Rights of data subjects

As a data subject, you have the following rights when filing an application:

the right to have confirmation of whether the data concerning you is being processed and if so, the right to information on the data we hold on you as well as further additional information on the purposes of the processing, data categories, data recipients, storage period, the origin of the data, existence of automated decision-making and, in the event that data is transferred outside of the European Union, information regarding the appropriate guarantees as well as a free copy of the stored data (Art. 15 GDPR).
the right to have inaccurate data corrected (Art. 16 GDPR),
the right to have data deleted if there is no legal basis for its continued storage (Art. 17 GDPR),
the right to restrict the processing of data for specific purposes (Art. 18 GDPR),
the right to data portability (Art. 20 GDPR) and
the right to object to the processing of your data (Art. 21 GDPR).

Any data processing is only lawful if there is legal permission for it and the conditions of the law are fulfilled. These are determined by the EU general data protection regulation and, additionally, by national laws. We will inform you of the respective legal basis in the even of a request. We explicitly point out that cases in which processing can be based on several legal bases that apply alongside one another are possible.

If the processing of your data is based on consent, then you have the right to withdraw the consent you have given at any time. The legality of the processing performed on the basis of the consent given until the revocation is not affected by the revocation.

Gesonderte Information über das Widerspruchsrecht nach Artikel 21 DSGVO

In accordance with Art. 21 Para. 1 GDPR, you have the right, for reasons arising from your particular situation, to file an objection at any time against the processing of your personal data, which takes place on the basis of Article 6 Para. 1 Subparagraph f of the GDPR (processing for the protection of the legitimate interests of the responsible authority or of a third party).
Should you file an objection, we will no longer process your personal data unless we can prove compelling and legitimate reasons for the processing which outweigh your interests, rights, and liberties, or the processing is conducive to the assertion, exercise, or defence of legal claims.
If the processing takes place in order to conduct direct advertising, you then have the right, in accordance with Art. 21 Para. 2 GDPR, to file an objection at any time against the processing of your personal data for the purpose of such advertising.
Finally, you have the right to contact our company’s external data protection officer to request support or information at any time free of charge. They are bound to secrecy with regards to your enquiry provided that it concerns the processing of your data and as long as you have not released them from their obligation to secrecy.
In addition, in accordance with Art. 77 GDPR you have the right to file a complaint to a supervisory authority if you are of the opinion that the processing of your data breaches data protection regulations. You can thereby contact the data protection supervisory authority of your home country or, in Germany, you can contact the competent supervisory authority of the federal state in which you live. You can find a current overview of the contact details here:
https://www.datenschutzkonferenz-online.de/datenschutzaufsichtsbehoerden.html

However, you can also contact the leading supervisory authority of the head office directly:

Der Landesbeauftragte für Datenschutz
und Informationsfreiheit Mecklenburg-Vorpommern
Schloss Schwerin, Lennéstraße 1,
19053 Schwerin
T: +49 385 59494 0
F: +49 385 59494 58
info@datenschutz-mv.de
www.datenschutz-mv.de; www.informationsfreiheit-mv.de
https://www.datenschutz-mv.de/kontakt/kontaktformular/

Deviating from this, each supervisory authority is responsible for dealing with any complaints filed with it or any breach of the regulation if the subject relates only to an establishment in its member state or if the data subject has been significantly affected in the member state.

arcona Management GmbH has concluded an agreement with the operating companies of its hotels. Together, the parties will assume the responsibility for processing the data of their guests, customers, staff, applicants, and business partners. We would like to inform you of this.
These companies operate jointly under the name:


arcona Management GmbH, August-Bebel-Straße 55, 18055 Rostock
info(at)arcona.de
T: +49 381 873 949 00
F: +49 381 873 949 99

Any data subject can contact the data protection team as a single point of contact free of charge at the e-mail address: dsb-nord(at)ecovis.com for all data protection-related questions and with all requests. However, regardless of this agreement, you can also assert your rights with and against any of the participating companies (see point 2).

All companies have appointed

ECOVIS Keller Rechtsanwälte PartG mbB
Lawyer Axel Keller / Senior Associate Karsten Neumann
Am Campus 1 – 11, 18182 Rostock-Bentwisch
T: 0381 128849 0 | dsb-nord@ecovis.com
www.ecovis.com/datenschutzberater

as data protection officer.

Participating companies
Those participating in the agreement are:
arcona Management GmbH
August-Bebel-Straße 55, 18055 Rostock

AH Elephant Betriebs GmbH
• Hotel Elephant Weimar

arcona Hotelbetriebs GmbH
• Golfclub Schloss Teschow e.V.
• Koopmanns Hotel und Lädchen, Göhren

Wyn by arcona Betriebs GmbH
• Wyn Strandhotel Sylt

arcona Ostseehotels & Appartements GmbH
• Hotel Kaiserhof, Heringsdorf

Vju by arcona Betriebs GmbH
• Hotel Vju, Göhren

Barefoot Hotel Portocolom S.L.U.
• Barefoot Hotel Mallorca, Portocolom, Mallorca, Spanien

arcona 25. Hobelbetriebsgesellschaft mbH
• Hotel SEEZEICHEN, Ahrenshoop

Zur Historischen Mühle Potsdam GmbH
• Gastronomie „Zur Historischen Mühle Potsdam“

Key content of the agreement and processing purposes
As part of their joint data protection responsibility, the aforementioned parties have stipulated who of them will fulfil which obligations in accordance with the GDPR. In particular, this concerns the exercise of the data subjects’ rights and the fulfilment of the information requirements pursuant to Art. 13, 14 GDPR.
Subjects of the joint data protection processes are more particularly:

Marketing
Using appropriate software and service providers, the data of guests and interested parties is used to manage and send newsletters.
Similarly, further marketing measures regarding the upkeep and maintenance of the website, search engine optimisation, social media marketing, website analysis and online reputation are implemented.
Marketing measures are carried out electronically as part of automated processing to attract and retain guests.

Booking
By using various service providers and partners, different distribution channels can be used and offered.
Guests are able to book by phone or email; via our website; through portals; using online travel agents or via tour operators. In the process, there is an exchange of data with the appropriate partners to offer the guest the booked service.

Management of guest data
The management of guest data in all establishments is organised and managed centrally. By means of central software, guest profiles are created across all establishments in order to take a holistic view of the guest and be able to provide appropriate service. Hosting and support are organised centrally with the help of a service provider.
The processing of guests’ data already begins at the booking and is developed through measures and offers during check-in (e.g. registration form), the stay (e.g. restaurant reservation, additional services) and checkout (e.g. billing, satisfaction survey, advertising).

Sales
In the area of sales, contracts with various business and trading partners are agreed and managed. Contracting parties are, for example, travel agencies, travel agents, portals, organisers. The aim is to achieve a broad positioning on the market by offering various booking options.

Application management
To recruit new employees, application management in the area of human resources management is carried out. With involvement of service providers, particular focus is placed on online offers such as group job boards, career portals, and the placement of job advertisements on the website and on social media channels with subsequent management of applicant data.

Finance/Controlling/Payroll accounting
Bookkeeping and payroll accounting processing mainly takes place for the arcona group to fulfil contractual and legal regulations. For this reason, duty planning, the organisation of cash systems, employee benefits, access control, printer system data management, document management, and data media disposal are organised and controlled using various software and data processors. Furthermore, payroll accounting for external companies is also carried out.

IT infrastructure
For the operation, servicing/maintenance and security of the arcona group IT network, a data processor is involved. This processor maintains the entire network including its components by means of remote maintenance, via a support hotline or on site.

