Data Privacy | Therme Euskirchen
1) Name and address of the data controller
2) Name and address of the data protection officer
3) General information on data processing
- 3.1 Scope of the processing of personal data
- 3.2 Legal basis for the processing of personal data
- 3.3 Data deletion and storage period
4) Provision of the website and creation of log files
- 4.1 Description and scope of data processing
- 4.2 Legal basis for data processing
- 4.3 Purpose of data processing
- 4.4 Duration of storage
- 4.5 Possibilities of objection and removal
- 5.1 Description and scope of data processing
- 6.1 Description and scope of data processing
- 6.2 Legal basis for data processing
- 6.3 Purpose of data processing
- 6.4 Duration of data storage
- 6.5 Possibility of objection and removal
- 7.1 Description and scope of data processing
- 7.2 Legal basis for data processing
- 7.3 Purpose of data processing
- 7.4 Duration of data storage
- 7.5 Possibility of objection and removal
8) Contact form and contact by e-mail
- 8.1 Description and scope of data processing
- 8.2 Legal basis
- 8.3 Purpose of data processing
- 8.4 Duration of storage
- 8.5 Possibilities of objection and elimination
9) Web tracking and web analysis by Google Analytics
- 9.1 Handling of processing
- 9.2 Legal basis for data processing
- 9.3 Purpose of data processing
- 9.4 Duration of storage
- 9.5 Possibility of objection and elimination
10) Google Adwords
11) Google Web Fonts
12) Google Maps
13) Google Tag Manager
14) Use of Cookiebot
15) The Trade Desk
17) Facebook Pixels
20) Marketing Automation with Mautic
21) Walls.io plugin
22) Presence on Facebook
24) Online Shop
25) Application for a spa card / premium card
- 25.1 Handling of processing
- 25.2 Legal basis for data processing
- 25.3 Recipients
- 25.4 Storage period
- 25.5 Transfer to third countries
26) Direct marketing
- 26.1 Description and scope of data processing
- 26.2 Legal basis for data processing
- 26.3 Purpose of data processing
- 26.4 Duration of storage
- 26.5 Possibilities of objection and elimination
27) Legal defense and enforcement
- 27.1 Description and scope of data processing
- 27.2 Purpose of data processing
- 27.3 Duration of storage
- 27.4 Possibilities of objection and elimination
28) Categories of recipients
29) Rights of the data subjects
- 29.1 Right to information
- 29.2 Right to rectification
- 29.3 Right to restriction of processing
- 29.4 Right to erasure
- 29.5 Right to information
- 29.6 Right to data portability
- 29.7 Right to object
- 29.8 Right to revoke declaration of consent under data protection law
- 29.9 Automated decision in individual cases including profiling
- 29.10 Right to complain to a supervisory authority
30) Note on the data protection declaration
1) Contact details of the controller
The responsible body within the meaning of the data protection laws, in particular the EU data protection basic regulation (DSGVO), is
Thermen & Badewelt Euskirchen GmbH
Phone +49 2251/1485 0
(hereinafter referred to as "we" or "our")
2) Contact details of the data protection officer
The protection of your personal data is of great importance to us. To express this importance, we have commissioned a consulting firm specializing in data protection and data security to take on these central issues. We are advised by:
Straubinger Straße 7
94405 Landau an der Isar
3) General information on data processing
3.1 Scope of the processing of personal data
As a matter of principle, we process your personal data only insofar as this is necessary for the performance of our services. Your personal data is regularly processed only on the basis of your consent. An exception applies in those cases where obtaining prior consent is not possible for actual reasons or the processing of your personal data is permitted by law.
3.2 Legal basis for the processing of personal data
Insofar as we obtain consent from you for the processing of personal data, Art. 6 (1) lit. a EU-DSGVO serves as our legal basis.
When processing personal data that is necessary for the performance of a contract between you and us, Art. 6 (1) lit. b EU-DSGVO serves as our legal basis. This also applies to processing operations that are necessary for the performance of pre-contractual measures.
Insofar as processing of personal data is necessary for compliance with a legal obligation to which we are subject, Art. 6 (1) c EU-DSGVO serves as the legal basis for us.
In the event that vital interests of you or another natural person make processing of personal data necessary, Art. 6 (1) (d) EU-DSGVO serves as our legal basis.
If the processing is necessary to protect a legitimate interest of us or a third party and your interests, fundamental rights and freedoms do not outweigh the former interest, then Art. 6 (1) lit. f EU-DSGVO serves us as the legal basis for the processing.
3.3 Data deletion and storage period
Your personal data will be deleted or blocked as soon as the purpose of storage ceases to apply. Storage may take place beyond this if this has been provided for by the European or national legislator in Union regulations, laws or other provisions to which we are subject. Data will also be blocked or deleted if a storage period prescribed by the aforementioned standards expires, unless there is a need to continue storing the data for the conclusion or performance of a contract.
4) Provision of the website and creation of log files
4.1 Description and scope of data processing
Each time our website is called up, our system automatically collects data and information from the computer system of the calling computer. The following data is collected in this process:
- Information about the browser type and the version used.
- The operating system of the user
- The user's Internet service provider
- The IP address of the user
- Date and time of access
- The amount of data transferred
- Referrer URL
This data is also stored in the log files of our system. This data is not stored together with other personal data of the user.
4.2 Legal basis for data processing
The legal basis for the processing of your personal data in the context of providing the website and creating log files is Art. 6 (1) lit. f EU-DSGVO.
4.3 Purpose of data processing
The temporary storage of your personal data by us is necessary to enable delivery of the website to your computer. For this purpose, your personal data must be stored for the duration of the session.
The storage of your personal data in log files is done to ensure the functionality of the website. In addition, we use your personal data to optimize the website and to ensure the security of our information technology systems. An evaluation of your personal data for marketing purposes does not take place in this context.
