Privacy statement for the Berlin WelcomeCard App

1) Information on collecting personal data and contact details of the controller

1.1 We are pleased that you are visiting our Berlin WelcomeCard app („app“) and thank you for your interest. In the following sections we will inform you about the handling of your personal data when using our website. Personal data is all data with which you can be personally identified.

1.2 The controller of data processing on this website within the meaning of the General Data Protection Regulation (GDPR) is Berlin Tourismus & Kongress GmbH, Schöneberger Str. 15, 10963 Berlin, Germany, Phone: 030/ 25 00 23 33, Fax: 030/ 25 00 24 24, E-mail: hallo [at] visitBerlin.de.. The controller is the natural or legal person who alone or jointly with others determines the purposes and means of the processing of personal data.

1.3 The data controller has appointed a data protection officer, who can be contacted as follows: TÜV Rheinland i-sec GmbH, Mr. Oliver Gröger, Alboinstraße 56, 12103 Berlin, Germany, datenschutz [at] visitBerlin.de.

1.4 This website uses SSL or TLS encryption for security reasons and to protect the transmission of personal data and other confidential content (e.g. orders or enquiries to the data controller). You can recognise an encrypted connection by the character string "https://" and the lock symbol in your browser line.

2) Data collection when visiting our website
During the purely informational use of our website, i.e. if you do not register or otherwise transmit information to us, we only collect data that your browser transmits to our server (server log files). When you visit our website, we collect the following data, which is technically necessary for us to display the website to you:
- Our visited website
- Date and time accessed
- Quantity of data sent in bytes
- Source/link from which you reached the page
- Browser used
- Operating system used
- IP address used (if necessary in anonymised form)
Processing is carried out in accordance with Art. 6 para. 1 lit. f of the GDPR on the basis of our legitimate interest to improve the stability and functionality of our website. The data will not be passed on or used in any other way. However, we reserve the right to subsequently check the server log files if there are specific indications of unlawful use.

3) Location data
The app can access the location of your device if you enable this on your end device. Location sharing is used exclusively to display your current position within the app, for example to show your surroundings on the map.
We do not store, transmit or evaluate location data. The location data is processed exclusively on your end device and is not transferred to our systems. Permission to access the device location is controlled by the operating system settings of your end device and can be revoked or adjusted at any time. The processing is based on our legitimate interest pursuant to Article. 6 para. 1 lit. f of GDPR in enabling the map function of the app for technical reasons.

4) Making contact
Personal data is collected when you make contact with us (e.g. by contact form or e-mail). Which data is collected when you use a contact form is apparent from the contact form itself. This data is stored and used exclusively for the purpose of answering your request or for making contact, and the associated technical administration. The legal basis for the processing of data is our legitimate interest in responding to your request in accordance with Art. 6 para. 1 lit. f of the GDPR. If you make contact with a view to concluding a contract, the additional legal basis for processing is Art. 6 para. 1 lit. b of the GDPR. Your data will be deleted after the final processing of your request. This is the case if the circumstances indicate that the matter in question has been conclusively clarified and provided there are no legal obligations to retain the data.

6) Use of customer data for direct advertising

6.1 Sending the e-mail newsletter to existing customers
If you have provided us with your e-mail address when purchasing goods or services, we reserve the right to regularly send you e-mail offers for similar goods or services to those you have already purchased from our range. In accordance with § 7 para. 3 of the Unfair Competition Act (UWG), we do not need to obtain your separate consent for this. In this respect, the data processing is carried out solely on the basis of our legitimate interest in personalised direct advertising in accordance with Art. 6 para. 1 lit. f of the GDPR. If you have initially objected to the use of your e-mail address for this purpose, no e-mails will be sent by us. You are entitled to object to the use of your e-mail address for the aforementioned advertising purpose at any time with future effect by notifying the data controller named at the beginning. In this case, you will only be charged transmission costs according to the base rates. After receipt of your objection, the use of your e-mail address for advertising purposes will cease immediately.

