The protection of personal data is an important issue for our company. Therefore, we process personal data in compliance with applicable European and national legislation.

You may withdraw your declaration(s) of consent at any time with prospective effect. Please contact the data controller using the contact details provided in section 1 below.

The following statement provides an overview of the type of data that will be collected, the manner in which these data will be used and disclosed, the security measures we are taking to protect your data and the manner in which you will receive information about the information provided to us.

Legal basis for the processing of personal data
Article 6(1)(a) EU General Data Protection Regulation (GDPR) will provide the legal basis where we obtain the consent of the data subject to carry out procedures for the processing of personal data.
Article 6(1)(b) GDPR will provide the legal basis where the processing of personal data is necessary for the performance of a contract to which the data subject is party. This shall also apply to processing procedures that are necessary for the implementation of pre-contractual measures.
Article 6(1)(c) GDPR will provide the legal basis where the processing of personal data is necessary for compliance with a legal obligation to which we are subject.
Article 6(1)(f) will provide the legal basis where the processing of personal data is necessary for the purposes of the legitimate interests pursued by our company or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.

Data erasure and duration of data storage
The personal data of the data subject shall be erased or made unavailable as soon as the purpose of their storage has lapsed. Storage may furthermore take place if this is required by the European or a national legislator by way of Union law, statute or other legislation to which we are subject. Personal data will also be blocked or erased once a storage period prescribed by the standards mentioned expires, unless there is a requirement to continue storing the data for the purposes of the conclusion or the performance of a contract.

1 Data controller and data protection officer

(1) Name and address of data controller
The data controller for the purpose of the General Data Protection Regulation and any other national data protection legislation of the Member States and any other data protection provisions is:
Romantik Hotels & Restaurants AG
Kaiserstr. 53
60329 Frankfurt am Main, Germany
Tel: +49 (0) 69/66 12 34-0
Fax: +49 (0) 69/66 12 34-56
Email: info@romantikhotels.com
Court of registration Frankfurt am Main certificate of registration (HRA) 30092

(2) Name and address of data protection officer
The data protection officer of the data controller is: Dieter Grohmann
Datenschutz & privacy
DPM & Auditor
Beethovenstraße 23 87435 Kempten | Berlin | Hamburg | Cologne
Tel.: +49 (0) 831 / 5209 8680
Fax: +49 (0) 831 / 5124-7031

2 Definitions

This privacy statement is based on the terminology which was used by the European Regulator on enactment of the European General Data Protection Regulation (hereinafter referred to as the ‘GDPR’). The privacy statement should be easily readable and comprehensible. In order to ensure that this is the case, the most important terms are explained below:

a) Personal data means any information relating to an identified or identifiable natural person (hereinafter referred to as the ‘data subject’). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
b) Data subject is any identified or identifiable natural person whose personal data are processed by the data controller.
c) Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
d) Profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
e) Pseudonymisation means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
f) Data controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Where the purposes and means of such processing are determined by Union or Member State law, the data controller or the specific criteria for its nomination may be provided for by Union or Member State law.
g) Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the data controller.
h) Recipient means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data within the framework of a particular enquiry in accordance with Union or Member State law shall not be regarded as recipients.
i) Third party means a natural or legal person, public authority, agency or body other than the data subject, data controller, processor and persons who, under the direct authority of the data controller or processor, are authorised to process personal data.
j) Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

3 Provision of a website and creation of log files

(1) If our website is used merely for information purposes, that is to say, you do not register or provide us with any other information, we will automatically collect the following data and information from the computer system of the requesting machine each time the website is accessed:
a) The IP address of the user
b) Information about the browser type and version
c) The user’s operating system
d) The internet service provider of the user
e) Date and time of access
f) Websites from which the user’s system accessed our website
g) Websites that were accessed by the user’s system through our website.
h) Content of the query (specific pages)
i) Data quantity transmitted in each case
j) Language and version of the browser software
k) Search machines used
l) Names of downloaded files
Log files contain IP addresses. As part of the hosting function on our servers, the IP address of the website visitor is processed and stored for up to 7 days in the server log files for the purposes of error analysis and ensuring the proper functioning of the web services. There will be no further processing. The log files are excluded from data backup. The websites use services provided by third party providers that may possibly store log files.

(2) Article 6(1)(f) GDPR provides the legal basis for the temporary storage of log files.

(3) It is necessary for the system to temporarily store the IP address in order to
a) enable the delivery of the website to the user’s computer. To this end, the user’s IP address has to continue to be stored for the duration of the session.
b) optimise the content and the advertising of our website
c) ensure the proper functioning of our IT systems and the technology used for our website
d) be able to provide criminal investigation authorities with the necessary information for a prosecution in the event of a cyber attack.
The information is stored in log files in order to ensure the proper
functioning of the website. In addition, we use the data to optimise our website and to ensure the security of our IT systems. There is no assessment of the data, in this sense, for marketing purposes.
Our legitimate interest in data processing in accordance with Article 6(1)(f) GDPR is one in these purposes.

(4) The data will be erased as soon as they are no longer required for the purpose for which they were collected, in this case, at the end of the usage process. In the case of the data stored in log files, this will be at the latest after seven days. Further storage is possible. In that case, the IP addresses are erased or anonymised so that the identification of the requesting client is no longer possible.

(5) The collection of the data in order to provide the website and the storage of data in log files is mandatory for the operation of the website, which is why there is no option for objecting.

4 Cookies

(1) This website uses cookies. Cookies are small text files that are transmitted from a web server to your browser as soon as you visit a website and are stored locally on your device (PC, notebook, tablet, smart phone, etc.) and filed on your computer and which disclose certain information to the user (i.e. us). Cookies are used to make a website more customer-friendly and more secure, and in particular to collect use-related information such as frequency of use and number of users of the pages and information about behaviour when using web pages. Cookies do not damage the computer and do not contain viruses.
This cookie contains a characteristic string (referred to as a cookie ID) that allows for the unequivocal identification of the browser when the website is accessed again.

(2) We use cookies to make our website more user friendly. Some elements of our website require the requesting browser to continue to be identified after a page change.
Furthermore, we use cookies on our website that enable the analysis of your surfing behaviour.
The data collected in this manner are pseudonymised by technical means. As a result, the data can no longer be assigned to the requesting user. The data will not be stored together with other personal data. When you request our website, an info banner will notify you about the use of cookies for analytical purposes and will refer you to this Privacy Statement. This will also include a note on how the storage of cookies may be disabled in your browser settings (see section 4(5)).
  Article 6(1)(f) GDPR will provide the legal basis for the processing of personal data using cookies.

(3) The purpose of using technically required cookies is to simplify the use of websites for you. Some of the functions of our website are not available without the use of cookies. For such functions, it is necessary that the browser can be identified even after moving to another page. The user data that are collected by technically required cookies will not be used to create user profiles.

