Privacy Policy

In A Nutshell:

In general, our website may be used anonymously. Providing personal data is purely voluntary and you will always be informed if and for what purpose we want to store your data. If you make use of other services, such as booking a stay with us, the processing of personal data may be necessary or even mandatory. Personal data are data that enable us to identify you personally and/or to contact you, such as your name, address or e-mail address.

We evaluate your visit to our website statistically with Google Analytics. You can object to this; see “Google Analytics” below.

In Detail:

Who We Are And How You Can Reach Us
The controller of the processing of personal data on this website is
Schloss Elmau GmbH & Co KG, In Elmau 2, D-82493 Krün, telephone +49(0)8823 18-0, fax +49(0)8823 18-177, e-mail: datenschutz@schloss-elmau.de.

Our data protection officer is Dr. Anke Thiedemann, RWT Anwaltskanzlei GmbH, Charlottenstraße 49, D-72764 Reutlingen, anke.thiedemann@rwt-gruppe.de.

 

What Data We Do (Not) Process, For What Purpose, For How Long And On What Legal Basis

Anonymous Use Of Our Website
You may use our website anonymously. When you visit our website, your web browser tells our web server your IP address so that communication is possible. Your IP address may be used to identify you. However, we do not store your IP address. You remain completely anonymous to us when visiting our website.

Logging And Evaluation In Case Of Attacks
Error messages – usually caused by attack attempts – are recorded and evaluated for reasons of security. Only the following data that may allow identification are used with respect to the recording of error messages: Your IP address, date and time, exact name (URL) of the requested data file(s), HTTP status code, volume of data transferred, referrer (website from which the file was requested), browser identification string that is sent from your browser (User Agent String). Such data shall be deleted after seven days if they are no longer useful (possibly for evidence).

The legal basis for data processing is Art. 6 para. 1 subpara. 1 letter f GDPR. The legitimate interests in processing on the basis of Art. 6 para. 1 subpara. 1 letter f GDPR are ensuring the functionality and security of our website as well as defence against attacks and other abuses.

Use Of Google AdWords Conversion Tracking

Our website uses Google AdWords. This is an analysis service of Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (“Google”). In the context of use, Google AdWords will place a cookie on your computer (“conversion cookie”) once you click on a Google advertisement and thereby access our website. The cookies do not contain personal data and are thus not used for personal identification of the user. If you visit our Platform within this period, Google and we will be informed of the fact that you have seen the advertisement provided by Google. As every AdWords customer is given a different cookie, cookies may not be traced via the websites of AdWords customers. The information gained with the help of the conversion cookie is used to compile conversion statistics for AdWords customers who have opted in to conversion tracking. AdWords customers learn how many users have clicked on their advertisement and have been redirected to a website provided with a conversion tracking tag. However, they do not obtain any information that could be used to identify any particular user. If you do not wish to participate in the tracking procedure, you may reject the setting of the cookie required for the process – for example by deactivating the automatic setting of cookies in your browser settings. You may also deactivate cookies for conversion tracking by setting your browser to block cookies from the domain “www.googleadservices.com”. Google’s privacy policy for conversion tracking can be found at https://services.google.com/sitestats/de.html

The legal basis for data processing is Art. 6 para. 1 subpara. 1 letter f GDPR. The legitimate interests in processing on the basis of Art. 6 para. 1 subpara. 1 letter f GDPR are our interest in the analysis, optimization and economical operation of our marketing and a better promotion of the sale of our products and services.

Google is certified under the Privacy Shield and thus offers an adequate level of data protection as decided by the EU Commission in an adequacy decision: https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active

Use Of Google Remarketing Services

We use the marketing and remarketing services (“Google Marketing Services”) of Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (“Google”).

The Google Marketing Services allow us to target ads for our website in order to present users only with ads that potentially match their interests. When you visit a website that uses Google Marketing Services, (re)marketing tags (invisible graphics or code, also known as “web beacons”) are integrated into the website. With their help, an individual “cookie”, i.e. a small text file, will be stored in your web browser (comparable technologies can also be used instead of cookies). By using the cookie, Google will collect information about which websites you have visited, which contents you are interested in and which ads you have clicked on, as well as technical information about the browser and operating system, referring websites, visit times and other information about the use of the website. As mentioned in the context of Google Analytics, your IP address will be anonymised within the European Union or the European Economic Area and only in exceptional cases completely transferred to a Google server in the USA and anonymised there. The IP address transferred by your browser within the framework of Google Remarketing Services will not be combined by Google with other data. The above information may also be combined by Google with such information from other sources. If you then visit other websites, the ads tailored to your interests can be displayed.

