This website www.legoland.de uses cookies and similar technologies to enable you, the user, to personalize your visit to the website.
Further information on how personal data is processed in connection with the use of the website can be found in our privacy policy.
Some cookies and similar technologies can store data that may identify you and therefore have an impact on your privacy. This cookie statement is intended to inform you about the use of these functions in order to help you decide whether to give your consent.
- General information about cookies and similar technologies
- Types of cookies
- Similar technologies: Web Beacons & Scripts
- Legal basis and storage period
- Consent management and blocking
- Transaction and payment service provider
- Accesso
- PayPal
- Google Pay
- Profiling
- Analysis and tracking tools
- Google Analytics
- Google Tag Manager
- Marketing tools
- Google Ads remarketing and conversion tracking
- Double Click
- Facebook Custom Audiences
- Facebook Pixel
- Visual Website Optimizer
- Quantum Metric
- Content delivery networks
- Cloudflare
- Amazon (Cloudfront)
- Other third-party providers
- Queue-it
- Google ReCaptcha
- Use of social plugins
- Facebook and Instagram
- YouTube
- Tripadvisor
1. General information about cookies and similar technologies
Cookies are small data records that are stored on the end device when users visit websites (in the browser) and use apps. These cookies can then be sent back from the end device. Cookies are harmless in and of themselves and fulfill important functions for websites. Cookies can usually also be easily viewed and deleted.
a. Types of cookies
In general, there are three different ways of classifying cookies: how long they last (duration), where they come from (origin) and what purpose they serve:
DURATION
Session cookies - These cookies are temporary and expire as soon as you close your browser (or when your session ends).
Persistent cookies - This category includes all cookies that remain on your hard disk until you delete them or your browser does so, depending on the expiration date of the cookie. All persistent cookies should have an expiration date written in their code, but their duration may vary.
ORIGIN
First-party cookies - As the name suggests, first-party cookies are placed on your device directly by the website you are visiting.
Third party cookies - These are the cookies that are placed on your device, not by the website you are visiting, but by a third party such as an advertiser or analytics system.
PURPOSE
Strictly Necessary Cookies - These cookies help make a website usable by enabling basic functions such as page browsing and access to secure areas of the website. Without these cookies, the website cannot function properly.
Preference cookies - These cookies, also known as "functionality cookies", allow a website to remember choices you have made in the past, such as which language you prefer, which region you live in or what your username and password are, so that you can log in automatically.
Statistics cookies - These cookies, also known as "performance cookies", are used to improve the functionality of the website by collecting information about how you use a website, such as which pages you have visited and which links you have clicked on. None of this information can be used to identify you. It is all aggregated and therefore anonymized.
Marketing cookies - These cookies track your online activity to help advertisers serve more relevant ads or limit the number of times you see an ad. These cookies may share this information with other organizations or advertisers. These are persistent cookies, which almost always come from third parties.
b. Similar technologies: Web Beacons & Scripts
Websites, emails and mobile applications may contain small, transparent image files or lines of code called web beacons and scripts to help website owners understand how you interact with them. This information is used to make websites, newsletters and mobile apps more user-friendly and personalized.
c. Legal basis and storage period
The legal bases for the possible processing of personal data using cookies and similar technologies and their storage duration vary and are presented in the following sections. Insofar as we obtain consent for the use of analysis and tracking technologies, this also constitutes consent in accordance with Art. 6 GDPR and Section 25 TDDDG.
d. Consent management and blocking
When you navigate to our website or use a mobile app, you have the option of consenting to the use of cookies or other tracking tools.
Once you have given your consent to the use of cookies or other tracking tools, you can revoke your consent at any time for the future.
You can also object to the use of cookies or other tracking tools that we use on the basis of our legitimate interest, unless they are technically necessary for our offer.
WITH THE MERLIN COOKIE CONSENT TOOL:
You can set your cookie preferences at any time while navigating the LEGOLAND website by accessing the Consent Management Tool available at the bottom of each page by clicking on this icon:
You can withdraw your consent and object to the use of cookies or other tracking tools using our consent tool, where you can change your selection at any time.
OTHER STEPS YOU CAN TAKE TO MANAGE COOKIES
You can revoke your consent by simply deleting the cookie in your browser; when you re-enter/reload the website, you will be asked for your cookie consent again.
You can also configure your browser so that it manages cookies and, for example, refuses to accept third-party cookies or all cookies. We would like to point out that you may then not be able to use all functions of this website to their full extent.
2. Transaction and payment service provider
a. Accesso
We use payment software services from the Accesso Technology Group. The company is headquartered at 1025 Greenwood Blvd Suite 500 Lake Mary, FL 32746 USA.
