Information Regarding Collection and Processing of Data
1. Name and address of the party responsible for data processing
The responsible party, in the sense of Section 4(7) of the General Data Protection Regulation, other valid data protection regulations applicable to member states of the European Union and other stipulations relating to data protection for the website www.h-hotels.com is:
Braunser Weg 12
34454 Bad Arolsen
Tel: +49 5691 / 878-0
Email: [email protected]
2. Name and address of the party responsible for data protection
The party responsible for data processing is:
RKM Data GmbH
Tel: +49 (0) 551 707 280
E-Mail: [email protected]
3. Collected data, reasons for processing, recipients of data
3.1 Hotel bookings
When you book a hotel room, we store your name and your email address. We then submit this data to the company responsible for the management of the hotel. The legal basis for the data processing is the Section 6(1) letter b of the GDPR. If you are a member of HotMiles, or if you have a PAYBACK or Miles & More customer card, we will transmit your name, the appropriate membership number, provided services and payments as well as further information to HotMiles, PAYBACK or Miles & More accordingly. Here you can read the details about HotMiles, PAYBACK and Miles & More. The legal basis for the processing of this data is the Section 6(1) letter b of the GDPR.
If you subscribe to our company newsletter, your data will be transmitted to us via the respective input masks.
When you register for the newsletter, the user IP address but also the date and time of registration will be saved; this serves to prevent abuse of the services and the email address of the affected person. Transmission of this data is exclusively restricted to the service provider responsible for sending the newsletter. The only exception is if we are obliged by law to disclose your data.
The information is used exclusively for the sending of the newsletter. The legal basis for the processing of the data is the Section 6(1) letter b of the GDPR. Subscription to the newsletters can be cancelled any time. The agreement to save personal data can also be revoked at any time. For this purpose, there is a corresponding link in every newsletter.
3.3 Establishment of contact
When you contact us, we will ask for your name, your contact data and various other information that we require from you. We use the data you provide to respond to requests and to adhere to legal requirements. The legal basis for this is Section 6(1) letter b and c of the GDPR.
3.4 Vouchers offered by Sovendus GmbH
If you are interested in one of the voucher offers from Sovendus GmbH, Moltkestr. 11, 76133 Karlsruhe (Sovendus) and click on the voucher banner, we will transmit your title, name, email address, and IP address to Sovendus in encrypted format, so that they can process the voucher. We will also transfer your order number, the value of your order, including currency, the session ID, the coupon code, and the time stamp to Sovendus in anonymised form, the legal basis for this is Section 6(1) letter b of the GDPR. For further information regarding the processing of your data by Sovendus, please see the online data protection information at www.sovendus.de/datenschutz.
3.5 Transmission to service providers and third parties
We receive your data processed by external data processing providers such as Oracle (Opera), Datev, the provider responsible for sending the newsletter, data centre operators, and Software as Service providers (SaaS) for data processing purposes relating to bonus programmes, and providers of vouchers. These data processing providers are bound by contracts, according to Section 28 of the GDPR.
We only transmit your data insofar as this is necessary for the fulfilment of the tasks you have assigned to us, or insofar as we are obliged to do so by law.
4. Compilation of log files
Every time the website is accessed, we capture data and information through an automated system; this data is saved in the log files on the server.
The following data can be captured in the process:
- Information regarding the type of browser and the version used
- The user’s operating system
- The user’s internet service provider
- The user’s IP address
- Date and time of access
- Websites from which the user’s system gained access to our site (referrer)
- Websites from which the user’s system accesses our website
The processing of the data serves enables the delivery of the contents of our website but also guarantees the functionality of our information systems and the optimisation of our website. In the process, the log file data is always saved separately from other personal user data.
6. Web Analytics
This website uses Google Analytics, a web analysis service from Google Inc. (Google). Google Analytics uses so-called “cookies”, text files that are saved on your computer, which enable the analysis of your use of the website. The information collected by the cookie, regarding your use of the site is usually sent to a Google server in the USA, where it is saved. However, within member states of the European Union and other countries that are contracted into the European Economic Community agreement, your IP address will be shortened in advance if you activate the IP anonymisation on this website. Only in certain exceptional cases is the full IP address transmitted to a Google server in the USA, where it is shortened then. On behalf of the operator, Google uses this information to assess your use of the website, to compile reports regarding website activity, and to perform other services for the operator of the site, relating to the use of the website and the internet.
This website uses Google Analytics with the add-on “_anonymizeIp()”. The IP addresses are, as a result of this, further processed in shortened form, making it impossible to allocate them directly to specific people.
The IP address that is transmitted by your browser within the context of Google Analytics is not combined with any other data from Google.
