Privacy policy

1. Data protection information for our website

We are delighted that you have visited our website and would like to provide you with as much information as possible about how your data is processed in connection with this.

When you visit our website, we collect personal data from you. This is data that is necessary for you to use our website or that enables us to take your preferences into account. It may also be information that you yourself provide to us via the contact options offered on these pages.

We use this data to ensure the proper operation and all functionalities of our website and to respond to your inquiries.

Below, we provide information about what data is collected on our website and for what purposes it is processed. You will also find information about your rights and contact details for us and our data protection officer.

2. Contact and data protection officer

This privacy policy applies to the website of

Golf- und Sporthotel Wiesensee Betriebs GmbH
Am Wiesensee
56457 Westerburg

Phone: 02663 991100
Email: info@golfhotel-wiesensee.de

The data protection officer of the controller is:

Jörg Hoffmann
LOROP GmbH
Landgrafenstraße 16
10787 Berlin

Email: datenschutz@lorop.de
Phone: 030 330962627

3. Purposes and legal basis of data processing, processors, transfer to third parties in third countries

We only use the personal data you provide to us for the purposes for which it is intended.

The legal basis for the processing of your data may be, in particular

• your consent in accordance with Art. 6 (1) (a) GDPR, for example by agreeing to the use of cookies or web analysis,
• the initiation and execution of a contract pursuant to Art. 6 (1) (b) GDPR, for example when you contact us via the form,
• our legitimate interest pursuant to Art. 6 (1) (f) GDPR, for example in the context of public relations, ensuring the necessary functionality of the website, IT and internet security, quality assurance, fraud prevention, and the prosecution of criminal offenses.

If you have given us your consent for a specific purpose, you can revoke this at any time without formal requirements.

Personal data is only transferred to government institutions and authorities on the basis of mandatory national legislation.

The persons commissioned by us to process the data are obliged to maintain confidentiality and to process the data lawfully. In the event of further processing of your personal data for a purpose other than the original purpose, we will notify you accordingly.

We use the support of external service providers (processors) for certain technical processes relating to data analysis, processing, and/or storage. Both we and the processor are obliged to comply with the technical and organizational measures set out in Art. 32 GDPR, and the external service provider is also obliged to maintain confidentiality. Processing is carried out exclusively on our behalf and on our instructions. Any processing of your personal data beyond this commissioned data processing will only take place with your explicit consent or in cases required by law or ordered by authorities or courts.

Data will only be transferred to third countries (countries outside the European Economic Area – EEA) if this is necessary for the fulfillment of the contract, if it is required by law, if you have given your consent to the data processing, or if it is necessary to ensure various functionalities on the website. We will inform you separately about the details, if required by law.

4. Duration of data storage

In connection with the purely informational use of our homepage, we store the data that your browser transmits to our server for the period of time necessary to remedy malfunctions or error messages. Deletion usually takes place within 7 days after the end of the Internet connection.

Further deletion periods depend on your use of the website.

If you contact us with a request using our contact options, we will store your personal data from the time of collection. We store the data collected in this way for the duration of our business relationship, which includes, among other things, the initiation and execution of a contract. In addition, we are subject to various storage and documentation obligations, which arise from the German Commercial Code (HGB), the German Fiscal Code (AO) or other tax laws, among others. The storage periods prescribed there are up to ten years after the end of the year in which the contractual relationship was terminated. Finally, the storage period is also assessed with regard to the possibility of defending against legal claims and proving compliance with data protection obligations in accordance with the statutory limitation periods, which, according to §§ 195 ff. of the German Civil Code (BGB), are generally 3 years from the end of the year in which they arose.

In the event of further deletion periods, you will be informed in the further course of the privacy policy.

5. Rights of data subjects (information for data subjects according to Chapter 3 GDPR)

You have the following rights as a data subject:

• the right to information pursuant to Art. 15 GDPR,
• the right to rectification pursuant to Art. 16 GDPR,
• the right to erasure pursuant to Art. 17 GDPR,
• the right to restriction of processing of personal data pursuant to Art. 18 GDPR,
• the right to data portability pursuant to Art. 20 GDPR, and
• the right to object to the processing of personal data pursuant to Art. 21 GDPR.

In addition, Art. 77 GDPR grants you the right to lodge a complaint with a data protection authority. The complaint can be lodged with the data protection authority of the country in which you reside or work or in which the alleged infringement occurred. If the data protection authority of another member state is responsible for the entity you are complaining about, the national data protection authority will coordinate with the other data protection authority. An overview can be found here:

www.bfdi.bund.de/DE/Infothek/Anschriften_Links/anschriften_links-node.html

The supervisory authority responsible for us is

State Commissioner for Data Protection and Freedom of Information North Rhine-Westphalia
Kavalleriestr. 2-4
40213 Düsseldorf
Phone: 0211/38424-0
Fax: 0211/38424-999
Email: poststelle@ldi.nrw.de

 

6. Functionality and presentation of the website

6.1. Cookies

We use cookies. Cookies are text files that are stored on a computer system via an Internet browser.

Cookies contain a so-called cookie ID. A cookie ID is a unique identifier for the cookie. It consists of a string of characters that can be used to assign websites and servers to the specific Internet browser in which the cookie was stored. This enables the websites and servers visited to distinguish your individual browser from other Internet browsers that contain other cookies. A specific Internet browser can be recognized and identified via the unique cookie ID.

By using cookies, we can provide users of this website with more user-friendly services. Information and offers on our website can be optimized for the user, for example by recognizing the user of the website. This means that access data does not have to be re-entered each time the website is visited, as this is taken over by the website and the cookie stored on the user's computer system.