Fulfilment of data subject rights
The General Data Protection Regulation gives rise to various rights and obligations for the fulfilment of data protection requirements. In particular, data subject rights and the issuance of information by the controller to the data subjects must be fulfilled and breaches of data protection must be processed once they become known. A joint data protection officer has been appointed to fulfil all requirements in accordance with the General Data Protection Regulation.
Each party must ensure the fulfilment of the information requirements in accordance with Art. 13 and 14 GDPR. arcona Management GmbH is responsible for the processing and answering of applications on the exercise of other existing rights of data subjects in accordance with Art. 15 et seq. GDPR. All enquiries are to be forwarded to them. Before any data deletion, arcona Management GmbH is to be informed in advance; they may object to the deletion for a legitimate reason, for example if they have a legal obligation to retain data.
In the aforementioned processes, personal data is processed in various stages and systems which are operated by the participating parties under their own responsibility.
All participating companies have committed to only involve data processors in the data processing who have a registered office within the European Union and after review of compliance with the data protection requirements, to not forwarding any personal data to third parties unauthorised, to take all required technical and organisational protective measures and maintain them at all times, to immediately report any protection violation, to comply with the information requirements and other transparency requirements, to support each other and to forward all enquiries between each other immediately.

Transfer and foreign element
arcona Management GmbH uses data processors within the meaning of Art. 4 No. 10 GDPR in compliance with the legal provisions for the processing of personal data in certain areas. Forwarding and processing of data by them does not, therefore, constitute a transfer within the meaning of Art. 4 No. 2 GDPR.
Any other transfer to third parties will only take place for the purposes provided by law.
With the data processors operating under arcona Management GmbH, a data processing agreement has been concluded which complies with the requirements of Art. 28 GDPR.

Cookies
We use cookies. Cookies are text files which are filed and stored on a computer system via an internet browser.
Many cookies contain what is known as a cookie ID. A cookie ID is a unique identifier of the cookie. It consists of a string of characters by which websites and servers can be assigned to the specific internet browser that the cookie has been stored in. This allows the websites and servers visited to differentiate between your individual browsers from other internet browsers that contain other cookies. A specific internet browser can be recognised and identified via the unique cookie ID.
Through the use of cookies, we can provide the users of this website with more user-friendly services. Information and offers on our website in the interests of the user are optimised, for example by recognising the website user. This means that access data does not need to be re-entered every time the website is visited, as this is taken care of by the website and the cookie stored on the user's computer system. However, a distinction must be made in the use of cookies with regard to different earmarkings. Insofar as these small files are absolutely necessary to display the website properly, there is no voluntary aspect in their use. The legal basis for the integration of cookies in this case is Art. 6 (1) lit. f GDPR.
Furthermore, however, cookies are also used for the purpose of analysing user behaviour or for marketing purposes. However, this use only occurs if you have given us your consent when you first visit the website. You can, however, prevent the use of cookies through our website at any time by selecting the appropriate setting in the used internet browser and thus permanently object to the use of cookies.
You can prevent the use of cookies through our website at any time by selecting the appropriate setting in the used internet browser and thus permanently object to the use of cookies. In addition, cookies that have already been set can be deleted at any time via an internet browser or other software programs. This is possible in all common internet browsers. If the data subject deactivates the use of cookies in the internet browser used, it is possible that not all functions of our website will be fully usable.

Server-Log-Files
Our website provider automatically gathers and stores information in what are known as server log files, which are transferred to us automatically from your browser. The following can be collected:
(1)used browser types and versions,
(2)the operating system used by the accessing system,
(3)the website from which an accessing system reaches our website (called a referrer),
(4)subpages that are accessed via an accessing system on our website,
(5)the date and time that a website is accessed,
(6) an internet protocol address (IP address),
(7)the internet service provider of the accessing system and
(8)other similar data and information that serves to avert danger in the event of attacks on our information technology systems.
We do not draw any conclusions about you in the use of this general data and information. On the contrary, this information is required to
(1)correctly deliver our website content,
(2)to optimise the content of our website as well as the advertising for this,
(3)to ensure the lasting functionality of our information technology systems and the technology our website as well as
(4)to provide law enforcement authorities with information necessary for the prosecution in the event of a cyberattack.
This data and information is therefore evaluated by us statistically, with the goal of also increasing the data protection and data security in our company, ultimately to ensure an optimal level of protection for the personal data we process. The anonymous data of the server log files is stored separately from all of your personal data specified. This data is not merged with other data sources. However, if there are indications of illegal usage of our internet offer, it is possible for us to check this data retrospectively.

Customers can register with us
You have the option of registering as a customer on our website by providing personal data. Which personal data is transmitted to us here arises as a result of the respective input mask used for the registration. The personal data entered by you is gathered and stored exclusively for the creation of a customer account as well as for the processing of possible bookings. However, we can initiate the transfer to one or several data processors, for example a parcel service, which then also uses the personal data exclusively for an internal use.
Through a registration on our website, the IP address assigned to you, as well as the date and time of the registration, are also stored.
The storage of this data occurs in view of the fact that the misuse of our services can only be prevented in this way and, if necessary, this data makes it possible to clarify crimes that have been committed. In this respect, the storage of this data is necessary for our protection. In principle, this data is only transferred to third parties if there is a legal obligation to transfer it or if transferring is conducive to criminal prosecution.
For data processing in the context of customer accounts, we use the external service provider INCERT eTourismus Gmbh & Co KG,
Leonfeldner Straße 328,  4040 Linz, Austria, with whom we have concluded a data processing agreement in accordance with Art. 28 GDPR. We and the data processor are both obliged to comply with the technical organisational measures in accordance with Art. 32 GDPR and the external service provider is also obliged to maintain confidentiality. Processing is carried out exclusively on our behalf and on our instructions.
Your registration takes place by voluntarily specifying personal data and it helps us to provide you with content or services which, due to the nature of the issue, can only be offered to registered users. In principle, registered persons are free to alter personal data specified during the registration at any time or to have it completely deleted from our database, unless the right to deletion is restricted by law.

Analysis tools
Google Analytics (with anonymisation function)

We have integrated the Google Analytics component (with anonymisation function) on our website.

The data processing takes place with your prior consent in accordance with Art. 6 para. 1 lit. a GDPR. You can revoke your consent at any time.
The provider of this service is Google Ireland Ltd, Gordon House, Barrow Street, Dublin 4, Ireland. The data collected may also be transferred to the USA and other third countries. The parent company Google LLC; 1600 Amphitheatre Parkway; Mountain View, CA 94043; USA is certified in the Data Privacy Framework List. According to the decision of the EU Commission, an appropriate level of data protection can therefore be assumed.
Google Analytics is a web analytics service. Web analysis is the collection, collation and evaluation of data about the behaviour of visitors to websites. Among other things, a web analysis service collects data about the website from which a person concerned came to a website (so-called referrer), which subpages of the website were accessed or how often and for how long a subpage was viewed.

The purpose of the Google Analytics component is to analyse the flow of visitors to our website. Google uses the data and information obtained, among other things, to analyse the use of our website, to compile online reports for us that show the activities on our website, and to provide other services related to the use of our website.
Google Analytics sets a cookie in your system. Each time you access one of the individual pages of this website on which a Google Analytics component has been integrated, your Internet browser is automatically prompted by the respective Google Analytics component to transmit data to Google for the purpose of online analysis. The cookie is used to store personal information, such as the access time, the location from which access was made and the frequency of your visits to our website, preferred language and browser. Each time you visit our website, this personal data, including the IP address you use, is transmitted to Google. This personal data is stored by Google.
With IP anonymisation, your IP address is shortened by Google. The IP address transmitted by your browser as part of Google Analytics will not be merged with other Google data.
You can prevent the setting of cookies at any time by means of a corresponding setting of the Internet browser used and thus permanently object to the setting of cookies.    
The applicable data protection provisions can be found at https://policies.google.com/privacy.

