Privacy Policy
In accordance with the statutory requirements – in particular the EU General Data Protection Regulation (GDPR, available at http://eur-lex.europa.eu/legal-content/EN/TXT/uri=CELEX:32016R0679&qid=1527152699969) – we will provide you with information concerning our company’s processing of personal data below.

Contents:

I. General Information

1. Key Terms

2. Scope

3. Data Controller

4. Data Protection Officer

II. Details concerning data processing operations

1. General information about data processing operations

2. Accessing our services

3. Customer Feedback

4. Tracking

5. Social Media Plug-ins

III. Rights of data subjects

1. Right to object

2. Right to information

3. Right to rectification

4. Right to erasure (“Right to be forgotten”)

5. Right to restrict processing

6. Right to data portability

7. Right to withdraw consent

8. Right to lodge a complaint with a supervisory authority

I. General Information

In this section of the privacy policy, you will find information about the privacy policy’s scope, the data controller, its data protection officer and data security. We also explain in advance the meaning of key terms used in the Privacy Policy.

1. Key Terms
Browser: Computer program for displaying web pages (e.g., Chrome, Firefox, Safari)

Cookies: Text files that the accessed web server places on the user’s computer through the browser used. The stored cookie information may comprise both a cookie identifier which is used for recognition, as well as content information such as registration status or information about visited websites. During every subsequent new visit to this page, the browser will send the cookie information to the web server again with every request. Most browsers accept cookies automatically. You can manage cookies using the browser functions (usually under “Options” or “Settings”). In this way, the storage of cookies can be deactivated, made dependent on your consent in individual cases or otherwise restricted. You can also delete cookies at any time.

Third countries: Countries outside the European Union (EU)

GDPR: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27th April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Council Directive 95/46/EC (General Data Protection Regulation), available at http://eur- lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.L.2016.119.01.0001.01.eng

Personal data: All information relating to an identified or identifiable natural person. A natural person is deemed identifiable, directly or indirectly, if they can be identified by assignment to an identifier such as a name, an identification number, location data, an online identifier or one or more special features expressing that natural person’s physical, physiological, genetic, psychological, economic, cultural or social identity.

Profiling: Any automated processing of personal data consisting of the use of this personal data to evaluate certain personal aspects relating to a natural person, and particularly to analyse or predict aspects concerning this natural person’s work performance, economic situation, health, personal preferences, interests, reliability, behaviour, residence or change of location.

Services: Our offers to which this privacy policy applies (see scope of application).

Tracking: The collection of data and its evaluation with regard to the behaviour of visitors to our services.

Tracking technologies: Tracking can be done both by using the log files stored on our web servers or by collecting data from your end device via pixels, cookies and similar tracking technologies.

Processing: Any operation or sequence of operations carried out with or without the aid of automated procedures in connection with personal data, such as the collection, recording, organization, ordering, storage, adaptation or modification, sorting, retrieval, use, disclosure by transmission, dissemination or any other form of provision, matching or linking, restriction, erasure or destruction.

Pixel: Pixels are also called tracking pixels, web beacons or web bugs. These are small, invisible graphics in HTML e-mails or on websites. When a document is opened, these small images will be loaded from a server on the internet, where the download is registered. This will allow the server operator to see if and when an e-mail has been opened or a website visited. This function is usually executed by calling a small program (JavaScript). This will enable certain types of information on your computer system to be recognized and passed on, such as the content of cookies, the time and date of page views and a description of the page on which the pixel code is located.

2. Scope
This privacy policy applies to the following offers:

● our “8.villas” online offer (website), which can be accessed in particular at 8.villas,

● whenever reference is made to this privacy policy from one of our offers (e.g. websites, sub-domains,
mobile applications, web services or integration into third party sites) irrespective of how you access
or use it.

All these offers will also be referred to collectively as “Services”.