However, when using cookies, a distinction must be made with regard to different purposes. If these small files are absolutely necessary for the website to be displayed properly, their use is not voluntary. In this case, the legal basis for the integration of cookies is Art. 6 (1) lit. f GDPR.

In addition, cookies are also used on the website for the purpose of analyzing user behavior or for marketing purposes. However, this only occurs if you have given us your consent in accordance with Art. 6 (1) lit. a GDPR when you first visit the website. However, you can prevent the setting of cookies by our website at any time by adjusting the settings of your internet browser and thus permanently object to the setting of cookies. Furthermore, cookies that have already been set can be deleted at any time via an Internet browser or other software programs. This is possible in all common Internet browsers. If the setting of cookies is deactivated in the Internet browser used, it may not be possible to use all the functions of our website to their full extent.

6.2. Server log files

The provider of our website automatically collects and stores information in so-called server log files, which are automatically transmitted to us by your browser. The following may be recorded

• browser types and versions used,
• the operating system used by the accessing system,
• the website from which an accessing system reaches our website (so-called referrer),
• subwebpages that are accessed on our website via an accessing system,
• the date and time of access to the website,
• an Internet Protocol address (IP address),
• the Internet service provider of the accessing system, and
• other data and information that serves to avert danger in the event of attacks on our information technology systems.

We do not draw any conclusions about you when using this general data and information. Rather, this information is required in order to

• deliver the content of our website correctly,
• optimize the content of our website and the advertising for it,
• ensure the long-term functionality of our information technology systems and the technology of our website, and
• provide law enforcement authorities with the information necessary for prosecution in the event of a cyber attack.

We therefore evaluate this data and information statistically and with the aim of increasing data protection and data security in our company in order to ultimately ensure an optimal level of protection for the personal data we process. The processing is carried out within the scope of our legitimate interest in accordance with Art. 6 (1) f GDPR. The anonymous data in the server log files is stored separately from all your personal data. This data is not merged with other data sources. However, if there are indications of illegal use of our website, we may subsequently review this data.

7. Communication

7.1. Online application form

We have provided the option of applying online on our website. Applicants can actively enter their data into the integrated application form. It is also possible to upload documents.

We collect and process the personal data of applicants for the purpose of handling the application process and initiating a contract in accordance with Art. 6 (1) (b) GDPR in conjunction with § 26 BDSG.

If an employment contract is concluded with an applicant, the data transmitted will be stored for the purpose of processing the employment relationship in compliance with the statutory provisions. If we do not conclude an employment contract with the applicant, the application documents will be automatically deleted six months after notification of the rejection decision, provided that no other legitimate interests of ours prevent deletion.

Other legitimate interests in this sense include, for example, the burden of proof in proceedings under the General Equal Treatment Act (AGG). If applicants and employers are interested in being included in an applicant pool and, accordingly, in the long-term storage of data, the applicant's consent is required. In this case, the applicant will be informed about the company's privacy policy and the specific provisions of the company's applicant data protection policy. Subsequently, a written declaration of consent to data processing for the purpose of the application will be obtained to ensure verifiability, and at the same time the applicant will be informed that they can revoke their consent at any time with effect for the future.

We use an external service provider (processor) for this technical process. Both we and the processor are obliged to comply with the technical and organizational measures in accordance with Art. 32 GDPR, and the external service provider is also obliged to maintain confidentiality. Processing is carried out exclusively on our behalf and on our instructions.

Data protection information for applicants:

If you are interested in working for our company, you can apply and submit your application documents by email, post, or via our social media channels. You can find relevant job offers on our website.

During the application process, you may share very personal information about yourself with us. In this context, we process the data that you provide to us in your application letter. We collect your personal data as listed below in direct contact with you. In addition, and to the extent necessary for the evaluation of your application, we may process data obtained from other sources or from other third parties or publicly available sources in a permissible manner.

We process your data if this is necessary for the implementation of a pre-contractual measure for the purpose of processing the application procedure in accordance with Art. 6 (1) b GDPR in conjunction with § 26 BDSG. This includes reviewing and assessing your suitability for the position to be filled, evaluating your performance and conduct to the extent permitted by law, preparing the employment contract if necessary, and pre-contractual or contract-related communication (including scheduling appointments) with you.

For the purposes mentioned above, we regularly process the following personal data: title/gender, address data, personal data (name, date of birth), residential address, professional activities/current job, nationality, professional qualifications/professional experience, references, start/end of employment.

The data is necessary for the proper execution of the selection process. If you do not provide us with the information, we may not be able to consider your application. There is no legal obligation to provide the data.

If an employment contract is concluded with an applicant, the data provided will be stored for the purpose of processing the employment relationship in compliance with the statutory provisions. If we do not conclude an employment contract with the applicant, the application documents will be automatically deleted six months after notification of the rejection decision, provided that no other legitimate interests of ours prevent deletion. Other legitimate interests in this sense include, for example, the burden of proof in proceedings under the General Equal Treatment Act (AGG).

In addition, we process your data if you have given us your consent in accordance with Art. 6 (1) a GDPR or Art. 9 (2) a GDPR. You can give your consent for us to obtain references from previous employers and to store your application in an applicant pool for future vacancies for a longer period of time.

We will obtain your consent to data processing separately if necessary. You can revoke your consent at any time with effect for the future. Revoking your consent does not affect the lawfulness of the processing carried out on the basis of your consent until revocation.

