WE TAKE YOUR PERSONAL DATA SERIOUSLY.
Privacy policy
Information on data collection
durch Feine Privathotels e.V.
1 Scope of application
1.1 This information on the collection and further processing of personal data applies to the business activities of the controller:
FEINE PRIVATHOTELS E.V.
c/o SCHLOSSHOTEL BURG SCHLITZ
Burg Schlitz 2
17166 Hohen Demzin
- hereinafter also referred to as ‘FPH’ -
1.2 This includes data collection and further data processing in connection with the use of thewww.feine-privathotels.de. For content from other providers to which reference is made, e.g. via links from the websites on www.feine-privathotels.de, the information on data protection there applies. In particular, these providers are responsible for their own content and the data processing there.
1.3 For area-specific collection and processing of personal data that is not included in this data protection information, we will provide separate information at the appropriate point.
2 Data protection
A data protection officer was not appointed as the legal requirements were not met.
3 Definitions
In the following, we provide interested parties, users or customers (contractual partners) affected by our data processing, hereinafter also referred to as: ‘you’/‘you’/‘your’ or ‘data subject’/‘data subject’, with an overview of the collection and further processing of your personal data by us and inform you about your rights under data protection law. In the statutory wording, the term:
3.1 ‘Controller or controller responsible for the processing’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
3.2 ‘Personal data’ means any information relating to an identified or identifiable natural person (hereinafter ‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
3.3 ‘Processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.3.4 ‘Collection’ means the obtaining of personal data, either with the cooperation of the data subject or with the cooperation of a third party.
3.4 ‘Collecting’ means obtaining personal data, either with the co-operation of the data subject or with the co-operation of a third party.
4 Purposes for which personal data is to be processed and legal basis for processing
We process personal data in accordance with the provisions of the EU General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG) to fulfil contractual obligations or pre-contractual measures (see 4.1 below), on the basis of your consent (see 4.2 below), on the basis of legal requirements (see 4.3 below) or as part of a balancing of interests (see 4.4 below).
4.1 Data processing for the fulfilment of contractual obligations or pre-contractual measures (Art. 6 para. sentence 1 b GDPR)
4.1.1 The processing of personal data is carried out to fulfil the statutory purposes of the controller, Feine Privathotels e.V., an association of private hoteliers who share common values and common passions for the genuine, the passion for culture and joie de vivre as well as the unconditional commitment to individual hospitality and wish to publicise and disseminate them through joint marketing and related services, in particular for the execution of our contracts with you or for the execution of pre-contractual measures that take place upon request and for the execution of your voucher or brochure orders and other orders as well as all activities necessary for the operation and administration of these tasks.
Vouchers can be ordered online via our website. The user of our website has the option of placing the desired order on the website by providing personal data. The personal data to be provided to us and transmitted to us via buttons is determined by the respective input mask used for the booking. The personal data entered by the customer is collected and processed exclusively for internal use for our own purposes. Details provided by the customer to personalise the voucher (‘For’, ‘From’, ‘Dedication’) are only stored for a short time for the preview and as part of the ordering process, but are then deleted. Online orders via our website are processed by a processor. We only arrange for personal data to be passed on to this processor or other processors for the internal processing of personal data that is attributable to us.
4.1.2 In addition, we process personal data for all ancillary activities that are conducive to the main purpose of our services or are necessary for the provision of the services. These are, for example, legal relationships with suppliers, utilities, consultants, authorities and offices.
4.1.3 We provide further information on the storage period/deletion in section 9.
4.2 Data processing based on your consent (Art. 6 para. 1 sentence 1 a GDPR)
4.2.1 Subscription to the newsletter and dispatch with Brevo.
4.2.1.1 On our website, users are given the opportunity to subscribe to our company's newsletter. Which personal data is transmitted to us when ordering the newsletter is determined by the input mask used for this purpose.
4.2.1.2 We inform our customers and business partners at regular intervals by means of this newsletter about offers from our company.
