Phantasialand Schmidt-Löffelhardt GmbH & Co. KG
Phantasialand Verwaltungsgesellschaft mbH
Phantasialand Gastronomie GmbH
Scope of application
The following information refers to and applies to the domains and mobile applications listed below.
Our websites (online presences) include the domains:
www.phantasialand.de and associated subdomains, for example www.magazin.phantasialand.de, www.shop.phantasialand.de and www.phantasialandblog.de
Our mobile applications include:
Types of data processed:
- Inventory data (e.g., names, addresses).
- Contact details (e.g., e-mail, telephone numbers).
- Content data (e.g., text input, photographs, videos).
- Usage data (e.g., visited websites, interest in content, access times).
- Meta/communication data (e.g., device information, IP addresses).
Categories of persons concerned
Visitors and users of the online service (hereinafter referred to as "users").
Purpose of processing
- Provision of the online service, its functions and contents.
- Answer contact requests and communicate with users.
- Security measures.
"Personal data" means any information relating to an identified or identifiable natural person (hereinafter referred to as "data subject"); an identifiable natural person is a person who can be identified, directly or indirectly, in particular by assignment to an identifier such as a name, an identification number, location data, an online identifier (e.g. cookie) or to one or more special features that express the physical, physiological, genetic, psychological, economic, cultural or social identity of that natural person.
"Processing" means any operation or series of operations in connection with personal data carried out with or without the aid of automated procedures. The term has a very broad meaning and covers practically every type of data handling.
"Pseudonymisation" means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that this additional information is kept separately and is subject to technical and organisational measures to ensure that personal data is not attributed to an identified or identifiable natural person.
"Profiling" means any automated processing of personal data where the purpose is the use of such personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects relating to the work performance, economic situation, health, personal preferences, interests, reliability, behaviour, location or relocation of that natural person.
“Controller " means the natural or legal person, authority, institution or other body that alone or together with others decides on the purposes and means of processing personal data.
"Processor" means a natural or legal person, authority, institution or other body processing personal data on behalf of the controller.
Applicable legal bases
We take appropriate technical and organisational measures to ensure a level of protection appropriate to the risk, taking into account the state of the art, implementation costs and the nature, scope, circumstances and purposes of processing as well as the different probability of occurrence and severity of the risk to the rights and freedoms of natural persons, in accordance with Art. 32 GDPR.
These measures include, in particular, ensuring the confidentiality, integrity and availability of data by controlling physical access to the data, as well as the access, input, transmission, security of availability and its separation. We have also established procedures to ensure the exercise of data subject rights, deletion of data and reaction to endangerment of data. We already consider the protection of personal data during the development or selection of hardware, software and procedures, in accordance with the principle of data protection through technology design and data protection-friendly presetting (Art. 25 GDPR).
Collaboration with contract processors and third parties
If we disclose data to other persons and companies (contract processors or third parties) within the context of our processing, transmit it to them or otherwise grant them access to the data, this shall only take place on the basis of a legal permission (e.g. if transmission of the data to third parties, such as payment service providers, in accordance with Art. 6 Para. 1 lit. b GDPR is necessary for contract fulfilment), to which you have given your consent, if there is a legal obligation to do so or on the basis of our legitimate interests (e.g. when using agents, web hosts, etc.).
If we commission third parties with the processing of data on the basis of what is referred to as an "order processing contract", this is performed on the basis of Art. 28 GDPR.
Transfers to third countries
If we process data in a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA)) or if this occurs in the context of the use of third-party services or disclosure or transfer of data to third parties, this only takes place if it occurs for the fulfilment of our (pre)contractual obligations, on the basis of your consent, on the basis of a legal obligation or on the basis of our legitimate interests. Subject to legal or contractual permissions, we process or have the data processed in a third country only if the special requirements of Art. 44 ff. GDPR apply. This means, for example, that processing is performed on the basis of special guarantees, such as the officially recognised level of a data protection corresponding to the EU (e.g. for the USA by the "Privacy Shield") or compliance with officially recognised special contractual obligations (referred to as "standard contractual clauses").