If a life-threatening emergency occurs and you require medical assistance, we base the processing of your data on Art. 6 (1) lit. d GDPR in order to protect your vital interests. This includes, in particular, the transfer of relevant data to paramedics, doctors, or other emergency personnel.

Where applicable, data processing is carried out in our legitimate interest pursuant to Art. 6 (1) lit. f GDPR. Our legitimate interest in data processing is fraud prevention; measures to ensure and improve the security of IT systems; measures to protect our company from illegal activities; assertion of claims for damages; internal administrative purposes, in particular exchange within our company; assertion of legal claims and defense in legal disputes—where applicable, disclosure to legal representatives acting on our behalf; ensuring uniform applicant management and uniform quality standards within our company.

No automatic evaluation systems are used for data processing in our company.

The data we collect is also transferred to other recipients and third parties in compliance with legal regulations. These are internal recipients such as management and department heads. These are also external recipients such as external data processors for data protection-compliant file destruction; to ensure IT functionality, maintenance, and security; our own legal representatives in the event of a legal dispute; tax authorities; tax advisors.

7.2.Evaluation via HolidayCheck

When using our online review option via HolidayCheck, personal data such as name, address, contact and communication data (telephone number and email address) are collected.

The responsible body is HolidayCheck Group AG, Neumarkter Str. 61, 80796 Munich.

This company collects and uses your personal data exclusively within the framework of the statutory provisions. Reviews are voluntary. Your data will only be collected, processed, and used for the purpose of processing reviews.

Provided that there are no legal retention obligations to the contrary, HolidayCheck will also correct or delete this data at your request. To do so, please contact HolidayCheck directly. You can find HolidayCheck's privacy policy at www.holidaycheckgroup.com/privacy/

7.3. Review via Customer Alliance

When using our online review options via Customer Alliance, personal data such as name, address, contact and communication data (telephone number and email address) are collected.

The operating company is Customer Alliance GmbH, Ullsteinstr. 118, Tower B in 12109 Berlin.

This company collects and uses your personal data exclusively within the framework of the statutory provisions. Reviews are voluntary. Your data will only be collected, processed, and used for the purpose of processing reviews.

In addition, to ensure the functionality of our website, personal data may be transmitted to Customer Alliance via your browser.

The legal basis for data processing is Art. 6 (1) lit. f GDPR. The legitimate interest lies in the error-free functioning of the website. The data will be deleted as soon as the purpose for which it was collected has been fulfilled. Further information on the handling of the transferred data can be found in the Customer Alliance privacy policy: www.customer-alliance.com/de/datenschutzbestimmungen/#. You can prevent Customer Alliance from collecting and processing your data by deactivating the execution of script code in your browser or installing a script blocker in your browser (you can find these at www.noscript.net or www.noscript.net, for example).

7.4. Bookings via the website

In order to process bookings via our website, the personal data necessary for the implementation of the booking is collected. This usually includes first name, last name, address, date of birth, gender, email address, IP address, telephone number, mobile phone number, and other data necessary for processing the booking. Personal data related to the respective booking is also required to process the booking. In particular, there may be a mutual exchange of payment information, such as bank details, card number, expiration date and CVC code, prices and tax charges, information on previous purchasing behavior, or other information relating to your financial situation.

The purpose of transmitting the data is, in particular, to verify identity, administer payments, and prevent fraud. The purpose of data collection is therefore to fulfill (pre-)contractual obligations in accordance with Art. 6 (1) (b) GDPR.

7.5. Contact and contact form

Our website contains information that enables you to quickly contact our company electronically and communicate with us directly, including a general address for electronic mail (email address).

We have also integrated a contact form that you can use to contact us. You have the option of voluntarily providing your title, first name, last name, and telephone number. However, in order to communicate with us, it is essential that you provide your email address and your specific request in the message.

If you contact us by email or via the contact form, the personal data you provide will be stored automatically. Such personal data provided on a voluntary basis will be stored for the purpose of processing or contacting you. This personal data will not be passed on to third parties.

Data transmission via the contact form is voluntary and takes place in accordance with Art. 6 (1) (a) GDPR. If processing is necessary for the performance of a contract or takes place in the context of the implementation of a pre-contractual measure, data processing is carried out in accordance with Art. 6 (1) (b) GDPR.

We use an external service provider (processor) for this technical process. Both we and the processor are obliged to comply with the technical and organizational measures in accordance with Art. 32 GDPR, and the external service provider is also obliged to maintain confidentiality. Processing is carried out exclusively on our behalf and on our instructions.

7.6. Newsletter subscription

You have the option of subscribing to our newsletter. By subscribing, you consent to the sending of newsletters by email in accordance with Art. 6 (1) (a) GDPR and the associated tracking. In this newsletter, we regularly inform you about offers and news relating to various topics.

To subscribe to the newsletter, we collect data exclusively in direct contact with you. To send the newsletter, we process your email address as personal data. You can only receive our company's newsletter if

• you have a valid email address and
• you have registered to receive the newsletter.

The personal data collected when you subscribe to the newsletter will be used exclusively for sending our newsletter. Furthermore, subscribers to the newsletter may be informed by email if this is necessary for the operation of the newsletter service or for registration in this regard, for example in the event of changes to the newsletter offer or changes to the technical conditions.

We use the service provider XXXX to send the newsletter. We have concluded a data processing agreement with this service provider.

You can unsubscribe from our newsletter at any time. You can revoke your consent to the storage of personal data that you have provided to us for the purpose of sending the newsletter at any time. Your data will only be stored for as long as you have given us your consent. To revoke your consent, you can contact us at any time using the contact details provided on this page or use the unsubscribe function in each newsletter.

