Data protection information
Protecting your privacy and personal data is a top priority for A-ROSA UK & Ireland, and in our internet activities we are very careful in this regard. We collect, process and use personal data in accordance with applicable data protection laws, including particularly the Data Protection Act (GDPR).
We implement technical and organisational security measures in order to optimally protect your data against accidental or intentional manipulation, loss, destruction or access by unauthorised parties. These security measures are upgraded on an ongoing basis to keep up with technological advancements.
OBJECT OF DATA PROTECTION / PERSONAL DATA
Personal data are the object of data protection measures. Data is personal if it is referenceable to an identified or identifiable person. This includes such information as name, address, e-mail address and telephone number. Sensitive data (such as health data) are subject to special protections. Information not directly related to your actual identity (such as favourite websites or number of page users) is not covered.
Within the meaning of the GDPR, all information relating to an identified or identifiable natural person is personal data. A natural person is deemed identifiable if the person can be directly or indirectly identified, particularly by means of referencing such identifiers as name, ID number, location data, username or one or more special attributes which characterise the physical, physiological, genetic, mental, financial, cultural or social identity of that natural person. Personal data are only stored as necessary to provide the booked services, comply with legal requirements or fulfil the purposes stated below.
Other than in the cases outlined under Automated Collection and Processing of Data of Visitors to our Websites, data collection and data processing are only allowed if you voluntarily provide your personal data. This applies in particular to the following situations:
TRAVEL BOOKING AND CONTRACT FULFILLMENT (PURPOSE OF COLLECTION)
Personal data provided during registration and/or booking is collected, processed and used for the purposes of fulfilling travel contracts, utilising services on our website, providing customer service and complying with legal obligations. Such data include information provided for ship manifests and customer satisfaction surveys. In accordance with applicable laws, such data are generally only collected for the purpose of providing the services you wish to receive or require. Any other information we request on our forms is provided by you on a strictly voluntary basis, and is designated as voluntary.
These personal data are forwarded to our service providers for travel contract fulfilment. When booking a cruise, the personal data of persons travelling with you may also be collected. We therefore request that you ensure that such data are provided with the consent of the persons travelling with you. Personal data of children and other minors (under the age of 18) are collected, stored and used solely for travel contract fulfilment.
LEGAL BASES FOR PROCESSING
The legal basis for personal data processed pursuant to our obtaining the consent of the data subject is Article 6 (1) a) of the EU General Data Protection Regulation (GDPR).
The legal basis for processing of personal data necessary for the performance of a contract to which the data subject is a party is Article 6 (1) b) GDPR. This also applies to processing performed to enable pre-contractual actions.
TRANSFER OF PERSONAL DATA TO THIRD PARTIES
The transfer of your personal data occurs exclusively in compliance with applicable laws, including particularly data protection and competition laws.
As necessary for the performance of the contractual services or fulfilment of our legal obligations, your data may also be transferred to sub-contractors or service providers for the provision of services in our name or on our behalf (technical processing of postal and e-mail dispatch, payment processing, customer service, etc.). Data are also transferred to persons or companies in order to process your order or booking, including particularly to airlines for travel services, other tour operators, hotels, travel agencies, destination agencies and government agencies, among other parties.
Only the data required to render and invoice the travel service and to issue invitations to complete opinion surveys and submit reviews is transmitted to third parties (e.g. contract data to the airline, data from the ship manifest to the port authorities, contact data such as e-mail address for invitations to review our products / services). Further to their legal obligation to comply with all data protection regulations, these service providers are also bound by data protection provisions put in place by us.
DATA TRANSFER TO COUNTRIES OUTSIDE THE EU
As necessary for the fulfilment of travel contracts we may also transfer your data to non-EU recipients if we are able to ensure that the data recipient guarantees an adequate level of data protection and there are no other legitimate interests against the transfer of data. In particular, we utilise the model contracts of the EU Commission for the transfer of personal data to third countries in order to ensure that the data recipient affords an adequate level of protection.
The transfer of data to A-ROSA Reederei GmbH in Switzerland, which is responsible for the operational aspects of your travel, is necessary for the fulfilment of travel contracts. The basis for data transfer to Switzerland is an adequacy decision. Switzerland provides an adequate level of protection, and does not require any special authorisation for data transfer.
