© INTERPIXELS, Shutterstock.com

Privacy policy

Part 1

Information on data protection concerning our data processing pursuant to Art. 13, 14 and 21 of the General Data Protection Regulation (GDPR)

1. Controller responsible for data processing and contact data

Contact data of our Data Protection Officer

KölnTourismus GmbH
Data Protection Officer HEC Harald Eul Consulting GmbH
Kardinal-Höffner-Platz 1, 50667 Cologne
E-Mail: datenschutz@koelntourismus.de


controller as defined under data protection law

KölnTourismus GmbH
Kardinal-Höffner-Platz 1, 50667 Cologne
Telephone: +49 (0) 221 346 43 0
Fax: +49 (0) 221 346 43 429
E-Mail: info@koelntourismus.de

 

2. Purposes and legal basis of our processing of your data

We process personal data in compliance with the provisions of the General Data Protection Regulation (GDPR), the German Federal Data Protection Act (BDSG) as well as other applicable data protection regulations (details below). Which data are processed in detail and the manner of their use is based authoritatively on the respective services applied for or agreed. Further details or extensions of the purposes of the data processing can be seen from the respective contract documentation, forms, from a declaration of consent and/or other information provided to you (e.g. within the scope of use of our website or in our terms and conditions of business). This data protection information may also be updated from time to time.

 

2.1 Purposes for fulfilment of a contract or of contractual measures (Art. 6 (1) (b) GDPR)

The processing of personal data is carried out for the purpose of executing our contracts with you, for the execution of your orders as well as for the performance of measures and activities in the context of pre-contractual relationships, e.g. with interested parties. The processing is therefore in particular for the purpose of providing tourist services and deliveries of products in accordance with your orders and wishes, and covers the services, measures and activities necessary for this. This includes essentially the contract-related communication with you, the verifiability of transactions, orders and other agreements, also for quality control through corresponding documentation, goodwill measures, measures for managing and optimising business processes as well as for the fulfilment of the general duties of care, management and control through affiliated companies (e.g. parent company), statistical evaluations for corporate management, cost recording and controlling, reporting, internal and external communication, emergency management, settlement and fiscal evaluation of operating performances, risk management, assertion of legal entitlements and defence in legal disputes, ensuring IT security (among other things system or plausibility tests) and general safety, including building and system safety, ensuring and safeguarding domestic authority (e.g. through access controls), ensuring the integrity, authenticity and availability of the data, prevention and clarification of criminal offences, control through supervisory bodies or control instances (e.g. internal audit).

 

2.2 Purposes in the context of a justified interest of us or third parties (Art. 6 (1) (f) GDPR)

In addition to the actual fulfilment of the contract or pre-contract, we may possibly process your data if this is necessary in order to safeguard justified interests of us or third parties, in particular for purposes:

  • of advertising or market and opinion research, if you have not objected to the use of your data
  • of obtaining credit information as well as the exchange of data with credit agencies, insofar as this goes beyond our economic risk,
  • of checking and optimising requirements-analysis procedures,
  • of further development of products and services as well as of existing systems and processes,
  • of disclosing personal data within the scope of due diligence measures in negotiations concerning the sale of a company,
  • of comparing European and international anti-terror lists, insofar as this goes beyond the statutory obligations,
  • of enriching our data, among other things through the use or research of publicly accessible data,
  • of statistical evaluations or market analysis,
  • of benchmarking,
  • of asserting legal claims and defence in legal disputes that cannot be assigned directly to the contractual relationship,
  • of restricted storage of the data, if erasure is not possible due to the particular form of storage, or is possible only at disproportionately high expense,
  • of developing scoring systems or automated decision-making processes,
  • of preventing and clarifying criminal offences, insofar as not exclusively for the fulfilment of statutory requirements,
  • of building and system safety (e.g. through access controls and video surveillance) insofar as this goes beyond the general duties of care,
  • of internal and external investigations, security checks,
  • of possible listening in on or recording of telephone conversations for quality-control and training purposes,
  • of obtaining and maintaining certifications of a private-law or official nature,
  • of ensuring and exercising domestic authority through corresponding measures, as well as through video surveillance, for the purpose of protecting our customers and employees as well as for securing evidence related to criminal offences and their prevention.

 

2.3 Purposes within the scope of your consent (Art. 6 (1) (a) GDPR)

The processing of your personal data for specific purposes (e.g. use of your email address for marketing purposes) is only possible on the basis of your consent. As a rule, you can revoke your consent at any time. This also applies to the revocation of declarations of consent issued to us before application of the GDPR, i.e. before 25 May 2018. You will be informed separately of the purposes, the consequences of revocation or of failure to issue consent in the corresponding consent text.
As a general rule, the revocation of consent is effective only for the future. Processing carried out prior to the revocation is not affected and shall remain lawful.

 

2.4 Purposes for the fulfilment of statutory requirements (Art. 6 (1) (c) GDPR) or in the public interest (Art. 6 (1) (e) GDPR)

As is the case with all parties involved in economic life, we are also subject to a number of legal obligations. These are primarily statutory requirements (e.g. commercial and tax laws, but possibly also supervisory-law or other official requirements). The purposes of the processing can include the verification of identity and age, the prevention of fraud and money laundering, the prevention, combating and clarification of terrorism financing and asset-threatening criminal offences, comparisons with European and international anti-terror lists, the fulfilment of fiscal-law control and reporting obligations as well as the archiving of data for data-protection and data-security purposes, and also auditing by tax and other authorities. The disclosure of personal data can also be necessary in the context of official/judicial measures for the purpose of taking evidence, criminal prosecution or the assertion of civil-law claims.

