+++ Companies of the FTI GROUP file for insolvency. FAQs atwww.fti-group.com/en/insolvency. Support Hotline (German/English) at +49 (0)89 710 45 14 98. +++ +++ All departures up to and including 5 July 2024 are cancelled. From 6 July 2024, all package tours and certain individual services are cancelled. +++
+++ CAUTION: Fraud attempts are spreading via SMS and email asking for bank details. Please check carefully who the sender is. +++
1. Scope
The following privacy notice provides you with an overview of the collection and processing of your personal data in relation to:
- Your visit to and use of our website
- Processing your request
- Assertion of legal claims
- Responding to official inquiries
For persons residing in Switzerland and in the United Kingdom: The provisions of this data protection notice also apply mutatis mutandis to persons from Switzerland and from the United Kingdom and fulfil the information obligations pursuant to Article 19 of the Swiss FADP and under UK GDPR.
With regard to data processing in the context of your communication on our social media channels, we refer to our separate privacy notice for social media.
Our privacy notice with regard to the conclusion and execution of contracts for travel services by FTI Touristik, the mailing of newsletters, customer information and surveys, as well as with regard to the implementation of analyses and research projects can be found here (German).
2. Data controller
The controller pursuant to Art. 4 No. 7 GDPR for the processing of your personal data is
FTI Touristik GmbH
Landsberger Str. 88, 80339 Munich, Germany
You can contact our data protection officer at: dataprotectionofficer@fti.de
3. Object of data processing
Personal data is any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
3.1 Your visit to and use of our website
As part of the hosting of our website, all data processed in connection with the operation and use of the website is stored. This is necessary to enable the operation of the website and to ensure the security of the website. Accordingly, the processing of personal data is based on our legitimate interest in accordance with Art. 6 (1) lit. f) GDPR.
We log your visit to our website in log files. The following personal data is processed: address of the website accessed, date and time of access, access status, the amount of data transferred, the browser type and version, the operating system you are using, the referrer URL (the website you previously visited), your IP address and the requesting provider.
To provide our online presence, we use services from web hosting providers, to whom we transmit the above-mentioned data.
Contact forms
You can contact us via our contact forms. We process your personal data (e.g. name, contact details, details of bookings made) and your message that you send to us exclusively for the purpose of processing and handling your enquiry.
Insofar as you indicate that the contact request concerns one of our subsidiaries, the object of our data processing is limited to the forwarding of this message. Please note the separate data protection notices of the respective companies:
- BigXtra Touristik GmbH (German)
- FTI Touristik AG (Schweiz) (German)
- Big Xtra Touristik AG (Schweiz) (German)
This data is processed by us on the basis of Art. 6 (1) lit. b) GDPR or Art. 6 (1) lit. f) GDPR in order to process and respond to your enquiry.
Cookies
In order to enable the use of certain services, we use cookies and other tracking technologies. These are, among other things, short data packets that are stored on your device and exchanged with other providers. Some of the cookies we use are deleted immediately after you close your browser (so-called session cookies). Other cookies remain on your device and make it possible to recognise your browser on your next visit (persistent cookies).
You can delete all cookies stored on your device and set the common browsers to prevent cookies from being stored. In this case, you may have to make some settings again each time you visit this website and accept the impairment of some functions.
Functional, Statistical and Marketing Services
As part of our online offering, we also use services from other providers, which we integrate in order to offer you certain content or functions (e.g. the display of a map or the integration of videos). By accessing and providing the content of another provider, personal data is processed (essentially your IP address). If you give your consent to this, data processing is carried out on the basis of Article 6 (1) lit. f) GDPR. In the case of essential services that are necessary for the provision of this website, the legal basis is our legitimate interest in accordance with Article 6 (1) lit. f).
With regard to the third-party services, please also refer to the privacy policy of the respective provider. You can find more information about the services and cookies used in our Preference Center, which you can access via the fingerprint icon.
3.2 Processing your request
We process personal data to process customer requests and complaints before and/or after the trip. In order to be able to process and understand the facts of the case concretely, it may be necessary to make enquiries, e.g. with service providers. You may also be required to provide us with sensitive information such as accident reports, medical records, death certificates, etc.
In connection with the processing of customer requests, the following categories of personal data may be processed: first and last name, address, mobile phone number, landline number, date of birth, nationality, e-mail address, title, booking number, file key, information on marital status and children, IP address, account data, transaction data, as well as all data transmitted by you in the context of your request
In addition, to the extent necessary to process your request, we process in particular the following special categories of personal data: degree of disability, mark (severely disabled person's pass), validity of the severely disabled person's pass, state of health, vaccination status, diagnosis, ethnic origin, nationality and all data transmitted by you in the context of your request.
Insofar as the processing of your personal data is necessary for the performance of the contract concluded with you, the legal basis for the processing of your personal data is Art. 6 (1) lit. b) GDPR. Insofar as you assert legal claims in the context of your complaint, the legal basis is Art. 6 (1) lit. f) GDPR. Our legitimate interest is to defend against legal claims. Insofar as the processing of your personal data is necessary for the processing of other concerns, the processing is based on Art. 6 (1) (a) GDPR. Insofar as the processing of special categories of personal data is necessary for the processing, the processing is based on Art. 9 (2) lit. a) GDPR.
Depending on the nature of the request, your personal data will be forwarded to the following categories of recipients in order to process your request: insurance companies, destination agencies, service providers for the booked travel service (such as airlines, hotels, car rental companies), booking travel agency, IT service providers, law firms, courts.