STANDARD PERIODS FOR DELETION OF DATA
Data are deleted in accordance with retention obligations and periods applicable for the specific processing purposes. Financial accounting and reporting data for a concluded financial year are deleted after a maximum period of 10 years in accordance with legal requirements (tax law) unless a longer retention period is required pursuant to regulations or for legitimate reasons. Manifest data are deleted 2 years after the conclusion of travel (EU Package Travel Directive).
A-ROSA UK has implemented the necessary technical and organisational measures to protect your personal data against manipulation, loss, destruction or access by unauthorised persons, to protect your rights and to comply with applicable data protection laws of the EU and the UK. The measures taken are designed to ensure the confidentiality and integrity of your data and the long-term availability and reliability of our systems and services in processing your data. In addition, these measures are designed to ensure the rapid restorability of data to a state of availability and accessibility in the event of a physical or technical incident.
All of our employees and all persons involved in data processing are obliged to comply with the GDPR and other data protection laws and to comply with rules governing the confidential handling of personal data. Our employees are trained accordingly. Internal and external audits are conducted to ensure that all data protection-relevant processes at A-ROSA UK are compliant.
Our security measures include the encryption of your data. Transport Layer Security (HTTPS) is utilised for encryption of your data in transfer to us. All data you enter online are transmitted via an encrypted transmission path which ensures that they can at no point in time be viewed by unauthorised third parties.
The data processing and security measures we employ are constantly being improved in line with technological advancements.
NEWSLETTER AND POSTAL ADVERTISING
If you wish to receive our newsletter and register for it, we need to have a functioning e-mail address referenceable to you which allows us to verify that you are the owner of the given e-mail address. In addition to your e-mail address, the data we collect include your form of address, first name and surname. This information is used to personalise the salutation of the recipient.
Consent to saving of your e-mail address and other personal data provided by you (form of address, first name, surname) and to use thereof to send out the newsletter may be withdrawn at any time with non-retrospective effect.
Registration for our newsletter involves a ‘double opt-in’ procedure. This means you receive an e-mail after registration requesting you to confirm your registration. This confirmation is necessary to eliminate the possibility of anyone registering from a different e-mail address.
Newsletter registrations are logged to document that the registration process accords with the legal requirements. This involves saving of the time of login and confirmation and of your IP address. Changes to your stored data are also logged.
To process your registration to receive the newsletter we collect technical information including data about the browser and system you are using, your IP address and the time of retrieval. These data are utilised to improve the technical performance of services based on technical data or target groups and their reading habits, based on location of retrieval (determinable via the IP address) and access times.
Statistical data gathered include determination of whether the newsletter is opened, when it is opened and which links are clicked on. For technical reasons, this information is referenceable to individual newsletter recipients. It is not our interest however to monitor individual users. Rather, analysis is performed to enable us to identify the reading habits of our users, adapt our content to their needs and send differing content based on the interests of our users.
Statistical data gathering and analysis and logging of the registration procedure are performed on the basis of our legitimate interests in line with Article 6 (1) f) GDPR. Our interest is in deploying a user-friendly and secure newsletter system which both serves our business interests and meets the expectations of our users.
You can unsubscribe from the newsletter at any time, i.e. revoke your consent to use of your data for that purpose. This means your consent to newsletter dispatch and to related statistical analysis is revoked. Unfortunately it is not possible to separately revoke your consent to sending of the newsletter and to statistical analysis.
If you no longer wish to receive our newsletter, click on the link "Unsubscribe from the newsletter" which appears at the end of every newsletter we send out.
If you have booked a trip with A-ROSA Flussschiff GmbH or are interested in booking a trip, we utilise your postal address to send you product information and individually optimised travel offers. You can object to the use of your postal address for advertising purposes at any time as outlined in the aforementioned section of this data protection policy (Right to Information, Correction, Deletion and Restriction, Rights of Objection and Revocation).
