Privacy Policy

In this Privacy Policy, we provide information about the processing of personal data when you use our website.

Personal data is information that relates to an identified or identifiable individual. This primarily includes information that allows conclusions to be drawn about your identity, such as your name, phone number, address, or email address. However, certain identifiers, such as your IP address or the device ID of the device you are using, are also considered personal data.

Contact

The contact person and the so-called “controller” responsible for processing your personal data when you visit this website, as defined by the General Data Protection Regulation (GDPR), is

FTM FrankenTourismus Marketing GmbH
Pretzfelder Straße 15
90425 Nuremberg
Phone +49 911 94151 20
Fax +49 911 94151 10
Email ftm@frankentourismus.de.

Visits to Our Website / Access Data

Every time you use our website, we collect the access data that your browser automatically transmits to enable you to visit the website. The access data includes what is known as HTTP header information, including the user agent, and specifically includes:

  • IP address of the requesting device;
  • Method (e.g., GET, POST), date, and time of the request;
  • Address of the accessed website and path of the requested file;
  • If applicable, the previously accessed website/file (HTTP Referer);
  • Information about the browser and operating system used;
  • Version of the HTTP protocol, HTTP status code, and size of the file delivered;
  • Request information such as language, content type, content encoding, and character sets;
  • Cookies from the accessed domain stored on the end device (including session IDs).

The processing of this access data is absolutely necessary to enable visits to the website, to ensure the ongoing functionality and security of our systems, and to perform general administrative maintenance of our website. For the purposes described above, the access data is also temporarily stored in internal log files so that, for example, in the event of repeated or malicious access attempts that jeopardize the stability and security of our website, we can identify the cause and take appropriate action.

The legal basis is Article 6(1)(b) of the GDPR, provided that the page visit occurs in the course of initiating or performing a contract, and otherwise Article 6(1)(f) of the GDPR based on our legitimate interest in the ongoing functionality and security of our systems.

Log files are generally stored for 7 days and then archived after being anonymized. In exceptional cases, individual log files and IP addresses are retained for a longer period to prevent further attacks from that IP address in the event of a cyberattack and/or to take legal action against the attackers.

Contact

You have various options for contacting us. This includes the contact form, e-mail or phone. In this context, we process data exclusively for the purpose of communicating with you.

The legal basis is Art. 6 para. 1 p. 1 lit. b DSGVO, insofar as your information is required to answer your inquiry or to initiate or execute a contract, and otherwise Art. 6 para. 1 p. 1 lit. f DSGVO due to our legitimate interest that you contact us and we can answer your inquiry.

The data we collect when you contact us will be automatically deleted after we have fully processed your request, unless we still need your request to fulfill contractual or legal obligations (see section "Duration of Storage").

Use of Cookies and Similar Technologies

This website uses various services and applications (collectively referred to as “tools”) provided either by us or by third parties. These include, in particular, tools that use technologies to store information on or access the user’s device:

  • Cookies: A cookie is a small text file stored on your device by your browser. It consists of a name, a value, the domain that stored it, and an expiration date. So-called session cookies (e.g., PHPSESSID) are deleted at the end of the session, while so-called persistent cookies are deleted after their specified expiration date. Cookies can also be deleted manually. Cookies are not used to run programs or download viruses onto your computer.
  • Web Storage (Local / Session Storage): Items in Web Storage are pieces of information stored on the user's device, consisting of a name and a value. Information in session storage is deleted after the session ends, while information in local storage has no expiration date and generally remains stored unless a mechanism for deletion has been set up (e.g., storing local storage with a time stamp). Information in local and session storage can also be removed manually.
  • JavaScript: These are pieces of code (scripts) embedded in or called by the website that, for example, set cookies and web storage or actively collect information from the user’s device or about visitors’ usage behavior. JavaScript may be used for “active fingerprinting” and the creation of usage profiles. JavaScript can be blocked via a browser setting; however, most services will then no longer function.
  • Pixels: A pixel is a tiny graphic automatically loaded by a service that can make it possible to recognize visitors through the automatic transmission of standard access data and, for example, to detect when an email is opened or a website is visited. Pixels can thus be used, where applicable, for “passive fingerprinting” and the creation of usage profiles. The use of pixels can be prevented, for example, by blocking images—such as those in emails—though this will significantly limit the display.

With the help of these technologies—and even simply by establishing a connection on a page—so-called “fingerprints” can be created, that is, usage profiles that do not rely on cookies or web storage but can still recognize visitors. Fingerprints based on the connection setup cannot be completely prevented manually.

Most browsers are set by default to accept cookies, execute scripts, and display images. However, you can usually adjust your browser settings to reject all or only certain cookies, or to block scripts and images. If you completely block the storage of cookies, the display of images, and the execution of scripts, our services will likely not function or may not function properly.

