Data protection
Thank you for your interest in our company. The protection of personal data is particularly important to us, which is why we would like to provide you with detailed information about how we process your personal data. Personal data is always processed in accordance with the statutory provisions, in particular the General Data Protection Regulation (GDPR) and the applicable country-specific data protection laws. With this declaration, we provide information about the type, scope and purpose of the data collected, used and processed, and clarify the rights of those affected by data processing. As a company and data controller, we have taken extensive technical and organisational measures to ensure the highest possible level of protection for the personal data processed.
Name and address of the controller
The controller within the meaning of the General Data Protection Regulation and other national data protection laws of the Member States as well as other data protection regulations is:
‘Das kleine Hotel Lahnau’
Laura Zimmermann
Rodheimer Straße 50a
35633 Lahnau-Waldgirmes
Telephone: +49 (0)6441 444060
Email: info@das-kleine-hotel-lahnau.de
Website: www.das-kleine-hotel-lahnau.de
III. General information on data processing
In our privacy policy, we use various terms that are based on legal principles and are explained below in order to make our privacy policy simple and easy to understand. For the purposes of this privacy policy, the term:
‘personal data’ refers to all information relating to an identified or identifiable natural person (hereinafter referred to as ‘data subject’); A natural person is considered identifiable if they can be identified directly or indirectly, in particular by association with an identifier such as a name, an identification number, location data, an online identifier or one or more special characteristics that express the physical, physiological, genetic, psychological, economic, cultural or social identity of that natural person.
‘Processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, distribution or any other form of provision, alignment or combination, restriction, erasure or destruction;
‘restriction of processing’ means the marking of stored personal data with the aim of limiting their future processing;
‘Profiling’ means any form of automated processing of personal data consisting of the use of such personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;
‘Pseudonymisation’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;
‘Controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
‘Processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
‘recipient’ means a natural or legal person, public authority, agency or another body to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of such data by those authorities shall be in accordance with applicable data protection rules for the purposes of processing;
‘third party’ means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;
‘Consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
2) Scope of processing of personal data
In principle, it is possible to use our website without providing personal data. We only process our users’ personal data to the extent necessary to provide a functional website and our content and services. The processing of our users’ personal data is carried out regularly only with the user’s consent. An exception applies in cases where prior consent cannot be obtained for practical reasons and the processing of the data is permitted by law.
3) Legal basis for the processing of personal data
Insofar as we obtain the consent of the data subject for the processing of personal data, Art. 6 (1) (a) of the EU General Data Protection Regulation (GDPR) serves as the legal basis.
When processing personal data that is necessary for the performance of a contract to which the data subject is party, Art. 6 (1) (b) GDPR serves as the legal basis. This also applies to processing operations that are necessary for the implementation of pre-contractual measures.
Insofar as the processing of personal data is necessary to fulfil a legal obligation to which our company is subject, Art. 6 (1) (c) GDPR serves as the legal basis.
In the event that vital interests of the data subject or another natural person require the processing of personal data, Art. 6 (1) (d) GDPR serves as the legal basis.
If processing is necessary to safeguard a legitimate interest of our company or a third party and if the interests, fundamental rights and freedoms of the data subject do not override the former interest, Art. 6 para. 1 lit. f GDPR serves as the legal basis for processing.
As a responsible company, we refrain from profiling or other automated decision-making.
4) Data deletion and storage period
The personal data of the data subject will be deleted or blocked as soon as the purpose of storage no longer applies. Storage may also take place if this has been provided for by European or national legislators in regulations, laws or other provisions to which the controller is subject. The data will also be blocked or deleted if a storage period prescribed by the aforementioned standards expires, unless there is a need for further storage of the data for the conclusion or fulfilment of a contract.
Description and scope of data processing, legal basis, purpose and storage period
Every time our website is accessed, our system automatically collects data and information from the computer system of the accessing computer.
The following data is collected:
(1) Information about the browser type and version used
(2) The user’s operating system
(3) The user’s internet service provider
(4) The user’s IP address
(5) Date and time of access
(6) Websites from which the user’s system accesses our website
(7) Websites accessed by the user’s system via our website
The data is also stored in our system’s log files. This data is not stored together with other personal data of the user.
The legal basis for the temporary storage of data and log files is Art. 6 (1) lit. f GDPR. The temporary storage of the IP address by the system is necessary to enable the website to be delivered to the user’s computer. For this purpose, the user’s IP address must remain stored for the duration of the session. The data is stored in log files to ensure the functionality of the website. In addition, the data helps us to optimise the website and to ensure the security of our information technology systems. The data is not evaluated for marketing purposes in this context. These purposes also constitute our legitimate interest in data processing in accordance with Art. 6 (1) lit. f GDPR. Once the purpose for which the data was collected has been achieved, it is deleted or anonymised so that it is no longer possible to identify the client who accessed it. The collection of data for the provision of the website and the storage of data in log files is essential for the operation of the website. Consequently, there is no possibility for the user to object.
