Das Steichele KG,
Knorrstraße 2-8, 90402 Nürnberg
Trade Register Number: HRA 16118
Managing Director: Bernhard Steichele
Telephone Number: +49 (0) 911 20 22 80
Last Update: 25.05.2018
1. Basic Information on Data Processing and the Legal Basis thereof
1.1. This data protection policy provides information on the form, scope and purpose of the processing of personal data that occurs in our online content and the websites, the functions and the content associated therewith (hereinafter collectively referred to as "online content" or "website"). This data protection policy applies regardless of the domains, systems, platforms and devices (e.g. desktop or mobile) on which the online content is provided.
1.2. The terms used herein, such as "personal data" or their "processing", refer to the definitions in Art. 4 of the General Data Protection Regulation (GDPR).
1.3. The personal data of users processed within the scope of this online content include personal data (e.g. name, address, telephone number, e-mail, payment details), usage data (e.g., visited websites belonging to our online content, interest in our products) and content data (e.g., entries in the contact form).
1.4. The term "user" covers all categories of data subjects. These include our business partners, customers, interested parties and other visitors of our online content. The terms used, such as "user", are to be understood as referring to both genders.
1.5. We only process personal user data in compliance with the relevant data protection provisions. This means that user data will only be processed in cases where there is an applicable statutory authorisation to do so, in particular in cases where data processing is necessary, or required by law, for the provision of our contractual services (e.g. for processing orders) and of our online content, where a user has given their consent, or on the basis of our legitimate interests (i.e. interest in the analysis, optimisation and economical operation and security of our online content within the meaning of Art. 6 para. 1 point (f) GDPR, in particular for coverage measurement, the creation of profiles for advertising and marketing purposes, the collection of access data and the use of third-party services).
1.6. Please note that the legal basis for consent is Art. 6 para. 1 point (a) and Art. 7 GDPR; the legal basis for data processing with regard to the fulfilment of our services and the carrying out of contractual measures is Art. 6 para. 1 point (b) GDPR; the legal basis for data processing with regard to the fulfilment of our legal obligations is Art. 6 para. 1 point (c) GDPR; and the legal basis for data processing in order to protect our legitimate interests is Art. 6 para. 1 point (f) GDPR.
2. Security Measures
2.1. We employ state-of-the-art organisational, contractual and technical security measures in order to ensure that the provisions of data protection laws are observed and thus to protect the data we process against accidental or intentional manipulation, loss, destruction or access by unauthorised persons.
2.2. These security measures include in particular the encrypted transmission of data between your browser and our server.
3. The Transfer of Data to Third Parties and Third-Party Providers
3.1. Data will only be transferred to third parties within the framework of statutory requirements. We will transfer user data to third parties only if, for example, this is necessary on the basis of Art. 6 para. 1 point (b) GDPR for contractual purposes, or on the basis of legitimate interests pursuant to Art. 6 para. 1 point (f) GDPR relating to the economical and effective operation of our business operations.
3.2. To the extent that we employ subcontractors to provide our services, we will take appropriate legal precautions as well as appropriate technical and organisational measures to ensure the protection of personal data in accordance with the relevant statutory provisions.
3.3. To the extent that, in the context of this data protection policy, contents, tools or other means provided by other providers (hereinafter collectively referred to as "third-party providers") are used and the provider’s declared registered office is located in a third country, it is to be assumed that a data transfer occurs to the countries in which the third-party providers have their registered office. Third countries are understood to be countries in which the GDPR is not directly applicable law, i.e. in principle countries outside the EU or the European Economic Area. The transfer of data to third countries occurs in cases where there is an appropriate level of data protection, or where user consent is given, or otherwise where statutory authorisation is available.
4. Provision of Contractual Services
4.1. We process basic data (e.g., names and addresses as well as contact data of users), contract data (e.g., services used, names of contact persons, payment information) for the purpose of fulfilling our contractual obligations and services pursuant to Art. 6 para. 1 point (b) GDPR.
4.2. Users can create a user account on our online reservation portals (e.g. room reservations, table reservations), in which, in particular, they can view their reservations. During the registration process, the users will be informed of what information is required. The user accounts are not public and cannot be indexed by search engines. When users have terminated their user account, their data with regard to the user account will be deleted, subject to mandatory storage by reason of commercial law or tax law pursuant to Art. 6 para. 1 point (c) GDPR. Upon notice of termination of the account, it is up to the users to save their data before the end of the contract. We are entitled to irretrievably delete all user data stored during the term of the contract.
