(current as of April 2019)
Thank you for visiting our website and your interest in our company. The protection of your personal data is important to us. Pursuant to Articles 12, 13 and 21 of the General Data Protection Regulation (GDPR), this policy explains how your personal data is handled when you use our website http://stellaris-apartment.de/.
Personal data refers to any particulars about the personal or material circumstances of an identified or identifiable person. These include information such as one’s legal name, address, phone number and date of birth.
Realotel Garching Hotelbetriebs GmbH
c/o Stellaris Apartment Hotel
2. Data Protection Officer
The in-house Data Protection Officer at Realotel Garching Hotelbetriebs GmbH can be contacted at the above address, Data Protection Department, or by email to: email@example.com.
3. Purposes and legal grounds for processing data
3.1 Use of the website for informational purposes
You can visit our website without providing any information about yourself. We do not process any personal data if you use our website merely for informational purposes, except for data that is sent by your browser to allow you to visit our website and information that is sent to us by cookies used for statistical analysis of the use of our website.
3.1.1 Technical provision of the website
In order to have technology that provides our website, we, the website operator/provider, are required to process certain information of yours that is sent automatically so that your browser can display our website and so that you can use our website. This information is collected automatically every time you access our website and pertains to the visitor’s computer system. The following information is collected:
Your data that we collect using the above cookies will not be used by us to create user profiles or to analyse your surfing patterns.
We process your personal data for the technical provision of our website on the following legal grounds:
3.1.2 Statistical analysis of website use and increase in reach
We use Google Analytics and the Facebook Pixel, and by extension cookies, which all allow analysis of your surfing behaviour so that we can perform a statistical analysis of how our website is used. By doing this, we can improve the quality of our website and its content. We learn how the website is used and can thus continually optimise our service.
The information obtained in connection with statistical analysis of our website is not combined with any other data of yours collected by the website.
We process your personal data for statistical analysis of your use of our website on the following legal grounds:
Your consent pursuant to Article 6(1)(a) GDPR
Our website uses Google Analytics, a Web analytics service provided by Google Inc. Google Analytics uses ‘cookies’, text files that are stored on your computer and enable analysis of your use of the website. The information generated by cookies about your use of our website is usually transmitted to and saved on a server operated by Google in the United States. However, if IP anonymisation is enabled on this website, Google will truncate your IP address within member states of the European Union or in other countries that are contracting parties to the Agreement on the European Economic Area beforehand. Your full IP address will only be transmitted to a Google server in the United States and truncated there in exceptional cases. Google uses this information on our behalf to analyse your use of the website, compile website activity reports and render for the website operator further services associated with use of our website and the Internet. The IP address transmitted from your browser through Google Analytics will not be combined with other Google data.
We use Google Analytics with the extension ‘anonymizelp()’ on our website. This means that IP addresses are truncated when they are processed further, preventing them from being attributed to an individual directly.
We only use Google Analytics with your consent. You can withdraw the consent you have given by:
More detailed information about terms and conditions of use and data privacy for Google Analytics can be found at http://www.google.com/analytics/terms/en.html or at https://www.google.com/intl/en/policies/
Facebook Connect Pixel
We use the ‘Facebook Pixel’ on our website on the basis of your consent to the analysis, optimisation and economic operation of our website. This feature is provided by Facebook Inc., 1 Hacker Way, Menlo Park, CA 94025, United States or, if you are located in the EU, Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (‘Facebook’). Using the Facebook Pixel, Facebook can designate visitors of our Web offering as an audience for the advertising it displays, its ‘Facebook ads’. Accordingly, we use the Facebook Pixel so that the Facebook ads we place are displayed only to Facebook users who themselves have displayed interest in our online offer. This means that we seek to use the Facebook Pixel to ensure that our Facebook ads align with users’ potential interests and are not annoying. Furthermore, we use the Facebook Pixel so that we can measure the effectiveness of our Facebook ads for statistical and market research purposes. We do this by seeing if users are redirected to our website after clicking on a Facebook ad (what is called ‘conversion’ or ‘user interaction’).
