This privacy statement aims to inform you about the nature, scope and purpose of the processing of personal data (hereinafter referred to as ‘data’ for short) within our online presence and the connected websites, functions and content, as well as within external online presences, as for example, our social media profiles (hereinafter jointly referred to as ‘online presence’). Concerning the terminology used, as for example, ‘processing’ or ‘controller’, we make reference to the definitions in Article 4 of the General Data Protection Regulation (GDPR).
Owner: Susanne Stützlein
Legal notice: https://regensburg-ferienwohnungen.com/en/imprint/
Types of processed data
- Master data (e.g. names, addresses)
- Contact data (e.g. email, phone numbers)
- Content data (e.g. text entries, photos, videos)
- Usage data (e.g. visited websites, interest in content, access times)
- Meta/communication data (e.g. information on devices, IP addresses)
Categories of data subjects
Visitors and users of the online presence (the data subjects will hereinafter also be jointly referred to as ‘users’).
Purpose of processing
- Making available the online presence, its functions and content
- Responding to contact requests and communication with users
- Security measures
- Audience measurement/marketing
‘Personal data’ means all data concerning an identified or identifiable natural person (hereinafter referred to as “data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g. cookie) or to one or more special characteristics which are an expression of the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
‘Processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means. This definition is far reaching and includes virtually all handling of data.
‘Pseudonymization’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
‘Profiling’ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.
‘Controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
‘Processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Appropriate legal basis
We inform you herewith of the legal basis of our data processing pursuant to Article 13 GDPR. Insofar as the legal basis has not been specified in the Privacy Statement, the following shall apply: The legal basis for obtaining consent is Article 6 section 1 letter a and Article 7 GDPR; the legal basis of processing for the fulfillment of our services and performance of contractual measures, as well as answering of inquiries is Article 6 section 1 letter b GDPR; the legal basis for the fulfillment of our contractual obligations is Article 6 section 1 letter c GDPR; and the legal basis of processing for safeguarding our legitimate interests is Article 6 section 1 letter f GDPR. Should the vital interests of the data subject or of another natural person make the processing of personal data necessary, this is done on the legal basis of Article 6 section 1 letter d GDPR.
Pursuant to Article 32 GDPR, we implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.
These measures include especially the safeguarding of confidentiality, integrity and availability of data by means of controlling physical and logical admission to the data as well as their pertinent access, their entry, transmission, as well as securing their availability and separation. We have furthermore set up procedures, that guarantee the exercise of the data subjects’ rights, the deletion of data and reaction to the endangerment of the data. Additionally, we already consider the protection of personal data when developing or respectively selecting hardware, software as well as procedures, pursuant to the principle of data protection by design and by default (Article 25 GDPR).
Cooperation with processors and third parties
If during our processing we disclose or transmit data to other persons and companies (processors or third parties), or allow them any other access to the data, this is done on the basis of a legal allowance (e.g. if transmission of data to third parties as for example payment service providers is necessary for contract performance pursuant to Article 6 section 1 letter b GDPR), on the basis of your consent or of a legal obligation providing for it, or on the basis of our legitimate interests (e.g. concerning the assignment of representatives, web hosting services, etc.).
Insofar as we commission third parties with the processing of data on the basis of a so-called ‘processing contract’, this is in accordance with Article 28 GDPR.
Transfer to third countries
If we process data in a third country (i.e. outside of the European Union (EU) or of the European Economic Area (EEA)) or if this happens as part of using the services of third parties, the disclosure or, respectively, transmission of data to third parties, this is only done for the performance of our (pre-) contractual obligations, on the basis of your consent, for reasons of a legal obligation or on the basis of our legitimate interests. Reserving statutory or contractual permissions, we will only process data or have it processed in a third country provided the special preconditions of Article 44 et seq. GDPR have been met. This means, processing will be done e.g. on the basis of special guarantees, as for example, the officially recognized determination of a level of data protection equal to that in the EU (e.g. for the U.S., by means of the ‘Privacy Shield’), or on the basis of officially recognized, special contractual obligations (so-called ‘standard contractual clauses’).
Rights of data subjects
In accordance with Article 15 GDPR, you have the right to obtain a confirmation as to whether or not data concerning him or her are being processed, as well as to access these data, further information and a copy of these data.
You have the right, according to Article 16 GDPR, to have the data concerning yourself be completed or obtain the rectification of inaccurate data concerning yourself.
According to Article 17 GDPR you have the right to obtain the erasure of data concerning yourself without undue delay or, respectively, alternatively according to Article 18 GDPR, to obtain a restriction of processing of these data.
You have the right to demand to receive the data concerning yourself that you have provided us with in accordance with Article 20 GDPR and demand their transfer to other controllers.
According to Article 77 GDPR you furthermore have the right to lodge a complaint with the relevant supervisory authority.
Right to withdraw
In accordance with Article 7 section 3 GDPR, you have the right to withdraw given consent effective for the future.
Right to object
You can object to future processing of your data at any time in accordance with Article 21 GDPR. This objection can especially concern processing for direct marketing purposes.
Cookies and right to object regarding direct marketing
‘Cookies’ are small files that are saved on the users’ computers, which can be used for storing various information. A cookie is primarily used to store information on a user (or respectively the device on which the cookie is saved) during or even after his visit within an online presence. Temporary cookies or, respectively, ‘session cookies’ or ‘transient cookies’ are cookies that are deleted when a user leaves an online presence and closes his or her browser. Such a cookie is used e.g. to save the content of a shopping basket in an online shop or a login status. ‘Permanent’ or ‘persistent’ cookies are cookies that remain saved even after the browser has been closed. This allows e.g. to save the login status, in case of users returning after multiple days. Such a cookie also allows to save the users’ interests, which can be used for audience measurement or marketing purposes. ‘Third-party cookie’ means cookies, that are provided by other providers than the controller responsible for the online presence (‘first-party cookies’ would otherwise mean only the controller’s cookie).
