Stores open 10 a.m. Opens 10 am

Search

Privacy policy

City Outlet Bad Münstereifel GmbH would like to thank you for your interest in our website and our offers. We respect your privacy. Data protection and data security are very important to us.

This privacy policy covers various areas of our business activities. Different provisions apply depending on the nature of your relationship with us:

  • Website visitorsPart I of this privacy policy
  • Tenants and prospective tenantsPart II of this privacy policy
  • Property management mattersPart III of this privacy policy

Personal data is all data that can be related to you personally, such as your name, address, e-mail address and user behavior.

Status: September 2025

Part I: Data protection for website visitors

1. name and contact details of the person responsible

Responsible person:
City Outlet Bad Münstereifel GmbH
Market Street 18
D-53902 Bad Münstereifel
E-mail: info@co-bam.com
Phone: +49 (0)2253 317 0000

2. collection and storage of personal data when visiting the website

When you visit our website www.cityoutletbadmuenstereifel.com, the browser used on your device automatically sends information to the server of our website. This information is temporarily stored in a so-called log file:

- IP address of the requesting computer
- Date and time of access
- Name and URL of the retrieved file
- Website from which the access is made (referrer URL)
- the browser used and, if applicable, the operating system of your computer and the name of your access provider

Purposes of the processing:
- Ensuring a smooth connection to the website
- Ensuring a comfortable use of our website
- Evaluation of system security and stability
- other administrative purposes

Legal basisArt. 6 para. 1 sentence 1 lit. f GDPR (legitimate interest)

Hosting of the website - TimmeHosting

Our website is hosted by:

Timme Hosting GmbH & Co. KG
Ovelgönner Weg 43
21335 Lüneburg
Germany

The servers are located exclusively in Germany (ISO-certified data centers). TimmeHosting collects and processes the above-mentioned log file data as a processor in accordance with Art. 28 GDPR for the technical provision and security of our website.

Purpose of processing: Technical provision and operation of the website
Legal basis: Art. 6 para. 1 lit. f GDPR (legitimate interest)
Retention period: Log files are automatically deleted after 30 days
Data processing agreement: A data processing agreement has been concluded with TimmeHosting in accordance with Art. 28 GDPR

3. VIP Club membership and newsletter

Provider of the VIP Club functionalities - SevenD GmbH

We use for the technical implementation of our VIP Club and customer data collection:

SevenD GmbH
Oststraße 12
74072 Heilbronn
Germany
E-mail: hallo@sevend.de

Newsletter dispatch - MailChimp

To send our newsletter, we use the MailChimp service of:

The Rocket Science Group LLC (MailChimp)
Parent company: Intuit Inc.
675 Ponce de Leon Ave NE
Suite 5000
Atlanta, GA 30308
USA

MailChimp is certified under the EU-US Data Privacy Framework and uses EU Standard Contractual Clauses (SCCs) for data transfers. An automatic order processing contract (Data Processing Addendum) is effective when using the service.

Collection and use of data:

You have the opportunity to become a VIP Club member. As a club member you receive:

- Exclusive invitations to VIP events and store openings
- A Day Discount Card as a birthday present with 10% extra discount
- Regular newsletter about current offers, promotions and competitions

Data collected: E-mail address, first name, surname, date of birth
Purpose: Newsletter dispatch, personalization, protection against misuse, issue of the birthday discount card
Legal basis: Art. 6 para. 1 sentence 1 lit. a GDPR (consent)

We use the double opt-in procedure. You can unsubscribe at any time via the link in the newsletter or by sending an e-mail to info@co-bam.com.

Data transfer to the USA: MailChimp is certified under the EU-US Data Privacy Framework. In addition, EU standard contractual clauses have been agreed.

Storage period: Until withdrawal of consent or deletion of the account

4. contact form

Data collected: E-mail address, name, other voluntary information
Purpose: Processing your request
Legal basis: Art. 6 para. 1 sentence 1 lit. a GDPR (consent)
Deletion: After completion of the request

5. online voucher order

Data collected: E-mail address, last name, first name, full address
Purpose: Processing and dispatch of vouchers
Legal basis: Art. 6 para. 1 sentence 1 lit. a GDPR (consent)
Deletion: After completion of the order

6. cookies and cookie management

Cookie consent management with Borlabs Cookie

Our website uses cookie consent technology from:

Borlabs GmbH
Hamburger Str. 11
22083 Hamburg
Germany
E-mail: support@borlabs.io

Borlabs cookie consent technology is used to obtain the legally required consent for the use of cookies in accordance with the TDDDG (formerly TTDSG).

