Data protection

Data protection information in accordance with the EU General Data Protection Regulation

We are pleased that you are visiting our website and thank you for your interest. In the following, we will inform you about how we handle your personal data when you use our website. Personal data is all data with which you can be personally identified.


1. who is responsible for data processing and who can I contact?

The controller of personal data is the natural or legal person who alone or jointly with others determines the purposes and means of the processing of personal data.

ATG Alster-Touristik GmbH, Jungfernstieg jetty, 20354 Hamburg

Phone: (040) 357424-0
E-mail: info@alstertouristik.de

You can contact our company data protection officer as follows:
Data protection officer of ATG Alster-Touristik GmbH at Hamburger Hochbahn AG
Data protection department
Steinstraße 20
20095 Hamburg
Telephone: (040) 3288-2316
E-mail: datenschutzbeauftragter@hochbahn.de

You can contact the official data protection officer at:
The Hamburg Commissioner for Data Protection and Freedom of Information
Ludwig-Erhard-Str. 22, 7th floor
20459 Hamburg
Telephone: (040) 428 54 4040
E-mail: mailbox@datenschutz-hamburg.de

 

2. data collection when visiting our website

2.1 Hosting

We host the content of our website with Strato AG, Otto-Ostrowski-Straße 7, 10249 Berlin (hereinafter "Strato"). When you visit our website, Strato records various log files including your IP addresses.

Further information can be found in Strato's privacy policy: https://www.strato.de/datenschutz/.

Strato is used on the basis of Art. 6 para. 1 lit. f of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter "GDPR"). We have a legitimate interest in displaying our website as reliably as possible. If a corresponding consent has been requested, the processing is carried out exclusively on the basis of Art. 6 para. 1 lit. a GDPR and Section 25 para. 1 of the Telecommunications Digital Services Data Protection Act (hereinafter "TDDDG"), insofar as the consent includes the storage of cookies or access to information in the user's terminal device (e.g. device fingerprinting) within the meaning of the TDDDG. Consent can be revoked at any time.

2.2 SSL or TLS encryption

This site uses SSL or TLS encryption for security reasons and to protect the transmission of confidential content, such as orders or inquiries that you send to us as the site operator. You can recognize an encrypted connection by the fact that the address line of the browser changes from "http://" to "https://" and by the lock symbol in your browser line.

If SSL or TLS encryption is activated, the data you transmit to us cannot be read by third parties.

2.3 Server log files

The provider of the pages automatically collects and stores information in so-called server log files, which your browser automatically transmits to us. These are

- Browser type and browser version Operating system used

- Referrer URL

- Host name of the accessing computer Time of the server request

- IP address

This data is not merged with other data sources.

This data is collected on the basis of Art. 6 para. 1 lit. f GDPR. The website operator has a legitimate interest in the technically error-free presentation and optimization of its website - the server log files must be recorded for this purpose.

2.4 Cookies

Our Internet pages use so-called "cookies". Cookies are small data packets and do not cause any damage to your end device. They are stored on your device either temporarily for the duration of a session (session cookies) or permanently (permanent cookies). Session cookies are automatically deleted at the end of your visit. Permanent cookies remain stored on your end device until you delete them yourself or they are automatically deleted by your web browser.

Cookies may originate from us (first-party cookies) or from third-party companies (so-called third-party cookies). Third-party cookies enable the integration of

certain services of third-party companies within websites (e.g. cookies for processing payment services).

Cookies have various functions. Many cookies are technically necessary, as certain website functions would not work without them (e.g. the shopping cart function or the display of videos). Other cookies can be used to evaluate user behavior or for advertising purposes.

Cookies that are required to carry out the electronic communication process, to provide certain functions that you have requested (e.g. for the shopping cart function) or to optimize the website (e.g. cookies to measure the web audience) (necessary cookies) are stored on the basis of Art. 6 para. 1 lit. f GDPR, unless another legal basis is specified. The website operator has a legitimate interest in the storage of necessary cookies for the technically error-free and optimized provision of its services. If consent to the storage of cookies and comparable recognition technologies has been requested, the processing is carried out exclusively on the basis of this consent (Art. 6 para. 1 lit. a GDPR and § 25 para. 1 TDDDG); the consent can be revoked at any time.

You can set your browser so that you are informed about the setting of cookies and only allow cookies in individual cases, exclude the acceptance of cookies for certain cases or in general and activate the automatic deletion of cookies when closing the browser. If cookies are deactivated, the functionality of this website may be restricted.

You can find out which cookies and services are used on this website in this privacy policy.

2.5 Consent with Borlabs Cookie

Our website uses Borlabs Cookie consent technology to obtain your consent to the storage of certain cookies in your browser or to the use of certain technologies and to document these in compliance with data protection regulations. The provider of this technology is Borlabs GmbH, Rübenkamp 32, 22305 Hamburg, Germany (hereinafter referred to as Borlabs).

