Privacy Policy

1. Introduction

With the following information, we would like to provide you, as a "data subject," with an overview of how we process your personal data and your rights under data protection laws. In principle, you can use our website without providing any personal data. However, if you wish to use special services offered by our company via our website, the processing of personal data may become necessary. If the processing of personal data is necessary and there is no legal basis for such processing, we will generally obtain your consent.

The processing of personal data, such as your name, address, or email address, is always carried out in accordance with the General Data Protection Regulation (GDPR) and in compliance with the country-specific data protection regulations applicable to "Europastadt GörlitzZgorzelec GmbH". This privacy policy is intended to inform you about the scope and purpose of the personal data we collect, use, and process.

As the data controller, we have implemented numerous technical and organizational measures to ensure the most complete protection possible for personal data processed via this website. However, internet-based data transmissions can fundamentally have security vulnerabilities, meaning absolute protection cannot be guaranteed. For this reason, you are free to transmit personal data to us via alternative means, such as by telephone or mail.

You too can take simple and easy-to-implement measures to protect yourself against unauthorized access to your data by third parties. Therefore, we would like to give you some tips on how to handle your data securely:

  • Protect your account (login, user or customer account) and your IT system (computer, laptop, tablet or mobile device) with secure passwords.
  • Only you should have access to the passwords.
  • Make sure you only ever use your passwords for one account (login, user or customer account).
  • Do not use the same password for different websites, applications, or online services.
  • Especially when using publicly accessible IT systems or systems shared with other people, it is essential that you log out after every login to a website, application or online service.

Passwords should consist of at least 12 characters and be chosen so that they cannot be easily guessed. Therefore, they should not contain common everyday words, your own name, or the names of relatives, but rather uppercase and lowercase letters, numbers, and special characters.

2. Responsible person

The controller within the meaning of the GDPR is:

Europastadt GörlitzZgorzelec GmbH,
Fleischerstr. 19, 02826 Görlitz, Germany

Representative of the responsible party: The management

3. Data Protection Officer

You can reach the data protection officer as follows:

DataOrga® GmbH

Email: datenschutz@europastadt-goerlitz.de

You can contact our data protection officer directly at any time with any questions or suggestions regarding data protection.

4. Definitions

This privacy policy is based on the terms used by the European legislator for the adoption of the General Data Protection Regulation (GDPR). Our privacy policy is intended to be easily readable and understandable for both the general public and our customers and business partners. To ensure this, we would like to explain the terminology used beforehand.

In this privacy policy, we use, among other things, the following terms:

  1. Personal data
    is any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
  2. Data subject
    A data subject is any identified or identifiable natural person whose personal data is processed by the controller (our company).
  3. Processing
    means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
  4. Restriction of processing
    Restriction of processing is the marking of stored personal data with the aim of limiting its future processing.
  5. Profiling
    means any type of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.
  6. Pseudonymization
    is the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable natural person.
  7. Data processor
    A data processor is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
  8. Recipient
    A recipient is a natural or legal person, public authority, agency or other body to whom personal data are disclosed, whether a third party or not. However, public authorities that may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law are not considered recipients.
  9. Third party
    A third party is a natural or legal person, public authority, agency or body other than the data subject, the controller, the processor and persons who, under the direct authority of the controller or processor, are authorized to process personal data.
  10. Consent
    means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

5. Legal basis for processing

Article 6 paragraph 1 letter a) GDPR (in conjunction with Section 25 paragraph 1 TDDDG (formerly TTDSG)) serves as the legal basis for our company for processing operations where we obtain consent for a specific processing purpose.

If the processing of personal data is necessary for the performance of a contract to which you are a party, as is the case, for example, with processing operations necessary for the delivery of goods or the provision of other services or consideration, then the processing is based on Article 6(1)(b) GDPR. The same applies to such processing operations that are necessary for carrying out pre-contractual measures, such as in cases of inquiries about our products or services.

If our company is subject to a legal obligation which necessitates the processing of personal data, such as for the fulfillment of tax obligations, the processing is based on Art. 6 para. 1 lit. c) GDPR.

