Data Privacy Statement

1. What is personal data?

The term ‘personal data’ is defined in the General Data Protection Regulation (hereinafter: ‘GDPR’). According to this regulation, personal data includes all information that refers to an identified or identifiable natural person. This includes, for example, your given name, your address, phone number or date of birth. Information about your use of this website may also constitute personal data if the information could identify you as a person. 

2. Extent of the processing of personal data

We only process our users’ personal data to the extent that it is necessary to provide a functional website, its content and our services. The processing of our users’ personal data is only done with the consent of the user or if so permitted by law. 

3. Legal basis for the processing of personal data

Where we obtain the consent of the data subject for the processing of personal data, Art. 6, Para. 1(a) GDPR serves as the legal basis.

When processing personal data in order to fulfil a contract to which the data subject is a party, Art. 6, Para. 1(b) GDPR serves as the legal basis. This also applies to processing that is required in order to perform pre-contractual measures.

If it is necessary to process personal data in order to fulfil a legal obligation to which our company is subject, Art. 6, Para. 1(c) GDPR serves as the legal basis.

In cases where it is necessary to process personal data in order to protect the vital interests of the data subject or another natural person, Art. 6, Para. 1(d) GDPR serves as the legal basis.

If data processing is necessary in order to protect a legitimate interest of our company or of a third party and if this interest is not superseded by the interests or fundamental rights and freedoms of the data subject, Art. 6, Para. 1(f) GDPR serves as the legal basis. 

4. Deletion of data and duration of storage

The personal data of the data subject is deleted or blocked as soon as the purpose for its storage ceases to apply. Data may be stored for longer than this period if so stipulated by European or national law in provisions of European Union, laws or other regulations to which the data controller is subject. Data is also blocked or deleted if a deadline specified by one of the above conventions expires, unless it is necessary to continue to save the data in order to conclude or fulfil a contract.

1. Description and extent of data processing

 When you visit our website, the following data is logged: 

• Browser and version
• Operating system used
• Referrer URL (website previously visited), as well as pages visited on our website
• IP address
• Date and time of server request
• Internet service provider

The data is also saved in the log files on our system. This data is not stored with any other personal data from the data subject.

2. Legal basis for data processing

The legal basis for saving data and log files is Art. 6, Para. 1(f) GDPR.

3. Purpose of the data processing

The temporary storage of the IP address by the system is necessary in order to supply the website to the user’s computer. To do this, the user’s IP address needs to be saved for the duration of the session. Data is saved in log files in order to ensure the proper functioning of the website. It also helps us to optimise the website and ensure the security of our IT systems. The data is not analysed for marketing purposes in this context. These purposes also represent our legitimate interest in data processing in accordance with Art. 6, Para. 1(f) GDPR.

4. Duration of data storage

The data we save is deleted as soon as it is no longer required in order to fulfil the purpose for which it was originally collected. This is the case after seven days at the latest. It may be the case that data is stored for longer than this. In such cases, the user’s IP address is deleted or modified so that they can no longer be assigned to the calling client.

5. Opt-out and requests for deletion

The collection of the data listed is essential in order to be able to operate the website. As a result, there is no opt-out option available to the user.

Our website uses various cookies. Cookies are text files that are stored in the Internet browser or by the Internet browser on the user's computer system. If a user accesses a website, a cookie may be saved on the user’s operating system. This cookie contains a unique character string that enables the clear identification of the browser if the website is accessed again at a later time.

We use cookies to make our website more user-friendly. Some elements of our website require that the calling browser also be identifiable after visiting another page. 

The following data is saved and transmitted in cookies, for example:

• Language settings
• Items in a shopping basket
• Log-in details

We also use cookies on our website in order to analyse the user’s browsing habits. 

As such, the following data may be transmitted, for example:

• Search terms entered
• Frequency of page impressions
• Use of website functions

Analysis and functional cookies are used to improve the quality of our website and its contents and to make it easier for you to use our services on the website. Analysis cookies allow us to learn how the website is used so that we can constantly optimize our offer. So-called marketing cookies are used to display personalized content that matches your interests. We can use it to show you personal offers and information that are particularly relevant to your planned trip.

Insofar as we use cookies for analysis or marketing purposes, we process your data on the basis of your consent in accordance with Art. 6 Paragraph 1 Clause 1 lit. a) DSGVO. In all other cases, the legal basis for the use of cookies is Art. 6 Paragraph 1 Clause 1 lit. f) DSGVO (essential cookies).

Specifically, we use the following services that use cookies or comparable services:

1. Essential

• Usercentrics Consent Management Platform
• Google Tag Manager
• Google Analytics
• Matomo
• reCAPTCHA

2. Functional

• Google Optimize
• Ve interactive
• YouTube video
• Google Translate
• OpenStreetMap

3. Marketing

• Bing Ads
• Bing Ads Retargeting
• Google Ads
• Google Ads Conversion Tracking
• Google Ads Remarketing
• Facebook Pixel
• Facebook Custom Audiences
• Adform
• Mathtag
• Criteo
• DoubleClick Foodlight
• Recolize
• TradeTesk
• Emarsys

You can revoke this consent at any time with effect for the future, in whole or in part. For this and for more information on the individual services, the scope and duration of data storage or to be able to view and manage your consent individually, you can access our consent platform and change your personal settings here.