3.3 Assertion of legal claims
In the context of fraud prevention as well as in the event of late or incomplete deposit or final payment, we reserve the right to take the necessary steps in individual cases.
For identity confirmation and address verification, we may process the following categories of personal data and: name, address.
In this case, the processing of your personal data is based on Art. 6 (1) lit. f) GDPR. Our legitimate interest is to minimise the risk of non-payment.
In this context, your personal data will be forwarded to the following categories of recipients: Service providers for address validation and address verification.
In connection with the assertion of legal claims (such as due payment claims), the following categories of personal data may also be processed: name, address, information about the booking and the outstanding claim.
In this case, the processing of your personal data is based on Art. 6 (1) lit. b) GDPR. Insofar as receivables are assigned to debt collection agencies or the collection of the receivables is outsourced to them, the processing is based on Art. 6 (1) lit. f) GDPR. The legitimate interest in this case is to obtain compensation for the non-payment of the data subject and to reduce the amount of work required to recover individual claims.
In order to assert legal claims, your personal data will be transferred to the following categories of recipients: other FTI GROUP companies, law firms, debt collection agencies.
3.4 Responding to official inquiries
Authorities may request information about individual customers. This could happen, for example, in the case of a missing person report or in the context of the investigation of crimes. In such cases, we will provide information to the relevant authority if this is legally permissible.
In the context of responding to government requests, the following categories of personal data may be processed: name, destination, travel period and other information requested by the authority.
In this case, the processing of your personal data is based on Art. 6 (1) (c) GDPR in conjunction with the respective legal basis for the asserted right to information.
In order to respond to official requests, your personal data will be forwarded to the following categories of recipients: Requesting authorities.
4. Legal basis for transfers to third countries
Within our company, access to your data will only be granted to those departments or persons who need it to perform their respective tasks in connection with the processing activities referred to in this Privacy Notice.
Please note that we may transfer and process personal data in countries other than your country of residence. This may also apply to countries outside the EU or the EEA (so-called third countries). The laws of these countries may not guarantee a level of protection for your personal data comparable to that of your country of origin. If we transfer your personal data to such a country, we will ensure that the transfer is in accordance with the requirements of Art. 45 et seq. GDPR. We will only transfer your personal data to third countries if they have an adequacy decision by the EU Commission or if appropriate safeguards, including EU standard contractual clauses, are in place. Information and copies of this can be requested by you from the contact provided.
5. Automated decision-making, including profiling
Automated decision-making (including profiling) does not take place.
6. Duration of retention of personal data
We process and store your personal data only for as long as is necessary to fulfil the purpose for which it was collected. Thereafter, we delete or anonymise your personal data, with the exception of data that we are required to continue to store in order to comply with legal obligations (e.g. we are obliged to keep documents such as business letters, contracts and invoices for a certain period of time due to retention periods under tax and commercial law) or retain them within the framework of the statutory statute of limitations for the assertion, exercise or defence of legal claims.
7. Your rights
As a data subject, you have various rights under the GDPR, which arise in particular from Articles 15 to 18 and 21 of the GDPR. Please note that we will need to verify your identity before we can comply with your request to exercise your data protection rights. This practice allows us to protect our customers' personal data from fraudulent requests.
- Right of access
In accordance with Art. 15 GDPR, you can request information about your personal data processed by us. In your request for information, you should specify your request in order to make it easier for us to compile the necessary data. Please note that under certain circumstances, your right of access may be limited in accordance with the law.
- Right to rectification
If the information concerning you is no longer correct, you can request a correction in accordance with Art. 16 GDPR. If your data is incomplete, you can request that it be completed.
- Right to erasure
Under the conditions of Art. 17 GDPR, you can request the deletion of your personal data. Your right to deletion depends, among other things, on whether the data concerning you is still required by us to fulfil our legal tasks or whether we have a legitimate interest in storing it.
- Right to restriction of processing
Within the framework of the provisions of Art. 18 GDPR, you have the right to request a restriction of the processing of data concerning you.
- Right to data portability
According to Art. 20 GDPR, you have the right to receive your personal data that you have provided to us in a structured, commonly used and machine-readable format or to request that it be transmitted to another controller, insofar as this is technically feasible.
- Right to object
In accordance with Art. 21 GDPR, you have the right to object to the processing of your data at any time on grounds relating to your particular situation. However, we are not always able to comply with this, e.g. if legal provisions oblige us to process data as part of our official duties.
- Withdrawal of your consent
If we rely on your consent as the legal basis for processing your personal data, you can withdraw that consent at any time.
Exercising your rights
To revoke your consent to the use of data, to assert a right to information or the correction, blocking or deletion of your data, or to exercise the other rights of data subject mentioned above, please contact:
FTI Touristik GmbH
Att: Data Protection Officer
Landsberger Straße 88
D-80339 Munich, Germany
Email: datenschutz@fti.de
Right to lodge a complaint
If you believe that we have not complied with data protection regulations when processing your data, you can lodge a complaint with a supervisory authority. The supervisory authority responsible for us is the Bavarian State Office for Data Protection Supervision (BayLDA), Promenade 18, 91522 Ansbach, Germany.
8. How we protect personal data
To ensure the security of the data transmitted to us, we use TLS encryption. You can recognize such encrypted connections by the prefix https:// in the page link in the address bar of your browser.
Data that you transmit to our website - for example during enquiries or logins - cannot be read by third parties due to SSL encryption.
Recognizing that threats can arise and change at any time, we regularly review and update our security measures and infrastructure to mitigate operational risk and keep our security requirements up to date.
9. Changes to this privacy notice
This document is subject to periodic revision or supplementation.
Munich, 26. April 2024