6.2 Newsletter dispatch via Optimizely GmbH
Our e-mail newsletters are sent via the technical service provider Optimizely GmbH, Wallstraße 59, 10179 Berlin ("Optimizely"), to whom we pass on the data you provided when registering for the newsletter. This transfer takes place in accordance with Art. 6 para. 1 lit. f of the GDPR and serves our legitimate interest in using an effective ad-vertising, secure and user-friendly newsletter system. The data you enter for the purpose of receiving the newsletter (e.g. e-mail address) is stored on Optimizely's servers in the EU.

Optimizely uses this information to send and statistically evaluate the newsletter on our behalf. For the evaluation, the e-mails sent contain web beacons or tracking pixels, which are single-pixel image files that are stored on our website or web content of the e-mail. This makes it possible to determine whether a newsletter message has been opened. Through tracking, technical information is collected (e.g. time of retrieval, IP address, browser type and operating system). The data is only collected pseudonymously and is not linked to your other personal data. A direct reference to an individual person is excluded. This data is used exclusively for the statistical analysis of newsletter campaigns. The results of these analyses can be used to better adapt future newsletters to the interests of the recipients.
If you wish to object to data analysis for personalised evaluation purposes, you can do so within the e-mail sent to you. If you wish to object to the data analysis for statistical evaluation purposes, you must unsubscribe from the newsletter.
We have concluded an order processing agreement with Optimizely, with which we oblige Optimizely to protect our customers' data and not to pass it on to third parties.
You can view Optimizely's privacy policy here:
https://www.optimizely.com/de/legal/datenschutz/

6.3 Advertising by post
On the basis of our legitimate interest in personalised direct advertising, we reserve the right to store your first and last name, your postal address and – insofar as we have received this additional information from you as part of the contractual relationship – your title, academic degree, year of birth and your profession, industry or business name in accordance with Art. 6 para. 1 lit. f of the GDPR and to use it to send you interesting offers and information about our products by post.
You can object to the storage and use of your data for this purpose at any time by sending a message to the data controller.

7) Data processing for order processing
7.1 This app uses a booking widget from the Holidu Smart Destination reservation system of Holidu GmbH, Riesstraße 24, 80992 Munich. We hereby offer you the opportunity to order and purchase tourist products and services online as part of our online sales activities. Your personal data will be collected when you place an order and make a purchase. Your personal data will be passed on to the Holidu Smart Destination reservation system exclusively for the purpose of processing the online order in accordance with Article 6 para. 1 lit b of GDPR. In addition, the reservation system is used to provide the tickets in the app. For this purpose, we obtain your consent in accordance with Article 6 para. 1 lit. a of GDPR.

7.2 For the processing and issuance of public transport tickets contained in tourist cards, we pass on the necessary personal data to Berliner Verkehrsbetriebe (BVG), Holzmarktstraße 15-17, 10179 Berlin, and its ticketing service provider eos.uptrade GmbH, Schanzenstraße 70, 20357 Hamburg. The legal basis for the transfer of data is Article 6 para. 1 lit b of GDPR.

7.3 We use our own ticket gateway, ‘Public Ticket Solution’, to manage admission and validate tickets. Technical and statistical data is processed in a pseudonymised form. There is no direct assignment to individual persons. The processing is based on Article 6 para. 1 lit f of GDPR and serves the proper handling of the ticket process and statistical evaluation. The data is stored for a period of two years and then deleted.

7.4 In order to process your order, we work together with the service provider(s) listed below, who support us in whole or in part in the execution of concluded contracts. Certain personal data is transmitted to these service providers in accordance with the following information.
The personal data collected by us will be passed on to the transport company commissioned with the delivery as part of the contract processing, insofar as this is necessary for the delivery of the goods. We pass on your payment data to the commissioned credit institution within the framework of payment processing, insofar as this is necessary for payment processing. If payment service providers are used, we will inform you explicitly about this below. The legal basis for the transfer of data is Art. 6 para. 1 lit. b of the GDPR.