Rights of data subjects
In accordance with Art. 15 GDPR you have the right to request confirmation whether the data concerned is being processed and to request information about this data as well as further information and a copy of the data.
In accordance with Art. 16 of the GDPR, you have the right to request the completion of data concerning you or the correction of inaccurate data concerning you.
In accordance with Art. 17 GDPR, you have the right to demand that relevant data be deleted immediately or, alternatively, to demand a restriction on the processing of the data in accordance with Art. 18 GDPR.
In accordance with Art. 20 GDPR you have the right to request to be provided with the data concerning you that you have provided to us and to request its transmission to other responsible persons.
In accordance with Art. 77 GDPR you also have the right to file a complaint with the competent supervisory authority.
Right of revocation
You have the right to revoke consents granted in accordance with Art. 7 para. 3 GDPR with effect for the future.
Right of objection
You can object to the future processing of the data concerning you at any time in accordance with Art. 21 GDPR. The objection may be lodged in particular against processing for direct marketing purposes.
Cookies and right of objection in direct advertising
"Cookies" are small files that are stored on the user's computer. Various information can be stored within the cookies. A cookie is primarily used to store information about a user (or the device on which the cookie is stored) during or after their visit to an online service. Temporary cookies, or "session cookies" or "transient cookies", are cookies that are deleted after a user leaves an online service and closes their browser. For example, the content of a shopping basket in an online shop or a login status can be stored in such a cookie. Cookies are referred to as "permanent" or "persistent" if they remain stored even after the browser is closed. For example, the login status can be saved if users visit it after several days. Likewise, the users interests may be stored in such a cookie and used for coverage or marketing purposes. "Third-party cookies" are cookies that are offered by providers other than the controller for operating the online service (otherwise, if they are only cookies offered by the controller for operating the online service, they are referred to as "first-party cookies").
If users do not want cookies to be stored on their computer, they are asked to deactivate the option in the system settings of their browser. Stored cookies can be deleted in the browser’s system settings. The exclusion of cookies can lead to functional restrictions with this online service.
Deletion of data
According to German legal requirements, the retention period is 10 years in accordance with §§ 147 para. 1 AO, 257 para. 1 no. 1 and 4, para. 4 HGB (books, records, management reports, accounting documents, trading books, documents relevant for taxation, etc.) and 6 years in accordance with § 257 para. 1 no. 2 and 3, para. 4 HGB (commercial letters).
We also process
- Contract data (for example, object of the contract, term, customer category).
- Payment data (e.g., bank details, payment history)
from our customers, interested parties and business partners for the purpose of providing contractual services, service and customer care, marketing, advertising and market research.
Order processing in the online shop and customer account
We process our customer’s data as part of the order processes in our online shop to enable them to select and order the selected products and services, as well as to execute their payment and delivery.
The processed data includes inventory data, communication data, contract data, payment data and the persons affected by the processing include our customers, interested parties and other business partners. The processing takes place for the purpose of providing contractual services in the context of operating an online shop, billing, delivery and customer services. We use session cookies for storing the contents of the shopping cart and permanent cookies for storing the login status.
Processing is carried out on the basis of Art. 6 Para. 1 lit. b (execution of order processes) and c (legally required archiving) GDPR. The information marked as necessary is required to establish and fulfil the contract. We disclose the data to third parties only within the context of delivery, payment or within the context of legal permits and obligations to legal advisors and authorities. The data will only be processed in third countries if this is necessary for the fulfilment of the contract (e.g. at the customer's request upon delivery or payment).
Users have the option of creating a user account in which they can see their orders. During the registration process the users are informed of the required mandatory information. The user accounts are not public and cannot be indexed by search engines. If users have terminated their user account, their data with regards to the user account is deleted, unless retention is necessary for commercial or tax reasons according to Art. 6 Para. 1 lit. c GDPR. Data in the customer’s account is retained up to its deletion unless archived in the case of a legal obligation. It is the user's responsibility to save their data before the end of the contract if they have given notice of termination.