 

3. The data categories processed by us – insofar as we do not receive the data directly from you – and their origin

If necessary for the provision of our services, we process personal data received legally from other companies or other third parties (e.g. credit agencies, address providers). We also process personal data lawfully taken, received or acquired from publicly accessible sources (e.g. telephone directories, commercial register, register of associations, register of residents, debtor registers, land registers, press, Internet and other media) and that we are entitled to process.
Relevant categories of personal data can be in particular:

  • data on persons (name, date of birth, place of birth, nationality, marital status, profession/industry and comparable data)
  • contact data (address, email address, telephone number and comparable data)
  • address data (registration data and comparable data)
  • payment/cover confirmation for bank and credit cards
  • information on your financial position (credit-rating data including scoring, i.e. data for the purpose of assessing the economic risk)
  • customer history
  • data on your use of the tele-media offered by us (e.g. time of call-up of our websites, apps or newsletters, our sites/links clicked on, or entries and comparable data)
  • video and photo data

 

4. Recipients – or categories of recipients – of your data

Within our organisation, your data is made available to those internal bodies and organisational units that require these for the fulfilment of our contractual and statutory obligations, or in the context of the handling and implementation of our justified interest. Any forwarding of your data to external bodies takes place exclusively

  • in connection with processing of the contract,
  • for purposes of fulfilment of statutory requirements, under which we are obliged to provide information, to report or to forward data, or if the forwarding of the data is in the public interest (see Number 2.4),
  • if external service providers process data on our behalf as order data processors or assumers of functions (e.g. external computing centres, support/maintenance of EDP/IT applications, archiving, voucher processing, call-centre services, compliance services, controlling, data screening for anti-money-laundering purposes, data validation or plausibility checking, data destruction, purchasing/procurement, customer administration, letter shops, marketing, media technology, research, risk controlling, settlement, telephony, website management, auditing services, banks, printers or data disposal companies, courier services, logistics),
  • on the basis of our justified interest or of the justified interest of the third party within the scope of the purposes stated under Number 2.2 (e.g. to authorities, credit agencies, debt collection, lawyers, courts, expert assessors, and group companies, bodies and control instances),
  • if you have issued us with your consent to the forwarding to third parties.

We shall not forward your data to third parties for any other reasons. If we appoint service providers within the scope of order processing, your data will be covered by the same security standards there as with us. In other cases, the recipients are entitled to use the data solely for the purposes for which they have provided to them.

 

5. Duration of storage of your data

We process and store your data for the duration of our business relationship. This also includes the initiation of a contract (pre-contractual legal relationship) and the winding up of a contract.

We are also subject to various retention and documentation obligations, resulting among other things from the German Commercial Code (HGB) and the German Tax Code (AO). The retention or documentation periods prescribed therein are up to ten years after the end of the business relationship or of the pre-contractual business relationship.
Special statutory regulations may also require retention for a longer period, e.g. the preservation of evidence in the context of the statutory time-barring regulations. Under Sections 195 et seq. of the German Civil Code (BGB) the normal limitation period is three years; nevertheless, limitation periods of up to 30 years can apply.
If the data are no longer required for the fulfilment of contractual or statutory obligations and rights, they will be erased as a routine procedure, unless their further processing – for a limited period -–is necessary for fulfilment of the purposes stated under Number 2.2 based on a predominantly justified interest. Such a predominantly justified interest shall also be given for example if erasure is not possible – or possible only at disproportionately high expense – due to the particular form of storage, and processing for other purposes is excluded using suitable technical and organisational measures.

 

6. Processing of your data in a third country or by an international organisation

Data will be forwarded to bodies in countries outside the European Union (EU) or the European Economic Area (EEA) (so-called third countries) if this is necessary for the execution of an order/contract from or with you, if it is prescribed by law (e.g. fiscal-law reporting obligations), is part of a justified interest of us or a third party, or if you have issued your consent.

In this respect, the processing of your data in a third country can also take place in connection with the involvement of service providers within the scope of the order processing. If no resolution of the EU Commission is available concerning an appropriate level of data protection in the country concerned, we shall ensure appropriate protection and guarantees of your rights and liberties through corresponding contracts in accordance with the EU data protection requirements. We shall provide you with corresponding detailed information on request.

Information on the suitable or appropriate guarantees and on the possibility of obtaining a copy of these, can be requested from the Company Data Protection Officer if required.

 

7. Your data protection rights

Under certain circumstances you can assert your data protection rights against us

  • For example, you have the right to receive information from us concerning your data stored by us pursuant to the rulings of Art. 15 GDPR (possibly with restrictions pursuant to Section 34 BDSG).
  • Upon request by you, we shall rectify the data stored on you pursuant to Art. 16 GDPR if these are inaccurate or incorrect.
  • If you wish, we shall erase your data in accordance with the principles of Art. 17 GDPR, provided no other statutory rulings (e.g. statutory retention periods or the restrictions pursuant to Section 35 BDSG), or a predominant interest of us (e.g. for defending our rights and entitlements), stand in the way of this.
  • Taking account of the preconditions of Art. 18 GDPR, you can ask us to restrict the processing of your data.
  • You can also file a complaint against the processing of your data pursuant to Art. 21 GDPR, on the basis of which we are obliged to end the processing of your data. Nevertheless, this right of objection applies only given the presence of very special circumstances concerning your personal situation. In this respect, rights of our organisation may stand in the way of your right of objection.
  • Subject to the preconditions of Art. 20 GDPR, you also have the right to receive your data – or to forward them to a third party – in a structured, commonly-used and machine-readable format.
  • You also have the right to revoke consent – already issued – to the processing of personal data by us at any time with effect for the future (see Number 2.3).
  • In addition, you have a right to complain to a data protection supervisory authority (Art. 77 GDPR). However, we recommend that complaints always be addressed initially to our Data Protection Officer.