7.5 Use of payment service providers (payment services)
- Nexi Germany GmbH
If you choose to pay by credit card using the payment ser-vice provider Nexi Germany GmbH, payment will be processed via the payment service provider Nexi Germany GmbH, Helfmann-Park 7, 65760 Eschborn, Germany, to whom we will pass on the information you provided during the ordering process, together with information about your order, in accordance with Art. 6 para. 1 lit. b of the GDPR. Your data will be passed on solely for the purpose of pro-cessing payment with the payment service provider Nexi and only to the extent necessary for this purpose. You can obtain further information on the data protection provisions of Nexi at the following Internet address: https://www.nexi.de/de/legal-footer/datenschutzerklaerung

- Paypal
If you pay via PayPal, credit card via PayPal, direct debit via PayPal or – if offered – purchase on account or payment by instalments via PayPal, we shall pass on your payment data to PayPal (Europe) S.a.r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg (hereinafter referred to as "PayPal") as part of the payment processing. The transfer takes place in accordance with Art. 6 para. 1 lit. b of the GDPR and only insofar as this is nec-essary for the payment processing.

For the payment methods credit card via PayPal, direct debit via PayPal or – if offered – purchase on account or payment by instalments via PayPal, PayPal reserves the right to carry out a credit check. For this purpose, your payment data may be passed on to credit agencies in accordance with Art. 6 para. 1 lit. f of the GDPR on the basis of PayPal's legitimate interest in determining your solven-cy. PayPal uses the result of the credit check in terms of the statistical probability of non-payment for the purpose of deciding on the provision of the respective payment meth-od. The credit report may contain probability values (score values). Insofar as score values are included in the result of the credit report, they have their basis in a scientifically recognised mathematical-statistical procedure. The calculation of the score values includes, but is not limited to, address data. For further information on data protection law, including information on the credit agencies used, please refer to PayPal's data privacy policy: https://www.paypal.com/uk/webapps/mpp/ua/privacy-full

You may object to this processing of your data at any time by sending a message to PayPal. However, PayPal may still be entitled to process your personal data if this is necessary for the contractual processing of payments.

- Google Pay
If you choose the payment method "Google Pay" of Google Ireland Limited, Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland ("Google"), the payment processing is carried out via the "Google Pay" application of your mobile device running at least Android 4.4 ("KitKat") and hav-ing an NFC function by charging a payment card deposit-ed with Google Pay or a payment system verified there (e.g. PayPal). For the release of a payment via Google Pay in the amount of more than €25, the prior unlocking of your mobile end device by the respective verification measure set up (such as facial recognition, password, fin-gerprint or pattern) is required. For the purpose of payment processing, the information you provide during the ordering process, together with information about your order, will be passed on to Google. Google then transmits your payment information stored in Google Pay in the form of a uniquely assigned transaction number to the source website, with which a completed payment is verified. This transaction number does not contain any information about the real payment data of your payment means stored in Google Pay, but is created and transmitted as a one-time valid numeric token. For all transactions via Google Pay, Google only acts as an intermediary to process the payment transaction. The transaction is carried out exclusively in the relationship between the user and the source web-site by debiting the means of payment deposited with Google Pay. If personal data is processed during the described transfers, the processing is carried out exclusively for the purpose of payment processing in accordance with Art. 6 (1) lit. b DSGVO. Google reserves the right to collect, store and evaluate certain transactionspecific information for each transaction made via Google Pay. This includes the date, time and amount of the transaction, merchant location and description, a description of the purchased goods or services provided by the merchant, photos that you have attached to the transaction, the name and email address of the seller and buyer or the sender and recipient, the payment method used, your description for the reason for the transaction and, if applicable, the offer associated with the transaction. According to Google, this processing is carried out exclusively in accordance with Art. 6 para.1 lit. f DSGVO on the basis of the legitimate interest in proper billing, verification of transaction data and optimization and function maintenance of the Google Pay service. Google also reserves the right to merge the processed transaction data with other information that is collected and stored by Google when using other Google services. The terms of use of Google Pay can be found here: https://payments.google.com/payments/apis-se-cure/u/0/get_legal_document?ldo=0&ldt=googlepaytos&ldl=en
Further information on data protection with Google Pay can be found at the following Internet address: https://payments.google.com/payments/apis-se-cure/get_legal_document?ldo=0&ldt=privacynotice&ldl=en

