This data protection declaration informs you about the type, scope and purpose of the processing of personal data (hereinafter referred to as “data”) within our website.
I. NAME AND ADDRESS OF THE RESPONSIBLE PERSON
The responsible person in terms of the basic data protection regulation and other national data protection laws of the member states and other data protection regulations is:
PENG Communications GmbH
Managing directors: Rael Hoffmann and Max Mühlbach
Commercial register: Charlottenburg Local Court, HRB 180871 B
Phone: +49(0)30 – 20 84 99 07 02
II. GENERAL INFORMATION ON DATA PROCESSING
1. the scope of processing of personal data
As a matter of principle, we process our users personal data only to the extent necessary to provide a functional website, contents and services. The processing of our users personal data is regularly – and only – carried out with the consent of the user. An exception is made in cases where prior consent cannot be obtained for factual reasons and the processing of data is permitted by legal regulations.
We process inventory data (e.g. name, address and e-mail address), contract data (e.g. services used, payment information) for the purpose of fulfilling our contractual obligations and services in accordance with Art. 6 para. 1 lit b. DSGVO. The entries marked as obligatory in online forms are required for the conclusion of the contract.
2. legal basis for the processing of personal data
Insofar as we obtain the consent of the data subject for the processing of personal data, Art. 6 para. 1 lit. a EU Data Protection Regulation (DSGVO) serves as the legal basis.
When processing personal data which is necessary for the performance of a contract to which the data subject is a party, Article 6 (1) lit. b DSGVO serves as the legal basis. This also applies to processing operations necessary for the performance of pre-contractual measures.
Insofar as the processing of personal data is necessary to fulfil a legal obligation to which our company is subject, Art. 6 para. 1 lit. c DSGVO serves as the legal basis.
In the event that vital interests of the data subject or another natural person make it necessary to process personal data, Art. 6 para. 1 lit. d DSGVO serves as the legal basis.
If the processing is necessary to safeguard a legitimate interest of our company or of a third party and if the interests, fundamental rights and freedoms of the data subject do not outweigh the former interest, Article 6 (1) lit. f DSGVO serves as the legal basis for the processing.
3. data deletion and storage period
The personal data of the person concerned will be deleted or blocked as soon as the purpose of the storage is no longer applicable. Furthermore, data may be stored if this has been provided for by the European or national legislator in Union regulations, laws or other regulations to which the person responsible is subject. Data is also blocked or deleted when a storage period prescribed by the aforementioned standards expires, unless there is a need to continue storing the data for the purpose of concluding or fulfilling a contract.
4. cooperation with contract processors and third parties
If we transfer data to other persons and companies (processors or third parties) in the course of our processing or otherwise grant them access to the data, this is only done on the basis of a legal permission, you have consented, a legal obligation provides for this, for the processing of contractual relationships (e.g. bookingKit, Mangopay) with you or if we have a legitimate interest in the data transfer (e.g. when using agents, webhosters, etc.). If we commission third parties to process data on the basis of a so-called “contract processing agreement”, this is done on the basis of Art. 28 DSGVO.
5. data security
We use the common SSL (Secure Socket Layer) method in connection with the highest encryption level supported by your browser. As a rule, this is a 256-bit encryption. If your browser does not support 256-bit encryption, we use 128-bit v3 technology instead. You can tell whether an individual page of our website is being transmitted in encrypted form by the closed display of the key or lock symbol in the lower status bar of your browser. We also use suitable technical and organisational security measures to protect your data against accidental or deliberate manipulation, partial or complete loss, destruction or unauthorised access by third parties. Our security measures are continuously improved in line with technological developments.
6. company profiles in social media
We operate company profiles within social networks and platforms in order to be able to communicate with the customers, interested parties and users active there and to inform them about our services. When accessing the respective networks and platforms, the terms and conditions and data processing guidelines of their respective operators apply.
Unless otherwise stated in our data protection declaration, we process the data of users if they communicate with us within the social networks and platforms, e.g. write articles on our online presences or send us messages.
