Data protection

I. Name and address of the controller
Within the meaning of the General Data Protection Regulation and other national data protection laws of Member States, as well as other data protection regulations, the controller is:

Ruhr Tourismus GmbH
Centroallee 261
46047 Oberhausen
Germany
Tel.: +49 208 899 59 100
E-mail: info@ruhr-tourismus.de
Website: www.ruhr-tourismus.de

I. Name and address of the data protection officer
The data protection officer for the controller is:

Dr Ralf W. Schadowski
ADDAG GmbH & Co KG

Krefelder Strasse 121
52070 Aachen
Germany
Tel.: +49 241 446880
E-mail: info@addag.de
Website: www.addag.de

III. General information on data processing

1. Scope of the processing of personal data
Essentially, we only process the personal data of our users insofar as this is necessary to provide a fully-functioning website, content and services. The processing of our users’ personal data takes place on a regular basis, but only with the consent of each individual user. An exception applies in cases in which prior consent can not be obtained for practical reasons, and the processing of the data is permitted by law.

2. Legal basis of the processing of personal data
Insofar as we obtain the consent of the data subject to process personal data, Article 6(1)(a) of the EU General Data Protection Regulation (GDPR) serves as the legal basis. If it is necessary to process personal data for the performance of a contract of which the contracting party is the data subject, Article 6(1)(b) GDPR serves as the legal basis. This is also applicable for processing operations which are necessary for implementing precontractual measures. If it is necessary to process personal data for the fulfilment of a legal obligation which our company is subject to, Article 6(1)(c) GDPR serves as the legal basis. If processing is necessary for the protection of a legal interest of our company or of a third party, and the interests, basic rights and basic freedoms of the data subject do not outweigh the interests of the former, Article 6(1)(f) GDPR serves as the legal basis for processing.

3. Data retention period and erasure
The personal data of the data subject is deleted or blocked as soon as the purpose of its retention ceases to exist. Data may also be retained if this is provided for by the European or national legislator in Union regulations, laws or other provisions to which the controller is subject. Data is also deleted or blocked if a retention period specified by the named standards expires, unless there is a requirement to continue to store the data for the conclusion or performance of a contract.

IV. Provision of the website and creation of log files

1. Description and scope of data processing
Every time a user accesses our website, our system automatically collects data and information from the user’s computer system.
The following data is collected:

  1. Information on the browser type and the version used
  2. The user’s operating system
  3. The IP address of the user
  4. Date and time of access
  5. Websites via which the user’s system accesses our website
  6. Websites which are accessed by the user’s system via our website

The data is also stored in log files in our system. This data is not stored along with the user’s other personal data.

2. Hosting
The hosting services we use provide the following services: Infrastructure and platform services, computing capacity, storage space and database services, security services, and technical maintenance services, which we use to operate this website.
We, or our hosting providers, process the inventory data, contact details, content data, contractual details, usage data and the meta and communication data of customers, interested parties and visitors to our website, on the basis of our legitimate interest in the efficient and secure provision of our content, pursuant to Article 6(1)(f) GDPR and Article 28 GDPR (Conclusion of Processing Contract).

3. Legal basis of data processing
The legal basis for the temporary retention of data and log files is Article 6(1)(f) GDPR.

4. Purpose of data processing
The temporary storage of the IP address by the system is necessary, so that the content of the website can be accessed by the user’s computer. The IP address of the user must therefore be retained for the duration of the session. Data is stored in log files to ensure the functionality of the website. The data helps us to optimise the website, and to ensure the security of our information technology systems. In this context, the data is not evaluated for marketing purposes. For this purpose, our legitimate interest also lies in data processing pursuant to Article 6(1)(f) GDPR.

5. Duration of retention
The data is deleted if it is no longer needed for the purpose of its collection. When collecting data for the provision of the website, this is the case if the session has ended. When saving data in log files, this is the case after seven days at the latest. Further-reaching storage is possible. In this case, user IP addresses are deleted or distorted, so that it is no longer possible to identify customers who access the site.

6. Opposition and removal
The collection of data for the provision of the website, and the storage of the data in log files is essential for the operation of the website. There is therefore no possibility for the user to object.

V. Use of Cookies

1) Description and scope of data processing
Our website uses Cookies. Cookies are text files which are saved in/by the Internet browser on the user’s computer. When the user visits a website, a Cookie can be saved on the user’s operating system. This Cookie contains a character sequence that allows the browser to be uniquely identified when the website is reopened.
We use Cookies to make our website more user-friendly. Some elements of our website require the browser to be identified, even after a page change.
The following information is therefore saved and transferred in the Cookies:

  1. Language settings
  2. Log-in information
  3. Access from the “correct” website (radrevier.ruhr, industriekultur.ruhr, ruhr-tourismus.de)

Our website also uses Cookies which enable the analysis of the user’s surfing behaviour. In this way, the following data can be transferred:

  1. Search term entered
  2. Frequency of site access
  3. Use of website functions

User information which is stored in this way is pseudonymised by technical measures. It is no longer possible to assign data to the user. The data is not saved with other personal data relating to the user.
When accessing our website, users are informed of the use of Cookies via an info banner, and referred to this data protection declaration.
When accessing our website, the user is informed of the use of Cookies via an info banner, and he gives his consent for the personal data collected in this context to be processed. In this context, there is also a link to this data protection declaration.

