For us, building partnership based on trust starts with taking care of the details. For us, this naturally includes protecting your data from the outset. In this privacy notice, we would like to explain how, why and what elements of your personal data are processed and used by us when you visit our website as we seek to make the online experience as pleasant as possible for our customers.
The controller within the meaning of the GDPR is:
GLC Glücksburg Consulting AG
represented by the Management Board: Professor Martin Weigel, Edith Brasche
22761 Hamburg, Germany
b. Data protection officer
We are advised on questions concerning data protection by ARCONDA SYSTEMS AG, where our external data protection officer is Dr Bernd Lühr. He can be contacted at the following address:
ARCONDA SYSTEMS AG
Dr Bernd Lühr
22453 Hamburg, Germany
Tel: +49 (0)40 8231 580
Fax: +49 (0)40 8231 5899
The terminology in this privacy notice corresponds to that used in the GDPR and the BDSG. The main terms used include the following:
• ‘Personal data’: Any information pertaining to an identified or identifiable natural person (‘data subject’). An identifiable natural person is some who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of this natural person (Article 4(1) GDPR).
• ‘Processing’: Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction (Article 4(2) GDPR).
• ‘Third party’: A natural or legal person, public authority, agency or body other than the data subject, controller, processor or persons who, under the direct authority of the controller or processor, are authorized to process personal data (Article 4(10) GDPR).
• ‘Consent’ of the data subject: Any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her (Article 4(11) GDPR).
d. Types of data
In particular, the following types of data are processed on our website:
• Inventory data (data required for the establishment, content creation, amendment or termination of a contractual relationship, e.g. names and address)
• Contact details (data which can be used to contact you or your company, e.g. email addresses and telephone numbers)
• Content data (content of messages sent, e.g. text entered by you, images, videos)
• Usage data (technical information regarding for example access times and websites visited)
• Communication data (data which provides us with information about the communication channel used, e.g. your browser, device information, IP addresses)
The following types of data also arise in connection with business-related processing:
• Contract data (contract text and subject matter, term, etc.)
• Payment details (e.g. bank details and accounting history)
e. Data subject groups and general purpose of processing
Personal data is collected from the users of this website. Data collected from you is processed to help make this website available and to respond to enquiries. We also collect some data for the purposes of reach measurement and to improve the design of our website for our customers. Information about what data is collected, on what legal basis, and how we process it is contained in the specific explanations in this privacy notice.
f. Right of withdrawal
It goes without saying that, pursuant to Article 7(3) GDPR, you have the right at any time to withdraw the consent you have granted with future effect without stating your reasons for doing so. Withdrawal need not be expressed in a specific way to be valid and will take effect and be observed by us upon receipt, regardless of the medium used. However, to make things smoother for both you and us, we kindly request that declarations of withdrawal be sent to the following email address: datenschutz(at)glc-group.com.
These days, nearly all websites use various cookies to ensure that the pages work as intended and in order to optimize their design and features for you. Cookies are information files which are transmitted by our web server or third-party web servers to your web browser, where they are stored for later retrieval. These information files are specific information packets related to your device (PC or smartphone and the browser you use). However, they do not enable us to identify you. Cookies are mainly used to improve the user-friendliness of websites (e.g. by storing login data or your preferred language). Cookies will not harm your device and do not contain viruses, trojan horses or other malicious software.
What types of cookies do we use?
This website uses transient and persistent cookies. Their scope and how they work are explained below.
Transient cookies are automatically deleted as soon as you close your browser. They mainly include session cookies. Session cookies store a ‘session ID’, which can be used to remember various browser requests throughout the entire session, hence enabling your computer to be recognized if you visit our website again. Using these cookies means you do not have to log in each time you return to our website if you have an account with us. Session cookies are deleted when you log off or close your browser.
Persistent cookies automatically expire after a specific length of time, which may vary from one cookie to the next. Cookies can be deleted in your browser’s security settings at any time.
