Privacy policy
Data protection information for users of our website and customers
We would like to inform you about how we process your personal data in accordance with
the General Data Protection Regulation (‘GDPR’).
Our data protection information is structured in modules. It consists of general
notes for all processing of personal data and processing situations
(I.) and special notes, the content of which only refers to the processing situation specified therein
processing situation (II. et seq.). To find the parts that are relevant for you, please refer to the following structure:
I. General information
II. Additional information for the website (https://www.wohnperlen-apartments.de)
III. Newsletter distribution
IV. Additional information for communication with us
V. Additional information for our customers
I. General information
1. Person responsible for data protection
person responsible within the meaning of the GDPR and other national data protection laws of the
member states as well as other data protection regulations is:
Wohnperlen UG (haftungsbeschränkt), Oskar-Röder-Straße 6, 01237 Dresden, +49 172 3419400
2. Legal basis for the processing of personal data
We process some of your personal data on the basis of the following
legal bases:
a) Consent of the data subject
Insofar as we obtain the consent of the data subject for a specific purpose, Art. 6
para. 1 sentence 1 lit. a GDPR is the legal basis.
b) Fulfilment of contractual obligations
Insofar as the processing is necessary for the fulfilment of a contract to which
you are a party, Art. 6 para. 1 sentence 1 lit. b GDPR is the legal basis. This also applies to
processing operations that are necessary to carry out pre-contractual measures.
c) Legal requirements and obligations
Insofar as processing is necessary to fulfil a legal obligation to which we
are subject, Art. 6 para. 1 sentence 1 lit. c DSGVO is the legal basis.
d) Safeguarding legitimate interests
Insofar as processing is necessary to safeguard our legitimate interests or those of a third party
and your interests, fundamental rights and freedoms do not outweigh the former
interest, Art. 6 para. 1 sentence 1 lit. f DSGVO is the legal basis.
3. Storage period and deletion of personal data
Personal data is deleted or blocked as soon as there is no longer any purpose
justifying a legal basis for processing.
4. Recipients of personal data
Internally, personal data is only processed by the departments that require it for the fulfilment of their
processing purposes. This also applies to the
contract processors, service providers and vicarious agents we use. All departments and persons who
work with personal data are bound to data secrecy and
made aware of the sensitive handling of such data.
Personal data will only be passed on to third parties if this is in accordance
with data protection regulations. In particular,
persons employed to carry out our business operations (e.g. service providers for IT and EDP services,
banks, tax advisors) and government agencies/authorities may receive
your personal data insofar as this is necessary to fulfil a legal obligation
.
5. Data processing in third countries
In some cases, our services require the processing of personal data in
countries outside the EU/EEA (‘third countries’) by our processors. Insofar as
personal data is processed and there is no
data protection level in the country that corresponds to the European standard and that
has been confirmed by an adequacy decision in accordance with Art. 45 (3) GDPR by the EU Commission
, we have concluded EU standard contractual clauses with the processors concerned in order to establish appropriate safeguards within the meaning of Art. 46
GDPR. A copy of the EU standard contractual clauses can be found here:
https://eur-lex.europa.eu/legal-content/DE/TXT/PDF/?uri=CELEX:32021D0914&from=DE.
We will notify you in the event of processing in third countries.
6. Rights of data subjects
If your personal data is processed, you are a data subject within the meaning of
the GDPR and you have the following rights in relation to us as the controller:
a) Right of access
Pursuant to Art. 15 GDPR, you have the right to request information about the personal data processed by us.
In particular, you can
• request information about the purposes of the processing,
• the category of the data,
• the categories of recipients to whom your data has been or
will be disclosed, as well as information as to whether the personal data will be transferred to a third country or to an international organisation (in this context, you can
request information about the appropriate guarantees in accordance with Art. 46 GDPR),
• the planned storage period,
• the existence of a right to rectification, erasure, restriction of
processing or objection,
• the existence of a right to lodge a complaint, the source of your data if it was not
collected by us,
• and the existence of automated decision-making including
profiling in accordance with Art. 22 (1) and (4) GDPR and – at least in these cases –
meaningful information about the logic involved and the scope and
intended effects of such processing for the data subject
.
b) Right to rectification
In accordance with Art. 16 GDPR, you have the right to have your personal data rectified and/or completed
your personal data if it is incorrect or incomplete. We are required to
make the correction without undue delay.
c) Right to restriction of processing
Pursuant to Art. 18 GDPR, you have the right to request the restriction of the processing of your
data if you dispute the accuracy of the data or the
processing is unlawful.