Newsletter tracking:

Our newsletters may contain so-called tracking pixels. A tracking pixel is a miniature graphic that is embedded in emails sent in HTML format to enable log file recording and log file analysis. This allows a statistical evaluation of the success or failure of online marketing campaigns to be carried out. The embedded tracking pixel allows us to see if and when an email has been opened by a recipient and which links in the email have been clicked on.

We store and evaluate such personal data collected via the tracking pixels contained in the newsletters in order to optimize the newsletter dispatch and to better tailor the content of future newsletters to the interests of the recipients. This personal data is not passed on to third parties.

Data subjects are entitled to revoke their separate consent given via the double opt-in procedure at any time. After revocation, this personal data will be deleted by the controller, unless the right to deletion is restricted by law. We consider unsubscribing from the newsletter as a revocation of consent.

8. Maps / Route planner

Google Maps link

As part of our website, for example to find our company locations, we offer links to Google Maps on the basis of legitimate interest pursuant to Art. 6 (1) (f) GDPR.

The operating company is Google LLC; 1600 Amphitheatre Parkway; Mountain View, CA 94043; USA, represented in the EU by Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland.

To use this service, click on the link to be redirected to Google's interactive map. Only after clicking on the link will your personal data, such as your IP address, be passed on to Google and processed by them. Use of the map service is voluntary. We have no influence whatsoever on Google's data processing or Google's transfer of data to third parties. If you do not want your data to be transferred, please do not use the link.

Further information and Google's applicable data protection regulations can be found at https://policies.google.com/privacy and https://policies.google.com/terms.

9. Social media

9.1. Use of social media plugins

The website also uses social media platforms such as Facebook, Twitter, and Instagram. These platforms sometimes contain buttons and plugins that transfer data to the operators of the respective network platform as soon as the page is loaded, i.e., without any further action on the part of the user.

9.2. Facebook (link via icon)

We have integrated components from the Facebook company as links on this website. Facebook is a social network. A social network is a social meeting place operated on the Internet, i.e., an online community that generally allows users to communicate with each other and interact in virtual space. A social network can serve as a platform for exchanging opinions and experiences or enable the Internet community to provide personal or company-related information. Facebook allows users of the social network to create private profiles, upload photos, and network via friend requests, among other things.

Voluntarily clicking on the icon will redirect you to Facebook, over which we have no control.

The operating company of Facebook is Meta Platforms Inc., 1 Hacker Way, Menlo Park, CA 94025, USA. If a data subject lives outside the USA or Canada, the controller responsible for the processing of personal data is Meta Platforms Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland.

If you do not want Facebook to process your data, please do not click on the link.

The data policy published by Facebook, which is available at www.facebook.com/about/privacy/, provides information about the collection, processing, and use of personal data by Facebook. It also explains the settings options Facebook offers to protect your privacy.

Insight data analysis

The Conference of Independent Data Protection Authorities of the Federal Government and the Länder (Data Protection Conference – DSK) has pointed out that Facebook is obliged to obtain effective consent to the use of data from all visitors to the Facebook page. The operators of a Facebook fan page, on the other hand, are obliged to obtain the necessary information about Facebook's use of data.

When you visit our fan page, Facebook collects personal data from users within the scope of its responsibility. Such data collection by Facebook may also occur for visitors to this page who are not logged in to Facebook or registered as members. Information about data collection and further processing by Facebook, as well as information about the implementation of your rights and options for decision-making, can be found in Facebook's privacy policy.

By using the Facebook platform, we assume no responsibility for the processing of personal data and its transfer outside the European Union, in particular no responsibility for the implementation of the rights of data subjects and the effectiveness of consent.

We have no influence on the scope and no full access to the data collected or your profile data. You decide what information we receive within the exclusive responsibility of Facebook with your Facebook settings or your browser settings when visiting a publicly accessible page. In addition, you have the option in your Facebook settings to actively hide your "likes" or to stop following the fan page. Your profile will then no longer appear in the list of fans of this fan page.

We receive anonymous statistics from Facebook on the use and utilization of the fan page. The following information is provided here, for example (so-called insight data):

• Followers: Number of people who follow our fan page – including growth and development over a defined time frame
• Reach: Number of people who see a specific post on our fan page and number of interactions on a post
• Ad performance: Number of people who have seen an ad
• Demographics: average age of visitors, gender, place of residence, language

We use these statistics, from which we cannot draw any conclusions about individual users, to continuously improve our online offering on Facebook and to better respond to the interests of our users. We cannot link the statistical data to the profile data of our fans. You can use your Facebook settings to decide in what form targeted advertising is displayed to you.

We have entered into an agreement with Facebook regarding the processing of personal data as joint controllers in accordance with Article 26 of the GDPR.

Accordingly, Facebook is solely responsible for the processing of Insight data. In this regard, Facebook is responsible for fulfilling the information obligations under Articles 12 and 13 of the GDPR, for exercising the rights of data subjects under Articles 15 to 22 of the GDPR, for data security, and also for reporting data protection violations (Articles 32 to 34 GDPR). Furthermore, Facebook remains the sole controller for the processing of other personal data.

We receive personal data via Facebook when you actively provide it to us via a personal message on Facebook or when you use a form to transmit the data to us and actively send the data to us by clicking on a button. We use the data you provide (e.g., first name, last name) to respond to your request, if necessary.

