee of IT security (including system and plausibility tests) and general safety, including building and facility security, safeguarding and exercising the right to grant or deny access (e.g. by using access controls); guaranteeing the integrity, authenticity and availability of data, prevention and solving of crimes; control by supervisory committees or controlling instances (e.g. audits).
2.2 Purpose within the context of a legitimate interest on our part or by third parties (Art. 6 (1) GDPR)
Beyond the actual performance of the contract or pre-contract, we may process your data if this is necessary to safeguard our legitimate interests or those of third parties, specifically for purposes of:
2.3 Purposes within the framework of your consent (Art. 6 (1)(a) GDPR)
Processing of your personal data for specific purposes (e.g. use of your email address for marketing purposes) can take place based on your consent. You may generally withdraw it at any time. This also applies to the withdrawal of declarations of consent that were given to us before the GDPR applied, i.e. before May 25, 2018. You will be informed separately in the relevant text of the consent about the purposes and consequences of a withdrawal or of not giving your consent.
In general, the withdrawal of consent is only effective for the future. Processing that took place prior to the withdrawal is not affected and remains lawful.
2.4 Purposes for fulfilling statutory requirements (Art. 6 (1)(c) GDPR) or in the public interest (Art. 6 (1)(e) GDPR)
Like anyone who participates in business, we are subject to a variety of legal obligations. The statutory requirements (e.g. commercial and tax laws) are primary, but there may also be supervisory law or other official conditions. Identity and age verification may be part of the purposes of this processing, as fraud and money laundering prevention, the prevention, fighting and clearing up of terrorism financing and crimes endangering property, comparisons of European and international anti-terror lists, fulfilling tax law control and reporting obligations and the archiving of data for the purpose of data protection and data security as well as review by tax and other authorities. In addition, the disclosure of personal data as part of official/judicial measures can become necessary for the purposes of providing evidence, prosecuting criminal acts or enforcing civil law claims.
3. The data categories we process insofar as we do not receive data directly from you, and their origin
To the extent this is necessary to perform our services, we process personal data that we have lawfully obtained from other companies or miscellaneous third parties (e.g. credit agencies, address publishers). In addition, we process personal data that we have lawfully taken or received from publicly accessible sources (e.g. telephone directories, company and association registers, resident registries, debtor lists, land registers, press, Internet and other media) and that we are permitted to process.
The following can be relevant personal data categories:
4. Recipients or categories of recipients of your data
Within our company, those internal offices or organizational units will receive your data that need it to perform our contractual or legal obligations or as part of the processing and enforcement of our legitimate interest. Your data will be disclosed to external parties exclusively
We will not disclose your data to third parties beyond this. If we engage service providers as contract processors, your data will be subject to the same security standards there as it is with us. In all other cases, the recipients may only use the data for the purpose for which it was transferred to them.
5. Duration of storage of your data
We will process and store your data for the duration of our business relationship. That includes the initiation of a contract (pre-contractual legal relationship) and the performance of a contract.
In addition, we are subject to various safekeeping and documentation obligations as per the commercial and tax laws, among others. The deadlines for safekeeping or documentation stipulated there are ten years beyond the end of the business relationship or the pre-contractual legal relationship.
Furthermore, special statutory regulations may require a longer period of safekeeping, e.g. the preservation of evidence as part of the statute of limitations provisions.
If the data are no longer necessary to fulfill contractual or statutory obligations and rights, they are generally erased, unless their – limited – continued processing is necessary to fulfill the purposes listed in section 2.2 based on a predominant legitimate interest. Such a predominant legitimate interest is considered to exist, e.g. if erasing the data is not possible or would only be possible with a disproportionately great effort and processing for other purposes is excluded through appropriate technical and organizational steps.
6. Processing of your data in a third country or by an international organization
Data are transmitted to locations in states outside the European Union (EU) or the European Economic Area (EEA) (so-called third countries) if it is necessary to perform an order/contract of or with you, it is required by law (e.g. reporting obligations under tax law), it lies in our legitimate interest or that of a third party, or you have given us your consent.
The processing of your data in a third country can also take place when service providers are engaged as part of the order processing. If there is no decision by the EU Commission on an appropriate data protection level existing in the relevant country, we warrant that your rights and freedoms are appropriately protected and guaranteed through relevant contracts as per the EU data protection requirements. The pertinent detailed information will be provided to you on request.
Information on the suitable or appropriate guarantees and on the option to receive a copy thereof can be requested from the company’s data protection officer.
7. Your data privacy rights
You can assert your data privacy rights against us under certain conditions.
Your requests in exercise of your rights should always be addressed directly in writing to our data protection officer at the above stated address, if possible.