If possible, your applications concerning the exercise of your rights should be sent in writing to the above address or directly to our Data Protection Officer.

 

8. Scope of your obligations to provide us with your data

You are only obliged to provide the data required for the start and execution of a business relationship or for a pre-contractual relationship with us, or data that we are obliged to collect by law. Without these data, we shall not, as a rule, be in a position to conclude or execute the contract. This can also apply to data required later in the context of the business relationship. If we request additional data from you, we shall draw your separate attention to the voluntary nature of the information.

 

9. Existence of automated decision making in individual cases (including profiling)

We do not use purely automated decision-making procedures as per Article 22 GDPR. If we nevertheless use such a procedure in individual cases in future, we shall inform you of this separately, insofar as this is prescribed by the law.

Under certain circumstances we process your data in part with the aim of evaluating specific personal aspects (profiling).

We may use evaluation instruments to enable us to provide you with targeted information and advice on products. These enable requirements-oriented product design, communication and advertising, including market and opinion research.

Such procedures can also be used to enable the assessment of your financial position and creditworthiness as well as for combating money laundering and fraud. So-called “score values” can be used to assess your financial position and creditworthiness. A scoring uses mathematical procedures to calculate the probability of a customer meeting his/her payment obligations in contractually-conform manner. These score values thus assist us for example in assessing creditworthiness, in decisions in the context of product contracts, and are included in our risk management. The calculation is based on mathematically-statistically recognised and proven procedures, and is carried out on the basis of your data, in particular income situation, outgoings, existing liabilities, profession, employer, length of employment, experience from previous business relationships, contractually conform repayment of previous loans as well as information from credit agencies.

In this respect, we do not process information on nationality or special categories of personal data as per Art. 9 GDPR.

 

Information on your right of objection pursuant to Art. 21 GDPR

  1. You have the right to file an objection at any time against the processing of your data on the basis of Art. 6 (1) (f) GDPR (data processing on the basis of a weighing-up of interests) or Art. 6 (1) (e) GDPR (data processing in the public interest), given the presence of reasons resulting from your particular situation. This also applies to profiling based on this provision as defined in Art. 4 No. 4 GDPR.

    If you file an objection, we shall then no longer process your personal data, unless we can demonstrate compelling reasons for the processing warranting protection, and these prevail over your interests, rights and liberties, or if the processing is for the purpose of asserting, exercising or defence of legal entitlements.

  2. We may possibly also process your personal data for the purpose of carrying out direct advertising. If you do not wish to receive advertising, you have the right to object to this at any time. This also applies to the profiling insofar as this is connected to any such direct advertising. We shall comply with this objection for the future.

    We shall no longer process your data for direct advertising purposes if you object to processing for these purposes.

     

The objection can be filed informally and, if possible, should be addressed to

KölnTourismus GmbH
Kardinal-Höffner-Platz 1
50667 Cologne

 

10. Supplementary privacy information

10.1 Data protection information from KölnTourismus GmbH (Cologne Tourist Board) regarding the use of guestoo

We use the cloud solution guestoo (https://www.guestoo.cloud/en/) either separately or as part of our online services in order to handle the guest management of events that we organize ourselves, including those which we organize in cooperation with third parties (partners). For the management of the events, we transfer the personal data of the guests planned by us — and in the case of joint events, those planned by partners — to guestoo. The other processes (e.g. the dispatch of invitations, registrations, cancellations, correspondence in the run-up to the event and admission checks) are also managed through guestoo. For these purposes, we mainly enter and collect the following personal data:

  • e-mail address
  • Name
  • Title
  • Professional position
  • Telephone number
  • Institution
  • The institution’s address data
  • The name and institution of any accompanying persons

Pursuant to Article 6 (1) f GDPR (balancing of interests), we and guestoo store this data and process it through guestoo solely in the context of the respective event. Insofar as additional people are registered for an event (e.g. accompanying persons), the data processing takes place on the basis of Article 6 (1) b GDPR.

Insofar as we carry out individual events in cooperation with partners and that we are solely responsible for the event organization within this context, we will subsequently transfer the respective final guest list including the collected data and the participation status to the respective partner. This information is transferred on the basis of the respective partner’s overriding legitimate interest pursuant to Article 6 (1) f GDPR.

We process and store your data within guestoo for the period required to organize the respective event (including the corresponding preparation and follow-up phases). This does not affect any legal obligations to retain data. We will delete your data in guestoo within one year after an event has ended, insofar as you have not been invited to another event. You have the right to object to this, of course.

KölnTourismus GmbH (Cologne Tourist Board) has concluded a data processing agreement with the operator of guestoo (code piraten UG, Managing Director: Stefan Wirtz, Am Ruhmbach 44, 45149 Essen, Germany). KölnTourismus GmbH monitors the processing of your personal data in accordance with the requirements of the GDPR.

You can obtain further information about the use of your data on this website in guestoo’s privacy policy (https://www.guestoo.cloud/en/privacy).

 

10.2 Privacy policy for online meetings, conference calls, and webinars using “Zoom”

In the following, we would like to provide you with information about the processing of personal data in connection with the use of Zoom.