These purposes are also our legitimate interest in data processing according to Art. 6 Para. 1 lit. f EU-DSGVO.
4.4 Duration of storage
Your personal data will be deleted as soon as they are no longer required to achieve the purpose for which they were collected. In the case of the collection of your personal data for the provision of the website, this is the case as soon as the respective session has ended.
In the case of storage of your personal data in log files, these are deleted after seven days at the latest. Storage beyond this period is possible. In this case, your personal data will be deleted or alienated so that an assignment of the calling client is no longer possible.
4.5 Possibilities of objection and removal
The collection of your personal data to provide the website and the storage of your personal data in log files is mandatory for the operation of the website. Consequently, there is no possibility for you to object.
5.1 Description and scope of data processing
When you access this website, we store cookies (small files) on your device. These have a validity of:
Name: Storage period:
- TDCPM 1 year
- TDID 1 year
- __cfduid 1 month
- _fbp 3 months
- _ga 2 years
- _gat_ 1 day
- _gid 1 day
- Collect end of session
- ads/ga-audiences end of session
- uslk_e 1 year
- uslk_s end of session
- CookieConsent 1 year
- PHPSESSID End of session
- SERVERID End of session
- SESS# 20 years
- apay-session-set 1 year
- uslk_in_service_time Persistent
- _uslk_test End of session
- _uslk_widget_key End of session
- mtc_id Persistent
- mtc_sid End of session
- mtc_social_login Persistent
- uslk_e 1 year
- fr 3 months
- tr End of session
- ANID 11 months
- CONSENT 18 years
- NID 6 months
- caymland_device_id Persistent
- caymland_referer_id 1 day
- caymland_session_id 1 year
- language 1 day
- HEX (32) End of session
- AWSALBCORS 6 days
- mtpConfigFeed# Persistent
- mtpConfigFeedBase# Persistent
- mtpDeckchairSprite# Persistent
- mtpTemplates# Persistent
- mtpTranslations# Persistent
- accomodationIds-# 1 day
- #GUID#23 1 year
6.1 Our website offers you a newsletter in which we inform you about news and offers. If you would like to subscribe to the newsletter, you must provide a valid e-mail address. By subscribing to the newsletter, you agree to receive the newsletter and to the explained procedures. To subscribe to the newsletter, the following data must be provided:
- E-mail address (mandatory field)
- First name
The newsletter is sent by the open source provider Mautic of Mautic Inc. The tool is operated exclusively on servers in Germany. Information about the data protection regulations of the dispatch service provider can be found at: https://www.mautic.org/what-is-mautic.
6.2 Legal basis for data processing
The legal basis for the processing of your personal data within the scope of the newsletter dispatch is Art. 6 para. 1 lit. a EU-DSGVO if consent has been given or as a result of the sale of goods or services the legal permission of § 7 para. 3 UWG.
6.3 Purpose of data processing
The purpose of collecting your personal data is to send the newsletter to you. The purpose of processing your personal data in the context of sending the newsletter is to promote the sale of goods or services.
6.4 Duration of storage
Your personal data will be deleted as soon as they are no longer required to achieve the purpose for which they were collected. Accordingly, your personal data will be stored as long as the subscription to the newsletter is active.
6.5 Possibility of objection and removal
You can cancel your subscription to the newsletter at any time. For this purpose, you will find a corresponding link in each newsletter. Cancellation of the subscription also enables revocation of consent.
7.1 Description and scope of data processing
On our website, you must register in order to accelerate the conclusion of the contract. Accordingly, the processing of your personal data contributes to the performance of the contract or the implementation of pre-contractual measures.
The following data is stored during registration:
- First name*
- Last name*
- Repeat e-mail*
- House number*
For the processing of the data, reference is made to this data protection declaration within the scope of the registration process.
7.2 Legal basis for data processing
The legal basis for processing your personal data as part of the registration process is Art. 6 (1) lit. b EU-DSGVO.
7.3 Purpose of data processing
Your registration enables the simplified conclusion of contracts between you and us. The processing of your personal data within the scope of registration is therefore necessary for the fulfillment of a contract between you and us or for the implementation of pre-contractual measures.
7.4 Duration of storage
Your data will be deleted as soon as it is no longer required to achieve the purpose for which it was collected. This is the case for data collected during the registration process for the performance of a contract or for the performance of pre-contractual measures when your personal data is no longer required for the performance of the contract. Even after the conclusion of the contract, there may be a need to store personal data of the contractual partner in order to comply with contractual or legal obligations.
7.5 Possibility of objection and removal
You have the option to cancel your registration at any time. You can have the personal data stored about you changed at any time. If your personal data is required for the fulfillment of a contract or for the implementation of pre-contractual measures, an early deletion of your personal data is only possible insofar as contractual or legal obligations do not prevent a deletion.
8) Contact form and contact by e-mail
8.1 Description and scope of data processing
A contact form is available on our website, which can be used for electronic contact. If you take advantage of this option, the data entered in the input mask will be transmitted to us and stored. These data are:
- First name*
- House number
- ZIP CODE
- E-mail address
- Your message*
Alternatively, it is possible to contact us via the e-mail address provided. In this case, your personal data transmitted with the e-mail will be stored. In this context, the data will not be passed on to third parties. The data will be used exclusively for processing the conversation.
8.2 Legal basis
The legal basis for the processing of your personal data transmitted in the event of contact being made via the contact form or by e-mail is Art. 6 (1) lit. f EU-DSGVO. If the contact via the contact form or by e-mail aims at the conclusion of a contract, Art. 6 (1) lit. b EU-DSGVO is an additional legal basis for the processing.
8.3 Purpose of data processing
The processing of your personal data in the event of contact via the contact form or by e-mail serves us solely to process the contact.
8.4 Duration of storage
Your personal data will be deleted as soon as they are no longer required to achieve the purpose for which they were collected.
