Privacy Policy

Information on data processing - IPO rewards shop

 

1.            We are required by law to inform you about the processing of your personal data (hereinafter “data”) when you use our website. We take the protection of your personal data very seriously. This data protection notice informs you about the details of the processing of your data and about your legal rights in this respect. Terms such as “personal data” or “processing” are used in accordance with their legal definitions according to Article 4 of the GDPR. We reserve the right to amend this data protection declaration with effect for the future, in particular in the event of further development of the website, the use of new technologies or changes to the legal basis or corresponding case law. We recommend you read this data protection declaration from time to time and keep a printout or copy for your records.

 

2.            Controller; contact details

For the website www.h-hotels.com, the controller within the meaning of Article 4(7) of the General Data Protection Regulation (GDPR), other data protection laws applicable in the Member States of the European Union and other provisions related to data protection is:

 

H-Hotels GmbH

Braunser Weg 12

34454 Bad Arolsen

Germany

Tel.: +49 (0) 5691 / 878-0

Email: info@h-hotels.com

 

3.            Data protection officer; contact details

If you have any questions about the processing of your personal data or about your data protection rights, please contact:

 

Stefan Burghardt

RKM Data GmbH

Bertha-von-Suttner-Str. 9

37085 Göttingen

Germany

Tel.: +49 (0) 551 707 280

Email: info@rkm-data.de

 

4.            Processing of your personal data and data protection

In this section, we describe the type, scope, purposes and recipients of, legal basis for and storage period related to automated data processing and whether data may be transferred to third countries.

 

4.1.        Provision of our website/online rewards shop

4.1.1.     Server-based collection of usage data in log files

When you call up our website and internet applications (e.g. reward shops), a request is made to our web server by the web browser on the end device you are using (e.g. PC, tablet or smartphone). The web server creates an event log in text format of the requests or communication between your web browser and our website or the web server (e.g. when an image or HTML file is retrieved from our website); these are called log files. Only the information which your web browser transmits to our web server as part of the request or which must be exchanged for technical reasons, e.g. for network communications (so-called usage data), is logged. The following information in particular is stored in the log files:

-              IP address of the requesting internet connection (anonymised),

-              Date and time of access,

-              Referring web page (referrer URL), i.e. the page from which the request to load the file was sent,

-              Requested element or file (e.g. image.jpg) and protocol used (e.g. HTTP/1.1.),

-              Response code,

-              Amount of data transferred in bytes,

-              Browser software used to send the request (e.g. Firefox version 3.6.6),

-              Operating system (e.g. Windows XP).

 

The usage data may, under certain circumstances, lead to the possibility, by means of your IP address and potentially other data stored in the log files, of tracing you as a user via the web browser requests made by your end device. The use of our website thus involves the processing of personal data.

 

The (anonymised) IP address is required in order for your web browser to establish a connection to our website. The collection of further information on use, in particular on the web browser and operating system used, is technically necessary for the following reasons:

•             Ensuring a smooth connection can be made to the website,

•             Ensuring the ease of use of our website,

•             Evaluating system security and stability (e.g. in order to be able to defend ourselves from attempted attacks on our web server).

 

The legal basis for data processing around the use of log files is firstly GDPR Article 6(1)(c), since the usage data is necessary to facilitate utilisation of our online service (telemedia service within the meaning of the Telemedia Act). We also have a legitimate interest in processing the usage data contained in log files in accordance with GDPR Article 6(1)(f), insofar as we are able to present you with a website optimised for your web browser, facilitate secure communications between our web server and your end device and fend off attacks by hackers on our web server.

 

Right to object

You have the right to object to data processing in accordance with GDPR Article 6(1)(f). You can communicate or inform us of your objection at any time using the contact details listed in Section 2 above.

 

In order to detect attacks, we store non-anonymised IP addresses for a maximum of 12 months, after which they are deleted. Log files that need to be kept for evidence purposes are exempt from deletion until the respective incident has been finally resolved and may be passed on to investigating authorities in individual cases.

 

The recipient of the data is our service provider and server host, commissioned by us under a data processing agreement. The data processing takes place within the EEA/EU.

 

Data is not transferred to third countries.

