In A Nutshell:
In general, our website may be used anonymously. Providing personal data is purely voluntary and you will always be informed if and for what purpose we want to store your data. If you make use of other services, such as booking a stay with us, the processing of personal data may be necessary or even mandatory. Personal data are data that enable us to identify you personally and/or to contact you, such as your name, address or e-mail address.
We evaluate your visit to our website statistically with Google Analytics. You can object to this; see under “Google Analytics”.
Who We Are And How You Can Reach Us
The controller of the processing of personal data on this website is
Schloss Elmau GmbH & Co KG, In Elmau 2, D-82493 Krün, telephone +49(0)8823 18-0, fax +49(0)8823 18-177, e-mail: firstname.lastname@example.org.
Our data protection officer is Dr. Anke Thiedemann, RWT Anwaltskanzlei GmbH, Charlottenstraße 49, D-72764 Reutlingen, email@example.com.
What Data We Do (Not) Process, For What Purpose, For How Long And On What Legal Basis
Anonymous Use Of Our Website
You may use our website anonymously. When you visit our website, your web browser tells our web server your IP address so that communication is possible. Your IP address may be used to identify you. However, we do not store your IP address. You remain completely anonymous to us when visiting our website.
Logging And Evaluation In Case Of Attacks
Error messages – usually caused by attack attempts – are recorded and evaluated for reasons of security. Only the following data that may allow identification are used with respect to the recording of error messages: your IP address, date and time, exact name (URL) of the requested data file(s), HTTP status code, volume of data transferred, referrer (website from which the file was requested), browser identification string that is sent from your browser (User Agent String). Such data are deleted after seven days, provided they are no longer needed (for example as evidence).
The legal basis for data processing is Art. 6 para. 1 subpara. 1 letter f GDPR. The legitimate interests in processing on the basis of Art. 6 para. 1 subpara. 1 letter f GDPR are ensuring the functionality and security of our website as well as defence against attacks and other abuses.
Use Of Google Adwords Conversion Tracking
If you agree, our website uses the Google Ads service of Google Ireland Limited, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland; parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Google Ads enables us to draw attention to our attractive offers on external websites with the help of advertising media (so-called Google Ads). This enables us to determine how successful individual advertising measures are. These advertisements are delivered by Google via so-called "Ad Servers". For this purpose, we use ad server cookies, which can be used to measure certain parameters for measuring success, such as the display of the ads or clicks by users. If you access our website via a Google ad, Google Ads will store a cookie on your end device. These cookies usually lose their validity after 30 days and are not intended to identify you personally. The unique cookie ID, number of ad impressions per placement (frequency), last impression (relevant for post-view conversions) and opt-out information (marking that the user no longer wishes to be addressed) are usually stored as analysis values for this cookie. These cookies enable Google to recognise your internet browser. If a user visits certain pages of an Ads customer's website and the cookie stored on their computer has not yet expired, Google and the customer will be able to recognise that the user clicked on the ad and was redirected to that page. A different cookie is assigned to each Ads customer. Cookies can therefore not be tracked via the websites of Ads customers.
We ourselves do not collect or process any personal data in the aforementioned advertising measures. We only receive statistical evaluations from Google. These evaluations enable us to recognise which of the advertising measures used are particularly effective. We do not receive any further data from the use of the advertising tools; in particular, we cannot identify users on the basis of this information. Due to the marketing tools used, your browser automatically establishes a direct connection with Google's server. Information on how Google processes your data can be found at https://policies.google.com/technologies/ads?hl=de.
The legal basis for data processing is Art. 6 para. 1 subpara. 1 letter a GDPR.