For personal data from the input mask of the contact form and those sent by e-mail, this is the case when the conversation has ended. The conversation is ended when it is clear from the circumstances that the matter in question has been conclusively clarified. In the case of facts that have not been conclusively clarified, such as reports of loss or lost property, the transmitted data is automatically deleted after 6 months. Any additional personal data collected during the sending process will be deleted after a period of seven days at the latest.
8.5 Possibilities of objection and elimination
You have the option at any time to object for the future to the processing of your personal data in the context of contacting us via the contact form or by e-mail. In such a case, the conversation between you and us cannot be continued. All personal data stored in the course of contacting you will be deleted in this case.
9) Web tracking and web analysis through Google Analytics
9.1 Handling of processing
This website uses Google Analytics, the web analytics service of Google Inc. (hereinafter "Google"). Google Analytics uses "cookies", which are text files placed on your computer, to help the website analyze how users use the site. The information generated by the cookie about your use of this website is usually transmitted to a Google server in the USA and stored there. In the event that IP anonymization is activated on this website, however, your IP address will be truncated beforehand by Google within member states of the European Union or in other contracting states to the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and shortened there. On behalf of the operator of this website, Google will use this information for the purpose of evaluating your use of the website, compiling reports on website activity and providing other services relating to website activity and internet usage to the website operator. The IP address transmitted by your browser as part of Google Analytics will not be merged with other data from Google.
You can also prevent the collection of data generated by the cookie and related to your use of the website (including your IP address) to Google and the processing of this data by Google by downloading and installing the available browser plugin.
You can prevent the collection by Google Analytics by clicking on the following link. An opt-out cookie will be set, which will prevent the future collection of your data when visiting this website:
Disable Google Analytics
9.2 Legal basis for data processing
The legal basis for the processing of your personal data is Art. 6 (1) lit. f EU-DSGVO.
9.3 Purpose of data processing
The processing of your personal data enables us to analyze your surfing behavior. By evaluating the data obtained, we are able to compile information about the use of the individual components of our website. This helps us to continuously improve our website and its user-friendliness. These purposes are also our legitimate interest in processing your personal data according to Art. 6 para. 1 lit. f EU-DSGVO. By anonymizing your IP address, your interest in the protection of personal data is sufficiently taken into account.
9.4 Duration of storage
Your personal data will be deleted as soon as they are no longer required for our aforementioned purposes.
9.5 Opt-out and opt-out options
If you want to disable Google Analytics, visit this page and install the Google Analytics disable add-on for your browser. For detailed information on installing and uninstalling the add-on, see the relevant help resources for your browser.
Browser and operating system updates may cause the opt-out add-on to stop working as intended. For more information on managing add-ons for Chrome, click here. If you're not using Chrome, check directly with your browser manufacturer to see if add-ons work properly in the browser version you're using.
The latest versions of Internet Explorer occasionally load the Google Analytics disable add-on after sending data to Google Analytics. Therefore, if you use Internet Explorer, the add-on will install cookies on your computer. These cookies ensure that any data collected is immediately deleted from the server that collected the data. Make sure that third-party cookies are not disabled for Internet Explorer. If you delete your cookies, the add-on will reset these cookies within a short period of time to ensure that your Google Analytics browser add-on continues to work without restrictions.
www.google.com/analytics/terms/de.html or at support.google.com/analytics/answer/6004245. IP anonymization is activated on this website.
10) Google Adwords
As part of our use of Google Adwords, we use Google Conversion Tracking. This is an analysis service of Google LLC (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; "Google").
When you reach our website via a Google ad, Google Adwords sets a cookie on your device ("conversion cookie"). This cookie loses its validity after 30 days. It is not used for personal identification. If the cookie has not yet expired when you visit certain pages on our site, we and Google can recognize that someone has clicked on the ad and thus been redirected to our site. Each AdWords customer receives a different cookie. Cookies can therefore not be tracked through the websites of AdWords customers.
11) Google Web Fonts
For the uniform display of fonts, this website can use the so-called Google Web Fonts.
When using these fonts, your browser downloads the required fonts from our website system. These are then temporarily stored in the so-called browser cache in order to display the fonts correctly.
During this process, your browser does not establish a connection to Google's servers. This ensures that Google does not gain knowledge of your call or your IP address.
12) Google Maps
This site uses the map service Google Maps via an API. The provider is Google Inc, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.
To use the functions of Google Maps, it is necessary to store your IP address. This information is usually transferred to a Google server in the USA and stored there. The provider of this site has no influence on this data transmission.
The use of Google Maps is in the interest of an appealing presentation of our online offers and an easy location of the places indicated by us on the website.
Google Maps is only used on the basis of consent in accordance with Art. 6 Para. 1 lit. a DSGVO.
13) Google Tag Manager
On this We use on our website the Google Tag Manager of Google LLC. (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; "Google"). If you have your habitual residence in the European Economic Area or Switzerland, Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland) is the controller of your data. Google Ireland Limited is therefore the company affiliated with Google that is responsible for processing your data and complying with applicable data protection laws.
The Google Tag Manager itself neither stores cookies nor does it process personal data. However, it enables the triggering of other tags that can collect and process personal data.
14) Use Cookiebot
We use functions of the provider Cookiebot on our website. The company behind Cookiebot is Cybot A/S, Havnegade 39, 1058 Copenhagen, DK. Cookiebot offers us, among other things, the possibility to provide you with a comprehensive cookie notice (also called cookie banner or cookie notice). By using this feature, data from you may be sent to Cookiebot or Cybot, stored and processed.
For more information, please visit: https://www.cookiebot.com/de/privacy-policy/.
15) The Trade Desk
On our website we use the tool The Trade Desk of The UK Trade Desk Ltd. (Co. No. 8539108), 10th Floor, 1 Bartholomew Close, London EC1A 7BL, United Kingdom. The Trade Desk offers a technology known in the advertising industry as Demand Side Platform (DSP). In simple terms, this means that digital advertising campaigns can be managed across a variety of channels such as websites, apps, audio platforms and smart TVs.