Nature and purpose of data processing
Accesso offers solutions for ticketing, retail and marketing. Accesso offers services for theme parks, water parks, zoos, sports and cultural attractions. We use Accesso as part of the sale of our online tickets and annual passes. The personal data collected via German websites is stored in a data center in the UK. However, remote support can also be provided by US, EU or APAC service agents.
The following data can be processed during a transaction via Accesso:
- Surname, first name
- Address
- E-mail address
- Phone number
- Means of payment
- Customer number
- Invoice number
Storage duration
The data is stored until the purpose for which it was collected no longer applies and then deleted in accordance with the statutory retention periods. Document and invoice data must be stored for at least 10 years in accordance with § 147 AO, § 257 HGB.
Receiver
- Accesso LLC, USA
- Ingresso Group Ltd (Accesso Europe), Unit 5, The Pavillons, Ruscombe Park, Twyford, Reading RG10 9NN, England, UK
- VisionOne, Inc.
- VisionOne S.A. de C.V
Third country transfer
The information collected is stored on Accesso servers, primarily in the UK. However, transfer to or access to data from the USA cannot be ruled out. We have concluded a data processing agreement and the EU standard contractual clauses with the service provider to secure the data. There is currently an adequacy decision by the EU Commission for the USA, and Accesso is certified in accordance with the Data Privacy Framework:
Legal basis
Data processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract. The legal basis for processing is therefore Art. 6 para. 1 sentence b GDPR.
Objection/ revocation
If and insofar as the legal requirements are met, you can terminate contracts with us. However, the legality of data processing up to this point remains unaffected.
b. PayPal
We offer the option of processing the payment transaction via the payment service provider PayPal. The provider is PayPal (Europe) S.à.r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg.
Nature and purpose of processing
We use PayPal to offer you an efficient and secure payment method. As part of the payment process, we pass on data to PayPal insofar as this is necessary for the fulfillment of the contract. This can be:
- First name
- Surname
- Address
- E-mail address
- Phone number
PayPal reserves the right to carry out a credit check for the payment methods credit card via PayPal, direct debit via PayPal or - if offered - "purchase on account" or "payment by installments" via PayPal. For this purpose, your payment data may be passed on to credit agencies in accordance with Art. 6 para. 1 lit. f GDPR on the basis of PayPal's legitimate interest in determining your solvency. PayPal uses the result of the credit check with regard to the statistical probability of non-payment for the purpose of deciding on the provision of the respective payment method. The credit report may contain probability values (so-called score values). If score values are included in the result of the credit report, they are based on a scientifically recognized mathematical-statistical procedure. The calculation of the score values includes, but is not limited to, address data.
Storage duration
Your data will be stored until completion of payment processing, including the period in which complaints, reclaims etc. may arise. In accordance with § 147 AO, § 257 HGB, we also have a statutory retention period of 10 years for document data.
Receiver
- PayPal (Europe) S.à.r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg
Third country transfer
There is no transfer to third countries.
Legal basis
The legal basis for the described data processing is the execution of the contract with you, Art. 6 para. 1 sentence 1 lit. b GDPR.
Possibility of revocation
We cannot process a payment via PayPal without the transmission of your personal data. However, you have the option of choosing another payment method.
Further information on data protection at PayPal can be found at: https://www.paypal.com/myaccount/privacy/privacyhub
c. Google Pay
We use Google Pay as a payment service provider on our website. The provider of this payment service is Google Ireland Limited, Ireland. If you choose this payment service, it is possible for you to use your customer data already stored with Google for your purchase in our online store without disclosing your payment data to us. Google only provides us with your contact details.
Details on the handling of your data can be found in the Google Pay privacy policy at https://payments.google.com/payments/apis-secure/get_legal_document?ldo=0&ldt=privacynotice&ldl=de.
d. Profiling
In profiling or so-called 'automated decision-making' within the meaning of Art. 21 GDPR, a decision is only made via an automated processing process of your personal data, for example via a software code or algorithm, without any human intervention. We do not carry out automated decision-making, but we do maintain profiling through automated processes in order to tailor advertising measures to a specific customer.
If you are a customer who has signed up to receive marketing updates, we may use profiling to tailor marketing materials to your interests and to content that we think may be of interest to you. In certain circumstances, profiling may allow certain inferences to be drawn about you which may fall within the special categories of your personal data. However, we will only do this if we have obtained your express consent to do so.
3. Analysis and tracking tools
a. Google Analytics
If you have given your consent, Google Analytics, a web analysis service of Google LLC, is used on this website. The controller for users in the EU/EEA and Switzerland is Google Ireland Limited, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland ("Google").
Nature and purpose of processing
Google Analytics uses cookies to help the website analyze how users use the site. The information collected by the cookies about your use of this website is usually transferred to a Google server in the USA and stored there.
