Living Hotels Newsletter Serviced Apartments

PRIVACY POLICY

General information about the processing of your data

We are obliged by law to inform you about the processing of your personal data (hereinafter referred to as “data”) when you use our website. This data protection notice informs you about the details of the processing of your data and about your legal rights in this regard. For terms such as “personal data” and “processing”, the legal definitions pursuant to Art. 4 GDPR apply. We reserve the right to adapt the privacy policy with future effect, in particular in the event of further development of the website, the use of new technologies or changes to the legal bases or the corresponding case law. We recommend that you read this privacy policy from time to time and take a printout or a copy for your records.

Scope

This privacy policy applies to all pages of www.living-hotels.com. It does not cover any linked websites of other providers.

Controller

The following party is known as the controller under data protection law and therefore responsible for the processing of personal data within the scope of this privacy policy:

Derag Livinghotels AG + Co. KG
Hotelzentrale
Fraunhoferstraße 2
80469 Munich
Phone: +49 (0)89-23701-250
Email: info@living-hotels.com

Questions about data protection

If you have any questions about data protection with regard to our company or our website, you can contact our data protection officer:

SPIRIT LEGAL Fuhrmann Hense Partnership of Lawyers

Attorney-at-law and data protection officer

Peter Hense

Postal address:

Data protection officer

c/o Derag Livinghotels AG + Co. KG
Hotelzentrale
Fraunhoferstraße 2
80469 Munich

Contact via encrypted online form:

Contact data protection officer

 

If you have any questions regarding our Vienna hotels, you can contact the data protection officer we have appointed for these hotels:

Clever data GmbH
Data protection officer: DI Kurt Berthold
Postal address:
c/o Derag Livinghotels AG + Co. KG + Co. KG, Fraunhoferstraße 2, 80469 Munich
Contact data protection officer

Security

We have taken comprehensive technical and organisational precautions to protect your personal data from unauthorised access, abuse, loss and other external disruption. To this end, we regularly review our security measures and adapt them to the latest standards.

Your rights

You have the following rights with regard to the personal data concerning you that you can assert against us:

  • Right of access: You can request access to the personal data concerning you which we process, as set forth in Art. 15 GDPR.
  • Right to rectification: If the information concerning you is not (or no longer) correct, you can request its rectification in accordance with Art. 16 GDPR. If your data is incomplete, you can request that it be completed.
  • Right to erasure: You may request the erasure of your personal data in accordance with Art. 17 GDPR.
  • Right to restriction of processing: Pursuant to Art. 18 GDPR, you have the right to demand that the processing of your personal data be restricted.
  • Right to object to processing: Pursuant to Art. 21(1) GDPR, you have the right to object at any time, for reasons arising from your particular situation, to the processing of your personal data which occurs based on Art. 6(1) Sentence 1(e) or (f) GDPR. If you object, we will not process your data further, unless we can prove compelling legitimate reasons for the processing which override your interests, rights and freedoms. Processing will also continue if the processing serves to establish and exercise or defend against legal claims (Art. 21(1) GDPR). Furthermore, under Art. 21(2) GDPR you have the right to object at any time to the processing of your personal data for direct marketing purposes, which includes profiling to the extent that this is related to such direct marketing. In this privacy policy, we draw your attention to this right to object when describing each processing operation.
  • Right to withdraw your consent: If you have given your consent for processing, you have a right to withdraw that consent under Art. 7(3) GDPR.
  • Right to data portability: You have the right to receive the personal data you have given us in a structured, commonly used, machine-readable format (“data portability”) and the right to transfer this data to another controller, if the prerequisites of Art. 20(1)(a), (b) GDPR are fulfilled (Art. 20 GDPR).

You can assert your rights by informing us using the contact details specified under “Controller” above or by contacting the data protection officer designated by us.

If you believe that the processing of your personal data violates data protection law, then under Art. 77 GDPR you also have the right to lodge a complaint with a data protection supervisory authority of your choice. This also includes the data protection supervisory authority responsible for the controller:

Bayerisches Landesamt für Datenschutzaufsicht, Promenade 18, 91522 Ansbach, postal address: Postfach 1349, 91504 Ansbach, phone: +49981/180093-0, email: poststelle@lda.bayern.de, https://www.lda.bayern.de.

DialogShift

If you have any questions about our hotels, accommodation offers, leisure offers, your booking, or our company, you can contact us via the DialogShift chat window which appears (provider: DialogShift GmbH, Rheinsberger Straße 76/77, 10115 Berlin) and send us a message. You will be told whether someone is currently online to reply to you immediately. If this is not the case, you can still leave a message. Both your contact details (such as first name, last name and email address) and the information provided via the chat will be processed. DialogShift uses cookies and similar tracking technologies to enable you to use the chat. Some of the data mentioned under “Using our website” is transmitted to DialogShift. We use DialogShift to communicate with you better and more easily. As soon as processing is no longer necessary, we will erase the data generated in this context or, if statutory retention obligations apply, restrict processing of the data accordingly. The legal basis of this processing is your consent under Art. 6(1) Sentence 1(a) GDPR. For further information about data protection and how long your data is stored, please refer to: https://www.dialogshift.com/datenschutz

You can withdraw your consent to the processing at any time by moving the slider back for the specific third-party provider in the consent tool privacy settings. Please note that this will not affect the lawfulness of the processing before your withdrawal.