9.3. Instagram (link via icon)

We have integrated components of the Instagram service as links on our website. Instagram is a service that qualifies as an audiovisual platform and enables users to share photos and videos and also to redistribute such data on other social networks. If you voluntarily click on the link, you will be redirected directly to Instagram. We have no influence on the data processing by Instagram. If you do not agree to data processing by Instagram, please do not click on the link.

The operator of Instagram's services is Instagram LLC, 1 Hacker Way, Building 14 First Floor, Menlo Park, CA, USA. Instagram is a subsidiary of Meta Platforms Inc., 1 Hacker Way, Menlo Park, CA 94025, USA, represented in the EU by Meta Platforms Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland.

Further information and Instagram's applicable privacy policy can be found at www.instagram.com/about/legal/privacy/.

9.4. X

We have integrated components from X into this website. X is a multilingual, publicly accessible microblogging service on which users can publish and distribute so-called tweets, i.e., short messages limited to 140 characters. These short messages are accessible to everyone, including people who are not registered with Twitter. However, the tweets are also displayed to the respective user's followers. Followers are other Twitter users who follow a user's tweets. Furthermore, X enables a broad audience to be addressed via hashtags, links, or retweets.

The operating company of X is X Corp. 1355 Market Street, Suite 900, San Francisco, CA 94103, USA

According to Implementing Decision (EU) 2021/914 of the EU Commission of June 4, 2021, on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, data transfers to the USA are based on standard contractual clauses.

Each time you visit one of the individual pages of our website that has an X component (X button) integrated into it, the Internet browser on your system is automatically prompted by the respective X component to download a representation of the corresponding component from X. As part of this technical process, X obtains information about which specific subpage of our website you are visiting.

If you are logged in to X at the same time, X recognizes which specific subpage you are visiting each time you visit our website and for the entire duration of your visit to our website. This information is collected by the X component and assigned to your respective X account by X. If you click on an X button integrated into our website, Twitter assigns this information to your personal X user account and stores this personal data.

X always receives information via the X component that you have visited our website if you are logged into X at the same time as visiting our website; this occurs regardless of whether you click on the X component or not.

If you do not want this information to be transmitted to X, you can prevent the transmission by logging out of your X account before visiting our website.

Further information and the applicable data protection provisions of X can be found at https://privacy.x.com/de.

9.5. YouTube (link via icon or video)

We have integrated components of the YouTube service as links on our website.

YouTube is an internet video portal that allows video publishers to upload video clips free of charge and other users to view, rate, and comment on them, also free of charge. YouTube allows the publication of all types of videos, which is why complete films and television programs, as well as music videos, trailers, and videos created by users themselves, are available via the internet portal.

YouTube is operated by YouTube, LLC, 901 Cherry Ave., San Bruno, CA 94066, USA. YouTube, LLC is a subsidiary of Google LLC, 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, USA, represented in the EU by Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland.

As soon as you click on the link, YouTube will process your data. If you do not want this data to be processed, you can prevent the transfer by not clicking on the link. We have also embedded videos on our website that are only activated when you actively click on the respective video, and only then does the data transfer to YouTube begin.

We do not know and have no control over whether and to what extent data is transferred to YouTube after clicking on the link or a video, and whether and to what extent data is also transferred to the USA. 

According to COMMISSION IMPLEMENTING DECISION (EU) 2021/914 of June 4, 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, data transfers to the USA are based on standard contractual clauses, see here business.safety.google/gdprcontrollerterms/ and here business.safety.google/gdprcontrollerterms/sccs/. 

In addition, the operator is registered in the EU-US Privacy Framework Register.

Further information and the applicable data protection regulations of YouTube and Google can be found at policies.google.com/privacy.

10. Analysis tools

Google Tag Manager

We have integrated the Google Tag Manager component into our pages, which manages website tags via an interface. This triggers other tags. Please note that the triggered tags may collect data, but this data is not used by Tag Manager.

Data processing on our website by Google is carried out with your express consent in accordance with Art. 6 (1) (a) GDPR via the consent banner we use. The following data is processed by Google on the basis of this component: mouse movement, time, IP address, location, visitor behavior, browser, tracking media, website visited, time zone.

The operating company is Google LLC; 1600 Amphitheatre Parkway; Mountain View, CA 94043; USA, represented in the EU by Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland.

According to COMMISSION IMPLEMENTING DECISION (EU) 2021/914 of June 4, 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, data transfers to the US are based on standard contractual clauses, see here business.safety.google/gdprcontrollerterms/ and here business.safety.google/gdprcontrollerterms/sccs/.

For more information and Google's applicable privacy policy, please visit policies.google.com/privacy and policies.google.com/terms.

11. Online marketing

Google Ads conversion tracking

Our website uses Google Conversion Tracking for advertising measures through Google Ads to promote our offers and attract the attention of potential customers and interested parties. Data processing by Google on our website is carried out with your prior consent in accordance with Art. 6 (1) lit. a GDPR. You can revoke your consent at any time.

The operating company is Google LLC; 1600 Amphitheatre Parkway; Mountain View, CA 94043; USA, represented in the EU by Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland.

According to COMMISSION IMPLEMENTING DECISION (EU) 2021/914 of June 4, 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, data transfers to the US are based on standard contractual clauses, see here business.safety.google/gdprcontrollerterms/ and here business.safety.google/gdprcontrollerterms/sccs/.

Google Ads is an internet advertising service that allows advertisers to place ads in Google's search engine results as well as in the Google advertising network. Google Ads allows advertisers to specify certain keywords in advance, which are used to display an ad in Google's search engine results only when the user enters a keyword-relevant search result in the search engine. In the Google advertising network, the ads are distributed to relevant websites using an automatic algorithm and taking into account the previously specified keywords.