3. Data Controller
The legal entity responsible for data processing – i.e. the entity which decides on the purposes and means of processing personal data – in connection with the services is:

Travel Graph GmbH

Hongkongstraße 1

20457 Hamburg

Germany

E-Mail: service@8.villas

4. Data Protection Officer
You can contact our data protection officer by post using the contact data mentioned in Section 3, and marking the letter for the attention of the Data Protection Unit, or through service@8.villas.

II. Details concerning data processing operations

In this section of the privacy policy, we will inform you in detail about the processing of personal data within the scope of our services. For the sake of clarity, we will structure this information according to specific functionalities of our services. During the normal use of the services, different functionalities and thus different processes also can come into play sequentially or simultaneously.

1. General information about data processing operations

Unless otherwise stated, the following applies to all processing operations described below:

a) No obligation to provide & consequences of failure to provide

The provision of personal data is not legally or contractually required and you are not required to provide data. During the input process, we will inform you if personal data is required for the respective service (e.g. by designating it an “obligatory field”). Failure to provide the required data will result in the non-provision of the respective service. Otherwise, failure to provide data may mean that we are unable to provide our services in the same form and quality.

b) Consent

In various situations, you will also have the option of giving us your consent (possibly for part of the data) to further processing in connection with the processing operations described below. In this case, and in connection with the issuance of the respective declaration of consent, we will provide you with information separately concerning all modalities and the scope of the consent and about the interests which we pursue with these processing operations. The processing operations based on your consent will therefore not be itemised here again (Article 13(4) of the GDPR).

c) Transfer of personal data to third countries

If we transfer data to third countries, i.e. countries outside the European Union, the transfer will be carried out exclusively in compliance with the statutorily regulated admissibility requirements.

If the transfer of data to a third country does not serve to fulfil our contract with you, if we do not have your consent or if the transfer is not necessary for asserting, exercising or defending legal claims and no other exception under Article 49 of the GDPR applies either, we will only transfer your data to a third country if there is an adequacy decision according to Article 45 of the GDPR or appropriate safeguards in accordance with Article 46 of the GDPR.

One of these adequacy decisions is the Commission’s implementing decision (EU) 2016/1250 of 12th July 2016 on the so-called “EU-US Privacy Shield” for the USA. The data protection level for transfers to companies certified in accordance with the EU-US Privacy Shield is generally considered appropriate within the meaning of Article 45 of the GDPR.

Alternatively or additionally, the conclusion the EU standard data protection clauses issued by the European Commission with the receiving body, creates appropriate safeguards according to Article 46 (2)(c) of the GDPR as well as an appropriate level of data protection. Copies of the EU standard data protection clauses can be found on the European Commission’s website at https://ec.europa.eu/info/law/law-topic/data/ pred resection/data-transfer-outside-EU/model contracts-personal-data-third-countries_de.

d) Hosting with external service providers

Our data processing is largely carried out with the involvement of so-called hosting service providers, who provide us with storage space and processing capacities in their data centres and also process personal data on our behalf in accordance with our instructions. Personal data may be transferred to hosting service providers for all of the following functionalities. These service providers process data either exclusively in the EU or we have guaranteed an adequate level of data protection through the EU standard data protection clauses (see c.).

e) Transmission to public authorities

We will transfer personal data to public authorities (including law enforcement agencies) if this is necessary to comply with a legal obligation to which we are subject (legal basis: Article 6 (1)(c) of the GDPR) or if this is necessary to assert, exercise or defend legal claims (legal basis Article 6 (1)(f) of the GDPR).

f) Retention period

The section titled “Retention period” indicates how long we will use the data for the respective processing purpose in each case. After this period, we will no longer process the data, and it will instead be erased at regular intervals, unless continuous processing and storage has been stipulated by law (especially because it is necessary to fulfil a legal obligation or to assert, exercise or defend legal claims) or you grant us consent going beyond this.

g) Designations of data categories

The following summarizing category names will be used for specific data types in the next sections:

● Personal master data: Title, salutation/gender, first name, surname, date of birth;

● Address data: Street, house number, any address supplements, ZIP code, city, country;

● Contact details: Telephone number(s), fax number(s), email address(es);

● Credentials: dates and technical information

● Booking information: booked journeys, prices and payment

● Payment information: Account information, credit card information, information to our payment services

● Press distribution list usage data: Accreditation topic, date of accreditation, approval of limitation of use/declaration of
consent, downloads of press materials;

● Newsletter use profile data: Opening of the newsletter (date and time), contents, selected links, as well as the following
information concerning the accessing computer system: internet protocol address used (IP address), browser
type and version, device type, operating system and similar technical information.