III. PROVISION OF THE WEBSITE AND CREATION OF LOG FILES
When you call up our website https://exitexpress.de, information is automatically sent to the server of our website by the browser used on your end device. This information is temporarily stored in a so-called log file. The following information is recorded without your intervention and stored until it is automatically deleted:
(1) Information about the browser type and the version used
(2) The user’s operating system
(3) The Internet service provider of the user
(4) The IP address of the user
(5) Date and time of access
(6) Websites from which the user’s system reaches our website
(7) Websites that are accessed by the user’s system via our website
(8) Protocol (GET or POST)
(9) Status code (200 or 500)
We process the above-mentioned data for the following purposes:
– To ensure a smooth connection of the website,
– Guarantee a comfortable use of our website,
– Evaluation of system security and stability and
– for other administrative purposes.
The data processed by cookies is required for the above-mentioned purposes to safeguard our legitimate interests and those of third parties in accordance with Art. 6 Para. 1 S. 1 lit. f DSGVO.
Most browsers automatically accept cookies. However, you can configure your browser so that no cookies are stored on your computer or so that a message always appears before a new cookie is created. However, completely deactivating cookies may mean that you cannot use all the functions of our website.
V. E-MAIL CONTACT
It is possible to contact us via the provided e-mail address firstname.lastname@example.org. In this case the personal data of the user transmitted with the e-mail will be stored. In this context, the data will not be passed on to third parties. The data will be used exclusively for processing the conversation.
The legal basis for the processing of the data transmitted in the course of sending an e-mail is Art. 6 para. 1 lit. f DSGVO. If the e-mail contact aims at the conclusion of a contract, the additional legal basis for the processing is Art. 6 para. 1 lit. b DSGVO.
The processing of the personal data from the e-mail serves solely to process the contact. This also includes the necessary legitimate interest in the processing of the data.
The data will be deleted as soon as it is no longer required for the purpose of its collection. For personal data sent by e-mail, this is the case when the respective conversation with the user has ended. The conversation is terminated when it can be concluded from the circumstances that the matter in question has been finally clarified.
The user has the possibility to revoke his or her consent to the processing of personal data at any time. If the user contacts us by e-mail (email@example.com), he/she can object to the storage of his/her personal data at any time. In such a case the conversation cannot be continued, and all personal data stored in the course of the contact will be deleted.
VI. CONTACT FORM
If you have any questions of any kind, you are welcome to contact us using a form provided on the website. The following personal data must be provided
– E-mail address
so that we know who is making the request and can answer it. The data processing for the purpose of contacting us is carried out in accordance with Art. 6 Para. 1 S. 1 lit. f DSGVO. The personal data collected by us for the use of the contact form will be automatically deleted after completion of the request you have made.
VII. TRACKING TOOLS
The tracking measures listed below and used by us are carried out on the basis of Art. 6 para. 1 sentence 1 lit. f DSGVO. With the tracking measures used, we want to ensure that our website is designed to meet the needs of our customers and is continuously optimised. On the other hand, we use the tracking measures to record the use of our website statistically and evaluate it for the purpose of optimising our offer for you. These interests are to be regarded as justified in the sense of the aforementioned regulation. The respective data processing purposes and data categories can be taken from the corresponding tracking tools.
1. google analytics
For the purpose of designing and continuously optimising our pages according to your needs, we use Google Analytics, a web analysis service of Google Inc. (https://www.google.de/intl/de/about) (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; hereinafter “Google”). In this context, pseudonymised user profiles are created and cookies (see under point IV) are used. The information generated by the cookie about your use of this website such as
– Browser type/version,
– the operating system used,
– Referrer URL (the previously visited page),
– Host name of the accessing computer (IP address),
– Time of the server request,
VIII. SOCIAL MEDIA PLUG-INS
We use social plug-ins of the social networks Facebook, Twitter and Instagram on our website on the basis of Art. 6 para. 1 sentence 1 lit. f DSGVO in order to make EXIT better known. The underlying advertising purpose is to be regarded as a legitimate interest within the meaning of the DSGVO. The responsibility for the data protection compliant operation is to be guaranteed by their respective providers. The integration of these plug-ins by us takes place by means of the so-called two-click method in order to protect visitors to our website in the best possible way.