2) Legal basis of data processing
The legal basis for the processing of personal data using technically necessary Cookies is Article 6(1)(f) GDPR. The legal basis for the processing of personal data using Cookies for analytical purposes with the consent of the user is Article 6(1)(f) GDPR.

3) Purpose of data processing
The purpose of the use of technically necessary Cookies is to facilitate access to websites for users. Some functions of our website cannot be offered if Cookies are not accepted. It is therefore necessary that the browser can be recognised, even after a page change.
Cookies are required for the following functions:

  1. Booking process
  2. Changes to language settings
  3. Marking search terms

User data which is collected by Cookies for technical purposes is not used for the creation of user profiles.
Analysis Cookies are used to improve the quality of our website and its content. The analysis Cookies determine how the website is used, and allow us to continuously optimise our content. In addition, through the use of Cookies, the selected URL is displayed with the correct start page logo and corresponding content.
For this purpose, our legitimate interest also lies in the processing of personal data pursuant to Article 6(1)(f) GDPR.

4) Duration of retention, opposition and removal
Cookies are saved on the user’s computer, from where they are transferred to our website. You, the user, therefore have full control of the use of Cookies. By changing the settings in your Internet browser, you can deactivate or limit the transfer of Cookies. Previously saved Cookies can be deleted at any time. This can also happen automatically. If Cookies are deactivated for our website, it may be that some functions of the website can no longer be used to their full extent.

VI. Newsletter

1. Description and scope of data processing

Our website offers you the chance to subscribe to a free newsletter. When you subscribe to the newsletter, the data from the input screen is transferred to us. This data comprises:

  1. The IP address of the computer used
  2. Date and time of registration
  3. E-mail address of the customer

For data processing, your consent is obtained during the login process, and you are referred to this data protection declaration. We use rapidmail to send and analyse our newsletter. Your data is transferred to rapidmail GmbH. Rapidmail GmbH is prohibited from using your data for purposes other than sending the newsletter. Rapidmail GmbH is not permitted to disclose or sell your data. Rapidmail is a certified German newsletter software provider, which has been carefully selected pursuant to the requirements of GDPR and BDSG. You can revoke your consent regarding the retention and use of your data for newsletter distribution at any time, e.g. by clicking on “Unsubscribe” in the newsletter.

Newsletter tracking
The Ruhr Tourismus GmbH newsletter contains so-called tracking pixels. A tracking pixel is a miniature graphic which is embedded in e-mails which are sent in HTML format, to enable log file recording and log file analysis. A statistical evaluation of the success or failure of online marketing campaigns can therefore be made. Using the embedded tracking pixels, Ruhr Tourismus GmbH can recognise if and when an e-mail has been opened by erasure, and which links included in the e-mail have been accessed by the data subject.<br/> Such personal data which is obtained by the tracking pixels contained in the newsletters is saved and evaluated by the controller, in order to improve newsletter distribution, and to better adapt the content of future newsletters to the interests of the data subject. This personal data will not be disclosed to third parties. Data subjects are able to revoke their declaration of consent granted through the double opt-in procedure at any time. Following revocation, this personal data is deleted by the controller. Unsubscribing from the newsletter is automatically seen by Ruhr Tourismus GmbH as revocation.

2. Legal basis of data processing
The legal basis for the processing of personal data with the consent of the user, when the user subscribes to the newsletter, is Article 6(1)(f) GDPR.

3. Purpose of data processing
The user’s e-mail address is obtained so that the newsletter can be delivered.

4. Duration of retention
The data is deleted if it is no longer needed for the purpose of its collection. The user’s e-mail address is retained for as long as the newsletter subscription is active.

5. Opposition and removal
The user can terminate his subscription to the newsletter at any time. For this purpose, there is a link in each edition of the newsletter.

VII. E-commerce

1. Description and scope of data processing
On our website, we give users the opportunity to book package tours, buy entrance tickets (for museums, etc.), or enjoy so-called experience offers (bus tours, excursions, etc.). This requires users to enter personal data. The data is entered into an input screen, and transferred to and saved by us. For the purposes of processing and order/booking, the data is transferred to my.IRS GmbH, Dornierstr. 4, 82178 Puchheim. The following data is collected as part of the registration process:

  • Gender (Mr/Mrs)
  • Surname
  • Given name
  • Address (street, post code, city)
  • E-mail
  • in some cases (WelcomeCard Ruhr) date of birth

When paying (online) by credit card or PayPal, your credit card details (MasterCard, VISA, American Express, AmEx, card number, verification code and expiry date) are compiled and saved by DataTrans, Kreuzbühlstrasse 26, CH-8008 Zürich, and only transferred to companies involved in the payment process. We will not save your credit card details.
When paying (online) by direct debit, your account details are transferred to EVO Payments International GmbH, Elsa-Brandström-Str. 10-12, 50668 Köln. When paying by direct debit, the account details are also saved by myIRS GmbH, Dornierstr. 4, 82178 Puchheim. We will not save your account details.