Furthermore, you can deactivate or restrict the transmission of cookies by changing the settings in your Internet browser. Previously stored cookies can be deleted at any time. This can also be done automatically. If cookies are deactivated for our website, it is possible that not all functions of the website can be used to their full extent.

1. Description and extent of data processing

You have the option of signing up to receive various free newsletters via our website. These newsletters can inform you about our company activities, the latest information regarding our services, special offers, promotions, events and competitions. The content of each newsletter is briefly described when you sign up.

You will only receive our newsletters if you provide your express consent and then confirm your consent. We use what is known as the double opt-in process for signing up to our newsletters. This means that, after you sign up, an email will be sent to the address provided where we ask for you to confirm that you want to receive the newsletter. If you do not confirm your registration, your information will be deleted automatically after three days.

The only mandatory information we require to send you the newsletter is your email address. The following data is also collected when you sign up:

• IP address of the recipient’s computer 
• Date and time of registration 

Once you have confirmed your consent, we will save your email address for the purpose of sending the newsletter until you withdraw your consent. We will also save the IP address used at the time of registration, the time of registration and the confirmation for up to three years after registration (period of limitation). The aim of doing this is to be able to prove your registration in case of doubt and to be able to clarify any misuse of your personal data if necessary.

The provision of additional data is done so on a voluntary basis: This data is used in order to be able to address you personally.

As a loyal customer, you will regularly receive product recommendations from us via email. You will receive these product recommendations regardless of whether or not you have subscribed to our newsletter. To send you these recommendations, we will use the email address provided in the context of a purchase. In this case, we will only send via the newsletter direct advertising for our own, similar goods or services.

The data processed in the context of sending the newsletter is only used in order to send the newsletter and is not shared with third parties. 

2. Newsletter tracking

Please be aware that we analyse your user behaviour when we dispatch the newsletter. In order to complete this analysis, the emails sent contain what are known as web beacons or tracking pixels, which are saved on our website. To conduct the analysis, we link the data listed and web beacons with your email address and an individual ID. The links contained in the newsletter also feature this ID.

The data is processed in pseudonymous form, i.e. the IDs are not linked to any of your other personal data, preventing them from being directly linked to a specific individual. The legal basis for this data processing is our legitimate interest in measuring the scope and success of this service, Art. 6, Para. 1(f) GDPR.

You may withdraw your consent to this tracking at any time by unsubscribing from our newsletter (see item 5 Opt-out and requests for deletion).

This kind of tracking is also not permitted if you have deactivated the display of images as standard in your email program. In such cases, you will not be able to view the newsletter in full and may not be able to use all of its functions. If you choose to display the images manually, tracking occurs as described above.

The tracking information is saved for as long as you are subscribed to the newsletter. Once you have unsubscribed, the data is anonymised and is used solely for statistical purposes.

The data saved by us in order to provide the newsletter is saved until you choose to unsubscribe from the newsletter and deleted once you have been unsubscribed. Data saved for other purposes remain unaffected.

3. Legal basis for data processing

Art. 6, Para. 1(a) GDPR serves as the legal basis for processing data following subscription to the newsletter with the user’s consent.
The legal basis for sending out the newsletter following the purchase of goods or services is Section 7, Para. 3 of the Unfair Competition Law (UWG).

4. Purpose of the data processing

The user’s email address is requested in order to supply the newsletter. The collection of any other personal data as part of the subscription process serves to prevent the misuse of the services and email address.

5. Duration of data storage

The data is deleted as soon as it is no longer required in order to fulfil the purpose for which it was originally collected. The user’s email address is therefore only saved for as long as the subscription to the newsletter is active. 

The other personal data collected during the subscription process is generally deleted after a period of seven days.

6. Opt-out and requests for deletion 

You may withdraw your consent to receive the newsletter and to unsubscribe from the newsletter at any time. Inform us of your opt-out by clicking on the unsubscribe link in each newsletter email or email us at datenschutz@hamburg-tourismus.de.

You may opt-out of receiving future product recommendations at any time without stating any reason by emailing datenschutz@hamburg-tourismus.de.

1. Description and extent of data processing

We send advertising and product recommendations to our existing customers by e-mail or by post. These promotional letters contain, for example, information about our products and services that are related to the purchase or order from us, product recommendations or customer satisfaction surveys. Customers will be informed of this fact when they first order or purchase products and services from us.

2. Legal basis for data processing

The legal basis is our legitimate interest arising from Art. 6, Para. 1(f) GDPR. The implementation of direct marketing measures is mentioned explicitly in recital 47. This also corresponds to our customers’ expectations because such measures have been in place for years.