How it works:
Borlabs Cookie sets a technically necessary cookie called “borlabs-cookie” to store your cookie consent. This cookie is required for the website to function properly.

Information stored in the “borlabs-cookie” cookie:
- Your granted/denied consent to cookie categories
- Time stamp of the consent
- Unique, anonymous user ID (no personal data)
- Settings for the cookie banner

Data processing:
Borlabs Cookie does not process any personal data and does not transmit any information about you to us or third parties. All data is only stored locally in your browser.

PurposeManagement and verification of cookie consents
Legal basis: Art. 6 para. 1 lit. c GDPR (legal obligation according to TDDDG)
Storage period: 12 months

RevocationYou can revoke your consent at any time by deleting the cookie in your browser or by accessing the cookie settings via the corresponding link on our website.

More cookies:

We use different types of cookies:

- Technically necessary cookies: Necessary for the basic functions of the website (no consent required)
- Statistics cookies: For anonymous recording of website usage (only with your consent)
- Marketing cookies: For personalized advertising (only with your consent)

Legal basis: Art. 6 para. 1 sentence 1 lit. f GDPR (legitimate interest) for technically necessary cookies; Art. 6 para. 1 lit. a GDPR (consent) for non-essential cookies

You can deactivate cookies in your browser settings, but this may limit the functionality of the website.

7. analysis tools

7.1 Google Analytics

We use Google Analytics for the needs-based design and optimization of our website. Pseudonymized usage profiles are created. The IP addresses are anonymized (IP masking).

Provider:
Google LLC
1600 Amphitheatre Parkway
Mountain View, CA 94043
USA

Processing in the EU: Google Ireland Limited acts as EU representative

Data transfer to the USA: Google is certified under the EU-US Data Privacy Framework. An order processing contract has been concluded with Google.

Transmitted information:
- Browser type/version
- Operating system
- Referrer URL
- Host name (anonymized IP address)
- Time of the server request

Legal basis: Art. 6 para. 1 lit. a GDPR (consent) - Google Analytics is only activated after your express consent via the cookie banner

Purpose: Analysis of user behavior, optimization of the website and advertising measures

Storage period: 14 months (shortened retention period)

Opt-out: Browser add-on at https://tools.google.com/dlpage/gaoptout?hl=de or revocation via the cookie settings

7.2 Google AdWords conversion tracking

We use Google Conversion Tracking for statistical recording and optimization. Cookies lose their validity after 30 days and are not used for personal identification.

Legal basis: Art. 6 para. 1 lit. a GDPR (consent)
Data transmission: USA (EU-US Data Privacy Framework)

8. social media plug-ins

We use social plug-ins from Facebook, Instagram and YouTube in a two-click process to protect your data. The plug-ins are managed by Borlabs Cookie and are only activated after you have given your consent.

Legal basis: Art. 6 para. 1 sentence 1 lit. a GDPR (consent)

9. order processing

The following service providers process personal data for us as processors:

TimmeHosting GmbH & Co. KG - Website hosting, server log files - Germany - AV contract according to Art. 28 GDPR

MailChimp (Intuit Inc.) - Newsletter distribution - USA - Data Processing Addendum, DPF certification

SevenD GmbH - VIP Club administration, customer data - Germany - DPA contract pursuant to Art. 28 GDPR

Borlabs GmbH - Cookie-Consent-Management - Germany - Technically necessary, no data transfer

Google LLC - Analytics, Conversion Tracking - USA - Data processing agreement, DPF certification

All processors have been carefully selected and are contractually obliged to process personal data only in accordance with our instructions and in compliance with the GDPR.