Purpose of the data processing
We use the tool Zoom to conduct conference calls, online meetings, video conferences and/or webinars (subsequently referred to hereinafter as “online meetings”). Zoom is a service provided by Zoom Video Communications, Inc., which is based in the USA.

Responsible organization
The Cologne Tourist Board is responsible for the data processing that is done in direct connection with the performance of online meetings.
Note: Insofar as you call up the website of Zoom, the provider of Zoom is responsible for the data processing. However, you do not need to call up the website in order to use Zoom. You only need to do so to download the software for the use of Zoom. You can also use Zoom if you directly enter the respective meeting ID and any additional access data for the meeting into the Zoom app. If you cannot use the Zoom app or do not wish to do so, you can use the basic functions via a browser version, which you can also find on the Zoom website.

Which data are processed?
A variety of types of data are processed whenever you use Zoom. The scope of the data processed also depends on the data you produce before or during your participation in an online meeting.

The following personal data are processed:
Information about the user: First name, surname, telephone number (optional), e-mail address, password (if the single sign-on option is not used), a profile picture (optional), department (optional)

Meeting metadata:
Topic, description (optional), IP addresses of the participants, device/hardware information

When recording meetings (optional):
MP4 file of all video, audio and presentation recordings, M4A file of all audio recordings, text file of the online meeting chat.

When dialling in by phone:
The telephone numbers of the outgoing and incoming calls, the name of the country, the starting and finishing time. Where appropriate, additional connection data such as the IP address of the device in question may also be stored.

Text, audio and video data:
During an online meeting, if appropriate you can use the chat, question and survey functions. The texts you enter will be processed insofar as they are to be displayed in the online meeting and, if necessary to log them. To enable the display of video and the replay of audio, the data from microphone and video camera (if applicable) of your terminal will be processed accordingly for the duration of the meeting. You can turn off/mute the camera and the microphone at any time via the Zoom applications.

In order to take part in an online meeting or enter the “meeting room”, you will have to give your name at the very least.

Scope of data processing
We use Zoom in order to conduct online meetings. Whenever we want to record online meetings, we will transparently notify you of this fact in advance and, if necessary, ask for your approval. The Zoom app also shows you if a meeting is being recorded.

We will also record chat content if this is necessary in order to document the results of an online meeting. However, this is generally not done.

In order to record and follow-up webinars, we can also process the questions posed by webinar participants.

If you are registered as a user of Zoom, reports about online meetings (meeting metadata, dial-in data, the questions and answers during webinars, surveys during webinars) can be stored at Zoom for up to one month.

We do not use automated decision-making in the sense of Art. 22 of the GDPR.

The legal basis for the data processing
If personal data of the employees of the Cologne Tourist Board are processed, the legal basis of the data processing is Section 26 BDSG (German Data Protection Act). If personal data associated with the use of Zoom are not needed for the performance of the employment relationship or its termination but be essential for the use of Zoom, the legal basis for the data processing is Art. 6 (1) (f) of GDPR. In such cases, our interest is that online meetings are effectively carried out.
Apart from that, the legal basis for data processing in connection with the performance of online meetings is Art. 6 (1) (b) GDPR if the meetings are conducted within the context of contractual relationships.
If no contractual relationship exists, the legal basis is Article 6 (1) (f) GDPR. In such cases, our interest is also that online meetings are effectively carried out.

Recipient/transfer of data
Personal data that is processed in connection with a person’s participation in online meetings are in principle not forwarded to third parties insofar as they are not specifically intended for such a transfer. Please note: As is the case with face-to-face meetings, the content from online meetings is often specifically intended to be forwarded in order to communicate information to customers, interested individuals, or third parties.
Other recipients: The provider of Zoom necessarily learns of the aforementioned data insofar as this is specified in our data processing contract with Zoom.

Data processing outside of the European Union
Zoom is a service offered by a provider based in the USA. As a result, personal data is also processed in a non-EU country. However, we have concluded a data processing contract with the provider of Zoom that fulfils the requirements of Art. 28 GDPR.
An appropriate level of data protection is guaranteed by signing of the standard contractual clauses of the EU.

 

 

Our data protection statement as well as the information on data protection concerning our data processing pursuant to Art. 13, 14 and 21 GDPR can alter from time to time. All alterations will be published on this site.

Data protection information last amended 03.06.2024

Part 2

Supplementary privacy policy for our websites

Thank you for your interest in our website. Protecting your privacy is very important to us. The following section explains in detail how your personal data will be handled.

You can visit our pages without entering any personal information. Without your explicit additional consent we store only access data without personal information — even when you use a newsletter link or a QR-Code to visit our sites. For example, we store:

  • the name of your Internet provider
  • the page you are connecting from
  • the name of the requested file

This information is evaluated solely for the purpose of improving our service and does not enable us to draw any conclusions about you personally.

We collect, store and handle your information in connection with the processing of your purchase orders, possible warranty service requirements and advertising purposes if necessary. Personal information is collected when you voluntarily provide it to us when you place an order for a purchase of goods or services, open a customer account or register for the newsletter.

Your personal information will be passed on to a service provider (transporter, shipper, bank) as part of the processing and delivery of an order (for example city guide, service provider, transporter, logistician, banks).

 

Server log files

The provider of the pages automatically collects and stores information in server log files, which your browser automatically transmits to us. These are Browser type and browser version Operating system used Referrer URL Host name of the accessing computer, time of the server request, IP address.

This data is not merged with other data sources. This data is collected on the basis of Art. 6 para. 1 lit. f GDPR. The website operator has a legitimate interest in the technically error-free presentation and optimization of its website - the server log files must be recorded for this purpose.