You can prevent cookies from being saved by adjusting your browser software settings accordingly; however, we would like to bring to your attention that in some cases, if applicable, you might not be able to use the full scope of the functions of this website.
Furthermore, you can prevent Google from capturing the data generated by the cookie, relating to your use of the website (incl. your IP address), and the processing by Google, by downloading and installing the plug-in available via the following link: http://tools.google.com/dlpage/gaoptout?hl=de.
Google Analytics is used as per the conformities contained in the agreement between the German Data Protection Authority and Google. Details of the external provider: Google Dublin, Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Republic of Ireland, Fax: +353 1 436 1001. User conditions: http://www.google.com/analytics/terms/de.html, Overview of data protection: http://www.google.com/intl/de/analytics/learn/privacy.html, and data protection statement: http://www.google.de/intl/de/policies/privacy.
7. Use of Social Media Plug-ins
7.1 Social media plug-ins used
We have neither influence on what data that is captured nor how the information is processed. Furthermore, we do not know the full scope of the data gathered, the purposes for processing, or the data retention periods. We also have no information regarding the deletion of the data captured by the plug-in provider.
The plug-in provider saves your captured data in the form of a user profile and uses it for advertising, market research and needs-based organisation of their website. This form of assessment is used, in particular, for the presentation of needs-appropriate advertising (also for users who are not logged in), and also serves to inform other users of the social network regarding your activities on our website. You are entitled to object to the creation of these user profiles. However, please contact the plug-in provider to do so. Via the plug-ins, we offer you the opportunity to interact with the social networks but also with other users, which enables us to improve our offer and give it a more exciting design for you, the user. The legal basis for the use of plug-ins is Section 6(1) letter f of the GDPR.
The data is transmitted, regardless of whether or not you have an account with the plug-in provider and whether or not you have logged in. If you have logged into the plug-in provider, your data, which we have captured, will be assigned directly to your existing account with the plug-in provider. If you click on the activated button and link the page, for example, the plug-in provider will also save this information in your user account and share it openly with your contacts. We recommend that you log out of social networks regularly, in particular, before activating any buttons. This way, you can prevent the plug-in provider from allocating your activities to your profile.
7.2 Data protection statement of the provider
Further information on the purpose and scope of the data captured and the processing by the plug-in provider is available from the following data protection statements, which have been supplied by the providers. They also provide you with further details on your rights on them and the available security settings for the protection of your privacy.
Here is a list of the addresses and URLs of the respective plug-in providers, where their data-protection information can be accessed:
- a) Facebook Inc., 1601 S California Ave, Palo Alto, California 94304, USA; http://www.facebook.com/policy.php; further information on data capturing: http://www.facebook.com/help/186325668085084, http://www.facebook.com/about/privacy/your-info-on-other#applications and http://www.facebook.com/about/privacy/your-info#everyoneinfo. Facebook has submitted to the EU-US Privacy-Shield, https://www.privacyshield.gov/EU-US-Framework.
- b) Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Irland; https://www.google.com/policies/privacy/partners/?hl=de. Google has submitted to the EU-US Privacy-Shield, https://www.privacyshield.gov/EU-US-Framework.
- c) Twitter, Inc., 1355 Market St, Suite 900, San Francisco, California 94103, USA; https://twitter.com/privacy. Twitter has submitted to the EU-US Privacy-Shield, https://www.privacyshield.gov/EU-US-Framework.
- d) LinkedIn Corporation, 2029 Stierlin Court, Mountain View, California 94043, USA; http://www.linkedin.com/legal/privacy-policy. LinkedIn has submitted to the EU-US Privacy-Shield, https://www.privacyshield.gov/EU-US-Framework.
- e) Xing AG, Gänsemarkt 43, 20354 Hamburg, DE; http://www.xing.com/privacy
- f) Pinterest Europe Ltd., Palmerston House, 2nd Floor, Fenian Street, Dublin 2, Ireland; https://policy.pinterest.com/de/privacy-policy
7.3 Integration of YouTube videos
We have linked some YouTube videos to our online offers. They are saved at http://www.YouTube.com and can be played directly from our website. They are all connected in “extended data protection mode”, which means that none of the user data is transmitted to YouTube if you do not play the videos. Information is only sent if you play a video. We do not influence the transmission of this data.
When you visit the web page, YouTube receives the information that you have accessed the relevant sub-page of our website; this occurs irrespective, of whether you have a YouTube user account through which you have logged in, or not. If you have logged into Google, your data will be assigned to your account directly. If you do not want your visit to the web page to be assigned to your YouTube profile, you must log out before you activate the button. YouTube saves your data as a user profile and uses it for advertising, market research as well as the needs-based organisation of their website. This form of assessment is used, in particular, for the provision of needs-appropriate advertising (also for users who are not logged in), and serves to inform other users of the social network regarding your activities on our website. You are entitled to object to the creation of this user profile. However, to do so, please contact the YouTube.