In rare cases, the processing of personal data may be necessary to protect the vital interests of the data subject or another natural person. This would be the case, for example, if a visitor were injured on our premises and their name, age, health insurance details, or other vital information had to be disclosed to a doctor, hospital, or other third party. In such a case, the processing would be based on Article 6(1)(d) GDPR.

Ultimately, processing operations could be based on Article 6(1)(f) GDPR. This legal basis applies to processing operations not covered by any of the aforementioned legal bases if the processing is necessary for the purposes of the legitimate interests pursued by our company or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject. Such processing operations are permitted in particular because they have been specifically mentioned by the European legislator. The legislator took the view that a legitimate interest could be assumed if you are a customer of our company (Recital 47, second sentence, GDPR).

6. Transfer of data to third parties

Your personal data will not be transmitted to third parties for purposes other than those listed below.

We only share your personal data with third parties if:

  1. you have given us your explicit consent in accordance with Art. 6 para. 1 lit. a) GDPR,
  2. the transfer of your data is permitted under Article 6(1)(f) GDPR for the purposes of our legitimate interests and there is no reason to assume that you have an overriding legitimate interest in not having your data transferred,
  3. there is a legal obligation to disclose the data pursuant to Article 6(1)(c) GDPR, as well as
  4. this is legally permissible and necessary for the performance of a contract with you in accordance with Article 6(1)(b) GDPR.

To protect your data and, where necessary, to allow us to transfer data to third countries (outside the EU/EEA), we have concluded data processing agreements based on the European Commission's Standard Contractual Clauses. If the Standard Contractual Clauses are insufficient to ensure an adequate level of security, your consent pursuant to Art. 49 para. 1 lit. a) GDPR can serve as the legal basis for the transfer to third countries. This may not apply to data transfers to third countries for which the European Commission has issued an adequacy decision pursuant to Art. 45 GDPR.

7. Technology

7.1 SSL/TLS encryption

This website uses SSL/TLS encryption to ensure the security of data processing and to protect the transmission of confidential information, such as orders, login data, or contact requests that you send to us as the operator. You can recognize an encrypted connection by the fact that "https://" appears in the browser's address bar instead of "http://" and by the padlock icon in your browser's address bar.

We use this technology to protect your transmitted data.

7.2 Data collection when visiting the website

When you use our website for purely informational purposes, without registering, otherwise providing us with information, or consenting to processing that requires consent, we only collect data that is technically essential for providing the service. This typically includes data that your browser transmits to our server (in so-called "server log files"). Our website collects a range of general data and information each time a page is accessed by you or an automated system. This general data and information is stored in the server's log files. The following data may be collected:

  1. the browser types and versions used,
  2. the operating system used by the accessing system,
  3. the website from which an accessing system reaches our website (so-called referrer),
  4. the subpages which are accessed via an accessing system on our website,
  5. the date and time of access to the website,
  6. a shortened Internet Protocol address (anonymized IP address), as well as
  7. the Internet service provider of the accessing system.

We do not draw any conclusions about you personally when using this general data and information. Rather, this information is needed:

  1. to deliver the content of our website correctly,
  2. to optimize the content of our website and the advertising for it,
  3. to ensure the continued functionality of our IT systems and the technology of our website, as well as
  4. to provide law enforcement agencies with the information necessary for prosecution in the event of a cyberattack.

We therefore use this collected data and information for statistical analysis and to improve data protection and data security within our company, ultimately ensuring an optimal level of protection for the personal data we process. The anonymous data from the server log files is stored separately from all personal data provided by a data subject.

The legal basis for data processing is Article 6(1)(f) GDPR. Our legitimate interest arises from the purposes of data collection listed above.

7.3 Hosting by Strato

We host our website with Strato AG, Otto-Ostrowski-Straße 7, 10249 Berlin (hereinafter referred to as Strato).

When you visit our website, your personal data (e.g. IP addresses in log files) will be processed on Strato's servers.

The use of Strato is based on Article 6 Paragraph 1 Letter f) GDPR. We have a legitimate interest in the most reliable possible presentation, provision, and security of our website.

We have concluded a data processing agreement (DPA) with Strato in accordance with Article 28 of the GDPR. This is a legally required contract under data protection law, which ensures that Strato processes the personal data of our website visitors only according to our instructions and in compliance with the GDPR.

