Data protection / Analysis services
Status: June 2022
Data collection on our website
Who is responsible for data collection on this website?
Data processing on this website is carried out by the website operator:
JOY Beach Villas
4, Hin Kong Rd
84280 Koh Phangan
Surat Thani, Thailand
Tel: +66 (0)62 408 0324
E-mail address: email@example.com
For further information please refer to the imprint of our website.
Data Protection Officer
We fall below the number of employees processing personal data required for the appointment of a data protection officer according to § 38 BDSG-Neu.
What data do we process?
The categories of processed data include inventory data, contact data and content data that you provide to us via contact form or e-mail, as well as usage and communication data. This includes, among other things, your anonymized IP address and data on the software and hardware you use.
In principle, we do not process any special categories of data - unless you provide us with this data via contact form.
We process data of visitors and users of our online offer as well as data of customers, interested parties and suppliers.
We process the collected data to provide our online offer, its functions and content, to provide contractual services and to answer contact requests and communicate with our customers.
How do we collect your data?
On the one hand, your data is collected by you providing it to us. This can be, for example, data that you enter in a contact form.
Other data may be collected automatically by our IT systems when you visit the website. This is mainly technical data (e.g. Internet browser, operating system or time of page view). This data is collected automatically as soon as you enter our website.
Legal basis for data processing
In accordance with the provision of Art. 13 DSGVO, we inform you here about the legal basis of our data processing. The legal basis for obtaining consent is Art. 6(1)(a), the legal basis for processing to fulfill our services and perform contractual measures and respond to inquiries is Art. 6(1)(b) DSGVO, the legal basis for processing to fulfill our legal obligations is Art. 6(1)(c) DSGVO, and the legal basis for processing to protect our legitimate interests is Art. 6(1)(f) DSGVO. In the event that vital interests of the data subject or another natural person make processing of personal data necessary, Art. 6 (1) lit. d DSGVO serves as the legal basis. If the processing is necessary to protect a legitimate interest of our company or a third party and if the interests, fundamental rights and freedoms of the data subject do not override the former interest, Art. 6 (1) lit. f DSGVO serves as the legal basis for the processing.
What rights do you have regarding your data?
You have the right to receive information about the origin, recipient and purpose of your stored personal data free of charge at any time. You also have a right to demand the correction, blocking or deletion of this data. For this purpose, as well as for further questions on the subject of data protection, you can contact us at any time at the address given in the imprint. Furthermore, you have the right to lodge a complaint with the competent supervisory authority.
We process users' personal data only in compliance with the relevant data protection provisions. This means that users' data is only processed if legal permission exists, i.e. in particular if the data processing is necessary for the provision of our contractual services (e.g. processing of orders) and online services, is required by law, the user has given consent, or it is based on our legitimate interests (i.e. interest in the analysis, optimization and economic operation and security of our online offer within the meaning of Art. 6 para. 1 lit. f. DSGVO, in particular in the case of range measurement, creation of profiles for advertising and marketing purposes, and collection of access data and use of third-party services).
We point out that the legal basis for consents is Art. 6 para. 1 lit. a. and Art. 7 DSGVO, the legal basis for processing for the performance of our services and implementation of contractual measures is Art. 6 para. 1 lit. b. DSGVO, the legal basis for processing to fulfill our legal obligations is Art. 6 para. 1 lit. c. DSGVO, and the legal basis for processing to protect our legitimate interests is Art. 6 para. 1 lit. f. DSGVO.
We take appropriate technical and organizational measures in accordance with Art. 32 DSGVO, taking into account the state of the art, the costs of implementation and the nature, scope, circumstances and purposes of the processing, as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons, to ensure a level of protection appropriate to the risk. The measures include, in particular, ensuring the confidentiality, integrity and availability of data by controlling physical access to the data, as well as access concerning them, input, disclosure, ensuring availability and their separation. Furthermore, we have established procedures to ensure the exercise of data subjects' rights, deletion of data and response to data compromise. Furthermore, we already take the protection of personal data into account during the development and selection of hardware, software and processes, in accordance with the principle of data protection through technology design and through data protection-friendly default settings (Article 25 of the GDPR).
The security measures include in particular the encrypted transmission of data between your browser and our server.
Cooperation with processors and third parties
If, in the course of our processing, we disclose data to other persons and companies (order processors or third parties), transmit it to them or otherwise grant them access to the data, this will only be done on the basis of a legal permission (e.g. if a transmission of the data to third parties, such as payment service providers, is necessary for the performance of the contract pursuant to Art. 6 (1) lit. b DSGVO), if you have consented, if a legal obligation provides for this, or on the basis of our legitimate interests (e.g. when using agents, web hosts, etc.).
If we commission third parties with the processing of data on the basis of a so-called "order processing agreement", this is done on the basis of Art. 28 DSGVO.
