PRIVACY POLICY ACCORDING TO THE DSGVO

This data protection declaration informs you about the type, scope and purpose of the processing of personal data (hereinafter referred to as “data”) within our website.

I. NAME AND ADDRESS OF THE RESPONSIBLE PERSON

The responsible person in terms of the basic data protection regulation and other national data protection laws of the member states and other data protection regulations is:

PENG Communications GmbH
Klosterstraße 62
10179 Berlin
Germany
Managing directors: Rael Hoffmann and Max Mühlbach
Commercial register: Charlottenburg Local Court, HRB 180871 B
Phone: +49(0)30 – 20 84 99 07 02
e-mail: hallo@exitexpress.de

II. GENERAL INFORMATION ON DATA PROCESSING

1. the scope of processing of personal data
As a matter of principle, we process our users personal data only to the extent necessary to provide a functional website, contents and services. The processing of our users personal data is regularly – and only – carried out with the consent of the user. An exception is made in cases where prior consent cannot be obtained for factual reasons and the processing of data is permitted by legal regulations.

We process inventory data (e.g. name, address and e-mail address), contract data (e.g. services used, payment information) for the purpose of fulfilling our contractual obligations and services in accordance with Art. 6 para. 1 lit b. DSGVO. The entries marked as obligatory in online forms are required for the conclusion of the contract.

2. legal basis for the processing of personal data
Insofar as we obtain the consent of the data subject for the processing of personal data, Art. 6 para. 1 lit. a EU Data Protection Regulation (DSGVO) serves as the legal basis.

When processing personal data which is necessary for the performance of a contract to which the data subject is a party, Article 6 (1) lit. b DSGVO serves as the legal basis. This also applies to processing operations necessary for the performance of pre-contractual measures.

Insofar as the processing of personal data is necessary to fulfil a legal obligation to which our company is subject, Art. 6 para. 1 lit. c DSGVO serves as the legal basis.

In the event that vital interests of the data subject or another natural person make it necessary to process personal data, Art. 6 para. 1 lit. d DSGVO serves as the legal basis.

If the processing is necessary to safeguard a legitimate interest of our company or of a third party and if the interests, fundamental rights and freedoms of the data subject do not outweigh the former interest, Article 6 (1) lit. f DSGVO serves as the legal basis for the processing.

3. data deletion and storage period
The personal data of the person concerned will be deleted or blocked as soon as the purpose of the storage is no longer applicable. Furthermore, data may be stored if this has been provided for by the European or national legislator in Union regulations, laws or other regulations to which the person responsible is subject. Data is also blocked or deleted when a storage period prescribed by the aforementioned standards expires, unless there is a need to continue storing the data for the purpose of concluding or fulfilling a contract.

4. cooperation with contract processors and third parties
If we transfer data to other persons and companies (processors or third parties) in the course of our processing or otherwise grant them access to the data, this is only done on the basis of a legal permission, you have consented, a legal obligation provides for this, for the processing of contractual relationships (e.g. bookingKit, Mangopay) with you or if we have a legitimate interest in the data transfer (e.g. when using agents, webhosters, etc.). If we commission third parties to process data on the basis of a so-called “contract processing agreement”, this is done on the basis of Art. 28 DSGVO.

5. data security
We use the common SSL (Secure Socket Layer) method in connection with the highest encryption level supported by your browser. As a rule, this is a 256-bit encryption. If your browser does not support 256-bit encryption, we use 128-bit v3 technology instead. You can tell whether an individual page of our website is being transmitted in encrypted form by the closed display of the key or lock symbol in the lower status bar of your browser. We also use suitable technical and organisational security measures to protect your data against accidental or deliberate manipulation, partial or complete loss, destruction or unauthorised access by third parties. Our security measures are continuously improved in line with technological developments.

6. company profiles in social media
We operate company profiles within social networks and platforms in order to be able to communicate with the customers, interested parties and users active there and to inform them about our services. When accessing the respective networks and platforms, the terms and conditions and data processing guidelines of their respective operators apply.

Unless otherwise stated in our data protection declaration, we process the data of users if they communicate with us within the social networks and platforms, e.g. write articles on our online presences or send us messages.

III. PROVISION OF THE WEBSITE AND CREATION OF LOG FILES

When you call up our website https://exitexpress.de, information is automatically sent to the server of our website by the browser used on your end device. This information is temporarily stored in a so-called log file. The following information is recorded without your intervention and stored until it is automatically deleted:

(1) Information about the browser type and the version used
(2) The user’s operating system
(3) The Internet service provider of the user
(4) The IP address of the user
(5) Date and time of access
(6) Websites from which the user’s system reaches our website
(7) Websites that are accessed by the user’s system via our website
(8) Protocol (GET or POST)
(9) Status code (200 or 500)

We process the above-mentioned data for the following purposes:
– To ensure a smooth connection of the website,
– Guarantee a comfortable use of our website,
– Evaluation of system security and stability and
– for other administrative purposes.

