Data protection notice

Valid from: April 2019

As a data controller, we are hereby fulfilling our duty to provide information and our duty of disclosure. We also provide information about the nature, scope and purpose of personal data processing carried out by our company as part of our online presence and operations.

Firstly, we will provide general information on this subject, to the extent that this relates to any processing or constitutes an overriding regulation in this regard. This is followed by information regarding individual instances of processing and the use of services offered by other providers.

The terms used, including “personal data”, “processing”, “data controller”, “data subject”, “third party” and others are defined in accordance with the provisions of Regulation (EU) 2016/679 (GDPR), and, in particular, Art. 4 GDPR.

Please note that this data protection notice may be amended to reflect specific developments or as the result of a regular review. We, therefore, recommend that you stay informed of amendments to our data protection notices made available on our online content.

1        General information

1.1        Scope of application

This data protection notice applies in particular to this website as well as to the following additional online content:

Website: https://www.apodistravel.com

In addition, this data protection statement also applies to other types of processing set out here, which are carried out as part of our business activities. We refer to this data protection notice in order to simplify access and comply with the requirements of clarification and transparency.

In the case of services offered by other service providers, such as those referred to via links, the data protection notice of the relevant service provider shall apply.

1.2       The data controller is

Apodis Travel
Adolf-Kolping-Str. 20
83607 Holzkirchen
Germany

Tel.: +49 151 42234344
Email: connect@apodistravel.com

1.3       Data distribution and disclosure

1.3.1        General information

As a data controller, we process personal data on a regular basis. The communication or disclosure of personal data shall only take place where there is a legal basis for doing so, in particular, where one of the following reasons applies:

• It is necessary for the performance of a contract or to take steps at the person’s request prior to entering into the contract (point (b) of Art. 6 (1)(1) GDPR).
• The communication of data is necessary for the establishment, exercise or defence of legal claims, and there is no reason to believe that the data subject has compelling, legitimate grounds for their data not being communicated (point (f) of Art. 6(1)(1) GDPR).
• There is a legal obligation to communicate the data (point c of Art. 6(1)(1) GDPR).
• There has been valid consent (point a of Art. 6(1)(1) GDPR).

1.3.2       Processing carried out by contractors

Data belonging to data subjects may also be communicated for the purpose of processing or disclosed by a service provider contracted to carry out the processing. Whenever we contract a processor, this is always done as part of a processing agreement ensuring that the processing is performed in accordance with our policies, there are sufficient guarantees that appropriate technical and organisational measures will be taken and the rights of the data subject will be guaranteed.

If any individual piece of processing is to be carried out by a processor we have contracted, we will inform you of this.

1.3.3       Transmission to third countries

Data will only be transmitted to third countries (outside the EU and EEC) if the specific requirements necessary for this have been met (Art. 44 et seq. GDPR).

1.4        Criteria for determining the storage period (periods for the erasure of data)

As a general rule, we shall save personal data if this is necessary for the purpose of the relevant processing, if legal or regulatory retention periods are applicable, if you have a legitimate interest in such storage or if you have granted us the required consent.

We shall save specific types of data, in accordance with the following rules, for the period of time specified in each case. We shall delete them after the specified time period has elapsed:

• Three years: Data and content regarding legal transactions (including their preparation), to the extent that these are necessary to be able to disclose information and prepare a defence, as well as for establishing and mounting a defence against claims.
• Six years: Commercial letters (Section 257(1) No. 2 and 3 and Section 257(4) of the German Commercial Code (HGB))
• 10 years: The documents, accounting records and trading books (Section 147 (1) of the German Fiscal Code (AO)) relevant for taxation under points 1 and 4 of Section 257(1) and Section 257 (4) HGB)
• 30 years: Data which are saved in specific circumstances to serve our interests or those of third parties, due to the fact that there are relevant applicable limitation or retention periods (e.g. enforcement orders or special limitation periods).

In such cases, as a general rule, the storage period will begin at the end of the calendar year in which the last event relating to the relevant processing has taken place (e.g. the order, delivery, end of a contract or issuing of an invoice).

After the storage period has elapsed, checks will be carried out at the end of the relevant calendar year to determine whether further storage is required. If circumstances arise during the storage period (such as the conclusion of a contract, negotiations regarding claims, legal disputes, etc.) which make it necessary to store the data for a longer period, these time periods will be extended accordingly.

We shall provide specific information regarding storage periods for specific types of processing in the relevant place.

1.5       Use of automated decision-making or profiling

As a general rule, we do not use automated decision-making or profiling of any person, as defined in Art. 22 GDPR, even where we use software-supported processes to process data.

