Privacy

Thank you for your interest in our website. Data protection has a particularly high priority for us. The use of the Internet pages of Winterberg-Ferien "Kappe Deluxe" GbR is possible without any indication of personal data. However, if a data subject wants to use special services provided by our enterprise via our website, processing of personal data could become necessary.

If processing of personal data is necessary and there is no legal basis for such processing, we will generally obtain the consent of the data subject. The processing of personal data – for example, the name, address, e-mail address, or telephone number of a data subject – shall always be in line with the General Data Protection Regulation, and in accordance with the country-specific data protection regulations applicable to us. With this data protection declaration, we inform the public about the type, scope and purpose of the personal data we collect, use and process. Furthermore, by means of this data protection declaration, data subjects are informed about the rights to which they are entitled.

Sven Hehl is responsible for the processing of data. Therefore, we have implemented numerous technical and organizational measures to ensure the most complete protection of personal data processed through this website. Nevertheless, Internet-based data transmissions can always be subject to security vulnerabilities, so that absolute protection cannot be guaranteed. For this reason, every data subject is free to transmit personal data to us by alternative means, for example by telephone.

1. Definitions

This data protection declaration is based on the terms used by the European Directive and Ordinance when issuing the General Data Protection Regulation (DS-GVO). Our data protection declaration should be easy to read and understand for the public as well as for our customers and business partners. To ensure this, we would like to explain the terminology used in advance. We use the following terms, among others, in this data protection declaration:

Personal data: Personal data is any information relating to an identified or identifiable natural person (hereinafter "data subject"). An identifiable natural person is one who is identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Data subject: Data subject is any identified or identifiable natural person whose personal data are processed by the controller.

Processing: Processing is any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, filing, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Restriction of processing: Restriction of processing is the marking of stored personal data with the aim of limiting their future processing.

Profiling: Profiling is any type of automated processing of personal data that consists of using such personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects relating to that natural person's job performance, economic situation, health, personal preferences, interests, reliability, behavior, location or change of location.

Pseudonymization: Pseudonymization is the processing of personal data in such a way that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separate and is subject to technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable natural person.

Controller or data processor: The controller or data processor is the natural or legal person, public authority, agency or other body which alone or jointly with others determines the purposes and means of the processing of personal data. Where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its designation may be provided for under Union or Member State law.

Processor: A processor is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

Recipient: A recipient is a natural or legal person, public authority, agency or other body to whom personal data are disclosed, whether or not a third party. However, public authorities that may receive personal data in the context of a specific investigative task under Union or Member State law are not considered recipients.

Third Party: A third party is a natural or legal person, public authority, agency or other body other than the Data Subject, the Controller, the Processor and the persons authorized to process the Personal Data under the direct responsibility of the Controller or the Processor.

Consent: Consent shall mean any freely given indication of the data subject's wishes for the specific case in an informed and unambiguous manner, in the form of a statement or other unambiguous affirmative act by which the data subject indicates that he or she consents to the processing of personal data relating to him or her.

2. Name and address of the controller

The controller within the meaning of the General Data Protection Regulation, other data protection laws applicable in the Member States of the European Union and other provisions with data protection character is:

Winterberg-Ferien "Kappe Deluxe" GbR
Sven Hehl
Auf dem Esch 1
48356 Nordwalde
Germany

Phone: (+49)/(0)2573/6078640
Fax: (+49)/(0)2573/6078641
E-mail: privacy@winterberg-ferien.de
Website: https://www.winterberg-ferien.de

3. Hosting services by third party providers

In the context of processing on behalf of Sven Hehl, third party providers provide us with the services for hosting and displaying the website. Based on Art. 6 para. 1 p. 1 lit. f DS-GVO, this serves to protect our legitimate interests in a correct presentation of our offer, which outweigh our interests. All data collected when using our websites as described below is processed on the servers of these third-party providers. Processing on other servers only takes place within the scope explained in each case.

4. Smoobu (hosting and data transfer for the use of the booking system)

Our web presence is located on a server of the German rental service provider Smoobu. In addition, the website was created by using the Smoobu website editor.

The operating company of Smoobu is Smoobu GmbH, Wönnichstraße 68/70, 10713 Berlin, Germany.

The server registers every access to our web presence. Against this background, a series of general data and information is collected each time a data subject or automated system accesses the website.

The following data may be collected: (1) the browser types and versions used, (2) the operating system used by the accessing system, (3) the website from which an accessing system accesses our website (so-called referrer), (4) the sub-websites that are accessed via an accessing system on our website, (5) the date and time of an access to the website, (6) an Internet protocol address (IP address), (7) the Internet service provider of the accessing system and (8) other similar data and information that serve to avert danger in the event of attacks on our information technology systems.

When a data subject uses this website, the general data and information (including his or her IP address) will be transmitted to and stored by Smoobu in the server's log files, separately from any other personal data that the data subject may provide. Thus, any conclusions by us or by Smoobu about a data subject are excluded. Rather, the information is needed (1) to deliver the content of our website correctly, (2) to optimize the content of our website and the advertising for it, (3) to ensure the long-term functionality of our information technology systems and the technology of our website, and (4) to provide law enforcement authorities with the information necessary for prosecution in the event of a cyber attack.

Smoobu also provides users with a booking system with an occupancy calendar, which enables direct booking of our accommodations via the Internet. It also enables extensive communication between us as landlords and tenants and potential customers. Also, Smoobu offers a system for online check-in of tenants through our site, in order to avoid long waiting times when checking into our vacation properties.

In order to make a booking, it is necessary to provide your contact information. Bookings are processed and stored on Smoobu's servers.

Bookings are recorded on this website via a booking system with contact form provided by Smoobu. Which data is specifically affected by this collection, can be seen from the respective input masks. Only the fields marked with an asterisk are mandatory fields. In addition, we store the booking date and the time of booking. Any additional information is not mandatory.

The data you provide on our website, including any notes, are personal data and are processed and used by us to ensure the processing of the booking and the provision of the requested service. We also use your data to provide you with relevant information regarding the booking or during your stay. For the use of the transmitted data for contract processing, we have concluded a contract with Smoobu for order data processing. For questions regarding the specific content of this contract for commissioned data processing as well as the processing of transferred data by Smoobu, the entirety of the employees of the controller are available to the data subject as contact persons.

Furthermore, the data subject may also obtain information about the applicable data protection provisions of Smoobu GmbH at https://www.smoobu.com/en/privacy-policy/.

5. Domainfactory (domain redirect to our website)

All links and domains accessing our website are directed to our website via the central domain “winterberg-ferien.de.” The domain “winterberg-ferien.de” is registered with the German internet provider DomainFactory and redirected from there to our website.

The operating company of the DomainFactory domain registration and web hosting is domainfactory GmbH, Oskar-Messter-Straße 33, 85737 Ismaning, Germany.

The DomainFactory servers register every access to our website. Against this background, a range of general data and information is collected each time the website is accessed by a data subject or an automated system.

The following may be recorded: (1) the browser types and versions used, (2) the operating system used by the accessing system, (3) the website from which an accessing system reaches our website (so-called referrer), (4) the sub-websites that are accessed via an accessing system on our website, (5) the date and time of access to the website, (6) an Internet Protocol address (IP address), (7) the Internet service provider of the accessing system, and (8) other similar data and information that serves to avert danger in the event of attacks on our information technology systems.

DomainFactory uses this information to ensure that the redirection and the entire web server are functioning properly. In addition, the processing of the aforementioned data serves to detect and defend against attacks and to ensure the stable operation of our website. Finally, the processing enables the secure delivery of the website to the user and the creation of anonymized statistics.

DomainFactory may transfer this information to third parties if required by law or if third parties process this data on behalf of DomainFactory.

We have concluded a data processing agreement with DomainFactory. Through this agreement, DomainFactory assures that it processes the data in accordance with the General Data Protection Regulation (GDPR) and guarantees the protection of the rights of the data subject.