Transfers to third countries
If we process data in a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA)) or if this happens in the context of using third-party services or disclosing, or transferring data to third parties, this will only happen if it is done to fulfill our (pre)contractual obligations, on the basis of your consent, due to a legal obligation or on the basis of our legitimate interests. Subject to legal or contractual permissions, we process or allow the processing of data in a third country only if the special requirements of Art. 44 et seq. DSGVO are met. I.e. the processing is carried out, for example, on the basis of special guarantees, such as the officially recognized determination of a level of data protection corresponding to that of the EU (e.g. for the USA by the "Privacy Shield") or compliance with officially recognized special contractual obligations (so-called "standard contractual clauses").
Rights of the data subjects
You have the right to request confirmation as to whether data in question is being processed and to information about this data, as well as further information and a copy of the data in accordance with Art. 15 DSGVO.
In accordance with Art. 16 DSGVO, you have the right to request the completion of the data concerning you or the correction of incorrect data concerning you.
In accordance with Art. 17 DSGVO, you have the right to demand that data concerning you be deleted without delay or, alternatively, in accordance with Art. 18 DSGVO, to demand restriction of the processing of the data.
You have the right to receive the data concerning you that you have provided to us in accordance with Art. 20 DSGVO and to request that it be transferred to other data controllers.
You also have the right to lodge a complaint with the competent supervisory authority in accordance with Art. 77 DSGVO.
Right to complain to a supervisory authority
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your residence, workplace or the place of the alleged infringement, if you consider that the processing of personal data concerning you infringes the GDPR.
The supervisory authority to which the complaint has been lodged shall inform the complainant of the status and outcome of the complaint, including the possibility of a judicial remedy under Article 78 GDPR.
Right of revocation
You have the right to revoke given consents according to Art. 7 (3) DSGVO with effect for the future.
Right of objection
You may object to the future processing of data concerning you in accordance with Art. 21 DSGVO at any time. The objection can be made in particular against processing for purposes of direct advertising.
The user has the possibility to revoke his consent to the processing of personal data at any time. If the user contacts us by e-mail, he can object to the storage of his personal data at any time. In such a case, the conversation cannot be continued. The revocation of consent by the user is possible by returning the e-mail with the subject note 'Objection'.
All personal data stored in the course of contacting us will be deleted in this case.
Deletion of data
The data processed by us will be deleted or restricted in its processing in accordance with Articles 17 and 18 DSGVO. Unless expressly stated within the scope of this data protection declaration, the data stored by us will be deleted as soon as they are no longer required for their intended purpose and the deletion does not conflict with any statutory retention obligations. If the data is not deleted because it is required for other and legally permissible purposes, its processing will be restricted. I.e. the data is blocked and not processed for other purposes. This applies, for example, to data that must be retained for reasons of commercial or tax law.
According to legal requirements, data is stored in particular for 6 years in accordance with § 257 para. 1 HGB (commercial books, inventories, opening balances, annual financial statements, commercial letters, accounting vouchers, etc.) and for 10 years in accordance with § 147 para. 1 AO (books, records, management reports, accounting vouchers, commercial and business letters, documents relevant for taxation, etc.).
Right to deletion - obligation to delete
You may request the controller to delete the personal data concerning you without delay, and the controller is obliged to delete this data without delay, if one of the following reasons applies: (1) The personal data concerning you are no longer necessary for the purposes for which they were collected or otherwise processed. (2) You revoke your consent on which the processing was based pursuant to Art. 6(1)(a) or Art. 9(2)(a) DSGVO and there is no other legal basis for the processing. (3) You object to the processing pursuant to Art. 21 (1) DSGVO and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Art. 21 (2) DSGVO. (4) The personal data concerning you have been processed unlawfully. (5) The erasure of the personal data concerning you is necessary for compliance with a legal obligation under Union or Member State law to which the controller is subject. (6) The personal data concerning you has been collected in relation to information society services offered pursuant to Article 8(1) DSGVO.
Information to third parties
If the controller has made the personal data concerning you public and is obliged to erase it pursuant to Article 17(1) of the GDPR, it shall take reasonable measures, including technical measures, having regard to the available technology and the cost of implementation, to inform data controllers which process the personal data that you, as the data subject, have requested that they erase all links to or copies or replications of such personal data.
The right to erasure does not exist insofar as processing is necessary (1) for the exercise of the right to freedom of expression and information; (2) for compliance with a legal obligation which requires processing under Union or Member State law to which the controller is subject, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; (3) for reasons of public interest in the field of public health pursuant to Art. 9(2)(h) and (i) and Art. 9(3) of the GDPR; (4) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes pursuant to Art. 89(1) of the GDPR, insofar as the right referred to in section (a) is likely to make impossible or seriously prejudice the achievement of the purposes of such processing; or (5) for the establishment, exercise or defense of legal claims.
Right to restriction of processing
You may request the restriction of the processing of personal data concerning you under the following conditions: (1) if you contest the accuracy of the personal data concerning you for a period enabling the controller to verify the accuracy of the personal data; (2) the processing is unlawful and you object to the erasure of the personal data and request instead the restriction of the use of the personal data; (3) the controller no longer needs the personal data for the purposes of the processing, but you need it for the establishment, exercise or defense of legal claims; or (4) if you object to the processing pursuant to Art. 21 (1) DSGVO and it has not yet been determined whether the legitimate grounds of the controller outweigh your grounds.