To the extent that such technology is used in specific instances of processing, we shall give express notification of this, as well as meaningful information regarding the rationale and scope of such use and its intended outcomes.

1.6       Rights of data subjects and the right to lodge a complaint

Persons affected by our processing of personal data (i.e. data subjects), e.g. as users of our services, are entitled to exercise various rights:

• Under Art. 15 GDPR, they are entitled to obtain information, in particular regarding whether we are processing their personal data. Under certain circumstances, this right to information may be subject to limitations (e.g. in cases where Section 34 of the German Federal Data Protection Act (BDSG) is applicable).
• Under Art. 16 GDPR, data subjects are entitled to obtain the rectification of any inaccurate personal data and the completion of any personal data belonging to them that is stored by us.
• Under Art. 17 GDPR, they are entitled to demand the erasure of personal data belonging to them that is stored by us.
• Under Art. 18 GDPR, they are entitled to demand the restriction of processing.
• Under Art. 20 GDPR, they are entitled to demand the personal data that they have provided us with in a structured, commonly used and machine readable format or to have these data transmitted to another controller.
• They are entitled to exercise their right to object under Art. 21 GDPR, especially if their personal data are being used for the purpose of direct marketing or if grounds for such arise due to their specific circumstances, if the processing is based either point (e) or (f) of Art. 6(1)(1) GDPR.

If data subjects consent to the processing of their personal data, this can be withdrawn at any time with effect for the future. This shall not affect any processing that has taken place prior to the withdrawal of consent.

Under Art. 77 GDPR, the data subject shall have the right to lodge a complaint with a data protection supervisory authority.

2       Online content and other media services

In the following sections we will set out the processing performed as part of our online content and media services.

2.1       Online content provided

Our online content serves the purpose of general communication, the provision and presentation of information on us as well as allowing us to provide our services.

The legal basis for this type of data processing is our legitimate interest, which, as a general rule, arises from the specified purpose (point (f) of Art. 6(1)(1) GDPR). To the extent that the online content is necessary for the performance of a contract or for preparing the grounds for the conclusion of a contract with the data subject, at their request, the legal basis is point (b) of Art. 6(1)(1) GDPR.

The data subjects are typically the respective users of this online content.

We set out any additional or differing information regarding individual instances of processing, as well as additional purposes and legal bases, in the relevant parts of this data protection notice.

2.1.1        Company website

Our company website shall serve the purpose of general communication, providing and presenting information on us and our services.

2.2       General information regarding online content

2.2.1       Hosting the online content

Our online content is hosted by a provider within the EU with which we have concluded a processing contract. Unless stated otherwise, the data are processed on the systems of the provider on our behalf and in accordance with our instructions, during which time the employees of the service provider will have no direct access to the data.

2.2.2      Processing the calls and server log files

When online content is used, we collect personal data which are transmitted from the user’s browser to the server at the point at which the call is made. This will involve the processing of the following data in order to provide the corresponding online content and any related services:

• The IP address of the request, and where applicable, the proxy server used
• The time and date of the request.
• The hostname/device name of your terminal device.
• The URL (address) of the request as well as the URL which made the request (the referrer).
• The browser used, the operating system and its interface, the language settings and version of the browser software.
• Technical information relating to access: Access status/HTTP status code and the volume of data transmitted in each case.
• Accessed and linked content data (text, photos, videos, graphics, other types of data etc.).

These data are stored in a log file. In the log file, the IP address is replaced by an invariable, private IP address, meaning that, as a general rule, it is no longer possible to make any conclusions regarding the original request.

The log data are erased after 14 days. These data will only be retained for longer periods under exceptional circumstances for evidence or analysis purposes. Such data will be erased as soon as grounds for retention cease to apply.

The legal basis for data processing is our legitimate interest in providing our online content (point (f) of Art. 6(1)(1) GDPR).

2.2.3      Use of cookies

Our online content uses cookies. Cookies are small files in which data can be stored and are saved on the terminal device by a browser. This information is transmitted to the web server when it is re-accessed. This means that it is possible for the user session to be recognised, e.g. to attribute login data or user settings such as language settings or font size, or to clearly attribute a basket in a web shop to a user. However, cookies also make it possible to observe user behaviour, especially when so-called “third-party cookies” are used.

We use the cookies required to allow us to provide the main functions of the website and allow us to manage our online content and, in particular, to respond to user queries. This shall include, in particular, the management of the settings you have chosen, filling out and processing forms, potential basket functions as well as the recognition of user sessions with log-in functions.

The legal basis for the use of cookies is point (f) of Art. 6(1)(1) GDPR. Our legitimate interest is based on the respective use of cookies.

Users will be able to configure their browser settings in accordance with their wishes and, for instance, to reject cookies or delete them on a regular basis. However, this may mean that it is not possible to use all the functions.