Users’ data will be processed pseudonymously within the framework of Google Marketing Services. This means that Google does not store and process, for example, the names or e-mail addresses of users but processes the relevant data cookie-related within pseudonymous user profiles. This means that from Google’s point of view, the ads are not managed and displayed for a specifically identified person but for the web browser that has the cookie set, regardless of who is using that web browser. This does not apply if a user has expressly permitted Google to process the data without pseudonymisation. The information collected by Google Marketing Services about users is transmitted to Google and stored on Google’s servers in the USA.

We use the Google Marketing Service “Google AdWords”. Each AdWords customer is given a different “conversion cookie”. Users can therefore not be tracked across the websites of more than one AdWords customer. The information collected with the help of the cookie is used to generate conversion statistics. We learn the total number of users who clicked on our ads and were redirected to a page with a conversion tracking tag but no information that identifies users.

Further information on Google’s use of data for marketing purposes can be found at www.google.com/policies/technologies/ads. Google’s Privacy Policy can be found at https://www.google.com/policies/privacy

You can object to interest-based advertising by Google marketing services by using the setting and opt-out options provided by Google at https://www.google.com/ads/preferences.

The legal basis for data processing is Art. 6 para. 1 subpara. 1 letter f GDPR. The legitimate interests in processing on the basis of Art. 6 para. 1 subpara. 1 letter f GDPR are our interest in the analysis, optimization and economical operation of our marketing and a better promotion of the sale of our products and services.

Google is certified under the Privacy Shield and thus offers an adequate level of data protection as decided by the EU Commission in an adequacy decision: https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active

Use Of Google Tag Manager

We use the Google Tag Manager on our website to manage content such as tags on our website, for example for AdWords Conversion Tracking, Google Analytics and AdWords Remarketing. Tags are small code elements on our website that are used, among other things, to measure traffic and visitor behavior, to measure the impact of online advertising and social channels, to use remarketing and targeting, and to test and optimize our website.

The tool Google Tag Manager itself (which implements the tags) is a cookieless domain. The tool triggers other tags (such as Google Analytics, AdWords or Remarketing) that may in turn collect data. Google Tag Manager does not access this data.

The legal basis for data processing is Art. 6 para. 1 subpara. 1 letter f GDPR. The legitimate interests in processing on the basis of Art. 6 para. 1 subpara. 1 letter f GDPR are our interest in the analysis, optimization and economical operation of our marketing and a better promotion of the sale of our products and services.

Google is certified under the Privacy Shield and thus offers an adequate level of data protection as decided by the EU Commission in an adequacy decision: https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active

Google Analytics
We use Google Analytics, a web analysis service provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (“Google”). For more information on how Google uses data when you use websites or apps provided by Google's partners, click here: https://policies.google.com/technologies/partner-sites?hl=en

Google Analytics uses “cookies”, small text files that are stored in your web browser and that make it possible to analyse how you use our website. The information generated by the cookie regarding your use of our website is normally transferred to a Google server in the USA, and is stored there. As the IP anonymize function is activated on our website, your IP address will, within Member States of the European Union or other contracting states of the Agreement on the European Economic Area, first be shortened by Google. Only in exceptional cases will Google transfer the full IP address to a Google server in the USA, and will shorten it there. On our behalf, Google will use this information in order to analyse your usage of our website, to compile reports on website activities, and to provide further services to us relating to the usage of the website and the internet. The IP address transferred by your browser within the framework of Google Analytics will not be combined by Google with other data.

You can prevent the storage of cookies by adjusting the settings of your browser software; however, in that case, you may not be able to fully use all features on our website. Furthermore, you can prevent collection by Google of the data generated by the cookie and relating to your use of our website (including your IP address), as well as processing of these data by Google, by downloading and installing the browser plug-in provided under the following link: https://tools.google.com/dlpage/gaoptout?hl=en.

