1. Name and contact data of the person responsible for the processing
This data protection policy applies for data processing by
Geopark Ries e. V.
(hereinafter "Association" or "Controller")
Pflegstr. 2
86609 Donauwörth
Germany
Internet: www.geopark-ries.de
Email: info@geopark-ries.de
Telephone: 0906/74 6030
Fax: 0906/74 6040
Further information can be found in the imprint of this website.
If you have any comments or questions about the data processing by the Association, we are at your disposal at any time under the aforementioned contact data.
2. Purposes of the data processing, data categories and legal bases
When you open our website, the browser used on your end device automatically sends information to our website server. This information is saved temporarily in a log file. The following information is collected without any action on your part and saved until it is automatically deleted:
- IP address of the requesting computer,
- date and time of the access,
- name and URL of the requested file,
- website from which the access is made (referrer URL),
- browser type and version and further information sent by the browser (such as your computer's operating system, the name of your access provider, geographical origin, language setting etc.).
In addition, two persistent, technically necessary cookies are used.
We process and evaluate the cookies and the specified data for the following purposes:
- ensuring a smooth connection set-up to the website,
- ensuring user-friendly use of our website,
- evaluating the system security and stability and
- for further administrative purposes.
The legal base for the data processing is Art. 6 (1) sentence 1 lit. f GDPR and Section 25 (2) no. 2 Telecommunications Digital Services Data Protection Act. Our legitimate interest lies in a functional and secure website. Under no circumstances shall we use the data collected for the purpose of drawing conclusions about you as an individual.
The data stored in the log file and the persistent cookies will be deleted automatically after 30 days.
If you place an order via our shop, we process the data you enter here to conclude a contract (e.g. contact and payment data). The data processing is carried out on the basis of Art. 6 (1) sentence 1 lit. b GDPR and is necessary for the fulfilment of the contract with you. We pass on your contact details to a postal service provider for the purpose of dispatch. In addition, we use cookies and analysis services when our website is visited. Further explanations about this can be found below.
The personal data collected by us for the order will be stored for the period of order fulfilment and deleted after one year at the latest, provided that there are no statutory retention periods to prevent deletion.
If you contact us via the contact form or otherwise, we will process your contact information and your other details. We process your data on the basis of Art. 6 (1) sentence 1 lit. f GDPR, as we have a legitimate interest in processing your enquiries.
If your message is aimed at the conclusion of a contract or is in the context of an existing contract, the data processing required for this is carried out on the basis of Art. 6 (1) sentence 1 lit. b GDPR.
We have commissioned Magenta4 GmbH, Pfahlstr. 25, 85072 Eichstätt with the technical implementation of the contact process via the contact form. A data processing contract pursuant to Art. 28 GDPR has been concluded with Magenta4 GmbH.
The data will be deleted after the enquiry has been processed, provided that there are no legal retention periods to prevent deletion.
d) Ordering our newsletter
If you order our newsletter, we process the data from the registration form on the basis of your consent (Art. 6 (1) sentence 1 lit. a GDPR). You can revoke your consent at any time with effect for the future, e.g. by clicking the unsubscribe button in the newsletter. After you have entered the information, we will first send you a confirmation e-mail. Please click on the confirmation link in this e-mail to be added to the newsletter mailing list. As part of this double opt-in procedure, we store the IP address with which you register on our website, to whom the confirmation is sent and the time of these actions. The legal base for this processing is Art. 6 (1) sentence 1 lit. f GDPR. Proof of consent to receive our newsletter constitutes a legitimate interest. The data will be deleted as soon as the purpose is fulfilled.
e) Creating statistics on the use of the website
On the basis of our legitimate interest pursuant to Art. 6 (1) sentence 1 lit. f GDPR, we use the Plausible Analytics service provided by Plausible Insights OÜ, Västriku tn 2, 50403, Tartu, Estonia, in self-hosting mode on our own servers.
Plausible Analytics enables us to analyse and optimise our website in order to design content and functions in line with requirements. Only information that your browser automatically transmits when you visit our website is processed and this is immediately aggregated and anonymised. This includes:
- IP address (truncated and hashed)
- the URL visited,
- referrer (the previously visited page),
- end devices used (e.g. operating system, browser type, language settings),
- date and time of the access.