4.3. In the context of room reservations as well as online table reservations, we store the IP address and the time of the user activity in question. The data is stored on the basis of our legitimate interests as well as in the interest of the user for protection against misuse and other unauthorized use. In principle, this data is not transferred to third parties, unless it is necessary for the pursuance of our claims or there is a legal obligation to do so pursuant to Art. 6 para. 1 point (c) GDPR.
5. Contacting Us
5.1. When we are contacted (via contact form or e-mail), the user's details will be processed in order to handle and carry out the contact request in accordance with Art. 6 para. 1 point (b) GDPR.
5.2. User information may be stored in our Customer Relationship Management System ("protel Hotelsoftware") or in a comparable form of request organisation.
5.3. On the basis of our legitimate interests (efficient and prompt processing of user enquiries), we use the hotel system of the provider protel hotelsoftware GmbH, Europaplatz 8, 44269 Dortmund, Germany. For this purpose, we have concluded a contract with protel hotelsoftware GmbH containing what are known as standard contract clauses in which protel hotelsoftware GmbH undertakes to process user data only in accordance with our instructions and in compliance with the EU data protection levels.
6. Collection of Access Data and Log Files
6.1. On the basis of our legitimate interests within the meaning of Art. 6 para. 1 point (f) GDPR, we collect data on every access to the server on which this service is located (known as "server log files"). Access data includes the name of the accessed website, the accessed file, the date and time of access, the transferred data volume, the notification of successful access, the browser type and version, the user's operating system, the referer URL (the previously visited page), the IP address and the requesting provider.
6.2. Log file information is stored for security reasons (e.g. to investigate misuse or fraud) for a maximum of seven days and is then deleted. Data that requires further storage for evidentiary purposes is excluded from deletion until the respective incident is definitively resolved.
7. Cookies & Coverage Measurement
7.1. Cookies are information that is transferred from our web server or from third-party web servers to the user's web browser and stored there for later retrieval. Cookies can be small files or other types of information storage.
7.2. We use "session cookies", which are stored on our website only for the duration of your current visit (e.g. to enable the storage of your login status or of the shopping basket function and thus to enable the use of our online content in the first place). A randomly generated unique identification number, a so-called session ID, is stored in a session cookie. A cookie also contains information about its origin and its storage period. These cookies cannot store any other data. Session cookies are deleted once you have finished using our online content and, for example, you log out or close your browser.
7.4. In case users do not want cookies to be stored on their computer, they are asked to deactivate the corresponding option in their browser settings. Stored cookies can be deleted in the browser settings. The deactivation of cookies may lead to limited functionality of this online content.
8. Google Analytics
8.2. Google is certified under the Privacy Shield Agreement and thereby guarantees compliance with European data protection law (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active).
8.3. Google will use this information on our behalf in order to evaluate the use of our online content by users, to compile reports on the activities within this online content and to provide us with further services related to the use of this online content and the Internet. Pseudonymous use profiles of the users may be created using the processed data.
8.4. We use Google Analytics to only display ads placed by Google's and its partners' advertising services to those users who have also shown interest in our online content or who exhibit particular features (e.g. interest in certain topics or products that is determined on the basis of the websites visited) that we transmit to Google (known as "remarketing audiences" or "Google Analytics audiences"). Using remarketing audiences, we would also like to ensure that our ads correspond to the potential interests of users and do not act as a nuisance.
8.5. We only use Google Analytics with IP anonymisation enabled. This means that Google will shorten the IP address of users within Member States of the European Union or in other states party to the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and shortened there.
8.6. The IP address transmitted by the user's browser is not combined with other Google data. Users can prevent the storage of cookies by using such a setting in their browser software; furthermore, users can prevent Google from collecting the data generated by the cookie which relates to their use of the online content as well as the processing of this data by Google by downloading and installing the browser plug-in available under the following link: http://tools.google.com/dlpage/gaoptout?hl=en.
8.7. Further information on data use by Google, settings and opt-out options can be found on Google’s websites: https://policies.google.com/technologies/partner-sites?hl=en ("Data use by Google when using our partners' websites or apps"), https://policies.google.com/technologies/ads?hl=en ("Data use for advertising purposes"), http://www.google.de/settings/ads ("Manage information that Google uses to show you advertising").
9. Google (Re)Marketing Services
9.1. On the basis of our legitimate interests (i.e. interest in the analysis, optimisation and economical operation of our online content within the meaning of Art. 6 para. 1 point (f) GDPR), we make use of the marketing and remarketing services (hereinafter "Google Marketing Services") of Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA ("Google").
9.2. Google is certified under the Privacy Shield Agreement and thereby guarantees compliance with European data protection law (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active).
