Kurgesellschaft Schlema mbH thanks you for visiting our website and for your interest in our company. We take the protection and security of the personal data you have entrusted to us seriously and want you to feel secure and comfortable when you visit our websites and use our services.
Handling personal data responsibly is a high priority at Kurgesellschaft Schlema mbH. We would like you to know which data we collect and when, how we use it and, where necessary, share it with others. As we aim to keep our websites up to date, it may be necessary to amend this Data Protection Policy in connection with the use of new technology, and we reserve the right to do so.
We therefore recommend that you review this Data Protection Policy from time to time.
Provider and controller within the meaning of data protection legislation
Kurgesellschaft Schlema mbH
08301 Bad Schlema, Germany
Dr. Kathrin Bösecke-Spapens - Managing Director
Franz-Heinrich Kohl - Chair of the Supervisory Board
The Policy applies to the following websites of Kurgesellschaft Schlema mbH:
This Data Protection Policy provides you with information on the type, scope and purpose of the collection and use of your data by the controller.
The EU General Data Protection Regulation (GDPR) and the German Telemedia Act (TMG) provide the legal framework for data protection.
We process personal data for the purposes of handling queries, requests for information material, subscriptions to our newsletter and for booking services. You provide this information yourself. The legal basis for this is Art. 6 (1) b) GDPR. The data processed may include customer data, employee data and data of business partners where this serves to achieve the purpose within the scope of this Policy.
Art. 28 (1) GDPR provides the legal basis where it is necessary to share data with external processors.
All the information provided to us when you complete the contact forms or send us e-mails will be handled by us solely for the purpose of processing your enquiry. This data will be shared with third parties outside Kurgesellschaft Schlema mbH solely for the purpose of registering with the local spa physicians, where this is necessary following an enquiry about a planned spa treatment plan or a package, or if you expressly request us to do so.
Your data will not be sold to third parties, nor will it be marketed for other purposes.
We are under a legal obligation to provide information upon request to certain public bodies. These are law enforcement agencies, authorities that pursue administrative offences that are subject to a fine, and tax authorities. The data is disclosed in such cases on the grounds of our legitimate interest in preventing misuse and prosecuting criminal offences as well as in order to establish, assert and enforce claims pursuant to Art. 6 (1) f) GDPR, insofar as you do not have any overriding rights and interests in the protection of your personal data.
Generally, the further processing or use of your personal data is only possible if it is permitted by a legal regulation or if you have given your consent to the data processing. Where further processing of your data is necessary for a purpose other than originally intended, we will inform you of this and request your consent before taking any action.
Kurgesellschaft Schlema mbH does not collect, process or share any health data whatsoever online.
We will obtain the data required for the medical departments from you personally at the reception of the medical and therapeutic treatment areas. Even if you book your stay with us over the phone, we will only:
1) ask for your address to enable us to process the booking
2) ask about your level of mobility so that we can take this into account when scheduling your treatments and leave you enough time to get from your selected accommodation to the treatment areas without having to rush.
The data required from you in order to administer the treatment will be collected from you personally on the premises of Kurgesellschaft Schlema mbH and stored on an in-house server. Any necessary changes can be made only by authorised staff from the medical and therapeutic treatment areas.
These staff members are subject to an obligation of professional secrecy.
In accordance with the legal regulations of Book V of the German Social Code (SGB V), this data will only be disclosed to your health insurance provider in order to settle payment for our services.
We require your written consent if data such as information about your course of treatment or similar information is to be disclosed to third parties (excluding your consultant).
Upon each visit to this website, we or the web space provider automatically collect information.
This includes: name of the website, file, date, data volume, browser and browser version, operating system, your Internet provider’s domain name, the so-called referrer URL (the page from which you accessed our website) and your IP address.
Without this data, it would be technically impossible to a certain extent to transmit and display the website content. It is therefore essential for us to collect this data.
In addition, we use the anonymous information for statistical purposes without personally identifying you as the user. This helps us to optimise our website and the technology used. We also reserve the right to retroactively examine the log files if we suspect that our website is being used illegally.
Within this context, the legal basis for processing your data is Art. 6 (1) f) GDPR. Our legitimate interest in processing this data lies in ensuring that our website functions properly and ensuring the security of all transactions made in our online store.
Data will be transmitted to external processors on the basis of Art. 28 (1) GDPR under the required appropriate contractual agreements.