Google Signals
We have integrated Google Signals components on our website.
We use Google Signals to better understand the use of our website and to improve our offers in a targeted manner. Google Signals enhances Google Analytics with additional information from the Google accounts of users who have activated personalised advertising. Among other things, this involves linking devices and analysing user behaviour across different devices.
The following categories of personal data are processed as part of Google Signals User behaviour on the website (e.g. pages viewed, time spent on the site), device information (e.g. device type, operating system), location data (if activated and enabled), information from the Google account (e.g. age group, gender).
The provider of the component is Google LLC; 1600 Amphitheatre Parkway; Mountain View, CA 94043; USA, represented in the EU by Google Ireland Ltd, Gordon House, Barrow Street, Dublin 4, Ireland.
Your personal data will be transferred to the USA. Google LLC is currently certified under the EU-US Privacy Shield, which means that a level of data protection comparable to that in the EU can be assumed.
The data collected by Google Signals is stored for a period of 26 months and then automatically deleted.
The data processing is based on your consent in accordance with Art. 6 para. 1 lit. a GDPR. We obtain your consent via our cookie banner. You have the right to withdraw your consent to the use of Google Signals at any time with effect for the future. To do so, use the corresponding settings in our cookie banner or contact us using the contact details provided above.
The provision of your personal data is neither legally nor contractually required. However, it is necessary in order to be able to use the functions of Google Signals. Without your data, personalised analysis and optimisation of our website is not possible.

Online advertising
Google Remarketing

We have integrated components of Google Remarketing on our website.
Google Remarketing is a function of Google Ads that enables a company to display advertisements to internet users who have previously visited the company's website. The integration of Google Remarketing thus allows a company to create user-related advertising and the website user can consequently be shown advertisements relevant to their interests.
The operating company is Google LLC; 1600 Amphitheatre Parkway; Mountain View, CA 94043; USA, represented in the EU by Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland.
The aim of Google Remarketing is the insertion of advertising relevant to interests. Google Remarketing enables us to display advertisements via the Google advertising network or to have them displayed on other websites which are tailored to the individual needs and interests of internet users.
Google Remarketing puts a cookie in your system. As a result, the visitors to our website can be recognised if they then visit websites which are also members of the Google advertising network. Each time a website is visited on which the Google Remarketing service has been integrated, your internet browser automatically identifies itself to Google. Through a cookie, personal information, such as the websites you have visited, is stored. Each time you visit our website - provided that you have given us your consent to store information on your terminal device (pursuant to Section 25 TTDSG - Teleservices Data Protection Act) and to display interest-relevant advertising pursuant to Art. 6 (1)a GDPR - personal data, including your IP address, is transferred to Google. This personal data is stored by Google. In some circumstances, Google passes this personal data collected via the technical process onto third parties.
You can prevent the use of cookies at any time by selecting the appropriate settings in the used internet browser and thus permanently object to the use of cookies.
According to COMMISSION IMPLEMENTING DECISION (EU) 2021/914 of 04.06.2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation 2016/679 of the European Parliament and of the Council, data transfers to the USA are based on standard contractual clauses. Google has appointed us a representative in Ireland. We have concluded contracts which regulate data processing within the EU. If Google does not store your data within the EU, Google Ireland Ltd. is responsible concluding standard contractual clauses with the respective partner.
Furthermore, the data subject has the option to object to interest-based advertising by Google. To do this, please use the following link: www.google.de/settings/ads.
You can get more information and Google's applicable privacy policy at https://www.google.de/intl/de/policies/privacy/.

Online Marketing
DoubleClick

We have integrated components of DoubleClick by Google on our website. DoubleClick is a Google brand under which special online marketing solutions are primarily marketed to advertising agencies and publishers.

The operating company is Google LLC; 1600 Amphitheatre Parkway; Mountain View, CA 94043; USA, represented in the EU by Google Ireland Ltd, Gordon House, Barrow Street, Dublin 4, Ireland.
DoubleClick by Google transmits data to the DoubleClick server with every impression as well as with clicks or other activities. Each of these data transfers triggers a cookie request to your browser. If the browser accepts this request, DoubleClick sets a cookie in your system. The purpose of the cookie is to optimise and display advertising. Among other things, the cookie is used to place and display user-relevant adverts and to create reports on advertising campaigns or to improve them. The cookie is also used to avoid multiple displays of the same adverts.
DoubleClick uses a cookie ID that is required for the technical process. The cookie ID is required, for example, to display an advert in a browser. DoubleClick can also use the cookie ID to record which adverts have already been displayed in a browser in order to avoid duplication. The cookie ID also enables DoubleClick to record conversions. Conversions are recorded, for example, if a user has previously been shown a DoubleClick advert and subsequently makes a purchase on the advertiser's website using the same internet browser.
The cookie script records the number of page views, the user's surfing behaviour on the page, the user's IP address, previously visited pages and the keywords used for the search. Each time you access one of the individual pages of our website on which a DoubleClick component has been integrated, your Internet browser is automatically prompted by the respective DoubleClick component to transmit data to Google for the purpose of online advertising and billing of commissions. As part of this technical process, Google obtains knowledge of data that Google also uses to create commission statements. Among other things, Google can track that you have clicked on certain links on our website.
The use of this component is based on Art. 6 para. 1 lit. a) GDPR.
Processing is only lawful on the basis of your consent. We obtain this consent by means of a so-called consent banner, which appears immediately after accessing our website. You can revoke your consent at any time. You can prevent the setting of cookies at any time by means of a corresponding setting of the Internet browser used and thus permanently object to the setting of cookies. In addition, cookies already set by Google can be deleted at any time via an internet browser or other software programmes.
We have concluded a contract with Google Ireland Ltd. that regulates data processing in the EU. If data is transmitted by Google Ireland Ltd. to the parent company Google LLC in the USA, Google Ireland Ltd. is responsible for the transmission. Google LLC is currently certified in the Data Privacy Framework List. According to the decision of the EU Commission, an adequate level of data protection can therefore be assumed.  
Further information and the applicable data protection provisions of DoubleClick by Google can be found at www.google.com/intl/de/policies/.

Interessenbezogene Werbung – Sojern

The provider of this component is Sojern INC. 225 California Street, 94111 San Francisco. Sojern has also appointed a representative in the EU: Sojern International Ltd, 34-37 Clarendon Street, Dublin 2, Ireland. Sojern is certified in the Data Privacy Framework List. According to the decision of the EU Commission, an adequate level of data protection can therefore be assumed.

This advertising service used pixel tags (web beacons), cookies, and other tracking technologies in order to collect and store non-personal information about your visit to our website. When you visit our website using your mobile device, an advertising service can also collect the unique identifier or location of your device and try to synchronise your visit to a mobile website with other website visits.
Sojern INC. puts a cookie in your system. The cookie placed does not tell Sojern who you are as a person and where you live. The information in cookies is used to tailor online advertisements to individuals who share certain interests or preferences with members of a pooled group, for reports and analyses or services and more.
Through Sojern, personal data and information is processed, which can be information associated with a unique online identifier such as a cookie ID, mobile device ID, hashed email address, advertising ID, and customer ID numbers assigned by companies, information associated with an individual's device, such as IP address, device type, browser type, date and time stamp of clicks and web visits, visited URLs and other technical information; information associated with an individual's travel, such as number and type of travellers, currency/tariffs/prices/fees, search and booking information (e.g. departure and arrival dates and destination country or city), information on rewards or loyalty programme and accommodation or service preferences (e.g. room, aircraft seat, or car type as well as preferences for facilities and amenities).
If you are provided with a relevant advertisement on another website based on the data collected on our site, this is called an “interest-based” advertisement and has a blue “AdChoices” icon in the top right corner. If you click on this icon, you will discover more about the interest-based advertising service and the option to deactivate interest-based advertisements.
We do not have access to these advertising services nor any control over how these cookies are used in placing interest-based advertisements. However, you can reject the use of this information by clicking here: https://www.aboutads.info/choices
Please note that if you deactivate this you will continue to see advertisements, but they may not be geared towards your travel interests.  
The use of this component is based on Art. 6 (1) a GDPR. The processing is only legally possible on the basis of consent granted by you. We obtain this consent by means of what is known as a consent banner, which appears immediately after you access our website. You can prevent the use of cookies at any time by selecting the appropriate setting in the used internet browser and thus permanently object to the use of cookies.
You can revoke your consent at any time with effect for the future without the previous data processing becoming unlawful.
For data processing, we use the external service provider Sojern INC. According to COMMISSION IMPLEMENTING DECISION (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, data transfers to the USA are currently based on standard contractual clauses. We have agreed the standard contractual clauses with the provider of the component.
The services of Sojern INC. are explained in more detail at https://www.sojern.com/privacy/product-privacy-policy/

Plugins
Flickr
We use plugins from the photo service Flickr on our website. This is a service by Flickr Inc., 67 E Evelyn Ave #200, Mountain View, CA 94041, USA. Flickr images are loaded by our server from Flickr. By clicking on an image, the Flickr website opens; Flickr can then record and use your IP address as well as information about the end device used. It also cannot be ruled out that Flickr tries to store cookies on the end devices used. As a result, Flickr can be informed about the visit to certain sites on the internet. Users who are simultaneously registered with Flickr can be identified by Flickr. According to COMMISSION IMPLEMENTING DECISION (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, data transfers to the USA are based on standard contractual clauses, see here https://www.flickr.com/help/dpa.

