Privacy Policy

Thank you for visiting our website. Below, we would like to inform you about how we handle your data in accordance with Article 13 of the General Data Protection Regulation (GDPR).

Privacy Settings

Settings

1. Websites

We are delighted that you have visited our website. Below, we would like to inform you about how we handle your data in accordance with Article 13 of the General Data Protection Regulation (GDPR).

Responsible party

The entity named in the legal notice is responsible for the data processing described below.

Usage data

When you visit our websites, our web server temporarily evaluates so-called usage data for statistical purposes in order to improve the quality of our websites. This data record consists of

the name and address of the requested content,
the date and time of the query,
the amount of data transferred,
the access status (content transferred, content not found),
the description of the web browser and operating system used,
the referral link, which indicates from which page you accessed our website,
the IP address of the requesting computer, which is shortened so that it can no longer be traced back to a specific person.

The aforementioned log data is only evaluated anonymously.

Storage of the IP address for security purposes

In addition, we store the complete IP address transmitted by your device for a period of 14 days for the specific purpose of detecting, limiting and eliminating attacks on our websites. After this period has expired, we delete or anonymise the IP address. The legal basis for this is Art. 6 (1) (f) GDPR.

Data security

We take technical and organisational measures to protect your data from unauthorised access as comprehensively as possible. We use an encryption process on our websites. Your information is transferred from your computer to our server and vice versa via the Internet using TLS encryption. You can usually recognise this by the closed padlock symbol in your browser's status bar and the address line beginning with https://.

Required cookies

We use cookies on our websites that are necessary for the use of our websites.

Cookies are small text files that can be stored and read on your device. A distinction is made between session cookies, which are deleted as soon as you close your browser, and permanent cookies, which are stored beyond the individual session.

We do not use these necessary cookies for analysis, tracking or advertising purposes.

In some cases, these cookies only contain information about certain settings and are not personally identifiable. They may also be necessary to enable user guidance, security and implementation of the site.

We use these cookies on the basis of Art. 6 (1) (f) GDPR.

You can set your browser to inform you when cookies are placed. This makes the use of cookies transparent for you. You can also delete cookies at any time via the corresponding browser setting and prevent new cookies from being set. Please note that our websites may then not be displayed and some functions may no longer be available for technical reasons.You can also find a list of the cookies used in the Privacy settings obove.

Google Consent Mode

We use Google Consent Mode V2 (Basic Mode). This means that your IP address will be transmitted to Google regardless of your settings in the banner. However, Google deletes this immediately after collection and does not log it. Processing is carried out in our legitimate interest in order to better control and use certain functions of the Google services used on the website that require consent. The legal basis for processing is Art. 6(1)(f) GDPR.

Google Analytics

We use the web analytics tool ‘Google Analytics’ to design our websites in line with user needs. Google Analytics creates usage profiles based on pseudonyms. For this purpose, permanent cookies are stored on your device and read by us. This enables us to recognise returning visitors and count them as such.

Within the framework of Google Analytics, Google Ireland Limited and Google LLC. (USA) supports us as processors in accordance with Art. 28 GDPR. Data processing may therefore also take place outside the EU or the EEA (in particular in the USA). With regard to Google, an adequate level of data protection is guaranteed on the basis of the adequacy decision (EU-U.S. Data Privacy Framework). Google also undertakes to conclude standard contractual clauses with other sub-processors. With regard to Google LLC, an adequate level of data protection cannot be assumed due to processing in the USA. There is a risk that authorities may access the data for security and surveillance purposes without you being informed or being able to take legal action. Please note this when you decide to give your consent to our use of Google Analytics. You can revoke your consent at any time. To do so, please open the Privacy settings page.