Use Of Google Remarketing Services
If you agree, we use the marketing and remarketing services (“Google Marketing Services”) of Google Ireland Limited, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland; parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. The Google Marketing Services allow us to target ads for our website in order to present users only with ads that potentially match their interests. When you visit a website that uses Google Marketing Services, (re)marketing tags (invisible graphics or code, also known as “web beacons”) are integrated into the website. With their help, an individual “cookie”, i.e. a small text file, will be stored in your web browser (comparable technologies can also be used instead of cookies). By using the cookie, Google will collect information about which websites you have visited, which contents you are interested in and which ads you have clicked on, as well as technical information about the browser and operating system, referring websites, visit times and other information about the use of the website. The above information may also be combined by Google with such information from other sources. If you then visit other websites, the ads tailored to your interests can be displayed.
The information collected by Google Marketing Services about users is transmitted to Google and stored on Google’s servers in the USA.
We use the Google Marketing Service “Google AdWords”. Each AdWords customer is given a different “conversion cookie”. Users can therefore not be tracked across the websites of more than one AdWords customer. The information collected with the help of the cookie is used to generate conversion statistics. We learn the total number of users who clicked on our ads and were redirected to a page with a conversion tracking tag but no information that identifies users.
You can object to interest-based advertising by Google marketing services by using the setting and opt-out options provided by Google at https://www.google.com/ads/preferences.
The legal basis for data processing is Art. 6 para. 1 subpara. 1 letter a GDPR.
Use Of Google Tag Manager
If you agree, we use on our website the "Google Tag Manager" of Google Ireland Limited, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland (parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA). Through this service, website tags can be managed via an interface. Tags are small pieces of code on a website that are used to measure visitor traffic and behavior on our website, track the impact of online advertising and social channels, and test and optimize the website. The Google Tag Manager implements tags and uses a set of trigger rules that determine when these tags should be deployed on a website. When you visit our website, the determined tags are triggered and the corresponding cookies are loaded into your browser. However, Google Tag Manager does not access this data. The use of the Google Tag Manager will make your visit to our website more efficient and faster, as managing the correct tags will speed up our website. If a deactivation of Google Tag Manager has been made at the domain or cookie level, it will remain in place for all tracking tags insofar as they are implemented with Google Tag Manager.
The legal basis for data processing is Art. 6 para. 1 subpara. 1 letter a GDPR.
If you consent, this website uses Google Analytics, a web analytics service provided by Google Ireland Limited, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland; parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Google Analytics uses “cookies”, which are text files placed on your computer, to help the website analyze how users use the site. The cookies are stored by Google on your computer for a period of up to two years. The information generated by the cookie about how you use the website will be transmitted to and stored by Google on servers in the United States. The information generated by the cookie about your use of this website is usually transmitted to a Google server in the USA and stored there. On this website, we have extended Google Analytics with the code "gat._anonymizeIp();" to ensure that your IP address is not recorded in full length, but only in shortened form (so-called IP masking). Although this makes it more difficult to identify you, it cannot be ruled out that Google may link your IP address to other identifiers and assign them to you.
The legal basis for data processing is Art. 6 para. 1 subpara. 1 letter a GDPR.
If you agree, this website uses the YouTube button of the social network YouTube, which is operated by YouTube LLC with its principal place of business at 901 Cherry Avenue, San Bruno, CA 94066, USA ("YouTube"); parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. When you call up a web page of our website that contains such a button, your browser establishes a direct connection with the YouTube servers. The content of the YouTube button is transmitted by YouTube directly to your browser, which then integrates it into the website. We therefore have no influence on the scope of the data that YouTube collects with the button. The purpose and scope of the data collection and the further processing and use of the data by YouTube, as well as your rights in this regard and setting options for protecting your privacy, can be found in Google's data protection information: policies.google.com/privacy. The cookies used by YouTube are stored for up to one year.
The legal basis for data processing is Art. 6 para. 1 subpara. 1 letter a GDPR.
We offer you the possibility to watch videos on our internet pages. For this purpose, we use the services of the video platform Vimeo. This is operated by the company Vimeo, LLC with its headquarters at 555 West 18th Street, New York, New York 10011.