Vimeo
On some of our webpages we use plugins from the provider Vimeo, through which we can display videos to you directly on our website. When you visit the webpages of our internet presence provided with such a plugin, a connection to the Vimeo servers is established. Through this, your personal data is transmitted to the Vimeo server: IP address, browser type, operating system, websites visited, device information, session duration, bounce rate.
Vimeo is a video platform operated by Vimeo, LLC with headquarters in 555 West 18th Street, New York, New York 10011.
Data processing by Vimeo on our website takes place with your consent pursuant to Art. 6 Para. 1 lit. a GDPR. You can withdraw your consent at any time.
According to COMMISSION IMPLEMENTING DECISION (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, data transfers to the USA are based on standard contractual clauses.
If you are logged in as a member of Vimeo, Vimeo assigns this information to your personal user account. When using the plugin, e.g. clicking on the start button of a video, this information is also assigned to your user account. You can prevent this assignment by logging out of your Vimeo user account before using our website and deleting the respective Vimeo cookies.
You can find more information on data processing and information on data protection by Vimeo here: https://vimeo.com/privacy, https://vimeo.com/cookie_policy, https://vimeo.com/privacy#international_data_transfers_and_certain_user_rights.

Payment options
Klarna
We have integrated components of the company Klarna on our website.
Klarna is an online payment service provider which enables purchase on account or flexible instalments. Furthermore, additional services such as buyer protection or an identity or credit check are offered.
The operating company of Klarna is Klarna AB, Sveavägen 46, 111 34 Stockholm, Sweden.
If you select either “purchase on account” or “instalment purchase” as a payment option during the ordering process in our online shop, your data will be automatically transmitted to Klarna. By selecting one of these payment options, you consent to the transmission of personal data required for the processing of the purchase on account or instalment purchase or for the identity and credit check.
The personal data transmitted to Klarna is generally forename, surname, address, date of birth, gender, email address, IP address, telephone number, mobile number, as well as other information which is necessary for the processing of a purchase on account or instalment purchase. Personal data associated with the respective order is also necessary for the processing of the purchase contract. In particular, there may be a mutual exchange of payment information such as bank details, card number, expiry date and CVC code, number of articles, information on goods and services, price and tax information, information on previous buying behaviour or other information concerning your financial situation.
The aim of the data transmission is, in particular, to verify identity, payment administration and fraud prevention. We will transfer personal data to Klarna in particular if there is a legitimate interest for the transfer. The personal data exchanged between Klarna and us is transmitted by Klarna to credit agencies. The purpose of this transmission is to verify identity and credit.
Klarna also passes on the personal data to affiliated companies (Klarna Group) and service providers or subcontractors, provided that this is necessary for the fulfilment of contractual obligations,  or the data is to be processed on behalf of Klarna.
In order to decide on the establishment, implementation, or termination of a contractual relationship, Klarna collects and uses data and information about your previous payment behaviour as well as probability values for your future behaviour (known as scoring). The scoring is calculated on the basis of scientifically recognised mathematical-statistical methods.
You have the option to revoke consent for the handling of personal data at any time vis-à-vis Klarna. A revocation does not affect personal data that has to be processed, used or transmitted for (contractual) payment processing.
The applicable data privacy policy of Klarna can be found at https://www.klarna.com/de/datenschutz/.

Sofortüberweisung
We have integrated components of the company Sofortüberweisung on our website.
Sofortüberweisung is a payment service which enables a cashless payment of products and services on the internet. Sofortüberweisung represents a technical procedure through which the online retailer immediately receives payment confirmation.  This allows the retailer to deliver goods, services, or downloads to the customer immediately after the order has been placed.
The operating company of Sofortüberweisung is SOFORT GmbH, Fußbergstraße 1, 82131 Gauting, Germany.
If you select “Sofortüberweisung” (Pay Now) as a payment option during the ordering process in our online shop, your data will be automatically transmitted to Sofortüberweisung. By selecting this payment option, you consent to the transmission of personal data required for the processing of payment.
For the purchase transaction via Sofortüberweisung, the buyer transmits the PIN and TAN to Sofort GmbH. Sofortüberweisung then performs a transfer to the online retailer after technical verification of the account balance and retrieval of further data to check the account coverage. The online retailer is then automatically notified of the execution of the financial transaction.
The personal data exchanged with Sofortüberweisung includes forename, surname, address, email address, IP address, telephone number, mobile number, or other information which is necessary for the processing of the payment.  The aim of the data transmission is payment processing and fraud prevention. The controller will also then transmit other personal data to Sofortüberweisung if there is a legitimate interest for the transmission.  The personal data exchanged between the controller and Sofortüberweisung may be transmitted by Sofortüberweisung to credit agencies in some circumstances. The purpose of this transmission is to verify identity and credit.
If necessary, Sofortüberweisung passes on the personal data to affiliated companies and service providers or subcontractors, provided that this is necessary for the fulfilment of contractual obligations or the data is to be processed on behalf of Sofortüberweisung.
You have the option to revoke consent for the handling of personal data at any time vis-à-vis Sofortüberweisung. A revocation does not affect personal data that has to be processed, used or transmitted for (contractual) payment processing.
The applicable data privacy policy of Sofortüberweisung can be found at https://www.sofort.com/de/datenschutzhinweise/abgerufen.

We collect your person data within the framework of the customer loyalty programme as listed below in contact with you for the following purposes:

We process your data if this is necessary for the fulfilment of a membership contract that you have concluded with us (pursuant to Art. 6 (1) b 1. Alt. GDPR) or if the data processing is necessary for the implementation of a pre-contractual measure (pursuant to Art. 6 (1) b 2. Alt. GDPR).

This concerns the following purposes:

• Processing of your enquiries and providing information
• Fulfilment and processing of membership contract according to the terms and conditions of participation, including communication and, if applicable, processing of monetary transactions, accounting, and the fulfilment of the contractual obligations between us
• Sending newsletters and other advertising information
• Sending birthday wishes

In this regard, the following data is processed:
Form of address, name, date of birth, address information, contact details (e.g. email, telephone number), membership number, gender, payment information, booking information (place, arrival and departure, booking duration), amount of turnover, login details, preferences and interests.
If you do not provide us with the data, we cannot offer you a membership nor fulfil the contract.

In individual cases we are legally obliged to carry out data processing. In this case we process your data pursuant to Art. 6 (1) c GDPR.

• A legal obligation can:
  arise from a contract which you have concluded with us and for the fulfilment of which the data collection serves
• arise from the legal regulations relevant to us, or - pursuant to Art. 6 Para. 2 and 3 GDPR - the right of the European Union or the right of the member states of the European Union

If applicable, the data processing occurs in our legitimate interest pursuant to Art. 6 Abs. 1 lit. f GDPR.
Insofar as permitted by law, your personal data is stored if it is necessary for the assertion of or defence against legal claims.
In addition, our legitimate interest for data processing includes:

• Fraud prevention;
• Measures for the warranty and improvement of the security of IT systems;
• Measures for the protection of our company against illegal activities;
• Assertion of claims for damages
• Ensuring uniform quality standards within the group of companies
• Internal administrative purposes

Your individual guest profile

As part of your membership, we send you information which clearly corresponds to your preferences and interests. In our internal CRM system, your guest profile is enriched and stored on the basis of the bookings made with us. Based on the visitor behaviour on our hotel websites, we also obtain a better picture of your interests and can individually serve these.