The Facebook Pixel is automatically activated by Facebook when you visit our website and may store a cookie, i.e. a small file, on your device. If you then log into Facebook or visit Facebook when logged in, your visit to our online offer will be recorded on your profile. The data collected from you is anonymous for us and therefore cannot be used by us to infer user identities. However, the data is stored and processed by Google, which means that it is possible to match it with the relevant user profile. Consequently, usage profiles might be created for users based on processed data. Facebook processes data within the scope of Facebook’s Data Policy. Accordingly, you can obtain additional information on how the retargeting pixel works and how Facebook ads are displayed from Facebook’s Data Policy at: https://www.facebook.com/policy.
You can prevent the Facebook Pixel from processing your data by:
Google Tag Manager
We use Google Tag Manager, provided by Google, on our website. Google Tag Manager is a solution that marketers can use to manage website tags through one interface. The Google Tag Manager service itself (which implements the tags) is a cookieless domain and does not collect any personal data. The Google Tag Manager service enables other tags to be triggered, and these tags may in some cases collect data. Google Tag Manager does not access this data. If a deactivation has been put into effect at domain or cookie level, it will remain valid for all tracking tags implemented by Google Tag Manager.
Google Maps, a service provided by Google Inc., is integrated into our website.
Your browser loads the required map images when you visit a page. For this purpose, your browser must connect to Google’s servers. Through this process, Google learns that our website is being accessed from your IP address.
We process your personal data on the following legal grounds:
Based on our legitimate interest pursuant to Article 6(1)(f) GDPR. Our legitimate interest is in having the design of our website meet user needs and in offering simple navigation to our hotel.
3.1.3 Social links
A link to the Facebook service is integrated into our website. If you click on a link, you will be redirected to the website of the provider – in other words, user information will not be transferred to the relevant provider until this point in time. For details of how your data is handled when you use Facebook’s websites, please refer to this provider’s Data Policy (https://facebook.com/policy.php).
3.2 Active use of the website
In addition to using our website for purely informational purposes, you can also actively use our website. In this case, we also use additional personal data of yours alongside the personal data of yours processed as above when you use the website purely for informational purposes.
3.2.1 Room bookings
When you book a room, we process the personal data that you provide to us for this purpose. This data includes your name, home address, contact options and payment method.
We process your personal data for room bookings on the following legal grounds:
To perform a contract or to take steps prior to entering into a contract pursuant to Article 6(1)(b) GDPR
3.2.2 Guest enquiries
In order to process and respond to your enquiries, for example, those we receive via the contact form or email, we process the personal data provided by you when you send your enquiry. This will in any case include your name and email address so that we can send you a reply as well as other information you provide us as part of your message.
We process your personal data to respond to guest enquiries on the following legal grounds:
For the purposes of our legitimate interests pursuant to Article 6(1)(f), of the GDPR; our legitimate interest is in providing an appropriate response to guest enquiries
We engage a payment services provider in order to process payment for your reservation.
We process your personal data to fulfil orders placed on our website on the following legal grounds:
To perform a contract or to take steps prior to entering into a contract pursuant to Article 6(1)(b) GDPR
Compliance with legal requirements
We also process your personal data to comply with other legal obligations that we incur in connection with the fulfilment of your order. These include retention periods mandated under commercial, trade and tax laws.
We will process your personal data in this case on the following legal grounds:
For compliance with a legal obligation to which we are subject under Article 6(1)(c) GDPR in conjunction with commercial, trade or tax legislation, provided we are required to record and retain your data
Enforcement of rights
We also process your personal data so that we can establish our rights and enforce our legal claims. Similarly, we also process your personal data so that we can defend ourselves against legal claims. Moreover, we also process your personal data where it is required for the prevention or prosecution of criminal offences.
