Hotel am Schlosspark
Telephone: +49 (0) 33968 502-0
Fax: +49 (0) 33968 502-111
Forms of processed data:
– Inventory data (e.g. names, addresses).
– Contact data (e.g. email, telephone numbers).
– Contents data (e.g. text inputs, photographs videos).
– Usage data (e.g. accessed websites, content interest, access times).
– Metadata/communication data (e.g. device information, IP addresses).
Categories of data subjects
Visitors to and users of the online offer (we hereafter also refer to the data subjects as “us-ers”).
Purpose of the processing
– The making of the online offer, its functions and contents available.
– Replying to contact requests and communicating with users.
– Security measures.
– Range determination/marketing
“Personal data“ are deemed to be all information that relates to an identified or identifiable natural person (hereafter referred to as the “data subject“); a natural person is deemed to be natural if he can be directly or indirectly identified, this especially being on the basis of an identifier such as a name, an identification number, location data, an online identifier (e.g. a cookie), or on the basis on one or more special factors that express the physical, physiologi-cal, genetic, mental, economic, cultural or social identity of that natural person.
“Processing“ means any operation or set of operations which is performed on personal data or on sets of personal data. The term is far-reaching and comprises almost all handling of data.
“Pseudonymisation’ means the processing of personal data in such a manner that the per-sonal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
“Profiling” means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, econom-ic situation, health, personal preferences, interests, reliability, behaviour, location or move-ments.
“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of per-sonal data.
“Processor“ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Legal basis of the processing
We implement appropriate technical and organisational measures that ensure a level of se-curity appropriate to the risk measures pursuant to Art. 32 GDPR that take into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.
Such measures especially include the ensuring of the confidentiality, integrity and availability of data by controlling the physical access to them, in addition to them being accessed, input, transferred, subject to a securing of the availability and their separation. We also take into account the protection of personal data during the development or selection of hardware, software and procedures in keeping with the data protection by technology design and with data protection-friendly settings (Art. 25 GDPR).
Cooperation with processors and third parties
In cases where we make disclosures to other persons and companies (processors or third parties) within the scope of our processing of data, transfer data to them, or grant them ac-cess to data otherwise, this is only carried out on the basis of statutory permission (e.g. should a transferring of data to third parties such as payment service providers be necessary in order to fulfil a contract pursuant to Art. 6 para. 1 letter b GDPR), you have consented to this, this is the subject of a legal obligation or this is based on our legitimate interests (e.g. when availing ourselves of representatives, web hosts, etc.).
In cases where we commission third parties with the processing of data on the basis of what is referred to as a “Commissioned Data Processing Agreement”, this is carried out on the basis of Art. 28 GDPR.
Transfers of personal data to third countries
Should we have data processed in third countries (i.e. outside the European Union (EU) or the European Economic Area (EEA)) or disclose data so that we can avail ourselves of third party services or should we transfer data to third parties, we only do so should this be neces-sary in order for us to fulfil our (pre-)contractual obligations, you have consented to this, this is the subject of a legal obligation or this is based on our legitimate interests. Subject to statutory or contractual consents, we only process or have the data processed in a third country should the special requirements stated in Art. 44 et seq. GDPR exist, i.e. the pro-cessing takes place on the basis of special guarantees such as the officially recognised de-termination of a data protection level that corresponds to that in the EU (e.g. the “Privacy Shield” in the USA) or when observing officially recognised special contractual obligations (referred to as “standard contract terms”).
Rights of the data subject
You have the right to demand confirmation of whether your data are being processed and information concerning this data in addition to additional information and a copy of the data concerned conform with Art. 15 GDPR.
Conform with Art. 16 GDPR, you have the right to demand a completion of your data or a rectification of your data should they be incorrect.
Pursuant to 17 GDPR, you can demand that your data be erased without delay or you can alternatively demand that the processing of your data be restricted pursuant to Art. 18 GDPR.
Pursuant to Art. 20 GDPR, you have the right to demand that you be provided with your data and that they be transferred to another controller.
Pursuant to Art. 77 GDPR, you also have the right to file a complaint with the responsible supervisory authority.