The tools we use are listed below by category; we provide specific information regarding the tool providers, the retention period for cookies or data in local storage and session storage, and the sharing of data with third parties. We also explain in which cases we obtain your voluntary consent to use these tools and how you can revoke that consent.

If—despite our best efforts—the information in the cookie banner contradicts that in this Privacy Policy, the information in this Privacy Policy takes precedence.

Legal Basis and Right of Withdrawal

Legal Basis

We use tools necessary for website operation based on our legitimate interest pursuant to Article 6(1)(f) of the GDPR to provide the basic functions of our website. In certain cases, these tools may also be necessary for the performance of a contract or for the implementation of pre-contractual measures; in such cases, processing is carried out pursuant to Article 6(1)(b) of the GDPR. Access to and storage of information on the end device is absolutely necessary in these cases and is carried out on the basis of the implementing laws of the EU Member States’ ePrivacy Directive; in Germany, this is pursuant to Section 25(2) of the TDDDG.

We use all other non-essential (optional) tools that provide additional functions based on your consent in accordance with Article 6(1), sentence 1, letter a of the GDPR. Access to and storage of information on the end device is then based on the implementing laws of the EU Member States’ ePrivacy Directive; in Germany, this is pursuant to Section 25(1) of the TDDDG. Data processing using these tools takes place only if we have obtained your prior consent.


If personal data is transferred to third countries, we refer you to the section “Data Transfers to Third Countries,” including with regard to any associated risks. We will inform you if an adequacy decision exists for the third country in question or if standard contractual clauses or other safeguards have been implemented for the use of certain tools. If you have given your consent to the use of certain tools and to the associated transfer of your personal data to third countries, we will transfer the data processed during the use of the tools to third countries (also) on the basis of this consent in accordance with Article 49(1)(a) of the GDPR.

Obtaining your consent

To obtain and manage your consent, we use a tool provided by KIProtect GmbH, Bismarckstr. 10-12, 10625 Berlin, Germany (“Klaro”). This tool generates a banner that informs you about data processing on our website and allows you to consent to all, some, or none of the data processing activities using optional tools.

This banner appears the first time you visit our website and when you revisit your settings to change them or withdraw your consent. The banner also appears on subsequent visits to our website if you have disabled cookies or if the cookies have been deleted or have expired.

Klaro does not collect or store any personally identifiable data from website visitors. When a visitor gives consent, only a technical record of that consent is stored on the server, which enables compliance with the GDPR’s requirements for documenting consent. This includes information about the individual consent decision, the Klaro configuration ID, the type of consent, the URL, and the subpage of the website where consent was given, as well as anonymized information about the visitor. For more information on this, please see Klaro’s Privacy Policy. In addition, necessary information is stored on your device to document the consents you have given and any revocations (cookie: “timm4cookie-consent” for 1 year).

Data processing by Klaro is necessary to provide you with the legally required consent management and to comply with our documentation obligations. The legal basis for using Klaro is Article 6(1), first sentence, subparagraph (f) of the GDPR, based on our interest in fulfilling the legal requirements for consent management. Access to and storage of information on the end device is absolutely necessary in these cases and is carried out in accordance with the implementing laws of the EU Member States’ ePrivacy Directive; in Germany, this is pursuant to Section 25(2) of the TDDDG.

Withdrawing Your Consent or Changing Your Selection

You can revoke your consent for certain tools at any time, effective for the future. To do so, click the “Privacy Settings” link at the bottom of the website’s footer. There, you can also change which tools you consent to and find additional information about the cookies and their respective retention periods. Alternatively, you can submit your revocation directly to the provider for certain tools.

Datenschutz-Einstellungen öffnen

Required Tools

We use certain tools to enable the basic functions of our website (“necessary tools”). These include, for example, tools for processing and displaying website content, as well as for managing and integrating tools. Without these tools, we would not be able to provide our service. Therefore, necessary tools are used without consent based on our legitimate interests pursuant to Article 6(1)(f) of the GDPR, or to fulfill a contract or to take steps prior to entering into a contract pursuant to Article 6(1)(b) of the GDPR. Access to and storage of information on the end device is absolutely necessary in these cases and is carried out on the basis of the implementing laws of the EU Member States’ ePrivacy Directive; in Germany, this is pursuant to Section 25(2) of the TDDDG.

First-Party Cookies

We use our own necessary cookies (such as “PHPSESSID” for the duration of the session), in particular

  • to save your language settings,
  • to save your form entries or map and filter settings,
  • to note that you have viewed a piece of information displayed on our website—so that it is not displayed again the next time you visit the website.

YouTube-Videos

We have embedded videos on our websites that are stored on YouTube and can be played directly from our websites. YouTube is a multimedia service provided by YouTube LLC, 901 Cherry Ave., San Bruno, CA 94066, USA (“YouTube”), which is provided to users in the European Economic Area and Switzerland by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, and to all other users by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (collectively “Google”).

