Data protection

We take data protection seriously. This privacy policy explains how we process your data and what rights you have under data protection law. Valid from 25 May 2018.

1. Data processing controller and contact details

Contact details of our data protection officer:

Rechtsanwälte Ehspanner PartG
Matthias Ehspanner, Attorney
Data protection officer: Erfurt Tourismus und Marketing GmbH
Benediktsplatz 1
99084 Erfurt


Controller as defined in data protection law

Erfurt Tourismus und Marketing GmbH
Benediktsplatz 1
99084 Erfurt
Tel: +49 (0)361 664 0200
Fax: +49 (0)361 664 0290


If you have any questions regarding the collection, processing or use of your personal data, or for information, correction, blocking or erasure of data or for the withdrawal of consents given, please contact our data protection officer.

You can contact our data protection officer by email at or by writing to our postal address and marking the envelope for the attention of ‘Datenschutzbeauftragter’.

2. Information on the collection of personal data

Legal basis and purposes of collection
We use personal data in accordance with the provisions of the General Data Protection Regulation (GDPR), the German Data Protection Act (BDSG) and other applicable data protection provisions (details below). What specific data is used and how it is used is determined primarily by the services requested or agreed. Further details and additional information concerning the purposes of data processing can be found in the relevant contract documents, forms, declaration of consent and/or other information provided to you (e.g. in connection with the use of our website or in our terms and conditions). In addition, this privacy statement may be updated from time to time. Please visit our website for information.

For the performance of a contract or to take steps prior to entering into a contract (Art. 6 (1) (b) GDPR)
Personal data is processed in order that we can perform our contracts with you. We also process data in order to fulfil your orders and to carry out steps and activities prior to entering into a contract (for example with interested parties). The primary purpose of the processing is to facilitate the provision of tourist services and delivery of products in accordance with your orders and wishes. It includes the measures, services and activities necessary for this. These include the contract-related communication with you, the traceability of transactions, orders and other agreements, quality control through appropriate documentation, goodwill procedures, and measures for the control and optimisation of business processes as well as for the fulfilment of the general duties of care, control and inspection by affiliated companies; statistical evaluations for monitoring purposes, cost recording and financial control, reporting, internal and external communication, crisis management, billing and tax assessment of operational services, risk management, assertion of legal claims and defence in legal disputes; ensuring IT security (including system and plausibility testing) and general security, ensuring the integrity, authenticity and availability of data, preventing and investigating criminal offences; inspections by supervisory or monitoring bodies (e.g. internal audit).

When you contact us by email or via a contact form, we will store the data you provide (your email address, possibly your name and telephone number) in order to answer your questions. We delete the data arising in this connection once storage is no longer necessary, or restrict the processing if there are statutory record retention requirements.

For the purposes of a legitimate interest pursued by us or a third party (Art. 6 (1) (f) GDPR)
Beyond the actual performance of the contract or pre-contractual measures, we may use your data if this is necessary to protect our legitimate interests or those of a third party, in particular:

  • for advertising or market and opinion research, provided that you have not objected to the use of your data;
  • for the testing and optimisation of needs analysis procedures;
  • for the further development of services and products as well as of existing systems and processes;
  • for the enrichment of our data, including through the use or research of publicly available data;
  • for statistical evaluations or market analysis;
  • for benchmarking.

For compliance with legal obligations (Art. 6 (1) (c) GDPR) or in the public interest (Art. 6 (1) (e) GDPR)
Like everyone who participates in business activities, we are subject to a number of legal obligations. These are primarily statutory requirements (e.g. trade and tax laws), but also regulatory and other official requirements. The purposes of the processing may include identity and age verification, fraud and money laundering prevention, the prevention, combating and investigation of terrorist financing and asset-endangering crimes, checking against European and international anti-terror lists, the fulfilment of fiscal control and reporting obligations, and the archiving of data for the purposes of data protection and data security as well as auditing by tax and other authorities. In addition, the disclosure of personal data may become necessary in the course of governmental/judicial action for the purpose of gathering evidence, prosecuting crimes or enforcing civil claims.

Recipients or categories of recipients of your data
Within our company, the internal departments or organisational units that need your data to fulfil our contractual and statutory obligations or in connection with processing and implementing our legitimate interest will receive it. Your data will not be passed on to external bodies except

  • in connection with the performance of the contract;
  • for purposes of meeting legal obligations that require us to provide information, or report or pass on data, or if the passing on of data is in the public interest;
  • if external service providers process data on our behalf as processors or contractors (e.g. external computer centres, support/maintenance of IT applications, archiving, receipt processing, financial control, data screening for anti-money laundering purposes, data validation or plausibility checks, data destruction, purchasing/procurement, customer administration, lettershops, marketing, media technology, research, risk control, billing, telephony, website management, auditing services, banks, printers or data disposal companies, courier services, logistics);
  • on the basis of our legitimate interest or the legitimate interest of the third party for the purposes specified under clause 2.2 (e.g. to government authorities, credit agencies, debt collection agencies, lawyers, courts, experts, Group companies and committees and supervisory bodies);
  • if you have given us consent to share your data with third parties.

