1. Who is responsible for the processing?
The controller is:
MEININGER Shared Services GmbH
Obentrautstrasse 72, 10963 Berlin, Germany
2. How can you contact the data protection officer?
You can reach our data protection officer as follows:
MEININGER Shared Services GmbH
Data Protection Officer
Obentrautstrasse 72, 10963 Berlin, Germany
Email: dataprotection[at]meininger-hotels.com
3. Which personal data do we process?
If you have an enquiry, have us prepare an offer or conclude a contract with us, we will process your personal data. In addition, we process your personal data, among other things, to fulfil legal obligations, to protect a legitimate interest or on the basis of a consent given by you. Depending on the legal basis, the categories of personal data are as follows:
- Name, Surname
- Address
- Communication data (phone number, email address)
- Date of birth
- Nationality
- ID or passport number
- Payment data / account data
- Contract master data (especially contract number, duration, period of notice, type of contract)
- Invoice data / turnover data
- Data on creditworthiness
- Account information (in particular registration and logins)
- Video recordings and photos
4. From which sources does your data come?
We process personal data that we receive from our customers, guests and/or contractual partners (e.g. tour operators, travel agencies, booking portals). We also obtain your data from the following sources:
- Other companies of the MEININGER Group
- Credit agencies
- Publicly accessible sources: commercial or association registers, debtor registers, land registers
5. For what purposes and on what legal basis do we process your data?
We process your personal data in particular in compliance with the General Data Protection Regulation (GDPR) and in Germany with the German Federal Data Protection Act (BDSG) as well as all other relevant laws.
5.1 Data processing on the basis of a consent given by you (Art. 6 para. 1 lit. a GDPR)
If you have given us your voluntary consent to the collection, processing or transfer of certain personal data, then this consent forms the legal basis for the processing of this data. In the following cases we process your personal data on the basis of your consent:
- Sending a newsletter and personalised newsletter tracking
- Prize games
- Market research (e.g. customer satisfaction surveys)
- Creation of customer profiles
- Publication of a customer reference (name and picture)
5.2 Data processing for the performance of a contract (Art. 6 para. 1 lit. b GDPR)
We use your personal data for the execution of the contract or for pre-contractual measures. Within this contractual relationship we will process your data in particular to carry out the following activities:
- Proposal preparation
- Customer service
- Contract management
- Receivables management
5.3 Data processing to fulfil legal obligations (Art. 6 para. 1 lit. c GDPR) or in the public interest (Art. 6 para. 1 lit. e GDPR)
As a company we are subject to various legal obligations. The processing of personal data may be necessary to fulfil these obligations. Among other things, this may be:
- Control and reporting obligations
- Age and identity checks
- Prevention of criminal acts
5.4 Data processing on the basis of a legitimate interest of the controller (Art. 6 para. 1 lit. f GDPR)
In certain cases we process your data to protect our legitimate interests or those of third parties:
- Central customer data management within the MEININGER Group
- Market and opinion research
- Security measures, e.g. video surveillance
- Consultation and data exchange with credit agencies for the determination of creditworthiness or default risks
6. To whom will your data be passed on?
In order to fulfil our contractual and legal obligations, we will pass on your data to different public and internal offices, as well as external service providers.
Other companies of the MEININGER Group:
The MEININGER Group maintains a centralised customer data management that employees of all affiliated companies can access in order to be able to offer you the entire spectrum of our services from a single source. The companies of the MEININGER Group can be accessed via this link.
External service providers:
We work with selected external service providers to fulfil our contractual and legal obligations:
- Payment service providers
- Service providers for Marketing or Sales
- Service providers for document and data destruction
- Credit agencies
- IT service providers (e.g. maintenance and hosting service providers)
- Auditors
Public sector entities:
Furthermore, we may also be obliged to transfer your data to other recipients, such as public authorities (e.g. financial, police and customs authorities, registry offices) to fulfil legal notification obligations.
7. Will your data be transferred to countries outside the European Union (so-called third countries)?
Countries outside the European Union (and the European Economic Area "EEA") handle the protection of personal data differently from countries within the European Union. We also use service providers located in third countries outside the European Union to process your data. There is currently no decision by the EU Commission that these third countries generally offer an adequate level of protection.
We have therefore taken special measures to ensure that your data are processed in third countries as securely as within the European Union. We conclude the standard data protection clauses provided by the Commission of the European Union with service providers in third countries. These clauses provide appropriate guarantees for the protection of your data with service providers in third countries.
If you wish to review the existing warranties, you can contact us at dataprotection[at]meininger-hotels.com.
8. For how long do we store your data?
We store your personal data for as long as necessary to fulfil legal and contractual obligations. If the storage of your data is no longer necessary to fulfil the legal or contractual obligations. The storage periods are up to 10 years.
9. What rights do you have in connection with the processing of your data?
Every data subject has the right of access under Article 15 GDPR, the right to rectification under Article 16 GDPR, the right to erasure under Article 17 GDPR, the right to restriction of processing under Article 18 GDPR, the right to object under Article 21 GDPR and the right to data portability under Article 20 GDPR. In Germany, the restrictions according to §§ 34 and 35 BDSG apply to the right of access and the right of erasure.
9.1 Right to object
You can object to the use of your data for advertising purposes at any time without incurring any costs other than the transmission costs according to the basic rates.
What right do you have in the event of data processing for legitimate or public interest?
Pursuant to Art. 21 para. 1 GDPR, you have the right to object at any time to the processing of personal data concerning you on the basis of Art. 6 para. 1 lit. e GDPR (data processing in the public interest) or Article 6 para. 1 lit. f GDPR (data processing to protect a legitimate interest); this also applies to profiling based on this provision.
In the event of your objection, we will no longer process your personal data unless we can prove compelling grounds for processing that outweigh your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims.
What right do you have in the event of data processing for direct marketing?
If we process your personal data for direct marketing purposes, you have the right pursuant to Art. 21 para. 2 GDPR to object at any time to the processing of personal data concerning you for the purpose of such advertising; this also applies to profiling insofar as it is associated with such direct marketing.
In the event of your objection to processing for direct marketing purposes, we will no longer process your personal data for these purposes.
9.2 Revocation of consent
You can revoke your consent to the processing of your personal data at any time. Please note that the revocation is only valid for the future.
9.3 Right to information
You may request information as to whether we have stored personal data about you. If you wish, we will inform you of the data concerned, the purposes for which the data is processed, to whom this data is disclosed, how long the data is stored and what further rights you are entitled to with regard to this data.
9.4 Further rights
In addition, you have the right to have your data corrected or deleted. If there is no reason for further storage, we will delete your data; otherwise we will restrict processing. You may also request that we provide all personal information that you have provided to us in a structured, current and machine-readable format either to you or to a person or company of your choice. In addition, there is a right to lodge a complaint with the responsible data protection supervisory authority (Art. 77 GDPR, in Germany in conjunction with § 19 BDSG).
9.5 Assertion of your rights
To exercise your rights, you can contact the controller or the data protection officer using the contact details provided. We will process your enquiries immediately and in accordance with legal requirements and inform you of the measures we have taken.
10. Is there an obligation to provide your personal data?
In order to enter into a business relationship, you must provide us with the personal data that is necessary for the execution of the contractual relationship or that we are required to collect by law (e.g. registration laws). If you do not provide us with this data, it is not possible for us to carry out and process the contractual relationship.
11. Changes to this information
If the purpose or manner of processing your personal data changes significantly, we will update this information in time and inform you about the changes.
Effective: June 2018