In this process, YouTube may use technologies such as local storage, session storage, and JavaScript, which access information on your device. We have enabled YouTube's enhanced privacy mode. According to YouTube's own documentation, this means that Google receives less usage information and does not personalize video recommendations or advertisements. Cookies are no longer stored.

The following information may be stored in local storage:

  • “yt-remote-device-id”: Storage of the device ID;
  • “yt-player-headers-readable”: Storage of the ability to read player header information;
  • “yt.innertube::requests”: Storage of the user’s requests;
  • “yt.innertube::nextId”: Stores the ID of the next video;
  • “yt-remote-connected-devices”: Stores the connected devices;
  • “yt-player-bandwidth”: Stores the connection bandwidth;
  • “yt-player-volume”: Stores the video volume;
  • “yt-player-quality”: Stores the video resolution/quality;
  • “yt-player-performance-cap”: Stores a possible resolution cap based on the connection’s bandwidth;
  • “yt-player-performance-cap-active-set”: Stores a possible resolution cap based on the connection’s bandwidth;
  • “ytidb::LAST_RESULT_ENTRY_KEY”: Stores the most recently searched-for video.

The following information can be stored in session storage:

  • “yt-remote-session-app”: Stores the type of device;
  • “yt-remote-cast-installed”: Stores whether YouTube streaming is installed;
  • “yt-remote-session-name”: Stores the type of device;
  • “yt-remote-cast-available”: Stores whether YouTube streaming is available;
  • “yt-remote-fast-check-period”: Stores the interval for checking the connection’s bandwidth;
  • “yt-player-volume”: Stores the video’s volume.

The legal basis for this data processing is Article 6(1), first sentence, subparagraph (f) of the GDPR, based on our legitimate interest in embedding and playing videos on our website at your request. Access to and storage of information on your device is absolutely necessary in these cases and is carried out in accordance with the implementing laws of the EU Member States’ ePrivacy Directive; in Germany, this is pursuant to Section 25(2) of the TDDDG. A connection to YouTube is established only after you click on the thumbnail. In this regard, we have implemented the so-called “two-click solution” to ensure that YouTube videos are loaded only upon your explicit request.

When you visit our website, YouTube and Google receive information indicating that you have accessed the corresponding page on our website. This occurs regardless of whether you are logged in to YouTube or Google. YouTube and Google may also use this data for advertising, market research, and to tailor their services to user needs. If you access YouTube on our website while logged into your YouTube or Google account, YouTube and Google may also associate this activity with your respective accounts. If you do not wish for this association to occur, you must log out of Google before visiting our website.

You also have the option to disable personalized ads in Google's ad settings. In this case, Google will only display non-personalized ads: adssettings.google.com

Data generated through the use of YouTube may be transferred by Google Ireland Limited to Google LLC in the United States. Google LLC has completed the certification process under the EU-U.S. Data Privacy Framework and is therefore eligible to rely on the European Commission’s new adequacy decision (Art. 45 GDPR) for the United States: www.dataprivacyframework.gov

For more information, please see Google’s Privacy Policy, which also applies to YouTube: policies.google.com/privacy.

Google Search Engine (CSE)

On our website, we use the Google search engine (CSE) to search for content and posts. For individuals in the European Economic Area and Switzerland, this service is provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, and for all other individuals, by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (collectively “Google”). As part of the search function, standard access data and the search terms entered are processed.

The legal basis for this data processing is Article 6(1)(f) of the GDPR, based on our legitimate interest in ensuring that you can find the content on our website quickly and easily. Access to and storage of information on the end device is absolutely necessary in these cases and is carried out in accordance with the implementing laws of the EU Member States’ ePrivacy Directive; in Germany, this is pursuant to Section 25(2) of the TDDDG.

The data generated when using the Google search engine (CSE) may be transferred by Google Ireland Limited to Google LLC in the United States. Google LLC has completed the certification process under the EU-U.S. Data Privacy Framework and may therefore invoke the European Commission’s new adequacy decision (Article 45 of the GDPR) for the United States: www.dataprivacyframework.gov

Functional Cookies

We also use tools to improve the user experience on our website and to offer you additional features (“functional tools”). While these are not strictly necessary for the basic functionality of the website, they can provide users with significant benefits, particularly in terms of user-friendliness and the provision of additional communication, display, or payment channels.

The legal basis for the functional tools is your consent pursuant to Article 6(1)(a) of the GDPR. Access to and storage of information on your device is then based on the implementing laws of the EU Member States’ ePrivacy Directive; in Germany, this is pursuant to Section 25(1) of the TDDDG. To withdraw your consent, see the section “Withdrawing Your Consent or Changing Your Selection.”