When registering at each login and using our online services we store the IP address and the time of the particular user action. The data is stored on the basis of our legitimate interests as well as the user's protection against misuse and other unauthorized use. This data is not passed to third parties unless it is necessary for the pursuit of our claims or there is a legal obligation to do so according to Art. 6 Abs. 1 lit. c GDPR.
The data is deleted after the expiry of statutory warranty and comparable obligations, the requirement to retain the data is reviewed every three years; in the case of statutory archiving obligations, deletion takes place after their expiry (end of commercial law (6 years) and tax law (10 years) retention obligation).
External payment service providers
American Express (https://www.americanexpress.com/de/content/privacy-policy-statement.html)
As part of the fulfilment of contracts we employ payment service providers on the basis of Art. 6 para. 1 lit. b. GDPR. We also employ external payment service providers on the basis of our legitimate interests in accordance with Art. 6 para. 1 lit. b. GDPR to provide our users with effective and secure payment options.
The data processed by the payment service providers includes inventory data such as name and address, bank data such as account numbers or credit card numbers, passwords, TANs and checksums as well as contract, total sums and recipient information. This information is required to execute the transactions. However, the data entered will only be processed and stored by the payment service providers. This means that we do not receive any account or credit card related information, but only information with confirmation or negative information about the payment. The data may be transferred by the payment service providers to credit agencies. The purpose of this transmission is to verify identity and creditworthiness. For this we refer to the terms and conditions and data protection information of the payment service providers.
Applicable for payment transactions are the terms and conditions and the data protection information of the respective payment service providers, which can be accessed within the respective websites or transaction applications. We refer to these also for the purpose of further information and assertion of rights of revocation, information and other interested parties.
Administration, financial accounting, office organisation, contact management
We process data in the context of administrative tasks as well as the organisation of our company, financial accounting and compliance with legal obligations, e.g. archiving. We process the same data that we process in the course of providing our contractual services. The processing bases are Art. 6 para. 1 lit. c. GDPR, Art. 6 para. 1 lit. f. GDPR. Customers, prospects, business partners and website visitors are affected by the processing. The purpose and our interest in the processing lies in the administration, financial accounting, office organisation, archiving of data; therefore tasks which serve the maintenance of our business activities, perception of our tasks and provision of our services. The deletion of the data with regard to contractual services and contractual communication is the same as the information provided in these processing activities.
We disclose or transmit data to the tax authorities, consultants, such as tax consultants or auditors, as well as other fee offices and payment service providers.
We also store information on suppliers, event organisers and other business partners on the basis of our business interests, e.g. for the purpose of making contact at a later date. We store this data, which is mainly company-related, permanently.
Business analyses and market research
In order to operate our business economically, to be able to recognize market tendencies, wishes of the contracting parties and users, we analyse the data available to us on business processes, contracts, inquiries, etc. We process inventory data, communication data, contract data, payment data, usage data, metadata on the basis of Art. 6 para. 1 lit. f. GDPR, whereby the data subjects include contractual partners, interested parties, customers, visitors and users of our online service.
The analyses are carried out for the purpose of economic evaluations, marketing and market research. We can take into account the profiles of registered users with information, e.g. on the services they have used. The analyses is used to increase the user-friendliness, the optimisation of our offer and the economic efficiency. We alone use analyses and they are not disclosed externally, unless they are anonymous analyses with summarised values.
If these analyses or profiles are personal, they will be deleted or made anonymous upon the user’s termination, otherwise after two years from the conclusion of the contract. Overall economic analyses and general trend determinations are prepared anonymously wherever possible.
Users can create a user account in our online shop (shop.phantasialand.de). During the registration process the users are informed of the required mandatory information which is processed on the basis of Art. 6 para. 1 lit. b GDPR for the purpose of providing the user account. The processed data includes in particular the login information (name, password and an e-mail address). The data entered during registration is used for using the user account and its purpose.
