Preamble

With the following privacy policy, we would like to explain to you what types of your personal data (hereinafter also referred to as “data”) we process, for what purposes and to what extent.
The privacy policy applies to all processing of personal data carried out by us, both in the context of the provision of our services and in particular on our websites, in mobile applications and within external online presences, such as our social media profiles (hereinafter collectively referred to as “online offer”).

The terms used are not gender-specific.

Table of contents

• Preamble
• Person responsible
• Contact data protection officer
• Overview of processing
• Relevant legal bases
• Security measures
• Transmission of personal data
• Deletion of data
• Use of cookies
• Business services
• Provision of the online offer and web hosting
• Advertising communication via e-mail, post, fax or telephone
• Rights of the data subjects

Responsible Hotel Wittelsbacher Hof, Wilhelm Ortlieb GmbH & Co. KG represented by the managing director Wilhelm Ortlieb Prinzenstrasse 24 87561 Oberstdorf Germany

Phone: +49 8322 605300 Fax: +49 8322605300

E-mail: info@wittelsbacherhof.de Website: https://wittelsbacherhof.de

RG Kempten, HRA No. 6061 VAT ID No.: DE128516848

Contact data protection officer

OFF Telekommunikation GmbH Mr. Mathias Greiner Beim Högner 2 1/2 87490 Börwang Germany E-Mail: mg@off.de

Overview of processing

The following overview summarizes the types of data processed and the purposes of their processing and refers to the data subjects.

Types of data processed

• Inventory data.
• Payment data.
• Contact details.
• Contract data.
• Usage data.
• Meta, communication and process data.

Categories of affected persons

• Interested parties.
• Communication partner.
• Users.
• Business and contractual partners.

Purposes of the processing

• Provision of contractual services and customer service.
• Contact requests and communication.
• Safety measures.
• Direct marketing.
• Office and organizational procedures.
• Managing and responding to inquiries.
• Provision of our online services and user-friendliness.
• Information technology infrastructure.

Relevant legal bases

Below you will find an overview of the legal bases of the GDPR on the basis of which we process personal data.
Please note that in addition to the provisions of the GDPR, national data protection regulations may apply in your or our country of residence or domicile.
Should more specific legal bases also apply in individual cases, we will inform you of these in the privacy policy.

• Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR) – The data subject has given their consent to the processing of their personal data for one or more specific purposes.
• Performance of a contract and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR) – Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
• Legal obligation (Art. 6 para. 1 sentence 1 lit. c) GDPR) – Processing is necessary for compliance with a legal obligation to which the controller is subject.
• Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR) – Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.

In addition to the data protection regulations of the GDPR, national data protection regulations apply in Germany.
These include, in particular, the Act on the Protection against Misuse of Personal Data in Data Processing (Federal Data Protection Act – BDSG).
In particular, the BDSG contains special regulations on the right to information, the right to erasure, the right to object, the processing of special categories of personal data, processing for other purposes and transmission as well as automated decision-making in individual cases, including profiling.
It also regulates data processing for the purposes of the employment relationship (Section 26 BDSG), in particular with regard to the establishment, implementation or termination of employment relationships and the consent of employees.
The data protection laws of the individual federal states may also apply.

Security measures

We take appropriate technical and organizational measures in accordance with the legal requirements, taking into account the state of the art, the implementation costs and the nature, scope, circumstances and purposes of the processing as well as the different probabilities of occurrence and the extent of the threat to the rights and freedoms of natural persons, in order to ensure a level of protection appropriate to the risk.

The measures include, in particular, safeguarding the confidentiality, integrity and availability of data by controlling physical and electronic access to the data as well as the access, input, disclosure, safeguarding of availability and its separation.
Furthermore, we have established procedures that ensure the exercise of data subject rights, the deletion of data and responses to data threats.
Furthermore, we already take the protection of personal data into account during the development or selection of hardware, software and processes in accordance with the principle of data protection, through technology design and through data protection-friendly default settings.

Transmission of personal data

As part of our processing of personal data, data may be transferred to other bodies, companies, legally independent organizational units or persons or disclosed to them.
The recipients of this data may include, for example, service providers commissioned with IT tasks or providers of services and content that are integrated into a website.
In such cases, we observe the legal requirements and in particular conclude corresponding contracts or agreements with the recipients of your data that serve to protect your data.