The controller has integrated PayPal components into this website. PayPal is an online payment service. Payments are made through so-called PayPal accounts, which can be either private or corporate accounts. PayPal also offers the option of making online payments using a credit card, if a user does not have a PayPal account. A PayPal account is associated with an e-mail address, as there is no standard account number. PayPal makes it possible to make online payments to third parties, and also to receive payments. PayPal also fulfils fiduciary functions, and offers buyer protection services.
The European branch of PayPal is PayPal (Europe) S.à.r.l. & Cie. S.C.A., 22-24 Boulevard Royal, 2449 Luxembourg, Luxembourg.

If the data subject chooses to pay by “PayPal” when placing an order in our online shop, the data of the data subject is automatically transferred to PayPal. By selecting this payment option, the data subject consents to the transfer of the personal data required for payment processing.
Personal data transferred to PayPal typically includes your surname, given name, address, e-mail address, IP address, telephone number, mobile number, or other details which are needed to process the payment. Personal data relating to the order is also needed for the performance of the purchase contract.

The data is processed for the purposes of payment processing and fraud prevention. The controller transfers personal data to PayPal, if there is a legitimate interest for this transfer. Under certain circumstances, personal data exchanged between PayPal and the controller is submitted to credit agencies. This submission is for the purposes of identity and credit checking.

PayPal may transfer personal data to associated companies and service providers or subcontractors if this is necessary for the fulfilment of contractual obligations, or for processing the data on our behalf.
The data subject has the opportunity to revoke his consent to the processing of his personal data by PayPal at any time. This revocation excludes personal data which must be processed, used or transferred for payment processing (as per the contract).
The current PayPal data protection regulations can be seen at https://www.paypal.com/de/webapps/mpp/ua/privacy-full.

SLL encryption

For security reasons and for the protection of confidential content, such as orders or queries which you send to us, this site uses SSL or TLS encryption. You can tell if you have a secure connection if the “http://” in the address bar has changed to “https://”, and if there is a padlock symbol in the browser line.
If the SLL or TLS encryption has been activated, the data that you submit to us cannot be accessed by third parties.

If, following the conclusion of a fee-based contract, you are obliged to provide us with your payment details (e.g. account details when paying by credit card or direct debit), this data will be required for payment processing. Payments using the standard payment methods (Visa/MasterCard, direct debit) are made exclusively through a secure SSL or TLS connection. During encrypted communication, the payment data that you submit to us cannot be accessed by third parties.

Your personal data is also disclosed to the relevant service provider (e.g. accommodation services, tour operators). The service provider is prohibited from using your data for purposes other than processing your booking. The service provider is not permitted to disclose or sell your data.

2. Legal basis of data processing
The collected data serves the fulfilment of a contract to which the user is a party, or the implementation of pre-contractual measures, pursuant to the additional legal basis for the processing of data, Article 6(1)(b) GDPR.

3. Purpose of data processing
The collection of the user’s data is necessary for concluding a contract with the user, or for implementing precontractual measures.

4. Duration of retention
The data will be deleted if it is no longer legally required for the performance of the contract.

VIII. Contact form and e-mail contact

5. Description and scope of data processing

Our website features a contact form, which can be used for contacting us electronically. If the user contacts us this way, the information entered in the input mask will be transferred to, and saved by, us. This data is:

  • Surname
  • Given name
  • E-mail
  • Telephone
  • Street and house number
  • Postcode and city
  • Country
  • Remarks

When the message is submitted, the following data is also saved:

  1. The IP address of the user
  2. Date and time of registration

For data processing, your consent is obtained during the login process, and you are referred to this data protection declaration.<br/> Alternatively, you can contact us using the e-mail address provided. In this case, the personal data which is transferred with the e-mail is saved. <br/> In this context, no data is disclosed to third parties. The data is only used for communication.

6. Legal basis of data processing
The legal basis for the processing of personal data with the consent of the user is Article 6(1)(f) GDPR.

7. Purpose of data processing
The personal data from the input screen is only processed for contact purposes. In the case of contact by e-mail, this also includes the required legitimate interest for processing the data. The other personal data processed when messages are sent serve to prevent misuse of the contact form, and to ensure the security of our information technology systems.

8. Duration of retention The data is deleted if it is no longer needed for the purpose of its collection. For the personal data from the input form of the contact form, and messages sent by e-mail, this is the case if contact with the user has ended. Contact ends when it can be derived from the circumstances that the facts of the case have been clarified. Additional personal data which is collected during the sending process will be deleted after seven days at the latest.

9. Opposition and removal The user has the option to revoke his consent to the processing of his personal data at any time. If the user contacts us by e-mail, he may object to the storage of his personal data at any time. In such cases, contact cannot continue. The user must clearly declare his revocation in writing. In this case, all personal data which has been saved during contact will be deleted.