If the processing has been restricted, you will be informed by us
before the restriction is lifted.
d) Right to erasure
Pursuant to Art. 17 GDPR, you have the right to erasure of your personal data,
unless the processing is necessary for exercising the right of freedom of expression and
information, for compliance with a legal obligation, for reasons of public
interest or for the establishment, exercise or defence of legal claims
.
e) Right to notification
If you have asserted the right to rectification, erasure or restriction of processing
against us, we are obliged to notify all recipients to whom the
personal data has been disclosed of the rectification, erasure of the
personal data or restriction of processing, unless
this proves impossible or involves a disproportionate effort.
f) Right to data portability – Pursuant to Art. 20 GDPR, you have the right to receive the personal data concerning you, which you have provided to us,
in a structured, commonly used and machine-readable format
or to demand its transmission to another controller.
g) Right to object
Pursuant to Art. 21 GDPR, you have the right to object to the processing
provided that the processing is carried out on the basis of Art. 6 (1) sentence 1 lit. e or lit. f GDPR.
Unless the objection is to direct marketing, we ask
when exercising such an objection to explain the reasons why we
should not process your data as we have done. In this case, we will examine the
and will either stop or adjust the data processing or
show you our compelling legitimate grounds for continuing the processing
.
h) Right to revoke the declaration of consent under data protection law
Pursuant to Art. 7 (3) GDPR, you have the right to revoke your declaration of consent under data protection law
at any time. The revocation of consent does not affect the
lawfulness of the processing carried out on the basis of the consent until the revocation
.
i) Right to lodge a complaint with a supervisory authority
Pursuant to Art. 77 GDPR, you have the right to lodge a complaint with a data protection supervisory authority
about our processing of your personal data.
II. Additional information for the website (https://www.example.org)
We are responsible for our website and its sub-pages (‘website’).
When you use our websites, personal data is processed. In the following,
we will provide you with detailed information about the data processing that takes place.
1. provision of the website and creation of log files
When you access our websites, we automatically collect data and information from the
user's end device (so-called log files).
Processor
To provide our website, we use the processor vOffice
GmbH, Untere Querstraße 3, 237030 Neustadt in Holstein (‘vOffice’), with whom we have concluded a
data processing agreement. vOffice in turn uses
the service provider Amazon Web Service (‘AWS’, Amazon.com Inc.,
2012 Seventh Ave., Seattle, Washington 98121, USA) as a subcontractor, with whom vOffice has
has concluded a data processing agreement with vOffice and processes the personal data
exclusively on behalf of vOffice.
AWS also provides the so-called ‘Content Delivery Network’ CloudFront CDN for faster and more secure delivery of our
website.
Here, too, personal data is processed exclusively on behalf of vOffice. AWS may
process personal data via sub-processors in a
third country. AWS has therefore concluded the EU standard contractual clauses with its sub-processors to
provide suitable guarantees within the meaning of Art. 46 GDPR.
In addition, Amazon Web Services
Inc. is certified under the EU-US Data Privacy Framework (adequacy decision within the meaning of Art. 45 (
3) GDPR).
Information processed and duration of processing
The following information is processed:
• Information about the browser type and version used
• The operating system of the end device
• The user's internet service provider
• The IP address of the end device
• Date and time of access
• Referrer URL
The log files are deleted within 7 days at the latest.
Purpose of processing and legal basis
The data is required to display the website on the user's device, to ensure its
functionality and to analyse any malfunctions. We also use the
data to optimise the website and to ensure the security of our
information technology systems.
The legal basis is Art. 6 para. 1 sentence 1 lit. f GDPR. The collection of log files is
operation of the website is absolutely essential. Consequently, there is no possibility for the user to
object.
2. Use of mandatory cookies
We use cookies on our website. These are text files that are stored in or by the
internet browser on the system of the user's end device when visiting a website
.
Processed information & duration of processing
Each cookie contains a characteristic string of characters that enables the browser
to be clearly identified the next time the website is accessed and thus the respective
user end device.
The necessary cookies are deleted in the following time periods:
• Duration of the session
Purpose & legal basis
Some of our website's functions cannot be carried out without the use of cookies.
These technically necessary cookies are not used to determine the identity of the
user or to create user profiles.