 

Use of cookies

We use cookies to make our webpages as user-friendly as possible. Cookies are small files that are stored on a visitor’s hard disk. They enable information to be held for a certain amount of time and the visitor’s computer to be identified. To a certain extent, this is also done with tracking pixels, which aren’t stored on the visitor’s hard disk, but can help to identify the visitor’s computer in the same way a cookie can. Hereinafter we use the term “cookie” to refer not only to cookies in the strict technical sense, but also to tracking pixels and similar technical methods.

We use cookies to create statistics and to incorporate external media. Among other things, cookies save you from having to enter data multiple times, make it easier for you to transfer specific content, and help us to identify especially popular areas of our online presentation. As a result, we can, for example, adapt the content of our webpages precisely to the user’s needs.

Insofar as individual cookies implemented by us also process personal data, the processing takes place pursuant to Article 6 (1) (b) GDPR for the implementation of a contract (e.g. registration), pursuant to Article 6 (1) (a) GDPR if you have given your permission (e.g. by clicking on a cookie banner to express your approval that the data be used for statistical purposes) or pursuant to Article 6 (1) (f) GDPR for the purposes of our legitimate interest in the best-possible functioning of the website (e.g. placement of the cookies in connection with a cookie banner to store any selections you may have made) and of a customer-friendly and effective structuring of your visit to the page.

If you wish, you can also deactivate the use of cookies in general by means of your browser settings at any time. Please click on the Help feature in your browser window to find out how you can change these settings. However, we would like to make you aware that changing these settings may prevent you from using some parts of our website.

If you are visiting our website for the first time, information will appear on your landing page regarding data protection and what settings you can make with regard to cookies. If you continue to use the webpages and do not object to the use of cookies, this approval is stored in your browser so that we do not have to display this information again on every page. If this data is not stored in your browser (e.g. you have deleted it in your browser history), this information will be displayed when you visit our webpages again.

 

Consent with Cookiebot
Our website uses Cookiebot's consent technology to obtain your consent to the storage of certain cookies on your end device or to the use of certain technologies and to document this in accordance with data protection regulations. The provider of this technology is Cybot A/S, Havnegade 39, 1058 Copenhagen, Denmark (hereinafter “Cookiebot”).

When you enter our website, a connection is established to Cookiebot's servers in order to obtain your consent and other declarations regarding the use of cookies. Cookiebot then stores a cookie in your browser in order to be able to assign the consents given or their revocation to you. The data collected in this way is stored until you ask us to delete it, delete the Cookiebot cookie yourself or the purpose for data storage no longer applies. Mandatory statutory retention obligations remain unaffected. Cookiebot is used to obtain the legally required consent for the use of cookies. The legal basis for this is Art. 6 para. 1 lit. c GDPR.

We have concluded a data processing agreement (DPA) for the use of the above-mentioned service. This is a contract prescribed by data protection law, which ensures that it processes the personal data of our website visitors only in accordance with our instructions and in compliance with the GDPR.

We use the service of Cookiebot.

 

Data security

Technical and organizational measures ensure that our website and other systems are secured against the loss of, or damage to, your data. Similarly, such measures prevent access to, or the alteration and dissemination of, your data by any unauthorized person. You should always handle your access information confidentially and close the browser window when you have finished communicating with us, especially if you share a computer with other people.

 

SSL and TLS encryption

This site uses SSL or TLS encryption for security reasons and to protect the transmission of confidential content, such as orders or inquiries that you send to us as the site operator. You can recognize an encrypted connection by the fact that the address line of the browser changes from “http://” to “https://” and by the lock symbol in your browser line. If SSL or TLS encryption is activated, the data you transmit to us cannot be read by third parties.

 

Google Tag Manager

We use the Google Tag Manager. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Google Tag Manager is a tool that enables us to integrate tracking or statistical tools and other technologies on our website. The Google Tag Manager itself does not create any user profiles, does not store any cookies and does not carry out any independent analyses. It is only used to manage and display the tools integrated via it. However, Google Tag Manager records your IP address, which may also be transmitted to Google's parent company in the United States. The Google Tag Manager is used on the basis of Art. 6 para. 1 lit. f GDPR. The website operator has a legitimate interest in the fast and uncomplicated integration and management of various tools on its website. If a corresponding consent has been requested, the processing is carried out exclusively on the basis of Art. 6 para. 1 lit. a GDPR and § 25 para. 1 TDDDG, insofar as the consent includes the storage of cookies or access to information in the user's terminal device (e.g. device fingerprinting) within the meaning of the TDDDG. Consent can be revoked at any time.

The company is certified in accordance with the “EU-US Data Privacy Framework” (DPF). The DPF is an agreement between the European Union and the USA, which is intended to ensure compliance with European data protection standards for data processing in the USA. Every company certified under the DPF undertakes to comply with these data protection standards. Further information on this can be obtained from the provider at the following link: https://www.dataprivacyframework.gov/s/participant-search/participantdetail?contact=true&id=a2zt000000001L5AAI&status=Active

 

Use of Google Analytics

This website uses functions of the web analysis service Google Analytics. The provider is Google Ireland Limited (“Google”), Gordon House, Barrow Street, Dublin 4, Ireland. Google Analytics enables the website operator to analyze the behavior of website visitors. In doing so, the website operator receives various usage data, such as page views, length of visit, operating systems used and origin of the user. This data is assigned to the user's end device. It is not assigned to a user ID. We can also use Google Analytics to record your mouse and scroll movements and clicks, among other things. Google Analytics also uses various modeling approaches to supplement the collected data records and uses machine learning technologies for data analysis. Google Analytics uses technologies that enable the recognition of the user for the purpose of analyzing user behavior (e.g. cookies or device fingerprinting). The information collected by Google about the use of this website is generally transmitted to a Google server in the USA and stored there.