● Access information: Date and time of the visit to our service; the page from which the accessing system accessed our
site; pages accessed during use; session identification data (session ID); as well as the following information
concerning the accessing computer system: internet protocol address used (IP address), browser type and version,
device type, operating system and similar technical information.

2. Accessing our services

We will describe below how your personal data is processed when you access our services (e.g. loading and viewing the website, opening and navigating within the mobile device app).

We would particularly like to state that the transmission of access data to external content providers (see b.) is unavoidable due to the mode of operation of information transmission on the internet. The third parties themselves are responsible for the data protection-compliant operation of the IT systems they use. The service providers will decide how long the data will be stored.

a) Purpose of data processing and legal basis as well as any legitimate interests, retention period

Data category:

Access data

Purpose:

Establishing a connection; presentation of the contents of the service; detection of attacks on our site based on unusual activities; diagnostics;

Legal basis:

Article 6(1)(f) of the GDPR

Legitimate interest:

proper functioning of services; security of data and business processes; prevention of misuse; prevention of damage through interference in information systems

Retention period: 4 weeks

b) Recipient of the personal data

Recipient category:

External content providers who supply the content (such as images, videos, embedded postings from social networks, advertising banners, fonts, update information) that are required to display the service;

Affected data: Access data

Legal basis: Article 6(1)(f) of the GDPR

Legitimate interest: proper functioning of the services; (accelerated) presentation of content

Recipient category: IT security service providers

Affected data: Access data

Legal basis: Article 6(1)(f) of the GDPR

Legitimate interest: Prevention of attacks by exploiting security gaps / vulnerabilities

3. Customer Feedback

We will describe below how your personal data is processed when you contact our customer service.

Purpose of data processing and legal basis as well as any legitimate interests, retention period

Data category: Personal master data; contact data; contents of inquiries/complaints

Purpose: Processing of customer requests and user complaints

Legal basis: Article 6(1)(b) and (f) of the GDPR

Legitimate interest: Improvement of our service; customer loyalty

Retention period: Processing of the request

4. Tracking

We will describe below how your personal data is processed using tracking technologies to analyse and optimise our services and for advertising purposes.

The description of the tracking procedures also includes information on how you can prevent or object to data processing. Please note that this so-called “opt-out”, i.e. the refusal to consent to processing, is usually stored via cookies. If you use our services via a new terminal or in another browser or if you have deleted the cookies set by your browser, you must declare your refusal to consent again.

The tracking procedures described only process personal data in pseudonymous form. No connection with a specific, identified natural person, and consequently a combination of the data with information about the bearer of the pseudonym, will be made.

a) Tracking to analyse and optimise our services and their use

1. Purpose of the processing

The analysis of user behaviour via tracking helps us monitor the effectiveness of our services, optimise and adapt them to users’ needs and to correct errors. Furthermore, it serves to statistically determine characteristic values about the use of our services (range, intensity of use, surfing behaviour of users) – on the basis of uniform standard procedures – and thus to obtain market-wide comparable values.

2. Legal basis of the processing

Regarding services we provide in connection with a contract, tracking and the associated analysis of user behaviour are performed in order to fulfil our contractual obligations. The legal basis for this processing of personal data is Article 6(1)(b) of the GDPR. The evaluation of information gained through tracking is necessary to provide you with optimised services according to the contractual purpose and to guarantee you the greatest possible benefit.