Analysis Tools

To improve our website, we use optional tools to recognize visitors and to collect and analyze general usage patterns based on access data (“analytics tools”). We also use analytics services to evaluate the use of our various marketing channels. The usage information collected is aggregated and enables us to understand the usage habits of our visitors. This helps us adapt and optimize the design of our website and make the user experience more enjoyable.

The legal basis for the analytics tools is your consent pursuant to Art. 6(1)(a) of the GDPR. Access to and storage of information on your device is then based on the implementing laws of the EU Member States’ ePrivacy Directive; in Germany, this is pursuant to Section 25(1) of the TDDDG. To withdraw your consent, see the section “Withdrawing Your Consent or Changing Your Preferences.” 

Plausible Analytics

We use Plausible Analytics on our websites, a web analytics tool provided to us by Plausible Insights OÜ, Västriku tn 2, 50403, Tartu, Estonia.

We self-host Plausible Analytics, so all collected data is processed exclusively on our own servers. No data is shared or transferred to third parties.

Plausible Analytics does not set any cookies or store any information in users’ browsers. Plausible Analytics uses only a script to collect usage data for statistical purposes. This data consists of aggregated information about the pages visited, the referring pages (referrers), the date and time of visits, the browsers, devices, and operating systems used, as well as the approximate location. In this context, a person can only be identified for the duration of one day based on a hashed fingerprint derived from your IP address, your browser’s user agent, and a randomly generated value that changes daily (known as a “salt”). However, no visitor profiles are created. We use the insights gained to optimize our content and services accordingly.

The legal basis for this data processing is your consent pursuant to Article 6(1)(a) of the GDPR. Access to and storage of information on your device is then based on the laws implementing the EU ePrivacy Directive in each EU member state; in Germany, this is pursuant to Section 25(1) of the TDDDG.

For more information, please see the Plausible Analytics Privacy Policy: plausible.io/privacy.

Umami Analytics

We use Umami Analytics on our website, a web analytics tool provided by Umami Software, Inc., 1362 42nd Ave, San Francisco, California, 94122, USA.

We self-host Umami Analytics, so all collected data is processed exclusively on our own servers. No data is shared or transferred to third parties.

Umami Analytics does not set cookies or store any information in users' browsers. Umami Analytics uses only a script to collect usage data for statistical purposes. This information includes pages visited, referring pages (referrers), the date and time of visits, the browsers, devices, and operating systems used, screen size, interactions such as clicked links and buttons, as well as the language and approximate location (country, city, region). It is possible to identify an individual using a hashed fingerprint based on your IP address, your browser’s user agent, and a random value that changes monthly (known as a “salt”). In addition, profiles are created based on the usage activity of individual visitors, including the number of visits and page views. Furthermore, sessions can be tracked in their entirety and in real time. We use the insights gained to optimize our content and services accordingly. In addition, A/B testing is also possible to evaluate the effects of different designs.

The legal basis for this data processing is your consent pursuant to Article 6(1)(a) of the GDPR. Access to and storage of information on your device is then based on the laws implementing the ePrivacy Directive in EU member states; in Germany, this is pursuant to Section 25(1) of the TDDDG.

For more information, please see the Umami Analytics Privacy Policy: umami.is/privacy.

Marketing Tools

We also use optional tools for advertising purposes (“marketing tools”). Some of the access data generated when you use our website is used to create usage profiles that, in particular, store your usage behavior, the advertisements you have viewed or clicked on, and, based on this, your classification into advertising categories, interests, and preferences. By analyzing and evaluating this access data, we are able to display personalized advertising—that is, advertising that corresponds to your actual interests and needs—on our website and on the websites of other providers. In doing so, we also analyze your usage behavior to recognize you on other sites and address you in a personalized manner based on your use of our site (so-called retargeting). In addition, we evaluate the effectiveness and success of our advertising campaigns (in particular, so-called conversions and leads).

The legal basis for the marketing tools is your consent pursuant to Article 6(1)(a) of the GDPR. Access to and storage of information on your device is then based on the laws implementing the EU ePrivacy Directive in the respective EU member states; in Germany, this is pursuant to Section 25(1) of the TDDDG. To withdraw your consent, see the section “Withdrawing Your Consent or Changing Your Preferences.”


In the following section, we would like to explain these technologies and the providers used for them in more detail. The data collected may include, in particular:

  • the device’s IP address;
  • information from a cookie or stored in local or session storage;
  • the device identifier of mobile devices (e.g., device ID, advertising ID);
  • referrer URL (previously visited page);
  • pages accessed (date, time, URL, title, duration of visit);
  • downloaded files;
  • links clicked to other websites;
  • where applicable, achievement of specific goals (conversions);
  • Technical information: operating system; browser type, version, and language; device type, brand, model, and resolution;
  • Approximate location (country and, if applicable, city).

However, the collected data is stored exclusively in pseudonymized form, so that no direct conclusions about individuals can be drawn.