DATA COLLECTION BY THIRD-PARTY PROVIDERS/SOCIAL NETWORKS
Our website contains links to social networks (Facebook, Google Plus, Twitter, Instagram, XING, YouTube, Pinterest, etc.). These social networks are exclusively operated by third parties. If you follow the corresponding links, data may be transmitted to these third parties (but no personal data within the meaning of the GDPR). Please see the data privacy policies of the respective operators for information regarding the purpose and scope of data collection by the social networks, further processing of and use of your data by those networks, your relevant rights and the settings you can configure to protect your privacy.
We also use social media to present our company to users and facilitate communication with them.
When visiting these social media pages, it may occur that user data is processed outside the European Union. In general, UK and European data protection legislation is not valid in these jurisdictions. This can make it more difficult to exercise your rights. US providers with Privacy Shield certification have undertaken to comply with EU data protection standards.
The data collected from social media users is normally processed for market research and advertising purposes. The content retrieved can be used to set up user profiles that are in turn used to display advertisements both on and off social media that are intended to match the user's interests. This process is usually facilitated by cookies stored on the user's computer.
However, providers can also use other methods to store data collected from social media users, particularly if these users are registered with and logged into the respective social media platforms.
The user's personal data is processed on the basis of Art. 6(1) lit. f GDPR. As the operator of a social media page, we have a legitimate interest in communicating with users and ensuring that they receive information in an efficient manner. If the user has agreed to the processing of their data – for example by clicking on a check box – the legal basis for processing this data is Art. 6(1) lit. a, Art. 7 GDPR.
Additional information about data processing and opt-out possibilities is available from the respective providers, who are listed below.
Requests for information and communications relating to the exercise of other user rights are best directed to the providers themselves. This is because they are the only parties with access to all user data and are thus the only ones able to provide the desired information or initiate the relevant measures.
– Facebook (Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Irland) – Privacy: https://www.facebook.com/about/privacy/, Opt-Out: https://www.facebook.com/settings?tab=ads and http://www.youronlinechoices.com/de/praferenzmanagement/, Privacy Shield: https://www.privacyshield.gov/participant?id=a2zt0000000GnywAAC&status=Activ.
– Google/YouTube (Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA) – Privacy: https://policies.google.com/privacy, Opt-Out: https://adssettings.google.com/authenticated?hl=de, Privacy Shield: https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active.
This website contains content from third-party providers. This content is provided by Google Inc ("the Provider").
YouTube is operated by Google Inc., 1600 Amphitheatre Parkway Mountain View, CA 94043, USA (“Google”).
The advanced privacy setting is enabled for YouTube videos that are embedded on our website. This means that no data of website visitors are collected and stored by YouTube unless such a video is played.
When you visit our websites, we collect the data necessary to enable your usage of the site (usage data). These include your IP address and data about the start and end points of your usage of the website and why you are using the website and potentially certain identification data (such as your login data if you log in to a secure area). These data are required to provide services and design services to meet user needs. These data are deleted if and when you revoke consent to processing. See below regarding the processing of pseudonymous user profiles.
// for End Customers
End customers (consumers) can utilise the A-ROSA website to find out about A-ROSA River Cruises.Information on the website is made available publicly in the form of text, images, video and downloads with no data entry required.
A-ROSA Website: https://www.arosa-cruises.co.uk
// for Travel Agencies
Travel agencies can utilise the A-ROSA extranet to find out about offers of A-ROSA River Cruises..
Information on the A-ROSA extranet is made available to travel agencies in the form of text, images, video and downloads; data entry is required in some cases.
A-ROSA extranet: https://www.a-rosa.de/a-rosa-extranet.html
The entire A-ROSA website is encrypted.
The A-ROSA BLOG contains information on A-ROSA cruises, travel photos and special cruise offers. This content is freely accessible to the public in the form of text, images and video.
The entire A-ROSA BLOG is encrypted.
DATA PROCESSING TO ENABLE WEBSITE USAGE
You can disable the storage of cookies via your browser configurations and delete them from your hard drive at any time. Please be advised that only limited use of our offers on the website is possible without cookies. In particular, it is not at all possible to book travel without cookies, as these are required to verify booking data.
You can however prevent certain cookies (e.g. third-party cookies) from being placed via your browser settings, for example if you wish to prevent web tracking. See the Help function of your browser for more detailed information.
The cookie storage period is 60 days.
