In the following, we will explain what information we collect when you use the online services of Herden Tours & Tickets GmbH and
for what purposes this information is processed by us and third parties.
what rights and choices you have in regard to the processing of your information.
how to contact us regarding data protection.
2. Responsibility and contact persons
Responsible for the processing of your personal information when visiting this website in accordance with the EU General Data Protection Regulation (GDPR) is
3. Data processing on our website
3.1. Accessing our website / automatically collected access data
Herden Tours& Tickets GmbH
Telefon +49 (0) 2000 6981-0
If you have any questions concerning data protection in connection with our products or the use of our website, you can contact us at any time.
You are able to visit our websites without disclosing any information about your person. Only access data that are automatically transferred by your browser will then be collected. The access data include, in particular:
the IP address of the device used for access,
the date and time of access,
the address of the visited website and the requesting website,
the address of the visited website and the requesting website,
online identifiers (for example device IDs, session IDs).
The data processing of this access data is necessary to enable the visit to the website and to ensure the long term functionality and security of our systems. The access data are also temporarily stored in internal log files for the aforementioned purposes in order to create statistical data about the use of our website, to further develop our website regarding the usage habits of our visitors (for example, when the share of mobile devices being used to access the website increases) and to maintain our website in the general administrative sense. The legal basis is Art. 6 para. 1 lit. b and f of the GDPR. The information stored in the log files does not allow any direct conclusion to your person – in particular, we only store the IP addresses in a shortened, anonymized form. The log files are stored for 30 days and will be archived after subsequent anonymization.
You have several different options for contacting us. These include our contact form, our e-mail address and our telphone hotline. In this context, we process data exclusively for the purpose of communicating with you. The legal basis is Art. 6 para. 1 lit. b of the GDPR. The data we collect through the contact form will be automatically deleted after the complete processing of your request, unless we require your request to be able to fulfill our contractual or legal obligations (see the section “storage duration”).
3.3. Orders and Bookings
During an order process, we collect necessary data for the execution of the contractual agreement (order and booking information):
first and last name, address, telephone number, e-mail address
The legal basis for the afore mentioned processing is Art. 6 para. 1 lit. b of the GDPR, based on the legitimate interest in providing a simple and user-friendly registration process for our clients. These data are required for processing, concluding and administrating your order (see 3.5)
Upon completing an order you can choose between various payment options. To ensure this, we offer different payment methods and cooperate with various payment service providers.
In particular, we have entrusted the following service providers to process the payments:
when paying by PayPal: PayPal (Europe) S.à r.l. et Cie, S.C.A, 22-24 Boulevard Royal, L-2449 Luxemburg, Luxemburg,
when paying by Group Pay: mamooble SARL, 54, rte de Mondorf, L-3260 Bettembourg, Luxemburg.
Any information you provide to the afore mentioned service providers will not be forwarded to us by them. The only information we receive is that the payment has been completed.
In the case of payment by credit card, you enter the required payment information (credit card details) directly on our website. We will in this case forward you to the following payment service provider:
Concardis GmbH, Helfmann-Park 7, 65760 Eschborn.
The processing of data by the afore mentioned payment service providers is based on our legitimate interest, according to Art. 6 para. 1 lit. b and f of the GDPR, in providing our clients with comfortable and secure payment through a service provider of their choice.
3.5. Forwarding your data to the service partners you have selected
When you order services through our website we will forward your data necessary for the execution of the orders by e-mail to the respective service providers in order to fulfill our contractual agreements. According to our general terms and conditions, these service providers will become your direct contract partners after the confirmation of the booking, and will issue the invoices for their services directly to you.
3.6. Login area for regular customers and cooperation partners
You have the possibility to register for our login area so that you are able to enjoy the full functionality of our website. We have highlighted the data you are required to provide. Without these data, registration is not possible. Legal basis for processing is Art. 6 para. 1 lit. b of the GDPR.
3.7. Newsletter and advertising mailings
You have the possibility to sign up for our newsletter, in which we regularly inform you about news regarding our offers and promotions. For signing up to our newsletter, we use the so-called double opt-in procedure, which means that we will only send you newsletters by e-mail after you, by clicking a link in our notification e-mail, have confirmed that you are the owner of the given e-mail address. If you confirm your e-mail address, we will save your e-mail address, the time of registration and the IP address used for registration until you unsubscribe from the newsletter. The sole purpose of storing this information is to provide you with the newsletter and to prove your registration. You can unsubscribe from the newsletter at any time. A corresponding unsubscribe link can be found in every newsletter. A notification sent to the contact details mentioned above or in the newsletter (for example, via e-mail or by mail) is of course also sufficient. The legal basis for the processing is your consent in accordance with Art. 6 para. 1 lit. a of the GDPR. In addition, we also send out advertising mailings in connection with our services to you. The legal basis for this data processing is Art. 6 para. 1 lit. f of the GDPR, based on our interest in existing customer advertising. For the dispatch of our newsletter and our advertising mailings, we work together with service providers to whom we, among other things, send your e-mail address and the circumstances of your newsletter registration in order to be able to send you the newsletter and advertising mailings (for example, MailChimp of The Rocket Science Group LLC, 675 Ponce de Leon Ave NE, Suite 5000, Atlanta, GA 30308 USA). Additionally, our newsletter and advertising mailings will to a small extent adapt to the individual needs of our customers. For this, we use the services of Emarsys eMarketing Systems AG, Märzstraße 1, 1150 Vienna, Austria. On the basis of the booking data collected from you, we adapt, for example, the language settings in our mailings or indicate bookable additional services. The disclosure of data to our service providers in connection with newsletter distribution and advertising mailings is based on our legitimate interest in advertising our services to our customers in an interest-based manner. In our newsletters, we use commercially common technologies that measure the interaction with the newsletters (for example, the opening of e-mails, clicked links). We use this data in pseudonymous form for the purpose of general statistical evaluations as well as for the optimization and further development of our content and customer communication. This is done with the help of small graphics that are embedded in the newsletter (so-called pixels). These data are collected exclusively in pseudonymous form and are also not linked with your other personal information. Legal basis for this is our aforementioned legitimate interest in accordance with Art. 6 para. 1 lit. f of the GDPR. Through our newsletter, we aim to share content relevant to our customers and to better understand what readers are actually interested in. If you do not want to have your usage behavior analyzed, you can unsubscribe from the newsletter or deactivate graphics in your e-mail program. The data for the interaction with our newsletters are stored in pseudonymous form for 30 days and subsequently completely anonymized.