3. Purpose of the data processing

The purpose is to provide our customers with new offers of our own goods and/or services that are similar to those they have already purchased from us.

4. Opt-out and requests for deletion

You always have the right to opt out of receiving advertising by post (Art. 21, Para 2 GDPR)

5. Possibility of objection and removal

If you no longer wish to receive advertising about our products or services, you can object to the corresponding use of your e-mail address at any time without incurring any costs other than the transmission costs according to the basic rates. You can unsubscribe from e-mail advertising by clicking on the unsubscribe link contained in each mailing or by sending an e-mail to datenschutz@hamburg-tourismus.de from the product recommendations. You can also unsubscribe from postal advertising by sending an e-mail to datenschutz@hamburg-tourismus.de.

If you are making bookings on our site, for example to purchase tickets, vouchers or goods, book holidays or hotels or request other services, we will in principle only collect the data necessary in order to provide the service requested and that you yourself enter into the input field, such as your name and other contact details. In cases where payment is necessary, this may also include bank and/or credit card details. For payments, your data is usually transferred and processed by the payment provider you use in order to process the payment for your order. Payment providers generally also process your data for other purposes, such as to prevent misuse and in order to carry out identity and credit checks. For more information about data processing by your payment provider, please read their data privacy policy. 

Personal data may also be shared with affiliated third parties, such as courier services, travel operators, ticket operators and/or hotels, if this is necessary in order to provide you with the service requested. 

If a technical error occurs during the booking process that leads to the cancellation of the booking, an email is automatically sent to our IT support team with your booking details. This only happens, however, if the customer has already consented to it during booking or when concluding the contract.

The legal basis for this is Art. 6, Para. 1 (b, f) GDPR. The purpose of the data processing is to be able to clarify technical errors within the system. You also have the option of requesting a call-back from our service centre. The legal basis for data processing in this case is Art. 6, Para. 1(a) GDPR. We will only use your data to deal with your request.

1. Hotel reviews

After booking, you also have the option of leaving a review for your hotel after your stay. To do this, we will process your email address and your review if you have provided us with your express consent to do so.

The legal basis for data processing is Art. 6, Para. 1(a) GDPR. You may withdraw your consent at any time by contacting our Data Protection Officer (see below for contact details). In this case, we will delete your data. Otherwise, we will save your data for as long as it is required to fulfil the purpose of reviewing the hotel selected. This generally extends beyond the period of time in which we cooperate with the hotel you have chosen.

2. Ship tours

If you want to tour a ship (e.g. an MSC cruise ship), the German Federal Police require the shipping companies to register accurate data for visitors on board in advance (International Ship and Port Facility Security Code, ISPS). As a result, in addition to your full name and contact details, such as a phone number and address, we will also need your date and place of birth, and information from your passport or ID card. This data will be forwarded to the shipping companies.

3. Input of coupon codes (TYPO3)

Our content management system TYPO3 uses a security plugin that prevents the mass testing of voucher codes on our website. When you enter a coupon code, your IP address is collected and stored.

4. Purchase of train tickets including seat reservation

You have the option of booking Deutsche Bahn train tickets including a seat reservation as part of a travel package. It is not possible to sell individual Deutsche Bahn tickets, as the ticket conditions must always be offered in conjunction with another main service, usually an overnight stay in a hotel. Bookings are made via our website or by an agent of Hamburg Tourismus GmbH via telephone sales. The following personal data is transferred to the Deutsche Bahn system via an interface for ticket creation:

• First name and surname of the person making the booking
• If booking with a child, the child's age
• Travel data (outward and return journey date)
• Connection data of the train connection selected by the customer for the outward and return journey (time, train selection, carriage class)
• Departure station for outward journey, destination station for return journey

Once the passenger data has been transmitted or recorded in the Deutsche Bahn system, Deutsche Bahn is responsible for processing the passenger data transmitted or recorded there. Information on data protection can be found here: Data protection information bahn.de. The legal basis for the use and transfer of data is Art. 6 para. 1 sentence 1 lit. b) GDPR (fulfilment of the contractual relationship).

You will receive your travel documents exclusively from us and not via the Deutsche Bahn system.

5. Legal basis for data processing

The registration and subsequent data processing by us serves to fulfil a contract to which you are a party, or to carry out pre-contractual measures. The legal basis for the data processing is Art. 6, Para. 1(b) GDPR.

The use of your data for a call-back due to a technical error with the booking is done in reference to Art. 6, Para. 1(a, b) GDPR.

The legal basis for data processing with regard to ship tours is Art. 6, Para. 1(b) GDPR.

The legal basis for data processing is our legitimate interest pursuant to Art. 6 (1) sentence 1 lit. f) DSGVO.

6. Purpose of the data processing

The collection, subsequent processing and potential sharing of your data is necessary in order to fulfil the contracts to which you are a party, or as required in order to carry out pre-contractual measures. Your registration may also be necessary in order for us to provide certain content and services on our website.

