Data protection declaration
Data protection information regarding our data processing as per Articles 13, 14 and 21 of the General Data Protection Regulation (GDPR)
We take data protection seriously. In this data protection declaration, we will inform you about how we process your data as well as which claims and rights are due to you in accordance with statutory data protection regulations. Valid as of 25 May 2018.
1. The party responsible for data processing and contact data in the sense of data protection law is:
Besttravel Dortmund GmbH
You can contact the data protection officer at:
The Data Protection Officer
c/o Borussia Dortmund GmbH & Co. KGaA
Tel.: 02 31 - 90 20 0
2. The purposes for which we process your data and the legal basis for this
We process personal data in accordance with the stipulations set out in the General Data Protection Regulation (GDPR) as well as other applicable data protection regulations (details below). Which data in particular are processed and how these are used primarily depends on the particular service that has been requested or arranged. Further details and additions regarding the purposes of data processing can be found in respective contractual documents, forms, declarations of consent and/or other information messages that have been provided to you (e.g. while using our website or in our terms and conditions). Furthermore, this data protection information may be updated from time to time, as can be seen on our website at www.besttravel.bvb.de.
2.1 Purposes for the fulfilment of a contract or pre-contractual measures (Article 6 para. 1 b of the GDPR)
Personal data is processed so that we can carry out orders placed by you. It is also processed so that we can implement measures and perform work within the scope of pre-contractual relationships, e.g. with interested parties. In particular, data processing serves the performance of business services in connection with the mediation of travel packages or individual travel modules, possibly participation in competitions and club offers, when registering on our website and/or on a besttravel app, or when filling out forms on our website. This is done in accordance with your orders and wishes and encompasses the business services, measures and work required for their execution. These primarily include: contract-related communications with you, corresponding invoice and related payment transactions, the verification of transactions, orders and other agreements, quality control through appropriate documentation, acts of goodwill and measures for the management and improvement of business processes, the fulfilment of general due diligence obligations and management and control by affiliated companies (e.g. the parent company); statistical analyses for the purpose of company management, cost accounting and controlling, reporting, internal and external communication, crisis management, the billing and tax assessment of operational services, risk management, the assertion of legal claims and defence in the case of legal disputes; the safeguarding of IT security (including system and plausibility checks) and general security, including building and facility security, the safeguarding and observance of householder’s rights (e.g. through access controls); the safeguarding of the integrity, authenticity and availability of data and the prevention and investigation of crimes; monitoring by supervisory boards or authorities (e.g. audits).
2.2 Purposes within the scope of our legitimate interest or that of third parties (Article 6, para. 1 f of the GDPR)
Beyond the actual fulfilment of a contract or a preliminary contract, it may be the case that we process your data in order to protect our legitimate interest or that of third parties as the circumstances require, especially:
- For advertising purposes or market and opinion research, insofar as you have not objected to the use of your data;
- For the purpose of obtaining information from and exchanging information with credit agencies where this goes beyond our financial risk;
- For the review and improvement of needs analysis procedures;
- For the further improvement of business services and products as well as existing systems and processes;
- For the disclosure of personal data as part of due diligence in company sales negotiations;
- For comparison with European and international anti-terrorist lists where this goes beyond our legal obligations;
- For the enrichment of our data, including by using or researching publicly accessible data;
- For statistical or market analyses;
- For benchmarking;
- For the assertion of legal claims or for purposes of defence in the event of legal disputes which cannot be directly attributed to the contractual relationship;
- For the restricted storage of data where deletion is not possible or only possible at disproportionately great expense owing to the special way in which the data has been stored;
- For the development of scoring systems or automated decision-making processes;
- For the prevention and investigation of crimes where this is not only for the fulfilment of legal requirements;
- For building and facility security (e.g. through access controls and video surveillance) where this goes beyond our general duty of care;
- For internal and external research and security reviews;
- For the purpose of listening in on or recording telephone conversations for quality control and training purposes;
- For the purpose of obtaining and maintaining certifications of a private-law or official nature;
- For the purpose of safeguarding and observing householder’s rights through corresponding measures and video surveillance to protect our customers and employees and for the purpose of securing evidence in the event of crimes and their prevention.