If you access our website via a Google ad, Google will place a so-called conversion cookie on your system. A conversion cookie expires after thirty days and is not used to identify you. The conversion cookie is used to track whether certain subpages, such as the shopping cart of an online shop system, have been accessed on our website, provided that the cookie has not yet expired. The conversion cookie allows both us and Google to track whether you have accessed our website via an ad and generated a sale, i.e., completed or canceled a purchase.

The data and information collected through the use of the conversion cookie is used by Google to compile visit statistics for our website. We in turn use these visit statistics to determine the total number of users who were referred to us via Ads, i.e., to determine the success or failure of the respective Ads and to optimize our Ads for the future. Neither our company nor other Google Ads advertisers receive information from Google that could be used to identify you.

The conversion cookie stores personal information, such as the websites you have visited. Each time you visit our website, personal data, including your IP address, is transmitted to Google. This personal data is stored by Google.

Further information and Google's applicable privacy policy can be found at policies.google.com/privacy and policies.google.com/terms.

You can prevent cookies from being set at any time by adjusting the settings of your internet browser and thus permanently object to the setting of cookies. To do this, you can generally deactivate the automatic setting of cookies or specifically block cookies from the domain googleleadservices.com.

Furthermore, the data subject has the option of objecting to interest-based advertising by Google. To do so, please use the following link: adssettings.google.com/.

12. Payment options

12.1. EC and debit cards

On our website, we offer payment by EC and Girocard, among other methods.

The provider of these payment services is Telecash GmbH & Co. KG, Konrad-Adenauer-Allee 1, 61118 Bad Vilbel. The contractual partner for billing is Concardis GnbH, Helfmann-Park 7, 65760 Eschborn.

If you select payment by EC and debit cards, the data you enter will be transmitted to the providers for the payment transaction. This is done on the basis of Art. 6 (1) (a) GDPR (consent) and Art. 6 (1) (b) GDPR (processing for the performance of a contract).

12.2. Credit cards

On our website, we offer payment by credit card, e.g., Mastercard, Maestro, JCB, Vpay, or American Express.

The provider of these payment services is First Cash Solution GmbH, Okenstraße 7, 77652 Offenburg. The contractual partner for billing is Concardis GnbH, Helfmann-Park 7, 65760 Eschborn.

If you choose to pay by credit card, the data you enter will be transmitted to the providers for the payment transaction. This is done on the basis of Art. 6 (1) (a) GDPR (consent) and Art. 6 (1) (b) GDPR (processing for the performance of a contract).

12.3. PayPal

We have integrated components from the company PayPal into our website.

PayPal is an online payment service provider. Payments are processed via so-called PayPal accounts, which are virtual private or business accounts. PayPal also offers the option of processing virtual payments via credit cards if a user does not have a PayPal account. A PayPal account is managed via an email address, which is why there is no traditional account number. PayPal enables online payments to be made to third parties or payments to be received. PayPal also performs trustee functions and offers buyer protection services.

The European operating company of PayPal is PayPal (Europe) S.à.r.l. & Cie. S.C.A., 22-24 Boulevard Royal, 2449 Luxembourg, Luxembourg.

If you select "PayPal" as your payment option during the ordering process in our online shop, your data will be automatically transmitted to PayPal. By selecting this payment option, you consent to the transfer of personal data required for payment processing.

The personal data transmitted to PayPal usually includes your first name, last name, address, email address, IP address, telephone number, mobile phone number, or other data necessary for payment processing. Personal data related to the respective order is also necessary for the execution of the purchase contract.

The purpose of transferring the data is to process payments and prevent fraud. We will transfer personal data to PayPal in particular if there is a legitimate interest in the transfer. The personal data exchanged between PayPal and us may be transferred by PayPal to credit agencies. The purpose of this transfer is to verify identity and creditworthiness.

PayPal may pass on personal data to affiliated companies and service providers or subcontractors if this is necessary to fulfill contractual obligations or if the data is to be processed on behalf of PayPal.

You have the option to revoke your consent to the processing of personal data by PayPal at any time. Revocation does not affect personal data that must be processed, used, or transmitted for (contractual) payment processing.

PayPal's current privacy policy can be found at www.paypal.com/de/webapps/mpp/ua/privacy-full.

13. Information on the use of Google services in Consent Mode v2 (CMv2) 

Below, we explain how your personal data is processed in connection with Google Consent Mode V2 (CMv2). CMv2 is a tool from Google that enables website operators to manage user consent for the use of cookies and other tracking technologies.

The data processed within the scope of CMv2 is used to:

• Manage your consent decisions
• Provide you with a personalized user experience
• improve the performance of CMv2

The following data is processed within the scope of CMv2:

• Your IP address: This is used to determine your approximate location and verify the validity of your consent.
• Your browser type and operating system version: This information is used to ensure that CMv2 is compatible with your device.
• The URL of the website you are visiting: This information is used to determine which cookies should be set on the website.
• Your consent decisions: This information is stored to record whether you have consented to the use of cookies and other tracking technologies.

The data processed within the scope of CMv2 is stored for a period of 13 months.

As a website operator, we are a customer of Google Ireland Limited Gordon House, Barrow Street Dublin 4. Ireland. Google acts as our data processor for Google Analytics. This is specified in the data processing terms for Google Ads

(https://support.google.com/analytics/answer/3379636?hl=de).

