Information on data collection and processing in the HotMiles programme
1. Name and address of the data controller
The data controller for the HotMiles programme, as referred to in Art. 4 point 7 of the General Data Protection Regulation, in other data protection laws in force in the European Union member states and other provisions of a data protection nature, is:
My H-Hotels GmbH
Braunser Weg 12
34454 Bad Arolsen
2. Contact details of the data protection officer:
RKM Data GmbH
Tel: +49 (0) 551 707 280
E-Mail: [email protected]
3. What data do we collect?
3.1 Master data
If you sign up for the HotMiles programme, we collect several personal details from the online form, such as title, name and surname and email address. This data is required for concluding a contract.
In addition, you can voluntarily provide us with further data when registering or later, e.g.: address, date of birth. If you do not provide us with this information, you can still become a participant in the HotMiles programme.
Upon opening your HotMiles account, we issue you with a HotMiles-participant-ID. It is used to uniquely identify you as a participant.
3.2 Programme data
When you collect or redeem HotMiles, we record them as "programme data". This includes the information we need for the credits and for administration, development and marketing of the programme. This includes information pertaining to the partners from whom you collect HotMiles, as well as information about the services provided, for which you receive credits. When redeeming the HotMiles, this includes information about the premium requested and the number of HotMiles redeemed.
3.3 Status data
If you have been awarded a status at HotMiles (Silver, Gold, Platinum), we will store the required data such as the type of status, the number and the dates of your stay.
4. How do we use your personal data?
We collect, process and use your personal data:
- to process your application for participation in the programme;
- to enable you to collect and redeem HotMiles, especially in order to be able to credit the HotMiles you have collected to your account and charge your HotMiles account accordingly when a premium is requested;
- to always be able to check whether the correct number of HotMiles has been credited to you and whether the correct number has been calculated when a premium is requested;
- to be able to manage the HotMiles Status that you have achieved;
- to provide you with other up-to-date information about HotMiles;
- in order to fulfil our legal obligations, in particular retention obligations.
If you have given us your separate consent, we will send you, via email or other electronic means,
- Information on your HotMiles balance, interesting offers, your status, information about the HotMiles programme and affiliated partners and their services; given your consent, we can process your master, programme and status data, as well as analytical data collected in using our services (website, app, newsletter or other media), to provide you with customised information,
- Market research surveys to improve the HotMiles programme.
5. Do we transfer your personal data to third parties or processors?
We will only pass on data to third parties if this is necessary for the collection and redemption of the HotMiles or if there is a legal obligation. We also send the status you have obtained to hotels within the network, so you will receive the corresponding services there. For a list of all affiliated hotels, see https://www.h-hotels.com/en/hotmiles/participating-hotels.
Your data is processed by processors such as Oracle (Opera), Datev, newsletter distributors, data centre operators, software as a service providers (SaaS) for the processing of data for the bonus programmes and providers of vouchers. These processors are bound by contracts under Art. 28 GDPR.
6. Legal basis for processing
We process the data in order to fulfil our contract with you, for the fulfilment of legal obligations and, insofar as you have given your consent, on the basis of your consent (Art. 6, para. 1 lit. a), b), c) GDPR). You may revoke your consent at any time without prejudice to the legality of the processing carried out on the basis of the consent up to the time of revocation.
7. Routine deletion and locking of personal data
We store the data for the period in which you are a participant of the HotMiles programme. When your contractual relationship with us ends, we will lock this data and store it for the period required to fulfil legal retention obligations.
8. Collection of location data by the HotMiles App
For data collection within the scope of using the HotMiles App, we refer to the App’s own data protection policy. The App can be found in the Apple App Store and Google Play Store.
9. Creation of log files
Each time the website is accessed, we collect data and information through an automated system. This is stored in the server log files.
This includes, in particular, information about the browser type and the version used, the user's operating system, the user's internet service provider, the user's IP address, the date and time of access, websites from which the user's system accesses our website (referrer), websites accessed by the user's system via our website.
The data is processed in order to deliver the contents of our website, to ensure the functioning of our information technology systems and to optimise our website. Log file data is always stored separately from other personal data of the users.
11. Web analytics
This website uses Google Analytics, a web analysis service provided by Google Inc. ("Google"). Google Analytics uses "cookies", text files that are stored on your computer and which make it possible to analyse your use of the website. The information generated by the cookie about your use of this website is generally sent to a Google server in the USA and stored there. If IP anonymisation is activated on this website, your IP address will be shortened by Google within member states of the European Union or in other states party to the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transferred to a Google server in the USA and shortened there. Google will use this information on behalf of the operator of this website to evaluate your use of the website, to compile reports on website activities and to provide further services to the website operator related to website usage and internet usage.
