Privacy Policy

Thank you for visiting our website! The protection of personal data is of particular importance to us. We would therefore like to take this opportunity to inform you about what kind of your personal data we collect when you visit our websites, for what purposes they are used and to whom we may make it available.

We declare our compliance with the legal provisions on data protection and data security. Personal data will be used exclusively for the purposes indicated below, as well as measures to ensure data security by ensuring that data is used properly and not made accessible to unauthorized persons. Our employees as well as authorized service providers and their employees are obliged to maintain secrecy of the data disclosed by us, unless there is a legally permissible reason for a transmission or disclosure of the data entrusted or made accessible to them.

This privacy policy applies to the website of the controller which can be accessed under the domain https://www.vagabondclub.com/ as well as the various subdomains (hereinafter referred to as “our websites”). We reserve the right to adapt this privacy policy with future effect, in particular in the event of further development of the website, the use of new technologies or the change to the legal basis or corresponding case laws.

1 Name and address of the controller

The following party is responsible for the processing of personal data within the scope of this privacy policy referred to in Art. 4 (7) of the EU General Data Protection Regulation (GDPR):

HRG Hotels Sechste Management II GmbH
Hauptstraße 66
12159 Berlin
Germany
Telephone: +43 1 333 737317
E-Mail: welcome@vagabondclub.com

2 Contact for data protection inquiries

HRG Hotels Sechste Management II GmbH
Hauptstraße 66
12159 Berlin
Germany
Telephone: +43 1 333 737317
E-Mail: datenschutz@vagabondclub.com

3 General information on data processing

3.1 Scope of processing of personal data

Personal data is any information relating to an identified or identifiable natural person. In principle, we collect and use personal data of our users only to the extent necessary to provide a functional website and to present our content and services. The collection and use of personal data of our users takes place only with the consent of the user. An exception applies in those cases where it is not possible to obtain prior consent and the processing of the data is permitted by a legal provision.

3.2 Legal bases for processing personal data

Insofar as we obtain the consent of the data subject for the processing of personal data, Art. 6 (1) (a) GDPR serves as the legal basis for the processing of personal data.

For the processing of personal data that is necessary for the performance of a contract to which the data subject is a party, Art. 6 (1) (b) GDPR serves as the legal basis. This also applies to processing operations that are necessary for the implementation of pre-contractual measures.

Insofar as the processing of personal data is necessary to fulfil a legal obligation to which the controller is subject, Art. 6 (1) (c) GDPR serves as the legal basis.

In the case that vital interests of the data subject or another natural person require the processing of personal data, Art. 6 (1) (d) GDPR serves as the legal basis.

If the processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, Art. 6 (1) (f) GDPR serves as the legal basis for the processing.

3.3 Collection of data from third parties

We may obtain your personal data from third parties. This is particularly the case if a reservation is made for you by a travel agency, online booking portal or other third parties, which may be family members, travel companions and other representatives or intermediaries who work for you. For business trips, we obtain the information from your employer or other third parties who work on your behalf or for you. The legal basis for the processing of this data is Art. 6 (1) (b) GDPR, as this is initially necessary for the implementation of pre-contractual measures and for the subsequent fulfilment of a contract.

3.4 Data deletion and storage period

The personal data of the data subject will be deleted or blocked as soon as the purpose of storage no longer applies. Storage may also take place if this is required by the European or national legislator in EU regulations, laws or other regulations to which the controller is subject. The data will also be deleted or blocked if a storage period prescribed by the aforementioned conditions expires, unless there is a need for further storage of the data for the conclusion or fulfilment of a contract.

4 Provision of the website and creation of log files

When you visit and use our website, we collect the personal data that your browser automatically transmits to our server. This information is temporarily stored in a so-called log file. When you use our website, we collect the following data, which is technically necessary for us to display our website to you and to ensure stability and security:

Information about the browser type and version used
The user’s operating system
The user’s Internet service provider
The user’s IP address
Date and time of access
Websites from which the user’s system reaches our website
Websites accessed by the user’s system via our website

The data is also stored in the log files of our system. This does not affect the IP addresses of the user or other data that enable the assignment of the data to a user. A storage of this data together with other personal data of the user does not take place.

4.1 Legal basis

Art. 6 (1) (f) GDPR serves as the legal basis for the aforementioned data processing. The processing of the aforementioned data is necessary for the provision of a website and thus serves to safeguard a legitimate interest of our company.

