1. Personal data

Personal data within the meaning of the GDPR comprises all information relating to an identified or identifiable natural person; a natural person is regarded as identifiable if they can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person. Personal data is stored only to the extent necessary to provide the booked service, to comply with legal requirements, or for the purpose stated below.

3. The purpose for collecting personal data

You can access this online booking tool (“OBT”) without the collection of personal data being required. However, certain anonymized data is stored with each access, e.g., which offer was accessed. As a rule, this data is not personal and therefore does not fall under the statutory provisions of the GDPR or the BDSG.

TOAG collects data about accesses to the OBT and stores these as “server log files”. The following data is logged:

• Website visited
• Time at the moment of access
• Amount of data sent in bytes
• Source/referrer from which you reached the page
• Browser used
• Operating system used
• IP address used

The collected data serves solely for statistical evaluations and to improve the website. The website operator reserves the right to subsequently check the server log files if there are concrete indications of unlawful use.

Anonymous data is collected exclusively for statistical evaluation in order to improve our services. Please also refer to the section “Right of Access / Right to Withdraw.”

The collection of personal data becomes necessary if you book accommodation or another service through our OBT, for which personal data is indispensable to process the booking.

In line with the statutory principles of data minimisation, we generally collect only the data required to provide the specific service. Where our forms request additional information, providing it is always voluntary and labelled as such.

The temporary storage of the IP address by the system is necessary to enable delivery of the website to the user’s computer. For this, the user’s IP address must remain stored for the duration of the session. Storage in log files also takes place to ensure the website’s functionality. In addition, the data helps us optimise the website and ensure the security of our IT systems. No evaluation of the data for marketing purposes takes place in this context. These purposes also constitute our legitimate interest in data processing pursuant to Art. 6(1)(f) GDPR.

If you wish to contact a host directly via the contact form displayed for that host, the data you provide for this purpose will be stored and processed by us and transmitted to the respective host so they can contact you. No disclosure to third parties takes place.
In the event of booking a trip or another service, the data collected for this purpose will be used to process this booking, for advertising purposes within the statutory framework, and for statistical purposes.

5. Disclosure of Personal Data to Third Parties

Your personal data will be disclosed exclusively in compliance with the relevant statutory provisions, in particular data protection and competition law.

Where necessary for the performance of our contractual obligations or legal duties, your data may also be passed on to subcontractors or service providers to provide the service on our behalf or in our name (e.g., technical handling of postal and email dispatch, payment processing, customer service).

In addition, data is passed on to persons or companies to process your booking, in particular to airlines, tour operators, hotels, travel agencies, car rental companies, cruise lines, authorities, etc. Please note that the data protection provisions at the registered office of these persons and companies may differ from those in Germany.

Disclosure and transmission of your data to third parties also takes place where we are obliged to do so by law or by final court order.
You have the right to receive the personal data concerning you which you have provided to us in a structured, commonly used, and machine-readable format. You also have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided.

7. Storage and Deletion of Data

Within the scope of the purposes stated under “Purpose of Collecting Personal Data,” your personal data is stored. The personal data of the data subject will be deleted or blocked as soon as the purpose of storage ceases to apply. Storage may take place beyond this if provided for by the European or national legislator in EU regulations, laws, or other provisions to which the controller is subject. The legislator has enacted diverse retention obligations and periods. Blocking or deletion of the data also takes place when a retention period prescribed by the aforementioned standards expires, unless there is a necessity for further storage of the data for the conclusion or fulfilment of a contract.

9. Use of Google Analytics

This website uses the Google Analytics 4 web analytics service of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (“Google”).

If consent is given, Google Analytics 4 uses cookies that enable an analysis of website use. In this case, the legal basis is Art. 6(1)(a) GDPR. The information collected about website use (e.g., pages viewed, interactions, device type, approximate location) is generally transmitted to a Google server and stored there.

We have also implemented Google Consent Mode V2. This ensures that the processing of personal data depends on your consent:

• If consent is given, processing takes place as described above using cookies.
• If consent is refused, no cookies are set. Instead, Consent Mode transmits so-called pings (cookieless signals) to Google. These contain only basic technical information (e.g., timestamp, referrer, consent status, browser information). Google uses this information to create modeled conversions, enabling us to obtain aggregated statistical evaluations even without cookies.