If the processing of personal data relating to you has been restricted, such data may - apart from being stored - only be processed with your consent or for the establishment, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or a Member State.
If processing has been restricted in accordance with the above conditions, you will be informed by the controller before the restriction is lifted.
Right to data portability
You have the right to receive the personal data concerning you that you have provided to the controller in a structured, common and machine-readable format. In addition, you have the right to transfer this data to another controller without hindrance from the controller to whom the personal data was provided, provided that (1) the processing is based on consent pursuant to Art. 6(1)(a) DSGVO or Art. 9(2)(a) DSGVO or on a contract pursuant to Art. 6(1)(b) DSGVO and (2) the processing is carried out with the help of automated procedures.
In exercising this right, you also have the right to obtain that the personal data concerning you be transferred directly from one controller to another controller, insofar as this is technically feasible. Freedoms and rights of other persons must not be affected by this.
The right to data portability does not apply to processing of personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
Right to information
If you have asserted the right to rectification, erasure or restriction of processing against the controller, the controller is obliged to inform all recipients to whom the personal data concerning you have been disclosed of this rectification or erasure of the data or restriction of processing, unless this proves impossible or involves a disproportionate effort.
You have the right to be informed about these recipients by the data controller.
Right to rectification
You have a right to rectification and/or completion vis-à-vis the controller if the personal data processed concerning you is incorrect or incomplete. The controller shall make the rectification without undue delay.
When contacting us (via contact form or e-mail), the user's details are processed for the purpose of handling the contact request and its processing pursuant to Art. 6 (1) lit. b) DSGVO.
The user's details may be stored in our customer relationship management system ("CRM system") or comparable inquiry organization.
We delete the inquiries if they are no longer required. For personal data sent by e-mail, this is the case when the respective conversation with the user has ended. The conversation is ended when it is clear from the circumstances that the matter in question has been conclusively clarified. We review the necessity every two years; we store inquiries from customers who have a customer account permanently and refer to the information on the customer account for deletion. In the case of legal archiving obligations, deletion takes place after their expiry (end of commercial law (6 years) and tax law (10 years) retention obligation).
Online presences in social media
We maintain online presences within social networks and platforms in order to be able to communicate with customers, interested parties and users active there and to inform them about our services there. When calling up the respective networks and platforms, the terms and conditions and data processing guidelines of their respective operators apply.
Integration of third-party services and content
Within our online offer, we use content or service offers of third parties on the basis of our legitimate interests (i.e. interest in the analysis, optimization and economic operation of our online offer within the meaning of Art. 6 para. 1 lit. f. DSGVO) to integrate content or services offered by third-party providers, such as videos or fonts (hereinafter uniformly referred to as "content"). This always requires that the third-party providers of this content are aware of the IP address of the user, since without the IP address they could not send the content to their browser. The IP address is thus required for the display of this content. We endeavor to use only such content whose respective providers use the IP address only for the delivery of the content. Third-party providers may also use so-called pixel tags (invisible graphics, also known as "web beacons") for statistical or marketing purposes. The "pixel tags" can be used to evaluate information such as visitor traffic on the pages of this website. The pseudonymous information may also be stored in cookies on the user's device and may contain, among other things, technical information about the browser and operating system, referring websites, time of visit and other information about the use of our online offer, as well as be linked to such information from other sources.
The following presentation provides an overview of third-party providers and their content, along with links to their privacy statements, which contain further information on the processing of data and, in part already mentioned here, opt-out options:
Social media channels
Online presence (fan page) on Facebook
Our presence on social networks and platforms serves to improve active communication with our customers and interested parties. We provide information there about us, our products and current offers and, if applicable, events.
When visiting our online presences on social media, your data may be automatically collected and stored for market research and advertising purposes. So-called usage profiles are created from this data using pseudonyms. These can be used, for example, to place advertisements within and outside the platforms that presumably correspond to your interests. Cookies are generally used on your terminal device for this purpose. In these cookies, visitor behavior and user interests are stored. This serves according to Art. 6 para. 1 lit. f. DSGVO to protect our legitimate interests in an optimized presentation of our offer and effective communication with customers and interested parties, which prevail in the context of a balancing of interests. If you are asked by the respective social media platform operators for consent (agreement) to the data processing, e.g. by means of a checkbox, the legal basis for the data processing is Art. 6 (1) lit. a DSGVO.
Insofar as the aforementioned social media platforms have their headquarters in the USA, the following applies: The European Commission has issued an adequacy decision for the USA. This goes back to the EU-US Privacy Shield. A current certificate for Facebook can be viewed here.
The data processing takes place on the basis of an agreement between the jointly responsible parties pursuant to Art. 26 DSGVO, i.e. the operator of the fan page (responsible party as named above under "Data collection on our website") and Facebook Inc., which you can view here.
For detailed information on the processing and use of data by the providers on their pages, as well as a contact option and your rights and setting options in this regard to protect your privacy, in particular objection options (opt-out), please refer to the privacy notices of the providers linked below. If you still require assistance in this regard, you can contact us.