Data protection

With the following privacy policy, we would like to inform you about how we process your personal data in accordance with the European General Data Protection Regulation (GDPR ). The privacy policy applies to all processing of personal data carried out by us when you visit our website: www.sunderlandhotel.de.

1. person responsible

The controller within the meaning of the GDPR is

Halbersbacher Hospitality Group GmbH
Represented by the managing director Arne Mundt
Mollistrasse 10
18209 Bad Doberan

Tel: +49 (0)38203 2139-0
Fax: +49 (0)38203 2139-10
E-mail: info@halbersbacher.de

2. data protection officer

You can contact our data protection officer as follows

SECJUR GmbH
Steinhöft 9
20459 Hamburg

E-mail: dsb@secjur.com

You can contact our data protection officer directly at any time with any questions or suggestions regarding data protection and the exercise of your rights.

3. definitions

This privacy policy is based on the terms used in the GDPR. To simplify matters, we would like to explain some important terms in this context:

Personal data means any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Data subject is any identified or identifiable natural person whose personal data is processed by the controller responsible for the processing.

Processing is any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Recipient is a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular enquiry in accordance with Union or Member State law shall not be regarded as recipients.

Athird party is a natural or legal person, public authority, agency or body other than the data subject, the controller, the processor and the persons who, under the direct authority of the controller or processor, are authorised to process the personal data.

4. data for the provision of the website and the creation of log files

When you access our website in your browser, we collect technically necessary data via server log files, which are automatically transmitted to our server, including

Date and time of access
IP address
Host name of the accessing computer
Websites that were accessed via the website (referrer)
Visited page on our website; amount of data transferred
Information about the browser type and version used
Operating system
Access status (e.g. whether the website could be accessed without any problems or whether you received an error message)
Use of website functions
Access frequency of the individual website
Volume of data transferred
other websites that you visit from this website, either by clicking on a link on this website or by directly entering the domain in the input bar in the same window of your browser

The temporary storage of the data is necessary for the course of a website visit in order to be able to display our website to you. This processing is technically necessary to ensure the functionality of the website and the security of the information technology systems. The legal basis for processing is therefore Art. 6 para. 1 sentence 1 lit. f GDPR in order to guarantee the provision, security and stability of our website.

The data is deleted as soon as it is no longer required to fulfil the purpose for which it was collected. In the case of the provision of the website, this is the case when the respective session has ended. The log files are stored for up to 7 days directly and only accessible to administrators. After that, they are only available indirectly via the reconstruction of backup tapes and are permanently deleted after four weeks.

To provide our online services, we use storage space, computing capacity and software that we rent or otherwise obtain from the server provider DomainFactory GmbH, (c/o WeWork, Neuturmstrasse 5, 80331 Munich, Germany) (web host). We have concluded an order processing contract (AVV) with the above-mentioned provider. This is a contract prescribed by data protection law, which ensures that the provider processes the personal data of our website visitors only in accordance with our instructions and in compliance with the GDPR.

The legal basis for the processing is Art. 6 para. 1 sentence 1 lit. f. GDPR in order to guarantee the provision, security and stability of our website.

5 Technically necessary cookies

We use cookies on our website. These are small files that your browser automatically creates and that are stored on your IT system (laptop, tablet, smartphone, etc.) when you visit our website.

Information is stored in the cookie that results in each case in connection with the specific end device used. However, this does not mean that we obtain direct knowledge of your identity.

On the one hand, the use of cookies serves to make the use of our website more pleasant for you. For example, we use session cookies to recognise that you have already visited individual pages of our website. These are automatically deleted after you leave our site.

In addition, we also use temporary cookies to optimise user-friendliness, which are stored on your end device for a specified period of time. If you visit our site again to use our services, it is automatically recognised that you have already visited us and which entries and settings you have made so that you do not have to enter them again.

On the other hand, we use cookies to statistically record the use of our website and to evaluate it for the purpose of optimising our offer for you. These cookies enable us to automatically recognise that you have already visited our website when you visit it again. These cookies are automatically deleted after a defined period of time.

6. contact form

When contacting us (e.g. by contact form, email, telephone or via social media) and in the context of existing user and business relationships, the information of the enquiring persons is processed insofar as this is necessary to answer the contact enquiries and any requested measures. Data such as:

Contact details (email address, telephone number, name)
Company data (company name)
Content data (contact content)
Metadata (IP address, identification numbers, browser data, etc.)

transmitted to us.

If you contact us as part of an existing contractual relationship or contact us in advance for information about our range of services or our other services, the personal data you provide will be processed for the purpose of processing and responding to your contact enquiry in accordance with Art. 6 para. 1 sentence 1 lit. b GDPR. Otherwise to safeguard our legitimate interests in accordance with Art. 6 para. 1 sentence 1 lit. f GDPR for the purpose of responding appropriately to customer/contact enquiries.

We delete your personal data as soon as it is no longer required to fulfil the purpose for which it was collected. In the case of contact enquiries, this is generally the case when it is clear from the circumstances that the specific matter in question has been conclusively dealt with. Mandatory statutory provisions, in particular retention periods under commercial or tax law, remain unaffected.

7 Applications

If you apply to us electronically, i.e. by e-mail or via our web form on our recruiting page[https://halbersbacherhospitalitygroup.recruitee.com/] through Recruitee, we collect and process your personal data for the purpose of handling the application process and for the implementation of pre-contractual measures.

By submitting an application, you express your interest in taking up employment with us. In this context, you provide us with personal data that we use and store exclusively for the purpose of your job search/application. In particular, the following data will be collected

Name (first name and surname)
gender
e-mail address
Your address
Salary expectations
Availability
Telephone number
Channel how you became aware of us

You also have the option of uploading informative documents such as a cover letter, your CV, references and an application photo. This may contain further personal data such as date of birth, address, etc.

Only authorised employees from the HR department or employees involved in the application process have access to your data.

In addition, we offer you the opportunity to be included in our "applicant pool". You must agree to this in advance. With your consent, we will store your data for inclusion in our applicant pool for six months after the end of the application process in order to identify any other interesting positions for you. This also applies, for example, to applications for an apprenticeship or internship.

The legal basis for the processing of your data is the initiation of a contract in accordance with Art. 6 para. 1 sentence 1 lit. b GDPR, which takes place at your request. If we obtain your consent (e.g. for inclusion in our applicant pool), this constitutes the legal basis for data processing in accordance with Art. 6 para. 1 sentence 1 lit. a GDPR. After completion of the application process, the data will be stored for up to six months. Your data will be deleted or anonymised after six months at the latest.