Deletion of data

The data processed by us will be deleted in accordance with the legal requirements as soon as the consents permitted for processing are revoked or other permissions cease to apply (e.g. if the purpose of processing this data no longer applies or it is not required for the purpose).
If the data is not deleted because it is required for other and legally permissible purposes, its processing is restricted to these purposes.
This means that the data is blocked and not processed for other purposes.
This applies, for example, to data that must be retained for commercial or tax law reasons or whose storage is necessary for the assertion, exercise or defense of legal claims or to protect the rights of another natural or legal person.

Our data protection notices may also contain further information on the storage and deletion of data, which apply primarily to the respective processing.

Use of cookies

Cookies are small text files or other storage notes that store information on end devices and read information from the end devices.
For example, to store the login status in a user account, the contents of a shopping cart in an e-shop, the content accessed or the functions used in an online offering.
Cookies can also be used for various purposes, e.g. to ensure the functionality, security and convenience of online services and to analyze visitor flows.

Notes on consent: We use cookies in accordance with the statutory provisions.
We therefore obtain prior consent from users, unless this is not required by law.
In particular, consent is not required if the storage and reading of information, including cookies, is absolutely necessary in order to provide the user with a telemedia service expressly requested by them (i.e. our online offering).
The revocable consent is clearly communicated to the users and contains the information on the respective cookie use.

Information on legal bases under data protection law: The legal basis under data protection law on which we process users’ personal data with the help of cookies depends on whether we ask users for their consent.
If users consent, the legal basis for processing their data is the consent they have given.
Otherwise, the data processed with the help of cookies is processed on the basis of our legitimate interests (e.g. in the business operation of our online offering and improving its usability) or, if this is done in the context of fulfilling our contractual obligations, if the use of cookies is necessary to fulfill our contractual obligations.
We explain the purposes for which we process cookies in the course of this privacy policy or as part of our consent and processing procedures.

Storage period: With regard to the storage period, a distinction is made between the following types of cookies:

• Temporary cookies (also: session cookies): Temporary cookies are deleted at the latest after a user has left an online service and closed their end device (e.g. browser or mobile application).
• Permanent cookies: Permanent cookies remain stored even after the end device is closed.
  For example, the login status can be saved or preferred content can be displayed directly when the user visits a website again.
  The user data collected with the help of cookies can also be used to measure reach.
  If we do not provide users with explicit information on the type and storage duration of cookies (e.g. when obtaining consent), users should assume that cookies are permanent and can be stored for up to two years.

General information on revocation and objection (opt-out): Users can revoke the consents they have given at any time and also object to processing in accordance with the legal requirements in Art. 21 GDPR.
Users can also declare their objection via their browser settings, e.g. by deactivating the use of cookies (although this may also restrict the functionality of our online services).
An objection to the use of cookies for online marketing purposes can also be declared via the websites https://optout.aboutads.info and https://www.youronlinechoices.com/

Further information on processing operations, procedures and services:

Processing of cookie data on the basis of consent: We use a cookie consent management procedure in which the consent of users to the use of cookies or the processing and providers mentioned in the cookie consent management procedure can be obtained, managed and revoked by users.
The declaration of consent is stored so that it does not have to be requested again and the consent can be proven in accordance with the legal obligation.
Consent can be stored on the server and/or in a cookie (so-called opt-in cookie or with the help of comparable technologies) in order to be able to assign the consent to a user or their device.
Subject to individual information on the providers of cookie management services, the following information applies: Consent may be stored for up to two years.
A pseudonymous user identifier is created and stored with the time of consent, information on the scope of consent (e.g. which categories of cookies and/or service providers) as well as the browser, system and end device used.

Google Maps This site uses the Google Maps map service via an API.
The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
To use the functions of Google Maps, it is necessary to save your IP address.
This information is usually transmitted to a Google server in the USA and stored there.
The provider of this site has no influence on this data transfer.
The use of Google Maps is in the interest of an appealing presentation of our online offers and to make it easy to find the places we have indicated on the website.
This constitutes a legitimate interest within the meaning of Art. 6 para.
1 lit.
f GDPR.