When you access a video on our website, a connection is established to the servers of Vimeo and the plugin required for viewing the video is displayed. In addition, various cookies are downloaded to your hardware from Vimeo's servers. Vimeo thereby learns, among other things, which of our websites you have visited. If you have an account with Vimeo and are logged in to it, Vimeo assigns this information to your account. In this case, Vimeo also assigns it to your account if you actually watch the video.
The legal basis for data processing is Art. 6 para. 1 subpara. 1 letter a GDPR.
Data transfers to a country outside the European Economic Area
If you have agreed, your personal data may be transferred to servers of a third-party provider (e.g. YouTube) whose servers are located in the USA or another third country (i.e. a country outside the European Economic Area (EEA)). We would like to point out that there is no adequate level of data protection in the USA comparable to that in the EU. Therefore, there is a risk for you of government access to this data. This risk may also exist with regard to other third countries. The permissibility of these data transfers to the USA and other third countries concerned follows from Article 49 para. 1 sentence 1 letter a) GDPR.
Data Processing Upon Contact
If you call us or send us a message, for example via the contact form or by e-mail, we need your e-mail address, your postal address or a telephone number if you want us to reply to you. You may also use a pseudonym instead of your name. We will use this data as well as the date and time of your contact exclusively to handle your request. Your data will not be passed on to third parties but only internally to the department responsible for your particular request. We will delete your data as soon as it is no longer needed for this purpose, i.e. usually three months after the last contact with you. If you have any further questions, please contact us again within three months. The legal basis for the data processing is Art. 6 para. 1 subpara. 1 letters b and f GDPR. The legitimate interest in processing on the basis of Art. 6 para. 1 subpara. 1 letter f GDPR is to fulfil your request.
Exceptions: We are required to retain business and commercial letters and other tax-relevant documents in order to fulfil our commercial and tax law archiving obligations; we will delete them by 31 March of the seventh calendar year following their creation, and in the case of booking receipts of the eleventh calendar year following their creation. Our accounting department has access to these data. The legal basis for tax law retention is Art. 6 para. 1 subpara. 1 letter c GDPR in connection with sections 147 AO, 257 HGB.
If your request is for a special purpose (e.g. ordering, quotation request, newsletter order), only the explanations in the respective section for that special purpose apply to data processing in this context.
Data Processing For Newsletter Subscription
If you subscribe to one or more of our newsletters, we need your e-mail address, otherwise we cannot send you the newsletter. All other information is voluntary. Your data will not be passed on to third parties, and we use it only for sending our newsletter. You will first receive an email with a link you must click to confirm that you want to receive the newsletter (“Double-Opt-In”). This will prevent others from subscribing to the newsletter in your name. We will analyze which links you click on in order to tailor the newsletter to your specific preferences and when you read the newsletter so that we can send it to you at your favourite time. In addition, we store your registration for the newsletter, your consent to the usage analysis and your confirmation to be able to prove that you have registered and agreed. For the purpose of sending the newsletter and analyzing its use, we will store your data until you revoke your consent or until the newsletter is permanently discontinued; for the purpose of customer service, we will delete your data as soon as you object or by 31 March of the fifth calendar year following your last order or enquiry or expression of interest; for the purpose of proof of consent by 31 March of the fourth calendar year following the last newsletter dispatch. If you do not confirm your newsletter subscription, we will delete your data after 24 hours. Please confirm your registration (“Double-Opt-In”) within 24 hours, otherwise you have to register again. Our marketing department and our customer service have access to your data, as does the legal department if necessary.
For the processing for the purpose of sending the newsletter and for the usage analysis, the legal basis is Art. 6 para. 1 subpara. 1 letter a GDPR. For processing for the purpose of proof of consent, the legal basis is Art. 6 para. 1 subpara. 1 letter c in connection with Art. 5 para. 2 GDPR, Art. 7 para. 1 GDPR and Art. 24 para. 1 GDPR as well as Art. 6 para. 1 subpara. 1 letter f GDPR. The legitimate interests in processing on the basis of Art. 6 para. 1 subpara. 1 letter f GDPR are the promotion of the sale of our products and services, corresponding advertising, and the proof of your consent, i.e. the defence against legal claims.