Right of revocation
You have the right to revoke consent that you have granted pursuant to Art. 7 para. 3 GDPR with future effect. A revocation of the approval shall not have an effect on the lawful nature of the processing that has taken place on the basis of the consent prior to the revocation. Please address your revocation to: email@example.com
Right to Object
Pursuant to Art. 21 GDPR, you can at all times object to the processing of your data in the future. The objection can especially be filed against the processing for direct advertising pur-poses. Please address your objection to: firstname.lastname@example.org
Provision of data
The conclusion of a contract with us necessitates you providing personal data that is required for the initiation and implementation of the accommodation contract or which we have a legal obligation to acquire. We shall not normally be able to conclude the contract with you or exe-cute it without this data. Pursuant to Section 30 para. 2 of the German Federal Registration Act, we have an obligation to recording certain personal data in respect to yourself in the scope of a registration form. Should you not wish to provide us with the required information, we shall not be able to provide you with the services you desire or we shall be unable to pro-vide them fully.
Cookies and a right to object to direct advertising
“Cookies“ are small files that are stored on computers. The cookies can have diverse data stored in them. A cookie primarily has the task of storing the data of the user (or the device that the cookie is stored on) during or after a visit has been paid to an online offer. Tempo-rary cookies or “session cookies” or “transient cookies“ are cookies that are deleted after a user has left an online offer and has closed the browser. Such a cookie can store the con-tents of a shopping cart in an online shop or a login status for example. Cookies are deemed to be “permanent“ or “persistent“ if they remain stored after the browser has been closed. This enables the login status to be stored however should the user return to the offer after a number of days. The interests of the user can also be stored in such a cookie, it then being possible to use these for a range determination or for marketing purposes. “Third-Party cook-ies“ are cookies that are offered by providers other than the controller that operates the online offer (reference is otherwise only made to “First-Party cookies“ if they are cookies that only belong to him).
Should the user not wish to have cookies stored on his computer, he is requested to deacti-vate the corresponding option in the system settings of his browser. Stored cookies can be deleted in the system settings of the browser. An exclusion of cookies can result in re-strictions to the functions provided by this online offer.
With regard to the legal provisions that have validity in Germany, the storage is especially to be for a duration of 10 years pursuant to Section 147 para. 1 of the German fiscal code (AO), Section 257 para. 1 No. 1 and No. 4, para. 4 of the German commercial code (HGB) (ac-counts, written records, situation reports, accounting records, documents that are relevant for taxation, etc.) and 6 years pursuant to Section 257 para. 1 No. 2 and No. 3, para. 4 HGB (commercial letters).
We also process
– contractual data (e.g. subject matter of the contract, term, customer category),
– payment data (e.g. bank details, payment history)
from our customers, interested parties and business partners for the purpose of providing contractual performances, services and customer care, marketing, advertising and market research purposes.
The hosting services we avail ourselves of serve the provision of the following services: in-frastructure and platform services, computer capacity, storage space and database services security services and technical maintenance services, that we use for the operation of this online offer.
We or our hosting provider hereby process inventory data, contact data, content data, con-tract data, utilisation data, metadata and communication data from customers, interested parties and visitors to this online offer on the basis of our legitimate interests in an efficient and secure availability of this online offer pursuant to Art. 6 para. 1 letter f GDPR in conjunc-tion with Art. 28 GDPR (conclusion of a processing agreement).
Acquiring access data and log files
We or our hosting provider acquire data on each access to the server that our service is stored on (referred to as log files), this being on the basis of our legitimate interests in the meaning of Art. 6 para. 1 letter f. GDPR. The access data include the name of the accessed website, the file, date and time of the access, transferred data quantities, a report regarding the successful access, the browser type and version, the operating system of the user, the referrer URL (this being the site that was visited prior to this), the IP address and the request-ing provider.
Log file information is stored for a maximum duration of 7 days for security reasons (e.g. in order to clarify misuse or fraudulent actions) before they are erased. Data that are required for further processing as evidence are excluded from the erasure until final clarification has been made of the event concerned.
Provision of contractual services
We process inventory data (e.g. names and addresses in addition to the contact data of us-ers) and contract data (e.g. services that have been taken avail of, names of points of con-tact, payment information) so that we can fulfil our contractual obligations and provide our services pursuant to Art. 6 para. 1 letter b. GDPR. The information that is denoted in online forms as being mandatory, are required for the conclusion of the contract.
When our online services are used, we store the IP address and the time that the corre-sponding user action took place. The storage is carried out on the basis of our legitimate in-terests and in order to protect the user from misuse and other unauthorised use. A transfer-ring of this data to third parties do not basically take place, the exception being that this is necessary in order for us to assert our claims or should there be a legal obligation pursuant to Art. 6 para. 1 letter c GDPR.
