data protection
As a hostel in Galicia, we attach great importance to protecting your data. This privacy policy explains how we process and protect your personal data in connection with your visit to our website.
We only collect personal data if you provide it to us voluntarily, e.g. by filling out a contact form or making a booking. We only use your data for the purpose for which you provided it to us and will not pass it on to third parties unless this is necessary to fulfill the purpose or you have expressly consented.
You have the right to receive information about the personal data we store, to change it or to have it deleted at any time. In addition, you have the right to object to the processing of your data or to withdraw your consent to the processing.
We use technical and organizational measures to protect your data. Our servers are regularly checked for security vulnerabilities and we use SSL encryption to protect your data during transmission.
If you have any further questions about data protection, please contact us.
Responsible person VLTREIA e.V. non-profit association for the promotion the medieval pilgrimage routes
Privacy Policy
This privacy policy informs you about the type, scope, and purpose of the processing of personal data (hereinafter referred to as "data") within our online offering and the associated websites, functions, and content, as well as external online presences, such as our social media profiles (hereinafter collectively referred to as the "online offering"). Regarding the terms used, such as "processing" or "controller," we refer to the definitions in Article 4 of the General Data Protection Regulation (GDPR).
Controller
VLTREIA e.V.
gemeinnütziger Verein zur Förderung der mittelalterlichen Pilgerwege
c/o Rita van Drunen
Seyfferstrstr. 66/2
70197 Stuttgart
Email: 1.vorsitzender@lafaba.de
Types of Processed Data
- Basic data (e.g., names, addresses).
- Contact data (e.g., email, phone numbers).
- Content data (e.g., text input, photographs, videos).
- Usage data (e.g., visited websites, interest in content, access times).
- Meta/communication data (e.g., device information, IP addresses).
Categories of Affected Persons
Visitors and users of the online offering (hereinafter collectively referred to as "users").
Purpose of Processing
- Provision of the online offering, its functions, and content.
- Responding to contact requests and communication with users.
- Security measures.
- Audience measurement/marketing.
Definitions of Terms
"Personal data" refers to all information relating to an identified or identifiable natural person (hereinafter "data subject"). A natural person is considered identifiable if they can be directly or indirectly identified, particularly through the assignment of an identifier such as a name, an identification number, location data, an online identifier (e.g., cookie), or one or more specific characteristics that express the physical, physiological, genetic, psychological, economic, cultural, or social identity of that natural person.
"Processing" refers to any operation or set of operations performed on personal data, whether or not by automated means. The term is broad and covers practically any handling of data.
"Pseudonymization" refers to the processing of personal data in such a way that it can no longer be attributed to a specific data subject without additional information, provided that such additional information is stored separately and is subject to technical and organizational measures ensuring that the personal data is not assigned to an identified or identifiable natural person.
"Profiling" refers to any form of automated processing of personal data that involves using this data to evaluate certain personal aspects relating to a natural person, particularly to analyze or predict aspects concerning work performance, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements of that natural person.
"Controller" refers to the natural or legal person, public authority, agency, or other body that, alone or jointly with others, determines the purposes and means of processing personal data.
"Processor" refers to a natural or legal person, public authority, agency, or other body that processes personal data on behalf of the controller.
Applicable Legal Bases
In accordance with Article 13 of the GDPR, we inform you of the legal bases for our data processing. Unless the legal basis is specified in the privacy policy, the following applies:
- The legal basis for obtaining consent is Article 6(1)(a) and Article 7 of the GDPR.
- The legal basis for processing necessary for the performance of our services, contractual obligations, and responses to inquiries is Article 6(1)(b) of the GDPR.
- The legal basis for processing to fulfill our legal obligations is Article 6(1)(c) of the GDPR.
- The legal basis for processing to protect our legitimate interests is Article 6(1)(f) of the GDPR.
- If processing personal data is necessary to protect the vital interests of the data subject or another natural person, Article 6(1)(d) of the GDPR serves as the legal basis.
Security Measures
In accordance with Article 32 of the GDPR, we implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, considering the state of technology, implementation costs, the nature, scope, context, and purposes of processing, as well as the varying likelihood and severity of risks to individuals' rights and freedoms.
These measures include, in particular, securing the confidentiality, integrity, and availability of data by controlling physical access, data access, input, transfer, availability security, and separation of data. We also have procedures in place to ensure the exercise of data subjects' rights, the deletion of data, and responses to data breaches. Furthermore, we consider the protection of personal data during the development or selection of hardware, software, and processes in accordance with the principle of "privacy by design and by default" (Article 25 GDPR).
Cooperation with Processors and Third Parties
If, in the course of processing, we disclose data to other persons or companies (processors or third parties), transfer data to them, or otherwise grant them access to the data, this is done only on the basis of legal permission (e.g., if data transfer to payment service providers is necessary for contract fulfillment under Article 6(1)(b) of the GDPR), based on your consent, a legal obligation, or our legitimate interests (e.g., when using commissioned service providers, web hosts, etc.).
If we commission third parties with data processing based on a "data processing agreement," this is done in accordance with Article 28 GDPR.