4.2.1.3 The newsletter of our company can only be received by the data subject if (1) the user has a valid e-mail address and (2) the user registers to receive the newsletter. For legal reasons, a confirmation email is sent to the email address entered by the user for the first time for the newsletter subscription using the double opt-in procedure. This confirmation email is used to check whether the owner of the email address as the user has authorised receipt of the newsletter.
4.2.1.4 When registering for the newsletter, we also store the IP address assigned by the Internet service provider (ISP) of the computer system used by the user at the time of registration, as well as the date and time of registration. The collection of this data is necessary in order to be able to trace the (possible) misuse of a user's e-mail address at a later point in time and therefore serves our legal protection.
4.2.1.5 The personal data collected when registering for the newsletter is used exclusively to send our newsletter. Furthermore, subscribers to the newsletter may be informed by e-mail if this is necessary for the operation of the newsletter service or a registration in this regard, as could be the case in the event of changes to the newsletter offer or in the event of a change in technical circumstances. The personal data collected as part of the newsletter service will not be passed on to third parties.
4.2.1.6 The subscription to our newsletter can be cancelled by the user at any time. The consent to the storage of personal data that the user has given us for the newsletter dispatch can be revoked at any time. There is a corresponding link in every newsletter for the purpose of revoking consent. It is also possible to unsubscribe from the newsletter at any time directly on our website or to inform us of this in another way.
4.2.1.7 Our newsletters contain so-called tracking pixels. A tracking pixel is a miniature graphic that is embedded in emails that are sent in HTML format to enable log file recording and log file analysis. This allows the success or failure of online marketing campaigns to be statistically analysed. Based on the embedded tracking pixel, we can recognise whether and when an email was opened by a data subject and which links in the email were accessed by the user. Such personal data collected via the tracking pixels contained in the newsletters are stored and evaluated by us in order to optimise the newsletter dispatch and to adapt the content of future newsletters even better to the interests of the data subject. This personal data is not passed on to third parties. Data subjects are entitled at any time to revoke the separate declaration of consent given in this regard via the double opt-in procedure. After a cancellation, this personal data will be deleted by us. Unsubscribing from the newsletter is automatically interpreted as cancellation.
4.2.1.8 After successful registration, we will automatically send our newsletter by e-mail to the specified address via MailChimp. MailChimp is a service provided by MailChimp, a service in the USA. The use of MailChimp on our website essentially ensures that emails are sent reliably and, above all, that they are less likely to end up in your spam filter. The IT systems used by MailChimp are located in the USA, which means that data is transferred to third parties in a non-secure third country. Different data protection regulations apply in the USA. In terms of data protection law, an adequate level of data protection must be ensured when processing data in a non-EU member state such as the USA. In the case of MailChimp, this is achieved through the so-called ‘Privacy Shield’. According to a decision by the EU Commission, companies on the ‘Privacy Shield List’ can generally be assumed to have an ‘adequate level of data protection’ when processing personal data in these companies. The Rocket Science Group, LLC, which operates MailChimp, is certified in accordance with the requirements of the Privacy Shield. In this respect, the requirements for data protection-compliant handling of the data are met.
4.2.1.8 The legal basis for the collection is Art. 6 para. 1 sentence 1 a GDPR for ordering and delivering the newsletter (consent of the data subject) and Art. 6 para. 1 sentence 1 f GDPR for the collection in accordance with section 4.2.1.7 (legitimate interest of the controller). Our legitimate interest follows from the data collection purposes listed above.
4.2.2 Contact by telephone, contact by e-mail
4.2.2.1 You can contact us by telephone using the telephone number provided on our website. It is also possible to contact us via the email addresses given there.
4.2.2.2 Data collection and further processing is carried out in accordance with Art. 6 para. 1 sentence 1 letter a GDPR on the basis of a voluntarily given consent or, insofar as a pre-contractual or contractual relationship exists, in accordance with Art. 6 para. 1 sentence 1 letter b GDPR.
4.2.2.3 If you contact us by telephone, we may also collect personal data for other purposes that are only communicated to us during the telephone call. If we collect personal data from the caller on the basis of the telephone call, about the processing of which the caller has not yet been informed, we will inform them separately if necessary.