Google Tag Manager

We use Google Tag Manager. With the exception of IP addresses, no personal data is collected via Google Tag Manager itself. Tag Manager makes it easier for us to integrate and manage our tags. Tags are small code elements that are used, among other things, to measure traffic and visitor behaviour, to record the impact of online advertising and social channels, to set up remarketing and targeting, and to test and optimise websites. We use Tag Manager for the Google services Google Ads and Google Analytics. Data processing is carried out on the basis of Art. 6(1)(f) GDPR.

Third-party tracking technologies for advertising purposes

We use cross-device tracking technologies so that targeted advertising can be displayed to you on other websites based on your visit to our websites and so that we can determine how effective our advertising measures have been.

Data processing is based on your consent, provided you have given your consent via our banner. Your consent is voluntary and can be revoked at any time.

How does tracking work?

When you visit our websites, the third-party providers listed below may retrieve recognition features for your browser or device (e.g. a so-called browser fingerprint), evaluate your IP address, store or read recognition features on your device (e.g. cookies) or gain access to individual tracking pixels.

The individual features can be used by third-party providers to recognise your device on other websites. We may commission the relevant third-party providers to place advertisements based on the pages you have visited on our website.

What does cross-device tracking mean?

If you log in to the third-party provider with your own user data, the respective recognition features of different browsers and end devices can be linked together. If, for example, the third-party provider has created a separate identifier for the laptop, desktop PC, smartphone or tablet you use, these individual identifiers can be linked to each other as soon as you use a third-party provider's service with your login details. This enables the third-party provider to target our advertising campaigns across different devices.

Which third-party providers do we use in this context?

Below, we list the third-party providers with whom we collaborate for advertising purposes. If the data is processed outside the EU or the EEA (in particular in the USA) in this context, we provide information on the level of data protection in the table below.

Provider	Adequate level of data protection	Right to object
Meta (Facebook)	The transfer is based on Art. 49(1)(a) GDPR. For transfers to the USA, an adequate level of data protection is also guaranteed due to the provider's certification under the adequacy decision (EU-U.S. Data Privacy Framework).	If you wish to withdraw your consent, please click on Privacy settings on top of this page and make the appropriate setting.
Google	The transfer is based on Art. 49(1)(a) GDPR. For transfers to the USA, an adequate level of data protection is also guaranteed due to the provider's certification under the adequacy decision (EU-U.S. Data Privacy Framework).	If you wish to withdraw your consent, please click on Privacy settings on top of this page and make the appropriate setting.
Salesforce.com Inc. / Salesforce.com Germany GmbH (USA and/or Deutschland)	The transfer is based on Art. 49(1)(a) GDPR. For transfers to the USA, an adequate level of data protection is also guaranteed due to the provider's certification under the adequacy decision (EU-U.S. Data Privacy Framework).	If you wish to withdraw your consent, please click on Privacy settings on top of this page and make the appropriate setting.

Anonymous visitor measurement

We also carry out anonymous visitor measurement on our websites. For this purpose, the log data of the web server and the truncated IP address are evaluated. It is not possible to draw any conclusions about your person.

Embedded videos

We embed videos on our websites that are not stored on our servers. To ensure that visiting our websites with embedded videos does not automatically result in third-party content being reloaded, we initially only display locally stored preview images of the videos. This means that the third-party provider does not receive any information. Only after clicking on the preview image is the third-party provider's content reloaded. This provides the third-party provider with information that you have accessed our site, as well as the technically necessary usage data. In addition, the third-party provider is then able to implement tracking technologies.

We have no influence on further data processing by the third-party provider. By clicking on the preview image, you give us your consent to reload content from the third-party provider. The embedding is based on your consent in accordance with Section 25 (1) or (2) TDDDG or, for subsequent processing, Article 6 (1) (a) GDPR, provided that you have given your consent by clicking on the preview image. Please note that embedding many videos means that your data will be processed outside the EU or the EEA. In some countries, there is a risk that authorities may access the data for security and surveillance purposes without you being informed or being able to seek legal redress. If the data is processed outside the EU or the EEA (in particular in the USA) in this context, we provide information on the level of data protection in the following table.

