Data protection information according to Art. 13 and 14 of the EU General Data Protection Regulation (GDPR)
With this privacy policy we inform you about the processing of your personal data by us as well as about the rights to which you are entitled in the context of guest services.
All information is valid as of June 2022, subject to change.
1. Who is responsible for data processing and who can you contact?
DERTOUR Destination Services AG
Korporationsweg 9b
8832 Wilen bei Wollerau
Switzerland
dataprivacy.guestservice@dertouristik.com
If you have any questions on the subject of data protection, you can contact the following e-mail address: dataprivacy.guestservice@dertouristik.com.
2. What data and what sources do we use?
We process data that we receive in the course of supporting your travel or on the basis of your consent. We receive the data directly from you, e.g. as part of the travel order or other order.
If you provide us with personal data of other persons (e.g. fellow travellers) as a travel applicant, including special personal data from which e.g. health, religion or sex life may be revealed (Art. 9 (1) GDPR), you must ensure that they agree to this and that you may transmit the data. You must ensure that these individuals know how their personal data can be processed by us and what rights they have.
As far as necessary, we process the following categories of data
- Identification/authentication data (e.g. surname and first name, booking number)
- Demographic data (e.g. age and date of birth)
- Physical characteristics (e.g. gender)
- Communication data (e.g. e-mail address, telephone number correspondence, e-mail correspondence)
- Travel data (e.g. products/services booked)
- Behaviour (e.g. behaviour on our websites, location, …)
- Sensitive Data (e.g. health, religion, …)
- Preferences
3. On what legal basis and for what purpose is your data used?
3.1 Necessary for the implementation of pre-contractual measures which are carried out at your request or the fulfilment of contractual obligations with you (Art. 6 para. 1 lit. b GDPR)
- To arrange and carry out the trip/ booked services, incl. complaints and crisis management
- For the provision of contact options to us (e.g. via contact forms)
3.2 Due to legal requirements (Art. 6 para. 1 lit. c GDPR)
We are subject to various legal obligations and statutory requirements (e.g. tax laws). The purposes of processing include the fulfilment of tax law/official control and reporting obligations as well as storage under financial and tax law.
3.3 Data processing for the protection of vital interests (Art. 6 para. 1 lit. d GDPR)
We process your data in individual cases to protect your vital interests, e.g. to be able to provide emergency services with an evacuation list in emergency situations. The data is deleted after the required retention periods have expired.
3.4 To safeguard legitimate interests (Art. 6 para. 1 lit. f GDPR)
Within the framework of a balancing of interests, to safeguard legitimate interests, your data may be used by us or by legitimate third parties. This is done for the following purposes:
- Provision of contact options (contact form)
- Further development of travel services and additional products
- Assertion of legal claims and defence in legal disputes
- Prevention and detection of fraud and crime
- Processing enquiries and providing necessary information
- Ensuring IT security and availability of IT operations
Our interest in the respective processing results from the respective purposes and is otherwise of an economic nature (profit generation, avoidance of legal risks, efficient task fulfilment, provision and security of our services).
As far as the specific purpose allows, we process your data pseudonymously.
3.5 Based on your consent (Art. 6 para. 1 lit. a GDPR)
If you have given us consent to process your personal data, this consent is the legal basis for the processing mentioned there. In particular, you may have consented to the transmission of information by e-mail. You can revoke your consent at any time with effect for the future. To do so, please contact us at our contact address. The revocation only applies to future processing, not to processing that has already taken place.
4. Who gets my data?
Your personal data will only be passed on in compliance with the requirements of the GDPR and only insofar as this is permitted by a legal basis. Your data will only be disclosed to those bodies that need it to fulfil our contractual and legal obligations or to perform their respective tasks, e.g.
- Internal offices entrusted with the mediation, implementation of travel support/processing of your enquiry
- Destination agency (transfer and possibly excursion organisation)
- Transport service providers ( e.g. bus companies, car rental companies)
- Accommodation operators (e.g. hotels)
- Service providers of other booked services or partners for the implementation of travel support (e.g. excursion providers)
- In addition, the following bodies may receive your data:
- Processors used by us (Art. 28 GDPR), in particular in the area of IT services, who process your data for us in accordance with your instructions
- Public offices and institutions ( Embassies of the destination country) in the event of a legal or official obligation (storage obligations, VISA procurement, obtaining entry requirements) as well as
- Other positions for which you have given us your consent to data processing
5. How long will my personal data be stored?
To the extent necessary, we process your personal data for the duration of our business relationship, which also includes the initiation and execution of a contract and to defend our rights. In addition, we are subject to various retention and documentation obligations resulting from national laws.
Unless otherwise stipulated by special law, the retention obligation lasts 10 years in accordance with the Swiss Code of Obligations, beginning at the end of the financial year.
Your personal data will be deleted on the basis of your consent as soon as the purpose has been fulfilled or until revocation.
6. Will my data be transferred to a third country?
We only transfer your data to recipients outside the scope of the regulation of the GDPR if this is necessary for the implementation of pre-contractual measures or the implementation of services or is required by law or if you have given us your consent. This data processing is a permitted exemption from Art. 49 GDPR.
Insofar as a third country transfer takes place when using processors, this is secured, among other things, with EU standard contractual clauses in accordance with Art. 46 Para. 2 lit. c GDPR. If necessary, the EU standard contractual clauses are supplemented by further contractual assurances.
7. Do I have certain rights?
You have the right of information (Art. 15 GDPR), correction (Art. 16 GDPR), deletion (Art. 17 GDPR), restriction of processing (Art. 18 GDPR) and data portability (Art. 20 GDPR) under the respective legal conditions.
In addition, you have the right to object at any time on reasons relating to your particular situation to the processing of personal data relating to you that is carried out on the basis of Article 6 (1) (f) of the GDPR, in accordance with Article 21 of the GDPR. This also applies to so-called „profiling“ based on this provision within the meaning of Art. 4 No. 4 GDPR. If a justified objection is made, we will no longer process this personal data for these purposes. An objection can be made informally to our contact address. You also have the right to lodge a complaint with a data protection supervisory authority (Art. 77 GDPR).
A current list of the competent supervisory authorities can be found at
https://www.ldi.nrw.de/
https://www.edoeb.admin.ch
8. Is there an obligation for me to provide my data?
Within the framework of the execution of the trip, you only have to provide the personal data that is necessary for the execution or that we are legally obliged to collect. Without this data, we will usually have to refuse the conclusion of the contract or the execution of the order or will no longer be able to execute an existing contract and may have to terminate it.
9. Is there automated decision-making in individual cases?
For the establishment and implementation of the business relationship, we generally do not use automated decision-making pursuant to Art. 22 GDPR. Should we use these procedures in individual cases, you will be informed separately, insofar as this is required by law.
10. Will my data be used for profiling in any way?
Use for profiling purposes does not take place.