4.2.2.4 If no caller ID suppression is preset with regard to the transmission of the caller's telephone number to our telephone system, our telephone system stores the telephone number and the duration of the call made and - without further personal data - for a maximum period of 7 days.
4.2.2.5 We provide information on the storage period/deletion in Section 9.
4.2.3 CCM19
Our website uses CCM19 to obtain your consent to the storage of certain cookies on your end device or to the use of certain technologies and to document this in compliance with data protection regulations. The provider of this technology is Papoo Software & Media GmbH, Auguststraße 4, 53229 Bonn (hereinafter ‘CCM19’):
When you enter our website, a connection is established to the CCM19 servers in order to obtain your consent and other declarations regarding the use of cookies. CCM19 then stores a cookie in your browser in order to be able to assign the consents given or their revocation to you. The data collected in this way is stored until you ask us to delete it, delete the CCM19 cookie yourself or the purpose for data storage no longer applies. Mandatory statutory retention obligations remain unaffected.
CCM19 is used to obtain the legally required consent for the use of cookies. The legal basis for this is Art. 6 para. 1 sentence 1 lit. c GDPR.
Order processing: We have concluded an order processing contract (AVV) with the above-mentioned provider. This is a contract prescribed by data protection law, which ensures that the provider only processes the personal data of our website visitors in accordance with our instructions and in compliance with the GDPR.
4.3 Datenverarbeitung im Rahmen der Interessenabwägung (Art. 6 Abs. 1 Satz 1 f DS-GVO)
4.3.1 Log files when visiting our website
4.3.1.1 When using our website for information purposes only, i.e. if the user does not make a booking or otherwise provide us with information or does not enter into a contract with us, we may collect data relating to a person via the IP address. For technical reasons, users must use an IP address assigned to them by an access service when they access our websites. The IP address used could allow conclusions to be drawn about the person and make them identifiable to us.
4.3.1.2 When our websites are simply accessed by the programme used by the visitor (user) to display Internet pages (the so-called ‘web browser’ or just ‘browser’), which the user has installed on the end device used by them (computer, smartphone, tablet), the following information is transferred to the web server used by us:
the IP address of the requesting device,
the date and time our web pages were accessed,
the time difference between the requesting host and the web server,
the content of the request or the retrieved file that was transmitted to the user,
the access status (successful transmission, error, etc.),
the amount of data transferred in bytes,
the website from which the user accessed the website,
the browser used by the user, the operating system, the interface, the language of the browser and the version of the browser software.
This information is stored by us on our web server in a so-called log file (in a ‘log file’). This would enable us, at least indirectly, to establish a personal reference, i.e. by determining the owner or company owner of the IP address via information from the access service providing the IP addresses
However, this is only possible if this access service is legally authorised to provide the information and we process the aforementioned log files for the following purposes:
Ensuring a smooth connection to our website,
Ensuring a comfortable use of our website,
Analysing the system security and stability of our website.
4.3.1.3 The legal basis for the collection is Art. 6 para. 1 sentence 1 f GDPR (legitimate interest of the controller). Our legitimate interest follows from the purposes for data collection listed above. Under no circumstances do we use the data collected for the purpose of drawing conclusions about the person of the user, with the exception of cases of intentional disruption to the functionality of our website or cases of misuse of our services. Apart from these exceptions, no personal user profiles are created and the data is not passed on to third parties.
4.3.1.4 To protect against attacks and to ensure proper operation, all access to our website with the full IP address is temporarily and access-protected on a security system (firewall) and automatically analysed for possible risks.
4.3.1.5 We will only attempt to find out who is behind an IP address in the event of unlawful attacks or misuse of our services. Otherwise, this information remains hidden from us and we do not attempt to obtain the data of the owner of an IP address.
4.3.1.6 Log files are stored for a maximum of seven days. Excluded from this short storage period are log files on accesses that are required for the further tracking of attacks and faults.