2.3 Purposes based on your consent (Article 6 para. 1 lit. a of the GDPR)
Your personal data may also be processed for certain purposes on the basis of your consent. As a rule, you may revoke this consent at any time (e.g. the use of your email address for marketing purposes). This also applies to the revocation of declarations of consent which were granted to us prior to the GDPR’s coming into effect, that is to say, prior to 25 May 2018. Information about such purposes and about the consequences of a revocation or non-conferral of consent will be provided to you separately in the text which accompanies the declaration of consent.
In principle, the revocation of a declaration of consent only applies to the future. Processing which was carried out prior to the revocation is not affected by such a revocation and remains lawful.
2.4 Purposes for the fulfilment of legal requirements (Article 6 para. 1 lit. c of the GDPR) or in the public interest (Article 6 para. 1 lit. e of the GDPR)
Like anybody who engages in business activity, we are also subject to numerous legal obligations. These are primarily legal requirements (e.g. trade and taxation laws), but also, as the case may be, supervisory or other official obligations. Processing for these purposes includes, where applicable, identity and age checks, the prevention of fraud and money laundering, the prevention, combating and investigation of terrorist financing and crimes which endanger assets, comparisons with European and international anti-terror lists, the fulfilment of statutory tax control and reporting obligations, the archiving of data for purposes of data protection and data security as well as monitoring by tax authorities and other authorities. Furthermore, it may be necessary to disclose personal data within the scope of official or judicial measures for purposes of evidence collection, criminal proceedings or the enforcement of civil law.
3. Data categories processed by us where we do not receive data from you directly and their origin
Insofar as it is necessary for the fulfilment of our business services, we process personal data which we have received in a permissible manner from other companies or other third parties (e.g. credit agencies, address publishers). In addition, we process personal data that was taken, received or purchased in a permissible manner from public sources (e.g. telephone directories, trade and association registers, civil registers, debtor records, land registers, the press, the Internet and other media) and which we are allowed to process.
Relevant personal data categories include, in particular:
- Personal data (name, date of birth, place of birth, nationality, marital status, occupation/branch and comparable data)
- Contact data (address, email address, telephone number and comparable data)
- Address data (registration data and comparable data)
- Payment confirmations and cover notes from banking and credit institutes
- Information about your financial situation (credit worthiness data including scoring, i.e., data for the assessment of financial risk)
- Customer history
- Data about your use of tele-media provided by us (e.g. the time at which you accessed our websites, apps or newsletter, sites or links provided by us which you have clicked on or entries and comparable data)
- Video data
4. Recipients of your data and categories of recipients of your data
Within our company, internal departments and organisational units which require your data for the fulfilment of our contractual and statutory obligations or as part of the processing and realisation of our legitimate interests will receive your data. Your data will only be forwarded to external bodies:
- In connection with the processing of contracts;
- For the purpose of fulfilling legal obligations which oblige us to provide information, provide notification or forward data, or where the forwarding of data is in the public interest (see section 2.4);
- Where external business service providers process data on our behalf in their capacity as data processing companies or as a company to which a function has been transferred (e.g. data centres, support/maintenance from EDV/IT applications, archiving, document processing, call-centre services, compliance services, controlling, data screening for anti-money-laundering purposes, data validation or plausibility checking, data destruction, purchasing/acquisition, customer management, letter shops, marketing, media technology, research, risk, billing, telephony, website management, auditing services, credit institutes, printers or data removal companies, courier services, logistics);
- On the basis of our legitimate interest or the legitimate interest of third parties within the scope of the purposes specified under section 2.2 (e.g. to authorities, credit agencies, debt-collection agencies, lawyers, courts, surveyors, affiliated companies and supervisory and control bodies);
- Where you have granted us consent to transmit your data to third parties.