You can find more information on the handling of user data in Google’s privacy policy: policies.google.com/privacy?hl=en.

Application and use of Google Analytics (with anonymization function) The controller has integrated the Google Analytics component (with anonymization function) on this website.
Google Analytics is a web analysis service.
Web analysis is the collection, gathering and evaluation of data about the behavior of visitors to websites.
Among other things, a web analysis service collects data on the website from which a data subject came to a website (so-called referrer), which subpages of the website were accessed or how often and for how long a subpage was viewed.
Web analysis is mainly used to optimize a website and for the cost-benefit analysis of Internet advertising.

The operating company of the Google Analytics component is Google Inc., 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, USA.

The data controller uses the addition “_gat._anonymizeIp” for web analysis via Google Analytics.
By means of this addition, the IP address of the Internet connection of the data subject is shortened and anonymized by Google if access to our Internet pages is from a member state of the European Union or from another state party to the Agreement on the European Economic Area.

The purpose of the Google Analytics component is to analyze the flow of visitors to our website.
Google uses the data and information obtained, among other things, to evaluate the use of our website, to compile online reports for us that show the activities on our website, and to provide other services related to the use of our website.

Google Analytics places a cookie on the data subject’s IT system.
What cookies are has already been explained above.
By setting the cookie, Google is enabled to analyze the use of our website.
Each time one of the individual pages of this website is accessed, which is operated by the data controller and on which a Google Analytics component has been integrated, the Internet browser on the information technology system of the data subject is automatically prompted by the respective Google Analytics component to transmit data to Google for the purpose of online analysis.
During the course of this technical procedure, Google gains knowledge of personal information, such as the IP address of the data subject, which serves Google, inter alia, to understand the origin of visitors and clicks, and subsequently create commission settlements.

The cookie is used to store personal information, such as the access time, the location from which access was made and the frequency of visits to our website by the data subject.
Each time our website is visited, this personal data, including the IP address of the Internet connection used by the data subject, is transmitted to Google in the United States of America.
This personal data is stored by Google in the United States of America.
Google may pass on this personal data collected via the technical process to third parties.

The data subject can prevent the setting of cookies by our website at any time by means of a corresponding setting of the Internet browser used and thus permanently object to the setting of cookies.
Such an adjustment to the Internet browser used would also prevent Google from setting a cookie on the information technology system of the data subject.
In addition, a cookie already set by Google Analytics can be deleted at any time via the Internet browser or other software programs.

Further information and the applicable data protection provisions of Google may be retrieved under https://www.google.de/intl/de/policies/privacy/ and under http://www.google.com/analytics/terms/de.html.
Google Analytics is explained in more detail at this link https://www.google.com/intl/de_de/analytics/

Contact form (request information, apply online) If you contact us using the form on the website or by e-mail, or apply for a job, we will store the data you provide and the general data described above.
By using our form, you consent to the processing of your data.
We do not pass the data on to third parties and use the data exclusively to process the contact and to answer the respective inquiry.
If you contact us by e-mail, the necessary legitimate interest in the processing of the data also lies in the processing of the contact.
The legal basis for the processing of the data is Article 6 para.
1 lit.
a GDPR.
The legal basis for the processing of data transmitted in the course of sending an email is Article 6 para.
1 lit.
f GDPR.
The data transmitted to us in the course of contacting us will be deleted as soon as it is no longer required for the aforementioned purpose.
As far as the personal data from the contact form and the data sent by email are concerned, this is the case as soon as the respective conversation has ended.
This in turn is the case as soon as the facts of the case have been conclusively clarified.
If the contact is also aimed at concluding a contract, the additional legal basis is Article 6 para.
1 lit.
b GDPR.
In this case, we will store your request as a business letter for 7 years.

Subscription to our newsletter On the website of the Wilhelm Ortlieb GmbH & Co KG, users are given the opportunity to subscribe to our enterprise’s newsletter.
The input mask used for this purpose determines what personal data are transmitted to the controller when the newsletter is ordered.

