A-ROSA Flussschiff GmbH and A-ROSA Reederei GmbH are jointly responsible for data processing. The protection of your privacy and your personal data is very important to us. We also pay close attention to this aspect in our Internet activities. We collect, process and use personal data in accordance with the applicable data protection regulations, in particular the DATA PROTECTION BASIC REGULATION (DSGVO), the Telemedia Act (TMG) and the Telecommunications Act (TKG).
We implement technical and organisational security measures in order to optimally protect your data against accidental or intentional manipulation, loss, destruction or access by unauthorised parties. These security measures are upgraded on an ongoing basis to keep up with technological advancements.
OBJECT OF DATA PROTECTION / PERSONAL DATA
Personal data are the object of data protection measures. Data is personal if it is referenceable to an identified or identifiable person. This includes such information as name, address, e-mail address and telephone number. Sensitive data (such as health data) are subject to special protections. Information not directly related to your actual identity (such as favourite websites or number of page users) is not covered.
Within the meaning of the GDPR, all information relating to an identified or identifiable natural person is personal data. A natural person is deemed identifiable if the person can be directly or indirectly identified, particularly by means of referencing such identifiers as name, ID number, location data, username or one or more special attributes which characterise the physical, physiological, genetic, mental, financial, cultural or social identity of that natural person. Personal data are only stored as necessary to provide the booked services, comply with legal requirements or fulfil the purposes stated below.
COLLECTION, PROCESS, AND USE OF PERSONAL DATA
Other than in the cases outlined under Automated Collection and Processing of Data of Visitors to our Websites, data collection and data processing are only allowed if you voluntarily provide your personal data. This applies in particular to the following situations:
TRAVEL BOOKING AND CONTRACT FULFILLMENT (PURPOSE OF COLLECTION)
Personal data provided during registration and/or booking is collected, processed and used for the purposes of fulfilling travel contracts, utilising services on our website, providing customer service and complying with legal obligations. Such data include information provided for ship manifests and customer satisfaction surveys. In accordance with applicable laws, such data are generally only collected for the purpose of providing the services you wish to receive or require. Any other information we request on our forms is provided by you on a strictly voluntary basis, and is designated as voluntary.
These personal data are forwarded to our service providers for travel contract fulfilment.
When booking a cruise, the personal data of persons travelling with you may also be collected. We therefore request that you ensure that such data are provided with the consent of the persons travelling with you. Personal data of children and other minors (under the age of 18) are collected, stored and used solely for travel contract fulfilment.
LEGAL BASES FOR PROCESSING
The legal basis for personal data processed pursuant to our obtaining the consent of the data subject is Article 6 (1) a) of the EU General Data Protection Regulation (GDPR).
The legal basis for processing of personal data necessary for the performance of a contract to which the data subject is a party is Article 6 (1) b) GDPR. This also applies to processing performed to enable pre-contractual actions.
TRANSFER OF PERSONAL DATA TO THIRD PARTIES
The transfer of your personal data occurs exclusively in compliance with applicable laws, including particularly data protection and competition laws.
As necessary for the performance of the contractual services or fulfilment of our legal obligations, your data may also be transferred to sub-contractors or service providers for the provision of services in our name or on our behalf (technical processing of postal and e-mail dispatch, payment processing, customer service, etc.). Data are also transferred to persons or companies in order to process your order or booking, including particularly to airlines for travel services, other tour operators, hotels, travel agencies, destination agencies and government agencies, among other parties.
We only pass on the data to third parties that is necessary for the provision of the travel service and its accounting (e.g. travel processing data to A-ROSA Reederei GmbH in Switzerland or data from the ship's manifest to the port authorities). If data is passed on to service providers, they are bound by the contractual provisions of A-ROSA Flussschiff GmbH on the subject of data protection in addition to the mandatory statutory provisions. Personal data is only collected or transmitted to state institutions and authorities within the framework of mandatory legal provisions.
