We are delighted that you are using our website, ostseecard. Data protection is a particularly high priority for Ostsee-Tourismus-Service GmbH. Users can access the Ostsee-Tourismus-Service GmbH website without submitting personal data. However, it may be necessary to process personal data if data subjects wish to use specific services provided by our company via our website. If the processing of personal data is necessary and no legal basis for such processing exists, we will normally obtain the consent of the data subject.

The processing of personal data, e.g. the name and email address of a data subject, will comply with the General Data Protection Regulation (GDPR) and the specific regional data protection regulations applicable to Ostsee-Tourismus-Service GmbH at all times. The purpose of this privacy policy is to inform the public about the nature, scope and purpose of the data collected by our company. This privacy policy also informs data subjects about their rights.

As the data controller, Ostsee-Tourismus-Service GmbH has implemented numerous technical and organisational measures to ensure the most comprehensive protection of personal data processed through this website.

However, information transmitted via Internet may have security vulnerabilities such that total protection cannot be guaranteed. All data subjects may therefore submit personal data to us by alternative means, e.g. by telephone.

1. Definitions
The privacy policy of Ostsee-Tourismus-Service GmbH is based on the terms used by the European directives and legislators for the adoption of the General Data Protection Regulation (GDPR). Our privacy policy should be legible and comprehensible for the general public, our customers and business partners. For the sake of clarity, we would therefore like to explain the terms used herein.

We use the following terms, among others, in this privacy policy:

a) Personal data
Personal data is any information relating to an identified or identifiable natural person (hereinafter the "data subject"). A natural person is considered to be identifiable if the expression of the physical, physiological, genetic, psychological, economic, cultural or social identity of this natural person can be identified directly or indirectly, in particular by an assignment to an identifier, e.g. a name, identification number, location data, online identifier or to one or more specific features.

b) Data subject
Data subjects are any identified or identifiable natural person whose personal data is processed by the data controller.

c) Processing
Processing is any process carried out with or without using automated procedures or any series of such processes in connection with personal data, e.g. collecting, recording, organising, arranging, storing, adapting or changing, reading out, querying, using, disclosure by transmission, distribution or any other form of making available, matching or linking, restriction, deletion or destruction.      

d) Restriction of processing
Restriction of processing is the marking of stored personal data to restrict the future processing of such data.     

e) Profiling
Profiling is any form of automated processing of personal data whereby the personal data is used to evaluate specific personal aspects relating to a natural person, in particular to analyse or predict the natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or change of location.      

f) Pseudonymisation
Pseudonymisation is the processing of personal data such that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is stored separately and is subject to technical and organisational measures to ensure that the personal data is not attributed to an identified or identifiable natural person.      

g) Controller or data controller
The controller or data controller is the natural or legal person, public authority, agency or other body which alone or jointly with others determines the purposes and means of the processing of personal data.      

h) Processor
A processor is a natural or legal person, public authority, agency or other body which has been commissioned to process data on behalf of the controller.      

i) Recipient
Recipient denotes a natural or legal person, public authority, agency or other body to whom personal data is disclosed, regardless of whether they are a third party. However, authorities that may receive personal data in the context of a specific investigation mandate under Union or Member State law shall not be considered as recipients.      

j) Third party
A third party is any natural or legal person, public authority, agency or body other than the data subject, the controller, the processor and the persons authorised to process the personal data under the direct responsibility of the controller or processor.      

k) Consent
Consent denotes any voluntary, specific and informed indication of the data subject's wishes in the form of a statement or other unambiguous affirmative act by which the data subject indicates their consent to the processing of their personal data.

2. Name and address of the data controller
The controller within the meaning of the General Data Protection Regulation, other data protection laws applicable in the Member States of the European Union and other provisions relating to data protection is:

Ostsee-Tourismus-Service GmbH
Kirchenstraße 3 – 5
23570 Lübeck Travemünde
Tel.: 04502 / 804-103
Fax: 04502 / 804-200
Email: info@ostseecard.de
Website: http://www.ostseecard.de/

3. Name and address of the data protection officer
Insert once the position is filled if the data protection officer of the Hanseatic City of Lübeck is the correct contact person for this website.

4. Cookies
The webpages of Ostsee-Tourismus-Service GmbH use cookies. Cookies are text files that are stored on a computer system via an Internet browser.

Numerous websites and servers use cookies. Many cookies also contain a ‘cookie ID’. A cookie ID is a unique identifier of the cookie. It consists of a string of characters that allow websites and servers to be assigned to the specific Internet browser in which the cookie was stored. This enables the websites and servers visited to distinguish the individual browser of the data subject from other Internet browsers that contain other cookies. A specific Internet browser can be recognised and identified via the unique cookie ID.

The use of cookies enables Ostsee-Tourismus-Service GmbH to provide more user-friendly services to the users of this website that would not be possible without the cookie setting.