The legal basis for the storage of mandatory cookies is § 25 para. 2 no. 2
TTDSG.
The legal basis for the processing of the personal data generated in the process is
Art. 6 para. 1 sentence 1 lit. f DSGVO.
The use of these cookies is absolutely necessary for the operation of the website.
Consequently, the user has no right of objection.
3. Consent Manager
We have integrated a consent solution (so-called ‘Consent Manager’) on our website
which ensures the legally required consent for the use of cookies.
By means of the Consent Manager, the required consent for
storing cookies or accessing information that has already been stored in cookies
and documented. The Consent Manager also contains
all detailed information about the cookies and technologies used.
Purpose of processing & legal basis
The legal basis is Art. 6 para. 1 sentence 1 lit. c GDPR.
Processor
The Consent Manager ‘CCM19’ from the provider Papoo Software & Media
GmbH, Auguststr. 4, 53229 Bonn. The Consent Manager was integrated via the servers of our
contract service provider vOffice GmbH.
As long as the user does not give consent, the Consent Manager blocks the setting of
cookies that require consent. In order to assign page views to individual users
and to record and store consents, the Consent Manager collects
Consent Manager collects certain information from the user, including the IP address, so that page views can be assigned to individual users and so that consents can be recorded and stored.
This data is not passed on to the provider of the Consent Manager. The
collected data is stored until the cookie is deleted by the user,
the user requests us to delete it, or the purpose for storing the data no longer applies.
Mandatory legal retention periods remain unaffected.
4. Use of the analysis service Google Analytics
We use the analysis tool Google Analytics on our website, which
uses analysis cookies or similar technologies.
Processor & third-country processing
The analysis tool we use is provided by Google Ireland Limited (‘Google’), Gordon
House, Barrow Street, 4 Dublin, Ireland, which acts as our sub-processor
and with which our processor vOffice has
(sub-)processing contract. It is possible that Google
processes personal data in a third country. Therefore, the
Google companies have
concluded EU standard contractual clauses with each other to provide suitable guarantees within the meaning of Art. 46 GDPR. For more information about
Google's privacy practices, please see the Google Privacy Policy
https://policies.google.com/privacy.
Processed information
The analysis tool collects the following categories of personal data:
• Visibility of ads
• Timestamp
• Track clicks on ads
• IP (truncated)
• Track time and date
• Track user device
• Track user location
• Visitor behaviour
• User agent
• Language
• Visited website
• Time zone
Purpose, legal basis and duration
The use of analysis tools enables us to analyse how our
website is used. The processing is based on the consent of the respective
user, which they grant us when they visit the website for the first time. Consent
is given via our Consent Manager, which you can access again at https://www.example.org
.
On the one hand, consent includes the storage and retrieval of information on the
user's end device in accordance with Section 25 (1) TTDSG.
On the other hand, the consent includes the processing of the resulting
personal data for analysis purposes in accordance with Art. 6 (1) sentence 1 lit. a GDPR.
The processing takes place until the consent is revoked, unless the purpose of the
processing no longer applies.
5. Other services
We use Google Tag Manager on our website.
Processor & third-country processing
Google Tag Manager is provided by Google Ireland Limited (‘Google’), Gordon House,
Barrow Street, 4 Dublin, Ireland, which acts as our subprocessor
and with which our processor vOffice has concluded a data processing agreement.
Google may process personal data in a third country
. Therefore, the Google companies have concluded EU standard contractual clauses with each other to provide suitable guarantees
within the meaning of Art. 46 GDPR.
For more information about privacy at Google, please see the Google
privacy policy https://policies.google.com/privacy.
Processed information
The Google Tag Manager tool processes the following categories of personal
data:
• Date/time stamp
• IP address (truncated)
• Tracking user location
• Language
• Visited website
• Time zone
Purpose, legal basis and duration
Google Tag Manager is an auxiliary service. It loads other components that
may collect data under certain circumstances. Google Tag Manager does not access
this data. The processing is based on the consent of the respective user, which
granted to us when you first visit the website. Consent is granted via
our Consent Manager, which you can access again at https://www.example.org
.
On the one hand, consent includes the storage and retrieval of information on the
user's end device in accordance with Section 25 (1) TTDSG.
On the other hand, consent includes the processing of the resulting
personal data for analysis purposes in accordance with Art. 6 para. 1 sentence 1 lit. a DSGVO.