Using our website

In principle, you can use our website for purely informational purposes without disclosing your identity. When you access the individual pages of the website in this sense, this only results in access data being transferred to our web hosting service so that the website can be displayed to you. This involves the following data being processed:

  • Browser type / browser version
  • Operating system used
  • Language and version of the browser software
  • Date and time of access
  • Hostname of the accessing device
  • IP address
  • Content of the request (specific page)
  • Access status / HTTP status code
  • Websites accessed via the website
  • Referrer URL (website visited before)
  • Notification of whether the access was a success and
  • Volume of data transferred.

It is necessary for this data to be processed temporarily in order to make it technically possible for you to visit our website and to deliver the website to your device. The access data is not used to identify individual users and is not combined with other data sources. The data is also stored in log files, in order to ensure the functionality of the website and the security of the information technology systems. The legal basis for the processing is Art. 6(1) Sentence 1(f) GDPR. We have legitimate interests in ensuring the functionality, integrity and security of the website. Storing access data in log files, in particular the IP address, for a longer period of time enables us to detect and prevent misuse. This includes, for example, defending against requests that would overload the service as well as against bots. The access data will be erased as soon as it is no longer required for achieving the purpose of its processing. In the case of recording the data to provide the website, this is the case when you end your visit to the website. The log data is generally stored directly and in such a way that it can only be accessed by administrators, and it is erased after seven days at the latest. After that, it is only indirectly available by reconstructing backups, and is finally erased after a maximum of four weeks.

You may object to the processing. Your right of objection exists if you have reasons arising from your particular situation. You may send us your objection using the contact details specified under “Controller” above.

Device information

In addition to the aforementioned access data, technologies are used when you use the website which store information in your device (e.g. desktop PC, laptop, tablet or smartphone) or access information which is already stored on your device. These technologies may include, for example, cookies, pixels, local storage, session storage, IndexedDB or browser fingerprinting technologies. These technologies can be used to recognise you across devices and websites.

According to Sect. 25(1) of the German Telecommunications and Telemedia Data Protection Act (TTDSG), we generally require your consent for the use of these technologies. According to Sect. 25(2) TTDSG, this is only not required if the technologies either enable the transmission of a message via a public telecommunications network or if they are absolutely necessary to provide a telemedia service that you have expressly requested:

Technically necessary device information

Some elements of our website serve the sole purpose of transmitting a message (Sect. (2) No. 1 TTDSG) or are absolutely necessary to provide you with our website or individual features thereof (Sect. 25(2) No. 2 TTDSG):

  • Language settings
  • User preferences
  • Items in shopping basket
  • Login information.

The elements are erased after storage is no longer required.

You can prevent processing by adjusting your browser settings accordingly. For elements whose storage duration is not limited to the session, you can adjust your browser settings so that the elements are erased after your session has expired.

Technically non-essential device information

Our website also uses elements that are not technically necessary. We only use these technologies with your consent in accordance with legal requirements. Information about the individual technologies and features can be found in our “privacy settings” as well as in the following information, which is sorted according to the individual features:

“consentmanager” consent management platform

To make it easier for us to ask for your consent to the use of cookies or other tracking technologies so that we can process your device information and personal data when you visit our website, we use the consent tool “consentmanager”. consentmanager gives you the opportunity to accept or decline the processing of your device information and personal data using cookies or other tracking technologies for the purposes listed in consentmanager. Such processing purposes may include the integration of external elements, integration of streamed content, statistical analysis, reach measurement, personalised product recommendations, or personalised advertising. You can use consentmanager to grant or refuse your consent for all processing purposes, or to grant or refuse your consent for individual purposes or third-party providers. You can change your settings again later on. The purpose of integrating consentmanager is to allow users of our website to decide whether to allow cookies and similar technologies, and to offer them the opportunity to change settings that they have already made when they continue to use our website. When consentmanager is used, we process personal data as well as information from the devices used. Your data will also be sent to consentmanager (consentmanager GmbH, Eppendorfer Weg 183, 20253 Hamburg). The information about the settings you have made is also stored on your device. The legal basis for the processing is Art. 6(1) Sentence 1(c) GDPR in conjunction with Art. 7(1) GDPR, insofar as the processing serves to fulfil the legally standardised obligations to provide evidence for the granting of consent. Otherwise, Art. 6(1) Sentence 1(f) GDPR is the relevant legal basis. Our legitimate interests in this processing lie in the storage of users’ settings and preferences with regard to the use of cookies and the evaluation of consent rates. Your user settings will then be saved again for this period, unless you delete the information about your user settings yourself beforehand in your device settings.

You may object to the processing, insofar as processing is based on Art. 6(1) Sentence 1(f) GDPR. Your right of objection exists if you have reasons arising from your particular situation. You may send us your objection using the contact details specified under “Controller” above.

Contacting our company

When you contact our company, e.g. by email or using the contact form on the website, we will process the personal data you provide so that we can respond to your request. In order for us to process enquiries submitted via the contact form, it is essential that you provide a first and last name as well as a valid email address. At the time the message is sent to us, your IP address and the date and time of registration will be processed. The legal basis for this processing is Art. 6(1) Sentence 1(f) GDPR and Art. 6(1) Sentence 1(b) GDPR, if the contact is made with the intention of concluding a contract. If the request is aimed at concluding a contract, it is necessary for you to provide your data. If you do not provide your data, it will not be possible to conclude/execute a contract and process the request. The other data processed during the submission process serves to prevent any misuse of the contact form and to ensure the security of our information technology systems. As soon as processing is no longer necessary, we erase the data generated here – usually two years after the end of the communication – or, if statutory retention obligations apply, restrict processing of the data.

You may object to the processing. Your right of objection exists if you have reasons arising from your particular situation. You may send us your objection using the contact details specified under “Controller” above.

