Data protection statement
I. Name and address of the responsible party
The responsible party within the meaning of the general data protection regulation and other national data protection laws of the member states as well as other data protection regulations is: Terra Fortunata, S.A. Calle las Trincheras S/N, 38812 Alajero – La Gomera, Spain. Tel. (+34) 922 895 668 E-Mail: firstname.lastname@example.org
II. General notes on data processing
1. Scope of personal data processing As a matter of principle, we collect and utilize our users’ personal data only to the extent necessary for providing a functional website as well as our content and services. As a routine, users’ personal data are collected and utilized only after the users have provided their consent. An exception here are cases in which obtaining consent in advance is not possible for tangible reasons, and processing of data is permitted by legal regulations. Further information in this regard is provided in the following statement. 2. Legal basis for processing personal data Article 6, Paragraph 1, Item a) of the EU’s general data protection regulation (GDPR) serves as the legal basis for processing personal data, insofar as we have obtained the concerned person’s consent to processing of such data. Article 6, Paragraph 1, Item b) of the GDPR serves as the legal basis for processing personal data needed to fulfil a contract to which the concerned person is party. This also applies to processing operations needed to implement pre-contractual measures. Article 6, Paragraph 1, Item c) of the GDPR serves as the legal basis for processing personal data needed to fulfil a legal obligation to which our company is subject. Article 6, Paragraph 1, Item d) of the GDPR serves as the legal basis for cases in which vital interests of the concerned person or another natural person require processing of personal data. Article 6, Paragraph 1, Item f) of the GDPR serves as the legal basis for processing if this is needed to safeguard a legitimate interest of our company or a third party, and this interest is not outweighed by the interests or basic rights and freedoms of the person concerned. 3. Data deletion and storage duration An individual’s personal data are deleted or blocked once the need for storage has expired. Storage beyond this scope is possible if provided for by European or national legislation as part of the EU’s legal ordinances, laws or other regulations to which the responsible party is subject. Blocking or deletion of data takes place also when a storage deadline prescribed by the mentioned standards expires, unless there is a need for continued storage of data for contract conclusion or fulfilment.
III. Website provision and creation of log files
1. Description and scope of data processing Each time our website is invoked, our system automatically registers data and information from the invoking computer’s system. The following data are collected here: (1) Information about the browser type and version being used (2) The user’s IP address (3) Date and time of access (4) Websites from where the user’s system arrives at our Internet page (5) Content / the page requested (6) Operating system and its interface These data form part of the information saved in our system’s log files. The data are not stored together with the user’s remaining personal data. 2. Legal basis for data processing Article 6, Paragraph 1, Item f) of the GDPR serves as the legal basis for temporary storage of data and log files. 3. Purpose of data processing Temporary storage of IP addresses by the system is needed to ensure website access from the user’s computer. For this purpose, the user’s IP address must be stored for the duration of the session. Log files are used for storage to ensure the website’s functionality. In addition, the data allow us to optimize the website and to ensure the security of our information technology systems. Data analysis for marketing purposes does not take place in this context. These purposes also contain our legitimate interest in data processing according to Article 6, Paragraph 1, Item f) of the GDPR. 4. Duration of storage Data are deleted as soon as they are no longer necessary for achieving the purpose of their collection. For data collected in order to make the website accessible, this is the case when the session is finished. For data stored in log files, this is the case after no later than seven days. Storage beyond this scope is possible. In this case, the user’s IP address is deleted or modified so that association with the invoking client is no longer possible. 5. Possibility of objection and removal Collection of data to enable website access, and storage of data in log files are absolutely necessary for website operation. The user is therefore not able to raise any objections in this regard.
IV. Use of technically required cookies a) Description and scope of data processing
V. Google Analytics
VI. Google reCAPTCHA
VII. Implementation of YouTube-Videos
YouTube videos are included on our site and are stored on YouTube (responsibility lies at Google Inc., Amphitheater Parkway, Mountain View, CA 94043, USA), but are directly playable on our website. To protect your privacy, you must first activate the videos on our pages. When you activate or play the videos, YouTube or DoubleClick cookies may be stored and / or read on your device, and data may be transmitted to YouTube or DoubleClick (USA, Google), e.g. Your IP address and cookie ID, the specific address of the page accessed by us, system date and time of the call, identifier of your browser. (§§ 12 Abs.1, 15 Abs.3 TMG). For information about the purpose and extent of data collection and processing by YouTube or DoubleClick, please refer to the information on Google: https://www.google.com/intl/en/policies/privacy/. If you do not want YouTube or DoubleClick to receive data about you through the use of our website, you should not activate the videos. The data transfer takes place after activation of the video, regardless of whether you have a user account on YouTube or Google that you are logged in to, or if you have no user account. If you are logged in, this data can be immediately assigned to your account. If you want to avoid this, you must log out of your account before activating the video. Google has submitted to the EU Privacy Shield (certificate available at: https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI).
VIII. Google Web Fonts
IX. Google Maps
X. SSL & TLS Encryption
This website uses, for security reasons and to protect the transmission of confidential content, such as orders or requests that you send to us as a site operator, an SSL or. TLS encryption. You can recognize an encrypted connection by changing the address line of the browser from “http: //” to “https: //” and the lock symbol in your browser line. If SSL or TLS encryption is enabled, the data you submit to us cannot be read by third parties.
