The Controller pursuant to the General Data Protection Regulation and other national data protection laws of the Member States and other data protection provisions is:
Maritim Hotelgesellschaft mbH
Herforder Strasse 2
32105 Bad Salzuflen
Germany
Phone: +49 (0) 5222 953-0
info.vkd@maritim.de
www.maritim.com
The Controller's Data Protection Officer is:
Sebastian von der Au
EDV-Unternehmensberatung Floß GmbH
Hopfengarten 10
33775 Versmold
Germany
Phone: +49 (0) 5423 964900
datenschutz@maritim.de
Object of Data Security
The object of data protection is personal data.
Personal data pursuant to the German Federal Data Protection Act (BDSG) is any individual information relating to the personal or material circumstances of a specific or identifiable natural person. The GDPR further defines "personal data" as any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier, such as a name, an identification number, location data or an online identifier.
A Data Subject is any identified or identifiable natural person whose personal data is processed by the Controller responsible for processing.
Processing entails any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Scope of personal data processing
In principle, we only gather and use the personal data of our users to the extent necessary to enable us to provide a functional website and our content and services. We only gather and use the personal data of our users regularly with the consent of the user. An exception applies to cases in which prior consent cannot be obtained for material reasons and the processing of the data is permitted by law.
Legal basis for personal data processing
If we obtain the consent of the data subject for the processing of personal data, Article 6 (1) a) EU General Data Protection Regulation (GDPR) shall serve as the legal basis.
When we process the personal data necessary for the fulfilment of a contract to which the data subject is a party, Article 6 (1) b) GDPR shall serve as the legal basis This also applies to processing operations necessary in order to implement pre-contractual measures.
Insofar as it is necessary to process personal data in order to fulfil a legal obligation pertaining to our company, Article 6 (1) c) GDPR shall serve as the legal basis.
In the event that the vital interests of the Data Subject or any other natural person require the processing of personal data, Article 6 (1) d) GDPR shall serve as the legal basis
If processing is necessary in order to safeguard the legitimate interests of our company or a third party, and if the interests, fundamental rights and freedoms of the Data Subject do not prevail over the primary interest, Article 6 (1) f) GDPR shall serve as the legal basis for processing.
Data deletion and storage period
The personal data belonging to the Data Subject will be deleted or blocked as soon as the reason for storage no longer applies. Further storage may be permitted if this is provided for by the European or national legislators in EU regulations, laws or other rules incumbent on the Controller. The data shall also be blocked or deleted when a storage period prescribed by the standards mentioned expires, unless it is necessary to continue to store the data for the purpose of concluding a contract or fulfilling a contract.
Description and scope of data processing
Each time our website is accessed, our system automatically gathers data and information from the computer system of the calling computer.
The following data is collected:
- Information about the browser type and the version used
- User's operating system
- User's Internet service provider
- User's anonymised IP address
- Date and time of access
- Websites from which the user's system accesses our website
- Websites that the user's system accesses from our website
- Keywords entered
- Information about the device type used
- Language settings
- The frequency with which pages are called
The data is also stored in the log files of our system. This data is not stored together with other personal data belonging to the user.
Legal basis for data processing
The legal basis for the temporary storage of data and log files is Article 6 (1) f) GDPR.
Purpose of data processing
It is necessary for the IP address to be stored temporarily by the system in order to allow the website to be delivered to the user's computer. For this, the user's anonymised IP address must be stored for the duration of the session.
It is stored in log files to ensure the functionality of the website. In addition, the data is used to optimise the website and to ensure the security of our information technology systems. The data is not evaluated for marketing purposes in this context. For these purposes, our legitimate interest lies in the processing of data pursuant to Article 6 (1) f) GDPR.
Storage duration
The data will be deleted as soon as it is no longer required for the purpose for which it was gathered. If the data is gathered for the purpose of providing the website, this is the case when the respective session is terminated. When data is stored in log files, this is the case after a maximum of seven days. Longer storage is possible. In this case, the IP addresses of the users are deleted or anonymised, so that they can no longer be linked to the calling client.
