Data protection

General information

The Hotel Rittergut Störmede KG, its managing partner Mr. Hartmuth Bröggelwirth and all employees of the hotel attach great importance to the protection of the privacy of their guests. In the following we would therefore like to inform you in detail which data we collect from you on the one hand within the framework of current business relations and on the other hand during your visit to our website and the use of our offers there and how these are processed or used by us in the following and which rights you are entitled to in this respect.

Your personal data, such as your name, address, e-mail address or telephone number, will only be processed by us on the basis of statutory data protection legislation, i.e. the EU Data Protection Basic Regulation (DSGVO), the Federal Data Protection Act (BDSG-neu) and the Telemedia Act (TMG).

The extent of the data collected and processed by us differs depending on whether you visit our website only to retrieve information or also make use of services offered by us via our website or in writing.

1. definitions

Our data protection declaration uses the terms of the EU data protection basic regulation (DSGVO), which we would like to briefly explain to you for easier understanding. These and other definitions can be found in Art. 4 DSGVO.

a) Personal data

"personal data" means any information relating to an identified or identifiable natural person (hereinafter "data subject"); a natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or one or more specific characteristics which express the physical, physiological, genetic, psychological, economic, cultural or social identity of that natural person, is considered to be identifiable.

(b) Data subject

"data subject" means any identified or identifiable natural person whose personal data are processed by the controller.

(c) Processing
"processing' means any operation or set of operations which is carried out with or without the aid of automated means relating to personal data, such as collection, recording, organisation, sorting, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or association, qualification, erasure or destruction.

(d) Limitation of processing
"Restriction of processing' means the marking of stored personal data with the aim of limiting their future processing.

e) Pseudonymisation
"pseudonymisation' means the processing of personal data in such a way that the personal data can no longer be attributed to a specific data subject without the provision of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures ensuring that the personal data are not attributed to an identified or identifiable natural person.

f) Person responsible
"controller" means the natural or legal person, public authority, agency or other body which alone or jointly with others decides on the purposes and means of the processing of personal data; where the purposes and means of such processing are laid down by Union law or by the law of the Member States, the controller or the specific criteria for his designation may be laid down in Union law or in the law of the Member States.

(g) Processors
"processor' means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

(h) Recipient
"recipient' means a natural or legal person, public authority, agency or other body to whom personal data are disclosed, whether or not that person is a third party. However, authorities which may receive personal data in the course of a specific investigation task under Union law or the law of the Member States shall not be considered as recipients; the processing of such data by those authorities shall be carried out in accordance with the applicable data protection rules and in accordance with the purposes of the processing.

(i) Third parties
"third party' means a natural or legal person, public authority, agency or any other body, other than the data subject, the controller, the processor and the persons authorised to process the personal data under the direct responsibility of the controller or the processor.

(j) Consent
"consent" of the data subject shall mean any voluntary statement of intention in a particular case, made in an informed and unambiguous manner, in the form of a statement or other unambiguous affirmative act, by which the data subject indicates his or her consent to the processing of his or her personal data.
 

2. type of personal data concerned/purposes of processing

Among the personal data to be processed by us are:

• Name, gender, home and business address, telephone number and e-mail address, title, date and place of birth, nationality, passport and visa information, or other identification documents issued by governmental authorities.
• Information about your stay at our hotel, dates of arrival and departure, goods and services purchased, special requests, information about your service preferences (including preferences for rooms, facilities and holidays, amenities requested, age of children and other services used)
• Dialed telephone numbers, sent / received faxes or received telephone messages when using the telephone services offered by us during your stay.
• Credit and debit card information
• Information on online user accounts, profile or password information and possible memberships in frequent flyer or travel partner programmes.
• Employer's contact details or other relevant information about employees of companies, vendors and other business partners (e.g., travel agencies or meeting and event planners)
• Additional information about you that we obtain through third parties with whom we do business (e.g., travel agents or similar providers)

- that is, all personal information that we require in order to be able to provide our contractual services to you.

The collection of the above personal data takes place as follows:

• About our online services: We collect personal data when you make a reservation or otherwise purchase goods and services from us, communicate with us, inform us of special wishes or preferences, subscribe to a newsletter or participate in surveys, competitions or special promotions.
• About our Offline Services: We collect personal information from you offline when you make a reservation at our hotel by telephone.
•  Through other sources: We may obtain personal information from other sources, such as public databases, joint marketing partners and other third parties. This includes information from travel agencies, airlines, credit card providers, and other partners, as well as social media platforms (including people you are connected to as friends or otherwise). For example, if you sign in to, connect to, or link to our online services using your social media account, certain personally identifiable information from your social media account that may contain personally identifiable information from your profile or the profiles of your friends will be transferred to us.