4.2 Storage limitation

The temporary storage of the IP address by the system is necessary to enable delivery of the website to the user’s computer. For this purpose, the IP address of the user must remain stored for the duration of the session.

5 Use of cookies

Our website uses cookies. Cookies are small text files that are stored locally in the cache of the browser used. When a user accesses our website, a cookie can be stored on the user’s operating system. This cookie contains a characteristic string of characters that allows the browser to be uniquely identified when the website is called up again. Cookies do not become part of the PC system, cannot run programs and do not contain viruses.

We use cookies to make our website more user-friendly. Some elements of our website require that the calling browser can be identified even after a page change. The use of cookies may be technically necessary or cookies may be used for other purposes.

Various cookies are used on our websites, which differ in type and function.

5.1 Session cookies and persistent cookies

A session cookie is a form of cookie that is deleted as soon as the user closes the browser after their current session. We use technically necessary session cookies, which store a session ID. With this session ID various requests from your browser can be assigned to the joint session. Some elements of our website require that the calling browser can be identified even after a page change.

Persistent cookies are stored on the user’s device to provide a user’s login information, settings or preferences the next time they visit the website. They serve to enable a more convenient and faster use of the website. This storage of these cookies is limited to a certain storage period, after which they are automatically deleted. Note that the storage period may vary depending on the cookie. You can also delete these cookies from your system beforehand by using the usual functionality of your browser.

The legal basis for this processing is Art. 6 (1) (f) GDPR.

5.2 Functional cookies

Functional cookies are necessary for the use of the website. In particular, we can recognize the device used when you return to the website. The legal basis for this processing is Art. 6 (1) (f) GDPR. We use functional cookies to to ensure the basic functions of our website. The functional cookies are deleted as soon as you log out or close the browser.

The user data collected by functional are not processed for the creation of user profiles.

5.3 Non-essential cookies

These cookies are used to make the use of the website more efficient and attractive. These are not necessary to use basic functions of our website. The legal basis for this processing is Art. 6 (1) (a) GDPR and is provided by your consent in the cookie banner. Non-essential cookies are automatically deleted after a specified storage period, which may differ depending on the cookie.

5.3.1 Analytical Cookies

Analytical cookies help website providers to understand how visitors interact with websites by collecting and reporting information anonymously.

5.3.2 Marketing Cookies

Third-party advertising cookies make it possible to show you various offers that match your interests. These cookies can be used to record users’ web activities over a longer period of time. You may recognize these cookies on various devices you use.

5.4 Legal basis for data processing

The legal basis for the processing of so-called functional cookies is our legitimate interest in the processing of personal data in accordance with Art. 6 (1) (f) GDPR. For non-essential cookies or so-called third-party cookies, we need your consent. If you have given us your consent regarding the use of non-essential cookies via the “cookie banner”, the legality of the use is based on Art. 6 (1) (a) GDPR. You can revoke this consent at any time by deactivating cookies in your browser settings for the future.

5.5 Storage limitation

As soon as the data transmitted to us via the cookies is no longer required to achieve the purposes described above, this information will be deleted, in particular if the cookies are deactivated. Further storage may take place in individual cases if this is required by law.

5.6 Configuration of browser settings

The administration of the cookie settings is possible for you via the configuration options of your browser settings listed below.

Most browsers are preset to automatically accept cookies. By changing the settings in your Internet browser, you can completely deactivate or restrict the transmission of cookies. Cookies that have already been stored can be deleted at any time. This can also be done automatically. However, we would like to point out that you may no longer be able to use all the functions of our website to their full extent if cookies are deactivated by your browser settings on our website. You can also use your browser settings to delete cookies already stored in your browser or display the storage period. Furthermore, it is possible to receive a notification before cookies are stored via respective browser settings. The different browsers differ in their respective functions, so we ask you to use the respective help menu of your browser for configuration options.

6 Bookings via our website

If you make bookings directly on our website, we process personal data that is necessary for the performance of a contract in accordance with Art. 6 (1) (b) GDPR. This also applies to processing operations that are necessary for the implementation of pre-contractual measures.

As part of the booking process on our website, we collect the following data:

Title
First name
Surname
Telephone
E-mail address
Booking details (destination, arrival and departure dates, number of guests per room, information about the payment method you have selected)

as well as any comments or information that you provide to us in the comment section.

