Privacy Policy

Data protection information according to Art. 13 and 14 of the EU Data Protection Regulation (EU-GDPR)

This data protection declaration informs you about the processing of your personal data by us as well as about the rights you are entitled to when using our services.

(Status: October 2022)

1. Who is the controller for data processing and whom can you contact?

The person responsible for data processing is DER Touristik Services S.L.U.

C./Genil 30, 3°planta, Pol. Son Fuster

07009 Palma de Mallorca





2. What data and what sources do we use?

We process data that we receive as part of our contractual relationship with you or based on your consent. We receive the data directly from you, e.g. as part of the travel booking or other order placement, e.g. via a tour operator.

If you provide us with personal data of other persons, you must ensure that they agree to this and that you may transmit the data. You must ensure that these persons know how their personal data can be processed by us and what rights they have.

Where necessary, we process the following categories of data:

  • Identification/authentication data (e.g. surname, first name)
  • Demographic data (e.g. age)
  • Physical characteristics (e.g. salutation, gender)
  • Communication data (e.g. address, email address, telephone number, correspondence, email correspondence)
  • Account data (e.g. credit card number)
  • Travel data (e.g. products booked)
  • Family relationship (e.g. children travelling with you)
  • Data in the context of complaints and crisis cases

3. On what legal basis and for what purpose is your data used?

Required to carry out pre-contractual measures in response to your request or to fulfil contractual obligations with you (Art. 6 para. 1 lit. b EU-GDPR).

We process your data for the preparation of offers and the execution of our contracts with you, i.e. in particular for the organisation, mediation and execution of the booked travel services, including complaints and crisis management (mediation/travel contract) by us or by authorised third parties. Further purposes are

  • To provide contact options to us (e.g. contact form, arranging appointments for consultation)
  • On the basis of legal requirements (Art. 6 para. 1 lit. c EU-GDPR).

We are subject to various legal obligations and statutory requirements. For the purposes of identity and age verification, prevention of criminal offences (e.g. fraud), the fulfilment of tax law/official control and reporting obligations, the assessment and management of risks, as well as storage under financial and tax law, your data may be processed by us or by authorised third parties.

  • Data processing for the protection of vital interests (Art. 6 para. 1 lit. d EU-GDPR)

In order to protect vital interests of you or another natural person, e.g. in order to provide emergency services with an evacuation list, your data may be processed by us or authorised third parties.

  • For the protection of legitimate interests (Art. 6 para. 1 lit. f EU-GDPR)

In the context of a balancing of interests, for the protection of legitimate interests, your data may be processed by us or by authorised third parties. This is done for the following purposes:

  • Function, availability and security of business operations (e.g. IT, other services).
  • Further development of services/travel services and additional products (e.g. quality management)
  • Assertion, exercise or defense of legal claims
  • Prevention and investigation of criminal offences (e.g. fraud)
  • Processing of enquiries and provision of necessary information (e.g. contact form)

Our interest in the respective processing results from the respective purposes (profit generation, avoidance of legal risks, assertion, exercise or defence of legal claims, provision and security of our business operations, efficient task fulfilment, process optimisation).

As far as the specific purpose allows, we process your data pseudonymously.

  • Based on your consent (Art. 6 para. 1 lit. a EU-GDPR)

If you have given us consent to process your personal data, this respective consent is the legal basis for the processing referred to therein. In particular, you may have consented to being contacted by e-mail, post, telephone or messenger service. You can revoke your consent at any time with effect for the future. To do so, please contact us at our contact address. The revocation only applies to future processing, not to processing that has already taken place.

4. Who receives my data?

Your personal data will only be passed on in compliance with the requirements of the EU-GDPR and only insofar as this is permitted by a legal basis. Your data will only be passed on to those bodies who need it to fulfil our contractual and legal obligations or to carry out their respective tasks, e.g.