Provider	Adequate level of data protection	Right to object
YouTube / Google (USA)	The transfer is based on Art. 49(1)(a) GDPR. For transfers to the USA, an adequate level of data protection is also guaranteed due to the provider's certification under the adequacy decision (EU-U.S. Data Privacy Framework).	When you click on a preview image, the third-party content is immediately reloaded. If you do not want this reloading to occur on other pages, please do not click on the preview images.

Map services

We embed map services on our websites that are not stored on our servers. To ensure that visiting our websites with embedded map services does not automatically result in third-party content being reloaded, we initially only display locally stored preview images of the maps. This means that the third-party provider does not receive any information.

Only after clicking on the preview image is the third-party provider's content reloaded. This provides the third-party provider with the information that you have accessed our site and the technically necessary usage data in this context. We have no influence on further data processing by the third-party provider. By clicking on the preview image, you give us your consent to reload the third-party provider's content.

The embedding is based on your consent in accordance with Section 25 (1) or (2) TDDDG for subsequent processing in accordance with Art. 6 (1) (a) GDPR, provided that you have previously given your consent by clicking on the preview image.

Please note that the embedding of some map services means that your data will be processed outside the EU or the EEA. In some countries, there is a risk that authorities may access the data for security and surveillance purposes without you being informed or being able to seek legal redress. If the data is processed outside the EU or the EEA (in particular in the USA) in this context, we provide information on the level of data protection in the table below.

Provider	Adequate level of data protection	Right to object
Google LLC (USA)	The transfer is based on Art. 49(1)(a) GDPR. For transfers to the USA, an adequate level of data protection is also guaranteed due to the provider's certification under the adequacy decision (EU-U.S. Data Privacy Framework).	If you wish to withdraw your consent, please click on Privacy settings on top of this page and make the appropriate setting.

Other processors

We pass on your data within the scope of order processing in accordance with Art. 28 GDPR to service providers who support us in operating our websites and the associated processes. These include, for example, hosting service providers. Our service providers are strictly bound by our instructions and are contractually obliged to do so.

Below, we list the processors with whom we work, unless we have already done so in the above text of the privacy policy. If data is transferred outside the EU or the EEA in this context, we provide information on the appropriate level of data protection.

Provider	Adequate level of data protection	Right to object
Rechenzentrum des DJH Hauptverband Leonardo-da-Vinci-Weg 1, 32760 Detmold	Webhosting and Support	Processing within the EU/EEA
Salesforce.com Inc. / Salesforce.com Germany GmbH	Newsletter-Mailing	Processing within the EU/EEA

Contact details of the data protection officer

Our external data protection officer is available to provide you with information on data protection at the following contact details: datenschutz süd GmbH, Wörthstraße 15, 97082 Würzburg, email: office@datenschutz-sued.de When contacting our data protection officer, please also indicate the responsible body named under ‘Responsible body’.

Your rights as a data subject

When processing your personal data, the GDPR grants you certain rights as a data subject:

Right of access (Art. 15 GDPR)

You have the right to request confirmation as to whether personal data concerning you is being processed; if this is the case, you have the right to access this personal data and to the information specified in detail in Art. 15 GDPR.

Right to rectification (Art. 16 GDPR)

You have the right to request the immediate rectification of inaccurate personal data concerning you and, where applicable, the completion of incomplete data.

Right to erasure (Art. 17 GDPR)

You have the right to request that personal data concerning you be erased without delay if one of the reasons listed in detail in Art. 17 GDPR applies.

Right to restriction of processing (Art. 18 GDPR)

You have the right to request the restriction of processing if one of the conditions listed in Art. 18 GDPR applies, e.g. if you have objected to the processing, for the duration of the review by the controller.

Right to data portability (Art. 20 GDPR)

In certain cases, which are listed in detail in Art. 20 GDPR, you have the right to receive the personal data concerning you in a structured, commonly used and machine-readable format or to request the transfer of this data to a third party.

