This data protection agreement explains the type, scope and purpose of the processing of personal data (hereinafter in brief ‘data’) within our online offer and its associated websites, functions and contents, as well as external online presences e.g. our social media (hereinafter referred to together as ‘online offer’). Regarding the terminology used, such as ‘personal data’ or its ‘processing’, we refer to the definitions in Art. 4 of the General Data Protection Regulation (GDPR).
SMARTments business Betriebsgesellschaft mbH
Am Weichselgarten 11-13
91058 Erlangen, Germany
AG Fürth: HRB 13497
B. Ünver, D. Zawe
Telephone number: +49 9131 928 46 00
E-Mail address: datenschutz(at)smartments.de
SMARTments business City West
DG Steinplatz Boardinghouse GmbH
Dr. Hans Karl Fischer, Nils Huber
USt-IdNr.: DE 303744838
Amtsgericht Charlottenburg HRB 1716252B
SMARTments Ges. m.b.H.
1100 Vienna, Austria
Commercial register/no.: FN 469993 t
Managing Directors: B. Ünver, D. Zawe
Telephone number: +43 (1) 890 66 29 - 21
E-Mail address: datenschutz(at)smartments.de
Data protection officer
Name: Hohmann, Sophie
E-mail address: datenschutz(at)smartments.de
Types of processed data
- Core data (e.g. names, addresses)
- Contact data (e.g. e-mail, telephone numbers)
- Content data (e.g. text entries, photographs, videos)
- Contract data (e.g. contract object, running time)
- Payment data (e.g. bank connection, payment history)
- Usage data (e.g. access times, approx. age, gender)
- Meta/communication data (e.g. device information)
- Processing of special categories of data (Art. 9 Par. 1 GDPR). No special categories of data are processed.
Categories of persons affected by the processing:
- Customers / prospective buyers
- Visitors and users of the online offer
In the following we refer to the affected persons collectively as “users”.
Purpose of the processing:
- Provision of the online offer, its content and functions.
- Answering contract queries and communication with users
- Marketing, advertising and market research
1. Key legal bases
In accordance with Art.13 GDPR, we would like to inform you about the legal bases of our data processing. If the legal basis is not stated in the data protection declaration, the following applies: the legal basis for securing consent is Art. 6 Par. 1 Clause a and Art. 7 GDPR. The legal basis for the processing for fulfilling our services and carrying out contractual measures, as well as answering queries, is Art. 6 Par. 1 Clause b GDPR. The legal basis for the processing for fulfilling our legal obligations is Art. 6 Par. 1 Clause c GDPR, and the legal basis for the processing to safeguard our justified interests is Art. 6 Par. 1 Clause f GDPR. In case vital interests of the affected person or another natural person make the processing of personal data necessary, Art. 6 Par. 1 Clause d GDPR serves as the legal basis.
2. Changes and updates to the data protection declaration
We kindly request that you inform yourself regularly about the content of our data protection declaration. We modify the data protection declaration as soon as any changes to the data processing require it. We inform you as soon as the changes require any action on your part (e.g. consent) or another individual notification.
3. Safety measures
3.1. In accordance with Art. 32 GDPR – in consideration of the latest technology, the implementation costs and the type, scope, circumstances and purpose of the processing, as well as the different probability of occurrence and severity of the risk for the rights and freedoms of natural persons – we take suitable technical and organisational measures to ensure an adequate level of protection against risks: in particular, the measures include the safeguarding of confidentiality, integrity and availability of data by controlling physical access to the data, as well as the relevant access, inputting, transmission, securing of availability and separation. In addition, we have set up procedures that ensure an awareness of affected person rights, deletion of data and reactions to an endangering of the data. Furthermore, we already consider the protection of personal data in the development or selection of hardware, software and procedures, in accordance with the principle of data protection through the technology setup and through data-protection-friendly settings (Art. 25 GDPR).
3.2. In particular, the security measures include the encrypted transmission of data between your browser and our server.
4. Cooperation with contract processors and third parties
4.1. If we reveal data to other persons and companies (contract processors or third parties) as part of our processing, transmit data to them or grant them any other access to the data, it is only on the basis of a legal permission (e.g. if a transmission of data to third parties, such as a payment service provider, in accordance with Art. 6 Par. 1 Clause b GDPR is necessary for contract fulfilment), or if you have consented, a legal obligation demands it or on the basis of our justified interests (e.g. for the use of appointees, web hosts etc.).