Google Analytics 4

Our website uses the Google Analytics 4 service ("Google Analytics"), which is provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland for persons from Europe, the Middle East and Africa (EMEA) and by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (together "Google") for all other persons.

Google Analytics uses JavaScript and pixels to read information on your terminal device and cookies to store information on your terminal device. This is used to analyze your usage behavior and improve our website. We will process the information obtained to evaluate your use of the website and to compile reports on website activities for the website operators. The data generated in this context may be transferred by Google to a server in the USA for evaluation and stored there.

As part of the evaluation, Google Analytics 4 also uses artificial intelligence such as machine learning for automated analysis and enrichment of the data. This is done in particular for forecast metrics on the future behavior of visitors based on structured event data, such as the predicted turnover, the probability of purchase and the probability of churn. The forecast metrics can also be used for forecast target groups. To learn more, visit: support.google.com/analytics/answer/9846734. In addition, Google Analytics 4 models conversions where insufficient data is available to optimize analysis and reports. Find out more at: https://support.google.com/analytics/answer/10710245. Data evaluations are automated using artificial intelligence or based on specific individually defined criteria. You can find out more about this at: support.google.com/analytics/answer/9443595.

We have made the following data protection settings for Google Analytics:

  • IP anonymization (shortening of the IP address before evaluation);
  • Automatic deletion of old visit logs by limiting the storage period to 2 months;
  • No reset of the retention period in case of new activity;
  • Disabling the collection of accurate location and position data;
  • Disabled collection of accurate device data;
  • Disabled cross-device and cross-page tracking (Google Signals);
  • Disabled data sharing with other Google products and services, benchmarking, technical support, account manager.


The following data is processed by Google Analytics:

  • IP address;
  • User ID and device ID;
  • Referrer URL (previously visited page);
  • Pages viewed (date, time, URL, title, time spent);
  • Downloaded files;
  • Clicked links to other websites;
  • Achievement of specific goals (conversions), if applicable;
  • Technical information: Operating system; Browser type, version and language; Device type, brand, model and resolution;
  • Approximate location (country and city, if applicable, based on anonymized IP address).

Events/ optimised analyses:

We have activated the optimised analyses in Google Analytics. This means that in addition to the automatically recorded events (page views, start of page view, duration of use, first call to the website) and website-specific events, additional events and interactions of the visitors are also recorded and evaluated with regard to various parameters. You can find more information on this at: support.google.com/analytics

  • Possible website-specific events: Page depth equal to/greater than two, click external accommodation page, click holiday planner, brochure viewed, fill holiday planner, click mail link, brochure ordered, click phone number, click link YouTube, social media link in footer, contact form sent, download PDF holiday planner, click link Facebook, click link Instagram, click link Twitter, click external links, click link komoot, use leaflet catalogues.
  • Events through optimised analytics: scrolls, clicks on external links, website search, interaction with videos, file downloads

Advertising function/ personalised ads:

"As part of Google Analytics, we also use the advertising function for personalised ads. This allows us to personalise our advertisements in Google Ads according to your usage behaviour and interests. These personalised ads are only created and played in German-speaking countries (DACH). You can find more information on this at: support.google.com/analytics/answer/9626162

Google Analytics sets the following cookies for the specified purpose with the respective storage period:

  • "_ga" (2 years), "_gid" (24 hours): Recognition and differentiation of visitors by a user ID;
  • "_ga_[GA-ID]" (2 years): Retention of the information of the current session;
  • "_gac_gb_[GA-ID]" (90 days): Retention of campaign-related information and link to Google Ads Conversion Tracking, if applicable;
  • "IDE" (13 months), if applicable: Recognition and differentiation of visitors by a user ID, recording of interaction with advertising, playing out personalized advertising.


For more information about Google Analytics 4 cookies, please visit: support.google.com.

The legal basis for this data processing is your consent pursuant to Art. 6 Para. 1 p. 1 lit. a DSGVO. Access to and storage of information in the end device is then based on the implementation laws of the ePrivacy Directive of the EU member states, in Germany according to Section 25 (1) TTDSG.

The data generated in this context may be transferred by Google Ireland Limited to Google LLC in the USA. Google LLC has undergone the certification procedure in accordance with the EU-U.S. Data Privacy Framework and can thus invoke the new adequacy decision of the EU Commission (Art. 45 GDPR) for the USA:

www.dataprivacyframework.gov

For more information, please see Google's privacy policy: support.google.com/analytics/answer/6004245.

Google Tag Manager

Our website uses Google Tag Manager, a service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland for persons from the European Economic Area and Switzerland and by Google LLC, 1600 Amphitheatre Parkway Mountain View, CA 94043, USA (together "Google") for all other persons.

The Google Tag Manager is used exclusively to manage website tools by integrating so-called website tags. A tag is an element that is stored in the source code of our website in order to execute a tool, for example through scripts. If these are optional tools, they will only be integrated by the Google Tag Manager with your consent. The Google Tag Manager uses JavaScript and does not use cookies.