We do not share your personal data with third parties unless we are obligated to do so by law, the sharing of data is necessary in order to implement the contractual relationship, or you have given your express consent for your data to be shared.

External service providers and affiliates, such as online payment providers or a courier commissioned for the delivery of goods, will only receive your data to the extent that it is necessary in order to process your order. In such cases, the extent of the data shared is kept to the minimum necessary. Where our service providers process your personal data on our behalf, we ensure, in accordance with the commissioned data processing guidelines described in Art. 28 GDPR, that these service providers comply with the requirements of the data protection laws in the same way. Please read the data privacy policies from the relevant service providers.

It is important to us that your data is processed within the EU/EEA. It may, however, be the case that we use service providers that process data outside of the EU/EEA. In such cases, prior to the transmission of your personal data, we ensure that your data is protected by the recipient with appropriate measures that are of a similar standard to those in place within the EU. This may be achieved via EU standard contracts or Binding Corporate Rules, or special agreements such as the EU Privacy Shield, whose regulations may be adopted by the company.

The collection and subsequent storage of your personal data is solely for the purpose of preventing mass entries of voucher codes.

7. Duration of data storage

The data we handle is deleted as soon as it is no longer required in order to fulfil the purpose for which it was originally collected.

This is the case for data collected during registration when the registration on our website is repealed or amended. 

This is the case for data collected during the registration process in order to fulfil a contract or carry out pre-contractual measures if the data is no longer required in order to fulfil the contract. It may still be necessary to save personal data for the contractual partner beyond the conclusion of the contract in order to comply with contractual or legal obligations.

For other third parties responsible for executing the contract, such as hotels, travel operators or payment service providers, there may be other data storage periods in place, or mandated by law. Please read the data privacy policies of the relevant third parties.

The personal data (IP address) is stored by us for a period of 30 minutes and then deleted.

8. Opt-out and requests for deletion

You have the option to cancel your registration and/or have any personal data corrected by us at any time.  

Ask the data controller and our data protection officer about how to delete your registration.

If the data is required in order to execute a contract or carry out pre-contractual measures, it is only possible to delete the data beforehand if there are no contractual or legal requirements to the contrary.

If your IP address is recorded to the extent described, this is mandatory for the purpose stated above. Therefore, there is no possibility to object.

1. Description and extent of data processing

You can apply to work for our company electronically. We will of course only use your information to process your application and will not share it with third parties. Please make sure you only send applications in via our online application page. We only request the necessary data for applications. This information is marked in the input field as mandatory. Mandatory information includes your name and contact details, as well as the position of interest and your CV, references and qualifications. You may also provide other information, such as your salary expectations. This information is provided on a voluntary basis.

2. Legal basis for data processing

The legal basis for data processing is Art. 6, Para. 1(b) GDPR and Section 26, Para.1 German Federal Data Protection Act (BDSG). In the case of voluntary information regarding salary expectations or other information, as well as your consent to the longer storage of your application, Art. 6, Para. 1(a) GDPR serves as the legal basis.

3. Purpose of the data processing

We only use your data in order to process your application or, if you have consented, to inform you of future vacancies.

4. Duration of data storage

Once the application process is complete, we will delete your data after six months at the latest, unless you have given your express consent to us storing the data for longer. In such cases, we will delete your data after one year or if you revoke your consent to its storage.

5. Opt-out and requests for deletion

You may revoke your consent to the storage of your data at any time and to request that your data be deleted.

1. Description and extent of data processing

If you participate in surveys or competitions, we collect the data required in order to be able to implement the competition or survey. In general, these are an individual competition post (e.g. a comment or photo), as well as a name and contact details. In the case of a competition, it may be necessary that we share your data with third parties involved in the competition in order to issue a prize. Such third parties may include couriers, travel operators or hotels. Data processing and data sharing may vary depending on the competition and is therefore described in detail in the Terms and Conditions for each competition. Participation in the competition and the associated data collection is, of course, voluntary. In the case of surveys, we will generally anonymise your personal data so that this information cannot identify you as a person, unless you have given your express consent for us to process your personal data.

2. Legal basis for data processing

The legal basis for the processing of your data is your consent in accordance with Art. 6, Para. 1(a) GDPR.

3. Purpose of the data processing

We only process your data in order to be able to implement the competition and/or survey. 

4. Duration of data storage

Your data will be deleted after the end of the competition, provided no further storage of the information is required due to a newsletter subscription, for example. We will delete your data once the competition is complete, the prizes have been issued and after any statutory warranty period. In the cases of surveys, your data is generally anonymised.

5. Opt-out and requests for deletion

You may revoke your consent to have your data processed or may file an objection to your data being processed at any time. If the data is required in order to execute a contract or carry out pre-contractual measures, it is only possible to delete the data beforehand if there are no contractual or legal requirements to the contrary.