(4) The purpose of using cookies that are not required technically is:
To improve the way our web pages work
Cookies enable us to evaluate and improve the way our web pages work so that we can personalise your experience, thereby enabling you to use many of the useful functions. For example, cookies help us to track which page you are requesting when you are moving through each phase of the booking process; they help us to remember your preferences, for example, your most recent searches and the content of your online shopping basket. These purposes include our legitimate interest in the processing of personal data in accordance with Article 6(1)(f) GDPR.
To improve the performance of our websites
Cookies can help us to understand how our websites are used, for example, when you let us know that you have received an error message when using a page, so that we can test the various designs of our websites. Website analysis, including Google Analytics, provides information about the number of visitors to our websites, the most popular areas of our websites and whether there are trends, for example, that a certain page is viewed primarily by people in a certain country. Ultimately, these cookies help us to improve your visit to our website. These purposes include our legitimate interest in the processing of personal data in accordance with Article 6(1)(f) GDPR.
To provide relevant online advertising & marketing activities We use cookies to provide online advertising that we assume is of particular interest to you when visiting our websites and other websites. For example, the cookies help us to suggest products to you that you may like.
These cookies may collect data about your online behaviour, for example, your IP address, the website from which you came to our website and information about your order history or the content of your shopping basket. This means that you will be able to see our advertising on our websites and on the websites of other companies. You can also see advertising for other companies on our websites.
We also connect data that we have collected through the cookies in the browser of your devices with other data collected by us, in order to help us to provide you with relevant online advertising.
To measure the effectiveness of our online advertising and marketing activities
Cookies can tell us if you have seen a specific advertisement and if so, how long ago that was. This information enables us to measure the effectiveness of our online advertising campaigns and to manage the number of times an advertisement is shown to you. This enables us to avoid constantly showing you the same advertisement. We also use cookies to measure the effectiveness of our marketing communication, for example, to check whether you opened a marketing email we sent you.

(5) Cookies will continue to be stored once the browser session has ended and may be requested again at the next visit. However, cookies are stored on your computer and are transmitted from there to us. As a result, you can fully control how cookies are used. If you do not wish to have data collected via cookies, you can change the settings in your browser to inform you about cookies being set or you can generally exclude the setting of cookies or you can delete cookies individually. However, we would like to point out that the proper functioning of this website may be restricted if the use of cookies is disabled. In any event, session cookies will automatically be deleted once you leave the website.

5 Newsletter

(1) With your consent, you may subscribe to our free newsletter in which we notify you of all our current, interesting offers. The advertised goods and services are named in the declaration of consent.
We use what is referred to as the “double opt-in” procedure for subscriptions to our newsletter. This means that when you have registered, we send an email to the email address you have provided, asking you to confirm that you do wish to receive the newsletter. If you do not confirm your registration within [24 hours], your data will be blocked and after one month will be automatically erased. In addition, we store in each case the IP addresses you use and the times of registration and confirmation. The purpose of this procedure is to provide proof of your registration and, if applicable, to be able to resolve any possible misuse of your personal data. The only information you are obliged to disclose to have the newsletter dispatched is your email address. The disclosure of additional information is voluntary and will be used to address you directly.
If you purchase goods or services through our website and store your email address for this purpose, it may be used by us subsequently for sending a newsletter. In such a case, only direct advertising for our own similar goods or services well be transmitted via the newsletter. The data will be used exclusively for sending the newsletter.

(2) Article 6(1)(a) GDPR will provide the legal basis where consent has been given for the processing of data once the user has registered for the newsletter. Article 7(3) of the German Act against Unfair Competition (UWG) provides the legal basis for dispatching the newsletter.

(3) The user email is collected for the purpose of delivering the newsletter. The collection of other personal data within the framework of the registration procedure is for the purpose of preventing a misuse of the services or of the email addresses used.

(4) The data will be deleted as soon as they are no longer required for the purpose for which they were collected. Accordingly, your email address will be stored for as long as you remain subscribed to the newsletter. Any other personal data collected within the framework of the registration procedure will generally be deleted after a period of seven days.

(5) You may unsubscribe from our newsletter at any time and, in so doing, withdraw your consent, by clicking the field “unsubscribe here” in the newsletter ticker or by sending us an email to info@romantikhotels.com or by sending notification by way of the contact details included in the Legal Notice. It is also possible to withdraw consent, in this way, to the storage of personal data that were collected during the registration procedure.

6 E-commerce

(1) If you wish to make a purchase in our web shop, in order to conclude the contract, you have to provide personal data, which we require to carry out your order. The information you are obliged to disclose for the performance of the contracts is marked separately, other information is voluntary. In this case, the data are input into an input screen, transmitted to us and stored. The following data will be collected as part of the web shop:

• Name
• Address (if applicable, different delivery address)
• Email address
• Telephone number
• IP address
• Date and time of order

The information will only be disclosed to third parties if this is necessary in order to carry out your order or for billing purposes or for collecting the remuneration or if you have expressly provided your consent. In this respect, we will only disclose the necessary data in each case. The data recipients are

• The relevant delivery/shipping company (disclosure of name and address) Debt-collection agency, if payment has to be collected (disclosure of name, address, order details)
• Credit bureaus for checking credit rating (disclosure of name, address, date of birth, etc.). In this case, there will only be disclosure in the case of orders in advance performance (e.g. purchase on account)
• The bank for collecting the payment, if payment is by direct debit

(2) Article 6(1)(b) GDPR will provide the legal basis here. With regard to information provided voluntarily, the legal basis is provided by Article 6(1)(a) GDPR.

(3) The mandatory data collected are used for the performance of the contract with the user (for the purpose of delivering the goods and confirming the content of the contract). Therefore, we use the information to reply to your queries, to carry out your order, if necessary to check the credit worthiness or collect receivables and also for the purpose of the technical administration of the web pages. The information provided voluntarily is for the prevention of misuse and, where applicable, for the investigation of criminal offences. We may also process the data provided by you for the purpose of informing you of further interesting products from our portfolio or for sending you emails containing technical information.

(4) The data will be deleted as soon as they are no longer required for the purpose for which they were collected. We are obliged by trade and tax legislation to store data relating to your address, payments and orders for the duration of ten years after the performance of the contract. However, after a period of [two years] we restrict the data, i.e. your data are only used for the purpose of statutory compliance. In the event that there is a continuing obligation between us and the user, we will store the data for the entire term of the contract and for a subsequent period of ten years (see above). With regard to the data provided voluntarily, we will delete them after a period of [two] years after the performance of the contract, provided no additional contract is concluded with the user during this period of time; in that case, the data will be deleted on the expiry of a period of [two] years after the performance of the final contract.

(5) If the data are required for the performance of a contract or for carrying out pre-contractual measures, the data may only be deleted ahead of schedule provided such deletion is not precluded by contractual or statutory obligations.
Otherwise, you are free to have any personal data that was disclosed when registering fully removed from the data pool of the data controller. On request, the data controller will provide you with information about which of your personal data have been stored. Furthermore, on request by or following an indication by the data subject, the data controller will rectify or delete personal data, provided this is not precluded by statutory requirements for retention. You may write to the data controller or the data protection officer at any time, as provided for in section 1, by email or by post and request the erasure/change to your personal data.

