Privacy Policy

1. Introduction

The A-ROSA Flussschiff GmbH and the A-ROSA Reederei GmbH are both responsible for data processing. The protection of your privacy and personal data is very important to us. We also pay close attention to this aspect in our online activities.

With the following information, we would like to give you, as the “data subject”, an overview of how we process your personal data and your rights under data protection laws. It is generally possible to use our website without entering any personal data. However, if you wish to use special services offered by our company via our website, it may be necessary to process personal data. If the processing of personal data is necessary and there is no legal basis for such processing, we will generally obtain your consent.

The processing of personal data, such as your name, address or email address, is always carried out in accordance with the General Data Protection Regulation (GDPR) and in compliance with the country-specific data protection regulations applicable to A-ROSA Flussschiff GmbH. With this privacy policy, we would like to inform you about the scope and purpose of the personal data we collect, use and process.

As the party responsible for processing personal data via this website, we have implemented a variety of technical and organisational measures to provide the highest level of protection possible. Nevertheless, internet-based data transmissions can generally have security gaps, meaning that absolute protection cannot be guaranteed. For this reason, you are free to transmit personal data to us by alternative means, such as by telephone or post.

You too can take simple and easy-to-implement measures to protect yourself against unauthorised access to your data by third parties. We would therefore like to take this opportunity to give you some tips on how to handle your data securely:

  • Protect your account (login, user or customer account) and your IT system (computer, laptop, tablet or mobile device) with secure passwords.
  • Only you should have access to the passwords.
  • Make sure to only ever use your passwords for one account (login, user or customer account).
  • Do not use the same password for different websites, applications or online services.
  • Especially when using publicly accessible IT systems or those shared with other people, you should always log out after each session on a website, application or online service.

Passwords should consist of at least 12 characters and be chosen so that they cannot be easily guessed. Therefore, they should not contain common words from everyday life, your own name or the names of relatives, but should include upper- and lower-case letters, numbers and special characters.

2. Responsible

The controller within the meaning of the GDPR is:

A-ROSA Flussschiff GmbH
Loggerweg 5, 18055 Rostock, Germany

Telephone: +4938144040100
Fax: +4938144040109
Email: service@a-rosa.com

Representative of the controller: Rolf-Dieter Maltzahn

3. Data protection officer

You can contact the data protection officer as follows:

Mr. G. Laaser

Email: datenschutzbeauftragter@a-rosa.com

You can contact our data protection officer directly at any time with any questions or suggestions regarding data protection.

4. Definitions

The privacy policy is based on the terminology used by the European legislators and regulators when enacting the General Data Protection Regulation (GDPR). Our privacy policy is intended to be easy to read and understand for the general public as well as for our customers and business partners. To ensure this, we would like to explain the terminology used in advance.

We use the following terms in this privacy policy, among others:

1. Personal data

Personal data is any information relating to an identified or identifiable natural person. A natural person is considered identifiable if they can be identified directly or indirectly, in particular by association with an identifier such as a name, an identification number, location data, an online identifier or one or more special characteristics that express the physical, physiological, genetic, psychological, economic, cultural or social identity of that natural person.

2. Data subject

A data subject is any identified or identifiable natural person whose personal data is processed by the controller (our company).

3. Processing

Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, distribution or any other form of provision, alignment or combination, restriction, erasure or destruction.

4. Restriction of processing

Restriction of processing is the marking of stored personal data with the aim of limiting its future processing.

5. Profiling

Profiling is any form of automated processing of personal data consisting of the use of such personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.

6. Pseudonymisation

Pseudonymisation is the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data is not attributed to an identified or identifiable natural person.

7. Processor

A processor is a natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller.

8. Recipient

A recipient is a natural or legal person, public authority, agency or another body to which personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients.

9. Third party

Third party means any natural or legal person, public authority, agency, or other body, other than the data subject, controller, processor, and persons who, under the direct authority of the controller or processor, are authorised to process personal data.

10. Consent

Consent is any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

5. Legal basis for processing

Article 6 (1) (a) GDPR (in conjunction with Section 25 (1) of the German Telecommunications and Digital Services Data Protection Act (TDDDG, formerly TTDSG)) serves as the legal basis for our company for processing operations in which we obtain consent for a specific processing purpose.

If the processing of personal data is necessary for the performance of a contract to which you are a party—for example, processing operations required for the delivery of goods or the provision of services or other contractual obligations—such processing is carried out on the basis of Article 6(1)(b) GDPR. The same legal basis applies to processing operations that are required for the implementation of pre-contractual measures, such as responding to enquiries regarding our products or services.

If our company is subject to a legal obligation that requires the processing of personal data, such as for the fulfilment of tax obligations, the processing is carried out on the basis of Article 6 (1)(c) GDPR.

If you provide us with health data (e.g. allergens or intolerances) that is important for your stay on our ships, we process your health data on the basis of your express and informed consent in accordance with Article 9 (2) (a) GDPR. We process this data solely for the purpose of providing services (catering) on board. This data is not used for any other purpose. You can revoke this consent at any time with future effect via all communication channels.

In rare cases, the processing of personal data may be necessary to protect the vital interests of the data subject or another natural person. This would be the case, for example, if a visitor were to be injured in our establishment and their name, age, health insurance details or other vital information had to be passed on to a doctor, hospital or other third party. In this case, the processing would be based on Article 6(1)(d) GDPR.

Finally, processing operations may also be based on Article 6 (1)(f) GDPR. This legal basis applies to processing operations that are not covered by any of the above legal bases, where the processing is necessary to safeguard the legitimate interests of our company or a third party, provided that such interests are not overridden by the interests or fundamental rights and freedoms of the data subject. We are permitted to rely on this legal basis in particular because it has been expressly recognized by the European legislator. In this context, the legislator considered that a legitimate interest may be assumed where you are a customer of our company (Recital 47, sentence 2 of the GDPR).

6. Transfer of data to third parties

Your personal data will not be transferred to third parties for purposes other than those listed below.

We only pass on your personal data to third parties if:

  1. you have given us your express consent in accordance with Article 6 (1)(a) GDPR,
  2. the transfer is permissible under Article 6(1)(f) GDPR to safeguard our legitimate interests, and there is no reason to assume that you have an overriding interest worthy of protection in not disclosing your data,
  3. there is a legal obligation to disclose the data in accordance with Article 6 (1)(c) GDPR, and
  4. it is legally permissible and necessary for the performance of contractual relationships with you in accordance with Article 6 (1)(b) GDPR.

In order to protect your data and, if necessary, enable us to transfer data to third countries (outside the EU/EEA), we have concluded agreements on order processing based on the standard contractual clauses of the European Commission. If the standard contractual clauses are not sufficient to establish an adequate level of security, your consent pursuant to Article 49(1)(a) GDPR may serve as the legal basis for the transfer to third countries. This does not apply to data transfers to third countries for which the European Commission has issued an adequacy decision pursuant to Article 45 GDPR.

