Data Protection Statement
Information on data protection and data security as practiced by Hotel Mutterhaus Düsseldorf GmbH
Changing cookie settings
Data protection is a matter of trust, and your trust is important to us. We respect your privacy and your personal sphere, and so it is a key concern for us that we collect, process and protect your data in a manner that is fully compliant with the law. So that you feel safe when you visit our websites, we strictly observe legal provisions when processing your personal data and would like to inform you here about how we collect and use data.
We are fully committed to complying with the EU General Data Protection Regulation (GDPR)x as well as nationally applicable data protection laws. Data protection is a matter that has a high priority throughout our company, and we work only with partners who can also demonstrate an appropriate level of data protection in their processing structures. We process your data only if you have given us your express consent to do so, if it is for the purpose of concluding a contract or for initiating pre-contractual measures on the basis of a providing service, or if the applicable laws permit or even require data processing. The information following data protection statement covers both the currently applicable national legal framework and the requirements of the GDPR applicable throughout the European Union with effect from 25 May 2018. All references to a legal basis in the GDPR are authoritative as of 25 May 25 2018. Under no circumstances do we sell your data or pass it on to unauthorized third parties. We will be happy to give you detailed information about how your data is handled in our company.
You can print this document or save it using the relevant functions of your browser. This data protection statement explains what data is collected on our website and what data we process and use. We reserve the right to update the data protection statement in the future, in particular if our website changes, if we use new technologies or if the law or jurisdiction changes.
A Basic information in accordance with Arts. 13 & 14 GDPR
1 Name and address of controller
The controller in the sense of the EU General Data Protection Regulation), other national data protection laws of the Member States and other data protection regulations is:
Hotel Mutterhaus Düsseldorf GmbH
Telephone: +49 211-61727-0
Fax: +49 211-61727-1504
Represented by: Pfr. Ute Schneider-Smietana, Martin Baum
Responsible for web content:
Telephone: +49 211 – 61727-0
2 Name and address of data protection officer
The data protection officer appointed by the controller is:
TÜV Informationstechnik Gmb
HIT Security – Business Security & Privacy
Fachstelle für Datenschutz
c/o Peter Kattner, LL.M.
Am TÜV 1
Telephone: +49 201 – 8999-643
Fax: +49 201 – 8999-666
3 Competent supervisory authority for data protection
If you are of the opinion that we are not processing your personal data lawfully, you can submit a complaint to any data protection supervisory authority.
The competent supervisory authority for our company in accordance with Art. 55 GDPR is the State Commissioner for Data Protection and Freedom of Information for North Rhine-Westphalia:
Landesbeauftragte für Datenschutz und Informationsfreiheit
Telephone: +49 211/38424-0
Fax: + 49 211/38424-10
4 Your rights
According to statutory provisions, you as the data subject have the right to obtain free of charge and at any time information about your data stored by us.
In addition, you can assert your rights to rectification, deletion or restriction of processing or the right to object (see below) against our company at any time. You also have a right to data portability.
If you have provided us with your personal data on the basis of consent, you can revoke this consent at any time in the future.
4.1 Individual right to object
You have the right to object at any time, on grounds relating to your particular situation, to the processing of your personal data which is carried out on the basis of Art. 6(1)(e) GDPR (data processing in the public interest) and Art. 6(1)(f) GDPR (data processing on the basis of a balance of interests); this also applies to profiling based on this provision in the sense of Art. 4(4) GDPR; profiling does not take place.
If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or that the processing serves to assert, exercise or defend legal claims.
4.2 Right to object to processing of data for direct marketing purposes
In isolated cases, we process your personal data in order to carry out direct advertising. You have the right to object at any time to the processing of personal data concerning you for the purpose of such advertising; this also applies to profiling insofar as it is associated with such direct advertising.
If you object to processing for direct marketing purposes, we will no longer process your personal data for these purposes.