7 Disclosure of personal data to third parties

1. Incorporation of YouTube videos

a. We have incorporated YouTube videos into our online content, they are stored at http://www.YouTube.com and can be played directly on our website. They are all embedded in “expanded data protection mode”, i.e. none of your personal data will be transmitted to YouTube if you do not play the videos. The data mentioned in paragraph 2 will only be transmitted if you play the videos. We have no influence over this data transmission. As a result of visiting the website, YouTube will receive the information that you have requested a particular sub-page of our website.

The following data will be transmitted in this case

• Device-specific information, for example, the hardware used; the version of the operating system; the precise device identification and information about the mobile phone network including your telephone number.
• Log data in the form of server logs. They contain, among other things, details about the manner in which the services were used, for example, search queries; IP address; hardware settings; browser type; browser language; date and time of your request; original page; cookies through which your browser or your Google account can be clearly identified.
• Location-related information. Information about your actual location may be collected by Google. This includes, for example, your IP address, your Wi-Fi access points or mobile phone masts.
• Additional information about the data collected by Google Inc. can be accessed through the following link. https://policies.google.com/privacy?hl=de&gl=de

This is regardless of whether YouTube provides a user account which you have logged into or there is no user account. If you are logged into Google, your data will be assigned directly to your account.

b. Article 6(1)(f) GDPR provides the legal basis for processing the personal data of the user. 

c. The purpose of embedding the videos is to make the website clearer for the user and to improve the search engine ranking of the website on Google (if custom videos are embedded: also to provide a more targeted reference to our custom videos). YouTube stores your data as usage profiles and uses them for the purposes of advertising, market research and/or the needs-based design of its website. Such an evaluation is carried out in particular (even in the case of users who have not logged in) for providing needs-based advertising and in order to inform other users in the social network about your activities on our website.

d. If you do not wish to have your profile assigned by YouTube, you have to log out before clicking the button.

e. You have the right to object to the creation of these user profiles, however, you have to contact YouTube directly in order to exercise this right.

f. Please see the privacy statement for additional information on the purpose and extent of the collection and processing of data by YouTube. You will also find additional information there on your rights and the settings options for the protection of your personal privacy: https://www.google.de/intl/de/policies/privacy.

2. Links to external websites

This website contains links to external pages. We are responsible for our own content. We have no influence over the content of external websites and are therefore not responsible for them, and, in particular, we do not take ownership of such content. If you are guided to an external page, the privacy statement on that page will apply. If you notice any unlawful activities or content on that page, please let us know. In this case, we will examine the content and react accordingly (notice and take-down procedure).

3. Adobe Typekit

We use Adobe Typekit for the visual design of our website. Typekit is a service of Adobe Systems Software Ireland Ltd. that grants us access to a font directory. In order to embed the fonts used by us, your browser has to set up a connection to an Adobe server in the USA and download the font needed for our website. In this case, Adobe receives the information that our website has been requested by your IP address. For further information on Adobe Typekit, please see the adobe data protection notices accessible through the following link: www.adobe.com/privacy/typekit.html

4. Google Maps

This website uses the Google Maps API in order to visually present geographical information. When using Google Maps, Google collects, processes and uses data about the use of the map functions by the visitors. For further information about data processing by Google, please see the Google data protection notices. You can also change your personal data settings in the data protection centre there.
Please see the following for detailed instructions about administering your own data in connection with Google products.

5. Google AdWords

Our website uses Google Conversion Tracking. If you came to our website via an advertisement placed by Google, Google AdWords will place a cookie on your computer. The cookie for conversion tracking will be placed once a user clicks an advertisement placed by Google. These cookies lose their validity after 30 days and are not used for personal identification. If the user visits certain pages on our website and the cookie has not yet expired, we and Google will recognise that the user has clicked the advertisement and was directed to this page. Each Google AdWords customer receives a different cookie. Therefore, cookies cannot be retraced through the websites of AdWords customers. The information gathered using conversion cookies is used to create conversion statistics for AdWords customers who have decided to use conversion tracking. The customers are given the information about the total number of users who have clicked their advertisement and who were forwarded to another page with a conversion tracking tag. However, the customers do not receive any information that could personally identify the users.
If you do not wish to take part in tracking, you may refuse to set cookies, which is required for tracking, for example, via your browser settings which generally disables automatic cookie setting or you can adjust your browser settings so that cookies from the domain “googleleadservices.com” will be blocked.
Please note that you may not delete opt-out cookies if you wish to prevent measurement data being recorded. If you have deleted all the cookies in your browser, you will have to re-set the relevant opt-out cookie.

6. Google Remarketing

This website uses the Google Inc. remarketing function. The purpose of this function is to present advertisements to website visitors within the Google advertising network that are related to their interests. A cookie is stored in the website visitor’s browser which enables it to recognise the visitor again when s/he requests web pages that are within the Google advertising network. On these web pages, advertisements can be presented to the visitor that relate to content that the visitor previously accessed on websites that use the Google remarketing function.
According to Google, it does not collect personal data during this procedure. If you nonetheless do not want the Google remarketing function, you may generally disable it by changing the relevant settings at http://www.google.com/settings/ads . Alternatively, you may disable the use of cookies for advertising related to user interests by following the instructions at http://www.networkadvertising.org/managing/opt_out.asp .

7. Criteo Remarketing

On the basis of our legitimate interests (i.e. our interest in the analysis, optimisation and efficient operation of our online content within the meaning of Article 6(1)(f) GDPR), we use the online marketing services of Criteo GmbH, Gewürzmühlstr. 11, 80538 Munich, Germany.
The services of Criteo enable us to display advertisements for and on our website in a more targeted manner, so that users will only be shown advertisements that potentially correspond to their interests. We refer to “remarketing” when, for example, a user is shown products that he has shown an interest in on other websites. A Criteo code is carried out directly by Criteo for such purposes, when our website or other websites on which Criteo is enabled, is requested, and (re)marketing tags (invisible graphics or code, also called “Web Beacons”) are embedded in the website. Using these tags, an individual cookie, i.e. a small file, is stored on the user’s computer (comparable technologies can also be used instead of cookies). This file contains information about which websites the user has visited, the content the user showed an interest in and which products or services the user clicked, in addition to technical information about the browser and operating system, referring websites, duration of visit and other information about the use of the online content. The above-mentioned information may be combined by Criteo with similar information from other sources. If the user subsequently visits other websites, they may be shown advertisements that have been chosen to correspond to their interests.
The user data are processed pseudonymously, i.e. plain data about the user (such as names) will not be processed and the user IP addresses will be truncated. Processing is carried out only on the basis of online identification, a technical ID. Any IDs disclosed to Criteo (for example, from a customer management system) or email addresses will be encrypted as hash values and stored as a series of characters that do not permit identification.
For further information and options for opting out of the Criteo collection, please see the Criteo data protection provisions: https://www.criteo.com/de/privacy/.