Mouseflow

If you have given your consent, we use Mouseflow, a web analysis service provided by Mouseflow ApS, Flaesketorvet 68, 1711 Copenhagen, Denmark.

The web analysis tool Mouseflow records randomly selected individual visits (only with anonymized IP addresses). This creates a log of mouse movements and clicks with the intention of randomly playing back individual website visits and deriving potential improvements for the website. The data collected with Mouseflow will not be used to personally identify the visitor to this website and will not be merged with personal data about the bearer of the pseudonym without the separately granted consent of the person concerned.
Mouseflow is a tool for analyzing user behavior on our website.
The data collected can be used in heat maps, funnels and feedback campaigns.

 Mouseflow collects the following data:

• Clicks, movements and scrolling of the mouse or trackpad
• Browser type of the device
• Information about the device used (desktop, tablet or phone)
• Language settings of the browser
• Operating system of the device
• Screen resolution
• Duration of the visit to the website
• Pages you visit on the website (URLs)
• Content of the website visited (HTML)
• Approximate ISP location (city, state/region, country)
• Whether you were redirected from another URL
• Whether you are a first-time or returning visitor
• Your response in the Consent Management Tool (consent)

The data is stored for one month.
The information collected by cookies about your use of this website is generally processed in the European Union. According to the data processing agreement, Mouseflow does not process any personal data outside the EU/EEA and only uses subcontractors within the EU/EEA.

The legal basis for this data processing is your consent in accordance with Art. 6 para. 1 sentence 1 lit. a) GDPR. You can revoke your consent at any time with effect for the future by opening the "Privacy settings" in the footer of the website and revoking your consent to the storage of cookies there.

Alternatively, you can object to tracking by Mouseflow in the browser you are using on all websites. Use the following link for this opt-out option:
https://mouseflow.com/opt-out/

Further information about the scope of data collection by Mouseflow and your rights and settings options in this regard can be found in Mouseflow's privacy policy: mouseflow.com/legal/gdpr/
 

1. Description and extent of data processing

There is a contact form on our website that can be used to contact us electronically. If a user decides to use this form, the data from the input field are sent to us and saved. 

If you contact us via email or a contact form, the data you share with us (email address, name and phone number) is saved in order to answer your questions and deal with your enquiry.

When the message is sent, the following data is also saved:

1. User IP address
2. Date and time of registration

Alternatively, you can contact us via the email address provided. In this case, the user’s personal data transmitted with the email is saved. If you provide us with data regarding communication channels (such as email address, phone number), we will only use this information to answer your enquiry.

This information will not be shared with third parties in this context. The data will only be used in order to process the enquiry.

2. Legal basis for data processing 

The legal basis for processing data shared when you make contact with us is Art. 6, Para. 1(f) GDPR. If we request information via the contact form that is not essential to our contacting you, such entries are always marked as optional. This information serves to clarify your request and improve the way we handle your enquiry. This information is provided on a solely voluntary basis and with your consent as per Art. 6, Para.1(a) GDPR.

If the purpose of the email contact is to conclude a contract, the additional legal basis for processing the data is Art. 6, Para. 1(b) GDPR.

3. Purpose of the data processing

The processing of personal data from the input field is used solely to process the contact request. In the case of email contact, this also represents a necessary legitimate interest in the data processing.

The other personal data processed while sending the message serve to prevent the misuse of the contact form and to ensure the security of our IT systems.

4. Duration of data storage

The data is deleted as soon as it is no longer required in order to fulfil the purpose for which it was originally collected. For the personal data from the input fields on the contact form and the data sent via email, this is the case once the conversation with the user has ended. The conversation is deemed ended if the circumstances imply that the subject of the enquiry has been conclusively clarified. 

The other personal data collected while sending the message is deleted after a period of seven days at the latest.

5. Opt-out and requests for deletion

The user may revoke his or her consent to the processing of personal data at any time. If users contact us via email, they may revoke consent to the storage of their personal data at any time. In such cases, the conversation cannot be continued.

All personal data saved during a contact request is deleted in such cases.

We use an API from Leaflets on our site to integrate maps from the OpenStreetMap Foundation (https://wiki.osmfoundation.org/wiki/Main_Page). As an alternative to Google Maps, OpenStreetMap is an open-source JavaScript library that enables us to integrate interactive maps on our website. In order to display the maps correctly, it is necessary from a technical point of view to send requests to the server server.arcgisonline.com. These requests mean that it is fundamentally possible that information about your use of this website (including your IP address and location data) is sent to other servers and saved there. The legal basis for the use of OpenStreetMap is Art. 6, Para. 1(f) GDPR.

To our knowledge, the user data is used by OpenStreetMap solely to display the map functions and to save the settings selected. For more information about OpenStreetMap and the length of time for which data is saved, please ask the provider or visit https://www.openstreetmap.de/faq.html or  https://wiki.osmfoundation.org/wiki/Privacy_Policy . For more information on the Leaflets API, please visit https://www.leafletjs.com.