Your objection requires no specific form and should be addressed to:
Hotel Mutterhaus Düsseldorf GmbH
Telephone: +49 211-61727-0
Fax: +49 211-61727-1504
B Purpose and scope of data processing by us
1.1 Processing of communication data
Each time a user accesses a page from our website and each time a file is retrieved, access data relating to this process is stored in a log file on our server.
Each record consists of:
- the page from which the file was requested (“referrer URL”)
- the name of the file
- the date and time of the request (“time stamp”)
- the volume of data transferred
- the access status (file transferred, file not found, etc.)
- a description of the type of internet browser used (e.g. Mozilla Firefox, Google Chrome, Microsoft Internet Explorer, Apple Safari, Opera, etc.)
- a cookie
For the duration of your session, it is necessary to process your IP address in order to enable the delivery of our website to your end device. This serves the fulfilment of our tasks in the sense of Art. 6(1)(c) GDPR.
The data mentioned above is also stored in the so-called log files on our server. The IP address is anonymised so that no information can be traced back to individuals. The storage of data in log files is absolutely necessary for the operation of our website to ensure the functionality, optimisation and security of our IT systems. An evaluation of the data for marketing purposes does not take place in this context. The data is deleted after 12 months.
Our website is hosted by an external provider, Mittwald CM Service GmbH & Co. KG. You can find more information about the provider’s data protection regime in their data protection statement: https://www.mittwald.de/datenschutz [in German].
1.2 Processing of content data
If it is possible to enter personal or business data (e-mail addresses, names, postal addresses) on the website, for example via our contact form, this data is disclosed by the user on an expressly voluntary basis in accordance with Art. 6(1)(a) GDPR or on the basis of the contractual relationship in accordance with Art. 6(1)(b) GDPR. Your data will be treated confidentially in this context and will not be passed on to third parties without your consent. No connection will be made with the above-mentioned communication data.
1.3 Data recipients
As a matter of principle, we do not pass on your data to third parties without your consent. However, in order to host and maintain our website and to send out our newsletter, we rely on service providers who we require to comply with the legal requirements by means of our order processing terms and conditions.
What are cookies and how do we use them?
Cookies are small text files that are transferred via the internet to your device along with any files requested. Cookies are stored on your device and kept there for retrieval later.
So-called session cookies are required in particular in the context of registration, as for convenience we use a so-called single sign-on concept in the authentication process and for controlling access to various areas of our portal.
This involves setting up a “session” between client and server that allows you to move around the entire portal without having to log in again for each area. This session is identified by a cookie in which contains a randomly generated number.
Furthermore, another cookie stores the login information assigned to you (user name, user rights and the validity of the session) for access control. You can think of this as substitute login information. Instead of prompting you to re-enter your login information wherever necessary, the cookie is sent to the server and is accepted as proof of identity.
Validity of cookies
The validity of both of these cookies is limited to the duration of your visit to our portal. They are automatically deleted when you close your browser. There is no linking with personal data and no conclusions can be drawn about the user’s activities.
You can also choose explicitly to have your user name permanently stored in a third cookie when you log in. This makes it easier for you to log in if you use the portal frequently, as your user name is already pre-filled in the registration form and you only need to enter your password. We expressly draw your attention to the risks of this procedure, as there is a chance that third parties could misuse your data.
Most browsers are set to accept cookies automatically. However, you can deactivate the acceptance and storage of cookies or set your browser to notify you as soon as cookies are set.
1.5 Social Plugins
We do not use any social plugins on our website.
When you contact our company, e.g. by e-mail or via the contact form on the website, the personal data you provide will be processed by us so that we can respond to your enquiry.
For us to able to process enquiries submitted via the contact form on the website, you must provide a name or a pseudonym, a title and a valid e-mail address.
The legal basis for the processing is Art. 6(1)(f) GDPR or, if the purpose of the contact is to conclude a contract, Art. 6(1)(b) GDPR.
