Data Protection Policy

Empowering Entrepreneurship Initiative: 

Tourism Recovery Programme


The Empowering Entrepreneurship Initiative has launched the third standalone programme designed to deliver economic relief from the COVID-19 crisis to tourism-related businesses: Tourism Recovery Programme.

A total of 315 teams of innovative travel and tourism businesses in the Arab Republic of Egypt, the Republic of Kenya, the United Mexican States and the Republic of South Africa will be supported by the programme with a combination of mentoring, workshops, network building and financial support. The programme will be implemented in cooperation with the TUI Care Foundation.

The Empowering Entrepreneurship Initiative was developed by the non-profit organisation enpact e.V. and was launched in 2020 with two programmes designed to deliver economic relief from the COVID-19 crisis. The Tourism Recovery Programme is the third standalone programme of the initiative, aimed to support the resilience and recovery of businesses in the tourism sector. The COVID-19 Relief Programme is supported by Deutsche Gesellschaft für Internationale Zusammenarbeit (GIZ) GmbH on behalf of the Federal Ministry for Economic Cooperation and Development (BMZ) and is implemented together with enpact and TUI Care Foundation.

During the application process, your personal data is collected by enpact e.V. (“enpact”, “we”, “us”) as data controller.

Since we are located in Germany, your data is processed in the European Union. With regard to the processing of your personal data, your fundamental rights and freedoms as a natural person are protected by the General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”) and further applicable national law.

Scope of this policy

This Data Protection Policy applies to all personal data collected, processed and used by enpact during the application process, the execution of the Programme and additional services offered in this context. It does not apply to the data processing of third parties involved in the Programme who act as independent data controllers, e.g. the Deutsche Gesellschaft Gesellschaft für Internationale Zusammenarbeit (GIZ) GmbH, the European Union, the TUI Care Foundation and our partners, if they are not acting as data processors acting on behalf of us (Article 28 GDPR).

Data controller and authorized representatives

enpact e.V. (registered association)

Address: Albrechtstrasse 10, 10117 Berlin, Germany


Representatives: Matthias Treutwein, Dr. Sebastian Rubatscher

Collection and processing of data

We collect the following categories of personal data for the purpose of assessing your application, including communication with you and our partners, and executing the Programme in case of admittance to the Programme:

(a) Identifying, e.g. name, date of birth, gender, government issued identification;

(b) Contact, e.g. email address, physical address, telephone number, LinkedIn profile;

(c) Communication, e.g. emails, letters;

(d) Professional, e.g. employer, job title, salary, ownership with regard to the employer;

(e) Financial Account, e.g. bank account;

(f) Authenticating, e.g. password for access to this platform;

(g) Computer Device, e.g. IP address, browser fingerprint;

As an additional service you can optionally register for a newsletter and further information services (“Information Services”). For this purpose, the data categories (a) and (b) are processed, limited to the minimum data required.

Legal basis for the processing of data

Programme: Your personal data is processed for the completion of pre-contractual and contractual measures (Article 6(1)(b) GDPR) (data categories (a) to (f)) and to pursue our legitimate interests (Article 6(1)(f) GDPR) (data category (g)), such as fraud prevention and the further development of this website.

Information Services: The processing of your personal data is based on your consent (Article 6(1)(a) GDPR) that can be withdrawn at any time. The withdrawal does not affect the lawfulness of processing based on consent before its withdrawal.

Data retention periods and right to erasure

Your personal data will be automatically deleted from our systems and associated paper files will be destroyed once it is no longer necessary in relation to the purposes for which it was collected or otherwise processed. The following retention periods apply.

Programme: If your application was not successful, then your personal data will be deleted or destroyed twelve months after the decision was communicated to you. If you participate in the Programme, then your personal data will be retained for three years after the completion of the Programme, starting at the end of the respective year. The retention periods may be extended if required by the Deutsche Gesellschaft Gesellschaft für Internationale Zusammenarbeit (GIZ) GmbH, the European Union or the TUI Care Foundation as our cooperation partners.

Information Services: Your personal data, limited to the minimum data required, will be stored for two years after our consent was given. Afterwards, we will delete your data automatically if we do not ask you for re-consent to extend the retention period.

Data transfer to third parties in different countries

Your personal data will be transferred to the following third parties and countries:

(a) Deutsche Gesellschaft Gesellschaft für Internationale Zusammenarbeit (GIZ) GmbH in Germany and the European Union, for the purpose of auditing the Programme;

(b) TUI Care Foundation in The Netherlands;

(c) our local partners in Germany, in other member states of the European Union and in other countries, including your country, for the purpose of organising mentoring and training measures, and to provide local support.

The legal basis for all data transfers is completion of pre-contractual and contractual measures (Article 6(1)(b) GDPR). The transfer to countries outside the European Union will be either based on an adequacy decision by the European Commission (Article 45(3) GDPR), or it will be subject to appropriate safeguards (Article 46 GDPR). In the absence of an adequacy decision pursuant to Article 45(3) GDPR, or of appropriate safeguards pursuant to Article 46 GDPR, the data transfer will be based on the necessity for the conclusion and performance of the contract concluded in the interest of you (as data subject) and us (as data controller) pursuant to Article 49(1)(c) GDPR.

Your rights with regard to our data processing

Where permitted by law and technically feasible, you have the right to request information about your personal data (Article 15 GDPR), to update or correct your personal data (Article 16 GDPR), to request that your personal data to be deleted from your systems and files (Article 17 GDPR), to restrict the processing of your personal data under certain circumstances (Article 18 GDPR), to withdraw your consent at any time, as far as your personal data is being processed based on your consent (Article 7 GDPR), to object at any time to the processing of your personal data (Article 21 GDPR), to have your personal data supplied in an electronic format (Article 20 GDPR).

You may file a complaint with us, with our data protection officer (“DPO”), or with the relevant data protection authority. The relevant data protection authority is: Berliner Beauftragte für Datenschutz und Informationsfreiheit. By request, our DPO will handle your complaint with strict confidentiality, so that your identity will not be disclosed to us.

Data protection officer

Leu Rechtsanwaltsgesellschaft mbH

Attn: Dr. Norman-Alexander Leu

Heinrich-Hoffmann-Strasse 3

60528 Frankfurt am Main, Germany

Telephone: +49 69 348 731 880

Fax: +49 69 348 731 889