Duration of the data retention
The data collected by us as part of the membership is kept for the duration of the membership contract. After your cancellation, all discounts will automatically expire. We will delete your personal data from the membership programme 3 years after the end of the calendar year in which the cancellation occurred.
Furthermore, your collected personal data is stored until the legal retention obligation expires, after which it is deleted, particularly if, in accordance with Article 6 Para. 1 Sentence 1 lit. c GDPR on the basis of tax and commercial retention and documentation obligations (e.g. from HGB, StGB or AO), there is an obligation to store the data for a longer period or you have consented to further storage in accordance with Art. 6 Abs. 1 S. 1 lit. a GDPR.
Subject to legal retention periods, we will delete your data when the purpose for the data collection has ceased.

Transfer and foreign element

Recipients or categories of recipients of personal data
The data collected by us is also passed on to other recipients and third parties in compliance with the legal provisions. These are depending on the circumstances:

• If applicable, booking platforms, insofar as you actively make a booking via link
• If applicable, Engrande S.L. Barcelona - provider of the online booking platform “Travelclick” - agreement on joint responsibility
• External data processors pursuant to Art. 4 No. 8 GDPR
  o    If applicable, IT service providers
  o    If applicable, web service providers
  o    If applicable, service provider guest management platform “Opera” (Oracle Deutschland B.V.  Co. KG)
  o    Technical service providers – provision of the member portal – “dailypoint”
• If applicable, insurance companies
• Own legal representatives, if applicable

Transmission of your personal data to a third country
Our service providers are based in the EU. Data processing occurs primarily in the European Union (EU), as we have limited our storage location to data centres in the European Union. We have concluded contracts with the service providers on the data processing or joint responsibility. This should ensure that personal data which leaves the European Economic Area is transferred in compliance with the European data protection laws and fulfils the requirements of the EU data protection guidelines.

On the basis of statutory provisions, our website contains information which enables contact with our company to be quickly established electronically, and also enables direct communication with us, which also includes a general electronic mail address (email address).
If you contact us via email or via a contact form, the personal data transmitted by you will be automatically stored. Such personal data transmitted voluntarily is stored for processing purposes or for the purpose of establishing contact with you. This personal data is not passed on to third parties.
Provided that the processing is necessary for the fulfilment of a contract or for the purposes of the implementation of a pre-contractual measure, the data processing takes place pursuant to Art. 6 Para. 1 lit. b) GDPR.

For processing bookings via our website, the personal data necessary for carrying out the booking is collected. This personal data is generally forename, surname, address, date of birth, gender, email address, IP address, telephone number, mobile number, as well as other information which is necessary for the processing of the booking. Personal data associated with the respective booking is also necessary for the processing of the booking. In particular, there may be a mutual exchange of payment information such as bank details, card number, expiry date and CVC code, price and tax information, information on previous buying behaviour or other information concerning your financial situation.
The aim of the data transmission is, in particular, to verify identity, payment administration and fraud prevention. The purpose of the data collection is thus the fulfilment of (pre-)contractual obligations pursuant to Art. 6 Para. 1 lit. b GDPR.

Purposes and legal bases of data processing, data processors, transmission to third parties in third countries
We only use the personal data you have entrusted to us for the purposes it is intended. Legal bases for the processing of your data can, in particular, be contract initiation and processing, advertising, quality assurance, fraud prevention or keeping statistics.
A further legal basis for the processing of your data is consent granted by you regarding the use and transmission of your personal data. You can informally withdraw your consent at any time.
Transmission of personal data to government institutions and authorities takes place solely on the basis of mandatory national legislation. The persons commissioned by us with the processing of data are bound to secrecy and lawful processing of the data. In the event of further processing of your personal data for a purpose other than the original one, we will communicate this accordingly.
We are supported by external service providers (data processors) for specific technical processes relating to data analysis, data processing and/or data retention.
We and the data processor are both obliged to comply with the technical organisational measures in accordance with Art. 32 GDPR and the external service provider is also obliged to maintain confidentiality. Processing is carried out exclusively on our behalf and on our instructions. Any processing of your personal data beyond this commissioned data processing will only occur with your explicit consent or in cases ordered by law and by official or judicial authorities.
Transmission of data to third countries (states outside of the European Economic Area - EEA) only takes place if this is necessary for the fulfilment of the contract, is a legal requirement, or you have given us your consent. We will inform you separately regarding particulars, if required by law.

Duration of the data retention
We store your personal data collected from the time of collection. This collected data is stored by us for the duration of our business relationship, which, among other things, also includes the initiation and processing of a contract.  Furthermore, we are subject to various retention and documentation obligations which arise, among other things, from the German Commercial Code (HGB) or the German Tax Code (AO). The retention periods prescribed there are up to ten years. Finally, the storage period with regard to the possibility of defending against legal claims is also assessed in accordance with the statutory limitation periods which, for example, according to Sections 195 et seq. of the German Civil Code is generally 3 years, however, in certain cases it can be up to 30 years.

Transmission of your personal data to a third country
Our service providers are based in the EU. Data processing occurs primarily in the European Union (EU), as we have limited our storage location to data centres in the European Union. However, we cannot rule out that the routing of data takes place via internet servers located outside of the EU. This affects data processing via Microsoft, Travelclick and Opera, for example. We have concluded contracts with the service providers on the data processing or joint responsibility. This should ensure that personal data which leaves the European Economic Area is transferred in compliance with the European data protection laws and fulfils the requirements of the EU data protection guidelines.

Newsletter subscription
You have the option to subscribe to our newsletter. By subscribing, you consent to newsletters being sent via email pursuant to Art. 6 Para 1. lit. a GDPR and to the tracking associated with this. In this newsletter, we will regularly inform of about offers and news regarding our arcona group hotels.
For the subscription to the newsletter we collect the data solely in direct contact with you. For sending the newsletter we process your email address as personal data from you. Our company’s newsletter can only be received by you if
• You have a valid email address and
• You have subscribed to receive the newsletter.
The personal data collected as part of subscribing to the newsletter is used exclusively for sending our newsletter. In addition, those subscribed to the newsletter could be informed via email if this is necessary for the operation of the newsletter service or a related registration, for example in the case of changes to the newsletter offer or in the event of changes to the technical conditions.
To send the newsletter, we use the service provider Toedt, Dr. Selk & Coll. GmbH, Augustenstraße 79, 80333 Munich, which provides us with the “dailypoint” solution. We have concluded a data processing agreement with this service provider.
You can cancel the subscription to our newsletter at any time. The consent to the storage of personal data which you have granted us for sending the newsletter can be revoked at any time with effect for the future without the data processing up until this point becoming unlawful. For the purpose of revoking consent, you can contact us at any time using the contact details provided on this page or use the unsubscribe function in any newsletter.

Newsletter tracking
For analysis purposes our emails contain a “tracking pixel” which connects with the dailypoint servers when the email is opened. This is how it can be determined whether a newsletter communication has been opened. Furthermore, with the help of dailypoint we can ascertain whether and which links in the newsletter communication are clicked. All links in the email are tracking links, with which your links can be counted. You can learn more about the analysis functions of dailypoint using the following link https://www.dailypoint.com/privacypolicy/.
The use of this component is based on Art. 6 (1) a GDPR.
You can revoke the separate consent given regarding this via the double opt-in procedure at any time with effect for the future without the data processing up until this point becoming unlawful.
We deem unsubscribing from receiving the newsletter to be revocation of consent.
For this, we use the service provider Toedt, Dr. Selk & Coll. GmbH, Augustenstraße 79, 80333 Munich and have concluded a data processing agreement with this service provider.