Within Consent Mode V2, the following consent types are particularly considered:

• ad_storage (ad storage)
• analytics_storage (analytics storage)
• ad_user_data (user data for advertising purposes)
• ad_personalization (personalised advertising)

The processing of personal data based on the signals transmitted via Consent Mode V2 takes place pursuant to Art. 6(1)(f) GDPR (legitimate interest), as we have a legitimate interest in the statistical analysis of user behaviour and in optimising our online offering.

Data may be transferred to Google servers in the USA. For transfers to the USA, Google relies on the EU–US Data Privacy Framework. Further information about Google’s data processing can be found at: https://policies.google.com/privacy.

The Google tracking codes on this website use the function “_anonymizeIp()”, so IP addresses are further processed only in truncated form in order to exclude direct personal reference. You may object to data collection and storage at any time with future effect. By clicking the “Disable” button, tracking is completely prevented. You can withdraw or change any consent you have given at any time via the consent management tool implemented on our website. For the objection to be stored permanently, the browser used must accept cookies.
Alternatively, you can object to data collection by using a Google browser plug-in to prevent information collected by cookies (including your IP address) from being sent to and used by Google Inc. The following link leads to the relevant plug-in: https://tools.google.com/dlpage/gaoptout?hl=de

11. Use of Microsoft Clarity

Our online presence uses the analytics service Microsoft Clarity, offered by Microsoft Ireland Operations Ltd., One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland.

When visiting this website, personal data is processed. In particular, categories of data are processed that serve to produce usage statistics.

Purpose of processing:
Processing is carried out for anonymisation, for creating statistical evaluations, and for analysing the usage behaviour of our website visitors. This information helps us improve our online offering technically and make it more user-friendly.

Legal basis for processing:
Your personal data is processed on the basis of your consent pursuant to Art. 6(1)(a) GDPR.

Recipient of the data:

Data is transferred to the independent controller Microsoft Ireland Operations Ltd.
One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland.

The legal basis for transferring data to Microsoft Ireland Operations Ltd. is likewise your consent pursuant to Art. 6(1)(a) GDPR.

Personal data may also be transferred to a country outside the European Union. Transfers of data to the USA take place pursuant to Art. 45 GDPR in conjunction with the European Commission’s adequacy decision C(2023) 4745, as the data recipient has committed to complying with the principles of the EU–US Data Privacy Framework (DPF).

Further information on data protection at Microsoft can be found at:
https://privacy.microsoft.com/de-de/privacystatement

For data protection inquiries to the Data Protection Officer of Microsoft Ireland Operations Ltd., you can use the following contact form:
https://www.microsoft.com/en-us/concern/privacyrequest-msa

13. Use of Error Logging

Our online presence uses Sentry. The service is offered by Functional Software, Inc., 132 Hawthorne St, San Francisco, CA 94107. The service collects and stores data that is compiled from anonymised usage profiles. This serves exclusively to analyse error cases and monitor system stability. Cookies are used for this purpose. You may object to Sentry’s data collection and storage at any time with future effect by disabling cookies in your browser settings. Sentry’s Privacy Policy is available at https://sentry.io/privacy/.

15. Automated Individual Decision-Making

A fully automated decision means decisions made by technical means without the direct involvement of a person.
Automated decision-making pursuant to Art. 22 GDPR does not take place on our website. If we use this procedure in individual cases, we will inform you separately—where required by law.

17. Competent Supervisory Authority

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority—particularly in the Member State of your habitual residence, place of work, or the place of the alleged infringement—if you consider that the processing of personal data concerning you infringes the GDPR.

The supervisory authority with which the complaint has been lodged informs the complainant of the progress and the outcome of the complaint, including the possibility of a judicial remedy pursuant to Art. 78 GDPR.

You can contact the supervisory authority competent for you for complaints within the meaning of Art. 77 GDPR at the following contact details:

State Commissioner for Data Protection and Freedom of Information Baden-Württemberg

Street address:

Königstraße 10a

70173 Stuttgart

Postal address:

Postfach 10 29 32

70025 Stuttgart

Phone: 0711 / 61 55 41 – 0

Email: poststelle@lfdi.bwl.de