Processing for contractual purposes

We process your personal data if and to the extent necessary for the initiation, creation, execution and/or termination of a legal transaction with our company. The legal basis for this results from Art. 6(1) Sentence 1(b) GDPR. It is necessary for you to provide your data in order to conclude the contract and you are contractually obliged to provide your data. If you do not provide your data, it will not be possible to conclude and/or execute a contract. Once the purpose has been achieved (e.g. contract processing), the personal data will be blocked for further processing or erased, unless we are entitled to keep processing the data on the basis of a consent granted by you (e.g. consent to the processing of your email address for sending promotional emails), a contractual agreement, a statutory authorisation (e.g. authorisation to send direct marketing) or on the basis of justified interests (e.g. retention for asserting claims).

Your personal data will be passed on to third parties if

  • it is necessary for the creation, execution or termination of legal transactions with our company (e.g. when transmitting data to a payment service provider), in accordance with Art. 6(1) Sentence 1(b) GDPR, or
  • a subcontractor or party we use to perform our obligations, which we use exclusively within the framework of providing the offers or services requested by you, needs this data (unless you are expressly informed otherwise, such auxiliary parties are only entitled to process the data insofar as this is necessary for the provision of the offer or service), or
  • there is an enforceable official order (Art. 6(1) Sentence 1(c) GDPR), or
  • there is an enforceable court order (Art. 6(1) Sentence 1(c) GDPR), or
  • we are legally obliged to do so (Art. 6(1) Sentence 1(c) GDPR), or
  • the processing is necessary in order to protect the vital interests of the data subject or another natural person (Art. 6(1) Sentence 1(d) GDPR), or
  • this is necessary for the performance of a task carried out in the public interest or in the exercise of official authority (Art. 6(1) Sentence 1(e) GDPR), or
  • we can cite our overriding legitimate interests, or those of a third party, in the disclosure (Art. 6(1) Sentence 1(f) GDPR).

Your personal data will not be transmitted to other persons, companies or bodies unless you have effectively consented to such transmission. The legal basis for the processing is then Art. 6(1) Sentence 1(a) GDPR. In this privacy policy, we draw your attention to the respective recipients when describing each processing operation.

Application process

As part of the application process, we process your contact details such as your name, address, email address, telephone number(s), data from your application documents, in particular certificates, CV, cover letter, date of birth and gender, and, if applicable, special categories of personal data such as marital status and degree of disability. The purpose of this processing is to check your suitability for a position in our company and to conduct the application process. In the case of an (unsolicited) application by email, we also process metadata from your email, such as the date and time, in order to conduct the application process. The legal basis for this processing is Art. 6(1) Sentence 1(b) GDPR in conjunction with Sect. 26(1) of the German Federal Data Protection Act (BDSG), insofar as the data processing is necessary for hiring you and for carrying out the employment relationship. If we process special categories of personal data, the legal basis is Art. 9(2)(b) GDPR in conjunction with Sect. 26(3) BDSG. The provision of your data is necessary and obligatory in order to conclude and execute the contract. You will not be able to apply for a job with us if you do not provide your data. We will store your data for as long as necessary in connection with the employment relationship. As a rule, we will erase your personal data as soon as it is no longer required for the purposes mentioned above and unless otherwise required by law. In particular, we store personal data for as long as we need it to establish legal claims or to defend against claims. Accordingly, in the event of a rejection we erase the data of applicants six months after sending the rejection notification. The legal basis for the processing for legal enforcement purposes is Art. 6(1) Sentence 1(b) GDPR in conjunction with Sect. 26(1) BDSG. If we process special categories of personal data, in particular data concerning disabilities, the legal basis is Art. 9(2)(b) GDPR in conjunction with Sect. 26(3) BDSG or Art. 9(2)(f) GDPR. If you accept a job offer, we will store your data for the subsequent employment relationship within our employee data management system. Further details are available in the data protection information for employees.

If we do not have a vacancy but are in principle interested in working with you, then with your consent we will process your application documents in our talent pool so that we can contact you in the event of a vacancy. We will contact you separately to obtain your consent. The legal basis is your consent pursuant to Art. 6(1) Sentence 1(a) GDPR. Your data will be erased from the talent pool after two years, unless you have consented to a longer storage period.

You can withdraw your consent to the processing at any time by sending us a message using the contact details provided under “Controller”. Please note that this will not affect the lawfulness of the processing before your withdrawal.

Booking and online shop

If you wish to place an order or purchase products in our online shop, it is necessary and obligatory for the initiation and conclusion of the contract that you provide personal data such as your first and last name, your address and your email address. The mandatory data required for booking, order or contract processing is marked as such; if you provide any further information, you do so voluntarily. We will process your data for booking or order processing and will, in particular, forward payment data to your chosen payment service provider or our main bank for this purpose. When you make your booking or a booking request, the booking information is also transmitted to external operators of internet booking engines (e.g. TourOnline AG, Borsigstraße 26, 73249, Wernau; “DIRS 21”) for purposes of contract performance or preparation. The legal basis for the data processing is Art. 6(1) Sentence 1(b) GDPR. The provision of your data is necessary and obligatory in order to conclude and execute the contract. If you do not provide your data, it will not be possible to conclude and/or execute a contract. To prevent unauthorised third parties from accessing your personal data, the order process on the website is encrypted using SSL technology. If it is necessary to send goods, we will pass your data on to shipping service providers.

You can voluntarily create a customer account in which we store your data for future bookings or orders. When you create a customer account, the data you enter is processed. Once you have successfully registered, you can edit or erase all further data independently in your customer account. For more information, please refer to the “Customer account” section.