Right of withdrawal (Art. 7 GDPR)

If the processing of data is based on your consent, you are entitled under Art. 7(3) GDPR to withdraw your consent to the use of your personal data at any time. Please note that the withdrawal only applies to the future. Processing that took place before the withdrawal is not affected.

Right to object (Art. 21 GDPR)

If data is collected on the basis of Art. 6(1)(f) GDPR (data processing to safeguard legitimate interests) or on the basis of Art. 6(1)(e) GDPR (data processing to safeguard public interests or in the exercise of official authority), you have the right to object to the processing at any time on grounds relating to your particular situation. We will then no longer process the personal data unless there are demonstrably compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims.

Right to lodge a complaint with a supervisory authority (Art. 77 GDPR)

Pursuant to Art. 77 GDPR, you have the right to lodge a complaint with a supervisory authority if you believe that the processing of data concerning you violates data protection regulations. The right to lodge a complaint can be exercised in particular with a supervisory authority in the Member State of your habitual residence, your place of work or the place of the alleged infringement.

Exercising your rights

Unless otherwise specified above, please contact the office named in the legal notice to exercise your rights as a data subject.

Newsletter registration and dispatch

You can subscribe to a newsletter on our website. Please note that we require certain data (at least your email address) for you to register for the newsletter.

The newsletter will only be sent if you have given us your express consent in accordance with Art. 6 (1) (a) GDPR. We use XQueue GmbH Christian-Pleß-Straße 11-13, 63069 Offenbach am Main, or Salesformce.com Germany GmbH, Erika,-Mann-Str. 31, 80636 Munich, Germany, as a service provider (processor), which is strictly bound by our instructions and contractually obliged to do so.

After you have subscribed on our website, you will receive a confirmation email to the email address you provided (known as double opt-in). You can revoke your consent at any time. Revoking your consent does not affect the lawfulness of the processing carried out on the basis of your consent until revocation. You can easily revoke your consent, for example, by using the unsubscribe link provided in every newsletter.

When you subscribe to our newsletter, we store additional data beyond the data already mentioned, insofar as this is necessary to prove that you have subscribed to our newsletter. This may include storing your full IP address at the time of subscription or confirmation of the newsletter, as well as a copy of the confirmation email we sent. The corresponding data processing is carried out on the basis of Art. 6 (1) (f) GDPR and is carried out in the interest of being able to account for the legality of the newsletter dispatch.

2. Membership

Responsible party

The regional association in whose geographical area the data subject resides is responsible for data processing:

Landesverband Baden-Württemberg e. V., Fritz-Walter-Weg 19, 70372 Stuttgart - Bad Cannstatt
Landesverband Bayern e.V., Mauerkircherstraße 5, 81679 Munich
Landesverband Berlin-Brandenburg e.V., Babelsberger Str. 28, 14473 Potsdam
Landesverband Hannover e. V., Ferdinand-Wilhelm-Fricke-Weg 1, 30169 Hannover
Landesverband Hessen e.V., Mühlweg 18, 61348 Bad Homburg
Inklusive Jugendherbergen Hessen gGmbH, Mühlweg 18, 61348 Bad Homburg
Landesverband Mecklenburg-Vorpommern e.V., Konrad-Zuse-Straße 2, 18057 Rostock
Landesverband Nordmark e.V., Rennbahnstraße 100, 22111 Hamburg
Landesverband Rheinland e. V., Düsseldorfer Straße 1a, 40545 Düsseldorf
Die Jugendherbergen in Rheinland-Pfalz und im Saarland, In der Meielache 1, 55122 Mainz
Landesverband Sachsen e. V., Zschopauer Straße 216, 09126 Chemnitz
Landesverband Sachsen-Anhalt e. V., Leiterstraße 10, 39104 Magdeburg
Landesverband Thüringen e.V., Zum Wilden Graben 12, 99425 Weimar
Die JugendHerbergen gemeinnützige GmbH, Woltmershauser Allee 8, 28199 Bremen
DJH Landesverband Westfalen-Lippe gemeinnützige GmbH, Eppenhauser Strasse 65, 58093 Hagen

General information

We only collect data that is necessary

for the performance of a contract to which the data subject is party,
for the implementation of pre-contractual measures taken at the request of the data subject.
for the protection of legitimate interests.