3.8. Google Maps
3.9. Usage of own cookies
3.11. Google Tag-Manager
4. Cooperation with partners
Basically, we only process data that we receive directly from you. However, we also work together with various cooperation partners who provide us with prospects for our products. These include in particular travel agencies and tour operators as well as tourism offices. We will only process personal data that we permissibly receive (for example, on the basis of contracts or your consent) from our cooperation partners.
5. Disclosure of data
The data collected by us will only be passed on if:
you have given your explicit consent in accordance with Art. 6 para. 1. lit. a of the GDPR, especially in context with 3.5. of this statement (see above)
the disclosure in accordance with Art. 6 para. 1 lit. f of the GDPR is necessary in order to assert, exercise or defend legal claims and there is no reason to assume that you have an overriding interest worthy of protection in not disclosing your data,
we are legally obliged in accordance with Art. 6 para. 1 lit. c of the GDPR to disclosure or
this is permitted by law and, in accordance with Art. 6 para. 1 lit. b of the GDPR, is required for the execution of contractual relationships with you or for the execution of precontractual measures, which will be carried out upon your request.
6. Storage duration
Principally, we only store personal information for as long as it is necessary to fulfill the contractual or statutory obligations for which we have collected the data. Thereafter, we immediately delete the information, unless we need the data for purposes of proof for civil law claims or due to statutory retention obligations. For evidence purposes, we must keep contractual data for another three years starting from the end of the year in which the business relationship with you ends. Any claims become statute-barred after the legal limitation period, earliest at this point in time. Even after this period, we still need to store some of your data for accounting purposes. We are required to do so by legal requirements on documentation that may arise from the German Commercial Code, the Fiscal Code, the Banking Act, the Money Laundering Act and the Securities Trading Act. The time periods specified there for retention of documents are two to ten years.
7. Your rights
You have the right to request information about the processing of your personal data by us at any time. We will explain the data processing and provide you with an overview of the data stored about you as part of the provision of information. If data stored with us are incorrect or no longer up to date, you have the right to have this information corrected. Furthermore, you have the right to request the deletion of your data. Should the deletion in exceptional cases not be possible due to other legal provisions, the data will be blocked so that they are only available for this legal purpose. Furthermore, you may also have the processing of your data restricted, for example, if you believe the data we have stored are incorrect. You also have the right to data portability, meaning that we would send you a digital copy of the personal data you have provided upon your request. To exercise your rights as described here, you can contact us at any time using the aforementioned contact details. This is also the case if you wish to receive copies of warranties to prove an adequate level of data protection. In addition, you have the right to object to data processing based on Art. 6 para. 1 lit. e or f of the GDPR. Finally, you have the right to file a complaint with the data protection authority responsible for our supervision. You may exercise this right before a supervisory authority in the member state in which you are staying, working or in the place of the alleged violation. In Berlin, the responsible supervisory authority is:
8. Right of revocation and objection
Berliner Beauftragte für Datenschutz und Informationsfreiheit, Friedrichstr. 219, 10969 Berlin (Berlin Data Protection and Freedom of Information Commissioner).
In accordance with Article 7 para. 2 of the GDPR, you have the right to revoke a consent once given to us at any time. As a result, we will not continue to process data based on this consent in the future. The revocation of consent does not affect the legality of the processing carried out on the basis of the consent prior to the revocation. Insofar as we process your data on the basis of legitimate interests in accordance with Art. 6 para. 1 lit. f of the GDPR, you have the right, in accordance with Art. 21 of the GDPR, to appeal against the processing of your data if there are reasons for this due to your particular situation or if your appeal concerns an objection to direct advertising. In the latter case, you have a general right of objection, which we will implement without requesting reasons. If you would like to exercise your right of revocation or objection, it is sufficient to send us an informal message using the afore mentioned contact details.
9. Data security
We maintain updated technical measures to guarantee data security and, in particular, to protect your personal data from dangers during data transfers as well as from the acquisition of data by third parties. These measures are adjusted and updated to the newest technological standards for each of them. In order to secure the personal information you provide via our website, we use Transport Layer Security (TLS), which encrypts the information you enter.