The legal basis for the processing is the performance of a contract, the fulfilment of legal obligations, as well as your consent regarding any given voluntary information. Data processed for the stated reason will be stored for the duration of the statutory retention period and then deleted, unless there is a special reason for storage in the individual case that justifies or requires a longer storage period. The following third parties process data on our behalf: External accounting.

Your consent to the processing of data categories voluntarily provided by you can be revoked at any time. For the revocation, an informal notification to datenschutz@vagabondclub.com is sufficient. Your revocation makes further processing of your data on the basis of the consent inadmissible, but has no effect on the admissibility of the processing before the revocation.

Your rights as a data subject can be found in the chapter “Rights of the data subject”.

7 Contact form and e-mail contact

Contact forms are available on our websites, which can be used for electronic contact. If you choose this option, the data entered in the input mask will be transmitted to us and stored. The following data will be collected as part of our contact form:

First name
Surname
Company (optional)
E-mail address
Details of the request

Usage of the contact form takes place on a voluntary basis and is initiated by yourself. If you provide information on how to contact you, we will use these channels to contact you according to your request. For the processing of the data, your consent will be obtained as part of the sending process and a link to our privacy policy is provided. Alternatively it is possible to contact us via the e-mail address welcome@vaganondclub.com. In this case, the user’s personal data transmitted with the e-mail will be stored. The data will be deleted as soon as the purpose of the processing has been achieved, unless there is another legal retention period. The conversation is concluded when it can be inferred from the circumstances that the facts in question have been conclusively clarified. In this context, the data will not be passed on to third parties. The data will be used exclusively for the processing of your request or the purpose of contacting us.

The legal basis for the processing of the data is Art. 6 (1) (a) GDPR if the user has given their consent. The legal basis for the processing of data transmitted in the course of sending an e-mail is Art. 6 (1) (f) GDPR. If the e-mail contact is aimed at the conclusion of a contract, additional legal basis for the processing is Art. 6 (1) (b) GDPR.

8 Newsletter

8.1 Scope of data processing

On our website there is the possibility to subscribe to a newsletter. When registering for the newsletter, the e-mail address you provided will be transmitted to us.

The registration for our newsletter takes place through a double opt-in procedure. We will then send you a confirmation e-mail to the e-mail address you have provided, in which we ask you to confirm your subscription to the newsletter. You can agree by clicking on the confirm button you received. In this way, we can ensure that this is your e-mail address and that you wish to receive our newsletter.

Furthermore, the following data will be processed at the time of registration for the newsletter:

IP address
Date/time of subscription to the newsletter
Time of your confirmation by clicking the confirmation link

8.2 Legal basis of data processing

The legal basis for the processing of the data to receive our newsletter is Art. 6 (1) (a) GDPR if the user has given their consent.

8.3 Purpose of data processing

The storage of the user’s e-mail address serves to deliver the newsletter. The collection of other personal data as part of the registration process as described above serves to prevent misuse of the services or the e-mail address used.

8.4 Duration of storage

The data will be deleted as soon as they are no longer required to achieve the purpose for which they were collected. The user’s e-mail address will therefore be stored for as long as the subscription to the newsletter is active.

8.5 Revocation of consent

A revocation of your consent to the processing of the e-mail address for the receipt of the newsletter is possible at any time by directly clicking on the link to unsubscribe contained in the newsletter. The legality of the data processing carried out on the basis of the consent before the revocation is not affected by the revocation itself.

9 Registration on our website

On our website, we offer users the opportunity to register by providing personal data. The data submitted by the user is transmitted to us and stored. The data will not be passed on to third parties. If you register on our website, you can manage your reservation information.

9.1 Scope of data processing

The following data is collected as part of the registration process:

First name
Surname
Email
Address

At the time of registration, the following data is also stored:

The user’s IP address
Date and time of registration

9.2 Legal basis of data processing

As part of the registration process, the user’s consent to the processing of this data is obtained. The legal basis for the processing of the data is Art. 6 (1) (a) GDPR if the user has given their consent.

9.3 Purpose of data processing

The user’s registration is required for the provision of certain content and services on our website. The identification of the user is therefore necessary in order to provide this content and services.