Further information on Strato's data protection regulations can be found at: https://www.strato.de/datenschutz/

8. Cookies

8.1 General information about cookies

Cookies are small files that your browser automatically creates and stores on your IT system (laptop, tablet, smartphone, etc.) when you visit our site.

The cookie stores information related to the specific device being used. However, this does not mean that we thereby gain direct knowledge of your identity.

We use cookies to make your experience on our website more enjoyable. For example, we use session cookies to recognize that you have already visited certain pages of our website. These are automatically deleted when you leave our site.

Furthermore, we also use temporary cookies to optimize user-friendliness. These cookies are stored on your device for a specific, predetermined period. When you revisit our site to use our services, it is automatically recognized that you have already been here and what entries and settings you have made, so you don't have to enter them again.

We also use cookies to statistically record the use of our website and to evaluate our services for optimization purposes. These cookies allow us to automatically recognize that you have already visited our website when you return. These cookies are automatically deleted after a defined period. The specific storage duration of the cookies can be found in the settings of the consent tool used.

8.2 Legal basis for the use of cookies

The data processed by the cookies, which are required for the proper functioning of the website, are therefore necessary to protect our legitimate interests and those of third parties in accordance with Art. 6 para. 1 lit. f) GDPR.

For all other cookies, you have given your consent via our opt-in cookie banner in accordance with Art. 6 para. 1 lit. a) GDPR.

8.3 Instructions for avoiding cookies in common browsers

You can delete cookies, allow only selected cookies, or disable cookies completely at any time via your browser settings. Further information can be found on the support pages of the respective providers.

9. Content of our website

9.1 Contact / Contact Form

When you contact us (e.g., via contact form or email), personal data is collected. The specific data collected when using a contact form is indicated on the form itself. This data is stored and used solely for the purpose of responding to your inquiry, contacting you, and for the associated technical administration. The legal basis for processing this data is our legitimate interest in responding to your inquiry, pursuant to Article 6(1)(f) of the GDPR. If your inquiry aims at concluding a contract, the additional legal basis for processing is Article 6(1)(b) of the GDPR. Your data will be deleted after your inquiry has been fully processed. This is the case when it is clear from the circumstances that the matter has been resolved and no legal retention obligations prevent its deletion.

10. Newsletter distribution

10.1 Newsletter distribution to existing customers

If you provided us with your email address when purchasing goods or services, we reserve the right to regularly send you offers for similar goods or services from our product range via email. According to Section 7 Paragraph 3 of the German Unfair Competition Act (UWG), we do not need to obtain your separate consent for this. The data processing is based solely on our legitimate interest in personalized direct marketing pursuant to Article 6 Paragraph 1 Letter f) of the GDPR. If you initially objected to the use of your email address for this purpose, we will not send you any emails. You have the right to object to the use of your email address for the aforementioned advertising purpose at any time with effect for the future by sending a message to the data controller named at the beginning of this document. You will only incur transmission costs at the basic rates for this. Upon receipt of your objection, the use of your email address for advertising purposes will be discontinued immediately.

10.2 Promotional newsletter

Our website offers you the opportunity to subscribe to our company newsletter. The personal data transmitted to us when you subscribe to the newsletter is determined by the input form used for this purpose.

We regularly inform our customers and business partners about our offers via a newsletter. You can only receive our company's newsletter if:

  1. you have a valid email address and
  2. you have registered to receive the newsletter.

For legal reasons, a confirmation email will be sent to the email address you initially registered for newsletter distribution using the double opt-in procedure. This confirmation email serves to verify that you, as the owner of the email address, have authorized the receipt of the newsletter.

When you subscribe to our newsletter, we also store the IP address assigned to your IT system by your internet service provider (ISP) at the time of registration, as well as the date and time of registration. Collecting this data is necessary to be able to trace any (potential) misuse of your email address at a later date and therefore serves our legal protection.