8. Alexa Internet Inc.

It is possible that Alexa collects information about your website visits, your interaction with this website and the products and services offered by us, our partners and our suppliers. The collection and use of information by third parties is subject to their own data protection guidelines. If you do not wish to display information from Alexa Metrics, please visit the following website: https://support.alexa.com/hc/en-us/articles/200685410-Opting-Out-of-Alexa-Measurement-Pixel.

9. Google Tag Manager

Google Tag Manager is a solution that enables us to administer website tags via an interface (and, therefore, for example, incorporate Google Analytics and other Google marketing services in our online content). The tag manager itself (which implements the tags) does not process the personal data of the users. With regard to processing the personal data of the users, reference is made to the following information in relation to Google services: Usage guidelines https://www.google.com/intl/de/tagmanager/use-policy.html.

10. Google DoubleClick

In accordance with our legitimate interests (i.e. our interest in the analysis, optimisation and efficient operation of our online content within the meaning of Article 6(1)(f) GDPR), we use the services of Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, (“Google”).

We use the online marketing procedure, Google DoubleClick, to place advertisements in the Google display network (e.g. in search results, in videos, on websites, etc.). DoubleClick is characterised by the fact that advertisements are displayed in real time based on the assumed interests of users. This enables us to display advertisements for and within our online content in a more targeted manner, so that users will only be shown advertisements that potentially correspond to their interests. We refer to “remarketing” when, for example, a user is shown products that they have shown an interest in on other websites. A Google code is carried out directly by Google for such purposes, when our website or other websites on which the Google display network is enabled, is requested, and (re)marketing tags (invisible graphics or code, also called “Web Beacons”) are embedded in the website. Using these tags, an individual cookie, i.e. a small file, is stored on the user’s computer (comparable technologies can also be used instead of cookies). This file contains information about which websites the user has visited, the content the user showed an interest in and which products or services the user clicked, in addition to technical information about the browser and operating system, referring websites, duration of visit and other information about the use of the online content.
In addition, the user IP address is collected, and is truncated within the Member States of the European Union and in other contracting States to the Agreement on the European Economic Area and only in exceptional circumstances will it be transmitted in full length to a Google server in the USA and truncated there. The above-mentioned information may be combined by Google with similar information from other sources. If the user subsequently visits other websites, they may be shown advertisements that have been tailored to suit their interests, based on their user profile.
User data will be processed pseudonymously within the framework of the Google advertising network. This means that Google does not store or process, for example, the name or email address of the users, but processes the relevant data cookie-related within pseudonymised user profiles. This means that, from the point of view of Google, advertisements will not be administered and displayed for a specific, identified person but for the cookie holder, regardless of who the cookie holder is. This does not apply where the user has expressly given consent to Google to process the data without pseudonymisation. The information collected about the users by Google marketing services will be transmitted to Google and stored on Google servers in the USA.
For additional information on the use of data by Google and on options for settings and objection, please see the Google privacy statement (https://policies.google.com/technologies/ads) and the settings for the presentation of advertising inserts by Google (https://adssettings.google.com/authenticated).

11. Facebook Pixels, Custom Audiences and Facebook Conversion

In accordance with our legitimate interest in the analysis, optimisation and efficient operation of our online content and for these purposes, we use the “Facebook pixel” for our online content, provided by the social network Facebook and operated by Meta Platforms, Inc., 1 Hacker Way, Menlo Park, CA 94025, USA, or, if you are resident in the EU, by Meta Platforms, Inc., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland ("Facebook").

Using the Facebook pixel, Facebook can, on the one hand, identify the visitors to our website as a target group for presenting advertisements (referred to as “Facebook ads”). Accordingly, we use the Facebook pixel to display the Facebook ads placed by us only to those Facebook users who have shown an interest in our online content or who have displayed the specific characteristics (e.g. an interest in certain topics or products that are determined based on the web pages visited), which we transmit to Facebook (referred to as “Custom Audiences”). Using the Facebook pixel we also want to ensure that the Facebook ads reflect the potential interest of the users and are not bothersome. Furthermore, using the Facebook pixel we can record the effectiveness of the Facebook advertisements for statistical and market research purposes by seeing whether the users were directed to our website after clicking a Facebook advertisement (“Conversion”) after clicking a Facebook advertisement.
Data processing by Facebook is carried out within the framework of the Facebook data policy. Please see the Facebook data policy for some general information on the presentation of Facebook Ads: https://www.facebook.com/privacy/policy/?entry_point=data_policy_redirect&entry=0. Special information and details of the Facebook pixel and the way it works are accessible through the Facebook help feature: https://www.facebook.com/business/help/651294705016616.
You may object to the collection of data by the Facebook pixel and to the use of your data for presenting Facebook Ads. In order to determine the type of advertisements that will be displayed to you within Facebook, you can request the page set up by Facebook and follow the instructions on the settings for online behavioural advertising (OBA): https://www.facebook.com/settings?tab=ads. The settings are platform-independent, i.e. they will be applied to all devices such as a desktop computer or mobile devices.
You may further object to the use of cookies for range measurement and advertising purposes via the disabling page of the Network Advertising Initiative (http://optout.networkadvertising.org/) and, in addition, the US American website (http://www.aboutads.info/choices) or the European website (http://www.youronlinechoices.com/uk/your-ad-choices/).

12. Online booking tool DIRS21 by TourOnline AG

In order to facilitate the online booking of accommodation and other travel-related services and for processing enquiries, our website uses the online booking tool DIRS21 (hereinafter the “OBT”) of the company TourOnline AG, Borsigstraße 26, 73249 Wernau, Germany (www.dirs21.de, hereinafter “TOAG”).
As part of the OBT, TOAG processes data as the data controller. Please see the TOAG privacy statement regarding the OBT for notes and provisions on data protection, accessible at any time in the OBT or at www.dirs21.de/datenschutz.

13. Concardis GmbH card payment

In the area of payment by card (direct debit/debit card/credit cards), we collaborate with Concardis GmbH (Concardis), Helfmann Park 7, 65760 Eschborn, Germany, represented by their executives Mark Freese, Jens Mahlke and Luca Zanotti.
Within this framework, card data will be transmitted to the above-mentioned company, in addition to the purchase amount and the date.
All payment data and any data relating to possible return debits will only be stored for as long as is necessary for payment to be processed (including the processing of possible return debits and debt collection) and for anti-abuse action. As a rule, data will be deleted 13 months after they have been collected.
Furthermore, the data may continue to be stored if and for as long as this is required to comply with the statutory period of retention or to investigate a specific case of abuse. Article 6(1)(f) GDPR is the legal basis for data processing.
You may request information and, if applicable, rectification or erasure and also the restriction of processing of your data and/or, if applicable, you may object to the processing of your data. If you have queries relating to data processing by Concardis or you wish to exercise the above-mentioned rights, please contact the Concardis data controller at the address listed below or by email to Datenschutzbeauftragter@concardis.com.
Furthermore, you have the right to lodge a complaint with a supervisory authority (in Germany, this is with a state commissioner for data protection). We would like to point out that the provision of payment data is not required by statute or by contract. If you do not wish to provide your payment data, you may use a different payment procedure (e.g. payment by cash).