As an alternative to the browser plugin or within browsers on mobile devices, you can click this link in order to opt-out from being tracked by Google Analytics within our website in the future (the opt-out applies only for the browser in which you set it and within this domain):

Click here to opt-out.

An opt-out cookie will be stored on your device, which means that you’ll have to click this link again if you delete your cookies.

The legal basis for data processing is Art. 6 para. 1 subpara. 1 letter f GDPR. The legitimate interests in processing on the basis of Art. 6 para. 1 subpara. 1 letter f GDPR are our interest in the analysis, optimization and economical operation of our website and of our marketing and a better promotion of the sale of our products and services.

Google is certified under the Privacy Shield and thus offers an adequate level of data protection as decided by the EU Commission in an adequacy decision:
https://www.privacyshield.gov/participant?id=a2zt00000000001L5AAI&status=Active

Data Processing Upon Contact
If you call us or send us a message, for example via the contact form or by e-mail, we need your e-mail address, your postal address or a telephone number if you want us to reply to you. You may also use a pseudonym instead of your name. We will use this data as well as the date and time of your contact exclusively to handle your request. Your data will not be passed on to third parties but only internally to the department responsible for your particular request. We will delete your data as soon as it is no longer needed for this purpose, i.e. usually three months after the last contact with you. If you have any further questions, please contact us again within three months. The legal basis for the data processing is Art. 6 para. 1 subpara. 1 letters b and f GDPR. The legitimate interest in processing on the basis of Art. 6 para. 1 subpara. 1 letter f GDPR is to fulfil your request.

Exceptions: We are required to retain business and commercial letters and other tax-relevant documents in order to fulfil our commercial and tax law archiving obligations; we will delete them by 31 March of the seventh calendar year following their creation, and in the case of booking receipts of the eleventh calendar year following their creation. Our accounting department has access to these data. The legal basis for tax law retention is Art. 6 para. 1 subpara. 1 letter c GDPR in connection with sections 147 AO, 257 HGB.

If your request is for a special purpose (e.g. ordering, quotation request, newsletter order), only the explanations in the respective section for that special purpose apply to data processing in this context.

Data Processing For Newsletter Subscription
If you subscribe to one or more of our newsletters, we need your e-mail address, otherwise we cannot send you the newsletter. All other information is voluntary. Your data will not be passed on to third parties, and we use it only for sending our newsletter. You will first receive an email with a link you must click to confirm that you want to receive the newsletter (“Double-Opt-In”). This will prevent others from subscribing to the newsletter in your name. We will analyze which links you click on in order to tailor the newsletter to your specific preferences and when you read the newsletter so that we can send it to you at your favourite time. In addition, we store your registration for the newsletter, your consent to the usage analysis and your confirmation to be able to prove that you have registered and agreed. For the purpose of sending the newsletter and analyzing its use, we will store your data until you revoke your consent or until the newsletter is permanently discontinued; for the purpose of customer service, we will delete your data as soon as you object or by 31 March of the fifth calendar year following your last order or enquiry or expression of interest; for the purpose of proof of consent by 31 March of the fourth calendar year following the last newsletter dispatch. If you do not confirm your newsletter subscription, we will delete your data after 24 hours. Please confirm your registration (“Double-Opt-In”) within 24 hours, otherwise you have to register again. Our marketing department, our customer service and, if necessary, the legal department have access to your data.

For processing for the purpose of sending the newsletter and for the usage analysis, the legal basis is Art. 6 para. 1 subpara. 1 letter a GDPR. For processing for the purpose of proof of consent, the legal basis is Art. 6 para. 1 subpara. 1 letter c in connection with Art. 5 para. 2 GDPR, Art. 7 para. 1 GDPR and Art. 24 para. 1 GDPR as well as Art. 6 para. 1 subpara. 1 letter f GDPR. The legitimate interests in processing on the basis of Art. 6 para. 1 subpara. 1 letter f GDPR are the promotion of the sale of our products and services, corresponding advertising, and the proof of your consent, i.e. the defence against legal claims.