XI. Contact form and e-mail contact
1. Description and scope of data processing A contact form available at our website can be used for establishing electronic contact. If a user avails of this possibility, the data specified in the input screen are transmitted to us and stored. At the time of the sending of the message, the following data are also stored: (1) The user’s IP address (2) Date and time of registration For the purpose of data processing, the user’s consent is obtained and this data protection statement is referred to during the sending procedure. Alternatively, it is possible to establish contact via the e-mail address provided. In this case, the user’s personal data communicated in the e-mail are stored. In this context, there is no transfer of data to third parties. The data are used exclusively for processing the conversation. 2. Legal basis for data processing Article 6, Paragraph 1, Item a) of the GDPR serves as a legal basis for data processing if the user has consented. Article 6, Paragraph 1, Item f) of the GDPR serves as a legal basis for processing data communicated via e-mail messages or contact forms. If contact is aimed at concluding a contract, then Article 6, Paragraph 1, Item b) of the GDPR serves as an additional legal basis. 3. Purpose of data processing For us, processing of personal data from an input screen is intended solely as part of establishing contact. In case of contact establishment via e-mail, this also encompasses the required legitimate interest in data processing. Other personal data processed during sending serve to prevent misuse of the contact form and ensure the security of our information technology systems. 4. Duration of storage Data are deleted once no longer necessary for achieving the purpose of their collection. For personal data from the contact form’s input screen, this is the case when the respective conversation with the user is finished. The conversation is finished when circumstances indicate that the concerned issue has been conclusively clarified. Personal data collected additionally during dispatch are deleted after a period of 26 months at the latest. 5. Possibility of objection and removal The user is able to withdraw their consent to processing of personal data at any time. If the user has established e-mail contact with us, they can revoke storage of their personal data at any time. In such cases, the conversation cannot be continued. Revocation is to be announced in writing (fax/e-mail being sufficient) to the contact whose details are provided in I. All personal data stored in the course of establishing contact are deleted in this case.
XIII. Rights of the concerned person
If your personal data are processed, you are a concerned person within the meaning of the GDPR, and have the following rights vis-à-vis the responsible party: 1. Right to disclosure You can request confirmation from the responsible party as to whether data concerning your person are processed by us. If such processing has occurred, you can request the responsible party to disclose the scope and content of data processing as follows: (1) The purposes for which personal data are processed. (2) The categories of personal data which are processed. (3) The recipients / categories of recipients to which data concerning your person have been, or will be, disclosed. (4) The planned duration of storing data concerning your person or, if specific details are not possible here, criteria for determining the storage duration. (5) The existence of a right to rectification or deletion of data concerning your person, right to restriction of processing by the responsible party, or right of objection to such processing. (6) The existence of a right of complaint to a supervisory authority. (7) All available information on the origin of any personal data collected from a source other than the concerned person. (8) The existence of automated decision-making mechanisms, including profiling, in accordance with Article 22, Paragraphs 1 and 4 of the GDPR and – at least in these cases – meaningful information about the involved logic as well as the scope and intended effects of such processing for the person concerned. You are entitled to request information on whether data concerning your person are communicated to a third-party country or an international organization. In this context, you may request information on the appropriate safeguards pursuant to Article 46 of the GDPR in connection with communication. 2. Right to rectification You have a right to rectification and/or completion vis-à-vis the responsible party, insofar as processed data concerning your person are incorrect or incomplete. The responsible party must perform the rectification immediately. 3. Right to restriction of processing You can request restrictions on processing of data concerning your person under the following conditions: (1) If you dispute the correctness of the data concerning your person for a period which allows the responsible party to review the correctness of the personal data. (2) If processing is unlawful and you refuse deletion of the personal data and instead call for restrictions on use of the personal data. (3) If the responsible party no longer requires the personal data for processing, although you require these data to assert, exercise or defend legal claims. (4) If you have issued an objection to processing pursuant to Article 21, Paragraph 1 of the GDPR and it is not yet definite whether the responsible party’s legitimate reasons outweigh your reasons. If processing of data concerning your person has been restricted, these data – irrespective of their storage – may only be processed with your consent, or in order to assert, exercise or defend legal claims, or protect the rights of another natural or legal person, or for reasons of important public interest in the EU or a member state. If processing has been restricted according to the requirements above, you will be informed by the responsible party before the restriction is lifted. 