The processing takes place until the consent is revoked, unless the purpose of the
processing already ceases to apply.
6. payment service provider Stripe
For the execution of payments initiated through our website, we use
the payment service provider Stripe Payments Europe Ltd, 1 Grand Canal Street Lower, Grand
Canal Dock, Dublin, Ireland (‘Stripe’). When Stripe provides services as a
payment service provider (PSP), Stripe itself is
the controller within the meaning of the GDPR. Payment processing via credit card and
SEPA direct debit is carried out directly via Stripe. We do not process this data for our own
purposes.
If necessary, to process payment differences,
we and Stripe may also need to exchange such data that is related
to your respective booking. These data transfers are each carried out on the
basis of a legitimate interest in accordance with Art. 6 para. 1 lit. f DSGVO. Please note
that Stripe, as a financial services provider and data controller with respect to the processing
of financial transaction data, may also pass on your personal data to credit reference agencies,
as well as to affiliated companies and subcontractors, insofar as this is necessary to
fulfil contractual obligations or on the basis of a legitimate
interest or the data is processed on behalf of a third party. It is not
excluded that Stripe also transfers personal information to affiliated
companies outside the EU or the EEA (e.g. in the USA).
Your data will be transmitted to Stripe in encrypted form and will be processed exclusively by
Stripe for the purpose of payment processing. Stripe is legally obliged to process and
check this data.
For more information about data protection in connection with this
payment service provider, please refer to Stripe's privacy policy:
https://stripe.com/at/privacy
If necessary, we also pass on your data to our service providers in the areas of banking,
taxation and tax advice and – within the scope of legal requirements – to the
tax authorities.
7. Map provider
To provide the maps, our processor vOffice uses the services of
the OpenStreetmap Foundation, St John's Innovation Centre, Cowley Road, Cambridge,
United Kingdom (OpenStreetMap).
Information processed & duration of processing
The following data is processed to display the maps:
• The IP address of the end device
• Date, time
The data is deleted after each session.
Purpose of processing & legal basis
The data is processed to improve the usability of the website and our offers
and thus serves our overriding legitimate interest and the same
interest of the user in accordance with Art. 6 para. 1 sentence 1 lit. f DSGVO.
8. Virtual 3D tours
The presentation of 3D tours (also ‘virtual tour’) is provided by the
service provider Matterport Inc., 352 E. Java Drive, Sunnyvale, CA 94089, USA.
Categories of data processed:
• The IP address of the end device
• Date, time
• Data for the creation of usage statistics
• Data on the use of the website
• Logging of clicks on individual elements
The legal basis for the processing: your consent in accordance with Art. 6 (1) a GDPR.
Data is transferred: to the independent controller Matterport Inc., 352
E. Java Drive, Sunnyvale, CA 94089, USA. The legal basis for the data transfer
to Matterport Inc. is your consent in accordance with Art. 6 (1) a GDPR. This may also
transfer of personal data to a country outside the European Union.
The data is transferred on the basis of your consent in accordance with Art. 6 (1)
(a) in conjunction with Art. 49 (1) (a) GDPR. The privacy policy of Matterport Inc.:
https://matterport.com/de/node/44.
III. Newsletter
You can register to receive a newsletter on our website. We
need your email address for this. In addition, we have to
check whether you are actually the owner of the
email address provided and wish to receive the newsletter. For this purpose,
we will send you a validation email. Our newsletter informs you about our
offers, events and holiday activities.
The legal basis for sending and receiving the newsletter is your consent; Art. 6 para.
1 lS. 1 lit a GDPR. You can revoke your consent to the collection and storage of your
data at any time without stating reasons. To do so, use the unsubscribe link
that you will find at the end of each of our newsletters or contact us at
info@example.org.
Our processor vOffice uses the services of the service provider
Mailjet GmbH, Alt-Moabit 2, 10557 Berlin (‘Mailjet’) to send our newsletter. vOffice has concluded a
data processing agreement with Mailjet, so that Mailjet processes personal data
exclusively on our behalf.
IV. Additional information for communicating with us
The following information applies to all communication with us.
If the communication takes place within a contractual relationship, the
data processing is also governed by the additional information under V.
1. Telephone
You can contact us by phone.
Information processed & duration of processing
In addition to your telephone number, we process the personal data that you provide to us
during the call.
The data will be deleted – unless there is another reason for processing it –
as soon as the matter has been resolved with you.