9.4 Duration of storage

The data will be deleted as soon as they are no longer required to achieve the purpose for which they were stored. This is the case for the data collected during the registration process if the registration on our website is cancelled or changed.

9.5 Revocation of consent

As a user, you have the option of cancelling the registration at any time.

10 Use of Analytics tools

To make our website as pleasant and comfortable as possible for you, we occasionally use the services of external service providers. In the following, you can inform yourself about the services and functions used.

If you have given your consent in the cookie banner, our website uses functions of web analysis services. For this purpose, cookies are used that enable an analysis of how the website is used. The information generated in this way is transferred to the provider’s server and stored there.

The use of analytical and marketing cookies requires your consent in accordance with Article 6 (1) (a) GDPR. When you first visit our website, a cookie banner opens where you can give your consent to the use of analytical and marketing cookies.

10.1 Google Analytics

This website uses Google Analytics, a web analytics service provided by Google Inc., 1600 Amphitheatre Parkway, Mountainview, CA 94043 USA (“Google”). Google Analytics uses cookies that are stored on your computer and that enable an analysis of your use of the website.

The information generated by these cookies, for example about the time, place and frequency of your use of this website, is transmitted to a server operated by us in the EU and stored there. We would like to point out that Google may transfer this information to third parties if this is required by law, or if third parties process this data on behalf of Google.

Google will use the information generated by cookies on behalf of the operator of this website to evaluate your use of the website, to compile reports on website activity and to provide other services related to website activity and internet usage to the website operator. You can prevent the storage of cookies in general by setting your browser software accordingly. However, we would like to point out that in this case you may not be able to use all the functions of this website to their full extent.

In order to ensure the best possible protection of your personal data, Google Analytics has been extended on this website by the code “anonymizeIp”. This code causes the last 8 bits of the IP addresses to be deleted and your IP address is thus recorded anonymously (so-called IP masking). Your IP address will be shortened by Google before transmission within member states of the European Union or in other contracting states of the Agreement on the European Economic Area and thus anonymized.

As part of the use of Google Analytics, personal data may be transferred to countries outside the EU/EEA, in particular to the USA. The US is considered by the European Court of Justice to be a country with an insufficient level of data protection according to EU standards. In particular, due to the absence of an adequacy decision and without appropriate safeguards, there is a risk that your data may be processed by US authorities for control and monitoring purposes, possibly without redress. In this respect, we would like to point out that there may currently be no suitable guarantees for data transfer to the USA.

Further information can be found under http://tools.google.com/dlpage/gaoptout or under https://policies.google.com/ (general information on Google Analytics and data protection).

Further information on Google’s use of data for advertising purposes, setting and objection options can be found on Google’s websites: www.google.com/intl/de/policies/privacy/partners/ (“Use of data by Google when you use websites or apps of our partners”), www.google.com/policies/technologies/ads (“Use of data for advertising purposes”), www.google.de/settings/ads (“Manage information that Google uses to show you advertisements”) and www.google.com/ads/preferences/ (“Determine which ads Google shows you”). Order data agreement https://privacy.google.com/businesses/processorterms/; Data protection declaration for GDPR https://policies.google.com/privacy/update?hl=de.

1.1.1 Legal basis

The legal basis for the use is your consent in accordance with Art. 6 (1) (a) GDPR. You can revoke this consent at any time by deactivating cookies in your browser settings for the future.

1.1.2 Duration of Storage

The website operators have limited the storage period of the data in Google Analytics to 14 months.

10.2 Facebook Custom Audience Pixel

We use “Facebook Custom Audience Pixel” by Meta/Facebook on our website to optimize our advertising. The operator is Facebook, Inc. 1 Hackerway, Menlo Park, CA 94025, USA. For persons living outside the United States or Canada, the controller is Facebook Ireland Ltd, 4 Grand Canal Square, Grand Canal Habour, Dublin 2, Ireland. We use Facebook Custom Audience Pixel to show personalized ads to people who visit our website while logged in to Facebook. It also allows us to measure the effectiveness of our advertising by analyzing actions that users perform on our website. No personal data is provided to us. Facebook itself stores and processes the data at the same time, so that Facebook can connect to the respective Facebook user profile.

The legal basis for the storage of cookies and integration of the Facebook pixel is your consent in accordance with Art. 6 (1) (a) GDPR, if you have given your consent via the cookie banner. You have the option of preventing the storage of cookies and the integration of the web analysis service by means of selecting the corresponding settings.