Data Processing For Bookings, Information And Quotation Requests
When you make a booking or request information or a quotation, we require certain information from you depending on the type of service. The booking or quotation form indicates what information is required and what information is voluntary; if you contact us informally and the necessary information is missing, we will get in touch with you or ask for it. If you want to make a booking online, you will need to create a user account. In addition to your user name – which can also be your e-mail address or a pseudonym – you must also enter a password for this. Your data will not be passed on to third parties. Any exceptions (e.g. if we only arrange third-party services) are clearly communicated at the time of booking. We use your data only for handling your enquiry, processing bookings and complaints, for customer service and to send you advertisements about similar services from us and to prove that we may send you such advertisements. We are also required to store your booking and any related communication and invoice and payment data for tax and commercial law reasons; we will delete this data in the case of business and commercial letters and other tax-relevant documents by 31 March of the seventh calendar year after creation, and in the case of booking receipts of the eleventh calendar year after creation. For the purpose of booking and complaint processing we will delete your data three months after the end of your stay; for the purpose of customer service (including handling your inquiry), as soon as you object or by 31 March of the fifth calendar year following your last booking, request for information or offer or expression of interest; for the purpose of advertising as soon as you object or we finally discontinue advertising activities; for the purpose of proving your booking and the similarity of the advertised services by March 31 of the fourth calendar year following the last advertising campaign. 
Your data can be accessed by our marketing department, our customer service and our accounting department, and the legal department if required.
The legal basis for data processing is Art. 6 para. 1 subpara. 1 letter b (for processing and handling your request or booking) and f GDPR. For processing for the purpose of proof of your inquiry or booking, the legal basis is Art. 6 para. 1 subpara. 1 letter c in connection with Art. 5 para. 2 GDPR and Art. 24 para. 1 GDPR as well as Art. 6 para. 1 subpara. 1 letter f GDPR. The legal basis for tax law retention is Art. 6 para. 1 subpara. 1 letter c GDPR in connection with sections 147 AO, 257 HGB. The legitimate interests in processing on the basis of Art. 6 para. 1 subpara. 1 letter f GDPR are the fulfilment of your request, the promotion of the sale of our services, corresponding advertising, and the establishment or exercise of legal claims or the defence against legal claims.
Data Processing If You Book Via Third Parties
If someone else books for you, for example a fellow traveller or a travel agency, we will exchange information about you with them, insofar as this is necessary to make the booking or reservation.
Many booking platforms are located in countries outside the European Union and the European Economic Area, such as the USA, so that if you book via such a platform, your personal data will be transferred to such a third country. Many third countries have a lower level of data protection. If you do not want your personal data to be transferred to third countries with a lower level of data protection, we recommend that you book directly with us.
The data exchange described above takes place on the one hand for the fulfilment of the existing contract with you with regard to the desired service (legal basis: Art. 6 para. 1 subpara. 1 lit. b GDPR) and on the other hand for the protection of our legitimate interest in transmitting this information for the execution of our contracts with the agents and for the establishment, exercise or defence of legal claims (legal basis: Art. 6 para. 1 subpara. 1 lit. f GDPR).
Processing Of Guest Data
In addition to the data we process when you make a booking or request information or an offer or create a user account in our online booking system, we will process personal data about our guests, i.e. also accompanying persons. In addition to the data on services booked or used (“services data”), this includes names, contact data, date of birth, vehicle registration number (together “master data”), invoice and payment data. In addition, we process other data to provide you with the best possible service (“customer care data”), including professional position and company, photos or links to photos on the Internet, occasion of your stay, preferences (e.g. regarding pillows, mini-bar), intolerances, allergies and other restrictions, concierge specials such as wedding anniversary, as well as conflicts, complaints and guest requests. We will receive information about your professional position and company as well as photos either from you, the person booking or an accompanying person, or we will research them in public information on the Internet or – if you have allowed us to access your data through the respective settings in your profile – in social networks. For this purpose, your name will be transmitted to the operator of the search engine or social network used when using the search function, which may involve a transmission to the USA. All other services data will be received either from you, the person making the booking, other guests or employees. Insofar as services data contain special categories of personal data as defined in Art. 9 GDPR (in particular health data), we will not process them without your express consent. If someone else books for you, such as a fellow traveller or a travel agency, we may receive this information from the person booking for you. We also process feedback data, i.e. information you provide about Schloss Elmau and your experience with our services. 