When you enter our website, a Borlabs cookie is stored in your browser, in which the consents you have given or the revocation of these consents are stored. This data is not passed on to the provider of Borlabs Cookie.

The data collected will be stored until you ask us to delete it or delete the Borlabs cookie yourself or until the purpose for storing the data no longer applies. Mandatory statutory retention periods remain unaffected. Details on data processing by Borlabs Cookie can be found at https://de.borlabs.io/kb/welche-daten-speichert-borlabs-cookie/.

Borlabs cookie consent technology is used to obtain the legally required consent for the use of cookies. The legal basis for this is Art. 6 para. 1 lit. c GDPR.

2.6 Contact form

If you send us inquiries via the contact form, your details from the inquiry form, including the contact details you provide there, will be stored by us for the purpose of processing the inquiry and in the event of follow-up questions. We will not pass on this data without your consent.

This data is processed on the basis of Art. 6 para. 1 lit. b GDPR if your request is related to the performance of a contract or is necessary for the implementation of pre-contractual measures. In all other cases, the processing is based on our legitimate interest in the effective processing of the inquiries addressed to us (Art. 6 para. 1 lit. f GDPR) or on your consent (Art. 6 para. 1 lit. a GDPR) if this has been requested; consent can be revoked at any time.

We will retain the data you provide on the contact form until you request its deletion, revoke your consent for its storage, or the purpose for its storage no longer pertains (e.g. after fulfilling your request). Mandatory statutory provisions - in particular retention periods - remain unaffected.

2.7 Plugins and tools

2.7.1 Friendly Captcha

We use Friendly Captcha (hereinafter referred to as "Friendly Captcha") on this website. The provider is Friendly Captcha GmbH, Am Anger 3-5, 82237 Woerthsee, Germany.

Friendly Captcha is used to check whether the data entry on this website (e.g. in a contact form) is made by a human or by an automated program. For this purpose, Friendly Captcha analyzes the behavior of the website visitor based on various characteristics. For the analysis, Friendly Captcha evaluates various information (e.g. anonymized IP address, referrer, visit time, etc.). Further information on this can be found at: https://friendlycaptcha.com/legal/privacy-end-users/.

The data is stored and analyzed on the basis of Art. 6 para. 1 lit. f GDPR. The website operator has a legitimate interest in protecting its website from abusive automated spying and "SPAM". If a corresponding consent has been requested, the processing is carried out exclusively on the basis of Art. 6 para. 1 lit. a GDPR and § 25 para. 1 TDDDG, insofar as the consent includes the storage of cookies or access to information in the user's terminal device (e.g. device fingerprinting) within the meaning of the TDDDG. Consent can be revoked at any time.

2.7.2 Google Maps

This site uses the map service Google Maps. With the help of this service we can integrate map material on our website.

To use the functions of Google Maps, it is necessary to save your IP address. This information is usually transmitted to a Google server in the USA and stored there. The provider of this site has no influence on this data transfer. If Google Maps is activated, Google may use Google Fonts for the purpose of uniform display of fonts. When you call up Google Maps, your browser loads the required web fonts into your browser cache in order to display texts and fonts correctly.

The use of Google Maps is in the interest of an appealing presentation of our online offers and to make it easy to find the places we have indicated on the website. This constitutes a legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR. If a corresponding consent has been requested, the processing is carried out exclusively on the basis of Art. 6 para. 1 lit. a GDPR and § 25 para. 1 TDDDG, insofar as the consent includes the storage of cookies or access to information in the user's terminal device (e.g. device fingerprinting) within the meaning of the TDDDG. Consent can be revoked at any time.

Data transfer to the USA is based on the standard contractual clauses of the EU Commission. Details can be found here: https://privacy.google.com/businesses/gdprcontrollerterms/ and https://privacy.google.com/businesses/gdprcontrollerterms/sccs/.

You can find more information on the handling of user data in Google's privacy policy: https://policies.google.com/privacy?hl=de.

The company is certified in accordance with the "EU-US Data Privacy Framework" (DPF). The DPF is an agreement between the European Union and the USA, which is intended to ensure compliance with European data protection standards for data processing in the USA. Every company certified under the DPF undertakes to comply with these data protection standards. Further information on this can be obtained from the provider at the following link: https://www.dataprivacyframework.gov/participant/5780.

2.7.3 YouTube

This website embeds videos from the YouTube website. The operator of the website is Google Ireland Limited ("Google"), Gordon House, Barrow Street, Dublin 4, Ireland.

When you visit one of our websites on which YouTube is integrated, a connection to the YouTube servers is established. This tells the YouTube server which of our pages you have visited.

Furthermore, YouTube may store various cookies on your device or use comparable technologies to recognize you (e.g. device fingerprinting). In this way, YouTube can obtain information about visitors to this website. This information is used, among other things, to record video statistics, improve user-friendliness and prevent fraud attempts.