Failure to communicate the personal data necessary for your order may result in the order not being executable. The data processing is carried out at your request and is required according to Art. 6 para. 1 sentence 1 lit. b DSGVO for the stated purposes for the appropriate processing of your enquiry or order and for the mutual fulfilment of obligations arising from the contract.

We do not carry out automated decision-making (in particular profiling).

We may pass on the data to our partners if we use their services to fulfill our contractual obligations to you, such as suppliers, payment processors, data hosts, software providers (hotel software / POS software / communication software) and the like. The passed on data may be used by the third parties exclusively for the named purposes.

The personal data processed by us within the scope of the contractual relationship will be stored until the proper performance of the contract, including the statutory periods for warranty against defects, and deleted thereafter, unless we are obligated under Article 6 para. 1 sentence 1 lit. c DSGVO due to tax and commercial law or other statutory duties of storage and documentation (such as from the Reporting Act, HGB, StGB or AO) to longer storage or you have consented to storage going beyond Art. 6 para. 1 sentence 1 lit. a DSGVO in accordance with Art. 6 para. 1 sentence 1 a DSGVO.

3. the name and address of the person responsible for processing personal data

The person responsible within the meaning of the Basic Data Protection Regulation is:

Rittergut Störmede KG,– www.rittergut-stoermede.de –
Albert-Brand-Straße 3, 59590 Geseke, Germany

Represented by Hartmut Bröggelwirth
Phone: +49 (0) 2942 / 9 88 08 0
Fax: +49 (0) 2942 / 9 88 08 20
email: post@rittergut-stoermede.de

4. the name and address of the Data Protection Officer

The data protection officer of the controller is:

Mr Oliver Pikolleck
attorney-at-law
external data protection officer (TÜV-cert.)
pikolleck@hiLevDATA.de
HiLevDATA GmbH & Co. KG

Every person concerned can contact our data protection officer directly at any time with all questions and suggestions regarding the subject of data protection.

5. special regulations regarding our website www.rittergut-stoermede.de

Server data

If you only use the website for informational purposes, i.e. if you do not register or otherwise provide us with information, we only collect the personal data that your browser transmits to our server. If you wish to view our website, we collect the following data which is technically necessary for us to display our website to you and to guarantee stability and security (legal basis is Art. 6 Para. 1 S. 1 lit. b, f DS-GVO):

• IP address
• Date and time of the request
• Time zone difference to Greenwich Mean Time (GMT)
• Contents of the request (concrete page)
• Access status/HTTP status code
• Amount of data transferred in each case
• Website from which the request originates
• Browser
• Operating system and its interface
• Language and version of the browser software.

Use of cookies

In addition to the aforementioned data, cookies are stored on your computer when you use our website. Cookies are small text files that are stored on your hard drive assigned to the browser you are using and through which certain information flows to the location that sets the cookie (here by us). Cookies cannot execute programs or transmit viruses to your computer. They serve to make the website more user-friendly and effective.

This website uses the following types of cookies, the scope and function of which are explained below:

• Transient Cookies
• Persistent Cookies.

Transient cookies are automatically deleted when you close your browser. These include in particular session cookies. They store a so-called session ID, which can be used to assign various requests from your browser to the shared session. This enables your computer to be recognised when you return to our website. The session cookies are deleted when you log out or close your browser.

Persistent cookies are automatically deleted after a specified period, which may vary depending on the cookie. You can delete cookies at any time in the security settings of your browser.

You can configure your browser settings according to your wishes and, for example, refuse to accept third-party cookies or all cookies. We would like to point out that you may not be able to use all the functions of this website.

We may use cookies to identify you for subsequent visits if you have an account with us. Otherwise, you will have to log in again for each visit.

The Flash cookies used are not recorded by your browser, but by your Flash plug-in. We also use HTML5 storage objects, which are stored on your end device. These objects store the required data regardless of the browser you are using and do not have an automatic expiration date. If you do not wish the Flash cookies to be processed, you must install an appropriate add-on, e.g. "Better Privacy" for Mozilla Firefox (https://addons.mozilla.org/de/firefox/addon/betterprivacy/) or the Adobe Flash Killer cookie for Google Chrome. You can prevent the use of HTML5 storage objects by using private mode in your browser. We also recommend that you regularly delete your cookies and browser history manually.