8 Contact form & email contact

(1) There is a contact form on our website that can be used for getting in contact electronically. If you make use of this option, the data input into the form will be transmitted to us and stored. These data are:

• IP address, etc., as part of the above-mentioned log in
• Date and time

If contact forms are used on the websites (forwarded as an email) on our servers, the email addresses of the contacting persons will be stored in the mail server logs for up to 7 days for the purpose of error analysis and to ensure the proper functioning of the email services. There will be no further processing. The log files are excluded from data backup. Your consent to the data processing will be obtained as part of the sending process and reference will be made to this Privacy Statement. Alternatively, contact may be made using the email address provided. In this case, the personal data transmitted in the email will be stored. If these details refer to communication channels (for example, email address, telephone number), you consent to us also contacting you through that communication channel, in order to deal with your enquiry. In this case, there will be no disclosure of data to third parties. The data will be used only for the purpose of processing the conversation.

(2) Article 6(1)(a) GDPR will provide the legal basis for the processing of data where the consent of the user has been obtained. Article 6(1)(f) GDPR will provide the legal basis for the processing of data that have been transmitted during the sending of an email. If the purpose of the email contact is to conclude a contract, then Article 6(1)(b) GDPR will provide an additional legal basis.

(3) Processing personal data from the input screen is solely for the purpose of processing the establishment of contact. It goes without saying that we will use the data from your email query exclusively for the purpose for which you made them available when you contacted us. In the case of contact via e-mail, replying to it also involves the necessary legitimate interest in the processing of the data. Any other personal data processed during the sending process are used for the purpose of preventing a misuse of the contact form and for ensuring the security of our IT systems.

(4) The data will be deleted as soon as they are no longer required for the purpose for which they were collected. In relation to the personal data from the input screen of the contact form and those data that were transmitted by email, this is the case once the specific conversation with the user has come to an end. The conversation is deemed to be ended once it is clear from the circumstances that the matter concerned has been definitively clarified. Any other personal data that were also collected during the dispatching process will be deleted at the latest after a period of seven days.

(5) You may at any time withdraw your consent for the processing of your personal data. If you contact us by email, you may object to the storage of your personal data at any time. In such a case, the conversation cannot be continued. With regard to the withdrawal of consent/objection to storage, please contact the data controller or the data protection officer as provided for in section 1 above, either by email or by post. In this case, all personal data that were stored in the course of making contact will be erased.

9 Web analysis using Google Analytics (with pseudonymisation)

(1) We use the services of Google Inc. (Google Inc., 1600 Amphitheatre Parkway Mountain View, CA 94043, USA) on this website for analysing the surfing behaviour of our users. The software places a cookie on your computer (see above for information about cookies). If individual pages of our website are requested, the following data will be stored:
a) Two bytes of the IP address of the requesting user system
b) The requested website
c) Entry pages, exit pages
d) The duration of a visit to the website and the cancellation rate
e) The frequency with which the website is requested
f) Country of origin and region of origin, language, browser, operating system, screen resolution, use of flash or java
g) Search engines and search terms used
The information generated by the cookie about the use of this website by the user is generally transmitted to a Google server in the USA and is stored there.
This website uses Google Analytics with the extension “_anonymizeIp()”. The software is set to store IP addresses in truncated form and not in full length. As a result, it is no longer possible for the truncated IP address to be assigned to the requesting computer. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and truncated there. However, the IP address transmitted from your browser as part of Google Analytics will not be associated with other Google data.

(2) Article 6(1)(f) GDPR will provide the legal basis for the processing of personal data. 

(3) Google will use this information on our behalf to evaluate your use of our website and to prepare reports about such website activity. The evaluation of the data acquired enables us to compile information about the use of individual elements of our website. This helps us to constantly improve our website and its user friendliness. These purposes include our legitimate interest in data processing in accordance with Article 6(1)(f) GDPR. The anonymisation of the IP addresses allows for sufficient account to be taken of the legitimate interest of the users as regards the protection of their personal data.

(4) The data will be deleted as soon as they are no longer required for our recording purposes. In this case, this will be after 50 months.

(5) The cookies used will be stored on your computer and transmitted from there to us. If you do not agree to the collection and evaluation of data about usage you may prevent this by disabling or restricting the use of cookies via the settings in your browser software. Stored cookies may be deleted at any time. However, in that case you may no longer be able to use all the functions of this website in full. In addition, you may prevent the recording of the data generated by the cookie and relating to your use of the website (incl. your IP address) for Google and the processing of such data by Google by downloading and installing the browser add-on available at the following link. The current link is: "http://tools.google.com/dlpage/gaoptout?hl=de.“

(6) The third party provider is Google Dublin, Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland, Fax: +353 (1) 436 1001. For further information, please see the terms & conditions of use at http://www.google.com/analytics/terms/de.html, in the overview of data protection at http://www.google.com/intl/de/analytics/learn/privacy.html and in the privacy statement at http://www.google.de/intl/de/policies/privacy.

10 Social Media Plugins

1. AddToAny

On the romantikhotels.com website, you have the option of sharing content in social media/social networks through the AddToAny service. AddToAny fields are provided on the romantikhotels.com website, where you may set bookmarks and share and jointly use website content in social media/social networks. Cookies are used when using AddToAny. The data generated in this way are transmitted to www.addtoany.com . By using the AddToAny field, you consent to data processing by AddToAny and to the transmission of the data to AddToAny. For details of the extent to which data are collected and used/processed, please see the website www.addtoany.com . According to its own privacy statement, AddToAny does not store personal data. You may only use the service AddToAny if you have a social media/social network user account and are logged in with your access data. In this case, we are not responsible for the use of the AddToAny service and any data published by it, because the creation of a user account, that is to say, membership in one of the social media services, requires in each case your consent to the relevant data protection provisions. Therefore, data will only be collected by AddToAny if these services are requested by you and you have the requisite user accounts. The service AddToAny is, therefore, used on the basis of the data protection provisions of the individual social medium/social network in which you are logged in at the time of using the service. Romantik Hotels & Restaurants AG does not collect any data itself when using the AddToAny service and does not receive any data from AddToAny that is generated through the use of the share button. AddToAny merely provides an opt-out option for a large number of advertising networks. You may also opt out directly via this link.
You may object to the use of your data by using an opt-out cookie. Please see the following website for more details: www.addtoany.com .