If you are logged into your YouTube account, you enable YouTube to assign your surfing behavior directly to your personal profile. You can prevent this by logging out of your YouTube account.

The use of YouTube is in the interest of an appealing presentation of our online offers. This constitutes a legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR. If a corresponding consent has been requested, the processing is carried out exclusively on the basis of Art. 6 para. 1 lit. a GDPR and § 25 para. 1 TDDDG, insofar as the consent includes the storage of cookies or access to information in the user's terminal device (e.g. device fingerprinting) within the meaning of the TDDDG. Consent can be revoked at any time.

Further information on the handling of user data can be found in YouTube's privacy policy at: https://policies.google.com/privacy?hl=de.

The company is certified in accordance with the "EU-US Data Privacy Framework" (DPF). The DPF is an agreement between the European Union and the USA, which is intended to ensure compliance with European data protection standards for data processing in the USA. Every company certified under the DPF undertakes to comply with these data protection standards. Further information on this can be obtained from the provider at the following link: https://www.dataprivacyframework.gov/participant/5780.

2.7.4 Vimeo

This website uses plugins from the video portal Vimeo.

When you visit one of our pages featuring a Vimeo video, a connection to the Vimeo servers is established. This tells the Vimeo server which of our pages you have visited. Vimeo also obtains your IP address. This also applies if you are not logged in to Vimeo or do not have a Vimeo account. The information collected by Vimeo is transmitted to the Vimeo server in the USA.

If you are logged into your Vimeo account, you enable Vimeo to assign your surfing behavior directly to your personal profile. You can prevent this by logging out of your Vimeo account.

Vimeo uses cookies or comparable recognition technologies (e.g. device fingerprinting) to recognize website visitors.

The use of Vimeo is in the interest of an appealing presentation of our online offers. This constitutes a legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR. If a corresponding consent has been requested, the processing is carried out exclusively on the basis of Art. 6 para. 1 lit. a GDPR and § 25 para. 1 TDDDG, insofar as the consent includes the storage of cookies or access to information in the user's terminal device (e.g. device fingerprinting) within the meaning of the TDDDG. Consent can be revoked at any time.

The data transfer to the USA is based on the standard contractual clauses of the EU Commission and, according to Vimeo, on "legitimate business interests". You can find details here: https://vimeo.com/privacy.

Further information on the handling of user data can be found in Vimeo's privacy policy at: https://vimeo.com/privacy.

The company is certified in accordance with the "EU-US Data Privacy Framework" (DPF). The DPF is an agreement between the European Union and the USA, which is intended to ensure compliance with European data protection standards for data processing in the USA. Every company certified under the DPF undertakes to comply with these data protection standards. Further information on this can be obtained from the provider at the following link: https://www.dataprivacyframework.gov/participant/5711.

2.8 Opening a customer account and placing orders

In order to process your order, we work together with the following service provider(s), who support us in whole or in part in the execution of concluded contracts. Certain personal data is transmitted to these service providers in accordance with the following information.

The personal data collected by us will be passed on to the transport company commissioned with the delivery as part of the contract processing, insofar as this is necessary for the delivery of the goods. We pass on your payment data to the commissioned credit institution within the scope of payment processing, insofar as this is necessary for payment processing. If payment service providers are used, we will inform you of this explicitly below. The legal basis for the transfer of data is Art. 6 para. 1 lit. b GDPR.

2.8.1 Palisis

Orders are sent via the service provider "Palisis" (Palisis AG, Seestraße 25, 8702 Zollikon, Switzerland). In accordance with Art. 6 para. 1 lit. b GDPR, we pass on your data to Palisis exclusively for the purpose of processing your online order. Your data will only be passed on if this is actually necessary for processing.

We have concluded an order processing contract with Palisis, in which we oblige Palisis to protect our customers' data and not to pass it on to third parties. For the transfer of data outside the European Economic Area, Palisis relies on so-called standard data protection clauses of the European Commission, which are intended to ensure compliance with the European level of data protection.

Your data will be deleted after final processing of your request. This is the case if it can be inferred from the circumstances that the matter in question has been conclusively clarified and provided that there are no statutory retention obligations to the contrary. Further information on data protection at Palisis can be found at https://www.palisis.com/privacy-policy/.

2.8.2 Adyen

If you choose a payment method from the payment service provider Adyen, the payment will be processed via the payment service provider Adyen, Simon Carmiggeltstraat 6 - 50, 1011 DJ Amsterdam, The Netherlands, to whom we will transfer your data entered in the payment form.

We will pass on the information provided during the ordering process together with the information about your order (name, address, IBAN, BIC, invoice amount, currency and transaction number) in accordance with Art. 6 para. 1 lit. b GDPR. Your data will only be passed on for the purpose of payment processing with the payment service provider Adyen and only to the extent that it is necessary for this purpose.