Google Analytics with anonymization function

This website uses Google Analytics, a web analytics service provided by Google Inc. ("Google"). Google Analytics uses "cookies", which are text files placed on your computer, to help the website analyze how users use the site. The information generated by the cookie about your use of the website will generally be transmitted to and stored by Google on servers in the United States. However, if IP anonymisation is activated on this website, your IP address will be shortened beforehand by Google within member states of the European Union or in other signatory states to the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA where it will be shortened. On behalf of the operator of this website, Google will use this information to evaluate your use of the website, to compile reports on website activity and to provide other services relating to website activity and internet usage to the website operator.

The IP address transmitted by your browser as part of Google Analytics is not combined with other data from Google.

You may refuse the use of cookies by selecting the appropriate settings on your browser, however please note that if you do this you may not be able to use the full functionality of this website. You can also prevent Google from collecting the data generated by the cookie and related to your use of the website (including your IP address) and Google from processing this data by downloading and installing the browser plug-in available under the following link: tools.google.com/dlpage/gaoptout.

This website uses Google Analytics with the extension "_anonymizeIp()". This means that IP addresses are shortened for further processing, which excludes the possibility of personal references. If the data collected about you is related to a person, this is excluded immediately and the personal data is deleted immediately.

We use Google Analytics to analyse and regularly improve the use of our website. The statistics obtained allow us to improve our services and make them more interesting for you as a user. For the exceptional cases in which personal data is transferred to the USA, Google has submitted to the EU-US Privacy Shield, https://www.dataprivacyframework.gov/s/.

The legal basis for the use of Google Analytics is Art. 6 Para. 1 S. 1 lit. f DS-GVO.

Third Party Information: Google Dublin, Google Ireland Ltd, Gordon House, Barrow Street, Dublin 4, Ireland, Fax: +353 (1) 436 1001. Terms of Use:

www.google.com/analytics/terms/de.html, Overview of data protection: www.google.com/intl/de/analytics/learn/privacy.html, and the privacy policy: www.google.de/intl/de/policies/privacy.

This website may also use Google Analytics to perform a cross-device analysis of visitor flows using a user ID. You can deactivate the cross-device analysis of your usage in your customer account under "My data", "Personal data".

Use of a contact option/booking option

On our website we offer you the possibility to contact us via a contact form or via email. In addition, we offer an online booking option. If you use these contact options, the information you provide will be processed for the purpose of processing your enquiry. They will not be passed on to third parties.

Our job advertisements

If you apply for one of our jobs via our website, your data will be processed by us for the purpose of handling the application process. The legal basis in this respect is Art. 6 Para. 1 S. 1 lit. b) DSGVO.

If an employment contract is concluded as a result of the application procedure, the data transmitted will be used for the regular administration of your employment relationship. The data will then be processed in accordance with the relevant legal provisions in your personnel file.

If your application is rejected, your data will automatically be deleted four months after rejection. This does not happen if a longer storage is necessary due to legal requirements or if you have expressly agreed to a longer storage of your application in our applicant database.
 

Use of Social Media Plugins

We currently use the following social media plug-ins: currently only Facebook.

We use the so-called two-click solution. This means that when you visit our site, no personal data is initially passed on to the providers of the plug-ins. You can recognize the provider of the plug-in by the mark on the box above his initial letter or the logo. We offer you the possibility to communicate directly with the provider of the plug-in via the button. Only if you click on the marked field and thereby activate it will the plug-in provider receive the information that you have called up the corresponding website of our online service. In addition, the data mentioned under point V. (server data) of this declaration will be transmitted. In the case of Facebook, the IP address is anonymized immediately after collection, according to information provided by the provider in Germany. By activating the plug-in, personal data is transferred from you to the respective plug-in provider and stored there (in the case of US providers in the USA). Since the plug-in provider collects data in particular via cookies, we recommend that you delete all cookies via your browser's security settings before clicking on the grayed-out box.

We have no influence on the collected data and data processing procedures, nor are we aware of the full scope of data collection, the purposes of processing, the storage periods. We also do not have any information on the deletion of the collected data by the plug-in provider.