If you receive an offer of employment with us during the application process and accept it, we will store the personal data collected during the application process for at least the duration of the employment relationship.

In the event of a legal obligation, the data will be stored in accordance with the applicable provisions. Longer storage is only possible if we include the personal data in our applicant pool after obtaining your consent as described.

Your data will be passed on to the service provider Recruitee B.V., Keizersgracht 313, 1016 EE Amsterdam, Netherlands, to the extent necessary as part of order processing. We have concluded an order processing contract with the provider. This is a contract required by data protection law, which ensures that your personal data is only processed in accordance with our instructions and in compliance with the GDPR.

7.1 Applying via Indeed

We also offer you the opportunity to apply online for job vacancies via Indeed (Indeed Ireland Operations Limited, Block B, Capital Dock, 80 Sir John Rogerson's Quay Grand Canal Dock, Dublin, 2, D02 HE36, Ireland; hereinafter referred to as Indeed).

As part of the application process, we process the following personal data

Master data (e.g. first and last name, address)
Contact details (e.g. email address, telephone number)
Application data (e.g. cover letter, CV, certificates and other supporting documents).

The purpose of the processing is to carry out the application process.

The legal basis for the processing of personal data is the fulfilment of the contract and the implementation of pre-contractual measures in accordance with Art. 6 para. 1 lit. b, Art. 88 para. 1 GDPR in conjunction with § 26 para. 1 Federal Data Protection Act (BDSG).

As well as on the basis of your consent by voluntarily providing data that is not mandatory for the purpose, such as hobbies in your CV. However, this is generally not required for the conclusion of a contract or the continuation of an existing contract. The legal basis is Art. 6 para. 1 sentence 1 lit. a GDPR. You can revoke your consent at any time with effect for the future.

If an employment relationship is established after completion of the application process, the personal data provided may be processed further. Otherwise, we will generally retain the data for six months after the end of the application process. We then delete all personal data.

Applications received via Indeed are also processed by Recruitee in accordance with section 7 above.

Further information can be found in the privacy policy for Indeed: https://hrtechprivacy.com/de/brands/about-indeed#privacypolicy.

8 Newsletter

If you would like to receive information about our new products and services, you can subscribe to our newsletter. As part of sending the newsletter, we process the following personal data, among others; the only mandatory information for sending the newsletter is your email address.

e-mail address
Gender
First name and surname
Organisation
Preferred language
Your interests
Metadata (e.g. device information, IP address, date and time of registration)

The advertised goods and services are named in the declaration of consent. We use the so-called double opt-in procedure to register for our newsletter. This means that after you have registered, we will send you an e-mail to the e-mail address provided in which we ask you to confirm that you are the owner of the e-mail address provided and that you wish to receive the notifications. In addition, we store the IP addresses used and the times of registration and confirmation. The purpose of this procedure is to be able to prove your registration and, if necessary, to clarify any possible misuse of your personal data.

The legal basis for sending our newsletter is your consent in accordance with Art. 6 para. 1 sentence 1 lit. a GDPR. You can revoke your consent to receive our newsletter at any time by clicking on the unsubscribe link in the emails or by sending your revocation by email to our email address or by post to the contact details given in the legal notice. Your personal data will then be removed from the mailing list.

We use an external provider, rapidmail from Positive Group Deutschland GmbH (Ingeborg-Krummer-Schroth-Straße 18a, 79106 Freiburg im Breisgau Germany), to send our newsletter. This service provider receives your e-mail address and other necessary data in order to send the newsletter on our behalf.

We have concluded an order processing contract with the provider. This is a contract required by data protection law, which ensures that the provider only processes your personal data in accordance with our instructions and in compliance with the GDPR. In cases where there is no adequacy decision by the European Commission, we have agreed other suitable guarantees with the data recipients within the meaning of Art. 44 et seq. GDPR have been agreed. Unless otherwise stated, these are standard contractual clauses (SCCs) of the European Commission in accordance with Implementing Decision (EU) 2021/914 of 4 June 2021.

Further information can be found in the privacy policy for rapidmail: https://www.rapidmail.de/datenschutz

8.1 Newsletter tracking

In addition, you can also give your consent for us to evaluate your user behaviour when sending the newsletter. Our newsletters contain so-called tracking links that enable us to analyse the behaviour of newsletter recipients. For example, we can analyse how many recipients have opened the newsletter message and how often which link in the newsletter was clicked on. This enables us to statistically analyse the success or failure of online marketing campaigns. The personal data collected through the tracking links is stored and evaluated by us in order to optimise the newsletter dispatch and to adapt the content of future newsletters even better to your interests.

All statistical data collected in connection with tracking is automatically deleted after three years.

You can object to this tracking at any time by clicking on the separate link provided in every email or by informing us via another contact method as described above and withdrawing your consent. The information will be stored for as long as you have subscribed to the newsletter. After unsubscribing, we may store the data purely statistically and anonymously.

9 Third-party tools

9.1 Consent management via consent management platform Cookiebot

We use the consent management service Cookiebot from Usercentrics A/S, (Havnegade 39, 1058 Copenhagen, Denmark; hereinafter Usercentrics). This enables us to obtain and manage the consent of website users for data processing.

When you visit our website or a sub-website for the first time, you will be shown a "cookie banner". There you will be informed about the individual cookies that we use. You can find out the name of each individual cookie, the provider, the purpose of processing and the storage period.

Our cookie banner informs you about the specific cookies we use. In addition, we give you the opportunity to decide whether you want to consent to the setting of non-essential cookies. The following are processed

the IP address of the connection you are using (in anonymised form)
the description of the web browser and operating system used
the language used by your browser and operating system
the address of the website on which you give your consent
the date and time of your consent
the country from which you make your request,
a pseudonym used to distinguish different users,
your consent status with regard to the cookies and similar technologies used by us or with regard to the services used, which serves as proof of your consent

If we use cookies and similar technologies as part of the integration of the service or if data is stored on your end device or read from there by the service, this is done in accordance with Section 25 (2) TDDDG. Subsequent data processing takes place on the basis of Art. 6 para. 1 sentence 1 lit. f GDPR. We have an overriding legitimate interest in using the cookie banner, which enables us to obtain the legally required consent for the use of non-essential cookies and to fulfil our duty to provide information regarding cookies.

The cookie banner saves the preferences until you reset or change them. Otherwise, the key and the consent status are stored in the browser for 12 months using the "CookieConsent" cookie.

Usercentrics is the recipient of your personal data and acts as a processor for us. The processing takes place in the European Union. Further information on objection and removal options vis-à-vis Usercentrics can be found at: https://www.cookiebot.com/de/privacy-policy/

9.2 Google Ads & Conversion Tracking

Our website uses Google Ads (formerly Google AdWords) from Google LLC (1600 Amphitheatre Parkway, Mountain View, California 94043, USA; hereinafter Google). In the European Union (EU) and the European Economic Area (EEA), the services are provided by Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland; hereinafter referred to as Google).

Google Ads enables us to draw attention to our offers with the help of advertising material on external websites and to determine how successful individual advertising measures are. This helps us to show you adverts that are of interest to you, to make our website more interesting for you and to achieve a fair calculation of advertising costs.

As part of Google Ads, we use what is known as conversion tracking. The advertising material is delivered by Google via so-called "AdServers". For this purpose, we use so-called AdServer cookies, through which certain parameters for measuring success, such as the display of adverts or clicks by users, can be measured. When you click on an advert placed by Google, a cookie is set for conversion tracking. Cookies are small text files that the Internet browser stores on the user's computer. These cookies lose their validity after 30 days and are not used to personally identify the user. These cookies enable Google to recognise your web browser. If you visit certain pages of our website when the cookie has not yet expired, Google and we can recognise that you have clicked on the specific ad and have been redirected to this page.

Each Google Ads customer receives a different cookie. The cookies can therefore not be tracked via the websites of Ads customers. The following information is usually stored as analysis values for the cookie: unique cookie ID, number of ad impressions per placement (frequency), last impression (relevant for post-view conversions), opt-out information (marking that the user no longer wishes to be addressed). The information collected using the conversion cookie is used to generate conversion statistics for Ads customers who have opted for conversion tracking. Ads customers are told the total number of users who clicked on their advert and were redirected to a page with a conversion tracking tag. However, they do not receive any information that can be used to personally identify users. If you do not wish to participate in tracking, you can object to this use by easily deactivating the Google Conversion Tracking cookie via your Internet browser under user settings. You will then not be included in the conversion tracking statistics.

The legal basis for the use of Google Ads & Conversion Tracking is the voluntary and revocable consent given by you in accordance with Art. 6 para. 1 lit. a GDPR. You can revoke your consent at any time with effect for the future by making the corresponding changes or adjustments in your cookie settings.

By integrating the services on our websites, data is transmitted to the above-mentioned recipients and processed there for as long as is necessary to fulfil the stated purposes.

We have concluded an order processing contract with the provider. This is a contract prescribed by data protection law, which ensures that the provider processes your personal data only in accordance with our instructions and in compliance with the GDPR. In cases where there is no adequacy decision by the European Commission, we have agreed other suitable guarantees with the data recipients within the meaning of Art. 44 et seq. GDPR have been agreed. Unless otherwise stated, these are standard contractual clauses (SCCs) of the European Commission in accordance with Implementing Decision (EU) 2021/914 of 4 June 2021.

The personal data is also transferred to the USA. The European Commission has issued an adequacy decision pursuant to Art. 45 (3) GDPR for the EU-U.S. Data Privacy Framework. On the basis of this decision, data transfers to organisations based in the USA that are certified accordingly are permitted. Google is certified under the EU-U.S. Data Privacy Framework. Google is certified under the EU-U.S. Data Privacy Framework and is therefore committed to complying with appropriate data protection standards.

Further information and the data protection provisions can be found in Google's privacy policy at: https://policies.google.com/technologies/ads?hl=de.

9.3 Google Ads Remarketing

Our website uses Google Ads Remarketing from Google LLC (1600 Amphitheatre Parkway, Mountain View, California 94043, USA; hereinafter Google). In the European Union (EU) and the European Economic Area (EEA), the services are provided by Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland; hereinafter referred to as Google).

With Google Ads Remarketing, we can assign people who interact with our online offer to specific target groups in order to subsequently display interest-based advertising in the Google advertising network (remarketing or retargeting).

Furthermore, the advertising target groups created with Google Ads Remarketing can be linked to Google's cross-device functions. In this way, interest-based, personalised advertising messages that have been adapted to you depending on your previous usage and surfing behaviour on one device (e.g. mobile phone) can also be displayed on another of your devices (e.g. tablet or PC).

If you have given your consent, Google will link your web and app browsing history to your Google account for this purpose. In this way, the same personalised advertising messages can be displayed on every device on which you sign in with your Google account.

To support this function, Google collects authenticated user IDs that are temporarily linked to our Google Ads data in order to define and create target groups for cross-device advertising.

The legal basis for the use of Google Ads Remarketing is the voluntary and revocable consent given by you in accordance with Art. 6 para. 1 lit. a GDPR. You can revoke your consent at any time with effect for the future by making the appropriate changes or adjustments in your cookie settings.

9.4 Google Adsense

Our website uses Google AdSense, a service for integrating adverts from Google LLC (1600 Amphitheatre Parkway, Mountain View, California 94043, USA; hereinafter referred to as Google). In the European Union (EU) and the European Economic Area (EEA), the services are provided by Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland; hereinafter referred to as Google).

Google AdSense uses so-called "cookies", i.e. text files that are stored on your computer and are used to display adverts on our website that match our content and your interests. Google AdSense also uses so-called web beacons (invisible graphics). These web beacons allow information about visitor traffic on our pages to be statistically analysed for online marketing purposes.

The information generated by cookies and web beacons about the use of our website (including your IP address) and the delivery of advertising formats is transmitted to a Google server in the USA and stored there. This information may be passed on to third parties by Google. However, Google will not merge your IP address with other data that Google may have stored about you.

The legal basis for the use of the service is Art. 6 para. 1 sentence 1 lit. a GDPR, i.e. the integration only takes place with your consent. You can revoke your consent at any time with effect for the future.

You can prevent the installation of cookies by setting your browser software accordingly; however, we would like to point out that in this case you may not be able to use all functions of this website to their full extent. By using this website, you consent to the processing of data about you by Google in the manner and for the purposes set out above. Further information and the data protection provisions can be found in Google's privacy policy at: https://policies.google.com/technologies/ads?hl=de.

The personal data is also transferred to the USA. The European Commission has issued an adequacy decision pursuant to Art. 45 (3) GDPR for the EU-U.S. Data Privacy Framework. On the basis of this decision, data transfers to organisations based in the USA that are certified accordingly are permitted. Google is certified under the EU-U.S. Data Privacy Framework and is therefore committed to complying with appropriate data protection standards, which can be viewed at the following link: https: //www.dataprivacyframework.gov/s/participant-search

9.5 Google Analytics

Our website uses functions of the web analysis service Google Analytics from Google LLC (1600 Amphitheatre Parkway, Mountain View, California 94043, USA; hereinafter referred to as Google). In the European Union (EU) and the European Economic Area (EEA), the services are provided by Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland; hereinafter referred to as Google ). With the help of Google Analytics, we analyse your user behaviour in order to make decisions regarding product and marketing optimisation based on the results. Through Google Analytics, we process the following personal data, among others

Time of the enquiry
IP addresses
Online identifiers
Device identifiers
Technical characteristics of users (e.g. browser type and version, device type, operating system)
Measurement of user behaviour (e.g. views of individual pages / content, views of content from different areas, session duration / dwell time, bounce rate)
Use of individual functionalities of the website (e.g. search queries, downloads)
eCommerce activity (e.g. products purchased, sales)
Referral URL (the previously visited page)

The legal basis for the use of Google Analytics is the voluntary and revocable consent given by you in accordance with Art. 6 para. 1 lit. a GDPR. You can revoke your consent at any time with effect for the future by making the appropriate changes or adjustments in your cookie settings.

Personal data will be anonymised by Google 14 months after your last activity, unless there is a legal obligation to retain it.

Further information and the data protection provisions can be found in Google's privacy policy at: https://policies.google.com/?hl=de.

9.6 Google Tag Manager

We use Google Tag Manager to control the use of code snippets ("tags"), such as tracking code on our website. In the European Union (EU) and the European Economic Area (EEA), the services are provided by Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland; hereinafter referred to as Google).

Google Tag Manager is a tool that allows us to integrate tracking or statistical tools and other technologies on our website. Google Tag Manager enables us to quickly and easily exchange code on our website via a web interface without having to intervene in the source code. Among other things, we process the following personal data through the Google Tag Manager

IP address
Device data, such as operating system, browser version, screen resolution

The legal basis for the use of Google Tag Manager is your voluntary and revocable consent in accordance with Art. 6 para. 1 lit. a GDPR. You can revoke your consent at any time with effect for the future by making the corresponding changes or adjustments in your cookie settings.

Data in standard HTTP request logs and diagnostic data will be deleted within 14 days of receipt.

Further information and the data protection provisions can be found in Google's privacy policy at: https://policies.google.com/?hl=de.

9.7 Google Maps

On our website, we use the map service Google Maps from Google LLC (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; hereinafter referred to as Google). This allows us to show you interactive maps directly on the website and enables you to use the map function conveniently.

By using Google Maps, information about the use of this website, including your IP address and the (start) address entered as part of the route planner function, is collected. When you access a web page on our website that contains Google Maps, your browser establishes a direct connection with Google's servers. The map content is transmitted by Google directly to your browser, which integrates it into the website. We have no influence on the scope of the data collected by Google in this way. To the best of our knowledge, this is at least the following data

Date and time of the visit to the website in question
Internet address or URL of the website accessed
IP address, (start) address entered as part of route planning

Data is transmitted regardless of whether Google provides a user account through which you are logged in or whether no user account exists. If you are logged in to Google, your data will be assigned directly to your account. If you do not wish your data to be associated with your Google user account, you must log out before activating the button. Google stores your data as usage profiles and uses them for the purposes of advertising, market research and/or customising its website. Such an analysis is carried out in particular (even for users who are not logged in) to provide customised advertising and to inform other users of the social network about your activities on our website. You have the right to object to the creation of these user profiles, whereby you must contact Google to exercise this right.

The legal basis for the use of Google Maps is the voluntary and revocable consent given by you in accordance with Art. 6 para. 1 lit. a GDPR. You can revoke your consent at any time with effect for the future by making the appropriate changes or adjustments in your cookie settings.

Further information and the data protection provisions can be found in Google's privacy policy at: https://policies.google.com/?hl=de.

9.8 Meta Pixel

We use the so-called "Meta Pixel" from Meta Platforms Ireland Limited (Merrion Road, Dublin 4, D04 X2K5, Ireland; hereinafter Meta) - formerly Facebook Ireland Limited - on our websites under joint responsibility.

The controller within the meaning of Art. 26 GDPR is

Meta Platforms Ireland Limited
Merrion Road, Dublin 4, D04 X2K5, Ireland

The agreement on joint responsibility pursuant to Art. 26 para. 1 sentence 2 GDPR is available at: https://www.facebook.com/legal/controller_addendum

We use Meta Pixel for marketing and optimisation purposes, in particular to place relevant and interesting ads for you on Facebook and thus improve our offer, make it more interesting for you as a user and avoid annoying ads. All information collected by the cookie is forwarded to Meta and allows Meta to draw conclusions about your user behaviour. If you are registered on a Meta platform/service, Meta can associate this visit with you. Even if you are not registered on a Meta platform/service or are not logged in, there is a possibility that Meta will receive your IP address and other identifying features and store them in an assignable manner.

When you access our website via your browser, the built-in Meta pixel initiates cookie storage in your system if you have given your consent. The legal basis for this is Art. 6 para. 1 lit. a GDPR and § 25 para. 1 TDDDG. You can revoke your consent at any time with effect for the future by making the corresponding changes or adjustments in your cookie settings.

We only receive non-personal data from Meta that is used for the purpose of optimising and measuring the success of interest-based advertisements and events. Further information regarding the data processing for which Meta is responsible can be found, for example, in the following sources of information:

Meta Terms of Use: https://www.facebook.com/legal/terms/update

Data policy: https://de-de.facebook.com/privacy/explanation

By integrating the services on our websites, data is transmitted to the above-mentioned recipients and processed there for as long as is necessary to achieve the stated purposes.

Since personal data may be transferred by Meta to affiliated companies and sub-service providers in countries outside the EU and the EEA, further protective mechanisms are required to ensure the level of data protection required by the GDPR. For the USA, there is an adequacy decision of the EU Commission pursuant to Art. 45 para. 1 GDPR with regard to companies with certification under the EU-U.S. Data Privacy Framework. Meta Platforms, Inc. is certified under the EU-U.S. Data Privacy Framework and is therefore committed to complying with appropriate data protection standards, which can be viewed at the following link: https://www.dataprivacyframework.gov/s/participant-search.

9.9. incert

We use the system of the company INCERT eTourismus GmbH & Co KG (Leonfeldner Strasse 328, A-4040 Linz, Austria; hereinafter referred to as incert) to process orders for vouchers. It enables the automated online sale of vouchers as well as the individual personalisation of vouchers with greetings, personal images and videos.

The following information is required to process orders:

Salutation
First name and surname
postal address
e-mail address
Partial telephone number
Company name
VAT no.

Processing is carried out for the purpose of providing contractual services or for the fulfilment of pre-contractual services on the legal basis of Art. 6 (1) lit. b GDPR (ordering vouchers) and Art. 6 (1) lit. c GDPR (legally required retention periods for accounting documents). The corresponding software is used on the legal basis of our legitimate interest. Our legitimate interest lies in being able to provide you with vouchers quickly and without being tied to a specific location.

We would like to point out that the webshop operator stores the pseudonymised IP data and behavioural analysis of the connection owner in the form of cookies for the purpose of simplifying the purchasing process (ticket purchases) and for subsequent contract processing. You can also personalise your vouchers by adding notes, photos or videos. The legal basis for the processing of this data is your voluntary and revocable consent in accordance with Art. 6 para. 1 lit. a GDPR. You can revoke your consent at any time with effect for the future by making the corresponding changes or adjustments in your cookie settings.

You are under no obligation to enter your personal data. The only consequence of not entering it is that your order for vouchers in the online shop cannot be processed.

By integrating the service on our website, the data is transmitted to the above-mentioned recipient and processed there for as long as is necessary to fulfil the stated purposes.

We have concluded an order processing contract with the provider for its use. This is a contract prescribed by data protection law, which ensures that the provider processes your personal data only in accordance with our instructions and in compliance with the GDPR. In cases where there is no adequacy decision by the European Commission, we have agreed other suitable guarantees with the data recipients within the meaning of Art. 44 et seq. GDPR have been agreed. Unless otherwise stated, these are standard contractual clauses (SCCs) of the European Commission in accordance with Implementing Decision (EU) 2021/914 of 4 June 2021.

9.10. Payment service providers Nexi and PayPal

For the purpose of payment processing, we use the services of Nexi Germany GmbH, (Helfmann-Park 7, 65760 Eschborn; hereinafter referred to as Nexi) for PayPal and credit card payments.

PayPal and Nexi act as separate controllers within the meaning of the GDPR as part of the payment process. The payment service providers only process the data relevant to the invoice. This includes your master data, such as your name and address, your bank details (such as your account number or credit card number) and also information about your order, i.e. the invoice amount. The data is processed exclusively by the payment service providers. We do not process your above-mentioned data. We only receive the information as to whether the payment was successful or not. Under certain circumstances, the data may also be transmitted by the payment service providers to credit agencies for the purpose of identity and credit checks. The data processing serves the fulfilment of the contract in accordance with Art. 6 para. 1 lit. b GDPR.

In the case of PayPal, you will be forwarded directly to PayPal of the payment service provider PayPal (Europe) S.à r.l. et Cie, S.C.A., (22-24 Boulevard Royal, L-2449 Luxembourg; hereinafter PayPal) at the end of the order process.

Please also note that PayPal may transfer data to countries outside the EU or the EEA. You can find information on the basis of data transfers and further data protection information in PayPal's privacy policy at: https://www.paypal.com/de/webapps/mpp/ua/privacy-full

We also want to make credit card payments secure and smooth. To this end, we use procedures that comply with the globally applicable standards of the card networks (Visa, MasterCard, JCB, Diners, AMEX, etc.). It is therefore necessary to send the corresponding data elements to the card-issuing bank of the card to be used for payment.

This serves several purposes: On the one hand, the data processing serves to fulfil the contract. If the credit card payment method has been selected, authentication is required. This means that it must be ensured that the authorised credit card holder has initiated the payment. This requires the transmission of certain data. The legal basis is therefore Art. 6 para. 1 lit. b GDPR. The procedure therefore also serves to carry out strong customer authentication in accordance with Directive EU 2015/2366 (PSD 2) and the Payment Services Supervision Act (ZAG). The legal basis is therefore also Art. 6 para. 1 lit. c GDPR in conjunction with the corresponding provisions of Directive EU 2015/2366 and the ZAG. In addition, the procedure serves fraud prevention and user-friendliness, i.e. the common interest in secure and smooth purchasing. The legal basis would therefore also be Art. 6 para. 1 lit. f GDPR.

For this purpose, the following data is transmitted to the card network you use

Payment amount, currency, website accessed and whether it was successfully accessed, credit card number, expiry date, name of the cardholder, information about your internet browser (e.g. IP address, Java activated, language, colour depth, screen size, time zone), customer account information (date of creation of customer account and credit card, time of last change of address or payment data), information on the invoice recipient and shipping address (name, title, e-mail address, addresses), other risk factors (download orders, delivery deadline, pre-order, match of billing and delivery address).

The data was generated as part of the transaction. An automated authentication or risk check takes place. This can potentially mean that authentication is not successful and the selected payment method cannot be used in the specific case.

Data may only be transferred to third countries outside the EU if the banks involved are based in third countries.

For more information about data processing at Nexi, please refer to Nexi's privacy policy at: https://www.nexi.de/de/legal-footer/datenschutzerklaerung.

9.11. Cloudflare

We use the Cloudflare CDN from Cloudflare, Inc. (101 Townsend St., San Francisco, CA 94107, USA; hereinafter Cloudflare) on this website to improve the speed and security of our website. Cloudflare offers services such as a content delivery network (CDN) and various security functions. With the Content Delivery Network, our content is mirrored on different servers to ensure optimal accessibility worldwide. User data is processed in the process.

Cloudflare operates a network of globally distributed servers that store copies of our website. When you visit our site, the content is delivered from the nearest server, which reduces the loading time. This speeds up the display, especially for users outside our hosting region, and increases security by protecting against DDoS attacks and a web application firewall.

We want to provide you with the best possible experience by optimising the speed and security of our website. Cloudflare helps us do this by improving web performance and blocking threats. In addition, by storing our website in local data centres, bandwidth usage is reduced by up to 60%. Other features such as the "I'm Under Attack Mode" provide additional protection against attacks by requiring a short challenge (e.g. JavaScript task) to be solved before access to the site is granted.

Cloudflare processes data on our behalf, such as IP addresses, security fingerprints and performance data. This information is used to ensure the security of our website and is processed in accordance with applicable law, including the GDPR.

The legal basis for the provision of these services is our legitimate interest pursuant to Art. 6 para. 1 sentence 1 lit. f GDPR to ensure the provision, security and stability of our website.

Cloudflare stores data mainly in the USA and the European Economic Area (EEA). User data for most domains is stored for less than 24 hours. For Enterprise customers, logs may be retained for up to 7 days if enabled. Exceptions exist when security alerts are triggered.

We have concluded a data processing agreement for the use of Cloudflare. This is a contract required by data protection law, which guarantees that your personal data will only be processed in accordance with our instructions and in compliance with the GDPR. In cases where there is no adequacy decision by the European Commission, we have agreed other suitable guarantees with the data recipients within the meaning of Art. 44 et seq. GDPR have been agreed. Unless otherwise stated, these are standard contractual clauses (SCCs) of the European Commission in accordance with Implementing Decision (EU) 2021/914 of 4 June 2021.

The personal data may also be transferred to the USA. The European Commission has issued an adequacy decision pursuant to Art. 45 (3) GDPR for the EU-U.S. Data Privacy Framework. On the basis of this decision, data transfers to organisations based in the USA that are certified accordingly are permitted. Cloudflare is certified under the EU-U.S. Data Privacy Framework and is therefore committed to complying with appropriate data protection standards.

Further information about processing by Cloudflare can be found at: https://developers.cloudflare.com/fundamentals/.

9.12. Sentry

We use Sentry from Functional Software, Inc. (45 Fremont Street, 8th Floor, San Francisco, CA 94105, USA; hereinafter referred to as Sentry) to continuously maintain the operational security of our offer. Sentry helps us to identify and analyse errors and problems within our website in real time. This enables us to react quickly to crashes, performance problems or other irregularities and thus ensure the stability and reliability of the website.

When using Sentry, we process the following data, taking into account data protection-friendly default settings:

Error details: information about the error itself, including the nature of the error and the error message, as well as the context in which the error occurred.
System information: Browser version, device type, operating system and other relevant information about the system on which the error occurred.
Usage data: Information about how the application was being used at the time of the error, including specific user actions that may have led to the error. Personal data is anonymised or masked where possible.
Network information: IP address (in anonymised form where possible), as well as request details that may clarify the context of the error.

The primary purpose of using Sentry is to analyse errors. By collecting error reports and performance data, we can understand the causes of problems and take targeted action to resolve them. This contributes significantly to security by quickly addressing security vulnerabilities and increasing the efficiency of our services.

The processing of personal data in the context of error analysis with Sentry is based on our legitimate interest in accordance with Art. 6 para. 1 lit. f GDPR. Our legitimate interest lies in ensuring the security and functionality of the website, which is also in the interest of our users.

The data collected as part of the error analysis with Sentry is only stored for as long as is necessary to analyse and resolve the recorded problems. The data is then deleted or anonymised so that it can no longer be traced back to a specific or identifiable person. The maximum storage period is usually 90 days.

We have concluded an order processing contract for the use of Sentry. This is a contract prescribed by data protection law, which guarantees that your personal data will only be processed in accordance with our instructions and in compliance with the GDPR. In cases where there is no adequacy decision by the European Commission, we have agreed other suitable guarantees with the data recipients within the meaning of Art. 44 et seq. GDPR have been agreed. Unless otherwise stated, these are standard contractual clauses (SCCs) of the European Commission in accordance with Implementing Decision (EU) 2021/914 of 4 June 2021.

The personal data is also transferred to the USA. The European Commission has issued an adequacy decision pursuant to Art. 45 (3) GDPR for the EU-U.S. Data Privacy Framework. On the basis of this decision, data transfers to organisations based in the USA that are certified accordingly are permitted. Sentry is certified under the EU-U.S. Data Privacy Framework and is therefore committed to complying with appropriate data protection standards.

Further information on data use by Sentry can be found at: https://sentry.io/privacy.

9.13. The Hotels Network

On our website we use services of the provider The Hotels Network, S.L.P, (Avenida Diagonal, 439, 3º-1ª, E-08036 Barcelona). We use The Hotels Network service to improve the online booking experience for our guests and increase direct bookings. The tool offers a range of integrated functions to personalise and optimise the hotel website.

The provider processes usage data (e.g. websites visited, interest in content, access times) and meta/communication data (e.g. device information, IP addresses) within the EU. The Hotels Network collects anonymised data about user behaviour on hotel websites, including pages visited, searches, prices displayed and bookings made. This data is used to create personalised offers and content for each visitor. The tool uses artificial intelligence and machine learning to predict user behaviour and adapt the website accordingly. Key features include price comparisons, review summaries and personalised messaging options. The Hotels Network also uses predictive personalisation to automatically tailor messages and offers to each user. The Hotels Network's BenchDirect tool also provides hotels with competitive data on the performance of their direct sales channel.

Data is collected via JavaScript and cookies implemented on the hotel website and utilises the browser's local storage. As all analysis and processing is always anonymised, it is impossible to identify the user personally.

Should it nevertheless become necessary to process personal data, this is done exclusively on the basis of your consent in accordance with Art. 6 para. 1 lit. a GDPR and § 25 para. 1 TDDDG. You can withdraw your consent at any time, e.g. by contacting us using the contact details provided in our privacy policy. The revocation does not affect the legality of the processing carried out until the revocation.

The data will be deleted as soon as the purpose for which it was collected no longer applies and there are no statutory retention obligations to the contrary.

We have concluded an order processing contract with the provider. This is a contract prescribed by data protection law, which guarantees that the provider will only process your personal data in accordance with our instructions and in compliance with the GDPR. In cases where there is no adequacy decision by the European Commission, we have agreed other suitable guarantees with the data recipients within the meaning of Art. 44 et seq. GDPR have been agreed. Unless otherwise stated, these are standard contractual clauses (SCCs) of the European Commission in accordance with Implementing Decision (EU) 2021/914 of 4 June 2021.

Further information can be found at: https://thehotelsnetwork.com/en/privacy-policy.

9.14. jsDelivr CDN

We use the jsDelivr CDN service provided by Volentio JSD Limited, (Suite 2a1, Northside House, Mount Pleasant, Barnet, England, EN4 9EB) on our website. With the jsDelivr CDN, our content is mirrored on different servers to ensure optimum accessibility worldwide.

When you access this content, you establish a connection to jsDelivr servers, whereby your IP address and possibly browser data such as your user agent are transmitted. This data is processed exclusively for the above-mentioned purposes and to maintain the security and functionality of jsDelivr CDN.

The use of jsDelivr CDN is based on our legitimate interests, i.e. interest in the secure and efficient provision and optimisation of our online offer in accordance with Art. 6 para. 1 lit. f. GDPR. GDPR.

The specific storage period of the processed data cannot be influenced by us, but is determined by jsDelivr.

The personal data is also transferred to the United Kingdom. The European Commission has issued an adequacy decision for the United Kingdom pursuant to Art. 45 (3) GDPR. On the basis of this decision, data transfers to bodies in the United Kingdom are permitted.

Further information on the handling of the transferred data can be found in the privacy policy of jsDelivr: https://www.jsdelivr.com/terms/privacy-policy.

9.15. Spotify

We use the podcast hosting service Spotify from the provider Spotify (Spotify AB Regeringsgatan 19, SE-111 53 Stockholm, Sweden) to play certain audio and podcast content. For this purpose, we have embedded a Spotify widget on our website that enables audio content to be played through the Spotify player.

The podcasts are downloaded from Spotify or transmitted via Spotify. Spotify processes various data to enable podcast downloads/playbacks and to determine statistical data, such as the number of downloads. If you are logged into your user account during playback, Spotify assigns this data to your user account.

The following data is collected:

Usage data:

o Interactions with the embedded player, e.g. play/pause actions, volume controls and track selection.

o Dwell time and click behaviour on the embedded Spotify content.

Technical data:

o IP addresses, browser information and device information to optimise the playback and functionality of the Spotify player.

Cookies:

o Spotify uses cookies to analyse user behaviour, in particular to track user interactions with the player.

Personal data (for logged-in users):

o If a user is logged in to your website and uses the Spotify player, additional personal data such as listening habits and playlists could be processed.

The legal basis for this use is the voluntary and revocable consent given by you in accordance with Art. 6 para. 1 sentence 1 lit. a GDPR. You can revoke your consent at any time with effect for the future by making the corresponding changes or adjustments in your settings.

We have concluded a data processing agreement for the use of Spotify. This is a contract required by data protection law, which ensures that your personal data is only processed in accordance with our instructions and in compliance with the GDPR. In cases where there is no adequacy decision by the European Commission, we have agreed other suitable guarantees with the data recipients within the meaning of Art. 44 et seq. GDPR have been agreed. Unless otherwise stated, these are standard contractual clauses (SCCs) of the European Commission in accordance with Implementing Decision (EU) 2021/914 of 4 June 2021.

Further information on data processing by Spotify AB can be found at: https://www.spotify.com/de/legal/privacy-policy/

9.16. customice booking module

Our website uses a customice booking module from customice GmbH, (Welfenstr. 22, 81541 Munich Germany; customice). You can use the customice booking module to reserve rooms in our hotel online via a call-off contingent.

When you visit one of our pages that is equipped with a customice booking module, a connection is established to the operator's servers. Your IP address is transmitted and the operator's server is informed which of our pages you have visited. If technically necessary, the booking module sets a cookie to temporarily store your entries. The data you enter in the booking module is temporarily stored on the provider's server until it can be transferred to our system. In addition to the technical metadata collected via your browser, the following personal data may be collected based on the information you provide:

Salutation
First name and surname
your address
e-mail address
telephone number
Company details
VAT no.
Purpose of booking

The booking module is used in the interest of simplifying booking options and optimising our business operations. This constitutes a legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR.

9.17. DialogShift

On our website we use the AI chat service of DialogShift GmbH, (Torstr. 201, 10115 Berlin Germany; hereinafter DialogShift). The chat widget offers you the opportunity to communicate directly with KI. Please note that personal data is collected when you use the chat.

When you visit our website, the chat widget is loaded as a JavaScript file. This widget contains the source code that is executed on your device and enables the chat function. Cookies are stored in your browser so that the DialogShift chat widget can function properly. These cookies are technically necessary and are only filled with data when the chat is used. Before that, it has a purely technical function to enable the service chat to be offered. This application uses GPT models from Open AI and processes.

In addition, a technically required cookie with a unique ID is set. The cookie is used to recognise you as a customer and to call up past chat logs. This cookie is stored for 90 days since it was last used.

The possible disclosure of names, e-mail addresses or telephone numbers is voluntary and with your consent to temporarily use and store this data for the purpose of establishing contact until the end of the contact.

We store the history of live chats to improve our service and for quality assurance purposes. This helps us to process recurring enquiries more efficiently, as information that has already been shared does not have to be entered again. In addition, we store the chat history for a period of 90 days.

If you wish to delete your chat history, you can inform us at any time using the contact details below. In this case, the saved chats will be deleted immediately.

The legal basis for the use of the service is the voluntary and revocable consent given by you in accordance with Art. 6 para. 1 lit. a GDPR. You can revoke your consent at any time with effect for the future by making the corresponding changes or adjustments in your cookie settings.

We have concluded an order processing contract with the provider. This is a contract prescribed by data protection law, which ensures that the provider only processes your personal data in accordance with our instructions and in compliance with the GDPR. In cases where there is no adequacy decision by the European Commission, we have agreed other suitable guarantees with the data recipients within the meaning of Art. 44 et seq. GDPR have been agreed. Unless otherwise stated, these are standard contractual clauses (SCCs) of the European Commission in accordance with Implementing Decision (EU) 2021/914 of 4 June 2021.

Further information on the handling of your data can be found in DialogShift's privacy policy at: https://www.dialogshift.com/datenschutz.

9.18. Gastronovi

On our website we use services of Gastronovi GmbH, (Mittenstraße 11, 26122 Oldenburg, Germany, hereinafter Gastronovi). Gastronovi provides a cloud-based catering system that offers functions such as online reservations, ordering systems and cash register systems. When you make a table reservation or pick up food using the corresponding forms on our website, the following data is processed depending on the input:

Metadata such as IP address etc.
Title, first name, surname
E-mail address (double entry for confirmation)
Telephone number
Voluntary comments
Payment details (depending on the selected payment method: PayPal, credit card, Giropay or Google Pay)
Optional: Company details (if "Continue as business customer" is selected)

The embedding of the service and the associated processing of the technical data are carried out in the interest of a simple booking option and to optimise our business operations. This constitutes a legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR.

The processing is carried out on the basis of Art. 6 para. 1 lit. b GDPR, insofar as the data is necessary for the fulfilment of a contract or pre-contractual measures, or on the basis of our legitimate interest in an efficient and secure ordering and reservation process.

Voluntary data is processed on the basis of Art. 6 para. 1 lit. a GDPR. You can revoke your consent at any time with effect for the future by contacting us.

Your personal data will be stored as long as this is necessary to fulfil the stated purposes and statutory and/or contractual retention obligations are relevant. After the end of the contractual relationship, the data will be deleted in accordance with the relevant retention periods.

Further information on data protection at Gastronovi can be found at: https://www.gastronovi.com/datenschutz.

9.19. Upstash

We integrate the functions of Upstash on our website. This service is offered by Upstash Inc, 6202 via de Adrianna, San Jose, CA 95120, USA. Upstash offers security functions such as encryption of data at rest and in transit as well as access controls to protect data from unauthorised access.

Upstash is a serverless data platform that specialises in database management, particularly NoSQL database storage. These have fast and flexible data storage performance.

When you visit our website, some data is transferred to Upstash. This includes usage data, which may contain information about interaction with the website. In addition, the IP address may be transmitted in order to authenticate and track requests to the website. Information about the device and browser used is also transmitted to ensure compatibility and performance. Depending on the configuration and requirements of the website, Upstash may also transmit location data in order to provide geographical restrictions or personalised content.

The legal basis for data processing by Upstash is Art. 6 para. 1 lit. f GDPR. We have a legitimate interest in supplementing our website with a serverless data platform in order to improve the efficiency and scalability of data processing.

The personal data is also transferred to the USA. The European Commission has issued an adequacy decision pursuant to Art. 45 (3) GDPR for the EU-U.S. Data Privacy Framework. On the basis of this decision, data transfers to organisations based in the USA that are certified accordingly are permitted. Google is certified under the EU-U.S. Data Privacy Framework. Upstash Inc. is certified under the EU-U.S. Data Privacy Framework and is therefore committed to complying with appropriate data protection standards.

Further information on data protection at Upstash can be found at: https://upstash.com/trust/privacy.pdf.

9.20. MARA

We use the MARA service from MARA Solutions GmbH (Tullastraße 15, 68161 Mannheim, Germany; hereinafter referred to as MARA) as a review management platform for the automated analysis and evaluation of online reviews and customer feedback. The aim is to continuously improve the quality of our services and customer satisfaction.

MARA Solutions processes publicly accessible information, in particular customer reviews on platforms such as Google, Trustpilot or other review portals. The processing takes place exclusively for the structured evaluation and presentation of feedback trends. MARA Solutions may also process personal data (e.g. names or content of reviews) if these are publicly visible.

Please note that data processing on the respective review portals is subject to the data protection guidelines of the respective portal. We have no influence on the processing or the guidelines set by the portals themselves.

In order to provide the widget on our website, we process the following data of website visitors when they use MARA:

IP address
Date and time of access
User agent (browser)
Region

The data is anonymised at the start of collection so that it can no longer be traced back to a specific or identifiable person. This technical data is stored for 90 days.

Processing is carried out on the basis of Art. 6 para. 1 lit. f GDPR. Our legitimate interest lies in the optimisation of our offer and the customer-oriented further development of our products and services.

10. transmission of personal data

As part of our processing of personal data, personal data may be transferred to other recipients or disclosed to them. The recipients of this personal data may include, for example, service providers commissioned with IT tasks or providers of services and content that are integrated into a website. In such cases, we observe the legal requirements and, in particular, conclude corresponding contracts or agreements with the recipients of your personal data that serve to protect your personal data.

11 Deletion of data

The personal data processed by us will be deleted in accordance with the legal requirements as soon as the consent given for processing is revoked or other authorisations cease to apply (e.g. if the purpose of processing this personal data no longer applies or it is not required for the purpose).

Our data protection notices also contain further information on the retention and erasure of personal data, which take priority for the respective processing operations.

12 Your rights as a data subject

As a data subject, you are entitled to various rights under the GDPR, which arise in particular from Art. 15 to 21 GDPR. If you wish to exercise any of your rights, please contact us using the contact addresses given above or our data protection officer.

12.1 Right to object

You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on point (e) or (f) of Article 6(1) GDPR, including profiling based on those provisions. If your personal data is processed for direct marketing purposes, you have the right to object at any time to the processing of your personal data for such marketing, which includes profiling to the extent that it is related to such direct marketing. If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves the establishment, exercise or defence of legal claims.

12.2 Right to information

You have the right to obtain confirmation as to whether or not personal data concerning you is being processed and access to this personal data as well as further information and a copy of the personal data in accordance with the legal requirements.

12.3 Right to rectification

In accordance with the statutory provisions, you have the right to request the completion of personal data concerning you or the rectification of inaccurate personal data concerning you.

12.4 Right to erasure and restriction of processing

You have the right to obtain from us the erasure of personal data concerning you without undue delay where one of the grounds provided by law applies and insofar as the processing or storage is not necessary.

12.5 Restriction of processing

You have the right to demand that we restrict processing if one of the legal requirements is met.

13.6 Right to data portability

You have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format in accordance with the legal requirements or to request its transmission to another controller.

12.7 Right to withdraw consent

You have the right to withdraw your consent at any time.

12.8 Complaint to the supervisory authority

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data relating to you infringes the provisions of the GDPR.

13 Amendment and updating of the privacy policy

We will amend the privacy policy as soon as changes to the data processing carried out by us make this necessary. We will inform you as soon as the changes require your cooperation (e.g. consent) or other individual notification.

If we further develop our website and our offers or if legal or official requirements change, it may be necessary to amend this data protection notice. You can access the current data protection information here at any time.

Status: December 2025