Look forward to:
  • ArrivalDeparture

  • 2 Persons1 Room

    • Persons

    • Rooms

  • Cocktail with a view?

Book a table
  • Cocktail mit Aussicht?

Book a table
  • Start date and time

  • 8 Hours10 Participants

    • Meeting duration

    • Participants

Data Protection - Privacy Statement

Data Protection - Privacy Statement

The protection of personal data is a very important issue for us. Therefore, the processing of personal data is carried out in accordance with the applicable European and national legislation.

You can revoke your declaration(s) of consent with future effect at any time. Please contact then the controller referred to in Section 1 of this statement.

The following statement provides an overview of what kind of data is collected, how it is used and shared, what security measures we take to protect your information, and how you obtain information about the data you have provided to us.

Legal basis for the processing of personal data
Insofar as we obtain the consent of the data subject for processing of personal data, the Art. 6 para. 1 sentence 1 lit. a) of the EU General Data Protection Regulation (GDPR) serves as legal basis.
In the processing of personal data required to fulfil a contract of which the data subject is a party, the Art. 6 para. 1 sentence 1 lit. b) of the GDPR serves as legal basis. This also applies to processing operations required to carry out pre-contractual measures.
Insofar as processing of personal data is required to fulfil a legal obligation to which we are subject, Art. 6 para. 1 sentence 1 lit. c) of the GDPR serves as legal basis.
If processing is necessary to safeguard the legitimate interests of our company or of a third party, and if the interest, fundamental rights and fundamental freedoms of the data subject do not prevail over the first mentioned interest, Art. 6 para. 1 sentence 1 lit. f) of the GDPR serves as legal basis for data processing.

Data erasure and duration of storage
The personal data of the data subject will be deleted or blocked as soon as the purpose of the storage is not anymore applicable. The data may also be stored if the storage is provided for by the European or national legislator and prescribed by EU regulations, laws or other regulations to which we are subject. A blocking or deletion of the data takes place also when a storage period prescribed by the mentioned regulations expires, unless there is a need for further storage of the data for the purpose of a contract conclusion or a contract fulfilment.

§ 1 Controller and data protection officer

(1) Name and address of the controller
Party responsible for the processing of personal data for the purposes of the European Union General Data Protection Regulation (GDPR), or of other applicable data protection laws in the Member States of the European Union, and of other provisions relating to protection of personal data, is:

Wilhelm Bartels GmbH & Co. KG
Seewartenstraße 9
20459 Hamburg
040 /31113 - 0
info@hotel-hamburg.de
www.hotel-hafen-hamburg.de

(2) Name and address of the data protection officer:
SHIELD GmbH
Martin Vogel
Ohlrattweg 5
25497 Prisdorf
info@shield-datenschutz.de
www.shield-datenschutz.de

§ 2 Definitions

The privacy statement is based on the terms, which the European legislative and regulatory authority uses in the EU General Data Protection Regulation (hereinafter called GDPR). Our privacy statement aims to be easy to read and to understand. To guarantee this we shall first explain the most important terms used:

(1) Die Datenschutzerklärung beruht auf den Begrifflichkeiten, die durch den Europäischen Verordnungsgeber beim Erlass der EU-Datenschutz-Grundverordnung (nachfolgend: „DSGVO“ genannt) verwendet wurden. Die Datenschutzerklärung soll einfach lesbar und verständlich sein. Um dies zu gewährleisten, werden nachfolgend die wichtigsten Begriffe erläutert:

(2) Personal data means any information relating to an identified or identifiable natural person (hereinafter called 'data subject'). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

(3) Data subject means any identified or identifiable natural person whose personal data is processed by the party responsible for the processing.

(4) Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

(5) Profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.

(6) Pseudonymisation means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.

(7) Controller or the party responsible for the processing means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for the nomination of the controller, may be provided for by Union or Member State law.

(8) Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

(9) Recipient means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients.

(10) Third party means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.

(11) Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

§ 3 Provision of the website and creation of log files

(1) Even in the case of merely informative use of the website, i.e. if you do not register or otherwise provide us with information, we collect in an automated way following data and information from the computer system of the calling computer each time the website is accessed:
a) browser types and versions used
b) operating system used by the accessing computer
c) Internet service provider of the user
d) date and time of access to our website
e) websites from which an accessing system of the user gets to our website
f) websites, which are accessed from the user’s system via our website
g) content of the call on the website (specific pages)
h) amount of data transferred in each case

The data is stored in the log files of our server. Not affected by this are the IP addresses of the user or other data that allow the assignment of the data to a user. This data is not stored together with other personal data of the user.

When using this general data and information, we do not draw any conclusions about the data subject. The data is evaluated only statistically.
The log files are stored anonymously, therefore an assignment to a person is excluded.

(2) The legal basis for the temporary storage of the log files is Art. 6 para. 1 sentence 1 lit. f) of the GDPR.

(3) The temporary storage of the IP address by the system is necessary
a) to allow delivery of the website to the computer of the user. For this the IP address of the user must be recorded for the duration of the session.
b) to optimize the content of our website as well as the advertising for it
c) to ensure the functionality of our information technology systems and of the technology on our website
d) to provide prosecution authorities with information necessary for law enforcement in the event of a cyberattack

For the abovementioned purposes, we pursue our legitimate interests in the processing of data according to Art. 6 para. 1 sentence 1 lit. f) of the GDPR.

(4) The data will be deleted as soon as it is no longer necessary for the purposes for which the personal data are processed - in this case, at the end of the use of our website.

(5) The compilation of the data for the provision of the website and the storage of the data in log files is absolutely necessary for the operation of the website, which is why there is no possibility to opt out.

§ 4 Use of cookies

(1) This website uses so-called cookies. Cookies are small text data files that, as soon as you visit a web page, are sent from a webserver to your browser and stored locally on your device (PC, notebook, tablet, smartphone etc.). Cookies are placed on your computer and they provide the user (us) with certain information. Cookies do not cause any damage to the computer and contain no viruses. Each cookie contains a characteristic string (so-called cookie ID), which enables a clear identification of the browser when the website is called up again.

(2) We use cookies to make our site more user-friendly, for example, to make it easier for you to fill in forms, to offer you different languages, or to make our multimedia content available to you. Some elements of our website require that the calling browser must be identifiable even after a page break.

(3) On our website we also use cookies
a) which enable an analysis of your web surfing behaviour,
b) for the integration of user-oriented advertisements as well as for market research purposes
c) of third-party providers for the use of various tools specified below
d) of the THN (The Hotels Network, www.thehotelsnetwork.com) for the identification and information of the user
e) from the company Silktide (Silktide Ltd, Brunel Parkway, Pride Park, Derby, DE24 8HR, UK). This is a plugin with which it is possible to obtain consent to the use of cookies and / or tracking technologies.

(4) When you visit our website, you will be informed about the use of cookies and your consent to the processing of the personal data used in this context will be obtained. On this occasion, a reference to this privacy policy will also be highlighted.

(5) The legal basis for processing of personal data using technically necessary cookies is provided in Article 6 (1) sentence 1 lit. f) of the GDPR. The legal basis for processing of personal data using cookies for analysis, for information and for advertising purposes is provided by the presence of the consent given by the user acc. to Art. 6 para. 1 p. 1 lit. a) of the GDPR; the same applies to third-party cookies.

(6) The purpose of using technically necessary cookies is to facilitate the use of websites for you. Some features of our website cannot be offered without the use of cookies. For such features it is necessary that the browser is recognized even after a page break. Cookies serve in particular the purpose of making the website more customer-friendly and secure, notably in collecting usage-related information, such as the frequency of use and the number of users of the websites as well as their behaviour patterns of the website activity. The user data collected by technically necessary cookies will not be used for creating user profiles.

(7) The purpose of using technically unnecessary cookies is to improve the quality of our website and its content. Through such cookies that conduct analysis we learn, how the website is used and this enables us to optimize the provision of our services continuously. The advertising cookies allow us to include advertising according to your interests, or rather to display it to you. This kind of information is also useful, if you visit the website again with the same device, as it helps to recognize you automatically and to make navigation easier for you. The third-party cookies allow us to provide you with tools that make using the website easier. The purpose of cookies containing information and identification characteristics is to identify the user by means of an ID and to be able to recognize this user when he visits the site again. The cookie is used to inform the user about how many other users are currently on the page and how many times the room that the user is currently viewing has already been booked.