Other than in the aforementioned instances, we will not share your data with third parties. Service providers commissioned by us to process data will be required to provide a certificate confirming compliance with data processing requirements in order to ensure consistent security standards. In other cases, recipients of the data may use it only for the purposes for which it was sent to them.

Collection of personal data when you visit our website

(1) If you only use the website for information purposes, i.e. if you do not register or otherwise provide us with information, we only collect the personal data that your browser transmits to our server. If you wish to view our website, we collect the following data which is necessary for technical purposes, both to enable you to view our website and to guarantee stability and security (legal basis is Art. 6 (1) sentence 1 (f) GDPR):

  • IP address 
  • Date and time of the request
  • Time zone difference to Greenwich Mean Time (GMT)
  • Content of the request (specific page)
  • Access status/HTTP status code
  • Quantity of data downloaded
  • Website from which the request originates
  • Browser
  • Operating system and its interface
  • Language and version of the browser software.

(2) Statistical analysis using Matomo. This website uses the open-source software Matomo ( to conduct statistical analyses of user access. Cookies, i.e. small text files that are stored on your computer, are used for this purpose. The usage data obtained through these cookies is communicated to our server and stored there for the purpose of conducting usage analyses, which help us optimise our website. Your IP address is anonymised immediately in this process, i.e. users remain anonymous. The server on which the statistical data is stored is from a German provider and is also physically located in Germany. Cookies cannot execute programs or transmit viruses to your computer. They serve to make our website more user-friendly and effective overall. If you do not want this data about your visit to our website to be stored and analysed, you can object to the storage and use of your data at any time by clicking in the box at the end of this privacy notice. An opt-out cookie will then be placed on your computer, which will ensure that Piwik cannot collect any session data. Please note: Deleting all cookies from your hard drive will also delete the opt-out cookie, so you will subsequently need to re-enable it.

(3) Use of cookies:

a) This website uses the following types of cookies, the scope and functionality of which are explained below:

  • Transient cookies (see b)
  • Persistent cookies (see c).

b) Transient cookies are automatically deleted when you close your browser. They include, in particular, session cookies that store a ‘session ID’ which can be used to assign various requests from your browser to the shared session. This enables the website to recognise your computer when you next visit. Session cookies are deleted when you log out or close your browser.

c) Persistent cookies are automatically deleted after a specified period which is determined by the cookie. You can delete the cookies in the security settings of your browser at any time.

d) You can configure your browser settings to suit your preferences and, for example, refuse to accept third-party cookies or any cookies. We would like to point out that this may prevent you from being able to use all the functions of this website.

e) [We use cookies to identify you for subsequent visits if you have an account with us. Otherwise you would have to log in again each time you visit.]5

f) [The Flash cookies used are installed not in your browser, but in your Flash plug-in. We also use HTML5 storage objects that are stored on your device. These objects store the required data regardless of the browser you are using and do not have an automatic expiry date. If you do not want the Flash cookies to be processed, you must install an appropriate add-on, such as ‘Better Privacy’ for Mozilla Firefox ( or the Adobe Flash Killer cookie for Google Chrome. You can prevent the use of HTML5 storage objects by using private mode in your browser. We also recommend that you regularly delete your cookies and browser history manually.]

3. Your rights

(1) You can assert your data protection rights against us in certain circumstances.

  • Right of access
    Under Art. 15 GDPR, you have the right to obtain information from us about the data we hold about you (where applicable subject to the limitations set out in section 34 BDSG).
  • Right to rectification or erasure
    In accordance with Art. 16 GDPR, we will, on request, rectify the personal data that we hold about you if this is inaccurate or incorrect. If you wish, we will erase your data in accordance with the principles of Art. 17 GDPR unless other statutory provisions (e.g. statutory record retention requirements or the restrictions of section 35 BDSG) or an overriding interest on our part (e.g. to defend our rights and claims) prevent this.
  • Right to restriction of processing
    Subject to the provisions of Art. 18 GDPR, you can demand that we restrict the processing of your data.
  • Right to object to processing
    Under Art. 21 GDPR, you can also object to the processing of your data, in which case we have to stop processing your data. However, this right to object only applies where there are very special circumstances relating to your personal situation, and the rights of our company may override your right of objection.
    Information about your right to object (Art. 21 GDPR
    You have the right, at any time, to object to the processing of your data which is carried out on the basis of Art. 6 (1) (f) GDPR (data processing on the basis of a balancing of interests) or Art. 6 (1) (e) GDPR (data processing in the public interest), if there are reasons for doing so relating to your particular situation. This also applies to profiling based on this provision within the meaning of Art. 4 no. 4 GDPR.
    If you file an objection, we will no longer process your personal data unless we can prove there are compelling legitimate grounds for the processing that outweigh your interests, rights and freedoms, or the processing is necessary for the assertion, exercise or defence of legal claims.
    You also have the right to revoke your consent to the processing of personal data at any time with effect for the future (see clause 2.3).
  • Right to data portability
    You have the right to receive your data on the conditions set out in Art. 20 GDPR in a structured, commonly used and machine-readable format or to transmit it to a third party.