Each browser differs in the way it manages cookie settings. This is described in the help menu of each browser, which explains how you can change your cookie settings. These can be found for each browser under the following links:
An explanation is provided below of how to notify the individual service providers of your objection to web tracking.
This website utilises Google Analytics, a web analytics service provided by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA ("Google"). Google Analytics employs cookies (see ‘Cookies’) to enable analysis of website usage. The information generated by the cookie about the use of this website is generally transmitted to a Google server in the USA, where it is then stored. However, your IP address is truncated and anonymised by Google within member states of the European Union and other countries party to the Agreement on the European Economic Area. Only in exceptional cases is the full IP address transmitted to a Google server in the USA and then truncated. On behalf of the operator of this website, Google will use this information to evaluate your use of the website, to compile reports about website activities and to provide for the website operator further services connected to the website use and the Internet use. The IP address transmitted by your browser as part of Google Analytics shall not be combined with other Google data.
You can prevent the storage of cookies by configuring your browser software accordingly (see ‘Cookies’) or utilising a privacy plug-in. You can also prevent recorded data generated by the cookie concerning your use of the website (including your IP address) from being sent to Google and the processing of these data by Google by downloading and installing the browser plug-in available via the following link: http://tools.google.com/dlpage/gaoptout?hl=de. Alternatively, you can prevent collection by Google Analytics by placing an ‘opt-out cookie’ on your computer. For more information about data protection and Google Analytics, see: https://www.google.com/intl/en/policies/.
GOOGLE ADWORDS CONVERSION
We utilise Google Analytics for statistical analysis of data derived from the Google AdWords service. This enables us to analyse behaviour after a user clicks on our ad – whether the user purchased our product or viewed the ad from a mobile phone, for example – and thereby improve our offers. These services are also utilised so that you receive interest-based advertising. If you are opposed to this, you can disable the functionality via the Google Ads Settings: http://www.google.com/settings/ads/onweb/?hl=en
GOOGLE TAG MANAGER
You can request information about which personal data of yours is stored by A-ROSA Flussschiff GmbH at any time and free of charge, as well as the correction, restriction and deletion of these data if the legal conditions for such are met. You can exercise your right of objection in the aforementioned cases and if you receive marketing communications from A-ROSA Flussschiff GmbH. You can revoke any consent granted per data protection law at any time with non-retrospective effect.
YOUR RIGHTS IN THE OVERVIEW
Pursuant to Article 15 GDPR, data subjects have the right to obtain information from a processor about which personal data of theirs is stored by that processor.
If a data subject finds that his/her personal data on file are incorrect, these data must be corrected pursuant to Article 16 GDPR.
Data subjects have the right pursuant to Article 17 GDPR to request the deletion of their data. Deletion is only permitted however after any statutory retention periods have elapsed.
You may have the right to restrict data from processing pursuant to Article 18 GDPR under certain circumstances (such as if you as the data subject disagree with the data processor as to whether data stored are correct).
Pursuant to Article 21 GDPR, you may object to the processing of your personal data at any time with non-retrospective effect. Please note that if you file an objection with respect to mandatory data required for the use of our offer, you will no longer be able to use the offer.
You enjoy a right to data portability under Article 20 GDPR in certain processing cases if the data were collected on the basis of consent or for performance of a contract.
To exercise your rights as data subject, please contact A-ROSA Flussschiff GmbH and/or the data protection officer of A-ROSA Flussschiff GmbH either in person or in writing.
Responsible body in the sense of the data protection law is:
A-ROSA UK & Ireland
Managing Director: Lucia Rowe
Abacus House, Caxton Place, Cardiff CF23 8HA
Phone: 02922 672600
Data protection officer of A-ROSA UK is Hugh Clayson.
If you believe that your personal data have been processed in violation of data protection law, you can contact the data protection officer of A-ROSA Flussschiff GmbH in line with Article 38 (3) GDPR (see the ‘Data Protection Officer’ section for contact details), or the competent supervisory authority in line with Article 77 (1) GDPR. The supervisory authority responsible for A-ROSA UK is: The Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.
Telephone – 0303 123 1113
Fax – 01625 524510
Data protection information from 31 October 2019