Data Processing For Bookings, Information And Quotation Requests
When you make a booking or request information or a quotation, we require certain information from you depending on the type of service. The booking or quotation form indicates what information is required and what information is voluntary; if you contact us informally and the necessary information is missing, we will get in touch with you or ask for it. If you want to make a booking online, you will need to create a user account. In addition to your user name – which can also be your e-mail address or a pseudonym – you must also enter a password for this. Your data will not be passed on to third parties. Any exceptions (e.g. if we only arrange third-party services) are clearly communicated at the time of booking. We use your data only for handling your enquiry, processing bookings and complaints, for customer service and to send you advertisements about similar services from us and to prove that we may send you such advertisements. We are also required to store your booking and any related communication and invoice and payment data for tax and commercial law reasons; we will delete this data in the case of business and commercial letters and other tax-relevant documents by 31 March of the seventh calendar year after creation, and in the case of booking receipts of the eleventh calendar year after creation. For the purpose of booking and complaint processing we will delete your data three months after the end of your stay; for the purpose of customer service (including handling your inquiry), as soon as you object or by 31 March of the fifth calendar year following your last booking, request for information or offer or expression of interest; for the purpose of advertising as soon as you object or we finally discontinue advertising activities; for the purpose of proving your booking and the similarity of the advertised services by March 31 of the fourth calendar year following the last advertising campaign. 
Your data can be accessed by our marketing department, our customer service and our accounting department, and the legal department if required.

The legal basis for data processing is Art. 6 para. 1 subpara. 1 letter b (for processing and handling your request or booking) and f GDPR. For processing for the purpose of proof of your inquiry or booking, the legal basis is Art. 6 para. 1 subpara. 1 letter c in connection with Art. 5 para. 2 GDPR and Art. 24 para. 1 GDPR as well as Art. 6 para. 1 subpara. 1 letter f GDPR. The legal basis for tax law retention is Art. 6 para. 1 subpara. 1 letter c GDPR in connection with sections 147 AO, 257 HGB. The legitimate interests in processing on the basis of Art. 6 para. 1 subpara. 1 letter f GDPR are the fulfilment of your request, the promotion of the sale of our services, corresponding advertising, and the establishment or exercise of legal claims or the defence against legal claims.

Data Processing If You Book Via Third Parties
If someone else books for you, for example a fellow traveller or a travel agency, we will exchange information about you with them, insofar as this is necessary to make the booking or reservation.

If your booking is made through a tour operator, a travel agent or a travel agency (“agent”, this can also be a booking platform on the Internet), we will exchange information about you with this agent, insofar as this is necessary for the processing of our contract with the agent. This may include, for example, information that you have cancelled or not used a booked service or information about the services used or the amount of the fee paid by you for the purpose of processing fees or commission payments. Agents are not our processors but process your data on their own responsibility. Their data processing is governed exclusively by the privacy policy of the agent as controller.

Many booking platforms are located in countries outside the European Union and the European Economic Area, such as the USA, so that if you book via such a platform, your personal data will be transferred to such a third country. Many third countries have a lower level of data protection. If you do not want your personal data to be transferred to third countries with a lower level of data protection, we recommend that you book directly with us.

The data exchange described above takes place on the one hand for the fulfilment of the existing contract with you with regard to the desired service (legal basis: Art. 6 para. 1 subpara. 1 lit. b GDPR) and on the other hand for the protection of our legitimate interest in transmitting this information for the execution of our contracts with the agents and for the establishment, exercise or defence of legal claims (legal basis: Art. 6 para. 1 subpara. 1 lit. f GDPR).

Processing Of Guest Data
In addition to the data we process when you make a booking or request information or an offer or create a user account in our online booking system, we will process personal data about our guests, i.e. also accompanying persons. In addition to the data on services booked or used (“services data”), this includes names, contact data, date of birth, vehicle registration number (together “master data”), invoice and payment data. In addition, we process other data to provide you with the best possible service (“customer care data”), including professional position and company, photos or links to photos on the Internet, occasion of your stay, preferences (e.g. regarding pillows, mini-bar), intolerances, allergies and other restrictions, concierge specials such as wedding anniversary, as well as conflicts, complaints and guest requests. We will receive information about your professional position and company as well as photos either from you, the person booking or an accompanying person, or we will research them in public information on the Internet or – if you have allowed us to access your data through the respective settings in your profile – in social networks. For this purpose, your name will be transmitted to the operator of the search engine or social network used when using the search function, which may involve a transmission to the USA. However, we only use US providers that are certified under the Privacy Shield and therefore guarantee an appropriate level of data protection as decided by the EU Commission. All other services data will be received either from you, the person making the booking, other guests or employees. Insofar as services data contain special categories of personal data as defined in Art. 9 GDPR (in particular health data), we will not process them without your express consent. If someone else books for you, such as a fellow traveller or a travel agency, we may receive this information from the person booking for you. 
We also process feedback data, i.e. information you provide about Schloss Elmau and your experience with our services. We receive feedback data either directly from you or via the operator of the evaluation/feedback service you use, or we find it ourselves on the publicly accessible Internet or, if you allow us to access it through the respective settings, on social networks.