(2) You also have the right to lodge a complaint with a data protection supervisory authority about the processing of your personal data by us (Art. 77 GDPR). However, we recommend that you always address any complaint to our data protection officer in the first instance.

Your requests concerning the exercise of your rights should, if possible, be sent in writing to the above address or directly to our data protection officer.

4. Period for which your data may be stored

We process and store your data for the duration of our business relationship. This also includes the initiation of a contract (pre-contractual legal relationship) and the execution of a contract.

We are also subject to various record retention and documentation requirements, including those arising from the German Commercial Code (HGB) and Tax Code (AO). The periods for retention and documentation specified there are up to ten years beyond the end of the business relationship or the pre-contractual legal relationship.

Furthermore, special statutory provisions may require a longer record retention period, e.g. the preservation of evidence in connection with the statutory limitation periods. Pursuant to sections 195 et seq. of the German Civil Code (BGB), the general limitation period is three years; however, limitation periods of up to 30 years may also be applicable.

If the data is no longer required for the fulfilment of contractual or statutory obligations and rights, it will be periodically deleted unless there is an overriding legitimate interest that requires its further processing – for a limited period of time – for the purposes listed under clause 2.2. Such an overriding legitimate interest also exists, for example, if erasure is not possible due to the special type of storage or would involve a disproportionate effort and if appropriate technical and organisational measures are in place to prevent the data from being processed for other purposes.

5. Scope of your obligations to provide us with your data

You only need to provide the data that is necessary for the establishment and performance of a business relationship or for a pre-contractual relationship with us or that we are legally obliged to collect. Without this information, we will usually not be able to enter into or perform the contract. The obligation to provide data may also refer to data required later within the framework of the business relationship. If we request further data from you, you will be informed of the voluntary nature of the provision of information separately.

Personal data is collected when you voluntarily provide it to us on a contact form, or when reserving rooms or buying tickets for a guided tour, or when placing an order in the online shop.

Your personal data may be shared with service providers used by us in connection with the fulfilment of the order.

6. Data security

During the ordering process, your data is transmitted over the internet in encrypted form. We put technical and organisational measures in place to secure our website and other systems and to protect your data against loss, destruction, access, alteration and distribution by unauthorised persons. You should always keep your access information confidential and close the browser window when you have finished communicating with us, especially if you share your computer with others.

Remember that data transmission over the internet can always be subject to security vulnerabilities. It is not possible to completely exclude the possibility of access by third parties.

7. Liability for content

Every effort is made to ensure that the content of this website is accurate. However, we are unable to guarantee that the information provided is complete, accurate and up to date. Pursuant to section 7 (1) of the German Telemedia Act (TMG), as an online provider we are responsible for our own content under the generally applicable laws. However, as an online provider we are under no obligation to monitor third-party information that is saved or provided to us, or to actively look for circumstances that indicate unlawful activity (sections 8–10 TMG). This does not affect our obligation under the generally applicable laws to remove or block access to information. However, any liability to that effect is accepted only from the point at which specific breaches of law become known. If we become aware of any such breaches of law, we will remove this content immediately.

8. Liability for links

In its judgment of 12 May 1998, the Hamburg regional court ruled that the provision of a link can establish responsibility for the content of the site to which the link is provided. According to the court, this can only be avoided by dissociating oneself explicitly from such content. Our website contains links to other websites. In respect of all of these links, we would like to explicitly state that we have no influence whatsoever on the design or the content of any of the linked websites. We therefore explicitly dissociate ourselves from the entire content on all pages to which links are provided on this website. This statement extends to all links provided on our website. The providers or operators of the linked sites are exclusively responsible for their content. We cannot reasonably be expected to review the content of linked websites on an ongoing basis without any indication of a breach of law. If we become aware of any such breaches of law, we will remove the link immediately.

9. Copyright

The content and works produced by the site operator on these pages are subject to German copyright law. Replication, editing, distribution and reuse of any kind beyond the scope of copyright law require the written consent of the party that wrote or produced the contribution. Downloads and copies of this page are permitted only for personal, non-commercial use. Where the content on these pages was not created by the site operator, the copyright of third parties has been respected. Third-party content is identified as such. Please notify us should you identify a breach of copyright. If we become aware of any such breaches of law, we will remove this content immediately.

Our privacy policy as well as information on data protection regarding our data processing activities according to Articles 13, 14 and 21 GDPR may be amended from time to time. All changes will be published on this page.

At this stage, you can decide whether you want to accept a unique web analysis cookie being stored in your browser in order to enable the website operator to collect and analyse a variety of statistical data.
If you decide not to accept it, you need to uncheck the box below in order to store the Matomo opt-out cookie in your browser.

<iframe style="border: 0; width:100%; margin:-8px;" src=""></iframe>