Further information on the purpose and scope of the data captured and the processing by YouTube is available from their data protection statement. They also provide you with further information on your rights on them, and the available security settings for the protection of your privacy: https://www.google.de/intl/de/policies/privacy. Google also processes your data in the USA, they also have submitted to the EU-US Privacy Shield: https://www.privacyshield.gov/EU-US-Framework.
We use Hotjar (http://www.hotjar.com, 3 Lyons Range, 20 Bisazza Street, Sliema SLM 1640, Malta, Europe) to improve the user experience on our website. With Hotjar, we can measure and assess user behaviour (movement of the mouse, clicks, scrolling, and so forth) on our website. For this purpose, Hotjar places cookies on the users’ end devices; this enables them to save user data, e.g. browser information, operating system, length of visit to the website and so forth. For more information on Hotjar’s processing, please visit https://www.hotjar.com/privacy.
8. Routine deletion and blocking of personal data
The data is processed and saved for as long as is required to fulfil the purposes of storage. The information is permanently deleted, as soon as this is permissible by law.
9. Rights of the affected person
If your data is processed, you are the affected party as per GDPR. Thus, the responsible party is obliged to grant you the following rights:
9.1 Right to information
You are entitled to request confirmation from the responsible party if we process any personal data that affects you.
Should this be the case, you are entitled to request the following information:
- a) the purposes for which the personal data is processed;
- b) the categories of personal data that are processed;
- c) the recipient or types of recipients to whom the personal data was revealed or will be revealed;
- d) the planned duration of storage of the affected personal data or, if possible, to give specific details thereof, the criteria for the determination of the length of storage;
- e) the existence of the right of rectification or deletion of the personal data that affects you, the right to restrict the processing by the responsible party, or the right of objection to processing;
- f) the existence of the right to object to a supervisory authority;
- g) all available information on the origin of the data if the personal data was not captured directly from the affected person;
- h) the existence of automated decision-making, including profiling, according to Sections 22(1) and 22(4) of the GDPR and – at least in these cases – comprehensive information on the logic and scope involved and the desired result of such processing for the affected party.
You have the right to request information as to whether the personal data that affects you is passed on to any other country or international organisation. In this regard, you are entitled to request information regarding the appropriate guarantees, according to Art. 46 of the GDPR, on the transmission of your data.
9.2 Right of amendment
You have the right to request that the responsible party rectifies or supplements your data, provided that the processed information is incorrect or incomplete. The liable party is obliged to remedy the data without delay.
9.3 Right of restriction of processing
Under the following conditions, you can request restriction of the processing of your data:
- a) if you dispute the accuracy of your data, for a period that would enable the responsible party to check the accuracy of your data;
- b) if the processing is unlawful and you refuse the deletion of your data and also request the limitation of the use of your data instead;
- c) if the responsible party no longer needs your information for processing purposes, or if you need it for the assertion, exercising, or defending a legal claim or;
- d) if you have filed an appeal against the processing, according to Art. 21, Para. 1 of the GDPR, and it has not yet been clarified, whether the responsible party’s legitimate reasons override your reasons for objection.
If the processing of your data has been restricted, apart from storage, only be processed with your consent, or for purposes of asserting, exercising, or defending your rights or to protect the rights of another legal or natural person, but also for reasons of significant public interests of the EU or one of its member states.
If the restriction of the processing was done according to the abovementioned conditions, you will be informed by the responsible party before the restrictions are lifted.
9.4 Right of deletion
You are entitled to request that the responsible party delete your data immediately, and the liable party is obliged to do so without delay, insofar as one of the following reasons applies:
- a) Your information is no longer required for the purposes for which it was captured or processed.
- b) You revoke your consent concerning the processing according to Section 6(1) letter a or Section 9(2) letter a, of the GDPR, and no other legal grounds exist for processing the data.
- c) You lodge an appeal against the processing of the data, according to Section 21(1) of the GDPR and there are no overriding legitimate reasons for processing thereof, or if you lodge an appeal against the processing of the data, according to Section 21(2) of the GDPR.
- d) Your data was processed unlawfully.
- e) The deletion of your information is required to fulfil a legal obligation according to EU law or the laws applicable in member states to which the responsible party is subordinate.
- f) Your data has been gathered in connection with services offered by the information organisation, according to Section 8(1) of the GDPR.
If the responsible party has published your data and is obliged to delete it according to Section 17(1) of the GDPR, it must take appropriate technical measures, under consideration of the available technologies and the costs of implementation, to inform the person responsible for the processing of your personal data, that you, as the affected party, have requested all the links to our data and any copies of the aforementioned information to be deleted.