We will process service, master, invoice and payment data to fulfil the contract, to handle complaints, for customer service and to send you advertising and to prove that we may send you this advertising. We will process customer care data exclusively for the purpose of fulfilling the contract and to offer you the best possible service and to adapt our services to your wishes and needs, for example to take allergies into account when preparing your meals and to protect your health. In particular, we will not use services data for advertising purposes. We will use feedback data to evaluate and improve our services and for customer care purposes. We are required to retain invoice and payment data for tax and commercial law reasons; we delete this data in the case of business and commercial letters and other tax-relevant documents by 31 March of the seventh calendar year after creation, and in the case of booking receipts of the eleventh calendar year after creation. For the purpose of fulfilling the contract and handling complaints, we will delete your data three months after the end of your stay; for the purpose of evaluating and improving our services within one year after the end of your stay; for the purpose of customer service, as soon as you object or by 31 March of the fifth calendar year after your last booking, request for information or quotation or expression of interest; for the purpose of direct marketing, as soon as you object or we finally stop direct marketing; for the purpose of proving the permission for direct marketing by 31 March of the fourth calendar year following the last dispatch of a direct marketing message. We will delete your health data after revocation of your consent, but at the latest when we delete the general guest data. We will process your consent to the processing of your health data for the purpose of demonstrating your consent and delete it by 31 March of the fourth calendar year following the deletion of your health data. 
Your data (except for health data) can be accessed by our marketing department, our customer service, our accounting department and, if required, the legal department, as well as the respective department providing the service. Your health data is available to employees of those departments that need to know the respective health data, e.g. the Food & Beverage department for food allergies/intolerances, the Housekeeping department for house dust mite allergies and the Spa department for booked treatments.

The legal basis for data processing is Art. 6 para. 1 subpara. 1 letter b (for processing for the purposes of contract fulfilment, if you are a contracting party) and f GDPR. For the purpose of processing to demonstrate our permission to send you advertising, the legal basis is Art. 6 para. 1 subpara. 1 letter c in connection with Art. 5 para. 2 GDPR and Art. 24 para. 1 GDPR as well as Art. 6 para. 1 subpara. 1 letter f GDPR. The legal basis for tax law retention is Art. 6 para. 1 subpara. 1 letter c GDPR in connection with sections 147 AO, 257 HGB. The legitimate interests in processing on the basis of Art. 6 para. 1 subpara. 1 letter f GDPR are the performance of the contract whose services you make use of, the provision of the best possible service, as is to be expected from a luxury hotel, the adaptation of our services to your wishes and needs, the promotion of the sale of our services, corresponding advertising, and the establishment or exercise of legal claims or the defence against legal claims.

Processing Of Registration Data
In accordance with sections 29, 30 of the Federal Registration Act (BMG) and Art. 4 para. 1 BayAGBMG, we will process personal data as required by law in the form of a registration form to fulfil your and our statutory reporting obligations. Legal basis is Art. 6 para. 1 subpara. 1 letter c GDPR in conjunction with sections 29, 30 BMG and Art. 4 para. 1 BayAGBMG. The registration form must be presented to the authorities named in section 30 para. 4 sentence 1 BMG on request and will be destroyed within 15 months after arrival. The registration forms are kept safe with us after collection by reception. Generally we will not access them.

Processing When Using Our App
The app is provided and maintained by "Hotel MSSNGR", a communication platform for hotels operated by the German provider Hotel MSSNGR GmbH, Tölzer Straße 17, 83677 Reichersbeuern. Hotel MSSNGR GmbH is strictly bound by an order processing contract and may only process personal data generated in connection with the use of our app in accordance with our instructions.