Data Transfers to Third Countries
If we process data in a third country (i.e., outside the European Union (EU) or the European Economic Area (EEA)) or if this occurs through the use of third-party services or disclosure/transmission of data to third parties, this is only done if necessary for fulfilling our (pre-)contractual obligations, based on your consent, due to a legal obligation, or based on our legitimate interests. Subject to legal or contractual permissions, we process or allow the processing of data in a third country only if the special conditions of Articles 44 et seq. GDPR are met. This means that processing occurs, for example, based on special guarantees, such as an officially recognized level of data protection equivalent to that of the EU (e.g., for the USA under the "Privacy Shield") or compliance with officially recognized special contractual obligations (so-called "standard contractual clauses").
Data Subject Rights
You have the right to request confirmation as to whether personal data concerning you is being processed, access to such data, and further information, as well as a copy of the data, in accordance with Article 15 GDPR.
In accordance with Article 16 GDPR, you have the right to request the completion or correction of inaccurate personal data concerning you.
Under Article 17 GDPR, you have the right to request the immediate deletion of relevant data or, alternatively, restriction of processing under Article 18 GDPR.
You have the right to request to receive the data concerning you that you have provided to us, in accordance with Article 20 GDPR, and to request its transfer to another controller.
Furthermore, under Article 77 GDPR, you have the right to lodge a complaint with the competent supervisory authority.
Right to Withdraw Consent
You have the right to revoke consent given under Article 7(3) GDPR with future effect.
Right to Object
You may object to the future processing of your data at any time under Article 21 GDPR. In particular, you may object to processing for direct marketing purposes.
Cookies and Right to Object to Direct Marketing
"Cookies" are small files stored on users' devices. Various types of information can be stored within cookies. The primary purpose of a cookie is to store user-related data (or data related to the device on which the cookie is stored) during or after their visit to an online service.
- "Temporary cookies" or "session cookies" are deleted after a user leaves an online service and closes their browser. These cookies can, for example, store the contents of a shopping cart in an online shop or a login status.
- "Permanent" or "persistent cookies" remain stored even after the browser is closed. This allows, for example, the login status to be saved if users visit the site again after several days. Similarly, such cookies can store user interests for audience measurement or marketing purposes.
- "Third-party cookies" are those provided by providers other than the operator of the online service. If only the website operator’s cookies are used, they are called "first-party cookies."
We may use both temporary and permanent cookies and will inform users accordingly within our privacy policy.
If users do not wish for cookies to be stored on their devices, they can disable this option in their browser settings. Stored cookies can also be deleted in the browser settings. Disabling cookies may lead to functional restrictions on this online service.
A general objection to the use of cookies for online marketing purposes, especially for tracking, can be declared via the U.S. website [http://www.aboutads.info/choices/](http://www.aboutads.info/choices/) or the EU website [http://www.youronlinechoices.com/](http://www.youronlinechoices.com/). Furthermore, cookies can be disabled in browser settings. However, please note that this may result in limited functionality of the online service.
Data Deletion
Data processed by us will be deleted or its processing restricted in accordance with Articles 17 and 18 GDPR. Unless explicitly stated within this privacy policy, stored data will be deleted as soon as it is no longer required for its intended purpose and no legal retention obligations prevent deletion. If data is not deleted because it is required for other and legally permitted purposes, its processing will be restricted. This means the data is locked and not processed for other purposes.
In accordance with German law, data retention is required for 10 years under Sections 147(1) AO, 257(1) Nos. 1 and 4, and (4) HGB (books, records, management reports, accounting records, etc.) and for 6 years under Section 257(1) Nos. 2 and 3, and (4) HGB (commercial letters).
In Austria, retention is required for 7 years under Section 132(1) BAO (accounting records, invoices, receipts, etc.), for 22 years in connection with real estate, and for 10 years for electronically provided services, telecommunications, broadcasting, and television services supplied to non-business customers in EU member states under the Mini-One-Stop-Shop (MOSS) scheme.
Integration of Third-Party Services and Content
Based on our legitimate interests (i.e., interest in the analysis, optimization, and economic operation of our online offering under Article 6(1)(f) GDPR), we use content or service offers from third-party providers to integrate their content and services (such as videos or fonts).
This always requires that third-party providers perceive users' IP addresses, as they cannot send content to users’ browsers without it. The IP address is thus required for displaying such content.
YouTube
We integrate videos from the platform “YouTube” provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Privacy policy: [https://www.google.com/policies/privacy/](https://www.google.com/policies/privacy/), Opt-Out: [https://adssettings.google.com/authenticated](https://adssettings.google.com/authenticated).
Google+
Within our online offering, functions and content from the Google+ platform, provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA ("Google"), may be integrated. This may include content such as images, videos, or text, as well as buttons that allow users to share content from this online offering within Google. If users are members of the Google+ platform, Google may associate the retrieval of the aforementioned content and functions with their respective user profiles.
Google is certified under the Privacy Shield agreement, which provides a guarantee of compliance with European data protection law (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active). Further information on Google's data usage, settings, and opt-out options can be found in Google's privacy policy (https://policies.google.com/technologies/ads) as well as in the settings for displaying advertisements by Google (https://adssettings.google.com/authenticated).
Updates to This Privacy Policy
We may revise this privacy policy at our discretion. The version published on our website is always current. Significant changes will be communicated via a notice on our website.
Created with Datenschutz-Generator.de by Attorney Dr. Thomas Schwenke.