The legal basis for data processing is Art. 6 Paragraph 1 S. 1 lit. f DSGVO. Our legitimate interest follows from the above-mentioned purposes for data collection. Under no circumstances do we use the data collected for the purpose of drawing conclusions about your person. Furthermore, we use cookies and analysis services when you visit our website. You will find more detailed explanations in sections V and VIII of this privacy policy.

 

IV. USE OF COOKIES

We use cookies on our website. These are small files that are automatically created by your browser and stored on your end device (laptop, tablet, smartphone or similar) when you visit our site. Cookies do not cause any damage to your terminal device, do not contain viruses, Trojans or other malware. Information is stored in the cookie that is related to the specific terminal device used. This does not mean, however, that we are immediately informed of your identity.

The use of cookies serves on the one hand to make the use of our offer more pleasant for you. For example, we use so-called session cookies to recognise that you have already visited individual pages of our website. These are automatically deleted when you leave our site. In addition, we also use temporary cookies to optimise user-friendliness, which are stored on your end device for a certain defined period of time. If you visit our site again to make use of our services, it is automatically recognised that you have already been with us and which entries and settings you have made so that you do not have to enter them again.

On the other hand, we use cookies in order to statistically record the use of our website and to evaluate it for the purpose of optimising our services for you (see section VII). These cookies enable us to automatically recognise that you have already been with us when you visit our site again. These cookies are automatically deleted after a defined period of time. When calling up our website, users are informed by an info banner about the use of cookies for analysis purposes and are referred to this data protection declaration. In this context, there is also a note on how the storage of cookies can be prevented in the browser settings.

The data processed by cookies is required for the above-mentioned purposes to safeguard our legitimate interests and those of third parties in accordance with Art. 6 Para. 1 S. 1 lit. f DSGVO.

Most browsers automatically accept cookies. However, you can configure your browser so that no cookies are stored on your computer or so that a message always appears before a new cookie is created. However, completely deactivating cookies may mean that you cannot use all the functions of our website.

 

V. E-MAIL CONTACT

It is possible to contact us via the provided e-mail address hallo@exitexpress.de. In this case the personal data of the user transmitted with the e-mail will be stored. In this context, the data will not be passed on to third parties. The data will be used exclusively for processing the conversation.

The legal basis for the processing of the data transmitted in the course of sending an e-mail is Art. 6 para. 1 lit. f DSGVO. If the e-mail contact aims at the conclusion of a contract, the additional legal basis for the processing is Art. 6 para. 1 lit. b DSGVO.

The processing of the personal data from the e-mail serves solely to process the contact. This also includes the necessary legitimate interest in the processing of the data.

The data will be deleted as soon as it is no longer required for the purpose of its collection. For personal data sent by e-mail, this is the case when the respective conversation with the user has ended. The conversation is terminated when it can be concluded from the circumstances that the matter in question has been finally clarified.

The user has the possibility to revoke his or her consent to the processing of personal data at any time. If the user contacts us by e-mail (hallo@exitexpress.de), he/she can object to the storage of his/her personal data at any time. In such a case the conversation cannot be continued, and all personal data stored in the course of the contact will be deleted.

 

VI. CONTACT FORM

If you have any questions of any kind, you are welcome to contact us using a form provided on the website. The following personal data must be provided

– E-mail address

so that we know who is making the request and can answer it. The data processing for the purpose of contacting us is carried out in accordance with Art. 6 Para. 1 S. 1 lit. f DSGVO. The personal data collected by us for the use of the contact form will be automatically deleted after completion of the request you have made.

 

VII. TRACKING TOOLS

The tracking measures listed below and used by us are carried out on the basis of Art. 6 para. 1 sentence 1 lit. f DSGVO. With the tracking measures used, we want to ensure that our website is designed to meet the needs of our customers and is continuously optimised. On the other hand, we use the tracking measures to record the use of our website statistically and evaluate it for the purpose of optimising our offer for you. These interests are to be regarded as justified in the sense of the aforementioned regulation. The respective data processing purposes and data categories can be taken from the corresponding tracking tools.