On our website, social media plugins from Facebook are used to make their use more personal. For this we use the “LIKE” or “SHARE” button. This is an offer from Facebook. When you call up a page on our website that contains such a plugin, your browser establishes a direct connection with the Facebook servers. The content of the plugin is transmitted by Facebook directly to your browser and integrated into the website by it. Through the integration of the plugin, Facebook receives the information that your browser has called up the corresponding page of our website, even if you do not have a Facebook account or are not currently logged in to Facebook. This information (including your IP address) is transmitted by your browser directly to a Facebook server in the USA and stored there. If you are logged in to Facebook, Facebook can assign your visit to our website directly to your Facebook account. If you interact with the plugins, for example by clicking the “LIKE” or “SHARE” button, the corresponding information is also transmitted directly to a Facebook server and stored there. The information is also published on Facebook and displayed to your Facebook friends. Facebook may use this information for the purposes of advertising, market research and the design of Facebook pages to meet your needs. For this purpose, Facebook creates usage, interest and relationship profiles, e.g. to evaluate your use of our website with regard to the advertisements shown to you on Facebook, to inform other Facebook users about your activities on our website and to provide other services associated with the use of Facebook. If you do not want Facebook to assign the data collected via our website to your Facebook account, you must log out of Facebook before visiting our website. For the purpose and scope of data collection and the further processing and use of data by Facebook, as well as your rights in this regard and setting options for protecting your privacy, please refer to Facebook’s data protection information (https://www.facebook.com/about/privacy).
There are plugins of the short message network known as Twitter Inc. (Twitter) integrated on our website. You can recognise the Twitter plugins (tweet button) by the Twitter logo on our site. You can find an overview of tweet buttons here (https://about.twitter.com/resources/buttons).
IX. THIRD PARTY SERVICES
1st Google Maps
To optimise our website we use the map service “Google Maps” by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. The improvement of our website with regard to the display of maps and the creation of directions is also in our legitimate interest pursuant to Art. 6 para. 1 lit. f DSGVO. When using Google Maps, Google collects, processes and uses data on the use of the Maps functions by users of our website. In particular, the user’s IP address is required for the display of Google Maps content for the purpose of displaying maps. The data collected by Google is transferred to the USA by Google and stored there. Google is certified under the Privacy Shield Agreement and thus offers a guarantee to comply with European data protection law (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active).
Further information about data processing by Google can be found in Google’s data protection information.
X. RIGHTS OF THE DATA SUBJECT
If personal data is processed by you, you are a data subject within the meaning of the DSGVO and you are entitled to the following rights in relation to the person responsible:
1. right of information
You can request confirmation from the person responsible as to whether personal data concerning you is being processed by us.
If such processing has taken place, you can request information from the data controller on the following:
(1) the purposes for which personal data is processed
(2) the categories of personal data which are processed;
(3) the recipients or categories of recipients to whom the personal data concerning you have been or will be disclosed;
(4) the planned duration of storage of the personal data relating to you or, if it is not possible to give specific details, criteria for determining the duration of storage;
(5) the existence of a right of rectification or erasure of personal data concerning you, a right to have the processing limited by the controller or a right to object to such processing;
(6) the existence of a right of appeal to a supervisory authority;
(7) any available information as to the origin of the data, where the personal data is not collected from the data subject;
(8) the existence of automated decision-making, including profiling, in accordance with Art. 22 (1) and (4) DPA and – at least in these cases – meaningful information on the logic involved and the scope and intended effects of such processing on the data subject.
You have the right to request information as to whether the personal data concerning you is transferred to a third country or to an international organisation. In this context, you may request to be informed of the appropriate safeguards pursuant to Art. 46 DPA in connection with the transfer.
2. right of rectification
You have the right to obtain the rectification and/or integration of any personal data processed concerning you if it is incorrect or incomplete. The data controller shall make the correction without delay.