No right of deletion exists insofar as the data is required for processing
- a) concerning the exercising of the right of freedom of opinion and information;
- b) concerning the fulfilment of a legal obligation according to EU law or the laws applicable in member states to which the responsible party is subordinate, or is required to do so, or which is required in order to honour a task in the interests of the public, or in the exercising of official authority, which has been delegated to the responsible party;
- c) for reasons of public interest in the areas of public health, according to Section 9(2) letter, Section 9(2) letter I, as well as Section 9(3) of the GDPR;
- d) for archiving purposes, in the interests of the public, for scientific or historical research purposes or for statistical purposes according to Section 89(1) of the GDPR, insofar as the processing is likely to affect rights referred to in Section 89(1), making them impossible or severely impeding them, or;
- e) to exercise, perform or defend legal rights.
9.5 Right of Information
If you have exercised your right of amendment, deletion, or restriction of the processing, the responsible party is obliged to inform all recipients to whom your data has been made available, regarding the amendment, deletion, or restriction of the processing of your data, unless this is not possible or if it would involve unreasonable effort.
You have the right to request information from the responsible party concerning the recipients mentioned above.
9.6 Right of data transferability
You have the right to receive the personal data that you have submitted to the responsible party in a structured, standard, and electronic format. Furthermore, you have the right to transmit this information to another responsible party, without any hindrance by the liable to whom the personal data was submitted, insofar as
- a) the processing was done based on an agreement according to Section 6(1) letter or Section 9(2) letter a, of the GDPR or on a contract according to Section 6(1)letter b of the GDPR and;
- b) the processing is done via an automated process.
In exercising this power, you also have the right to have the data directly transmitted from one responsible party to another, insofar as this is technically possible. However, the freedoms and rights of other parties may not be affected in the process.
The right of transmission of data does not apply to the processing of personal data that is required to perform, or which is needed to honour a task in the interests of the public, or in the exercising of official authority, which has been delegated to the responsible party.
9.7 Right of objection
You have the right, for reasons resulting from specific situations, to appeal against the processing of your data, based on Section 6(1) letter e or Section 6(1) letter f, of the GDPR; this also applies to the process of profiling, based on these provisions.
The responsible party no longer processes your data, unless it can prove that compelling legal grounds exist for the processing thereof, that override your interests, rights and freedoms, or if it serves towards the exercising, performance or defence of legal claims.
If your data is used for purposes of direct advertising you have the right to appeal against the processing for such advertising; this also applies to the process of profiling, insofar as it is connected to direct advertising.
If you object to the processing of your data for purposes of direct advertising, your data will no longer be used for these purposes.
You have the option of exercising your right of objection regarding the use of services provided by the information organisation – notwithstanding Directive 2002/58/EG – via automated processes using technical specifications.
9.8 Right of revocation of the data protection declaration of consent
You have the right to revoke your declaration of consent at any time. By withdrawing your approval, the legality of the data processed up to the time of revocation is not affected.
9.9 Automated decision in individual cases, including profiling
You have the right not to be subjected to solely automated processing decision – including profiling – which has legal implications, or which significantly affect you in any similar manner; this does not apply if the decision
- a) is required for the closing or fulfilment of a contract between yourself and the responsible party;
- b) is permissible, based on the legal requirements of the EU or its member states, which apply to the liable party, and provided that appropriate measures are in place to guarantee your rights, freedoms and justified interests, or;
- c) has been made with your express agreement.
However, these decisions may not affect specific categories of personal data according to Section 9(1) of the GDPR, insofar as Section 9(2) letter a or Section 9(2) letter g are applicable and appropriate measures have been taken for the protection of your rights, freedoms and justified interests.
Regarding the cases mentioned in a and c, the responsible party shall take appropriate measures to ensure that your rights, freedoms and justified interests are guaranteed; this includes, at least, that the liable party grant the affected party the right of intervention, so that he/she can state his/her case and challenge the decision.
9.10 Right of appeal to a supervisory authority
Without prejudice of any other administrative or judicial remedy, you have the right to appeal to a supervisory authority, particularly, in the member state in which you reside or work, or in which the alleged infringement took place, if you believe that your data has been processed contrary to the conditions contained in the GDPR.
You are also entitled to submit a complaint to the responsible supervisory authority:
Hessische Datenschutzbeauftragte (Data Protection Officer of Hesse)
65189 Wiesbaden, Germany
Tel: +49 611/1408 0
Fax: +49 611/1408 900 or 901
The supervisory authority to which the complaint is submitted shall inform the complainant regarding the status and the results, including the possibility of legal action according to Section 78 of the GDPR.