The processing and storage of the personal data from the input mask enables us to process the contact, to conduct possible follow-up business and to send advertising by post later. In the case of contact by e-mail, the contact itself constitutes the necessary legitimate interest in processing the data. The other personal data processed during the sending process serves to prevent misuse of the contact form and to ensure the security of our information technology systems.
No data is passed on to third parties in this context.
You have the right to object at any time to the processing of your personal data for the purpose of contact requests. This is the case in particular if the processing is not necessary for the fulfilment of a contract with you, which will be explained by us in advance in our description of the relevant function. In such a case, it may not be possible to continue processing the enquiry. In the event that your objection is justified, we will review the situation and either discontinue or adjust the data processing, or will demonstrate to you our compelling legitimate grounds on the basis of which we will continue the processing.
3 Processing and disclosure of personal data for contractual purposes
We process and store your personal data if and insofar as it is necessary for the initiation, establishment, performance and/or termination of a legal transaction with our company. The legal basis for this arises from Art. 6(1)(b) GDPR.
We also process and store personal data insofar as we are entitled to do so on the basis of consent given by you (e.g. consent to processing your e-mail address to send advertising e-mails), a contractual agreement, a statutory authorisation (e.g. authorisation to send direct advertising) or on the basis of legitimate interest for further retention (e.g. for the enforcement of claims) and processing as required in the respective context.
Your data is disclosed in situations where
- it is necessary for the establishment, performance or termination of legal transactions with our company (e.g. in the case of the transfer of data to a payment service provider/shipping company involved in processing a contract with you), (Art. 6(1)(b) GDPR), or
- a subcontractor or vicarious agent that we use exclusively in the context of providing the products or services you have requested requires this data (such agents are authorised to process the data only insofar as this is necessary for the provision of the product or service, unless you are expressly informed otherwise), or
- an enforceable official order (Art. 6(1)(c) GDPR) exists, or
- an enforceable court order (Art. 6(1)(c) GDPR), exist, or
- we are under a legal obligation to do so (Art. 6(1)(c) GDPR), or
- the processing is necessary to protect the vital interests of the data subject or of another natural person (Art. 6(1)(d) GDPR), or
- we are authorised or even obliged to disclose data for the purposes of pursuing overriding legitimate interests (Art. 6(1)(f) GDPR).
Your personal data will not otherwise be disclosed to other persons, companies or bodies unless you have expressly consented to such a disclosure. The legal basis of the processing is then Art. 6(1)(a) GDPR.
4 Processing and disclosure of personal data in the online booking system
If you wish to make a booking in our online system, it is necessary for you to provide personal data such as your name, address and e-mail address in order to initiate and conclude the contract. The information mandatorily required to process the order and conclude the contract is clearly marked; all other information is provided voluntarily. We process your data in order to arrange your booking. In particular, we will forward payment data to the payment service provider you have chosen or to our bank. In the context of your booking or booking enquiry, the booking information will also be transferred to VIATO, the operator of our internet booking engine, for the fulfillment or preparation of the contract. The legal basis for the processing is Art. 6(1)(b) GDPR. To prevent unauthorised third parties from accessing your personal data, the ordering process on the website is encrypted using SSL/TLS technology.
We delete the data collected in this context after the storage is no longer required or, where there are statutory obligations to retain it, we restrict the processing of the data. We are required by statutory commercial and tax regulations to retain your address, payment and order data for a period of ten years.
5 Processing of personal data pursuant to Section 30 of the Federal Act on Registration (BMG)
Under Section 30 of the Federal Act on Registration (Bundesmeldegesetz, BMG), commercial accommodations such as hotels are obliged to collect the following data from guests on the day of arrival and to have guests personally sign the registration form including the following information:
- date of arrival and planned departure,
- given name(s),
- date of birth,
- number of persons travelling with together and their nationalities,
- in the case of non-Germans, the serial number of a recognized and valid passport or passport substitute
- if necessary additional data necessary for collecting local tourist and resort taxes.
Under the BMG, we are obliged to collect, process and disclose this data; the legal basis of the processing arises from Art. 6(1)(c) GDPR.