We process your personal data for these purposes on the following legal grounds:
For the purposes of our legitimate interests pursuant to Article 6(1)(f) GDPR if we are establishing legal claims, defending ourselves in legal disputes or preventing or investigating criminal offences
3.2.3 Sending an application
We will process your personal data as part of your application for employment so far as you provide this data to us. Application documents may include special categories of personal data.
Processing of personal data
Applicant details generally include the following: first name and surname, academic title, if applicable; date and place of birth, contact details (address, email, landline and/or mobile number), application documents (cover letter, CV, references), language proficiency and other skills. We also process data that you send us by email when you contact us.
We use the personal data provided by you as permitted under statutory provisions to provide a basis for our decisions during the application process. We use your professional qualifications, for example, to decide whether to shortlist you or invite you for an interview so that we can gain a personal impression of you and decide whether to offer you the position for which you have applied.
We will process your personal data in this case on the following legal grounds:
Data processing to decide on recruitment, Article 88(1) GDPR in conjunction with Article 26(1) German Data Protection Act (Bundesdatenschutzgesetz, BDSG) as amended
Processing of special categories of personal data
According to Article 9 GDPR, special categories of personal data refer to personal data revealing racial or ethnic origin, political opinions, religious (for example, details on one’s religious denomination) or philosophical beliefs or trade union membership and/or the processing of biometric data for the purpose of uniquely identifying a natural person (for example, photos), data concerning health (for example, details of level of disability) or data concerning a natural person’s sex life or sexual orientation. If your CV includes special categories of personal data, we do not collect these intentionally. Please do not send us such data.
If, as part of your application documents, you send us special categories of personal data in accordance with Article 9(1) GDPR, voluntarily and contrary to our explicit request (your photo or details of your religious denomination, for example), we will store this data on the basis of your consent in accordance with Article 88(1) GDPR in conjunction with Article 26(3) BDSG as amended. This will also apply if you provide us with further special personal data as the application process continues. By sending this information voluntarily, you agree to this special personal data being stored as part of the application process.
Normally we do not consider such special personal data when making recruitment decisions unless compelled by legal obligations to consider such special personal data. It may be the case with some job vacancies, for example, that persons with disabilities are afforded preferential treatment in accordance with applicable legislation. In such cases, information is always voluntary and provided based on the explicit consent you give us by sending this information voluntarily.
We will process your special personal data on the following legal grounds:
In accordance with Article 9(1) GDPR, based on your consent pursuant to Article 88(1) GDPR in conjunction with Article 26(3) BDSG as amended
Some sections of our website contain links to the websites of third-party providers. These websites are subject to their own data privacy policies. We are not responsible for their operation, including their handling of data. If you send information to or via such third-party sites, you should check the privacy policies of these sites before sending information that can be attributed to you personally.
5. Categories of recipients
Only our employees receive your personal data initially. In addition, we also share your personal data with other recipients that provide services in connection with our website where this is permitted or required by law. We restrict the disclosure of your personal data to only what is necessary, including to be able to fulfil your order. Some of our service providers receive your personal data in their capacity as processors and, in this case, are strictly bound by our instructions when handling your personal data. In some cases, the recipients act independently with the data of yours that we send to them.
The types of entities receiving your personal data are indicated below:
6. Transfer to a third (non-EU) country
We transfer your data to entities that are based in countries outside of the European Union (EU) and European Economic Area (EEA) (i.e. to ‘third’ countries) and contracted by us to work as processors (e.g. IT contractors or data centres). We transfer your truncated IP address to the United States as part of our use of Google Analytics.
Where the European Commission has not issued a decision on whether the relevant country ensures an adequate level of data protection, we enter into agreements that ensure your rights and freedoms are adequately protected and safeguarded. Alternatively, data may be transferred based on Commission Implementing Decision (EU) 2016/1250 of 12 July 2016 in accordance with Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection afforded by the EU-US Privacy Shield. We are happy to provide the corresponding information in detail on request.
Apart from the above, we do not transfer your personal data to countries outside the EU or the EEA or to international organisations
7. Duration of storage
7.1 Use of the website for informational purposes
When you use our website for purely informational purposes, we store your personal data on our servers only for the duration of your visit to our website. Your personal data is deleted without undue delay as soon as you leave our website.