As soon as storage is no longer necessary, we erase the data generated in this context or, if statutory retention obligations apply, restrict processing of the data. Due to mandatory commercial and tax regulations, we are obliged to keep your address, payment and order data for a period of up to ten years. Two years after termination of the contract, we will restrict the processing and reduce the processing to compliance with our legal obligations.

Customer account

To create a customer account independently of a booking or order via our online shop, you will need to register by providing the following details:

  • Email address and
  • Password chosen by you
  • First and last name

When you register, your IP address and the date and time of registration will also be processed.

The following functions are available to you in the login area:

  • Edit your profile data
  • View past orders/bookings
  • Manage, modify or terminate your newsletter subscription.

If you use the login area of the website, e.g. to edit your profile data or to view your previous orders, we also process the data about your person required for the initiation or performance of the contract, in particular address data and information about the payment method. The legal basis for the processing is Art. 6(1) Sentence 1(b) GDPR. The provision of your data is necessary and obligatory in order to conclude and execute the contract. If you do not provide your data, you will not be able to register or use the login area, which means that it will not be possible to conclude and/or execute a contract.

Your data will be erased as soon as it is no longer required for the processing purpose. This is the case for the data collected during the registration process if the registration on the website is cancelled or modified. Otherwise, we will erase your data after erasing the customer account, unless we are obliged to retain the data due to legal regulations. In such cases we restrict the processing. Due to mandatory commercial and tax regulations, we are obliged to keep your address, payment and order data for a period of up to ten years.

Processing of personal data under Sect. 30 of the Federal Act on Registration (BMG)

Under Sect.  30 of the German Federal Act on Registration (BMG), commercial providers of accommodation, such as hotels in particular, are obliged to collect the following data from guests on the day of their arrival and to have the registration form signed by hand:

  • Date of arrival and planned departure
  • First and last name
  • Date of birth
  • Nationality
  • Address
  • Number of persons travelling together and their nationalities, in the cases of Sect. 29(2), second and third sentences of the German Federal Act on Registration (BMG)
  • In the case of foreign travellers, serial number of the recognised and valid passport or passport substitute.
  • If applicable, further data for collecting tourist and resort taxes.

We are obliged to keep registration forms available for the collection, processing and forwarding of this data within the framework of the BMG. The legal basis for the processing results from Art. 6(1) Sentence 1(c) GDPR in conjunction with Art. 30(1) BMG. You are required by law to provide your data. If you do not provide your data, it will not be possible to conclude or execute a contract. We will erase your registration data after 15 months at the latest.

Email marketing

Advertising to existing customers

We reserve the right to use the email address you provide when ordering in accordance with the statutory provisions in order to send you the following content by email at the time of or after your order, unless you have already objected to this processing of your email address:

  • Interesting aspects from our portfolio, especially regarding your stay in one of our hotels, leisure opportunities as well as special offers / temporary booking offers
  • Sending our catalogue
  • Invitations to events organised by our company to present our properties and offers
  • Information on how to get to the hotel, especially by public transport.

The legal basis of the data processing is Art. 6(1) Sentence 1(f) GDPR. Our legitimate interests in the processing described lie in enhancing and optimising our services, conducting direct marketing and ensuring customer satisfaction. We will erase your data when you stop using the service, but no later than three years after termination of the contract. We use an external email marketing service to send the emails. For more information on this service provider, please refer to the “Email marketing service” section.

We would like to point out that you can object to receiving direct marketing and to the processing of the data for direct marketing purposes at any time without incurring any costs other than the transmission costs according to the basic rates. Here you have a general right of objection without giving reasons (Art. 21(2) GDPR). To do this, click on the unsubscribe link in the relevant email or send us your objection to the contact details provided under “Controller”.  

Newsletter

You have the possibility to subscribe to our email newsletter on the website, which we use to inform you regularly about the following content:

  • Interesting aspects from our portfolio, especially regarding your stay in one of our hotels, leisure opportunities as well as special offers / temporary booking offers
  • Sending our catalogue
  • Invitations to events organised by our company to present our properties and offers
  • Offers, activities and events from our partners, provided you have given your consent to this
  • Information on how to get to the hotel, especially by public transport.

In order to receive the newsletter, you will need to provide your name or a pseudonym as well as a valid email address. We process the email address for the purpose of sending our email newsletter and for as long as you have subscribed to the newsletter. We use an external email marketing service to send the emails. For more information on this service provider, please refer to the “Email marketing service” section. The legal basis for the processing is Art. 6(1) Sentence 1(a) GDPR. We will process your data in connection with the sending of the newsletter until you withdraw your consent.

You can withdraw your consent to the processing of your email address for the purpose of sending you the newsletter at any time, either by clicking directly on the unsubscribe link in the newsletter or by sending us a message using the contact details provided under “Controller”. This will not affect the lawfulness of the processing carried out on the basis of the consent prior to the withdrawal.

In order to document your newsletter registration and to prevent abuse of your personal data, we use what is known as a double opt-in procedure for email newsletter registrations. Once you have entered the data marked as mandatory, we will send you an email to the email address you have provided, in which we ask you to expressly confirm your subscription to the newsletter by clicking on a confirmation link. We process your IP address, the date and time of your registration for the newsletter and the time of your confirmation. This is how we ensure that you really want to receive our email newsletter. We are legally obliged to be able to demonstrate that you have consented to the processing of your personal data in connection with registering for the newsletter (Art. 7(1) GDPR). Due to this legal obligation, this data processing is carried out on the basis of Art. 6(1) Sentence 1(c) GDPR.