The plug-in provider stores the data collected about you as user profiles and uses these for the purposes of advertising, market research and/or the needs-based design of its website. Such an evaluation takes place in particular (also for users who are not logged in) in order to display demand-oriented advertising and to inform other users of the social network about your activities on our website. You have the right to object to the creation of these user profiles, whereby you must contact the respective plug-in provider to exercise this right. Through the plug-ins, we offer you the opportunity to interact with social networks and other users so that we can improve our offer and make it more interesting for you as a user. The legal basis for the use of the plug-ins is Art. 6 Para. 1 S. 1 lit. f DS-GVO.

The data transfer takes place regardless of whether you have an account with the plug-in provider and are logged in there. If you are logged in with the plug-in provider, your data collected by us will be assigned directly to your existing account with the plug-in provider. If you press the activated button and, for example, link the page, the plug-in provider also stores this information in your user account and communicates it publicly to your contacts. We recommend that you log out regularly after using a social network, but especially before activating the button, as this allows you to avoid being assigned to your profile by the plug-in provider.

Further information on the purpose and scope of data collection and processing by the plug-in provider Facebook can be found in the following data protection declarations of these providers. There you will also find further information about your rights in this regard and setting options to protect your privacy: Facebook Inc., 1601 S California Ave, Palo Alto, California 94304, USA;
http://www.facebook.com/policy.php;

further information on data collection: www.facebook.com/help/186325668085084, www.facebook.com/about/privacy/your-info-on-other sowie http://www.facebook.com/about/privacy/your-info#everyoneinfo.

Facebook has submitted to the EU-US Privacy Shield,

https://www.privacyshield.gov/ps/participant?id=a2zt0000000GnywAAC&status=Active

6. rights of the data subject

a) Right of access, Art. 15 DSGVO

Any data subject involved in the processing of personal data shall have the right, conferred by the basic Regulation on data protection, to obtain at any time from the controller, free of charge, access to the personal data relating to that data subject and a copy thereof. The data subject also has the right to be informed of the following information:

• The processing purposes
• The categories of personal data processed
• The recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations
• If possible, the planned duration for which the personal data will be stored or, if that is not possible, the criteria for determining that duration
• The existence of a right to the rectification or erasure of personal data concerning him or her or to the limitation of the processing carried out by the controller or of a right to object to such processing
• the existence of a right of appeal to a supervisory authority
• If the personal data are not collected from the data subject: All available information on the origin of the data
• The existence of automated decision-making, including profiling, in accordance with Article 22(1) and (4) of the DS Block Exemption Regulation and, at least in these cases, meaningful information on the logic involved, the scope and the intended effects of such processing on the data subject

The data subject also has the right to know whether personal data have been transferred to a third country or to an international organisation. If this is the case, the data subject shall also have the right to obtain information on the appropriate safeguards in connection with the transfer.

If a data subject wishes to exercise this right of access, he or she may contact us at any time using the contact details of the controller referred to in Paragraph I.2.

b) Right to rectification, Art. 16 DSGVO

Any person data subject to the processing of personal data has the right, granted by the basic Regulation on data protection, to request the rectification without delay of inaccurate personal data concerning him or her. Furthermore, the data subject shall have the right, having regard to the purposes of the processing, to request the completion of incomplete personal data, including by means of a supplementary statement.

If a data subject wishes to exercise this right of rectification, he or she may contact us at any time for this purpose at the contact details of the controller referred to in paragraph I.2.

c) Right to cancellation (right to be forgotten), Art. 17 DSGVO

Any person data subject to the processing of personal data shall have the right, granted by the basic Regulation on data protection, to require the controller to erase the personal data concerning him without delay if one of the following reasons applies and if the processing is not necessary:

• The personal data have been collected for such purposes or processed in any other way for which they are no longer necessary.
• The data subject withdraws his consent on which the processing was based pursuant to Art. 6 para. 1 letter a DSGVO or Art. 9 para. 2 letter a DSGVO and there is no other legal basis for the processing.
• The data subject objects to the processing pursuant to Art. 21 para. 1 DSGVO and there are no overriding legitimate reasons for the processing or the data subject objects to the processing pursuant to Art. 21 para. 2 DSGVO.
• The personal data have been processed unlawfully.
• The deletion of the personal data is necessary to fulfil a legal obligation under Union law or the law of the Member States to which the controller is subject.
• The personal data were collected in relation to information society services offered pursuant to Art. 8 para. 1 DSGVO.