7.6. Passing on personal data to debt collection agencies
If you as a customer do not meet your payment obligations, we will pass on your data to the following company for the purpose of implementing receivables management:
IHD Kreditschutzverein e.V., Augustinusstraße 11 B, D-50226 Frechen, Germany.
You can find more information about the IHD's data protection policy at the following Internet address: https://www.ihd.de/datenschutz/index-english.html

8) Online marketing
8.1 Apple Search Ads
In order to measure the success of our app marketing campaigns, we use Apple Search Ads, a service provided by Apple Distribution International Ltd., Hollyhill Industrial Estate, Hollyhill, Cork, Ireland.
Apple provides us exclusively with aggregated and anonymised performance data that does not allow any conclusions to be drawn about individual persons.
The processing is carried out on the basis of our legitimate interest pursuant to Article 6 para. 1 lit. f GDPR in order to analyse the success of our advertising campaigns and optimise our marketing measures.
For further information, please refer to Apple's privacy policy at:
https://www.apple.com/legal/privacy/de-ww/

8.2 App Store Connect
We use App Store Connect, a developer portal provided by Apple Distribution International Ltd., Hollyhill Industrial Estate, Hollyhill, Cork, Ireland.
Apple provides us exclusively with aggregated and anonymised performance data that does not allow any conclusions to be drawn about individual persons.
The processing is carried out on the basis of our legitimate interest pursuant to Article 6 para. 1 lit. f GDPR in order to analyse the success of our advertising campaigns and optimise our marketing measures.
For further information, please refer to Apple's privacy policy at:
https://www.apple.com/legal/privacy/de-ww/

8.3 Google Play Console
We use Google Play Console, a developer portal provided by Google Ireland Limited, Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland (‘Google’).
Google provides us exclusively with aggregated and anonymised metrics on the use of our app (e.g. number of downloads or uninstallations). It is not possible to identify individual users.
The processing is carried out on the basis of our legitimate interest pursuant to Article 6 para. 1 lit. f of GDPR in order to evaluate and improve the technical functionality and reach of the app.
For further information, please refer to Google's privacy policy at:
https://policies.google.com/privacy

9) Webanalysedienste und sonstige Tools
9.1. Google Analytics for Firebase
With your consent, this app uses the Google Analytics for Firebase or Firebase Analytics service provided by Google Ireland Limited, Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland (‘Google’). Firebase Analytics is used to analyse the use of our app in order to improve its stability and user-friendliness. For this purpose, pseudonymised event data is processed.

Firebase Analytics may share data with other Firebase services provided by Google (e.g. Crashlytics, Remote Config or Notifications). In addition, the integrated link to Google Ads can be used to evaluate the effectiveness of our advertising campaigns.

The processing is based on your consent in accordance with Article 6 para. 1 lit. a of GDPR, and the consent can be given when you first start the app. You may withdraw your consent at any time in the app settings under ‘Analysis & Improvement’ with effect for the future.

For more information on how Google Analytics for Firebase handles user data, please refer to Google's privacy policy:
https://support.google.com/analytics/answer/6004245?hl=de
https://support.google.com/analytics/answer/6004245?hl=de

9.2 Firebase Crashlytics
With your consent, this app uses the software development kit (SDK) from Firebase Crashlytics, a service provided by Google Ireland Limited, Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland (‘Google’). Firebase Crashlytics is used exclusively for analysing app errors and for technical optimisation.
Where legally required, processing is based on your consent in accordance with Article 6 para. 1 lit. a of GDPR. You may revoke your consent at any time with future effect in the app settings under Analysis & Improvement.
For more information on how Crashlytics handles user data, please refer to the Firebase Crashlytics privacy policy at:
https://firebase.google.com/support/privacy

9.3 Google Firebase Remote Config
We use the Firebase Remote Config service provided by Google Ireland Limited, Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland (‘Google’). Firebase Remote Config enables us to dynamically control and customise app content and functions.
The processing is based on our legitimate interest pursuant to Article 6 para. 1 lit. f of GDPR in order to keep the app technically up to date and to ensure its functionality. There is no analysis of user behaviour and no profiling.
For more information about Firebase Remote Config, please visit:
https://firebase.google.com/terms

9.4 - Google Maps
On our website, we use Google Maps (API) from Google Ireland Limited, Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland ("Google"). Google Maps is a web service for displaying interactive (land) maps in order to visually display geographical information. By using this service, you will be shown various locations, and it will be easier for you to find them.