We can use temporary as well as permanent cookies and will make this information available in our privacy statement.
Should users not want cookies to be saved to their computers, they are asked to deactivate the relevant option in their browser’s systems setting. Saved cookies can be erased using the browser’s system settings. The exclusion of cookies can result in limitations of the functions of this online presence.
Erasure of data
Pursuant to Article 17 and 18 GDPR, the data processed by us will be erased or its processing restricted. Where not stated explicitly in this privacy statement, the data saved by us will be erased when they are no longer needed for their intended purpose and such erasure is not in conflict with statutory retention obligations. If the data are not erased because they are necessary for other and legally admissible purposes, their processing is restricted. This means that the data are made unavailable and will not be processed for other purposes. For example, this applies to data that are to be retained pursuant to provisions of commercial or tax law.
According to statutory provisions in Germany, data has to be retained, in particular, for 10 years pursuant to Sections (§§) 147 para. 1 German Fiscal Code, 257 para. 1 number 1 and 4, para. 4 German Commercial Code (accounts, records, status reports, accounting vouchers, trading books, for taxation of relevant documents, etc.) and 6 years pursuant to Section (§) 257 para. 1 number 2 and 3, para. 4 German Commercial Code (commercial letters).
According to statutory provisions in Austria, data has to be retained, in particular, for 7 years pursuant to Section (§) 132 para. 1 Austrian Federal Fiscal Code (accounting vouchers, receipts/invoices, accounts, vouchers, commercial documents, statement of income and expenses, etc.), for 22 years in connection with real estate, and for 10 years for records in connection with electronically supplied services, telecommunication, radio and television services that are rendered to non-entrepreneurs in EU Member States and for which the mini one-stop-shop (MOSS) is being used.
Administration, financial accounting, office organization, contact management
We are processing data in connection with administrative tasks, as well as the organization of our company, financial accounting and compliance with statutory obligations, as for example archiving. In this respect, we are processing the same data that we are processing for fulfilling our contractual performances. Basis of this processing are Article 6 para. 1 letter c GDPR and Article 6 para. 1 letter f GDPR. Customers, interested parties, business partners and visitors of the website are affected by this processing. Purpose and interest of the processing are administration, financial accounting, office organization and archiving of data. These are all tasks necessary for maintaining our business activities, carrying out our responsibilities and performing our services. Deletion of data in respect to contractual performances and contractual communication complies with the information mentioned with these processing activities.
In this respect, we will disclose or transfer data to financial authorities, consultants, as for example tax consultants or auditors, as well as other billing centers and payment service providers.
On the basis of our economic interests, e.g. for subsequently making contact, we are also saving information on suppliers, organizers and other business partner. We will principally store these predominantly business-related data on a permanent basis.
When contacting us (e.g. by using the contact form, email, telephone or via social media), the user’s information is saved for processing and resolving the contact request in accordance with Article 6 para. 1 letter b (concerning contractual/precontractual relationships) or, respectively, Article 6 para. 1 letter f (other requests) GDPR. The user’s information can be saved to a customer relationship management system (‘CRM system’) or a comparable request organization system.
Provided they are no longer necessary, we will delete the requests. We will review this necessity bi-annually. Statutory archiving obligations do apply as well.
Hosting and email dispatch
The hosting services used by us are used to provide the following services: Infrastructure and platform services, computing capacity, memory space and database services, email dispatch, security services as well as technical maintenance services, that we use for purposes of operating this online presence.
Pursuant to Article 6 para. 1 letter f GDPR, in connection with Article 28 GDPR (conclusion of a processing contract), we or, respectively, our hosting provider are processing, in this respect, master data, contact data, content data, contract data, usage data, meta data and communication data of customers, interested parties and visitors of this online presence on the basis of our legitimate interests regarding an efficient and secure provision of this online presence.
Collection of access data and log files
On the basis of our legitimate interests within the meaning of Article 6 para. 1 letter f GDPR, we or, respectively, our hosting service collect data on every access to the server on which this service is located (so-called server log files). These access data include the name of the accessed website, file, date and time of day of the access, transmitted data volume, report of successful access, type and version of browser, the user’s operating system, referrer URL (the last visited website), IP address and the requesting provider.
For security reasons (e.g. for the investigation of cases of abuse or fraud), log file information is stored for a maximum duration of 7 days and then deleted. Data that has to be saved for a longer period of time, for reasons of its use as evidence, will be excluded from deletion pending definitive settlement of the respective incident.
Embedding third-party services and content
On the basis of our legitimate interests (i.e. interest in the analysis, optimization and economic operation of our online presence within the meaning of Article 6 para. 1 letter f GDPR), we use third-party content and services within our online presence, in order to embed their content or services, as for example videos or fonts (hereinafter uniformly referred to as ‘content’).
This always requires that the third-party providers of this content, can ascertain the users’ IP address, as without the IP address they could not provide the content to their browsers. The IP address is thus necessary for displaying this content. We endeavor to use only such content, where the respective providers use the IP address only for the delivery of this content. For statistical or marketing reasons, third-party providers can also use so called pixel tags (invisible elements, also called ‘web beacons’). These ‘pixel tags’ allow for the evaluation of information such as the visitor traffic on the pages of this website. The pseudonymized information can also be saved to the users’ device in cookies and may contain, inter alia, technical information on browser and operating system, referring websites, time and duration of visit, as well as further information on the usage of our online presence, and additionally be connected with such information from other sources.