Part II: Data protection for tenancies

  1. Person responsible

City Outlet Bad Münstereifel GmbH
Marktstr. 18
D-53902 Bad Münstereifel, Germany
E-mail: info@co-bam.com
Phone: +49 (0)2253 317 0000

  1. Data collected and purposes of use
Data category Purpose of the processing Legal basis
Contact and contract data Conclusion, administration and fulfillment of the rental agreement Art. 6 para. 1 lit. b GDPR
Payment data (SEPA, credit card) Processing of direct debits and card payments Art. 6 para. 1 lit. b GDPR
Billing data Preparation of the operating and ancillary cost statement Art. 6 para. 1 lit. b GDPR
Communication data Information and correspondence relating to the tenancy Art. 6 para. 1 lit. b/f GDPR

2.1 Direct debit collections

We store the following in our accounting software (DATEV eG): First and last name, address, e-mail address. For SEPA direct debit mandates additionally: IBAN and BIC.

2.2 Credit card payment

When paying by card, we record the name, address and e-mail address for the booking. Credit card details are transmitted directly to the payment institution in encrypted form and are not stored.

  1. Recipient / processor
  • Cloud service: ISO 27001-certified cloud service with EU data centers
  • DSI - Dr.-Ing. Schmolke Immobilien GmbH (Große Telegraphenstraße 2, D-50676 Cologne): Billing of operating costs and ancillary costs

 

  1. Storage duration
  • Contract and payment data: Lease term plus 10 years
  • Billing data: 10 years (tax requirements)
  • Communication data: Until revocation/deletion request

 

Part III: Property management by CIS Colonia Immobilien Service GmbH

  1. Person responsible

CIS Colonia Immobilien Service GmbH
Horbeller Str. 31
D-50858 Cologne, Germany
E-mail: os@c-p-e.de
Phone: +49 221 165 335 30

  1. Processed data and purposes
Data category Purpose of the processing Legal basis
Contact and contract data Administration, communication, maintenance and billing Art. 6 para. 1 lit. b/f GDPR
Payment data (SEPA) Operating cost and ancillary cost statements Art. 6 para. 1 lit. b GDPR
Billing data Proof of costs through DSI Art. 6 para. 1 lit. b GDPR
Communication data Correspondence with tenants and owners Art. 6 para. 1 lit. b/f GDPR
  1. Processor
  • Cloud service: ISO 27001-certified, EU data centers
  • fynk GmbH (Vienna, Austria): Digital contract management, ISO 27001-certified
  • DSI - Dr.-Ing. Schmolke Immobilien GmbH: Billing services

 

General provisions for all areas

Forwarding of data

Your data will only be transmitted to third parties if:

  • Express consent (Art. 6 para. 1 lit. a GDPR)
  • Legal necessity (Art. 6 para. 1 lit. f GDPR)
  • Legal obligation (Art. 6 para. 1 lit. c GDPR)
  • Fulfillment of the contract (Art. 6 para. 1 lit. b GDPR)

 

Your rights as a data subject

You have the right to:

  • Information (Art. 15 GDPR)
  • Correction (Art. 16 GDPR)
  • Deletion (Art. 17 GDPR)
  • Restriction of processing (Art. 18 GDPR)
  • Data portability (Art. 20 GDPR)
  • Revocation of consent (Art. 7 para. 3 GDPR)
  • Complaint to the supervisory authority (Art. 77 GDPR)

 

Right of objection

In the case of processing based on legitimate interests (Art. 6 para. 1 lit. f GDPR), you have a right to object in accordance with Art. 21 GDPR.

Contact for data subject rights:

  • info@co-bam.com

Data security

We use SSL encryption (256-bit or 128-bit v3) and appropriate technical and organizational security measures to protect your data.

Up-to-dateness and changes

This privacy policy is currently valid and was last updated in July 2025.

It may become necessary to amend this privacy policy as a result of the further development of our website and services or due to changes in legal or official requirements. You can access and print out the current privacy policy at any time on the website at www.cityoutletbadmuenstereifel.com/rechtliches/datenschutz/.

Safe the Date!

Black Week from November 24 to 30 + Sunday on sale on 30.11. for the Festival of Lights at the City Outlet Bad Münstereifel!

Go to the event now!

Safe the Date!

BLACK WEEK

  • Black Week from November 24 to 30
  • open Sunday on 30.11. for the Festival of Lights
  • Discover our Black Week deals now!
  • and much more
Go to the event now!