Facebook
We have integrated components of the company Facebook as a link on our website.
Facebook is a social network. A social network is a social meeting point on the internet, i.e. an online community which generally enables users to communicate with each other and interact in a virtual space. A social network can serve as a platform for exchanging opinions and experiences or it can allow the internet community to provide personal or business-related information. Facebook enables users of the social network, among other things, to create private profiles, upload photos and network via friend requests. A voluntary click on the icon redirects to Facebook, over which we have no control.
The operating company of Facebook is Meta Platforms, Inc., 1 Hacker Way, Menlo Park, CA 94025, USA. The controller of personal data processing when a data subject lives outside of the USA or Canada is Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland.
If you do not want Facebook to process your data, please do not click on the link.
The privacy policy published by Facebook, accessible at https://www.facebook.com/privacy/policy, provides information on the collection, processing, and use of personal data by Facebook.  In addition, it explains which setting options Facebook provides to protect your privacy.

Facebook - Insight data analysis
The Federal and State Conference of Independent Data Protection Authorities (Data Protection Conference) indicated that Facebook is obliged to obtain effective consent to data usage from all visitors to Facebook. By contrast, the operators of a Facebook fan page is obliged to obtain the required information on data usage from Facebook.
When users visit our fan page, Facebook collects personal data of the users within the framework and scope of its responsibility. This type of data collection by Facebook can also occur with visitors of this page who are not logged into Facebook or registered as members. You can find information on the data collection and further processing by Facebook as well as information on implementing your rights and decision-making options in Facebook's data privacy statement.
Through use of the Facebook platform, we do not assume any responsibility for the processing of personal data and its transfer outside of the European Union, and in particular, we do not assume any responsibility for the implementation of data subject rights and the effectiveness of consent. We do have no influence on the extent and no full access to the data collected or your profile information. You decide what information we receive as part of Facebook's sole responsibility with your Facebook settings or your browser settings when visiting a publicly accessible page. Furthermore, in your Facebook settings you have to option to actively hide your “likes” or to no longer follow the fan page. Then your profile will no longer appear in the list of fans of this fan page.
We receive anonymous statistics from Facebook on the application and use of the fan page. The following information is provided here, for example (known as insight data):
•    Followers: Number of people who follow our fan page – including gains and development over a defined time frame
•    Reach: Number of people who see a specific post on our fan page and the number of interactions on a post
•    Advertisement performance: Number of people who have seen an advertisement
•    Demographics: Average age of visitors, gender, location, language

We use these statistics, from which we cannot draw any conclusions on individual users, to constantly improve our online offer on Facebook and to better respond to the interests of our users. We cannot link the statistical data with the profile data of our fans. Via your Facebook settings, you can decide in which form targeted advertising is displayed to you.
We have entered into a joint controller agreement with Facebook regarding the processing of personal data pursuant to Article 26 GDPR.
As a result, Facebook is the sole controller in regard to the processing of insight data. In this respect, Facebook takes responsibility for the fulfilment of information requirements pursuant to Articles 12 and 13 GDPR, for exercising data subject rights pursuant to Articles 15 to 22 GDPR, for data security and also for the responsibility to report data protection breaches (Articles 32 to 34 GDPR). Furthermore, Facebook remains the sole controller for the processing of other personal data.
We receive personal data via Facebook if you actively inform us of this via a personal message on Facebook or if you use a form to transmit the data to use and actively send the data to us by clicking on a button. We use the data you have disclosed (e.g. first name, surname) to respond to your request, if this is necessary.

Instagram
We have integrated components of the service Instagram as a link on our website. Instagram is a service that qualifies as an audiovisual platform and that enables the users to share photos and videos and also to redistribute this data on other social networks.  Data processing by Instagram on our website takes place with your consent pursuant to Art. 6 Para. 1 lit. a GDPR. You can withdraw your consent at any time. By voluntarily clicking on the link you will be forwarded to Instagram directly. We have no influence on the data processing by Instagram. If you do not approve of the data processing by Instagram, please do not click the link.
The operating company of the services of Instagram is Instagram LLC, 1 Hacker Way, Building 14 First Floor, Menlo Park, CA, USA. Instagram is a subsidiary of Meta Platforms Inc., 1 Hacker Way, Menlo Park, CA 94025, USA, represented in the EU by Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland.
If you are logged in to Instagram at the same time, Instagram recognises which specific subpage you are visiting every time you visit our website and the entire duration of your respective stay on our website. This information is gathered by the Instagram component and assigned to your Instagram account by Instagram. If you click on one of the Instagram buttons integrated on our website, the data and information transmitted as a result will be assigned to your personal Instagram user account and stored and processed by Instagram.
Instagram always receives information via the Instagram component that you have visited our website if you are logged into Instagram at the same time as visiting our website; this occurs regardless of whether you have clicked on the Instagram component or not.
If you do not want this information to be transmitted to Instagram, you can prevent it being transmitted by logging out of your Instagram account before visiting our website.
You can get more information and Instagram’s applicable privacy policy at https://help.instagram.com/155833707900388 and https://www.instagram.com/about/legal/privacy/.

YouTube
We have integrated components of the service YouTube as a link on our website. As soon as you click the link, YouTube will start processing data. If you do not want this data processing to occur, you can prevent the transmission by not clicking the link.
The data processing takes place with your prior consent only after clicking the link in accordance with Art. 6 Para. 1 lit. a GDPR. You can withdraw your consent at any time.
YouTube is an internet video portal that allows video publishers to post video clips free of charge and allows other users to view, rate, and comment on them, also free of charge. YouTube allows the publication of all types of videos, which is why complete films and TV shows, but also music videos, trailers, or videos made by users themselves can be accessed via the internet portal.
The operating company of YouTube is YouTube, LLC, 901 Cherry Ave., San Bruno, CA 94066, USA. YouTube, LLC is a subsidiary of Google LLC, 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, USA, represented in the EU by Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland.
According to COMMISSION IMPLEMENTING DECISION (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, data transfers to the USA are based on standard contractual clauses, see https://business.safety.google/gdprcontrollerterms/  and https://business.safety.google/gdprcontrollerterms/sccs/.
When you visit one of our websites in which a video from Youtube is embedded, a connection is immediately established with the servers of Google LLC or the subsidiary YouTube LLC.
YouTube and Google always receive information via the YouTube component that you have visited our website if you are logged into YouTube at the same time as visiting our website; this occurs regardless of whether you have clicked on the YouTube component or not.
If you do not want this information to be transmitted to YouTube and Google, you can prevent it being transmitted by logging out of your YouTube account before visiting our website.
You can get more information and Instagram's applicable privacy policy at https://www.google.de/intl/de/policies/privacy/.

Pinterest
We have integrated components of the service Pinterest Inc. as a link on our website. Pinterest is a social network. A social network is a social meeting point on the internet, i.e. an online community which generally enables users to communicate with each other and interact in a virtual space. A social network can serve as a platform for exchanging opinions and experiences or it can allow the internet community to provide personal or business-related information. Among other things, Pinterest enables users of social networks to publish collections of pictures and single images as well as descriptions on virtual pinboards (known as pinning), which then in turn can be shared (known as repinning) or commented on by other users.
The operating company of Pinterest is Pinterest Inc., 808 Brannan Street, San Francisco, CA 94103, USA. The controller for the data processing of inhabitants in the EU is Pinterest Europe Ltd. - an Irish company which is registered in Dublin at the following address: Palmerston House, 2nd Floor, Fenian Street, Dublin 2, Ireland. The legal basis for the transmission of data to Pinterest is your consent pursuant to Art. 6 (1) a GDPR by clicking on the link. In this case, data forwarding to Pinterest occurs. If you do not want this data processing to occur, you can prevent the transmission by not clicking the link.
You can get more information and Pinterest's applicable privacy policy at https://policy.pinterest.com/en/privacy-policy.

LinkedIn
We have integrated components of the service LinkedIn as a link on our website.
LinkedIn is an internet-based social network which enables users to connect with existing business contacts as well as to establish new business contacts.
The operating company of LinkedIn is LinkedIn Corporation, 2029 Stierlin Court Mountain View, CA 94043, USA. For privacy matters outside of the USA, LinkedIn Ireland, Privacy Policy Issues, Wilton Plaza, Wilton Place, Dublin 2, Ireland, is responsible.
You can get more information and LinkedIn's applicable privacy policy at https://www.linkedin.com/legal/privacy-policy.