Google Analytics is also considered a data processor within the meaning of the GDPR, as personal data is collected and processed in Google Analytics on our behalf and in accordance with our instructions. We are the data controllers who can exercise all rights relating to the collection, access, storage, and deletion of our customer data at any time. Google's use of data is subject to the terms of the respective agreements between Google Analytics and us as customers, as well as the settings we make via the product's user interface.

Google CMv2 is primarily used to control Google tags, through which the individual Google services are played out. It allows these tags to be adjusted depending on whether or not consent for Google cookies/tools has been given via the consent banner (cookie banner). Google provides an overview of the two variants of Consent Mode here and here.

Google tags for the following products have integrated consent checks and adjust their functionality based on the consent status:

• Google tag
• Google Analytics
• Google Ads
• Floodlight
• Conversion Link

* Supports conversion tracking and segments with self-collected data; support for call conversions pending.

There are basically two integration options:

• Basic Mode (simple consent mode):

When consent is given for Google services via the Consent Tool, the Google tags are controlled directly, the Consent Mode APIs are executed, and the corresponding cookies are set.

The tags send the consent status to Google in the following order:

1. Default status for consent
2. Updated consent status

If you, as a user, do not give your consent, no data will be transferred to Google—not even the consent status. The triggering of Google tags is completely blocked. In this case, the conversion modeling for consent mode in Google Ads is based on a general model.

If all services are rejected, Google tags are blocked. However, in Basic Mode, users' IP addresses may be transferred to Google (more information here). The IP addresses are truncated immediately after collection or transferred and stored in anonymized form only.

• Advanced Mode (extended consent mode):

Compared to the simple implementation, the advanced implementation allows us to perform better data modeling.

When using Advanced Mode, even if all Google services are rejected in the consent banner, so-called pings from Google are used to record user activities (information about the device type, user country, browser, and conversion data).

Google tags are loaded when a user visits the website or opens the app.

The tags load the Consent Mode APIs and perform the following:

1. Setting the default status for consent. If no individual settings have been specified, consent is denied by default.
   Even if consent is denied, pings without cookies are sent via the Google tags.
    
2. Waiting for a user's consent decision and updating the consent status:

The complete measurement data is only transmitted via Google tags if the user gives their consent to data collection. Further information

Since this involves information that is stored on the user's device, the legal basis is § 25 (1) TTDDG (German Telemedia Act) and, accordingly, consent is required for access to and transmission of this information. This applies regardless of whether the data is personal or not.

As already mentioned, Google CMv2 is primarily used to control Google tags, through which the individual Google services are played out. It allows these tags to be adjusted depending on whether or not consent for Google cookies/tools has been given via the consent banner (cookie banner).

14. Digital customer journey ("GUEST JOURNEY")

We rely on largely digital processes in our hotel and apartment building so that we can offer our guests a unique hotel service and stay, from booking, check-in, and access to our hotel to check-out, which can be organized and designed by our guests via their mobile device according to their needs (hereinafter "guest journey"). The following information for the website also applies mutatis mutandis to apps and other channels of our hotel that are used to design the Guest Journey.

For the Guest Journey, we use the software-supported hotel management solution and central Shiji Deutschland GmbH Saarbrücker Str. 36 A, 10405 Berlin (hereinafter referred to as "Platform"), which enables the control, monitoring, processing, analysis, and evaluation of accommodation processes in hotel facilities and combines all functions of the areas of reservations, front office, and property management in a single interface. Interfaces connect the platform with other applications and infrastructure for the operation and management of our hotel. Furthermore, the platform also bundles access for us via corresponding interfaces to application programs licensed by us from third parties and thus supports defined services in the area of essential, hotel-typical operating processes within the framework of the guest journey, such as booking, billing, guest check-in and check-out processing, guest communication, guest hospitality, locking system management, cleaning management, etc. We, the hotel, are responsible for the data stored on the platform.

We have entered into an order processing agreement with Shiji GmbH to ensure the protection of your personal data.

15. COLLECTION AND PROCESSING OF PERSONAL DATA

15.1. Categories of personal data

Personal data that we collect from you and other persons (e.g., family members, accompanying persons) in connection with the guest journey via our website, apps, and other channels is stored and processed in the aforementioned platform.

This includes the following categories of personal data in particular:

• Data and information provided to us when booking rooms (in particular title, first and last name, address, email address, date of birth, telephone number, language, booking details [date of stay, number of rooms, room category, number of persons covered by the booking, selected additional packages, etc.], credit card information (PCI/DSS-compliant encrypted), date and time of booking [timestamp]; if applicable, expected arrival time, desired bed type and/or other preferences, comments)
• Data and information that is disclosed to us or becomes known to us in connection with your stay at our hotel, in particular for the purpose of fulfilling legal reporting requirements (first and last name, address, date of birth, place of birth, nationality, arrival and departure dates; including a copy of your official ID and signature, room number), in connection with the purchase of additional (paid) services such as restaurant, mini-bar, wellness, excursion offers, sports offers, etc. (in particular first and last name, service item, time of service purchase/provision, or what you inform us about (e.g., preferences)
• Data and information collected in connection with the use of our facilities, the common areas, and your room (i.e., date and time of access)
• Data and information disclosed to us when using the communication function and in the course of communication with you (in particular first and last name or, if applicable, user name; communication channel; communication product/solution; email address and/or telephone number; date and time of communication; status of messages (opened, read, clicked on); content of communication)
• Data provided to us when opening a customer account (in particular first and last name, email address, password [encrypted as hash with salt], date and time of registration [timestamp], status of email verification)
• Data provided to us when logging into the customer account, depending on the type of login you have chosen (email login authentication data [email address, password] or social login authentication data [email address, ID token], date and time of login [timestamp])

This personal data is generally collected from our guests themselves. However, it may also be collected via third parties, for example, if a guest provides us with personal data of other persons/accompanying persons (e.g., family members) or if a booking is made by a third party. If you provide us with personal data of other persons (e.g., family members, accompanying persons), we ask you to ensure that these persons are aware of this privacy policy and only share their personal data with us if you are authorized to do so and this personal data is correct.