The Wilhelm Ortlieb GmbH & Co KG informs its customers and business partners regularly by means of a newsletter about enterprise offers.
Our company’s newsletter can only be received by the data subject if (1) the data subject has a valid e-mail address and (2) the data subject registers to receive the newsletter.
For legal reasons, a confirmation e-mail is sent to the e-mail address entered by a data subject for the first time for the newsletter mailing using the double opt-in procedure.
This confirmation email is used to check whether the owner of the email address as the data subject has authorized the receipt of the newsletter.

When registering for the newsletter, we also store the IP address assigned by the Internet service provider (ISP) of the computer system used by the data subject at the time of registration, as well as the date and time of registration.
The collection of this data is necessary in order to be able to trace the (possible) misuse of a data subject’s e-mail address at a later date and therefore serves as legal protection for the controller.

The personal data collected when registering for the newsletter will be used exclusively to send our newsletter.
Furthermore, subscribers to the newsletter may be informed by e-mail if this is necessary for the operation of the newsletter service or a registration in this regard, as could be the case in the event of changes to the newsletter offer or changes to the technical circumstances.
The personal data collected as part of the newsletter service will not be passed on to third parties.
The subscription to our newsletter can be canceled by the data subject at any time.
The consent to the storage of personal data, which the data subject has given us for the newsletter dispatch, can be revoked at any time.
There is a corresponding link in every newsletter for the purpose of revoking consent.
It is also possible to unsubscribe from the newsletter at any time directly on the controller’s website or to inform the controller of this in another way.

Newsletter tracking The newsletters of Wilhelm Ortlieb GmbH & Co KG contain so-called tracking pixels.
A tracking pixel is a miniature graphic that is embedded in e-mails that are sent in HTML format to enable log file recording and log file analysis.
This allows a statistical evaluation of the success or failure of online marketing campaigns to be carried out.
Based on the embedded tracking pixel, the Wilhelm Ortlieb GmbH & Co KG may see if and when an e-mail was opened by a data subject, and which links in the e-mail were called up by data subjects.

Such personal data collected via the tracking pixels contained in the newsletters are stored and evaluated by the controller in order to optimize the newsletter dispatch and to adapt the content of future newsletters even better to the interests of the data subject.
This personal data is not passed on to third parties.
Data subjects are entitled at any time to revoke the separate declaration of consent given in this regard via the double opt-in procedure.
After revocation, this personal data will be deleted by the controller.
The Wilhelm Ortlieb GmbH & Co KG automatically regards a withdrawal from the receipt of the newsletter as a revocation.

Use and application of Twitter The data controller has integrated Twitter components on this website.
Twitter is a multilingual, publicly accessible microblogging service on which users can publish and disseminate so-called tweets, i.e. short messages limited to 140 characters.
These short messages can be accessed by anyone, including people who are not registered with Twitter.
However, the tweets are also displayed to the so-called followers of the respective user.
Followers are other Twitter users who follow a user’s tweets.
Twitter also makes it possible to address a broad audience via hashtags, links or retweets.

The operating company of Twitter is Twitter, Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA.

Each time one of the individual pages of this website is accessed, which is operated by the controller and on which a Twitter component (Twitter button) has been integrated, the Internet browser on the information technology system of the data subject is automatically prompted by the respective Twitter component to download a representation of the corresponding Twitter component from Twitter.
Further information about the Twitter buttons is available at https://about.twitter.com/de/resources/buttons.
During the course of this technical procedure, Twitter gains knowledge of what specific sub-page of our website was visited by the data subject.
The purpose of the integration of the Twitter component is to enable our users to redistribute the contents of this website, to make this website known in the digital world and to increase our visitor numbers.

If the data subject is logged in at the same time on Twitter, Twitter recognizes with each call-up to our website by the data subject and for the entire duration of his or her stay on our Internet site, which specific sub-page of our Internet page was visited by the data subject.
This information is collected by the Twitter component and assigned by Twitter to the respective Twitter account of the data subject.
If the data subject clicks on one of the Twitter buttons integrated on our website, the data and information transmitted with it is assigned to the personal Twitter user account of the data subject and stored and processed by Twitter.