(8) Persistent cookies remain stored even when the browser session is ended and can be recalled when the page is visited again. The THN (The Hotels Network) cookie is stored for a period of two years. The cookies are stored on your computer and transmitted by your computer to our site. Therefore, you also have full control over the use of cookies. If you do not want collection of data through the use of cookies, you can set your browser via the menu under "Settings" in such a way that you are informed about the placement of cookies, or you can generally block the setting of cookies, or delete cookies individually. It should be noted, however, that disabling cookies may limit the functionality of this website. As far as session cookies are concerned, they will be deleted automatically after leaving the website.

§ 5 Contact forms & e-mails

(1) A contact form is available on our website. It can be used for electronic contact. If you make use of this opportunity, the data entered in the input mask will be transmitted to us and saved. The data we collect:
a) E-mail address
b) Message
c) Name
d) Phone number

(2) A form for a request for reservation / conference facilities is available on our website, too. This form can be used for electronic contact. If you make use of this opportunity, the data entered in the input mask will be transmitted to us and saved. The data we collect:
a) E-mail address
b) Name
c) Phone number
d) Number of persons
e) Dates
f) In the conference booking form: name and address of the company, information on seating and technology, type of conference package, accommodation
g) In the reservation request for the restaurant: Type of event, message

(3) At the time of sending the message, the following data is also stored - anonymized:
a) IP address of the user
b) Date and time of registration
For the processing of the data, your consent is obtained within the transmission process and reference is made to this data protection statement.

(4) You are also welcome to contact us by e-mail. In this case, the personal data transmitted by e-mail will be stored. As far as this information concerns communication channels (e.g. e-mail address, phone number), you additionally agree that we may also contact you via this communication channel to answer your request. There is no disclosure of data to third parties on this occasion. The data is used exclusively for processing the conversation.

(5) Legal basis for processing of the data is provided by the presence of the consent of the user acc. to Art. 6 para. 1 p. 1 lit. a) of the GDPR. The legal basis for processing of the data transmitted in the course of sending an e-mail is provided in Article 6 (1) sentence 1 lit. f) of the GDPR. If the objective of the e-mail contact is to conclude a contract, the supplementary legal basis for the processing is in Art. 6 para. 1 sentence 1lit. b) of the GDPR.

(6) Processing of the personal data from the input mask serves only for the purpose of processing the contact. Naturally, we will only use the data from your e-mail inquiries for the purpose for which you make the data available to us when you contact us. The other personal data processed during the transmission process serve to prevent misuse of the contact form and to ensure the security of our information technology systems. This is also our legitimate interest.

(7) The data will be deleted as soon as it is no longer necessary for the achievement of the purpose for which it is collected. For the personal data from the input mask of the contact form and the data sent by e-mail, this is the case when the respective conversation with the user is finished. The conversation is finished when it can be inferred from the circumstances that the matter in question has been finally settled. The additional personal data collected during the transmission process will be deleted not later than after a period of seven days. If the objective of the e-mail contact is implementation of a contract, the data will be deleted after expiry of the legal (commercial or fiscal) storage periods required for this purpose

(8) You have at any time the option to revoke your consent to the processing of the e-mail and its contents. In such a case the conversation cannot continue. Please contact for this purpose the person in charge as defined in the Section 1. This possibility of revocation shall however only exist, if the e-mail contact does not serve the preparation or execution of a contract.

§ 6 DialogShift chat application (chatbot)

Our website uses the chat application of Dialogshift GmbH, Rheinsberger Str. 76/77, 10115 Berlin (hereinafter referred to as "DialogShift"). This application processes personal data to operate the chat application and to respond to requests.

For the operation of the chat function, the chat texts are stored and a cookie with a unique ID is set - this is used to recognize you as a customer. A cookie is a small text file that is stored locally in the cache on your device. Using this cookie, the chat application recognizes the device again and can retrieve past chat logs. This cookie is stored for 3 months since last use. You can disable the storage of cookies in your browser settings. However, without the use of cookies, the chat function cannot be executed.

The data is processed in Germany and the USA. Although the USA is a third country that does not offer an adequate level of data protection, suitable guarantees are applied here in the form of EU standard data protection clauses in accordance with Art. 46 Para. 2 lit. c GDPR, which was issued by the European Commission in accordance with an examination procedure pursuant to Art. 93 GDPR. These standard data protection clauses can be found, for example, at: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A02010D0087-20161217 (as of 31.03.2021).

The legal basis for data processing is Article 6 Para. 1 lit. f GDPR based on our legitimate interest in effective customer service, for statistical analysis of user behavior and for optimization purposes of our offers. You have the right at any time to object to the storage of data for the purpose of storing a pseudonymized usage profile with effect for the future. To do so, please send an e-mail to the e-mail address given under "Name and address of the controller".

For more information about data protection at DialogShift, please visit: https://www.dialogshift.com/en/gdpr

§ 7 Newsletter (Message in a bottle)

(1) If you would like to subscribe to the newsletter offered on this website, we will need from you an e-mail address as well as information that allow us to verify that you are the owner of the e-mail address provided and consent to the receipt of the newsletter. No further data shall be collected or shall be collected only on a voluntary basis. We shall use such data only for the sending of the requested information and shall not share such data with any third parties.

(2) The processing of the information entered into the newsletter subscription form shall occur exclusively on the basis of your consent (Art. 6 Sect. 1 lit. a GDPR). You may revoke the consent you have given to the archiving of data, the e-mail address and the use of this information for the sending of the newsletter at any time, for instance by clicking on the "Unsubscribe" link in the newsletter. This shall be without prejudice to the lawfulness of any data processing transactions that have taken place to date.

(3) The data you archive with us for the purpose of the newsletter subscription shall be archived by us until you unsubscribe from the newsletter. Once you cancel your subscription to the newsletter, the data shall be deleted. This shall not affect data we have been archiving for other purposes.

(4) Revinate is a service that can be used to organize and analyze the sending of newsletters. The data you have entered for the purpose of subscribing to our newsletter (e.g. e-mail address) are stored on servers of Revinate in the USA. Revinate complies with the "EU-US Privacy Shield". The Privacy Shield is an agreement between the European Union (EU) and the US to ensure compliance with European privacy standards in the United States.

(5) Newsletters we send out via Revinate allow us to analyze the user patterns of our newsletter recipients. Among other things, in conjunction with this, it is possible how many recipients actually opened the newsletter e-mail and how often which link inside the newsletter has been clicked. With the assistance of a tool called Conversion Tracking, we can also determine whether an action that has been predefined in the newsletter actually occurred after the link was clicked (e.g. purchase of a product on our website). The data is processed based on your consent (Art. 6 Sect. 1 lit. a GDPR). You may revoke any consent you have given at any time by unsubscribing from the newsletter. This shall be without prejudice to the lawfulness of any data processing transactions that have taken place prior to your revocation. If you do not want to permit an analysis by Revinate, you must unsubscribe from the newsletter. We provide a link for you to do this in every newsletter message.

(6) The data you archive with us for the purpose of the newsletter subscription shall be archived by us until you unsubscribe from the newsletter. Once you cancel your subscription to the newsletter, the data shall be deleted from our servers as well as those of Revinate. This shall not affect data we have been archiving for other purposes.

(7) For more details, please consult the Data Protection Statement of Revinate at: https://www.revinate.com/privacy/. Execution of a contract data processing agreement. We have entered into a contract Data Processing Agreement with Revinate and implement the strict provisions of the EU General Data Protection Regulation to the fullest when using Revinate.

§ 8 Restaurant reservation

(1) On our website a form is available for making a reservation in our restaurant. If you make use of this opportunity, the data entered in the input mask will be transmitted to us and saved. The data we collect:
a) Desired time of reservation
b) Salutation
c) E-mail address
d) Name
e) Phone number
f) Number of persons
d) (Message)

At the time of sending the message, the following data is also stored - anonymized:
a) IP address of the user
b) Date and time of registration

For the processing of the data, your consent is obtained within the transmission process and reference is made to this data protection statement.

(2) The database is provided by Bookatable GmbH & Co. KG, Deichstr. 48-50, 20459 Hamburg, Germany, www.bookatable.com, an online service for booking restaurant reservations. The data booked via the platform will be forwarded to the company. The controller is the Bookatable Limited, 5th FL Elizabeth House, 39 York Road, London SE1 7NQ, United Kingdom. The data protection officer can be reached at legal@bookatable.com.

(3) Legal basis for the processing of data is the fulfilment of reservation agreement and thus Art. 6 para. 1 sentence 1 lit. b) of the GDPR.