Data processing for the performance of a contract or for the implementation of pre-contractual measures

We process the data collected with the membership application in accordance with Art. 6 (1) lit. b GDPR for the purpose of fulfilling the contract or implementing pre-contractual measures. This includes the following data in particular: gender, name, address, date of birth, email address, IBAN, information about partners and children (gender, name, date of birth).

The data is stored for 10 years, in particular in accordance with Sections 14, 14b of the Austrian Value Added Tax Act (UStG), Section 256 of the Austrian Commercial Code (HGB) and Section 147 of the Austrian Fiscal Code (AO). In the event of statutory retention periods, the data concerned is archived for the duration of these periods and blocked from general access if it is no longer required for the performance of the contract.

Data processing based on consent

If you have provided voluntary information, e.g. telephone or fax number, or have given us separate consent to send you a newsletter, the corresponding processing will be carried out on the basis of Art. 6 (1) lit. a GDPR. Your consent can be revoked at any time without affecting the legality of the processing carried out to date. If consent is revoked, we will cease processing the data in question.

Data processing to safeguard the legitimate interests of the controller

We process your data in accordance with Art. 6 (1) (f) GDPR as follows:

1. We process your name and address in order to inform you of new offers by post. Our legitimate interest lies in increasing the occupancy of our youth hostels and increasing sales.

2. We use your name and email address to promote our own similar products electronically, provided we have received this information in connection with your booking. Here, too, our legitimate interest lies in increasing the occupancy of the youth hostels we offer and increasing sales.

You may object to data processing at any time. This will not incur any costs other than the transmission costs according to the basic tariffs. Your data will be deleted when you exercise your right to object.

Data recipients

We only transfer your data to third parties if there is a legal basis for doing so (in particular in accordance with the above-mentioned legal provisions). If necessary, personal data will be passed on to companies involved in the execution of this contract, e.g. credit institutions for payment processing, printing and shipping service providers, cooperation partners for the implementation of booked events, etc.

When collecting and processing data for the aforementioned purposes, we use the services of the German Youth Hostel Association (Deutsches Jugendherbergswerk Hauptverband für Jugendwandern und Jugendherbergen e.V., Leonardo-da-Vinci-Weg 1, 32760 Detmold) within the framework of a contract processing relationship within the meaning of Art. 28 GDPR.

Contact details of the data protection officer

Rights of the data subject

In accordance with the relevant provisions of the GDPR, data subjects have the right to access (Art. 15) personal data concerning them, as well as the right to rectify inaccurate data or to erase it (Art. 16, 17). They also have the right to restrict processing (Art. 18) and, in the cases specified in Art. 20 GDPR, the right to data portability.

Objection

If data is processed on the basis of Art. 6(1)(f) GDPR (data processing to safeguard legitimate interests), the data subject has the right to object to the processing at any time for reasons arising from their particular situation.

We will then no longer process the personal data unless there are demonstrably compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or the processing serves to assert, exercise or defend legal claims.

In the case of advertising by e-mail, you can object to the processing of your data at any time without giving reasons.

Right to lodge a complaint with a supervisory authority

Every data subject has the right to lodge a complaint with a supervisory authority if they believe that the processing of data concerning them violates data protection regulations. The right to lodge a complaint can be exercised in particular with a supervisory authority in the Member State of the data subject's place of residence or the place of the alleged infringement.

Exercising your rights

Unless otherwise described above, please contact the responsible body to exercise your rights as a data subject.