Twitter always receives information via the Twitter component that the data subject has visited our website if the data subject is logged in to Twitter at the same time as accessing our website; this takes place regardless of whether the data subject clicks on the Twitter component or not.
If the data subject does not want this information to be transmitted to Twitter, they can prevent the transmission by logging out of their Twitter account before accessing our website.

The applicable data protection provisions of Twitter may be retrieved under https://twitter.com/privacy?lang=de

Use and application of YouTube The controller has integrated YouTube components on this website.
YouTube is an Internet video portal that allows video publishers to post video clips free of charge and other users to view, rate and comment on them free of charge.
YouTube allows the publication of all types of videos, which is why complete film and television programs as well as music videos, trailers or videos made by users themselves can be accessed via the Internet portal.

The operating company of YouTube is YouTube, LLC, 901 Cherry Ave, San Bruno, CA 94066, USA. YouTube, LLC is a subsidiary of Google Inc, 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, USA.

Each time one of the individual pages of this website is accessed, which is operated by the controller and on which a YouTube component (YouTube video) has been integrated, the Internet browser on the information technology system of the data subject is automatically prompted by the respective YouTube component to download a representation of the corresponding YouTube component from YouTube.
Further information about YouTube can be found at https://www.youtube.com/yt/about/de/.
During the course of this technical procedure, YouTube and Google gain knowledge of what specific sub-page of our website was visited by the data subject.

If the data subject is logged in to YouTube at the same time, YouTube recognizes which specific subpage of our website the data subject is visiting when a subpage containing a YouTube video is accessed.
This information is collected by YouTube and Google and assigned to the respective YouTube account of the data subject.

YouTube and Google always receive information via the YouTube component that the data subject has visited our website if the data subject is logged in to YouTube at the same time as accessing our website; this takes place regardless of whether the data subject clicks on a YouTube video or not.
If the data subject does not want this information to be transmitted to YouTube and Google, they can prevent the transmission by logging out of their YouTube account before accessing our website.

The data protection provisions published by YouTube, which can be accessed at https://www.google.de/intl/de/policies/privacy/, provide information about the collection, processing and use of personal data by YouTube and Google.

PAYPAL as a payment method The data controller has integrated PayPal components on this website.
PayPal is an online payment service provider.
Payments are processed via so-called PayPal accounts, which are virtual private or business accounts.
PayPal also offers the option of processing virtual payments via credit cards if a user does not have a PayPal account.
A PayPal account is managed via an e-mail address, which is why there is no classic account number.
PayPal makes it possible to initiate online payments to third parties or to receive payments.
PayPal also assumes trustee functions and offers buyer protection services.

The European operating company of PayPal is PayPal (Europe) S.à.r.l. & Cie. S.C.A., 22-24 Boulevard Royal, 2449 Luxembourg, Luxembourg.

If the data subject selects “PayPal” as the payment option during the ordering process in our online store, the data of the data subject is automatically transmitted to PayPal.
By selecting this payment option, the data subject consents to the transfer of personal data required for payment processing.

The personal data transmitted to PayPal is usually first name, last name, address, email address, IP address, telephone number, cell phone number or other data required for payment processing.
Personal data that is necessary for processing the purchase contract is also data that is related to the respective order.

The purpose of transmitting the data is to process payments and prevent fraud.
The controller will transmit personal data to PayPal in particular if there is a legitimate interest in the transmission.
The personal data exchanged between PayPal and the controller may be transmitted by PayPal to credit reference agencies.
The purpose of this transmission is to check identity and creditworthiness.

PayPal may pass on the personal data to affiliated companies and service providers or subcontractors if this is necessary to fulfill the contractual obligations or if the data is to be processed on behalf of PayPal.

The data subject has the option of withdrawing consent to the handling of personal data from PayPal at any time.
A revocation does not affect personal data that must be processed, used or transmitted for (contractual) payment processing.
The applicable data protection provisions of PayPal may be retrieved under https://www.paypal.com/de/webapps/mpp/ua/privacy-full.

Etracker The provider of this website uses services of etracker GmbH from Hamburg, Germany (www.etracker.com) to analyze usage data.
Cookies are used to statistically analyze the use of this website by its visitors and to display usage-related content or advertising.
Cookies are small text files that are stored by the Internet browser on the user’s end device.
etracker cookies do not contain any information that enables a user to be identified.