DATA TRANSFER TO COUNTRIES OUTSIDE THE EU
As necessary for the fulfilment of travel contracts we may also transfer your data to non-EU recipients if we are able to ensure that the data recipient guarantees an adequate level of data protection and there are no other legitimate interests against the transfer of data. In particular, we utilise the model contracts of the EU Commission for the transfer of personal data to third countries in order to ensure that the data recipient affords an adequate level of protection.
The transfer of data to A-ROSA Reederei GmbH in Switzerland, which is responsible for the operational aspects of your travel, is necessary for the fulfilment of travel contracts. The basis for data transfer to Switzerland is an adequacy decision. Switzerland provides an adequate level of protection, and does not require any special authorisation for data transfer.
STANDARD PERIODS FOR DELETION OF DATA
Data are deleted in accordance with retention obligations and periods applicable for the specific processing purposes. Financial accounting and reporting data for a concluded financial year are deleted after a maximum period of 10 years in accordance with legal requirements (tax law) unless a longer retention period is required pursuant to regulations or for legitimate reasons. Manifest data are deleted 2 years after the conclusion of travel (EU Package Travel Directive).
A-ROSA Flussschiff GmbH and A-ROSA Reederei GmbH have taken the necessary technical and organizational measures to protect your personal data against manipulation, loss, destruction or access by unauthorized persons and to protect your rights and comply with the applicable to comply with data protection regulations of the EU and the Federal Republic of Germany. The measures taken are intended to ensure the confidentiality and integrity of your data and to ensure the long-term availability and resilience of our systems and services when processing your data. They are also intended to ensure the rapid restoration of data availability and access in the event of a physical or technical incident.
All our employees and all persons involved in data processing are obliged to comply with the GDPR and other laws relevant to data protection and to treat personal data confidentially. Our employees are trained accordingly. Both internal and external audits ensure compliance with all data protection-related processes at A-ROSA Flussschiff GmbH of A-ROSA Reederei GmbH.
Our security measures also include the encryption of your data. When your data is transmitted to us, it is encrypted using Transport Layer Security (HTTPS). All information that you enter online is transmitted via an encrypted transmission path. As a result, this information can never be viewed by unauthorized third parties.
Our data processing and our security measures are continuously improved in line with technological developments.
NEWSLETTER AND POSTAL ADVERTISING
If you wish to receive our newsletter and register for it, we need to have a functioning e-mail address referenceable to you which allows us to verify that you are the owner of the given e-mail address. In addition to your e-mail address, the data we collect include your form of address, first name and surname. This information is used to personalise the salutation of the recipient.
Consent to saving of your e-mail address and other personal data provided by you (form of address, first name, surname) and to use thereof to send out the newsletter may be withdrawn at any time with non-retrospective effect.
Registration for our newsletter involves a ‘double opt-in’ procedure. This means you receive an e-mail after registration requesting you to confirm your registration. This confirmation is necessary to eliminate the possibility of anyone registering from a different e-mail address.
Newsletter registrations are logged to document that the registration process accords with the legal requirements. This involves saving of the time of login and confirmation and of your IP address. Changes to your stored data are also logged.
To process your registration to receive the newsletter we collect technical information including data about the browser and system you are using, your IP address and the time of retrieval. These data are utilised to improve the technical performance of services based on technical data or target groups and their reading habits, based on location of retrieval (determinable via the IP address) and access times.
Statistical data gathered include determination of whether the newsletter is opened, when it is opened and which links are clicked on. For technical reasons, this information is referenceable to individual newsletter recipients. It is not our interest however to monitor individual users. Rather, analysis is performed to enable us to identify the reading habits of our users, adapt our content to their needs and send differing content based on the interests of our users.
As required under the General Data Protection Regulation (GDPR), which enters into force on 25 May 2018, we are informing you that the basis for consent to the sending of e-mail addresses is Articles 6 (1) a), 7 GDPR and Section 7 (2) no. 3 and (3) of the German Unfair Competition Act (UWG). Statistical data gathering and analysis and logging of the registration procedure are performed on the basis of our legitimate interests in line with Article 6 (1) f) GDPR. Our interest is in deploying a user-friendly and secure newsletter system which both serves our business interests and meets the expectations of our users.