  • Internal departments responsible for organising, arranging and carrying out the trip/processing your enquiry
  • Destination agency (e.g. tour guide, hotel reservation, transfer and possibly excursion services)
  • Transport service provider (airline, rail if applicable)
  • Accommodation provider (hotel management)
  • Service providers of other booked services
  • Public authorities (tax authorities, embassies of the destination country) in the event of a legal or official obligation
  • Other parties for which you have given us your consent to data processing

5. How long will my personal data be stored?


As far as necessary, we process your personal data for the duration of our business relationship, which also includes the initiation and execution of a contract. In addition, we are subject to various storage and documentation obligations.

Personal data will be kept as long as you remain linked to us.

Once you are disconnected, the personal data processed for each purpose will be kept during the legally prescribed periods, including the period within which a judge or court may require them based on the limitation period of legal proceedings.

The data processed will be maintained for as long as until the referred purposes above are fulfilled and the legal deadlines referred to above do not expire, if there is a legal obligation to maintain them, or, if there is no legal deadline, until the interested party requests its deletion or revokes the consent granted.

We will keep all information and communications regarding your purchase or the provision of our service, during the term of the warranties of the products or services, in order to address possible complaints.

Processing for advertising purposes can be objected to free of charge at any time upon informal request in accordance with Art. 21 EU-GDPR; in this case, the data will be blocked for advertising purposes. Your data will be deleted when prio-rating retention periods have expired.

Your personal data will be deleted on the basis of your consent as soon as the purpose has been fulfilled or until revocation and when priority retention periods have expired.

6. Will my data be transferred to a third country?

We transfer your data to recipients outside the scope of the regulation of the EU-GDPR and if there is neither an adequacy decision according to Article 45(3) nor appropriate safeguards according to Article 46, including binding internal data protection regulations exist only to the extent that the transfer is necessary

  • for the conclusion or performance of the contract with you or for the performance of pre-contractual measures at your request
  • for the performance of a contract concluded in your interest by the controller with another natural or legal person
  • for the assertion, exercise or defence of legal claims
  • to protect the vital interests of the data subject or other persons, where the data subject is physically or legally incapable of giving his or her consent
  • you have given your consent

These data processing operations are permissible exceptions from Art. 49 EU-GDPR.

Insofar as a data transfer outside the scope of the EU Data Protection Regulation is necessary due to our predominantly legitimate interest or you have given us your consent, this is secured, among other things, with EU standard contractual clauses in accordance with Art. 46 (2) lit. c EU Data Protection Regulation. If necessary, the EU standard contractual clauses are supplemented by further contractual assurances. You can obtain information on this via the specified contact.

7. Do I have certain rights when dealing with my data?

You have the right to information (Art. 15 EU-GDPR), to correction (Art. 16 EU-GDPR), to deletion (Art. 17 EU-GDPR), to restriction of processing (Art. 18 EU-GDPR) and to data portability (Art. 20 EU-GDPR) under the respective legal conditions.

In addition, you have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data relating to you which is carried out on the basis of Art. 6 para 1 lit. f EU-GDPR, in accordance with Art. 21 EU-GDPR. This also applies to so-called “profiling” based on this provision within the meaning of Art. 4 No. 4 EU-GDPR. If a justified objection is made, we will no longer process this personal data for these purposes. An objection can be made informally to our contact address. You also have the right to lodge a complaint with a data protection supervisory authority (Art. 77 EU-GDPR).

Agencia Estatal de Protección de datos (AEPD) –

8. Am I obliged to provide my data?

Within the scope of our business relationship, you only have to provide the personal data that is required for the establishment, implementation and termination of a business relationship or that we are legally obliged to collect. Without this data, we will usually have to refuse to conclude the contract or execute the order, or we will no longer be able to execute an existing contract and may have to terminate it.

9. Is there automated decision-making in individual cases?

As a matter of principle, we do not use automated decision-making pursuant to Art. 22 EU-GDPR for the establishment and implementation of the business relationship. Should we use this procedure in individual cases, you will be informed separately if this is required by law.

10. Will my data be used in any way for profiling?

We do not process your personal data for profiling.