The applicable data protection regulations of DomainFactory can be found at https://www.df.eu/de/datenschutz/.

6. Strato (domain redirect to “winterberg-ferien.de”)

The data subject also has the option of accessing our website via one of the domains “kappe-deluxe.de,” “kappe-deluxe.nl,” “feriensuite-winterberg.de,” “designstudio-winterberg.de,” or “aktivurlaub-winterberg.de,” or via third-party websites via a link referring to these domains. These domains are registered with the German internet provider Strato and are redirected from there to our main domain “winterberg-ferien.de”.

The operating company of the Strato domain registration and web hosting is STRATO GmbH, Otto-Ostrowski-Straße 7, 10249 Berlin, Germany.

Strato's servers log every access to our website. Against this background, a range of general data and information is collected each time a data subject or an automated system accesses the website.

The following data may be collected: (1) the browser types and versions used, (2) the operating system used by the accessing system browser types and versions, (2) the operating system used by the accessing system, (3) the website from which an accessing system reaches our website (so-called referrer), (4) the sub-websites that are accessed via an accessing system on our website, (5) the date and time of access to the website, (6) an Internet Protocol address (IP address), (7) the Internet service provider of the accessing system, and (8) other similar data and information that serves to avert danger in the event of attacks on our information technology systems.

Strato uses this information to ensure that the forwarding and the entire web server are functioning properly. In addition, the processing of the aforementioned data serves to detect and defend against attacks and to ensure the stable operation of our website. Finally, the processing enables the secure delivery of the website to the user and the creation of anonymized statistics.

Strato may transfer this information to third parties if required by law or if third parties process this data on behalf of Strato.

We have concluded a data processing agreement with Strato. Through this agreement, Strato assures that it will process the data in accordance with the General Data Protection Regulation (GDPR) and guarantee the protection of the rights of the data subject.

Strato's applicable data protection regulations can be found at https://www.strato.de/datenschutz/.

7. Cookies

The internet pages of Winterberg-Ferien "Kappe Deluxe" GbR use cookies. Cookies are text files that are placed and stored on a computer system (e.g. PC, smartphone, etc.) via an Internet browser.

Numerous Internet pages and servers use cookies. Many cookies contain a so-called cookie ID. A cookie ID is a unique identifier of the cookie. It consists of a string of characters by which Internet pages and servers can be assigned to the specific Internet browser in which the cookie was stored. This enables the visited Internet pages and servers to distinguish the individual browser of the data subject from other Internet browsers that contain other cookies. A specific internet browser can be recognized and identified via the unique cookie ID.

Through the use of cookies, Winterberg-Ferien "Kappe Deluxe" GbR can provide the users of this website with more user-friendly services that would not be possible without the cookie setting. Through the use of cookies, the information and offers on our website can be optimized for the user. Cookies enable us, as already mentioned, to recognize the users of our website. The purpose of this recognition is to make it easier for users to use our website.

The data subject can prevent the setting of cookies by our website at any time by means of an appropriate setting of the Internet browser used and thus permanently object to the setting of cookies. Furthermore, cookies that have already been set can be deleted at any time via an Internet browser or other software programs. This is possible in all common Internet browsers. If the data subject deactivates the setting of cookies in the Internet browser used, not all functions of our website may be fully usable.

By the way: You can manage many online ad cookies from companies yourself via the US site aboutads.info or the EU site youronlinechoices.com!

8. CCM19 (Cookie Consent Management)

The controller uses the consent management tool CCM19 to fulfill a legal obligation based on Art. 6 (1) lit. c GDPR.

CCM19 is operated by Papoo Software & Media GmbH, Auguststraße 4, 53229 Bonn, Germany.

The tool enables data subjects to give their consent to data processing via the website, in particular the setting of cookies, to manage this consent, and to exercise their right to withdraw consent already given.

To do this, CCM19 sets a cookie on the data subject's information technology system. What cookies are has already been explained above. Among other things, the following information is collected and transmitted to CCM19: (1) Consent status regarding the use of cookies on our website (consent(s) or revocation of consent(s); (2) IP address of the data subject; (3) Information about the browser used; (4) Information about your device; (5) Date and time of the page view.

The data processing from this tool serves to obtain the necessary consent for data processing or its revocation, to document it, and to assign it to the respective data subject. This enables us to comply with the above-mentioned legal obligations.
Die erhobenen Daten (einschließlich Ihrer IP-Adresse) werden an einen Server von CCM19 übertragen und dort als Logdatei gespeichert. Eine eigenständige Verarbeitung der Daten durch die Papoo Software & Media GmbH erfolgt nicht. Ein Zugriff auf die Logfiles erfolgt nur nach vorheriger Absprache und mit dem Einverständnis der betroffenen Person. Eine Weitergabe der Daten an Dritte erfolgt nicht. Die Datenspeicherung bleibt so lange bestehen, bis Sie uns zur Löschung auffordern, das CCM19-Cookie selbst löschen oder der Zweck für die Datenspeicherung entfällt. Zwingende gesetzliche Aufbewahrungsfristen bleiben unberührt.

We have concluded a contract with Papoo Software & Media GmbH for order processing. This is a contract required by data protection law, which ensures that CCM19 processes the personal data of our website visitors only in accordance with our instructions and in compliance with the GDPR, and guarantees the protection of the rights of the persons concerned.

The applicable data protection regulations of CCM19 can be found at https://www.ccm19.de/en/datenschutzerklaerung.html.

9. Google Analytics

If the data subject has consented to the use of our cookie consent management tool, this site uses Google's “Google Analytics” tracking tool.

Google Analytics is a web analytics platform that collects website and app data to generate detailed reports on user behavior and transmit them to the operators of the sites and apps. This gives us insights into who visits our website, how long our users stay there, and what content they consume. We use this information to tailor our web content and products to the needs of our users as best as possible and thus improve the user experience. Understanding user behavior also helps us optimize marketing campaigns and increase conversion rates.

For this purpose, Google places a cookie on the information technology system of the data subject. What cookies are has already been explained above. Among other things, the following information is collected and transmitted to Google: (1) browser types and versions used, (2) the operating system used by the accessing system, (3) the website from which an accessing system reaches our website (so-called referrer), (4) the subwebsites and page areas that are accessed via an accessing system on our website, (5) the date, time, and duration of access to the website, (6) an Internet Protocol address (IP address).

Since we have deactivated data sharing with Google and enabled IP address masking when configuring Google Analytics, the storage of your data is reduced to a minimum. For example, Google only uses the IP address of the data subject to determine their location (country, city, region). The full IP address is not stored, only a version truncated at the end, so that neither we nor Google can draw any conclusions about a data subject.

Nevertheless, we would like to point out that user data may be processed outside the European Union. This may pose risks for users, as it could make it more difficult to enforce their rights, for example. However, with regard to US providers certified under the Data Privacy Framework Program, we would like to clarify that they are committed to complying with EU data protection standards. The valid adequacy decision of the European Commission certifies that these companies provide an adequate level of data protection.

The operating company of Google Analytics is Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043-1351, USA.

You can view Google LLC's active Data Privacy Framework license at any time at https://www.dataprivacyframework.gov/list on the Data Privacy Framework Program website.

We have concluded a contract with Google Inc. for order processing. This is a contract required by data protection law that ensures that Google processes the personal data of our website visitors only in accordance with our instructions and in compliance with the GDPR, and guarantees the protection of the rights of the persons concerned.

The privacy policy published by Google, which is available at https://www.google.de/intl/en/policies/privacy/, provides information about the collection, processing, and use of personal data by Google. It also explains the settings options Google offers to protect the privacy of the data subject. A specific explanation of how Google Analytics uses data can be found at https://support.google.com/analytics/answer/6004245?hl=en&utm_id=ad. In addition, various applications are available that make it possible to suppress data transmission to Google. Such applications can be used by the data subject to prevent data transmission to Google.