This website uses Google Analytics with the extension "_anonymizeIp()". As a result, IP addresses are further processed in a shortened form, thus preventing any direct association to an individual being made.
The IP address sent by your browser for the purposes of Google Analytics will not be merged with other data from Google.
You can prevent the storage of cookies by adjusting your browser software accordingly; however, we would like to point out that in this case you may not be able to use all functions of this website in full.
You can also prevent the data generated by the cookie and related to your use of the website (incl. your IP address) from being collected and processed by Google, by downloading and installing the browser plugin available at the following link: http://tools.google.com/dlpage/gaoptout?hl=de.
The use of Google Analytics is carried out in accordance with the requirements agreed between the German data protection authorities and Google. Details of the third party provider: Google Ireland Ltd, Gordon House, Barrow Street, Dublin 4, Ireland, Fax: +353 (1) 436 1001. Terms and conditions: http://www.google.com/analytics/terms/de.html. Overview of data protection: http://www.google.com/intl/de/analytics/learn/privacy.html, as well as the privacy statement: http://www.google.de/intl/de/policies/privacy.
12. Use of social media plug-ins
12.1 Social media plug-ins used
We have no influence over the data that is collected and data processing operations, nor are we aware of the full scope of data collection, the purposes of processing or the storage periods. We also have no information about the deletion of the collected data by the plug-in provider.
The plug-in provider stores the collected data as user profiles and uses it for the purposes of advertising, market research, and/or demand-oriented design of its website. The purpose of such an evaluation is in particular (even for users that are not logged in) to be able to display appropriate advertising and to inform other social network users of their activities on our website. You are entitled to object to the creation of these user profiles, whereby you must contact the respective plug-in provider in order to exercise this right. Through the plug-ins we offer you the opportunity to interact with social networks and other users, so that we can improve our offer and make it more interesting for you as a user. The legal basis for the use of the plug-ins is Art. 6, para. 1 p. 1 lit. f GDPR.
The data is transferred regardless of whether you have an account with the plug-in provider and are logged in there or not. If you are logged in to the plug-in provider, your data that is collected by us will be directly assigned to your existing account with the plug-in provider. If you press the activated button and link the page, for example, the plug-in provider also stores this information in your user account and informs your contacts publicly. We recommend that you log out regularly after using a social network, especially before activating the button, so you can prevent your profile being correlated with the plug-in provider.
12.2 Data protection statements of providers
For more information about the purpose and scope of the data collection and its processing by the plug-in provider, please refer to the privacy statements of these providers as disclosed below. You can also find out more about your rights in this regard and settings options for protecting your privacy.
Addresses of the respective plug-in providers and URL with their privacy statements:
- a) Facebook Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland; http://www.facebook.com/policy.php; for more information about the data collection: http://www.facebook.com/help/186325668085084, http://www.facebook.com/about/privacy/your-info-on-other#applications as well as http://www.facebook.com/about/privacy/your-info#everyoneinfo. Facebook adheres to the EU-US-Privacy-Shield, https://www.privacyshield.gov/EU-US-Framework.
- b) Google Ireland Ltd, Gordon House, Barrow Street, Dublin 4, Ireland, Fax: +353 (1) 436 10011600; https://www.google.com/policies/privacy/partners/?hl=de. Google adheres to the EU-US-Privacy-Shield, https://www.privacyshield.gov/EU-US-Framework.
- c) Twitter, Inc., 1355 Market St, Suite 900, San Francisco, California 94103, USA; https://twitter.com/privacy. Twitter adheres to the EU-US-Privacy-Shield, https://www.privacyshield.gov/EU-US-Framework.
- d) LinkedIn Corporation, 2029 Stierlin Court, Mountain View, California 94043, USA; http://www.linkedin.com/legal/privacy-policy. LinkedIn adheres to the EU-US-Privacy-Shield, https://www.privacyshield.gov/EU-US-Framework.
- e) Xing AG, Gänsemarkt 43, 20354 Hamburg, DE; http://www.xing.com/privacy
- f) Pinterest Europe Ltd., Palmerston House, 2nd Floor, Fenian Street, Dublin 2, Ireland; https://policy.pinterest.com/de/privacy-policy
12.3 Integration of YouTube videos
We have integrated YouTube videos into our online offer, which are stored on http://www.YouTube.com and can be played directly from our website. These are all integrated in "advanced privacy mode", meaning that no data about you as a user will be transferred to YouTube if you do not play the videos. Data is only transmitted when you play the videos. We have no influence on this data transmission.