11. Contact details of the data protection officer

If you have any questions on the subject of data protection, please contact:

DER Touristik Services S.L.U.

C./Genil 30, 3°planta, Pol. Son Fuster

07009 Palma de Mallorca


Data Protection Officer



12. Usage data/log files

We use information that we receive and store during your visit to our websites for the purposes of security and improving the functionality of the website.

This data set consists of:

  • the page from which the file was requested
  • the name of the file
  • the date and time of the request
  • the amount of data transferred
  • the access status
  • the description of the type of web browser used
  • the IP address of the requesting computer (see above anonymised after the period mentioned below).

We use this information to enable you to access our website, to control and administer our systems and to improve the design and function of the website.

We only store the IP address transmitted by your web browser, including the above-mentioned data record, for a period of time in order to be able to recognise, limit and eliminate malfunctions or errors (e.g. attacks on our servers). The storage ends after one month at the latest. After this period, we delete or anonymise the IP address.

This is done due to our predominantly justified interest in the security and functionality of our website Art. 6 para. 1 lit. f GDPR.

Cookie Consent Management Platform

When you visit our website, information may be stored on your computer in the form of cookies in order, to provide our website and recognize visitors’ preferences and to be able to design the website optimally.


We use BorlabsCookie on our website, which is, among other things, a tool for storing your cookie consent. Service provider is the German company Borlabs – Benjamin A. Bornschein, Rübenkamp 32, 22305 Hamburg, Germany. You can find out more about the data processed by using BorlabsCookie in the privacy policy at

As part of our cookie management tool, you can manage funcional cookies yourself. The declaration of your consent will be saved so that we do not have to ask you each time you visit our website and we can also prove your consent if required by law. This is stored either in an opt-in cookie or on a server. Depending on the provider of the cookie management tool, the storage period of your cookie consent varies. This data (e.g. pseudonymous user ID, time of consent, detailed information on the cookie categories or tools, browser, device information) is usually stored for up to

This is done due to our predominantly legitimate interest in the functionality and user-friendliness of our website Art. 6 para. 1 lit. f GDPR.

Essential WordPress Session Cookies: These only help to load the website faster and to use it properly, the cookies are deletes when ending the browser session.

They are also session cookies as they expire once the user logs out or exits the page. Mainly cookies are used for login to dashboard.

We use 3 types:

  • wordpress_logged_in_[hash]: to indicate when you are logged in, and who you are. This cookie is maintained on the front-end of the website as well when logged in.
  • wp-settings-{time}-[UID]: to customize the view of your admin interface and the front-end of the website. The value represented by [UID] is the individual user ID of the user as given to them in the users’ database table.
  • wordpress_test_cookie: to check if the cookies are enabled on the browser to provide appropriate user experience to the users. This cookie is used on the front-end, even if you are not logged in.

These cookies are strictly necessary without which the website will not function properly

This is done due to our predominantly legitimate interest in the functionality and user-friendliness of our website Art. 6 para. 1 lit. f GDPR.

Functional Language Cookies: WordPress Multilanguage (WPML) is used as a cookie to store the current language settings. It expires after 1 day.

The use is based on a legal basis Art. 6 para. 1 p. 1 lit. a GDPR. You can revoke your consent with effect for the future at any time under the CMP settings.

TLS encryption with https

TLS, encryption and https all sound very technical and they are. We use HTTPS (the Hypertext Transfer Protocol Secure stands for “secure hypertext transfer protocol”) to transmit data securely on the Internet. This means that the complete transmission of all data from your browser to our web server is secured – nobody can “eavesdrop”.

We have thus introduced an additional security layer and comply with data protection through technology design (Article 25 Paragraph 1 GDPR). By using TLS (Transport Layer Security), an encryption protocol for secure data transmission on the Internet, we can ensure the protection of confidential data. You can recognize the use of this protection of data transmission by the small lock symbol in the top left of the browser, to the left of the Internet address and the use of the https scheme (instead of http) as part of our Internet address.