Privacy Policy


Thank you for your interest in the TUI Foundation and for visiting our website. Protecting your personal data is important to us. So we consider compliance with statutory provisions, especially the EU General Data Protection Regulation (“GDPR”) and the Federal Data protection Act (“BDSG”), to be a matter of course. In the following, we would like to inform you about how personal data are collected and processed on our website.


1. General provisions

1.1 Name and contact data of the controller

The controller for the purpose of the General Data Protection Regulation (GDPR), and the service provider for the purpose of the German Telemedia Act (Telemediengesetz; TMG), is

TUI Foundation
Karl-Wiechert-Allee 4
30625 Hannover

Tel.: +49 (0)511 566-1636
Fax: +49 (0)511 566-1901



1.2 Rights of the data subject

1.2.1 Access, rectification, erasure, restriction of processing, and data portability

Under the GDPR, you are among others entitled to the following rights:

  • 15 GDPR: Data subject’s right of access
    You have the right to obtain as to whether or not personal data concerning you are being processed by us.
  • 16 GDPR: Right to rectification
    You may demand that inaccurate data concerning you be rectified and incomplete data completed.
  • 17 GDPR: Right to erasure
    Under the conditions of Art. 17 GDPR, you are entitled that your personal data be erased. Your claim to erasure depends, among other things, on whether we still need the data concerning you to fulfil our contractual and legal obligations.
  • 18 GDPR: Right to restriction of processing
    Under the conditions of Art. 18 GDPR, you have the right to obtain the restriction of the processing of your personal data.
  • 20 GDPR: Right to data portability
    Under the conditions of Art. 20 GDPR, you may demand that the personal data you have disclosed be provided to you, or transmitted to another controller, in a structured, commonly used and machine-readable format.

1.2.2 Revocation of consent

If you have consented to the processing of your data, you can withdraw your consent at any time. Doing so will affect only the lawfulness of the processing of your personal data that occurs after you have notified us of such withdrawal. Moreover, the lawfulness of any processing of the data on other legal bases will not be affected. Where your consent was the sole basis for the processing of your data, and in particular, where we do not have a legitimate interest in the processing of your data under Article 6 (1) (f) GDPR, we will erase the data without undue delay when you withdraw your consent.

1.2.3 Objection to specific processing under Art. 21 GDPR

If we support the processing of your personal data for the purposes of legitimate interests (Art. 6 (1) (e or f) GDPR), you may lodge an objection against that processing for grounds relating to your particular situation. This is the case, in particular, if the processing is not required for the performance of a contract with you, which is described by us in each case in the following. When you make such an objection, we are asking you to state the reasons why you no longer allow us to process your personal data as we have done before. In case you provide a reason for your objection, we will review the situation and either stop or modify the processing of your data, or we will demonstrate compelling legitimate grounds of which we will continue processing your data.

1.2.4 Right to lodge a complaint with a supervisory authority

You have the right to complain to the regulatory authority if you consider that your data has been processed illegally. The address for our competent supervisory authority is: The State Official for Privacy Protection, Prinzenstraße 5, 30159 Hannover.

1.3 Recipient

We sometimes use external service providers to process your data. Those service providers have been carefully selected and appointed by us, are bound by our instructions, and are supervised periodically. This can entail the following categories of recipients: IT service providers.

1.4 Transmission to third countries

Due to collaborations such as those with IT service providers, especially regarding services which involve the maintenance, repair or securing of IT systems, your personal data might become known to employees of a service provider in a country outside the European Union. If no level of data protection exists in this country which is comparable to that in the European Union, and, accordingly, no “adequacy decision” of the European Commission exists regarding this country, we will protect your interests under data privacy law by concluding EU standard data privacy clauses, which were issued by the European commission and agreed with the recipient, or in other suitable ways. You can request a copy of the EU standard data privacy clauses (or other guarantees, as the case may be), under the contact data indicated under section 1.1.

We do not intend to transmit your personal data to countries outside the European Union, but do not rule this out (provided it is lawful).

1.5 Storage duration

We shall erase your personal data as soon as the reason for their storage no longer applies.

We may also store data if provided for by the European or national legislator in EU regulations, national laws, or other provisions by which we are governed. Exceptions to the principle of erasure after achievement of purpose can arise, for example, from the provisions of the GDPR and of federal German law, especially the BDSG. For example, no erasure will occur as long as retention obligations exist under commercial or tax law.

In individual cases, a longer storage can be required due to the assertion or possible assertion of claims against us which relate to a contract or pre-contractual measures.

1.6 Obligation to provide personal data

You are not legally or contractually obligated to transmit personal data to us. But you will need to do so if you wish to conclude a contract with us. If you do not transmit personal data to us in individual cases, you will be unable to conclude a contract with us.

The same applies if you wish to use our website’s services, such as our contact form.

1.7 Security

We use technical and organizational security measures to protect data we are managing against manipulation, loss, destruction and unauthorized access. Our security measures are continually improved, according to technological progress.


2. Collection of data during website visits

2.1 Processing of data transmitted in the background

The type and scope of the processing of your personal data is distinguished by whether you visit our website only to retrieve information, or to use the site’s services (such as our contact form).

