Data Privacy
In the following we would like to inform you about our handling of your data when using our website www.lufthansaholidays.com and its sub-pages (hereinafter: "website") in accordance with Art. 13 of the Basic Data Protection Ordinance (hereinafter: "DSGVO"). You can access, print or download this data protection declaration permanently and at any time at https://lufthansaholidays.com/en-de/privacy
I. Data Processing Unit and Data Protection Officer
Responsible for data collection, processing and use ("data processing") within the meaning of the DSGVO is
HLX Touristik GmbH (hereinafter: "HLX"),
Augustaplatz 8
76530 Baden-Baden
Phone: 0049 (0) 234 96103626
E-mail address: service.lhh@hlx.com
The data protection officer of HLX Touristik GmbH can be contacted by e-mail at datenschutz@hlx.com
II. data security
HLX uses technical and organizational security measures to protect the data against accidental or intentional manipulation, loss, destruction or access by unauthorized persons, taking into account the state of the art, implementation costs and the type, scope, circumstances and purposes of processing as well as the different probability of occurrence and severity of the risk. The transmission of personal data between your terminal and our server is always encrypted (TLS encryption).
III. provision of the website and creation of log files
1. description and scope of data processing
In order to establish and maintain the connection during the mere informational use of the website, only those server log files that your browser transmits to us are automatically collected and stored. The following data, which is technically necessary for the presentation and for IT security, is therefore collected when the website is viewed only:
· Your IP address
· the HTTP status code,
· the browser type, the browser version,
· the referrer URL (the previously visited page),
· Date and time of the server request,
· the transferred files,
· and the size of the files transferred during the connection.
The listed personal data is also stored in the log files of the server. A combination of this stored data with further data of yours does not take place.
HLX also uses cookies and analysis services. You will find more detailed information on this in the following information in this data protection declaration.
2. legal basis of data processing
The legal basis for storage is Art. 6 Para.1 f) DSGVO.
3. Purpose of data processing
Temporary storage of the data in log files is absolutely necessary to enable a correct presentation of the website, to ensure the permanent functionality of the information technology systems and the technology of the website and to optimise the website.
In addition, the data is stored in the interest of recognizing, limiting and eliminating attacks on our website.
4. Duration of storage
Stored log files are deleted or made anonymous if they are no longer required. They are usually deleted or made anonymous after 3 months, provided that no legal retention obligations exist or longer storage is necessary, for example to ward off or clarify an attack on our website (e.g. fraudulent booking, cyber attacks).
5. recipient of the data
The processing of your personal data for the provision and optimisation as well as analysis of the website is also carried out by contract processors (e.g. web analysis service providers). These shall be included exclusively on the basis of an agreement to an order agreement in accordance with Art. 28 para. 3 DSGVO.
6. Google Fonts
We use web fonts from Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA ("Google").
Google is certified for this for the "Privacy Shield" (https://www.privacyshield.gov/), which is intended to ensure compliance with the data protection level applicable in the EU.
When you call up a page, your browser loads the required web fonts into your browser to display texts and fonts correctly. To do this, your browser connects to Google, which tells Google that our websites have been accessed via your IP address.
The use of Google Fonts is in the interest of a uniform and appealing representation of our web pages. If your browser does not support Google Fonts or Web Fonts, your device uses a default font.
For more information about Google Fonts and Google's privacy policy, please visit the following Web sites:
https://fonts.google.com/
http://www.google.de/policies/privacy
The legal basis for the processing of personal data using Google Fonts is Art. 6 para.1 letter f DSGVO (legitimate interest).
7. Google Maps
On our website we use the map service Google Maps (API) from Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA ("Google") to show our location.
Google is certified for this for the "Privacy Shield" (https://www.privacyshield.gov/), which is intended to ensure compliance with the data protection level applicable in the EU.
When you enter the page on which the Google Maps map is integrated, our website sends various information including your IP address to Google in the USA, where it is stored on its servers. If you have a Google Account and are logged in at the time you visit our site, the information will be associated directly with your account. But even without a user account, Google will create a user profile about you. This is regardless of whether Google provides a user account that you are logged in with or whether no user account exists.
The legal basis for data processing is Art. 6 para. 1 lit. f DSGVO. Our transmission of the data to Google is based on our legitimate interest in offering you the map function of Google Maps on our website.
You can prevent the allocation of the data we transmit to your user account by logging out of Google before you visit our website. To stop the data transfer to Google completely, you have to switch off the JavaScript application in your browser. The map display can then no longer be used.