Users can be notified by e-mail of information relevant to their user account such as technical changes. If users cancel their user account, their data relating to the user account is deleted, subject to a legal obligation to retain data. It is the user's responsibility to save their data before the end of the contract if they have given notice of termination. We are entitled to irretrievably delete all user data stored during the term of the contract.
As part of the use of our registration and login functions and using our online services we store the IP address and the time of the particular user action. The data is stored on the basis of our legitimate interests as well as the user's protection against misuse and other unauthorized use. This data is not passed to third parties unless it is necessary for the pursuit of our claims or there is a legal obligation to do so according to Art. 6 Abs. 1 lit. c GDPR. The IP addresses are anonymized or deleted after 7 days at the latest.
When contacting us (using the contact form, e-mail, telephone or social media), the user's details are used for handling the contact enquiry and its processing in accordance with Art. 6 para. 1 lit. b) GDPR. User information can be stored in a customer relationship management system ("CRM system") or comparable enquiry organisation.
We delete the enquiries as soon as they are no longer required. We review this requirement every two years; the statutory archiving obligations also apply.
The following information is to notify you regarding the contents of our newsletter and the registration, dispatch and statistical evaluation procedure and your rights of objection. By subscribing to our newsletter you agree to its receipt and the procedures described.
Contents of the newsletter: We will only send newsletters, e-mails and other electronic notifications containing advertising information (hereinafter "newsletters") with the consent of the recipients or a legal permission. If the contents of a newsletter are specifically described as part of a registration, they are deemed to have the consent of the user. Our newsletters also contain information about our services and us.
Double opt-in and logging: The registration for our newsletter uses procedure referred to as a double opt-in procedure. This means that after registration you will receive an e-mail asking you to confirm your registration. This confirmation is necessary so that no one can register using different e-mail addresses. Subscriptions to the newsletter are logged to be able to prove the registration process in accordance with legal requirements. This includes the storage of the registration and confirmation time as well as the IP address. The changes to your data stored with the shipping service provider are also logged.
The dispatch of the newsletter and the associated performance measurement are based on the recipient's consent pursuant to Art. 6 para. 1 lit. a, Art. 7 GDPR in conjunction with § 7 para. 2 no. 3 UWG or, if consent is not required, on the basis of our legitimate interests in direct marketing pursuant to Art. 6 para. 1 lit. f. GDPR in conjunction with § 7 para. 3 UWG.
The registration procedure is logged on the basis of our legitimate interests pursuant to Art. 6 para. 1 lit. f GDPR. Our interest lies in the use of a user-friendly and secure newsletter system that serves both our business interests and the expectations of users and also allows us to provide proof of consent.
Cancellation / Revocation – You can cancel the receipt of our newsletter at any time, this means to revoke your consent. Click on the following link to cancel the newsletter:
Unsubscribe to the newsletter
You will also find this link at the end of each newsletter. To protect our legitimate interests, we may store the e-mail addresses we have unsubscribed for up to three years before we delete them, in order to be able to prove a previously given consent. The processing of these data is limited to the possible defence against any claims. An application for cancellation can be made at any time, provided that the existence of previous consent is confirmed at the same time.
Newsletter – Shipping service provider
The shipping service provider can use the recipient's data in pseudonymous form, i.e. without assignment to a user, to optimise or improve its own services, e.g. to technically optimise the dispatch and presentation of the newsletter or for statistical purposes. However, the shipping service does not use the data of our newsletter recipients in order to write to them themselves or to pass the data on to third parties.
Newsletter - Performance measurement
The newsletters contain what is referred to as a "web-beacon", i.e. a pixel-sized file which is downloaded from our server when the newsletter is opened or, if we use a shipping service provider, from their server. Within the scope of this retrieval, technical information, such as information about the browser and your system, as well as your IP address and time of retrieval are initially collected.