Visitors to our website are able to leave reviews on its subpages. At the request of the site visitor, we publish the review on our website once our editorial team has received the email.

The legal basis for data processing is Art. 6, Para. 1(a) GDPR. Once the review has been approved by the editorial team, it will be visible to all visitors of our site. We would like to inform you that you may revoke your consent at any time. In such cases, the review, including the data provided in conjunction with the review, will be deleted, except in cases where we are legally obliged to store your data for longer. 

The website does not integrate any social media plug-ins directly into the site. This means it is impossible for third parties to form profiles.

In order for us still to be able to share our services on Facebook and Twitter, for example, we use what is known as the two-click solution.

Only if you decide to share content via the relevant interface and click on it is the data transmitted to the operator of the relevant social media channel. 

We recommend that you read the Data Privacy Policy of the social media channel in question before using it so that you are informed of the purpose and extent of the data collected and its subsequent processing and use, as well as of your rights in this regard and the settings you can adopt to protect your privacy.

You can find them here:

• Facebook: https://www.facebook.com/about/privacy/
• Twitter: https://twitter.com/privacy
• Instagram: https://www.instagram.com/about/legal/privacy/
• Google+: https://www.google.com/intl/de/policies/
• Xing: https://www.xing.com/privacy
• Pinterest: https://policy.pinterest.com/en/privacy-policy

It is our aim to provide you with information via a wide range of media. As a result, we integrate videos from YouTube (YouTube LLC, 901 Cherry Ave., San Bruno, CA 94066, USA). YouTube, LLC is a subsidiary of Google Inc., 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, USA.

YouTube is an online video-sharing platform that makes it possible for people to publish videos for free and for other users to watch, rate and comment on videos, also for free. YouTube permits the publication of all types of videos, which is why entire films and TV shows can be viewed on the site, along with music videos, trailers and videos made by users themselves.

In order to view our videos, users need to click on the preview image. Only once the information box is clicked away or the user logs in can the video be viewed. 

The integration of YouTube videos also takes place in an expanded data privacy mode, or uses the no-cookie solution. This means that only when a video is played are YouTube cookies and pixel tags placed in order to tailor advertising and search results.

When a YouTube video is played, the following data is sent to Google as the operator of YouTube:

• IP address
• The specific address of the site accessed
• The browser ID transmitted
• System date and time of page visit
• Existing cookies permitting the clear identification of your browser

As the operator of YouTube, Google has sole responsibility for processing this data. More information is available at: policies.google.com/privacy.

We would like to inform you that Google may receive other information about cookies previously saved on your computer. We have no influence over how Google may use this information.

You can find the YouTube Data Privacy Policy here: https://policies.google.com/privacy?hl=de&gl=de

1. General information

Social media have become an integral part of the Internet and of modern communication. In order to stay in contact with our customers and potential customers, we have also set up our own fan page on Facebook. Facebook is a service provided by Facebook Inc., 1601 S. California Ave, Palo Alto, CA 94304, USA, and is certified under the EU/US Privacy Shield. With Implementing Directive (EU) 2016/1250 of the EU Commission dated 12 July 2016, the level of protection provided under the EU/US Privacy Shield is deemed of an equal standard to the level of protection within the European Union.

We hereby emphasise that Facebook saves and uses its user data (such as IP address, preferences and personal interests, browsing habits on Facebook, any personal information saved on Facebook) for commercial purposes.

The processing and subsequent use of this data is outside of our control because Facebook alone governs the data processing. The extent to which what data is saved, where and for how long, the extent to which the data is linked and analysed, and with whom the data is shared, is currently unknown to us. We also have no insight or influence with regard to deletion dates, i.e. whether and how accurately deletion dates are observed.

For information from Facebook itself regarding which information is collected, please see the Facebook Data Privacy Policy, which can be viewed here.

If you are a member of Facebook and have logged in to your account, Facebook can attribute your visit to our site to your user account. If you would like to prevent Facebook from linking your visit to our fan page with the data saved about you in your Facebook account, you must:

• Log out of Facebook before each visit to our fan page
• Delete existing cookies on your device
• Close your browser and reopen it

In this way, Facebook states, all information by which Facebook could identify you has been deleted.

2. Extent of data collection and storage

You do not need to be signed up to Facebook in order to view the content of our Facebook fan page. However, Facebook collects, stores and uses data for each visit to our site.

When you call up our fan page, your browser established a connection with a Facebook server. In doing so, data may be transmitted to countries outside of the European Union. In any case, your IP address will be transmitted and cookies are saved on your device, whether you are signed up to Facebook or not. If you are a member of Facebook and have logged in to your account, Facebook can attribute your visit to our site to your user account.

Some of the cookies saved are session cookies, which are deleted when the browser is closed, and permanent cookies, which remain on the device until they expire or until they are deleted by the user. A cookie is a tiny text file that enables a website to recognise a browser. Cookies are saved on the computer when it accesses a website and are called up and read the next time the server is accessed.  Via your browser settings, you can decide whether you want to allow cookies, and which ones you want to permit, block or delete. You can find instructions for various browsers here: Internet Explorer, Firefox, Google Chrome, Google Chrome mobile, Microsoft Edge, Safari, Safari mobile. Alternatively, you can install ad blockers, such as Ghostery.