So-called cookies are used on the web pages of Kurgesellschaft Schlema mbH. Their purpose is to make it easier for you to use our websites.
Cookies are small text files that are sent by our server to your computer and stored there the moment you visit our website. If you revisit our website using the same end device, the cookie indicates that you have already visited us, among other information. The cookies manage your connection with our websites and enable us to analyse how our websites are used. The cookie does not contain any personal information and does not allow third parties to identify you on their websites.
The cookies are not used to spread viruses or run programmes.
The following types of cookies are used:
1) Essential cookies
These are fundamentally essential to enable the website to function. This can include the assignment of anonymous session IDs, e.g. for consolidating several requests sent to a server or handling registration and orders.
2) Functional cookies
These store your selected settings or support website navigation, enabling us to remember your preferences for your next visit or manage the log-in process for the personalised website area.
3) Cookies for collecting statistical data
These help us to collect information on how you use our website. This includes information such as your Internet browser, the number of visits, the accessed page and the length of time you spent browsing the page. The cookies do not store any information that would enable you personally to be identified. The information is anonymised. We will not disclose this data to third parties or associate it with personal data without your consent.
You can prevent the installation of cookies or ensure that they are deleted automatically after every session by configuring your browser settings accordingly.
Users can also access our website without cookies. To do so, you must configure the relevant settings in your browser. Use the help function in your browser to find out how you can disable cookies. However, we should point out that, in this case, some of the functionalities of this website might be impaired and user convenience may also be restricted. You can manage online advertising cookies on the following websites: http://www.aboutads.info/choices/ (USA) and http://www.youronlinechoices.com/uk/your-ad-choices/ (Europe).
Furthermore, you can prevent the collection of data generated by the cookie and related to your use of the website (including your IP address) by Google, as well as the processing of this data by Google, by downloading and installing the browser plug-in available at the following link: browser add-on for deactivating Google Analytics.
This website uses the online advertising programme Google AdWords and the conversion tracking function within this programme. Google AdWords sets a cookie on your computer if you access our website by clicking on a Google ad. These cookies lose their validity after 30 days and cannot be used to identify you personally. If you visit certain pages of our website and the cookie has not yet expired, we and Google can both see that you clicked on the ad and were redirected to this website. Each Google AdWords client is given a different cookie. This means that cookies cannot be tracked via the websites of other AdWords clients.
The information collected with the aid of the conversion cookie is used to compile conversion statistics for AdWords clients who have activated conversion tracking. This informs the clients of the total number of users who clicked on their ad and were forwarded to a page containing a conversion tracking tag. However, they do not receive any information that would enable them to personally identify users.
Embedded third-party services and conten
Our website includes content and services of other providers. These include maps provided by Google Maps, YouTube videos and graphics and images from other websites. In order to access and display this data in your browser, it is essential to transmit your IP address. The providers (hereinafter referred to as “third-party providers”) are thereby informed of your IP address.
Even though we strive to use the content and services of only those third-party providers who need the IP address for the sole purpose of delivering content, we have no influence on whether or not the IP address is stored. In this case, this process also serves statistical purposes.
Registration on our website
If you register on our website to use personalised services, we collect personal data. This includes your name, address, phone number and e-mail address in order to contact and communicate with you.
Registration enables you to access services and content that are only available to registered users. Where necessary, registered users can amend or delete the data provided during registration at any time. Upon request, we will advise you what personal data has been collected and stored. In addition, we will correct or delete the data at your request, provided that there are no statutory obligations to retain it. Please use the contact details provided in this Data Protection Policy if you have any questions or if you want your data be corrected or deleted.
Provision of fee-based services
We request additional data to enable us to provide fee-based services. This applies to payment details among other things.
To protect the security of your data during transmission, we use encryption protocols (such as SSL) via HTTPS that reflect the current state of the art in technology.
In our online store, customer data is processed solely for the purpose of processing the order (this data includes your name, address, and bank account details). This type of data processing is therefore necessary to perform a contract or in order to take steps prior to entering into a contract pursuant to Art. 6 (1) b) GDPR. Pursuant to Art. 6 (1) c) GDPR, placing an order in the online store gives rise to a legal obligation to process data further, e.g. under the German Commercial Code (HGB) Section 257 (1), whereby companies are obliged to retain business documents for a period of six years.