 

4.1.2.     Client-based collection of usage data via cookies and services relying on them

In addition to server-side log files, we also use so-called cookies at various points within our website. These allow us to process usage data directly via the web browser on the end device you are using (e.g. PC, tablet, smartphone). Cookies are small text files that are either sent from the web server to the web browser with the help of your internet browser or generated in the web browser by a script (e.g. JavaScript) and then, when you visit the website again using the same end device, they are either sent back to the website that generated them (provider cookies/first party cookies) or sent to another website or to the external provider of online services (e.g. via a plug-in) to which it belongs (third-party cookies). This way, the website automatically recognises that it has communicated with this browser before and identifies the web browser used.

 

Some cookies are technically necessary or useful, since they enable or optimise the use of our website. Other cookies are not absolutely necessary, but improve certain functionality or assist you the next time you visit our website by saving browser settings for websites you have already visited several times when you return to those websites (so-called performance cookies). Statistics cookies show us your browsing behaviour and enable us to provide you with offers of relevant products and/or services that correspond to your personal interests and needs, which thus supports us in designing suitable advertising for our products or the products of other providers.

The procedures we use can be divided into the following categories:

•             Necessary cookies,

•             Performance/analytics cookies

•             Functional cookies

 

We use our own cookies and cookies from third-party providers. You can find more detailed information (for example, on Google services) in this privacy policy.

 

4.1.2.1. Configuration and disabling of cookies in your end device’s web browser

You can configure cookie settings yourself on your end device at any time. You can limit or completely disable cookies in your browser settings. You can also set cookies to be automatically deleted when you close the browser window.

 

Furthermore, you can configure the settings for the cookies used on our website (with the exception of the technically necessary cookies) via our website (“Cookie settings”). You can find out more about this below under 3.1.2.2 (Configuration of cookies) and 3.1.2.3 (Categories of cookies).

 

Note: Any settings you adjust on your end device only apply to the web browser and end device you are using.

 

4.1.2.2. Configuration and disabling of cookies via cookie settings on our website

With the exception of technically necessary cookies, you can decide for yourself which cookies you allow. To this end, you will be informed about our cookie categories via a cookie overlay/banner on our websites and asked whether you want to give us your consent for the use of performance cookies.

 

You have the following selection options: If you click on “Only necessary cookies”, only technically necessary cookies will be stored. If you click on the “Accept all cookies” symbol, all the cookies we use will be stored. You can also individually select the cookies requiring your consent by clicking the “Customise cookie settings” icon. After selecting the individual cookies, you can give your consent individually by clicking on the “Save settings” button.

 

By doing so, you consent to the use of the selected cookies and the associated data processing.

 

You can change your cookie settings on our website at any time under “Cookie settings”. You can also revoke consent altogether by restricting your cookie selection accordingly.

 

For further details on the cookies used, please see the sections below.

 

4.1.2.3. Categories of cookies

We distinguish between the following:

 

Technical cookies: The use of technically necessary cookies is required to ensure the proper and secure operation of our website and its functionalities and to make our full website available. These cookies are used, for example, to enable basic website functionality, store your privacy preferences, provide secure authentication allowing you to log in to your customer account and to enable forms to be completed.

The legal basis for this data processing is GDPR Article 6(1)(b).

 

Use of the data is also based on our legitimate interest under GDPR Article 6(1)(f). Our legitimate interest stems from the purposes that the respective cookies are used for as well as from ensuring our website’s technical operation with certain basic functionalities. These cookies are automatically put in place when our website or certain specific functionality is accessed. The cookies have a certain functional duration and are then deleted from the browser.

 

Right to object

You have the right to object to data processing in accordance with GDPR Article 6(1)(f). You can communicate or inform us of your objection at any time using the contact details listed in Section 2 above.

 

Performance/analytics cookies: Cookies for analysing our services or performance enable us to assess website usage. These cookies are sometimes issued by third-party providers such as Google (third-party cookies, see below under 3.1.4). By using them, we are able to identify which parts of our website are the most popular, which are the least used and how visitors move around our website. This allows us to determine the overall performance of our website and to improve it and optimise content. We use these cookies to track which content is relevant to users, for example, to continuously improve the quality of our website and optimise the user experience, to measure and improve the performance of our website and to adapt content to the needs of users.