We will not forward your data to third parties for any other purposes than those mentioned above. Where we commission service providers for the purpose of order processing, your data there are subject to the same security standards as they are within our company. In all other cases, recipients may only use the data for the purposes for which they were conveyed.
5. The length of time for which your data will be stored
We process and store your data for the duration of our business relationship. This includes the initiation of a contract (pre-contractual legal relationship) and the performance of a contract. Furthermore, we are subject to various retention and documentation regulations arising from, among other things, trade and taxation laws. These stipulate that the periods of time for which data must be retained or documented are up to ten years beyond the end of the business relationship or the pre-contractual legal relationship.
Furthermore, special legal regulations may require that data be retained for a longer period of time, for example, the retention of evidence within the scope of statutory limitation periods.
Where data are no longer required for the fulfilment of contractual or legal obligations and rights, these will be deleted on a regular basis, unless their – temporary – further processing is required for the fulfilment of the purposes specified under section 2.2 owing to an overriding legitimate interest. Such an overriding legitimate interest exists, for example, where deletion is impossible or disproportionately expensive owing to the special way in which the data has been stored and where processing for other purposes by means of appropriate technical or organisational measures is not possible.
6. Processing of your data in a third country or by international organisations
Data will be transmitted to sites in countries outside of the European Union (EU) or the European Economic Area (EEA) (referred to as third countries) where it is required for the performance of an order from you or a contract with you, where it is prescribed by law (e.g. statutory tax reporting obligations), where it lies within the scope of our legitimate interest or that of a third party or where you have granted your consent to us.
In this regard, the processing of your data in a third country may also take place where service providers have been engaged for the purpose of order processing. Where the EU Commission has not passed a resolution regarding the appropriate level of protection for the country in question, we ensure that your rights and freedoms will be adequately protected and guaranteed by concluding appropriate contracts in accordance with EU data protection regulations.
Information on appropriate or adequate guarantees and how you can get a copy of them can be obtained from the company’s data protection officer on request.
7. Your data protection rights
You can assert your data protection rights against us under certain conditions. For example, you have the right to receive information from us about data which concerns you and which is stored at our company in accordance with the regulations set forth in Article 15 of the GDPR and the applicable national data protection law.
At your request, we will amend data about you which we have stored in accordance with Article 16 of the GDPR where these are inapplicable or erroneous.
Should you want, we will delete your data in accordance with the principles set forth in Article 17 of the GDPR provided that other legal regulations (e.g. statutory retention obligations or possible restrictions stemming from applicable national data protection law) or an overriding interest on our part (e.g. to defend our rights and claims) does not stand in the way of this.
In consideration of the conditions set forth in Article 18 of the GDPR, you can demand that we limit the processing of your data.
Furthermore, you can object to the processing of your data in accordance with Article 21 of the GDPR, on the basis of which we must end the processing of your data. However, this right to object only applies where there exist very special circumstances in your personal situation, whereby the rights of our company may conflict with your right to object.
In accordance with the conditions set forth in Article 20 of the GDPR, you also have the right to receive your data in a structured, current and machine-readable format or to transmit them to a third country. Furthermore, you have the right to revoke your consent to the processing of personal data previously granted to us with effect for the future (see section 2.3).
Furthermore, you are entitled to complain to a data protection supervisory authority (Article 77 of the GDPR). Nevertheless, we recommend lodging a complaint with our data protection officer in the first instance. Your requests regarding the exercise of your rights should, where possible, be made out in writing to the aforementioned address or to our data protection officer directly.
8. The extent of your obligation to disclose your data to us
You are only required to disclose those data which are required for the acceptance and performance of a business relationship or a pre-contractual relationship with us, or those data which we are required to collect by law. Without these data, we will, as a rule, not be able to conclude or perform a contract. This may also refer to data required later on in the business relationship. Where we request data from you which go beyond these, you will be informed of your right to provide such data on a voluntary basis.
9. The existence of automated decision making in individual cases (including profiling)
In accordance with Article 22 of the GDPR, we do not make use of a fully automated decision-making process. However, should we make use of such a process in individual cases in future, we will inform you about this separately insofar as this is prescribed by law.