You can revoke your consent at any time via our cookie consent management tool by setting an opt-out cookie. Alternatively, you can also deactivate the service using a browser add-on, which you can download at https://tools.google.com/dlpage/gaoptout?hl=en. However, if you do not consent, you may not be able to use all the functions of our website to their full extent.

In the event of requests for information and the assertion of user rights, we would like to point out that these can be most effectively asserted with Google itself. Only the providers have access to the user data and can take appropriate measures and provide information directly. If the data subject still requires assistance, they can contact the controller at any time.

10. Contact option via the website

Due to legal requirements, the website of Winterberg-Ferien “Kappe Deluxe” GbR contains information that enables quick electronic contact with our company and direct communication with us, which also includes a direct telephone call button and a button for and a general address for so-called electronic mail (e-mail). If a data subject contacts the controller by telephone, email, or via a contact form, the personal data transmitted by the data subject is automatically stored. Such personal data transmitted voluntarily by a data subject to the controller is stored for the purpose of processing requests or contacting the data subject. This personal data will not be passed on to third parties.

11. Data collection and use for contract processing and registration on our website or opening a customer account

The data subject has the option of registering on the website of the controller by providing personal data. We also collect personal data if you voluntarily provide it to us when making a booking, contacting us (e.g., via contact form or email), or opening a customer account. The personal data transmitted to the controller is determined by the respective input mask.

The personal data entered by the data subject is collected and stored exclusively for internal use by the controller and for its own purposes. The controller may arrange for the data to be passed on to one or more processors, for example a parcel or payment service provider or on-site service providers such as cleaning services or guest services, who also use the personal data exclusively for internal use attributable to the controller. In some cases, these service providers also collect the data required for their activities themselves. If you voluntarily transfer data directly to the service provider beyond our data collection, the privacy policy of the respective service provider applies.

By registering on the website of the controller, the IP address assigned by the Internet service provider (ISP) of the data subject, the date, and the time of registration are also stored. This data is stored because it is the only way to prevent misuse of our services and, if necessary, to enable criminal offenses to be investigated. In this respect, the storage of this data is necessary to protect the controller. This data will not be passed on to third parties unless there is a legal obligation to do so or the disclosure serves the purpose of criminal prosecution.

The registration of the data subject by voluntarily providing personal data serves the purpose of enabling the controller to offer the data subject content or services that, due to their nature, can only be offered to registered users. Registered persons are free to change the personal data provided during registration at any time or to have it completely deleted from the controller's database. The controller shall provide each data subject with information at any time upon request about which personal data is stored about the data subject. Furthermore, the controller shall correct or delete personal data at the request or upon notification of the data subject, provided that this does not conflict with any legal retention obligations. All employees of the controller are available to the data subject as contact persons in this regard.

12. Data protection provisions regarding the use of WhatsApp for customer communication

By voluntarily providing their mobile phone number to the controller—in some cases also through third parties such as booking portals such as Booking.com, Airbnb, etc.—the data subject agrees that the communication necessary for contract processing will also be conducted via the WhatsApp communication platform in addition to other communication channels, provided that the data subject has an existing messaging account there.

In addition to direct contact by us as described above, the controller has also provided a direct button on its website for contacting us via WhatsApp. If a data subject contacts us themselves using this button, the personal data transmitted by the data subject will be stored automatically. Such personal data transmitted on a voluntary basis by a data subject to the controller is also stored for the purposes of processing requests, communicating for contract execution, or contacting the data subject. The transfer of stored personal data by us to third parties is carried out exclusively on the basis of this privacy policy (see also Art. 11, 14, 15, and 28).

We would like to point out that user data may be processed outside the European Union. This may pose risks for users, as it could, for example, make it more difficult to enforce user rights. However, with regard to US providers certified under the Data Privacy Framework Program, we would like to clarify that they are committed to complying with EU data protection standards. The European Commission's valid adequacy decision certifies that these companies provide an adequate level of data protection.

The operating company of WhatsApp is Meta Platforms, Inc., 1 Hacker Way, Menlo Park, CA 94025, USA.

If a data subject lives outside the USA or Canada, the controller responsible for the processing of personal data is WhatsApp Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland.

You can view Meta Platforms Inc.'s active Data Privacy Framework license at any time at https://www.dataprivacyframework.gov/list on the Data Privacy Framework Program website.

When communicating via WhatsApp, both we and WhatsApp receive your phone number and information that we are communicating via the platform.

The aforementioned data is also forwarded by WhatsApp to servers of Meta Platforms, Inc. in the USA and processed by WhatsApp and Meta in accordance with the WhatsApp Privacy Policy, which also includes processing for their own purposes, such as improving the WhatsApp service or drawing conclusions about user behavior.

Please note that WhatsApp also accesses the address book of the device used and the contact data stored therein, among many other things. For more information on the purpose and scope of data collection and the further processing of this data by WhatsApp and Meta, as well as your rights and settings options for protecting your privacy, please refer to the WhatsApp Privacy Policy at https://www.whatsapp.com/legal/#privacy-policy and the WhatsApp Business Privacy Policy at https://business.whatsapp.com/policy.

We have concluded a data processing agreement with WhatsApp. Through this agreement, WhatsApp assures that it processes data in accordance with the General Data Protection Regulation (GDPR) and guarantees the protection of the rights of the data subject.

The processing of users' personal data is based on our legitimate interests in effectively informing users and communicating with them in accordance with Art. 6 (1) lit. f. GDPR. If WhatsApp users are asked to consent to data processing (i.e., they declare their consent, for example, by ticking a checkbox or confirming a button), the legal basis for processing is Art. 6 (1) lit. a, Art. 7 GDPR.

If the data subject does not agree to the processing of personal data by WhatsApp, they can object to communication via WhatsApp by simply notifying the controller. All employees of the controller are available to the data subject as contact persons in this context.

In the case of requests for information and the assertion of user rights, we would also like to point out that these can be most effectively asserted with Instagram itself. Only the providers have access to the user data and can take appropriate measures and provide information directly. If the data subject still requires assistance, they can contact the controller at any time.

13. Data protection provisions regarding the use of WhatsGuest for automated customer communication via WhatsApp

The controller has integrated WhatsGuest into its booking system with the aim of automating guest and customer communication via WhatsApp (see also Art. 12). WhatsGuest is a German guest messaging platform.

WhatsGuest is operated by AK Software GmbH, Seydelstraße 7, 10117 Berlin, Germany.

When using WhatsGuest as a messaging platform for WhatsApp, AK Software GmbH processes the telephone number of the data subject as well as message content and communication history, booking information and guest inquiries, technical data from the data exchange with WhatsApp, and personal data from the connection with our booking system Smoobu (see Art. 4).

This data is used to provide WhatsApp services and facilitates communication between us and the data subject. In addition, AK Software GmbH analyzes the data to improve its services and processes it in accordance with the WhatsApp Business API guidelines (see also Art. 12). Finally, WhatsGuest also enables the synchronization of communication histories with our booking system Smoobu.

In addition, we would like to point out that we do not use artificial inteligence when creating WhatsApp messages sent via WhatsGuest and have deactivated these functions.

For more information on the purpose and scope of data collection and further processing of this data by WhatsGuest and AK Software GmbH, as well as your rights and settings options for protecting your privacy, please refer to the WhatsGuest privacy policy at https://www.whatsguest.de/datenschutz.

We have concluded a data processing agreement with AK Software GmbH. Through this agreement, AK Software GmbH assures that it will process the data collected via WhatsGuest in accordance with the General Data Protection Regulation (GDPR) and guarantee the protection of the rights of the data subject.

The processing of users' personal data is based on our legitimate interests in effectively informing users and communicating with them in accordance with Art. 6 (1) lit. f. GDPR.