By means of cookies, pseudonymized data and data that does not serve to identify individuals is collected and transmitted to The Trade Desk. This includes in particular, but is not limited to, your shortened and thus pseudonymized IP address, the date and time of the website call, the location of the device with which you access our website (e.g. through the GPS signal of the device used, Bluetooth or the WLAN signal), page views and interaction with the page and the referencing page (referrer). This data is transmitted to the Demand Side Platform and linked there with your pseudonymous ID. This happens across websites on all platforms that use this technology. The purpose of the data collection and processing is to only deliver advertisements to you that are based on your previous interests and are therefore of higher relevance to you. Your personal data is pseudonymized before being transferred to The Trade Desk's Demand Side Platform. There is a third party transfer to the USA.
For further information on the technology used by The Trade Desk and on data protection, please see the following link: http://thetradedesk.com/general/privacy-policy.
When collecting data, we rely on your consent in accordance with Art. 6 Para. 1 lit. a EU-DS-GVO for the corresponding data processing, which you can of course also revoke at any time by changing the privacy settings.
This website uses the Cloudfront Content Delivery Network (CDN). This is a service provided by Amazon Web Services Inc, 410 Terry Avenue North, Seattle, WA 98109-5210. The Cloudfront CDN makes duplicates of a website's data available on various Amazon Web Services (AWS) servers distributed around the world. This provides faster website load times, increased resiliency, and increased protection against data loss. Some of the images and videos embedded on this website are obtained from the Cloudfront
CDN when you visit the site. Through this retrieval, information about your use of our website (such as your IP address) is transmitted to Amazon's servers in other EU countries and stored there. This happens as soon as you enter our website. The use of Amazon Web Services and the Amazon CDN Cloudfront is done in the interest of a higher reliability of the website, increased protection against data loss and a better loading speed of this website. This constitutes a legitimate interest within the meaning of Art. 6 (1) lit. f DSGVO. You can find out more about the data protection measures of Amazon Web Services at: https://aws.amazon.com/de/data-protection/.
17) Facebook Pixels
If you have given us your express consent by clicking a button provided for this purpose, we use the "Facebook pixel" of Facebook Inc., 1601 S. California Ave, Palo Alto, CA 94304, USA ("Facebook") within our website. This allows us to track the behavior of users after they have seen or clicked on a Facebook ad. This procedure is used to evaluate the effectiveness of Facebook ads for statistical and market research purposes and can help to optimize future advertising measures. The data collected is for us, so it does not offer us any conclusions about the identity of the users. However, the data is stored and processed by Facebook, so that a connection to the respective user profile is possible and Facebook can use the data for its own advertising purposes, in accordance with the Facebook Data Use Policy (https://www.facebook.com/about/privacy/).
This website uses Mouseflow, a web analytics tool provided by Mouseflow ApS, Flaesketorvet 68, 1711 Copenhagen, Denmark. The purpose of data processing is to analyze this website and its visitors. For this purpose, data is collected and stored for marketing and optimization purposes. From this data, usage profiles can be created under a pseudonym. Cookies can be used for this purpose. With the web analysis tool Mouseflow, randomly selected individual visits (only with anonymized IP address) are recorded. This creates a log of mouse movements and clicks with the intention of randomly replaying individual website visits and deriving potential improvements for the website. The data collected with Mouseflow will not be used to personally identify the visitor to this website without the separately granted consent of the data subject and will not be merged with personal data about the bearer of the pseudonym. The processing is carried out on the basis of Art. 6 (1) lit. f DSGVO from the legitimate interest in direct customer communication and in the design of the website in line with requirements. You have the right to object at any time to this processing of personal data relating to you based on Art. 6 (1) f DSGVO for reasons arising from your particular situation. To do this, you can deactivate a recording on all websites that use Mouseflow globally for the browser you are currently using at the following link: https://mouseflow.de/opt-out/
If you are interested in commissioned data processing, you can conclude this with us directly via RightSignature online: https://mouseflow.de/gdpr/
20) Marketing automation with Mautic
Mautic is used in the following activities:
- Email marketing and campaigns
- Landing pages
- Website analytics
Mautic records technical events (such as page views or reading an email) using the following techniques:
- Tracking pixels to detect if, for example, an email has been opened Personalized web links to detect if, for example, a user accesses a link from an email
- cookies to recognize individual users (these so-called "first-party cookies" are stored on the user's device when the website is visited for the first time and can only be set and evaluated by us)
- currently used IP address (this is transmitted to us each time our website is called up and is used to recognize users of the website)
- The data collected in the process are:
- activity on our website,
- the number of page views and dwell time of the website visitor,
- the click path of the respective visitor
- downloads of files provided through the website,
- visits to landing pages,
- openings of e-mails from newsletters and campaigns,
- browser type/version, browser language, inner resolution of the browser window and screen resolution, and browser loading speed,
- the operating system used,
- the Internet service provider used,
- the input method (including touchscreen),
- the device used (desktop, tablet, cell phone),
- the reference/referrer URL (the previously visited page),
- the type of access (direct access or paid access),
- the time and date of access,
- demographic: your age, gender (salutation via form details),
- geographical data: Your location,
- your behavior: new visitor/recurring visitor, session duration incl. date of leaving our site, page depth, page views, bounce rate, pages/session, date, search terms via Sitesearch, page visited,
- downloads (file names),
- the redirect URL (pages you are redirected to) with page title,
- the access User Agent (browser of the Mautic user),
- chat history (if offered and used),
- the access code.
In the context of a registration on the website, we collect through the use of Mautic:
- Contact data (gender (salutation), first and last name, e-mail address, date of birth).
- the IP address of the terminal device from which the use of the website takes place.