8. Scope of your obligations to provide your data to us
You only need to provide the data necessary to create and execute a business relationship, to establish a pre-contractual relationship with us, or which we are legally obligated to collect. Without this data we will generally not be able to enter into the contract or execute it. This can also pertain to data required later in the context of the business relationship. Insofar as we request data from you going beyond this, it will be pointed out to you that providing this information is voluntary.
9. Existence of an automated decision-making process on an individual case basis (including profiling)
We do not utilize any purely automated decision-making processes pursuant to Article 22 GDPR. Should we utilize such a process in individual cases in the future, we will inform you separately if required by law.
We may process your data aiming in part to assess certain personal aspects (profiling). If appropriate, we may utilize analytical instruments to be able to inform and advise you about products in a purposeful way. They allow product design, communication and advertising in line with your needs, including market research and opinion polling.
Such processes can also be utilized to assess your financial standing and creditworthiness and to fight money laundering and fraud. So-called “scores” may be used to assess your financial standing and creditworthiness. When scoring, mathematical processes are used to calculate the probability with which a customer will meet his payment obligations in accordance with the contract. Such scores thus support us, e.g. in evaluating creditworthiness, in making decisions as part of product close-outs, and they flow into our risk management. The calculation is based on mathematically and statistically recognized and tested processes and is done based on your data, specifically income situation, expenses, existing liabilities, occupation, employer, length of employment, experience from the business relationship to date, contractual repayment of earlier loans and information from credit agencies.
Information about citizenship and special categories of personal data as per Art. 9 GDPR are not processed.
Information on your right to object under Art. 21 GDPR
We will no longer process your data for the purposes of direct advertising if you object to the processing for these purposes.
The objection can be lodged informally and should be directed to the above stated address of the responsible party, if possible.
Supplementary information regarding our online offers
By using cookies, the model company can provide user-friendly services to the users of the website, which would not be possible without the placement of cookies.
The data subject may prevent the placement of cookies by our website at any time by adjusting the relevant setting of the Internet browser being used and thereby permanently objecting to the placement of cookies. Furthermore, previously placed cookies can be deleted at any time via an Internet browser or other software program. This is possible in all popular Internet browsers. If the data subject deactivates the placement of cookies in the Internet browser used, all functions of our website may not be fully usable under some circumstances.
Data protection information for the application process
We process application data only for the purpose of, and in the context of, the application process in compliance with the legal requirements. Applicant data are processed only to fulfill our (pre-)contractual obligations within the application process as defined in Art. 6 (1)(b) GDPR, Art. 6 (1)(f) GDPR if the data processing becomes necessary for us, e.g. in the context of legal proceedings (in Germany, § 26 of the German Federal Data Protection Act [Bundesdatenschutzgesetz, BDSG] applies in supplement).
The application process presupposes that applicants provide us with the applicant data. Insofar as we offer an online form, the required applicant data are marked, otherwise they follow from the job description and generally include information about the person, mailing and contact addresses, and the documents that are part of the application, such as the letter, curriculum vitae and the references. In addition, applicants may voluntarily provide us with further information.
By transmitting their application to us, applicants consent to the processing of their data for the purposes of the application process in accordance with the type and scope described in this data protection policy.
If special categories of personal data within the meaning of Art. 9 (1) GDPR are communicated voluntarily as part of the application process, they will be processed additionally pursuant to Art. 9 (2)(b) GDPR (e.g. health data, such as disability status, or ethnic origin). Insofar as special categories of data within the meaning of Art. 9 (1) GDPR are asked of applicants as part of the application process, they will be processed additionally pursuant to Art. 9 (2) (a) GDPR (e.g. health data, if this is required to carry out the occupation).
If provided, applicants may submit their applications to us by means of an online form on our website. The data are transmitted to us with state-of-the-art encryption.
Furthermore, applicants can transmit their applications to us by email. However, when doing so, we ask that you note that emails are generally not sent encrypted and that applicants must take care of the encryption themselves. Therefore, we cannot assume any liability for the application during the time of transfer from the sender to receipt on our server, and thus recommend an online form or postal mailing. Instead of applying through the online form or by email, applicants continue to have the option to send us their application by mail.
If the application is successful, the data provided by the applicants can be further processed by us for the purposes of employment. Otherwise, if the application for a job is not successful, the applicant’s data will be erased. The applicant’s data are also erased if an application is withdrawn, which applicants are entitled to do at any time.
The erasure will take place subject to a legitimate revocation by the applicant, after a time period of six months has expired, so that we may answer any follow-up questions regarding the application and meet our obligations of proof under the Act on Equal Treatment [Gleichbehandlungsgesetz]. Invoices for any travel expense reimbursements will be archived in accordance with the tax law requirements.