We use the User ID function. With the help of the user ID, we can assign a unique, permanent ID to one or more sessions (and the activities within these sessions) and analyze user behavior across devices.
We use Google Signals. This allows Google Analytics to collect additional information about users who have activated personalized ads (interests and demographic data) and ads can be delivered to these users in cross-device remarketing campaigns.
We use the 'anonymizeIP' function (so-called IP masking): Due to the activation of IP anonymization on this website, your IP address will be shortened by Google within member states of the European Union or in other contracting states of the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and truncated there. The IP address transmitted by your browser as part of Google Analytics will not be merged with other Google data.
During your visit to the website, the following data is recorded, among others:
- the pages you visit, your "click path"
- achievement of "website goals" (conversions, e.g. newsletter registrations, downloads, purchases)
- your user behavior (e.g. clicks, dwell time, bounce rates) -
your approximate location (region)
- your IP address (in abbreviated form)
- technical information about your browser and the end devices you use (e.g. language setting, screen resolution)
- your internet provider
- the referrer URL (via which website/advertising medium you came to this website)
On behalf of the operator of this website, Google will use this information to evaluate your use of the website and to compile reports on website activity. The reports provided by Google Analytics are used to analyze the performance of our website and the success of our marketing campaigns.
Storage duration
The data sent by us and linked to cookies is automatically deleted after 14 months. The lifespan of Google Analytics cookies is 14 months. Data whose retention period has been reached is automatically deleted once a month.
Receiver
The recipient of the data is Google Ireland Limited as the processor. We have concluded a data processing agreement with Google for this purpose. Other recipients may be:
- Google Ireland Limited, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland
- Google LLC, 1600 Amphitheatre Parkway Mountain View, CA 94043, USA
- Alphabet Inc., 1600 Amphitheatre Parkway Mountain View, CA 94043, USA
Third country transfer
Insofar as data is processed outside the EU/EEA and there is no level of data protection corresponding to the European standard, we have concluded EU standard contractual clauses with the service provider to establish a secure level of data protection. The parent company Google LLC is based in California, USA. A transfer of data to the USA cannot be ruled out. There is currently an adequacy decision by the EU Commission for the USA. Google LLC is certified in accordance with the Data Privacy Framework:
Legal basis
The legal basis for this data processing is your consent, Art. 6 para. 1 lit. a) GDPR and § 25 para. 1 TDDDG.
Possibility of revocation
You can revoke your consent at any time with effect for the future by accessing the cookie settings and changing your selection there. This does not affect the lawfulness of the processing carried out on the basis of the consent until revocation.
Alternatively, you can prevent the storage of cookies from the outset by configuring your browser software accordingly. However, if you configure your browser to reject all cookies, this may limit the functionality of this and other websites. You can also prevent Google from collecting the data generated by the cookie and relating to your use of the website (including your IP address) and from processing this data by Google by a. not giving your consent to the setting of the cookie or
b. downloading and installing
the browser add-on to deactivate Google Analytics HERE.
You can find more information on the terms of use of Google Analytics and on data protection at Google at https://marketingplatform.google.com/about/analytics/terms/de/ and at https://policies.google.com/?hl=de.
b. Google Tag Manager
We use the Google Tag Manager. This is a service from Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.
Nature and purpose of processing
Google Tag Manager does not store any personal data itself, but forwards data if necessary. Google Tag Manager makes it easier for us to integrate and manage our tags. Tags are small code elements that are used, among other things, to measure traffic and visitor behaviour, record the impact of online advertising and social channels, set up remarketing and targeting and test and optimize websites.
Storage duration
No data is saved using the Tag Manager.
Receiver
- Google Ireland Limited, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland
- Google LLC, 1600 Amphitheatre Parkway Mountain View, CA 94043, USA
- Alphabet Inc., 1600 Amphitheatre Parkway Mountain View, CA 94043, USA
Third country transfer
This service may process data outside the European Union and the European Economic Area (EEA). There is currently an adequacy decision by the EU Commission for the USA. Google LLC is certified under the Data Privacy Framework:
Legal basis
The legal basis for the data processing described is your consent, Art. 6 para. 1 sentence 1 lit. a, 49 para.1 lit.a GDPR and § 25 para. 1 TDDDG.
Possibility of revocation
You can revoke your consent at any time with effect for the future by accessing the cookie settings and changing your selection there. The legality of the data processing until the revocation remains unaffected.
For more information on Google Tag Manager, see: https://www.google.com/intl/de/tagmanager/use-policy.html
4. Marketing tools
a. Google Ads remarketing and conversion tracking
We use the Google Ads service. Google Ads is an online advertising program from Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.