4.2. If we appoint third parties to process data on the basis of a so-called “assignment processing contract”, this is on the basis of Art. 28 GDPR.
5. Transmission to third countries
If we process data in a third country (i.e. outside of the European Union (EU) or the European Economic Area (EEA)), or as part of using the services of third parties or the disclosure / transmission of data to third parties, it only occurs if it is to fulfil our (pre)contractual duties, on the basis of your consent, due to a legal obligation or on the basis of our justified interests. Subject to legal or contractual approvals, we process data or have it processed in a third country only under the special conditions set out in Art. 44 et seqq. GDPR. This means that the processing occurs on the basis of special guarantees, such as the officially recognised establishment of a data protection level corresponding to the EU (e.g. for the USA through the “Privacy Shield”), or compliance with officially recognised special contractual obligations (so-called “standard contract clauses”).
6. Rights of the affected persons
6.1. You have the right to request a confirmation about whether respective data is being processed and to information about this data, as well as to further information and a copy of the data in accordance with Art. 15 GDPR.
6.2. In accordance with Art. 16 GDPR, you have the right to request the completion of the data relevant to you or the correction of incorrect data pertaining to you.
6.3 In accordance with Art. 17 GDPR, you have the right to request that respective data is deleted immediately, or alternatively in accordance with Art. 18 GDPR to request a restriction of the data processing.
6.4 You have the right to request to receive the respective data that you have provided to us in accordance with Art. 20 GDPR and to request its transmission to other responsible parties.
6.5 You also have the right, in accordance with Art. 77 GDPR, to submit a complaint to the responsible supervisory authority.
7. Right of revocation
You have the right to revoke issued consents in accordance with Art. 7 Par. 3 GDPR with effect for the future.
8. Right of objection
You can object at any time to the future processing of the affected data in accordance with Art. 21 GDPR. In particular, the objection can be against the processing for the purposes of direct advertising.
9. Cookies and right of objection for direct advertising
10. Deletion of data
10.1. The data processed by us are deleted or their processing is restricted in accordance with Art. 17 and 18 GDPR. If not stated explicitly as part of this data protection declaration, the data we have stored is deleted as soon as it is no longer required for its purpose and there are no legal storage obligations against the deletion. If the data is not deleted because it is required for other and legally permissible purposes, its processing is restricted. This means the data is blocked and not used for other purposes. This applies e.g. to data that must be stored for commercial or tax law reasons.
10.2. Germany: according to legal directives, storage is typically for 6 years according to § 257 Par.1 HGB (account books, inventories, opening balances, annual balance of accounts, trade letters, vouchers etc.), as well as for 10 years according to § 147 Par. 1 AO (books, records, warehouse reports, vouchers, trade and business letters, for taxing relevant documents etc.).
10.3. Austria: according to legal regulations, the storage is typically for 7 years according to § 132 Par. 1 BAO (accounting documents, invoices/receipts, accounts, business papers, balance of revenue and expenses etc.), for 22 years in connection with real estate sites and for 10 years for documents in connection with electronically provided services, telecommunications, radio and TV services, which are brought by non-entrepreneurs in EU member states and for which the Mini-One-Stop-Shop (MOSS) is made use of.
11. Performing contractual services
11.1. We process core data (e.g. names and addresses, as well as contact details of users), contract data (e.g. services used, names of contact persons, payment information), for the purpose of fulfilling our contractual obligations and services in accordance with Art. 6 Par. 1 Clause b GDPR. The entries on online forms marked as obligatory are required for closing the contract.
11.2. Users can set up an optional user account where they can view their orders in particular. As part of the registration, the required mandatory user details are submitted. The user accounts are not public and cannot be indexed by search engines. If users have closed their user account, their data pertaining to the user account is deleted, unless its storage is necessary for commercial or tax law reasons in accordance with Art. 6 Par. 1 Clause c GDPR. It is the users’ responsibility to secure their data if terminating before the contract expires. We are entitled to irrevocably delete all user data stored during the contract term.