If one of the above reasons applies and a person concerned wishes to have personal data stored by us deleted, he or she can contact us at any time using the contact data of the person responsible for processing referred to in paragraph I.2. We will immediately comply with your justified request for deletion.

If we have made the personal data public and if our company, as the person responsible, is obliged to delete the personal data pursuant to Art. 17 (1) DSGVO, our company shall take appropriate measures, including technical measures, taking into account the available technology and implementation costs, to inform other persons responsible for data processing who process the published personal data that the person concerned has requested the deletion of all links to this personal data or copies or replications of this personal data from these other persons responsible for data processing, insofar as the processing is not permitted.

d) Right to limitation of processing, Art. 18 DSGVO

Any person data subject to the processing of personal data shall have the right, granted by the basic Regulation on data protection, to request the controller to limit the processing if one of the following conditions is met:

• The accuracy of the personal data is contested by the data subject for a period of time which enables the data controller to verify the accuracy of the personal data.
• The processing is unlawful, the data subject refuses to erase the personal data and instead requests the restriction of the use of the personal data.
• The controller no longer needs the personal data for the purposes of processing, but the data subject needs them for the assertion, exercise or defence of legal rights.
• The data subject has lodged an objection to the processing pursuant to Art. 21 para. 1 DSGVO and it is not yet clear whether the legitimate reasons of the data controller outweigh those of the data subject.

If one of the above conditions is met and a person concerned wishes to request the restriction of personal data held by us, he or she can contact us at any time using the contact details of the data controller mentioned in paragraph I.2.

e) Right to data transferability, Art. 20 DSGVO

Any person concerned by the processing of personal data shall have the right under the Basic Data Protection Regulation to obtain personal data concerning him which he has provided to a controller in a structured, common and machine-readable format and shall have the right to communicate such data to another controller without being hampered by the controller to whom the personal data have been provided, provided that

• the processing is based on a consent pursuant to Article 6(1)(a) DSGVO or Article 9(2)(a) DSGVO or on a contract pursuant to Article 6(1)(b) DSGVO, and
• processing is carried out using automated procedures.

Furthermore, when exercising his right to data transferability pursuant to Art. 20 para. 1 DSGVO, the data subject shall have the right to obtain that the personal data be transferred directly from one responsible person to another responsible person, insofar as this is technically feasible and insofar as this does not impair the rights and freedoms of other persons.

In order to assert the right to data transferability, the data subject may contact us at any time at the contact details of the data controller mentioned in paragraph I.2.

f) Right of objection, Art. 21 DSGVO

Any person data subject to the processing of personal data has the right under the Basic Data Protection Regulation to object at any time, on grounds relating to his/her particular situation, to the processing of personal data concerning him/her carried out pursuant to Article 6(1)(e) or (f) of the DSGVO. This also applies to profiling based on these provisions.

In the event of an objection, we as the person responsible will no longer process the personal data unless we can prove compelling grounds for processing worthy of protection which outweigh the interests, rights and freedoms of the person concerned, or the processing serves to assert, exercise or defend legal claims.

If we process personal data for the purpose of direct advertising, the data subject has the right to object at any time to the processing of personal data for the purpose of such advertising. This also applies to profiling as far as it is connected with such direct advertising. If the data subject objects to our processing for direct marketing purposes, we will no longer process the personal data for these purposes.

In addition, the data subject has the right to object to the processing of personal data relating to him or her by us as the data controller for scientific or historical research purposes or for statistical purposes pursuant to Art. 89 para. 1 DSGVO for reasons arising from his or her particular situation, unless such processing is necessary for the performance of a task in the public interest.

In order to exercise the right to object, the data subject may contact us at any time at the contact details of the data controller mentioned in paragraph I.2.

g) Right to revoke consent under data protection law

Any person data subject to the processing of personal data has the right under the Basic Data Protection Regulation to withdraw consent to the processing of personal data at any time.

If the data subject wishes to exercise his or her right to withdraw consent, he or she may contact us at any time using the contact details of the controller referred to in paragraph I.2.

h) Right of appeal; Art. 77 DSGVO

Any person data subject to the processing of personal data shall have the right to complain to a supervisory authority as provided for in the basic Regulation on data protection. As a rule, you can contact the supervisory authority at your usual place of residence or workplace or at our company headquarters.
 

7 Changes to this Privacy Policy

We reserve the right to change this Privacy Policy at any time with effect for the future. A current version is available on the website. Please visit the website regularly and inform yourself about the applicable data protection regulations.

Status: 08.05.2019