We may process your data in part with the aim of evaluating certain personal aspects (profiling).
In order to inform you and advise you about products in a targeted manner, we may possibly make use of analysis instruments. These facilitate needs-based product design, communication and advertising including market and opinion research.
Similarly, such processes may be made use of in order to evaluate your credit worthiness and to combat money-laundering and fraud. What are referred to as “score-values” may be used to evaluate your credit worthiness. Using mathematical procedures, scoring is undertaken to calculate the likelihood that a customer will settle his or her payment obligations in accordance with a contract. Consequently, such score-values aid us, for example, in the evaluation of credit worthiness and the decision-making process as part of product sales. They also feed into our risk management processes. The calculation is based on mathematically and statistically recognised and proven procedures and takes place on the basis of your data, in particular, your income, expenditure, existing liabilities, occupation, employer, duration of employment, experiences from your business relationship thus far, the repayment of previous loans in accordance with a contract as well as information from credit agencies.
As part of this process, information regarding nationality as well as particular categories of personal data as per Article 9 of the GDPR will not be processed.
Supplementary information regarding our online services
The data subject can prevent cookies from being placed by our internet site at any time by means of the appropriate setting in the internet browser he or she makes use of and can, in this way, object to the placement of cookies on a permanent basis. Furthermore, cookies that have already been placed can be deleted at any time using an internet browser or other software programme. This is possible in all current internet browsers. Should the data subject deactivate the placement of cookies in the internet browser he or she uses, then it may be the case that he or she cannot make full use of all of the functions on our internet site.
Data protection information with respect to application procedures
We only process applicants’ data for the purpose of and as part of the application process in accordance with legal requirements. The processing of applicants’ data is done to fulfil our (pre-) contractual obligations as part of the application process in the sense of Article 6 para. 1 lit. b of the GDPR and Article 6 para. 1 lit. f of the GDPR insofar as data processing becomes necessary for us, for example, as part of legal proceedings (§ 26 of the German Federal Data Protection Act also applies).
The application procedure requires applicants to disclose application data to us. The required application data are indicated where we offer an online form or can otherwise be found in job descriptions. In principle, these include personal information, postal and contact addresses and documents as part of the application such as a covering letter, CV and certificates. Besides these data, applicants may disclose additional information to us voluntarily.
By sending their application to us, applicants consent to their data being processed for the purposes of the application procedure in accordance with the type and scope of processing set forth in this data protection declaration.
Insofar as special categories of personal data are voluntarily disclosed as part of the application procedure in the sense of Article 9 para. 1 of the GDPR, they will be additionally processed in accordance with Article 9 para. 2 lit. b of the GDPR (e.g. health data such as severe disabilities or ethnic origin). Insofar as special categories of personal data are requested from applicants as part of the application procedure in the sense of Article 9 para. 1 of the GDPR, they will be additionally processed in accordance with Article 9 para. 2 lit. a of the GDPR (e.g. health data where these are required to exercise the profession).
Where an online form is provided, applicants may send their applications in this way on our website. The data will be encrypted and sent to us in a way commensurate with the latest technology. Furthermore, applicants may send their applications to us via email. If applicants choose to do so, we would ask them to remember that emails are not sent in an encrypted format as a rule and that applicants must ensure they are encrypted themselves. Consequently, we cannot accept any liability for the path of transmission the application travels along between the sender and its arrival on our server and recommend, as a result, using an online form or sending the application by post. This is because applicants still have the option to send the application to us by post instead of applying via the online form or by email.
Where an application is successful, the data disclosed to us by an applicant may be processed by us further for the purposes of the employment relationship. Otherwise, where an application for a job is unsuccessful, the applicant’s data will be deleted. An applicant’s data will also be deleted where an application is withdrawn, something which applicants are entitled to do at any time.