1. google analytics
For the purpose of designing and continuously optimising our pages according to your needs, we use Google Analytics, a web analysis service of Google Inc. (https://www.google.de/intl/de/about) (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; hereinafter “Google”). In this context, pseudonymised user profiles are created and cookies (see under point IV) are used. The information generated by the cookie about your use of this website such as

– Browser type/version,
– the operating system used,
– Referrer URL (the previously visited page),
– Host name of the accessing computer (IP address),
– Time of the server request,

are transmitted to a Google server in the USA and stored there. The information is used to evaluate the use of the website, to compile reports on the website activities and to provide further services associated with the use of the website and the Internet for the purposes of market research and demand-oriented design of these Internet pages. This information may also be transferred to third parties in case it is required by law or in case third parties process this data on our behalf. Under no circumstances will your IP address be merged with other data from Google. The IP addresses are made anonymous, so that an assignment is not possible (IP masking). You may refuse the use of cookies by selecting the appropriate settings on your browser, however please note that if you do this you may not be able to use the full functionality of this website. You can also prevent the collection of data generated by the cookie and related to your use of the website (including your IP address) and the processing of this data by Google by downloading and installing a browser add-on (https://tools.google.com/dlpage/gaoptout?hl=de). As an alternative to the browser add-on, especially for browsers on mobile devices, you can also prevent Google Analytics from collecting the data by clicking on this link. An opt-out cookie is set to prevent the future collection of your data when you visit this website. The opt-out cookie is only valid in this browser and only for our website and is stored on your device. If you delete the cookies in this browser, you will need to set the opt-out cookie again. Further information on data protection in connection with Google Analytics can be found in the Google Analytics help (https://support.google.com/analytics/answer/6004245?hl=de).

 

VIII. SOCIAL MEDIA PLUG-INS

We use social plug-ins of the social networks Facebook, Twitter and Instagram on our website on the basis of Art. 6 para. 1 sentence 1 lit. f DSGVO in order to make EXIT better known. The underlying advertising purpose is to be regarded as a legitimate interest within the meaning of the DSGVO. The responsibility for the data protection compliant operation is to be guaranteed by their respective providers. The integration of these plug-ins by us takes place by means of the so-called two-click method in order to protect visitors to our website in the best possible way.

1. facebook
On our website, social media plugins from Facebook are used to make their use more personal. For this we use the “LIKE” or “SHARE” button. This is an offer from Facebook. When you call up a page on our website that contains such a plugin, your browser establishes a direct connection with the Facebook servers. The content of the plugin is transmitted by Facebook directly to your browser and integrated into the website by it. Through the integration of the plugin, Facebook receives the information that your browser has called up the corresponding page of our website, even if you do not have a Facebook account or are not currently logged in to Facebook. This information (including your IP address) is transmitted by your browser directly to a Facebook server in the USA and stored there. If you are logged in to Facebook, Facebook can assign your visit to our website directly to your Facebook account. If you interact with the plugins, for example by clicking the “LIKE” or “SHARE” button, the corresponding information is also transmitted directly to a Facebook server and stored there. The information is also published on Facebook and displayed to your Facebook friends. Facebook may use this information for the purposes of advertising, market research and the design of Facebook pages to meet your needs. For this purpose, Facebook creates usage, interest and relationship profiles, e.g. to evaluate your use of our website with regard to the advertisements shown to you on Facebook, to inform other Facebook users about your activities on our website and to provide other services associated with the use of Facebook. If you do not want Facebook to assign the data collected via our website to your Facebook account, you must log out of Facebook before visiting our website. For the purpose and scope of data collection and the further processing and use of data by Facebook, as well as your rights in this regard and setting options for protecting your privacy, please refer to Facebook’s data protection information (https://www.facebook.com/about/privacy).

2. twitter
There are plugins of the short message network known as Twitter Inc. (Twitter) integrated on our website. You can recognise the Twitter plugins (tweet button) by the Twitter logo on our site. You can find an overview of tweet buttons here (https://about.twitter.com/resources/buttons).

If you call up a page on our website that contains such a plugin, a direct connection is established between your browser and the Twitter server. Twitter thereby receives the information that you have visited our site with your IP address. If you click the Twitter “tweet button” while you are logged in to your Twitter account, you can link the contents of our pages on your Twitter profile. This allows Twitter to associate your visit to our pages with your user account. We would like to point out that we, as the provider of the pages, have no knowledge of the content of the transmitted data or its use by Twitter. If you do not want Twitter to be able to link your visit to our pages, please log out of your Twitter user account. For further information, please refer to the Twitter privacy policy (https://twitter.com/privacy).