For the purposes of travel arrangements, it is necessary to transfer data to A-ROSA Reederei GmbH in Switzerland, which is responsible for the operational management of your trip. Data transfers to Switzerland are subject to an adequacy decision. Switzerland offers an adequate level of protection and does not require any special authorisation for data transfers.

Within the scope of the processing operations described in this privacy policy, personal data may be transferred to the USA. Companies in the USA only have an adequate level of data protection if they are certified under the EU-US Data Privacy Framework and thus the adequacy decision of the EU Commission pursuant to Article 45 GDPR applies. We have explicitly mentioned this in the privacy policy for the service providers concerned. In order to protect your data in all other cases, we have concluded agreements on order processing based on the standard contractual clauses of the European Commission. If the standard contractual clauses are not sufficient to establish an adequate level of security, your consent pursuant to Article 49(1)(a) GDPR may serve as the legal basis for the transfer to third countries. This does not apply to data transfers to third countries for which the European Commission has issued an adequacy decision pursuant to Article 45 GDPR.

7. Technology

7.1. SSL/TLS encryption

This site uses SSL or TLS encryption to ensure the security of data processing and to protect the transmission of confidential content, such as orders, login data or contact enquiries that you send to us as the operator. You can recognise an encrypted connection by the fact that the address line of the browser contains “https://” instead of “http://” and by the lock symbol in your browser line.

We use this technology to protect the data you transmit.

7.2. Data collection when visiting the website

If you use our website for informational purposes only, that is, if you do not register or otherwise provide us with information or give your consent to processing that requires consent, we only collect data that is technically necessary to provide the service. This is usually data that your browser transmits to our server (in so-called server log files). Our website collects a range of general data and information each time you or an automated system accesses a page. This general data and information is stored in the server’s log files. The following may be collected:

  1. the browser types and versions used,
  2. the operating system used by the accessing system,
  3. the website from which an accessing system reaches our website (so-called referrer),
  4. the subpages accessed on our website via an accessing system,
  5. the date and time of access to the website,
  6. an Internet Protocol address (IP address), and
  7. the Internet service provider of the accessing system.

We do not draw any conclusions about you as a person when using this general data and information. Rather, this information is required in order to:

  1. deliver the content of our website correctly,
  2. optimise the content of our website and the advertising for it,
  3. ensure the long-term functionality of our IT systems and the technology of our website, and
  4. provide law enforcement authorities with the information necessary for prosecution in the event of a cyber attack.

We evaluate the data and information collected for statistical purposes and to enhance data protection and data security within our company. In this way, we aim to ensure an optimal level of protection for the personal data we process. The data recorded in the server log files is stored separately from any other personal data provided by the data subject.

The legal basis for data processing is Article 6 (1)(f) GDPR. Our legitimate interest arises from the purposes of data collection described above.

7.3. Encrypted payment transactions

If, after concluding a contract that involves a charge, you are obliged to provide us with your payment details (e.g. your account number when issuing a direct debit authorisation), this data is required for payment processing.

Payment transactions using common payment methods (Visa/MasterCard or direct debit) are carried out exclusively via an encrypted SSL or TLS connection. You can recognise an encrypted connection by the fact that the address line of the browser changes from “http://” to “https://” and by the lock symbol in your browser line.

We use this technology to protect the data you transmit.

7.4. Hosting by Nets

We host our website with nets. Software- und Internetlösungen, Brauergasse 2, 18055 Hansestadt Rostock (hereinafter referred to as nets.).

When you visit our website, your personal data (e.g. IP addresses in log files) is processed on the servers of nets.

The use of nets. is based on Article 6 (1)(f) GDPR. We have a legitimate interest in the most reliable presentation, provision and security of our website.

We have concluded a contract for order processing (AVV) with nets. in accordance with Article 28 GDPR. This is a contract required by data protection law, which ensures that nets. processes the personal data of our website visitors only in accordance with our instructions and in compliance with the GDPR.

Further information on nets.’ privacy policy can be found at: www.nets.de/datenschutz (website available only in German).

8. Cookies

8.1. General information about cookies

Cookies are small files that are automatically created by your browser and stored on your IT system (laptop, tablet, smartphone, etc.) when you visit our website.

These files contain information related to the specific device you are using. However, this does not mean that we can directly identify you through them.

We use cookies to make your experience of our website more convenient. For example, we use so-called session cookies to recognise that you have already visited individual pages of our website. These are automatically deleted after you leave our site.

In addition, we use temporary cookies to optimise user-friendliness. These cookies are stored on your device for a defined period of time. When you return to our website to use our services, the system automatically recognises that you have visited before and recalls the entries and settings you previously made, so you do not need to enter them again.

We also use cookies to record the use of our website for statistical purposes and to evaluate our offer for optimisation. These cookies enable us to automatically recognise that you have visited our website before when you visit it again. They are automatically deleted after a defined period of time. The exact storage duration of each cookie can be found in the settings of the consent tool we use.

8.2. Legal basis for the use of cookies

The data processed by the cookies, which is essential for the proper functioning of the website, is therefore necessary to safeguard our legitimate interests and those of third parties in accordance with Article 6 (1) (f) GDPR.

For all other cookies, you have given your consent in accordance with Article 6 (1)(a) GDPR via our opt-in cookie banner.

8.3. Consent Manager (Consent Management Tool)

We use the consent management platform “Consentmanager” from consentmanager AB, Haltegelvägen 1b, 72348 Västeras, Sweden. This service enables us to obtain and manage the consent of website users for data processing.

Consentmanager collects data generated by end users visiting our website. When an end user gives their consent, Consentmanager automatically logs the following data:

  • Browser information
  • Date and time of access
  • Device information
  • The URL of the page visited
  • Banner language
  • Consent ID
  • The consent status of the end user, which serves as proof of consent

The consent status is also stored in the end user’s browser, so the website can automatically read and comply with the end user’s consent for all subsequent page requests and future end user sessions for up to 12 months. The consent data (consent and withdrawal of consent) is stored for three years. The retention period corresponds to the regular limitation period in accordance with Section 195 of the German Civil Code (BGB). The data is then deleted immediately.

The functionality of the website cannot be guaranteed without the processing described above. The user has no right to object as long as there is a legal obligation to obtain the user’s consent to certain data processing operations (Article 7(1), 6(1)(c) GDPR).

Consentmanager is the recipient of your personal data and acts as a processor for us. Data processing takes place exclusively in the European Union.

Detailed information on the use of Consentmanager can be found at: https://www.consentmanager.net/en/privacy/

9. Content of our website

9.1. Registration as a user

You have the option of registering on our website by providing personal data.

The personal data transmitted to us in this process is determined by the respective input mask used for registration. The personal data you enter is collected and stored exclusively for internal use by us and for our own purposes. We may arrange for the data to be passed on to one or more processors, for example, a parcel service provider, who will also use the personal data exclusively for internal use attributable to us.

When you register on our website, the IP address assigned by your Internet service provider (ISP), the date and the time of registration are also stored. This data is stored because it is the only way to prevent misuse of our services and, if necessary, to enable the investigation of criminal offences. In this respect, storing this data is necessary for our protection. This data is not passed on to third parties. This does not apply if we are legally obliged to pass on the data or if the disclosure serves the purpose of criminal prosecution.