We delete this data or restrict processing of it as soon as it is permissible to do so in accordance with the provisions of the BMG and if we have no consent from you (Art. 6(1)(a) GDPR) and no other legitimate interest on our part in continuing its processing.
6 Processing and disclosure of personal data during the digital check-in and check-out process
In order to allow our guests to use our digital check-in and check-out process, the following data is forwarded to our booking service providers: personal data, communication data, contract data and billing data.
We cooperate with the Hotelbird booking service provider.
On the day of arrival, the guest receives an e-mail invitation to use the online check-in. Data relevant to the registration form is requested, is stored in the user profile for future check-ins and is transmitted via credit card in compliance with PSD2. We delete the data collected in this context when the storage is no longer necessary or restrict processing if we are under legal obligations to retain it.
7 Evaluation and comment functions on our website
You can leave a comment and/or make an evaluation on our website.
You must give the following data in order to be able to post your comment or evaluation:
- E-mail address
- Registered name
- User name
- Location (optional)
- Age (optional)
- Reason for stay (optional)
You do not have to use your real name – you can use a pseudonym to make a comment and/or evaluation.
When your entry is published, the e-mail address you provided will not be published, only the name/pseudonym you provide. We will not check your entry before publication. We reserve the right to remove entries at any time if they are found to be unlawful.
We process your e-mail address and your name/pseudonym in order to be able to determine, if necessary, whether the entry is a genuine testimonial. We would also like to be able to contact you if we receive an objection to your entry on the website as illegal, and so that we can defend ourselves against complaints or claims that may be brought against us due to your entry.
We will process your e-mail address for as long as the entry on the website remains or we are in litigation with respect to the entry.
We do not disclose the data to third parties unless we are obliged to do so by law, by official or judicial order, or unless the disclosure is necessary for the enforcement of our legitimate interests. The legal basis for the processing is Art. 6(1)(f) GDPR.
You can object to the processing of the data you have provided. If you wish to delete your entry, please contact our company (see “Name and address of controller”).
8 Processing of data for marketing purposes
8.1 Advertising to existing clients
We reserve the right to process in accordance with the statutory provisions the contact data provided by you as part of the booking/enquiry in order to be able to contact you during or after the fulfillment of the contract, provided that you have not already objected to the processing of your e-mail address with regard to:
- informing you about products and services in our portfolio
- informing you about events involving our company
- enquiring about follow-up business.
Legal basis for the processing is Art. 6(1)(f) GDPR. We undertake the aforementioned processing for the purposes of customer care and improving our services.
We draw your attention to the fact that you can object to receiving direct advertising at any time without incurring any costs other than the transmission costs at basic rates. To do so, click on the unsubscribe link in the newsletter or send your objection to the contact details listed under “Name and address of controller”.
You can subscribe to our e-mail newsletter via our website.
In order to send you the newsletter, we require the following personal data from you.
- recipient (name or pseudonym)
- valid e-mail address.
Registration for our e-mail newsletter uses a double opt-in procedure. After you have entered the data marked as required, we will send an e-mail to the address you have provided, in which we ask you to explicitly confirm your subscription to the newsletter (by clicking on a confirm link). This means we can be sure that you really wish to receive our newsletter. If we do not receive confirmation within 24 hours, we block the data provided to us and automatically delete it after one month at the latest.
We process your IP address, the time of your newsletter registration and the time of your confirmation in order to document your subscription to the newsletter and to prevent the misuse of your personal data. The legal basis for the processing is Art. 6(1)(f) GDPR. We process this data for a period of two years after termination of the contract. Insofar as the newsletter registration takes place without a contract being concluded, we process this data for a period of two years after the end of the use procedure. We delete the data when the newsletter subscription ends.
After we receive confirmation from you, we process the e-mail address and name/pseudonym for the purpose of sending our e-mail newsletter. The legal basis for processing is Art. 6(1)(a) GDPR. We delete the data when you terminate the newsletter subscription.