4.3.2 Our own cookies when you visit our website
4.3.2.1 We use our own cookies when you visit our website. Cookies are small text files that our web server sends to the end device of the user of our websites and that are usually stored on the hard drive of the user's end device. They are not programmes that can penetrate the user's system and cause damage. Although cookies can identify the user's end device, cookies themselves do not store any personal data. Cookies do not cause any damage to the user's end device and do not contain any viruses, Trojans or other malware. Information is stored in a cookie that arises in connection with the specific end device used.
4.3.2.2 The basic purpose of cookies is to evaluate the content of the cookie when the website is accessed again, i.e. to recognise the user and their previous actions. If the cookie is deleted, for example because the user has deleted it or because it has deleted itself, then such recognition is not possible and the cookie cannot be ‘read’.
4.3.2.3 So-called http cookies (also known as ‘browser cookies’) have a corresponding value (content). These cookies are either automatically deleted when the browser is closed (so-called ‘transient’ cookie) or have a programmed expiry date (so-called ‘persistent cookie’).
4.3.2.4 Our web server uses the following cookies, the scope and function of which are explained below:
Session cookie: The value of this cookie is the so-called session ID. A session ID makes it possible to assign several related requests from a user to the user's current ‘session’ in order to make it easier for the user to use the various areas of the website. Our session cookie is automatically deleted when the browser is closed.
No personal identification: With our own cookies, we do not use any technology that links information through cookies with the user's personal data. This means that neither the identity nor, for example, the e-mail address can be determined and the legal basis for the collection is Art. 6 para. 1 sentence 1 f GDPR (legitimate interest of the controller).
Our legitimate interest follows from the purpose of the cookies described above.
4.3.2.5 Users can delete cookies at any time in the security settings of their browser.
4.3.2.6 Most browsers accept cookies automatically. However, users can configure their browser so that no cookies are stored on their computer or a message always appears before a new cookie is created. However, the complete deactivation of cookies may mean that the user cannot use all the functions of our website.
4.3.2.7 By deactivating cookies via the browser settings, the user can therefore ‘object’ to the setting of cookies by us by means of an automated procedure.
4.3.2.8 We provide information on third-party cookies (third-party cookies) in section 3.4.3. These third-party providers may be companies that are behind displayed advertising or social networks, for example if a Like or Share button is provided on the website.
4.3.3 Analysis of our users when visiting the website - third-party cookies
The analysis measures listed below and used by us are carried out on the basis of Art. 6 para. 1 sentence 1 f GDPR.
4.3.3.1Google Analytics.
4.3.3.1.1 This website uses Google Analytics including the Google Analytics advertising functions. This is a web analysis service provided by Google Inc (‘Google’). Google Analytics uses so-called ‘cookies’, text files which are stored on the user's computer and which enable the use of the website by the user to be analysed.
4.3.3.1.2 Google Analytics is used exclusively with activated IP anonymisation (so-called IP masking). This means that the IP address of Google users within member states of the European Union or in other signatory states to the Agreement on the European Economic Area is truncated. Only in exceptional cases, e.g. if there are technical failures in Europe, will the full IP address be transmitted to a Google server in the USA and truncated there. With the IP anonymisation method used by Google, the full IP address is not written to a hard drive at any time, as the entire anonymisation takes place almost immediately after receipt of the request in the working memory. The IP address transmitted by the user's browser is not merged with other Google data.
4.3.3.1.3 On behalf of the operator of this website, Google will use this information to analyse your use of the website on the basis of Article 6(1)(f) GDPR, to compile reports on website activity and to provide the website operator with other services relating to website activity and internet usage, in particular functions for display advertising and Google Analytics reports on performance according to demographic characteristics and interests. Google may also transfer this information to third parties where required to do so by law, or where such third parties process the information on Google's behalf. Under no circumstances will this be personal data. In the Google Analytics reports on performance according to demographic characteristics and interests, data obtained via interest-based advertising from Google and visitor data from third-party providers (such as age groups or interest groups) are used.