The personal data collected during newsletter registration is used exclusively for sending our newsletter. Furthermore, newsletter subscribers may be contacted by email if this is necessary for the operation of the newsletter service or related registration, such as in the event of changes to the newsletter content or technical modifications. Personal data collected through the newsletter service will not be shared with third parties. You can unsubscribe from our newsletter at any time. You can also withdraw your consent to the storage of your personal data for newsletter distribution at any time. A corresponding link for withdrawing your consent is included in every newsletter. You can also unsubscribe directly on our website or notify us of your wish to unsubscribe in another way.

The legal basis for data processing for the purpose of sending newsletters is Art. 6 para. 1 lit. a) GDPR.

10.3 Brevo (formerly Sendinblue)

We use Brevo for sending newsletters. The provider is Sendinblue GmbH, Köpenicker Str. 126, 10179 Berlin, Germany.

Brevo is a service that, among other things, allows you to organize and analyze the distribution of newsletters. The data you enter for the purpose of subscribing to the newsletter is stored on Sendinblue's servers in Germany.

If you do not want your data to be analyzed by Brevo, you must unsubscribe from the newsletter. We provide a corresponding link for this purpose in every newsletter email. You can also unsubscribe directly on the website.

You can withdraw your consent at any time. You can also prevent processing at any time by unsubscribing from the newsletter. Furthermore, you can prevent the storage of cookies by adjusting your web browser settings. You can also prevent the storage and transmission of personal data by disabling JavaScript in your web browser or by installing a JavaScript blocker (e.g., https://noscript.net or https://www.ghostery.com). Please note that these measures may prevent you from using all the features of our website.

With the help of Brevo, we can analyze our newsletter campaigns. For example, we can see whether a newsletter message was opened and which links, if any, were clicked. This allows us to determine, among other things, which links were clicked most frequently.

Furthermore, we can see whether certain predefined actions were performed after opening/clicking (conversion rate). For example, we can see if you made a purchase after clicking on the newsletter.

Brevo also allows us to divide newsletter recipients into different categories (so-called "clusters"). For example, recipients can be segmented by age, gender, or location. This allows us to better tailor the newsletters to the respective target groups.

Detailed information about Brevo's features can be found at the following link: https://www.brevo.com/de/features/.

Data processing is based on your consent pursuant to Art. 6 para. 1 lit. a) GDPR. You can withdraw this consent at any time. The lawfulness of data processing operations already carried out remains unaffected by the withdrawal.

The data you provided for the purpose of subscribing to our newsletter will be stored by us until you unsubscribe. After you unsubscribe, this data will be deleted from both our servers and Brevo's servers. Data stored for other purposes (e.g., email addresses for the members' area) will remain unaffected.

You can view Brevo's privacy policy at: https://www.brevo.com/de/datenschutz-uebersicht/.

10.4 Newsletter tracking

Our newsletters contain tracking pixels. A tracking pixel is a miniature graphic embedded in HTML emails to enable log file recording and analysis. This allows for statistical evaluation of the success or failure of online marketing campaigns. Using the embedded tracking pixel, the company can determine if and when you opened an email and which links within the email you clicked.

Personal data collected via tracking pixels in our newsletters is stored and analyzed by us to optimize newsletter distribution and better tailor the content of future newsletters to your interests. This personal data will not be shared with third parties. Data subjects have the right to revoke their separate consent, given via the double opt-in process, at any time. Upon revocation, this personal data will be deleted. Unsubscribing from the newsletter is automatically considered a revocation of consent.

Such evaluation is carried out in particular in accordance with Art. 6 para. 1 lit. f) GDPR on the basis of our legitimate interests in displaying personalized advertising, market research and/or designing our website to meet user needs.

11. Our activities on social networks

To enable us to communicate with you on social networks and inform you about our services, we maintain our own pages there. When you visit one of our social media pages, we are jointly responsible with the provider of the respective social media platform for the processing operations triggered by this visit, in accordance with Article 26 of the GDPR.

We are not the original provider of these pages, but merely use them within the scope of the options offered to us by the respective providers. Therefore, we would like to point out that your data may also be processed outside the European Union or the European Economic Area. Using these services may therefore involve data protection risks for you, as exercising your rights, e.g., to access, erasure, or objection, could be more difficult, and processing on social networks is often carried out directly by the providers for advertising purposes or to analyze user behavior, without our being able to influence this. If the provider creates user profiles, cookies are often used, or the user behavior is associated with your own member profile on the social networks.