Most browsers accept cookies by default. If you do not want cookies to be saved on your device, the corresponding option can be disabled in your browser’s system settings. Saved cookies can also be deleted in the system settings of your browser. However, please note that certain functions of this website may be impaired if cookies are not used. The following links explain how to disable cookies on the most popular browsers:
Google Chrome: https://support.google.com/accounts/answer/61416?hl=en
Microsoft Internet Explorer: https://support.google.com/accounts/answer/61416?hl=en
h. Objection to processing of personal data (including for direct marketing purposes)
Pursuant to Article 21 GDPR, regardless of your visit to our website, please note that you naturally always have the right to object to the processing of your personal data.
Under Article 21(2) GDPR, you also have the right to object to your personal data being processed for direct marketing purposes. Objection need not be expressed in a specific way to be valid and will take effect and be observed by us upon receipt, regardless of the medium used. However, to make things smoother for both you and us, we kindly request that objections be sent to the following email address: datenschutz(at)glc-group.com.
i. General right to erasure and restriction of processing
Your personal data can be erased or restricted in accordance with Articles 17 and 18 GDPR. Data is in particular erased by us as soon as the purpose for which the data was originally collected no longer applies and there is no statutory retention period. Under Section 257(1) HGB German Commercial Code, we are for instance legally obliged to keep account books, inventories, opening balance sheets, annual financial statements, individual financial statements as defined by Section 325(2a), management reports, consolidated financial statements and consolidated management reports as well as procedural instructions necessary to understand them and other organizational documentation, commercial letters and accounting receipts for a period of six years. If statutory retention obligations apply, we shall restrict the processing of data so that we can only process it for the statutorily prescribed purpose.
j. Data security
To ensure the security of your data, we use the widespread SLL (Secure Socket Layer) protocol to transmit both website content and data entered by you. Data is sent between you and our hosting provider using 256-bit encryption. If your browser does not support 256-bit encryption, we will use 128-bit v3 technology instead.
III. Your rights
The aim of our efforts to protect your data is for you to always have full control over the information you provide. As such, in addition to the aforementioned rights, you also have rights regarding the personal data stored by us, which are described below in detail.
a. Right to obtain confirmation of processing
Pursuant to Article 15 GDPR, you have the right to obtain confirmation from us regarding the processing of your personal data.
b. Right of access
If we process your personal data, under Article 15 GDPR, you have the right to access your data in our possession. We will provide you with this information in accordance with the provisions of Article 15 GDPR.
c. Right to completion and rectification
Pursuant to Article 16 GDPR, you have the right to request us to rectify incorrect personal data concerning you without delay. You also have the right to complete incomplete data stored by us.
d. Right to erasure
Under Article 17 GDPR, you have the right to request that your personal data be erased without delay if one of the following points applies and if none of the exceptions provided for in Article 17(2, 3) GDPR apply:
• The personal data is no longer required for the purposes for which it was collected or processed in some other way
• The data subject withdraws his or her consent on which processing is based under Article 6(1a) or Article 9(2a) and there is no other legal basis for processing
• The data subject objects to processing in accordance with Article 21(1) and there are no overriding legitimate grounds for processing, or the data subject objects to processing under Article 21(2)
• The personal data has been unlawfully processed
• The personal data must be erased to comply with a legal obligation under Union or Member State law to which the controller is subject
• The personal data was collected in relation to the offer of information society services referred to in Article 8(1)
e. Right to the restriction of processing
Under Article 18 GDPR, you have the right to request that the processing of your personal data be restricted without delay if one of the following applies:
• The accuracy of personal data is contested by the data subject, restriction to apply for a period enabling the controller to check the personal data’s accuracy
• Although processing is unlawful, the data subject opposes the erasure of the personal data and requests that its use be restricted instead
• Although the controller no longer needs the personal data for the purposes of processing, it is required by the data subject to establish, exercise or defend legal claims
• The data subject has objected to processing under Article 21(1) GDPR pending verification of whether the controller’s legitimate grounds outweigh those of the data subject
Where processing has been restricted under paragraph 1, such personal data may, with the exception of storage, only be processed with the data subject’s consent, for the establishment, exercise or defence of legal claims, to protect the rights of another natural or legal person, or for reasons of important public interest of the Union or a Member State. We will notify you prior to the lifting of any such restriction.