4.3.3.1.4 You may refuse the use of cookies by selecting the appropriate settings on your browser, however please note that if you do this you may not be able to use the full functionality of this website.
4.3.3.1.5 You can also prevent the collection of data generated by the cookie and related to your use of the website (including your IP address) to Google and the processing of this data by Google by downloading and installing the browser plugin available at the following link: Download and install the Google browser plugin
4.3.3.1.6 You can also prevent Google Analytics from collecting data by clicking on the following link. An opt-out cookie will be set to prevent the future collection of your data when you visit this website: Deactivate Google Analytics.
4.4.3.1.7 Google LLC , USA is certified in accordance with the Privacy Shield requirements Further information on terms of use and data protection information can be found at https://www.google.de/analytics/terms/de.html or under https://www.google.de/intl/de/policies/ and https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active .
We would like to point out that on this website Google Analytics has been extended by the code ‘anonymizeIp’ in order to ensure anonymised collection of IP addresses (so-called IP masking).
4.4.3.1.8 We provide information on the storage period in Section 9.
4.3.3.3 With the analysis measures used, we want to ensure that our website is designed to meet requirements and is continuously optimised. On the other hand, we use the analysis measures to statistically record the use of our website and to evaluate it for the purpose of optimising our offer. These interests are to be regarded as legitimate within the meaning of the aforementioned provision.
4.3.3.4 If the user does not wish to participate in the analysis, he can object to the analysis measure under 4.3.3.1.4, 4.3.3.1.5 and 4.3.3.1.6 and determine his status.
4.3.4 CCM19
Our website uses CCM19 to obtain your consent to the storage of certain cookies on your end device or to the use of certain technologies and to document this in compliance with data protection regulations. The provider of this technology is Papoo Software & Media GmbH, Auguststraße 4, 53229 Bonn (hereinafter referred to as ‘CCM19’):
When you enter our website, a connection is established to the CCM19 servers in order to obtain your consent and other declarations regarding the use of cookies. CCM19 then stores a cookie in your browser in order to be able to assign the consents given or their revocation to you. The data collected in this way is stored until you ask us to delete it, delete the CCM19 cookie yourself or the purpose for data storage no longer applies. Mandatory statutory retention obligations remain unaffected.
CCM19 is used to obtain the legally required consent for the use of cookies. The legal basis for this is Art. 6 para. 1 sentence 1 lit. c GDPR.
Order processing: We have concluded an order processing contract (AVV) with the above-mentioned provider. This is a contract prescribed by data protection law, which ensures that the provider only processes the personal data of our website visitors in accordance with our instructions and in compliance with the GDPR.
4.3.5 Social-Media-Plugins
4.3.5.1 Facebook and Instagram
a) We currently use the following social media plug-ins: Facebook and Instagram. We use the so-called two-click solution. This means that when you visit our website, no personal data is initially passed on to the providers of the plug-ins. You can recognise the provider of the plug-in by the marking on the box above its initial letter or the logo. We give you the option of communicating directly with the provider of the plug-in via the button. Only if you click on the marked field and thereby activate it will the plug-in provider receive the information that you have accessed the corresponding website of our online offering. In addition, the data mentioned under 4.3.4.1 c) of this information is transmitted. In the case of Facebook and Instagram, according to the provider in Germany, the IP address is anonymised immediately after collection. By activating the plug-in, your personal data is therefore transmitted to the plug-in provider and stored there (including by US providers in the USA). As the plug-in provider collects data via cookies in particular, we recommend that you delete all cookies via your browser's security settings before clicking on the greyed-out box.
b) We have no influence on the data collected and data processing procedures, nor are we aware of the full scope of data collection, the purposes of processing or the storage periods. We also have no information on the deletion of the data collected by the plug-in provider.
c.) The plug-in provider stores the data collected about you as usage profiles and uses these for the purposes of advertising, market research and/or customising its website. Such an evaluation is carried out in particular (even for users who are not logged in) to display customised advertising and to inform other users of the social network about your activities on our website. You have the right to object to the creation of these user profiles, whereby you must contact the respective plug-in provider to exercise this right. We offer you the opportunity to interact with the social networks and other users via the plug-ins so that we can improve our offering and make it more interesting for you as a user.