You can revoke your consent to the processing of your e-mail address in order to receive the newsletter at any time, either by sending a message to us (see contact details listed under “Name and address of controller”) or by clicking directly on the unsubscribe link provided in the newsletter.
9 Disclosure of data to payment service provider
9.1 Disclosure of personal data when paying by credit card
Your personal data will be disclosed only to the extent necessary for the performance of the contract. For the processing of payments in particular, we pass on the data required to the credit institution charged with making the payment or to the payment and invoice service provider commissioned by us, as applicable.
The processing is carried out in accordance with Art. 6(1)(b) GDPR (processing for the performance of a contract). The data required for payment processing is transmitted securely via SSL connection and is processed exclusively for payment. We delete the data collected in this context after the storage is no longer necessary or, if there are legal obligations to retain data, restrict the processing of it.
9.2 Disclosure of personal data for credit assessment purposes
In the event that you wish to pay on account, we reserve the right to disclose the data you provide at booking to external service providers (e.g. Verband der Vereine Creditreform e.V., Hellersbergstraße 12, D-41460 Neuss, Germany) in order to assess credit worthiness.
This data is disclosed on the basis of Art. 6(1)(f) GDPR, as we make advance payments for purchases on account and bear the risk of default. We delete the data collected in this context after storage is no longer necessary or, if there are legal obligations to retain data, restrict the processing of it.
You can object to this processing at any time, but you may then not be able to choose to pay on account.
9.3 Disclosure of personal data for the purposes of enforcing legal claims
In the event of non-payment, we reserve the right to pass on the data provided at the time of booking to a lawyer and/or external companies (e.g. Verband der Vereine Creditreform e.V., Hellersbergstraße 12, D-41460 Neuss, Germany) for the purposes of tracing an address and/or enforcing legal claims in the event of a legitimate interest in accordance with Art. 6(1)(f) GDPR.
In addition, we may disclose your data if this is necessary for us to exercise our rights, the rights of our affiliated companies, our cooperation partners, our employees and/or the users of our website. Under no circumstances will we sell or lease your data to third parties. This data is disclosed on the basis of Art. 6(1)(f) GDPR.
We delete the data collected in this context after storage is no longer necessary or, if there are legal obligations to retain data, restrict the processing of it.
You can object to the processing of your data at any time. This is the case if the processing is not necessary in particular for the performance of a contract as described by us. If your objection is well-founded, we will review the situation and either discontinue or adjust the data processing, or we will show you the compelling legitimate grounds on the basis of which we will continue the processing.
We use external hosting services to provide the following services: infrastructure and platform services, processing capacity, storage resources and database services, security and technical maintenance services. This involves the processing of all data required to operate and use our website.
We use external hosting services to operate this website. The purpose of using external hosting services is to ensure the efficient and secure provision of our website. The legal basis for the processing is Art. 6(1)(f) GDPR.
Collecting the data on the provision and use of the website and the processing of the data via external web hosts is absolutely necessary for the operation of the website. You can object to the processing. If your objection is well-founded, we will review the situation and either discontinue or adjust the data processing, or we will show you the compelling legitimate grounds on the basis of which we will continue the processing.
11 Integration of third-party content
The website integrates third-party content such as videos, maps, RSS feeds or graphics from other websites. This integration always requires that the providers of this content (“third-party providers”) can identify the IP addresses of the users. Without the IP address, they cannot send the content to the browser of the visitor our website. The IP address is thus required for the display of this content.
We endeavour to use content only from third-party providers who process IP addresses only to deliver the content. However, we have no influence on whether the third-party providers process the IP addresses in other ways, e.g. for statistical purposes. Insofar as we are aware of this, we inform you of this below.
Some third-party providers may process data outside the European Union.
This may mean that certain functions on the website are not available, however.
11.1 Integration of Google Maps
This website also uses the Maps service from Google to display map information. When Google Maps is used, Google also processes and uses data on how visitors to the websites use the Maps functions. Google stores your data as usage profiles and processes it for the purposes of advertising, market research and/or demand-oriented design of its website. This kind of evaluation is carried out in particular (even for users who are not logged in) to provide needs-based advertising and to inform other users of the social network about your activities on our website.