The data collected in connection with enquiries submitted using the online contact form is used solely to respond to the enquiry and can be forwarded internally to the department responsible for handling the particular enquiry in order to ensure that the person concerned receives a satisfactory response; this is similarly permitted under Art. 6 (1) b) GDPR.
Personal data submitted in order to participate in competitions is used solely to determine and notify the winner and to send the prize. After the competition has ended and the winner has been notified, the participants’ data is deleted. You can participate in competitions without signing up for our newsletter.
The minimum age for participating in competitions is 18.
Embedded social media plug-ins and third-party content
Buttons for the following social media networks are used on our website:
Facebook & Instagram, Facebook Inc., 1601 S. California Ave, Palo Alto, CA 94304, USA
Google+, Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA
The buttons are marked with the logo of the respective provider and contain a link. The buttons have to be activated separately by clicking on them; if they are not activated, no data will be transmitted to the social media networks. Only by clicking on the buttons and thereby declaring your consent to a connection being established with the servers of these networks will the buttons be activated and a connection established.
Following this, the button acts as a share plug-in. Through this plug-in, information is sent to the social network via the accessed page so that you can share it on the network with your contacts. You must be logged in to use the share function. If you are not logged in, you will be forwarded to the log-in page of the respective provider and are no longer on the Kurgesellschaft Schlema mbH website. Once you have logged in, the network sends information that you would like to recommend something.
If the button has been activated, information that you have clicked on the button and accessed our website, as well as your IP address, your browser and language settings, will be sent to the social media network. The data usage guidelines of the social network will then apply.
If the button is activated, we no longer have any influence on the collection and processing of data and are no longer responsible for this; i.e. Kurgesellschaft Schlema mbH is no longer the controller within the meaning of the GDPR.
Data is transmitted irrespective of whether an account has been created with the respective provider. If you are logged in, the data will be associated with your account. The provider may also set cookies on your computer to track you.
Privacy policies for social media
Kurgesellschaft Schlema mbH takes the current discussion about data protection on social media networks very seriously. At present, it has not yet been conclusively established from a legal perspective if and to what extent the services of these networks are offered in compliance with European data protection regulations.
We should therefore expressly point out that, to the best of our knowledge, the Facebook and Google+ services used by us store their users’ data (e.g. personal information, IP address) and use it for commercial purposes in accordance with their guidelines on data usage. This means that they create user profiles that are used for the purpose of advertising, market research and the needs-based design of their website. In particular, this aims to inform other network users about your visit to our website.
You have the right to object to the creation of these user profiles; you must contact the respective provider to exercise this right.
You can find information about the purpose and scope of data collection, the processing and use of data by the social media network, your rights and the options for protecting your privacy by selecting certain settings at the following pages:
We, the Kurgesellschaft Schlema mbH, have no influence on the collection of data and the further use of it by the social media networks. We are not aware of the scope of the data stored, where it is stored, for how long it is stored, to what extent the networks comply with existing obligations to delete data, what analyses and links are created from the data and to whom the data may potentially be disclosed. If you do not want these social media networks to receive your data, do not click their buttons.
If you subscribe to our newsletter, we use the data provided by you solely for this purpose or to inform you about this service or the rules that apply to it and the required processes. We do not share this data with third parties.
You must have a valid e-mail address in order to receive the newsletter. The IP address you use to subscribe to the newsletter and the date on which you subscribed are also stored. This data serves as evidence in the event of misuse where another person’s e-mail address is used to subscribe to the newsletter. As an additional safeguard against third parties misusing an e-mail address and entering it on our distribution list, we use the legally compliant double opt-in process. As part of this process, subscription to the newsletter, dispatch of the confirmation e-mail and receipt of the confirmation of subscription are logged.
Subscription to the newsletter is always independent of other processes such as orders, competitions, bookings, etc.
You can withdraw your consent to the storage of this data, your e-mail address and the use of these to send the newsletter at any time. To withdraw your consent, you can click the link provided for this purpose in each newsletter and on the website. You may also inform us of your decision to withdraw your consent using the contact details provided in this document.
Data minimisation/standard periods for the deletion of data
We follow the principles of data avoidance and data minimisation in relation to the storage of personal data and only store it as long as this is necessary or stipulated by law (statutory retention periods).
Numerous data retention obligations and retention periods relating to these have been prescribed by law. Once these periods have expired, the data is routinely deleted.