f. Right to data portability
Under Article 20 GDPR, you have the right to receive personal data concerning you in a structured, commonly used and machine-readable format, and to request that it be transmitted to a third party without hindrance. Restrictions to this right may apply under Article 20 GDPR.
g. Right to lodge a complaint
Pursuant to Article 77 GDPR, you have the right to lodge a complaint with the relevant supervisory authority. The competent authority can be contacted at the following address: Der Hamburgische Beauftragte für Datenschutz und Informationsfreiheit, Klosterwall 6, 20095 Hamburg, Germany; tel: 040 428544040; fax: 040 428 54 4000; email: mailbox(at)datenschutz.hamburg.de.
IV. Processing for technical reasons
a. Hosting the website
To be able to make this website available to you, we work with a hosting provider who supplies the infrastructure for the smooth operation of this website and carries out regular maintenance to ensure your data is not lost. To ensure compliance with data protection standards and that your data is protected, our hosting provider has signed a data processing agreement pursuant to Article 28 GDPR obliging it to observe our high data protection standards. This provider processes inventory, contact, content, contract, use and communication data for users of this website on the basis of our legitimate interest in the maintenance, operation and security of this website pursuant to Article 6(1f) GDPR.
In addition, usage data is created every time our website is visited. This includes in particular the name of the website accessed, downloaded files, the date and time of access, the volumes of data transferred in each case, messages about successful website access, the browser type and operating system used, the site previously visited, the IP address and the provider used. This data is processed by us or our hosting provider on our behalf and on the basis of our legitimate interest in protection from misuse and for security reasons pursuant to Article 6(1f) GDPR. With the exception of personal data which must continue to be stored for evidence purposes, personal data is stored for seven days and then automatically erased.
b. Webshop cookie
To enable you to register in our web shop and the shopping cart function to work, we place a cookie on your device which assigns you a unique identifier. We use the personal data stored by this cookie on the basis of our legitimate interest in having a functioning webshop system pursuant to Article 6(1f) GDPR. The cookie is a ‘session cookie’ which automatically expires and is normally automatically deleted from your browser when you leave our website and close your browser.
c. Webshop order processing
You can register in our webshop system either as a guest or with a user profile account. The data requested from you via the input mask is processed in order to deal with orders for items from our webshop on the basis of Article 6(1b) GDPR. We also send your address details to our mailing contractor so that your order can be delivered.
d. Contacting us
By contact form
If you wish to contact us, you can do so by using our contact form. We will process the data collected there to deal with your contact enquiry pursuant to Article 6(1b) GDPR. If in addition we stay in touch with you for commercial purposes, your personal data may also be processed in a customer relationship management system. If the data is no longer required to respond to your enquiry, we will erase it provided that no statutory archiving obligations apply.
Contacting us by email or telephone
If you contact us by telephone or email, your details will be processed in order to deal with your contact enquiry pursuant to Article 6(1b) GDPR (necessary details prior to entering into a contract) or Article 6(1f) GDPR (legitimate interest in responding to your enquiry). If you contact us by email, we will also save the content you send us by email. If you provide us with information about communication channels (such as telephone numbers), we may also contact you via these communication channels to answer your request. The personal data you provide will only be used for the purpose for which you provided us with it when contacting us.
We will erase the data we receive when you contact us as soon as it is no longer required to achieve the purpose for which it was collected. This also applies to data you provide voluntarily. It is in our legitimate interest to store this data together with the required data. Personal data sent by email or provided to us by telephone will be erased when the conversation with the user has ended. The conversation is deemed to have ended when it can be inferred from the circumstances that the matter in question has been finally clarified, albeit no later than one month after the most recent contact. If a contract is concluded with you, the statutory retention periods apply.