9.3. Google Marketing Services enable us to display ads that are more targeted for and on our site, in order to only present users with ads that potentially match their interests. If a user is presented, for example, with ads for products in which they have shown interest on other websites, this is referred to as "remarketing". For these purposes, when our website or other websites on which Google Marketing Services are active are accessed, Google directly implements code from Google and (re)marketing tags (invisible graphics or code, also known as "web beacons") are integrated into the website. With their help, an individual cookie, i.e. a small file, is stored on the user's device (instead of cookies, comparable technologies may also be used). Cookies may be placed by various domains, including google.com, doubleclick.net, invitemedia.com, admeld.com, googlesyndication.com or googleadservices.com. This file records which websites the user visits, which contents he or she is interested in and which offers he or she has clicked on. It also contains technical information relating to the browser and operating system, referring websites, time of visit, as well as further information on the use of the online content. Users’ IP addresses are also recorded, whereby we specify under the heading Google Analytics that the IP address is shortened within Member States of the European Union or in other states party to the European Economic Area Agreement, and only in exceptional cases is the full IP address transmitted to a Google server in the USA and shortened there. The IP address is not combined with the user's data from other Google services. Google may also link the above information to corresponding information from other sources. When the user subsequently visits other websites, ads tailored to his or her interests may be displayed.
9.4. In the context of Google Marketing Services, user data are processed pseudonymously. This means that Google does not store and process, for example, the names or e-mail addresses of users, but rather it processes the relevant data in relation to a cookie within pseudonymous user profiles. This means that from Google's standpoint, the ads are not managed and displayed with regard to a specifically identified person, but rather with regard to the cookie holder, regardless of who this is. This does not apply where a user has expressly permitted Google to process the data without such pseudonymous user profiles. The information on users collected by Google Marketing Services is transmitted to Google and stored on Google's servers in the USA.
9.5. One of the Google Marketing Services we use is the online advertising program "Google AdWords". In the case of Google AdWords, each AdWords customer receives a different "conversion cookie". Cookies therefore cannot be traced via the websites of AdWords customers. The information collected by the cookie is used to generate conversion statistics for AdWords customers who have opted for conversion tracking. AdWords customers are shown the total number of users who clicked on their ad and were redirected to a page with a conversion tracking tag. The AdWords customers, however, do not receive any information that would allow them to personally identify users.
9.7. In addition, we may also use "Google Tag Manager" to integrate and manage the analytical and marketing services provided by Google on our website.
9.8. Further information on Google’s use of data for marketing purposes can be found on the overview page: https://www.google.com/policies/technologies/ads. Google's data protection declaration is available under https://www.google.com/policies/privacy.
9.9. If you wish to opt out of interest-based advertising by Google Marketing Services, you can use the settings and opt-out options provided by Google: http://www.google.com/ads/preferences.
10. Facebook Social Plugins
10.1. On the basis of our legitimate interests (i.e. interest in the analysis, optimisation and economical operation of our online content within the meaning of Art. 6 para. 1 point (f) GDPR), we use Social Plugins ("plugins") provided by the social network facebook.com, which is operated by Facebook Ireland Ltd, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland ("Facebook"). The plugins may present elements of interaction or content (e.g. videos, graphics or texts) and are identified by one of the Facebook logos (white "f" on a blue icon, the terms "Like", "Gefällt mir" or a "thumbs up" logo) or by the additional label "Facebook Social Plugin". The list and appearance of Facebook Social Plugins may be viewed here: https://developers.facebook.com/docs/plugins/?locale=en_US.
10.2. Facebook is certified under the Privacy Shield Agreement and thus guarantees compliance with European data protection law (https://www.privacyshield.gov/participant?id=a2zt0000000GnywAAC&status=Active).
10.3. When a user uses a function in the online content that contains such a plugin, their device establishes a direct connection with Facebook’s servers. The content of the plugin is transferred by Facebook directly to the user’s device and this integrates it into the online content. Use profiles of the users may be created using the processed data. We thus have no influence on the amount of data Facebook collects by means of this plugin and therefore inform users according to our level of knowledge.
10.4. By means of the integration of plugins, Facebook receives information that a user has accessed the relevant page of the online content. If the user is logged in to Facebook, Facebook can link the visit to the user’s Facebook account. When users interact with the plugins, for example by clicking the “Like” button or by posting a comment, the information is sent directly from their device to Facebook and stored there. If a user does not have a Facebook account, it is still possible for Facebook to obtain and store their IP address. According to Facebook, in Germany it only stores an anonymized IP address.
10.5. On the purpose and scope of the data collection and the further processing and use of the data by Facebook, as well as on the relevant rights and settings options relating to the protection of the users’ privacy, users can consult Facebook's data protection notice: https://www.facebook.com/about/privacy/.