 

The legal basis for data processing is GDPR Article 6(1)(a) (consent). If you give us your consent for this, analytics cookies will be stored when you access our website or when you access a service provided via it. You have the option of extending your consent either to individual cookies or to all cookies in this category (see below: Configuration of cookies). You can revoke your consent at any time with effect for the future.

Right to object

 

You have the right to object to data processing in accordance with GDPR Article 6(1)(f). You can communicate or inform us of your objection at any time using the contact details listed in Section 2 above.

 

Functional cookies: These cookies enable the website to save inputted information, such as user name or language selection, and to offer the user improved and personalised functionality based on this information. These cookies are sometimes issued by third-party providers such as HubSpot (third-party cookies, see below under 3.1.4.).

 

Right to object

You have the right to object to data processing in accordance with GDPR Article 6(1)(f). You can communicate or inform us of your objection at any time using the contact details listed in Section 2 above.

 

 

4.1.3.     Cookies issued by us (provider cookies)

As described under 3.2.2 above, we also use technically necessary cookies. These enable our website to be navigated. Basic rewards shop functionality, such as product display and selection, adding items to the shopping basket or logging in can only happen via these cookies.

 

Data processing via technically required cookies takes place – insofar as there is a corresponding contractual relationship – on the basis of GDPR Article 6(1)(b) or on the basis of Article 6(1)(c) – where necessary for the fulfilment of a legal obligation – and otherwise on the basis of our legitimate interest under Article 6(1)(f). Our legitimate interest stems from the purposes that the respective cookies are used for as well as from ensuring our website’s technical operation with certain basic functionalities. These cookies are automatically stored when you access our website or certain specific functionality unless you have disabled cookies via the settings for your end device and/or internet browser. The cookies have a certain functional duration and are then deleted from the browser.

 

The recipient is our service provider and server host, commissioned by us under a data processing agreement. The data processing takes place within the EEA/EU.

 

Data is not transferred to third countries.

 

4.1.4.     Cookies issued by third parties (third-party cookies)

Our website uses various services provided by Google Ireland Limited (“Google”), Gordon House, Barrow Street, Dublin 4, Ireland. As per Google, the data processing takes place in the EEA/EU.

 

4.1.4.1. Google Tag Manager

Google Tag Manager provides cookies that store information about the use of our website. Google Tag Manager is a service that can be used to integrate additional Google analysis services (e.g. Google Analytics) into our website. Google Tag Manager implements these tags or “triggers” the embedded tags. Google Tag Manager does not collect any personal data itself, but ensures that other tags are triggered, which in turn may collect data. The following personal data in particular is affected:

 

•             Online identifiers (including cookie identifiers),

•             IP address of the requesting end device.

 

The legal basis for the data processing associated with Google Tag Manager is GDPR Article 6(1)(a), i.e. the consent you have provided.

 

Right to object

You have the right to object to data processing in accordance with GDPR Article 6(1)(a). You can communicate or inform us of your objection at any time using the contact details listed in Section 2 above.

 

If you have a Google account, click here to object for all of the processing company’s domains: https://safety.google/privacy/privacy-controls/.

 

These cookies have a functional duration of 30 days and are then automatically deleted from the browser. User and event data are stored for 14 months by default and then deleted.

 

Click here to read Google's privacy policy: https://policies.google.com/privacy?hl=en.

 

Information on Google's privacy settings can be found at https://privacy.google.com/take-control.html?categories_activeEl=sign-in.

 

4.1.4.2. Google Analytics

Google Analytics is a web analytics service. It issues performance cookies that collect information about your user behaviour in order to improve the website’s user-friendliness. We have implemented the “anonymizeIp” configuration parameter for Google Analytics. This code means that your IP address is only recorded in abbreviated form. We therefore process the personal usage data that we receive in a pseudonymised form within Google Analytics. It is thus not possible for us to identify you personally. The following data is processed in particular:

 

•             IP address of the requesting end device,

•             Browser type/version,

•             Operating system,

•             Website from which the shop is accessed (the so-called origin or referrer URL),

•             Date and time of the request,

•             Cookie ID,

•             Usage data,

•             JavaScript support,

•             Downloads,

•             Flash version,

•             Location information,

•             Purchasing activity.

 

The legal basis for the data processing is GDPR Article 6(1)(a), i.e. the consent you have provided.