Your registration, which involves voluntarily providing your personal data, also enables us to offer you content or services that, due to their nature, can only be offered to registered users. Registered persons are free to change the personal data provided during registration at any time or to have it completely deleted from our database.

Upon request, we will provide you with information at any time about which personal data is stored about you. Furthermore, we will correct or delete personal data at your request, if this does not conflict with any legal retention obligations. The data protection officer named in this privacy policy and all other employees are available to the data subject as contact persons in this context.

Your data is processed in the interest of convenient and easy use of our website. This constitutes a legitimate interest within the meaning of Article 6 (1) (f) GDPR.

9.2. Data processing when opening a customer account and for contract processing

In accordance with Article 6 (1)(b) GDPR, personal data is collected and processed when you provide it to us for the purpose of executing a contract or opening a customer account. The collected data can be seen in the respective input forms. Your customer account can be deleted at any time, for example, by sending a message to the address (as outlined above) of the controller. We store and use the data you provide for contract processing.

The personal data provided during your registration or booking is collected, processed and used for travel processing, the use of a service on our website, customer service or compliance with legal requirements. This includes, among other things, information for the ship’s manifest and satisfaction surveys. In accordance with legal regulations, we generally collect only the data necessary to provide the service you have requested. If we request additional information in our forms, this is always voluntary and clearly marked as such.

This personal data is forwarded to our service providers as part of the travel process.

When booking a trip, personal data of fellow travellers may also be collected. We therefore ask you to ensure that this data is provided with the consent of your fellow travellers. Personal data of children and young people (under 18 years of age) is only collected, stored and used for the purpose of processing the trip.

After complete processing of the contract or deletion of your customer account, your data will be blocked in accordance with tax and commercial law retention periods and deleted after these periods have expired, unless you have expressly consented to further use of your data or we have reserved the right to further use your data in accordance with the law, about which we will inform you below.

9.3. Contacting us / Contact form

When you contact us (e.g. via contact form or email), personal data is collected. The data collected when using a contact form can be seen on the respective contact form. This data is stored and used exclusively for the purpose of responding to your enquiry or for establishing contact and the associated technical administration. The legal basis for this processing of the data is our legitimate interest in responding to your request in accordance with Article 6 (1)(f) GDPR. If your contact is aimed at concluding a contract, the additional legal basis for the processing is Article 6 (1)(b) GDPR. Your data will be deleted after your enquiry has been processed, which is the case when it can be inferred from the circumstances that the matter in question has been conclusively resolved and there are no legal retention obligations that prevent deletion.

9.4. Services / Digital goods

We only transfer personal data to third parties if this is necessary for the execution of the contract, for example, to the credit institution responsible for payment processing.

No further transfer of data will take place unless you have expressly consented to the transfer. Your data will not be passed on to third parties without your express consent, for example, for advertising purposes.

The basis for data processing is Article 6 (1)(b) GDPR, which permits the processing of data for the performance of a contract or pre-contractual measures.

9.5. Blog comment function

We offer users the opportunity to leave individual comments on individual blog posts on a blog located on our website. A blog is a portal maintained on a website, usually publicly accessible, where one or more people, known as bloggers or web bloggers, can post articles or write down their thoughts in so-called blog posts. The blog posts can usually be commented on by third parties.

If you leave a comment on the blog published on this website, in addition to the comments you leave, information about the time the comment was entered and the username you chose will also be stored and published. Furthermore, the IP address assigned by your Internet service provider (ISP) is also logged. This IP address is stored for security reasons and in case you have violated the rights of third parties or posted illegal content in a comment you have submitted. The storage of this personal data is therefore in our own interest so that we can exculpate ourselves in the event of a legal violation. This constitutes a legitimate interest within the meaning of Article 6 (1)(f) GDPR. This collected personal data will not be passed on to third parties unless such disclosure is required by law or serves our legal defence.

9.6. Application management/job board

We collect and process the personal data of applicants for the purpose of managing the application process. Processing may also be carried out electronically. This is particularly the case if an applicant submits the relevant application documents to us electronically, for example by email or via a web form on the website. If an employment or service contract is concluded with an applicant, the transmitted data will be stored for the purpose of processing the employment relationship, in compliance with the statutory provisions. If no contract is concluded, the application documents will be automatically deleted six months after notification of the rejection decision, unless overriding legitimate interests on our part prevent deletion. Such a legitimate interest may arise, for example, from our obligation to provide evidence in proceedings under the General Equal Treatment Act (AGG).

The legal basis for the processing of your data is Article 6 (1)(b), 88 GDPR in conjunction with Section 26 (1) of the Federal Data Protection Act (BDSG).

10. Newsletter dispatch and postal advertising

10.1. Advertising newsletter

Our website offers you the opportunity to subscribe to our company newsletter. The personal data transmitted to us when ordering the newsletter is determined by the input mask used for this purpose.

We inform our customers and business partners about our offers at regular intervals by means of a newsletter. You can only receive our company’s newsletter if:

  1. you have a valid email address, and
  2. you have registered to receive the newsletter.

For legal reasons, a confirmation email will be sent to the address you provided when registering for our newsletter, using the double opt-in procedure. This confirmation email serves to verify that you are the owner of the email address and that you have authorised receiving the newsletter.

When you register for the newsletter, we also store the IP address assigned by your Internet service provider (ISP) to the device used at the time of registration, as well as the date and time of registration. The collection of this data is necessary to be able to trace any (possible) misuse of your email address at a later date and therefore serves our legal protection.

The personal data collected when you subscribe to the newsletter will be used exclusively for the purpose of sending our newsletter. Furthermore, subscribers to the newsletter may be informed by email if this is necessary for the operation of the newsletter service or for registration in this regard, as may be the case in the event of changes to the newsletter offer or changes to the technical conditions. The personal data collected as part of the newsletter service will not be passed on to third parties. You can unsubscribe from our newsletter at any time. The consent you have given us to store your personal data for the purpose of sending you our newsletter can be revoked at any time. For the purpose of revoking your consent, there is a corresponding link in every newsletter. Furthermore, you can also unsubscribe from the newsletter at any time directly on our website or inform us in another way.

The legal basis for data processing for the purpose of sending the newsletter is Article 6 (1) (a) GDPR.

10.2. Episerver

We use Episerver to send newsletters. The provider is Episerver GmbH, Wallstraße 16, 10179 Berlin. Episerver is a service that can be used to organise and analyse newsletter distribution. The data entered to subscribe to the newsletter (e.g. email address) is stored on Episerver’s servers.

Our newsletters sent via Episerver enable us to analyse the behaviour of newsletter recipients. Among other things, we can analyse how many recipients opened the newsletter message and how often each link in the newsletter was clicked. With the help of conversion tracking, we can also analyse whether a predefined action (e.g. purchase of a product on our website) took place after clicking on the link in the newsletter.

In the case of sending our newsletter to our existing customers, the analysis is based on our legitimate interest in determining the success of our newsletter and optimising its content (Article 6(1)(f) GDPR). If you register to receive our newsletter, the analysis is based on the consent you gave when you registered (Article 6(1)(a) GDPR).