We receive feedback data either directly from you or via the operator of the evaluation/feedback service you use, or we find it ourselves on the publicly accessible Internet or, if you allow us to access it through the respective settings, on social networks.
We will process service, master, invoice and payment data to fulfil the contract, to handle complaints, for customer service and to send you advertising and to prove that we may send you this advertising. We will process customer care data exclusively for the purpose of fulfilling the contract and to offer you the best possible service and to adapt our services to your wishes and needs, for example to take allergies into account when preparing your meals and to protect your health. In particular, we will not use services data for advertising purposes. We will use feedback data to evaluate and improve our services and for customer care purposes. We are required to retain invoice and payment data for tax and commercial law reasons; we delete this data in the case of business and commercial letters and other tax-relevant documents by 31 March of the seventh calendar year after creation, and in the case of booking receipts of the eleventh calendar year after creation. For the purpose of fulfilling the contract and handling complaints, we will delete your data three months after the end of your stay; for the purpose of evaluating and improving our services within one year after the end of your stay; for the purpose of customer service, as soon as you object or by 31 March of the fifth calendar year after your last booking, request for information or quotation or expression of interest; for the purpose of direct marketing, as soon as you object or we finally stop direct marketing; for the purpose of proving the permission for direct marketing by 31 March of the fourth calendar year following the last dispatch of a direct marketing message. We will delete your health data after revocation of your consent, but at the latest when we delete the general guest data. We will process your consent to the processing of your health data for the purpose of demonstrating your consent and delete it by 31 March of the fourth calendar year following the deletion of your health data. 
Your data (except for health data) can be accessed by our marketing department, our customer service and our accounting department, the legal department if required, as well as the respective department providing the service. Your health data is available to employees of those departments that need to know the respective health data, e.g. the Food & Beverage department for food allergies/intolerances, the Housekeeping department for house dust mite allergies and the Spa department for booked treatments.
The legal basis for data processing is Art. 6 para. 1 subpara. 1 letter b (for processing for the purposes of contract fulfilment, if you are a contracting party) and f GDPR. For the purpose of processing to demonstrate our permission to send you advertising, the legal basis is Art. 6 para. 1 subpara. 1 letter c in connection with Art. 5 para. 2 GDPR and Art. 24 para. 1 GDPR as well as Art. 6 para. 1 subpara. 1 letter f GDPR. The legal basis for tax law retention is Art. 6 para. 1 subpara. 1 letter c GDPR in connection with sections 147 AO, 257 HGB. The legitimate interests in processing on the basis of Art. 6 para. 1 subpara. 1 letter f GDPR are the performance of the contract whose services you make use of, the provision of the best possible service, as is to be expected from a luxury hotel, the adaptation of our services to your wishes and needs, the promotion of the sale of our services, corresponding advertising, and the establishment or exercise of legal claims or the defence against legal claims.
Processing Of Registration Data
In accordance with sections 29, 30 of the Federal Registration Act (BMG) and Art. 4 para. 1 BayAGBMG, we will process personal data as required by law in the form of a registration form to fulfil your and our statutory reporting obligations. Legal basis is Art. 6 para. 1 subpara. 1 letter c GDPR in conjunction with sections 29, 30 BMG and Art. 4 para. 1 BayAGBMG. The registration form must be presented to the authorities named in section 30 para. 4 sentence 1 BMG on request and will be destroyed within 15 months after arrival. The registration forms are kept safe with us after collection by reception. Generally we will not access them.