IX. Disclosure of personal data to third parties

1. Scope of the processing of personal data
On our website, we give users the opportunity to order brochures. This requires users to enter personal data. The data is entered into an input screen, and transferred to and saved by us. For the purposes of processing, the data is transferred to my.IRS GmbH, Dornierstr. 4, 82178 Puchheim and to HID Werkstätten Karthaus, Industriestrasse 7, 48249 Dülmen. This data is:

  • Surname
  • Given name
  • E-mail
  • Telephone
  • Street and house number
  • Postcode and city
  • Country

2. Legal basis of the processing of personal data
The collected data serves the fulfilment of a contract to which the user is a party, or the implementation of pre-contractual measures, pursuant to the additional legal basis for the processing of data, Article 6(1)(b) GDPR.

3. Purpose of data processing
The personal data of the user is collected so that the requested brochure can be provided

4. Duration of retention
The data that you enter in the input form will be retained by us until you ask us to delete it, or you revoke your consent for it to be stored, or the purpose for data retention ceases to exist (e.g. following completion of your request). Mandatory statutory provisions – especially retention periods – remain unaffected.

5. Opposition and removal
The user has the option to revoke his consent to the processing of his personal data at any time. If the user contacts us by e-mail, he may object to the storage of his personal data at any time.
The user must clearly declare his revocation in writing.
In this case, all personal data which has been saved during the ordering process will be deleted.

X. Website analysis services

1. Description and scope of data processing
This website uses functions of the website analysis service Google Analytics. The operating company is Google Ireland Limited, Gordon House, 4 Barrow St, Dublin, D04 E5W5, Irland. Google Analytics uses so-called “Cookies”. These are text files which are saved to your computer, and enable your use of the website to be analysed. The information relating to your use of this website which is compiled by the Cookies is usually transferred to a Google server in the USA, and stored there.

2. Legal basis of the processing of personal data
Article 6(1)(f) GDPR is the legal basis for the retention of Google Analytics Cookies. The website operator has a legitimate interest in analysing user behaviour, so as to optimise both its website and its advertising.

3. Purpose of data processing
The website operator has a legitimate interest in analysing user behaviour, so as to optimise both its website and its advertising. You can prevent the storage of Cookies using the corresponding settings in your browser software. However, please note that if you do this, you may not be able to use all the features of this website to the fullest extent possible. In addition, you may prevent Google from collecting and processing the data generated by the Cookie relating to your use of the website (including your IP address) by downloading and installing the browser plug-in available at the following link: https://tools.google.com/dlpage/gaoptout?hl=de.

4. Opposition and removal
You can prevent the storage of Cookies using the corresponding settings in your browser software. However, please note that if you do this, you may not be able to use all the features of this website to the fullest extent possible. In addition, you may prevent Google from collecting and processing the data generated by the Cookie relating to your use of the website (including your IP address) by downloading and installing the browser plug-in available at the following link: https://tools.google.com/dlpage/gaoptout?hl=de.

5. Opposition to data collection
You can prevent your data being collected by Google Analytics, by clicking on the link below. An opt-out Cookie is created, which will prevent the recording of your data during future visits to this website: https://adssettings.google.com/anonymous?hl=de&sig=ACi0TChVmevmsGgtwDdljrftL3IiFgyMPAyXecL6tIHU9zVeljWkqh1qD-5CARUH0OE-Thkp3vUU6Sg4MHuYN_zyroCJUguOszFkkZeYsNRNyknLcVQIP0M. More information on the processing of user data by Google Analytics can be found in the Google data protection declaration: https://support.google.com/analytics/answer/6004245?hl=de.

XI. Google AdWords

1. Data protection regulations on the implementation and use of Google AdWords
The controller has integrated PayPal components into the Google AdWords website. Google AdWords is an online advertising service which allows advertisers to display their adverts in Google search results and in the Google advertising network. Google AdWords allows advertisers to select predetermined key words so that their adverts will only be shown in Google search results when a user looks for a key word-relevant search result. In the Google advertising network, adverts are displayed on relevant websites by means of an automatic algorithm, taking into account the predetermined key words.
The operating company of the Google AdWords service is Google Ireland Limited, Gordon House, 4 Barrow St, Dublin, D04 E5W5, Irland.
The purpose of Google AdWords is to promote our website by including relevant advertisements on third-party websites and in Google search results, and by including external advertisements on our website.
If erasure accesses our website through a Google advert, Google stores a Conversion Cookie on the information technology system of the data subject. Please scroll up for an explanation of what Cookies are. A conversion Cookie becomes invalid after thirty days, and is not used to identify the data subject. If the Conversion Cookie has not expired, it is used to determine whether certain sub-pages – such as a shopping basket in an online store – have been accessed from our website. With the Conversion Cookie, we and Google can determine whether a data subject who has been directed to our site through an AdWords advertisement has generated a sale – i.e. completed or cancelled a purchase. The data and information collected by the Conversion Cookie are used by Google to create visitor statistics for our website. We use these user statistics to determine the total number of users who have come to our site through AdWords advertisements, and to evaluate the success or failure of the relevant AdWords advertisement, and therefore to improve our AdWords advertisements for future use. Neither our company not other advertising clients of Google AdWords obtains data from Google through which the data subject can be identified.
Personal data is saved by Conversion Cookies, e.g. from websites visited by the data subject. Each time someone visits our website, his personal data – including the IP address of the Internet connection used by the data subject – is transferred to Google in the United States of America. This personal data is saved by Google in the United States of America. In certain circumstances, Google may transfer personal data collected through the technical process to third parties.
The data subject can prevent the setting of Cookies by our website as shown above, at any time through the corresponding settings of the Internet browser used, and therefore permanently oppose the use of Cookies. Such settings in the Internet browser used also prevent Google from creating a Conversion Cookie on the information technology system of the data subject. Cookies created by Google AdWords can be deleted via the Internet browser or another software program at any time.
Furthermore, the data subject has the option to object to Google's interest-based advertising. The data subject must access www.google.de/settings/ads on each of his Internet browsers, and adjust the desired settings.
More information and the current Google data protection regulations can be seen at https://www.google.de/intl/de/policies/privacy/.