This information is used to technically improve the services based on the technical data or the target groups and their reading behaviour based on their retrieval locations (which can be determined using the IP address) or access times. The statistical surveys also include determining whether the newsletters are opened, when they are opened and which links are clicked. This information can be assigned to the individual newsletter recipients for technical reasons. However, it is neither our endeavour, nor, if used, that of the shipping service provider, to observe individual users. These evaluations are used more to recognise the reading habits of our users and to adapt our contents to them or to send different contents according to the interests of our users.
Hosting and e-mailing
The hosting services we use are designed to provide the following services: Infrastructure and platform services, computing capacity, storage and database services, e-mailing, security and technical maintenance services we use to operate this online service.
In this context we, or our hosting provider process inventory data, contact data, content data, contract data, usage data, metadata and communication data of customers, interested parties and visitors to this online service on the basis of our legitimate interests in an efficient and secure provision of this online service acc. to Art. 6 para. 1 lit. f GDPR in connection with Art. 28 GDPR (conclusion of data processing contract).
Collection of access data and log files
We, or our hosting provider, collect the following data on the basis of our legitimate interests within the meaning of Art. 6 para. 1 lit. f. GDPR, on each access to the server on which this service is located (so-called server log files). Access data includes the name of the accessed website, file, date and time of access, transferred data volume, notification of successful access, browser type and version, the user's operating system, referrer URL (the previously visited page), IP address and the requesting provider.
Logfile information is stored for security reasons (e.g. to investigate abusive or fraudulent activities) for a maximum of 30 days and then deleted. Data whose further retention is required for evidential purposes shall be exempted from the cancellation until final clarification of the incident.
Google Tag Manager
Google Tag Manager is a solution with which we can manage website tags via an interface (and integrate Google Analytics and other Google marketing services into our online service, for example). The Tag Manager itself (which implements the tags) does not process any of the user’s personal data. With regard to the processing of users' personal data, reference is made to the following information on the Google services. Guidelines for use: https://www.google.com/intl/de/tagmanager/use-policy.html.
Google is certified under the Privacy Shield Agreement, which provides a guarantee to comply with European privacy legislation (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active).
Google will use this information on our behalf to evaluate the use of our online service by users, to compile reports on the activities within this online service and to provide us with further services related to the use of this online service and internet usage. In this case, pseudonymous usage profiles of the users can be created from the processed data.
We use Google Analytics only with enabled IP anonymization. This means that Google will truncate the IP address of users within Member States of the European Union or in other states party to the Agreement on the European Economic Area. Your full IP address will only be transmitted to a Google server in the USA and truncated there in exceptional cases.
The IP address submitted by the user’s browser will not be merged with other data provided by Google. Users can prevent the storage of cookies by setting their browser software accordingly; users may also prevent the collection by Google of the data generated by the cookie and related to their use of the online service and the processing of such data by Google by downloading and installing the browser plug-in available under the following link: http://tools.google.com/dlpage/gaoptout?hl=de.
As an alternative to the browser plug-in or within browsers on mobile devices, please click on the following link to set an opt-out cookie that will prevent future collection by Google Analytics within this website (this opt-out cookie only works in this browser and only for this domain, if you delete your cookies in this browser, you must click this link again):
Deactivate Google Analytics
The personal data of users will be deleted or anonymized after 26 months.
Google AdWords & Conversion-Tracking
We use the "Google AdWords" online advertising program and conversion tracking as part of Google AdWords. The Google Conversion Tracking is an analysis service of Google Inc. (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; "Google"). When you click on an ad served by Google, a conversion tracking cookie is placed on your computer. These cookies lose their validity after 30 days, do not contain any personal data and are therefore not used for personal identification.
If you visit certain pages of our website and the cookie has not yet expired, Google and we can recognise that you clicked on the ad and were redirected to this page. Each Google AdWords customer receives a different cookie. This means that it is not possible to track AdWords customers via cookies on the websites.
The information collected using the conversion cookie is used to generate conversion statistics for AdWords customers who have opted for conversion tracking. Customers can see the total number of users who clicked on their ad and were redirected to a page with a conversion tracking tag. However, you will not receive any information that personally identifies users.