If the data subject does not agree to the processing of personal data by WhatsGuest, they can object to communication via WhatsGuest by simply notifying the controller. All employees of the controller are available to the data subject as contact persons in this regard.

In addition, we would like to point out that in the event of requests for information and the assertion of user rights, these can be most effectively asserted with the body responsible for data processing at WhatsGuest itself. Only the providers have access to the user data and can take appropriate measures and provide information directly.

The data controller responsible for WhatsGuest is Büttner Holding GmbH, Karlstraße 57, 45661 Recklinghausen, Germany.

If the data subject nevertheless requires assistance, they can contact the controller at any time.

14. Niedersfeld Plus

After the person concerned has booked holiday accommodation or otherwise commissioned the controller via our website or booking system, the controller uses the services of Niedersfeld Plus to fulfill the contract. Niedersfeld Plus is a German vacation property management company that takes care of the cleaning and preparation of the vacation properties on site and also looks after guests during their stay.

The operating company of Niedersfeld Plus is Niedersfeld Plus UG (limited liability), Am Bergelchen 22, 59955 Winterberg, Germany.

When engaging Niedersfeld Plus, we transfer various personal data of the data subject to the company, which it needs on site to fulfill the contract. This may include, among other things: (1) booked vacation accommodation, (2) date and time of arrival and departure, (3) names of the person concerned and their fellow travelers, (4) mobile phone number provided, (5) email address provided, (6) postal address of all travelers, (7) nationality of all travelers, (8) date of birth of all travelers, (9) other individual information from the communication conducted.

Niedersfeld Plus processes the transmitted data exclusively for the purpose of contract execution. The data will not be passed on to third parties unless this is necessary for the fulfillment of the contract (e.g., subcontractors).

We process users' personal data on the basis of our legitimate interest in the proper performance of a contract to which the data subject is a party and/or in the implementation of pre-contractual measures pursuant to Art. 6 (1) lit. b GDPR.

We have concluded a data processing agreement with Niedersfeld Plus. Through this agreement, Niedersfeld Plus assures that it will process the data in accordance with the General Data Protection Regulation (GDPR) and guarantee the protection of the rights of the data subject.

15. AVS registration form system for fulfilling the registration requirements of the city of Winterberg

Visiting a holiday accommodation in Winterberg is subject to a visitor's tax. We are therefore obliged to transmit the personal data of all our holiday guests to the city of Winterberg via the AVS registration form system. The transfer of data for the fulfilment of registration requirements and the spa tax payable through us is based on Section 30 (3) of the Federal Registration Act (BMG) and the spa tax regulations of the city of Winterberg in their current version.

The operator of the AVS registration form is AVS Abrechnungs- und Verwaltungs-Systeme GmbH, Josephsplatz 8, 95444 Bayreuth, Germany.

After the data requested in the check-in masks of our booking system has been entered by the data subject, the necessary personal data is automatically transferred from there to the AVS registration form system. This may include, among other things: (1) booked holiday accommodation, (2) date of arrival and departure, (3) names of the data subject and their fellow travellers, (4) email addresses of all travellers, (5) postal address of the person registering the trip, (6) nationalities of all travellers, (7) ID number of the person registering the trip, (8) dates of birth of all travellers, (9) other individual information from the communication, (10) vehicle registration number of the person registering the trip.

AVS forwards the processed data to the town of Winterberg in order to comply with registration requirements and, on behalfof the spa tax management department, generates the spa cards (either the ‘Sauerland Card’ or the ‘Sauerland SommerCard’, depending on the season) and the registration form, which must be signed in person by the person concerned upon arrival. The person concerned will receive the digital visitor cards by email from the town of Winterberg before their arrival.

AVS processes the above-mentioned data in accordance with Art. 28 GDPR as a processor for the town of Winterberg. Information about the type, scope and duration of the data processed can be obtained from Winterberg Touristik und Wirtschaft GmbH, Am Kurpark 4, 59955 Winterberg, Germany.

For more details on the purpose and scope of data collection and the further processing of this data by AVS and the town of Winterberg, represented by Winterberg Touristik und Wirtschaft GmbH, as well as your rights and settings options for protecting your privacy, please refer to the data protection policy of the town of Winterberg at https://www.winterberg.de/datenschutz/.

16. Data protection provisions regarding the use of sevDesk for data storage for accounting purposes

The controller uses the online accounting software from the German software provider sevDesk for accounting, invoicing and communication purposes.

The operating company of sevDesk is sevDesk GmbH, Im Unteren Angel 1, 77652 Offenburg, Germany.

If the data subject has concluded a contract with us via our booking system or a linked booking portal (e.g. Booking.com, Airbnb, etc.), the controller stores personal and order-related data in the sevDesk accounting software. This may include, among other things: (1) booked holiday accommodation, (2) date of arrival and departure, (3) name of the data subject, (4) email address, (5) postal address, (6) telephone numbers, (7) date of birth, (8) bank or credit card details, (9) age and number of fellow travellers, (10) ordering of additional services, (11) billing information, (12) payment status.

The legal basis for data storage for accounting purposes is provided by the German Fiscal Code (AO) and the German Commercial Code (HGB). These laws stipulate the obligation to retain business documents. In addition to this, the principles of proper accounting (GoBD) issued by the Ministry of Finance, which define the rules for electronic data processing and storage, are also applicable. Based on these legal regulations, we store data in accordance with the retention periods stipulated by tax and commercial law (see also Art. 32).

In this context, the processing of users' personal data is based on our legitimate interest in the proper performance of a contract to which the data subject is a party and/or in the implementation of pre-contractual measures pursuant to Art. 6(1) lit. b GDPR. In addition, Art. 6 (1) lit. c GDPR regulates our legitimate interest in the proper fulfilment of our legal obligations. Finally, data processing is based on our legitimate interests in effectively informing users and communicating with them in accordance with Art. 6 (1) lit. f GDPR.

We have concluded a data processing agreement with sevDesk. Through this agreement, sevDesk assures that it processes the data in accordance with the General Data Protection Regulation (GDPR) and guarantees the protection of the rights of the data subject.

For more information on the purpose and scope of data collection and the further processing of this data by sevDesk, as well as your rights and settings options for protecting your privacy, please refer to the sevDesk GmbH privacy policy at https://sevdesk.de/datenschutz/.

17. Payment method: Data protection provisions for the use of Stripe services for payment processing

The controller has integrated components from Stripe on this website.

Stripe is a payment service provider that enables cashless payment for products and services on the internet. Stripe allows the buyer to choose from various payment methods (credit card payment, direct debit, etc.). Stripe then implements a technical process through which the online retailer immediately receives payment confirmation. This enables a retailer to deliver goods, services or downloads, as well as travel documents, to the customer immediately after the order has been placed.

Stripe is operated by Stripe, Inc., 510 Townsend Street, San Francisco, CA 94103, USA.

If the data subject selects ‘credit card payment’ or ‘direct debit’ as the payment option during the booking or ordering process on our website, the data subject's data is automatically transmitted to Stripe. By selecting one of these payment options, the data subject consents to the transfer of personal data necessary for payment processing.

The personal data transmitted to Stripe usually includes first name, last name, address, email address, IP address, telephone number, mobile phone number or other data, as well as financial transaction data such as credit card number or account details, which are necessary for payment processing. Personal data related to the respective booking and/or order is also necessary for the execution of the purchase contract.

The purpose of transferring the data is to process payments and prevent fraud. The controller will transfer personal data to Stripe in particular if there is a legitimate interest in the transfer.

We would like to point out that user data may be processed outside the European Union. This may pose risks for users, as it could, for example, make it more difficult to enforce their rights. However, with regard to US providers certified under the Data Privacy Framework Programme, we would like to clarify that they are committed to complying with EU data protection standards. The valid adequacy decision of the European Commission certifies that these companies have an adequate level of data protection.

You can view Stripe, Inc.'s active Data Privacy Framework licence at any time at https://www.dataprivacyframework.gov/list on the Data Privacy Framework Programme website.