2. Data protection regulations on the implementation and use of Google Remarketing
The controller has integrated Google Remarketing services into this website. Google Remarketing is a function of Google AdWords which enables a company to show relevant adverts to previous visitors to the company’s website. The integration of Google Remarketing therefore allows a company to create user-appropriate advertisements, and to consequently show users online adverts relating to their interests.
The operating company of the Google Remarketing service is Google Ireland Limited, Gordon House, 4 Barrow St, Dublin, D04 E5W5, Irland.<br/> The purpose of Google Remarketing is to ensure that advertising relevant to the user’s interests is shown. Google Remarketing enables us to display online adverts which are in-line with the user’s needs and interests, via the Google advertising network.
Google Remarketing saves a Cookie to the information technology system of the data subject. Please scroll up for an explanation of what Cookies are. Setting Cookies means that Google is able to remember visitors to our website if they subsequently access websites which are also members of the Google advertising network. Every time the data subject visits a website onto which Google Remarketing services are integrated, the browser automatically identifies him through Google. As part of this technical process, Google is informed of personal data, such as the IP address or the surfing behaviour of the user, which Google uses, inter alia, show interest-related advertisements.
Personal data is saved by Cookies, e.g. from websites visited by the data subject. Each time someone visits our website, his personal data – including the IP address of the Internet connection used by the data subject – is transferred to Google in the United States of America. This personal data is saved by Google in the United States of America. In certain circumstances, Google may transfer personal data collected through the technical process to third parties. The data subject can prevent the setting of Cookies by our website as shown above, at any time through the corresponding settings of the Internet browser used, and therefore permanently oppose the use of Cookies. Such settings in the Internet browser used also prevent Google from creating a Cookie on the information technology system of the data subject. Cookies created by Google Analytics can be deleted via the Internet browser or another software program at any time.
Furthermore, the data subject has the option to object to Google's interest-based advertising. The data subject must access www.google.de/settings/ads on each of his Internet browsers, and adjust the desired settings.
More information and the current Google data protection regulations can be seen at https://www.google.de/intl/de/policies/privacy/.

XII. Social media embedding

1.Data protection regulations on the implementation and use of Facebook
The controller has integrated Facebook components into this website. Facebook is a social networking site. A social network is an Internet-based social meeting place, an online community which typically enables users to communicate with each other, and to interact on a virtual platform. A social network can be used as a platform on which to exchange opinions and experiences, or allows the online community to share personal or business information. Inter alia, Facebook enables users of its social network to create a private profile, upload photos, and network by means of friend requests.
The operating company of Facebook is Facebook Inc., 1 Hacker Way, Menlo Park, CA 94025, USA. If the data subject is not based in the USA or Canada, the controller for the processing of personal data is Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland.
With each visit to an individual page of this website which is operated by the controller, and into which an Facebook component (Facebook plug-in) has been integrated, the Facebook component causes the Internet browser on the information technology system of the data subject to automatically download a representation of the corresponding Facebook component. An overview of all Facebook plug-ins can be seen at https://developers.facebook.com/docs/plugins/?locale=de_DE. As part of this technical process, Facebook is informed of which specific section of our website is visited by the data subject. If the data subject is simultaneously logged into Facebook, Facebook can determine which specific sections of our website the data subject is visiting, each time the data subject visits our website and for the duration of each stay. This information is collected by the Facebook components, and mapped to the Facebook account of the data subject by Facebook. When the data subject clicks on one of the Facebook buttons on our site – e.g. the “Like” button – or writes a comment, Facebook assigns this information to the data subject’s account, and saves his personal data.
Through the Facebook components, Facebook is notified that the data subject has visited our website, if the data subject is logged into Facebook when accessing our website. This happens irrespective of whether or not the data subject clicks on the Facebook components. If the data subject does not want his personal data to be transferred to Facebook in this way, he can prevent this transfer by logging out of his Facebook account before accessing our website.
The data protection guidelines published by Facebook, which are accessible at https://de-de.facebook.com/about/privacy/, provide information on the collection, processing and use of personal data by Facebook. They also explain which options Facebook offers to protect the privacy of the data subject. Also available are various applications, which prevent data from being transferred to Facebook. The data subject can use such applications to prevent data transfers.