If you do not want analysis using Episerver, you must unsubscribe from the newsletter. We provide a link for this purpose in every newsletter message. You can also unsubscribe from the newsletter directly on the website.

The data you provide us with for the purpose of receiving the newsletter will be stored by us until you unsubscribe from the newsletter. After you have unsubscribed from the newsletter, the data will be blocked on both our servers and Episerver’s servers for the purpose of sending further newsletters. Please let us know if you also wish to have your data stored for the purpose of the newsletter deleted. Data stored by us for other purposes (e.g. email addresses for the member area) remains unaffected by this.

For more information on Episerver’s privacy policy, please visit:

https://www.optimizely.com/legal/privacy-notice/.

10.3. Newsletter tracking

Our newsletters contain so-called tracking pixels. A tracking pixel is a miniature graphic that is embedded in emails sent in HTML format to enable log file recording and analysis. This allows a statistical evaluation of the success or failure of online marketing campaigns. The embedded tracking pixel allows the company to see if and when an email was opened and which links in the email were clicked on.

We store and evaluate the personal data collected via the tracking pixels contained in the newsletters to optimise the newsletter dispatch and tailor the content of future newsletters even better to your interests. This personal data is not passed on to third parties. Data subjects are entitled to revoke their separate declaration of consent given via the double opt-in procedure at any time. After revocation, we will delete this personal data. We automatically interpret unsubscribing from the newsletter as revocation.

Such an evaluation is carried out in particular in accordance with Article 6 (1) (f) GDPR on the basis of our legitimate interests in displaying personalised advertising, market research and/or the needs-based design of our website.

10.4. Postal advertising

If you have booked a river cruise with A-ROSA or are interested in booking a cruise, we will use your postal address to send you product information and individually optimised travel offers. You can object to this use of your postal address for advertising purposes at any time, as described in the above section (right to information, correction, deletion and blocking; objection and revocation) of this privacy policy.

11. Our activities on social networks

We have our own pages on various social networks in order to communicate with you and provide information about our services. When you visit one of our social media pages, we share responsibility with the provider of the respective social media platform for the processing of your personal data in accordance with Article 26 GDPR.

We are not the original provider of these pages, but merely use them within the scope of the functionalities made available to us by the respective providers.

As a precaution, we would therefore like to point out that your data may also be processed outside the European Union or the European Economic Area. The use may therefore involve data protection risks for you, as it may be more difficult to safeguard your rights, e.g. to information, deletion, objection, etc. Processing on social networks is often carried out directly by the platform providers for advertising purposes or to analyse user behaviour, and we generally have no influence over these operations. If the provider creates usage profiles, cookies may be used, or your activity may be linked to your member profile on the social network.

The processing of personal data described above is carried out in accordance with Article 6 (1)(f) GDPR on the basis of our legitimate interest and the legitimate interest of the respective provider in communicating with you in a modern way and informing you about our services. If you have to give your consent to data processing as a user to the respective providers, the legal basis refers to Article 6 (1)(a) GDPR in conjunction with Article 7 GDPR.

As we do not have access to the providers’ databases, we would like to point out that it is best to exercise your rights (e.g. to information, correction, deletion, etc.) directly with the respective provider. Further information on the processing of your data in social networks is listed below for each of the social network providers we use.

11.1. Facebook

(Joint) controller for data processing in Europe:

Meta Platforms Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland

Meta (Facebook) may, unless objected to, process content from adult users in the EU, e.g. photos, posts or comments, for the purpose of training its own AI models. The basis for this is a legitimate interest pursuant to Article 6(1)(f) GDPR. As a company, we have no influence on this specific data processing by Meta. Users can object to this via an online form on the Meta platforms.

Privacy policy (data policy): https://www.facebook.com/about/privacy

11.2. Instagram

(Joint) controller for data processing in Germany:

Meta Platforms Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland

Meta (Instagram) may, unless objected to, process content from adult users in the EU, e.g. photos, posts or comments, for the purpose of training its own AI models. As a company, we have no influence on this specific data processing by Meta. The basis for this is a legitimate interest pursuant to Article 6 (1)(f) GDPR. Users can object to this via an online form on the Meta platforms.

Privacy policy (data policy): https://instagram.com/legal/privacy/

11.3. LinkedIn

(Joint) controller for data processing in Europe:

LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland

Privacy policy: https://www.linkedin.com/legal/privacy-policy

11.4. Pinterest

(Joint) controller for data processing in Germany:

Pinterest Inc., 651 Brannan Street, San Francisco, CA 94107, USA.

Privacy policy: https://policy.pinterest.com/en/privacy-policy

11.5. X (Twitter)

(Joint) controller for data processing in Europe:

Twitter International Company, One Cumberland Place, Fenian Street, Dublin 2, D02 AX07, Ireland

Privacy policy: https://x.com/en/privacy

Information about your data: https://twitter.com/settings/your_twitter_data

11.6. XING (New Work SE)

(Joint) controller for data processing in Germany:

New Work SE, Am Strandkai 1, 20457 Hamburg, Germany

Privacy policy: https://privacy.xing.com/en

Information requests for XING members: https://www.xing.com/settings/privacy/data/disclosure

11.7. YouTube

(Joint) controller for data processing in Europe:

Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland

Privacy policy: https://policies.google.com/privacy

12. Social media plugins

12.1. YouTube plugin

We have integrated components from YouTube into this website. YouTube is an internet video portal that allows video publishers to upload video clips free of charge and other users to view, rate and comment on them, also free of charge. YouTube allows the publication of all types of videos, which is why complete films and television programmes, as well as music videos, trailers and videos created by users themselves, are available via the internet portal.

YouTube is operated by YouTube, LLC, 901 Cherry Ave., San Bruno, CA 94066, USA. YouTube, LLC is a subsidiary of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.

Whenever you access a page on our website that contains an integrated YouTube component (YouTube plugin), your browser automatically downloads a representation of that component from YouTube. Through this technical process, YouTube and Google become aware of which specific subpage of our website you are visiting.

Further information about YouTube can be found at https://www.youtube.com/yt/about/.

If you are logged into YouTube at the same time, YouTube recognises which specific subpage of our website you are visiting when you call up a subpage that contains a YouTube plugin. This information is collected by YouTube and Google and assigned to your YouTube account.

YouTube and Google receive information via the YouTube component that you have visited our website whenever you are logged into YouTube at the same time as visiting our website; this occurs regardless of whether you click on a YouTube video or not. If you do not want this information to be transmitted to YouTube and Google, you can prevent this by logging out of your YouTube account before visiting our website.

The use of YouTube is in the interest of convenient and easy use of our website. This constitutes a legitimate interest within the meaning of Article 6 (1)(f) GDPR.

This US company is certified under the EU-US Data Privacy Framework. This means that an adequacy decision pursuant to Article 45 GDPR has been made, so that personal data may be transferred without further guarantees or additional measures.

Personal data is only processed using the social media buttons with your express consent in accordance with Article 6 (1)(a) GDPR.