3. the right to limit processing
Under the following conditions, you may request that the processing of personal data concerning you be restricted:
(1) if you dispute the accuracy of the personal data concerning you for a period which enables the controller to verify the accuracy of the personal data
(2) the processing is unlawful and you object to the deletion of the personal data and instead request the restriction of the use of the personal data;
(3) the controller no longer needs the personal data for the purposes of the processing, but you need them in order to assert, exercise or defend legal claims; or
(4) if you have initiated an objection to the processing pursuant to Art. 21 (1) DPA and it is not yet clear whether the legitimate reasons of the controller outweigh your reasons.
If the processing of personal data relating to you has been restricted, such data – apart from being stored – may be processed only with your consent or for the purpose of asserting, exercising or defending legal claims or protecting the rights of another natural or legal person or on grounds of an important public interest of the Union or a Member State.
If the restriction on processing has been restricted in accordance with the above conditions, you will be informed by the controller before the restriction is lifted.
4. right of cancellation
a) Duty to delete
You may request the controller to delete personal data concerning you without delay and the controller is obliged to delete such data without delay if one of the following reasons applies:
(1) the personal data concerning you are no longer necessary for the purposes for which they were collected or otherwise processed
(2) you revoke your consent on which the processing was based pursuant to Art. 6 para. 1 lit. a or Art. 9 para. 2 lit. a DPA and there is no other legal basis for the processing.
(3) You submit an objection to the processing pursuant to Art. 21 Para. 1 DSGVO and there are no overriding legitimate reasons for the processing, or you submit an objection to the processing pursuant to Art. 21 Para. 2 DSGVO.
(4) The personal data concerning you have been processed unlawfully.
(5) The deletion of personal data concerning you is necessary to comply with a legal obligation under Union law or the law of the Member States to which the controller is subject.
(6) The personal data concerning you have been collected in relation to information society services offered, in accordance with Article 8(1) of the DPA.
The right of cancellation does not exist insofar as the processing is necessary
(1 ) on the exercise of the right to freedom of expression and information;
(2) to comply with a legal obligation requiring processing under Union or national law to which the controller is subject or to perform a task carried out in the public interest or in the exercise of official authority vested in the controller;
(3) for reasons of public interest in the field of public health pursuant to Art. 9 para. 2 lit. h and i and Art. 9 para. 3 DSGVO;
(4) for archival, scientific or historical research purposes in the public interest or for statistical purposes pursuant to Art. 89 para. 1 DSGVO, insofar as the right referred to in section a) is likely to render impossible or seriously prejudice the attainment of the objectives of such processing, or
(5) to assert, exercise or defend legal claims.
5. right to information
If you have exercised the right to rectify, erase or limit the processing, the controller is obliged to notify all recipients to whom the personal data concerning you have been disclosed of this rectification, erasure or limitation of processing, unless this proves impossible or involves a disproportionate effort.
You have the right to be informed of these recipients by the controller.
6. right of objection
You have the right to object at any time, for reasons arising from your particular situation, to the processing of personal data concerning you which is carried out on the basis of Article 6 paragraph 1 letter e or f of the DPA; this also applies to profiling based on these provisions.
The controller no longer processes the personal data concerning you, unless he can demonstrate compelling reasons for processing which are worthy of protection and which outweigh your interests, rights and freedoms, or unless the processing serves to assert, exercise or defend legal claims.
Where personal data relating to you are processed for the purpose of direct marketing, you have the right to object at any time to the processing of personal data relating to you for the purpose of such marketing, including profiling, insofar as it relates to such direct marketing.
If you object to processing for the purposes of direct marketing, the personal data concerning you will no longer be processed for those purposes.
You have the possibility to exercise your right of objection in relation to the use of information society services, without prejudice to Directive 2002/58/EC, by means of automated procedures using technical specifications.
7. right to withdraw your data protection consent
You have the right to revoke your data protection declaration of consent at any time. Revocation of your consent does not affect the legality of the processing that has taken place on the basis of your consent until revocation.
8. right to appeal to a supervisory authority
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State in which you are domiciled, your place of work or the place where the alleged infringement occurred, if you consider that the processing of personal data relating to you is in breach of the DPA.
The supervisory authority to which the complaint has been sent shall inform the complainant of the status and outcome of the complaint, including the possibility of a judicial remedy under Art. 78 DSGVO.
Status: May 2018