(4) Processing of personal data from the input mask serves us to process the reservation request. Bookatable itself uses the data to offer you reservation services and to pass on your reservation to our restaurant. Furthermore, the data is used to indicate the earlier table reservations and cancellations. The other personal data processed during the transmission process serve to prevent misuse and to ensure the security of our information technology systems.

(5) The data will be deleted as soon as it is no longer necessary for the achievement of the purpose for which it is collected. This is the case for the personal data from the input mask when 3 years have passed since the last table reservation. Then the data will also be deleted from Bookatable. If new data is communicated, the data will be updated, which means that the cancellation period starts on the expiry of the three-year-period from the date of the last update.

§ 9 SSL encryption

Our website uses SSL encryption with regard to transmission of confidential or personal data. This encryption is used, for example, in payment transactions as well as in inquiries to us via this website. It is your responsibility to control and to make sure that this encryption is actually enabled and working. The status of the encryption is recognizable in the browser line, which changes in case of encryption from "http://" to https://. When encryption is enabled, your data is not readable by third parties. If the encryption is not activated, please do not hesitate to contact us via another way of contact.

§ 10 Room reservation

(1) For the room reservations through our website we have engaged the online service cBooking of HotelNetSolutions GmbH, Genthiner Str. 8, 10785 Berlin, Germany, www.hotelnetsolutions.de.

(2) If you want to book a room in our hotel, it is necessary for the conclusion of the contract that you provide such personal information which we need to process your booking. Mandatory data required for the execution of the contracts are marked separately, other details are voluntary. The data is entered into an input mask and transmitted to us and stored. The following data will be collected when making a booking:
a) IP address of the user
b) Date and time of the booking
c) Room category and number of persons
d) Desired dates for the stay
e) If necessary, additional matters (arrangements, restaurant, equipment)
f) If necessary, message to the hotel (special wishes)
g) Salutation
h) Name of the person making the booking
i) Name of the person intending to stay in the hotel (is different from the booking person)
j) Address
k) E-mail address
l) Phone number
m) If applicable, different billing address
n) Country
o) Credit card details

(3) The data will also be forwarded to the provider of the online service cBooking as well as to payment service providers (see Section 11). In general, the data is passed on to third parties only if the disclosure is necessary for the purpose of executing a contract, or for billing purposes, or to collect a fee, or if you have expressly given your consent to it. In this regard we pass on only the data required in each specific case.
Categories of data recipients are
a) the respective delivery / mail order company (disclosure of name and address)
b) debt collection agencies, if the payment must be collected forcibly (disclosure of name, address and order details)
c) payment institutions for the purpose of collecting debts, insofar as you have chosen direct debit as the method of payment
d) payment service providers - depending on the choice of payment method.

(4) The legal basis is provided by the Art. 6 para. 1 sentence 1 lit. b) of the GDPR. With regard to the voluntary data, the legal basis for the processing of the data is Art. 6 para. 1 sentence 1 lit. a) of the GDPR. There is a contract for processing reservations/orders between the controller and cBooking.

(5) The collected compulsory information is required to perform the contract with the user (for the purpose of sending the goods and confirming the content of the contract). We use for this reason the data to answer your inquiries, to process your booking, also when appropriate to check the creditworthiness, or the recovery of a claim, as well as for the purpose of technical administration of the websites. The voluntary information is provided to prevent misuse and, where appropriate, to help clearing up criminal offences. We may also process the information you provide to inform you about other interesting products in our portfolio, or to send you e-mails containing information.

(6) The data will be deleted as soon as it is no longer necessary for the achievement of the purpose for which it is collected. Due to commercial and tax regulations, we are obliged to save your address, payment and order data for a period of ten years after execution of the contract. However, after 3 years, we restrict processing, i.e. your data will only be used to comply with legal obligations. If there is a continuing obligation between us and the user, we store the data during the entire contract period, and for a period of ten years thereafter (see above). With regard to the data provided voluntarily, we will delete the data on the expiry of the three-year-period from the date of the execution of the contract, insofar as no further contract is concluded with the user during this time; if this is the case, the data will be deleted when 3 years have passed after the date of execution of the last contract.

(7) If the data are necessary for the fulfilment of a contract or for the execution of pre-contractual measures, a premature deletion of the data is only possible, insofar as contractual or legal obligations do not preclude a deletion. Otherwise, you are free to have the personal data provided on registration deleted from the database of the controller as stated in the Section 1. With regard to the voluntary data, you can at any time withdraw your consent to processing by giving a notice to the controller as stated in the Section 1. In this case the voluntarily given data will be deleted immediately.

§ 11 E-Mail Assistant (Hotel Resbot)

On our website, we use a service of the provider Hotel Res Bot UG (haftungsbeschränkt), Mönchsgasse 48, 50737 Cologne (hereinafter referred to as "HERA").

HERA is a Hotel Email Reservation Assistant that scans our incoming emails and summarises available offers before our reservations staff even see the email. However, HERA is not able to respond fully automatically to all emails to our property - some still need to be managed by the hotel team. This add-in helps us by automatically extracting the most important information from the incoming email. As soon as you send us a booking request via email, HERA checks our hotel system for valid offers, puts them into an email, the reservation staff customises this offer to you and sends it to the requester.

We process your data for the quick and efficient handling of your reservation request, which is our legitimate interest. The legal basis for the processing in this respect is Art. 6 Para. 1 lit. f GDPR. Otherwise, the legal basis for the processing of your personal data related to your reservation or reservation request is the performance of the contract or the implementation of pre-contractual measures pursuant to Art. 6 Para. 1 lit. b GDPR. There is a Data Processing Agreement ("DPA") between us and Hotel Res Bot UG (haftungsbeschränkt) pursuant to Art. 28 Para. 3 GDPR.

Your data will be deleted as soon as it is no longer required to achieve the purpose for which it was collected. Due to commercial and tax regulations, we are obliged to store your address, payment and order data for a period of 10 years after the contract has been carried out. However, after 6 years, we restrict processing, i.e. H. Your data will only be used to comply with legal obligations. If there is a permanent obligation between us and the user, we save the data for the entire term of the contract and for a period of ten years thereafter (see above). With regard to the voluntarily provided data, we will delete the data 6 years after the contract has been executed, provided that no further contract is concluded with the user during this time; In this case, the data will be deleted 6 years after the last contract has been carried out.

If the data is necessary to fulfill a contract or to carry out pre-contractual measures, the data can only be deleted prematurely unless there are contractual or legal obligations to prevent deletion. Otherwise, you are free to have the personal data provided during registration completely deleted from the data base of the person responsible. Regarding the voluntary data, you can revoke your consent to the person responsible at any time. In this case, the voluntary data will be deleted immediately.

Information on data protection at HERA can be found here: https://www.hotel-reservation-bot.de/en-privacy-policy/

§ 12 Voucher/ ticket shop

(1) For the purpose of ordering vouchers we have integrated on our website voucher and ticket system of the company Incert eTourismus GmbH & Co. KG, Leonfeldnerstr. 328, A-404 Linz, Austria, www.incert.at.

(2) If you order vouchers from us, it is necessary for the conclusion of the contract that you provide such personal data that we need for the processing of your order. Mandatory data required for the execution of the contracts are marked separately, other details are voluntary. The data is entered into an input mask and transmitted to us and stored. The following data will be collected when making an order:
a) IP address
b) date and time of booking
c) salutation
d) if applicable, title(s)
e) name
f) date of birth
g) address
h) e-mail address
i) phone number
j) country
k) vouchers purchased
l) method of payment
m) date of booking
n) price/amount
o) gift cards
p) if applicable, deviating billing address
q) if applicable, further data depending on the method of payment -> see under Payment services

(3) In general, the data is passed on to third parties only if the disclosure is necessary for the purpose of executing a contract, or for billing purposes, or to collect a fee, or if you have expressly given your consent to it. In this regard we pass on only the data required in each specific case. Categories of data recipients are
a) the respective delivery / mail order company (disclosure of name and address)
b) debt collection agencies, if the payment must be collected forcibly (disclosure of name, address and order details)
c) payment institutions for the purpose of collecting debts, insofar as you have chosen direct debit as the method of payment
d) payment service providers - depending on the choice of payment method.

(4) Legal basis is Art. 6 para. 1 sentence 1 lit. b) of the GDPR. With regard to the voluntary data, the legal basis for the processing of the data is Art. 6 para. 1 sentence 1 lit. a) of the GDPR. A contract for processing orders was concluded between the controller and the company Incert.