You can unsubscribe from the newsletter at any time, i.e. revoke your consent to use of your data for that purpose. This means your consent to newsletter dispatch and to related statistical analysis is revoked. Unfortunately it is not possible to separately revoke your consent to sending of the newsletter and to statistical analysis.
If you no longer wish to receive our newsletter, click on the link "Unsubscribe from the newsletter" which appears at the end of every newsletter we send out.
If you have booked a trip with A-ROSA Flussschiff GmbH or are interested in booking a trip, we utilise your postal address to send you product information and individually optimised travel offers. You can object to the use of your postal address for advertising purposes at any time as outlined in the aforementioned section of this data protection policy (Right to Information, Correction, Deletion and Restriction, Rights of Objection and Revocation).
DATA COLLECTION BY THIRD-PARTY PROVIDERS/SOCIAL NETWORKS
Our website contains links to social networks (Facebook, Google Plus, Twitter, Instagram, XING, YouTube, Pinterest, etc.). These social networks are exclusively operated by third parties. If you follow the corresponding links, data may be transmitted to these third parties (but no personal data within the meaning of the GDPR). Please see the data privacy policies of the respective operators for information regarding the purpose and scope of data collection by the social networks, further processing of and use of your data by those networks, your relevant rights and the settings you can configure to protect your privacy.
OUR SOCIAL MEDIA PRESENCE
We also use social media to present our company to users and facilitate communication with them.
When visiting these social media pages, it may occur that user data is processed outside the European Union. In general, German and/or European data protection legislation is not valid in these jurisdictions. This can make it more difficult to exercise your rights. US providers with Privacy Shield certification have undertaken to comply with EU data protection standards.
The data collected from social media users is normally processed for market research and advertising purposes. The content retrieved can be used to set up user profiles that are in turn used to display advertisements both on and off social media that are intended to match the user's interests. This process is usually facilitated by cookies stored on the user's computer.
However, providers can also use other methods to store data collected from social media users, particularly if these users are registered with and logged into the respective social media platforms.
The user's personal data is processed on the basis of Art. 6(1) lit. f GDPR. As the operator of a social media page, we have a legitimate interest in communicating with users and ensuring that they receive information in an efficient manner. If the user has agreed to the processing of their data – for example by clicking on a check box – the legal basis for processing this data is Art. 6(1) lit. a, Art. 7 GDPR.
Additional information about data processing and opt-out possibilities is available from the respective providers, who are listed below.
Requests for information and communications relating to the exercise of other user rights are best directed to the providers themselves. This is because they are the only parties with access to all user data and are thus the only ones able to provide the desired information or initiate the relevant measures.
– Facebook (Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Irland) – Privacy: www.facebook.com/about/privacy/, Opt-Out: www.facebook.com/settings and www.youronlinechoices.com/de/praferenzmanagement/, Privacy Shield: www.privacyshield.gov/participant.
– Google/YouTube (Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA) – Privacy: policies.google.com/privacy, Opt-Out: adssettings.google.com/authenticated, Privacy Shield: www.privacyshield.gov/participant.
YOUTUBE VIDEO PLUG-INS
This website contains content from third-party providers. This content is provided by Google Inc ("the Provider").
YouTube is operated by Google Inc., 1600 Amphitheatre Parkway Mountain View, CA 94043, USA (“Google”).
The advanced privacy setting is enabled for YouTube videos that are embedded on our website. This means that no data of website visitors are collected and stored by YouTube unless such a video is played.
AUTOMATED COLLECTION AND PROCESSING OF DATA WHEN VISITING OUR WEBSITES
Data processing to enable website use
When you visit our websites, we collect the data necessary to enable your usage of the site (usage data). These include your IP address and data about the start and end points of your usage of the website and why you are using the website and potentially certain identification data (such as your login data if you log in to a secure area). These data are required to provide services and design services to meet user needs. These data are deleted if and when you revoke consent to processing. See below regarding the processing of pseudonymous user profiles.