2.2.4      User accounts and authentication

We shall provide clients, customers, services, freelances, contractual partners, interested parties, employees (data subjects) with user accounts for authentication on our various services and online content. The users can gain information relevant to the use of the services and their user accounts via email.

The data processed includes, in particular, names, user names, passwords, email addresses and log data in relation to each log in (time and IP address of the terminal device).

The storage period for the data shall conform to the criteria used to determine this time-frame.

The legal basis for processing is point (f) of Art.6(1)(1) GDPR. Our legitimate interest lies in ensuring that data subjects can gain secure and authenticated access to the services and online content.

2.2.5      External links

We also use links to the services of other providers on our websites. The relevant provider or operator is responsible for such services and we do not have any influence over the processing they carry out. We, therefore, draw your attention to the data protection notices of such providers to the extent that it allows you to gain an understanding of the processing and to exercise your rights.

It is possible that these service providers will collect data concerning you, use cookies, as well as embedding the tracking services of other providers. In addition, it is possible that data will be linked to the user accounts that you have with the provider while you are logged into their service. If you think this may be the case, you should not make use of the links.

The legal basis is point (f) of Art.6(1)(1) GDPR. Our legitimate interest lies in the optimisation of the functionality and user-friendliness of our web presence.

2.2.6      General data security

To protect the processing of data and prevent misuse, unauthorised access, unauthorised changes, unauthorised communication and destruction, we shall implement the following measures:

• It will be possible to access the online content via HTTPS. Here, the content data are encrypted during the transmission between your browser and the server using a state-of-the-art encryption algorithm. However, this does not apply to addresses accessed (links/URLs). These tend to be unencrypted for technical reasons.
• The limitation of access to personal detail by our employees and clients to persons who are responsible for processing data.

3       Online presence on social media

We maintain an online presence on the platforms of social media providers for the purpose of communication with customers, suppliers, interested parties, as well as presenting and informing others about our company and services. Our presence on and use of social media for these purposes lies in our legitimate interests arising from this (legal basis is point (f) of Art. 6(1)(1) GDPR).

We would like to point out that this involves user data being processed outside the European Union, which may present risks to these data, as it may be more difficult for users to exercise their rights. To the extent that the providers in the USA are certified under the Privacy Shield, they thereby undertake to comply with data protection standards of the European Union.

As a general rule, user data from social media are used to create user profiles and analyse user behaviour. These are then, in turn, used for the purpose of market research and advertising. Cookies are regularly saved on the user’s terminal device for this purpose. In addition, data from users who have social media accounts can be assigned to their profiles.

The platform providers are typically responsible for the processing of data on the respective social media platforms. We, therefore, draw your attention to the terms of use and data protection notices of the relevant providers. In addition, we also advise you to make use of impartial news media and up-to-date reports to gain an understanding of the current situation and possible risks of using specific social media platforms.

• LinkedIn:
  Provider/representative: LinkedIn Ireland Unlimited Company Wilton Place, Dublin 2, Ireland
  Data protection notice: https://www.linkedin.com/legal/privacy-policy
  Opt-out: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out
  Privacy shield: https://www.privacyshield.gov/participant?id=a2zt0000000L0UZAA0&status=Active

4       Processing as part of our business activities

4.1        Cooperation network and contact form

4.1.1        Description and purpose of processing

We maintain a database together with customers and interested parties (data subjects) who cooperate with us or intend to do so in the future (cooperation network database). For this purpose, we also provide a special contact form.

This involves the processing of the following categories of data:

• Personal master data (first name(s), surname, suffixes to names).
• Contact data (country of residence, telephone number(s), email address).
• Travel Interests.
• Information given voluntarily by the data subject.

The data are, as a general rule, collected from the data subject directly, via the contact form or a discussion.

4.1.2       The recipient and transmission of the data

The data are used internally, within the company and in accordance with the purpose of the processing. The data will not be communicated without receiving appropriate consent from the data subject.

4.1.3       Storage period

As a general rule, data belonging to data subjects will be erased if there has been no further contact with the data subject for two years.

4.1.4       Legal basis

We have a legitimate interest in maintaining a database of potential cooperation partners who can be contacted during projects and jobs for cooperation purposes (the legal basis is point (f) of Art. 6(1)(1) GDPR).

4.2       Processing for the purpose of providing services and implementing contacts

4.2.1       Description and purpose of processing

We process personal data belonging to you or the relevant contact person (the data subject) to provide our services to clients and customers and take steps at the request of interested parties prior to entering into the contract.