The data generated with etracker is processed and stored by etracker on behalf of the provider of this website exclusively in Germany and is therefore subject to the strict German and European data protection laws and standards.
In this respect, etracker has been independently audited, certified and awarded the ePrivacyseal data protection seal of approval.

Data processing is carried out on the legal basis of Art. 6 para. 1 lit. f (legitimate interest) of the EU General Data Protection Regulation (EU GDPR).
Our legitimate interest lies in the optimization of our online offering and our website.
Since the privacy of our visitors is particularly important to us, etracker anonymizes the IP address as early as possible and converts login or device identifiers into a unique key that is not assigned to a person.
No other use, merging with other data or forwarding to third parties is carried out by etracker.

TRAMINO contact forms Our contact forms (inquiries, reviews) are processed using software from Tramino (registered office: Weststrasse 30, D-87561 Oberstdorf, Germany, privacy policy).
When you contact us (e.g. by contact form, email, telephone or via social media), the user’s details are used to process the contact request and its processing in accordance with Art. 6 para. 1 lit. f GDPR.
Art. 6 para.
1 lit.
b DSGVO processed.
The user’s details are stored in a customer relationship management system (“CRM system”).
We delete the inquiries if they are no longer required to fulfill your request.
We review the necessity every two years; the statutory archiving obligations also apply.

Booking & ordering system Our bookings or orders are processed using software from Tramino (registered office: Weststrasse 30, D-87561 Oberstdorf, Germany, privacy policy).
This service provider is used on the basis of our legitimate interests acc.
Art. 6 para.
1 lit.
f GDPR and an order processing contract acc.
Art. 28 para.
3 sentence 1 GDPR and does not use the resulting personal data itself or pass it on to third parties.

Data collected during a booking or order (address data with address, communication data such as telephone number and e-mail address) and details of accompanying persons (names, dates of birth) are stored in a customer relationship management system (“CRM system”).
If you provide special personal data that is relevant to the fulfillment of our services, e.g. allergy-related intolerances, this will also be stored.

Business services

We process data of our contractual and business partners, e.g. customers and interested parties (collectively referred to as “contractual partners”) in the context of contractual and comparable legal relationships and associated measures and in the context of communication with the contractual partners (or pre-contractual), e.g. to answer inquiries.

We process this data in order to fulfill our contractual obligations.
These include, in particular, the obligations to provide the agreed services, any updating obligations and remedies in the event of warranty and other service disruptions.
In addition, we process the data to safeguard our rights and for the purpose of the administrative tasks associated with these obligations and the company organization.
In addition, we process the data on the basis of our legitimate interests in proper and efficient business management and in security measures to protect our contractual partners and our business operations from misuse, threats to their data, secrets, information and rights (e.g. for the involvement of telecommunications, transport and other auxiliary services as well as subcontractors, banks, tax and legal advisors, payment service providers or tax authorities).
Within the framework of applicable law, we only pass on the data of contractual partners to third parties to the extent that this is necessary for the aforementioned purposes or to fulfill legal obligations.
Contractual partners will be informed about other forms of processing, e.g. for marketing purposes, as part of this privacy policy.

We inform the contractual partners which data is required for the aforementioned purposes before or as part of the data collection, e.g. in online forms, by special marking (e.g. colors) or symbols (e.g. asterisks or similar), or personally.

We delete the data after the expiry of statutory warranty and comparable obligations, i.e. generally after 4 years, unless the data is stored in a customer account, e.g. as long as it must be retained for legal archiving reasons.
The statutory retention period is ten years for documents relevant under tax law as well as for trading books, inventories, opening balance sheets, annual financial statements, the work instructions required to understand these documents and other organizational documents and accounting records, and six years for commercial and business letters received and reproductions of commercial and business letters sent.
The period begins at the end of the calendar year in which the last entry was made in the book, the inventory, the opening balance sheet, the annual financial statements or the management report was prepared, the commercial or business letter was received or sent or the accounting document was created, the record was made or the other documents were created.