11.3. We process user data (e.g. the visited webpages of our online offers, interest in our products) and content data (e.g. entries on the contact form or user profile) for advertising purposes in a user profile, in order to insert product notifications for the user based on their previously used services.
11.4. The deletion occurs after expiry of legal guarantee and comparable obligations. The necessity of the data storage is checked every three years. In the case of legal archiving obligations, the deletion occurs after their expiry (end of commercial law – 6 years – and tax law – 10 years storage obligation). Details remain in the customer account until deletion.
12. Making contact
12.1. When establishing contact with us (via contact form or e-mail), the user details are only processed to process the contact enquiry and its handling in accordance with Art. 6 Par. 1 Clause b GDPR.
12.2. The user details can be stored in our Customer Relationship Management System (“CRM System”) or a comparable enquiry organisation.
12.3. We use the “SIHOT” system of the supplier GUBSE Aktiengesellschaft, Bahnhofstraße 26-28, 66578 Schiffweiler, Germany on the basis of our justified interests (efficient and quick processing of user enquiries). To do so, we have concluded a contract with GUBSE Aktiengesellschaft (public limited company) with so-called standard contract clauses, in which GUBSE Aktiengesellschaft is obliged to process the user data only in accordance with our instructions and to maintain the EU data protection standard.
12.4. We delete the enquiries if these are no longer required. We check the necessity every two years. Enquiries from customers who have a customer account are stored permanently and indicate the customer account details for deletion. In case of legal archiving obligations, the deletion occurs after their expiry (end of commercial law – 6 years – and tax law – 10 years – storage obligation).
13. Gathering access data and logfiles
13.1. On the basis of our justified interests according to Art. 6 Par. 1 Clause f. GDPR, we gather data about every access to the server our service is on (so-called server logfiles). The access data includes the name of the accessed website, file, date and time of the access, transmitted data volume, notification of successful access, browser type and version, the operating system of the user, referrer URL (the previously visited site), IP address and the enquiring provider.
13.2. For safety reasons (e.g. to clarify misuse or fraud actions), logfile information is stored for a duration of a maximum of seven days and is then deleted. Data that must be stored further for proof purposes is excepted from the deletion until the final resolving of the incident.
14. Online presences in social media
14.1. We entertain online presences within social networks and platforms to communicate with the active customers, prospective buyers and users there and to be able to inform them about our services. When accessing the respective networks and platforms, the General Terms and Conditions and the data processing directives of the respective operator apply.
14.2. If not indicated otherwise as part of our data protection declaration, we process the user data if they communicate with us within the social networks and platforms, e.g. compiling entries on our online presences or sending us messages.
15. Cookies & scope measurement
15.1. Cookies are information that is transmitted from our web server(s) or from web servers of third partners to the web browser of the users and is stored there for a later access. Cookies can be small files or other types of information storage.
15.2. We use “session cookies” that are only deposited for the duration of the actual visit on our online presence (e.g. to store your login status or to enable the shopping cart function and therefore the use of our online offer in the first place). A randomly generated clear identification number is deposited in a session cookie, a so-called session ID. A cookie also contains information about its origin and the storage period. These cookies cannot store any other data. Session cookies are deleted when you have ended use of our online offer and e.g. log out or close the browser.
15.4. If users don’t want cookies to be stored on their device, they may deactivate the corresponding option in the system settings. Stored cookies can be deleted in the system settings of the browser. The exclusion of cookies can lead to function restrictions of this online offer.
16. Google Analytics
16.2. Google is certified under the Privacy Shield and therefore offers a guarantee of complying with European data protection law (www.privacyshield.gov/participant).
16.3. Google will use this information on our behalf to evaluate the use of our online offer by the users, to compile reports about the activities within this online offer and to provide further services to us associated with the use of the online offer and Internet usage. Pseudonymous usage profiles of the users can be compiled from the processed data.
16.4. We use Google Analytics to display the advertisements placed within the Google advertising services and its partners only to those users who have also shown an interest in our online offer or show certain characteristics (e.g. interest in certain themes or products determined by the visited websites) that we transmit to Google (so-called “remarketing” or “Google Analytics Audiences”). With the help of the remarketing audiences, we would also like to ensure that our advertisements correspond to the potential interest of the users and do not appear bothersome.