For information on the processing and use of personal data by Facebook, please refer to the “Privacy Policy” published by Facebook. These can be found at: https://www.facebook.com/about/privacy/

Facebook may use your data for its own advertising purposes in accordance with the Privacy Policy.

11 Rights of the data subject

According to Art.15 GDPR in conjunction with § 34 BDSG you have the unrestricted right to free information about your data stored by us and according to § 35 BDSG the right to delete or block inadmissible data or the right to correct incorrect data.

If your personal data is processed by the controller, you are a data subject within the meaning of the GDPR and you have the following rights listed below.

11.1 Right of access by the data subject

The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:

the purposes of the processing;
the categories of personal data concerned;
the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
the right to lodge a complaint with a supervisory authority;
where the personal data are not collected from the data subject, any available information as to their source;
the existence of automated decision-making, including profiling, referred to in Article 22 (1) and (4) GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
Where personal data are transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards pursuant to Article 46 GDPR relating to the transfer.
The controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form.
The right to obtain a copy referred to in (10) shall not adversely affect the rights and freedoms of others.

11.2 Right to rectification

The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

11.3 Right to restriction of processing

The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies:

the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
the data subject has objected to processing pursuant to Article 21(1) GDPR pending the verification whether the legitimate grounds of the controller override those of the data subject.

Where processing has been restricted under the abovementioned circumstances, such personal data shall, with the exception of storage, only be processed with the data subject’s consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.

A data subject who has obtained restriction of processing pursuant to the conditions above shall be informed by the controller before the restriction of processing is lifted.

11.4 Right to erasure (‘right to be forgotten’)

11.4.1 Right to erasure

The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:

the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
the data subject withdraws consent on which the processing is based according to point (a) of Article 6 (1), or point (a) of Article 9 (2) GDPR, and where there is no other legal ground for the processing;
the data subject objects to the processing pursuant to Article 21 (1) GDPR and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21 (2) GDPR;
the personal data have been unlawfully processed;
the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
the personal data have been collected in relation to the offer of information society services referred to in Article 8 (1) GDPR.

11.4.2 Information to third parties

Where the controller has made the personal data public and is obliged pursuant to the abovementioned conditions to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.

11.4.3 Exceptions

The right to erasure does not exist if the processing is necessary:

for exercising the right of freedom of expression and information;
for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9 (2) as well as Article 9 (3) GDPR;
for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89 (1) GDPR in so far as the right referred to in the aforementioned paragraphs is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
for the establishment, exercise or defence of legal claims.

11.5 Right to information

If you have asserted the right to rectification, erasure or restriction of processing vis-à-vis the controller, the controller is obliged to inform all recipients to whom the personal data concerning you have been disclosed of this correction or deletion of the data or restriction of processing, unless this proves impossible or involves a disproportionate effort. You have the right vis-à-vis the controller to be informed about these recipients.

11.6 Right to data portability

The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where: the processing is based on consent pursuant to point (a) of Article 6 (1) or point (a) of Article 9 (2) GDPR or on a contract pursuant to point (b) of Article 6 (1) GDPR; and where the processing is carried out by automated means.

In exercising his or her right to data portability pursuant to the abovementioned conditions, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.

The exercise of the right referred to above shall be without prejudice to Article 17 GDPR (Right to erasure). That right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

The right referred to above shall not adversely affect the rights and freedoms of others.

11.7 Right to object to processing

The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6 (1) GDPR, including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.

Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.

Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.

11.8 Right to revoke consent under data protection law

You have the right to revoke your declaration of consent under data protection law at any time. The revocation of consent does not affect the lawfulness of the processing carried out on the basis of the consent until the revocation.

11.9 Automated individual decision-making, including profiling

The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her. This does not apply if the decision:

is necessary for entering into, or performance of, a contract between the data subject and a data controller;
is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests; or
is based on the data subject’s explicit consent.

However, these decisions may not be based on special categories of personal data pursuant to Article 9 (1) GDPR, unless Article 9 (2) (a) or (g) applies and appropriate measures have been taken to protect your rights and freedoms and your legitimate interests.