The personal data exchanged between Stripe and the controller may be transferred by Stripe to credit reference agencies. The purpose of this transfer is to verify identity and creditworthiness. Stripe may disclose personal data to affiliated companies and service providers or subcontractors to the extent necessary to fulfil its contractual obligations or to process the data on its behalf.

We have entered into a data processing agreement with Stripe. Through this agreement, Stripe assures that it will process data in accordance with the General Data Protection Regulation (GDPR) and guarantee the protection of the rights of the data subject.

Stripe's applicable data protection provisions can be found at https://stripe.com/privacy.

18. Data protection provisions regarding the use of paywise debt collection services

If, despite a ‘final reminder’ setting a deadline for payment, the data subject fails to meet their contractual payment obligations, the controller will use the debt management services of the German debt collection agency paywise.

The operating company of paywise is paywise GmbH, Hopfenstraße 8, 80335 Munich, Germany.

In the above mentioned case, the controller will transfer personal and contract-related information to paywise. The data transfer takes place directly via a REST API from paywise, which the controller has integrated into the sevDesk accounting system (see also Art. 16). The purpose of the data transfer is to commission paywise to collect outstanding debts by means of debt collection.

The data transferred to paywise may include, among other things: (1) master data, contact details and bank details of the data subject, (2) data relating to the contractual relationship between the controller and the data subject (e.g. contract content, correspondence, payment history, etc.), (3) other information and images resulting from the documents submitted.

The processing of users' personal data is based on our legitimate interest in enforcing our lawful claims in the interests of the proper execution of our business operations in accordance with Art. 6(1) lit. f GDPR.

Subsequently, the processing of the data necessary for the collection of the claim (debtor data) is carried out by paywise on its own responsibility and not on behalf of the controller. Personal data is only stored by paywise for as long as it is necessary to fulfil the purpose of processing. It is deleted as soon as it is no longer required for the purpose.

In this context, however, we would like to point out that the personal data exchanged between paywise and the controller may also be transferred to credit agencies under certain circumstances. There, this data may be taken into account when determining probability values (scoring). In addition, paywise may also pass on personal data to affiliated companies and service providers or subcontractors, insofar as this is necessary to fulfil contractual obligations or the data is to be processed on behalf of paywise.

In this regard, we would like to point out that paywise also uses innovative AI technology from Microsoft for efficient order processing, which means that personal data can also be processed abroad. For this purpose, paywise has concluded a data processing agreement with Microsoft.

For more information on the purpose and scope of data collection and further processing of this data by paywise, as well as your rights and settings options for protecting your privacy, please refer to the paywise GmbH privacy policy at https://paywise.de/datenschutz/.

19. Use of data for advertising purposes

In addition to the processing of personal data for the performance of contracts, Sven Hehl also uses the data collected under Sections 4, 10 and 11 to communicate with the data subject about his or her bookings, specific products or marketing campaigns and to recommend products or services. Customers of Winterberg-Ferien "Kappe Deluxe" GbR occasionally receive product recommendations by e-mail that may be of interest to them.

These product recommendations are sent on the basis of Art. 6 (1) p. 1 lit. f GDPR even independently of the subscription to a newsletter. The legitimate interest of Sven Hehl results from the purpose of the data use listed here. Thus, Sven Hehl wants to send the data subject information about products from its range that may be of interest to them based on their recent purchases.

The mailing is carried out strictly in accordance with the legal requirements. This also includes that the data subject may object at any time to the processing of his or her data for direct marketing purposes. The entirety of the employees of the controller are available as contact persons for the data subject in this context.

20. Routine erasure and blocking of personal data

The controller processes and stores personal data of the data subject only for the period of time necessary to achieve the purpose of storage or insofar as this has been provided for by the European Directives and Regulations or other legislator in laws or regulations to which the controller is subject. If the storage purpose ceases to apply or if a storage period prescribed by the European Directive and Regulation Maker or another competent legislator expires, the personal data will be routinely blocked or deleted in accordance with the statutory provisions.

21. Rights ofe the data subject

Right to confirmation: Every data subject has the right granted by the European Directive and Regulation to obtain confirmation from the controller as to whether personal data concerning him or her are being processed. If a data subject wishes to exercise this right of confirmation, he or she may, at any time, contact any employee of the controller.

Right of access: Any person concerned by the processing of personal data has the right granted by the European Directive and Regulation to obtain at any time from the controller, free of charge, information about the personal data stored about him or her, and a copy of that information. In addition, the European Directive and Regulation Body has granted the data subject access to the following information:

* the purposes of processing;
* the categories of personal data processed;
* the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular in the case of recipients in third countries or international organizations;
* if possible, the planned duration for which the personal data will be stored or, if this is not possible, the criteria for determining this duration;
* the existence of a right to obtain the rectification or erasure of personal data concerning them or to obtain the restriction of processing by the controller or a right to object to such processing;
* the existence of a right of appeal to a supervisory authority;
* where the personal data are not or have not been collected from the data subject himself: any available information on the origin of the data;
* the existence of automated decision-making, including profiling, pursuant to Article 22 (1) and (4) of the GDPR and, at least in these cases, meaningful information about the logic involved and the scope and intended effects of such processing for the data subject.

In addition, the data subject shall have the right to obtain information as to whether personal data have been transferred to a third country or to an international organization. If this is the case, the data subject also has the right to obtain information about the appropriate safeguards in connection with the transfer. If a data subject wishes to exercise this right of access, he or she may, at any time, contact an employee of the controller.

Right of rectification: Every data subject affected by the processing of personal data has the right granted by the European Directive and Regulation to request that inaccurate personal data concerning him or her be corrected without delay. Furthermore, the data subject has the right to request the completion of incomplete personal data – also by means of a supplementary declaration – taking into account the purposes of the processing. If a data subject wishes to exercise this right of rectification, he or she may, at any time, contact any employee of the controller.

Right to erasure (right to be forgotten): Any person concerned by the processing of personal data has the right granted by the European Directive and Regulation to obtain from the controller the erasure without delay of personal data concerning him or her, where one of the following grounds applies and insofar as the processing is not necessary.

* The personal data were collected or otherwise processed for such purposes for which they are no longer necessary.
* The data subject withdraws his or her consent on which the processing was based pursuant to Article 6 (1a) GDPR or Article 9 (2a) GDPR and there is no other legal basis for the processing.
* The data subject objects to the processing pursuant to Art. 21 (1) GDPR and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Art. 21 (2) GDPR.
* The personal data have been processed unlawfully.
* The erasure of the personal data is necessary for compliance with a legal obligation under Union or Member State law to which the controller is subject.
* The personal data has been collected in relation to information society services offered pursuant to Article 8 (1) of the GDPR.

If one of the aforementioned reasons applies, and a data subject wishes to arrange the erasure of personal data stored by Winterberg-Ferien, he or she may, at any time, contact any employee of the controller. The employee will arrange for the erasure request to be complied with immediately. If the personal data have been made public by Winterberg-Ferien and we as the controller are obliged to erase the personal data pursuant to Article 17 (1) of the Data Protection Regulation, we shall implement reasonable measures, including technical measures, to allow other data controllers to process the published personal data and to inform the data subject that he or she has requested from those other data controllers to erase all links to or copies or replications of the personal data, unless the processing is necessary. The employee of Winterberg-Ferien "Kappe Deluxe" GbR will arrange the necessary in individual cases.

Right to restriction of processing: Every data subject concerned by the processing of personal data has the right, granted by the European Directive and the Regulation, to obtain from the controller the restriction of processing where one of the following conditions is met:

* The accuracy of the personal data is contested by the data subject for a period enabling the controller to verify the accuracy of the personal data.
* The processing is unlawful, the data subject objects to the erasure of the personal data and requests instead the restriction of the use of the personal data.
* The controller no longer needs the personal data for the purposes of the processing, but the data subject needs it for the establishment, exercise or defense of legal claims.
* The data subject has objected to the processing pursuant to Article 21 (1) of the GDPR and it is not yet clear whether the legitimate grounds of the controller override those of the data subject.