The privacy policy published by YouTube, which is available at www.google.com/intl//policies/privacy/, provides information about the collection, processing and use of personal data by YouTube and Google.

13. Web analysis

13.1. Google Analytics 4 (GA4)

We use Google Analytics 4 (GA4), a web analytics service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (“Google”), on our websites.

In this context, pseudonymised usage profiles are created and cookies (see “Cookies”) are used. The information generated by the cookie about your use of this website may include:

  • A short-term recording of the IP address without permanent storage
  • Location data
  • Browser type/version
  • Operating system used
  • Referrer URL (previously visited page)
  • Time of server request

The pseudonymised data may be transferred by Google to a server in the USA and stored there.

The information is used to evaluate the use of the website, compile reports on website activity and provide other services related to website activity and internet usage for the purposes of market research and the design of this website in line with user needs. This information may also be transferred to third parties if this is required by law or if third parties process this data on behalf of the controller.

These processing operations are carried out exclusively with the express consent of the data subject in accordance with Article 6 (1)(a) GDPR.

The default data storage period set by Google is 14 months. Otherwise, personal data is stored for as long as it is necessary to fulfil the purpose of processing. The data is deleted as soon as it is no longer required to achieve the purpose.

The parent company, Google LLC, is certified as a US company under the EU-US Data Privacy Framework. This means that an adequacy decision pursuant to Article 45 GDPR has been made, so that personal data may be transferred without further guarantees or additional measures.

Further information on data protection when using GA4 can be found at: https://support.google.com/analytics/answer/12017362?hl=.

13.2. Google Analytics 4 (GA4) – Additional information about Google Signals

Google Signals is a feature in Google Analytics that collects session data from websites and apps where users are signed in with their Google account and have enabled personalised advertising. It enables advanced analysis by linking user behaviour across different devices and providing additional information such as demographic characteristics and interests. Your consent to the use of Google Analytics (see above) also includes consent to the additional Google Signals feature.

13.3. Google Analytics 4 (GA4) – Additional information on consent mode, simple implementation

Under the Digital Markets Act, Google is required to obtain user consent before user data is processed by Google for personalised advertising. Google complies with this requirement with “Consent Mode”. Users are required to implement this and thus prove that they have obtained the consent of website visitors.

Google offers two implementation modes: simple and advanced.

We use the simple implementation method of Google Consent Mode. Only if you give your consent to the use of Google Analytics (see above) will a connection to Google be established, a Google code executed and the processing described above carried out. If you refuse to give your consent, Google will only receive information that consent has not been given. The Google code will not be executed, and no Google Analytics cookies will be set.

13.4. Google Analytics Remarketing

We have integrated Google Remarketing services on this website. The operator of Google Remarketing services is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Google Remarketing is a feature of Google AdWords that enables a company to display advertisements to Internet users who have previously visited the company’s website. The integration of Google Remarketing, therefore, allows a company to create user-related advertising and consequently display interest-relevant advertisements to the Internet user.

The purpose of Google Remarketing is to display interest-based advertising. Google Remarketing enables us to display advertisements via the Google advertising network or on other websites that are tailored to the individual needs and interests of Internet users.

Google Remarketing places a cookie on the IT system of the person concerned. By placing the cookie, Google is able to recognise visitors to our website when they subsequently visit other websites that are also members of the Google advertising network. Each time you visit a website on which the Google Remarketing service has been integrated, your internet browser automatically identifies itself to Google. As part of this technical process, Google obtains personal data such as your IP address or surfing behaviour, which Google uses, among other things, to display interest-based advertising.

The cookie is used to store personal information, such as the websites you have visited. Each time you visit our website, personal data, including your IP address, is transferred to Google in the United States of America. This personal data is stored by Google in the United States of America. Google may pass on this personal data collected through the technical process to third parties.

These processing operations are carried out exclusively with your express consent in accordance with Article 6 (1)(a) GDPR.

The parent company Google LLC is certified as a US company under the EU-US Data Privacy Framework. This means that an adequacy decision pursuant to Article 45 GDPR has been made, so that personal data may be transferred without further guarantees or additional measures.

The data protection provisions of Google Analytics Remarketing can be viewed at: https://www.google.de/intl/policies/privacy/.

13.5. Hotjar

This website uses Hotjar. The provider is Hotjar Ltd., Level 2, St Julians Business Centre, 3, Elia Zammit Street, St Julians STJ 1000, Malta.

Hotjar is a tool for analysing your user behaviour on this website. With Hotjar, we can record your mouse and scroll movements and clicks, among other things. Hotjar can also determine how long you remained with the mouse pointer on a specific spot. Hotjar uses this information to create so-called heat maps, which can be used to determine which areas of the website are preferred by website visitors.

Furthermore, we can determine how long you stayed on a page and when you left it. We can also determine at which point you cancelled your entries in a contact form (so-called conversion funnels). In addition, Hotjar can be used to obtain direct feedback from website visitors. This function serves to improve the website operator’s web offerings.

Hotjar uses cookies. Cookies are small text files that are stored on your computer and saved by your browser. They serve to make our website more user-friendly, effective and secure. These cookies can be used in particular to determine whether this website was visited with a specific device or whether Hotjar’s functions have been deactivated for the browser in question. Hotjar cookies remain on your device until you delete them.

You can configure your browser to notify you when cookies are set, to allow cookies only in individual cases, to block the acceptance of cookies in certain situations or entirely, and to enable the automatic deletion of cookies when the browser is closed. Please note that if cookies are disabled, the functionality of this website may be limited.

These processing operations are carried out exclusively with the express consent of the data subject in accordance with Article 6 (1)(a) GDPR.

Further information about Hotjar can be found at: https://help.hotjar.com/hc/en-us/sections/115003204947.

14. Advertising

14.1. Google Ads (AdWords) remarketing/retargeting

We have integrated Google Ads into this website. The operator of Google Ads services is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (“Google”).

This allows us to advertise this website in Google search results and on third-party websites. For this purpose, Google places a cookie in the browser of your device, which automatically enables interest-based advertising using a pseudonymous cookie ID and based on the pages you have visited.

Any further data processing only takes place if you have agreed to Google linking your internet and app browsing history to your Google account and using information from your Google account to personalise the ads you see on the web. In this case, if you are logged into Google while visiting our website, Google will use your data together with Google Analytics data to create and define target group lists for cross-device remarketing. To do this, Google temporarily links your personal data with Google Analytics data to form target groups.

These processing operations are carried out exclusively with your express consent in accordance with Article 6 (1)(a) GDPR.

The parent company, Google LLC, is certified as a US company under the EU-US Data Privacy Framework. This means that an adequacy decision pursuant to Article 45 GDPR has been made, so that personal data may be transferred without further guarantees or additional measures.

You can view the data protection provisions and further information from Google Ads at: https://www.google.com/policies/technologies/ads/

14.2. Google Ads with conversion tracking

We have integrated Google Ads into this website. The operating company for Google Ads services is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Google Ads is an internet advertising service that allows advertisers to place ads in Google search engine results and on the Google advertising network. Google Ads allows advertisers to specify certain keywords in advance, which are then used to display an ad in Google’s search engine results only when the user enters a keyword-relevant search query in the search engine. In the Google advertising network, the ads are distributed to relevant websites using an automatic algorithm and taking into account the predefined keywords.