(5) The collected compulsory information is required to perform the contract with the user (for the purpose of sending the goods and confirming the content of the contract). We use thus the data to answer your inquiries, to process your booking, when appropriate to check the creditworthiness, or the recovery of a claim, as well as for the purpose of technical administration of the websites. The voluntary information is provided to prevent misuse and, where appropriate, to help clearing up criminal offences. We may also process the information you provide to inform you about other interesting products in our portfolio, or to send you e-mails containing information.

(6) The data will be deleted as soon as it is no longer necessary for the achievement of the purpose for which it is collected. Due to commercial and tax regulations, we are obliged to save your address, payment and order data for a period of ten years after execution of the contract. However, after 7 years, we restrict processing, i.e. your data will only be used to comply with legal obligations. If there is a continuing obligation between us and the user, we store the data during the entire contract period, and for a period of ten years thereafter (see above). With regard to the data provided voluntarily, we will delete the data on the expiry of the seven-year-period from the date of the execution of the contract, insofar as no further contract is concluded with the user during this time; if this is the case, the data will be deleted when 7 years have passed after the date of execution of the last contract.

(7) If the data are necessary for the fulfilment of a contract or for the execution of pre-contractual measures, a premature deletion of the data is only possible, insofar as contractual or legal obligations do not preclude a deletion. Otherwise, you are free to have the personal data provided on registration deleted from the database of the controller as stated in the Section 1. With regard to the voluntary data, you can at any time withdraw your consent to processing by giving a notice to the controller as stated in the Section 1. In this case the voluntarily given data will be deleted immediately.

§ 13 Payment services

We have integrated payment services on our site. The integration solution is encrypted.

13.1 PayPal
(1) We have integrated PayPal components on this website. PayPal is an online payment service provider. Payments are made through virtual private or business accounts. In addition, PayPal allows you to process virtual payments through credit cards, if you do not have a PayPal account. A PayPal account is managed via an email address, which is why there is no classical account number. PayPal makes it possible to trigger online payments to third parties or to receive payments. PayPal also takes on trustee duties and offers buyer protection services.
The European operating company of PayPal is PayPal (Europe) S.à.r.l. & Cie. S.C.A., 22-24 Boulevard Royal, 2449 Luxembourg, Luxembourg.

(2) If you select "PayPal" as a payment option during the order process in our online shop, your data will be automatically transmitted to PayPal. By selecting this payment option, you consent to the transfer of personal data required for payment processing.

(3) The personal data transmitted to PayPal are usually first name, last name, address, email address, IP address, telephone number, mobile phone number or other data required for payment processing. For the execution of a purchase contract necessary details include personal data, which are in connection with the respective order.

(4) The purpose of the transmission of the data is payment processing and fraud prevention. We will transfer personal data to PayPal particularly if there is a legitimate interest in the transmission.

(5) PayPal may disclose, if necessary, personal information to affiliated companies and service providers or subcontractors, insofar as it this is required to fulfil the contractual obligations or to process the data on behalf of the controller.

(6) The data subject has at any time the opportunity to revoke the consent to the handling of personal data to PayPal. A revocation has no effect on personal data that must be processed, used or transmitted for (contractual) payment processing.

(7) The applicable privacy policy of PayPal is available at https://www.paypal.com/webapps/mpp/ua/privacy-full.

13.2 Credit card
(1) We have integrated on our website components for payment via credit card. These enable cashless payment for products and services on the Internet. The operating company is Concardis GmbH, Helfmann Park 7, 65760 Eschborn, www.concardis.com. For the payment procedure we use an encrypted interface between the hotel software and the Concardis GmbH. This interface is provided by 3C Payment Luxembourg S.A., 5-7 rue Léon Laval, L-3372 Leudelange, Grand Duchy of Luxembourg, www.3cpayment.com.

(2) If you select "credit card" as a payment option during the ordering process in our online shop, your data will be automatically transmitted to the credit card company. By selecting this payment option, you consent to the transfer of personal data required for payment processing.

(3) When making a purchase via credit card you submit your name, your credit card number, verification number and the expiration date of the credit card to the credit card company. The processing is done in encrypted form. Subsequently the credit card company proceeds with the payment to us after a technical check.

(4) The purpose of the transmission of the data is merely the processing of payments.

(5) For more information, please visit www.concardis.com.

13.3 Klarna
(1) We have included components from Klarna on our website. Klarna is an online payment service provider that allows you to buy on account or with flexible payment by instalments. In addition, Klarna offers other services such as buyer protection, or identity and credit checks. If you select during the booking process either "Purchase on account" or "Installment purchase" as a payment option, your data is automatically transmitted to Klarna. By selecting one of these payment options, you consent to the transfer of personal data required to process the invoice or instalment purchase, or to identity and credit checks.

(2) Operating company is Klarna AB, Sveavägen 46, 111 34 Stockholm, Sweden.

(3) Personal data transmitted to Klarna are usually:
a) name
b) address
c) date of birth
d) gender
e) e-mail address
f) IP address
g) phone number and
h) if applicable, other data which are necessary for processing an invoice or an instalment purchase.

(4) The execution of a purchase contract also requires personal data, which are necessary in connection with the respective order. In particular, mutual exchange of payment information may emerge, including e.g. bank details, card number, expiry date and CVC code, number of items, article number, data on goods and services, prices and taxation, information on previous purchasing behaviour or other information about your financial situation.

(5) The purpose of the data transmission is, in particular, to verify identity, to administer payments and to prevent fraud. We will transmit your data to Klarna especially if there is a legitimate interest in the transmission. The personal data exchanged between Klarna and us are transmitted by Klarna to credit reference agencies. Aim of this transmission is to check identity and creditworthiness.

(6) Klarna also transfers the personal data to affiliated companies (Klarna Group) and service providers or subcontractors, insofar as this is necessary to fulfil the contractual obligations, or to process the data on behalf of the controller.

(7) To decide on the establishment, implementation or termination of a contractual relationship, Klarna collects and uses data and information about the previous payment behaviour of the data subject. Data and information are also used and collected on hand of behaviour scores to predict future behaviour (so-called scoring). Calculations of the scoring are carried out on the basis of scientifically recognized mathematical and statistical methods.

(8) You have the option of revoking the consent to the handling of personal data in relation to Klarna at any time. A revocation has no effect on personal data that indispensably must be processed, used or transmitted for (contractual) payment processing.

(9) Klarna's applicable privacy policy can be found at https://cdn.klarna.com/1.0/shared/content/policy/data/en_en/data_protection.pdf.

13.4 Concardis

We use the payment service provider ConCardis from ConCardis GmbH, Helfmann-Park 7, 65760 Eschborn (hereinafter "ConCardis") for payment processing. ConCardis is certified according to the "Payment Card Industry Data Security Standard (PCI DSS)" of the credit card companies in order to guarantee the data security of credit card data.
With ConCardis we integrate the payment method credit card payment. If you send a payment request on our website, ConCardis will forward the payment information you have provided to your credit card provider.
Further information on data protection in connection with credit card payments and ConCardis can be found in the data protection conditions of your credit card provider and here:
https://www.concardis.com/de-en/protecting-your-data

§ 14 Data disclosure

We are responsible for the collection, processing and use of personal data of participants, provided that we process the data ourselves. We will use the personal details of a participant as well as his other personal data only within the scope of statutory provisions of data protection laws. We will only store, process and use the information insofar as this is necessary for the implementation of raffles or prize competitions, or if the participant has given his consent. This also includes usage of the data for exercising the granted rights of use. The data will be used exclusively for the implementation of a raffle and will be deleted afterwards. A transfer of personal data to third parties, or usage beyond the processing of the raffle, takes place only on legal claim, or in legal implementation according to Art. 28 of the GDPR. If forwarding data to third parties is required, the consent of the participant is deemed to have been granted in this respect. The participant may at any time request information about the data stored about his person.
Apart from that, our privacy policy is consistent with the one on our website.

14.1 Links to external websites
This website contains links to external sites. We are responsible for our own contents. We have no control over the contents on external links, and therefore we are not responsible for those, in particular, we do not adopt their content as our own. If you are directed to an external site, the privacy policy provided there applies. If you notice illegal activities or contents on this page, you are welcome to inform us. In this case, we will review the contents and react accordingly (Notice and take down procedure).