2.8.3 PayPal

When paying via PayPal, credit card via PayPal, direct debit via PayPal or - if offered - "purchase on account" or "payment by installments" via PayPal, we pass on your payment data to PayPal (Europe) S.a.r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg (hereinafter "PayPal"), as part of the payment processing. The transfer takes place in accordance with Art. 6 para. 1 lit. b GDPR and only insofar as this is necessary for payment processing.

PayPal reserves the right to carry out a credit check for the payment methods credit card via PayPal, direct debit via PayPal or - if offered - "purchase on account" or "payment by installments" via PayPal. For this purpose, your payment data may be passed on to credit agencies in accordance with Art. 6 para. 1 lit. f GDPR on the basis of PayPal's legitimate interest in determining your solvency. PayPal uses the result of the credit check with regard to the statistical probability of non-payment for the purpose of deciding on the provision of the respective payment method. The credit report may contain probability values (so-called score values). If score values are included in the result of the credit report, they are based on a scientifically recognized mathematical-statistical procedure. The calculation of the score values includes, but is not limited to, address data. Further data protection information, including information on the credit agencies used, can be found in PayPal's privacy policy: https://www.paypal.com/de/webapps/mpp/ua/privacy-full

You can object to this processing of your data at any time by sending a message to PayPal. However, PayPal may still be entitled to process your personal data if this is necessary for contractual payment processing.

2.9 Use of analysis tools

2.9.1 Google Ads conversion tracking

This website uses the online advertising program "Google Ads" and, as part of Google Ads, the conversion tracking of Google Ireland Limited, Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland ("Google"). We use Google Ads to draw attention to our attractive offers on external websites with the help of advertising material (so-called Google Adwords). We can determine how successful the individual advertising measures are in relation to the advertising campaign data. Our aim is to show you advertising that is of interest to you, to make our website more interesting for you and to achieve a fair calculation of the advertising costs incurred.

The conversion tracking cookie is set when a user clicks on an ad placed by Google. Cookies are small text files that are stored on your end device. These cookies generally lose their validity after 30 days and are not used for personal identification. If the user visits certain pages of this website and the cookie has not yet expired, Google and we can recognize that the user clicked on the ad and was redirected to this page. Each Google Ads customer receives a different cookie. Cookies can therefore not be tracked via the websites of Google Ads customers. The information collected using the conversion cookie is used to generate conversion statistics for Google Ads customers who have opted for conversion tracking. Customers are told the total number of users who clicked on their ad and were redirected to a page with a conversion tracking tag. However, they do not receive any information that can be used to personally identify users.

Details on the processing triggered by Google Ads Conversion Tracking and how Google handles data from websites can be found here: https://policies.google.com/technologies/partner-sites

If you do not wish to participate in tracking, you can block this use by deactivating the Google Conversion Tracking cookie via your Internet browser under the keyword "User settings". You will then not be included in the conversion tracking statistics. We use Google Ads on the basis of our legitimate interest in targeted advertising in accordance with Art. 6 para. 1 lit. f GDPR. As part of the use of Google Ads, personal data may also be transmitted to the servers of Google LLC. in the USA.

You can find more information about Google's privacy policy at the following Internet address: https://www.google.de/policies/privacy/

You can permanently object to the setting of cookies by Google Ads Conversion Tracking by downloading and installing the Google browser plug-in available at the following link: https://www.google.com/settings/ads/plugin?hl=de

Please note that if you have deactivated the use of cookies, certain functions of this website may not be available or may only be available to a limited extent.

Insofar as legally required, we have obtained your consent to the processing of your data as described above in accordance with Art. 6 para. 1 lit. a GDPR. You can revoke your consent at any time with effect for the future. To exercise your revocation, deactivate this service in the "Cookie Consent Tool" provided on the website or alternatively follow the option described above to make an objection.

2.9.2 Google (Universal) Analytics

This website uses Google (Universal) Analytics, a web analytics service provided by Google Ireland Limited, Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland ("Google"). Google (Universal) Analytics uses "cookies", which are text files placed on your device, to help the website analyze how users use the site. The information generated by the cookie about your use of this website (including the shortened IP address) is usually transmitted to a Google server and stored there; it may also be transmitted to the servers of Google LLC. in the USA.

This website uses Google (Universal) Analytics exclusively with the extension "_anonymizeIp()", which ensures anonymization of the IP address by shortening it and excludes direct personal reference. This extension means that your IP address will be shortened by Google within member states of the European Union or in other contracting states of the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transmitted to a Google LLC server in the USA and shortened there. Google will use this information on our behalf to evaluate your use of the website, to compile reports on website activity and to provide us with other services relating to website activity and internet usage. The IP address transmitted by your browser as part of Google (Universal) Analytics will not be merged with other Google data.

Google Analytics also uses a special function, the so-called "demographic characteristics", to create statistics with statements about the age, gender and interests of site visitors on the basis of an evaluation of interest-based advertising and with the involvement of third-party information. This allows the definition and differentiation of user groups of the website for the purpose of target group-optimized marketing measures. However, data records collected via the "demographic characteristics" cannot be assigned to a specific person.