The legal basis for this processing is Art. 6(1)(f) GDPR. The processing serves to make our website more attractive and to offer you additional services. We have no knowledge of how long Google stores the data and no way of influencing it.
You have the right to object to the processing, although you must contact Google to exercise this right. You can deactivate or restrict the transfer of cookies by changing the settings in your internet browser. Any cookies that have already been stored on your device can be deleted at any time, also automatically. If cookies are deactivated for our website, you may not be able to use all the functions of the website to their full extent.
Bookmarks, e.g. to social networks such as Google+, allow you as a user of certain social networks to create links from our website on your profile in order to save them as bookmarks or share them with your contacts.
You can recognise the bookmarks on our website by the corresponding icons (e.g. “g+”) at the bottom of the page. When you open a page on our website, these bookmarks can store cookies (small text files containing a sequence of numbers that enable the browser to be recognised) on your end device/browser. If you have a profile on the social network, the cookie enables the operator of the social network to track which pages you visit, unless you have blocked cookies in your browser settings. If you use the bookmark, information is sent to the respective social network.
We can neither control comments by or the activities of persons using bookmarks are nor can we be held responsible for them. Persons who share our content via bookmarks are not authorised to speak for us or forr our website, nor are they permitted to create the impression to third parties that they do.
The legal basis for using these bookmarks is Art. 6(1)(f) GDPR. We have no knowledge of how long the operators of social networks store the data and no way of influencing it.
You have the right to object to the creation of user profiles, whereby you must contact the respective plug-in provider to exercise this right. You can also prevent the creation of user profiles in various ways and thus exercise your right of refusal:
- by changing the settings of your browser correctly; suppressing third-party cookies means that you do not receive advertisements from third-party providers;
- by deactivating the interest-based ads of the providers who are part of the self-regulation campaign About Ads. Follow the link http://www.aboutads.info/choices . Please note this setting is cancelled if you delete cookies from your browser.
12 Processing personal data as part of providing guest services
12.1 Processing guest data
Our main concern is to always provide excellent service for our guests. In order to do this, we collect and process personal data from you as a guest. This usually concerns contact details and other data related to your stay which we need to deal with your enquiry, your reservation and your stay at our hotel. The legal basis for this data processing arises from Art. 6(1)(b) GDPR.
12.2 Recipients of guest data
As a matter of principle, we do not pass on your data to third parties unless you have consented to it. However, we depend on the use of service providers to provide and maintain our hardware and software, as well as to destroy data media. We oblige these service providers to comply with the legal requirements when we commission them.
12.3 Storage of guest data
We store personal data for the duration of your stay in our hotel or for the duration of the invoicing process, unless we are obliged to keep it for longer due to legal retention requirements (e.g. pursuant to Section 257 of the German Commercial Code (HGB) and Secion 147 of the German Fiscal Code (AO)). After expiry of the legal retention period, your data will be deleted in accordance with data protection regulations.
Notwithstanding this, we will transmit your personal data to investigating authorities only if we are legally obliged to do so.
13 Public relations
13.1 Processing contact data
As part of our public relations work, we maintain intensive contacts with businesses, local government, research institutes, other organisations and agencies who have relations with Hotel Mutterhaus Düsseldorf. We also cherish our close relationship with the Kaiserswerther Diakonie. In this context, we process contact data within the scope of necessary communication. The legal basis for this data processing arises from Art. 6(1)(e) GDPR.
13.2 Recipients of contact data
Personal data are not disclosed to third parties without consent.
13.3 Storage of contact data
We store contact data until the purpose of the public relations work is fulfilled.
14 Staff and applicant data
14.1 Processing staff and applicant data
Personal data relating to you is collected directly from you – e.g. as part of the job application process – on the basis of Section 26(1) of the German Data Protection Act (BDSG) as amended on 25 May 2018. In addition, we may also have received data from third parties (e.g. job platforms such as Indeed, employment agencies).