2. Facebook

(1) We use social plugins from the social network, Facebook (Meta Platforms, Inc., 1601 South California Avenue, Palo Alto, CA 94304, USA) on these webpages. This plugin enables you to set bookmarks on these pages and to share them with other social network participants. You will recognise this plugin by the Facebook logo or the typical “like” button. For an overview of Facebook plugins, please see http://developers.facebook.com/docs/plugins/.

(2) In this case, we use the double-click solution. This means that when you visit our website, generally no personal data will be transmitted to Facebook initially. We give you the opportunity to communicate directly with Facebook using the button. Facebook will only be notified that you have requested a specific website in our online content when you click the marked field and therefore activate it.
The data will be transmitted regardless of whether you have an account with Facebook and are logged into it or not.
a) If you click the Facebook “like” button while you are logged in to your Facebook account, the content of these pages may be linked to your Facebook profile. In this case, Facebook may also assign your visit to these pages to your user account. When you click the activation button and, for example, link the page, Facebook will also store this information in your user account and publicly share it with your contacts. We recommend that once you have finished using a social network you regularly log out of it, in particular, however, before activating the button, as this will allow you to prevent the assignment of data to your profile.
b) If you are not a member of Facebook or you have logged out of Facebook before visiting this page, there is still the possibility that Facebook will collect and store your IP address. If you do not wish Facebook to assign your visit to our pages to your Facebook user account, you have to log out of Facebook before visiting our website and/or simply not activate the plugin.
The following data will generally be transmitted to Facebook in this case:

• Browser-related data such as IP address, browser type, operating system, time and date of request, website visited.
• User ID (in the case of a registered Facebook account)

According to Facebook, in Germany IP addresses are anonymised immediately on collection. By activating the plugin, therefore, personal data are transmitted from you to Facebook and stored in the USA. Given that Facebook collects data in particular through cookies, we recommend that, prior to clicking the greyed-out box, you delete all cookies via the security settings in your browser.

(3) We have no influence over the collected data and data processing procedures and we are also unaware of the full extent of the data collection, the purpose of the processing or the storage periods. We also have no information about the deletion of collected data by Facebook.

(4) Facebook stores the data they have collected about you as usage profiles and uses this for the purposes of advertising, market research and/or the needs-based design of its website. Such an evaluation is carried out in particular (also for users who are not logged in) for presenting needs-based advertising and in order to inform other users in the social network about your activities on our website. We offer you the opportunity to interact with the social networks and other users through the plugins, so that we can improve our content and make it more interesting for you as a user.

(5) Article 6(1)(a) GDPR provides the legal basis for the use of plugins.

(6) You have the right to object to the creation of such a user profile, however, you have to contact Facebook in order to exercise this right.

(7) For settings and objecting to the use of data for advertising purposes, please see the Facebook profile settings at https://www.facebook.com/settings?tap=ads. For further information on the purpose and extent of the collection of data and on their processing and on your rights through and vis-à-vis Facebook, please see
http://www.facebook.com/policy.php,
http://www.facebook.com/help/186325668085084,
http://www.facebook.com/about/privacy/your-info-on-other#applications
and http://www.facebook.com/about/privacy/your-info#everyoneinfo.

3. Google+1

(1) We use Google+1 social plugins from Google Inc. (Google Inc., 1600 Amphitheatre Parkway Mountain View, CA 94043, USA) on these pages. This plugin enables you to set bookmarks on these pages and to share them with other social network participants. You will recognise the plugin by the “+1” symbol. For an overview of Google plugins and their appearance, please see: https://developers.google.com/+/web/.

(2) In this case, we use the double-click solution. This means that when you visit our website, generally no personal data will be transmitted to Google initially. We give you the opportunity to communicate directly with Google using the button. Google will only be notified that you have requested the specific website in our online content when you click the marked field and therefore activate it.
If you click the “+1” button while you are logged in to your Google account, the content of these pages may be linked to your Google profile. In this case, Google may also assign your visit to these pages to your user account. When you click the activation button and, for example, link the page, Google will also store this information in your user account and publicly share it with your contacts. We recommend that once you have finished using a social network you regularly log out of it, in particular, however, before activating the button, as this will allow you to prevent the assignment of data to your profile.
The following data will generally be transmitted to Google in this case:

• Device-specific information, for example, the hardware used; the version of the operating system; the precise device identification and information about the mobile phone network including your telephone number.
• Log data in the form of server logs. They contain, among other things, details about the manner in which the services were used, for example, search queries; IP address; hardware settings; browser type; browser language; date and time of your request; original page; cookies through which your browser or your Google account can be clearly identified.
• Location-related information. Information about your actual location may be collected by Google. This includes, for example, your IP address, your Wi-Fi access points or mobile phone masts.
• Additional information about the data collected by Google Inc. can be accessed through the following link. https://policies.google.com/privacy?hl=de&gl=de

By activating the plugin, therefore, personal data are transmitted from you to Google and stored in the USA. Given that Google collects data in particular through cookies, we recommend that, prior to clicking the greyed-out box, you delete all cookies via the security settings in your browser.

(3) We have no influence over the collected data and data processing procedures and we are also unaware of the full extent of the data collection, the purpose of the processing or the storage periods. We also have no information about the deletion of collected data by Google.

(4) Google stores the data they have collected about you as usage profiles and uses this for the purposes of advertising, market research and/or the needs-based design of its website and, where applicable, for disclosure to partner companies. Such an evaluation is carried out in particular (also for users who are not logged in) for presenting needs-based advertising and in order to inform other users in the social network about your activities on our website. We offer you the opportunity to interact with the social networks and other users through the plugins, so that we can improve our content and make it more interesting for you as a user.

(5) Article 6(1)(f) GDPR provides the legal basis for the use of plugins. 

(6) You have the right to object to the creation of these user profiles, however, you have to contact Google directly in order to exercise this right.

(7) For further information on the purpose and extent of the collection of data and on their processing and on your rights through and vis-à-vis Google, please see https://www.google.com/policies/privacy/partners/?hl=de.

4. Twitter

(1) We use the functions provided by the Twitter service (Twitter Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA) on these pages. By using Twitter and the user interface “re-tweet”, you may follow a contribution or a page on Twitter or you may connect the websites you visited with your Twitter account and share them with other users. You will recognise the plugin by the “re-tweet” user interface or the typical blue bird. For an overview of the Twitter buttons and their appearance, please see: https://twitter.com/about/resources/buttons.

(2) In this case, we use the double-click solution. This means that when you visit our website, generally no personal data will be transmitted to Twitter initially. We give you the opportunity to communicate directly with Twitter using the button. Twitter will only be notified that you have requested the specific website in our online content when you click the marked field and therefore activate it.
If you click the Twitter button while you are logged in to your Twitter account, the content of these pages may also be linked to your Twitter profile. In this case, Twitter may also assign your visit to these pages to your user account. When you click the activation button and, for example, link the page, Twitter will also store this information in your user account and publicly share it with your contacts. We recommend that once you have finished using a social network you regularly log out of it, in particular, however, before activating the button, as this will allow you to prevent the assignment of data to your profile.
The following data will generally be transmitted to Twitter in this case:

• IP address, browser type, date and time of request, original page, operating system, screen resolution
• These data will be linked to your account data with the social media provider

By activating the plugin, therefore, personal data are transmitted from you to Twitter and stored in the USA.