Details on the processing triggered by Google Analytics and how Google handles data from websites can be found here: https://policies.google.com/technologies/partner-sites

All processing described above, in particular the setting of Google Analytics cookies for reading information on the end device used, will only be carried out if you have given us your express consent to do so in accordance with Art. 6 para. 1 lit. a GDPR. Without this consent, Google Analytics will not be used during your visit to our website.

You can revoke your consent at any time with effect for the future. To exercise your revocation, please deactivate this service in the "cookie consent tool" provided on the website. We have concluded an order processing contract with Google for the use of Google Analytics, which obliges Google to protect the data of our website visitors and not to pass it on to third parties.

For the transfer of data from the EU to the USA, Google refers to so-called standard data protection clauses of the European Commission, which are intended to ensure compliance with the European level of data protection in the USA.

Further information on Google (Universal) Analytics can be found here: https://policies.google.com/privacy?hl=de&gl=de

3. our social media presence

This privacy policy applies to the following social media sites: - https://www.facebook.com/alstertouristik/ - https://www.instagram.com/alstertouristik/ - https://www.linkedin.com/company/atg-alster-touristik-gmbh

3.1 Data processing by social networks

We maintain publicly accessible profiles in social networks. The individual social networks we use are listed below.

Social networks such as Facebook, X etc. can generally analyze your user behavior comprehensively when you visit their website or a website with integrated social media content (e.g. like buttons or advertising banners). Visiting our social media presences triggers numerous data protection-relevant processing operations. In detail:

If you are logged into your social media account and visit our social media presence, the operator of the social media portal can assign this visit to your user account. However, your personal data may also be collected if you are not logged in or do not have an account with the respective social media portal. In this case, this data is collected, for example, via cookies that are stored on your device or by recording your IP address.

With the help of the data collected in this way, the operators of the social media portals can create user profiles in which your preferences and interests are stored. In this way, interest-based advertising can be displayed to you inside and outside the respective social media presence. If you have an account with the respective social network, the interest-based advertising can be displayed on all devices on which you are logged in or were logged in.

Please also note that we cannot track all processing operations on the social media portals. Depending on the provider, further processing operations may therefore be carried out by the operators of the social media portals. For details, please refer to the terms of use and data protection provisions of the respective social media portals.

3.2 Legal basis

Our social media presences are intended to ensure the widest possible presence on the Internet. This is a legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR. The analysis processes initiated by the social networks may be based on different legal bases, which must be specified by the operators of the social networks (e.g. consent within the meaning of Art. 6 para. 1 lit. a GDPR).

3.4 Responsible party and assertion of rights

If you visit one of our social media sites (e.g. Facebook), we are jointly responsible with the operator of the social media platform for the data processing operations triggered during this visit. You can assert your rights (information, rectification, erasure, restriction of processing, data portability and complaint) both against us and against the operator of the respective social media portal (e.g. Facebook).

Please note that, despite the joint responsibility with the social media portal operators, we do not have full influence on the data processing procedures of the social media portals. Our options are largely determined by the corporate policy of the respective provider.

3.5 Storage period

The data collected directly by us via the social media presence will be deleted from our systems as soon as you ask us to delete it, revoke your consent to storage or the purpose for data storage no longer applies. Stored cookies remain on your end device until you delete them. Mandatory statutory provisions - in particular retention periods - remain unaffected.

We have no influence on the storage period of your data that is stored by the operators of the social networks for their own purposes. For details, please contact the operators of the social networks directly (e.g. in their privacy policy, see below).

3.6 Your rights

You have the right to receive information about the origin, recipient and purpose of your stored personal data free of charge at any time. You also have the right to object, the right to data portability and the right to lodge a complaint with the competent supervisory authority. Furthermore, you can request the correction, blocking, deletion and, under certain circumstances, the restriction of the processing of your personal data.

3.7 Social networks in detail

3.7.1 Facebook

We have a profile on Facebook. The provider of this service is Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland (hereinafter referred to as Meta). According to Meta, the data collected is also transferred to the USA and other third countries.

We have entered into a joint processing agreement (Controller Addendum) with Meta. This agreement specifies which data processing operations we or Meta are responsible for when you visit our Facebook page. You can view this agreement at the following link: https://www.facebook.com/legal/terms/page_controller_addendum.

You can adjust your advertising settings yourself in your user account. To do this, click on the following link and log in: https://www.facebook.com/settings?tab=ads.

Data transfer to the USA is based on the standard contractual clauses of the EU Commission. Details can be found here: https://www.facebook.com/legal/EU_data_transfer_addendum and https://de-de.facebook.com/help/566994660333381.

Details can be found in Facebook's privacy policy: https://www.facebook.com/about/privacy/.