Processing When Using Our App
The app is provided and maintained by "Hotel MSSNGR", a communication platform for hotels operated by the German provider Hotel MSSNGR GmbH, Tölzer Straße 17, 83677 Reichersbeuern. Hotel MSSNGR GmbH is strictly bound by an order processing contract and may only process personal data generated in connection with the use of our app in accordance with our instructions.
In principle, it is possible to use our app anonymously without entering personal data. The app only stores a user token (comparable to a website cookie) to identify returning users and display their settings. The anonymized data will also be used to analyze user behavior and improve the products.
When you use our app, the app tells the Hotel MSSNGR web server your IP address to allow communication. Your IP address may be used to identify you. However, your IP address is stored only after being shortened by the last four digits and is therefore stored anonymously. Only in the case of errors (which usually indicate attacks) and detected attacks against the servers will the non-anonymized IP addresses be stored for 24 hours in order to ward off attacks and abuse.
The legal basis for processing the IP addresses is Art. 6 para. 1 subpara. 1 letter f GDPR. The legitimate interests in processing are ensuring the functionality and security of the app as well as defence against attacks and other abuses.
The app requests permission to send push notifications so that users can be informed about offers during their stay. This sharing is purely voluntary and can be revoked at any time in the operating system settings.
For certain functions, the app requests permission to use the user's location. The permission is voluntary. This location data is forwarded to the servers of Hotel MSSNGR. These data will be used anonymously in order to improve the user experience of the app and the stay on site. These data will not be passed on to third parties. The permission to use locating data can be revoked at any time by withdrawing access to the locating data from the app in the operating system settings. The legal basis for data processing is Art. 6 para. 1 subpara. 1 lit. a GDPR.
For further information on data protection at Hotel MSSNGR, please visit http://hotel-mssngr.com/privacy
Google Analytics In Our App
If you consent, our app uses Google Analytics, a web analytics service provided by Google Ireland Limited, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland; parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.
The app uses a cookie-like token to recognize the device at Google Analytics and to enable an analysis of your usage behavior. The information about app usage gathered by means of this token is sent to Google's servers in the USA. Google will use this data to analyze app usage on behalf of Hotel MSSNGR and compile reports for Hotel MSSNGR, which in turn acts on our behalf. These reports include, for example, the frequency of use, the place of use and the content viewed. With the help of these reports, we and Hotel MSSNGR intend to improve the product quality. The legal basis for the use of Google Analytics is Art. 6 para. 1 subpara. 1 lit. a GDPR.
Bookings In Our App
Within the app you can make bookings for certain leisure activities for your stay at Schloss Elmau. All data requested is required to carry out the booking – including to identify the person making the booking and thus to prevent misuse – so that although you are not obliged to provide your data, you cannot make a booking without entering these data.
The data are stored for 14 days after the end of the booked leisure activities in order to enable a transfer to the accounting systems and are deleted after this period has expired. The legal basis for this storage is Art. 6 para. 1 subpara. 1 lit. b GDPR. The anonymized data of the bookings will continue to be used to analyze the booking behavior and to further develop the functionality. The further handling of your booking data is governed by the rules for other bookings to which reference is made.
Safety-relevant areas of our premises and grounds may be video-monitored. Cameras are installed openly. Video-monitored areas are marked with visible signs at least at the entrance. Recordings are made which are deleted after 72 hours unless they are further needed due to an incident. Recordings can only be viewed by employees responsible for corporate security. Every access to the recordings is logged to prevent misuse.
The legal basis for data processing is Art. 6 para. 1 subpara. 1 letter f GDPR. Legitimate interests are the exercise of our domestic authority, the avoidance or prosecution of abusive conduct, the clarification of cases of damage and the establishment or exercise of legal claims or the defence against legal claims. Video recordings will not be used for any other purposes.
Special Services And Situations
If you make use of special services or special situations arise, this may involve the processing of further personal data. In these cases, you will be informed separately and asked for your consent if necessary.