The released data are clearly recognizable for the user by filling out a form. In doing so, it is marked which data is necessary to submit the form.
We collect and use data with Mautic only to the extent necessary to achieve business objectives. The data will not be transmitted to third parties at any time.
Mautic is only used peronalizable if you have explicitly consented to this. You can revoke this consent at any time to the contact person named by us above. In this case, all tracking data collected by means of mautic will be deleted immediately.
Our website uses social media plugins or widgets from Walls.io. When these plugins are called up, the IP address and cookie information are transmitted to Walls.io, solely due to technical necessities for offering the service. This data is only stored by Walls.io in Europe and is not shared with third parties.
22) Facebook presence
To extend our Internet presence, we offer a Facebook page. This is a service of Facebook Ireland Ltd, 4 Grand Canal Square Grand Canal Harbour, Dublin 2, Ireland.
We would like to point out that you use this Facebook page and its functions on your own responsibility. This applies in particular to the use of the interactive functions (e.g. commenting, sharing, rating).
When you visit our Facebook page, Facebook collects, among other things, your IP address and other information that is present on your PC in the form of cookies. This information is used to provide us, as operators of the Facebook pages, with statistical information about the use of the Facebook page. Facebook provides more detailed information on this at the following link: https://de-de.facebook.com/help/pages/insights.
The data collected about you in this context is processed by Facebook Ltd. and may be transferred to countries outside the European Union in the process. Facebook describes in general terms what information it receives and how it is used in its data usage guidelines. There you will also find information on how to contact Facebook and on the settings options for advertisements. The data usage guidelines are available at the following link: https://de-de.facebook.com/about/privacy.
Facebook's full data policies can be found here: https://de-de.facebook.com/help/568137493302217
In what way Facebook uses data from visits to Facebook pages for its own purposes, to what extent activities on the Facebook page are assigned to individual users, how long Facebook stores this data and whether data from a visit to the Facebook page is passed on to third parties, is not conclusively and clearly stated by Facebook and is not known to us.
When you access a Facebook page, the IP address assigned to your terminal device is transmitted to Facebook. According to Facebook, this IP address is anonymized (for "German" IP addresses) and deleted after 90 days. Facebook also stores information about the end devices of its users (e.g. as part of the "login notification" function); this may enable Facebook to assign IP addresses to individual users.
If you are currently logged in to Facebook as a user, a cookie with your Facebook ID is located on your end device. This enables Facebook to track that you have visited this page and how you have used it. This also applies to all other Facebook pages. Via Facebook buttons embedded in websites, it is possible for Facebook to record your visits to these website pages and assign them to your Facebook profile. Based on this data, content or advertising can be offered tailored to you.
If you want to avoid this, you should log out of Facebook or deactivate the "stay logged in" function, delete the cookies present on your device and exit and restart your browser. In this way, Facebook information through which you can be directly identified will be deleted. This will allow you to use our Facebook page without revealing your Facebook identifier. When you access interactive features of the page (Like, Comment, Share, Message, etc.), a Facebook login screen will appear. After any login, you will again be recognizable to Facebook as a specific user.
Information on how to manage or delete information about you can be found on the following Facebook support pages: https://de-de.facebook.com/about/privacy#.
As the provider of the information service, we also collect and process the following data from your use of our service: publicly viewable data from the user profile of the person concerned. This includes, for example, the user name, profile picture, content of comments written on our posts.
You can also find more information about Facebook and other social networks and how you can protect your data at youngdata.de.
Our website uses plugins from the Instagram network, which is operated by Facebook Inc. 1601 S. California Ave, Palo Alto, CA 94304, USA ("Facebook").
When you click on the Instagram button, a direct connection is established between your browser and the Instagram server via the plugin. This transmits the information to Instagram that you have visited our site with your IP address.
The purpose and scope of the data collection and the further processing and use of this data by Instagram is not known to us. In this regard and with regard to your rights and setting options for protecting your privacy, we ask you to observe the corresponding data protection information from Instagram: https://help.instagram.com/155833707900388
24) Online Shop
Purchase of vouchers, packages and admission tickets: Insofar as you reserve a day-linked spa admission, purchase vouchers or purchase other products in our online shop on our website, the data entered will be processed for the following purposes:
- To enable us to identify you as a customer, process, fulfil and complete your order.
- Necessary correspondence with you for the fulfilment of the contract
- Invoicing and processing of any liability claims that may exist
- Enforcement, exercise and defence of legal claims against you
In doing so, we process the following personal data:
- Surname, first name
- Street, postcode, place of residence, country
- Telephone number
- E-mail address
- Password (optional, only if you have created a customer account)
- Reservation history
Consequently, our processing serves the performance of a contract within the meaning of Art. 6 (1) lit. b DSGVO.
We also process and use your data
- to create a customer account (optional, only if you create a customer account);
- to contact you, if requested by you or required within the framework of a contractual relationship or permitted by law.
- For electronic advertising in accordance with § 7 para. 3 UWG for the same or similar services of Thermen & Badewelt Sinsheim using e-mail, provided that we have received your e-mail address from you in connection with the sale of a service and you do not object to the use of the e-mail address. You can object to this use of your e-mail address at any time without incurring any costs other than the transmission costs according to the basic rates. If this permission standard cannot justify electronic advertising, we will instead obtain your consent from you in accordance with Art. 6 Para. 1 lit. a) DSGVO. You can revoke this declaration of consent at any time by clicking on the unsubscribe link at the end of the respective e-mail newsletter.
The personal data we collect will only be passed on to third parties if this is necessary to process the contract or due to legal requirements:
- A contract in accordance with Art. 28 DSGVO has been concluded in each case with any integrated order processors in order to ensure data protection-compliant and secure data processing.
- In the course of ordering and shipping products, personal data relating to the order may be viewed by employees of WUND Holding, as well as Bluphoria GmbH if applicable, when the corresponding packages are packed and prepared for shipping.