When contacting us (e.g. through the contact form, by email, telephone or via social media), the user’s information is processed to process the contact inquiry and complete it pursuant to Art. 6 (2) (b) GDPR. The user’s information may be stored in a customer relationship management system (“CRM System”) or a comparable inquiry organizer.
We will erase the inquiries when they are no longer needed. We will review this necessity every two years; furthermore, the statutory archiving obligations apply.
The following information will inform you about the contents of our newsletter as well as the registration, sending and statistical analysis processes and your right to object. By subscribing to the newsletter, you consent to its receipt and the described procedures.
Content of the newsletter: We send out newsletters, emails and other electronic notifications with advertising information (hereinafter “Newsletter”) with the recipient’s consent or as permitted by law. If the contents of the Newsletter are specifically outlined as part of subscribing to it, they are determinative for the user’s consent. In all other respects, our Newsletters contain information about our services and about us.
Double opt-in and documentation: The subscription to our Newsletter is done by way of a so-called double opt-in process. This means after registration you receive an email asking you to confirm your subscription. This confirmation is required so that no one can subscribe with a third-party email address. The subscription to the Newsletters is documented in order to be able to verify the registration process in accordance with the legal requirements. This includes storing the subscription and confirmation time, as well as the IP address. Changes to your data stored with the sending service provider are also documented.
Subscription data: To subscribe to the Newsletter, it is sufficient if you state your email address. We request that you state your name for the purpose of a personal greeting in the Newsletter, but this is optional.
The Newsletters are sent and the relevant results measured on the basis of consent by the recipient pursuant to Art. 6 (1)(a), Art. 7 GPPR in conjunction with § 7 (2) no. 3 of the Unfair Competition Act [Gesetz gegen den unlauteren Wettbewerb, UWG] or as permitted by law pursuant to § 7 (3) UWG.
The subscription process is documented on the basis of our legitimate interests pursuant to Art. 6 (1) (f) GDPR. Our interest is directed at having a user-friendly and secure newsletter system that both serves our business interests and meets the users’ expectations, and further allows us to verify consent.
Termination/revocation – You can terminate receipt of our Newsletter at any time, i.e. revoke your consent. You will find a link to terminate the Newsletter at the end of each Newsletter. We can store the unsubscribed email addresses for up to three years on the basis of our legitimate interests in order to furnish proof of previous consent. The processing of this data is limited to the purpose of a possible defense against claims. An individual request for erasure is possible at any time, if the former existence of consent is confirmed simultaneously.
Newsletter – marketing service
The Newsletter is sent by way of the marketing service SC-NETWORKS GMBH, Enzianstr. 2, 82319 Starnberg, Germany. You can view the marketing service’s data protection provisions at http://www.sc-networks.de/unternehmen/datenschutz. The marketing service is engaged on the basis of our legitimate interests pursuant to Art. 6 (1)(f) GDPR as well as an order processing contract pursuant to Art. 28 (3) sentence 1 GDPR.
The marketing service may utilize the data of the recipient in a pseudonymous form, i.e. without attributing it to a user, to optimize or improve its own services, e.g. for the technical optimization of sending and portraying the Newsletter or for statistical purposes. However, the marketing service shall not use the data of our Newsletter recipients to contact them itself or to disclose the data to third parties, however.
Newsletter – measuring success
The Newsletters contain a so-called “web beacon,” i.e. a pixel-sized file that is retrieved by our server when the Newsletter is opened or, if we are utilizing a marketing service, by its server. Initially, technical information such as information regarding the browser and your system are collected, and so is your IP address and the time of retrieval.
This information is used for the technical improvement of the service using the technical data or the target groups and their reading behavior in light of their retrieval locations (which can be determined with the help of the IP address) or the access times. Among the statistical information collected is whether the Newsletters are opened, when they are opened and which links are clicked. For technical reasons, this information can be attributed to the individual Newsletter recipient. However, it is not our desire to have the marketing service, if utilized, observe individual users. Instead, the analyses serve to help us recognize our users’ reading habits and to adapt our content to them or to send out different content, depending on the interests of our users.
Collection of access data and log files
We, or our hosting provider, may collect data on the basis of our legitimate interest within the meaning of Art. 6 (1) (f) GDPR, concerning each access to the server on which this service is located (so-called server log files). The access data include the name of the website visited, file, date and time of the access, transferred data volume, report on successful retrieval, browser type and version, the user’s operating system, referrer URL (the site previously visited), IP address and the retrieving provider.