3. Bookings

Responsible party

DJH Landesverband Hessen e.V., Mühlweg 18, 61348 Bad Homburg, info-hessen@jugendherberge.de is responsible for data processing (in case of the youth hostel Marburg: Inklusive Jugendherbergen Hessen gGmbH, Mühlweg 18, 61348 Bad Homburg)</li>

Type, purposes and legal basis of data processing

We process the following personal data about you:

Data of the person making the booking (name, address, email address, telephone/mobile number/email address, DJH membership number);

Data of persons accompanying the person making the booking (name, address, email address if applicable, telephone or mobile number, DJH membership number);

Booking details (number and age of guests, booking period, catering details, selected accommodation);

Bank details, if applicable;

Details of any paid services (additional services such as bed linen or Wi-Fi; leisure activities) that you use during your stay, if applicable.

The legal basis for data processing is Art. 6(1)(b) GDPR (for the performance of a contract or implementation of pre-contractual measures).

If the contract has been or is to be concluded with a legal entity or institution (e.g. association, school, daycare centre, public authority, company), the data of the contact persons of the legal entity or institution will be processed on the basis of Art. 6 (1) lit. f GDPR. Our legitimate interest lies in the performance of the contract with the legal entity or institution to which you belong.

In addition, we process special categories of personal data (e.g. information about disabilities – for the provision of a suitable room; about allergies – for consideration when preparing meals). The legal basis for the processing of this data is Art. 9 (2) (a) GDPR (consent). Consent can be revoked at any time with effect for the future. Data processing carried out until revocation of consent remains lawful.

We process your name and address in accordance with Art. 6(1)(f) GDPR in order to inform you about our offers by post (based on the legitimate interest in promoting our services). You can object to the use of your data for advertising purposes at any time.

If we have received your email address in the context of a contractual relationship, we use it to inform you about the same or similar products and offers. The promotion is carried out in the legitimate interest of increasing the occupancy rate of our youth hostels. You can object to the use of your email address for advertising purposes at any time (contact details below under ‘Your data protection rights’) without incurring any costs other than the transmission costs according to the basic rates.

Transfer of data

We only transfer your data to third parties if we have the authority to do so under data protection law (e.g. consent/contract fulfilment/legitimate interest). If necessary, personal data will be passed on to companies involved in the processing/fulfilment of this contract, e.g. credit institutions for payment processing, cooperation partners for the implementation of booked events.

External service providers who are strictly bound by instructions may be used for data processing. Contracts for order processing have been concluded with these providers. We audit them regularly.

Data deletion

We delete your data when it is no longer required for the above-mentioned purposes and there are no legal retention periods (in particular from the UStG, HGB and AO) that prevent deletion. This is regularly the case for booking data after 10 years.

Contact details of the data protection officer

Your data protection rights

When processing your personal data, the GDPR grants you certain rights as a data subject:

Right of access (Art. 15 GDPR)

Right to rectification (Art. 16 GDPR)

You have the right to request the immediate rectification of inaccurate personal data concerning you and, where applicable, the completion of incomplete data.

Right to erasure (Art. 17 GDPR)

You have the right to request that personal data concerning you be erased without delay, provided that one of the reasons specified in Art. 17 GDPR applies.

Right to restriction of processing (Art. 18 GDPR)

Right to data portability (Art. 20 GDPR)

Right of withdrawal (Art. 7 GDPR)

Right to object (Art. 21 GDPR)

Right to lodge a complaint with a supervisory authority (Art. 77 GDPR)

Pursuant to Art. 77 GDPR, you have the right to lodge a complaint with a supervisory authority if you believe that the processing of your data violates data protection regulations. The right to lodge a complaint can be exercised in particular with a supervisory authority in the Member State of your habitual residence, your place of work or the place of the alleged infringement.

Exercising your rights

Unless otherwise specified above, please contact the responsible body to exercise your rights as a data subject.

4. Data protection information for the DJH app

The following information is intended to inform you about the extent to which data concerning you is processed when you use the DJH app (hereinafter referred to as the ‘app’), the purposes for which this is done, the legal basis for this and the rights and claims to which you may be entitled.