14.2 Rented server space
Please note that we use rented server space of the provider xport communication GmbH, Stechgrundstraße 2a, 01324 Dresden, Germany, www.xport.de. By visiting the website, the provider of the server space receives the following information:
a) browser type
b) operating system used
c) address of the origin
d) time of the server request
e) host name of the accessing computer
These are automatically stored by the rented server in so-called server log files (see Section 3), which your browser automatically transmits.

14.3 Google Maps
On this website we use the offer of Google Maps Google Inc. (Google Inc., 1600 Amphitheater Parkway Mountain View, CA 94043, USA). This allows us to show you interactive maps directly on the website and makes the use of the map feature convenient for you. By visiting the website, Google receives the information that you have accessed the corresponding sub-page of our website.
The following data are transmitted in this context:

a) Device-specific information, such as the hardware used; the version of the operating system; unique device ID and information about the mobile network including your phone number.
b) Log data in the form of server logs. These include, among other things, details of the way the services were used, such as search queries; IP address; hardware settings; browser type; browser language; date and time of your request; original page; cookies that can be used to clearly identify your browser or Google Account
c) Location related information. Information about your actual location may be collected by Google. This data include, for example, your IP address, your Wi-Fi access points or mobile phone masts.
d) For more information about the data collected by Google, INC, please see the following link: https://policies.google.com/privacy?hl=en&gl=en

This occurs regardless of the matter whether Google provides a user account that you are logged in to, or if there is no user account. When you're logged in to Google, your data will be assigned directly to your account.

Legal basis for the processing of personal data is Article 6 (1) lit. P.1 of the GDPR. Google also processes your personal information in the United States and has committed itself to obey the EU-US Privacy Shield, https://www.privacyshield.gov/EU-US-Framework.

Google stores your data as usage profiles and uses them for purposes of advertising, market research and / or tailor-made website design. Such an evaluation is carried out in particular (even for users who are not logged in) to provide appropriate advertising, and to inform other users of the social network about your activities on our website. If you do not wish to be associated with your profile on Google, you must log out before activating the button.

You have the right to object to the creation of these user profiles, however, to exercise this right you must address the request to Google.
The duration of the storage depends on the storage periods of Google.

The processor is Google Dublin, Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland. For more information on the purpose and scope of the data collection and its processing by the plug-in provider, please refer to the privacy policy of the provider. You can also find out more about your rights and settings available to protect your privacy using this link: http://www.google.com/intl/en/policies/privacy.

14.4 Einbinden von Vimeo-Videos
We have included in our online services Vimeo videos, which are stored on www.vimeo.com and can be played directly from our website. Vimeo is operated by Vimeo, LLC, headquartered at 555 West 18th Street, New York, New York 10011, USA. Clicking on a video will establish a connection to Vimeo's US-based servers. The following data are transmitted in this context:
a) visited websites
b) IP address, browser information
c) date and time of your request
d) original page
e) cookies through which your browser can unambiguously identified

More information about the data collected by Vimeo can be found using the following link: https://vimeo.com/privacy.
If you are logged in to Vimeo as a member, your data will be assigned directly to your account. Furthermore, Vimeo allows, for example, the rating or sharing of videos, if you log in with your user account at Vimeo or at other social networks (e.g. Facebook, Twitter, etc.)

The legal basis for the processing of personal data is provided by Art. 6 para. 1 sentence 1 lit. a) of the GDPR.
Integration of videos on our website serves the purpose of making the website more graphic for the user. Vimeo stores your data in form of a usage profile, and uses the data for following purposes: advertising, market research and / or tailor-made design of its own website. Such an evaluation is carried out in particular to provide appropriate advertising, and to inform other users of the social network about your activities on our website. If you do not wish to be associated with your profile on Vimeo, you must log out from the Vimeo account before using our website and also delete the related cookies of Vimeo.
The duration of the storage depends on the storage periods of Vimeo.
You have the right to object to the creation of these user profiles, however, to exercise this right you must address the request to Vimeo. The same applies to the right of objection of data processing. If you do not want to have your data collected, you should log out from your user account at Vimeo or you should not click the button “Vimeo”.
For further information on data processing and tips for privacy protection applied by Vimeo, please see the following link: https://vimeo.com/privacy.

§ 15 Web analysis of Google Analytics

(1) We use on our website services of Google Inc. (Google Inc., 1600 Amphitheatre Parkway Mountain View, CA 94043, USA) for the purpose of analysing internet surfing behaviour of the users of our website. The software places a cookie on your computer (please see the Section 4 about cookies). From all the individual pages the user has visited following data will be stored:
a) 2 bytes of the IP address of the calling system of the user
b) the website visited
c) entry pages, exit pages
d) length of stay on the website and exit rate
e) frequency of calling the website
f) country of origin and regional origin, language, browser, operating system, screen resolution, usage of Flash or Java
g) used search engines and terms used for searches

(2) The information generated by the cookie about the use of this website by the users is usually transmitted to a Google server in the USA and stored there. This website uses Google Analytics with the extension "_anonymizeIp ()". The software is set so that the IP addresses are not saved in their entirety, but only in a shortened form. In this way, an assignment of the shortened IP address to the calling computer is no longer possible. Only in exceptional cases will the full IP address be sent to a Google server in the US and shortened there. However, the IP address transmitted by your browser to Google Analytics will not be merged with other data held by Google.

(3) Legal basis for the processing of personal data is provided by Art. 6 (1) sentence 1 lit. f) of the GDPR. For the exceptional cases in which personal data are transferred to the US, Google has committed itself to obey the EU-US Privacy Shield, https://www.privacyshield.gov/EU-US-Framework.

(4) Google will use this information on our behalf to evaluate your use of the website, and to compile reports on website activity. By evaluating the data obtained, we are able to compile information about the use of the individual components of our website. This helps us to constantly improve our website and make it more user-friendly. These purposes justify our legitimate interest in the processing of the data. The anonymisation of the IP address sufficiently takes into account the interest of the user what comes to the protection of his personal data.

(5) The data will be deleted as soon as they are no longer needed for our record-keeping purposes. As far as we are concerned, this is the case after 14 months.

(6) The used cookies are stored on your computer and transmitted by this to our site. If you disagree with the collection and analysis of the usage data, you can prevent this by setting your browser software accordingly by deactivating or restricting the use of cookies. Already saved cookies can be deleted at any time. However, doing this may result in a situation in which you are not able to use all features of this website in full. You may also restrict Google from collecting data generated by the cookie and related to your use of the website (including your IP address), and moreover, you can also restrict Google from processing this data by downloading the browser plug-in available at the following website and by installing it. The current link is: "https://tools.google.com/dlpage/gaoptout?hl=en."

(7) If you visit our website with your mobile device, here too, you can object to the use of data by deactivating Google Analytics, which can be done by clicking on the following link: Google Analytics deaktivieren. As a result a cookie is set in your browser, and this cookie sends a message to Google to stop the tracking.

(8) The controller is Google Dublin, Google Ireland Ltd, Gordon House, Barrow Street, Dublin 4, Ireland. For more information, see the terms of use at https://www.google.com/analytics/terms/en.html, the overview of data protection at http://www.google.com/intl/en/analytics/learn/privacy.html and the privacy policy at https://www.google.com/intl/en/policies/privacy.

(9) We use Google Analytics only with your consent. You can revoke the consent which you have once given by

  • preventing the storage of cookies by setting your browser software accordingly; however, we point out that in this case you may not be able to use all functions of our website in full;
  • downloading and installing a browser plug-in available at the following link: http://tools.google.com/dlpage/gaoptout?hl=de or
  • clicking this link: Google Analytics deaktivieren to prevent Google Analytics tracking on our website in the future. In doing so an opt-out cookie is stored in your browser. Please note that you must activate the opt-out cookie in each browser you use on all of your devices and if necessary, you must re-activate it if you delete all cookies in a browser.


§ 16 Bing Ads Conversion Tracking

(1) We use the Bing Ads service on our website. It is an analysis service of Microsoft Corporation, One Microsoft, Redmond, WA 98052-6399, USA. The service allows us to track your activity on our website, provided that you have accessed our website through advertisements from Bing Ads. The software sets a cookie on your computer (for cookies see Section 4). This tells us and Microsoft that a person has clicked on the ad, and that this person has been redirected to our site, and also the fact from which site the person comes to our site. We also learn the total number of users who clicked on an ad and were redirected to us.

(2) Neither Microsoft nor we receive personal data.