We then receive certain data from you via interfaces that the platform has with third-party licensed application programs in connection with the guest journey in the area of essential, hotel-typical operational processes such as booking, billing, guest check-in and check-out processing, guest communication, guest hospitality, lock system management, cleaning management, etc., as well as with the other applications and infrastructure of our hotel.

If a booking or check-in is made using a customer account, the data already stored in the customer account and required for the booking or check-in, such as title, first and last name, address, email address, date of birth, telephone number, language, and registration form data, will be used.

If you make your bookings for your stay at our hotel via a third-party platform, we receive various personal data and information about you from the respective platform operator, which we store and process in the platform we use. This is essentially data and information that we also collect when we receive a booking without a third-party platform, i.e., title, first and last name, address, email address, date of birth, telephone number, language, booking details (date of stay, number of rooms, room category, number of people covered by the booking, selected additional packages, etc., date and time of booking [timestamp]; expected arrival time, bed type, and/or other preferences, comments, if applicable).

15.2. Central storage and linking of your data

The data and information mentioned in section 5.1 above, which we collect in particular in connection with the guest journey, is systematically recorded and linked by us for the purpose of processing your bookings and handling the contractual services. As mentioned above, we use the software-supported hotel management solution and central data management platform for this purpose. Via interfaces that connect the platform with third-party licensed application programs in connection with the guest journey in the area of essential, hotel-typical operational processes such as booking, billing, guest check-in and check-out processing, guest communication, guest hospitality, locking system management, cleaning management, etc., as well as with the other applications and infrastructure of our hotel, your personal data is transferred to the platform.

In order to store and link our guests' personal data, a separate guest ID is created for each guest for the respective hotel or hotel group. Accordingly, we also attempt to identify the guest in our database for each booking. If we have already welcomed you to our hotel or hotel group in the past and we are authorized to do so, we will also compare your personal data with any data we may have stored, in particular to keep our customer data up to date, to enable you to check in efficiently, and to provide you with a stay tailored to your needs.

We base this processing on our legitimate interest in the efficient management and control of our hotel and in customer-friendly and efficient customer data management.

We would also like to point out that, with your consent to this privacy policy, we may also use the above-mentioned personal data and information about you, which we store and link on the platform, with the help of the software-supported hotel management solution we use, to analyze certain personal aspects such as personal preferences, interests, etc. We may use the insights gained from this to tailor your stay to your needs or to make you offers tailored to your personal interests and preferences. Furthermore, such data generally helps us to increase the efficiency of our operational processes and to continuously improve our offerings for our guests.

15.3. Disclosure of personal data

The personal data collected from you as part of the guest journey will, where necessary, be passed on to internal departments or, via appropriate interfaces, to external service providers in Germany and abroad, namely in the context of processing and handling your bookings and in the context of your stay. External service providers to whom your personal data may be forwarded or who have or may have access to it include, in addition to the aforementioned platform, other order processors and service providers (including IT service providers, services for processing reservation data [property management] or in the areas of CRM, payment processing, digital key solutions, etc.).

If, in connection with the use of external service providers, it is necessary to transfer personal data to a country whose level of data protection does not correspond to that of Europe, we contractually ensure the protection of your personal data (e.g., by using the EU standard contractual clauses for the transfer of personal data).

Otherwise, we only pass on your personal data if you have expressly consented to this, if it is necessary for the initiation or execution of a contract, if there is a legal obligation to do so, or if it is necessary to enforce our rights, in particular to enforce claims arising from the contractual relationship or other rights, or if the processing is carried out to safeguard a legitimate interest on our part or on the part of third parties. In rare cases, the disclosure of personal data may be necessary to protect the vital interests of the data subject or another natural person.

15.4. Retention period

Without your consent, we will only store your personal data on the platform beyond your stay to the extent and for as long as it is necessary to comply with our legal obligations or if we have a legitimate interest in doing so (such as, in particular, an interest in providing evidence in the event of claims, documentation of compliance with legal or other requirements, or an interest in non-personal evaluations). In particular, we store contract data in accordance with the statutory retention obligations. Retention obligations that require us to store data arise from regulations on reporting rights, accounting, and tax law. According to these regulations, business communications (including emails), concluded contracts, and booking receipts must be retained for up to 10 years. If we no longer need this data to perform services for you, the data will be blocked. This means that the data may then only be used for accounting and tax purposes.

If we are permitted to process your personal data beyond the initiation and execution of the contract with your consent, we will generally process this data without a specific time limit. We store this data for as long as is necessary to achieve the processing purposes, or until you request us to terminate this processing (and for a short period thereafter so that we can comply with your request), unless we have other legally permissible reasons for further storage of your personal data. We also record the fact that you have asked us not to process your data any further so that we can continue to comply with your request. Consent to storage can be revoked at any time with future effect by email.

If you have a customer account, we will store the data stored in your customer account or linked to it until you delete your customer account, unless and to the extent that this conflicts with any legal retention obligations or legitimate interests on our part.

As of 07/2025