You are not obliged to provide your personal data during the registration process. However, if you do not provide the required personal data, we may not be able to process your subscription or process it in full. If you do not confirm your newsletter subscription within 24 hours, we will block the information transmitted to us and erase it automatically after one month at the latest. Once you confirm your registration, we will process your data for as long as you have subscribed to the newsletter.

If you cancel your registration by withdrawing your consent, we will continue to process your data, in particular your email address, to ensure that you do not receive any more newsletters from us. For this purpose, we will add your email address to an opt-out list, which makes it possible to prevent you from receiving any more newsletters from us. The legal basis for the data processing is Art. 6(1) Sentence 1(c) GDPR, in order to comply with our obligations to provide evidence, and failing this, Art. 6(1) Sentence 1(f) GDPR. In this case, we have a legitimate interest in complying with our legal obligations to make sure that we stop sending you newsletters.

You may object to the processing. Your right of objection exists if you have reasons arising from your particular situation. You may send us your objection using the contact details specified under “Controller” above.

We will also process the aforementioned data for the establishment, exercise or defence of legal claims. The legal basis for this processing is Art. 6(1) Sentence 1(c) GDPR and Art. 6(1) Sentence 1(f) GDPR. In these cases, we have a legitimate interest in the assertion or defence of claims.

You may object to the processing. Your right of objection exists if you have reasons arising from your particular situation. You may send us your objection using the contact details specified under “Controller” above.

We also statistically evaluate newsletter opening rates and the number of clicks on links in newsletters in aggregated form in order to determine the popularity of our newsletter. The legal basis of the processing is Art. 6(1) Sentence 1(a) GDPR. We will erase your data if you unsubscribe from the newsletter.

You can withdraw your consent at any time, either by sending us a message (see the contact details under “Controller”) or by clicking directly on the unsubscribe link in the newsletter. This will not affect the lawfulness of the processing carried out on the basis of the consent prior to the withdrawal.

CENDYN email marketing service

We use the email marketing service CENDYN, which is provided by Cendyn Group LLC/ Serenata IntraWare GmbH (Neumarkter Straße 18, 81673 Munich, Germany, dpo@cendyn.com). If you have subscribed to the newsletter, the data provided when registering as well as the data processed when you use our newsletters are processed on the servers of the aforementioned email marketing service. The email marketing service acts as our processor and is contractually limited in its authority to use your personal data for purposes other than to provide services to us in accordance with the applicable data processing agreement. The legal basis of the processing is Art. 6(1) Sentence 1(f) GDPR. Our legitimate interest in using an external email marketing service lies in the optimisation and more targeted control and monitoring of our newsletter content. CENDYN also processes your personal data in the US. No EU Commission adequacy decision exists for data transfers to the US. We have concluded so-called standard contractual clauses with CENDYN in order to commit CENDYN to an appropriate level of data protection. A copy is of course available on request. For further information about the protection of your data and how long CENDYN stores your data, please refer to CENDYN’s privacy policy: https://www.cendyn.com/privacy-policy/

You may object to the processing, insofar as it is based on Art. 6(1) Sentence 1(f) GDPR. Your right of objection exists if you have reasons arising from your particular situation. You may send us your objection using the contact details specified under “Controller” above. 

Payment service providers (PSPs)

Credit card payment

For the purpose of payment processing, we transmit the payment data required for the credit card payment to the bank commissioned with the payment or, if applicable, to the payment and invoicing service provider commissioned by us. This processing occurs on the basis of Art. 6(1) Sentence 1(b) GDPR. The provision of your payment data is necessary and obligatory in order to conclude and execute the contract. If you do not provide payment data, it will not be possible to conclude and/or execute a contract by means of credit card payment. The data required for payment processing is transmitted securely using SSL encryption and processed exclusively for payment processing. As soon as storage is no longer necessary, we erase the data generated in this context or, if statutory retention obligations apply, restrict processing of the data. Due to mandatory commercial and tax regulations, we are obliged to keep your address, payment and order data for a period of up to ten years. Two years after termination of the contract, we will restrict the processing and reduce the processing to compliance with our legal obligations.

Enforcement of rights, address investigation, debt collection

In the event of non-payment, we reserve the right to pass on the data provided at the time of ordering to a lawyer and/or to external companies (e.g. Verband der Vereine Creditreform e.V., Hellersbergstraße 12, 41460 Neuss, Germany) in order to ascertain an address and/or enforce our rights. The legal basis of the processing is Art. 6(1) Sentence 1(f) GDPR. Our legitimate interests lie in fraud prevention and avoiding default risks. In addition, we may pass on your data to the extent necessary in order to safeguard our rights, as well as the rights of our affiliates, our partners, our employees and/or users of our website. Under no circumstances will we sell or rent your data to third parties. The legal basis for the processing is Art. 6(1) Sentence 1(f) GDPR. We have a legitimate interest in the processing for the purpose of enforcing our rights. As soon as storage is no longer necessary, we erase the data generated or, if statutory retention obligations apply, restrict processing of the data.

You may object to the processing. Your right of objection exists if you have reasons arising from your particular situation. You may send us your objection using the contact details specified under “Controller” above.

Hosting

We use external hosting services provided by Amazon Web Services, Inc. (440 Terry Ave N, Seattle, WA 98109, US), in order to provide the following services: infrastructure and platform services, computing capacity, storage resources and database services, security and technical maintenance services. For these purposes, all of the data required for the operation and use of our website – including the access data mentioned under “Using our website” – is processed. The legal basis for this processing is Art. 6(1) Sentence 1(f) GDPR. By using external hosting services, our aim is to make providing our website efficient and secure.

You may object to the processing. Your right of objection exists if you have reasons arising from your particular situation. You may send us your objection using the contact details specified under “Controller” above.