If you are using the website only for information, and thus will not be registering or otherwise transmitting information to us, we will collect the following data and store them in our system’s log files. These data include the following:

  • IP address,
  • Data and time of the request,
  • Time zone difference with Greenwich Mean Time (GMT),
  • Content of the request (specific page),
  • Access status / HTTP status code,
  • The quantity of any transmitted data,
  • The website from which the request comes,
  • The operating system and its interface,
  • The browser, language and version of the browser software.

The legal basis for processing the personal data (IP address) is Art. 6 (1) (f) GDPR. Processing personal data helps us show you our website and guarantee its stability and security. This also constitutes our legitimate interest in processing those data.

The anonymous data of the log files are stored separately from all the personal data you have provided. These anonymously collected data and information are evaluated for statistical purposes and to increase data protection and data security, so we can ensure an optimal level of protection for the personal data we process.

2.2 Cookies

In addition to the aforementioned data, we will store cookies on your computer when you use our website. Cookies are small text files that are stored by your browser on your hard drive and send certain information to the entity placing the cookie (in this case, us). Cookies cannot execute programs or transmit viruses to your computer. They only help make the website more user-friendly and effective overall.

You can configure your browser settings to suit your preferences – to reject third-party cookies or all cookies, for instance. But keep in mind that if you do so, you may not be able to use all of this website’s functions.

2.3 Contact form; Email contact

Our website has a form which can be used to contact us electronically. If you take advantage of this option, the data you enter into the form will be transmitted to and stored by us. Those data are your first and last name, as well as your email address. When the message is sent, your IP address and the date and time will also be stored.

You can also contact us via the email address provided. In this case, the personal data you transmit to us in the email will be stored.

The legal basis for processing the data if the contact form is used and you give your consent is Art. 6 (1) (a) GDPR. If you contact us to enter into a contract, the processing of your data is also based on Article 6 (1) (b) GDPR. Furthermore, the legal basis for processing is Art. 6 (1) (f) GDPR (legitimate interest).

The legal basis for processing data transmitted by email is Art. 6 (1) (f) GDPR. If the email contact aims to conclude a contract, the processing is also based on Article 6 (1) (b) GDPR.

Personal data entered into the contact form, and possibly your email, are processed only to execute the contract. If you contact us by email or the contact form, this also gives rise to the legitimate interest in a processing of the data. Any other personal data processed while sending the form are used to prevent a fraudulent use of the contact form and to protect the safety of our IT systems.

2.4 Analysis tool (“Google Analytics”)

This website uses Google Analytics, a web analytics service. It is operated by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.

Google Analytics uses so-called “cookies”. These are text files that are stored on your computer and that allow an analysis of the use of the website by you. The information generated by the cookie about your use of this website is usually transmitted to a Google server in the USA and stored there.

Google Analytics cookies are stored based on Art. 6 (1) (f) DSGVO. The website operator has a legitimate interest in analyzing user behavior to optimize both its website and its advertising.

IP anonymization

We have activated the IP anonymization feature on this website. Your IP address will be shortened by Google within the European Union or other parties to the Agreement on the European Economic Area prior to transmission to the United States. Only in exceptional cases is the full IP address sent to a Google server in the US and shortened there. Google will use this information on behalf of the operator of this website to evaluate your use of the website, to compile reports on website activity, and to provide other services regarding website activity and Internet usage for the website operator. The IP address transmitted by your browser as part of Google Analytics will not be merged with any other data held by Google.

Browser plugin

You can prevent these cookies being stored by selecting the appropriate settings in your browser. However, we wish to point out that doing so may mean you will not be able to enjoy the full functionality of this website. You can also prevent the data generated by cookies about your use of the website (incl. your IP address) from being passed to Google, and the processing of these data by Google, by downloading and installing the browser plugin available at the following link:

Objecting to the collection of data

You can prevent the collection of your data by Google Analytics by clicking on the following link. An opt-out cookie will be set to prevent your data from being collected on future visits to this site: Disable Google Analytics.

For more information about how Google Analytics handles user data, see Google’s privacy policy:

2.5 Embedding YouTube videos

We sometimes embed YouTube videos in our online services. Those videos are stored on and can be played directly from our website. These are all embedded in “expanded data privacy mode,” meaning that no data about you as a user will be transmitted to YouTube unless you play the videos. Only when you play the videos will data be transmitted to YouTube. We have no influence on this data transmission.

When you visit our website, YouTube is informed that you have accessed the respective subpages of our website. Moreover, the data specified in section 2.1 of this privacy notice will be transmitted as well. This is independent on whether YouTube provides a user account into which you are logged, or whether no such account exists. If you are logged into Google, your data will be assigned directly to your account. If you do not want that data to be assigned to your YouTube profile, you must log out before activating the button. YouTube stores your data as a user profile and uses them for advertising or market research purposes, to customize the design of its website, or both. The data is particularly analyzed (including for users that are not logged in) to display interest-based advertising and inform other users of the social network about your activities on our website You may object to the creation of these user profiles, but you will have to ask YouTube to do so.

You can find further information about the purpose and scope of the data collection, and how YouTube processes the data, in YouTube’s data privacy statement. There, you will also find further information about your rights and available settings that allow you to protect your privacy: Google also processes your personal data in the USA and has subjected itself to the EU-US Privacy Shield,