Privacy Policy


Thank you for your interest in the TUI Foundation and for visiting our website. Protecting your personal data is important to us. So we consider compliance with statutory provisions, especially the EU General Data Protection Regulation (“GDPR”) and the Federal Data protection Act (“BDSG”), to be a matter of course. In the following, we would like to inform you about how personal data are collected and processed on our website.


1. General provisions

1.1 Name and contact data of the controller

The controller for the purpose of the General Data Protection Regulation (GDPR), and the service provider for the purpose of the German Telemedia Act (Telemediengesetz; TMG), is

TUI Foundation
Karl-Wiechert-Allee 4
30625 Hannover

Tel.: +49 (0)511 566-1636
Fax: +49 (0)511 566-1901



1.2 Rights of the data subject

1.2.1 Access, rectification, erasure, restriction of processing, and data portability

Under the GDPR, you are among others entitled to the following rights:

  • 15 GDPR: Data subject’s right of access
    You have the right to obtain as to whether or not personal data concerning you are being processed by us.
  • 16 GDPR: Right to rectification
    You may demand that inaccurate data concerning you be rectified and incomplete data completed.
  • 17 GDPR: Right to erasure
    Under the conditions of Art. 17 GDPR, you are entitled that your personal data be erased. Your claim to erasure depends, among other things, on whether we still need the data concerning you to fulfil our contractual and legal obligations.
  • 18 GDPR: Right to restriction of processing
    Under the conditions of Art. 18 GDPR, you have the right to obtain the restriction of the processing of your personal data.
  • 20 GDPR: Right to data portability
    Under the conditions of Art. 20 GDPR, you may demand that the personal data you have disclosed be provided to you, or transmitted to another controller, in a structured, commonly used and machine-readable format.

1.2.2 Revocation of consent

If you have consented to the processing of your data, you can withdraw your consent at any time. Doing so will affect only the lawfulness of the processing of your personal data that occurs after you have notified us of such withdrawal. Moreover, the lawfulness of any processing of the data on other legal bases will not be affected. Where your consent was the sole basis for the processing of your data, and in particular, where we do not have a legitimate interest in the processing of your data under Article 6 (1) (f) GDPR, we will erase the data without undue delay when you withdraw your consent.

1.2.3 Objection to specific processing under Art. 21 GDPR

If we support the processing of your personal data for the purposes of legitimate interests (Art. 6 (1) (e or f) GDPR), you may lodge an objection against that processing for grounds relating to your particular situation. This is the case, in particular, if the processing is not required for the performance of a contract with you, which is described by us in each case in the following. When you make such an objection, we are asking you to state the reasons why you no longer allow us to process your personal data as we have done before. In case you provide a reason for your objection, we will review the situation and either stop or modify the processing of your data, or we will demonstrate compelling legitimate grounds of which we will continue processing your data.

1.2.4 Right to lodge a complaint with a supervisory authority

You have the right to complain to the regulatory authority if you consider that your data has been processed illegally. The address for our competent supervisory authority is: The State Official for Privacy Protection, Prinzenstraße 5, 30159 Hannover.

1.3 Recipient

We sometimes use external service providers to process your data. Those service providers have been carefully selected and appointed by us, are bound by our instructions, and are supervised periodically. This can entail the following categories of recipients: IT service providers.

1.4 Transmission to third countries

Due to collaborations such as those with IT service providers, especially regarding services which involve the maintenance, repair or securing of IT systems, your personal data might become known to employees of a service provider in a country outside the European Union. If no level of data protection exists in this country which is comparable to that in the European Union, and, accordingly, no “adequacy decision” of the European Commission exists regarding this country, we will protect your interests under data privacy law by concluding EU standard data privacy clauses, which were issued by the European commission and agreed with the recipient, or in other suitable ways. You can request a copy of the EU standard data privacy clauses (or other guarantees, as the case may be), under the contact data indicated under section 1.1.

We do not intend to transmit your personal data to countries outside the European Union, but do not rule this out (provided it is lawful).

1.5 Storage duration

We shall erase your personal data as soon as the reason for their storage no longer applies.

We may also store data if provided for by the European or national legislator in EU regulations, national laws, or other provisions by which we are governed. Exceptions to the principle of erasure after achievement of purpose can arise, for example, from the provisions of the GDPR and of federal German law, especially the BDSG. For example, no erasure will occur as long as retention obligations exist under commercial or tax law.

In individual cases, a longer storage can be required due to the assertion or possible assertion of claims against us which relate to a contract or pre-contractual measures.

1.6 Obligation to provide personal data

You are not legally or contractually obligated to transmit personal data to us. But you will need to do so if you wish to conclude a contract with us. If you do not transmit personal data to us in individual cases, you will be unable to conclude a contract with us.

The same applies if you wish to use our website’s services, such as our contact form.

1.7 Security

We use technical and organizational security measures to protect data we are managing against manipulation, loss, destruction and unauthorized access. Our security measures are continually improved, according to technological progress.