The use of this service is based on your consent in accordance with Art. 6 para. 1 lit. a GDPR and § 25 para. 1 TDDDG. Consent can be revoked at any time.

Data transfer to the USA is based on the standard contractual clauses of the EU Commission. You can find details here: https://privacy.google.com/businesses/controllerterms/mccs/.

The company is certified in accordance with the “EU-US Data Privacy Framework” (DPF). The DPF is an agreement between the European Union and the USA, which is intended to ensure compliance with European data protection standards for data processing in the USA. Every company certified under the DPF undertakes to comply with these data protection standards. Further information on this can be obtained from the provider at the following link: https://www.dataprivacyframework.gov/s/participant-search/participantdetail?contact=true&id=a2zt000000001L5AAI&status=Active

 

IP anonymization

Google Analytics IP anonymization is activated. As a result, your IP address will be shortened by Google within member states of the European Union or in other contracting states of the Agreement on the European Economic Area before being transmitted to the USA. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and truncated there. Google will use this information on behalf of the operator of this website for the purpose of evaluating your use of the website, compiling reports on website activity and providing other services relating to website activity and internet usage to the website operator. The IP address transmitted by your browser as part of Google Analytics will not be merged with other Google data.

 

Browser plugin

You can prevent the collection and processing of your data by Google by downloading and installing the browser plugin available at the following link: https://tools.google.com/dlpage/gaoptout?hl=de.

You can find more information on how Google Analytics handles user data in Google's privacy policy: https://support.google.com/analytics/answer/6004245?hl=de.

 

Meta Pixel (formerly Facebook Pixel)

To measure conversion rates, this website uses the visitor activity pixel of Facebook/Meta. The provider of this service is Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland. According to Facebook’s statement the collected data will be transferred to the USA and other third-party countries too.

This tool allows the tracking of page visitors after they have been linked to the website of the provider after clicking on a Facebook ad. This makes it possible to analyze the effectiveness of Facebook ads for statistical and market research purposes and to optimize future advertising campaigns.

For us as the operators of this website, the collected data is anonymous. We are not in a position to arrive at any conclusions as to the identity of users. However, Facebook archives the information and processes it, so that it is possible to make a connection to the respective user profile and Facebook is in a position to use the data for its own promotional purposes in compliance with the Facebook Data Usage Policy (https://www.facebook.com/about/privacy/). This enables Facebook to display ads on Facebook pages as well as in locations outside of Facebook. We as the operator of this website have no control over the use of such data.

The use of these services occurs on the basis of your consent pursuant to Art. 6(1)(a) GDPR and § 25(1) TDDDG. You may revoke your consent at any time.

Within the meta pixel, we are using the expanded alignment function.

The expanded alignment allows us to transfer to Meta (Facebook) different types of data (e.g., place of residence, federal state, zip code, hashed email addresses, names, gender, date of birth or phone number) of our customers and prospects we collect through our website. As a result of this activation, we can tailor the offers presented in our advertising campaigns on Facebook to individuals interested in what we offer even more precisely. Moreover, this expanded alignment optimizes the allocation of website conversions and expands custom audiences.

Insofar as personal data is collected on our website with the help of the tool described here and forwarded to Facebook, we and Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland are jointly responsible for this data processing (Art. 26 DSGVO). The joint responsibility is limited exclusively to the collection of the data and its forwarding to Facebook. The processing by Facebook that takes place after the onward transfer is not part of the joint responsibility. The obligations incumbent on us jointly have been set out in a joint processing agreement. The wording of the agreement can be found under: https://www.facebook.com/legal/controller_addendum. According to this agreement, we are responsible for providing the privacy information when using the Facebook tool and for the privacy-secure implementation of the tool on our website. Facebook is responsible for the data security of Facebook products. You can assert data subject rights (e.g., requests for information) regarding data processed by Facebook directly with Facebook. If you assert the data subject rights with us, we are obliged to forward them to Facebook.

Data transmission to the US is based on the Standard Contractual Clauses (SCC) of the European Commission. Details can be found here: https://www.facebook.com/legal/EU_data_transfer_addendum and https://de-de.facebook.com/help/566994660333381.

In Facebook’s Data Privacy Policies, you will find additional information about the protection of your privacy at: https://www.facebook.com/about/privacy/.

You also have the option to deactivate the remarketing function “Custom Audiences” in the ad settings section under https://www.facebook.com/ads/preferences/?entry_product=ad_settings_screen. To do this, you first have to log into Facebook.

If you do not have a Facebook account, you can deactivate any user-based advertising by Facebook on the website of the European Interactive Digital Advertising Alliance: http://www.youronlinechoices.com/de/praferenzmanagement/.

The company is certified in accordance with the “EU-US Data Privacy Framework” (DPF). The DPF is an agreement between the European Union and the US, which is intended to ensure compliance with European data protection standards for data processing in the US. Every company certified under the DPF is obliged to comply with these data protection standards. For more information, please contact the provider under the following link: https://www.dataprivacyframework.gov/s/participant-search/participantdetail?contact=true&id=a2zt0000000GnywAAC&status=Active.

 

YouTube with expanded data protection integration

This website integrates videos from the YouTube website. The operator of the website is Google Ireland Limited (“Google”), Gordon House, Barrow Street, Dublin 4, Ireland.