The data subject can block the use of cookies by our website at any time by adjusting the relevant setting in the Internet browser used and therefore permanently object to the use of cookies. Moreover, cookies that have already been set can be deleted at any time via an Internet browser or other software programs. This is possible in all the common Internet browsers. If the data subject disables the storing of cookies in the Internet browser used, they may be unable to access the full functionalities of our website.

Adjust/change cookie settings

5. Collection of general data and information
The website of Ostsee-Tourismus-Service GmbH collects a series of general data and information every time a data subject or automated system accesses the website. This general data and information is stored in the server log files. The following data is recorded:

(1) Browser types and versions used.
(2) The operating system used by the accessing system.
(3) The website from which an accessing system arrives at our website (the ‘referrer’).
(4) The sub-websites that are accessed via an accessing system on our website.
(5) The date and time of access to the website.
(6) An Internet protocol address (IP address).
(7) The Internet service provider of the accessing system, and
(8) Other similar data and information that serve to avert danger in the event of attacks on our information technology systems.

When using this general data and information, Ostsee-Tourismus-Service GmbH draws no conclusions regarding the data subject. However, this information is required to:

(1) Provide the content of our website in a correct manner.
(2) Optimise the content of our website and to advertise the website.
(3) Ensure the permanent functionality of our information technology systems and the technology of our website, and
(4) Provide the law enforcement authorities with the information necessary for a prosecution in the event of a cyberattack.
Ostsee-Tourismus-Service GmbH therefore conducts an anonymous analysis of any data and information collected on the one hand for statistical purposes and, on the other, to increase the data protection and data security of our company, with the ultimate aim of ensuring an optimal level of protection for the personal data processed by us. The anonymous data of the server log files is stored separately from any personal data provided by a data subject.

6. Contact option via the website
In accordance with the legal stipulations, the Ostsee-Tourismus-Service GmbH website contains legal information that enables direct communication with us and which also includes a general electronic mail (email) address. If a data subject contacts the data controller by email, the personal data transmitted by the data subject will be automatically stored. The personal data provided on a voluntary basis by a data subject to the controller shall be stored for the purposes of processing or contacting the data subject. This personal data will not be disclosed to third parties.

7. Routine deletion and locking of personal data
The controller shall process and store personal data of the data subject only for the period necessary to achieve the purpose of storage or where stipulated by the European directives and legislators or other legislator in laws or regulations to which the controller is subject.

If the purpose of storage no longer applies or if a storage period prescribed by the European directives or legislators or other competent legislator expires, the personal data will be routinely locked or deleted in accordance with the statutory provisions.

8. Rights of the data subject
a. Right to confirmation
All data subjects shall have the right, granted by the European directives and legislators, to request confirmation from the controller as to whether their personal data is being processed. Data subjects who wish to exercise this right of confirmation may contact an employee of the controller at any time.

b. Right of access
Persons whose personal data is subject to processing shall have the right, granted by the European directives and legislators, to obtain from the controller access to and a copy of their personal data which has been stored at any time and free of charge. In addition, the European directives and legislators grant the data subject access to the following information:
I. The purposes of processing.
II. The categories of personal data processed.
III. The recipients or categories of recipients to whom the personal data has been or will be disclosed, in particular in the case of recipients in third countries or international organisations.
IV. Where possible, the anticipated period for which the personal data will be stored or, if this is not possible, the criteria used to determine such period.
V. The existence of a right to request the rectification or erasure of their personal data or to request a restriction of processing by the controller or a right to object to such processing.
VI. The existence of a right to lodge a complaint with a supervisory authority.
VII. If the personal data is not collected from the data subject: Any available information regarding the source of the data.
VIII. The existence of automated decision-making, including profiling, pursuant to Article 22 para 1 and 4 GDPR and, at least in these cases, meaningful information about the logic applied and the scope and intended effects of such processing for the data subject.
Furthermore, the data subject has a right to know whether personal data has been transferred to a third country or an international organisation. In this case, the data subject shall also have the right to request information on the appropriate safeguards in connection with the transfer.

c. Right to rectification
Persons whose personal data is processed shall have the right, granted by the European directives and legislators, to request rectification without delay of any inaccuracies of their personal data, and the right to request the completion of any incomplete personal data, including through a supplementary statement on the purposes of such processing. Data subjects who wish to exercise the right to rectification may contact an employee of the controller at any time.

d. Right to erasure (right to be forgotten)
Persons whose personal data is processed shall have the right, granted by the European directives and legislators, to request the controller to erase their personal data without delay, if one of the following grounds applies and insofar as the processing is not necessary:

I. The personal data was collected or otherwise processed for purposes for which it is no longer necessary.
II. The data subject withdraws consent on which the processing was based pursuant to Article 6 para 1(a) GDPR or Article 9 para 2(a) GDPR and no other legal basis for such processing exists.
III. The data subject objects to the processing pursuant to Article 21 para 1 GDPR and there are no overriding legitimate grounds for such processing, or the data subject objects to the processing pursuant to Article 21 para 2 GDPR.
IV. The personal data has been processed unlawfully.
V. The deletion of the personal data is required to comply with a legal obligation under Union or Member State law to which the controller is subject.
VI. The personal data was collected with respect to information society services provided in accordance with Article 8 para 1 GDPR.
If one of the above reasons applies and a data subject wishes to erase their personal data stored by Ostsee-Tourismus-Service GmbH, they may contact an employee of the controller at any time. The employee of Ostsee-Tourismus-Service GmbH will ensure that the request for erasure is complied with immediately.

e. Right to restriction of processing
Persons whose personal data is processed have the right, granted by the European directives and legislators, to request the controller to restrict processing if one of the following conditions applies:

I. The accuracy of the personal data is contested by the data subject for a period that enables the controller to verify the accuracy of the personal data.
II. The processing is unlawful, the data subject does not wish the personal data to be deleted, and requests instead the restriction of the use of the personal data.
III. The controller no longer requires the personal data for the purposes of processing, but the data subject requires it to establish, exercise or defend legal claims.
IV. The data subject has objected to the processing pursuant to Article 21 para 1 GDPR and it remains unclear whether the legitimate grounds of the controller override those of the data subject.
If one of the above conditions is fulfilled, and a data subject wishes to request the restriction of personal data stored by Ostsee-Tourismus-Service GmbH, they may contact an employee of the controller at any time. The employee of Ostsee-Tourismus-Service GmbH will proceed to restrict processing.

f. Right to data portability
Persons whose personal data is processed shall have the right, granted by the European directives and legislators, to receive their personal data which has been provided by the data subject to a controller, in a structured, commonly used and machine-readable format. Data subjects may also transmit this data to another controller without hindrance from the controller to whom the personal data was submitted, provided that such processing is based on consent pursuant to Article 6 para 1(a) GDPR or Article 9 para 2(a) GDPR or a contract pursuant to Article 6 para 1(b) GDPR, and the processing is carried out by automated means, unless the processing is necessary to perform a duty in the public interest or to exercise official authority vested in the controller. Moreover, when exercising the right to data portability pursuant to Article 20 para 1 GDPR, the data subject shall have the right to obtain the direct transfer of personal data from one controller to another controller where technically feasible and insofar as this does not adversely affect the rights and freedoms of other persons. Data subjects may contact an employee of the Ostsee-Tourismus-Service GmbH at any time to assert the right to data portability.

g. Right to object
Persons whose personal data is processed have the right, granted by the European directives and legislators, to object to the processing of their personal data carried out based on Article 6 para 1 (e) or (f) GDPR at any time, on grounds relating to their particular situation. This also applies to profiling based on these provisions. Ostsee-Tourismus-Service GmbH shall cease processing the personal data in the event of the objection, unless we can demonstrate compelling legitimate grounds for such processing which override the interests, rights and freedoms of the data subject or to assert, exercise or defend legal claims. Should Ostsee-Tourismus-Service GmbH process personal data for the purpose of direct marketing, the data subject shall have the right to object at any time to processing of personal data for such marketing. This also applies to profiling insofar as it is associated with such direct marketing. If the data subject objects to Ostsee-Tourismus-Service GmbH to the processing for direct marketing purposes, Ostsee-Tourismus-Service GmbH will cease processing the personal data for these purposes. In addition, data subjects have the right, on grounds relating to their particular situation, to object to the processing of their personal data which is carried out by Ostsee-Tourismus-Service GmbH for statistical purposes pursuant to Article 89 para 1 GDPR, unless such processing is necessary to perform a duty in the public interest. The data subject may contact any employee of Ostsee-Tourismus-Service GmbH or another employee directly or indirectly to exercise the right to object. In the context of the use of information society services, notwithstanding Directive 2002/58/EC, data subjects may exercise their right to object by means of automated procedures using technical specifications.

h. Automated decisions in individual cases including profiling
This does not apply within the framework of the website of Ostsee-Tourismus-Service GmbH.

i. Right to revoke consent under data protection law
Data subjects whose personal data is processed have the right, granted by the European directives and legislators, to withdraw consent to the processing of personal data at any time. Data subjects who wish to exercise their right to withdraw consent may contact an employee of the controller at any time to do so.

9. Legal basis for processing
Article 6 1(b) GDPR serves as the legal basis for our company to provide our services.

10. Period for which the personal data is stored
The criterion for the period of the storage of personal data is the respective statutory retention period. After the expiry of the deadline, the corresponding data will be routinely erased if it is no longer required to perform or initiate the contract.