2. Collection of data during website visits

2.1 Processing of data transmitted in the background

The type and scope of the processing of your personal data is distinguished by whether you visit our website only to retrieve information, or to use the site’s services (such as our contact form).

If you are using the website only for information, and thus will not be registering or otherwise transmitting information to us, we will collect the following data and store them in our system’s log files. These data include the following:

  • IP address,
  • Data and time of the request,
  • Time zone difference with Greenwich Mean Time (GMT),
  • Content of the request (specific page),
  • Access status / HTTP status code,
  • The quantity of any transmitted data,
  • The website from which the request comes,
  • The operating system and its interface,
  • The browser, language and version of the browser software.

The legal basis for processing the personal data (IP address) is Art. 6 (1) (f) GDPR. Processing personal data helps us show you our website and guarantee its stability and security. This also constitutes our legitimate interest in processing those data.

The anonymous data of the log files are stored separately from all the personal data you have provided. These anonymously collected data and information are evaluated for statistical purposes and to increase data protection and data security, so we can ensure an optimal level of protection for the personal data we process.

2.2 Cookies

In addition to the aforementioned data, we will store cookies on your computer when you use our website. Cookies are small text files that are stored by your browser on your hard drive and send certain information to the entity placing the cookie (in this case, us). Cookies cannot execute programs or transmit viruses to your computer. They only help make the website more user-friendly and effective overall.

You can configure your browser settings to suit your preferences – to reject third-party cookies or all cookies, for instance. But keep in mind that if you do so, you may not be able to use all of this website’s functions.

2.3 Contact form; Email contact

Our website has a form which can be used to contact us electronically. If you take advantage of this option, the data you enter into the form will be transmitted to and stored by us. Those data are your first and last name, as well as your email address. When the message is sent, your IP address and the date and time will also be stored.

You can also contact us via the email address provided. In this case, the personal data you transmit to us in the email will be stored.

The legal basis for processing the data if the contact form is used and you give your consent is Art. 6 (1) (a) GDPR. If you contact us to enter into a contract, the processing of your data is also based on Article 6 (1) (b) GDPR. Furthermore, the legal basis for processing is Art. 6 (1) (f) GDPR (legitimate interest).

The legal basis for processing data transmitted by email is Art. 6 (1) (f) GDPR. If the email contact aims to conclude a contract, the processing is also based on Article 6 (1) (b) GDPR.

Personal data entered into the contact form, and possibly your email, are processed only to execute the contract. If you contact us by email or the contact form, this also gives rise to the legitimate interest in a processing of the data. Any other personal data processed while sending the form are used to prevent a fraudulent use of the contact form and to protect the safety of our IT systems.

2.4 Analysis tool (“etracker”)

Data are collected and stored on this website for marketing and optimization purposes, using the technology of etracker GmbH ( User profiles can be created from those data using a pseudonym. Cookies can be used for this. The cookies allow us to recognize the internet browser. The data collected with etracker technologies are not used to personally identify visitors to this website, and will not be combined with personal data about a party who has been given a pseudonym, without the separately granted consent of the data subject. An objection against the collection and storage of data can be lodged at any time, with effect for the future.

Objecting to data collection with etracker

We use etracker to analyze the use of our website and improve it on a regular basis. The anonymized information generated about the use of this website serves to create assessments and charts about the number of visitors and visual contacts. We use these exclusively to optimize and design customized websites. The statistics we receive allow us to improve our services and make our website more interesting to use. The collected data are stored and pseudonymously analyzed over the long term. The legal basis for using etracker is Art. 6 (1) (f) GDPR.

Information about the third-party provider: etracker GmbH, Erste Brunnenstraße 1, 20459 Hamburg;

2.5 Embedding YouTube videos

We sometimes embed YouTube videos in our online services. Those videos are stored on and can be played directly from our website. These are all embedded in “expanded data privacy mode,” meaning that no data about you as a user will be transmitted to YouTube unless you play the videos. Only when you play the videos will data be transmitted to YouTube. We have no influence on this data transmission.

When you visit our website, YouTube is informed that you have accessed the respective subpages of our website. Moreover, the data specified in section 2.1 of this privacy notice will be transmitted as well. This is independent on whether YouTube provides a user account into which you are logged, or whether no such account exists. If you are logged into Google, your data will be assigned directly to your account. If you do not want that data to be assigned to your YouTube profile, you must log out before activating the button. YouTube stores your data as a user profile and uses them for advertising or market research purposes, to customize the design of its website, or both. The data is particularly analyzed (including for users that are not logged in) to display interest-based advertising and inform other users of the social network about your activities on our website You may object to the creation of these user profiles, but you will have to ask YouTube to do so.

You can find further information about the purpose and scope of the data collection, and how YouTube processes the data, in YouTube’s data privacy statement. There, you will also find further information about your rights and available settings that allow you to protect your privacy: Google also processes your personal data in the USA and has subjected itself to the EU-US Privacy Shield,