If one of the aforementioned conditions is met, and a data subject wishes to request the restriction of personal data stored by Winterberg-Ferien "Kappe Deluxe" GbR, he or she may, at any time, contact any employee of the controller. The employee will arrange the restriction of the processing.

Right to data portability: Every data subject concerned by the processing of personal data has the right, granted by the European Directive and the Regulation, to obtain personal data concerning him or her, which has been provided by the data subject to a controller, in a structured, commonly used and machine-readable format. He or she also has the right to transmit this data to another controller without hindrance from the controller to whom the personal data have been provided, provided that the processing is based on consent pursuant to Article 6 (1a) of the GDPR or Article 9 (2a) of the GDPR or on a contract pursuant to Article 6 (1b) of the GDPR and the processing is carried out by automated means, unless the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

Furthermore, when exercising the right to data portability pursuant to Article 20 (1) of the GDPR, the data subject has the right to obtain that the personal data be transferred directly from one controller to another controller, where technically feasible and provided that this does not adversely affect the rights and freedoms of other individuals. In order to assert the right to data portability, the data subject may at any time contact any employee of Winterberg-Ferien "Kappe Deluxe" GbR.

Right to object: Any person affected by the processing of personal data has the right granted by the European Directive and Regulation to object at any time, on grounds relating to his or her particular situation, to the processing of personal data concerning him or her which is carried out on the basis of Article 6 (1) sentence 1 lit. e or f GDPR. This also applies to profiling based on these provisions. We shall no longer process the personal data in the event of the objection, unless we can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or for the assertion, exercise or defence of legal claims.

If Sven Hehl processes personal data for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data processed for such marketing. If the data subject objects to Sven Hehl to the processing for direct marketing purposes, we will no longer process the personal data for these purposes. In addition, the data subject has the right, on grounds relating to his or her particular situation, to object to processing of personal data concerning him or her which is carried out by the Winterberg-Ferien for scientific or historical research purposes, or for statistical purposes pursuant to Article 89 (1) of the Data Protection Regulation (GDPR), unless such processing is necessary for the performance of a task carried out for reasons of public interest. In order to exercise the right to object, the data subject may directly contact any employee of Winterberg-Ferien "Kappe Deluxe" GbR.

In addition, the data subject is free to exercise his/her right to object by means of automated procedures using technical specifications in connection with the use of information society services, notwithstanding Directive 2002/58/EC.

Automated decisions in individual cases, including profiling: Any person concerned by the processing of personal data shall have the right, granted by the European Directive and the Regulation, not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her, unless the decision (1) is necessary for entering into, or the performance of, a contract between the data subject and the controller, or (2) is permitted by Union or Member State law to which the controller is subject and that law contains suitable measures to safeguard the data subject's rights and freedoms and legitimate interests, or (3) is made with the data subject's explicit consent.

If the decision (1) is necessary for entering into, or the performance of, a contract between the data subject and the data controller, or (2) it is made with the data subject's explicit consent, the Sven Hehl shall implement suitable measures to safeguard the data subject's rights and freedoms and legitimate interests, which include at least the right to obtain the intervention of a data subject on the part of the controller, to express his or her point of view and contest the decision. If the data subject wishes to exercise the rights concerning automated decisions, he or she may, at any time, contact any employee of the controller.

Right to withdraw consent under data protection law: Every data subject affected by the processing of personal data has the right, granted by the European Directive and Regulation-maker, to withdraw consent to the processing of personal data at any time. If the data subject wishes to exercise the right to withdraw consent, he or she may, at any time, contact any employee of the controller.

22. Integration of third party services and content

It may happen that third-party content, such as videos from YouTube, maps from Google Maps, RSS feeds or graphics from other websites are integrated within this online offer. This always requires that the providers of this content (hereinafter referred to as "third-party providers") perceive the IP address of the user. Without the IP address, they could not send the content to the browser of the respective user. The IP address is thus necessary for the display of this content.

We endeavor to use only such content whose respective providers use the IP address only for the delivery of the content. However, we have no influence if the third-party providers store the IP address, e.g. for statistical purposes. Insofar as this is known to us, we inform the users about it.

23. Privacy policy regarding the use of our online presence on Facebook

We maintain an online presence on Facebook in order to communicate with customers, interested parties, and users who are active there and to inform them about our services.

We would like to point out that user data may be processed outside the European Union. This may pose risks for users, as it could make it more difficult for them to enforce their rights, for example. However, with regard to US providers certified under the Data Privacy Framework Program, we would like to clarify that they are committed to complying with EU data protection standards. The valid adequacy decision of the European Commission certifies that these companies have an adequate level of data protection.

The operating company of Facebook is Meta Platforms, Inc., 1 Hacker Way, Menlo Park, CA 94025, USA.

If a data subject lives outside the US or Canada, the controller responsible for the processing of personal data is Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland.

You can view Meta Platforms, Inc.'s active Data Privacy Framework license at any time at https://www.dataprivacyframework.gov/list on the Data Privacy Framework Program website.

In general, Facebook also processes user data for market research and advertising purposes. For example, usage profiles can be created based on user behavior and the resulting interests. These usage profiles can then be used, for example, to place advertisements within and outside the platforms that are likely to correspond to the interests of the users. For these purposes, cookies are usually stored on users' computers, in which the usage behavior and interests of users are stored. Furthermore, data can also be stored in the usage profiles independently of the devices used by users (especially if users are members of Facebook and are logged in at the same time).

The processing of users' personal data is based on our legitimate interests in effectively informing users and communicating with them in accordance with Art. 6 (1) lit. f GDPR. If Facebook asks users for consent to data processing (i.e., they declare their consent, e.g., by checking a box or confirming a button), the legal basis for processing is Art. 6 (1) lit. a, Art. 7 GDPR.The data policy published by Facebook, which is available at https://facebook.com/about/privacy/, provides information about the collection, processing, and use of personal data by Facebook. It also explains the settings options Facebook offers to protect the privacy of the data subject. Various applications are also available that enable data transmission to Facebook to be suppressed. Such applications can be used by the data subject to prevent data transmission to Facebook.

If the data subject does not agree to the processing of data by Facebook, they can object to its use at https://www.facebook.com/settings?tab=ads#_=_.

In the case of requests for information and the assertion of user rights, we would also like to point out that these can be most effectively asserted with Facebook itself. Only the providers have access to the users' data and can take appropriate measures and provide information directly. If the data subject still needs help, they can contact the controller at any time.

24. Privacy policy regarding the use of our online presence on Instagram

We maintain an online presence on Instagram in order to communicate with customers, interested parties, and users who are active there and to inform them about our services.

We would like to point out that user data may be processed outside the European Union. This may pose risks for users, as it could, for example, make it more difficult to enforce their rights. However, with regard to US providers certified under the Data Privacy Framework Program, we would like to clarify that they are committed to complying with EU data protection standards. The valid adequacy decision of the European Commission certifies that these companies have an adequate level of data protection.

The operating company of Instagram is Meta Platforms, Inc., 1 Hacker Way, Menlo Park, CA 94025, USA.

If a data subject lives outside the USA or Canada, the controller responsible for the processing of personal data is Instagram Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland.

You can view Meta Platforms, Inc.'s active Data Privacy Framework license at any time at https://www.dataprivacyframework.gov/list on the Data Privacy Framework Program website.

In general, Instagram also processes user data for market research and advertising purposes. For example, usage profiles can be created based on user behavior and the resulting interests. These usage profiles can then be used, for example, to place advertisements within and outside the platforms that are likely to correspond to the interests of the users. For these purposes, cookies are usually stored on users' computers, in which the usage behavior and interests of users are stored. Furthermore, data can also be stored in the usage profiles independently of the devices used by users (especially if users are members of Instagram and are logged in at the same time).