 

Right to object

You have the right to object to data processing in accordance with GDPR Article 6(1)(a). You can communicate or inform us of your objection at any time using the contact details listed in Section 2 above.

 

If you have a Google account, click here to object for all of the processing company’s domains: https://safety.google/privacy/privacy-controls/.

 

The anonymised event data obtained via cookies is stored for 14 months by default and then deleted.

 

Click here to read Google's privacy policy: https://policies.google.com/privacy?hl=en.

 

Information on Google's privacy settings can be found at https://privacy.google.com/take-control.html?categories_activeEl=sign-in.

 

4.1.4.3. Google Web Fonts (script libraries)

We use external fonts on our website. When Google Web Fonts are used, the following data is processed:

 

•             Browser type/version,

•             Operating system,

•             Website from which the shop is accessed (so-called origin or referrer URL),

•             Date and time of the request,

•             Cookie ID,

•             User’s screen resolution,

•             Language settings of the browser or the end device’s operating system.

 

The legal basis for the use of Google Web Fonts is GDPR Article 6(1)(f). We have a legitimate interest in the associated data processing, because this technology enables the display of the fonts we use. When you access our web pages, your browser loads the required Web Fonts into the browser cache in order to display text and fonts correctly. If your browser does not support Web Fonts, your computer uses a standard font.

 

Right to object

You have the right to object to data processing in accordance with GDPR Article 6(1)(f). You can communicate or inform us of your objection at any time using the contact details listed in Section 2 above.

 

The anonymised event data obtained via cookies is stored for 14 months by default and then deleted.

 

Click here to read Google's privacy policy: https://policies.google.com/privacy?hl=en.

 

Information on Google's privacy settings can be found at https://privacy.google.com/take-control.html?categories_activeEl=sign-in.

 

4.2.        Collection of data when you contact us (any means)

You have the option of contacting us or our service providers by post, telephone or email using the contact details given in point 1. Data shared this way includes the following information in particular:

 

•             First name, last name,

•             Street, place of residence, postcode,

•             Email,

•             Telephone number (optional),

•             Subject, content of the conversation or contact request (optional).

 

When submitting the online contact form, mandatory data is collected (first and last name and email address). The following data is also stored:

•             Your IP address,

•             Date and time of sending.

You can moreover add further data as voluntary information (e.g. messages).

 

The purpose of processing the personal data – mandatory and voluntary data – is to process the contact request and to be able to contact you for the purposes of your request. The other personal data processed during submission (IP address, date and time of submission) serve to prevent misuse of our contact form.

 

The legal basis for processing the personal data provided by you when using our contact form is GDPR Article 6(1)(b), insofar as you approach us in a pre-contractual context, or our legitimate interest pursuant to GDPR Article 6(1)(f). Our legitimate interest is to prevent or be able to prove misuse of our contact form and, if necessary, to resolve other questions with you in relation to your enquiry or contact. Furthermore, data processing only takes place with your consent in accordance with GDPR Article 6(1)(a).

 

Right to object

You have the right to object to data processing in accordance with GDPR Article 6(1)(f). You can communicate or inform us of your objection at any time using the contact details listed in Section 2 above.

 

The personal data collected in the course of your contact enquiry will generally only be stored for as long as is necessary to process your enquiry. In all other cases, we will delete your personal data insofar as the deletion does not conflict with any statutory retention/storage obligations.

 

The recipient of the data is our service provider and server host, commissioned by us in relation to your enquiry under a data processing agreement. Data processing takes place in the EEA/EU.

 

Data is not transferred to third countries.

 

4.3.        Recording of data when ordering in the rewards shop (without customer account)

If you place a (rewards) order as part of your membership of our rewards programme, we process the data necessary for the conclusion, performance or termination of a contract. The following information is collected for this purpose in particular:

 

•             IP address of the user

•             Date and time of the order,

•             User ID (if available),

•             Customer number (if available),

•             The account/delivery address or alternative delivery address displayed/entered, telephone number and email address,

•             Reward(s) ordered,

•             Points accounting with purpose, amount, new points account balance and time stamp.

 

Payment data is passed to an external payment service provider when using the part-payment function (see 4.6.2 Data transfer to external payment service providers).