Subject to a justified revocation by the applicant, the deletion will take place after six months have elapsed. This allows us to answer any follow-up questions regarding the application and to satisfy our obligation to provide proof arising from the German Equal Treatment Act. Invoices for any travel cost reimbursements will be archived in accordance with statutory tax requirements.
Where a user contacts us (e.g. using a contact form, by email, telephone or social media), his or her information will be processed for the purpose of processing the contact request and its handling in accordance with Article 6 para. 1 lit. b of the GDPR. The user’s data may be saved in a customer relationship management system (“CRM System”) or comparable request management system.
We will delete the data insofar as they are no longer required. We check whether they are still required every two years. Furthermore, statutory archiving obligations apply.
We will inform you below about the contents of our newsletter, registration, shipment and statistical analysis procedures as well as your right to object to these. Should you subscribe to our newsletter, you consent to receiving it and the procedures described.
The newsletter’s contents: we only send newsletters, emails and other electronic messages with advertising information (hereinafter “newsletter”) with the consent of the recipient or with legal permission. Insofar as the contents of the newsletter are outlined in concrete terms during the registration process, these are decisive for users’ consent. Moreover, our newsletters contain information about our services and us.
Double opt-in and logging: registration for our newsletter takes place as part of what is known as a double opt-in procedure. This means you will receive an email after registering in which you will be asked to confirm your registration. This registration is necessary to prevent other persons from registering using an email address which is not their own. Registrations for the newsletter are logged in order to prove the registration process took place in accordance with legal requirements. This includes the storage of the time at which the registration and confirmation took place and also the IP address. Amendments to data concerning you held by the shipping provider will also be logged.
Registration data: It is sufficient to provide your email address in order to register for the newsletter. We also ask you to provide a name on an optional basis so that we can address you personally in newsletters.
The shipment of the newsletter and the related performance assessment take place on the basis of the recipient’s consent in accordance with Article 6 para. 1 lit. a and Article 7 of the GDPR in conjunction with § 7 para. 2 no. 3 of the German Unfair Competition Act or on the basis of legal permission in accordance with § 7 para. 3 of the German Unfair Competition Act.
The logging of the registration process takes place on the basis of our legitimate interest in accordance with Article 6 para. 1 lit. f of the GDPR. Our interest is directed towards the use of a user-friendly and secure newsletter system which serves our commercial interest, meets with users’ expectations and which also allows us to prove consent was granted.
Cancellation/revocation: you can cancel your receipt of our newsletter at any time, i.e. revoke your consent. You can find a link for the purpose of cancelling the newsletter at the end of every newsletter. On the basis of our legitimate interest, we may store email addresses provided to us for up to three years before we delete them in order to prove that somebody had previously provided us with consent. The processing of this data is limited to the purpose of defending against potential third-party claims. An individual request for data to be deleted is possible at any time insofar as the existence of consent that was given previously is confirmed at the same time.
Newsletter – Shipping Services
The newsletter is shipped by the shipping provider SC-NETWORKS GMBH, Enzianstr. 2, 82319 Starnberg, Germany. You can view the shipping provider’s data protection provisions here: https://www.sc-networks.de/unternehmen/datenschutz/. The shipping provider is used on the basis of our legitimate interest in accordance with Article 6 para. 1 lit. f of the GDPR and an order processing contract in accordance with Article 28 para. 3 sentence 1 of the GDPR.
The shipping provider may use recipients’ data in pseudonymised form, i.e. without being matched to a single user, for the purpose of optimising or improving its own services, e.g. for the technical optimisation of the shipping process and the newsletter’s presentation or for statistical purposes. However, the shipping provider will not use the data of our newsletter recipients in order to write to them themselves or to pass on the data to third parties.
Newsletter – Performance Assessment
Newsletters contain what is referred to as a “web-beacon”. This is a pixel-size file which is retrieved by our server when the newsletter is opened or, where we have used a shipping provider, by their server. As part of this retrieval, technical information such as information about the browser and your system as well as your IP address and the time of retrieval is collected in the first instance.