Nature and purpose of processing
This means that we place Google Ads ads and also use Google Remarketing and conversion tracking as part of this. The ads are displayed after search queries on websites in the Google advertising network.
We also use ad remarketing lists for search ads. This allows us to customize search ad campaigns for users who have previously visited our website. The services allow us to combine our ads with certain search terms or to place ads for previous visitors that advertise, for example, services that visitors have viewed on our website. We can therefore display interest-based advertising to users of our website on other websites within the Google advertising network (as a "Google ad" as part of Google Search or on other websites).
An analysis of online user behavior is necessary for interest-related offers. Google uses cookies to carry out this analysis. When you click on an advertisement or visit our website, Google places a cookie on the user's computer.
With the help of this technology, Google and we as the customer receive information that a user has clicked on an ad and has been redirected to our websites. The information obtained in this way is used exclusively for ad optimization, i.e. for targeting the user. The statistics provided to us by Google include the total number of users who clicked on one of our ads and, if applicable, whether they were redirected to a page on our website with a conversion tag. Based on these statistics, we can see which search terms were clicked on our ad particularly often and which ads lead to the user making contact.
Storage duration
The cookies have a duration of 90 days. We store the data collected for remarketing for 14 months.
Receiver
- Google Ireland Limited, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland
- Google LLC, 1600 Amphitheatre Parkway Mountain View, CA 94043, USA
- Alphabet Inc., 1600 Amphitheatre Parkway Mountain View, CA 94043, USA
Third country transfer
The recipient of the data is Google Ireland Limited. The transmission of data to Google servers in the USA or access from the USA to data stored within the EEA cannot be ruled out. There is currently an adequacy decision by the EU Commission for the USA. Google LLC is certified in accordance with the Data Privacy Framework:
Legal basis
The legal basis for this data processing is your consent, Art. 6 para. 1 lit. a) GDPR and § 25 para. 1 TDDDG.
Possibility of revocation
You can revoke your consent at any time with effect for the future by accessing the cookie settings and changing your selection there.
You can also prevent the cookies required for these technologies from being saved, for example via your browser settings. In this case, your visit will not be included in the user statistics.
You also have the option of selecting the types of Google ads or deactivating interest-based ads on Google via the ad settings (https://adssettings.google.com/authenticated?hl=de). However, we and Google will continue to receive statistical information about how many users have visited this site and when. If you do not wish to be included in these statistics either, you can prevent this with the help of additional programs for your browser (e.g. the Privacy Badger add-on).
Further information on data protection in the context of Google Ads can be found at: https://policies.google.com/technologies/ads?hl=de.
b. Double Click
We use DoubleClick by Google on this website. The provider is Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA ("Google").
Nature and purpose of processing
DoubleClick uses cookies to present you with advertisements that are relevant to you. A pseudonymous identification number (ID) is assigned to your browser in order to check which ads have been displayed in your browser and which ads have been viewed. The cookies do not contain any personal information.
The use of DoubleClick cookies only enables Google and its partner websites to place ads based on previous visits to our or other websites on the Internet. The information generated by the cookies may be transmitted by Google to a server in the USA for analysis and stored there.
Storage duration
The double-click cookies have a duration of 14 months. We store the data collected using Double Click for 14 months.
- Google Ireland Limited, EU
- Google LLC, USA
- Alphabet Inc., USA
Third country transfer
The transfer of data to the USA cannot be ruled out. There is currently an adequacy decision by the EU Commission for the USA. Google LLC is certified according to the Data Privacy Framework:
The legal basis for this data processing is your consent, Art. 6 para. 1 lit. a) GDPR and § 25 para. 1 TDDDG.
You can revoke your consent at any time with effect for the future by accessing the cookie settings and changing your selection there.
Further information on data protection and cookies at Google can be found in Google's privacy policy: policies.google.com/privacy?hl=en
c. Facebook Custom Audiences
We use the Facebook Custom Audiences service of Meta Platforms Inc, 1601 S. California Avenue, Palo Alto, CA 94304, USA for usage-based online advertising.
Nature and purpose of processing
For this purpose, we use the Facebook Ads Manager to define target groups of users based on certain characteristics, who are subsequently shown advertisements within the Facebook network. Users are selected by Facebook based on the profile information they provide and other data provided through the use of Facebook. If a user clicks on an advertisement and subsequently reaches our website, Facebook receives the information that the user has clicked on the advertising banner via the Facebook pixel integrated on our website.
In principle, a non-reversible and non-personal checksum (hash value) is generated from your usage data, which is transmitted to Facebook for analysis and marketing purposes. A Facebook cookie is set in the process. This collects information about your activities on our website (e.g. surfing behavior, subpages visited, etc.). Your IP address is also stored and used for the geographical targeting of advertising.