 

The legal basis is contract fulfilment as per GDPR Article 6(1)(c), insofar as you provide us with the data on the basis of the respective contractual relationship (e.g. management of your customer/user account, processing of an order). In order to process your email address, we are obliged, due to statutory provisions of the German Civil Code (BGB) among other things, to send an electronic order confirmation, hence Article 6(1)(c) of the GDPR also constitutes the legal basis for data processing. Furthermore, data processing only takes place with your consent in accordance with GDPR Article 6(1)(a).

 

You have the option of having your customer account deleted at any time. If the data is required to fulfill a contract or to carry out pre-contractual measures, the data can only be deleted prematurely if there are no contractual or legal obligations to the contrary - in particular tax and commercial retention periods. In this case, your data will be archived to clarify any billing-related questions and within the framework of the statutory retention periods.

 

The recipient of the data is our service provider and server host, commissioned by us in relation to your enquiry under a data processing agreement. The data processing takes place within the EEA/EU.

 

Data is not transferred to third countries.

 

4.4.        Data processing during registration for the portal (creation of a customer account)

An internet connection is required for registration. When accessing the respective website, the following personal data is processed:

 

•             IP address of the requesting end device,

•             Name and URL of the file retrieved,

•             Website from which the shop is accessed (referrer URL),

•             Browser used and, where applicable, the operating system of your computer as well as the name of your access provider,

•             Date and time of connection establishment and login,

•             Language and version of the browser software used,

•             User’s internet service provider.

 

After entering your email address you will receive an email from us asking you to confirm the address. This way we can ensure that you have access to the stated mailbox. The password is not stored in plain text format, but as a so-called “hash”.

 

User registration/opening a customer account is necessary for your identification and a prerequisite for using our services in connection with the rewards programme. It thus enables taking steps prior to entering into a contract as well as the performance and implementation of a contract to which you as the user are a party.

 

The legal basis for the processing of data when creating a customer account is GDPR Article 6(1)(b), i.e. you provide us with the data based on the agreement regarding the use of our free customer account (fulfilment of contract). After setting up a customer account, no new data entry is required. You can also view the data stored on you at any time in your customer account.

 

Data can only be amended within your HotMiles customer account.

 

The legal basis for this further data processing, should it occur, is also GDPR Article 6(1)(b) and, if applicable, GDPR Article 6(1)(f), insofar as we have a legitimate interest in the data processing. Furthermore, data processing only takes place with your consent in accordance with GDPR Article 6(1)(a).

 

You have the option of having your customer account deleted at any time. If the data is required for the fulfilment of a contract or for taking pre-contractual steps, premature deletion of the data is only possible insofar as contractual or legal obligations – in particular retention periods under tax and commercial law – do not prevent deletion. In this case, your data will be archived for the resolution of any billing-related questions and within the framework of the statutory retention periods.

 

The recipient of the data is our service provider and server host, commissioned by us in relation to your enquiry under a data processing agreement. The data processing takes place within the EEA/EU.

 

Data is not transferred to third countries.

 

4.5.        Data processing when shopping in the rewards shop (within customer account)

In addition to the data collected under 3.4 during the course of registration, the following personal data in particular will be processed regarding the user when registering:

 

•             Surname, first name, full company address, telephone number(s), fax, email address,

•             Alternative delivery address, if applicable,

•             Customer number,

•             Communications data,

•             Orders,

•             Purpose of points usage,

•             Member user name/user ID,

•             Contract billing and payment data.

 

The legal basis for processing the data is GDPR Article 6(1)(b) (contract performance). In the context of an order, we use your data exclusively for processing the order, displaying order history and for contract fulfilment.

 

You have the option of having your customer account deleted at any time. If the data are required for the fulfilment of a contract or for taking pre-contractual steps, premature deletion of the data is only possible insofar as contractual or legal obligations – in particular retention periods under tax and commercial law – do not prevent deletion. In this case, your data will be archived for the resolution of billing-related questions and within the framework of the statutory retention periods.

The recipient of the data is our service provider and server host, commissioned by us in relation to your enquiry under a data processing agreement. The data processing takes place within the EEA/EU.

 

Data is not transferred to third countries.

 

4.6.        Recipients of personal data

In this section, we once again describe how data transfer is handled and give you an overview of the processing operations for which we use service providers.