When you visit the website, YouTube receives the information that you have accessed the corresponding page of our website. This is done regardless of whether YouTube provides a user account through which you are logged in, or whether there is no user account. If you are logged in to Google, your data will be assigned directly to your account. If you do not want to link your profile to YouTube, you must log out before activating the button. YouTube stores your data as user profiles and uses it for the purposes of advertising, market research and/or targeted design of its website. The purpose of such an evaluation is in particular (even for users that are not logged in) to be able to display appropriate advertising and to inform other social network users of their activities on our website. You have the right to object to the creation of these user profiles, in which case you need to approach YouTube yourself in order to exercise this right.
To improve the user experience on our websites, we use the software Hotjar (http://www.hotjar.com, 3 Lyons Range, 20 Bisazza Street, Sliema SLM 1640, Malta, Europe). Using Hotjar, we can measure and evaluate user behaviour (mouse movements, clicks, scroll height, etc.) on our websites. To this end, Hotjar places cookies on user devices and can store user data, such as browser information, operating system, time spent on page, etc. You can find more about data processing by Hotjar at https://www.hotjar.com/privacy.
13. Rights of data subjects
If your personal data is processed, you are considered a data subject according to the GDPR and you have the following rights vis-à-vis the data controller:
13.1 Right to information
You can obtain confirmation from the controller of whether personal data relating to you is being processed by us.
If such processing is taking place, you can request the following information from the controller:
- a) the purposes for which personal data is being processed;
- b) the categories of personal data being processed;
- c) the recipients or categories of recipients to whom the personal data relating to you have been disclosed or are yet to be disclosed;
- d) the planned duration of the storage of personal data relating to you or, if no concrete information can be given on this, criteria for determining the storage period;
- e) the existence of a right to rectification or erasure of the personal data, a right to restriction of processing by the controller or a right to object to the processing;
- f) the existence of a right to object to a supervisory authority;
- g) all the available information about the origin of the data, if the personal data is not collected from the data subject;
- h) the existence of automated decision-making including profiling in accordance with Art. 22, Para. 1 and 4 GDPR and, at least in these cases, meaningful information about the logic involved as well as the significance and envisaged consequences of such processing for the data subject.
You have the right to request information about whether the personal data will be transferred to a third country or an international organisation. In this context, you may request to be informed about the appropriate guarantees in accordance with Art. 46 GDPR relating to the transmission.
13.2 Right to rectification
If, despite our efforts, incorrect information is stored, we will gladly correct it upon request. You can keep most of your master data up-to-date at any time in your customer profile on our website.
13.3 Right to restrict processing
Under the following conditions, you may request restrictions on the processing of your personal data:
- a) if you dispute the accuracy of the personal data, for a period of time which allows the controller to verify the accuracy of the personal data;
- b) the processing is unlawful and instead of allowing the personal data to be deleted, you request the restriction of the use of the personal data;
- c) the controller no longer needs the personal data for the purposes of processing, but they need it for the assertion, exercise or defense of legal claims, or
- d) if you object to the processing pursuant to Art. 21, Para. 1 GDPR and it has not yet been determined whether the justifiable grounds of the controller prevail over your own reasons.
If the processing of your personal data has been restricted, this data may – with the exception of its storage – only be processed with your consent or for the establishment, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a member state.
If processing was restricted according to the above-mentioned conditions, you will be informed by the controller before the restriction is lifted.
13.4 Right to deletion
You may require the controller to delete the personal data relating to you without delay and the controller is obliged to delete such data without delay, provided that one of the following reasons applies:
- a) The personal data relating to you is no longer necessary for the purposes for which it was collected or otherwise processed.
- b) You revoke your consent on which the processing relied, pursuant to Art. 6, Para. 1 lit. a or Art. 9, Para. 2 lit. a GDPR and there is no other legal basis for processing.
- c) You object to the processing pursuant to Art. 21, Para. 1 GDPR, and there are no overriding legitimate grounds for processing, or you object to processing pursuant to Art. 21, Para. 2 GDPR.
- d) Personal data relating to you has been processed unlawfully.
- e) The deletion of personal data relating to you is necessary to fulfil a legal obligation under Union law or the law of the member states to which the controller is subject.
- f) The personal data relating to you was collected in terms of information society services provided pursuant to Art. 8, Para. 1 GDPR.
If the controller published your personal data and he is obligated to delete it according to Art. 17, Para. 1 GDPR, taking into account the available technology and implementation costs, he shall take appropriate measures, including technical measures, to inform data controllers who are responsible for processing the personal data, that you as data subject, have requested him to delete all links to this personal data or copies or replications of this personal data.