1. Name and contact details of the controller

The controller responsible for the data processing described below is:
Deutsches Jugendherbergswerk (German Youth Hostel Association)
Hauptverband für Jugendwandern und Jugendherbergen e.V. (Main Association for Youth Hiking and Youth Hostels)
Leonardo-da-Vinci-Weg 1
32760 Detmold

2.Usage data

When you open the app, so-called usage data about the user is automatically processed, which is necessary for the provision of the app or services. This includes, for example, the following data:
• IP address of your device
• Type of device (smartphone, tablet, manufacturer, device ID)
• Name of files received
• Date and time of file requests
• Amount of data transferred
• Status messages about the successful or failed retrieval of data
The data processing described above is carried out in order to ensure the functionality of our app and to optimise this service.
In addition, we store the transmitted full IP address for a period of 14 days for the sole purpose of detecting, limiting and eliminating attacks on our application. After this period has expired, we delete or anonymise the IP address.

3. Registration/login

In order to access certain functions (such as member benefits and simplified booking) of the app, you must log in with your user name and password. If necessary, we may also process an additional attribute, such as your device ID or IP address, as part of two-factor authentication. We process this data to ensure your authentication and to guarantee effective access protection. The legal basis for this processing is Art. 6 (1) (f) GDPR, taking into account the technical and organisational measures pursuant to Art. 32 GDPR.

4. User profile

The following information, which we also collect as part of your membership or booking, may be stored in your user profile:

• Surname, first name,
• Email address (if available),
• Membership number,
• Address,
• Date of birth,
• Email,
• Telephone number,
• Mobile phone number,
• Information about partners and children for additional membership cards that are stored (in each case: gender, surname, date of birth).
The legal basis for this processing is Art. 6 (1) (b) GDPR, as this data is necessary for the performance of a contract or for the implementation of pre-contractual measures in connection with the use of the app.

5. Permissions

In order to make full use of the app and its various functions, it requires certain access permissions, which you will be asked to grant either when you first register or when you use the respective function. This can be controlled directly via the device's permission settings.
These permissions allow the app to access the device functions described in more detail below and the data stored on the end device via the corresponding interfaces.
The granting of permissions and access to the app is entirely voluntary and only necessary if you wish to use the corresponding function. We then process the personal data you provide exclusively on the basis of Art. 6 (1) (f) GDPR, as this data is necessary for the use of the app.
5.1. Access to the network / network connections
The app requires network access for many of its applications, as they only work in online mode.
5.2. Access to camera
In addition to entering your personal data, you can also scan your membership card directly and use it for your user profile. This requires access to your system camera.

6. Functions

6.1 Push notifications
If you have given your consent during installation to receive push notifications from this app, messages will be highlighted on your display regardless of whether you are using the app. This depends on the settings on your device. A device token or registration ID is assigned by your operating system provider. This device ID enables us to provide you with notifications without it being possible to identify you as a person. The legal basis for processing is Art. 6 (1) (f) GDPR in the legitimate interest of being able to inform you promptly about important news and announcements. This function is only used in certain cases.
You can deactivate the receipt of push notifications at any time in the app settings of your device or configure them on your device.