The legal basis for this data processing is your consent in accordance with Art. 6 Para. 1 S. 1 lit. a DSGVO. Access to and storage of information in the terminal device is then carried out on the basis of the implementation laws of the ePrivacy Directive of the EU member states, in Germany according to § 25 para. 1 TTDSG.

For the purposes of ensuring stability and functionality, Google collects information on which tags are integrated by our website within the scope of using the Google Tag Manager. However, the Google Tag Manager does not store any personal data beyond the mere establishment of the connection, in particular no data on user behaviour or the pages visited.

The data generated when using the Google Tag Manager may be transferred by Google Ireland Limited to Google LLC in the USA. Google LLC has undergone the certification procedure in accordance with the EU-U.S. Data Privacy Framework and can thus invoke the new adequacy decision of the EU Commission (Art. 45 DSGVO) for the USA: https://www.dataprivacyframework.gov/s/participant-search/participant-detail?id=a2zt000000001L5AAI&status=Active.

For more information, see Google's information on the Tag Manager: https://support.google.com/tagmanager/answer/6102821.

Online presence in social networks

We maintain online presences on social media platforms to, among other things, communicate with customers and prospective customers and provide information about our services and offerings.

1. Processing for Advertising Purposes by Social Network Providers

User data is generally processed by the respective social networks for market research and advertising purposes. This allows usage profiles to be created based on users’ interests. For this purpose, cookies and other identifiers are stored on users’ computers. Based on these usage profiles, advertisements are then displayed, for example, within the social networks as well as on third-party websites.

Please refer to the privacy policies of the respective social networks for the legal basis of the data processing carried out by the social networks under their own responsibility. You can also find further information on the respective data processing activities and your options for objecting via the links below.

2. Processing for Statistical Purposes

As part of the operation of our online platforms, we may have access to information—such as statistics on the use of our online platforms—provided by social networks. These statistics are aggregated and may include, in particular, demographic information (e.g., age, gender, region, country) and data regarding interaction with our online platforms (e.g., likes, subscriptions, shares, viewing of images and videos) and the posts and content shared through them. This information may also provide insights into users’ interests and which content and topics are particularly relevant to them. We may also use this information to adapt the design, activities, and content on our online presence and to optimize them for our audience. Please refer to the list below for details and links to the data from social networks that we, as operators of our online presence, can access. The collection and use of these statistics are generally subject to joint responsibility. Where applicable, the relevant agreement is listed below.

The legal basis for data processing is Article 6(1), first sentence, subparagraph (f) of the GDPR, based on our legitimate interest in effectively informing users and communicating with them, or Article 6(1), first sentence, subparagraph (b) of the GDPR, in order to stay in contact with our customers and keep them informed, as well as to carry out pre-contractual measures with prospective customers and interested parties.

3. Access to Publicly Available Information

If you have an account on the social network, we may be able to view the information you have made publicly available (e.g., your username) and media (e.g., images and videos) when we visit your profile. In addition, the social network may allow us to contact you. This can be done, for example, via direct messages or through posted content. The content of communications via the social network and the processing of that content are the responsibility of the social network as a messaging and platform service. For this processing, please refer to the privacy policy of the respective social network.

4. Processing of Publicly Available Information

Once we import or further process your personal data into our own systems, we are solely responsible for it. The processing is then carried out to implement pre-contractual measures and to fulfill a contract in accordance with Article 6(1)(b) of the GDPR, or to protect our legitimate interests in accordance with Article 6(1)(f) of the GDPR, in order to contact customers.

5. Data Protection Rights

Please note that data protection requests can be most efficiently addressed by contacting the respective social media provider, as only these providers have access to the data and can take appropriate action directly. Of course, you may also contact us with your request. In that case, we will process your request and forward it to the social media provider.

Online Resources Used

Below is a list of information about the social media platforms where we maintain an online presence:

Facebook, Instagram, Threads

The Franconia Tourism Association maintains social media profiles on Meta’s social networks, including Facebook, Instagram, and Threads (so-called “fan pages”). These are provided by Meta Platforms Ireland Ltd., Merrion Road, Dublin 4, D04 X2K5, Ireland (“Meta”).

We regularly share offers, recommendations, and similar content on our fan page.

When you visit our fan pages or other social media sites, the social network operator uses cookies and similar technologies to track your usage behavior. As fan page operators, we can view general statistics regarding the interests and demographic characteristics (such as age, gender, and region) of the fan page audience. When you use social networks, the nature, scope, and purposes of data processing on social networks are primarily determined by the operators of the social network.