10.6. If a user has a Facebook account and does not want Facebook to collect, via this online content, data relating to him or her and to link it to his or her account data stored by Facebook, he or she must log out of Facebook before using our online content and delete his or her cookies. Further settings and options for opting out of the use of data for advertising purposes are possible within the Facebook profile settings: https://www.facebook.com/settings?tab=ads or via the US website http://www.aboutads.info/choices/ or the European website http://www.youronlinechoices.com/. The settings apply regardless of platform, i.e. they apply for all devices, such as desktop computers or mobile devices.
11. The Integration of Third-Party Services and Content
11.1. In our online content, on the basis of our legitimate interests (i.e. interest in the analysis, optimisation and economical operation of our online content within the meaning of Art. 6 para. 1 point (f) GDPR) we use the contents or services provided by third parties, in order to incorporate their content and services, such as videos or fonts (hereinafter collectively referred to as "contents"). This always necessitates the third-party providers of these contents detecting a user’s IP address, as without the IP address they could not send the content to the user’s browser. The IP address is thus required for the display of these contents. We make every effort to use only those contents the respective providers of which use the IP address only for the delivery of the contents. Third-party providers may also use so-called pixel tags (invisible graphics, also known as "web beacons") for statistical or marketing purposes. Information, such as visitor traffic on the pages of this website, can be evaluated by means of "pixel tags". The pseudonymous information may also be stored in cookies on the user's device and may include, among other things, technical information on the browser and operating system, referring websites, time of access and other information about the use of our online content, and may also be linked with such information from other sources.
11.2. The following provides an overview of third-party providers and their contents, together with links to their data protection policies, which contain further information on the processing of data and, as already mentioned here in some cases, opt-out options:
- In case our customers use the payment services of third parties (e.g. PayPal or Sofortüberweisung), the terms and conditions as well as the data protection notices of the respective third party providers, which can be accessed on their respective websites or transaction applications, apply.
- For carrying out room bookings via our Internet presence, we work together with HOTEL SPIDER, Route de Champ-Colin, 18 CH-1260 Nyon, SWITZERLAND. For this, the transmission of your data is encrypted. For online bookings in our gastronomic areas of activity, we cooperate with OpenTable GmbH, Zeil 109, Frankfurt 60313, (https://www.opentable.com/legal/privacy-policy). We have also concluded data protection agreements with these companies to ensure the protection of your personal data.
- Functions of the Instagram service are integrated into our online content. These functions are provided by Instagram Inc, 1601 Willow Road, Menlo Park, CA, 94025, USA. If you are logged into your Instagram account, you can link the contents of our pages to your Instagram profile by clicking the Instagram button. In doing so, Instagram can match the visit to our pages with your user account. Please note that, as the provider of these pages, we are not aware of the content of the data transmitted or how it is used by Instagram. Data Protection Policy: https://help.instagram.com/155833707900388.
12. User Rights
12.1. Users have the right, upon request and free of charge, to obtain information on the personal data pertaining to them that we have stored.
12.2. In addition, users have the right to correct inaccurate data, to limit processing and to have their personal data deleted, and, if applicable, to assert their rights to data portability and, in the event of the assumption of unlawful data processing, to file a complaint with the competent supervisory authority.
12.3. Users may also revoke their consent, generally with effect for the future.
13. The Deletion of Data
13.1. The data stored with us will be deleted as soon as it is no longer required for its intended purpose and there are no legal storage obligations preventing deletion. To the extent that the user's data are not deleted because they are necessary for other and legally permissible purposes, their processing is restricted. In other words, the data is blocked and not processed for other purposes. This applies, for example, to user data that must be retained by reason of commercial or tax law.
13.2. In accordance with statutory requirements, storage shall be for 6 years in accordance with § 257 (1) of the German Commercial Code (Handelsgesetzbuch - HGB) (trading books, inventories, opening balance sheets, annual financial statements, commercial letters, receipts, etc.) and for 10 years in accordance with § 147 (1) of the German Fiscal Code (Abgabenordnung - AO) (account books, records, management reports, accounting documents, commercial and business letters, documents relevant to taxation, etc.).
14. The Right to Object
In accordance with the statutory requirements, users may object to the future processing of their personal data at any time. In particular, the objection may be directed against processing for the purposes of direct marketing.
15. Changes to the Data Protection Policy
15.1. We reserve the right to change the data protection policy in order to adapt it to changed legal situations, or to changes in service and changes in data processing. However, this only applies with regard to declarations on the processing of data. Insofar as user consent is required or parts of the data protection policy contain provisions within the remit of the contractual relationship with the users, changes can only be made with the user’s consent.
15.2. Users are requested to regularly inform themselves on the content of the data protection policy.