Mandatory information according to GDPR

Our handling of your data and your rights

- Information in accordance with Articles 13, 14 and 21 of the EU General Data Protection Regulation (GDPR) -

In the following, we would like to inform you about the processing of your personal data by Kurverwaltungsgesellschaft mbH Waldbronn and the claims and rights to which you are entitled under data protection regulations.

Preliminary remark

In order to better understand the content of the privacy policy, we would first like to familiarise you with some important data protection terms.

What is personal data?

According to Art. 4 GDPR, personal data is "any information relating to an identified or identifiable natural person (hereinafter referred to as "data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person".

What is meant by the processing of personal data?

Data processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Who is responsible for the processing of personal data?

The "controller" of data processing is the natural or legal person, public authority, agency or other body (including public bodies) which alone or jointly with others determines the purposes and means of the processing of personal data.

Who is a data subject affected by data processing?

A data subject is any identified or identifiable natural person whose personal data is processed by the controller.

What is meant by a processor?

"Processor" is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

Further definitions can be found in Art. 4 GDPR.

1 Who is responsible for data processing and who can I contact?

The entity responsible for data processing is

Kurverwaltungsgesellschaft mbH Waldbronn
Market square 7
76337 Waldbronn
Telephone: 07243 5657-0

Our official data protection officer is Mr Dirk Benjowsky, lawyer, Ligusterweg 27, 76337 Waldbronn. You can reach him at:

2 What sources and data do we use?

We process personal data that we receive from you in connection with the operation of our facilities (Albtherme Waldbronn, Eistreff Waldbronn, Freibad Waldbronn) or in the context of our fulfilment of tasks in tourism (billing of visitor's tax, answering contact enquiries, issuing Waldbronn guest card, Albtal guest card). For purchases in our online shop, we refer separately to data processing in our privacy policy on our homepage.

We also process - to the extent necessary for the provision of our services - personal data that we have received from third parties in a permissible manner (e.g. to fulfil legal obligations or on the basis of consent given by you).

Relevant personal data includes personal details (name, address and other contact details, date and place of birth and nationality), legitimisation data (e.g. ID card details) and authentication data (e.g. your signature). In addition, this may also include data about your use of the telemedia we offer (e.g. accessing our website) and other data comparable with the aforementioned categories.

For particularly sensitive data (e.g. health data, religious or ideological beliefs), data processing only takes place with your consent, which expressly refers to this data. The transmission of data by persons who are subject to professional secrecy, e.g. doctors and lawyers, also requires special authorisation from the data subject.

3 What do we process your data for (purpose of processing) and on what legal basis?

We process personal data in accordance with the provisions of the European General Data Protection Regulation (GDPR), the German Federal Data Protection Act (BDSG), the Baden-Württemberg State Data Protection Act (LDSG) and all other relevant laws. We only collect personal data without the involvement of the data subject if direct collection would require a disproportionate effort.

a) For the fulfilment of contractual obligations

(Art. 6 para. 1 lit. b) GDPR)

If you wish to make use of our services (e.g. make a booking or reservation), submit an enquiry or use our facilities, we generally require personal data from you (e.g. issuing a season ticket for our outdoor pool, making a reservation for the ice rink, registering for courses at the Albtherme, etc.). We use the data collected for communication with you, for invoicing/billing and for other obligations associated with the fulfilment of the contract. The utilisation of our services or the use of our facilities is not possible, or not possible to the full extent, without the processing of your personal data. In addition, we require your personal data for evaluations (compilation of statistics), e.g. to further improve our offers or to fulfil legal obligations.

b) As part of the balancing of interests

(Art. 6 para. 1 lit. f) GDPR)

Where necessary, we process your data beyond the actual fulfilment of our contractual obligations to protect our legitimate interests or those of third parties. These are in particular:

  • Measures to safeguard domiciliary rights,
  • Measures for the further development of our services,
  • Assertion and defence of claims in the event of legal disputes,
  • Ensuring IT security and IT operations.

c) Based on your consent (Art. 6 (1a) GDPR, Art. 9 (2a) in conjunction with Art. 7 GDPR)

If you have given us your consent to process personal data for specific purposes (e.g. advertising or analysing data for marketing purposes), this processing is lawful on the basis of your consent. Insofar as special categories of personal data (e.g. your health data) are required for this purpose, we will obtain your consent in accordance with Art. 9 para. 2 a) in conjunction with Art. 7 GDPR.

Consent that has been granted can be withdrawn at any time. This also applies to the revocation of declarations of consent given to us before the General Data Protection Regulation came into force, i.e. before 25 May 2018.

Please note that the revocation is only effective for the future. Processing that took place before the revocation is not affected.

d) Due to legal requirements (Art. 6 para. 1 lit. c) GDPR)

In addition, we process your personal data to fulfil legal obligations, such as retention obligations under commercial and tax law or our documentation obligations.