 

The only internal recipients are those which require the data for the purposes stated. We only pass on your data to external recipients if this is necessary for the processing or handling of your request or for the fulfilment of the underlying contract, if another legal permission exists or if we have your consent for this. We have already informed you about this under section 3 above on the individual data processing procedures. Below you will find another overview of potential external recipients.

 

4.6.1.     Processor

We work with the service provider IPO PrämienServices to implement and operate our website and rewards programme and to process your orders. We have carefully selected this service provider and concluded a data processing agreement in accordance with GDPR Article 28(3) in order to protect your data.

 

4.6.2.     Service provider for payment processing

We use payment service providers to process payments. Depending on which payment method you select during the ordering process, we pass on the data collected for processing the payments (e.g. bank details or credit card data) to the credit institution you have chosen for payment or to payment service providers commissioned by us or our service provider who are responsible for the processing of the payment information under data protection law.

 

The legal basis for data processing is GDPR Article 6(1)(b) (contract processing) as well as Article 6(1)(f), insofar as the payment is necessary to fulfil the contract and/or the data transfer is justified due to our legitimate interest in the payment processing.

 

We currently use the following payment service providers:

PayPal

When paying via PayPal, your payment data will be forwarded to PayPal (Europe) S.à r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg (hereinafter "PayPal") as part of the payment processing. PayPal reserves the right to conduct a credit check for the credit card via PayPal, direct debit via PayPal or – where offered – “purchase on account” via PayPal payment methods. The credit check provides PayPal with information regarding the statistical probability of non-payment so it can decide whether to offer the respective payment method. The credit report may contain probability values (so-called credit scores). Where credit scores are included in the credit report, they have their basis in a scientifically recognised statistical mathematical procedure. Address details form one of the elements used to calculate your credit score.

For further information on data protection, including information on the credit agencies used, please refer to PayPal's privacy policy: https://www.paypal.com/de/webapps/mpp/ua/privacy-full

 

4.6.3.     Service provider for goods shipment

In order to fulfil your order, we commission logistics and transport companies to deliver your rewards. In some cases, manufacturers and suppliers also deliver directly to you. We may pass on the information necessary for delivery (e.g. first name, surname, postal address, email address, telephone number for delivery notifications) to these companies, which are responsible for processing the data under data protection law.

 

The legal basis for data processing is GDPR Article 6(1)(b) (fulfilment of contract) or Article 6(1)(f) insofar as the payment is necessary for the fulfilment of the contract and/or the data transfer is justified due to our legitimate interest in the delivery of the goods by service providers.

 

4.6.4.     Public bodies

Recipients may also include authorities and state institutions, such as tax authorities, public prosecutors or courts, to which we (must) transfer personal data for legally compelling reasons or to protect legitimate interests. The transfer in this case is made on the basis of GDPR Article 6(1)(c) (compliance with a legal obligation) and/or (f), insofar as we are entitled to transfer data on the basis of a legitimate interest.

 

5.            Transfer to recipients outside the EEA/third countries

If data is transferred to bodies whose registered office or place of data processing is not located in a member state of the European Union or in another member state of the European Economic Area, we will ensure prior to the transfer that, outside of exceptional cases permitted by law, either an adequate level of data protection is in place on the side of the recipient (e.g. by an adequacy decision of the European Commission, by appropriate guarantees or by agreeing the so-called EU standard contractual clauses with the recipient) or you give your consent to the data transfer (cf. also GDPR Article 44 ff.).

 

6.            Deletion and storage period

Insofar as the description of personal data processing given above under 4 (Processing of personal data) related to providing our website or the online rewards shop does not include any information on the specific storage period or deletion of the data, the following applies:

 

We store your personal data only for as long as is necessary to fulfil the intended purposes or – in the case of consent – as long as you have not revoked your consent. Should you object to processing, we will delete your personal data unless its further processing is permitted under the relevant legal provisions. We also delete your personal data if we are obliged to do so for other legal reasons.

 

Applying these general principles, we will normally delete your personal data without undue delay

•             after the legal basis ceases to apply and provided that no other legal basis (e.g. retention periods under commercial and tax legislation) applies. If the latter applies, we will delete the data after the other legal basis no longer applies.

 

•             if they are no longer required for the purposes of preparation and execution of a contract or legitimate interests and where no other legal basis (e.g. retention periods under commercial and tax legislation) applies. If the latter applies, we will delete the data after the other legal basis no longer applies.