6.2 Third-party tracking technologies for advertising purposes
We use cross-device tracking technologies so that targeted advertising can be displayed to you on other websites based on your visit to our websites and so that we can recognise how effective our advertising measures have been.
Data processing is based on your consent, provided that you have given your consent via our banner. Your consent is voluntary and can be revoked at any time.
How does tracking work?
When you visit our websites, the third-party providers listed below may retrieve recognition features for your browser or device (e.g. a browser fingerprint), evaluate your IP address, store or read recognition features on your device (e.g. cookies) or gain access to individual tracking pixels.
The individual features can be used by third-party providers to recognise your device on other websites. We may commission the relevant third-party providers to place advertisements based on the pages you have visited on our website.
What does cross-device tracking mean?
If you log in to the third-party provider with your own user data, the respective recognition features of different browsers and end devices can be linked together. If, for example, the third-party provider has created a separate feature for the laptop, desktop PC or smartphone or tablet you use, these individual features can be assigned to each other as soon as you use a service of the third-party provider with your login details. In this way, the third-party provider can also control our advertising campaigns in a targeted manner across different devices.
Which third-party providers do we use in this context?
Below, we list the third-party providers with whom we collaborate for advertising purposes. If data is processed outside the EU or the EEA in this context, please note that there is a risk that authorities may access the data for security and surveillance purposes without you being informed or being able to seek legal redress. If we use providers in unsafe third countries and you consent, the transfer to a third country will be based on Art. 49(1)(a) GDPR.

Provider	Adequate level of data protection	Right to object
Google (USA)	EU-U.S. Data Privacy Framework (Art. 45(1) GDPR)	If you wish to withdraw your consent, please click on Privacy settings on top of this page and make the appropriate setting.

6.3 Anonymous visitor measurement
We also carry out anonymous visitor measurement on our websites. For this purpose, the log data of the web server and the truncated IP address are evaluated. It is not possible to draw any conclusions about your person.

7. Data recipients
We are supported in the operation and IT support of the app by neusta mobile solutions, based in Germany, which developed this service. The service provider acts strictly in accordance with our instructions as a processor. A data processing agreement in accordance with Art. 28 GDPR is in place.

8. Data security
We take technical and organizational measures to protect your data from unauthorized access as comprehensively as possible. To this end, we use a secure encryption process. Your data is transmitted from your device to our server and vice versa via the Internet using TLS encryption.

9. Your rights
As a user of our application, you have the option of asserting the following rights if the requirements are met:
Right of access (Art. 15 GDPR):
You have the right to request confirmation as to whether personal data concerning you is being processed; if this is the case, you have the right to obtain access to this personal data and to the information specified in Art. 15 GDPR.
Right to rectification and erasure (Articles 16 and 17 GDPR):
You have the right to request the immediate rectification of inaccurate personal data concerning you and, where applicable, the completion of incomplete personal data.
You also have the right to request that personal data concerning you be erased without delay if one of the reasons listed in detail in Art. 17 GDPR applies, e.g. if the data is no longer required for the purposes pursued.
Right to restriction of processing (Art. 18 GDPR):
You have the right to request the restriction of processing if one of the conditions listed in Art. 18 GDPR applies, e.g. if you have lodged an objection to the processing pursuant to Art. 21 GDPR or for the duration of any review of whether our legitimate interests outweigh your interests as a data subject.
Right to data portability (Art. 20 GDPR):
In certain cases, which are listed in detail in Art. 20 GDPR, you have the right to receive the personal data concerning you in a structured, commonly used and machine-readable format or to request the transfer of this data to a third party.
Right to object (Art. 21 GDPR):
If data is collected on the basis of Art. 6 (1) (f) GDPR (data processing to safeguard legitimate interests), you have the right to object to the processing at any time for reasons arising from your particular situation. We will then no longer process the personal data unless there are demonstrably compelling legitimate grounds for the processing which override your interests, rights, and freedoms, or the processing serves to assert, exercise, or defend legal claims.
Right to lodge a complaint with a supervisory authority:
Pursuant to Art. 77 GDPR, you have the right to lodge a complaint with a supervisory authority if you believe that the processing of data concerning you violates data protection regulations. The right to lodge a complaint can be exercised in particular with a supervisory authority in the member state of your place of residence, your place of work, or the place of the alleged violation.

10. Contact details of the data protection officer: Our company data protection officer is available to provide you with information or suggestions on the subject of data protection:
datenschutz nord GmbH
Konsul-Smidt-Straße 88
28217 Bremen, Germany
Web: www.dsn-group.de
Email: office@datenschutz-nord.de