We process user data (e.g. the visited webpages in our online offer, interest in our products) and content data (e.g. entries made in the contact form or the user profile) in a user profile for advertising purposes so that we can display product information on the basis of the ser-vices he has availed himself of in the past, for example.
The data are erased after expiry of the statutory warranty and comparable obligations and the necessity for the storage of the data is reviewed at three-year intervals: should a statuto-ry archiving duty exist, the erasure takes place after this has expired. Information included in a customer account that might exist remains there until it is erased.
Administration, financial accounting, office organisation, contact administration
We process data in the scope of administrative tasks and the organisation of our business, the financial accounting and the acting conform with statutory obligations such as archiving. We hereby process the same data that we process in the scope of our providing of our con-tractual services. The processing is based on Art. 6 para. 1 letter c. GDPR, Art. 6 para. 1 letter f. GDPR. Customers, interested parties, business partners and website visitors are the data subjects in this regard. The purpose and our interest in the processing is in connection with the administration, financial accounting, office organisation and the archiving of data, these being tasks that serve the maintaining of our business activities, the performing of our duties and the provision of our services. Data that are connected to contractual services and the contractual communication are erased after expiry of the statutory storage periods. Please refer to “Data erasure“..
We hereby disclose or transfer data to the fiscal administration, consultants such as tax con-sultants, lawyers or chartered accountants in addition to billing centres and payment service providers for example.
On the basis of our business interests, we also store data in connection with suppliers, event organisers and other business partners for the purpose of establishing contact later for ex-ample. We basically store this data that is mainly company-related permanently.
Data protection information for application process
Applicants can send us their applications by email but please note that emails are not sent in an encrypted form and that the applicant is responsible for the encryption. We are therefore unable to assume responsibility for the transmission path that the application takes between the sender and it being received on our server so that we therefore recommend that it be sent by post.
We only process the data of the applicant for the purpose and within the scope of the appli-cation process, this being conform with statutory requirements. The processing of the data of the applicant is carried out for the purpose of establishing an employment relationship pursu-ant to Section 26 of the German Data Protection Act (BDSG) and Art. 6 para. 1 letter f. GDPR in as far as the data processing is necessary for us in the scope of legal proceedings for example.
The application process necessitates the applicant providing us with the data of the appli-cant. We shall be sent the required data of the applicant by mail. The data are otherwise in-cluded in the job description and always include the personal data, the postal and contact addresses and the documents that form a part of the application such as the covering letter, the Curriculum Vitae and the certificates and references. The applicant can also provide us with additional information on a voluntary basis.
Should special categories of personal data be imparted voluntarily in the meaning of Art. 9 para. 1 GDPR, these are subjected to additional processing pursuant to Art. 9 para. 2 letter b GDPR (e.g. health data, such as a severe disability or ethnic origin). Should special catego-ries of personal data be requested in the scope of the application process, these are pro-cessed pursuant to Art. 9 para. 2 letter a GDPR (e.g. health data should this be necessary in connection with the work that is to be carried out).
The data that are provided by the applicant can be subjected to further processing by us should the application be successful, this then being for the purpose of the employment rela-tionship. Should this not be the case and the application is unsuccessful, the data of the ap-plicant shall be erased. The data of the applicant shall also be erased should an application be withdrawn, the applicant being entitled to do so at all times.
Subject to a justified objection on the part of the applicant, the erasure takes place after expi-ry of a period of six months so that we can respond to any follow-up questions regarding the application in addition to us meeting our obligations pursuant to the German General Equal Treatment Act. Invoices in connection with any reimbursements of travel expenses shall be archived conform with fiscal law requirements.
When we are contacted (e.g. by contact form, email, telephone or via social media), we pro-cess the data of the user for the purpose of processing the contact request and its handling pursuant to Art. 6 para. 1 letter b) GDPR. The user information can be stored in a Customer Relationship Management System („CRM System“) or a similar request system.
We erase the request as soon as it is no longer required. We validate the necessity every two years and the statutory archiving obligations also have validity.
Online presences in social media
We maintain online presences within social networks and platforms so that we can com-municate with customers, interested parties and users that are active there and so that we can inform them on our services. Should the corresponding networks and platforms be ac-cessed, this is subject to the Terms and Conditions and the data processing guidelines of the respective operator.