(3) The information generated by the cookie about the use of this website is usually transmitted to a server in the USA and stored there.

(4) The information collected by means of the conversion cookie is used to generate statistics for us. By analysing the data obtained we are able to compile information about the use of our advertisements. These purposes justify our legitimate interest for the data processing.

(5) Legal basis for the processing of personal data is provided by Art. 6 (1) sentence 1 lit. f) of the GDPR.

(6) The used cookies are stored on your computer and transmitted by this to our site. If you disagree with the collection and analysis of the usage data, you can prevent this by setting your browser software accordingly by deactivating or restricting the use of cookies. Cookies which have already been stored can be deleted at any time. However, doing this may result in a situation in which you are not able to use all features of this website in full.

(7) Third party service provider is Microsoft Corporation, One Microsoft, Redmond, WA 98052-6399, United States. For more information, see the privacy policy at https://privacy.microsoft.com/en-us/privacystatement.

§ 17 Facebook-, Custom Audiences and Facebook Marketing Services (Tracking Pixel)

(1) Within the scope of our online offer we have placed on our website the so-called Facebook pixel created by the social network Facebook, operated by Facebook Inc., 1 Hacker Way, Menlo Park, CA. 94025, USA, or if you are located in the EU, operated by Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbor, Dublin 2, Ireland ("Facebook"), with the purpose of pursuing our legitimate interests in the analysis, optimisation and cost-effective operation of our online offer.

(2) With the help of the Facebook pixel, it is on the one hand possible for Facebook to assess the visitors to our website as a target group for display of advertisements (so-called "Facebook ads"). Accordingly, we use the Facebook pixel to display the Facebook Ads we have inserted only to those Facebook users who have shown interest in our online offering, or who have certain features (e.g. interest in certain topics or products based on the websites visited by them). We transmit data about before mentioned users to Facebook (so-called "Custom Audiences"). By means of the Facebook pixel we also want to make sure that our Facebook ads are in line with the potential interest of users and that the ads are not annoying. With the help of the Facebook pixel, we can also understand effectiveness of Facebook ads for statistical and market research purposes whereby we see, whether users were redirected to our website after clicking on a Facebook ad (so-called "conversion"). This belongs to our legitimate interests.

(3) The Facebook pixel is integrated when calling our website directly through Facebook, and it can store on your device a so-called cookie, i.e. a small file. If you subsequently log in to Facebook or visit Facebook in the logged-in state, the visit to our online offer will be noted in your profile. The data collected about you are anonymous to us, and do not therefore give us any conclusions about the identity of the users. However, the data is stored and processed by Facebook, so that a connection to the respective user profile is possible, and the data can be used by Facebook as well for its own market research and advertising purposes. If we should send data to Facebook for cross-checking purposes, they will be encrypted locally in the browser and only then sent to Facebook via a secure https connection. This is done solely with the purpose of crosschecking the data which Facebook likewise has encrypted.

(4) Furthermore, when using the Facebook pixel we use the additional function "Advanced Matching” to transfer data (such as telephone numbers, e-mail addresses or Facebook IDs of the users) for establishment of target audiences ("Custom Audiences" or "Look Alike Audiences") to Facebook (encrypted). For more information about "Advanced Matching", please see: https://www.facebook.com/business/help/611774685654668.

(5) Legal basis for the processing of the data is Art. 6 para. 1 sentence 1 lit. f) of the GDPR and GDPR Art. 6 para. 1 sentence 1 lit. a). Facebook is certified under the Privacy Shield Agreement, which gives a guarantee of compliance with European privacy legislation (https://www.privacyshield.gov/participant?id=a2zt0000000GnywAAC&status=Active).

(6) Also on the basis of our legitimate interests (Article 6 (1) (f) GDPR) and your consent according to Art. 6 para. 1 lit. a) of the GDPR), we use the tool "Custom Audiences from File" of the social network Facebook, Inc. In this case, the e-mail addresses of the newsletter recipients are uploaded to Facebook. The upload process is encrypted. The upload is used solely to identify recipients of our Facebook ads. We want to make sure that the ads are only displayed to users who are interested in our information and services.

(7) The processing of the data by Facebook is part of Facebook's data use policy. Accordingly, general instructions on how to display Facebook Ads can be found in Facebook's Data Use Policy: https://www.facebook.com/policy.php. For specific information and details about the Facebook Pixel and how it works, visit the Facebook Ads Help Center: https://www.facebook.com/business/help/651294705016616.

(8) You may object to the capture of data by the Facebook Pixel, and to the use of your data for the purpose of displaying Facebook Ads. To set which types of ads you see in Facebook, you can go to the page set up by Facebook and follow the instructions for the usage-based advertising settings: https://www.facebook.com/settings?tab=ads. The settings are platform independent, i.e. they are adopted for all devices, such as desktop computers or mobile devices.

§ 18 Google Marketing & Remarketing Services

(1) Based on our legitimate interests (i.e. interest in analysis, optimization and economic operation of our online services subject to Art. 6 (1) (f) GDPR) we use the marketing and remarketing services of Google Inc. (Google Inc., 1600 Amphitheater Parkway Mountain View, CA 94043, USA), shortened as "Google Marketing Services ".

(2) Google Marketing Services enable us to better target advertisements on our website to show only ads that are potentially relevant to interests of a website user. If ads are displayed to a user for products he's been interested in on other websites, this is called remarketing. For these purposes, so-called "Web Beacons" are integrated into the website when you call our website or other websites on which Google Marketing Services is active. With the help of web beacons an individual cookie, i.e. a small file (or instead of cookies, comparable technologies can be used) is stored on your device. This file indicates which web pages you visited, what content you are interested in and what kind of offers you clicked, it takes also notice of technical information of the browser and operating system, referring web pages, time spent on the website and other information on the use of online services. These are also our legitimate interests. Your IP address will also be recorded, but we inform you in regard to Google Analytics that the IP address will be truncated within member states of the European Union, or other parties to the Agreement on the European Economic Area, and only in exceptional cases will the IP address transferred to a server of Google in the US and shortened there. The IP address will not be merged with your data in other Google online services. The above information may, however, also be linked by Google with corresponding information from other sources. If you subsequently visit other websites, ads tailored to your interests may be displayed to you.

(3) The data of the users are processed pseudonymised by Google marketing services, i.e. Google stores and processes e.g. not your name or e-mail address, but relevant cookie-related data within pseudonymous user profiles. From the perspective of Google, the ads are not managed and displayed to a specifically identified person, but to the cookie owner, regardless of who that cookie owner is. This does not apply, if a user has expressly allowed Google to process the data without this pseudonymisation. The information collected about you by Google Marketing Services is transmitted to Google and stored on Google servers in the United States. Due to the pseudonymised storage of the data, your interests as a user are sufficiently safeguarded.

(4) In addition, we may use the "Google Tag Manager" to integrate and manage analysing and marketing services of Google on our website.

(5) Legal basis for the processing of the data is Art. 6 para. 1 sentence 1 lit. f) GDPR and Art. 6 para. 1 sentence 1 lit. a) GDPR. Google is certified in accordance with the Privacy Shield Agreement, which guarantees compliance with European privacy legislation (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active).

(6). The controller is Google Dublin, Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland. For more information about Google's data usage for marketing purposes, see the overview page: https://www.google.com/policies/technologies/ads. Google's Privacy Policy is located at https://www.google.com/policies/privacy.

(7) If you wish to opt-out of interest-based advertising provided by Google Marketing Services, you can use Google's settings and opt-out options: http://www.google.com/ads/preferences.

§ 19 Google DoubleClick

(1) This website uses Google DoubleClick. It is a service for the integration of Google advertising by Google Inc. (Google Inc., 1600 Amphitheater Parkway Mountain View, CA 94043, USA). DoubleClick transfers data to the DoubleClick server of each impression and each click, or of another activity. Each of these data transfers triggers a cookie request to your browser. If the browser accepts this request, DoubleClick sets a cookie (see Cookies, Section 4). Your browser will be assigned a pseudonymous identification number (ID) to check which ads have appeared in your browser and which ads have been viewed. Cookies enable Google and its affiliate websites, including us, to display ads based on previous visits to our website or to other websites. Each time you visit any of our individual pages that incorporate a DoubleClick component, the Internet browser will automatically be prompted to submit data to Google for the purposes of online advertising and settlement of commissions.

(2) It is also possible for DoubleClick by means of the identification cookies to track conversions. For example, conversions will be tracked if you previously have seen a DoubleClick ad, and then you are making a purchase on the advertiser's website using the same Internet browser.