Xing
We have integrated components of the service Xing as a link on our website.

Xing is an internet-based social network which enables users to connect with existing business contacts as well as to establish new business contacts. Individual users can create themselves a personal profile on Xing. Companies, for example, can create a company profile or publish job offers on Xing.

The operating company of Xing is XING AG, Dammtorstraße 30, 20354 Hamburg, Germany.

If you do not want this information to be transmitted to Xing, you can prevent it being transmitted by logging out of your Xing account before visiting our website.
You can get more information and Xing's applicable privacy policy at [https://www.xing.com/privacy].

Other providers
If there is a link to websites of other providers beyond the information included here, this privacy policy does not apply to their contents. The collection of data by operators of the respective sites is beyond our knowledge and range of influence. Please take note of the data protection notice of the respective site.

We collect your personal data when you make a direct booking in our hotels as listed below in contact with you. If you use booking portals of another provider (e.g. Booking, HRS, etc.), or have entered into a contract with a tour operator, we may receive your data from these providers.
Depending on the circumstances, we process your data for the following purposes:
We process your data if this is necessary for the fulfilment of a contract that you have concluded with us pursuant to Art. 6 (1) b 1. Alt. GDPR or if the data processing is necessary for the implementation of a pre-contractual measure pursuant to Art. 6 (1) b 2. Alt. GDPR.
This concerns the following purposes:

• Processing of your enquiries and providing information
• Processing of a possible online booking
• Fulfilment of the accommodation contract, including the communication between us, in particular for the processing of monetary transactions, accounting, and the fulfilment of the contractual obligations between us
• Table reservations
• Voucher orders
• Offer of guest WIFI

In this regard, the following data is processed:
Form of address, name, date of birth, address information, contact details (e.g. email, telephone number), number of fellow travellers, credit card details, bank details, payment information, booking details (place, arrival and departure, booking duration).
If you do not provide us with the data, we may not answer your enquiry or fulfil the contract.
In individual cases and depending on the service and as far as you inform us, we will process the following information from you:
Additional services/special requests, preferences, complaints/incidents, information about possible allergies, IP address, transmitted data volume, usage times, location,
In individual cases we are legally obliged to carry out data processing. In this case we process your data pursuant to Art. 6 (1) c GDPR.
A legal obligation is:

• Fulfilment of legal reporting obligations
• arise from a contract which you have concluded with us and for the fulfilment of which the data collection serves
• arise from the legal regulations relevant to us, or - pursuant to Art. 6 Para. 2 and 3 GDPR - the right of the European Union or the right of the member states of the European Union

Some data processing takes place because you have given us your consent pursuant to Art. 6 (1) a GDPR.
This concerns the following purposes

• Sending newsletters

You can give consent voluntarily. You can revoke consent with effect for the future at any time, without having to be apprehensive of disadvantages. The processing is lawful until your revocation. With regard to a revocation, notify your hotel directly or use the arcona Management GmbH contact details.
If applicable, the data processing occurs in our legitimate interest pursuant to Art. 6 Abs. 1 lit. f GDPR.
Insofar as permitted by law, your personal data is stored if it is necessary for the assertion of or defence against legal claims.

In addition, our legitimate interest for data processing includes:

• Marketing measures (e.g sending direct advertising)
• Booking history
• Fraud prevention
• Measures for the warranty and improvement of the security of IT systems
• Measures for the protection of our company against illegal activities
• Assertion of claims for damages
• Public relations work
• Creation of booking statistics
• Ensuring uniform quality standards within the group of companies
• Internal administrative purposes

Your individual guest profile
As part of the newsletter subscription based on your consent and tracking associated with it, we will send you a separate email that asks your preferences and interests. In our internal CRM system, your guest profile is enriched and stored as a result. Based on the visitor behaviour on our hotel websites, we also obtain a better picture of your interests and can individually serve these. You receive a service tailored to you and we can send you specific offers.

Duration of the data retention
The personal data collected by us is stored until the legal retention obligation expires, after which it is deleted, particularly if, in accordance with Article 6 Para. 1 Sentence 1 lit. c GDPR on the basis of tax and commercial retention and documentation obligations (e.g. from HGB, StGB or AO (= German Commercial Code, German Criminal Code, or German Tax Code)), there is an obligation to store the data for a longer period or you have consented to further storage in accordance with Art. 6 Abs. 1 S. 1 lit. a GDPR.

Subject to legal retention periods, we will delete your data when the purpose for the data collection has ceased.

 

Transfer and foreign element
Recipients or categories of recipients of personal data
The data collected by us is also passed on to other recipients and third parties in compliance with the legal provisions. More specifically, these are:

• Financial management
• Insurance companies
• Own legal representatives
• Reporting offices
• Parent company arcona Management GmbH - agreement on joint responsibilities
• Engrande S.L. Barcelona - provider of the online booking platform “Travelclick” - agreement on joint responsibility
• External data processors pursuant to Art. 4 No. 8 GDPR
  o    IT service providers
  o    Web service providers
  o    Service provider guest management platform “Opera” (Oracle Deutschland B.V.  Co. KG)
  o    Service provider rating portals (e.g. Trust You)
  o    Service provider for sending newsletters
  o    Service provider for the implementation of direct marketing
  o    Service provider for the processing of online table reservations
  o    Service provider for sending voucher orders and handling the online shop
  o    Provider of financial accounting software
  o    Document destruction companies

Transmission of your personal data to a third country
Our service providers are based in the EU. Data processing occurs primarily in the European Union (EU), as we have limited our storage location to data centres in the European Union. However, we cannot rule out that the routing of data takes place via internet servers located outside of the EU. This affects data processing via Microsoft, Travelclick and Opera, for example. We have concluded contracts with the service providers on the data processing or joint responsibility. This should ensure that personal data which leaves the European Economic Area is transferred in compliance with the European data protection laws and fulfils the requirements of the EU data protection guidelines.

As part of our business relationship and dependent on the specific purpose for which we collect your data, we also regularly process personal data if you are a legal entity. This is the case, for example, if we collect data from people from the management team or personal contacts of your company.
Generally, we collect your data in direct contact with the data subject. However, it is also conceivable that you transmit data to us from people who are responsible for us in your company.
We process your data if this is necessary for the fulfilment of a contract that you have concluded with us pursuant to Art. 6 (1) b 1. Alt. GDPR or if the data processing is necessary for the implementation of a pre-contractual measure pursuant to Art. 6 (1) b 2. Alt. GDPR.
This concerns the following purposes:

• Handling of our business relationship (transactions, accounting, fulfilment of the contractual obligations between us)
• Communication
• Appointment management

In this regard, the following data categories may be processed in these contexts: Company, name, business address information, function in the company, lifelong physician's number if applicable, signature, professional activity, complaints/incidents
The data collected by us is generally absolutely necessary for establishing and processing a business relationship, including the fulfilment of the resulting obligations. There is no other obligation to provide the data regularly.
In individual cases we are legally obliged to carry out data processing. In this case we process your data pursuant to Art. 6 (1) c GDPR.
A legal obligation can:

• arise from a contract which you have concluded with us and for the fulfilment of which the data collection serves
• arise from the legal regulations relevant to us, or - pursuant to Art. 6 Para. 2 and 3 GDPR - the right of the European Union or the right of the member states of the European Union
• arise from general obligations to provide assistance or contractual ancillary obligations which are not specifically tailored to data collection, such as the regulations on failure to render assistance in Section 323c StGB

Should a life-threatening emergency occur and you require medical attention, we will then base the processing of your data on Art. 6 (1) lit. d GDPR to protect your vital interests.
If applicable, the data processing occurs in our legitimate interest pursuant to Art. 6 Abs. 1 lit. f GDPR.
Insofar as permitted by law, your personal data is stored if it is necessary for the assertion of or defence against legal claims.