According to Facebook, the cookies it employs are used for authentication, security, website and product integrity, advertising and measurement, website functions and services, performance and analysis and research. For details of the cookies used by Facebook (e.g. name of the cookies, functional duration, content recorded and purpose), please see: https://www.facebook.com/policies/cookies/, by following the relevant links.

For settings relating to which adverts you see on Facebook, or that you no longer want to see, please see https://www.facebook.com/about/basics/advertising and http://www.youronlinechoices.com and make the relevant adjustments.

Under the above link, you can manage your preferences regarding usage-based online advertising. If you object to receiving usage-based online advertising from a specific advertiser with the aid of the preference manager, this only applies to collection of specific commercial data via the web browser currently in use. Preference management is cookie-based. Deleting all browser cookies also leads to the removal of all preferences set up with the preference manager.

• User communication: User interactions (posts, likes, etc.): Art. 6, Para. 1(f) GDPR 
• Targeted advertising:
  • Facebook cookies: Art. 6, Para. 1(f) GDPR 
  • Demographic data (e.g. based on age, place of residence, language  or gender): Art. 6, Para. 1(f) GDPR 
  • Statistical data on user interactions in aggregated form, i.e. without direct personal references for us (e.g. Page activities, page impressions, page previews, likes, recommendations, posts, videos, page subscriptions, including origin, time of day): Art. 6, Para. 1(f) GDPR 

Automatic decision making and profiling as described in Art. 22 GDPR does not take place.

We only save personal data for as long as is necessary to fulfil the purpose for which the data was collected. Within a business relationship with you, we save your personal data for as long as the business relationship exists. This includes the run-up to and implementation of the contract, as well as the regular statute of limitations. We also save the data as mandated if we are subject to statutory data storage requirements. Such requirements may arise from the German Commercial Code (HGB) or German Fiscal Code (AO).

If you have consented to a processing step, the data associated with the consent given shall be stored until the consent is revoked or, at the latest, for the duration of the processing step and according to the post-processing statute of limitations.

3. Facebook Insights

We use the Facebook Insights function for the purposes of statistical analysis. In this context, we receive anonymised data about the users of our Facebook fan page. It is therefore not possible for us to link this data to you. For more information, please see Facebook’s cookie policy.

4. Sharing and using personal data

Recipients or categories of recipients:

Facebook

If you interact with Facebook, Facebook of course has access to your data. It is specifically possible that Facebook Inc., 1601 Willow Road, Menlo Park, California 94025, USA, has access to your data. Facebook is based in an insecure third country, where the level of data protection is lower. Facebook is subject to the EU/US Privacy Shield, which requires it to implement an appropriate – by European standards – level of data security.

Existing EU/US Privacy Shield certificates may be viewed at https://www.privacyshield.gov/list. With Implementing Directive (EU) 2016/1250 of the EU Commission dated 12 July 2016, the level of protection provided under the EU/US Privacy Shield is deemed of an equal standard to the level of protection within the European Union.

5. Legal basis

If data processing is necessary in order to protect a legitimate interest of our company or of a third party and if this interest is not superseded by the interests or fundamental rights and freedoms of the data subject, Art. 6, Para. 1(f) GDPR serves as the legal basis. We understand our legitimate interest in data processing as the presentation of our company, its products and services for your information and, specifically, as the provision of modern communication options for you.

6. Your rights

If the legal criteria are fulfilled, you have the following rights:

• Access to information: Art. 15 GDPR
• Rectification: Art. 16 GDPR
• Deletion: Art. 17 GDPR
• Blocking/restricting processing: Art. 18 GDPR
• Objection: Art. 21 GDPR
• Data portability: Art. 20 GDPR
• Right to lodge a complaint with a supervisory authority: Art. 77 GDPR
• Right to withdraw consent with future effect: Art. 7, Para. 3 GDPR

According to Art. 21 GDPR, you have the right to object at any time to the processing of personal data relating to you where the processing is done in accordance with Art. 6, Para. 1(e, f) GDPR for reasons resulting from your particular situation; this also applies to any profiling based on these provisions. If personal data is processed in order to offer direct advertising, you also have the right to object at any time to the processing of personal data relating to you for the purposes of such advertising; this also applies to any profiling, provided that it is connected with this kind of direct advertising.

7. Contact details for the data controller and Data Protection Officer; shared responsibility under Art. 26 GDPR

Hamburg Tourisms GmbH
Wexstraße 7
20355 Hamburg

and 

Facebook Ireland, Ltd.
4 Grand Canal Square, Grand Canal Harbour,
D2 Dublin
Ireland

In the view of the European Court of Justice (ECJ), we share the responsibility for the processing of your personal data with Facebook. The decision of the ECJ dated 05/06/2018 can be found here.