(3) We have no influence over the collected data and data processing procedures and we are also unaware of the full extent of the data collection, the purpose of the processing or the storage periods. We also have no information about the deletion of collected data by Twitter.

(4) Twitter stores the data that they have collected about you as usage profiles and uses them for the purposes of advertising, market research and/or the needs-based design of its website. Such an evaluation is carried out in particular for presenting needs-based advertising and in order to inform other users in the social network about your activities. We offer you the opportunity to interact with the social networks and other users through the plugins, so that we can improve our content and make it more interesting for you as a user.

(5) Article 6(1)(a) GDPR provides the legal basis for the use of plugins. 

(6) You have the right to object to the creation of these user profiles, however, you have to contact Twitter directly in order to exercise this right.

(7) For further information on the purpose and extent of the collection of data and on their processing and on your rights through and vis-à-vis Twitter, please see https://twitter.com/privacy. You may change your data protection settings in Twitter at any time at http://twitter.com/account/settings.

5. Instagram

(1) We use social plugins from the social network Instagram (Meta Platforms, Inc., 1601 Willow Road, Menlo Park, CA, 94025, USA) on this website. This plugin enables you to set bookmarks on these pages and to share them with other social network participants. You will recognise the plugin by the square camera and also by the “Instagram” logo.

(2) In this case, we use the double-click solution. This means that when you visit our website, generally no personal data will be transmitted to Instagram initially. We give you the opportunity to communicate directly with Instagram using the button. Instagram will only be notified that you have requested the specific website in our online content when you click the marked field and therefore activate it.
The data will be transmitted regardless of whether you have an account with Instagram and are logged in or not.
a) If you click the Instagram button while you are logged in to your Instagram account, the contents of these pages may also be linked to your Instagram profile. In this case, Instagram may assign the visit to these pages to your user account. When you click the activation button and, for example, link the page, Instagram will also store this information in your user account and publicly share it with your contacts. We recommend that once you have finished using a social network you regularly log out of it, in particular, however, before activating the button, as this will allow you to prevent the assignment of data to your profile.
b) If you are not a member of Instagram or you have logged out of Instagram before visiting this page, there is still a possibility that Instagram will collect and store your IP address. If you do not want Instagram to assign your visit to our pages to your Instagram user account, you have to log out of your Instagram account before visiting our website and/or simply not activate the plugin.
The following data will generally be transmitted to Instagram in this case:

• IP address, browser type, date and time of request, original page, operating system, screen resolution
• These data will be linked to your account data with the social media provider

By activating the plugin, therefore, personal data are transmitted from you to Instagram and stored in the USA.

(3) We have no influence over the collected data and data processing procedures and we are also unaware of the full extent of the data collection, the purpose of the processing or the storage periods. We also have no information about the deletion of collected data by Instagram.

(4) Instagram stores the data they have collected about you as usage profiles and uses this for the purposes of advertising, market research and/or the needs-based design of its website. Such an evaluation is carried out in particular (also for users who are not logged in) for presenting needs-based advertising and in order to inform other users in the social network about your activities on our website. We offer you the opportunity to interact with the social networks and other users through the plugins, so that we can improve our content and make it more interesting for you as a user.

(5) Article 6(1)(a) GDPR provides the legal basis for the use of plugins.

(6) You have the right to object to the creation of these user profiles, however, you have to contact Instagram directly in order to exercise this right.

(7) For further information on the purpose and extent of the collection of data and their processing and on your rights through and vis-à-vis Instagram, please see http://instagram.com/about/legal/privacy/.

6. Privacy statement for the use of Pinterest

There is an option on the romantikhotels.com website to attach photo albums with descriptions to a virtual pinboard via the social network Pinterest. This is a service provided by the US American company Pinterest Inc., 808 Brannan Street, San Francisco, CA 94103, USA. The “Pin-it” button is embedded for this purpose in the pages of the romantikhotels.com website. When the “Pin-it” button is clicked, data are transmitted directly to Pinterest. By using the “Pin-it” button, you consent to data processing by Pinterest and to the transmission of the data to Pinterest. For details of the extent to which data are collected and used/processed, please see the website www.pinterest.com. Please see https://about.pinterest.com/de/privacy-policy for a declaration by Pinterest as to which data are stored when you use the “Pin-it” button. You can only use the Pinterest service if you have a user account there and are logged in through Pinterest. In that case, we are no longer responsible for the use of the Pinterest service or for the data that are approved or published by it. By logging in to Pinterest, you accept the data protection provisions of the company Pinterest. Therefore, the use of the Pinterest service on the romantikhotels.com website is on the basis of the data protection provisions of Pinterest. Romantik Hotels & Restaurants AG does not collect any data itself when you are using the Pinterest service or using the “Pin-it” button and does not receive any data from Pinterest that is generated through the use of the “Pin-it” button. We would like to point out that Romantik Hotels & Restaurant AG has no influence over the data that are collected and stored by Pinterest. We are also unaware of the content of the data transmitted to Pinterest and of their use by Pinterest.

11 CRM System (Customer Relationship Management System)

We use the CRM system of the provider salesforce.com Germany GmbH, Erika-Mann-Str. 31, 80636 Munich, which enables us to process user enquiries faster and more efficiently (legitimate interest pursuant to Article 6(1)(f) GDPR).

salesforce uses the user data only for the technical processing of enquiries and does not disclose them to third parties. In order to use salesforce, at least one correct email address has to be supplied. Pseudonymous use is possible. During the processing of service enquiries, it may become necessary for additional data to be collected (name, address). The use of Zendesk is optional and it is used to improve and expedite our customer and user service.
If users do not consent to the data collection by and data storage in an external system at salesforce, we offer alternative ways of contacting us in order to submit service enquiries per email, telephone, telefax or post.
The user will find additional information in the salesforce privacy statement: https://www.salesforce.com/de/company/privacy/.

12 Rights of the data subject

If your personal data are processed, you are a data subject within the meaning of the GDPR and you have the following rights vis-à-vis the data controller:
1. Right of access
2. Right to rectification
3. Right to restriction of processing
4. Right to erasure
5. Right to notification
6. Right to data portability
7. Right to object to processing
8. Right to withdraw consent to data processing
9. Right to the non-use of automated decision-making
10. Right to lodge a complaint with a supervisory authority

1. Right of access

(1) You may request confirmation from the data controller as to whether personal data concerning you are processed by us. If it is the case that we are processing data about you, you may request, from the data controller, information about the stored personal data concerning you and about the following information, free of charge and at any time: a) The purpose of the processing of the personal data; b) The categories of personal data concerned; c) The recipients and/or the categories of recipients to whom the personal data concerning you have been or will be disclosed; d) The planned duration of the storage of the personal data concerning you or, if such precise information is not possible, the criteria used to determine this storage period; e) The existence of the right to rectification or erasure of the personal data concerning you, the right to restriction of processing by the data controller or the right to object to such processing; f) The existence of a right to object at a supervisory authority; g) All available information about the origin of the data, if the personal data were not collected directly from the data subject; h) The existence of automated decision-making including profiling pursuant to Article 22(1) and (4) GDPR and, at least in these cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

(2) You have the right to request information as to whether the personal data concerned have been transmitted to a third country or to an international organisation. In this regard, you may request notification about the suitable guaranties pursuant to Article 46 GDPR in connection with transmission.