Website management by a digital agency

We use the services of a digital agency (Puetter GmbH, Lichtstraße 25, 50825 Cologne) to manage our website. As part of this management, the digital agency may process the access data mentioned under “Using our website” (e.g. when making backups), in particular your IP address and the data provided when you made your booking or placed your order.

The legal basis for this processing is Art. 6(1) Sentence 1(f) GDPR. By using the services of our external digital agency, our aim is to make the provision of our website efficient and secure.

You may object to the processing. Your right of objection exists if you have reasons arising from your particular situation. You may send us your objection using the contact details specified under “Controller” above.

Content delivery network

Cloudflare

We use the services of the content delivery network (hereinafter referred to as “CDN”) of Cloudflare (Cloudflare Germany GmbH, Rosental 7, 80331 Munich and Cloudflare, Inc., 101 Townsend St., San Francisco, CA 94107, US; hereinafter referred to as “Cloudflare”) on our website for the purpose of allowing our website to be displayed more quickly. When you visit the website, the CDN caches a library on your device in order to avoid reloading the content. During this process, your IP address is transmitted to the provider in the US. Cloudflare processes your data in the US. No EU Commission adequacy decision exists for data transfers to the US. So-called standard contractual clauses have been concluded with Cloudflare in order to commit Cloudflare, Inc. to an appropriate level of data protection. You can view a copy of the standard contractual clauses at: https://www.cloudflare.com/cloudflare-customer-dpa/ The legal basis of the processing is Art. 6(1) Sentence 1(f) GDPR. By using Cloudflare, we are pursuing our legitimate interest in faster website retrieval as well as a more effective and improved presentation of our website. For further information about the protection of your data and how long Cloudflare stores your data, please refer to: https://www.cloudflare.com/en-gb/privacypolicy/

You may object to the processing, insofar as it is based on Art. 6(1) Sentence 1(f) GDPR. Your right of objection exists if you have reasons arising from your particular situation. You may send us your objection using the contact details specified under “Controller” above. 

jQuery

In addition, we use the services of the content delivery network (hereinafter referred to as “CDN”) jQuery, which is provided by OpenJS Foundation (548 Market St. PMB 57274, San Francisco, CA 94104, US), on our website for the purpose of allowing our website to be displayed more quickly. When you visit the website, the CDN caches a library on your device in order to avoid reloading the content. During this process, your IP address is transmitted to the provider in the US. jQuery also processes the data in part in the US. No EU Commission adequacy decision exists for data transfers to the US. However, so-called standard contractual clauses have been concluded with jQuery, in order to commit jQuery to an appropriate level of data protection. A copy of the standard contractual clauses is available on request. The legal basis of the processing is Art. 6(1) Sentence 1(f) GDPR. By using jQuery, we are pursuing our legitimate interest in faster website retrieval as well as a more effective and improved presentation of our website. For further information about the protection of your data and how long jQuery stores your data, please refer to: https://openjsf.org/wp-content/uploads/sites/84/2021/04/OpenJS-Foundation-Privacy-Policy-2019-11-15.pdf

You may object to the processing. Your right of objection exists if you have reasons arising from your particular situation. You may send us your objection using the contact details specified under “Controller” above.

Integration of third-party content

The website integrates third-party content, such as map material, from other websites. This integration always requires that the providers of this content (“third-party providers”) perceive the IP addresses of users. This is because without the IP address they would not be able to send the content to the browser of the respective user. As such, the IP address is required to display this content. In the following, we inform you about the services from external providers currently in use on our website, about the related processing in each case, and about how you can object or withdraw your consent.

Honeypot

We use Honeypot on our website. This service is provided by Nocean (Nocean, Ryan McLaughlin, 74 Hooker St. Welland, Ontario, L3C 5H1, Canada, https://www.nocean.ca/contact/, hereinafter referred to as “Honeypot”). Honeypot is used to check whether data entered on the website (e.g. in a contact form and when booking) is provided by a person or by an automated program. To do this, Honeypot analyses various aspects of the way in which the visitor behaves when entering data. This analysis starts automatically as soon as the user starts entering data. For the purpose of this analysis, Honeypot evaluates the input in the data fields. The data collected during the analysis is forwarded to Honeypot. This data processing occurs on the basis of Art. 6(1) Sentence 1(f) GDPR. We have a legitimate interest in protecting our website from abusive automated spying and unsolicited email advertising (spam). Honeypot also processes your personal data in Canada. An EU Commission adequacy decision exists for data transfers to Canada. Further information about Honeypot and how long your data is stored is available on the Honeypot website: https://www.nocean.ca/

You may object to the processing, insofar as it is based on Art. 6(1) Sentence 1(f) GDPR. Your right of objection exists if you have reasons arising from your particular situation. You may send us your objection using the contact details specified under “Controller”. 

Google Tag Manager

Our website uses Google Tag Manager, which is provided by Google (Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland; hereinafter referred to as “Google” and “Google Tag Manager”). Google Tag Manager is a solution that allows website tags and other elements to be managed through a single interface.