When you visit our fan pages, we generally collect all messages, content, and other information that you share directly with us there—for example, when you post something on a fan page or send us a private message—in order to respond to your communication. If you have an account with the respective social network, we can of course also view your public information, such as your username, information in your public profile, and content you share with a public audience. Please note, however, that as the author of the posts, you are independently writing posts and messages that ultimately fall within Meta’s sphere of responsibility. Meta acts as the operator of the messenger, posts, and content and, as an OTT service, is solely responsible for this function.

The situation is different for the data processing described below in connection with usage analysis (Page Insights); for this, we are jointly responsible with Meta. With every interaction with fan pages, Meta uses cookies and similar technologies to track the usage behavior of visitors to the fan page. Based on this, fan page operators receive what are known as “Page Insights.” Page Insights contain only statistical, depersonalized (anonymized) information about visitors to the fan page, which therefore cannot be attributed to any specific individual. We do not have access to the personal data used by Meta to generate Page Insights (“Page Insights data”). The selection and processing of Page Insights data are carried out exclusively by Meta.

Page Insights provide us with insights into how our fan pages are used, what interests our fan page visitors have, and which topics and content are particularly popular. This allows us to optimize our fan page activities, for example, by better tailoring the planning and selection of our content to the interests and usage habits of our audience.

We and Meta are jointly responsible for processing your data to provide Page Insights. To this end, we and Meta have entered into an agreement specifying which company fulfills which data protection obligations under the GDPR with respect to the processing of Page Insights data.

Further information on Page Insights:

Please note that when you use our fan pages, Meta also processes your data for its own purposes, which are not covered in this Privacy Policy. We have no control over these data processing activities by Meta. In this regard, we refer you to the privacy policies of the respective social networks:

The legal basis, insofar as you have consented to Facebook’s collection of Page Insights as described above, is Article 6(1)(a) of the GDPR (consent). Otherwise, the legal basis is Article 6(1), first sentence, letter f of the GDPR (legitimate interest), whereby our legitimate interests lie in the purposes mentioned above, namely effectively informing users and communicating with them.

The data subject rights described in the “Your Rights” section naturally also apply to the processing of your data in connection with our fan pages.

With regard to the joint processing of your Page Insights data with Meta, we have agreed that Meta is primarily responsible for providing you with information about the processing of your Page Insights data and for enabling you to exercise your data protection rights under the GDPR (e.g., the right to object). For more information about your data protection rights in connection with Page Insights and how you can exercise them directly with Meta, please visit: https://www.facebook.com/legal/terms/information_about_page_insights_data

Of course, you can also contact us with your request, and we will forward it to Meta on your behalf.



komoot

Provider: komoot (komoot GmbH, Friedrich-Wilhelm-Boelcke-Straße 2, 14473 Potsdam, Germany);

YouTube

Provider: YouTube (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Irland);

LinkedIn

Provider: LinkedIn (LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland);

Xing

Provider: Xing (New Work SE, Dammtorstr. 30, 20354 Hamburg, Germany)

As a general rule, we will only disclose the data we have collected if there is a legal basis under data protection law for doing so in a specific case, in particular if:

  • you have given your explicit consent pursuant to Article 6(1), first sentence, subparagraph (a) of the GDPR,
  • the disclosure is necessary pursuant to Article 6(1), first sentence, subparagraph (f) of the GDPR for the assertion, exercise, or defense of legal claims, and there is no reason to believe that you have an overriding legitimate interest in preventing the disclosure of your data,
  • we are legally obligated to disclose the data pursuant to Article 6(1)(c) of the GDPR, in particular if this is required due to binding regulations, requests from public authorities, court orders, and legal proceedings for the purpose of pursuing or enforcing legal claims, or
  • this is permitted by law and necessary under Article 6(1), first sentence, letter b of the GDPR for the performance of contractual relationships with you or for the implementation of precontractual measures taken at your request.

Some data processing may be carried out by our service providers. In addition to the service providers mentioned in this Privacy Policy, these may include, in particular, data centers that host our website and databases, software providers, IT service providers that maintain our systems, agencies, market research companies, group companies, and consulting firms. If we disclose data to our service providers, they may use the data solely for the purpose of fulfilling their tasks. We have carefully selected and commissioned these service providers. They are contractually bound by our instructions, have appropriate technical and organizational measures in place to protect the rights of data subjects, and are regularly monitored by us.


In addition, we may transfer your personal data to other recipients who process your personal data under their own responsibility. These may include, in particular:

  • Mail service providers;
  • Credit institutions and payment service providers;
  • Tax advisors, attorneys, or auditors;
  • Credit bureaus;
  • Public authorities such as government agencies and courts.

Data Transfers to Third Countries

We may use services whose providers are located in so-called third countries (outside the European Union or the European Economic Area) or that transfer personal data to such countries—that is, countries whose level of data protection does not correspond to that of the European Union.