The company is certified in accordance with the "EU-US Data Privacy Framework" (DPF). The DPF is an agreement between the European Union and the USA, which is intended to ensure compliance with European data protection standards for data processing in the USA. Every company certified under the DPF undertakes to comply with these data protection standards. Further information on this can be obtained from the provider at the following link: https://www.dataprivacyframework.gov/participant/4452.

3.7.2 Instagram

We have a profile on Instagram. The provider of this service is Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland.

Data transfer to the USA is based on the standard contractual clauses of the EU Commission. Details can be found here: https://www.facebook.com/legal/EU_data_transfer_addendum and https://de-de.facebook.com/help/566994660333381.

Details on how they handle your personal data can be found in Instagram's privacy policy: https://privacycenter.instagram.com/policy/.

The company is certified in accordance with the "EU-US Data Privacy Framework" (DPF). The DPF is an agreement between the European Union and the USA, which is intended to ensure compliance with European data protection standards for data processing in the USA. Every company certified under the DPF undertakes to comply with these data protection standards. Further information on this can be obtained from the provider at the following link: https://www.dataprivacyframework.gov/participant/4452.

3.7.3 LinkedIn

We have a profile on LinkedIn. The provider is LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland. LinkedIn uses advertising cookies.

If you wish to deactivate LinkedIn advertising cookies, please use the following link: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.

Data transfer to the USA is based on the standard contractual clauses of the EU Commission. Details can be found here: https://www.linkedin.com/legal/l/dpa and https://www.linkedin.com/legal/l/eu-sccs.

Details on how they handle your personal data can be found in LinkedIn's privacy policy: https://www.linkedin.com/legal/privacy-policy.

The company is certified in accordance with the "EU-US Data Privacy Framework" (DPF). The DPF is an agreement between the European Union and the USA, which is intended to ensure compliance with European data protection standards for data processing in the USA. Every company certified under the DPF undertakes to comply with these data protection standards. Further information on this can be obtained from the provider at the following link: https://www.dataprivacyframework.gov/participant/5448.

4. general data processing by ATG Alster-Touristik GmbH

4.1 Handling of applicant data

We advertise current vacancies on our website in a separate section, for which interested parties can apply by e-mail to the contact address provided.

In order to be included in the application process, applicants must provide us with all personal data required for a well-founded and informed assessment and selection together with their application by e-mail.

The required information includes general information about the person (name, address, telephone or electronic contact details) as well as performance-specific proof of the qualifications required for a position.

Qualifications. In addition, health-related information may be required, which must be given special consideration under labor and social law in the interest of the applicant's social protection.

Please refer to the respective job advertisement to find out which components an application must contain in order to be considered and in which form these components must be sent by e-mail.

After receipt of the application sent using the email contact address provided, the applicant data will be stored by us and evaluated exclusively for the purpose of processing the application. For any queries arising in the course of processing, we use either the e-mail address provided by the applicant with their application or a telephone number provided, at our discretion.

The legal basis for this processing, including contacting us for queries, is generally Art. 6 para. 1 lit. b GDPR in conjunction with Section 26 para. 1 of the Federal Data Protection Act (hereinafter "BDSG"), in the sense of which the application process is considered to be the initiation of an employment contract.

Insofar as special categories of personal data within the meaning of Art. 9 para. 1 GDPR (e.g. health data such as information on severely disabled status) are requested from applicants as part of the application process, the processing is carried out in accordance with Art. 9 para. 2 lit. b. GDPR so that we can exercise the rights arising from labor law and social security and social protection law and fulfill our obligations in this regard.

Cumulatively or alternatively, the processing of special categories of data may also be based on Art. 9 para. 1 lit. h GDPR if it is carried out for the purposes of preventive health care or occupational medicine, for the assessment of the applicant's fitness for work, for medical diagnostics, health or social care or treatment or for the management of health or social care systems and services.

If the applicant is not selected in the course of the evaluation described above or if an applicant withdraws their application prematurely, their data transmitted by email and all electronic correspondence including the original application email will be deleted after 6 months at the latest following a corresponding notification. This period is based on our legitimate interest in being able to answer any follow-up questions regarding the application and, if necessary, to comply with our obligations to provide evidence under the regulations on equal treatment of applicants.

In the event of a successful application, the data provided will be processed on the basis of Art. 6 para. 1 lit. b GDPR (for processing in Germany in conjunction with Section 26 para. 1 BDSG) for the purposes of implementing the employment relationship.

4.2 Communication with ATG Alster-Touristik GmbH

4.2.1 Inquiries by telephone, e-mail or fax

If you contact us by e-mail, telephone or fax, we will store and process your inquiry, including all personal data (name, inquiry), for the purpose of processing your request. We will not pass on this data without your consent.