3. instagram
Our site also uses social plugins (“Plugins”) from Instagram, which is operated by Instagram LLC, 1601 Willow Road, Menlo Park, CA 94025, USA (“Instagram”). The plugins are marked with an Instagram logo, for example in the form of an “Instagram Camera”. When you access a page on our site that contains such a plug-in, your browser will establish a direct connection to Instagram’s servers. The content of the plugin is transmitted by Instagram directly to your browser and integrated into the page. This integration informs Instagram that your browser has called up the corresponding page of our website, even if you do not have an Instagram profile or are not currently logged in to Instagram. This information (including your IP address) is transmitted by your browser directly to an Instagram server in the USA and stored there. If you are logged in to Instagram, Instagram can immediately associate your visit to our website with your Instagram account. When you interact with the plug-ins, for example by clicking the “Instagram” button, this information is also transmitted directly to an Instagram server and stored there. The information is also published to your Instagram account and displayed to your contacts. If you do not want Instagram to associate the information collected through our website directly with your Instagram account, you must log out of Instagram before visiting our website. For more information, please refer to Instagram’s Privacy Policy (https://help.instagram.com/155833707900388).

 

IX. THIRD PARTY SERVICES

1st Google Maps
To optimise our website we use the map service “Google Maps” by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. The improvement of our website with regard to the display of maps and the creation of directions is also in our legitimate interest pursuant to Art. 6 para. 1 lit. f DSGVO. When using Google Maps, Google collects, processes and uses data on the use of the Maps functions by users of our website. In particular, the user’s IP address is required for the display of Google Maps content for the purpose of displaying maps. The data collected by Google is transferred to the USA by Google and stored there. Google is certified under the Privacy Shield Agreement and thus offers a guarantee to comply with European data protection law (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active).

Further information about data processing by Google can be found in Google’s data protection information.

2nd bookingkit
To distribute our offers (EXIT missions and vouchers) we use a booking system by bookingkit GmbH, Sonnenallee 233, 12059 Berlin (“bookingkit”). If you make a booking on our site, you agree to the storage and processing of your personal data by bookingkit. Your personal data will be forwarded to bookingkit and processed. This storage and processing of the data is done for the purpose of supporting and processing your orders, your authentication, the handling of payment transactions and the improvement of the services of bookingkit. You can find more information on terms of use and data protection and the possible assignment of third parties for data processing by bookingkit under https://bookingkit.net/de/datenschutzerklaerung/.

3rd MANGOPAY
Services for payment by [bank transfer, credit and debit cards, SEPA direct debit, direct transfer, Giropay, iDeal and Przelewy24] are provided by MANGOPAY S.A, 10 boulevard Royal, L-2449 Luxembourg. For the use of these services, MANGOPAY collects, stores and processes personal data in accordance with the MANGOPAY Terms of Use, and is responsible for the lawful handling of such data. For more information, please refer to the MANGOPAY Privacy Policy at https://www.mangopay.com/privacy.

4th paypal
The PayPal service is provided by PayPal (Europe) S.à r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg. When paying with PayPal, you will be redirected to the PayPal website via a link. In order to use this service, PayPal collects, stores and processes your personal data such as your name, address, telephone number and email address, as well as your credit card or bank account information. PayPal is solely responsible for the protection and handling of the data collected by PayPal. In this respect, the PayPal Terms of Use, which can be found at www.PayPal.com, apply. For more information on how PayPal handles your information and the use of third parties, please refer to PayPal’s Privacy Policy, which can be found at https://www.paypal.com/de/webapps/mpp/ua/privacy-full.

 

X. RIGHTS OF THE DATA SUBJECT

If personal data is processed by you, you are a data subject within the meaning of the DSGVO and you are entitled to the following rights in relation to the person responsible:

1. right of information
You can request confirmation from the person responsible as to whether personal data concerning you is being processed by us.

If such processing has taken place, you can request information from the data controller on the following:

(1) the purposes for which personal data is processed
(2) the categories of personal data which are processed;
(3) the recipients or categories of recipients to whom the personal data concerning you have been or will be disclosed;
(4) the planned duration of storage of the personal data relating to you or, if it is not possible to give specific details, criteria for determining the duration of storage;
(5) the existence of a right of rectification or erasure of personal data concerning you, a right to have the processing limited by the controller or a right to object to such processing;
(6) the existence of a right of appeal to a supervisory authority;
(7) any available information as to the origin of the data, where the personal data is not collected from the data subject;
(8) the existence of automated decision-making, including profiling, in accordance with Art. 22 (1) and (4) DPA and – at least in these cases – meaningful information on the logic involved and the scope and intended effects of such processing on the data subject.

You have the right to request information as to whether the personal data concerning you is transferred to a third country or to an international organisation. In this context, you may request to be informed of the appropriate safeguards pursuant to Art. 46 DPA in connection with the transfer.