Objections and remedies
The gathering of data for the provision of the website and the storage of the data in log files are essential for the operation of the website. There is consequently no possibility for the user to object.
Description and scope of data processing
Our website uses cookies. Cookies are small text files that are saved in the Internet browser or stored by the Internet browser on the user's computer system. When a user visits a website, a cookie can be stored on the user's operating system. This cookie contains a characteristic string that allows the browser to be uniquely identified when the website is next reopened.
We use cookies to make our website more user-friendly. Some elements of our website require that the calling browser should be identified even after a change of page.
The following data is stored and transmitted in the cookies:
- Language settings
- Information about the pull-down status of the quick booking screen
- A session cookie (for the duration of the browser session) to temporarily save filter selections or completed forms
In addition, we also use cookies on our website to enable us to analyse our users' browsing behaviour.
The following data can be transmitted in this way:
- Information about the browser type and the version used
- User's operating system
- User's Internet service provider
- User's anonymised IP address
- Date and time of access
- Websites from which the user's system accesses our website
- Websites that the user's system accesses from our website
- Keywords entered
- Information about the device type used
- Language settings
- The frequency with which pages are called
The data belonging to users collected in this way is pseudonymised using technical measures This means it is no longer possible to link data to the calling user. The data is not stored along with other personal data belonging to the user. When they access our website, users will see an info banner informing them of the use of cookies for analysis purposes and referring them to this Data Security Policy. In this context, there is also a note indicating how the user can prevent the storage of cookies in his/her browser settings. In the YourOnlineChoices preference management system you can decline usage-based online advertising from individual companies or all companies.
Legal basis for data processing
The legal basis for the processing of personal data using technically necessary cookies is Article 6 (1) f) GDPR.
The legal basis for the processing of personal data using cookies for analysis purposes is Article 6 (1) f) GDPR, provided the user has granted the appropriate consent.
Purpose of data processing
The purpose of using technically necessary cookies is to simplify the use of websites for users. Some features of our website cannot be offered without the use of cookies. For these, it is necessary that the browser should be recognised, even after a new page is accessed.
We need cookies for the following applications:
- Shopping basket
- Language settings
- Information about the pull-down status of the quick booking box
- A session cookie (for the duration of the browser session) to temporarily save filter selections or completed forms
The user data collected by means of technically essential cookies will not be used to create user profiles.
Analysis cookies are used for the purpose of improving the quality of our website and its contents. Through the use of analysis cookies, we learn how the website is used and can optimise our offer continuously.
For these purposes, our legitimate interest also lies in the processing of personal data pursuant to Article 6 (1) f) GDPR.
Storage duration, objections and remedies
Cookies are stored on the user's computer and are transmitted by it to our site. This means that you, as a user, have full control over the use of cookies. By changing the settings in your Internet browser, you can disable or restrict the transfer of cookies. Already saved cookies can be deleted at any time. This process can also be automated. If cookies are deactivated for our website, it may not be possible to use all the functions of the website to the full extent.
You can subscribe to a free newsletter on our website. All data protection information can be found on our site "Newsletter data protection".
Description and scope of data processing
Our website contains a contact form that can be used for online contacts. If a user takes advantage of this option, the data entered in the input mask will be transmitted to us and saved.
This data includes:
- User's correct form of address
- Subject
- User's first name and last name
- User's full postal address
- User's e-mail address
- User's country
- User's message
- User's title
- User's phone number
- User's company
At the time the message is sent, the following data is also stored:
- User's IP address
- Date and time of registration
- User's correct form of address
- Subject
- User's first name and last name
- User's full postal address
- User's e-mail address
- User's country
- User's message
- User's title – if provided
- User's phone number – if provided
- User's company – if provided
To enable data to be processed, you will be asked for your consent as part of the submission process and referred to the Data Security Policy. Alternatively, it is possible to make contact using the e-mail address provided. In this case, the user's personal data transmitted with the e-mail will be stored. Data stored in this context will not be disclosed to third parties. The data will solely be used to process the conversation.