The processing of personal data described above is carried out in accordance with Article 6(1)(f) GDPR on the basis of our legitimate interest and the legitimate interest of the respective provider in order to communicate with you in a modern manner and/or to inform you about our services. If you are required to give your consent to data processing as a user to the respective providers, the legal basis is Article 6(1)(a) GDPR in conjunction with Article 7 GDPR.

Since we have no access to the providers' data, we advise you to assert your rights (e.g., to information, rectification, erasure, etc.) directly with the respective provider. Further information on the processing of your data on social networks is listed below for each of the social network providers we use:

11.1 Facebook

(Joint) controller for data processing in Europe:
Meta Platforms Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland

Unless users object, Meta (Facebook) may process content from adult users in the EU, such as photos, posts, or comments, to train its own AI models. This is based on a legitimate interest pursuant to Art. 6 para. 1 lit. f) GDPR. As a company, we have no influence over this specific data processing by Meta. Users can object to this via an online form on the Meta platforms.

Privacy Policy (Data Policy):
https://www.facebook.com/about/privacy

11.2 Instagram

(Joint) controller for data processing in Germany:
Meta Platforms Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland

Unless users object, Meta (Instagram) may process content from adult users in the EU, such as photos, posts, or comments, to train its own AI models. We, as a company, have no influence over this specific data processing by Meta. The legal basis for this processing is a legitimate interest pursuant to Art. 6 para. 1 lit. f) GDPR. Users can object to this processing via an online form on the Meta platforms.

Privacy Policy (Data Policy):
https://instagram.com/legal/privacy/

11.3 LinkedIn

(Joint) controller for data processing in Europe:
LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland

Privacy policy:
https://www.linkedin.com/legal/privacy-policy

11.4 X (Twitter)

(Joint) controller for data processing in Europe:
Twitter International Company, One Cumberland Place, Fenian Street, Dublin 2, D02 AX07, Ireland

Privacy policy:
https://twitter.com/de/privacy

Information about your data:
https://twitter.com/settings/your_twitter_data

11.5 XING (New Work SE)

(Joint) controller for data processing in Germany:
New Work SE, Am Strandkai 1, 20457 Hamburg, Germany

Privacy policy:
https://privacy.xing.com/de/datenschutzerklaerung

Information requests for XING members:
https://www.xing.com/settings/privacy/data/disclosure

11.6 YouTube

(Joint) controller for data processing in Europe:
Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland

Privacy policy:
https://policies.google.com/privacy

11.7 Social Media Management with Swat.io

This website uses swat.io, a tool provided by Swat.io GmbH, Schönbrunner Straße 213-215, A-1120 Vienna, for operating a social media management tool. This tool allows for the centralized management of various social media channels, communication with users of these channels, and the planning and publication of content. We process the following data from you if you have previously provided it via one of the social media platforms: first and last name, user IDs from various social media platforms, profile URLs, profile pictures, website URLs, telephone number (when using WhatsApp or other telephony channels), as well as various content stored and published on social media platforms (timestamps, post IDs, post texts, images, videos, links, comments, ratings, private messages, other attachments, and metadata of social media content). Further information can be found at https://swat.io/de/datenschutzbestimmungen/

12. Web analytics

12.1 We use Fathom Analytics for web analytics.

Your personal data is processed in accordance with Article 6(1)(f) of the GDPR. We want to process as little personal data as possible when you use our website. For this reason, we have chosen Fathom Analytics, which does not use cookies and is compliant with the GDPR, ePrivacy (including PECR), COPPA, and CCPA. When using this privacy-friendly website analytics software, your IP address is only processed temporarily, and we (as the operator of this website) have no way of identifying you. In accordance with the CCPA, your personal data is anonymized. You can find more information on this on the Fathom Analytics website. We use this software to understand traffic on our website in the most privacy-friendly way possible, so that we can continuously improve our website and our business. The legal basis under the GDPR is "Article 6(1)(f); our legitimate interest is to continuously improve our website and our business." As stated in the declaration, no personal data is stored for an extended period. Furthermore, all data from EU users of our website is also processed within the EU. You can find more information here: https://usefathom.com/features/eu-isolation.