With regard to the cases referred to in (1) and (3), the controller shall take appropriate measures to safeguard the rights and freedoms and your legitimate interests, including at least the right to obtain human intervention on the part of the controller, to express his or her point of view and contest the decision.

11.10 Right to lodge a complaint with a supervisory authority

Without prejudice to any other administrative or judicial remedy, every data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data relating to him or her infringes this Regulation.

The supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Article 78 GDPR.

If you believe that the processing of your data violates data protection law or your data protection claims have otherwise been violated in any way, you can complain to the respective supervisory authority.

In Germany, the supervisory landscape under data protection law is federally structured. The non-public area is generally managed by the state data protection authorities. An overview of the responsible supervisory authorities and the current contact information can be found here:https://www.bfdi.bund.de/DE/Service/Anschriften/Laender/Laender-node.html;jsessionid=5F55BBA3E8CEAE0B6033C0E593DEFEE1.intranet231.

12 Hyperlinks to external websites

On our websites we use so-called hyperlinks to the websites of other providers. If these hyperlinks are activated, you will be redirected directly from one of our websites to the website(s) of the other providers. You can observe this, among other things, by the change of the URL. We are not responsible for the handling of your data on the websites of third parties, as we have no influence on whether these companies comply with the data protection regulations. Please inform yourself about the handling of your personal data by these companies directly on their websites.

12.1 Notice – Processing with joint responsibility

On our Facebook “fan page”, we process personal data together with Facebook, which provide information about the interaction of users and serve to optimize the usability of the website and marketing activities. For this purpose, we may refer to an agreement on joint responsibility, available at https://www.facebook.com/legal/controller_addendum or https://www.facebook.com/legal/terms/page_controller_addendum. Further information on the joint processing of personal data can be found in Facebook’s privacy policy under https://www.facebook.com/policy.php and under https://www.facebook.com/legal/terms/information_about_page_insights_data. In accordance with Art. 6 (1)(f) GDPR (“legitimate interest”), we use this information to create aggregated evaluations of the use of our social media presence and to optimize our marketing activities. This data will be stored by Facebook in accordance with the deadlines set out in https://www.facebook.com/policy.php, chapter: “Data storage, deactivation and deletion of accounts”.

13 Data integrity

We are committed to protecting your privacy and keeping your personal information confidential. To avoid manipulation, loss or misuse of your data stored by us, we take extensive technical and organizational security precautions, which are regularly checked and adapted to technological progress.

However, we would like to point out that due to the structure of the Internet, it is possible that the rules of data protection and the above-mentioned security measures are not observed by other persons or institutions that are not within our area of responsibility. In particular, data disclosed unencrypted – e.g. if this is done by e-mail – can be read by third parties. We have no technical influence on this. It is the responsibility of the user to protect the data provided by him or her by encryption or in any other way against misuse.

14 Changes to the Privacy Policy

Due to the further development of our apps and services, websites, newsletters as well as the content and services offered by us, it may be necessary to change this privacy policy. Vagabond Club GmbH reserves the right to change the privacy policy at any time with effect for the future. The current version is available at https://www.vagabondclub.com/privacy-policy/ . We recommend you to re-read the current privacy policy from time to time.

Vienna, 26.04.2022

Privacy Policy for Job Applicants

1 Name and address of the controller

The following party is responsible for the processing of personal data within the scope of this privacy policy referred to in Art. 4 (7) of the EU General Data Protection Regulation (GDPR):

Vagabond Club GmbH
Parkring 12/1/23
1010 Wien
AUSTRIA
Telephone: +43 1 333 737317
E-Mail: welcome@vagabondclub.com

2 Contact for data protection inquiries

Vagabond Club GmbH
Parkring 12/1/23
1010 Wien
AUSTRIA
Telephone: +43 1 333 737317
E-Mail: datenschutz@vagabondclub.com

3 Data processing in the context of application procedures

3.1 Scope of processing of personal data

As part of the application process, we only process your personal data that is related to your application and that is required to determine your professional and personal skills in relation to the position to be filled. We only use the information that you have given us directly. This may also include information that you have provided on online career networks or other job portals.

3.2 Type of personal data

We only collect personal data that is relevant to the application process. This can be general data about you, information about your professional qualifications and training, information about professional training or your professional career or other information that you would like to give us in connection with your application. If you are a non-EU citizen, you will need a work permit. That’s why we ask you about your nationality during the application process. We only record other information about you, in particular in the form of your preferred form of address, in order to be able to contact you accordingly.