e. Privacy in connection with applications and application procedures
To deal with application procedures, applicants’ personal data is collected and processed by the controller. Processing may also take place electronically. This is mainly done whenever an applicant submits application documents digitally (e.g. by email) to the controller. If a contract of employment is subsequently concluded between the controller and the applicant, the data provided will be saved in order to implement employment in compliance with the statutory regulations. If an applicant is informed that he or she has been turned down, the application documents will be automatically deleted after six months assuming no contract of employment is concluded between the controller and the applicant unless other legitimate interests on the part of the controller stand in the way of deletion. An example of other legitimate interests in this sense is the burden of proof in proceedings under the AGG General Equal Treatment Act.
f. Booking enquiries
Holiday accommodation in the Wittenberg region can be reserved or booked on our website. Your personal data provided by you in connection with your enquiry will be processed in order to deal with your enquiry on the basis of Article 6(1b) GDPR.
If you wish to be kept abreast of our latest products and information, you can sign up for our email newsletter.
To ensure that third parties do not register using your email address, registration has been set up as a ‘double opt-in’ process. After you have entered your email address in the relevant box and clicked on the corresponding button to register, you will receive an email from us containing a link to confirm your registration. By clicking on the link, you consent to the further use of your personal data required to send you the newsletter. For reasons of traceability, we log this registration and process the time of registration and confirmation, the IP address and the email address provided on the basis of our legitimate interest in the traceability of registration pursuant to Article 6(1f) GDPR. We will use the email address and name provided by you to send you the newsletter and for the salutation. We will process this data on the basis of your consent pursuant to Article 6(1a) and Article 7 GDPR in conjunction with Section 7(2, no. 3) UWG German Act against Unfair Competition as well as on the basis of the legal authorization pursuant to Section 7(3) UWG.
If you no longer want us to send you newsletters, you can unsubscribe at any time. A link to unsubscribe from the newsletter is contained at the end of each newsletter. Of course, you can also simply send us an email to the following address: info(at)lutherstadt-wittenberg.de.
After you unsubscribe, we may store your name and email address for up to three years on the basis of our legitimate interest in tracing consent previously granted pursuant to Article 6(1f) GDPR. This data will only be retained for this purpose and cannot be used for other purposes.
h. Ordering brochures
Brochures can be ordered on our website. To do so, you need to provide us with your surname, first name and address. This data is collected to deal with your request in accordance with Article 6(1b) GDPR and will be forwarded to our mailing contractor Skorzak GmbH & Co. KG, Direktmarketing-Dienstleistungen, Westerallee 155, 24941 Flensburg, Germany so that the brochure(s) ordered can be sent to you. Once your request has been dealt with and your data is no longer required, it will be erased by both us and our contractor. A data processing agreement has been signed with the contractor.
V. Use of third-party services – technical features and information
We use the services of the mailing contractor Tripicchio AG – Dialog Marketing, Engesserstrasse 4a, 79108 Freiburg, Germany (hereinafter Tripicchio) and the mailing tool Maileon to send our newsletter on the basis of our legitimate interest pursuant to Article 6(1f) GDPR. By collecting your form of address, first name, surname and email address, which you submit to us on our website using a double opt-in procedure, we are able to provide you with a functioning, user-friendly newsletter service. For this purpose, we will forward the email address you have provided as well as your IP address and the time of your registration and confirmation to the mailing service Maileon. This additional data will solely be used by Maileon to optimize its own service. Maileon is not allowed to pass on this data to anyone else and has signed a data processing agreement with us.
Newsletters sent via Maileon contain a tracking pixel – a miniature graphic which is retrieved by Maileon when you open the newsletter and provides it with information about your browser and your system as well as your IP address and the time of retrieval. It also records whether a newsletter has been opened and whether links in it have been used. This data is used to improve the content of future newsletters and will not be forwarded to third parties. After the withdrawal of consent, this personal data will be erased by the controller. After unsubscribing to the newsletter, your data will be automatically erased from the system.
b. Google Analytics
We use the service ‘Google Analytics’ from Google on our website on the basis of our legitimate interest pursuant to Article 6(1f) GDPR. This allows us to determine what is particularly relevant for visitors to our website, to obtain an overview of visitor numbers, and to make our website even more attractive. This service is operated by Google Inc. (1600 Amphitheatre Parkway Mountain View, CA 94043 USA; hereinafter ‘Google’) and can only function if a cookie is used. The location of visitors, their operating system and the type of device they use are processed. The cookie also stores information about how you found us (‘referring websites’) as well as landing pages, click paths, bounce rates and how long you spend on individual pages.