Facebook Custom Audiences via the customer list and the "advanced matching" function are not used by us.
Facebook cookies have a duration of 90 days.
The personal data collected by us using Facebook Custom Audiences is stored for 180 days .
Receiver
- Meta Platforms Inc.
- Meta Platforms Ireland Limited
Third country transfer
The transmission of data to Facebook servers in the USA or access from the USA to data stored within the EEA cannot be ruled out.
There is currently an adequacy decision by the EU Commission for the USA. Meta Platforms Inc. is certified according to the Data Privacy Framework:
https://www.dataprivacyframework.gov/list
The legal basis for data processing is your consent, Art. 6 para. 1 lit. a) GDPR and § 25 para. 1 TDDDG. Please note that your consent includes the transfer to the USA. Facebook Ireland transfers European data to Facebook, Inc. on the basis of processor-to-processor standard contractual clauses.
You can revoke your consent at any time with effect for the future by accessing the cookie settings and changing your selection there.
You can find more information about Facebook's Custom Audiences service at:
https://de-de.facebook.com/business/help/449542958510885
The deactivation of the "Facebook Custom Audiences" function is possible for logged-in users at https://www.facebook.com/settings/?tab=ads#_. You can also prevent the storage of cookies by selecting the appropriate settings in your browser software. However, we would like to point out that in this case you may not be able to use all the functions of our website to their full extent.
Further information on data processing and storage duration can be found at https://www.facebook.com/about/privacy.
d. Facebook Pixel
We use Facebook Pixel on this website. Facebook Pixel is a tracking technology offered by Facebook Inc. and used by other Facebook services such as Facebook Custom Audiences. The controller within the EEA is Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin, D02, Ireland.
Nature and purpose of processing
We use the pixel for tracking user behavior, its analysis and retargeting. This serves to improve our advertising campaigns and targeted advertising.
The following data may be collected through the use of this service:
- Facebook user ID
- Browser information
- Usage data
- Referrer URL
- Pixel ID
- User behavior
- Viewed advertisements
- Interactions with advertising, services and products
- Marketing information
- Respected content
- IP address
- Device information (device ID)
- Success of marketing campaigns
- Geographical location
Storage duration
The data is deleted as soon as it is no longer required for processing purposes. This is usually the case after 90 days.
Receiver
- Meta Platforms Inc.
- Meta Platforms Ireland Limited
Third country transfer
The transmission of data to Facebook servers in the USA or access from the USA to data stored within the EEA cannot be ruled out. There is currently an adequacy decision by the EU Commission for the USA. Meta Platforms Inc. is certified in accordance with the Data Privacy Framework:
https://www.dataprivacyframework.gov/list
Legal basis
The legal basis for the described data processing is your consent, Art. 6 para. 1 lit. a) GDPR and § 25 para. 1 TDDDG.
Possibility of revocation
You can revoke your consent at any time with effect for the future by accessing the cookie settings and changing your selection there.
You can find Facebook's privacy policy at: https://www.facebook.com/privacy/explanation
e. Visual Website Optimizer
We use the web analysis service of Visual Website Optimizer, which is operated by Wingfy Software Pvt Ltd, 14th Floor, KLJ Tower North, Netaji Subhash Place, Pitam Pura, Delhi 110034, India.
Nature and purpose of data collection
The provider enables us to analyze the surfing behavior of our users. This allows us to optimize our website and our offers.
The service sends information to our server that allows us to track how the user moves around the website (e.g. which links they click on and how they move the mouse) and how changes to the website, such as to the design, navigation elements, individual input forms, affect the usage behavior (such as length of stay and use of elements) of the data subjects (so-called A/B testing). Among other things, cookies are used to recognize the user. In addition, Visual Website Optimizer collects your IP address, but pseudonymizes it immediately after collection in order to exclude a direct personal reference to the individual user.
Storage duration
99 days
Receiver
- Wingfy Software Pvt Ltd, 14th Floor, KLJ Tower North, Netaji Subhash Place, Pitam Pura, Delhi 110034, India
Third country transfer
Insofar as data is processed outside the EU or the EEA, where there is no level of data protection corresponding to the European standard, we have concluded EU standard contractual clauses with the service provider to establish a secure level of data protection.
Legal basis
Data is only collected and stored with your express consent in accordance with Art. 6 para. 1 sentence 1 lit. a GDPR.
Possibility of revocation
Your consent can be revoked at any time with effect for the future.
Your data will be stored for the duration of [Please specify. The duration of data storage depends on the subscription. Can be viewed under Settings > Accounts > Usage.