// for End Customers
End customers (consumers) can utilise the A-ROSA website to find out about offers of A-ROSA Flussschiff GmbH, directly book travel, order additional cruise services and transmit data. The booking, reservation and transmission of data are only possible if the necessary personal data are entered.
Information on the website is made available publicly in the form of text, images, video and downloads with no data entry required.
A-ROSA Website: www.arosa-cruises.com
In addition, customer club members can make use of the A-ROSA Club area after logging in. This requires providing personal data for registration.
A-ROSA Club: www.arosa-cruises.com/river-cruises/my-a-rosa/a-rosa-club/a-rosa-club.html
// for Travel Agencies
Travel agencies can utilise the A-ROSA extranet to find out about offers of A-ROSA Flussschiff GmbH and make direct bookings for their customers.
Travel agencies receive login credentials after successful registration which must be used to take advantage of the additional functionalities of the A-ROSA extranet.
Information on the A-ROSA extranet is made available to travel agencies in the form of text, images, video and downloads; data entry is required in some cases.
A-ROSA extranet: www.a-rosa.de/a-rosa-extranet.html
The entire A-ROSA website is encrypted.
The A-ROSA BLOG contains information on A-ROSA cruises, travel photos and special cruise offers. This content is freely accessible to the public in the form of text, images and video.
A-ROSA BLOG (german): blog.a-rosa.de/kreuzfahrt-blog/
The entire A-ROSA BLOG is encrypted.
The KURS A-ROSA website is an exclusive online series of training units for travel agents for enhancing their A-ROSA sales knowledge. Registration is required to utilise all course functionalities.
Kurs A-ROSA (german): www.kurs.a-rosa.de
The entire KURS A-ROSA website is encrypted.
You can disable the storage of cookies via your browser configurations and delete them from your hard drive at any time. Please be advised that only limited use of our offers on the website is possible without cookies. In particular, it is not at all possible to book travel without cookies, as these are required to verify booking data.
You can however prevent certain cookies (e.g. third-party cookies) from being placed via your browser settings, for example if you wish to prevent web tracking. See the Help function of your browser for more detailed information.
The cookie storage period is 60 days.
HOW DO I CONFIGURE THE COOKIE SETTINGS OF MY BROWSER?
Jeder Browser unterscheidet sich in der Art, wie er die Cookie-Einstellungen verwaltet. Diese ist in dem Hilfemenü jedes Browsers beschrieben, welches Ihnen erläutert, wie Sie Ihre Cookie-Einstellungen ändern können. Diese finden Sie für die jeweiligen Browser unter den folgenden Links:
Internet Explorer™: support.microsoft.com/en-gb/help/17442/windows-internet-explorer-delete-manage-cookies
Opera™ : help.opera.com/Windows/10.20/de/cookies.html
PSEUDONYMOUS USAGE PROFILES FOR ADVERTISING AND MARKET RESEARCH (WEB TRACKING AND ANALYSIS)
A-ROSA uses web tracking systems (if you have consented to the cookies) for advertising, market research and to make your use of our website as pleasant as possible. Data about the use of our website is stored in pseudonymous user profiles (your IP address is anonymised). This allows us to further develop our website and tailor the content even better to your needs. In addition, the usage profiles are used for so-called retargeting. This enables A-ROSA Flussschiff GmbH to place interesting offers on other websites that you visit. The pseudonymous usage profiles are not merged with personal data.
An explanation is provided below of how to notify the individual service providers of your objection to web tracking.
This website utilises Google Analytics, a web analytics service provided by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA ("Google"). Google Analytics employs cookies (see ‘Cookies’) to enable analysis of website usage. The information generated by the cookie about the use of this website is generally transmitted to a Google server in the USA, where it is then stored. However, your IP address is truncated and anonymised by Google within member states of the European Union and other countries party to the Agreement on the European Economic Area. Only in exceptional cases is the full IP address transmitted to a Google server in the USA and then truncated. On behalf of the operator of this website, Google will use this information to evaluate your use of the website, to compile reports about website activities and to provide for the website operator further services connected to the website use and the Internet use. The IP address transmitted by your browser as part of Google Analytics shall not be combined with other Google data.