(3) The cookies do not collect personal data. However, a DoubleClick cookie may contain additional campaign identifiers. A campaign ID identifies the campaigns you have already been dealing with.

(4) We have no influence on the collected data, nor are we aware of the full scope of data collection or time limit for the storage of data. Your data will be transmitted to the USA and evaluated there. If you are logged in with your Google Account, your details may be associated with it.

(5) Purpose of the cookie is to optimize and display advertisements that may be of interest to you in order to make our website more interesting to you and to finance it. The cookie may also be used to generate or improve reports on advertising campaigns and to avoid multiple overlays of the same advertisement.

(6) Legal basis for the processing of your data is Art. 6 para. 1 sentence 1 lit. f GDPR. For cases where personal information is transferred to the US, Google has committed itself to obey the EU-US Privacy Shield, please see at: https://www.privacyshield.gov/EU-US-Framework.

(7) You can disable Google DoubleClick cookie installation in several ways:
a) By setting your browser software accordingly. Especially the suppression of third-party cookies will prevent you from receiving any third-party advertisements; however, you may not be able to use all features of our websites in this case.
b) By permanent deactivation in your browsers Firefox, Internet Explorer or Google Chrome using the following link: https://www.google.com/settings/ads/plugin. We point out that in this case you may not be able to use all features of the website offer in full.

(8) The controller is Google Dublin, Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland. For more information on the purpose and scope of data collection and processing, as well as other information about your rights and settings available to protect your privacy, visit http://www.google.com/intl/en/policies/privacy.

§ 20 Google Adwords Conversion with Remarketing

(1) This website uses Google Adwords. It is a service for the integration of advertising by Google Inc. (Google Inc., 1600 Amphitheater Parkway Mountain View, CA 94043, USA).

(2) Google AdWords allows an advertiser to select keywords that display an ad on Google's search engine results only when the search engine retrieves a keyword-related search result. In the Google Display Network the ads are distributed to topic-relevant web pages using an automated algorithm and according to previously defined keywords..

(3) The aim of Google Adwords is to promote our website by displaying interest-based advertising on third-party sites, in the results of the search engine Google and in third-party advertisements on our site. It is in our interest to show you advertisements that are of interest to you, to make our website more interesting to you and to reach a fair calculation of advertising costs. These advertising materials are delivered by Google via so-called "ad servers". For this purpose, we use ad server cookies that measure certain performance parameters, such as display of advertisements or user clicks. If you access our website via a Google ad, Google Adwords will store a cookie on your PC. These cookies usually lose their validity after 30 days. This cookie stores usually for analysing purposes following parameters: the unique cookie ID, number of ad impressions per placement (Frequency), last impression (relevant to post-view conversions) and opt-out information (marking that the user no longer wants to be addressed).

(4) The cookies allow Google to recognise your internet browser (see also Section 4). If a user visits certain pages of an Adwords customer's website, and the cookie stored on his computer has not yet expired, Google and the customer can detect that the user clicked on the ad and was redirected to that page. Each Adwords customer is assigned a different cookie. Cookies cannot be tracked via the websites of Adwords customers. We receive only statistical evaluations provided by Google. By means of of these evaluations we can identify which of the used advertising measures are particularly effective. We do not receive any further data from the use of advertising material, and above all, we cannot identify the users on the basis of this information. If you're registered with a service provided by Google, Google may associate the visit with your account. Even if you are not registered with Google, or have not logged in, there is a chance that the provider will find and store your IP address. We ourselves do not collect and process any personal data in the aforementioned advertising activities.

(5) Due to the marketing tools used, your browser automatically establishes a direct connection to the Google server. We have no influence on the collected data, nor are we aware of the full scope of data collection or time limit for the storage of data. Your data is transmitted to and evaluated in the USA. By integrated AdWords Conversion, Google receives the information that you have accessed the relevant section of our website, or that you have clicked on an ad from us. Furthermore, both Google and we will receive information from the conversion cookie as to whether you generated any sales, if you came to our website through an AdWords advertisement.

(6) Remarketing: In addition to Adwords Conversion, we use the Google Remarketing application. This is a feature that allows us to show advertisements to internet users who have previously been on our website. The purpose of this is to display interest-relevant advertisements to you. This is done by means of cookies stored in your browser, through which your behaviour as a user during visits to various websites is recorded and evaluated by Google. With every visit to a website on which Google Remarketing's service has been integrated, the person's browser is automatically identified by Google. This is how Google detects your previous visit to our website. Within this technical process, Google gains knowledge of personal data, i.e. of your IP address or your surfing behaviour. The data, including your personal data, which has been collected in the context of remarketing and which may be stored by Google, will not be aggregated according to their own statements. However, also these data are transmitted to Google in the US and stored there.

(7) Legal basis for the processing of the data is Art. 6 para. 1 sentence 1 lit. f GDPR. For cases where personal data is transferred to the US, Google has committed itself to obey the EU-US Privacy Shield, please see at: https://www.privacyshield.gov/EU-US-Framework.

(8) You can prevent participation in this tracking process in several ways:
a) by setting your browser software accordingly, especially the suppression of third party cookies will prevent you from receiving any advertisements from third party vendors; however, you may not be able to use all features of our websites in this case.
b) by disabling the cookies for conversion tracking by setting your browser to block cookies from the domain "www.googleadservices.com", at https://www.google.com/settings/ads, however, these settings will be deleted when you delete your cookies;
c) by deactivating the interest-based ads of the providers that are participating in the “About Ads” self-regulatory campaign, please see at: http://www.aboutads.info/choices, however, this deactivation will be deleted when you delete your cookies;
d) by permanent deactivation in your browsers Firefox, Internet Explorer or Google Chrome using the link http://www.google.com/settings/ads/plugin. We point out that in this case you may not be able to use all features of this website in full.

(9) The controller is Google Dublin, Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland. For more information about privacy protection on Google, see http://www.google.com/intl/en/policies/privacy and https://services.google.com/sitestats.html. Alternatively, visit the Network Advertising Initiative (NAI) website at http://www.networkadvertising.org.

§ 21 Hotelchamp

In order to improve our online booking process and to personalize and optimize our interaction with you, we use the services of Hotelchamp B.V., Johan Huizingalaan 763, 1066 VH Amsterdam, Holland, a professional provider of online software and services.
In providing this service, Hotelchamp may process some of your personal data on our behalf. We and Hotelchamp can process data such as your e-mail address, IP address and your browser fingerprint in combination with your booking data and other interactions on our website to prepare content and offers that we think are relevant to you and can be appealing.
The legal basis is our legitimate interest in accordance with Art. 6 Para. 1 lit f GDPR, i.e. interest in secure and efficient provision and the optimization of our online booking process.
We have concluded a Data Processing Addendum (“DPA”) contract with Hotelchamp. In this we oblige Hotelchamp to protect the data of our customers and not to pass them on to third parties.
Further information can be found in Hotelchamp's data protection declaration at: https://www.hotelchamp.com/privacy-policy

§ 22 Vacancies

(1) We provide job advertisements on our website.

(2) You can send application documents to us via mail. In this context we process the information we receive from you and
a) the email address
b) if necessary, further information, which is transmitted via the e-mail.

(3) We do not conduct searches on you on the Internet (so-called background checks).

(4) In the course of the application process we will use no information stating racial and ethnic origin, political opinions, religious or ideological beliefs, trade union membership, nor genetic data, biometric data to unambiguously identify a natural person, health or sex life data, data on sexual orientation, pregnancy or family planning, age or gender. We ask you not to provide us with such information right from the outset.
Exceptions to the above mentioned are, if necessary, information on gender and possible severe disability. This information is necessary for us to take and respect protective measures or other actions required in order to comply with the legal requirements set for protection. However, you are under no circumstances obliged to provide us with such information.

(5) Your data will primarily be processed exclusively for the implementation of the application process. If your application is successful, the data becomes part of the personnel file and can be used for establishment and termination of employment relationship. If we are at the moment unable to provide you with employment, we process your data to defend ourselves against any legal claims, in particular on account of alleged discrimination in the application process. Insofar as you receive reimbursements, the corresponding accounting documents will be processed to fulfil retention obligations set by commercial or tax laws. Legal basis for data processing is Art. 6 para. 1 lit. b) GDPR, as far as the data are processed to make a decision on the establishment of an employment relationship, and as far as the data are then included in the employment relationship. If the data is stored to provide a security for claims, the legal basis is Art. 6 (1) lit. f) GDPR. Legitimate interest here is the access to documents providing evidence for possible defence. We process information and documents that are not required for the aforementioned purposes on the basis of your conclusive consent in accordance with Art. 6 para. 1 lit. a) GDPR, which you have given us by sending your application. If you receive reimbursements from us, legal basis is Art. 6 para. 1 lit. c) GDPR.