The categories of data processed are as follows:

• Personal master data (first name(s), surname, suffixes to names).
• Contact data (address, telephone numbers, email address).
• Payment data (bank details, information on payment processors).
• Data regarding contractual content and the processing of contracts (provision of services and the processing of payments.).

4.2.2      The recipient and transmission of the data

As part of the processing, we contract a range of service providers to process data on our behalf (see above), especially for the purpose of development in providing and maintaining the information systems we use for such processing, as well as invoicing and accounting. In addition, data may be transmitted or disclosed to another third party if this is necessary to carry out a service (e.g. delivery services).

4.2.3      Data storage period

The storage period for the data shall conform to the criteria used to determine this time-frame.

4.2.4      Legal basis

The legal basis for processing is point (d) of Art. 6(1)(1) GDPR. If it should become necessary to process special categories of personal data, point (f) of Art. 9(2) GDPR shall apply.

4.3       Processing for accounting purposes

4.3.1       Description and purpose of processing

In order to comply with our legal obligations to maintain and provide evidence of our accounting records, we process data from customers, suppliers, service providers, employees and others for whom we have to keep records for these purposes.

The categories of data processed are as follows:

• Personal master data (first name(s), surname, suffixes to names).
• Contact data (address, telephone numbers, email address).
• Contractual data underlying the situation.
• Financial messaging data and information (bank details, information on payment processors).

4.3.2      The recipient and transmission of the data

As part of this processing, we use processors to manage the accounting information, especially for the purpose of payroll accounting, as well as using service providers to provide and maintain the information systems we use for this purpose.

In addition, data may be transmitted or disclosed to another third party if this is necessary for carrying out the processing (e.g. the tax office, tax advisers, public authorities, auditors or lawyers).

4.3.3      Data storage period

The storage period for the data shall conform to the criteria used to determine this time-frame.

4.3.4      Legal basis

The legal basis for processing is provided by the statutory regulations (point c of Art. 6(1)(1) GDPR) relating to compliance with accounting duties and the duty to enter into a contract, to ensure the proper course of business and ensuring the company’s existence as a going concern.

4.4       Getting in contact and communication in general

4.4.1       Description and purpose of processing

When persons (data subjects) contact us (e.g. in person, via a contact form, email, by phone or over social media), we store and process the contact details they have submitted (their name, address, e-mail address and telephone number) and the information and content they have transferred when contacting us in order to respond to the request.

The same applies if you provide us with information at events, trade fairs or other occasions (e.g. through business cards or adding your details to the mailing list).

4.4.2      Data storage period

We will erase any data generated in this regard if they become no longer necessary to store it. As a general rule, this will take place after two years if there is no further communication in relation to the request and there is no longer any processing taking place that has arisen from the query (e.g. the following contractual relationship), which stipulates a further storage period.

4.4.3      Legal basis

We perform the processing as part of steps prior to entering the contract, if this is due to a corresponding request you have made (the legal basis is point (b) of Art. 6(1)(1) GDPR). Furthermore, we have a legitimate interest in responding to requests addressed to us and relating to us and our services, as well as making and maintaining business contacts and processing data accordingly (the legal basis is point (f) of Art. 6(1)(1) GPDR).

4.5       The establishment, exercise or defence of legal claims

4.5.1       Description and purpose of processing

We shall process the data of data subjects if it is necessary for the establishment, exercise or defence of legal claims. In this regard, the purpose may also have to be changed in accordance with the personal data.

Data subjects may include, in particular:

• Customers, suppliers, interested parties, employees, service providers and public authorities.
• Other claimants or defendants.
• The contact person, agent or authorised representative of any of the aforementioned persons or bodies.

In this regard, the following categories of data into consideration, if they are necessary in the specific case:

• Personal master data (first name(s), surname, suffixes to names, date of birth).
• Contact data (addresses, telephone numbers, email address).
• Documents, information and data which are necessary for the implementation of the claims.
• Special categories of personal data, if they are necessary for the implementation of the claims.

4.5.2      The recipient and transmission of the data

In relation to the processing, recipients may be a range public authorities, companies or even service providers, depending on the circumstances:

• Service provider tasked with enforcing claims (lawyers, collection agencies etc.)
• Public authorities and the courts
• The defendant

4.5.3      Data storage period

When using data for the purpose of establishing, exercising or defending legal claims, the relevant storage period may be extended until the definitive end of the proceedings, including the corresponding implementation, in order not to jeopardise the achievement of the purpose.

If this results in an enforceable title, the storage period will be 30 years.

4.5.4      Legal basis

The legal basis for processing is point (f) of Art. 6(1)(1) GDPR. Our legitimate interest lies in the establishment, exercise or defence of legal claims. If it becomes necessary to process special categories of personal data, point (f) of Art. 9(2) GDPR shall apply.