2. Data protection regulations on the implementation and use of Instagram
The controller has integrated Instagram components into this website. Instagram is a service which can be classified as an audio-visual platform, and allows users to share pictures and videos, and copy such data to other social networking sites.
The operating company of Instagram is Instagram LLC, 1 Hacker Way, Building 14 First Floor, Menlo Park, CA, USA. With each visit to an individual page of this website which is operated by the controller, and into which an Instagram component (Insta Button) has been integrated, the Instagram component causes the Internet browser on the information technology system of the data subject to automatically download a representation of the corresponding Instagram component. As part of this technical process, Instagram is informed of which specific section of our website is visited by the data subject. If the data subject is simultaneously logged into Instagram, Instagram can determine which specific sections of our website the data subject is visiting, each time the data subject visits our website and for the duration of each stay. This information is collected by the Instagram components, and mapped to the Instagram account of the data subject by Instagram. When the data subject clicks on one of the Instagram buttons on our site, Instagram assigns this information and data to the data subject’s account, and saves and processes it.
Through the Instagram components, Instagram is notified that the data subject has visited our website, if the data subject is logged into Instagram when accessing our website. This happens irrespective of whether or not the data subject clicks on the Instagram components. If the data subject does not want his personal data to be transferred to Instagram in this way, he can prevent this transfer by logging out of his Instagram account before accessing our website.
More information and the current Google data protection regulations can be seen at https://help.instagram.com/155833707900388 and https://www.instagram.com/about/legal/privacy/.

3. Data protection regulations on the implementation and use of Pinterest
The controller has integrated Pinterest Inc. components into this website. Pinterest is a so-called social network. A social network is an Internet-based social meeting place, an online community which typically enables users to communicate with each other, and to interact on a virtual platform. A social network can be used as a platform on which to exchange opinions and experiences, or allows the online community to share personal or business information. Inter alia, Pinterest enables users of its social network to publish (“pin”) picture collections and individual images, as well as captions, to a virtual pin wall, which can be shared (“re-pinned”) or commented on by other users.
The operating company of Pinterest is Pinterest Inc., 808 Brannan Street, San Francisco, CA 94103, USA.
With each visit to an individual page of this website which is operated by the controller, and into which an Pinterest component (Pinterest plug-in) has been integrated, the Pinterest component causes the Internet browser on the information technology system of the data subject to automatically download a representation of the corresponding Pinterest component. More information on Pinterest can be found at https://pinterest.com/. As part of this technical process, Pinterest is informed of which specific section of our website is visited by the data subject. If the data subject is simultaneously logged into Pinterest, Pinterest can determine which specific sections of our website the data subject is visiting, each time the data subject visits our website and for the duration of each stay. This information is collected by the Pinterest components, and mapped to the Pinterest account of the data subject by Pinterest. When the data subject clicks on one of the Pinterest buttons on our site, Pinterest assigns this information to the data subject’s account, and saves his personal data.
Through the Pinterest components, Pinterest is notified that the data subject has visited our website, if the data subject is logged into Pinterest when accessing our website. This happens irrespective of whether or not the data subject clicks on the Pinterest components. If the data subject does not want his personal data to be transferred to Pinterest in this way, he can prevent this transfer by logging out of his Pinterest account before accessing our website.
The data protection guidelines published by Pinterest, which are accessible at https://about.pinterest.com/privacy-policy, provide information on the collection, processing and use of personal data by Facebook.

4. Data protection regulations on the implementation and use of Twitter
The controller has integrated Twitter components into this website. Twitter is a multilingual, publicly accessible microblogging service, on which users can publish and share so-called “Tweets” – short posts which are restricted to 280 characters. These short posts are accessible to anyone – even if they are not registered Twitter users. The Tweets are also accessible to the user’s so-called followers. Followers are other Twitter users who follow the Tweets of a particular user. Twitter users can also reach a wider audience by means of hashtags, links or re-tweets.
The operating company of Twitter is Twitter, Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA.
With each visit to an individual page of this website which is operated by the controller, and into which an Twitter component (Twitter button) has been integrated, the Twitter component causes the Internet browser on the information technology system of the data subject to automatically download a representation of the corresponding Twitter component. More information on the Twitter buttons can be found at https://about.twitter.com/de/resources/buttons. As part of this technical process, Twitter is informed of which specific section of our website is visited by the data subject. The purpose of integrating Twitter components is to allow users to redistribute the content of this website, to promote the website in the digital world, and to increase our visitor numbers.
If the data subject is simultaneously logged into Twitter, Twitter can determine which specific sections of our website the data subject is visiting, each time the data subject visits our website and the duration of each stay. This information is collected by the Twitter components, and mapped to the Twitter account of the data subject by Twitter. When the data subject clicks on one of the Twitter buttons on our site, Twitter assigns this information and data to the data subject’s account, and saves and processes it.
Through the Twitter components, Twitter is notified that the data subject has visited our website, if the data subject is logged into Twitter when accessing our website. This happens irrespective of whether or not the data subject clicks on the Twitter components. If the data subject does not want his personal data to be transferred to Twitter in this way, he can prevent this transfer by logging out of his Twitter account before accessing our website. The current Twitter data protection regulations can be seen at https://twitter.com/privacy?lang=de.