The privacy policy published by Instagram, which is available at https://help.instagram.com/519522125107875, provides information about the collection, processing, and use of personal data by Instagram and Facebook. It also explains the settings options Instagram offers to protect the privacy of the data subject. Various applications are also available that make it possible to suppress data transmission to Instagram. Such applications can be used by the data subject to prevent data transmission to Instagram.

If the data subject does not agree with the processing of data by Instagram, they can object to its use at https://www.instagram.com/accounts/privacy_and_security.

In the case of requests for information and the assertion of user rights, we would also like to point out that these can be most effectively asserted with Instagram itself. Only the providers have access to the users' data and can take appropriate measures and provide information directly. If the data subject still needs help, they can contact the controller at any time.

25. Privacy policy regarding the use of YouTube

The controller has integrated components from YouTube into its website. YouTube is an internet video portal that allows video publishers to upload video clips free of charge and other users to view, rate, and comment on them, also free of charge. YouTube allows the publication of all types of videos, which is why complete films and television programs, as well as music videos, trailers, and videos created by users themselves, are available via the internet portal.

YouTube is operated by YouTube, LLC, 901 Cherry Ave., San Bruno, CA 94066, USA. YouTube, LLC is a subsidiary of Google Inc., 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, USA.

Each time one of the individual pages of this website operated by the controller is accessed, on which a YouTube component (YouTube video) has been integrated, the Internet browser on the information technology system of the data subject is automatically prompted by the respective YouTube component to download a representation of the corresponding YouTube component from YouTube. Further information about YouTube can be found at https://www.youtube.com/yt/about/en/. As part of this technical process, YouTube and Google become aware of which specific subpage of our website is visited by the data subject.

In general, YouTube also processes user data for market research and advertising purposes. For example, usage profiles can be created based on the usage behavior and resulting interests of users. The usage profiles can in turn be used, for example, to place advertisements within and outside the platforms that are presumed to correspond to the interests of the users. For these purposes, cookies are usually stored on the users' computers, in which the usage behavior and interests of the users are stored. Furthermore, data can also be stored in the usage profiles independently of the devices used by the users (in particular if the users are members of YouTube and are logged in at the same time).

If the data subject is logged into YouTube at the same time, YouTube recognizes which specific subpage of our website the data subject is visiting when they call up a subpage that contains a YouTube video. This information is collected by YouTube and Google and assigned to the respective YouTube account of the data subject. YouTube and Google receive information via the YouTube component that the data subject has visited our website whenever the data subject is logged into YouTube at the same time as visiting our website; this occurs regardless of whether the data subject clicks on a YouTube video or not. If the data subject does not want this information to be transmitted to YouTube and Google, they can prevent the transmission by logging out of their YouTube account before visiting our website.

You can view Google LLC's active Data Privacy Framework license at any time at https://www.dataprivacyframework.gov/list on the Data Privacy Framework Program website.

The privacy policy published by YouTube, which is available at https://www.google.com/intl/en/policies/privacy/, provides information about the collection, processing, and use of personal data by YouTube and Google.

26. Privacy policy regarding the use of our online presence on YouTube

We maintain an online presence on YouTube in order to communicate with customers, interested parties, and users who are active there and to inform them about our services.

We would like to point out that user data may be processed outside the European Union. This may pose risks for users, as it could, for example, make it more difficult to enforce user rights. However, with regard to US providers certified under the Data Privacy Framework Program, we would like to clarify that they are committed to complying with EU data protection standards. The valid adequacy decision of the European Commission certifies that these companies have an adequate level of data protection.

The operating company of YouTube is YouTube, LLC, 901 Cherry Ave., San Bruno, CA 94066, USA. YouTube, LLC is a subsidiary of Google Inc., 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, USA.

You can view Google LLC's active Data Privacy Framework license at any time at https://www.dataprivacyframework.gov/list on the Data Privacy Framework Program website.

In general, YouTube also processes user data for market research and advertising purposes. For example, usage profiles can be created based on user behavior and the resulting interests. The usage profiles can in turn be used, for example, to place advertisements within and outside the platforms that presumably correspond to the interests of the users. For these purposes, cookies are usually stored on users' computers, in which the usage behavior and interests of users are stored. Furthermore, data can also be stored in the usage profiles independently of the devices used by users (especially if users are members of YouTube and are logged in at the same time).

The privacy policy published by Google, which is available at https://www.google.com/intl/en/policies/privacy/, provides information about the collection, processing, and use of personal data by YouTube and Google. It also explains the settings options Google offers to protect the privacy of the data subject. Various applications are also available that enable data transmission to YouTube or Google to be suppressed. Such applications can be used by the data subject to prevent data transmission to YouTube or Google.

If the data subject does not agree to the processing of data by YouTube or Google, they can object to its use at https://adssettings.google.com/authenticated.

In the case of requests for information and the assertion of user rights, we would also like to point out that these can be most effectively asserted with YouTube or Google itself. Only the providers have access to the user's data and can take appropriate measures and provide information directly. If the data subject still needs help, they can contact the controller at any time.

27. Privacy policy regarding the use of Google Maps

The controller has integrated components of the “Google Maps” service into its website, in order to enable our guests to access route plans to the locations of our vacation properties in the form of directions and data records for navigation using interactive maps. In addition, the location maps serve to illustrate the location of our vacation accommodations to our prospective customers and guests in a visual form.

In this regard, we would like to point out that user data may be processed outside the European Union. This may pose risks for users, as it could, for example, make it more difficult to enforce their rights.

Furthermore, user data is generally processed for market research and advertising purposes. For example, usage profiles can be created based on the usage behavior and resulting interests of users. The usage profiles can in turn be used, for example, to place advertisements within and outside the platforms that presumably correspond to the interests of the users. For these purposes, cookies are usually stored on users' computers, in which the usage behavior and interests of users are stored. Furthermore, data can also be stored in the usage profiles independently of the devices used by users (especially if users are members of Google and are logged in at the same time).

However, with regard to US providers certified under the Data Privacy Framework Program, we would like to clarify that they are committed to complying with EU data protection standards. The European Commission's valid adequacy decision certifies that these companies provide an adequate level of data protection.

Google Maps is operated by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043-1351, USA.

You can view Google LLC's active Data Privacy Framework license at any time at https://www.dataprivacyframework.gov/list on the Data Privacy Framework Program website.

By using Google Maps, information about the use of this website, including your IP address and the (start) address entered in the route planner function, may be transmitted to Google in the USA. When you visit a page on our website that contains Google Maps, your browser establishes a direct connection to Google's servers. The map content is transmitted directly from Google to your browser. Therefore, we have no influence on the scope of the data collected by Google in this way.

In general, Google processes information about how users interact with the maps provided. For example, the tool shows which parts of the maps users view, which functions they use, and how they navigate the map. Google also collects device data such as browser, operating system, and hardware configurations.

The privacy policy published by Google, which is available at https://www.google.com/intl/en/policies/privacy/, provides information about the collection, processing, and use of personal data by Google. It also explains the settings options Google offers to protect the privacy of the data subject. In addition, various applications are available that make it possible to suppress data transmission to Google. Such applications can be used by the data subject to prevent data transmission to Google.

If the data subject does not agree to the processing of data by Google, they can object to its use at https://adssettings.google.com/authenticated.

In the case of requests for information and the assertion of user rights, we would also like to point out that these can be most effectively asserted with Google itself. Only the providers have access to the user data and can take appropriate measures and provide information directly. If the data subject still requires assistance, they can contact the controller at any time.

28. Privacy policy regarding the use of AWIN

The data controller has integrated components from the company AWIN into this website. AWIN is a German affiliate network that offers affiliate marketing.