The legal basis for the use of the plug-ins is Art. 6 para. 1 sentence 1 lit. f GDPR.
d) Data is passed on regardless of whether you have an account with the plug-in provider and are logged in there. If you are logged in with the plug-in provider, your data collected by us will be assigned directly to your existing account with the plug-in provider. If you press the activated button and, for example, link the page, the plug-in provider also saves this information in your user account and shares it publicly with your contacts. We recommend that you log out regularly after using a social network, but especially before activating the button, as this will prevent you from being assigned to your profile with the plug-in provider. You can log out of your Facebook account here and Instagram here.
e) Further information on the purpose and scope of data collection and its processing by the plug-in provider can be found in the data protection information of these providers. There you will also find further information on your rights in this regard and setting options to protect your privacy.
f) Facebook and Instagram share infrastructure, systems and technology with other Facebook companies. The addresses of the Facebook plug-in provider and the URL with their data protection information can be found at:
Facebook Inc., 1601 S California Ave, Palo Alto, California 94304, USA und Facebook Ireland Ltd, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Irland;
http://www.facebook.com/policy.php; Further information on data collection:
http://www.facebook.com/help/186325668085084, http://www.facebook.com/about/privacy/your-info-on-other#applications and http://www.facebook.com/about/privacy/your-info#everyoneinfo.
You can find the Instagram data protection information at
https://help.instagram.com/519522125107875?helpref=page_content
Facebook USA has submitted to the EU-US Privacy Shield, https://www.privacyshield.gov/EU-US-Framework.
4.3.5.2 Any redirection of the user to providers of other social media services such as YouTube, LinkedIn etc. takes place via a link, so that data about the user's visit to our websites (e.g. the log files described) or data available on the user's end device (e.g. cookie information) is only transferred to the respective providers when the link is consciously used.
4.3.5.3 As the legal basis for the processing of data by Facebook and Instagram, the respective user has given their consent to the operator Facebook. We do not collect any data from the user when using this link.
4.3.6 Request for brochures and advertising letters
4.3.6.1 We inform our customers, interested parties and business partners about us and our member companies at regular intervals by means of our brochures and other promotional letters, which we send by post.
4.3.6.2 Our website therefore offers users the opportunity to subscribe to our brochure or brochures about our member companies. Subscriptions can of course also be ordered by telephone or email. Which personal data is transmitted to us when ordering the brochures can be seen from the input mask used for this purpose on our website.
4.3.6.3 The legal basis for the collection is Art. 6 para. 1 sentence 1 f GDPR (legitimate interest of the controller). Our legitimate interest follows from the purpose described above.
5 Recipients or categories of recipients of the personal data
5.1 The personal data of the data subject will only be disclosed or transferred to third parties in cases other than those described in this information if:the data subject has given their express consent in accordance with Art. 6 para. 1 sentence 1 letter a GDPR,
the disclosure pursuant to Art. 6 para. 1 sentence 1 letter f GDPR is necessary for the assertion, exercise or defence of legal claims and there is no reason to assume that the data subject has an overriding interest worthy of protection in not disclosing their data,
there is a legal obligation for the disclosure pursuant to Art. 6 para. 1 sentence 1 letter c GDPR, and
this disclosure is legally permissible and necessary for the processing of contractual relationships with the data subject in accordance with Art. 6 para. 1 sentence 1 letter b GDPR.
5.2 Within our company, access to the data of the data subject is granted to those persons who need it to fulfil our contractual and legal obligations. Processors, service providers and vicarious agents employed by us may also receive data for these purposes if they comply with our instructions under data protection law.
5.3 We use processors in particular for our online voucher orders and for the operation, maintenance and care of our IT systems (e.g. support services, data centre services), web hosters and as far as already mentioned elsewhere in this information.