Otherwise, i.e. outside a contractual relationship, the legal basis for this processing of personal data is Article 6(1)(f) of the GDPR. With this, we pursue the legitimate interest of providing the most efficient and attractive services possible on the basis of the information gained through tracking and marketing them in the best possible way.

3. Details concerning the tracking procedures used

Description of the service: Google Analytics

Scope(s): all

Mode of operation

This website uses Google Analytics, a web analysis service of Google Inc. (“Google”). Google Analytics uses so-called “cookies” which are text files stored on your computer to enable an analysis of your use of the website. The information generated by the cookie about your use of this website, namely

● Browser type/version;

● operating system used;

● Referrer URL (previously visited page);

● accessing computer’s host name (IP address);

● Time of the server request;

is usually transferred to a Google server in the USA and stored there. However, due to the activation of IP anonymisation on this website Google will truncate your IP address beforehand within Member States of the European Union or in other signatory states to the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and truncated there. On behalf of this website’s operator, Google will use this information to evaluate your use of the website, to compile reports on website activity and to provide the website operator with other services relating to the use of the website and the internet. The IP address transmitted by your browser in the context of Google Analytics will not be merged with other Google data. You may refuse the use of cookies by selecting your browser software’s corresponding setting. However, please note that if you do this, you may not be able to use this website’s full functionality. You can also prevent Google from collecting the data generated by the cookie and relating to your use of the website (including your IP address) and from processing this data by downloading and installing the browser plug-in available at the following link (http://tools.google.com/dlpage/gaoptout?hl=en ). You can also find out more about the browser add-on by clicking on the above link.

You can find more information about Google Analytics’ privacy here https://policies.google.com/privacy?hl=en/

Option to prevent processing (opt-out)

You can prevent collection by Google Analytics by clicking the following link. An opt-out cookie will be set which prevents the future collection of your data when visiting this website: Deactivate Google Analytics

III. Rights of data subjects

1. Right to object

If we process your personal data for direct marketing purposes, you have the right to object prospectively at any time to the processing of personal data concerning you for the purposes of such advertising. This also applies to profiling, if it is associated with such direct marketing.

You also have the right to object prospectively at any time, for reasons arising from your particular situation, to the processing of personal data concerning you under Article 6(1)(e) or (f) of the GDPR. This also applies to a profiling based on these provisions.

You can exercise the right to object at no cost. You can contact us using the contact details listed under I.3 or by the following means:

By e-mail to: service@8.villas

2. Right to information

You have the right to request confirmation from us as to whether personal data concerning you is being processed and, if applicable, to request information about this personal data and the other information listed in Article 15 of the GDPR.

3. Right to rectification

You have the right to demand immediate correction of any inaccurate personal data concerning you (Article 16 of the GDPR). Taking into account the purposes of the processing, you have the right to request the completion of incomplete personal data – also by means of a supplementary declaration.

4. Right to erasure (“Right to be forgotten”)

You have the right to request us to delete personal data relating to you immediately, provided that one of the reasons stated in Article 17(1) of the GDPR applies and the processing is not necessary for one of the purposes regulated in Article 17 (3) of the GDPR.

5. Right to restrict processing
You are entitled to demand a restriction on the processing of your personal data if one of the conditions set out in Article 18 (1)(a) to (d) of the GDPR is met.

6. Right to data portability
Under the conditions set out in Article 20(1) of the GDPR, you have the right to receive the personal data concerning you that you have provided to us in a structured, current and machine-readable format, and the right to transmit this data to another person responsible without our interference. When exercising the right to data portability, you have the right to request that we transfer the personal data directly to another responsible party, insofar as this is technically feasible.

7. Right to withdraw consent
If the processing is based on your consent, you have the right to revoke the consent at any time. This does not affect the legality of the processing carried out on the basis of the consent until the revocation.

8. Right to lodge a complaint with a supervisory authority
You have a right to lodge a complaint with the supervisory authority responsible for our company. The competent supervisory authority for our company is: