Privacy Policy

GHOTEL – The GHOTEL Group operates attractive hotels in attractive locations throughout Germany and in Salzburg. The GHOTEL Group operates its current portfolio in the budget, midscale and upscale segments. As well as the brand GHOTEL hotel & living, we also run Nestor Hotels and franchised hotels with international brand names. In addition, at select locations, we work with strong partners, e.g. AccorHotels, InterContinental Hotels Group and Marriott International, which allows us to expand our portfolio of hotel services with well-known brands.

Data protection is of particular importance to the management of GHOTEL Group GmbH.  In the following Privacy Policy, we inform you about how your personal data will be handled when you use our website. Personal data refers to any data with which you could be personally identified.

Controller in accordance with Article 4 (7) of the EU General Data Protection Regulation (GDPR)

GHOTEL Group GmbH
Graurheindorfer Strasse 92
53117 Bonn
Germany

Telephone: +49 228 – 961 098 0
Email: info@ghotel.de
Website: www.ghotel-group.de

 

Data protection officer of the controller

The data protection officer can be contacted at: datenschutz@ghotel-group.de

 

1. Rights of the data subject (Article 15 GDPR)

Below you will find information on your rights as a data subject. You can exercise these rights at any time and contact us directly for this purpose. If you demand these rights from us, we will examine them in detail, taking into account the related legal requirements and provisions. We may ask you for further information. We will explain in detail the results of our audit and our procedure for fulfilling your request. It is possible that we may not be able to fully meet your wishes in the manner you request.  This should not prevent you from claiming your rights from us or asking us about them. We will be happy to answer all your questions about data protection.

a) Right to information (Article 15 GDPR)

You have the right to request information from us at any time as to whether and which of your personal data is processed by us. This also includes information on the purposes of processing, if applicable on recipients to whom we have disclosed data about you, the planned storage period and, if applicable, information on the origin of this data, unless we have collected this data directly from you. In addition, you have the right to a one-time free copy of your personal data stored by us.

b) Right to rectification (Article 16 GDPR)

You have the right to request us to correct any inaccurate information we hold about you. This also includes the right to complete incomplete personal data.

c) Right to erasure (Article 17 GDPR)

You have the right to request us to erase any inaccurate information we hold about you. If we have published data about you, this also includes our obligation, within the framework of the “right to be forgotten” pursuant to Art. 17 (2) GDPR, taking into consideration the available technology and the implementation costs of your erasure request to forward all links to this data as well as copies or replications of these data concerning to further persons responsible for the processing of these published personal data.

d) Right to restriction of processing (Article 18 GDPR)

You have the right to request us to restrict the processing of data which we have stored concerning you. Thereafter, processing of this data is only possible with your consent or for a few, legally defined purposes.

e) The right to object to processing (Article 21 GDPR)

Insofar as we base the processing of your personal data on the balancing of interests, you may object to the processing. This is the case if the processing is not necessary in particular for the performance of a contract with you. When exercising such an objection, we ask you to explain the reasons why we should not process your personal data as we have been doing. In the event of your justified objection, we will examine the situation and either stop or adjust the data processing or point out to you our compelling reasons worthy of protection on the basis of which we will continue processing the data.

You may of course object to the processing of your personal data for advertising and data analysis purposes at any time. You can inform us about your advertising objection using the contact channels listed above.

f) Right to revoke consent under data protection law (Article 7 GDPR)

If you have provided your consent to the processing of your data, you may revoke this consent at any time pursuant to Article 7 (3) GDPR. If you exercise this right, it will affect our ability to process your personal data for which you have given your consent to us.

g) Right to data portability (Article 20 GDPR)

You have the right to receive information about yourself that you have provided to us from us in a structured, commonly used and machine-readable format for the purpose of transfer to another controller. At your request and taking into account the available technical possibilities, this also includes the direct transfer from us to the other controller.

h) Right to lodge a complaint with a supervisory authority (Article 13 GDPR)

You have the right to complain at any time to a data protection supervisory authority about our processing of your personal data. The responsible supervisory authority can be contacted at:

Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen (State Commissioner for Data Protection and Freedom of Information North Rhine-Westphalia), Postfach 20 04 44, 40102 Düsseldorf, Germany

i) Automated decision-making including profiling (Article 22 GDPR)

You have the right to request information about the existence of automated decision-making processes, including profiling, referred to in Article 22 (1) and (4) GDPR and, at least in those cases, meaningful information about the software involved, as well as the significance and envisaged consequences of such processing for the data subject.

 

 2. Legal basis for the processing of personal data (Article 6 GDPR)

(1) Insofar as we obtain the data subject’s consent for the processing of personal data, this takes place on the legal basis of Article 6 (1) a) of the EU General Data Protection Regulation (GDPR).

(2) In the processing of personal data required for the performance of a contract to which the data subject is a party, Art. 6 (1) b) GDPR serves as the legal basis. This also applies to processing necessary to implement pre-contractual measures.

(3) Insofar as the processing of personal data is required to fulfil a legal obligation to which our company is subject, Art. 6 (1) c) GDPR serves as the legal basis.

(4) In the event that vital interests of the data subject or another natural person require the processing of personal data, Art. 6 (1) d) GDPR applies as the legal basis.

(5) If processing is necessary to safeguard a legitimate interest of our company or a third party and if the interests, fundamental rights and freedoms of the data subject do not outweigh the first-mentioned interest, Art. 6 (1) f) GDPR serves as the legal basis for processing.

 

 3. Information about the collection of personal data

(1) Below we provide information on the collection of personal data when using our website. Personal data is all data personally attributable to you, e.g. name, address, email addresses, user behavior.

(2) When you contact us via email or via a contact form, the data you provide (your email address, and if applicable your name and your telephone number) will be stored by us in order to answer your questions. We will delete the data collected within this context as soon as processing is no longer necessary, or alternatively, if any obligation of statutory retention exists, processing will be limited.

(3) If we employ contracted service providers for individual functions of our offer, or would like to use your data for advertising purposes, we will inform you in detail about the respective processes. We will also specify the defined criteria for the storage period.

a) Personal data collection when visiting our website

If you use the website for simple information purposes only, i.e. if you do not register or otherwise provide us with information, we only collect the personal data that your browser transmits to our server. If you wish to view our website, we collect the following data, which is technically necessary for us to display our website to you and to guarantee stability and security (the legal basis for this is Article 6 (1) f) GDPR):

  • IP address
  • Host name
  • Date and time of the request
  • Time zone difference from Greenwich Mean Time (GMT)
  • Content of the request (specific page)
  • Request status/HTTP status code
  • Respective volume of data transferred
  • Website from which the request comes (referrer)
  • The specific pages you have visited on our website
  • Browser: Type, version and set language
  • Operating system: Type and version
  • If JavaScript is also activated:
  • Display resolution
  • Color depth
  • Size of the browser window
  • Installed browser plugins

 

 4. Data erasure and storage duration

(1) Your personal data will be deleted or blocked as soon as the purpose for its storage no longer applies.

(2) In addition, the data may be stored if this has been provided for by European or national legislators in EU regulations, laws or other provisions to which the data controller is subject.

(3) Data will also be blocked or erased if a storage period prescribed by the aforementioned regulations has elapsed, unless further storage of the data is necessary for the conclusion or fulfilment of a contract.

 

 5. Data protection for applications and application processes

(1) You provide us with personal data within the framework of the application. It is particularly important to us to handle your personal data in a trustworthy manner from the application process onwards. Therefore, it goes without saying that all the personal information with which you entrust us is handled as strictly confidential and in a responsible manner in compliance with all the valid statutory data protection provisions. In connection with this, we use technical and organizational security measures to protect your personal data against accidental or deliberate manipulation, loss, destruction or access by unauthorized persons.
The legal basis for the processing of personal data with which you provide us within the framework of your application in principle constitutes the implementation of pre-contractual measures initiated by your application pursuant to Article 6 (1) b) GDPR. Insofar as you the data you transmit for the purposes of the application also contains particularly sensitive data belonging to a special category pursuant to Article 9 (1) GDPR, the processing of such data by us takes place on the legal basis of your consent pursuant to Article 6 (1) a), which we are required to obtain from you, as set out in more detail in (3).

(2) If you wish to apply for a job or a training position online, this requires you to enter certain personal data marked with mandatory fields on the respective online application form, e.g. your first names and surnames, email address and telephone number. In order to allow us to gain a better understanding of your application goals, you also have the option of providing us with more data and files on a voluntary basis, e.g. details of your professional qualifications and experience and files containing your application documents, such as your personal covering letter, your CV, your application photo, your certificates etc.
Please note that CVs, certificates or additional data transmitted by you for the purposes of the application, in party to a contract, may also contain particularly sensitive data, such as information concerning race or ethnic origin, political beliefs, religious or philosophical beliefs, membership of trade unions or political parties, physical or mental health or sex life. We therefore recommend, where possible, that you do not provide any information relating to such sensitive data belonging to a special category.

(3) It also cannot be excluded, and in some cases may also be necessary, for you to provide us with data belonging to a special category, as set out in (2), within the framework of your application. We are prohibited by law from processing such data without your consent. For this reason, you may only send your application to us via the online form after you have selected the appropriate check box on the online form. Unfortunately, it is not possible for you to transmit your documents without providing your consent here.

(4) The data and files you transmit are exclusively used for purposes which are connected to the recording and processing of your interest in employment or training with us and the processing of your online application, including contact with you which is necessary for this purpose. Your application will be handled confidentially and only disclosed to authorized employees of the GHOTEL Group. If your application is successful, the data and files you have transmitted may be further used within the framework of the employment relationship with you. If your application for a job vacancy is unsuccessful, we store the data and files you have transmitted in our applicant database for 6 months in order to be able to respond to any queries in connection with your application. On expiry of this period, the data and files will be automatically erased.

(5) The data and files you have transmitted within the framework of the online application will not be passed on to third parties unless you have provided your express consent to this or an official order applies.

(6) You have the option of withdrawing your application in part or in full at any time. Also, you can at any time request that all or some of your transmitted data and files are deleted or modified in our applicant database. You also have the right to revoke your consent to the processing of personal data and files transmitted by you within the framework of the online application at any time with future effect. For this purpose, it is sufficient to send an email to datenschutz@ghotel-group.de. However, certain data on your application must be stored for a limited period of 3 months to comply with legal requirements, especially the obligation to provide evidence from the General Equal Treatment Act (AGG). With regard to your fundamental rights, we would like to make reference to Section 1 of this Privacy Policy here.

 

6. Use of cookies

Cookies are small files which are allocated and stored on your hard disk in association with the browser you are using and through which the site which sets the cookie transmits certain information. Cookies cannot run programs or transfer viruses to your computer. They serve to make our website more user-friendly and effective overall.

The storage of cookies which are not technically necessary or the use of comparable technical functions takes place on the legal basis of consent pursuant to Article 6 (1) a) GDPR in connection with Section 25 (1) Teleservices Data Protection Act.

The storage of technically necessary cookies takes place on the legal basis of Article 6 (1) f) GDPR in connection with Section 25 (2) Teleservices Data Protection Act.

Technically essential cookies

Cookie name Provider Purpose Duration
__cf_bm Monotype This cookie is used to distinguish between humans and bots. This is beneficial for the website for creating valid reports about the website use. 1 day
_GRECAPTCHA Google This cookie is used to distinguish between humans and bots. This is beneficial for the website for creating valid reports about the website use. 179 days
CookieConsent [x3] Cookiebot Saves the user’s consent status for cookies to the current domain. 1 year
rc::a Google This cookie is used to distinguish between humans and bots. This is beneficial for the website for creating valid reports about the website use. Persistent
rc::b Google This cookie is used to distinguish between humans and bots. Session
rc::c Google This cookie is used to distinguish between humans and bots. Session
Test_cookie Doubleclick.net Checks whether the browser supports cookies. 1 day
wc_cart_hash_# www.ghotel-group.de Pending Persistent
wc_fragments_# www.ghotel-group.de Pending Session
wp_woocommerce_session_# www.ghotel-group.de Pending 1 day

 

Preferences

Cookie name Provider Purpose Duration
CookieConsentBulkSetting-# Cookiebot Activates consent to cookie use for multiple websites. Persistent
pll_language www.ghotel-group.de Enables cookies via multiple websites. Persistent
pll_language www.ghotel-group.de Sets the user’s preferred language. Enables the website to define the user’s preferred language when they revisit the site. 1 year

 

Statistics

Cookie name Provider Purpose Duration
_ga Google Registers a unique ID that is used to generate statistical data on how the visitor uses the website. 2 years
_gat Google Used by Google Analytics to reduce the query rate. 1 day
_gid Google Registers a unique ID that is used to generate statistical data on how the visitor uses the website. 1 day

 

Marketing

Cookie name Provider Purpose Duration
_fbp Meta Platforms, Inc. Used by Facebook to display a range of advertising products, e.g. real-time bidding by third-party advertisers. 3 months
_gcl_au Google Used by Google AdSense to experiment with advertising efficiency on websites which use its services. 3 months
fr Facebook.com Used by Facebook to deliver a series of advertising products such as real-time bidding from third party advertisers. 3 months
IDE Google Used by Google DoubleClick to register and report the user’s actions on the website after viewing or clicking on any of the provider’s ads for the purpose of measuring the effectiveness of an advertisement and displaying targeted advertising to the user. 1 year
pagead/1p-user-list/# Google Used to track whether the visitor has shown interest in certain products or events on multiple websites and how the visitor navigates between the websites. This is used to measure advertising expenditure and simplifies the payment of recommendation fees between websites. Session
pagead/landing Doubleclick.net Collects data on visitor behavior from multiple websites in order to provide more relevant advertising.

This also enables to website to limit the number of access instances to the same ad.

Session
pagead/landing Google Collects data on visitor behavior on multiple websites in order to present more relevant adverts. This also enables the website to limit the number of times the same advert is displayed. Session
tr Meta Platforms, Inc. Used by Facebook to display a range of advertising products, e.g. real-time bidding by third-party advertisers. Session

 

Unclassified

Cookie name Provider Purpose Duration
QQqfCJWN2rEBEO-fo9IC,undefined www.ghotel-group.de Unclassified Persistent
QQqfCJWN2rEBEO-fo9IC,undefined_expiresAt www.ghotel-group.de Unclassified Persistent

 

7. Additional functions of our company website

(1) In addition to the purely informative use of our website, we offer various services that you can use if you are interested. For this purpose, you must provide further personal data, which we will use to provide the respective service and to which the aforementioned data processing principles apply.

(2) When you contact the service provider by email, your address and, if you specify this, your name, your telephone number and […] will be stored by us in order to answer your questions.

(3) In some cases, we use external service providers to process your data. They have been carefully selected and commissioned by us, and they are bound by our instructions and checked regularly.

(4) If our service providers or partners are located in a country outside the European Economic Area (EEA), we will inform you of the consequences of this circumstance in the description of the offer.

a) Contact form

(1) Personal data is collected when contacting us (e.g. via the contact form or email). We make it clear which data is being collected on the respective contact form.

(2) This data is stored and used exclusively for the purpose of answering your request or for contacting you and the corresponding technical administration service.

(3) The legal basis for the data processing is our legitimate interest in responding to your enquiry in accordance with Art. 6 (1) f) GDPR. If your contact is aimed at concluding a contract, the additional legal basis for the processing is Article 6 (1) b) GDPR.

(4) Your data will be deleted after your request has been processed. This is the case if it is clear from the circumstances that the matter in question has been conclusively clarified and provided that there are no statutory retention obligations to the contrary.

b) Registration and booking

On our website, we offer users the opportunity to register, during which you will be asked to provide personal information, in connection with online booking. This data is entered into an input screen and transmitted to us. The data is processed and stored by our service provider Quality Reservations Deutschland GmbH and their partner SHS Sabre Hospitality. The company provides contractually confirmed guarantees that appropriate technical and organizational measures are carried out in such a way that the processing is carried out in accordance with the GDPR and ensures the protection of the rights of the data subject. This data shall not be passed on to third parties.

The following data is collected during the registration process:

Mandatory information:

  1. Title
  2. First name
  3. Surname
  4. Email address
  5. Password
  6. Security question/answer
  7. Telephone number for questions

Optional fields:

  1. Company
  2. Country
  3. Billing address
  4. City
  5. Zip code
  6. State/Province

The following data will be stored at the point in time of registration:

Date and time of registration

Legal basis for data processing

The registration serves the fulfilment of a contract to which the data subject is the user or for implementation of pre-contractual measures. The legal basis for the data processing is Article 6 (1) b) GDPR.

Purpose of data processing

User registration is required for the provision of certain content and services on our website or the performance of a contract.

The user has the option of creating a customer account before or during a booking. Creating a customer account makes the booking process easier for the user in the event they make another booking in the future as the booking screen is pre-populated with the data they have saved after they log in. Users also have the option of viewing their current bookings by logging in with their email and password.

When making an online booking, users are required to enter their email address, title, form of address, first name, surname and telephone number. The processing and storage of the data is necessary for processing the booking, including for clarifying any questions about the booking.

Storage period

The data will be deleted as soon as it is no longer required to fulfil the purpose for which it was collected. This is the case for data collected during the registration process for fulfilment of a contract or implementation of pre-contractual measures, if the data is no longer necessary for fulfilment of the contract. Even after conclusion of the contract, it may still be necessary to store personal data of the contractual partner in order to fulfil contractual or legal obligations.

Revocation and erasure

You may cancel the registration or have the data concerning you that is stored amended at any time. Please send us an email to datenschutz@ghotel-group.de. If the data is required to fulfil or establish a contractual relationship with you, premature erasure of data is only possible insofar as contractual or legal obligations do not preclude erasure.

Beyond the online booking with our abovementioned service provider Quality Reservations and the partner SHS Sabre Hospitality, there is also the option of online booking for our franchised partner hotels via their websites, to which links are provided on the GHOTEL Group homepage.

For more information on data protection by our franchise partners, please see:

https://www.ihg.com/content/de/de/customer-care/privacy_statement

https://www.accorhotels.com/security-certificate/index.de.shtml

https://www.marriott.de/about/privacy.mi

https://www.hanseatischer-hof.de/de/datenschutz/

 

8. Other third-party services and web analysis

(1) The legal basis for the use of local web analysis tools is Article 6 (1) f) of the GDPR, i.e. the protection of our legitimate interests in consideration of the interests of our website visitors. We are interested in analyzing the use of our website by our website visitors in order to improve our service and make it more interesting for you as a user. If the analysis tool which is used also serves other purposes or we use it for other interests of ours, we will inform you directly in the explanations for the respective analysis tool.

(2) The legal basis for the use of third-party providers for the implementation of web analysis takes place on the basis of Article 6 (1) a).

a) Google Maps

(1) On this website we use the services of Google Maps to show you interactive maps directly in the website and to enable you to use the map function in a convenient manner. The legal basis for the use of the plug-in is Article 6 (1) a) GDPR. Consent is provided via your selection in the cookie banner.

(2) When you visit this website, Google is notified that you have accessed the corresponding sub-page of our website. This takes place regardless of whether Google provides a user account through which you are logged in, or whether no user account exists. If you are logged in to Google, your data will be directly assigned to your account. If you do not wish to be associated with your Google profile, you must log out before clicking the button. Google stores your data as usage profiles and uses them for the purposes of advertising, market research and/or requirements-oriented design of its website. This type of evaluation is carried out (even for users who are not logged in) to provide needs-based advertising and to inform other users of the social network about your activities on our website. You have the right to object to the creation of these user profiles, and you must contact Google to exercise this right.

(3) For more information about the purpose and scope of data collection and their processing by the plug-in provider, please refer to the provider’s privacy policies. You will also find further information there on your rights and settings options for protecting your privacy: Google Dublin, Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland; http://www.google.de/intl/de/policies/privacy.

b) YouTube

(1) We have included YouTube videos in our online service, which are stored on http://www.youtube.com and are playable directly from our website.

(2) The legal basis for the use of the plug-in is your consent according to Article 6 (1) a) GDPR. Consent is provided via your selection in the cookie banner.

(3) When you visit this website, YouTube is notified that you have accessed the corresponding sub-page of our website. This takes place regardless of whether YouTube provides a user account via which you are logged in or no user account exists. If you are logged in to Google, your data will be directly assigned to your account. If you do not wish to be associated with your profile when using YouTube, you must first log out before clicking the play button. YouTube stores your data as usage profiles and uses it for the purposes of advertising, market research and/or requirements-oriented design of its website. This type of evaluation is carried out (even for users who are not logged in) to provide needs-based advertising and to inform other users of the social network about your activities on our website. You have the right to object to the creation of these user profiles. You must contact YouTube if you wish to exercise this right.

(4) For more information on the purpose and scope of data collection and processing by YouTube, please refer to the privacy policy.

(5) There you will also find further information about your rights and setting options to protect your privacy: YouTube LLC, 901 Cherry Ave., San Bruno, CA 94066, USA, represented by Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland; https://policies.google.com/privacy.

 

9. Terminology according to GDPR

a) Personal data

“Personal data” refers to all information relating to an identified or identifiable natural person (hereinafter “data subject”); a natural person is regarded as identifiable if he/she can be directly or indirectly identified, especially by means of association with an identifier such as a name, with an identification number, with location data, with an online ID or with one or several special features reflecting the physical, physiological, genetic, psychic, economic, cultural or social identity of that natural person.

b) Processing

Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

c) Restriction of processing

The marking of stored personal data with the aim of limiting their future processing.

d) Profiling

Any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.

e) Pseudonymization

The processing of personal data in such a way that the personal data can no longer be attributed to a specific data subject without additional information, provided that this additional information is kept separately and is subject to technical and organizational measures ensuring that the personal data are not an identified or an identifiable natural person.

f) Controller

The natural or legal person, public authority, agency or other body, which either alone or with others, determines purposes and means of processing of personal data; where purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

g) Order processor

A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

h) Third party

A natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorized to process personal data.

i) Consent 

Any statement of intent voluntarily and unambiguously given by the data subject in an informed and unambiguous manner in the form of a statement or other unambiguous confirming act that indicates to the data subject that they have consented to the processing of their personal data.

Last updated: 05.05.2022

 

DialogShift chat application on our website

Our website uses the chat application of DialogShift GmbH, Rheinsberger Str. 76/77, 10115 Berlin. This application processes and stores data for the purpose of web analysis, to operate the chat application and to answer queries.

For the operation of the chat function, the chat texts are stored and a cookie with a unique ID is set – this is used to recognise you as a customer.

A cookie is a small text file that is stored locally in the cache on your device. Using this cookie, our application recognises the device and can retrieve past chat logs. This cookie is stored for 90 days since last use. You can disable the storage of cookies in your browser settings. However, without the use of cookies, the chat function cannot be performed.

The possible disclosure of e.g. name, e-mail address or a telephone number is voluntary and with the consent to temporarily use and store this data for the purpose of contacting you until the end of the contact. This personal data is deleted after 90 days.

The legal basis for data processing is Article 6 (1) lit. F DS-GVO based on our legitimate interest in effective customer support, for statistical analysis of user behaviour and for optimisation purposes of our offers.

DialogShift offers at https://www.dialogshift.com/de/dsvgo for further information on the collection and use of data and on your rights and options for protecting your privacy.

Last updated: 16.02.2021