We also use the technical extension "Google Signals", which enables cross-device tracking. This makes it possible to associate a single website visitor with different end devices. However, this only happens if the visitor has logged into a Google service when visiting the website and has also activated the "personalised advertising" option in their Google account settings. Even then, however, no personal data or user profiles become accessible to us; they remain anonymous to us.
If you do not wish to use "Google Signals", you can deactivate the "personalised advertising" option in your Google account settings.
You can prevent the storage of cookies by configuring your browser software accordingly (see ‘Cookies’) or utilising a privacy plug-in. You can also prevent recorded data generated by the cookie concerning your use of the website (including your IP address) from being sent to Google and the processing of these data by Google by downloading and installing the browser plug-in available via the following link: tools.google.com/dlpage/gaoptout. Alternatively, you can prevent collection by Google Analytics by placing an ‘opt-out cookie’ on your computer. For more information about data protection and Google Analytics, see: www.google.com/intl/en/policies/.
Google AdWords Conversion
We utilise Google Analytics for statistical analysis of data derived from the Google AdWords service. This enables us to analyse behaviour after a user clicks on our ad – whether the user purchased our product or viewed the ad from a mobile phone, for example – and thereby improve our offers. These services are also utilised so that you receive interest-based advertising. If you are opposed to this, you can disable the functionality via the Google Ads Settings: adssettings.google.com/authenticated
Google Tag Manager
We use the Hotjar web analytics service from Hotjar Ltd. on some websites. Hotjar Ltd. is a European company based in Malta (Hotjar Ltd, Level 2, St Julians Business Centre, 3, Elia Zammit Street, St Julians STJ 1000, Malta, Europe, tel.: +1 (855) 464-6788).
With this tool, movements on the websites on which Hotjar is used can be traced (so-called heat maps). For example, you can see how far users scroll and which buttons they click how often. It is also possible to use the tool to obtain feedback directly from the users of the website. In this way, we obtain valuable information in order to make our websites even faster and more customer-friendly.
When using this tool, we pay particular attention to the protection of your personal data. So we can only understand what buttons are clicked, mouse history, how far scrolled, device screen size, device type and browser information, geographic location (country only) and preferred language to display our website. Areas of the websites in which personal data of you or third parties are displayed are automatically hidden by Hotjar and are therefore not traceable at any time.
Hotjar offers every user the option of using a "Do Not Track header" to prevent the use of the Hotjar tool, so that no data about the visit to the respective website is recorded. This is a setting that all standard browsers support in current versions. To do this, your browser sends a request to Hotjar to deactivate the tracking of the respective user. If you use sipgate websites with different browsers/computers, you must set up the “Do Not Track header” separately for each of these browsers/computers.
Detailed instructions with information about your browser can be found at: www.hotjar.com/opt-out
Learn more about Hotjar Ltd. and via the Hotjar tool can be found at: www.hotjar.com
The Facebook Pixel of Facebook Inc., 4 Grand Canal Square, Grand Canal Harbour, D2 Dublin, Ireland ("Facebook") is used on this website. This enables users of this website to be tracked via other websites that use the Facebook pixel. This serves to analyze and optimize our online offer, in particular retargeting, i.e. repeated advertising on other websites and assignment to target groups for Facebook Ads. You can object to the use of the pixel here:
Link for activating/deactivating the Facebook pixel available.
In connection with this service, we process your personal data as follows:
a) Purpose of processing
We process your personal data in order to use the Facebook pixel to display advertising.
b) Legal basis for processing
The processing of your personal data for the use of the Facebook pixel for the display of advertising takes place on the basis of your consent.
c) Recipients/categories of recipients of your personal data
We disclose your personal data to Facebook.
d) Storage duration of your personal data
We store your personal data for as long as is necessary to use the Facebook pixel to display advertising.
e) Reference to third countries for the processing of your personal data
Facebook processes your personal data in the USA. The USA does not offer an adequate level of data protection. However, the processing by Facebook takes place within the framework of an adequacy decision (EU-US Privacy Shield) (Art. 45 DS-GVO).
f) Obligation to provide your personal data
You are not obliged to disclose personal data. If you have not used the above-mentioned function to deactivate tracking by the Facebook pixel, it is not possible to access this website without processing your personal data within the framework of the Facebook pixel.