When you visit one of these websites on which YouTube is integrated and you activate the YouTube video, a connection to the YouTube servers is established. This tells the YouTube server which of our pages you have visited. If you are logged into your YouTube account, you enable YouTube to assign your surfing behavior directly to your personal profile. You can prevent this by logging out of your YouTube account. We use YouTube in extended data protection mode. According to YouTube, videos that are played in extended data protection mode are not used to personalize browsing on YouTube. Ads that are played in extended data protection mode are also not personalized. No cookies are set in extended data protection mode. Instead, so-called local storage elements are stored in the user's browser, which contain personal data similar to cookies and can be used for recognition. Details on the extended data protection mode can be found here: https://support.google.com/youtube/answer/171780.

After activating a YouTube video, further data processing operations may be triggered over which we have no influence. The use of YouTube is based on our interest in presenting our online content in an appealing manner. Pursuant to Art. 6(1)(f) GDPR, this is a legitimate interest. If appropriate consent has been obtained, the processing is carried out exclusively on the basis of Art. 6(1)(a) GDPR and § 25 (1) TDDDG, insofar the consent includes the storage of cookies or the access to information in the user’s end device (e.g., device fingerprinting) within the meaning of the TDDDG. This consent can be revoked at any time.
For more information on how YouTube handles user data, please consult the YouTube Data Privacy Policy under: https://policies.google.com/privacy?hl=en.

The company is certified in accordance with the “EU-US Data Privacy Framework” (DPF). The DPF is an agreement between the European Union and the US, which is intended to ensure compliance with European data protection standards for data processing in the US. Every company certified under the DPF is obliged to comply with these data protection standards. For more information, please contact the provider under the following link: https://www.dataprivacyframework.gov/participant/5780.

Part 3

Additional data protection information regarding our social media presence

Data processing by social networks

We maintain publicly accessible profiles in social networks. The individual social networks that we use are listed below. Social networks such as Facebook, Instagram etc. can normally carry out comprehensive analyses of your behaviour as a user when you visit their websites or a website with integrated social media content (e.g. Like buttons or advertising banners). Numerous processing operations that are relevant to data protection are triggered by a visit to one of our social media sites. Specifically, if you visit one of our social media sites while you are logged in to your social media account, the operator of the social media portal can assign this visit to your user account. Under certain circumstances, your personal data may also be recorded when you are not logged in or if you do not have an account with the respective social media portal. In this case, the data acquisition is accomplished e.g. by using cookies that are saved on your device or by recording your IP address. The operators of the social media portals can use the data collected in this way to create user profiles in which your preferences and interests are stored. As a result, you can be presented with interest-based advertising both inside and outside the respective social media site. If you have an account with the respective social network, the interest-based advertising can be displayed on all devices on which you are, or have been, logged in. Please also note that we are unable to trace all of the processing operations on the social media portals. Depending on the provider, further processing operations could be carried out by the operators of the social media portals. You can find details of such further processing in the terms and conditions of use and the privacy policies of the respective social media portals.

 

Legal basis

Our social media sites are intended to ensure the most comprehensive possible presence in the Internet. This is in our legitimate interest pursuant to Article 6 (1) (f) GDPR. The analytical processes initiated by the social networks may be based on differing legal foundations, which must be stated by the operators of the social networks (e.g. consent pursuant to Article 6 (1) (a) GDPR).

 

Data controller and assertion of rights

When you visit one of our social media sites (e.g. Facebook), we are jointly responsible with the operator of the social media platform for the data processing operations triggered by this visit. You can basically assert your rights (access, rectification, erasure, restriction of processing, data portability and complaint) both against us and against the operator of the respective social media portal (e.g. against Facebook). Please note that despite our joint responsibility with the operators of the social media portals we do not have comprehensive influence on the data processing operations of the social media portals. Our opportunities essentially depend on the corporate policies of the respective provider.

 

Duration of storage

The data we collect directly through our social media sites is deleted by our systems as soon as you ask us to erase it, you revoke your consent to have the data stored or the purpose of the data storage no longer applies. Stored cookies remain on your device until you delete them. This clause does not affect mandatory legal requirements, in particular those specifying storage periods. We have no influence on the length of time that your data is stored by the operators of the social networks for their own purposes. To find out more, please refer to the information provided by the operators of the respective social networks (e.g. read their privacy policies; see below).

 

Specific social networks

Facebook

We have a Facebook page. The provider of this service is Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (hereinafter Meta). Meta states that the data collected are also transferred to the USA and other third countries. We have an agreement with Meta (Controller Addendum) concerning the joint processing of the data. This agreement stipulates which data is processed by us and which is processed by Meta whenever you visit our Facebook page. You can read this agreement by clicking on the following link:

https://www.facebook.com/legal/terms/page_controller_addendum.

According to this we ourselves have no power to take or implement decisions with regard to the processing of Insights data. The primary responsibility pursuant to the GDPR for the processing of Insights data and the fulfilment of all duties arising from the GDPR with regard to the processing of Insights data has been assumed by Meta.

 

By means of the function “Page Insights” we can to this extent call up from Facebook statistical data of various categories in connection with the use of the Facebook Fanpage such as the total number of page views, the “Likes,” page activities, report interactions, video views, report range, comments, shared content, answers, proportion of men and women, origin with reference to country and city, language, calls and clicks in the Shop, clicks on the Route Planner and clicks on telephone numbers. We use these details in order to be able to make our pages more attractive and appropriate to requirements (e.g. in that we determine the appropriate point in time for the publication of an item of content).