In addition, we may process personal data that we have lawfully obtained from publicly accessible sources (e.g. professional social networks). If we collect data from such sources, we will inform you immediately in accordance with Art. 14 GDPR about the circumstances in which we collect your data, the purpose for which we collect it and how we intend to process it.
The categories of staff personal data we process include, in particular, master data (such as first name, surname, name affixes, nationality, personnel number), contact data (such as private address, (mobile) telephone number, e-mail address) as well as the data of the entire application procedure (cover letter, CV, (work) references, proof of qualifications).
If you have also voluntarily provided special categories of personal data (such as health data, religious affiliation, information on a disability) in your application or in the course of the application procedure, processing will only take place if you have consented to it.
We process personal staff and applicant data on the basis of and in compliance with the European General Data Protection Regulation (GDPR), the German Federal Data Protection Act (BDSG) and all other relevant regulations in German labour law (e.g. AGG, BetrVG, SGB etc.).
The processing of your personal data within the scope of the application process primarily serves the application procedure, specifically determining the extent to which you are suitable for the advertised position. Processing your application data is necessary for us to decide on whether to establish an employment relationship with you. The primary legal basis for this is Art. 88 GDPR in conjunction with Section 26(1) BDSG.
14.2 Recipients of staff and applicant data
Within our company, your personal data will be disclosed only to those persons and departments who need it in order to make a decision about employing you, and to fulfil our legal and contractual obligations.
During the application process and whilst you are employed with us, we use services provided by the Kaiserswerther Diakonie which processes personal data on our behalf (data processor in the sense of Art. 28 GDPR).
However, we disclose staff personal data only when we are legally obliged to do so.
14.3 Storage of staff and applicant data
The personal application data transmitted to us will be deleted as soon as it is no longer required for the above-mentioned purposes and after 6 months at the latest. This does not apply if you have agreed to a longer storage period, if the storage is necessary for evidence purposes, or if legal regulations prevent deletion. For example, we retain your applicant data for as long as there is a possibility that you may assert legal claims against our company, e.g. due to infringement against provisions of the General Act on Equal Treatment (AGG).
If, on the other hand, your application leads to the establishment of an employment contract with you, your data will continue to be stored and used for the usual administrative and organisational processes and to implement of the employment relationship, in compliance with the applicable legal provisions.
14.4 What rights can staff or applicants assert?
Applicants as well as staff – like all data subjects – are entitled to data subject rights in accordance with Arts. 15–22 GDPR when their personal data is processed by our company. For details, see Point A(4) above. In addition, data subjects have the right to file a complaint with the data protection officer (see Point A(2) above) or with a data protection supervisory authority (see Point A(3) above).
15 Guest satisfaction surveys
We use guest satisfaction surveys to guarantee the quality of our services and to gather feedback from our guests.
However, we process personal data collected as part of a survey only if it is absolutely essential to the conducting of that survey (e.g. to check the eligibility to participate in a survey for a closed group of users). This means that the IP address, referrer URL, timing regarding voting behaviour etc. are not collected. Unless we specifically indicate otherwise, participation in guest satisfaction surveys is anonymous.
The legal grounds for processing personal data in the context of the online surveys described are, on the one hand, quality assurance in the context of accommodation or the accommodation contract (Art. 6(1)(b) GDPR) and, on the other, our legitimate interests in optimising our activities (Art. 6(1)(f) GDPR).
If you take part in one of our competitions (e.g. Kaiserswerther Sommernacht), we will use the personal data you give us only for the purposes of the competition. The respective terms and conditions of participation apply. We will publish the winners’ data only with their express prior consent or at their express request.
The legal grounds for processing the personal data of the raffle participants are Art. 6(1)(b) GDPR, as the processing is necessary for the establishment and operation of a competition agreement.