The provider uses binding corporate rules and standard contractual clauses to ensure an appropriate level of protection. Further information on the scope of data collection and storage periods can be found at https://vwo.com/privacy-policy/.
f. Quantum Metric
Quantum Metric is a service of Quantum Metric, Inc, a Delaware corporation,10807 New Allegiance Drive, Ste 155 Colorado Springs, CO 80921 USA
Nature and purpose of data processing
QuantumMetrics is a web analytics tool designed to help us understand how the website is used and find ways to improve it to better meet the needs of our customers.
It uses cookies to identify a visitor's browser and track user behavior.
Your mouse clicks and sessions are recorded anonymously to improve the website, analyze errors and create heat maps and behavior reports.
Storage duration
364 days
Receiver
- Quantum Metric, Inc., a Delaware corporation10807 New Allegiance Drive, Ste 155 Colorado Springs, CO 80921 USA
Third country transfer
Insofar as data is processed outside the EU or the EEA, where there is no level of data protection corresponding to the European standard, we have concluded EU standard contractual clauses with the service provider to establish a secure level of data protection.
Legal basis
Data is only collected and stored with your express consent in accordance with Art. 6 para. 1 sentence 1 lit. a GDPR.
Possibility of revocation
You can revoke your consent at any time with effect for the future by accessing the cookie settings and changing your selection there. Alternatively, you can also opt-out directly with Quantum Metric: https://www.quantummetric.com/legal/privacy-policy/#:~:text=Our%20sharing%20of%20yo
Further information on data protection at Quantum Metric can be found at: https://www.quantummetric.com/legal/privacy-policy/
5. Content delivery networks
a. Cloudflare
We use Cloudflare on our website to secure our website and improve loading times. Cloudflare is a service of Cloudflare, Inc, 101 Townsend St., San Francisco, CA 94107, USA.
Nature and purpose of processing
Cloudflare is a content delivery network (CDN). Put simply, Cloudflare creates copies of our website and stores them on its own servers. So when you visit our website, a load balancing system ensures that the main part of our website is delivered from a server that can display our website to you as quickly as possible. In addition to the fast delivery of web pages, Cloudflare also offers various security services, such as DDoS protection or the Web Application Firewall. Cloudflare blocks threats and limits abusive bots and crawlers that waste our bandwidth and server resources.
Storage duration
Cloudflare usually stores the data for less than 24 hours. For enterprise domains that have Cloudflare Logs (formerly called Enterprise LogShare or ELS) enabled, data can be stored for up to 7 days. If IP addresses trigger security alerts in Cloudflare, the data can be stored for longer.
However, there is also information that Cloudflare stores indefinitely as part of its permanent logs. This is done to improve the overall performance of Cloudflare Resolver and to identify potential security risks. You can find out exactly which permanent logs are stored at https://developers.cloudflare.com/1.1.1.1/commitment-to-privacy/privacy-policy/privacy-policy/. All data that Cloudflare collects (temporarily or permanently) is cleansed of all personal data. Cloudflare also anonymizes all permanent logs.
Receiver
- Cloudflare, Inc.
Third country transfer
Cloudflare stores data mainly in the United States and the European Economic Area. Cloudflare also works with third-party providers. However, they may only process personal data as instructed by Cloudflare and in accordance with the data protection guidelines and other confidentiality and security agreements. A transfer to the USA cannot be ruled out, but there is currently an adequacy decision by the EU Commission. Cloudflare, Inc. is certified according to the Data Privacy Framework:
https://www.dataprivacyframework.gov/list
Legal basis
The legal basis for the described data processing is our legitimate interest in the security and effective provision of our website, Art. 6 para. 1 lit. f GDPR. The legal basis is also § 25 para. 2 no. 2 TDDDG .
Possibility of objection
You have the right to object to the processing. Whether the objection is successful must be determined as part of a balancing of interests. It will have to be taken into account that this service is technically necessary for the secure provision of our offer.
You can find out more about data protection at Cloudflare at https://www.cloudflare.com/de-de/trust-hub/gdpr/.
6. Amazon (Cloudfront)
We use the Content Delivery Network (CDN) Amazon CloudFront from Amazon Web Services EMEA SARL, 38 avenue John F. Kennedy, L-1855 Luxembourg (AWS).
Nature and purpose of processing
We use CDNs such as Amazon Cloudfront to increase the security and delivery speed of our website.
A CDN is a network of globally distributed servers that is able to deliver optimized content to the website user. For this purpose, personal data may be processed in server log files by AWS.
Amazon collects the following data:
- IP address,
- website accessed,
- Referrer URL,
- the browser used
- operating system used.
In addition, we keep anonymized log files to improve the stability and security of our website.