5. Data protection regulations on the implementation and use of YouTube
The controller has integrated YouTube components into this website. YouTube is an online video portal which allows video publishers to upload videos free of charge, and other users to watch, rate and comment on them. YouTube enables the publication of all kinds of videos, be they complete films or television programmes, music videos, trailers, or user-made films. The videos are accessible on the online portal. The operating company of YouTube is YouTube, LLC, 901 Cherry Ave., San Bruno, CA 94066, USA. YouTube LLC is a subsidiary of Google Inc., 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, USA.
With each visit to an individual page of this website which is operated by the controller, and into which an YouTube component (YouTube video) has been integrated, the YouTube component causes the Internet browser on the information technology system of the data subject to automatically download a representation of the corresponding YouTube component. More information on YouTube can be found at https://www.youtube.com/yt/about/de/. As part of this technical process, YouTube and Google are informed of which specific section of our website is visited by the data subject. If the data subject is simultaneously logged into YouTube, YouTube can determine which specific sections of our website featuring a YouTube video the data subject is visiting. This information is collected by YouTube and Google, and mapped to the YouTube account of the data subject.
Through the YouTube components, YouTube is notified that the data subject has visited our website, if the data subject is logged into YouTube when accessing our website. This happens irrespective of whether or not the data subject clicks on a YouTube video. If the data subject does not want his personal data to be transferred to YouTube in this way, he can prevent this transfer by logging out of his YouTube account before accessing our website. The data protection guidelines published by YouTube, which are accessible at https://www.google.de/intl/de/policies/privacy/, provide information on the collection, processing and use of personal data by Facebook.

6. Data protection regulations regarding the use of Juicer
The controller has integrated a Juicer Social Wall into this website. The Juicer system gives the user the opportunity to combine his social media activity into a single feed, and to integrate this into a social wall on the website. It is therefore possible to integrate content from Instagram, Twitter and various other social media sites by means of hashtags, or alternatively to add all content from an account (Instagram, Twitter, etc.) to the Social Wall. The Social Wall is available to everyone – even for people who do not use Instagram, Twitter, etc. The operating company of Juicer is Juicer.io, 1515 7th Street, #424, Santa Monica, CA 90403.
Juicer and third party suppliers with which it collaborates work in compliance with EU GDPR. The GDPR has been developed to give users more information, and to better protect user data. Juicer will never:  

  • save or collect user data from the Juicer Feed (Social Wall) of a page.
  • Distribute Juicer user data, apart from that collected from Cookies which optimise the use of the system. Juicer therefore collects a minimum amount of data, and discretely handles all data which is disclosed to social networks. 

7. Data protection regulations on the implementation and use of Vimeo
We can incorporate videos from the platform “Vimeo”, provided by Vimeo Inc., FAO: Legal Department, 555 West 18th Street New York, New York 10011, USA. Data protection declaration: https://vimeo.com/privacy. We would like to point out that Vimeo can implement Google Analytics, and therefore refer to the privacy statement (https://www.google.com/policies/privacy) as well as the opt-out options for Google-Analytics (https://tools.google.com/dlpage/gaoptout?hl=de) or the Google settings relating to the use of data for marketing purposes (https://adssettings.google.com/.).

XIII. Data subject rights
If your personal data is processed, you are the data subject pursuant to the GDPR, and you have the following rights against the controller:

1. Right of access
You can request a confirmation from the controller as to whether your personal data is processed by us. If such processing takes place, you can request a disclosure of the following information:

(1)       the purposes for which the personal data is processed;

(2)       the categories of personal data which is processed;

(3)       the recipients, or the groups of recipients, to whom/which the personal data has been – or continues to be – disclosed;

(4)       the planned duration of retention of your personal data, or – if concrete information is not available – criteria for determining the duration of retention;

(5)       the existence of a right to rectify or erase your personal data, a right to restrict the processing of your personal data by the controller, or a right to object to the processing;

(6)       the existence of the right to complain to a supervisory authority;

(7)       all available information on the origin of the data, if the personal data has not been obtained from the data subject;

(8)       the existence of automated decision-making, including profiling pursuant to Article 22(1) and (4) GDPR and, at least in these cases, meaningful information on the logic involved and the scope and intended impact of such processing on the data subject.

You have the right to request a confirmation as to whether or not your personal data is transferred to a third country or an international organisation. In this context, you can request information on the guarantees relating to the transfer, pursuant to Article 46 GDPR.

2. Right to rectification
You have a right to rectification and/or completion against the controller, provided that the processed personal data is incorrect or incomplete. The controller must promptly carry out the rectification.

3. Right to restrict processing
Subject to the following prerequisites, you can request the restriction of the processing of your personal data:

(1)      if you dispute the accuracy of your personal data for a period of time, the controller is able to verify the accuracy of your personal data;

(2)       the processing is unlawful and you refuse the erasure of your personal data, and instead request the restriction of the use of your personal data;

(3)       the controller no longer needs your personal data for the purposes of processing, but you need it to enforce, exercise or defend your rights, or

(4)       if you have objected to the processing pursuant to Article 21(1) GDPR and it is uncertain as to whether the legitimate reasons of the controller prevail over your reasons.