More information about Google and the use of Google Maps can be found here:
Google Terms of Use:
http://www.google.de/intl/de/policies/terms/regional.html
Terms of use for Google Maps:
https://www.google.com/intl/de_US/help/terms_maps.html
Google's privacy policy (Google Privacy Policy):
http://www.google.de/intl/de/policies/privacy/
IV. Technically conditioned cookies
1. description and scope of data processing
HLX uses cookies when operating the website. Cookies are small text files that can be stored and read on the visitor's terminal device. The handling of cookies can be set in the browser. If cookies are not accepted, the functionality of the website may be restricted. You can distinguish between different types of cookies:
Session cookies: These are automatically deleted at the end of the browser session. The following data is collected: Browser type, operating system, country of origin of the accessing computer.
Permanent cookies: These can be stored over the individual browser session.
2. legal basis of data processing
Processing is carried out on the basis of Art. 6 para. 1 lit. f DSGVO.
3. Purpose of data processing
The use of technically conditioned cookies and the associated data processing takes place due to our legitimate interest in a technically objection-free and comfortable use of our website.
4. Duration of storage
Technically conditioned cookies are usually deleted automatically when you close your browser (session cookies), in other cases only after some time (permanent cookies). The duration of storage of permanent cookies is determined by the provider and can be viewed by you in your browser, for example.
5. recipient of the data
Only in selected cases will personal data be transmitted to external service providers within the framework of order processing in accordance with Art. 28 DSGVO. Further information can be found in Section V.5 ("Tracking-tools/Web analysis services").
V. Tracking tools/Website analysis services
Website analysis services used by HLX are used on the basis of Art. 6 para. 1 sentence 1 f) DSGVO. These services ensure a demand-oriented design and the continuous optimization of our website and marketing measures. In addition, these services are used to statistically record and evaluate the use of the website (e.g. number of visits by different users) for the purpose of optimization. These interests are to be regarded as legitimate within the meaning of the aforementioned provisions.
1. Google Analytics
We use on our websites Google Analytics and Google-Signals, both web analytics services provided by Google Inc. (" Google "). These services use cookies that are stored on your device, to allow us to analyse the usage of our website. The information generated by the cookies about your use of the web sites is usually transmitted to and stored by Google on a server in the US. Google Analytics provides us with statistical data on how often a particular device used our web site. If you use a Gmail Email and have activated the personalised Advertising, we also receive aggregate statistical usage data via the Google Signals service.
However, your IP address will be reduced before Google transfers it within member states of the European Union or in other signatory states to the Agreement on the European Economic Area and thus made anonymous. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and shortened there. IP anonymisation is active on our websites. On behalf of HLX, Google will use this information to evaluate your use of the website, to compile reports on website activity and to provide HLX with further services relating to website and Internet use. We have concluded an order processing agreement with Google in accordance with Art. 28 DSGVO.
The IP address transmitted by your browser in the context of Google Analytics is not merged with other Google data. You may refuse the use of cookies by selecting the appropriate settings on your browser, however please note that if you do this you may not be able to use the full functionality of our websites. You can also prevent Google from collecting the data generated by the cookie and relating to your use of the website (including your IP address) and from processing this data by Google by downloading and installing the browser plug-in available under the following link: http://tools.google.com/dlpage/gaoptout?hl=en.
As an alternative to the browser add-on, especially for browsers on mobile devices, you can also prevent Google Analytics from collecting data by setting an opt-out cookie that prevents future collection of your data when you visit our websites. To do this, click on this link: <a href="javascript:gaOptout()">Disable Google Analytics</a>. The opt-out cookie is only valid in this browser and only for our websites and is stored on your device. If you delete the cookies in this browser, you must set the opt-out cookie again.
2. Hurra
This website uses the web analysis and online marketing controlling system "OWAPro" of Hurra Communications GmbH, Stuttgart, (hereinafter: "hurra.com") for web analysis and optimization of online marketing measures.
Web analytics is mainly used to analyze user flows on this website and to optimize online marketing campaigns. OWAPro can process the following personal data: Online identifiers, including cookie IDs, IP addresses, device identifiers, customer identifiers, referrer, transaction data. This data can also be used to measure and optimize the success of advertising campaigns and their cost-benefit analysis to obtain information about which offers visitors have ordered or which other campaigns they have initiated (so-called "con-version tracking). For this purpose, cookies may be used that enable the recognition of an Internet browser on a new visit. These cookies can store unique online identifiers ("cookie ID") on your device.
As a rule, OWAPro only processes pseudonymized data that hur-ra.com itself cannot assign to an identifiable natural person. IP addresses are automatically anonymized by OWAPro by default. Further information on the type and scope of personal data processed by hurra.com in OWAPro and the possible cookies used can be found in hurra.com's data protection declaration at: http://www.hurra.com/privacy
You can object to the collection and processing of data by hurra.com services for this website at any time in the future by opting out[http://ssl.hurra.com/opt-out?cid=4697&ln=en].