13. Plugins and other services

13.1 OpenStreetMap

We have integrated map excerpts from the online mapping tool "OpenStreetMap" into our website. This is an open-source mapping service that we access via an API (interface). This functionality is provided by the OpenStreetMap Foundation, St John's Innovation Centre, Cowley Road, Cambridge, CB4 0WS, United Kingdom. Using this service allows us, for example, to show you our location and make it easier for you to find us.

When you access the subpages that integrate OpenStreetMap, information about your use of our website (such as your IP address, data about your browser, device type, operating system) will be transmitted to OpenStreetMap and stored there.

OpenStreetMap uses the Content Delivery Network (CDN) of Fastly, Inc., PO Box 78266, San Francisco, CA 94107, USA (fastly) to speed up the service. A CDN is a service that helps deliver the content of our online offering, especially large media files such as graphics or scripts, more quickly using regionally distributed servers connected via the internet. Your data is processed exclusively for the aforementioned purposes and to maintain the security and functionality of the CDN.

Fastly, as a US company, is certified under the EU-US Data Privacy Framework. This constitutes an adequacy decision pursuant to Article 45 of the GDPR, meaning that the transfer of personal data may take place without further safeguards or additional measures.

Fastly transfers personal data from log files (e.g., IP addresses) to the USA for each data processing activity, as certain servers used for processing the log files are located exclusively in the USA. Fastly is therefore committed to complying with the standards and regulations of European data protection law. Fastly's current Privacy Policy can be found at: https://www.fastly.com/de/privacy/.

If corresponding consent has been requested, processing is carried out exclusively on the basis of Art. 6 para. 1 lit. a) GDPR.

Detailed information about OpenStreetMap can be found at: https://wiki.osmfoundation.org/wiki/Privacy_Policy.

13.2 YouTube (Videos)

We have integrated components from YouTube into this website. The operating company of YouTube is YouTube, LLC, 901 Cherry Ave., San Bruno, CA 94066, USA. YouTube, LLC is a subsidiary of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.

YouTube is an internet video portal that allows video publishers to upload video clips free of charge and other users to view, rate, and comment on them, also free of charge. YouTube permits the publication of all types of videos, which is why complete films and television programs, as well as music videos, trailers, and user-generated videos, are available via the portal. Each time you access one of the individual pages of this website, which we operate and on which a YouTube component (YouTube video) is integrated, your web browser is automatically prompted by the respective YouTube component to download a representation of that component from YouTube. The services Google Web Fonts, Google Video, and Google Photos may also be loaded from YouTube. Further information about YouTube can be found at https://www.youtube.com/yt/about/de/ . As part of this technical process, YouTube and Google receive information about which specific subpage of our website you are visiting.

If you are logged into YouTube at the same time, YouTube recognizes which specific page of our website you are visiting when you access a page containing a YouTube video. This information is collected by YouTube and Google and associated with your YouTube account.

YouTube and Google receive information that you have visited our website via the YouTube component whenever you are logged into YouTube at the time of your visit; this occurs regardless of whether you click on a YouTube video or not. If you do not want this information to be transmitted to YouTube and Google, you can prevent this by logging out of your YouTube account before visiting our website.

These processing operations are carried out exclusively with explicit consent in accordance with Art. 6 para. 1 lit. a) GDPR.

The parent company, Google LLC, is certified under the EU-US Data Privacy Framework as a US company. This constitutes an adequacy decision pursuant to Article 45 of the GDPR, meaning that the transfer of personal data may take place without further safeguards or additional measures.

You can view YouTube's privacy policy at https://www.google.de/intl/de/policies/privacy/.