There is no permanent recognition or profiling. Plausible works completely without cookies or similar technologies. No data are stored or retrieved on your end device.
Our legitimate interest in the analysis and optimisation of our website outweighs the interests of data subjects due to the minimal interference. This is due in particular to the fact that:
- no personal data are permanently stored,
- only aggregated and anonymised data are processed,
- no cookies or end device accesses are involved,
- and tracing to individual persons is impossible.
After 24 hours at the latest, the raw data are completely deleted and only the fully anonymised data are processed further.
f) Booking standard guided tours
We offer the option of booking standard guided tours on our website. If you choose such a tour, we will process your details when you make your booking enquiry. The legal base for this processing is Art. 6 (1) lit. b GDPR. Your data will be deleted once the purpose for which it was collected no longer applies; this will generally be the case once the contract has been fulfilled and the statutory retention periods have expired.
g) Leaflet / OpenStreetMap
This website uses the open-source JavaScript library Leaflet to display maps from the OpenStreetMap Foundation, 132 Maney Hill Road, Sutton Coldfield, West Midlands, B72 1JU, Great Britain (hereinafter referred to as ‘OpenStreetMap’). OpenStreetMap collects freely usable geodata and stores it in a database for free use.
By clicking on the button, you activate OpenStreetMap and agree to the use of cookies and the transfer of data.
To integrate and display the map material, the web browser used establishes a connection to other servers. As a result, information about your use of this website and personal data (in particular your IP address) is processed. The legal basis for the processing is your consent in accordance with Art. 6 (1) sentence 1 lit. a GDPR and Section 25 (1) sentence 1 Telecommunications Digital Services Data Protection Act, which can be revoked at any time with effect for the future.
For the transfer of personal data to the UK, we rely on the adequacy decision of the EU Commission pursuant to Art. 45 (1) GDPR.
Further information on data protection in connection with OpenStreetMap can be found here.
Your data will be deleted as soon as the purpose is fulfilled.
i) Implemented YouTube videos
On our website we use components (videos) from YouTube, a Google Ireland Limited company, Gordon House, Barrow Street, Dublin 4, Ireland (hereinafter: "YouTube").
The implementation is on the basis of your consent pursuant to Art. 6 (1) sentence 1 lit. a GDPR and Section 25 (1) sentence 1 Telecommunications Digital Services Data Protection Act. You can revoke your consent at any time with effect for the future in the cookie settings. Loading the videos on our website will send data to Google. In particular, data about which of our Internet pages you have visited and device-specific information including the IP address will be sent to Google.
Here, we use the "privacy-enhanced mode" option provided by YouTube. If you open a page that has an embedded video, your browser will only be instructed to connect to the YouTube servers and display the content on the page if you actually watch the video.
If you are logged in with YouTube at the same time, that information will be assigned to your member account at YouTube. You can prevent this by first closing your member account before visiting our website.
Further data protection information in conjunction with YouTube can be found in the Google data protection policy.
Google also sends the information to Google servers in the USA (See also Point 3). On 10 July 2023, the EU Commission issued an adequacy decision for the Data Privacy Framework for the transfer of data to recipients based in the USA. Accordingly, an adequate level of data protection is assumed when data are transferred to certified recipients based in the USA. In addition, Google has also undertaken to conclude suitable guarantees in the form of the EU standard contractual clauses in order to ensure an appropriate level of data protection by contract. You can find them here.
Your data will be deleted as soon as the purpose is fulfilled.
On our website, we use the Klaro! service, a consent manager from KIProtect GmbH, Am Bassin 4, 14467 Potsdam, Germany ("Klaro!"). Klaro! enables us to obtain, manage and document the consent of our users to the processing of cookies and similar technologies. Consent is stored by a cookie, which contains information such as the status of the consent and the respective preference. We store your settings on the basis of Art. 6 (1) sentence 1 lit. f GDPR, as we have a legitimate interest in effective cookie management. The consent data stored by Klaro! will be held for a period of 12 months unless you revoke your consent beforehand. Data are automatically deleted once this period has expired.