- The personal data collected by us will be passed on to the transport company commissioned with the delivery as part of the contract processing, insofar as this is necessary for the delivery of the goods.
- We pass on your payment data to the commissioned credit institution in the context of processing payments. Transfers to state institutions or authorities only take place within the framework of mandatory national legal provisions.
When paying via PayPal, credit card via PayPal, direct debit via PayPal or - if offered - "purchase on account" via PayPal, we pass on your payment data to PayPal (Europe) S.à r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg (hereinafter "PayPal") as part of the payment processing.
PayPal reserves the right to conduct a credit check for the payment methods credit card via PayPal, direct debit via PayPal or - if offered - "purchase on account" via PayPal. PayPal uses the result of the credit check with regard to the statistical probability of non-payment for the purpose of deciding on the provision of the respective payment method.
Instant bank transfer:
On our website we offer, among other things, payment by "Sofortüberweisung". The provider of this payment service is Sofort GmbH, Theresienhöhe 12, 80339 Munich (hereinafter "Sofort GmbH").
With the help of the "Sofortüberweisung" procedure, we receive a payment confirmation from Sofort GmbH in real time and can immediately begin to fulfill our obligations.
If you have chosen the payment method "Sofortüberweisung", you transmit the PIN and a valid TAN to Sofort GmbH, with which it can log into your online banking account. After logging in, Sofort GmbH automatically checks your account balance and carries out the transfer to us using the TAN you have transmitted. It then immediately sends us a transaction confirmation. After logging in, it also automatically checks your turnover, the credit line of the overdraft facility and the existence of other accounts and their balances.
In addition to the PIN and the TAN, the payment data you have entered as well as data about yourself are also transmitted to Sofort GmbH. The personal data is your first and last name, address, telephone number(s), e-mail address, IP address and, if necessary, other data required for payment processing. The transmission of this data is necessary to establish your identity beyond doubt and to prevent fraud attempts.
The transmission of your data to Sofort GmbH is based on Art. 6 para. 1 lit. a DSGVO (consent) and Art. 6 para. 1 lit. b DSGVO (processing for the performance of a contract). You have the option to revoke your consent to data processing at any time. A revocation does not affect the effectiveness of past data processing operations.
For details on payment with Sofortüberweisung, please refer to the following links: https://www.sofort.de/datenschutz.html and https://www.klarna.com/sofort/.
25) Application for a Thermencard / Premiumcard
25.1 Handling of processing
You have the option on our website to apply online for a Thermencard/Premiumcard. In doing so, we process your data for the following purposes:
- Creation, personalization, provision and administration of the Thermencard/Premiumcard.
- Participation in customer promotions (loyalty gifts, bonuses, advantage promotions) and regular customer promotions
- sending information about innovations, offers and promotions concerning the Thermencard/Premiumcard (Thermencard/Premiumcard newsletter)
- Sending information by mail
- Regular dispatch of the e-mail newsletter of Thermen & Badewelt Euskirchen.
25.2 Legal basis for data processing
The processing of your data for the individual purposes occurs in each case on the following legal basis:
- Contract fulfillment according to Art. 6 para. 1 lit. b) DSGVO.
- Legitimate interest according to Art. 6 para. 1 lit. f) DSGVO in accordance with the provisions of § 7 UWG.
Legitimate interests pursued by the person responsible:
The mailing of print media and the Thermencard/Premiumcard newsletter includes such information that is relevant to Thermencard/Premiumcard users and is based on the legitimate interest of the responsible party to advertise. Independently of this, we may and will also contact you if there are questions or concerns regarding the processing of the Thermencard/Premiumcard, insofar as this is necessary in the context of fulfilling the contract.
Our legitimate interest in advertising does not conflict with any higher-ranking interest of the data subject worthy of protection, as we observe the provisions of Section 7 (3) of the German Unfair Competition Act (UWG) for e-mail advertising for the processing. Accordingly, advertising via electronic mail is permissible even without consent if we have received your e-mail address from a contractual relationship, the advertising is only for the same or similar products, you have not objected to the use of your data for advertising purposes and you are informed of your right to object when the data is collected and each time it is used for advertising purposes.
If you do not wish to receive any further advertising from us, you can object to the use of your data for advertising purposes at any time in the future. To do so, please contact us at firstname.lastname@example.org or use the unsubscribe link at the end of each e-mail newsletter.
The collection and processing of your Thermencard/Premiumcard is carried out exclusively by authorized employees of Thermen & Badewelt Euskirchen GmbH, who have been obligated in writing to maintain confidentiality. When processing your data for the purpose of sending electronic newsletters, we work with a processor with whom a contract for order processing has been concluded in accordance with Art. 28 DSGVO.
25.4 Storage period
We store your data,
- if the processing is based on a legitimate interest on our part, at most until you object to this processing.
- if we need the data to perform a contract, at most for as long as the contractual relationship with you exists or statutory retention periods run.
The data stored by us will be deleted if it is no longer required for its intended purpose and the deletion is not contrary to any legitimate interests or legal retention obligations.
If the data is not deleted because it is required for other and legally permissible purposes, its processing will be restricted. I.e. the data is blocked and not processed for other purposes. This applies, for example, to user data that must be retained for reasons of commercial or tax law.
25.5 Transfer to third countries
There is no data transfer to third countries outside the European Union.
25.6 Provision prescribed or required
The provision of your data is required for the creation and, if necessary, issuance of a new Thermencard/Premiumcard in the event of loss.
26) Direct marketing
26.1 Description and scope of data processing
Our company processes personal data such as address and name in order to send you advertising by mail and thereby increase sales of the sale of goods or services.
26.2 Legal basis for data processing
The legal basis for the processing of your personal data in the context of direct marketing by mail is Art. 6 (1) lit. f EU-DSGVO.