 

With regard to the exercise of the rights of the data subject and of access requests we wish to point out that such rights can most effectively be asserted directly to Facebook (see https://www.facebook.com/legal/terms/information_about_page_insights_data).

 

You can adjust your advertising settings yourself in your user account. To do so, click on the following link and log in.

https://www.facebook.com/settings?tab=ads.

 

We would like to draw your attention to the fact that in the event of a visit to the Facebook Fanpage, your data as user can be processed outside the EU. Insofar as the European Commission has not taken a decision regarding the existence of an adequate level of data protection in the respective country, there is a risk of access by authorities, without the existence of adequate legal remedies.

 

The data transfer to the USA relies on standard contractual clauses of the European Commission. Details can be found at

https://www.facebook.com/legal/EU_data_transfer_addendum  and

https://en-gb.facebook.com/help/566994660333381.

For more information, refer to Facebook’s privacy policy at

https://www.facebook.com/about/privacy/.

 

Twitter

We use the short message service Twitter. The provider is the Twitter International Company, One Cumberland Place, Fenian Street, Dublin 2, D02 AX07, Ireland.

You can adjust your Twitter data protection settings yourself in your user account. To do so, click on the following link and log in: https://twitter.com/personalization.

The data transfer to the USA relies on standard contractual clauses of the European Commission. You can find details at https://gdpr.twitter.com/en/controller-to-controller-transfers.html

For more information, refer to Facebook’s privacy policy at: https://twitter.com/en/privacy.

 

Instagram

We have an Instagram profile. The provider of this service is Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland. The data transfer to the USA relies on standard contractual clauses of the European Commission. Details can be found at

https://www.facebook.com/legal/EU_data_transfer_addendum,

https://help.instagram.com/519522125107875 and

https://en-gb.facebook.com/help/566994660333381.

For details of the handling of your personal data, see the Instagram privacy policy at

https://help.instagram.com/519522125107875.

 

Pinterest

We have a Pinterest profile. The operator is Pinterest Europe Ltd., Palmerston House, 2nd Floor, Fenian Street, Dublin 2, Ireland. For details of the handling of your personal data, see the Pinterest privacy policy at https://policy.pinterest.com/en/privacy-policy.

 

LinkedIn

We have a LinkedIn profile. The provider is the LinkedIn Ireland Unlimited Company, Wilton

Plaza, Wilton Place, Dublin 2, Ireland. LinkedIn uses advertising cookies.

If you wish to deactivate LinkedIn advertising cookies, use the following link:

https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.

The data transfer to the USA relies on standard contractual clauses of the European Commission. You can find details at https://www.linkedin.com/legal/l/dpa and

https://www.linkedin.com/legal/l/eu-sccs.

For details concerning their handling of your personal data refer to the LinkedIn privacy policy at

https://www.linkedin.com/legal/privacy-policy.

 

YouTube

We have a YouTube profile. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. For details concerning their handling of your personal data refer to the YouTube privacy policy at

https://policies.google.com/privacy?hl=de.

 

TikTok

We have a TikTok profile. The provider is TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, D02 T380, Ireland. For details concerning their handling of your personal data refer to the TikTok privacy policy at

https://www.tiktok.com/legal/privacy-policy?lang=en.

The data transfer to third countries without an adequate level of data protection relies on standard contractual clauses of the European Commission. You can find details at https://www.tiktok.com/legal/privacy-policy?lang=en

Part 4

Data Protection information for the use of the Cologne Tourist Board image database media.koelntourismus.de
 

1. provision of the online offer and web hosting

(1) When visiting the KölnTourismus image database, data of website visitors/users (= category of data subjects) are processed only to the extent necessary to provide them with our online services. For this purpose, we process the user's IP address, which is necessary to transmit the content and functions of our website to the user's browser or end device.

 

(2) The following types of data are processed for this purpose:

  • Usage data (e.g. websites visited, interest in content, access times);
  • Meta and process data (e.g. time data, identification numbers);

 

(3) Access to our online offering is logged in the form of so-called "server log files". The server log files may include the address and name of the web pages and files accessed, the date and time of access, data volumes transferred, notification of successful access, browser type and version, the user's operating system, referrer URL (the previously visited page) and IP addresses as well as the requesting provider.

 

(4) Data processing is carried out solely for the following purposes:

  • the provision of our online offer and its user-friendliness;
  • the operation of the information technology infrastructure (operation and provision of information systems and technical devices such as computers and servers)
  • Security measures and firewall; e.g. to avoid overloading the servers and ensure their stability, especially in the event of abusive attacks (so-called DDoS attacks).

 

(5) The legal basis for data processing is our legitimate interest in a secure, user-friendly and functioning online offering; Art. 6 para. 1 sentence 1 lit. f) GDPR.

 

(6) Log file information is stored for a maximum of 7 days and then deleted or anonymised. Data whose further storage is required for evidence purposes is excluded from deletion until the respective incident has been finally clarified and will only be deleted once the purpose has been achieved.

 

(7) If IP addresses are processed by us or by the service providers and technologies used and the processing of a full IP address is not required, the IP address is truncated (also known as "IP masking"). In this process, the last two digits or the last part of the IP address after a dot are removed or replaced by placeholders. The shortening of the IP address is intended to prevent or significantly complicate the identification of a person by means of their IP address.

 

(8) We use TLS encryption to protect the data transmitted via our online offering.

 

Our privacy policy and the information on data protection regarding our data processing in accordance with Articles 13, 14 and 21 GDPR may change from time to time. We will publish any changes on this page.