This data is processed on the basis of Art. 6 para. 1 lit. b GDPR if your request is related to the performance of a contract or is necessary for the implementation of pre-contractual measures. In all other cases, the processing is based on our legitimate interest in the effective processing of the inquiries addressed to us (Art. 6 para. 1 lit. f GDPR) or on your consent (Art. 6 para. 1 lit. a GDPR) if this has been requested; consent can be revoked at any time.

The data you send to us via contact requests will remain with us until you ask us to delete it, revoke your consent to storage or the purpose for data storage no longer applies (e.g. after your request has been processed). Mandatory statutory provisions - in particular statutory retention periods - remain unaffected.

4.2.2 E-mail ticket system

We use the e-mail ticket system of Palisis AG, Seestrasse 25, 8702 Zollikon, Switzerland ("Palisis") to process customer inquiries. If users of our website submit contact requests by email, these are stored and organized in the ticket system to enable chronological processing and improve the service experience. Users can always view the current status of the processing of their request via the individually assigned ticket number. Personal data is collected, transmitted to Palisis, stored there and read out exclusively for the organization of requests and their processing, as far as provided in the request, but in any case communication data (surname, first name, e-mail address, address) and payment data. The legal basis for the processing of this data is our legitimate interest in the efficient design of our customer service, the fastest possible response to your request and the optimization of our service offer in accordance with Art. 6 para. 1 lit. f GDPR. We have concluded an order processing contract with Palisis, in which we oblige Palisis to protect our customers' data and not to pass it on to third parties. For the transfer of data outside the European Economic Area, Palisis relies on so-called standard data protection clauses of the European Commission, which are intended to ensure compliance with the European level of data protection.

Your data will be deleted after final processing of your request. This is the case if it can be inferred from the circumstances that the matter in question has been conclusively clarified and provided that there are no statutory retention obligations to the contrary. Further information on data protection at Palisis can be found at https://www.palisis.com/privacy-policy/.

4.2.3 Audio and video conferencing

We use online conferencing tools, among others, to communicate with our customers. The individual tools we use are listed below. If you communicate with us by video or audio conference via the internet, your personal data will be collected and processed by us and the provider of the respective conference tool.

The conference tools collect all data that you provide/enter to use the tools (e-mail address and/or your telephone number). The conference tools also process the duration of the conference, the start and end (time) of participation in the conference, the number of participants and other "context information" in connection with the communication process (metadata).

Furthermore, the provider of the tool processes all technical data that is required to process the online communication. This includes, in particular, IP addresses, MAC addresses, device IDs, device type, operating system type and version, client version, camera type, microphone or loudspeaker and the type of connection.

If content is exchanged, uploaded or provided in any other way within the tool, it is also stored on the tool provider's servers. Such content includes, in particular, cloud recordings, chat/instant messages, voicemails, uploaded photos and videos, files, whiteboards and other information shared while using the service.

Please note that we do not have full control over the data processing procedures of the tools used. Our options are largely determined by the company policy of the respective provider. Further information on data processing by the conference tools can be found in the privacy policies of the tools used, which we have listed below this text.

The conference tools are used to communicate with prospective or existing contractual partners or to offer certain services to our customers (Art. 6 para. 1 lit. b GDPR). Furthermore, the use of the tools serves the general simplification and acceleration of communication with us or our company (legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR). If consent has been requested, the tools in question are used on the basis of this consent; consent can be withdrawn at any time with effect for the future.

The data collected directly by us via the video and conference tools will be deleted from our systems as soon as you ask us to delete it, revoke your consent to storage or the purpose for data storage no longer applies. Stored cookies remain on your end device until you delete them. Mandatory statutory retention periods remain unaffected.

We have no influence on the storage period of your data, which is stored by the operators of the conference tools for their own purposes. For details, please contact the operators of the conference tools directly.

Details on data processing can be found in the Microsoft Teams privacy policy: https://privacy.microsoft.com/de-de/privacystatement.

The company is certified in accordance with the "EU-US Data Privacy Framework" (DPF). The DPF is an agreement between the European Union and the USA, which is intended to ensure compliance with European data protection standards for data processing in the USA. Every company certified under the DPF undertakes to comply with these data protection standards. Further information on this can be obtained from the provider at the following link: https://www.dataprivacyframework.gov/participant/6474.

We have concluded a data processing agreement (DPA) for the use of the above-mentioned service. This is a contract prescribed by data protection law, which ensures that it processes the personal data of our website visitors only in accordance with our instructions and in compliance with the GDPR.

5. duration of the storage of personal data

The duration of the storage of personal data is determined by the respective legal basis, the purpose of processing and - if relevant - additionally by the respective statutory retention period (e.g. retention periods under commercial and tax law).

When processing personal data on the basis of express consent in accordance with Art. 6 para. 1 lit. a GDPR, this data is stored until the data subject withdraws their consent.

If there are statutory retention periods for data that is processed within the framework of legal or similar obligations on the basis of Art. 6 para. 1 lit. b GDPR, this data will be routinely deleted after the retention periods have expired, provided that it is no longer required for contract fulfillment or contract initiation and/or we no longer have a legitimate interest in further storage.