4 Who receives my data?

Within Kurverwaltungsgesellschaft mbH Waldbronn, those departments that need your data to fulfil our contractual and legal obligations will have access to it. Processors engaged by us (Art. 28 GDPR) may also receive data for these purposes. The processors are contractually obliged by us to comply with the requirements of the GDPR and the BDSG. We currently use processors in the categories of software maintenance, hosting and newsletter dispatch.

With regard to the transfer of data to recipients outside the aforementioned bodies, we only pass on data if this is required by law, if you have given your consent or if we are otherwise authorised to provide information. Under these conditions, recipients of personal data may be, for example: Public authorities and institutions (e.g. tax authorities, law enforcement or customs authorities) if there is a legal or official obligation. Other data recipients may be those bodies for which you have given us your consent to transfer data.

5 How long will my data be stored?

The data provided by you will be processed for as long as it is necessary to fulfil the (contractually) agreed purpose, i.e. as long as the contractual or usage relationship exists. After its termination, the data provided by you will be processed to comply with statutory retention obligations or on the basis of our legitimate interests. The existing retention or documentation periods in this respect are generally six or ten years. Finally, the storage period is also assessed according to the statutory limitation periods, in particular according to §§ 195 ff. of the German Civil Code (BGB). In individual cases, a retention period of up to thirty years may therefore be considered.

Once the statutory retention periods have expired and/or our legitimate interests no longer apply, the data you have provided will be deleted.

6 Is there an obligation to provide data?

In principle, you only have to provide the personal data that is necessary for the establishment, implementation and termination of our legal relationship or that we are legally obliged to collect. Without this data, we will generally not be able to provide our services or will not be able to provide them in full or will have to terminate an existing legal relationship.

7 Is data transferred to a third country or an international organisation?

If we transfer personal data to service providers outside the European Economic Area (EEA), the transfer will only take place if the third country has been confirmed by the EU Commission to have an adequate level of data protection or other appropriate data protection guarantees are in place.

8 What data protection rights* do I have?

a) Right to information pursuant to Art. 15 GDPR:

You have the right to receive information free of charge upon request as to whether and what data about you is stored and for what purpose it is stored.

b) Right to rectification pursuant to Art. 16 GDPR:

You have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning you. Taking into account the purposes of the processing, you have the right to request the completion of incomplete personal data, including by means of a supplementary declaration.

c) Right to erasure ("right to be forgotten") pursuant to Art. 17 GDPR:

You have the right to demand that the controller erase your data without undue delay. The controller is obliged to erase personal data without undue delay where one of the following grounds applies:

aa) The purposes for which the personal data was collected no longer apply.

bb) You withdraw your consent to the processing. There is no other legal basis for the processing.

cc) You object to the processing. There is no other legal basis for the processing.

dd) The personal data was processed unlawfully.

ee) The deletion of the personal data is necessary to fulfil a legal obligation under Union law or the law of the Member States to which the controller is subject.

ff) The personal data have been collected in relation to the offer of information society services referred to in Article 8(1) GDPR.

d) Right to restriction of processing pursuant to Art. 18 GDPR and Section 35 BDSG:

You have the right to demand the restriction of processing if one of the following conditions is met:

aa) The accuracy of the personal data is contested by you.

bb) The processing is unlawful, but you oppose the erasure.

cc) Personal data are no longer required for the purposes of the processing; however, you require the data for the establishment, exercise or defence of legal claims.

dd) You have lodged an objection to the processing pursuant to Art. 21 para. 1 GDPR. As long as it has not yet been determined whether the legitimate reasons of the controller outweigh your reasons, processing will be restricted.

e) Right to data portability pursuant to Art. 20 GDPR:

You have the right to receive the data provided by you from the controller in a structured, commonly used and machine-readable format. We must not prevent the data from being forwarded to another controller.

f) Right to object pursuant to Art. 21 GDPR:

You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on point (f) of Article 6(1) GDPR (data processing on the basis of a balancing of interests). If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves the establishment, exercise or defence of legal claims.

You also have the right to object to the processing of your personal data for the purpose of direct marketing. Please address your objection to our contact details above.

g) Withdrawal of consent

You have the right to withdraw your declaration of consent under data protection law at any time. All you need to do is send us an informal email. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

h) Right to lodge a complaint with a supervisory authority

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority in the event of breaches of data protection law. The supervisory authority responsible for us in matters of data protection law is:

The State Commissioner for Data Protection and Freedom of Information Baden-Württemberg
P.O. Box 10 29 32, 70025 Stuttgart
Lautenschlagerstr. 20, 70173 Stuttgart

Tel.: 0711 61 55 41 - 0
Fax: 0711 61 55 41 - 15


*Restrictions exist according to §§ 34 and 35 BDSG (rights to information and deletion) as well as according to the provisions of §§ 8 to 11 LDSG BW.