Affiliate marketing is an internet-based form of distribution that enables commercial operators of websites, known as merchants or advertisers, to display advertising, which is usually remunerated via click or sale commissions, on third-party websites, i.e., distribution partners, also known as affiliates or publishers. The merchant provides advertising material, such as an advertising banner or other suitable means of internet advertising, via the affiliate network, which is then integrated by an affiliate on their own websites or advertised via other channels, such as keyword advertising or email marketing.

AWIN is operated by AWIN AG, Eichhornstraße 3, 10785 Berlin, Germany.

AWIN places a cookie on the data subject's information technology system. Cookies have already been explained above. AWIN's tracking cookie is not used to identify the data subject. Only the identification number of the affiliate, i.e., the partner referring the potential customer, as well as the reference number of the visitor to a website and the advertising material clicked on are stored. The purpose of storing this data is to process commission payments between a merchant and the affiliate, which are handled via the affiliate network, namely AWIN.

As described above, the data subject can prevent the setting of cookies by our website at any time by means of a corresponding setting in the Internet browser used and thus permanently object to the setting of cookies. Such a setting in the Internet browser used would also prevent AWIN from setting a cookie on the data subject's information technology system. In addition, cookies already set by AWIN can be deleted at any time via an Internet browser or other software programs.

The applicable data protection regulations of AWIN AG can be accessed at https://www.awin.com/gb/privacy.

29. Privacy policy regarding the use of Google AdWords

The controller has integrated Google AdWords into this website.

Google AdWords is an internet advertising service that allows advertisers to place ads in Google search engine results and on the Google advertising network. Google AdWords enables advertisers to specify certain keywords in advance, which are then used to display an ad in Google's search engine results only when the user enters a keyword-relevant search result in the search engine. In the Google advertising network, the ads are distributed to relevant websites using an automatic algorithm and taking into account the previously specified keywords.

The operator of Google AdWords services is Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043-1351, USA.

You can view Google LLC's active Data Privacy Framework license at any time at https://www.dataprivacyframework.gov/list on the Data Privacy Framework Program website.

The purpose of Google AdWords is to promote our website by displaying interest-based advertising on the websites of third-party companies and in the search results of the Google search engine, and to display third-party advertising on our website.

If a data subject accesses our website via a Google ad, Google places a so-called conversion cookie on the data subject's information technology system. What cookies are has already been explained above. A conversion cookie loses its validity after 30 days and is not used to identify the data subject. The conversion cookie is used to track whether certain subpages, such as the shopping cart of an online shop system, have been accessed on our website, provided that the cookie has not yet expired. The conversion cookie allows both us and Google to track whether a data subject who has accessed our website via an AdWords ad has generated a sale, i.e., completed or cancelled a purchase.

The data and information collected through the use of conversion cookies is used by Google to compile visit statistics for our website. We in turn use these visit statistics to determine the total number of users who were referred to us via AdWords ads, i.e. to determine the success or failure of the respective AdWords ad and to optimise our AdWords ads for the future. Neither we nor other Google AdWords advertisers receive information from Google that could be used to identify the data subject.

The conversion cookie stores personal information, such as the websites visited by the data subject. Each time our websites are visited, personal data, including the IP address of the Internet connection used by the data subject, is transmitted to Google in the United States of America. This personal data is stored by Google in the United States of America. Google may pass on this personal data collected via the technical process to third parties.

Furthermore, user data is generally also processed by Google itself for market research and advertising purposes. For example, usage profiles can be created based on user behaviour and the resulting interests. The usage profiles can in turn be used, for example, to place advertisements within and outside the platforms that are presumed to correspond to the interests of the users. For these purposes, cookies are usually stored on users' computers, in which the usage behaviour and interests of users are stored. Furthermore, data can also be stored in the usage profiles independently of the devices used by users (especially if users are members of Google and are logged in at the same time).

As described above, the data subject can prevent the setting of cookies by our website at any time by means of a corresponding setting in the Internet browser used and thus permanently object to the setting of cookies. Such a setting of the Internet browser used would also prevent Google from setting a conversion cookie on the information technology system of the data subject. In addition, a cookie already set by Google AdWords can be deleted at any time via the Internet browser or other software programmes.

Furthermore, the data subject has the option of objecting to interest-based advertising by Google. To do so, the data subject must visit the link https://www.google.com/settings/ads from each of the internet browsers they use and make the desired settings there. Further information and Google's applicable data protection provisions can be found at https://www.google.com/intl/en/policies/privacy/.

In the case of requests for information and the assertion of user rights, we would also like to point out that these can be most effectively asserted with Google itself. Only the providers have access to the user data and can take appropriate measures and provide information directly. If the data subject nevertheless requires assistance, they can contact the controller at any time.

30. Legal basis of processing and legitimate interest

Art. 6 (1) lit. a GDPR serves our company as the legal basis for processing operations in which we obtain consent for a specific processing purpose.

If the processing of personal data is necessary for the performance of a contract to which the data subject is a party, as is the case, for example, with processing operations that are necessary for a delivery of goods or the provision of another service or consideration, the processing is based on Art. 6 (1) lit. b GDPR. The same applies to such processing operations that are necessary for the implementation of pre-contractual measures, for example in cases of inquiries about our products or services.

If we are subject to a legal obligation by which a processing of personal data becomes necessary, such as for the fulfillment of tax obligations, the processing is based on Art. 6 (1) lit. c GDPR.

In rare cases, the processing of personal data might become necessary to protect vital interests of the data subject or another natural person. This would be the case, for example, if a visitor were to be injured on our premises and as a result his or her name, age, health insurance data or other vital information had to be passed on to a doctor, hospital or other third party. Then the processing would be based on Art. 6 (1) lit. d GDPR.

Art. 6 (1) lit. f GDPR provides us with the legal basis for processing operations where the processing is necessary to protect a legitimate interest of us or of a third party, provided that the interests, fundamental rights and freedoms of the data subject are not overridden.

Such processing operations are permitted to us in particular because they were specifically mentioned by the European legislator. In this respect, it took the view that a legitimate interest could be assumed if the data subject is a customer of the controller (Recital 47, Sentence 2 GDPR).

If the processing of personal data is based on Article 6 (1) lit. f GDPR, our legitimate interest is the performance of our business activities for the benefit of the well-being of all our employees and our shareholders.

31. Duration for which the personal data are stored

The criterion for the duration of the storage of personal data is the respective statutory retention period. After expiry of the period, the corresponding data will be routinely deleted, provided that they are no longer required for the performance of the contract or the initiation of the contract.

32. Legal or contractual provisions for the provision of personal data; necessity for the conclusion of the contract; obligation of the data subject to provide the personal data; possible consequences of non-provision

We inform you that the provision of personal data is sometimes required by law (e.g. tax regulations) or may also result from contractual regulations (e.g. information on the contractual partner).

Sometimes, in order to conclude a contract, it may be necessary for a data subject to provide us with personal data that must subsequently be processed by us. For example, the data subject is obliged to provide us with personal data if our company concludes a contract with him or her. Failure to provide the personal data would mean that the contract with the data subject could not be concluded.

Before providing personal data by the data subject, the data subject may contact one of our employees. Our employee will explain to the data subject on a case-by-case basis whether the provision of the personal data is required by law or contract or is necessary for the conclusion of the contract, whether there is an obligation to provide the personal data, and what the consequences of not providing the personal data would be.

33. Existence of automated decision-making

We do not use automated decision-making or profiling.

If you have any questions about the collection, processing or use of your personal data, for information, correction, blocking or deletion of data, as well as revocation of consent given or objection to a particular use of data, please contact us directly using the contact details in our imprint.

This privacy statement was created based on the following tools:

Data protection declaration generator of the DGD Deutsche Gesellschaft für Datenschutz GmbH in cooperation with the law firm Wilde Beuger Solmecke Rechtsanwälte

Data protection generator from the law firm Dr. Thomas Schwenke