Receiver
- Amazon Web Services EMEA SARL, 38 Avenue John F. Kennedy, L-1855 Luxembourg;
- Amazon.com, Inc, Seattle WA, USA
Third country transfer
AWS is the recipient of your personal data and acts as a processor for us. Since aws provides servers worldwide as a CDN, a transfer to third countries cannot be ruled out. There is currently an adequacy decision by the EU Commission for the USA. Amazon.com, Inc. is certified in accordance with the Data Privacy Framework:
https://www.dataprivacyframework.gov/list
AWS has implemented compliance measures for international data transfers. These apply to all global activities where AWS processes personal data of natural persons in the EU. These measures are based on the EU Standard Contractual Clauses (SCCs). Further information can be found at: https://d1.awsstatic.com/legal/aws-gdpr/AWS_GDPR_DPA.pdf
Storage duration
Your personal data will be stored by AWS for as long as is necessary for the purposes described. It will then be deleted immediately. We delete the stored log files after 1876 days.
Legal basis
It is in our legitimate interest within the meaning of Art. 6 para. 1 sentence 1 lit. f GDPR not to operate a content delivery network ourselves and yet to ensure the effective, modern and secure provision of our website. The legal basis is also § 25 para. 2 no. 2 TDDDG.
Possibility of objection
You have the right to object to the processing. Whether the objection is successful must be determined as part of a balancing of interests. It will have to be taken into account that this service is technically necessary for the secure provision of our offer.
You can find out more about the data protection measures of AWS at:
https://aws.amazon.com/de/data-protection/
The current privacy policy of AWS can be found here:
https://aws.amazon.com/de/privacy/ and here in German translation:
https://d1.awsstatic.com/legal/privacypolicy/AWS_Privacy_Notice__German_Translation.pdf
You can find further information on objection and removal options vis-à-vis AWS at: https://d1.awsstatic.com/legal/privacypolicy/AWS_Privacy_Notice__German_Translation.pdf
7. Other third-party providers
a. Queue-it
On this website we use the services of the provider Queue-it ApS, Skelbækgade 2-4, 1717 Copenhagen V, Denmark.
Nature and Purpose of the processing
Queue-it is a developer of virtual waiting rooms to control website and app traffic peaks. Queue-it enables us as an online ticket seller to protect our ticketing system from slowdowns and crashes during peak times by distributing the load across multiple data centers during such peaks. Visitors are temporarily redirected to a virtual waiting room and informed of their waiting time in real time. Your current IP address is processed in the process.
Receiver
- Queue-it Aps
Storage duration
The lifespan of the Queue IT cookie is 365 days.
Legal basis
The legal basis for the described data processing is our legitimate interest in the security and effective provision of our website, Art. 6 para. 1 lit. f GDPR. The legal basis is also § 25 para. 2 no. 2 TDDDG.
Possibility of objection
You have the right to object to the processing. To do so, please contact the contact details listed under point 1 or the data protection officer. Whether the objection is successful must be determined as part of a balancing of interests. It will have to be taken into account that this service is technically necessary for the secure provision of our offer.
You can find Queue-it's privacy policy at:
https://queue-it.com/privacy-policy/
b. Google ReCaptcha
We use reCaptcha v2 on our websites. reCaptcha is a service provided by Google LLC, 1600 Amphitheatre Parkway Mountain View, CA 94043, USA. The controller for users in the EU/EEA and Switzerland is Google Ireland Limited, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland.
Nature and Purpose of the processing
ReCaptcha serves to prevent abusive automated entries in web forms and thus to protect the hoster's technical systems.
When you visit one of our websites in which reCaptcha is integrated, a connection to the Google servers is established. A reCaptcha cookie is set. Your IP address is transmitted to Google.
In addition, reCaptcha collects the following data by means of “fingerprinting”:
- Browser plugins used,
- the cookies set by Google in the last 6 months,
- the number of mouse clicks and touches you have made on this screen
- CSS information for the page accessed,
- Javascript objects,
- the date and
- the browser language
You can prevent the storage of cookies and fingerprinting by selecting the appropriate technical settings in your browser software; however, we would like to point out that in this case you may not be able to use all functions of this website to their full extent.
Third country transfer
Insofar as data is processed outside the EEA, where there is no level of data protection corresponding to the European standard, we have concluded EU standard contractual clauses with the service provider to establish a secure level of data protection.
You can find Google's privacy policy and terms of use here https://www.google.com/policies/privacy/ and here https://policies.google.com/terms.
Legal Basis
The legal basis for this data processing is your consent, Art. 6 para. 1 lit. a) GDPR.
Possibility of revocation
You can revoke your consent at any time with effect for the future by opening the data protection settings at the bottom left (“shield”) and activating the slider there accordingly.
8. Use of social plugins
a. Facebook and Instagram
We integrate third-party content such as Facebook and Instagram on our websites.