Data Processing Upon Job Applications
We are aware that job applications contain sensitive personal data. We therefore ask you not to send applications to our general postal or e-mail address, but always to the contact person named in each case. Please also note that data transmission on the Internet is generally insecure if it is not encrypted. Our servers support transport encryption (STARTTLS) so that the emails transmitted between your email provider and us are protected if your email provider uses transport encryption. Your e-mail provider can, however, read, copy and modify all your e-mails. If you are not sure that your e-mail provider uses transport encryption, we recommend that you apply to us by post.
Despite all security measures, we ask you to refrain from providing information in your application that is not required for the specific position. For example, we will only judge you on your suitability for the position in question so that you do not have to send us a photo or provide any information about your family situation, etc.
When you apply for a job with us, we will process the information we receive from you during the application process, e.g. by letter of application, CV, references, correspondence, telephone or verbal information. In addition to your contact details, your education, work experience and skills are of particular relevance to us.
Your data will initially be processed exclusively for the purpose of the application procedure. If your application is successful, it will be used in your personnel file and for the execution and termination of the employment relationship and deleted in accordance with the regulations applicable to personnel files. If we are currently unable to offer you employment, we will continue to process your data for up to six months after the notification of rejection in order to defend ourselves against possible legal claims, in particular due to alleged discrimination in the application process. If you receive cost reimbursements or other tax-relevant transactions (e.g. invitation to a meal), the corresponding accounting documents will be kept until March 31 of the eleventh calendar year after payment at the latest, or, in the case of commercial and business letters and other tax-relevant documents, of the seventh calendar year after their creation, in order to fulfil the commercial and tax retention obligations. Your data can initially be accessed by our human resources department, but if required also by the department of the position to which you applied, the legal department and the accounting department.
The legal basis for data processing in the application procedure and as part of the personnel file is Section 26 para. 1 sentence 1 BDSG and Art. 6 para. 1 subpara. 1 letter b GDPR and, if you have given your consent, for example by sending information not necessary for the application procedure, Art. 6 para. 1 subpara. 1 letter a GDPR. The legal basis for data processing after a refusal is Art. 6 para. 1 subpara. 1 letter f GDPR. The legal basis for the retention under commercial and tax law is Art. 6 para. 1 subpara. 1 lit. c GDPR in connection with Sections 147 AO, 257 HGB. The legitimate interest in processing on the basis of Art. 6 para. 1 subpara. 1 letter f GDPR is the defence against legal claims.
In general, we do not need to have any special categories of personal data within the meaning of Art. 9 GDPR for the application process. We ask you not to send us any such information from the outset. If, by way of exception, such information is relevant to the application process, we will process it together with your other applicant data. This may include, for example, information about a severe disability which you may voluntarily provide us with and which we must then process in order to fulfil our special obligations with regard to severely disabled persons. In these cases, processing serves the exercise of rights or the fulfilment of legal obligations under labour law, social security law and social protection. The legal basis for data processing is then Art. 9 para. 2 lit. b GDPR, Sections 26 para. 3 BDSG, 164 SGB IX.
Voluntary Provision Of Your Data
As a rule, you are not obliged to provide us with personal data. Exception: the information on the registration form (see “Processing Of Registration Data”). If you do not provide us with certain information that we need to handle your request (for example a way to contact you if you want an answer from us), we may not be able to do so. In the context of special procedures (e.g. when you make a booking or register for our newsletter) it may be necessary for you to provide us with certain information because otherwise we will not be able to process your order or send you the newsletter. However, we will always point this out to you in the specific situation.