Insofar as we use third-party providers or platforms to provide our services, the terms and conditions and data protection notices of the respective third-party providers or platforms apply in the relationship between the users and the providers.

• Processed data types: inventory data (e.g. names, addresses); payment data (e.g. bank details, invoices, payment history); contact data (e.g. email, telephone numbers); contract data (e.g. subject matter of contract, term, customer category).
• Persons concerned: Interested parties; business and contractual partners.
• Purposes of Processing: Provision of contractual services and customer support; Contact requests and communication; Office and organizational procedures; Managing and responding to inquiries.
• Legal basis: Contract fulfillment and pre-contractual inquiries (Art.
  6 para.
  1 sentence 1 lit.
  b) GDPR); Legal obligation (Art.
  6 para.
  1 sentence 1 lit.
  c) GDPR); Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Provision of the online offer and web hosting

We process users’ data in order to provide them with our online services.
For this purpose, we process the user’s IP address, which is necessary to transmit the content and functions of our online services to the user’s browser or end device.

• Processed data types: Usage data (e.g. websites visited, interest in content, access times); meta, communication and procedural data (e.g. IP addresses, time data, identification numbers, consent status).
• Data subjects: Users (e.g. website visitors, users of online services).
• Purposes of processing: Provision of our online offer and user-friendliness; information technology infrastructure (operation and provision of information systems and technical devices (computers, servers, etc.)); security measures.
• Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Further information on processing operations, procedures and services:

• Collection of access data and log files: Access to our online offering is logged in the form of so-called “server log files”.
  The server log files may include the address and name of the web pages and files accessed, date and time of access, data volumes transferred, notification of successful access, browser type and version, the user’s operating system, referrer URL (the previously visited page) and, as a rule, IP addresses and the requesting provider.
  The server log files may be used for security purposes, e.g. to prevent server overload (especially in the event of abusive attacks, so-called DDoS attacks) and to ensure server capacity utilization and stability; legal basis: legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); deletion of data: Log file information is stored for a maximum of 30 days and then deleted or anonymized.
  Data whose further storage is required for evidentiary purposes is exempt from deletion until the respective incident has been finally clarified.

Advertising communication via e-mail, post, fax or telephone

We process personal data for the purposes of advertising communication, which may take place via various channels, such as e-mail, telephone, post or fax, in accordance with legal requirements.

Recipients have the right to withdraw their consent at any time or to object to advertising communication at any time.

After revocation or objection, we store the data required to prove the previous authorization for contacting or sending up to three years after the end of the year of revocation or objection on the basis of our legitimate interests.
The processing of this data is limited to the purpose of a possible defense against claims.
On the basis of the legitimate interest in permanently observing the revocation or objection of the user, we also store the data required to avoid renewed contact (e.g. depending on the communication channel, the e-mail address, telephone number, name).

• Processed data types: inventory data (e.g. names, addresses); contact data (e.g. e-mail, telephone numbers).
• Affected persons: Communication partner.
• Purposes of processing: Direct marketing (e.g. by e-mail or post).
• Legal basis: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR); Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Rights of the data subjects

As a data subject, you are entitled to various rights under the GDPR, which arise in particular from Art. 15 to 21 GDPR:

• Right to object: You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on Art. 6 para.
  1 lit.
  e or f GDPR; this also applies to profiling based on these provisions.
  If the personal data concerning you are processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing.
• Right to withdraw consent: You have the right to withdraw your consent at any time.
• Right of access: You have the right to obtain confirmation as to whether or not personal data concerning you is being processed and to obtain information about this data and further information and a copy of the data in accordance with the legal requirements.
• Right to rectification: In accordance with the statutory provisions, you have the right to request the completion of data concerning you or the rectification of inaccurate data concerning you.
• Right to erasure and restriction of processing: In accordance with the statutory provisions, you have the right to demand that data concerning you be erased immediately or, alternatively, to demand that the processing of the data be restricted in accordance with the statutory provisions.

• Right to data portability: You have the right to receive the data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format in accordance with the legal requirements or to request its transmission to another controller.
• Complaint to the supervisory authority: Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data relating to you infringes the provisions of the GDPR.