3. trbo
On our site, trbo GmbH, Römerstrasse 6, 80801 München (http://www.trbo.com/) collects and stores data from which user profiles are created using pseudonyms to provide you with personalised customer benefits. For this purpose, cookies may be used that enable the recognition of an Internet browser. These usage profiles serve the analysis of visitor behaviour and are evaluated for the improvement and demand-oriented design of our offer. The pseudo-nymised user profiles are not combined with personal data about the bearer of the pseudonym without the express consent of the data subject to be given separately. You can object at any time by clicking on the following links: activate trbo and deactivate trbo.
Activate trbo
Link: https://track2.trbo.com/optin.php?redirect=XXX
disable trbo
Link: https://track2.trbo.com/optout.php?redirect=XXX
4. recipient of the data
4.1 Data transmission to third parties
The processing of your personal data in the context of tracking tools and web analysis services is also carried out by contract processors. These are exclusively included on the basis of an agreement to an order agreement in accordance with Art. 28 para. 3 DSGVO.
4.2 Data transmission to third countries
When using Google Analytics, in the exceptional cases described above, your IP address may be transmitted to Google LLC in full and only shortened there. Google LLC is domiciled in the USA and thus in a so-called "third country" according to Art. 44 DSGVO. At Google Analytics, the appropriate level of data protection follows from participation in the Privacy Shield Agreement (Art. 54 Para. 1 DSGVO).
If you would like to know more about the protection of the data transmitted, please contact our data protection officer.
VI. travel bookings
1. description and scope of data processing
When you book a trip via our website, you must enter the following personal data in an input mask as part of the booking process:
Travel Applicant:
o Salutation
o Title
o First name(s)
o Surname
o Place of residence
o Date of birth
o Telephone number
o E-mail address
o For SEPA Direct Debit Scheme: Name of account holder; IBAN and BIC
o For payment by credit card: card number, cardholder, expiry date, card verification number
Passengers:
o Salutation
o Title
o First name(s)
o Surname
o Date of birth
2. legal basis of data processing
The legal basis for data processing is Art. 6 para. 1 lit. b DSGVO, which permits the processing of data for the fulfilment of a contract or pre-contractual measures.
3. Purpose of data processing
We store and use this data to process your travel booking (contract processing).
4. Duration of storage
The data will be deleted if it is no longer required to process the contractual relationship/your rice booking. As a rule, they are deleted after 3 years, unless there is a legal obligation to store them.
5. recipient of the data
5.1 Data transmission to third parties
We transfer personal data, which you enter when booking rice, for the fulfilment of our contractual obligations as a travel agent to your respective tour operator.
5.2 Data transmission to third countries
We transfer personal data to third countries outside the EU. This transmission is based on Art. 49 para. 1 lit. c DSGVO.
If you would like to know more about the protection of the data transmitted, please contact our data protection officer.
6. automated decisions
They are only subject to automated decision making in exceptional cases (see Art. 22 DSGVO) if you again specify a means of payment for which a payment has already failed, or if there are otherwise actual grounds for suspecting that it is a fraudulent booking. In such cases, HLX will refuse your request for a travel booking. Such an automatic decision is required for the conclusion of the contract (Art. 22 para. 2 lit. a DSGVO). The person concerned has the option of contacting us via the contact data mentioned above (see item I.) in order to request an explanation or the intervention of a person or to inform us of their position.
VII Credit check
In order to avoid payment fraud, we carry out a check on your creditworthiness as part of your booking request, based on the data you provide. We use the credit agency Creditreform Boniversum GmbH, Herllersbergstraße 11, D-41460 Neuss. On the basis of the data transmitted, we receive feedback on the extent to which there is a statistical risk of payment default. For example, address data may also be included in the test, which, according to a scientifically recognized mathematical-statistical method, so-called score or probability, determines the risk factor values. The details of the identification of the person concerned and the figures for the credit rating are used exclusively for our purely internal purposes. We take your privacy seriously and protect it in accordance to the legal requirements. The presented data processing is thus carried out exclusively for the purpose of exercising legitimate interests on the basis of Art. 6 para. 1 lit. f) of the General Data Protection Regulation.
VIII Establishment of contact
When you contact HLX (e.g. by phone, mail or e-mail), the data you provide will be processed to process your request and answer your question.
The legal basis for data processing is Art. 6 para. 1 lit. f (our legitimate interest in providing the contact option) and Art. 6 para. 1 lit. b DSGVO (performance and initiation of contracts).