3.3 Legal bases for processing personal data

We process the data mentioned for the purpose of making a decision on whether or not the job application shall result in employment, and, if necessary, for the implementation or termination of the employment as well as for exercising or fulfilling legal rights and obligations on the basis of § 26 BDSG. In addition, we can process personal data about you insofar as this is necessary to assert or defend against legal claims arising from the application process. We process the personal data you provide to carry out the application process with you and to ensure optimal staffing within our entire organization. We do this on the legal basis of our legitimate interest in order to carry out an efficient application process (Art. 6 (1) (f) GDPR) and on the basis of the need to carry out pre-contractual measures in accordance with Art. 6 (1) (b) GDPR . We collect this data as part of the application process either by you making it available to us (e.g. by sending your CV by email) or by collecting it ourselves (e.g. by taking notes during the job interview). You are not obliged to provide us with your personal data. However, if you do not provide information required for the job application, we will not be able to carry out the application process with you.

3.4 Transmission of data

Only those persons who need it for the stated purposes have access to your personal data. We only pass on your personal data to external recipients if there is legal permission or if you have given your consent. Your personal data will be treated as strictly confidential and only made accessible to the responsible persons involved in the application process.

3.5 Collection of data from third parties

If you do not send your application directly to us but via an external online portal, we will first collect your data via this third party.

3.6 Duration of Storage and Deletion

We delete your personal data after the end of the application process, unless a legal permit or your consent allows longer storage. In these two cases, we will delete your personal data after the legal permission no longer applies or after the consent has been revoked.

4 Rights of the data subject

If your personal data is processed by the controller, you are a data subject within the meaning of the GDPR and you have the following rights listed below.

4.1 Right of access by the data subject

the purposes of the processing;
the categories of personal data concerned;
the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
the right to lodge a complaint with a supervisory authority;
where the personal data are not collected from the data subject, any available information as to their source;
the existence of automated decision-making, including profiling, referred to in Article 22 (1) and (4) GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
Where personal data are transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards pursuant to Article 46 GDPR relating to the transfer.
The controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form.
The right to obtain a copy referred to in (10) shall not adversely affect the rights and freedoms of others.

4.2 Right to rectification

4.3 Right to restriction of processing

The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies:

the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
the data subject has objected to processing pursuant to Article 21(1) GDPR pending the verification whether the legitimate grounds of the controller override those of the data subject.

A data subject who has obtained restriction of processing pursuant to the conditions above shall be informed by the controller before the restriction of processing is lifted.

4.4 Right to erasure (‘right to be forgotten’)

4.4.1 Right to erasure

the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
the data subject withdraws consent on which the processing is based according to point (a) of Article 6 (1), or point (a) of Article 9 (2) GDPR, and where there is no other legal ground for the processing;
the data subject objects to the processing pursuant to Article 21 (1) GDPR and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21 (2) GDPR;
the personal data have been unlawfully processed;
the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
the personal data have been collected in relation to the offer of information society services referred to in Article 8 (1) GDPR.

4.4.2 Information to third parties

4.4.3 Exceptions

The right to erasure does not exist if the processing is necessary:

for exercising the right of freedom of expression and information;
for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9 (2) as well as Article 9 (3) GDPR;
for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89 (1) GDPR in so far as the right referred to in the aforementioned paragraphs is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
for the establishment, exercise or defence of legal claims.

4.5 Right to information

4.6 Right to data portability

The right referred to above shall not adversely affect the rights and freedoms of others.

4.7 Right to object to processing

Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.

4.8 Right to revoke consent under data protection law

4.9 Automated individual decision-making, including profiling

is necessary for entering into, or performance of, a contract between the data subject and a data controller;
is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests; or
is based on the data subject’s explicit consent.

4.10 Right to lodge a complaint with a supervisory authority

5 Data integrity

6 Changes to the Privacy Policy

Due to the further development of our apps and services, websites, newsletters as well as the content and services offered by us, it may be necessary to change this privacy policy. Vagabond Club GmbH reserves the right to change the privacy policy at any time with effect for the future. The current version is available at https://www.vagabondclub.com/en/privacy-policy/. We recommend you to re-read the current privacy policy from time to time.

Vienna, 26.04.2022