13.3 We use Outdooractive

Insofar as we use the services of Outdooractive on our website, in particular their map data, the following supplementary data protection declaration applies. Outdooractive provides electronic databases which you, as our users, can access in the form of an electronic information portal in the digital tourism sector. This includes, for example, maps and route planning. Outdooractive receives the following data, which is technically necessary for Outdooractive to display the electronic databases to you and to ensure stability and security (legal basis is Art. 6 para. 1 sentence 1 lit. f GDPR):

  • IP address
  • Date and time of the request
  • Time zone difference to Greenwich Mean Time (GMT)
  • Content of the request (specific page)
  • Access status/HTTP status code
  • Amount of data transferred in each case
  • Website from which the request originated
  • Browser
  • User's location
  • Operating system and its interface
  • Language and version of the browser software

Outdooractive uses cookies for analysis, which are stored on your browser. Outdooractive stores the information collected in this way on servers in Germany and in third countries. You can disable tracking by deleting existing cookies and preventing the storage of new cookies. If you prevent cookies from being stored, please note that you may not be able to fully utilize Outdooractive's electronic databases. Preventing cookies from being stored is possible through your browser settings. The IP address transmitted by your browser will not be combined with other data we collect. Outdooractive will continue to use your GPS data when you use the electronic databases. We have no control over the data collected or the data processing operations, nor are we aware of the full extent of the data collection, the purposes of the processing, or the storage periods. We also have no information regarding the deletion of the collected data by Outdooractive.

Outdooractive stores the data collected about you as user profiles and uses them for market research purposes and/or to tailor the electronic databases to user needs. You have the right to object to the creation of these user profiles; to exercise this right, you must contact Outdooractive. The legal basis for using Outdooractive's services is Article 6(1)(f) of the GDPR. Further information on the purpose and scope of data collection and processing by Outdooractive can be found in the privacy policy provided below. There you will also find further information on your rights and settings options for protecting your privacy. Privacy policy of Outdooractive GmbH & Co. KG, Missener Straße 18, 87509 Immenstadt: corporate.outdooractive.com/de/datenschutzrichtlinien/ and www.outdooractive.com/de/datenschutz.html

13.4 We use the urbnups service

urbnups provides various digital tourism content that you, as our users, can access. urbnups collects and processes the following data, which is technically necessary to display the requested service and to ensure stability and security (legal basis is Art. 6 para. 1 sentence 1 lit. f GDPR):

  • IP address
  • Date and time of the request
  • Time zone difference to Greenwich Mean Time (GMT)
  • Content of the request (specific page)
  • Access status/HTTP status code
  • Amount of data transferred
  • Website from which the request originated
  • Browser
  • Operating system and its interface
  • Language and version of the browser software

The IP address transmitted by your browser is not combined with other data we collect. We have no influence on the data collected and data processing operations of third-party providers, nor are we aware of the full extent of the data collection, the purposes of the processing, or the storage periods. The legal basis for using urbnups' services is Article 6(1)(f) GDPR. Further information on the purpose and scope of data collection and processing by urbnups can be found in the provider's respective privacy policy. There you will also find further information on your rights and settings options to protect your privacy. Privacy policy of urbnups UG (limited liability), Hamburg: https://urbnups.com/datenschutzerklaerung/

14. Payment providers

14.1 PayPal

We have integrated components from PayPal on this website. The European operating company of PayPal is PayPal (Europe) S.à r.l. & Cie. SCA, 22-24 Boulevard Royal, 2449 Luxembourg, Luxembourg. PayPal is an online payment service provider. Payments are processed via PayPal accounts, which are virtual personal or business accounts. PayPal also allows users to make virtual payments via credit card if they do not have a PayPal account. A PayPal account is linked to an email address, so there is no traditional account number. PayPal enables users to send and receive online payments. PayPal also acts as an escrow service and offers buyer protection.

If you select "PayPal" as your payment method during the ordering process in our online shop, your data will be automatically transmitted to PayPal. By selecting this payment option, you consent to the transfer of personal data necessary for payment processing.

The personal data transmitted to PayPal typically includes first and last name, address, email address, IP address, telephone number, mobile phone number, and other data necessary for payment processing. Personal data related to the specific order is also necessary for processing the purchase agreement.

The purpose of transmitting this data is payment processing and fraud prevention. We will transmit personal data to PayPal, in particular, when there is a legitimate interest in doing so. The personal data exchanged between PayPal and us may be transmitted by PayPal to credit reference agencies. This transmission is for the purpose of identity and creditworthiness verification.

PayPal may share personal data with affiliated companies and service providers or subcontractors to the extent necessary to fulfill contractual obligations or to process the data on its behalf.