Nature and purpose of processing
Some articles include the option of displaying external content from these third-party providers. Such embedded third-party content is also referred to as social embeds.
To protect your data, we also block the display of external content via our consent tool. If you wish to view the external content, you have the option of giving your consent to the transfer of data in our cookie settings and displaying the content by clicking on it or not displaying the external content.
Third country transfer
The providers mentioned also process data outside the EU/EEA, especially in the USA. A transfer of data to the USA and access by US authorities to the data stored by Meta cannot be ruled out. Meta Platforms, Inc. is certified in accordance with the Data Privacy Framework and is listed in the Data Privacy Framework list of the International Trade Administration (ITA) at https://www.dataprivacyframework.gov/list. This means that Meta Platforms, Inc. has publicly committed to complying with the DPF obligations and any data transfer to the USA is harmless due to the current adequacy decision of the European Commission of July 10, 2023.
In addition, only pseudonyms are transmitted. As far as possible, we have concluded the EU standard contractual clauses with the providers and taken additional technical protective measures.
Legal basis
Data is only collected and stored with your express consent in accordance with Art. 6 para. 1 sentence 1 lit. a GDPR and § 25 para. 1 TDDDG for the storage of information in your terminal equipment used, such as on a laptop or smartphone, as well as access to such information that is already stored in your terminal equipment.
Possibility of revocation
You can revoke your consent at any time with effect for the future by accessing the cookie settings and changing your selection there. The legality of the data processing up to the time of revocation remains unaffected.
b. YouTube
We use the YouTube service to embed videos in the site. The provider is Google Ireland Limited Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland.
Nature and purpose of processing
With your consent, the video content is loaded from the Google servers. Data, including your IP address, is transmitted to Google, which tells Google that you have watched the video. If you are logged in to YouTube, this information will also be assigned to your user account. This can be prevented by logging out of YouTube before watching the video. We use YouTube videos to present our products clearly, to provide training content and to present our company.
The following data may be collected and processed via YouTube:
- IP address
- Referrer URL
- Device information
- Viewed videos
Storage duration
The personal data is stored for as long as it is required to fulfill the purpose of processing. The data will be deleted as soon as it is no longer required to achieve the purpose.
Receiver
In addition to Google Ireland Limited, the data may be transmitted to the following recipients as part of the processing:
- Google LLC.
- Alphabet Inc.
Third country transfer
The transfer of data to the USA and access by US authorities to the data stored by Google cannot be ruled out. There is currently an adequacy decision by the EU Commission for the USA. Google LLC is certified in accordance with the Data Privacy Framework:
https://www.dataprivacyframework.gov/list
Insofar as data is processed outside the EU/EEA, we have also concluded the standard contractual clauses adopted by the EU Commission in accordance with Art. 46 GDPR with the service provider to establish a secure level of data protection, which allow personal data to be transferred to a third country in individual cases.
Legal basis
The legal basis for the processing is your consent in accordance with Art. 6 para. 1 lit. a GDPR and § 25 para. 1 TDDDG for the storage of information in the terminal equipment you use, such as on a laptop or smartphone, as well as access to such information that is already stored in your terminal equipment.
Possibility of revocation
If you do not want YouTube to collect and process the aforementioned data, you can refuse your consent or revoke it at any time with effect for the future. The legality of the data processing until the revocation remains unaffected.
c. Tripadvisor
We use the Tripadvisor social plugin. The provider is TripAdvisor LLC, 400 1st Avenue, Needham, MA 02494, USA.
Nature and purpose of processing
We use Tripadvisor to deliver usage-based online advertising. When you use Tripadvisor by "clicking through" from our website to Tripadvisor, we receive information about how you use our website. Information that Tripadvisor receives from us in this way may be combined by Tripadvisor with the information you provide.
Third country transfer
As things stand today, Tripadvisor is not yet certified for the Data Privacy Framework (DPF) program. A transfer of data to the USA and access by US authorities to the data stored on Tripadvisor cannot be ruled out. Insofar as data is processed outside the EU/EEA within the framework of Tripadvisor, we have concluded the standard data protection clauses adopted by the EU Commission in accordance with Art. 46 GDPR with the service provider in order to establish a secure level of data protection, which allow personal data to be transferred to a third country in individual cases.
Legal basis
Data is only collected and stored with your express consent in accordance with Art. 6 para. 1 sentence 1 lit. a GDPR and § 25 para. 1 TDDDG for the storage of information in your terminal equipment used, such as on a laptop or smartphone, as well as access to such information that is already stored in your terminal equipment.
Possibility of revocation
You can object to the collection and storage of data at any time with effect for the future by clicking on the following link: https://privacyportal-cdn.onetrust.com/