Firstly, when you visit the website with Google Tag Manager, an HTTP request is sent to Google. As a result, device information and personal data – such as your IP address and information about your browser settings – are transmitted to Google. We use Google Tag Manager to facilitate electronic communications by providing information to third-party providers, including through programming interfaces. Google Tag Manager implements the respective tracking codes of the third-party providers without us having to go to the effort of changing the source code of the website ourselves. Instead, integration is performed by a container that places what is known as placeholder code in the source code. Google Tag Manager also enables the exchange of users’ data parameters in a certain order, in particular by ordering and systematising the data packets. The legal basis for the data processing is Art. 6(1) Sentence 1(f) GDPR. We have legitimate interests in the processing for the purposes of facilitating and carrying out electronic communication by identifying communication endpoints, control options, exchanging data elements in a defined order, and identifying transmission errors. In isolated cases, your data will also be transferred to the US. No EU Commission adequacy decision exists for data transfers to the US. So-called standard contractual clauses have been concluded with Google, LLC in order to commit Google, LLC to an appropriate level of data protection. You can obtain a copy of the standard contractual clauses at: https://cloud.google.com/terms/sccs Google Tag Manager does not initiate data storage. For further information about privacy at Google, please refer to: http://www.google.de/intl/en/policies/privacy

You may object to the processing, insofar as it is based on Art. 6(1) Sentence 1(f) GDPR. Your right of objection exists if you have reasons arising from your particular situation. You may send us your objection using the contact details specified under “Controller” above.

You can prevent the processing by deleting the browser history and other website data in your browser settings or by opening your browser in “private mode”.

On the other hand, Google Tag Manager integrates tags from third-party providers for example, such as tracking codes or tracking pixels, on our website. The tool triggers other tags, which in turn record your data; our privacy policy explains this separately in each case. Google Tag Manager itself does not evaluate the device information and personal data of users collected by the tags. Rather, your data is forwarded to the specific third-party service for the purposes specified in our consent management tool. We have configured Google Tag Manager to work with our consent management tool in such a way that triggering certain third-party services in Google Tag Manager depends on the selections you make in our consent management tool, so that only those tags from third-party providers trigger data processing for which you have given consent. The use of Google Tag Manager is subject to your consent for the specific third-party service. The legal basis of this processing is your consent under Art. 6(1) Sentence 1(a) GDRP. Google also processes the data in part in the US. No EU Commission adequacy decision exists for data transfers to the US. So-called standard contractual clauses have been concluded with Google, LLC in order to commit Google, LLC to an appropriate level of data protection. You can obtain a copy of the standard contractual clauses at: https://cloud.google.com/terms/sccs The following descriptions of the individual third-party services specify how long your data will be stored in each case. For further information about privacy at Google, please refer to: http://www.google.de/intl/en/policies/privacy

You can withdraw your consent to the processing at any time by moving the slider back for the specific third-party provider in the consent tool privacy settings. Please note that this will not affect the lawfulness of the processing before your withdrawal.

Services for statistical, analysis and marketing purposes

We use services from third parties for statistical, analysis and marketing purposes. This enables us to offer you a user-friendly, optimised experience when visiting the website. The third-party providers use cookies, pixels, browser fingerprinting or other tracking technologies to control their services. In the following, we inform you about the services from external providers currently in use on our website, about the related processing in each case, and about how you can withdraw your consent.

Facebook Analytics

We use the Facebook tool Facebook Analytics (the provider is Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland, and Meta Platforms Inc. 1601 Willow Rd, Menlo Park, California, US; hereinafter referred to as “Facebook” and “Facebook Analytics”). In order to use Facebook Analytics, we use so-called Facebook pixels for the purpose of analysing how people use our website and online presences, e.g. on social networks such as Facebook and Instagram, how users interact with our website and online presences, and measuring the reach of our ads. Your browser uses Facebook pixels – small graphics that are also embedded on our website, are automatically loaded when you visit our website, and enable tracking of user behaviour – to automatically establish a direct connection with the Facebook server. Embedding Facebook pixels allows Facebook to process the information generated by cookies about the use of our website by your device – e.g. the fact that you have visited a certain page – and process, among other things, the data mentioned under “Using our website”, in particular your IP address, browser information, the website visited before, the Facebook ID and the date and time of the server request, for the purposes of analysing our website and other online presences, analysing user interactions and measuring the reach of our ads. For these purposes, it is also possible to determine whether different devices belong to you or to your household. The information we obtain with the help of Facebook pixels serves statistical purposes only, is transmitted to us by Facebook in the form of anonymous statistics, and does not provide any personal information about users. If you are registered with a Facebook service, Facebook can associate the information recorded with your account. Even if a user is not registered with Facebook or has not logged in, it is possible that Facebook will obtain and process their IP address and other identifying information. With regard to the storage of and access to information in your device, the legal basis is Sect. 25(1) TTDSG; for further processing, the legal basis is Art. 6(1) Sentence 1(a) GDPR. Facebook also processes the data in part in the US. No EU Commission adequacy decision exists for data transfers to the US. Standard data protection clauses have been concluded with Meta Platforms Inc. in order to commit Meta Platforms Inc. to an appropriate level of data protection. You can request a copy of the standard data protection clauses from Facebook at: https://www.facebook.com/help/contact/341705720996035 The information in Facebook cookies will be stored for a maximum of three months. For further information about the protection of your data and how long Facebook stores your data, please refer to: https://www.facebook.com/privacy/explanation and https://www.facebook.com/policies/cookies/

You can withdraw your consent to the processing at any time by moving the slider back in the consent tool “Privacy Settings”. This does not affect the lawfulness of the processing carried out on the basis of the consent prior to the withdrawal.