16.5. We only use Google Analytics with activated IP anonymisation. This means that the IP address of the user is shortened by Google within member states of the European Union or in other contracting states to the Agreement on the European Economic Area. It is only in exceptional cases that the full IP address is conveyed to a Google server in the USA and shortened there.
16.6. The IP address transmitted from the browser of the user is not merged with other Google data. Users can prevent the storing of cookies by means of a corresponding setting of their browser software. In addition, users can prevent the gathering of the data generated by the cookie and relating to your use of the online offer, as well as the processing of this data by Google, by downloading and installing the browser plugin available at the following link:
16.7. Further information about data usage by Google, settings and objection options is available on the Google websites:
www.google.com/intl/de/policies/privacy/partners (“data usage by Google when using websites or apps of our partners”), policies.google.com/technologies/ads (“data usage for advertising purposes”), adssettings.google.com/authenticated (“Managing information that Google uses to display advertising”).
17.1. Based on our justified interests (i.e. the interest in the analysis, optimisation and economic operation of our online offer according to Art. 6 Par. 1 Clause f GDPR), we use the marketing and remarketing services (in brief: “Google Marketing Services”) of Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, (“Google”).
17.2. Google is certified under the Privacy Shield agreement and therefore offers a guarantee of complying with European data protection law (www.privacyshield.gov/participant).
17.3. The Google Marketing services allow us to display advertisements for and on our website in a more targeted manner, to present users only with content that potentially corresponds to their interests. In case a user is shown e.g. advertisements for products in which they have shown an interest on other websites, one speaks of “remarketing”. For these purposes, when accessing our and other website on which Google Marketing services are active, a code by Google is carried out immediately by Google and so-called (re)marketing tags (invisible graphics or code, also referred to as “web beacons”) are incorporated into the website. With their help, an individual cookie, i.e. a little file, us stored on the device of the user (instead of cookies, comparable technologies may also be used). The cookies can be placed by various domains, including google.com, doubleclick.net, invitemedia.com, admeld.com, googlesyndication.com or googleadservices.com. This file notes what websites the user searches for, what content they are interested in and what offers have been clicked on, as well as technical information about the browser and the operating system, referral websites, visiting duration and further details about the use of the online offer. The IP address of the user is also recorded, whereby we point out as regards Google Analytics that the IP address within the member states of the European Union or other contracting states to the agreement on the European Economic Area are transmitted to a Google server in the USA in a shortened form and only in exceptional cases is it transmitted in full and abbreviated there. The IP address is not merged with user data pertaining to other Google offers. The aforementioned information can also be linked by Google with information from other sources. If the user subsequently visits other websites, certain targeted adverts according to their interests may be displayed.
17.4. The user data is processed pseudonymously by Google Marketing services, i.e. Google does not store and process e.g. the name or e-mail address of the users but processes the relevant cookie-related data within pseudonymous user profiles. This means that from the point of view of Google, the advertisements are not administrated and displayed for a concretely identified person, but for the cookie user, independently of who this cookie user is. This does not apply if a user has explicitly permitted Google to process the data without this pseudonymization. The information gathered about the users by Google Marketing Services is transmitted to Google and stored on Google’s servers in the USA.
17.5. The Google Marketing Services we use include e.g. the online advertising programme “Google AdWords”. In the case of Google AdWords, every AdWords customer receives a different “conversion cookie”. Cookies can therefore not be traced through the websites of AdWords customers. The information gathered with the help of the cookies serves the purpose of compiling conversion statistics for AdWords customers who have decided on conversion tracking. The AdWords customers find out the total number of users who have clicked on their post and are forwarded to a page with a conversion tracking tag. However, they do not receive information with which users can be personally identified.
17.6. We can also use the “Google Optimiser” service. Google Optimiser allows us to trace as part of so-called “A/B Testing” what effect various modifications to a website have (e.g. changes to the input fields, the design etc.). For these test purposes, cookies are placed on the devices of the users. Only pseudonymous data of the users is processed.
17.7. In addition, we can use the “Google Tag Manager” to incorporate the Google analysis and marketing services into our website and manage them.
17.8. Further information about data usage for marketing purposes by Google is available on the overview page: policies.google.com/technologies/ads, while the Google data protection declaration can be accessed at policies.google.com/privacy.