The purpose of Google Ads is to promote our website by displaying interest-relevant advertising on the websites of third-party companies and in the search engine results of the Google search engine, and to display third-party advertising on our website.

If you access our website via a Google ad, Google will place a so-called conversion cookie on your IT system. A conversion cookie expires after thirty days and is not used to identify you. The conversion cookie is used to track whether certain subpages, such as the shopping basket of an online shop system, have been accessed on our website, provided that the cookie has not yet expired. The conversion cookie allows both us and Google to track whether a user who has accessed our website via an AdWords ad has generated a sale, i.e. completed or cancelled a purchase.

The data and information collected through the use of the conversion cookie are used by Google to compile visit statistics for our website. We, in turn, use these visit statistics to determine the total number of users who were referred to us via Ads advertisements, i.e. to determine the success or failure of the respective Ads advertisement and to optimise our Ads advertisements for the future. Neither our company nor other Google Ads advertisers receive information from Google that could be used to identify you.

The conversion cookie stores personal information, such as the websites you have visited. Each time you visit our website, personal data, including the IP address of the Internet connection you are using, is transmitted to Google in the United States of America. This personal data is stored by Google in the United States of America. Google may pass on this personal data collected via the technical process to third parties.

These processing operations are carried out exclusively with your express consent in accordance with Article 6 (1)(a) GDPR.

The parent company, Google LLC, is certified as a US company under the EU-US Data Privacy Framework. This means that an adequacy decision pursuant to Article 45 GDPR has been made, so that personal data may be transferred without further guarantees or additional measures.

You can view the data protection provisions and further information from Google AdSense at: https://www.google.com/intl/policies/privacy/.

14.3. Google Ads with enhanced conversions

We have integrated Google Ads into this website. The operating company of Google Ads services is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.

Google Ads is an internet advertising service that allows advertisers to place ads in Google search engine results and on the Google advertising network. The purpose of Google Ads is to promote our website by displaying interest-based advertising on the websites of third-party companies and in the search results of the Google search engine, and to display third-party advertising on our website.

If you access our website via a Google ad, Google will place a so-called conversion cookie on your IT system. A conversion cookie expires after thirty days and is not used to identify you. The conversion cookie is used to track whether certain subpages, such as the shopping basket of an online shop system, have been accessed on our website, provided that the cookie has not yet expired. The conversion cookie allows both us and Google to track whether a user who accessed our website via a Google Ads advertisement generated a sale, i.e. completed or cancelled a purchase.

We use the enhanced conversions option offered by Google Ads. To do this, we transmit personal data collected by us, such as telephone numbers or email addresses, to Google. This data is matched with event data from Google Ads in order to record more conversions.

Each time you visit our website, personal data, including the IP address of the Internet connection you are using, is transmitted to Google in the United States of America. Google may pass on this personal data collected using technical procedures to third parties.

These processing operations are carried out exclusively with your express consent in accordance with Article 6 (1)(a) GDPR.

The parent company, Google LLC, is certified as a US company under the EU-US Data Privacy Framework. This means that an adequacy decision pursuant to Article 45 GDPR is in place, so that personal data may be transferred without further guarantees or additional measures.

You can view the data protection provisions and further information from Google Ads at: https://www.google.com/intl/policies/privacy/ or https://support.google.com/adspolicy/answer/9755941?hl=&ref_topic=7012636&%20sjid=9061832235671554201-EU.

14.4. Google Ads – Additional information on consent mode, simple implementation

Under the Digital Markets Act, Google is required to obtain user consent before processing user data for personalised advertising. Google complies with this requirement through “Consent Mode”. Users are required to implement this mode and thus demonstrate that they have obtained the consent of website visitors.

Google offers two implementation modes: simple and advanced implementation.

We use the simple implementation method of Google Consent Mode. Only if you give your consent to the use of Google Ads (see above) will a connection to Google be established, a Google code executed and the processing described above carried out. If you refuse to give your consent, Google will only receive information that consent has not been given. The Google code will not be executed, and no Google Ads cookies will be set.

14.5. Microsoft Bing Ads

We have integrated Microsoft Bing Ads into this website. The operating company is Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18 D18 P521, Ireland.

Bing Ads is an internet advertising service that allows advertisers to place ads in both Bing search engine results and the Bing advertising network. The purpose of Bing Ads is to promote our website by displaying interest-based advertising on third-party websites and in the search results of the Bing search engine, and to display third-party advertising on our website.

Microsoft Bing Ads conversion tracking allows us and Microsoft to recognise whether users have performed certain actions. For example, we analyse which buttons on our website are clicked frequently and which products are viewed or purchased particularly often. This information is used to compile conversion statistics. We receive the total number of users who clicked on our ads, as well as details of the actions performed. Personal identification data of users is not collected in this process. Microsoft uses cookies or similar technologies for recognition purposes.

The following data, among others, may be processed:

  • IP address (without permanent storage),
  • Browser details,
  • Visited URL,
  • Referrer URL (previously visited page),
  • Time of server request,
  • User behaviour.

These processing operations are carried out exclusively with the express consent of the user in accordance with Article 6 (1)(a) GDPR.

The data may be transferred to servers in the USA and stored there. Microsoft Corporation is certified under the EU-US Data Privacy Framework as a US company. This constitutes an adequacy decision pursuant to Article 45 GDPR, meaning that personal data may be transferred without further guarantees or additional measures.

You can view the privacy policy and further information from Microsoft Bing Ads at: https://about.ads.microsoft.com/en-us/resources/policies/remarketing-in-paid-search-policies.

15. Partner and affiliate programmes

15.1. AWIN

We participate in the affiliate programme of AWIN AG, Eichhornstraße 3, 10785 Berlin, Germany.

AWIN enables us to track which third-party providers of websites, apps or other technologies have referred potential customers to our websites and apps (“referrers”) and to pay them a commission in return for these referrals.

AWIN uses cookies to track visitors via our partners’ affiliate links and to trace the origin of orders. Both AWIN and the respective AWIN affiliate partners independently collect the following data, among other things:

  • Identification number of the affiliate partner
  • User identification number
  • Information about the advertising material clicked on
  • Order/product ID
  • User agent
  • IP address

Partners participating in the affiliate programme may vary and are not limited in number or identity. AWIN requires all partners to comply with data protection regulations.

If personal data is transferred to companies within the AWIN Group or to service providers in countries that have not already been granted an adequate level of protection by an adequacy decision of the EU Commission, special contracts containing the EU Commission’s standard contractual clauses (the “EU Standard Contractual Clauses”) will be concluded to ensure that personal data is handled by all parties in a manner that complies with and respects data protection laws, in particular the GDPR.

These processing operations are carried out exclusively with the express consent of the data subject in accordance with Article 6 (1)(a) GDPR.