2. Right to rectification

You have the right vis-à-vis the data controller, without undue delay, to rectification and/or completion, if the processed personal data concerning you are inaccurate or incomplete.

3. Right to restriction of processing

(1) Under the following conditions, you may request the data controller to restrict, without undue delay, the processing of the personal data concerning you.
a) If you are disputing the personal data concerned for a period that allows the data controller to check the accuracy of the personal data;
b) The processing is unlawful and you reject the erasure of the personal data and instead request the restriction of the use of the personal data;
c) The data controller no longer requires the personal data for processing, but you require them for the purpose of the establishment, exercise or defence of legal claims, or
d) if you have lodged an objection to data processing pursuant to Article 21(1) GDPR and it has not yet been verified whether the legitimate grounds of the data controller override your grounds.

(2) If the processing of your personal data has been restricted, these data, with the exception of their storage, may only be processed with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State. If the processing of your data has been restricted under the above-mentioned conditions, you will be informed by the data controller before this restriction of processing has been lifted.

4. Right to erasure

(1) You may request the data controller to erase the personal data concerning you without undue delay, where one of the following grounds applies:
a) Your personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
b) You withdraw consent on which the processing was based pursuant to Article 6(1)(a) or Article 9(2)(a) GDPR, and there is no other legal basis for the processing;
c) You object to the processing pursuant to Article 21(1) GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Article 21(2) GDPR;
d) Your personal data have been unlawfully processed;
e) Your personal data have to be erased in order to ensure compliance with a legal obligation under Union law or the law of a Member State, to which the data controller is subject;
f) Your personal data were collected in relation to services offered by the information society pursuant to Article 8(1) GDPR.

(2) Where the data controller has made the personal data public and is obliged pursuant to Article 17(1) GDPR to erase the personal data, the data controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform data controllers who are processing the personal data that you, as the data subject, have requested the erasure by such data controllers of any links to, or copy or replication of those personal data.

(3) The right to erasure does not exist if processing is necessary
a) to exercise the right of freedom of expression and information;
b) for compliance with a legal obligation which requires processing under Union law or the law of a Member State to which the data controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller;
c) for reasons of public interest in the area of public health pursuant to Article 9(2)(h) and (i) and Article 9(3) GDPR;
d) for archiving purposes in the public interest, for scientific or historical research purposes or statistical purposes pursuant to Article 89(1) GDPR, in so far as the right referred to in sub-section (a) is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
e) for the establishment, exercise or defence of legal claims.

5. Right to notification

Where you have exercised the right to rectification, erasure or restriction of processing vis-à-vis the data controller, the latter is obliged to notify all recipients, to whom personal data concerning you have been disclosed, of such rectification/erasure/restriction of processing, unless this proves to be impossible or involves disproportionate effort. You have the right vis-à-vis the data controller to be notified about these recipients.

6. Right to data portability

(1) You have the right to receive the personal data concerning you, which you have provided to a data controller, in a structured, commonly used and machine-readable format. In addition, you have the right to transmit those data to another data controller without hindrance from the data controller to which the personal data have been provided, where a) the processing is based on consent pursuant to Article 6(1)(a) GDPR or Article 9(2)(a) GDPR or on a contract pursuant to Article 6(1)(b); and b) processing is carried out by automated means.

(2) In exercising this right, you also have the right to have the personal data concerning you transmitted directly from one data controller to another, where technically feasible. This must not adversely affect the rights and freedoms of others.

(3) The right to data portability does not apply to processing that is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller.

(4) In exercising the right to data portability, the data subject may contact the data controller at any time.

7. Right to object

(1) You have the right to object at any time, on grounds relating to your own particular situation, to the processing of personal data concerning you that is based on Article 6(1)(e) or (f) GDPR; including profiling based on those provisions.

(2) The data controller shall no longer process the personal data concerning you unless the data controller demonstrates compelling legitimate grounds for the processing which override your interests, rights and freedoms or where the processing is for the purpose of the establishment, exercise or defence of legal claims.

(3) Where personal data concerning you are processed for direct marketing purposes, you have the right to object at any time to the processing of your personal data for such marketing; this also applies to profiling to the extent that it is related to such direct marketing. Where you object to processing for direct marketing purposes, the personal data concerning you will no longer be processed for such purposes.

(4) In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, you have the option of exercising your right to object by automated means for which technical specifications are used.

(5) In order to exercise the right to object, the data subject may contact the data controller directly.

8. Right to withdraw the declaration of consent to data processing

You have the right to withdraw your declaration of consent at any time. The lawfulness of the processing that was carried out on the basis of consent up to the time of withdrawal of consent will be not affected by the withdrawal of consent. You may contact the data controller in this matter.

9. Automated decision-making in an individual case including profiling

(1) You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. This does not apply if the decision
a) is necessary for entering into, or for the performance of a contract between you and the data controller,
b) is permissible under Union or Member State law to which the data controller is subject and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests; or
c) it is carried out with your express consent.

(2) However, these decisions may not be based on special categories of personal data pursuant to Article 9(1) GDPR, provided Article 9(2)(a) or (g) GDPR does not apply and suitable measures have been taken for the protection of rights and freedoms and of your legitimate interests.

(3) With regard to cases referred to in sub-sections (1) and (3), the data controller will carry out suitable measures to safeguard the rights and freedoms of the data subject and the legitimate interests, at least the right to obtain human intervention on the part of the data controller, to express his or her point of view and to contest the decision.

(4) If the data subject wishes to establish claims in relation to automated decisions, they may contact the data controller at any time in this matter.

10. Right to lodge a complaint with a supervisory authority

Without prejudice to other administrative or judicial appeals, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State in which you are domiciled, have your place of work or in which the alleged infringement occurred, if you are of the opinion that the processing of personal data concerning you is contrary to the GDPR. The supervisory authority at which the complaint was lodged, instructs the complainant regarding the status and the results of the complaint including the possibility of a judicial appeal under Article 78 GDPR.

13 Changes to the data protection policy

We retain the right to amend our data protection practices and this policy in order to adapt it to changes in the relevant legislation or provisions or in order to better fulfil your needs. Any changes to our data protection practices will be notified here. Therefore, please note the current version date of the privacy statement.