5.4 Recipient categories of personal data outside our company and the processors may be, for example: Payment service providers, such as Klarna and E-Guma, data destruction services, receivables processors, tax consultants, etc.
5.5 If chargeable services are ordered via our website (online order hotel voucher), the data collected for this after the input window about the purchase will be passed on to E-Guma voucher system and to Klarna (formerly Sofort Überweisung) for processing the payment. E-Guma's data protection information can be viewed here. Klarna's data protection information can be viewed here. The payment processing services themselves are ‘responsible’ for data processing.
6 Categories of personal data processed
Which personal data is processed in detail and how it is used depends largely on the services used or agreed. Therefore, not all parts of the following information will apply to the data subject. The categories of data to be processed are or may be:Personal identification data, e.g.: Name, title, (private and professional) address, previous addresses, (private, professional) telephone number, fax number, (private, professional) e-mail addresses, (private, professional) SMS or messenger service addresses.
Electronic identification data, e.g: IP addresses, cookies, connection times, electronic signature, mail headers, log files..
Financial identification data: Bank identification and bank account number (IBAN/BIC).
Inventory data (contract data): personal data required for the establishment, content or amendment of a contractual relationship between us and our customers.
Usage data: Log files on the usage actions of customers on the electronic administration interfaces provided for their customer and system accesses.
Billing data.
7 Data sources
7.1 We generally collect personal data directly from the data subjects who provide it to us for our purposes, i.e. who make it available to us with their co-operation. In addition, we process - to the extent necessary for the provision of our services - personal data that we have legitimately received from other companies (e.g. for the execution of orders and fulfilment of contracts or on the basis of consent given by you).
7.2 Exceptionally, we use publicly accessible sources in the context of contract initiation and primarily use Internet search engines to verify the identification details of our contractual partners before or after the contract is established.
8 Intended third country transfer
8.1 Our data processing is carried out on servers located in Germany.
8.2 There is no intention to transfer personal data to a third country (a country outside the European Union or the European Economic Area), unless already described here.
8.3 Data will only be transferred to a third country if there is an adequacy decision by the European Commission (e.g. Switzerland) or if we have suitable guarantees including binding internal data protection information (e.g. Privacy Shield, USA). We will refer to the appropriate or adequate safeguards and indicate how to obtain a copy of them or where they are available.
8.4 We are permitted to transfer data to a third country without the requirements set out in the previous paragraph if the statutory exceptions apply, in particular if the data subject has given their express consent or if the transfer is necessary for the fulfilment of a contract between the data subject and us or for the implementation of pre-contractual measures at the request of the data subject or if the transfer is necessary for the conclusion or fulfilment of a contract concluded by us with another natural or legal person in the interest of the data subject.
9 Storage period
9.1 We store the personal data collected by us for as long as is necessary for our purposes or the data subject has consented to storage beyond this in accordance with the provisions of the data protection information.
9.2 In the provisions of this data protection information, we have already provided information on the storage period or the criteria for determining this period in various places for specific areas.
9.3 The personal data collected for the purposes of a contract will also be stored until the expiry of the statutory retention obligations arising for our activities. They will then be deleted unless processing is still required to fulfil a legal obligation to which we are subject.
9.4 The relevant retention and documentation obligations under tax and commercial law provide for a retention period of six or ten years for the commercial documents specified in Sections 238 and 257 of the German Commercial Code. Section 147 of the German Fiscal Code contains corresponding provisions for the retention of the documents mentioned therein
9.5 The expiry of the retention period does not automatically result in a deletion obligation, as there may still be a legitimate interest in archiving, e.g. in order to be able to provide information in the event of legal disputes. This also applies to cases of preservation of evidence within the framework of the statute of limitations. According to §§ 195 ff. of the German Civil Code (BGB), these limitation periods can be up to 30 years, whereby the regular limitation period is three years.