26.3 Purpose of data processing
The purpose of processing your personal data in the context of direct marketing by mail is to promote the sale of goods or services. This purpose is our legitimate interest in data processing according to Art. 6 (1) lit. f EU-DSGVO.
26.4 Duration of storage
Your personal data will be deleted as soon as they are no longer required to achieve the purpose for which they were collected; this is the case in particular upon receipt of the objection.
26.5 Possibilities of objection and elimination
You may object to the processing of your personal data in the context of direct marketing by mail at any time for the future.
27) Legal defense and enforcement
27.1 Description and scope of data processing
Our company aims to protect itself from unauthorized claims by defending itself against them. We also enforce claims and rights to which we are entitled.
For this purpose, it is necessary to process personal data.
These consist of the legally relevant data of the data subjects.
27.2 Purpose of data processing
The purpose of processing your personal data in the context of legal defense and enforcement is the defense against unjustified claims and the legal enforcement of claims and rights. This purpose is our legitimate interest in data processing according to Art. 6 (1) lit. f EU-DSGVO.
27.3 Duration of storage
Your personal data will be deleted as soon as they are no longer required to achieve the purpose for which they were collected.
27.4 Possibilities of objection and elimination
The processing of your personal data in the context of legal defense and enforcement is mandatory for legal defense and enforcement. Consequently, there is no possibility for you to object.
28) Recipient categories
Within our company, those offices and departments receive personal data that need it to fulfill the aforementioned purposes. In addition, we sometimes use different service providers and transfer your personal data to other trustworthy recipients. These may be, for example:
- Scan service
- IT service providers
- Lawyers and courts
29) Rights of the data subjects
29.1 Right to information
In accordance with Art. 15 EU-DSGVO, you may request confirmation from the controller as to whether personal data concerning you is being processed by us.
If such processing is taking place, you can request information from the controller pursuant to Art. 15 (1) EU-DSGVO about the following information:
- the purposes for which the personal data are processed
- the categories of personal data which are processed
- the recipients or categories of recipients to whom the personal data concerning you have been or will be disclosed
- the planned duration of the storage of the personal data concerning you or, if concrete information on this is not possible, criteria for determining the storage duration
- the existence of a right to rectification or erasure of the personal data concerning you, a right to restriction of processing by us or a right to object to such processing
- the existence of a right of appeal to a supervisory authority
- any available information about the origin of the data, if the personal data is not collected from the data subject
- the existence of automated decision-making, including profiling, pursuant to Article 22(1) and (4) EU GDPR and - at least in these cases - meaningful information about the logic involved and the scope and intended effects of such processing for you. You have the right to request information about whether the personal data concerning you is transferred to a third country or to an international organization. In this context, you may request to be informed about the appropriate safeguards pursuant to Article 46 EU GDPR in connection with the transfer.
If this data is transferred to a third country or to an international organization, you have the right to be informed about the appropriate safeguards pursuant to Art. 46 EU GDPR in connection with the transfer in accordance with Art. 15 (2) EU GDPR
29.2 Right to rectification
Based on Art. 16 EU-DSGVO, you have a right to rectification and/or completion vis-à-vis the controller if the processed personal data concerning you are inaccurate or incomplete. We shall carry out the rectification without undue delay
29.3 Right to restriction of processing
As follows from Article 18 (1) EU GDPR, you may request the restriction of the processing of personal data concerning you under the following conditions:
- if you dispute the accuracy of the personal data concerning you for a period of time which enables the controller to verify the accuracy of the personal data (Art. 18 (1) a EU-DSGVO)
- the processing is unlawful and you object to the erasure of the personal data and request instead the restriction of the use of the personal data (Art. 18 (1) (b) EU-DSGVO)
- we no longer need the personal data for the purposes of processing, but it is necessary for you to assert, exercise or defend legal claims (Art. 18(1)(c) EU GDPR)
- if you have objected to the processing pursuant to Art. 21 (1) EU-DSGVO and it has not yet been determined whether our legitimate grounds override yours. (Art. 18 para. 1 lit. d EU-DSGVO)
If the processing of personal data relating to you has been restricted, this data may - apart from being stored - only be processed with your consent or for the assertion, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of an important public interest of the Union or a Member State. (Art. 18(2) EU GDPR).
If the restriction of processing has been restricted in accordance with the above conditions, you will be informed by us before the restriction is lifted. (Art. 18 para. 3 EU-DSGVO).
29.4 Right to deletion
a) Obligation to delete
Pursuant to Art. 17 (1) EU-DSGVO, you may demand that we delete the personal data relating to you without undue delay. Furthermore, we are obliged to delete this data without delay if one of the following reasons applies:
- The personal data concerning you is no longer necessary for the purposes for which it was collected or otherwise processed. (Art. 17 para. 1 lit. a EU-DSGVO).
- You withdraw your consent on which the processing was based pursuant to Art. 6 (1) (a) or Art. 9 (2) (a) EU-DSGVO and there is no other legal basis for the processing. (Art. 17 para. 1 lit. b EU-DSGVO).
- You object to the processing pursuant to Art. 21 (1) EU-DSGVO and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Art. 21 (2) EU-DSGVO. (Art. 17 para. 1 lit. c EU-DSGVO).
- The personal data concerning you has been processed unlawfully. (Art. 17 para. 1 lit. d EU-DSGVO).
- The erasure of the personal data concerning you is necessary for compliance with a legal obligation under Union or Member State law to which the controller is subject. (Art. 17 para. 1 lit. e EU-DSGVO).
- The personal data concerning you was collected in relation to information society services offered pursuant to Art. 8 (1) EU-DSGVO. (Art. 17 para. 1 lit. f EU-DSGVO)
b) Information to third parties
If we have made the personal data concerning you public and we are obliged to erase it pursuant to Art. 17 (1) EU GDPR, we shall take reasonable steps, including technical measures, having regard to the available technology and the cost of implementation, to inform data controllers that process the personal data that you, as the data subject, have requested them to erase all links to, or copies or replications of, that personal data. (Art. 17(2) EU GDPR).