(6) Successful applications and employment relationship include necessary data that we store until the end of the employment relationship and for up to 3 years thereafter. The data concerning an application, which we had to opt for a rejection, we still process for a period of 6 months after having sent the letter of rejection to safeguard our legitimate interests. If a legal claim is lodged against us, we store the data until the legal process is completed. This also applies to the voluntarily obtained data. If you receive reimbursements, the corresponding accounting documents will be stored to fulfil retention obligations set by commercial or tax laws maximally until the 31st of March of the eleventh calendar year after the payment, and in the case of commercial and business letters or other tax-relevant documents until the seventh calendar year after their creation.

(7) With regard to data you have provided voluntarily, you have the right of revocation, which you at any time can exercise by consulting the controller pursuant to Section 1.

§ 23 Rights of the data subject

If your personal data is processed, you are a data subject as laid down in the GDPR and you have the following rights in relation to the controller referred to in Section 1:
‐ Right to access
‐ Right to rectification
‐ Right to restriction of processing
‐ Right to erasure
‐ Right to information
‐ Right to data portability
‐ Right to object to the processing
‐ Right to revoke the declaration of consent to data processing
‐ Right not to be subject to an automated decision including profiling
‐ Right to lodge a complaint with a supervisory authority

23.1 Right to access
(1) You may ask the controller to confirm if personal data concerning you is processed by us. If such processing is exists, you may at any time make a request to the controller free of charge and ask him about the personal data stored about you as well as the following information:
a) purposes of the processing for which the personal data are intended;
b) categories of personal data that are processed;
c) recipients or the categories of recipients to whom the personal data relating to you have been or will be disclosed;
d) planned duration of the storage of your personal data or, if specific information is not available, criteria for the determination of the retention period;
e) the existence of a right to rectification or erasure of personal data concerning you, of a right to restriction of processing by the controller, or of a right to object to such processing;
f) the existence of a right to lodge a complaint with a supervisory authority;
g) all available information on the origin of the data if the personal data are not collected from the data subject;
h) the existence of automated decision-making including profiling referred to in Article 22 (1) and (4) GDPR and - at least in those cases - substantial information about the scope of the data and the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

(2) You have the right to request information about the fact whether the personal data relating to you are transferred to a third country or an international organization. This transfer is subject to appropriate safeguards and you can therefore request to be informed about suitable safeguards referred to in Art. 46 GDPR.

(3) This right to access may be limited insofar as it is likely to rule out or seriously damage realisation of research or statistical projects, along with the fact that the restriction is necessary for serving research or statistical purposes.

23.2 Right to recitification
You have the right to demand immediate correction and / or completion from the controller, if the processed personal data that concern you are inaccurate or incomplete.
This right to rectification may be limited insofar as it is likely to rule out or seriously damage realisation of research or statistical projects, along with the fact that the restriction is necessary for serving research or statistical purposes.

23.3 Right to restriction of processing
(1) Under the following conditions you may require the controller to immediately restrict the processing of your personal data:
a) if you contest the accuracy of your personal information for a period of time that enables the controller to verify the accuracy of your personal data;
b) the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead;
c) the controller no longer needs the personal data for the purposes of the processing, but you need them to establish, exercise or defend legal claims; or
d) if you have objected to the processing pursuant to Art. 21 (1) GDPR and it is still pending whether the legitimate reasons of the controller override your reasons.

(2) If the processing of personal data concerning you has been restricted, this data may only be used with your consent or for the purpose of establishing, exercising or defending legal claims or protecting the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State. If the restriction of the processing according to the abovementioned conditions was obtained, you will be informed by the controller before the restriction of processing is lifted.

(3) This right to restriction of processing may be limited insofar as it is likely to rule out or seriously damage realisation of research or statistical projects, along with the fact that the restriction is necessary for serving research or statistical purposes.

23.4 Right to erasure
(1) You may require the controller to delete your personal information without delay, where one of the following grounds applies:
a) Your personal data are no longer necessary for the purposes for which they were collected or otherwise processed.
b) You revoke your consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing.
c) You object to the data processing pursuant to Article 21 (1) GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Art. 21 (2) GDPR.
d) Your personal data has been processed unlawfully.
e) The erasure of personal data concerning you is required for compliance with a legal obligation in Union or Member State law to which the controller is subject.
f) The personal data concerning you were collected in relation to the offer of information society services offered referred to in Article 8 (1) GDPR.

(2) If the controller has made the personal data relating to you public and is obliged pursuant to Article 17 paragraph 1 of the GDPR to erase the personal data, the controller taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the you have requested the erasure by such controllers of any links to, or copy or replication of, those personal data.

(3) The right to erasure does not exist if the processing is necessary:
a) for exercising the right of freedom of expression and information;
b) or compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
c) for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) as well as Article 9(3) GDPR;
d) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) GDPR in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
e) for the establishment, exercise or defence of legal claims.

23.5 Right to information
If you have exercised the right of rectification, erasure or restriction of the processing by turning to the controller, the latter is obliged to communicate to each recipient to whom the personal data concerning you have been disclosed, any such rectification / erasure / restriction of processing, unless this proves impossible or involves a disproportionate effort. You have the right to be informed about these recipients by the controller.

23.6 Right to data portability
(1) You have the right to receive the personal data concerning you, which you have provided to the controller, in a structured, commonly used and machine-readable format. Apart from this you also have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:
a) the processing is based on consent pursuant to point (a) of Article 6(1) or point (a) of Article 9(2) or on a contract pursuant to point (b) of Article 6(1); and
b) e processing is carried out by automated means.

(2) In exercising this right, you have also the right to have the personal data transmitted directly from one controller to another, where technically feasible. The rights and freedoms of others shall not be adversely affected through this.

(3) The right to data portability does not apply to the processing of personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
For exercising the right to data portability, the data subject may at any time contact the controller.

23.7 Right to object
(1) You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on point (e) or (f) of Article 6 (1), including profiling based on those provisions.

(2) The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of you, or for the establishment, exercise or defence of legal claims.

(3) Where personal data are processed for direct marketing purposes, you have the right to object at any time to processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing. If you object to processing for direct marketing purposes, the personal data related to you shall no longer be processed for such purposes.

(4) Regardless of Directive 2002/58/EC, you have the option, in the context of the use of information society services, of exercising your right to object by automated means using technical specifications.

(5) You have the right to object, on grounds relating to your particular situation, to processing of personal data related to you for scientific or historical research purposes or statistical purposes pursuant to Article 89(1). This right to object to processing may be limited insofar as it is likely to rule out or seriously damage realisation of research or statistical projects, along with the fact that the restriction is necessary for serving research or statistical purposes.

(6) For exercising the right to object, the data subject may at any time contact the controller.

23.8 Right to revoke the declaration of consent to data processing
You have the right to revoke your declaration of consent to data processing at any time. The revocation of consent does not affect the legality of the processing carried out on the basis of the consent until the revocation. You can contact the controller for this purpose.

23.9 Right not to be subject to an automated decision including profiling
(1) You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you, or similarly significantly affects you.
This shall not apply if the decision:
a) is necessary for entering into, or performance of, a contract between you and the data controller;
b) is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests; or
c) s based on your explicit consent.

(2) However, decisions referred to in paragraph 2 shall not be based on special categories of personal data referred to in Article 9(1), unless point (a) or (g) of Article 9(2) applies and suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests are in place.

(3) In the cases referred to in points (a) and (c) of paragraph 2, the data controller shall implement suitable measures to safeguard your rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express your point of view and to contest the decision.

(4) If the data subject wishes to exercise the right related to automated decision-making, he or she may contact the controller at any time.

23.10 Right to lodge a complaint with a supervisory authority
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement, if you consider that the processing of personal data relating to you infringes the GDPR. The supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Article 78 GDPR.

§ 24 Changes to the privacy statement
We reserve the right to change our privacy practices and regulations to adapt them to changes in relevant laws or regulations, or to better serve your needs. Possible changes to our privacy practices will be available here accordingly. Please note hereto the current version date of the privacy statement.