After the end of the competition and fulfilment of the competition contract between our hotel and the winners, the data will be deleted immediately if it is no longer required for the purpose of the contract, but no later than three months after the end of the competition.
17 Statistics, analysis and marketing service providers
In the following, we inform you about the services that we currently use on our website that are delivered by external providers, as well as about the purpose and scope of the processing in each case and about your options for objecting.
17.1 Matomo (formerly Piwik)
- page(s) accessed / name of requested file(s)
- date and time of request
- IP address in shortened, anonymised form
- operating system used
- browser type/version
- referrer URL (the page you left to come to our website).
The data collected is stored and evaluated exclusively for statistical purposes and to improve our services for you, in accordance with Art. 1(1)(f) GDPR. The information generated by the Matomo analysis tool cookie is not used in any other way and is not disclosed to third parties. Your IP address is anonymised immediately after processing and before storage, so that you as a user remain anonymous to us and no conclusions can be drawn about personal data.
If you do not agree to the storage and evaluation of the above-mentioned data by the Matomo analysis tool, you can object to it at any time with effect for the future. In this case, an opt-out cookie will be stored in your browser and Matomo will not collect any session data. Please note: If you delete the cookies in your browser, the opt-out cookie will also be deleted and you may have to reactivate it.
17.2 MHS Pixel
Our website uses myhotelshop to check availability and carry out bookings. The provider is myhotelshop GmbH, Flossplatz 6, 04107 Leipzig, Germany.
When you use the booking system on our website, myhotelshop receives your contact data and the information required to carry out the booking (e.g. date and duration of stay, reservation number, accommodation). We use MHS Pixel by myhotelshop on our booking confirmation page, which means we use myhotelshop cookies in accordance with the details in the paragraph “Cookies” above. The MHS Tracking Pixel enables us to see the conversion rate, or how many visitors to our website conclude a transaction. This helps us improve our service. The MHS Tracking Pixel gives us transaction data such as sale total, currency etc. We also receive the reservation number as part of fraud prevention.
The processing of your data takes place within the European Union, a transfer to non-EU countries is not intended in this context.
The legal basis for the processing is Art. 6(1)(f) GDPR or Art. 6(1)(b) GDPR, insofar as the processing is carried out for the performance or preparation of a contract. The processing of your data takes place within the European Union; transfer to third countries is not anticipated. The processing is carried out for the purposes of contract fulfilment, fraud prevention, measurement of the web audience, demand-based design of websites and for billing purposes. The data is processed by myhotelshop in performance of contractual obligations with us and will be delete on request insofar as statutory retention obligations do not exist.
You have the right to object to the processing. You have the right to object on grounds relating to your particular situation, unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or if the processing is necessary for the establishment, exercise or defence of legal claims (Art. 21(1) GDPR). You can deactivate or restrict the transmission of cookies by changing the settings in your browser. Cookies that have already been stored can be deleted at any time. This can also be done automatically. If cookies are deactivated for our website, it may no longer be possible to use all the functions of the website to their full extent.
Further information on the purpose and scope of processing by the provider can be found in the myhotelshop terms and conditions:
C Other information (security, scope of application, amendment notice)
We have taken extensive technical and organisational precautions to ensure your personal data is protected from unauthorised access, misuse, loss and other external interference. To this end, we regularly review our security measures and bring them into line with the state of the art.
This data protection statement applies to all the pages on www.hotel-mutterhaus.de. It does not cover any linked websites or internet pages maintained by third parties.
If you are not happy with the data protection measures described here or if you have any questions regarding the collection, processing and/or use of your personal data, please contact us. We will answer your questions as quickly as possible and will endeavour to implement any suggestions you may have. Please send all correspondence regarding data protection to firstname.lastname@example.org.
In the event of new legal provisions or significant changes to the scope of functions of our websites, this data protection statement will be updated with effect for the future. We therefore recommend that you read through it at regular intervals. In the event that we make material changes, we will publish a clear indication in this section.
Version and date of this data protection statement: 4.00 – March 2022