Information about your use of our website (such as your IP address) is transmitted to Google servers and stored there when you visit those sub-pages in which the Google Maps map is integrated; this information may also be transmitted to Google LLC servers in the USA. This occurs regardless of whether Google provides a user account via which you are logged in or whether a user account exists. If you are logged in to Google, your data will be directly assigned to your account. If you do not wish to have your data associated with your Google profile, you must log out before activating the button. Google stores your data (even for users who are not logged in) as usage profiles and evaluates them. The collection, storage and analysis are carried out in accordance with Art. 6 para. 1 lit. f of the GDPR on the basis of Google's legitimate interest in displaying personalised advertising, market research and/or the needs-based design of Google websites. You have the right to object to the creation of these user profiles, and you must contact Google to exercise this right. If you do not agree to the future transmission of your data to Google in the context of the use of Google Maps, you also have the option of completely deactivating the Google Maps web service by switching off the JavaScript application in your browser. Google Maps and thus also the map display on this website can then not be used.

You can view Google's terms of use at https://policies.google.com/terms?hl=en-GB&gl=de, and the additional terms of use for Google Maps can be found at https://www.google.com/intl/de_US/help/terms_maps.html
Detailed information on data protection in connection with the use of Google Maps can be found on Google's website (Google Privacy Policy): https://policies.google.com/privacy?hl=en-GB&gl=de,

As far as legally required, we have obtained your consent in accordance with Art. 6 para. 1 lit. a of the GDPR for the processing of your data as described above. You can revoke your consent at any time with future effect. To exercise your right of revocation, deactivate this service in the Cookie Consent Tool provided on the website.