For security reasons (e.g. to clear up abuse or fraud), log file information is stored for a maximum of three months and erased thereafter. Data which must be kept longer for evidentiary purposes are exempt from erasure until final resolution of the relevant incident.
This website uses functions of the web analysis service Google Analytics. The provider of this service is Google Ireland Limited („Google“), Gordon House, Barrow Street, Dublin 4, Ireland.
Google Analytics uses so-called cookies. Cookies are text files, which are stored on your computer and that enable an analysis of the use of the website by users. The information generated by cookies on your use of this website is usually transferred to a Google server in the United States, where it is stored.
The storage of Google Analytics cookies and the utilization of this analysis tool are based on Art. 6 Sect. 1 lit. f GDPR. The operator of this website has a legitimate interest in the analysis of user patterns to optimize both, the services offered online and the operator’s advertising activities. If a corresponding agreement has been requested (e.g. an agreement to the storage of cookies), the processing takes place exclusively on the basis of Art. 6 para. 1 lit. a GDPR; the agreement can be revoked at any time.
On this website, we have activated the IP anonymization function. As a result, your IP address will be abbreviated by Google within the member states of the European Union or in other states that have ratified the Convention on the European Economic Area prior to its transmission to the United States. The full IP address will be transmitted to one of Google’s servers in the United States and abbreviated there only in exceptional cases. On behalf of the operator of this website, Google shall use this information to analyse your use of this website to generate reports on website activities and to render other services to the operator of this website that are related to the use of the website and the Internet. The IP address transmitted in conjunction with Google Analytics from your browser shall not be merged with other data in Google’s possession.
You do have the option to prevent the archiving of cookies by making pertinent changes to the settings of your browser software. However, we have to point out that in this case you may not be able to use all of the functions of this website to their fullest extent. Moreover, you have the option prevent the recording of the data generated by the cookie and affiliated with your use of the website (including your IP address) by Google as well as the processing of this data by Google by downloading and installing the browser plug-in available under the following link: https://tools.google.com/dlpage/gaoptout?hl=en.
Contract data processing
We have executed a contract data processing agreement with Google and are implementing the stringent provisions of the German data protection agencies to the fullest when using Google Analytics.
Objection to the recording of data
Google Analytics on www.dfb-reisebuero.de is presently active in this browser. You may deactivate it.
For more information about the handling of user data by Google Analytics, please consult Google’s Data Privacy Declaration at: https://support.google.com/analytics/answer/6004245?hl=en.
Data on the user or incident level stored by Google linked to cookies, user IDs or advertising IDs (e.g. DoubleClick cookies, Android advertising ID) will be anonymized or deleted after 14 months. For details please click the following link: https://support.google.com/analytics/answer/7667196?hl=en
We integrate the maps of the “Google Maps” service provided by the service provider Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. The processed data can include IP addresses and location data of the users, which will not be collected without their consent (generally done in the settings of your mobile devices). The data can be processed in the USA. Data privacy statement: www.google.com/policies/privacy/, Opt-out: https://adssettings.google.com/authenticated.
Integration of services and contents of third parties
Based on our legitimate interests (i.e. our interest in the analysis, optimization and economic operation of our online services within the meaning of Art. 6 (1)(f) GDPR), we utilize content or service offers from third-party providers within our online services in order to integrate their content and services, e.g. videos or fonts (hereinafter uniformly referred to as “Content.”)
This always presupposes that the third-party providers of this Content perceive the IP address of the users since they cannot send the Content to their browsers without the IP address. Therefore, the IP address is necessary to represent the Content. We make an effort to use exclusively such Content whose respective providers only use the IP address to deliver the Content. Third-party providers can also use so-called pixel tags (invisible graphics, also called “web beacons”) for statistical or marketing purposes. Information such as the visitor traffic on the pages of this website can be evaluated using the “pixel tags.” Furthermore, the pseudonymous information can be stored in the user’s device and, among other things, contain technical information on the browser and operating system, referring websites, access times and other information pertaining to the use of our online services, but also be connected with such information from other sources.
Online presence in social media
We maintain an online presence within social networks and platforms to be able to communicate with the customers, prospects and users active there, and to be able to inform them about our services. When the relevant networks and platforms are accessed, the terms and conditions of business and the data processing policies of the operator in question apply.
Unless otherwise stated in our data protection statement, we only process the data of users if they communicate with us within the social networks and platforms, e.g. write contributions on our online sites or send us messages.
Our information on data protection concerning our processing of data pursuant to Article (Art.) 13, 14 and 21 GDPR can change from time to time. All changes will be published on this page.
Status: January 10, 2020