If the purpose for which the data was collected no longer applies or if the retention period has expired, we will block or delete the data.
Where there are no conflicting provisions, we will store the data collected by us as long as this is necessary to achieve the purposes for which it was collected.
Security / Technical data protection
To protect your personal data, we have adopted technical and organisational measures, and we have incorporated our business processes into these. Kurgesellschaft Schlema mbH uses various technical and organisational measures to protect your data against loss, destruction, manipulation or access by unauthorised persons.
We use security procedures, technical restrictions and access restrictions where it is necessary for us to collect, process and transmit your data. Only authorised staff members have access to your personal data to ensure that each task is completed correctly and as intended.
In addition to securing our operating environment, we also use encryption protocols to protect your personal data to the greatest extent possible. The information relating to you is transmitted via an SSL (secure socket layer) protocol and automatically verified. In this way, data misuse by third parties can be prevented. A connection is secure when the address bar starts with https... and the padlock symbol in the status bar of your browser is closed.
The measures adopted for both your data security and ours are regularly examined, continually optimised in keeping with the latest technologies and, where necessary, immediately adapted or corrected.
Your rights of access to information, to rectification, blocking and erasure, and to object
You have fundamental rights in relation to your personal data. These include the right of access to information, the right to rectification of inaccurate data, the right to erasure, the right to restrict processing, the right to data portability, the right to object and the right to lodge a complaint with the competent supervisory authority.
Right of access: You have the right to request that information about the personal data stored by us be provided to you free of charge under Art. 15 GDPR. Please send your request by post or e-mail to the contact addresses of Kurgesellschaft Schlema mbH.
Right to rectification of inaccurate data: You have the right to request that we rectify personal data relating to you without undue delay under Art. 16 GDPR. To request this, please contact Kurgesellschaft Schlema mbH at the addresses provided.
Right to erasure: If there are legal grounds under Art. 17 GDPR, you have the right to have your data erased without undue delay, e.g. where the data is no longer necessary for the purpose of the processing for which it was originally collected or if you have withdrawn your consent to the processing and where there is no other legal ground for the processing, or if you have objected to the processing. In this case, too, please use the contact addresses provided.
Right to restrict the processing: Where any of the conditions of Art. 18 GDPR apply, you can request that we restrict the processing of your data. This could be in the event of an objection submitted by the data subject pursuant to Art. 21 (1) GDPR. Please use the contact addresses provided to exercise this right.
Right to data portability: Under Art. 20 GDPR, you can request that the personal data relating to you be provided to you in a commonly used format and that the data be transmitted to other organisations. In this case, it is important that consent has been given to the processing or that the processing is carried out by automated means on the basis of a contract. For all such requests, please also use the contact addresses provided.
Right to object: On grounds relating to your particular situation, you have the right under Art. 21 GDPR to object at any time to the processing of personal data relating to you based on Art. 6 (1) e) or f) GDPR.
Kurgesellschaft Schlema mbH will stop processing this data unless it has legitimate reasons to continue doing so that override your interests, rights and freedoms, or if the processing is necessary for the establishment, exercise or defence of legal claims. Please use the contact addresses provided to exercise this right.
Right to lodge a complaint with a supervisory authority: If you believe that the processing of your personal data within our company is unlawful, you can lodge a complaint with the competent supervisory authority.
Contact details of supervisory authority:
The Data Protection Commissioner for Saxony
Tel: +49 (0)3 51/49 3-5401
Fax: +49 (0)3 51/49 3-5490
Contact details for Kurgesellschaft Schlema mbH
Kurgesellschaft Schlema mbH
08301 Bad Schlema, Germany
Data Protection Officer
An in-house Data Protection Officer has been appointed at Kurgesellschaft Schlema mbH due to the type and scope of data collected.
This officer is responsible for reviewing and analysing data protection, checking that electronic data processing is lawful, and monitoring the rights of data subjects in accordance with the provisions of the GDPR.
He is, of course, also your point of contact if you have any queries, concerns or problems relating to data protection at Kurgesellschaft Schlema mbH.
In his role as Data Protection Officer, he is subject to an obligation of confidentiality under Section 203 of the German Penal Code [StGB].
Data Protection Officer, TÜV-certified
08301 Bad Schlema, Germany
Sources: Data protection generator, template documents provided by TÜV Süd Academy