In principle, it is possible to use our app anonymously without entering personal data. The app only stores a user token (comparable to a website cookie) to identify returning users and display their settings. The anonymized data will also be used to analyze user behavior and improve the products.

When you use our app, the app tells the Hotel MSSNGR web server your IP address to allow communication. Your IP address may be used to identify you. However, your IP address is shortened by the last four digits and is therefore only stored anonymously. Only in the case of errors (which usually indicate attacks) and detected attacks against the servers will the non-anonymized IP addresses be stored for 24 hours in order to ward off attacks and abuse.

The legal basis for processing the IP addresses is Art. 6 para. 1 subpara. 1 letter f GDPR. The legitimate interests in processing are ensuring the functionality and security of the app as well as defence against attacks and other abuses.

The app requests permission to send push notifications so that users can be informed about offers during their stay. Granting this permission is purely voluntary and it can be revoked at any time in the operating system settings.

For certain functions, the app requests permission to use the user's location. The permission is voluntary. This location data is forwarded to the servers of Hotel MSSNGR. These data will be used anonymously in order to improve the user experience of the app and the stay on site. These data will not be passed on to third parties. The permission to use locating data can be revoked at any time by withdrawing access to the locating data from the app in the operating system settings. The legal basis for data processing is Art. 6 para. 1 subpara. 1 lit. a GDPR.

For further information on data protection at Hotel MSSNGR, please visit http://hotel-mssngr.com/privacy

Google Analytics In Our App
Our app uses Google Analytics, a web analysis service provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (“Google”).

The app uses a cookie-like token to recognize the device at Google Analytics and to enable an analysis of your usage behavior. The information about app usage gathered by means of this token is sent to Google's servers in the USA. The IP address used during the use of the app is shortened before leaving the EU or the EEA and thus made anonymous. Only in exceptional cases will Google transfer the full IP address to a Google server in the USA, and will shorten it there. The IP address transferred by the app within the framework of Google Analytics will not be combined by Google with other data. Google will use this data to analyze app usage on behalf of Hotel MSSNGR and compile reports for Hotel MSSNGR, which in turn acts on our behalf. These reports include, for example, the frequency of use, the place of use and the content viewed. With the help of these reports, we and Hotel MSSNGR intend to improve the product quality. This also is the legitimate interest in data processing. The legal basis for the use of Google Analytics is Art. 6 para. 1 subpara. 1 lit. f GDPR.

Apart from the anonymized IP address, the app does not send any personal data to Google, so that cross-device tracking is not possible, even if the app uses the “Universal Analytics” operating mode.

You can opt out of the analysis of your user data at any time by deactivating the “Tracking” function in the settings of the app. This prevents the future collection of your data (including the anonymised IP address) and sending it to Google. You will need to disable this setting on all devices on which you use our app. If you delete the app on a device and reinstall it, you must also disable tracking again.

Further information and Google’s current privacy policy can be found at https://www.google.com/policies/privacy/ and https://www.google.com/analytics/terms/. More detailed information about Google Analytics is available at https://www.google.com/analytics/.

Google is certified under the Privacy Shield and thus offers an adequate level of data protection as decided by the EU Commission in an adequacy decision:
https://www.privacyshield.gov/participant?id=a2zt00000000001L5AAI&status=Active

Bookings In Our App
Within the app you can make bookings for certain leisure activities for your stay at Schloss Elmau. All data requested is required to carry out the booking – including to identify the person making the booking and thus to prevent misuse – so that although you are not obliged to provide your data, you cannot make a booking without entering these data.

The data are stored for 14 days after the end of the booked leisure activities in order to enable a transfer to the accounting systems and are deleted after this period has expired. The legal basis for this storage is Art. 6 para. 1 subpara. 1 lit. b GDPR. The anonymized data of the bookings will continue to be used to analyze the booking behavior and to further develop the functionality. The further handling of your booking data is governed by the rules for other bookings to which reference is made.

Video Surveillance
Safety-relevant areas of our premises and grounds may be video-monitored. Cameras are installed openly. Video-monitored areas are marked with visible signs at least at the entrance. Recordings are made which are deleted after 72 hours unless they are further needed due to an incident. Recordings can only be viewed by employees responsible for corporate security. Every access to the recordings is logged to prevent misuse.