2. right of rectification
You have the right to obtain the rectification and/or integration of any personal data processed concerning you if it is incorrect or incomplete. The data controller shall make the correction without delay.

3. the right to limit processing
Under the following conditions, you may request that the processing of personal data concerning you be restricted:

(1) if you dispute the accuracy of the personal data concerning you for a period which enables the controller to verify the accuracy of the personal data
(2) the processing is unlawful and you object to the deletion of the personal data and instead request the restriction of the use of the personal data;
(3) the controller no longer needs the personal data for the purposes of the processing, but you need them in order to assert, exercise or defend legal claims; or
(4) if you have initiated an objection to the processing pursuant to Art. 21 (1) DPA and it is not yet clear whether the legitimate reasons of the controller outweigh your reasons.

If the processing of personal data relating to you has been restricted, such data – apart from being stored – may be processed only with your consent or for the purpose of asserting, exercising or defending legal claims or protecting the rights of another natural or legal person or on grounds of an important public interest of the Union or a Member State.

If the restriction on processing has been restricted in accordance with the above conditions, you will be informed by the controller before the restriction is lifted.

4. right of cancellation

a) Duty to delete

You may request the controller to delete personal data concerning you without delay and the controller is obliged to delete such data without delay if one of the following reasons applies:

(1) the personal data concerning you are no longer necessary for the purposes for which they were collected or otherwise processed
(2) you revoke your consent on which the processing was based pursuant to Art. 6 para. 1 lit. a or Art. 9 para. 2 lit. a DPA and there is no other legal basis for the processing.
(3) You submit an objection to the processing pursuant to Art. 21 Para. 1 DSGVO and there are no overriding legitimate reasons for the processing, or you submit an objection to the processing pursuant to Art. 21 Para. 2 DSGVO.
(4) The personal data concerning you have been processed unlawfully.
(5) The deletion of personal data concerning you is necessary to comply with a legal obligation under Union law or the law of the Member States to which the controller is subject.
(6) The personal data concerning you have been collected in relation to information society services offered, in accordance with Article 8(1) of the DPA.

(b) Exceptions

The right of cancellation does not exist insofar as the processing is necessary

(1 ) on the exercise of the right to freedom of expression and information;
(2) to comply with a legal obligation requiring processing under Union or national law to which the controller is subject or to perform a task carried out in the public interest or in the exercise of official authority vested in the controller;
(3) for reasons of public interest in the field of public health pursuant to Art. 9 para. 2 lit. h and i and Art. 9 para. 3 DSGVO;
(4) for archival, scientific or historical research purposes in the public interest or for statistical purposes pursuant to Art. 89 para. 1 DSGVO, insofar as the right referred to in section a) is likely to render impossible or seriously prejudice the attainment of the objectives of such processing, or
(5) to assert, exercise or defend legal claims.

5. right to information
If you have exercised the right to rectify, erase or limit the processing, the controller is obliged to notify all recipients to whom the personal data concerning you have been disclosed of this rectification, erasure or limitation of processing, unless this proves impossible or involves a disproportionate effort.

You have the right to be informed of these recipients by the controller.

6. right of objection
You have the right to object at any time, for reasons arising from your particular situation, to the processing of personal data concerning you which is carried out on the basis of Article 6 paragraph 1 letter e or f of the DPA; this also applies to profiling based on these provisions.

The controller no longer processes the personal data concerning you, unless he can demonstrate compelling reasons for processing which are worthy of protection and which outweigh your interests, rights and freedoms, or unless the processing serves to assert, exercise or defend legal claims.

Where personal data relating to you are processed for the purpose of direct marketing, you have the right to object at any time to the processing of personal data relating to you for the purpose of such marketing, including profiling, insofar as it relates to such direct marketing.

If you object to processing for the purposes of direct marketing, the personal data concerning you will no longer be processed for those purposes.

You have the possibility to exercise your right of objection in relation to the use of information society services, without prejudice to Directive 2002/58/EC, by means of automated procedures using technical specifications.

7. right to withdraw your data protection consent
You have the right to revoke your data protection declaration of consent at any time. Revocation of your consent does not affect the legality of the processing that has taken place on the basis of your consent until revocation.

8. right to appeal to a supervisory authority
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State in which you are domiciled, your place of work or the place where the alleged infringement occurred, if you consider that the processing of personal data relating to you is in breach of the DPA.

The supervisory authority to which the complaint has been sent shall inform the complainant of the status and outcome of the complaint, including the possibility of a judicial remedy under Art. 78 DSGVO.

Status: May 2018