The information generated by the cookie is sent to a Google server in the USA and processed there. Our website is configured such that your personal data is anonymized by being truncated before being sent anywhere outside the territory under the jurisdiction of the European Union or of other signatories to the Agreement on the European Economic Area (IP masking). The IP address sent from your browser in connection with Google Analytics will not be merged with any other data by Google.
Furthermore, Google is certified under the Privacy Shield agreement and obliged to comply with European data protection law. Corresponding proof of this status is available at www.privacyshield.gov/participant. Moreover, a data processing agreement has been signed with Google.
You can prevent data from being collected by downloading and installing the browser plug-in available at tools.google.com/dlpage/gaoptout. In this case, a browser cookie is stored which prevents Google from collecting information on this and other websites.
c. Google AdWords Conversion Tracking
d. Google Analytics Remarketing
We also use Google Analytics Remarketing on our website on the basis of our legitimate interest in promoting our offering among individuals and target groups pursuant to Article 6(1f) GDPR. Data from Google Analytics and AdWords may be merged. This enables us to display advertising to you which we believe contains offers relevant to you.
For more information about Google’s terms of service and privacy, please visit https://www.google.com/analytics/terms/gb.html and https://policies.google.com. For specific information about how Google Analytics Remarketing works, please visit https://marketingplatform.google.com/about.
e. Google Maps
This website uses Google Maps to display interactive maps and produce travel directions. Google Maps is a map service provided by Google Inc., 1600 Amphitheatre Parkway, Mountain View, California 94043, USA. The use of Google Maps allows information on the use of this website to be transmitted to Google in the USA, including your IP address and the (start) address entered in the journey planner. When you access a page on our website containing Google Maps, your browser establishes a direct connection to Google’s servers. The map content is transmitted directly by Google to your browser, which integrates it into the website. We therefore have no control over the scope of data collected by Google in this way which, to our knowledge, includes at least the following:
• The date and time of your visit to the website concerned
• The web address or URL of the accessed website
• Your IP address
• The (start) address entered for journey planning
By using our website, you agree to the data collected about you by the Google Maps journey planner being processed in the manner and for the purpose described above.
f. Cloudflare CDN
We use a service provided by Cloudflare Inc., 101 Townsend St., San Francisco, CA 94107, USA (hereinafter: Cloudflare) on the basis of our legitimate interest in optimizing and ensuring the stability of our website and protecting it from cyberattacks. All enquiries reaching our website are also transmitted to Cloudflare’s servers in the USA. Cloudflare uses this data solely to maintain its offering and assuredly will not pass on this data to third parties.
In addition, Cloudflare is certified under the Privacy Shield agreement and has thus undertaken to comply with European data protection law. Its status can be verified by visiting www.privacyshield.gov/participant.
g. HRS Destination Solutions
We use the booking system of HRS Destination Solutions GmbH, Breslauer Platz 4, 50668 Cologne (HRS DS) to arrange and book overnight accommodation. If you make a booking on our site, you agree to your personal data being stored and processed by HRS DS in order to deal with your booking. Your personal data will be forwarded to HRS DS and processed. Furthermore, your data will be forwarded to the provider of the accommodation booked. This data is stored and processed to support and deal with your booking and your authentication as well as for billing purposes between HRS DS and GLC Glücksburg Consulting AG as the agency partners of the accommodation provider. Whenever a booking is made, the data will be stored for the commercial retention period of ten years.
h. Die NetzWerkstatt
VI. Use of third-party services – social bookmarks
lutherstadt-wittenberg.de is of course on Facebook, Twitter, Youtube and Google+. We have included links to these social media platforms on our website to enable you to network with us.
VII. Validity and changes to this privacy notice
This privacy notice was drawn up in May 2018 and is the version currently in force. It may be necessary to amend this privacy notice as our website and services are developed or in response to legal changes.