This information is used for the technical improvement of our services on the basis of technical data, or on the basis of target groups and their reading habits by reference to their access locations (which can be determined using the IP address) or access times. This statistical information also includes verification as to whether newsletters are opened, when they are opened and which links are clicked on. For technical reasons, this information can be matched with the individual newsletter recipient. However, it is not our aim or, if used, that of the shipping provider to observe individual users. Rather, the analysis helps us to determine our users’ reading habits, to adapt our content to them and to send different content according to our users’ interests.
Collection of access data and logfiles
On the basis of our legitimate interest in the sense of Article 6 para. 1 lit. f of the GDPR, we, that is to say our hosting provider, collect data about each instance where the server on which this service is located is accessed (so-called server logfiles). The access data include the name of the website which was visited, file, date and time of access, the amount of data transferred, notification of successful access, browser type and version, the user’s operating system, the referrer URL (the previously visited site), IP address and the requesting provider.
For security reasons (e.g. the investigation of misuse or fraud), logfile information is stored for a maximum of three months and deleted thereafter. Data which need to be retained for longer for evidentiary purposes are exempted from deletion until the particular incident has been resolved.
Google is certified under the Privacy Shield Agreement and offers, as a result, a guarantee that it will adhere to European data protection law (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active).
We only use Google Analytics with activated IP anonymisation. This means that users’ IP addresses will be shortened by Google within member states of the European Union or in other states which are contractual parties to the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and shortened there.
The IP address communicated by the user’s browser will not be merged with other Google data. Users can prevent the storage of cookies by using the appropriate setting in their browser software. Furthermore, users can prevent Google from collecting data generated by the cookie relating to their use of the online service and prevent Google from processing this data by downloading and installing the browser plugin available at the following link: tools.google.com/dlpage/gaoptout.
Further information on Google’s data usage, setting options and opportunities to object to this can be found in Google’s data protection declaration (https://policies.google.com/technologies/ads) and in the settings for the display of embedded advertisements by Google (https://adssettings.google.com/authenticated).
We incorporate maps from the “Google Maps” service provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Processed data may include, in particular, users’ IP addresses and location data, which, nevertheless, will not be collected without their consent. Users’ consent in this regard is normally granted or withheld through the settings on their mobile devices. The data may be processed in the USA. Data protection declaration: https://www.google.com/policies/privacy/. Opt-out: https://adssettings.google.com/authenticated.
The integration of services and content from third parties
On the basis of our legitimate interest (i.e. our interest in the analysis, optimisation and economical operation of our online service in the sense of Article 6 para. 1 lit. f of the GDPR), we use content and service offerings from third-party suppliers as part of our online service in order to integrate their content and services, for example, videos or fonts (referred to hereinafter collectively as “content”).
This always requires the third-party supplier of this content to make use of users’ IP addresses since they are unable to send such content to users’ browsers without the IP address. Consequently, the IP address is required for the display of this content. We make every effort to only use content whose respective suppliers only use the IP address to deliver this content. In addition, third-party suppliers may use what are referred to as pixel tags (invisible graphics which are also referred to as “web beacons”) for statistical or marketing purposes. Using these pixel tags, information such as visitor traffic to this website can be evaluated. Furthermore, pseudonymized information may be stored in cookies on users’ devices and may contain, among other things, technical information about the browser and operating system, referring websites, the time of visit and other information regarding the use of our online service. This information may also be linked with such information from other sources.
Online presence on social media
We maintain an online presence on social networks and platforms to be able to communicate with customers, interested persons and users who are active on these networks and platforms and to inform them there about our services. The terms and conditions and the data processing guidelines of the respective operator are applicable when accessing the respective networks and platforms.
Unless otherwise indicated within the scope of our data protection declaration, we process users’ data insofar as they communicate with us on social networks and platforms, e.g., where they post contributions on our social media presence or send us messages via such platforms.
Our data protection information regarding our processing of data in accordance with Articles 13, 14 and 21 of the GDPR can change from time to time. We will publish all amendments on this site.
Effective 23 May 2018.