 

•             if the purpose for which we collected the data no longer applies and there is no other legal basis (e.g. retention periods under commercial and tax legislation). If the latter applies, we will delete the data after the other legal basis no longer applies.

 

7.            Rights of the data subject

You have the following rights in relation to us and your personal data:

•             Right of access: In accordance with GDPR Article 15, you can request information about the personal data belonging to you that is processed by us.

•             Right to rectification: If the information concerning you is not (or is no longer) accurate, you can request rectification in accordance with Article 16 of the GDPR. If your data is incomplete, you can request that it be completed.

•             Right to erasure: You can request the erasure of your personal data in accordance with Article 17 of the GDPR.

•             Right to restriction of processing: You have the right to request the restriction of the processing of your personal data in accordance with Article 18 of the GDPR.

•             Right to object to processing: In accordance with GDPR Article 21(1), you have the right to object at any time, on grounds relating to your particular situation, to the processing of your personal data carried out on the basis of GDPR Article 6(1)(e) or (f). In this case, we will not continue processing your data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or if the processing serves the purpose of asserting and exercising legal claims or defending against legal claims (Article 21(1) of the GDPR). You also have the right, in accordance with Article 21(2) of the GDPR, to object at any time to the processing of your personal data for the purposes of direct marketing; this also applies to any profiling insofar as it is connected with such direct marketing. We would like to draw your attention to the right to object in this data protection declaration as it relates to the respective processing.

•             Right to withdraw your consent: If you have given your consent for processing, you have a right of withdrawal in accordance with Article 7(3) of the GDPR.

•             Right to data portability: You have the right to receive the personal data that you have provided to us concerning you in a structured, commonly used and machine-readable format (“data portability”) as well as the right to have this data transferred to another controller if the prerequisites of GDPR Article 20(1)(a) and (b) are met (GDPR Article 20).

You can exercise your rights using the contact details listed under point 2 (data controller) or the data protection officer appointed by us (point 3). If you consider that the processing of your personal data violates data protection law, you also have the right to lodge a complaint with a data protection supervisory authority of your choice in accordance with GDPR Article 77.

You also have the right to lodge a complaint with the supervisory authority responsible for us:

Hesse Data Protection Commissioner

Gustav-Stresemann-Ring 1

65189 Wiesbaden

Tel. 0611/1408-0

Fax 0611/1408-900 or -901

The supervisory authority with which the complaint has been lodged shall inform the complainant of the status and outcome of the complaint, including the possibility of a judicial remedy as per GDPR Article 78.

 

8.            Links to third party services

The websites and services of other providers linked to from our website are and were designed and provided by third parties. We have no influence over the design, content and functionality of these third-party services. We expressly distance ourselves from all content contained within all linked third-party services. Please note that the third-party services linked to from our website may install their own cookies on your end device or collect personal data. We have no influence over this. Please consult the providers of these linked third-party services yourself directly.

 

The respective provider and controller can in particular be identified via the legal/imprint notice and respective data protection information on the corresponding websites.

 

9.            Data security

For data transmission via our online contact form we use an encrypted connection following the TLS protocol. End-to-end data transmission ensures your data are transmitted to us confidentially, accurately and in a manner that protects their integrity. As a rule, this involves 256-bit encryption. If your browser does not support 256-bit encryption, we use 128-bit v3 technology instead. You can see whether an individual page on our website is transmitted in encrypted form by looking for the key or closed lock symbol in your browser’s lower status bar.

 

We also use appropriate technical and organisational security measures to protect your data, in particular from accidental or intentional manipulation, partial or complete loss, destruction or unauthorised access by third parties. Our security measures are continuously improved in line with technological developments.

 

When contacting you by email and to protect your personal data, we send emails using transport-level encryption, provided your mail server supports this. To ensure the security of your data during transmission, we use state-of-the-art encryption procedures (e.g. SSL) via HTTPS.

 

10.          Data protection declaration validity and amendment

As a result of the further development of our website/online rewards shop and the expansion and/or restriction of our offers, or due to changes in legal or official requirements, it may become necessary to amend this data protection declaration. You should therefore review this data protection information from time to time to keep up to date with how we protect your data.

 

This privacy policy is currently valid as of June 2022.