17.9. If you would like to object to the interest-related advertising by Google Marketing Services, you can make use of the setting and opt-out options provided by Google: adssettings.google.com/authenticated.
18. Facebook, Custom Audiences and Facebook marketing services
18.1. Within our online offer, based on our justified interests in the analysis, optimisation and economic operation of our online offer and for these purposes, the so-called “Facebook Pixel” of the social network Facebook is used, which is operated by Facebook Inc., 1 Hacker Way, Menlo Park, CA 94025, USA, or if you are resident in the EU then , Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (“Facebook”).
18.2. Facebook is certified under the Privacy Shield agreement and therefore offers a guarantee of complying with European Data Protection law (www.privacyshield.gov/participant).
18.3. With the help of Facebook Pixel, it is possible for Facebook on the one hand to establish the visitors to our online offer as a target group for the presentation of advertisements (so-called “Facebook Ads”). In accordance with this, we use the Facebook Pixel to display the Facebook Ads only to those Facebook users who have actually shown an interest in our online offer or show certain characteristics (e.g. interest in certain themes or products determined by the visited websites), which we transmit to Facebook (so-called “Custom Audiences”). With the help of Facebook Pixels, we also want to ensure that our Facebook Ads correspond to the potential interest of users and are not bothersome. In addition, through Facebook Pixels we can trace the effectiveness of the Facebook advertisements for statistical and market research purposes, by seeing whether users were forward to our website (so-called “conversion”) after clicking on a Facebook advertisement.
18.4. When using Facebook Pixels, we also use the additional function “extended comparison”, whereby data such as telephone numbers, e-mail addresses or Facebook IDs of the users are transmitted to Facebook (encrypted) to form target groups “Custom Audiences” or “Look Alike Audiences”). Further information about the “extended comparison”: www.facebook.com/business/help/611774685654668.
18.5. We also use the “Custom Audiences from File” procedure of the social network Facebook Inc. In this case, the e-mail addresses of the newsletter recipients are uploaded at Facebook. The uploading procedure is encrypted. The upload only serves the purpose of determining recipients of our Facebook advertisements. We would like to ensure with this that the advertisements are only displayed to users who have an interest in our information and services.
18.6. The processing of the data by Facebook is in accordance with the data usage guidelines of Facebook. General information about the presentation of Facebook Ads can be found in the data usage guidelines of Facebook: www.facebook.com/policy.php. Special information and details about Facebook Pixel and its functioning is available in the help area of Facebook:
18.7. You can object to the gathering and usage of your data through the Facebook Pixel for the presentation of Facebook Ads. To set what types of advertisements are displayed to you within Facebook, you can access the page set up by Facebook and follow the instructions there for setting usage-based advertising: www.facebook.com/settings. The settings are platform-independent, i.e. that are adopted for all devices such as desktop computer or mobile devices.
18.8. To prevent the gathering of your data by the Facebook Pixel on our website, please click the following link: Facebook Opt-Out. Note: if you click on the link, an “opt-out” cookie is stored on your device. If you delete the cookies in this browser, then you must click on the link again. Furthermore, the opt-out only applies within the browser you use and only within our web domain where the link was clicked on.
19. Facebook Social Plugins
19.1. On the basis of our justified interests (i.e. interest in the analysis, optimisation and economic operation of our online offer in accordance with Art. 6 Par. 1 Clause f GDPR), we use social plugins (“plugins”) of the social network facebook.com, which is operated by Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (“Facebook”). The plugins can represent interaction elements or content (e.g. videos, graphics or text entries) and can be recognised by one of the Facebook logos (white “f” on a blue tile, the terms “like” or a “thumbs up” sign) or are indicated by the addition “Facebook social plugin”. The list and the appearance of the Facebook social plugins can be viewed here: developers.facebook.com/docs/plugins/.
19.2. Facebook is certified under the Privacy Shield agreement and therefore offers the guarantee of complying with European data protection law (https://www.privacyshield.gov/participant?id=a2zt0000000GnywAAC&status=Active).
19.3. If a user accesses a function of this online offer that contains such a plugin, their device builds a direct connection with the Facebook servers. The content of the plugins is transmitted by Facebook directly to the device of the user and incorporated by them into the online offer. User profiles can be created out of the processed data. We therefore have no influence on the scope of the data that Facebook gathers with the help of this plugin and users are informed according to our knowledge status.
