Data protection information for our customers

As of May 25, 2018

With this data protection notice, we inform you, our customers, in accordance with the EU General Data Protection Regulation (GDPR), which will apply from May 25, 2018, about the processing of your personal data by us and your rights. Where necessary, these instructions will be updated and published at aventoura-cuba.com  There you will also find further data protection information for visitors to our website, which are largely applicable to you.

1)  Who is responsible for data processing and who can you contact?

We are responsible for data processing – your tour operator avenTOURa GmbH, Rehlingstraße 17, 79100 Freiburg. You can contact our data protection officer, Mr. Juan Pablo Paltán Paredes, at the email address datenschutz (at) aventoura-cuba.com.

2)  Which data and which sources do we use? We process data that we receive in the course of processing our business relationship with you. We receive the data directly from you, e.g. as part of the travel or rental car booking or another order. Specifically, for the execution of our services we process:

• Master data for the implementation and fulfillment of the travel service. (e.g. name and address of the travel applicant, email address, telephone number, name of the people traveling with you, and the date of birth or age of all travelers)
• If necessary. Authentication data for VISA applications (e.g. ID card data)
• Data in connection with payment processing and, if necessary, as security for depositing travel services (e.g. bank details, credit card details)
• Correspondence (e.g. correspondence or email with you)
• Data of your past or previous bookings and stays as far as booked or arranged through us (e.g. previous trips, personal preferences, reviews)
• Advertising and sales data (e.g. about new potentially interesting offers)
• Health data for the prevention of accidents and for the protection of the traveler (e.g. degree of physical disability, severely disabled person’s pass, food intolerance, allergies, pregnancies)

3) On what legal basis is your data used (purpose of data processing)?

The following information provides information about why and for what purpose we process your data.

3.1) To fulfill contractual obligations (Art. 6 Para. 1 lit. b EU GDPR)

We process your data to carry out our contracts with you, i.e. in particular for the implementation and processing of the booked travel services. The purposes of the data processing depend on the specific travel services and the contract documents (e.g. overnight stay, transfer, rental car, flights)

3.2) In the context of balancing interests (Art. 6 Para. 1 lit.f EU GDPR) 

Your data can be used by us or by third parties to protect legitimate interests. This is done for the following purposes:

• Support of our sales organization in travel advice and support and sales in the context of travel support

• Further development of travel services and additional products

• Advertising, market and opinion research

• Assertion of legal claims and defense in legal disputes

• Crime prevention and investigation

• Ensuring IT security and availability of IT operations Our interest in the respective processing results from the respective purposes and is otherwise of an economic nature (efficient performance of tasks, sales, avoidance of legal risks). As far as the specific purpose allows, we process your data pseudonymized or anonymized

3.3) On the basis of your consent (Art. 6 para. 1 lit. a EU GDPR) 

If you have given us consent to the processing of your personal data, this respective consent is the legal basis for the processing mentioned there. In addition, you may have consented to advertising by email, phone or messenger service. You can withdraw your consent at any time with future effect. This also applies to declarations of consent that you gave us before the GDPR became applicable, i.e. before May 25, 2018. The revocation only applies to future processing, not to those who have already done so. Please contact our contact address.

3.4) Due to legal requirements (Art. 6 Para. 1 lit. c EU GDPR)

We are subject to various legal obligations and legal requirements (e.g. Civil Code (BGB), Commercial Code (HGB), GoB, Passenger Data Act, EU Package Travel Directive, Tax Laws of the Federal Republic of Germany). The purposes of the processing include identity and age verification, fraud prevention, the fulfillment of tax control and reporting obligations as well as the assessment and management of risks.

4) Who gets my data?

Your data will only be passed on in compliance with the EU GDPR and only to the extent that a legal basis permits this. Within our sales organization, only those places will receive your data that they need to fulfill our contractual and legal obligations or to fulfill their respective tasks (e.g. sales, customer care, travel management, tour operators, hotels, rental cars or transfer companies).

The following positions can also receive your data:

• Processors we use (Art. 28 EU GDPR), in particular in the area of ​​booking systems and IT services, logistics and printing services, which process your data for us in accordance with the instructions

• Public bodies and institutions (financial authorities, embassies of the target country) if there is a legal or official obligation (retention requirements, VISA procurement, obtaining entry requirements) and

• Other bodies for which you have given us your consent to the transfer of data.

5) How long will my personal data be saved?

If necessary, we process your personal data for the duration of our business relationship, which also includes the initiation and processing of a contract for the processing of a travel service. In addition, we are subject to various storage and documentation obligations, which result from the Civil Code (BGB), the Commercial Code (HGB), the Tax Code (AO) and the EU Package Travel Directive. The periods for storage and documentation specified there are two to a maximum of ten years. Finally, the storage period is also assessed according to the statutory limitation periods, which are usually three years, for example, according to §§ 195 ff. Of the German Civil Code (BGB). Your personal data will be stored on the basis of your consent until further notice.

6) Will my data be transferred to a third country?

We only transfer your data to countries outside the European Union insofar as this is necessary for the execution and processing of travel services or is required by law or you have given us your consent (e.g. long-distance travel).

7) Do I have certain rights in handling my data?

Under the respective legal requirements, you have the right to information (Art. 15 EU GDPR, § 34 Federal Data Protection Act (BDSG) as of May 25, 2018), to correction (Art. 16 EU GDPR), to deletion (Art. 17 EU GDPR or § 35 BDSG), on processing restrictions (Art. 18 EU GDPR) and on data portability (Art. 20 EU GDPR). You also have the right to lodge a complaint with a data protection supervisory authority (Art. 77 EU GDPR or § 19 BDSG).

8) Is there an obligation for me to provide my data? 

As part of our business relationship, you only have to provide the personal data that is necessary for the establishment, implementation and termination of a business relationship or that we are legally obliged to collect. Without this data, we will usually have to reject the conclusion of the contract or the execution of the order or will no longer be able to carry out an existing contract and may have to terminate it.

9) Is there automated decision making in individual cases?

In principle, we do not use automated decision-making in accordance with Art. 22 EU GDPR to establish and carry out the business relationship. If we use these procedures in individual cases, you will be informed separately if this is required by law.

10) Is my data used in any way for profiling?

We process your data partially automatically with the aim of evaluating your potential interest in certain products, offers and services. (so-called “profiling” according to Art. 4 No. 4 EU GDPR) The evaluation is carried out using statistical methods, taking into account your previously booked trips and services with us. We use the results of these analyzes for a targeted and needs-based customer approach.

11) What rights do I have as a customer?

You have the right, for reasons that arise from your particular situation, at any time against the processing of your personal data, which is based on Article 6 paragraph 1 lit. f EU GDPR (data processing on the basis of a balance of interests) takes place to object. This also applies to profiling based on this provision within the meaning of Art. 4 No. 4 EU GDPR, which e.g. for customer advice and support. If you object, we will no longer process your personal data. In addition, according to Art. 15 EU GDPR, you have a permanent right to withdraw your consent to data processing for other purposes if you have given us your consent of this form. The objection can be made form-free to the contact address known to you. Every data subject has the right to lodge a complaint with the supervisory authority if they believe that the processing of their data violates data protection regulations. The right to lodge a complaint can be made, in particular, with the supervisory authority in your federal state or at the location of the relevant infringement. A current list of the responsible supervisory authorities can be found at https://www.bfdi.bund.de/DE/Infothek/Anschriften_Links/anschriften_links-node.html (accessed on March 15, 2018)