The legal basis for data processing is Art. 6 para. 1 subpara. 1 letter f GDPR. Legitimate interests are the exercise of our domestic authority, the avoidance or prosecution of abusive conduct, the clarification of cases of damage and the establishment or exercise of legal claims or the defence against legal claims. Video recordings will not be used for any other purposes.

Special Services And Situations
If you make use of special services or special situations arise, this may involve the processing of further personal data. In these cases, you will be informed separately and asked for your consent if necessary.

Data Processing Upon Job Applications
We are aware that job applications contain sensitive personal data. We therefore ask you not to send applications to our general postal or e-mail address, but always to the contact person named in each case. Please also note that data transmission on the Internet is generally insecure if it is not encrypted. Our servers support transport encryption (STARTTLS) so that the emails transmitted between your email provider and us are protected if your email provider uses transport encryption. Your e-mail provider can, however, read, copy and modify all your e-mails. If you are not sure that your e-mail provider uses transport encryption, we recommend that you apply to us by post.

Despite all security measures, we ask you to refrain from providing information in your application that is not required for the specific position. For example, we will only judge you on your suitability for the position in question so that you do not have to send us a photo or provide any information about your family situation, etc.

When you apply for a job with us, we will process the information we receive from you during the application process, e.g. by letter of application, CV, references, correspondence, telephone or verbal information. In addition to your contact details, your education, work experience and skills are of particular relevance to us.

Your data will initially be processed exclusively for the purpose of the application procedure. If your application is successful, it will be used in your personnel file and for the execution and termination of the employment relationship and deleted in accordance with the regulations applicable to personnel files. If we are currently unable to offer you employment, we will continue to process your data for up to six months after the notification of rejection in order to defend ourselves against possible legal claims, in particular due to alleged discrimination in the application process. If you receive cost reimbursements or other tax-relevant transactions (e.g. invitation to a meal), the corresponding accounting documents will be kept until March 31 of the eleventh calendar year after payment at the latest, in the case of commercial and business letters and other tax-relevant documents of the seventh calendar year after their creation in order to fulfil the commercial and tax retention obligations. Your data can initially be accessed by our human resources department, but if required also by the department of the position to which you applied, the legal department and the accounting department.

The legal basis for data processing in the application procedure and as part of the personnel file is Section 26 para. 1 sentence 1 BDSG and Art. 6 para. 1 subpara. 1 letter b GDPR and, if you have given your consent, for example by sending information not necessary for the application procedure, Art. 6 para. 1 subpara. 1 letter a GDPR. The legal basis for data processing after a refusal is Art. 6 para. 1 subpara. 1 letter f GDPR. The legal basis for the retention under commercial and tax law is Art. 6 para. 1 subpara. 1 lit. c GDPR in connection with Sections 147 AO, 257 HGB. The legitimate interest in processing on the basis of Art. 6 para. 1 subpara. 1 letter f GDPR is the defence against legal claims.

In general, we do not need to have any special categories of personal data within the meaning of Art. 9 GDPR for the application process. We ask you not to send us any such information from the outset. If such information exceptionally is relevant to the application process, we will process it together with your other applicant data. This may include, for example, information about a severe disability which you may voluntarily provide us with and which we must then process in order to fulfil our special obligations with regard to severely disabled persons. In these cases, processing serves the exercise of rights or the fulfilment of legal obligations under labour law, social security law and social protection. The legal basis for data processing is then Art. 9 para. 2 lit. b GDPR, Sections 26 para. 3 BDSG, 164 SGB IX.

Voluntary Provision Of Your Data
As a rule, you are not obliged to provide us with personal data. Exception: the information on the registration form (see “Processing Of Registration Data”). If you do not provide us with certain information that we need to handle your request (for example a way to contact you if you want an answer from us), we may not be able to do so. In the context of special procedures (e.g. when you make a booking or register for our newsletter) it may be necessary for you to provide us with certain information because otherwise we will not be able to process your order or send you the newsletter. However, we will always point this out to you in the specific situation.