Description and scope of data processing, legal basis, purpose, storage period, revocation and removal options
Our website uses cookies. Cookies are text files that are stored in the Internet browser or by the Internet browser on the user’s computer system. When a user accesses a website, a cookie may be stored on the user’s operating system. This cookie contains a characteristic string of characters that enables the browser to be uniquely identified when the website is accessed again.
When visiting our website, users are informed about the use of cookies for analysis purposes and their consent is obtained for the processing of personal data used in this context. In this context, reference is also made to this privacy policy. The legal basis for the processing of personal data using technically necessary cookies is Art. 6 (1) lit. f GDPR. The legal basis for the processing of personal data using cookies for analysis purposes is Art. 6 (1) lit. a GDPR, provided that the user has given their consent.
The purpose of using technically necessary cookies is to simplify the use of websites for users. Some functions of our website cannot be offered without the use of cookies. For these, it is necessary that the browser is recognised even after a page change. We require cookies for the following applications:
The user data collected by technically necessary cookies is not used to create user profiles. Analysis cookies are used for the purpose of improving the quality of our website and its content. Analysis cookies tell us how the website is used, enabling us to continuously optimise our offering. These purposes also constitute our legitimate interest in the processing of personal data in accordance with Art. 6 (1) lit. f GDPR. Cookies are stored on the user’s computer and transmitted to our site by the user. Therefore, as a user, you have full control over the use of cookies. By changing the settings in your internet browser, you can deactivate or restrict the transmission of cookies. Cookies that have already been stored can be deleted at any time. This can also be done automatically. If cookies are deactivated for our website, it may no longer be possible to use all the functions of the website to their full extent. The transmission of Flash cookies cannot be prevented via the browser settings, but by changing the settings of the Flash Player.
You are free to contact us at any time via a contact form or by email to express your wishes and goals. The data voluntarily provided by the user in this case will be stored in our database for processing and deleted once the purpose of the processing has been achieved. The data will not be passed on to third parties or compared with other data.
For the purpose of processing an application, applicant data is electronically recorded, stored and processed. This is particularly the case if the application is submitted electronically, for example by email. If an employment contract is concluded, the data will continue to be stored in your personnel file in accordance with legal requirements for the usual organisational and employment relationships. If no employment contract is concluded with the applicant, the applicant data will be automatically deleted from the database after the rejection has been announced. This does not apply if there are special legal conditions, such as the burden of proof under the General Equal Treatment Act, which require longer storage, or if you have expressly agreed to longer storage during the application process.
This website uses Google Fonts. Google Fonts is a service provided by Alphabet Inc. / Google Ireland Limited, Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland. Web fonts are intended for browser-based digital texts, which are usually requested from an external web server rather than from a computer’s local font collection when a website is accessed, and are added to the browser. The use of Google Fonts is not authenticated. Website visitors do not send cookies to the Google Fonts API. Requests to the Google Fonts API are made to resource-specific domains fonts.googleapis.com or fonts.gstatic.com, so your font requests are separate from other information you send to google.com and do not contain any other information. The anonymised request information is deleted after 24 hours. Further information and more detailed explanations can be found at the following link: policies.google.com/privacy?hl=en
We use ‘Google reCAPTCHA’ (hereinafter ‘reCAPTCHA’) on our websites. The provider is Google Ireland Limited, Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland (‘Google’). reCAPTCHA is used to verify whether the data entered on our websites (e.g. in a contact form) is entered by a human or by an automated programme. To do this, reCAPTCHA analyses the behaviour of the website visitor based on various characteristics. This analysis begins automatically as soon as the website visitor enters the website. reCAPTCHA evaluates various information for the analysis (e.g. IP address, length of time the website visitor stays on the website or mouse movements made by the user). The data collected during the analysis is forwarded to Google. The reCAPTCHA analyses run completely in the background. Website visitors are not notified that an analysis is taking place. Data processing is based on Art. 6 para. 1 lit. f GDPR. The website operator has a legitimate interest in protecting its web offerings from abusive automated spying and SPAM. Further information on Google reCAPTCHA and Google’s privacy policy can be found at the following links: google.com/intl/en/policies/privacy/ and google.com/recaptcha/intro/android.html.
If we process your personal data, you are a data subject within the meaning of the GDPR and you have the following rights vis-à-vis the controller:
You can request confirmation from the controller as to whether personal data concerning you is being processed by us. If such processing is taking place, you can request the following information from the controller:
(1) the purposes for which the personal data is being processed;
(2) the categories of personal data that are being processed;
(3) the recipients or categories of recipients to whom your personal data has been or will be disclosed;
(4) the planned duration of storage of your personal data or, if specific information on this is not possible, criteria for determining the storage period;
(5) the existence of a right to rectification or erasure of personal data concerning you, a right to restriction of processing by the controller or a right to object to such processing;
(6) the existence of a right to lodge a complaint with a supervisory authority;
(7) all available information on the origin of the data, if the personal data is not collected from the data subject;
(8) the existence of automated decision-making, including profiling, pursuant to Article 22(1) and (4) of the GDPR and, at least in these cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
You have the right to request information about whether personal data concerning you is being transferred to a third country or to an international organisation. In this context, you may request to be informed about the appropriate safeguards pursuant to Art. 46 GDPR in connection with the transfer.