The right to erasure does not exist insofar as the processing is necessary for one of the following reasons:
- for the exercise of the right to freedom of expression and information (Article 17(3)(a) EU GDPR).
- for compliance with a legal obligation which requires processing under Union or Member State law to which we are subject, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in us (Art. 17 (3) (b) EU GDPR)
- for reasons of public interest in the area of public health pursuant to Art. 9(2)(h) and (i) and Art. 9(3) EU GDPR (Art. 17(3)(c) EU GDPR)
- for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes pursuant to Art. 89(1) EU-DSDR, insofar as the right referred to in section a) is likely to render impossible or seriously prejudice the achievement of the purposes of such processing, or (Art. 17(3)(d) EU-DSDR)
- for the assertion, exercise or defense of legal claims. (Art. 17 para. 3 lit. e EU-DSGVO).
29.5 Right to information
If you have asserted the right to rectification, erasure or restriction of processing against us, we are obliged pursuant to Art. 19 EU-DSGVO to inform all recipients to whom the personal data relating to you have been disclosed of this rectification or erasure of the data or restriction of processing, unless this proves impossible or involves a disproportionate effort. You have the right against us to be informed about these recipients.
29.6 Right to data portability
Based on Article 20 (1) EU-DSGVO, you have the right to receive the personal data concerning you that you have provided to the controller in a structured, common and machine-readable format. You also have the right to transfer this personal data to another controller without hindrance from us, provided that
- the processing is based on consent pursuant to Art. 6 (1) (a) EU GDPR or Art. 9 (2) (a) EU GDPR or on a contract pursuant to Art. 6 (1) (b) EU GDPR and (Art. 20 (1) (a) EU GDPR)
- the processing is carried out with the aid of automated procedures (Art. 20 para. 1 lit. b EU-DSGVO).
Pursuant to Art. 20(2) EU GDPR, you also have the right to obtain that the personal data concerning you be transferred directly from us to another controller, to the extent that this is technically feasible.
The exercise of the right under Article 20 (1) EU-DSGVO does not affect the right to erasure under Article 17 EU-DSGVO. This does not apply to processing that is necessary for the performance of a task, is in the public interest or is carried out in the exercise of delegated official authority. This results from Art. 20 (3) EU-DSGVO.
According to Art. 20 (4) EU GDPR, freedoms and rights of other persons must not be affected by this.
The right to data portability does not apply to processing of personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us.
29.7 Right of objection
Pursuant to Article 21 (1) EU GDPR, you have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you which is carried out on the basis of Article 6 (1) (e) or (f) EU GDPR; this also applies to profiling based on these provisions.
We will no longer process the personal data concerning you unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves the purpose of asserting, exercising or defending legal claims.
If the personal data concerning you is processed for the purposes of direct marketing, you have the right to object at any time to the processing of personal data concerning you for the purposes of such marketing; this also applies to profiling, insofar as it is related to such direct marketing.
(Art. 21 para. 2 EU-DSGVO).
If you object to processing for direct marketing purposes, the personal data concerning you will no longer be processed for these purposes.
(Art. 21 para. 3 EU-DSGVO).
You have the possibility, in connection with the use of information society services, notwithstanding Directive 2002/58/EC, to exercise your right to object by means of automated procedures using technical specifications. (Art. 21 (5) EU GDPR).
You also have the right to object, on grounds relating to your particular situation, to the processing of your personal data concerning you which is carried out for scientific or historical research purposes or for statistical purposes pursuant to Art. 89(1) EU GDPR, unless the processing is necessary for the performance of a task carried out in the public interest
(Art. 21 para. 6 EU-DSGVO).
29.8 Right to revoke the declaration of consent under data protection law
Based on Art. 7 (3) EU-DSGVO, you have the right to revoke your declaration of consent under data protection law at any time. The revocation of the consent does not affect the lawfulness of the processing carried out on the basis of the consent until the revocation. You will be informed of this before giving your consent.
29.9 Automated decision in individual cases including profiling.
You have the right not to be subject to a decision based solely on automated processing - including profiling - which produces legal effects vis-à-vis you or similarly significantly affects you. This does not apply if the decision
- is necessary for the conclusion or performance of a contract between you and us
- is permitted by legislation of the Union or the Member States to which we are subject and that legislation contains appropriate measures to safeguard your rights and freedoms and your legitimate interests, or
- is carried out with your express consent.
This results from Art. 22 (1), (2) EU-DSGVO.
However, these decisions may not be based on special categories of personal data pursuant to Art. 9(1) EU-DSDR, unless Art. 9(2)(a) or (g) EU-DSDR applies and appropriate measures have been taken to protect the rights and freedoms as well as your legitimate interests.
With regard to the cases mentioned in (1) and (3), we take reasonable steps to safeguard the rights and freedoms as well as your legitimate interests, which include at least the right to obtain the intervention of a person on the part of the controller, to express your point of view and to contest the decision.
(Art. 21 (3), (4) EU GDPR).
29.10 Right to complain to a supervisory authority.
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your residence, place of work or place of the alleged infringement, pursuant to Article 77 EU GDPR, if you consider that the processing of personal data relating to you infringes the EU GDPR.
The supervisory authority to which the complaint has been lodged shall inform the complainant of the status and outcome of the complaint, including the possibility of a judicial remedy under Article 78 GDPR.
(Art. 77 EU-DSGVO).
Competent supervisory authority for this website is:
The State Commissioner for Data Protection and Information Security of North Rhine-Westphalia (LDI NRW).
The supervisory authority to which you have submitted a complaint will inform you of the status and outcome of the complaint, including the possibility of a judicial remedy pursuant to Art. 78 EU-DSGVO. If you have any questions, please do not hesitate to contact our data protection officer at any time.
Status: August 2022