If the processing of your personal data has been restricted, this data – apart from that which is stored – may only be processed with your consent or for the purpose of enforcing, exercising or defending legal claims, or protecting the rights of another natural or legal person or for reasons of substantial public interest of the European Union or a Member State.
If the restriction of the processing is limited pursuant to the conditions stated above, you will be informed by the controller before the restriction is waived.

4. Right to erasure

  1. Erasure obligation

You may make a request for the controller to delete your personal data immediately, and the controller is required to delete it immediately if one of the following is applicable:

(1)       Your personal data is not longer required for the purpose for which it was collected, or processed in a certain way.

(2)       You revoke your consent to the processing pursuant to Article 6(1)(a) or Article 9(2)(a) GDPR, and there is no other reason for the processing.

(3) You submit an objection to the processing of your data pursuant to Article 21(1) GDPR, and there are no legitimate grounds for processing, or you submit an objection pursuant to Article 21(2) GDPR.

(4)       Your personal data has been processed unlawfully.

(5)       Your personal data must be deleted to fulfil a statutory requirement under EU Law, or the law of the Member State by which the controller is governed.

(6)       Your personal data has been processed in relation to the services offered by the information society, pursuant to Article 8(1) GDPR.

  • Provision of information to third parties

If the controller has made your personal data public, and is obliged to delete it pursuant to Article 17(1) GDPR, it must take appropriate measures – in consideration of the available technology and the implementation costs of these measures, as well as the technical means – to inform the controller that you are a data subject and have requested the erasure of all links to your personal data or copies/replications of it.

  • Exceptions

The right to erasure is waived if processing is necessary

(1)       to exercise the right to free expression of opinion and information;

(2)       to fulfil a statutory requirement under EU Law, or the law of the Member State by which the controller is governed, or to carry out a task for the benefit of the public, or to exercise public authority delegated to the controller;

 (3)      to enforce, exercise or defend legal claims.

5. Right of information
If you have asserted your right of rectification, erasure or restriction of processing against the controller, it is obliged to notify all recipients to whom your personal data has been disclosed of this correction or erasure of data or restriction of processing, unless this proves to be impossible or involves disproportionate effort.
You also have the right against the controller to be informed of these recipients.

6. Right to data portability
You have the right to obtain your personally identifiable data which has been provided to the controller in a structured, standard and machine-readable format. You also have the right to transfer the available personal data to another controller, without obstruction by the controller

(1)       the processing is based on approval pursuant to Article 6(1)(a) or Article 9(2)(a) GDPR, or on a contract pursuant to Article 6(1)(b), and

(2)       the processing is carried out by means of automated procedures.

In exercising this right, you also have the right to obtain your personal data which is transferred directly from one controller to another, provided that this is technically feasible. The freedoms and rights of other people must not be affected by this.
The right to data portability does not apply to the processing of personal data which is necessary for carrying out a task for the benefit of the public, or to exercise public authority delegated to the controller.

7. Right of objection
You have the right, due to reasons arising from your situation, to object at any time to the processing of your personal data pursuant to Article 6(1)(e) or (f) GDPR. This also applies to profiling on the basis of these provisions.
The controller will no longer process your personal data, unless overriding and legitimate reasons arise which outweigh your interests, rights and freedoms, or processing is required to enforce, exercise or defend your rights.
If your personal data is processed to provide direct advertising, you have the right to object at any time to your personal data being used for the provision of this type of advertising. This also applies to profiling, if this is associated with such direct advertising.
If you object to processing for direct marketing purposes, your personal data will no longer be processed for this purpose.
In connection with the use of the services offered by the information society – and irrespective of Directive 2002/58/EC – you have the option to exercise your right to object by means of automated procedures with technical specifications.

8. Right to revoke the data protection consent declaration
You have the right to revoke your data protection consent declaration at any time. The revocation of consent does not affect the legitimacy of the processing carried out on the basis of the granting of consent until the revocation.

9. Automated decision in individual cases, including profiling
You have the right to not be subjected to a decision made solely on the basis of automated processing – including profiling – that will have a legal effect, or affect you in a similar manner. This is not applicable if the decision

(1)       is required for the conclusion of a contract between you and the controller,

(2)       is permissible on the basis of European Union or Member State legislation by which the controller is governed, and that the legislation includes appropriate measures to protect all rights, freedoms and legitimate interests.

(3)       is made with your express permission.

These decisions must not be based on special categories of personal data, pursuant to Article 9(1) GDPR, unless Article 9(2)(a) or (g) GDPR is applicable and reasonable measures have been taken to protect all rights and freedoms, as well as your legitimate interests.
Regarding the cases referred to in (1) and (3), the controller must take appropriate measures to maintain all rights and freedoms, as well as your legitimate interests, including at least the right to obtain the intervention of a person on the part of the controller, to express individual positions, and to appeal decisions.

10. Right to complain to a supervisory authority
Without prejudice to any other administrative or judicial remedies, you have the right to complain to a supervisory authority, in particular in the Member State in which you are resident, your place of work or the place of alleged infringement, if you believe that the processing of your personal data violates the GDPR.
The supervisory authority to which the complaint is submitted will inform the plaintiff of the status and result of the complaint, including the possibility of a judicial remedy pursuant to Article 78 GDPR.