Recipients Of The Data
Your personal data will remain in our area of responsibility, except in special exceptional cases (e.g. if we only act as intermediaries for third-party services), in which case, however, we expressly inform you to whom your data will be sent. Our administrators have the possibility to access data processed by IT. Furthermore, our website uses fonts from The Hoefler Type Foundry, Inc. d/b/a Hoefler & Co. (“Hoefler”). If your browser is configured accordingly, your browser establishes a direct connection to Hoefler when you visit our website, so that Hoefler is technically required to know your IP address and other data about your browser, which it automatically sends along. You can normally deactivate the loading of web fonts in your browser; then your browser will not establish a connection to Hoefler. The legal basis for processing is Art. 6 para. 1 subpara. 1 letter f GDPR. Our and your legitimate interest is a visually appealing presentation of our website. More information about Hoefler's processing of personal data can be found at https://www.typography.com/home/privacy.php. We list further recipients of your data in the notes on the respective data processing. In certain cases, we may need to disclose your personal data to third parties or exchange it with them so that you can obtain the desired service, in particular to vicarious agents such as banks and other payment service providers as well as postal and parcel service providers or forwarding companies.
In certain areas, such as web hosting, e-mail hosting and our online reservation system, we use processors. These are strictly bound to our instructions by an agreement on commissioned data processing and may not process the data for their own purposes.
Processing by us or our processors takes place only in the European Union, except for Google Analytics (also USA) and if you use the support chat of our app (use of services of Help Scout Inc. and Slack Technologies, Inc., USA). Google, Help Scout and Slack Technologies are certified under the Privacy Shield and thus offer an adequate level of data protection as decided by the EU Commission in an adequacy decision: https://www.privacyshield.gov
However, your personal data may be transferred to third countries outside the EU or the EEA if you use an agent or payment service provider in a third country, e.g. reporting to your agent that you have cancelled your booking or reporting your payment to your credit card company. Depending on which agent or payment service provider you use, the transfer to a third country is either permitted under Art. 45 GDPR if an adequacy decision of the EU Commission is available, or under Art. 49 para. 1 subpara. 1 letter b GDPR (transfer for the fulfilment of a contract or for the implementation of pre-contractual measures), Art. 49 para. 1 subpara. 1 letter c GDPR (transmission for the fulfilment of a contract concluded in the interest of the data subject) and Art. 49 para. 1 subpara. 1 lit. e GDPR (transmission for the establishment, exercise or defence of legal claims). Adequacy decisions of the EU Commission are currently available for Andorra, Argentina, Canada (restricted), Switzerland, Faroe Islands, Guernsey, Israel (restricted), Isle of Man, Jersey, New Zealand and Uruguay as well as for the USA within the framework of the “Privacy Shield”, insofar as the recipient is certified accordingly.
Automated Decision Making, Profiling
Automated decision making does not take place.
You have a right of access, to rectification or erasure, restriction of processing, to object to processing and to data portability under the respective statutory preconditions with regard to the personal data concerning you. In particular, you have the right to object to the processing of your data for advertising purposes at any time without incurring costs other than the transmission costs according to the basic rates of your provider (e.g. the costs of an e-mail = usually none). This applies, for example, if you were our guest and do not want to receive offers for similar stays. If the data processing is based on a consent, you have the right to withdraw your consent at any time without affecting the lawfulness of the processing carried out on the basis of consent until the withdrawal or of the processing on another legal basis. If you want to exercise these rights, you can simply write to firstname.lastname@example.org or click on the unsubscribe link in any email to unsubscribe. If we call you, you can of course also tell us directly in the conversation.
You also have the right to complain to a data protection supervisory authority about our processing of your personal data, for example to the supervisory authority responsible for us: Bayerisches Landesamt für Datenschutzaufsicht, Promenade 27, D-91522 Ansbach, telephone +49(0)981 53 1300, fax +49(0)981 53 98 1300, e-mail email@example.com. If you have any questions or requests regarding data protection, please feel free to contact us at any time: Your contact is firstname.lastname@example.org
Your Right To Object To Processing
To the extent that processing of your personal data is based on Art. 6 para. 1 subpara. 1 lit. e or f GDPR, you have the right to object to processing in accordance with Art. 21 GDPR. If your objection is made for reasons arising from your particular situation, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims. If your objection is directed against direct marketing, including profiling, insofar as it is connected with such direct marketing, we will no longer process your personal data for these purposes.