Cookies set by us are generally also deleted after you leave our website. However, this does not apply to the cookie storing the chosen travel date. This cookie will be stored for a period of 30 days. The Google Analytics cookie is stored alongside this cookie, though for a period of 26 months. You also have the option of deleting stored cookies at any time by yourself.
7.2 Active use of the website
When you use our website actively, we initially store your personal data for the period required to respond to your enquiry or for the duration of our business relationship. This includes the initiation of a contract (legal relationship prior to entering into a contract) and the performance of a contract.
In addition, we store your personal data following this until the expiry of limitation periods for any legal claims arising from our relationship with you, in case we need to use the data as evidence. Limitation periods are generally between 12 and 36 months, though may last up to 30 years.
We delete your personal data once limitation periods expire unless there is a statutory retention period, for example one under the German Commercial Code (Sections 238, 257(4) Handelsgesetzbuch, HGB) or German Tax Code (Section 147(3), (4) Abgabenordnung, AO). Such retention obligations may last between two and ten years.
8. Your rights as a data subject
The law provides you, the data subject, the following rights which you may exercise against us:
Right of access: Article 15 GDPR gives you the right to obtain from us at any time confirmation as to whether or not personal data concerning you is being processed, and, where that is the case, Article 15 GDPR further entitles you to access to the personal data and certain other information (including the purposes of the processing, categories of personal data, categories of recipient, envisaged period of storage, source of the data, use of automated decision-making and, where transferred to a third country, appropriate safeguards); you also have the right to obtain a copy of your personal data.
Right to rectification: Article 16 GDPR gives you the right to obtain from us the rectification of inaccurate or erroneous personal data concerning you that we have stored.
Right to erasure: Article 17 GDPR gives you the right to obtain from us the erasure of personal data concerning you without undue delay. You will not have the right to erasure if processing of the personal data is necessary for (i) exercising the right of freedom of expression and information, (ii) compliance with a legal obligation to which we are subject (for example, statutory retention obligations), or (iii) the establishment, exercise or defence of legal claims.
Right to restriction of processing: Article 18 GDPR gives you the right to obtain from us the restriction of processing of your personal data.
Right to data portability: given certain conditions, Article 20 GDPR gives you the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format.
Right to withdraw consent: you have the right to withdraw your consent to the processing of personal data at any time with future effect.
Right to object: given certain conditions, Article 21 GDPR gives you the right to object to the processing of your personal data, which will consequently force us to cease processing your personal data. Your right to object is subject to the limits provided in Article 21 GDPR. Furthermore, our interests may oppose ceasing processing, meaning that we may remain entitled to continue processing your personal data despite your objection.
Right to lodge a complaint with a supervisory authority: given certain conditions, Article 77 GDPR gives you the right to lodge a complaint with a supervisory authority, in particular, one in the member state of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data concerning you infringes the GDPR. The right to lodge a complaint exists without prejudice to any other administrative or judicial remedy.
The competent supervisory authority in our case is:
Der Hessische Beauftragte für Datenschutz und Informationsfreiheit
(Hessian Commissioner for Data Protection and Freedom of Information)
65021 Wiesbaden, Germany
Phone: +49 (0)611 140 80
Fax: +49 (0)611 1408 611
However, we recommend that you always send your complaint to our Data Protection Officer first before you contact the above office.
Where possible, you should send requests to exercise your rights in writing to the above address or directly to our Data Protection Officer.
9. Extent to which you are required to provide data
Generally, you are not obliged to provide us with your personal data. However, if you do not do so, we will not be able to make our website available to you, respond to your enquiries or enter into a contract with you. Personal data not absolutely necessary for the processing purposes listed above can be identified as voluntary based on the wording ‘if/where appropriate/necessary’ or another symbol.
10. Automated decision-making/profiling
We do not use automated decision-making or profiling (automated analysis of your personal situation).
Last revised in April 2019