As a result of our shared responsibility, we hereby inform you under Art. 26 GDPR of the key details of our existing agreement with Facebook governing our shared responsibility:https://www.facebook.com/legal/terms/page_controller_addendum

If you have any other questions regarding data privacy, please contact us. If you have any questions about the collection, processing or use of your personal data, or if you wish to request information, correct, block or delete data or revoke any consent you may have granted, please contact Ms Rammo (see below for contact details). Exercising your rights as above is free of charge.

8. For more information

For more information about the safe use of social networks, please see the website of the German Federal Office for Information Security at: https://www.bsi-fuer-buerger.de/BSIFB/DE/DigitaleGesellschaft/SozialeNetze/sozialeNetze_node.html

We operate our own channels on third-party websites. By doing so, we aim to inform their active users and interested parties of our services and offer them the opportunity of direct communication.

We would like to inform you that, as a result, user data may be processed outside of the European Union. This may be associated with risks for the user because it may be more difficult for the user to assert his or her rights, for example. With regard to US companies certified under the Privacy Shield, we would like to inform you that they are obliged to maintain the EU’s data security standards.

Furthermore, user data is usually processed for the purposes of market research and advertising. This enables the creation of website user profiles based on user browsing habits, for example. These user profiles may then be used in order to display targeted advertising within and outside of the platforms that correspond with the user’s presumed interests. For this purpose, cookies are generally saved on the user’s computer and store the user’s behaviour and interests. Furthermore, the user profiles may also feature data saved independently of the devices used by the user (particularly if the user is a member of the platform and is logged in at the time).

The legal basis for processing of personal data is Art. 6, Para. 1(f) GDPR. If the user is asked by the platform’s operator to consent to the data processing as described above, the legal basis for the data processing is Art. 6, Para. 1(a), Art. 7 GDPR.

For more information about the processing of personal data collected and your options for objecting to it, please see the website operator’s Data Privacy Policy.

1. YouTube , LLC 901 Cherry Ave., 94066 San Bruno, CA, USA, a Google Inc. company, Amphitheatre Parkway, Mountain View, CA 94043, USA; website: www.youtube.com; Google Data Privacy Policy:  https://www.google.de/intl/de/policies/privacy/
2. Twitter Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA; Data Privacy Policy: https://twitter.com/de/privacy, (settings) https://twitter.com/personalization; Privacy Shield (maintaining data privacy for data processed in the USA): https://www.privacyshield.gov/participant?id=a2zt0000000TORzAAO&status=Active.
3. Instagram Inc., 1601 Willow Road, Menlo Park, CA, 94025, USA; website: https://www.instagram.com; Data Privacy Policy http://instagram.com/about/legal/privacy.

We have taken technical and organisational security measures to protect your data that has been processed by us from accidental or deliberate manipulation, loss and destruction, as well as from access by unauthorised parties. We continually improve our security measures based on technological developments.

If your personal data is processed, you are the data subject within the understanding of GDPR and you have the following rights vis-à-vis the data controller.  

We would be happy to provide you with information about whether we process your personal data, to what extent and for what purposes (Art. 15 GDPR). Furthermore, where the legal criteria apply, you also have the right to rectification (Art. 16 GDPR), to the restriction of processing (Art. 18 GDPR), to deletion (Art. 17 GDPR) and to data portability (Art. 20, GDPR).

Where the legal criteria apply, you also have the right to object to data processing (Art. 21 GDPR).

If you wish to exercise the rights as above, please email datenschutz@hamburg-tourismus.de or write to our company address. Exercising your rights as above is free of charge.

Without prejudice to these rights or the option to exercise any other administrative or judicial remedy, you have the right at any time to assert your right to appeal to a supervisory authority, particularly in the Member State where you are resident, where you work or where the presumed infringement occurred, if you are of the opinion that your personal data was processed in contravention of data protection regulations (Art. 77 GDPR).

The relevant supervisory authority for our company is: the Hamburg Representative for Data Protection and Freedom of Information.

This data privacy policy will be adapted over the course of the development of the Internet and our services. We will publish any amendments on this page in good time. In order to remain up to date regarding the latest status of the provisions regarding our data use, please visit this site regularly.

z.H. externe Datenschutzbeauftragte von Hamburg Tourismus GmbH

intersoft consulting services AG
Beim Strohhause 17
20097 Hamburg

Telefon: +49 (0) 40 790 235 235
E-Mail: datenschutz@hamburg-tourismus.de

The chatbot ‘Stella’ is used on this website to provide you with general information quickly and easily. Clicking on the chat button activates the use of Stella with all its functions. You can end the chat at any time by closing the window. Communication takes place via an encrypted Internet connection. No personal data is required or requested. All information is provided without personal reference. The chat history in your browser is automatically deleted after one day. Chat histories are stored in the internal backend system for 60 days for quality assurance purposes and then automatically deleted.