You have the right to obtain from the controller the rectification and/or completion of your personal data if the personal data processed concerning you is inaccurate or incomplete. The controller shall carry out the rectification without delay.
You may request the restriction of the processing of your personal data under the following conditions:
(1) if you dispute the accuracy of the personal data concerning you for a period enabling the controller to verify the accuracy of the personal data;
(2) the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead;
(3) the controller no longer needs the personal data for the purposes of the processing, but you require it for the establishment, exercise or defence of legal claims; or
(4) you have objected to processing pursuant to Article 21(1) of the GDPR and it is not yet clear whether the legitimate grounds of the controller override your grounds.
Where the processing of personal data concerning you has been restricted, such data may – apart from its storage – only be processed with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State. If the restriction of processing has been restricted in accordance with the above conditions, you will be informed by the controller before the restriction is lifted.
You may request that the controller erase personal data concerning you without undue delay, and the controller is obliged to erase such data without undue delay if one of the following reasons applies:
(1) The personal data concerning you is no longer necessary for the purposes for which it was collected or otherwise processed.
(2) You withdraw your consent on which the processing was based in accordance with Art. 6(1)(a) or Art. 9(2)(a) GDPR, and there is no other legal basis for the processing.
(3) You object to the processing pursuant to Article 21(1) of the GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Article 21(2) of the GDPR.
(4) The personal data concerning you has been unlawfully processed.
(5) The erasure of personal data concerning you is necessary to comply with a legal obligation under Union or Member State law to which the controller is subject.
(6) The personal data concerning you has been collected in relation to the services offered by information society services in accordance with Article 8(1) of the GDPR.
Information to third parties
If the controller has made the personal data concerning you public and is obliged to erase it pursuant to Art. 17(1) GDPR, the controller shall, taking into account the available technology and the implementation costs, take appropriate measures, including technical measures, to inform data controllers who process the personal data that you, as the data subject, have requested the deletion of all links to this personal data or of copies or replications of this personal data.
Exceptions
The right to erasure does not apply if the processing is necessary
(1) for exercising the right of freedom of expression and information;
(2) for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(3) for reasons of public interest in the area of public health pursuant to Art. 9(2)(h) and (i) and Art. 9(3) GDPR;
(4) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes pursuant to Art. 89(1) GDPR, insofar as the right referred to in section a) is likely to render impossible or seriously impair the achievement of the objectives of that processing, or
(5) for the establishment, exercise or defence of legal claims.
If you have asserted your right to rectification, erasure or restriction of processing against the controller, the controller is obliged to notify all recipients to whom your personal data has been disclosed of this rectification or erasure of the data or restriction of processing, unless this proves impossible or involves disproportionate effort.
You have the right to be informed by the controller about these recipients.
You have the right to receive the personal data concerning you that you have provided to the controller in a structured, commonly used and machine-readable format. You also have the right to transmit this data to another controller without hindrance from the controller to whom the personal data was provided, provided that
(1) the processing is based on consent pursuant to Art. 6(1)(a) GDPR or Art. 9(2)(a) GDPR or on a contract pursuant to Art. 6(1)(b) GDPR and
(2) the processing is carried out using automated procedures.
In exercising this right, you also have the right to have the personal data concerning you transferred directly from one controller to another, where technically feasible. The freedoms and rights of other persons must not be affected by this.
The right to data portability does not apply to the processing of personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
You have the right to object, on grounds relating to your particular situation, at any time to the processing of personal data concerning you which is based on Article 6(1)(e) or (f) of the GDPR; this also applies to profiling based on these provisions.
The controller shall no longer process the personal data concerning you unless he can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims.
If the personal data concerning you is processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for such marketing purposes; this also applies to profiling insofar as it is related to such direct marketing.
If you object to processing for direct marketing purposes, the personal data concerning you will no longer be processed for these purposes. In connection with the use of information society services, you have the option of exercising your right to object by means of automated procedures using technical specifications, irrespective of Directive 2002/58/EC.
You have the right to revoke your data protection consent form at any time. Revoking your consent does not affect the legality of the processing carried out on the basis of your consent until revocation.
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement, if you consider that the processing of personal data relating to you infringes the GDPR.
The supervisory authority to which the complaint has been lodged shall inform the complainant of the status and outcome of the complaint, including the possibility of a judicial remedy under Article 78 of the GDPR.