Your data will be deleted as soon as it is no longer required for the purpose for which it was collected or you withdraw your consent.

For more information on AWIN’s privacy policy, please visit: https://www.awin.com/gb/privacy.

16. Plugins and other services

16.1. Google Maps

We use Google Maps (API) on our website. Google Maps is operated by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Google Ireland Limited is part of the Google group of companies, headquartered at 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Google Maps is a web service for displaying interactive (land) maps to visually represent geographical information. By using this service, you can, for example, view our location and make it easier to find us.

When you visit subpages that include Google Maps, information about your use of our website (such as your IP address) is transmitted to Google servers in the USA and stored there, provided that you have given your consent within the meaning of Article 6 (1)(a) GDPR. In addition, Google Maps loads Google Web Fonts, Google Photos and Google Stats. These services are also provided by Google Ireland Limited. When you visit a page that incorporates Google Maps, your browser loads the web fonts and photos required to display Google Maps into your browser cache. For this purpose, the browser you are using also establishes a connection to Google’s servers. This allows Google to know that our website has been accessed via your IP address. This occurs regardless of whether Google provides a user account that you are logged in to or whether no user account exists. If you are logged in to Google, your data will be directly associated with your account. If you do not want your data to be associated with your Google profile, you must log out of your Google user account. Google stores your data (even for users who are not logged in) as usage profiles and evaluates them. You have the right to object to the creation of these user profiles, whereby you must contact Google to exercise this right.

If you do not agree to the future transmission of your data to Google in connection with the use of Google Maps, you also have the option of completely deactivating the Google Maps web service by disabling JavaScript in your browser. You will then not be able to use Google Maps or the map display on this website.

These processing operations are carried out exclusively with your express consent in accordance with Article 6 (1) (a) GDPR.

You can view Google’s terms of use at policies.google.com/terms, and the additional terms of use for Google Maps can be found at https://www.google.com/intl/US/help/terms_maps/.

The parent company, Google LLC, is certified as a US company under the EU-US Data Privacy Framework. This means that an adequacy decision pursuant to Article 45 GDPR has been made, so that personal data may be transferred without further guarantees or additional measures.

You can view the Google Maps privacy policy (“Google Privacy Policy”) at: https://policies.google.com/privacy?hl=&gl=.

16.2. Google Tag Manager

We use the Google Tag Manager service on this website. Google Tag Manager is operated by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Google Ireland Limited is part of the Google group of companies, headquartered at 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.

This tool allows “website tags” (i.e. keywords that are embedded in HTML elements) to be implemented and managed via an interface. By using Google Tag Manager, we can automatically track which button, link or personalised image you have actively clicked on and can then record which content on our website is of particular interest to you.

The tool also triggers other tags, which may collect data. Google Tag Manager does not access this data. If you have disabled cookies at the domain or cookie level, this will remain in effect for all tracking tags implemented with Google Tag Manager.

These processing operations are carried out exclusively with your express consent in accordance with Article 6 (1)(a) GDPR.

The parent company Google LLC is certified as a US company under the EU-US Data Privacy Framework. This means that an adequacy decision pursuant to Article 45 GDPR has been made, so that personal data may be transferred without further guarantees or additional measures.

Further information on Google Tag Manager and Google’s privacy policy can be found at: https://policies.google.com/privacy?hl=

16.3. Salesforce CRM system

We use the CRM system provided by salesforce.com Inc. (“salesforce”), One Market Street, Suite 300, San Francisco, CA 94105, USA.

Salesforce is a cloud-based CRM solution for customer relationship management. All departments (including, for example, marketing, sales, customer service, as well as online and brick-and-mortar retail) work on a shared CRM platform. Among other things, this serves the purpose of structured contract processing and documentation of contract initiation.

Salesforce has full access to the customer data we process and store in the cloud. This may include names, addresses, email addresses and telephone numbers.

If the relevant consent has been requested, processing is carried out exclusively on the basis of Article 6 (1)(a) GDPR. The legal basis for the use of “salesforce” in the context of contractual relationships is Article 6 (1)(b) GDPR. In all other cases, the legal basis for the processing of your personal data is Article 6 (1)(f) GDPR. Here, our interest lies in the effective coordination of internal and external communication and the management of customer relationships.

This US company is certified under the EU-US Data Privacy Framework. This means that an adequacy decision pursuant to Article 45 GDPR is in place, so that personal data may be transferred without further guarantees or additional measures.

Further information on Salesforce can be found at: https://www.salesforce.com/company/privacy/.

16.4. Vimeo (videos)

Our website incorporates plugins from the video portal Vimeo, owned by Vimeo, LLC, 555 West 18th Street, New York, New York 10011, USA. When you visit a page on our website that contains such a plugin, your browser establishes a direct connection to the Vimeo servers. The content of the plugin is transmitted directly from Vimeo to your browser and integrated into the page. Through this integration, Vimeo receives the information that your browser has accessed the corresponding page of our website, even if you do not have a Vimeo account or are not currently logged in to Vimeo. This information (including your IP address) is transmitted directly from your browser to a Vimeo server in the USA and stored there.

This US company is certified under the EU-US Data Privacy Framework. This means that an adequacy decision pursuant to Article 45 GDPR has been made, so that personal data may be transferred without further guarantees or additional measures.

If you are logged in to Vimeo, Vimeo can immediately associate your visit to our website with your Vimeo account. If you interact with the plugins (e.g. by clicking the start button on a video), this information is also transmitted directly to a Vimeo server and stored there.

The tracking tool Google Analytics is automatically integrated into Vimeo videos embedded on our site. This is Vimeo’s own tracking tool, to which we have no access and which cannot be influenced by our site. Google Analytics uses so-called “cookies” for tracking. These are text files that are stored on your computer and enable an analysis of your use of the website. The information generated by the cookie about your use of this website is usually transferred to a Google server in the USA and stored there.

These processing operations are carried out exclusively with your express consent in accordance with Article 6 (1)(a) GDPR.

You can view Vimeo’s privacy policy at: https://vimeo.com/privacy.

16.5. YouTube (videos)

We have integrated YouTube components into this website. YouTube is operated by YouTube, LLC, 901 Cherry Ave., San Bruno, CA 94066, USA. YouTube, LLC is a subsidiary of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.

YouTube is an internet video portal that allows video publishers to upload video clips free of charge and other users to view, rate and comment on them, also free of charge. YouTube allows the publication of all types of videos, which is why complete films and television programmes, as well as music videos, trailers or videos created by users themselves, can be accessed via the internet portal. Each time one of the individual pages of this website, which is operated by us and on which a YouTube component (YouTube video) has been integrated, is accessed, the Internet browser on your IT system is automatically prompted by the respective YouTube component to download a representation of the corresponding YouTube component from YouTube. The services Google WebFonts, Google Video and Google Photo can also be downloaded from YouTube. Further information about YouTube can be found at www.youtube.com/yt/about/de/. As part of this technical process, YouTube and Google are informed about which specific subpage of our website you are visiting.

If you are logged into YouTube at the same time, YouTube recognises which specific subpage of our website you are visiting when you call up a subpage that contains a YouTube video. This information is collected by YouTube and Google and assigned to your YouTube account.

