We process personal data in compliance with the provisions of the General Data Protection Regulation (GDPR), the German Federal Data Protection Act (BDSG) as well as other applicable data protection regulations (details below). Which data are processed in detail and the manner of their use is based authoritatively on the respective services applied for or agreed. Further details or extensions of the purposes of the data processing can be seen from the respective contract documentation, forms, from a declaration of consent and/or other information provided to you (e.g. within the scope of use of our website or in our terms and conditions of business). This data protection information may also be updated from time to time, as can be seen from our website www.koelntourismus.de/planen-informieren/service/datenschutz/.
2.1 Purposes for fulfilment of a contract or of contractual measures (Art. 6 (1) (b) GDPR)
The processing of personal data is carried out for the purpose of executing our contracts with you, for the execution of your orders as well as for the performance of measures and activities in the context of pre-contractual relationships, e.g. with interested parties. The processing is therefore in particular for the purpose of providing tourist services and deliveries of products in accordance with your orders and wishes, and covers the services, measures and activities necessary for this. This includes essentially the contract-related communication with you, the verifiability of transactions, orders and other agreements, also for quality control through corresponding documentation, goodwill measures, measures for managing and optimising business processes as well as for the fulfilment of the general duties of care, management and control through affiliated companies (e.g. parent company), statistical evaluations for corporate management, cost recording and controlling, reporting, internal and external communication, emergency management, settlement and fiscal evaluation of operating performances, risk management, assertion of legal entitlements and defence in legal disputes, ensuring IT security (among other things system or plausibility tests) and general safety, including building and system safety, ensuring and safeguarding domestic authority (e.g. through access controls), ensuring the integrity, authenticity and availability of the data, prevention and clarification of criminal offences, control through supervisory bodies or control instances (e.g. internal audit).
2.2 Purposes in the context of a justified interest of us or third parties (Art. 6 (1) (f) GDPR)
In addition to the actual fulfilment of the contract or pre-contract, we may possibly process your data if this is necessary in order to safeguard justified interests of us or third parties, in particular for purposes:
- of advertising or market and opinion research, if you have not objected to the use of your data
- of obtaining credit information as well as the exchange of data with credit agencies, insofar as this goes beyond our economic risk,
- of checking and optimising requirements-analysis procedures,
- of further development of products and services as well as of existing systems and processes,
- of disclosing personal data within the scope of due diligence measures in negotiations concerning the sale of a company,
- of comparing European and international anti-terror lists, insofar as this goes beyond the statutory obligations,
- of enriching our data, among other things through the use or research of publicly accessible data,
- of statistical evaluations or market analysis,
- of benchmarking,
- of asserting legal claims and defence in legal disputes that cannot be assigned directly to the contractual relationship,
- of restricted storage of the data, if erasure is not possible due to the particular form of storage, or is possible only at disproportionately high expense,
- of developing scoring systems or automated decision-making processes,
- of preventing and clarifying criminal offences, insofar as not exclusively for the fulfilment of statutory requirements,
- of building and system safety (e.g. through access controls and video surveillance) insofar as this goes beyond the general duties of care,
- of internal and external investigations, security checks,
- of possible listening in on or recording of telephone conversations for quality-control and training purposes,
- of obtaining and maintaining certifications of a private-law or official nature,
- of ensuring and exercising domestic authority through corresponding measures, as well as through video surveillance, for the purpose of protecting our customers and employees as well as for securing evidence related to criminal offences and their prevention.
2.3 Purposes within the scope of your consent (Art. 6 (1) (a) GDPR)
The processing of your personal data for specific purposes (e.g. use of your email address for marketing purposes) is only possible on the basis of your consent. As a rule, you can revoke your consent at any time. This also applies to the revocation of declarations of consent issued to us before application of the GDPR, i.e. before 25 May 2018. You will be informed separately of the purposes, the consequences of revocation or of failure to issue consent in the corresponding consent text.
As a general rule, the revocation of consent is effective only for the future. Processing carried out prior to the revocation is not affected and shall remain lawful.
2.4 Purposes for the fulfilment of statutory requirements (Art. 6 (1) (c) GDPR) or in the public interest (Art. 6 (1) (e) GDPR)
As is the case with all parties involved in economic life, we are also subject to a number of legal obligations. These are primarily statutory requirements (e.g. commercial and tax laws, but possibly also supervisory-law or other official requirements). The purposes of the processing can include the verification of identity and age, the prevention of fraud and money laundering, the prevention, combating and clarification of terrorism financing and asset-threatening criminal offences, comparisons with European and international anti-terror lists, the fulfilment of fiscal-law control and reporting obligations as well as the archiving of data for data-protection and data-security purposes, and also auditing by tax and other authorities. The disclosure of personal data can also be necessary in the context of official/judicial measures for the purpose of taking evidence, criminal prosecution or the assertion of civil-law claims.