19.4. By incorporating the plugin, Facebook receives the information that a user has accessed the respective page of the online offer. If the user is logged into Facebook, Facebook can attribute the visit to their Facebook account. If users interact with the plugins, for example activate the like button or enter a comment, the information is transmitted from their device directly to Facebook and stored there. If a user is not a member of Facebook, it is nevertheless possible that Facebook identifies their IP address and stores it. According to Facebook, in Germany only an anonymised IP address is stored.
19.5. The purpose and scope of the data gathering and the further processing and use of the data through Facebook, as well as the associated rights and setting options for the protection of user privacy, can be viewed in the Facebook data protection specifications: www.facebook.com/about/privacy/.
19.6. If a user is a Facebook member and does not want Facebook to gather data about them through this online offer and to link it to their member details stored at Facebook, it is necessary to log out of Facebook before using our online offer and to delete the cookies. Further settings and objections to the use of data for advertising purposes are possible within the Facebook profile settings: www.facebook.com/settings or through the US American page www.aboutads.info/choices/ or the EU page www.youronlinechoices.com. The settings are platform-independent, i.e. they are adopted for all devices such as desktop computer or mobile devices.
20.1. In the following, we inform you about the contents of our newsletter, as well as the registration, sending and statistical evaluation procedures and your objection rights. By subscribing to our newsletter, you declare your consent to the receipt and the described procedure.
20.2. Content of the newsletter: we send newsletters, e-mails and further electronic notifications with commercial information (hereinafter “newsletters”) only with the consent of the recipient or legal permission. Our newsletters also contain information about our products, offers, initiatives and our company.
20.3. Double-opt-in and logging: the subscription to our newsletter takes place in a so-called double opt-in procedure, i.e. after registering you receive an e-mail asking you to confirm your registration. This confirmation is necessary so that nobody can log in with unrecognised e-mail addresses. The registrations to the newsletter are logged to be able to track the registration process in accordance with legal requirements. This includes the storage of the registration and confirmation time, as well as the IP address. Modifications to your data stored at the dispatch service provider are also recorded.
20.4. Dispatch service providers: the sending of the newsletter is by means of “MailChimp”, a newsletter dispatch platform offered by the US supplier Rocket Science Group, LLC, 675 Ponce De Leon Ave NE #5000, Atlanta, GA 30308, USA. The data protection guidelines of the dispatch provider can be viewed here: mailchimp.com/legal/privacy/. The Rocket Science Group LLC d/b/a MailChimp is certified under the Privacy Shield agreement and therefore offers a guarantee of complying with European data protection standards (www.privacyshield.gov/participant).
20.5. In addition, according to their own information, the dispatch provider can use this data in a pseudonymous form, i.e. without attribution to a user, for the optimisation or improvement of their own services e.g. for the technical optimisation of the sending and the presentation of the newsletter, or for statistical purposes to determine what countries the recipients come from. The dispatch provider does not use the data of our newsletter recipients, however, to approach them themselves or to pass on to third parties.
20.6. Registration data: to register for the newsletter, it is sufficient if you indicate your e-mail address. Optional we request a name for personal addressing in the newsletter.
20.7. Measuring success – the newsletters contain a so-called “web beacon”, i.e. a pixel-sized file that is accessed by the server of the dispatch provider when opening the newsletter. As part of this access, technical information is gathered, such as information about the browser and your system, as well as your IP address and the time of access. This information is used for the technical improvement of the services according to the technical data or the target groups and your reading behaviour based on the access points (which can be determined with the help of your IP address) or the access times. Statistical information also includes determining whether the newsletters are opened, when they are opened and what links are clicked on. This information can be attributed to the individual newsletter recipients on technical grounds, but it is not the intention of us, nor of the dispatch provider, to observe individual users. The evaluations serve rather to identify the reading habits of our users and to adapt our content to them or to send different content according to the interests of our users.
20.8. Germany: the sending of our newsletter and the measuring of success are on the basis of consent by the recipients according to Art. 6 Par. 1 Clause 1, Art. 7 GDPR in combination with § 7 Par. 2 No. 3 UWG, as well as on the basis of legal permission according to § 7 Par. 3 UWG.