Purpose of processing & legal basis
The personal data is processed by us solely for the purpose of processing the request and
in the event of follow-up questions.
If the communication is aimed at concluding a contract, the legal basis
for the processing is Art. 6 para. 1 sentence 1 lit. b GDPR (see the additional information under V).
In all other cases, the legal basis is Article 6 (1) sentence 1 point (f) GDPR. Your interest
does not override our interest in answering your enquiry; since you are writing to us,
it is also in your interest to receive an answer and you are aware that we
have to process your personal data in order to answer your enquiry.
2. E-mail and contact form
You can contact us directly by email or by using the contact form on our website.
We would like to point out that there are possibilities for third parties
to gain insights into email communication. If it is important to you that
the information you provide is not exposed to the risk of illegal access by third parties,
we therefore recommend using a different means of communication. However, if you
contact us by email, we assume that you also
wish to continue the exchange via this communication channel.
Processing of information & duration of processing
In addition to your email address, we process the personal data that you
provide us with in the email communication.
The data will be deleted – unless there is another reason for processing it –
as soon as the matter has been resolved with you.
Purpose of processing & legal basis
The personal data is processed by us solely for the purpose of processing the request and
in the event of follow-up questions.
If the communication is aimed at concluding a contract, the legal basis
for the processing is Art. 6 para. 1 sentence 1 lit. b GDPR.
In all other cases, the legal basis is Art. 6 (1) 1 lit. f GDPR. Your interest
does not outweigh our interest in answering your enquiry; since you are writing to us,
it is also in your interest to receive an answer and you are aware that we
have to process your personal data to answer your enquiry.
V. Additional information for our customers
The following information also applies if we are in a contractual relationship
with each other or are in the process of entering into one.
Processed information & duration of processing
Which of your data is processed in detail depends on the tasks
within the contractual relationship. We use the personal information
exclusively for the purpose for which it was provided to us.
In particular, when renting a holiday property, this is:
Title
First name
Surname
Street/house number
Postcode/town
Email address
Telephone number
Country
Timestamp of the booking
IP address of the person making the booking
The personal data will be deleted as soon as the contractual relationship with you
has ended and provided that there is no other reason for processing it.
Purpose of the processing & legal basis
The processing is carried out primarily for the purpose of initiating, establishing and
implementing the contractual relationship; the legal basis is Art. 6 (1) sentence
1 lit. b GDPR.
In addition, we also process your data in part on the basis of our legitimate
interest, namely for the purpose of contact and communication management,
cost-effectiveness checks, contract and project management, and to ensure the
operation of information and telecommunications systems. The legal basis is Art. 6
para. 1 sentence 1 lit. f DSGVO.
In addition, we may also be bound by various legal obligations that
must be complied with due to applicable laws and regulations. The legal basis for
processing to fulfil legal requirements and obligations is Art. 6 para. 1 sentence 1
lit. c GDPR. These include, in particular, tax law retention obligations.
Data processing in connection with the digital guest card
Our holiday property customers are entitled to use the digital guest card,
which we provide as part of our contractual relationship. Use
requires the following data to be entered:
• Date of arrival and departure
• First and last name of the guest
• Date of birth
• Nationality
• Address
• Number of fellow travellers and their nationality
• ID number for foreign guests
• E-mail address
This data (with the exception of the e-mail address) is used to fulfil the guest's registration obligation
in accordance with § 30 of the Federal Registration Act. In this respect, the data processing is
on Art. 6 para. 1 sentence 1 lit c) DSGVO. We would like to point out that we are obliged, at the request of the
competent authority, to provide the data (with the exception of the e-mail address).
The legal retention period is twelve months. After that,
the data will be deleted within three months.
The data
• First and last name of the guest
• E-mail address
• Data on the use of discounts
are processed in order to provide the guest with the services associated with the digital guest card.
In this respect, the data processing is based on Art. 6 Para. 1 S. 1 lit b)
GDPR. In this respect, the additional information for our customers and contractual partners described above applies
.
The data will be deleted if any claims by the guest based on the
provision of the guest card, namely three years after the end of the year
in which the claim arose.
We also use the company vOffice GmbH, Untere Querstraße 3, 23730 Neustadt i. H., as a processor for the digital guest card to process the
reporting obligation via the guest card and to fulfil the
obligation to provide the guest card for the purpose of claiming
benefits.