Your data will be deleted after your request has been processed and the questions have been answered, unless there is a legal obligation to retain your data. Data stored with us for other purposes (e.g. for travel bookings) remain unaffected by this.
If you communicate with us by e-mail, access by third parties cannot be ruled out. HLX therefore recommends that confidential information be sent by post or encrypted e-mail (PGP). Please let us know if you wish to correspond with us by e-mail in encrypted form, so that we can provide you with information on the relevant addresses and public keys.
IX. newsletter
1. description and scope of data processing
On our website we offer you the opportunity to subscribe to our newsletter. The following data, entered by you in the registration form, will be transmitted, which are technically necessary for the registration as well as the data necessary for the legal proof of the registration process:
· e-mail address
· IP address of the calling computer
· date and time of registration
The newsletters also contain so-called tracking pixels. These are files that are retrieved from the server when the newsletter is opened and collect technical information about the browser or your terminal device. HLX can also detect if and when emails have been opened and links have been clicked on.
For the newsletter registration we use the so-called double opt-in procedure. After your registration an e-mail will be sent to the specified e-mail address containing a confirmation link to receive the newsletter.
2. legal basis of data processing
The legal basis for data processing is your consent pursuant to Art. 6 para. 1 lit. a DSGVO and otherwise Art. 6 para. 1 lit. f DSGVO (justified interest of HLX) in conjunction with § 7 para. 3 UWG.
HLX is entitled, within the scope of the legal permission according to § 7 Abs. 3 UWG, to use the e-mail address you provided in connection with a chargeable booking for direct advertising for its own, similar products or services.
3. Purpose of data processing
HLX informs interested parties at regular intervals via newsletter about current offers, voucher campaigns, competitions and general travel news. The data provided by you for this purpose will be processed exclusively for the purpose of sending you the newsletter. We only collect the additional data required for registration in order to prevent misuse of the newslet-ter service and, in particular, your e-mail address. The registration procedure is recorded in order to preserve evidence. The statistical evaluation of the newsletter e-mails is carried out for the purpose of optimizing the content of the newsletter.
4. Duration of storage
Your newsletter data will be stored for as long as the subscription to the newsletter is used. The data will be deleted if they are no longer required. They are usually deleted or made anonymous after 6 months, provided that there are no legal storage obligations or longer storage is required, for example in order to log the registration procedure. Data stored by us for other purposes (e.g. for travel bookings) remain unaffected by this.
5. possibility of objection
You can revoke your consent to receive the newsletter and thus to use the associated use of counting pixels at any time. If you do not wish HLX to advertise similar products or services, you can object to the corresponding use of your e-mail address at any time without incurring any costs other than the transmission costs according to the basic terms. The revocation or objection can be made through the link provided in each newsletter or through a message to service.lhh@hlx.com
6. recipient of the data
The processing of your personal data in the context of the newsletter dispatch, takes place also via contract processors. These are included exclusively on the basis of an agreement to an order agreement in accordance with Art. 28 para. 3 DSGVO.
X. rights concerned
If your personal data is processed by HLX, you are more relevant within the meaning of Art. 4 Para. 1 DSGVO. Therefore, you have the following rights regarding your personal data:
Right to information according to Art. 15 DSGVO
You have a right to information about your personal data processed by us. This includes the mandatory information set out in Art. 15 DSGVO.
Right to correction under Article 16 DSGVO
You have the right to correct and complete inaccurate personal data without delay.
Right to cancellation in accordance with Art. 17 DSGVO
You have the right to request the deletion of your personal data if one of the reasons mentioned in Art. 17 DSGVO intervenes, in particular if there is no longer a legal basis for the processing.
Right to limitation of processing according to Art. 18 DSGVO
You have the right to demand the restriction of the processing of your personal data if one of the reasons mentioned in Art. 18 DSGVO intervenes, in particular at your request instead of deletion of the data.
Right to data transferability according to Art. 20 DSGVO
You have the right to request all personal data stored by us about you in a structured, current and machine-readable format and to transmit this data to another person in charge without obstruction by the person responsible to whom the personal data was provided.
Right of objection according to Art. 21 DSGVO
If data are collected on the basis of Art. 6 Para. 1 letter f DSGVO (data processing to protect legitimate interests), you have the right to object to the processing at any time for reasons arising from your particular situation. If you object to processing on the basis of our legitimate interest, we may nevertheless continue processing if we can prove compelling reasons worthy of protection for the processing which outweigh your interests, your rights and freedoms.
Right of appeal to the competent supervisory authority, Art. 77 DSGVO
According to Art. 77 DSGVO, you have the right to file a complaint with the supervisory authority responsible for you.
If you do not agree with the way we process your data, please contact our data protection officer at datenschutz@hlx.com
Status: September 2018