20.9. Austria: the sending of our newsletter and the measuring of success are on the basis of consent by the recipients according to Art. 6 Par. 1 Clause a, Art. 7 GDPR in combination with § 107 Par. 2 TKG, as well as on the basis of legal permission in accordance with § 107 Par. 2 and 3 TKG.
20.10. The logging of the registration procedure is on the basis of our justified interests in accordance with Art. Par. 1 Clause f GDPR and serves the purpose of tracing the consent to receipt of the newsletter.
20.11. Termination/revocation – you can terminate receipt of our newsletter at any time, i.e. revoke your consent. You can find a link to quitting the newsletter at the end of each newsletter. If the user only registers for the newsletter and has terminated this registration, their personal data is deleted.
21. Incorporation of services and content of third parties
21.1. Within our online offer, based on our justified interests (i.e. interest in the analysis, optimisation and economic operation of our online offer in accordance with Art. 6 Par. 1 Clause f GDPR), we use content of service offers from third party suppliers, in order to incorporate their content and services e.g. videos or texts (hereinafter referred to uniformly as “content”). This is always on the basis that the third-party suppliers of this content are aware of the IP address of the users, as they cannot sent content to their browser without an IP address. The IP address is therefore required for presenting this content. We strive to only use such content whose respective supplier uses the IP address only for supplying the content. Third-party suppliers can also use so-called pixel tags (invisible graphics, also referred to as “web beacons”) for statistical or marketing purposes. Due to the “pixel tags”, information such as visitor traffic on the pages of this website can be evaluated. The pseudonymous information can also be stored in cookies on the user’s device and contain e.g. technical information about the browser and the operating system, linked websites, visiting time and other details of the use of our online offer, as well as be linked with such information from other sources.
21.2. The following presentation offers an overview of third-party suppliers and their content, along with links to their data protection declarations, which contain further notes about the processing of data and, as already mentioned, objection options (so-called opt-out):
- If our customers use the payment services of third parties (e.g. PayPal or direct transfer), the business terms and conditions and the data protection guidelines of the respective third-party suppliers apply, which can be accessed within their websites or transaction applications.
- External fonts by Google, LLC., www.google.com/fonts (“Google Fonts”). The integration of Google Fonts is through a server access by Google (as a rule in the USA). Data protection declaration: policies.google.com/privacy, opt-out: adssettings.google.com/authenticated. – Maps from the “Google Maps” service of the third-party supplier Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Data protection declaration: www.google.com/policies/privacy/, opt-out: www.google.com/settings/ads/.
- For the processing of booking enquiries through www.smartments-business.de the supplier HotelNetSolutions GmbH, Genthiner Str. 8, 10785 Berlin, Germany, is used. Data protection declaration: https://www.hotelnetsolutions.de/Datenschutz
- Videos of the “YouTube” platform of the third-party supplier Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Data protection declaration: policies.google.com/privacy, opt-out: adssettings.google.com/authenticated.
- Our website uses plugins of the video portal Vimeo. The supplier is Vimeo Inc., 555 West 18th Street, New York, New York 10011, USA. If you visit one of our pages with a Vimeo plugin, a connection is established to the Vimeo servers. The Vimeo server is notified which of our pages you have visited. In addition, Vimeo is notified of your IP address. This also applies if you are not logged into Vimeo or do not have a Vimeo account. The information gathered by Vimeo is transmitted to a Vimeo server in the USA. If you are logged into your Vimeo account, you enable Vimeo to attribute your surfing behaviour directly to your personal profile. You can prevent this by logging out of your Vimeo account. Further information about handling user data can be found in the data protection declaration of Vimeo under: vimeo.com/privacy.
- Functions of the Instagram service are integrated into our online offer. These functions are offered by Instagram Inc., 1601 Willow Road, Menlo Park, CA, 94025, USA. If you are logged into your Instagram account, by clicking on the Instagram button you can link the contents of our pages with your Instagram profile. Instagram can thereby attribute the visit to our pages to your user account. We point out that we as the provider of the pages do not receive details of the content of the transmitted data nor its use by Instagram. Data protection declaration: instagram.com/about/legal/privacy/.