Usage of service services
After you make a booking, you as our customer will have the opportunity to rate our online booking procedure on the well-known, reliable consumer review website Trustpilot. By leaving a review, you will also help other customers make the decision to book online with A-ROSA. To enable you to do this, we will send you an e-mail within 48 hours of your booking and invite you to submit a review through Trustpilot. This is a one-off e-mail that will be sent to the e-mail address you provided when you made the booking. You will then be able to leave a review. Reviews are voluntary and we will not collect any further information during the process. The data you provide (e-mail address) enabling us to invite you to submit a review through Trustpilot will be erased within 7 days.
Rights of the data subject
You can request information about the data stored about you by A-ROSA Flussschiff GmbH or A-ROSA Reederei GmbH free of charge at any time and - insofar as the legal requirements are met - their correction, blocking and deletion. In the above cases and if you are contacted by A-ROSA Flussschiff GmbH for advertising purposes, you can exercise your right to object. If you have given your consent under data protection law, you can revoke this at any time with effect for the future.
YOUR RIGHTS IN THE OVERVIEW
RIGHT TO INFORMATION
Pursuant to Article 15 GDPR, data subjects have the right to obtain information from a processor about which personal data of theirs is stored by that processor.
RIGHT TO CORRECTION
If a data subject finds that his/her personal data on file are incorrect, these data must be corrected pursuant to Article 16 GDPR.
RIGHT TO DELETION ("RIGHT TO BE FORGOTTEN")
Data subjects have the right pursuant to Article 17 GDPR to request the deletion of their data. Deletion is only permitted however after any statutory retention periods have elapsed.
RESTRICTION FROM PROCESSING
You may have the right to restrict data from processing pursuant to Article 18 GDPR under certain circumstances (such as if you as the data subject disagree with the data processor as to whether data stored are correct).
Pursuant to Article 21 GDPR, you may object to the processing of your personal data at any time with non-retrospective effect. Please note that if you file an objection with respect to mandatory data required for the use of our offer, you will no longer be able to use the offer.
You enjoy a right to data portability under Article 20 GDPR in certain processing cases if the data were collected on the basis of consent or for performance of a contract.
To exercise your rights as data subject, please contact A-ROSA Flussschiff GmbH and/or the data protection officer of A-ROSA Flussschiff GmbH either in person or in writing.
If you wish to make use of your data subject rights, please contact A-ROSA Flussschiff GmbH or A-ROSA Reederei GmbH and/or the data protection officer of A-ROSA Flussschiff GmbH or A-ROSA Reederei GmbH personally or in writing.
NAME AND CONTACT DETAILS OF THE CONTROLLER
A-ROSA Flussschiff GmbH, Loggerweg 5, 18055 Rostock, Germany
email@example.com, Telefon +49 (381) 440 40 100
Managing Director: Jörg Eichler (CEO)
A-ROSA Reederei GmbH, Kasernenstrasse 92, 7000 Chur, Switzerland
firstname.lastname@example.org, Telefon +41 812543840
Managing Director: Mr Markus Zoepke, Mrs Daniela Sandmann
Data protection officer:
Data protection offer, Mr G. Laaser
RIGHT TO FILE A COMPLAINT
If you are of the opinion that the processing of your personal data violates data protection law, you can contact the data protection officer of A-ROSA Flussschiff GmbH in accordance with Article 38 Paragraph 3 DS-GVO (for contact details see the Data Protection Officer section) or in accordance with Article 77 Paragraph 1 DS-GVO contact a competent supervisory authority. The supervisory authority responsible for A-ROSA Flussschiff GmbH is:
The Commissioner for Data Protection and Freedom of Information of the Federal State of Mecklenburg-Vorpommern
Phone: +49 385 59494 0
Fax: +49 385 59494 58
Website: www.datenschutz-mv.de; www.informationsfreiheit-mv.de
Data protection information from 1st March 2022