3. Additional information about data transfers to third countries
In conjunction with data processing, data may be transferred to third countries, i.e. to recipients outside the EU or the European Economic Area (EEA). If a decision of the European Commission on the existence of an adequate level of protection (see Art. 45 para. 3 GDPR) exists with regard to the third country, no additional measures are required for the data transfer. In the case of data transfer to recipients based in the USA, this takes place on the basis of the so-called Transatlantic Data Privacy Framework (DPF) of 10 July 2023, provided that the recipient has a corresponding certification. You can find a list of the currently certified companies here. In other cases and in the case of data transfers to other so-called non-secure third countries, data will only be transferred if the requirements of Art. 46 ff GDPR are met. Specifically, this means that a transfer to third countries only takes place if
- the recipient offers appropriate safeguards pursuant to Art. 46 GDPR for the protection of the personal data,
- you have explicitly consented to the transfer, after we informed you about the risks, pursuant to Art. 49 (1) lit. a) GDPR,
- the transfer is required to fulfil contractual obligations between you and us or
- another exception under Art. 49 GDPR applies.
Which of the aforementioned principles applies in individual cases is shown to you in the respective processing.
Data transfers to recipients based in the USA who do not have DPF certification and for whom an adequate level of data protection cannot be established by means of guarantees within the meaning of Art. 46 GDPR will only be made with your consent within the meaning of Art. 49 (1) lit. a GDPR, as no adequate level of data protection comparable to that in the EU can be guaranteed in the USA without DPF certification. The following risks arise when sending personal data to the USA: There is a risk that US authorities can gain access to the personal data under the PRISM and UPSTREAM surveillance programs based on Section 702 FISA (Foreign Intelligence Surveillance Act) and on the basis of Executive Order 12333 or Presidential Policy Directive 28. EU citizens have no effective possibilities of legal protection against such access in the USA or in the EU.
Further information and a copy or reference to the respective appropriate safeguards can be found in the description of the respective processing.
4. Affected parties’ rights
You have the right:
- pursuant to Art. 15 GDPR to demand information about your personal data we process. In particular, you can demand information about the purposes of the processing, the categories of the personal data, the categories of recipients to whom the personal data have been or will be disclosed, the planned storage period, the existence of a right to rectification, erasure, restriction of or objection to processing, the existence of a right to lodge a complaint, the origin of your data in so far as not collected by us, and about the existence of automated decision-making including profiling and where appropriate meaningful information about the details thereof;
- pursuant to Art. 16 GDPR to demand the rectification of inaccurate or completion of incomplete personal data stored by us without undue delay;
- pursuant to Art. 17 GDPR to demand the erasure of your personal data stored by us, in so far as the processing is not required for exercising the right of freedom of expression and information, for compliance with a legal obligation, for reasons of public interest or for the establishment, exercise or defence of legal claims;
- pursuant to Art. 18 GDPR to demand the restriction of the processing of your personal data, in so far as you contest the accuracy of the data, the processing is unlawful but you oppose their erasure, we no longer need the data but you do for the establishment, exercise or defence of legal claims, or you have objected to processing pursuant to Art. 21 GDPR;
- pursuant to Art. 20 GDPR to receive your personal data which you have provided to us in a structured, commonly used and machine-readable format or to demand they be transmitted to another controller;
- pursuant to Art. 7 (3) GDPR to revoke your consent to us at any time. This means that we may no longer continue data processing based on that consent in the future and
- pursuant to Art. 77 GDPR to lodge a complaint with a supervisory authority. As a rule, you can contact the supervisory authority for your habitual residence, place of work or our registered offices.
In so far as your personal data are processed on the basis of justified interests pursuant to Art. 6 (1) sentence 1 lit. f GDPR, you have the right pursuant to Art. 21 GDPR to object to the processing of your personal data in so far as there are reasons which arise from your particular situation or the objection is to direct advertising. In the latter case, you have a general right to object which we will implement without your having to specify a particular situation.
To exercise your right to object, please contact: info@geopark-ries.de
To assert your rights, please use the contact data provided at the beginning of this data protection policy.
5. Currency of and changes to this data protection policy
This data protection policy is the currently valid version and was last amended in January 2025.
The further development of our website and offers on it or changes in statutory or official requirements may make it necessary to change this data protection policy.