4. Right to deletion a) Obligation to delete You can request the responsible party to immediately delete data concerning your person, and the responsible party will be obliged to do so. The following reasons must exist for this: (1) The data concerning your person are no longer necessary for the purposes for which they were collected or processed in any other way. (2) You withdraw your consent on which processing was based in accordance with Article 6, Paragraph 1, Item a) or Article 9, Paragraph 2, Item a) of the GDPR, and there is no other legal basis for processing. (3) You object to processing as per Article 21, Paragraph 1 of the GDPR, and there are no overriding, legitimate grounds for processing, or you object to processing as per Article 21, Paragraph 2 of the GDPR. (4) The data concerning your person have been unlawfully processed. (5) Deletion of data concerning your person is required to fulfil a legal obligation according to the laws of the EU or a member state to which the responsible party is subject. (6) The data concerning your person were collected in relation to information society services according to Article 8, Paragraph 1 of the GDPR. b) Information to third parties If the responsible party has publicized the data concerning your person, and is obliged to delete them according to Article 17, Paragraph 1 of the GDPR, said party will take appropriate measures, also of a technical nature, taking into account available technology and implementation costs, to inform those responsible for processing personal data, that you as a concerned person have required them to delete all links to these personal data as well as any copies or replications of such data. c) Exceptions There is no right to deletion insofar as processing is required (1) to exercise the right to freedom of expression and information. (2) to comply with a legal obligation which requires processing according to the law of the EU or the member states to which the responsible party is subject, or to fulfil a task which is in the public interest or carried out in the exercise of official authority to which the responsible person has been delegated. (3) for reasons of public interest in the field of public health according to Article 9, Paragraph 2, Items h) and i), as well as Article 9, Paragraph 3 of the GDPR. (4) for archiving in the public interest, for scientific or historical research purposes, or for statistical purposes pursuant to Article 89, Paragraph 1 of the GDPR, insofar as the right mentioned in Section a) is expected to prevent or seriously impair achievement of the objectives of this processing. (5) to assert, exercise or defend legal claims. 5. Right to information If you have asserted the right to rectification, deletion or restriction of processing vis-à-vis the responsible party, they are obliged to communicate this correction or deletion of data or restriction of processing to all recipients to whom the data concerning your person were disclosed, unless this proves impossible or requires disproportionate effort. You are entitled vis-à-vis the responsible party to be informed about these recipients 6. Right to data portability You have the right to obtain, in a structured, conventional and machine-readable format, the data which concerns your person and which you provided to the responsible party. Furthermore, you have the right to convey these data to another responsible party without hindrance by the responsible party to whom the personal data were provided, if (1) processing is based on consent pursuant to Article 6, Paragraph 1, Item a ) of the GDPR, or Article 9, Paragraph 2, Item a) of the GDPR, or a contract as per Article 6, Paragraph 1, Item b) of the GDPR. (2) processing takes place using automated procedures. In exercising this right, you are also entitled to have the data concerning your person be delivered directly by a responsible party to another responsible party insofar as this is technically feasible. The freedoms and rights of other persons must not be impaired as a result. The right of data transfer does not apply to processing of personal data required for fulfilment of a duty lying in the public interest or carried out as part of exercise of official authority delegated to the responsible party. 7. Right to objection For reasons arising from your specific situation, you have the right to object at any time to processing of your personal data on the basis of Article 6, Paragraph 1, Item e) or f) of the GDPR; this also applies to profiling based on these provisions. The responsible party no longer processes the data concerning your person, unless they can demonstrate compelling, defensible reasons for processing which outweigh your interests, rights and freedoms, or unless processing serves to assert, exercise or defend legal claims. If data concerning your person are processed for the purpose of direct advertising, you are entitled at any time to object to the processing of your personal data for the purpose of such advertising; this applies also to profiling insofar as it is associated with such direct advertising. If you object to processing for purposes of direct advertising, the data concerning your person will no longer be processed for these purposes. In conjunction with the use of information society services, you are able to exercise your right of objection by means of automated procedures which make use of technical specifications – regardless of directive 2002/58/EC. 8. Right to revoke the declaration of consent regarding data privacy You have the right revoke your declaration of consent regarding data privacy at any time. Revocation of consent does not influence the legality of the processing carried out on the basis of the consent until revocation. 9. Automated decision-making in individual cases, including profiling You have a right not to be subjected to decisions which are based exclusively on automated processing – including profiling – and which have legal implications for you or affect you significantly in a similar way. This does not apply if a decision (1) is necessary for conclusion or fulfilment of a contract between you and the responsible party. (2) is permissible on the basis of the EU’s or a member state’s legislation to which the responsible party is subject, and this legislation contains appropriate measures to safeguard your rights and freedoms as well as your legitimate interests. (3) is made with your explicit consent. However these decisions must not be based on special categories of personal data pursuant to Article 9, Paragraph 1 of the GDPR, unless Article 9, Paragraph 2, Item a) or g) applies, and appropriate measures for protecting your rights and freedoms as well as your legitimate interests have been taken. With regard to the cases mentioned in (1) and (3), the responsible party is to take appropriate measures to safeguard your rights and freedoms as well as your legitimate interests, including at least the right to effect human intervention on the part of the responsible party, to express one’s own point of view, and to contest the decision. 10. Right of complaint to a supervisory authority Irrespective of any other administrative or judicial appeal, you are entitled to file a complaint with a supervisory authority, in particular, in the member state containing your residence, your workplace or the location of the alleged infringement, if you believe that processing of data concerning your person is contrary to the GDPR. The supervisory authority with which the complaint has been filed informs the complainant about the status and results of the complaint, including the possibility of legal remedy according to Article 78 of the GDPR.