However, we would like to point out that you may not be able to use all functions on our website in this case. By using this website, you are declaring that you consent to the data collected by Google being processed in the manner and for the purpose described.
Facebook-Pixel, Custom Audiences, Facebook-Conversion & Facebook Remarketing/Retargeting
To support our legitimate interests in the analysis, optimisation and economic operation of our online service the "Facebook pixel" of the social network Facebook, which is operated by Facebook Inc., 1 Hacker Way, Menlo Park, CA 94025, USA, or, if you are based in the EU, Facebook Ireland Ltd, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland ("Facebook"), is used within our online service.
Facebook is certified under the Privacy Shield Agreement and thus offers a guarantee to comply with European data protection law (https://www.privacyshield.gov/participant?id=a2zt0000000GnywAAC&status=Active).
With the help of the Facebook pixel, Facebook is able to determine the visitors of our online service as a target group for the presentation of ads (referred to as "Facebook ads"). Therefore we use the Facebook pixel to display the Facebook ads we post only to Facebook users who have also shown an interest in our online service or who have certain features (e.g. interests in certain topics or products that are determined by the websites visited) that we transmit to Facebook (referred to as "custom audiences"). We also use the Facebook pixel to ensure that our Facebook ads meet the potential interest of users and are not a nuisance. The Facebook pixel also helps us understand the effectiveness of Facebook ads for statistical and market research purposes by showing whether users have been redirected to our website after clicking on a Facebook ad (referred to as "conversion").
Facebook processes the data in accordance with Facebook's Data Usage Policy. General information on the display of Facebook ads is contained in Facebook's Data Usage Policy: https://www.facebook.com/policy.php. For specific information and details about the Facebook Pixel and how it works, visit the Facebook Help section: https://www.facebook.com/business/help/651294705016616.
You can object to the collection by the Facebook pixel and use of your data to display Facebook ads. To set what types of ads you see within Facebook, you can visit the page set up by Facebook and follow the instructions on usage-based advertising preferences: https://www.facebook.com/settings?tab=ads. The settings are platform-independent, i.e. they are applied to all devices, such as desktop computers or mobile devices.
Twitter Social Plugins
Our website incorporates plugins for the social media network Twitter Inc., 795 Folsom St., Suite 600, San Francisco, CA 94107, USA. Twitter plugins (tweet buttons) are marked by a Twitter logo on our website. You will find an overview of the various tweet buttons here:
If you do not want Twitter to be able to trace your visit on our website to your Twitter user account, please log out of your Twitter account before visiting our website.
We use swat.io to edit our social media channels. The provider is "Die Socialisten" Social Software Development GmbH Andreasgasse 6, Top 1, 1070 Vienna.
The basis for data processing is Art. 6 para. 1 lit. F GDPR. We have a legitimate interest in analysing user behaviour and optimising efficient communication, customer service and our advertising.
Online presence in social media
We maintain online presences within social networks and platforms to communicate with active customers, interested parties and users and to inform them about our services. When accessing the respective networks and platforms, the terms and conditions and the data processing guidelines of their respective operators apply.
Use of Webfonts
On our site we use the following webfonts:
Revocation, right to information, right to correction, deletion and blocking
You have the right to obtain information about which personal data we have stored at any time, including the origin and recipient of your data and the purpose for which it is processed. In addition, you can obtain information about personal data or object to the use of personal data at any time or revoke your consent. Please withdraw your approval or request in writing or by email by contacting:
Phantasialand Schmidt-Löffelhardt GmbH & Co. KG
Berggeiststraße 31 – 41
D - 50321 Brühl
Information regarding the use of personal data can be found on the corresponding section of our website and cannot be amended retrospectively.
Data acquisition for regional identification codes
Phantasialand Brühl records the regional identification code on the number plates of all arriving vehicles. It does not store the individual number plates for individual vehicles belonging to its visitors. The camera's signal is rendered anonymous by the local storage device and then immediately deleted.