10) Rights of data subjects
10.1 The applicable data protection law grants you comprehensive data subject rights with respect to the data controller responsible for processing your personal data (rights of access and intervention) about which we inform you below:
- Right to information in accordance with Art. 15 of the GDPR: In particular, you have a right of access concerning your personal data processed by us, the purposes of the processing, the categories of personal data processed, the recipients or categories of recipients to whom your data has been or is disclosed, the planned storage duration or the criteria for determining the storage duration, the existence of any right to rectification, erasure, restriction of processing, objection to processing, complaining to a supervisory authority, the source of your data if it was not collected from you by us, the existence of any automated decision making including profiling and if necessary important information on the logic involved and the scope concerning you and the desired effects of such processing as well as your right to notification about which guarantees exist as per Art. 46 of the GDPR on transferring your data to third countries;
- Right to rectification in accordance with Art. 16 of the GDPR: You have a right to immediate rectification of incorrect data concerning you and/or completion of your incomplete data stored by us;
- Right to erasure in accordance with Art. 17 of the GDPR: You have the right to demand erasure of your personal data subject to the provisions of Art. 17 para. 1 of the GDPR. However, this right shall not apply in particular if the processing is necessary to exercise the right to free expression of opinion and to information, to fulfil any legal obligation, for reasons of public interest or to assert, exercise or defend legal claims;
- Right to restriction of processing in accordance with Art. 18 of the GDPR: You have the right to demand restriction of the processing of your personal data as long as the accuracy of our data disputed by you is reviewed, if you reject erasure of your data on account of unreliable data processing and instead demand restriction of the processing of your data, if you need your data to assert, exercise or defend legal claims, after we no longer require such data once it has achieved its purpose or if you have submitted an objection for reasons pertaining to your specific situation, unless it is yet to be determined whether our legitimate reasons prevail;
- Right to information in accordance with Art. 19 of the GDPR: If you have asserted the right to rectification, erasure or restriction of processing to the data controller, this entity is obliged to inform all the recipients to whom the personal data concerning you has been disclosed of such rectification or erasure of data or restriction of processing, unless this proves to be impossible or is associated with disproportionate costs. You have the right to be informed of such recipients.
- Right to data portability in accordance with Art. 20 of the GDPR: You have the right to receive your personal data which you have made available to us in a structured, accessible and machine-readable format or to demand transmission to another data controller insofar as this is technically feasible;
- Right to revoke consent given in accordance with Art. 7 para. 3 of the GDPR: You have the right to withdraw your consent to the processing of data at any time with future effect. In the event of withdrawal, we will immediately delete the data concerned, unless further processing can be legally based on processing that does not require consent. The withdrawal of the consent does not affect the lawfulness of the processing carried out on the basis of the consent prior to the withdrawal;
- Right to lodge a complaint in accordance with Art. 77 of the GDPR: If you are of the opinion that the processing of personal data concerning you is in breach of the GDPR, you have – regardless of any other administrative or legal remedy – the right to complain to a supervisory authority, particularly in the member state of your place of residence, your workplace or the place of the presumed infringement.
10.2 RIGHT TO OBJECT
IF AS PART OF THE BALANCING OF INTERESTS WE PROCESS YOUR PERSONAL DATA ON THE BASIS OF OUR PREVAILING LEGITIMATE INTEREST, YOU HAVE THE RIGHT AT ANY TIME TO SUBMIT AN OBJECTION TO SUCH PROCESSING WITH FUTURE EFFECT FOR REASONS ARISING FROM YOUR SPECIFIC SITUATION.
IF YOU MAKE USE OF YOUR RIGHT OF OBJECTION, WE WILL STOP PROCESSING THE DATA CONCERNED. HOWEVER, WE RESERVE THE RIGHT TO FURTHER PROCESSING IF WE CAN PROVE COMPELLING GROUNDS FOR PROCESSING WORTHY OF PROTECTION WHICH OUTWEIGH YOUR INTERESTS, FUNDAMENTAL RIGHTS AND FREEDOMS, OR IF THE PROCESSING IS FOR THE PURPOSE OF ASSERTING, EXERCISING OR DEFENDING LEGAL CLAIMS.
IF YOUR PERSONAL DATA IS PROCESSED BY US IN ORDER TO CONDUCT DIRECT ADVERTISING, YOU HAVE THE RIGHT TO OBJECT AT ANY TIME TO THE PROCESSING OF YOUR PERSONAL DATA FOR THE PURPOSE OF SUCH ADVERTISING. YOU CAN EXERCISE THE OBJECTION AS DESCRIBED ABOVE.
IF YOU MAKE USE OF YOUR RIGHT TO OBJECT, WE WILL CEASE PROCESSING THE DATA IN QUESTION FOR THE PURPOSE OF DIRECT ADVERTISING.

11) Duration of storage of personal data
The duration of the storage of personal data is measured on the basis of the respective legal basis, the processing purpose and - if relevant - also on the basis of the respective statutory retention period (e.g. retention periods under commercial and tax law).
When personal data is processed on the basis of express consent in accordance with Art. 6 para. 1 lit. a of the GDPR, this data is stored until the person concerned revokes his or her consent.
If there are statutory retention periods for data that is processed within the scope of legal obligations or similar obligations on the basis of Art. 6 para. 1 lit. b of the GDPR, this data will be routinely deleted after expiry of the retention periods, provided that it is no longer required for the performance of the contract or the initiation of the contract and/or there is no legitimate interest on When processing personal data on the basis of Art. 6 para. 1 lit. f of the GDPR, this data is stored until the data subject exercises his or her right to object in accordance with Art. 21 para. 1 of the GDPR, unless we can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or the processing is for the purpose of asserting, exercising or defending legal claims.
When processing personal data for the purpose of direct marketing on the basis of Art. 6 para. 1 lit. f of the GDPR, this data will be stored until the data subject exercises his or her right to object in accordance with Art. 21 para. 2 of the GDPR.
Unless stated otherwise in the other information in this statement about specific processing situations, stored personal data will be deleted when it is no longer necessary for the purposes for which it was collected or processed.