- Within our online offer we use the marketing functions (so-called “LinkedIn Insight Tag”) of the network LinkedIn. The provider is LinkedIn Corporation, 2029 Stierlin Court, Mountain View, CA 94043, USA. Upon every access to one of our pages that contains the LinkedIn functions, a connection is built up to LinkedIn servers. LinkedIn is informed that you have visited our Internet pages with your IP address. With the help of the LinkedIn Insight Tag, we can especially analyse the success of our campaigns within LinkedIn or establish target groups for these on the basis of the interaction of the user with our online offer. If you are registered with LinkedIn, it is possible for LinkedIn to attribute your interaction with our online offer to your user account. Furthermore, if you click on the “recommend button” of LinkedIn and are logged into your LinkedIn account, it is possible for LinkedIn to attribute your visit to our Internet page to you and your user account. LinkedIn is certified under the Privacy Shield agreement and therefore offers a guarantee of complying with European data protection law (www.privacyshield.gov/participant). Data protection declarationwww.linkedin.com/legal/privacy-policy, opt-out: www.linkedin.com/psettings/guest-controls/retargeting-opt-out.
- Within our online offer, functions of the Twitter service or platform can be integrated (hereinafter referred to as “Twitter”). Twitter is a service provided by Twitter Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA. The functions contain the presentation of our contributions to Twitter within our online offer, the link to our profile at Twitter, as well as the possibility to interact with the contributions and the functions of Twitter, as well as to measure whether users access our online offer through the advertisements we place on Twitter (so-called conversion measuring). Twitter is certified under the Privacy Shield agreement and therefore offers a guarantee of complying with European data protection law (www.privacyshield.gov/participant). Data protection declaration: twitter.com/de/privacy, opt-out: twitter.com/personalization.
- We use functions of the XING network. The supplier is XING AG, Dammtorstraße 29-32, 20354 Hamburg, Germany. Upon every access to one of our pages that contains XING functions, a connection is established to the XING servers. To our knowledge there is no storage of personal data. In particular, no IP addresses are stored, nor the user behaviour evaluated. Data protection declaration: www.xing.com/app/share.
- For your questions and requests, we use the chat widget provided by Livechat, which is handled by the supplier Finnchat: Finnchat GmbH, Bouchéstraße 12, 12435 Berlin. Data protection declaration: finnchat.com/de/datenschutz/
21.3 We use the following systems based on our legitimate interests (efficient and fast processing of the user request ).
- Apaleo GmbH, Dachauer Str. 15a in 80335 München
- Adyen N.V. German Branch, Friedrichstr. 63 in 10117 Berlin
- Klarna Bank AB (publ), Sveavägen 46 in 11134 Stockholm, Schweden
- Sofort GmbH Unternehmen der Klarna Group
- Zendesk Inc., 1019 Market St in 94103 San Francisco, CA USA
- Straiv by Code2Order = CODE2ORDER GmbH, Eichwiesenring 4F 70567 Stuttgart
- Hotelbird GmbH, Plinganserstr. 150 in 81369 München
- Roomchecking = 38 Quai des Carrières, 94220 Charenton le pont, France
- Global Office = global office GmbH, Werkstr. 11 in 56410 Montabaur
- HotelNetSolutions GmbH, Genthiner Str. 8 in 10785 Berlin
- Calendly LLC, 271 17th St NW, Ste 1000 30363 Georgia, Atlanta USA
- DocuWare Europe GmbH – Planegger Str. 1 in 82110 Germering
- HappyHotel – revenue cloud solutions GmbH – In der Spöck 12 in 77656 Offenburg
- ReviewPro – Shiji Information Technology Spain, S.A. Pg. De Gracia 17, 6th Fllor in 08007 Barcelona
- HotelAppz – 14 Rue Soleillet, Paris, 75020 Ile de France
- Microsoft Corporation – One Microsoft Way, 98052-6399 Redmond, WA, USA
- Paypal ( Europe ) S.à.r.l. et Cie, S.C.A. – 22-24 Boulevard Royal in 2449 Luxembourg
- HQ Plus GmbH – Ullsteinstr. 130, Turm 2 in 12109 Berlin
For this purpose, we have concluded a contract with the above-mentioned companies with so-called standard contractual clauses, in which the contractual partners undertake to process the user data only in accordance with our instructions and to comply with the EU level of data protection.