Our legitimate interest for data processing includes:

• Contact data processing of the contact persons
• The existence of a legal relationship between us;
• Fraud prevention;
• Measures for the warranty and improvement of the security of IT systems;
• Measures for the protection of our company against illegal activities and
• Assertion of claims for damages
• Internal administrative purposes, in particular the exchange of data within our group of companies

The failure to provide personal data of the people working for your company would generally only result in the communication between us is being considerably hindered or - for example in the area of communication via email - becoming impossible.

No automatic monitoring or assessment systems are used in the data processing in our company.

Duration of the data retention
The personal data collected by us is stored until the legal retention obligation expires, after which it is deleted, particularly if, in accordance with Article 6 Para. 1 S. 1 lit. c GDPR on the basis of tax and commercial retention and documentation obligations (e.g. from HGB, StGB, or AO), there is an obligation to store the data for a longer period or you have consented to further storage in accordance with Art. 6 Abs. 1 S. 1 lit. a GDPR.

Subject to such retention obligations, data is deleted if the purpose for which it was collected has ceased.

Insofar as permitted by law, data is also stored if it is necessary for the assertion of or defence against legal claims.
Transfer and foreign element
Recipients or categories of recipients of personal data
The data collected by us may be passed on to recipients or third parties in compliance with the legal provisions.  These recipients can be:

• Tax consultants
• Financial management
• Insurance companies
• Own legal representatives
• External data processors pursuant to Art. 4 No. 8 GDPR
  o    IT service providers
  o    Software providers
  o    Document destruction companies
  

Transmission of your personal data to a third country
Our service providers are based in the EU. Data processing occurs primarily in the European Union (EU), as we have limited our storage location to data centres in the European Union. However, we cannot rule out that the routing of data takes place via internet servers located outside of the EU. This affects data processing via Microsoft, for example. We have concluded contracts with the service providers on the data processing or joint responsibility. This should ensure that personal data which leaves the European Economic Area is transferred in compliance with the European data protection laws and fulfils the requirements of the EU data protection guidelines.

In principle, we collect your personal data as listed below in direct contact with you. In addition and provided that it is necessary for the assessment of your application, we may process data permissibly received from other places and from other third parties or publicly accessible sources for the following purposes:

We process your data if it is necessary for the implementation of a pre-contractual measure pursuant to Art. 6 (1) b GDPR in conjunction with Section 26 BDSG (Federal Data Protection Act).
This concerns the following pre-contractual purposes:

• Review and assessment of your suitability for the position to be filled,
• Performance and behavioural assessment to the extent permitted by law,
• If applicable registration and authentication for the application via our website,
• If applicable preparation of the employment contract,
• Verifiability of transactions,
• Travel and event management, travel booking and travel expense accounting, authorisation and ID card management,
• Cost recording and controlling,
• Contract-related communication (including appointments) with you

    
In this regard, the data that you yourself provide us with in the letter of application is processed. In assessing the suitability for the role to be filled we regularly process: Form of address/gender, address information, personal details, home address, professional activities, current job, nationality, professional qualification, professional experience, commencement/termination of an employment relationship, professional development, parent property, date of birth.
The data is required for the proper conduct of the selection process. If you do not provide us with the information, we may not be able to consider your application. There is no legal obligation to provide the data.

We process your data if you have given us consent pursuant to Art. 6 (1) a GDPR or pursuant to Art. 9 (2) a GDPR.
You can give consent for:

• Obtaining references from previous employers
• Consent to store your applicant in an applicant pool for a longer period of time for future vacancies

We may collect obtain your consent for data processing separately. You can revoke your consent at any time with effect for the future. The revocation of consent does not affect the lawfulness of the processing carried out on the basis of the consent up until the revocation.
Should a life-threatening emergency occur and you require medical attention, we will base the processing of your data on Art. 6 (1) lit. d GDPR to protect your vital interests.
In particular, this includes passing on relevant data to paramedics, doctors, or other emergency personnel.

If applicable, the data processing occurs in our legitimate interest pursuant to Art. 6 Abs. 1 lit. f GDPR.
Our legitimate interests for data processing are:

• Fraud prevention;
• Measures for the warranty and improvement of the security of IT systems;
• Measures for the protection of our company against illegal activities;
• Assertion of claims for damages;
• A burden of proof in procedures in accordance with the Equal Treatment Act.
• Internal administrative purposes, in particular the exchange within our company;
• Assertion of legal claims and defence in the event of legal disputes - if applicable, passing on to legal representatives working for us;
• Ensuring uniform applicant management and uniform quality standards within our company

No automatic assessment systems are used in the data processing in our company.

Duration of the data retention
We store the data collected for the application until the expiration of the period of 6 months after the conclusion of the application process. After this period, the data collected for the application is deleted or, if deletion is not possible, it will be inaccessible. In the event that you have agreed to further stage of personal data, we will transfer your data to our applicant pool. There, the data will be deleted after two years. If contact with us was made via an agency or consultant, we will store your master data until the expiration of the contract with the agent for verifying commission claims. If you are awarded a position as part of the application process, the data from the applicant data system is transferred to our human resources information system and used to create the employment contract.

The processing can also take place electronically. This is the case in particular if an applicant submits corresponding application documents to us electronically, for example via email or via a web form located on our website.
The job portal on our website is supplied by the provider d.vinci HR-Systems GmbH, Nagelsweg 37-39, 20097 Hamburg. We have concluded a data processing agreement with the service provider mentioned (data processor) pursuant to Art. 28 GDPR. The service provider is subject to our instructions and is sworn to secrecy.
Our websites also use “iFrame” technology for an appealing presentation. This involves the integration of third party content without resulting in recognisable differences in presentation.
When the job portal on our website is used, the following information is automatically transmitted to the service provider:  Browser type and browser version, operating system used, referrer URL, host name of the accessing computer, time of the server request, IP address. This data is not merged with other data sources. Applicant data is forwarded to the designated data processor.
d.vinci-HR-Systems GmbH is obliged to process the data exclusively in a member state of the European Union or in another contracting state of the agreement on the European Economic Area.

Transfer and foreign element
The data collected by us is passed on to possible recipients in compliance with the legal provisions:

• Management/managing partners  
• Department heads/employees
• Own legal representatives, if applicable –
• External data processors –
  o    d.vinci-HR-Systems GmbH
  o    If applicable, service providers in the area of maintenance and servicing of EDP systems
  o    If applicable, service provider company website, marketing
  o    File and data carrier destruction

These are generally data processors within the meaning of Art. 4 No. 10 GDPR, and so the processing of data by them does not constitute a transfer within the meaning of Art. 4 No. 2 GDPR.

You have the option of registering for our Online Academy and registering on our website by providing personal data.  The personal data entered by you is gathered and stored exclusively for the onboarding process of new employees, as well as for implementation of further training.
By registering on our website, your username, your email address, your IP address, the date as well as the time of registration and logging are stored.  In addition, as an employer, we can track which courses have already been completed.  
The data processing of your business email is conducted in accordance with Art. 6 (1) b GDPR as part of the fulfilment of the employment contract concluded with you. Furthermore, it is in our legitimate interest that our employees are continuously trained and that we also must be able to prove this in individual cases. In this sense, information regarding which courses have been completed at what time is stored.
If you use your private email address, this is voluntary and the data processing takes place on the basis of the consent which you give us by registering.
At your request, you can leave ratings of the tool. These ratings are visible to other registered users.  
In principle, your data is only transferred to third parties if there is a legal obligation to transfer it or if transferring is conducive to criminal prosecution.
For the data processing of the Online Academy, we use the external service provider Voss-Seminare, Zum Bahnhof 24, 19055 Schwerin, with which we have concluded a data processing agreement pursuant to Art. 28 GDPR. We and the data processor are both obliged to comply with the technical organisational measures in accordance with Art. 32 GDPR and the external service provider is also obliged to maintain confidentiality. Processing is carried out exclusively on our behalf and on our instructions.