The right to deletion does not exist insofar as the processing is necessary
- a) to exercise the right to freedom of expression and information;
- b) in order to fulfil a legal obligation required by the law of the Union or of the member states to which the controller is subject, or to carry out a task in the public interest or in the exercise of public authority conferred on the controller;
- c) for reasons of public interest in the field of public health pursuant to Art. 9, Para. 2 lit. h and i and Art. 9 Para. 3 GDPR;
- d) for archival purposes in the public interest, scientific or historical research purposes or for statistical purposes in accordance with Art. 89, Para. 1 GDPR, insofar as the right as stated in Para. 1 is likely to render the objectives of such processing impossible or seriously affected; or
- e) for the establishment, exercise or defense of legal claims.
13.5 Right to be informed
If you have exercised the right to rectification, deletion or restriction of processing vis-à-vis the controller, he is obliged to inform all recipients to whom the personal data has been disclosed, of the correction or deletion of data or restriction of processing, unless this proves impossible or involves a disproportionate effort.
You have the right to be informed by the controller of such recipients.
13.6 Right to data portability
You have the right to obtain the personal data relating to you that you have provided to the data controller in a structured, standard and machine-readable format. In addition, you have the right to transfer this data to another data controller without hindrance by the data controller to whom the personal data has been provided, provided that:
- a) the processing relies on consent according to Art. 6, para. 1 lit. a GDPR or Art. 9, Para. 2 lit. a GDPR or on a contract pursuant to Art. 6, para. 1 lit. b GDPR, and
- b) automated processes are used for processing.
In the exercise of this right, you also have the right to effect that your personal data are transmitted directly by one data controller to another controller, insofar as this is technically feasible. This shall not affect the freedom and rights of other persons.
The right to data portability shall not apply to the processing of personal data necessary for the performance of a task in the public interest or for the exercise of public authority conferred on the controller.
13.7 Right to object
You have the right, for reasons arising from your particular situation, to object at any time to the processing of your personal data, which is carried out on the basis of Art. 6, Para. 1 lit. e or f GDPR. This also applies to profiling based on these provisions.
The controller may no longer process your personal data, unless he can provide compelling legitimate evidence of the reasons for processing, which outweigh your interests, rights and freedoms, or if the processing serves the establishment, exercise or defense of legal claims.
If your personal data are being processed for direct marketing purposes, you have the right, at any time, to object to the processing of your personal data for the purposes of such advertising. This also applies to profiling, insofar as this is related to such direct advertising.
If you object to processing for direct marketing purposes, your personal data will no longer be processed for these purposes.
You have the option, notwithstanding Directive 2002/58/EC, to exercise your right to object in connection with the use of information society services by means of automated procedures where technical specifications are used.
13.8 Right to revoke the declaration of consent under data protection law
You have the right to revoke your declaration of consent under data protection law at any time. The revocation of the consent shall not affect the legality of the processing carried out on the basis of the consent until the time of revocation.
13.9 Automated decision-making in individual cases, including profiling
You have the right not to be subjected to a decision based solely on automated processing, including profiling, which has a legal effect on you or which has a similarly significant negative impact on you. This does not apply if the decision
- a) is necessary for the conclusion or fulfilment of a contract between you and the controller,
- b) is admissible under Union or member state legislation to which the controller is subject and that legislation contains appropriate measures to safeguard your rights and freedoms and your legitimate interests; or
- c) is with your express consent.
However, these decisions may not be applied to specific categories of personal data according to Art. 9, Para. 1 GDPR, if Art. 9, Para. 2 lit. a or g do not apply and appropriate measures have been taken to protect rights and freedoms and your legitimate interests.
With regard to the cases mentioned in a. and c., the controller shall take appropriate measures to safeguard rights and freedoms and your legitimate interests, including at least the right to obtain the intervention of a person on the part of the controller, the right to state one’s own position and to challenge the decision.
13.10 Right to file a complaint with a supervisory authority
Without prejudice to any other administrative or judicial remedy, you have the right to file a complaint with a supervisory authority, in particular in the member state in which you reside, have your workplace or which is the location of the suspected infringement, if you believe that the processing of your personal data is in violation of the GDPR.
You may also file a complaint with the supervisory authority under whose authority we fall:
The Hessian Data Protection Commissioner
Fax 0611/1408-900 or -901
The supervisory authority where the complaint is filed shall inform the complainant of the status and results of the complaint, including the possibility of a judicial remedy according to Art. 78 GDPR.