YouTube and Google receive information via the YouTube component that you have visited our website whenever you are logged into YouTube while visiting our website; this happens regardless of whether you click on a YouTube video or not. If you do not want this information to be transmitted to YouTube and Google, you can prevent the transmission by logging out of your YouTube account before visiting our website.

These processing operations are carried out exclusively with your express consent in accordance with Article 6 (1)(a) GDPR.

The parent company Google LLC is certified as a US company under the EU-US Data Privacy Framework. This means that an adequacy decision pursuant to Article 45 GDPR has been made, so that personal data may be transferred without further guarantees or additional measures.

You can view YouTube’s privacy policy at https://policies.google.com/privacy?hl=&gl=.

16.6. YouTube videos in extended data protection mode (YouTube NoCookies)

Some subpages of our website contain links or connections to YouTube. In general, we are not responsible for the content of websites to which links are provided. However, if you follow a link to YouTube, we would like to point out that YouTube stores its users’ data (e.g. personal information, IP address) in accordance with its own data usage guidelines and uses it for business purposes.

YouTube is operated by YouTube, LLC, 901 Cherry Ave., San Bruno, CA 94066, USA.

We also embed videos stored on YouTube directly on some subpages of our website. In this case, content from the YouTube website is displayed in parts of a browser window. When you visit a (sub)page of our website that contains embedded YouTube videos, a connection to the YouTube servers is established and the content is displayed on the website by notifying your browser.

YouTube content is only embedded in “extended privacy mode”. This is provided by YouTube itself and ensures that YouTube does not initially store any cookies on your device. However, when you visit the relevant pages, your IP address and, if applicable, other data will be transmitted, thereby revealing which of our web pages you have visited. This information cannot be attributed to you unless you have logged in to YouTube or another Google service before visiting the page or are permanently logged in. As soon as you start playing an embedded video by clicking on it, YouTube only stores cookies on your device that do not contain any personally identifiable data, unless you are currently logged in to a Google service. These cookies can be prevented by adjusting your browser settings and extensions accordingly.

Requesting the video also constitutes your consent to the placement of the corresponding cookie (Article 6(1)(a) GDPR).

This US company is certified under the EU-US Data Privacy Framework. This constitutes an adequacy decision pursuant to Article 45 GDPR, meaning that personal data may be transferred without further guarantees or additional measures.

You can view YouTube’s privacy policy at: https://policies.google.com/privacy?hl=&gl=.

17. Your rights as a data subject

17.1. Right to confirmation

You have the right to request confirmation from us as to whether personal data concerning you is being processed.

17.2. Right to information Article 15 GDPR

You have the right to obtain from us, free of charge, information about the personal data stored about you and a copy of this data in accordance with the statutory provisions.

17.3. Right to rectification Article 16 GDPR

You have the right to request the rectification of inaccurate personal data concerning you. Furthermore, you have the right to request the completion of incomplete personal data, taking into account the purposes of the processing.

17.4. Erasure Article 17 GDPR

You have the right to request that we erase personal data concerning you without undue delay, provided that one of the reasons specified by law applies and that the processing or storage is not necessary.

17.5. Restriction of processing Article 18 GDPR

You have the right to request that we restrict processing if one of the legal requirements is met.

17.6. Data portability Article 20 GDPR

You have the right to receive the personal data concerning you, and that you have provided to us, in a structured, commonly used, and machine-readable format. You also have the right to transfer this data to another controller without hindrance from us, as the controller to whom the personal data has been provided, where the processing is based on your consent (Article 6(1)(a) or Article 9(2)(a) GDPR) or on a contract (Article 6(1)(b) GDPR), and where the processing is carried out by automated means. This right does not apply where processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us.

Furthermore, when exercising your right to data portability pursuant to Article 20(1) GDPR, you have the right to have your personal data transmitted directly from one controller to another, where technically feasible and provided that this does not adversely affect the rights and freedoms of others.

17.7. Objection Article 21 GDPR

You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you which is carried out based on Article 6(1)(e) (data processing in the public interest) or (f) (data processing based on a balancing of interests) of the GDPR.

This also applies to profiling based on these provisions within the meaning of Article 4 (4) GDPR.

If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights and freedoms, or unless the processing serves to assert, exercise or defend legal claims.

In individual cases, we process personal data for direct marketing purposes. You can object to the processing of personal data for such marketing purposes at any time. This also applies to profiling insofar as it is related to such direct marketing. If you object to us processing your data for direct marketing purposes, we will no longer process your personal data for these purposes.

In addition, you have the right to object, on grounds relating to your particular situation, to the processing of personal data concerning you that we carry out for scientific or historical research purposes or for statistical purposes in accordance with Article 89(1) of the GDPR, unless such processing is necessary for the performance of a task carried out in the public interest.

You are free to exercise your right to object in relation to the use of information society services, notwithstanding Directive 2002/58/EC of the European Parliament, by means of automated procedures using technical specifications.

17.8. Revocation of consent under data protection law

You have the right to withdraw your consent to the processing of personal data at any time with effect for the future.

17.9. Complaint to a supervisory authority

You have the right to complain to a supervisory authority responsible for data protection about our processing of personal data.

18. Profiling / Automated decisions

Profiling refers to the automated process of analysing or predicting certain personal aspects or behaviours based on personal data. This allows customers to be served and advised more individually and offers to be better tailored to their individual needs. “Automated individual decisions” are decisions that are made fully automatically and without relevant human involvement and that may have adverse legal or similarly negative effects on the customer.

A-ROSA Flussschiff GmbH does not make any automated individual decisions as a matter of principle. Should A-ROSA Flussschiff GmbH make automated individual decisions in individual cases, it will inform the customer separately. In such a case, the customer has the option of having this decision reviewed manually by an employee of A-ROSA Flussschiff GmbH.

19. Routine storage, deletion and blocking of personal data

We process and store your personal data only for the period necessary to achieve the purpose of storage or as provided for by the legal provisions to which our company is subject.

If the storage purpose no longer applies or a prescribed storage period expires, the personal data will be routinely blocked or deleted in accordance with the statutory provisions.

20. Duration of storage of personal data

The criterion for the duration of storage of personal data is the respective statutory retention period. After expiry of this period, the corresponding data is routinely deleted, provided that it is no longer required for the fulfilment or initiation of a contract.

Below are the most important periods for the storage of your personal data:

  • Correspondence: Six years (in accordance with the German Commercial Code (HGB)).
  • Offers resulting in an order: Six years (in accordance with the German Commercial Code (HGB)).
  • Accounting records: Ten years (in accordance with the German Commercial Code (HGB) and the German Fiscal Code (AO)).
  • Application documents (unsuccessful applicants): Six months (to prevent lawsuits under the General Equal Treatment Act (AGG)).

21. Up-to-dateness and changes to the privacy policy

This Privacy Policy is currently valid and was last updated in September 2025.

As our website and services continue to develop, or in the event of changes to legal or regulatory requirements, it may become necessary to amend this Privacy Policy.