When processing personal data on the basis of Art. 6 para. 1 lit. f GDPR, this data is stored until the data subject exercises their right to object in accordance with Art. 21 para. 1 GDPR, unless we can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or the processing serves the establishment, exercise or defense of legal claims.

When processing personal data for the purpose of direct advertising on the basis of Art. 6 para. 1 lit. f GDPR, this data is processed for as long as

stored until the data subject exercises their right to object in accordance with Art. 21 (2) GDPR.

Unless otherwise stated in the other information in this declaration on specific processing situations, stored personal data is deleted when it is no longer necessary for the purposes for which it was collected or otherwise processed.

6. your rights

6.1 Revocation of your consent to data processing

Many data processing operations are only possible with your express consent. You can withdraw your consent at any time. The legality of the data processing carried out until the revocation remains unaffected by the revocation.

6.2 Right to object to the collection of data in special cases and to direct marketing (Art. 21 GDPR)

IF THE DATA PROCESSING IS BASED ON ART. 6 ABS. 1 LIT. E OR F GDPR, YOU HAVE THE RIGHT TO OBJECT TO THE PROCESSING OF YOUR PERSONAL DATA AT ANY TIME ON GROUNDS RELATING TO YOUR PARTICULAR SITUATION; THIS ALSO APPLIES TO PROFILING BASED ON THESE PROVISIONS. THE RESPECTIVE LEGAL BASIS ON WHICH PROCESSING IS BASED CAN BE FOUND IN THIS PRIVACY POLICY. IF YOU OBJECT, WE WILL NO LONGER PROCESS YOUR PERSONAL DATA CONCERNED UNLESS WE CAN DEMONSTRATE COMPELLING LEGITIMATE GROUNDS FOR THE PROCESSING WHICH OVERRIDE YOUR INTERESTS, RIGHTS AND FREEDOMS OR THE PROCESSING SERVES THE ESTABLISHMENT, EXERCISE OR DEFENSE OF LEGAL CLAIMS (OBJECTION PURSUANT TO ART. 21 PARA. 1 GDPR).

IF YOUR PERSONAL DATA ARE PROCESSED FOR THE PURPOSE OF DIRECT MARKETING, YOU HAVE THE RIGHT TO OBJECT AT ANY TIME TO THE PROCESSING OF PERSONAL DATA CONCERNING YOU FOR THE PURPOSE OF SUCH MARKETING; THIS ALSO APPLIES TO PROFILING TO THE EXTENT THAT IT IS RELATED TO SUCH DIRECT MARKETING. IF YOU OBJECT, YOUR PERSONAL DATA WILL SUBSEQUENTLY NO LONGER BE USED FOR THE PURPOSE OF DIRECT MARKETING (OBJECTION PURSUANT TO ART. 21 PARA. 2 GDPR).

6.3 Right to data portability

You have the right to have data that we process automatically on the basis of your consent or in fulfillment of a contract transferred to yourself or to a third party in

in a commonly used, machine-readable format. If you request the direct transfer of the data to another controller, this will only take place if it is technically feasible.

6.4 Information, correction and deletion

Within the framework of the applicable legal provisions, you have the right at any time to free information about your stored personal data, its origin and recipient and the purpose of the data processing and, if necessary, a right to correction or deletion of this data. You can contact us at any time if you have further questions on the subject of personal data.

6.5 Right to restriction of processing

You have the right to request the restriction of the processing of your personal data. You can contact us at any time to do this. The right to restriction of processing exists in the following cases:

If you dispute the accuracy of your personal data stored by us, we generally need time to check this. You have the right to request the restriction of the processing of your personal data for the duration of the review.

If the processing of your personal data was/is carried out unlawfully, you can request the restriction of data processing instead of erasure.

If we no longer need your personal data, but you need it for the exercise, defense or assertion of legal claims, you have the right to request the restriction of the processing of your personal data instead of its erasure. If you have lodged an objection in accordance with Art. 21 para. 1 GDPR, a balance must be struck between your interests and ours. As long as it has not yet been determined whose interests prevail, you have the right to request the restriction of the processing of your personal data.

If you have restricted the processing of your personal data, this data - apart from its storage - may only be processed with your consent or for the establishment, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the European Union or of a Member State.

6.6 Right to lodge a complaint with the competent supervisory authority

If you are of the opinion that we are in breach of current data protection law, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement. The right to lodge a complaint is without prejudice to any other administrative or judicial remedies.

The competent data protection supervisory authority for ATG Alster-Touristik GmbH is:

The Hamburg Commissioner for Data Protection and Freedom of Information Ludwig-Erhard-Str 22 20459 Hamburg Phone: +49 (40) 42854-4040 E-mail: mailbox@datenschutz.hamburg.de

Status: July 2024e

Tickets