You have the right to withdraw your consent to the processing of your personal data by PayPal at any time. Such withdrawal will not affect personal data that must be processed, used, or transmitted for the (contractual) processing of payments.

The use of PayPal is in the interest of proper and smooth payment processing. This constitutes a legitimate interest within the meaning of Article 6(1)(f) GDPR. Your personal data will only be transferred with your explicit consent in accordance with Article 6(1)(a) GDPR.

PayPal's current privacy policy can be accessed at https://www.paypal.com/de/webapps/mpp/ua/privacy-full.

15. Your rights as a data subject

15.1 Right to confirmation

You have the right to request confirmation from us as to whether personal data concerning you is being processed.

15.2 Right of access Art. 15 GDPR

You have the right to obtain from us, at any time and free of charge, information about the personal data stored about you and a copy of this data in accordance with the legal provisions.

15.3 Right to rectification Art. 16 GDPR

You have the right to request the correction of inaccurate personal data concerning you. Furthermore, taking into account the purposes of the processing, you have the right to request the completion of incomplete personal data.

15.4 Deletion Art. 17 GDPR

You have the right to request that we delete your personal data without undue delay, provided that one of the legally stipulated grounds applies and insofar as the processing or storage is not necessary.

15.5 Restriction of processing Art. 18 GDPR

You have the right to request that we restrict the processing of your data if one of the legal requirements is met.

15.6 Data portability Art. 20 GDPR

You have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format. You also have the right to transmit this data to another controller without hindrance from us, the controller to whom the personal data was provided, provided that the processing is based on consent pursuant to Article 6(1)(a) GDPR or Article 9(2)(a) GDPR or on a contract pursuant to Article 6(1)(b) GDPR and the processing is carried out by automated means, unless the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us.

Furthermore, when exercising your right to data portability pursuant to Article 20(1) GDPR, you have the right to have the personal data transmitted directly from one controller to another, where technically feasible and provided that this does not adversely affect the rights and freedoms of other persons.

15.7 Objection Art. 21 GDPR

You have the right to object, on grounds relating to your particular situation, at any time to the processing of personal data concerning you which is based on point (e) of Article 6(1) (processing in the public interest) or point (f) of Article 6(1) (processing based on legitimate interests) of the GDPR.

This also applies to profiling based on these provisions within the meaning of Article 4 No. 4 GDPR.

If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves the purpose of establishing, exercising or defending legal claims.

In certain cases, we process personal data for direct marketing purposes. You can object to the processing of your personal data for such marketing at any time. This also applies to profiling insofar as it is related to such direct marketing. If you object to processing for direct marketing purposes, we will no longer process your personal data for these purposes.

Furthermore, you have the right to object, on grounds relating to your particular situation, to the processing of personal data concerning you which is carried out by us for scientific or historical research purposes or for statistical purposes pursuant to Article 89(1) GDPR, unless such processing is necessary for the performance of a task carried out in the public interest.

You are free, in connection with the use of information society services and notwithstanding Directive 2002/58/EC, to exercise your right to object by automated means using technical specifications.

15.8 Revocation of consent under data protection law

You have the right to withdraw your consent to the processing of personal data at any time with effect for the future.

15.9 Complaint to a supervisory authority

You have the right to lodge a complaint with a supervisory authority responsible for data protection regarding our processing of personal data.

16. Routine storage, deletion and blocking of personal data

We process and store your personal data only for the period necessary to achieve the purpose of storage or as provided for by the legal regulations to which our company is subject.

If the purpose for which the data was stored ceases to exist or a prescribed storage period expires, the personal data will be routinely blocked or deleted in accordance with legal requirements.

17. Duration of storage of personal data

The criterion for the duration of storage of personal data is the respective statutory retention period. After this period expires, the corresponding data is routinely deleted, unless it is still required for the performance of a contract or for initiating a contract.

18. Updates and changes to the privacy policy

This privacy policy is currently valid and was last updated in October 2025.

Due to the ongoing development of our website and services, or due to changes in legal or regulatory requirements, it may become necessary to amend this privacy policy. The current privacy policy can be accessed and printed at any time on the website at "https://www.goerlitz.de/Datenschutz.html".

This privacy policy was created with the support of the data protection software audatis MANAGER.