Recipients Of The Data
Your personal data will remain in our area of responsibility, except in special exceptional cases (e.g. if we only act as intermediaries for third-party services), in which we expressly inform you, however, to whom your data will be sent. Our administrators have the possibility to access data processed by IT. Furthermore, our website uses fonts from The Hoefler Type Foundry, Inc. d/b/a Hoefler & Co. (“Hoefler”). If your browser is configured accordingly, your browser establishes a direct connection to Hoefler when you visit our website, so that Hoefler is technically required to know your IP address and other data about your browser, which it automatically sends along. You can normally deactivate the loading of web fonts in your browser; then your browser will not establish a connection to Hoefler. The legal basis for processing is Art. 6 para. 1 subpara. 1 letter f GDPR. Our and your legitimate interest is a visually appealing presentation of our website. More information about Hoefler's processing of personal data can be found at https://www.typography.com/home/privacy.php. We list further recipients of your data in the notes on the respective data processing. In certain cases, we may need to disclose your personal data to third parties or exchange it with them so that you can obtain the desired service, in particular to vicarious agents such as banks and other payment service providers as well as postal and parcel service providers or forwarding companies.

In certain areas, such as web hosting, e-mail hosting and our online reservation system, we use processors. These are strictly bound to our instructions by an agreement on commissioned data processing and may not process the data for their own purposes.

Processing by us or our processors takes place only in the European Union, except for Google Analytics (also USA) and if you use the support chat of our app (use of services of Help Scout Inc. and Slack Technologies, Inc., USA). Google, Help Scout and Slack Technologies are certified under the Privacy Shield and thus offer an adequate level of data protection as decided by the EU Commission in an adequacy decision: https://www.privacyshield.gov

However, your personal data may be transferred to third countries outside the EU or the EEA if you use an agent or payment service provider in a third country, e.g. reporting to your agent that you have cancelled your booking or reporting your payment to your credit card company. Depending on which agent or payment service provider you use, the transfer to a third country is either permitted under Art. 45 GDPR if an adequacy decision of the EU Commission is available, or under Art. 49 para. 1 subpara. 1 letter b GDPR (transfer for the fulfilment of a contract or for the implementation of pre-contractual measures), Art. 49 para. 1 subpara. 1 letter c GDPR (transmission for the fulfilment of a contract concluded in the interest of the data subject) and Art. 49 para. 1 subpara. 1 lit. e GDPR (transmission for the establishment, exercise or defence of legal claims). Adequacy decisions of the EU Commission are currently available for Andorra, Argentina, Canada (restricted), Switzerland, Faroe Islands, Guernsey, Israel (restricted), Isle of Man, Jersey, New Zealand and Uruguay as well as for the USA within the framework of the “Privacy Shield”, insofar as the recipient is certified accordingly.

Automated Decision Making, Profiling
Automated decision making does not take place.

Your Rights
You have a right of access, to rectification or erasure, restriction of processing, to object to processing and to data portability under the respective statutory preconditions with regard to the personal data concerning you. In particular, you have the right to object to the processing of your data for advertising purposes at any time without incurring costs other than the transmission costs according to the basic rates of your provider (e.g. the costs of an e-mail = usually none). This applies, for example, if you were our guest and do not want to receive offers for similar stays. If the data processing is based on a consent, you have the right to withdraw your consent at any time without affecting the lawfulness of the processing carried out on the basis of consent until the withdrawal or of the processing on another legal basis. If you want to exercise these rights, you can simply write to datenschutz@schloss-elmau.de or click on the unsubscribe link in any email to unsubscribe. If we call you, you can of course also tell us directly in the conversation.

You also have the right to complain to a data protection supervisory authority about our processing of your personal data, for example to the supervisory authority responsible for us: Bayerisches Landesamt für Datenschutzaufsicht, Promenade 27, D-91522 Ansbach, telephone +49(0)981 53 1300, fax +49(0)981 53 98 1300, e-mail poststelle@lda.bayern.de. If you have any questions or requests regarding data protection, please feel free to contact us at any time: Your contact is datenschutz@schloss-elmau.de.

Your Right To Object To Processing
To the extent that processing of your personal data is based on Art. 6 para. 1 subpara. 1 lit. e or f GDPR, you have the right to object to processing in accordance with Art. 21 GDPR. If your objection is made for reasons arising from your particular situation, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims. If your objection is directed against direct marketing, including profiling, insofar as it is connected with such direct marketing, we will no longer process your personal data for these purposes.