If an adequacy decision by the European Commission (Art. 45 GDPR) exists for these countries, we base the data transfer on that decision. This applies, for example, to transfers to Argentina, Israel, Japan, Canada, the Republic of Korea, New Zealand, Switzerland, Uruguay, or the United Kingdom. In the case of the United States, this applies only to the extent that the U.S. recipient has been certified under the EU-U.S. Data Privacy Framework.

If no adequacy decision (Art. 45 GDPR) has been issued for the relevant country, we have taken appropriate measures to ensure an adequate level of data protection for any data transfers. These include, among other things, the European Union’s Standard Contractual Clauses or binding internal data protection policies (Art. 46 GDPR).

Where this is not possible, we base the data transfer on the exceptions set forth in Article 49 of the GDPR, in particular your explicit consent or the necessity of the transfer for the performance of a contract or for the implementation of pre-contractual measures.

If a transfer to a third country is planned and there is no adequacy decision or appropriate safeguards in place, it is possible—and there is a risk—that authorities in the respective third country (e.g., intelligence agencies) may gain access to the transferred data in order to collect and analyze it, and that the enforceability of your rights as a data subject cannot be guaranteed. If we seek your explicit consent, you will also be informed of this.

Retention period

As a general rule, we store personal data only for as long as necessary to fulfill the purposes for which we collected the data. After that, we delete the data immediately, unless we still need the data until the expiration of the statutory limitation period for evidentiary purposes regarding civil claims, due to statutory retention obligations, or if there is another legal basis under data protection law for the continued processing of your data in a specific individual case.

For evidentiary purposes, we must retain contract data for three years from the end of the year in which our business relationship with you ends. Any claims become time-barred at the earliest at this point, in accordance with the statutory limitation period.

Even after that, we may still need to retain some of your data for accounting purposes. We are required to do so due to statutory documentation obligations, which may arise, for example, from the German Commercial Code or the German Fiscal Code. The retention periods specified therein range from two to ten years.

Your Rights, Including the Right to Withdraw Consent and the Right to Object

1. Overview of Your Rights

Provided the relevant legal requirements are met, you are entitled at any time to the data subject rights set forth in Article 7(3) and Articles 15–22:

  • Right to withdraw your consent (Article 7(3) of the GDPR);
  • Right to object to the processing of your personal data (Article 21 of the GDPR);
  • Right to access your personal data processed by us (Article 15 of the GDPR);
  • Right to rectification of your personal data stored by us that is inaccurate (Article 16 of the GDPR);
  • Right to erasure of your personal data (Article 17 of the GDPR);
  • Right to restrict the processing of your personal data (Art. 18 GDPR);
  • Right to data portability of your personal data (Art. 20 GDPR);

The right not to be subject to a decision based solely on automated processing that produces legal effects or similarly significantly affects you, including, where applicable, the right to obtain human intervention on the part of the controller, to express your point of view, and to contest the decision (Art. 22 GDPR).

To exercise the rights described here, you may contact us at any time using the contact information provided above. This also applies if you wish to receive copies of guarantees demonstrating an adequate level of data protection. Provided that the relevant legal requirements are met, we will comply with your data protection request.

Your requests to exercise data protection rights and our responses to them will be retained for documentation purposes for a period of up to three years and, in individual cases, for a longer period to assert, exercise, or defend legal claims. The legal basis is Article 6(1)(f) of the GDPR, based on our interest in defending against any civil claims under Article 82 of the GDPR, avoiding administrative fines under Article 83 of the GDPR, and fulfilling our accountability obligations under Article 5(2) of the GDPR.

2. Right to Withdraw Consent and Right to Object

2.1 Right to Withdraw Consent (Art. 7(3) GDPR)

You have the right to withdraw your consent at any time. As a result, we will no longer continue processing data based on that consent in the future. Withdrawal of consent does not affect the lawfulness of processing carried out on the basis of that consent prior to withdrawal.

2.2 Right to Object (Art. 21 GDPR)

General Right to Object: To the extent that we process your data based on legitimate interests, you have the right to object to the processing of your data at any time for reasons arising from your particular situation. 

Objection to Direct Marketing: If the objection concerns data processing for direct marketing purposes, you have a general right to object, which we will honor even without you providing a reason.

2.3 Exercising Your Rights


If you wish to exercise your right of withdrawal or right to object, simply send an informal notice to the contact information provided above.


3. Right to File a Complaint


Finally, you have the right to file a complaint with a data protection supervisory authority. You may exercise this right, for example, with a supervisory authority in the Member State where you reside, where you work, or where the alleged violation occurred. In Nuremberg, where we are headquartered, the competent supervisory authority is: Bavarian State Office for Data Protection Supervision, mailing address: P.O. Box 1349, 91504 Ansbach. Further information can be found here: https://www.lda.bayern.de/de/kontakt.html.


Changes to the Privacy Policy

We occasionally update this Privacy Policy, for example, when we make changes to our website or when legal or regulatory requirements change.


© TVF – Version: 1.3 / As of: March 2025