10 Data subject rights
Data subjects affected by data processing have the right toin accordance with Art. 15 GDPR, to request information about the processing of personal data with the information from Art. 15 para. 1 and 2 GDPR,
in accordance with Art. 16 GDPR, to request the rectification of inaccurate personal data concerning you,
in accordance with Art. 17 GDPR, to demand that personal data concerning them be deleted immediately, and we are obliged to delete personal data immediately if one of the reasons stated in the regulation applies,
in accordance with Art. 18 GDPR, to demand restricted processing if one of the reasons stated in the provision applies,
in accordance with Art. 21 GDPR, to object at any time to the processing of personal data concerning them for reasons arising from their particular situation, if the processing is based on our legitimate interests. We will then no longer process the personal data unless we can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims,
in accordance with Art. 20 GDPR, to receive the personal data concerning them, which they have provided to us, in a structured, commonly used and machine-readable format and to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where the processing is based on consent or on a contract and the processing is carried out by automated means.
11. Right to object in the event of a balancing of interests
11.1 Data subjects have the right to object to the processing of their personal data on grounds relating to their particular situation. The prerequisite for this is that the data processing is carried out on the basis of our balancing of interests in accordance with Art. 6 para. 1 letter f GDPR.
11.2 These cases are described in this data protection information.
In the event of an objection, we will no longer process the personal data. Unless we can demonstrate compelling legitimate grounds for the processing of this data which override the interests, rights and freedoms of the data subject. This is also the case if the personal data serves the assertion, exercise or defence of legal claims.
11.3 The objection can be made informally with the subject ‘Objection’, stating the name, address and date of birth of the data subject, and should be addressed to:
FEINE PRIVATHOTELS E.V.
c/o SCHLOSSHOTEL BURG SCHLITZ
Burg Schlitz 2
17166 Hohen Demzin
11.4 Where technically feasible, we provide the data subject with the option of exercising the objection by means of an automated procedure that uses technical specifications. This can be done, for example, via our website or via functions of the Internet browser used by the user of our website. These cases are also described in this data protection information.
12 Revocability of consent
12.1 If the data subject has given us consent to process personal data for specific purposes, the processing of this data is lawful. The data subject can revoke their consent to us at any time. This also applies to the withdrawal of declarations of consent given to us by the data subject before the GDPR came into force, i.e. before 25 May 2018. The withdrawal of consent does not affect the lawfulness of the data processed prior to the withdrawal.
12.2 The revocation of consent can be made informally with the subject ‘Revocation’, stating the name, address and date of birth, and should be addressed to:
FEINE PRIVATHOTELS E.V.
c/o SCHLOSSHOTEL BURG SCHLITZ
Burg Schlitz 2
17166 Hohen Demzin
12.3 As far as technically possible, we give the data subject the opportunity to declare the cancellation as easily as the consent was declared by him.
13 Right to lodge a complaint
Affected persons have the right to lodge a complaint with a supervisory authority about our handling of their personal data.
14 Commitment to provide
As part of our business relationship, users, interested parties or future customers must provide the personal data that is required for the establishment and execution of a business relationship and the fulfilment of the associated contractual obligations or that we are legally obliged to collect. Without this data, we will generally have to refuse to conclude the contract or execute the order or will no longer be able to fulfil an existing contract and may have to terminate it. An anonymous conclusion of a contract is not intended, nor is the anonymous brokering of contracts with third parties.
15 Automated decision making
In principle, we do not use fully automated decision-making in accordance with Art. 22 GDPR to establish and conduct the business relationship. Should we use these procedures in individual cases, we will inform the data subject separately if this is required by law.
16 Data security
16.1 We use the widely used SSL (Secure Socket Layer) method in conjunction with the highest level of encryption supported by the user's browser to protect communication with us when visiting our website. As a rule, this is 256-bit encryption. If the user's browser does not support 256-bit encryption, we use 128-bit v3 technology instead. The user can recognise whether an individual page of our website is transmitted in encrypted form by the closed display of the key or lock symbol in the status bar of their browser.
16.4 We also use suitable technical and organisational security measures to protect the personal data of the data subject that we have collected against accidental or intentional manipulation, partial or complete loss, destruction or unauthorised access by third parties. Our security measures are continuously improved in line with technological developments.