Google Analytics

In order to tailor our website perfectly to user interests, we use Google Analytics, a web analytics service from Google (Google Ireland, Ltd., Gordon House, Barrow Street, Dublin 4, Ireland and Google, LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, US (hereinafter referred to as “Google” and “Google Analytics”). Google Analytics uses cookies, which are stored on your device. Google uses the cookies to process the information generated about the use of our website by your device – e.g. the fact that you have visited a certain page – and process, among other things, the data mentioned under “Using our website”, in particular your IP address, browser information, the website visited before and the date and time of the server request, for the purpose of statistical analysis of how people use our website. For this purpose, it is also possible to determine whether different devices belong to you or to your household. This website uses Google Analytics with the “anonymizeIp()” extension. This shortens IP addresses before they are processed, in order to make it much more difficult to identify individuals. According to Google, your IP address is shortened within member states of the European Union or contracting states of the European Economic Area before being transmitted to Google in the US. Only in exceptional cases will the full IP address be transferred to a Google server in the US and shortened there. Google will process this information for the purpose of evaluating your use of this website, compiling reports for us on website activity, and – where we point this out separately – providing us with other services relating to website usage. If a user is registered with a Google service, Google can associate the visit with the user’s account and create and evaluate user profiles across applications. With regard to the storage of and access to information in your device, the legal basis is Sect. 25(1) TTDSG; for further processing, the legal basis is Art. 6(1) Sentence 1(a) GDPR. Google also processes the data in part in the US. No EU Commission adequacy decision exists for data transfers to the US. So-called standard contractual clauses have been concluded with Google, LLC in order to commit Google, LLC to an appropriate level of data protection. You can obtain a copy of the standard contractual clauses at: https://cloud.google.com/terms/sccs Your data processed in connection with Google Analytics will be erased after twenty-four months at the latest. For further information about privacy at Google, please refer to: http://www.google.de/intl/en/policies/privacy

You can withdraw your consent to the processing at any time by moving the slider back in the consent tool “Privacy Settings”. Please note that this will not affect the lawfulness of the processing before your withdrawal.

Google Ads Remarketing

We use the Google Ads tool with the Dynamic Remarketing feature, which is provided by Google (Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland and Google, LLC, 1600 Amphitheatre Parkway Mountain View, CA 94043, US; hereinafter referred to as “Google” and “Google Ads”). The Dynamic Remarketing feature allows us to recognise users of our website on other websites within the Google advertising network (in Google Search or on YouTube, so-called Google Ads, or on other websites) and present ads tailored to their interests. Ads may also refer to products and services that you have already viewed on our website. For this purpose, analyses are performed of user interactions on our website, e.g. which offers a user was interested in, so that we can display targeted advertising to users on other sites after they have left our website. When you visit our website, Google Ads stores a cookie on your device. Google uses cookies to process the information generated by your device about the use of our website and interactions with our website as well as the data mentioned under “Using our website”, in particular your IP address, browser information, the website visited before and the date and time of the server request, for the purpose of serving personalised ads. For this purpose, it is also possible to determine whether different devices belong to you or to your household. If a user is registered with a Google service, Google can associate the visit with the user’s account and create and evaluate user profiles across applications. With regard to the storage of and access to information in your device, the legal basis is Sect. 25(1) TTDSG; for further processing, the legal basis is Art. 6(1) Sentence 1(a) GDPR. Google also processes the data in part in the US. No EU Commission adequacy decision exists for data transfers to the US. So-called standard contractual clauses have been concluded with Google, LLC in order to commit Google, LLC to an appropriate level of data protection. You can obtain a copy of the standard contractual clauses at: https://cloud.google.com/terms/sccs The maximum storage period with Google is 24 months. For further information about the protection of your data and how long Google stores your data, please refer to: https://policies.google.com/privacy

You can withdraw your consent to the processing at any time by moving the slider back in the consent tool “Privacy Settings”. Please note that this will not affect the lawfulness of the processing before your withdrawal.

Google Ads Conversion

We use Google Ads, which is a service provided by Google (Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland and Google, LLC, 1600 Amphitheatre Parkway Mountain View, CA 94043, US; hereinafter referred to as “Google” and “Google Ads”), in order to use ads (formerly known as “Google AdWords”) to draw attention to our attractive services on external websites. In relation to the data of the advertising campaigns, we can determine how successful the individual advertising activities are. These ads are delivered by Google via so-called ad servers. For this purpose, we use ad server cookies, which can be used to measure certain parameters for reach measurement, such as the display of ads or clicks by users. If you reach our website via a Google ad, Google Ads stores a cookie on your device. Google uses the cookies to process the information generated by your device about interactions with our ads (retrieval of a particular web page or clicking on an ad), and the data mentioned under “Using our website” – in particular the IP address, browser information, the website visited before and the date and time of the server request – for the purpose of analysing and visualising the reach measurement of our ads. For this purpose, it is also possible to determine whether different devices belong to you or to your household. Due to the marketing tools used, your browser automatically establishes a direct connection to the Google server. If you are registered with a Google service, Google can associate the visit with your account. Even if you are not registered with Google or have not logged in, it is possible that the provider will obtain and process your IP address. We only receive statistical analyses from Google for the purpose of measuring the success of our ads. With regard to the storage of and access to information in your device, the legal basis is Sect. 25(1) TTDSG; for further processing, the legal basis is Art. 6(1) Sentence 1(a) GDPR. Google also processes the data in part in the US. No EU Commission adequacy decision exists for data transfers to the US. So-called standard contractual clauses have been concluded with Google, LLC in order to commit Google, LLC to an appropriate level of data protection. You can obtain a copy of the standard contractual clauses at: https://cloud.google.com/terms/sccs The maximum storage period with Google is 24 months. For further information about the protection of your data and how long Google stores your data, please refer to: https://policies.google.com/privacy

You can withdraw your consent to the processing at any time by moving the slider back in the consent tool “Privacy Settings”. Please note that this will not affect the lawfulness of the processing before your withdrawal.

Copyright by Spirit Legal