Legal basis for data processing
The legal basis for the processing of data is Article 6 (1) a) GDPR, provided the user has granted the appropriate consent.
The legal basis for the processing of the data transmitted when an e-mail is sent is Article 6 (1) f) GDPR. If the intention behind the e-mail contact is to conclude a contract, the additional legal basis for the processing of the data is Article 6 (1) b) GDPR.
Purpose of data processing
The personal data provided in the input mask will solely be processed by us to manage contact. When contact is made by e-mail, this also presupposes the necessary legitimate interest in the processing of the data. The other personal data processed during the submission process is intended to prevent misuse of the contact form and to ensure the security of our IT systems.
Storage duration
The data will be deleted as soon as it is no longer required for the purpose for which it was gathered. In the case of the personal data entered in the input screen of the contact form and sent by e-mail, this is when the respective conversation with the user has ended. The conversation is ended when it can be inferred from the circumstances that the relevant matter has been finally clarified.
The additional personal data collected as part of the submission process will be deleted after a period of seven days at the latest.
Objections and remedies
The user can withdraw his consent to the processing of his personal data at any time. If the user contacts us by e-mail, he may decline the storage of his personal data at any time. In such cases, we will not be able to continue the conversation.
In case you wish to decline the processing of your personal data by us, please send an e-mail to widerspruch@maritim.de.
All personal data stored when contact is established will be deleted in this case.
This website uses Google Analytics Universal, web analysis service of Google Inc. ("Google"). Google Analytics uses "cookies", which are text files placed on your computer, to help the website analyse how you use the site. The information generated by the cookie concerning your use of this website generally will be passed on to a Google server in the USA and saved there. We wish to expressly point out that the website uses Google Analytics with the "anonymizeIp" add-on, which means that IP addresses are only processed in truncated form to prevent any direct reference to a particular person. The full IP address will only be transmitted to a Google server in the US and truncated there in exceptional cases. Acting on behalf of the operator of this website, Google will use this information to evaluate your use of the website, to compile reports on website activity and to provide other services related to website activity and Internet usage to the website operator. The IP address provided by your browser as part of Google Analytics will not be merged with other Google data. You may refuse to allow the storage of cookies by selecting the appropriate settings in your browser software, however please note that if you do this you may not be able to use the full functionality of this website. In addition, you may prevent the collection of the data generated by the cookie and related to your use of the website (including your IP address) by Google as well as the processing of this data by Google by downloading and installing the browser plug-in available under the following Link. As an alternative to the browser add-on or within browsers on mobile devices, please click this link to prevent the gathering of data by Google Analytics within this website in the future (the opt-out only applies in the particular browser and only for this domain). This involves placing an opt-out cookie on your device. To delete cookies in the respective browser, you must click this link again.
Sessions generally end after 30 minutes of inactivity, while campaigns end after six months. The time limit for campaigns can be a maximum of two years. For more information on Terms of Use and Data Security see: https://www.google.com/analytics/terms/de.html
Google Tag Manager is used on our websites to manage our website tags by means of an interface. The Tag Manager itself is a cookie-free domain that does not gather personal data. The task of the tool is to trigger other tags, which in turn may capture data under certain circumstances. However, Google Tag Manager does not access this data. Of course it is possible to obtain additional information about this and to disable the service if necessary. Click here to opt-out of tracking by Google Tag Manager.
We use Google Fonts on our website. This enables us to integrate certain fonts into our website. Google Fonts is a service of Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA ("Google"). The fonts are not loaded from Google, but are installed locally on our web server.
For more information on Terms of Use and Data Protection see: https://www.google.com/policies/privacy/
Personal data will be transferred to locations in third countries if
- this is necessary in order to complete the website user's booking and manage the guest's stay at the hotel
- it is required by law
- or it has been approved by the user
As already mentioned elsewhere in this Privacy Policy, for certain tasks our company cooperates with service providers whose corporate headquarters are located in third countries, whose parent company is located in third countries or which themselves cooperate with companies located in third countries. Such cooperation is permissible if it has been determined by the European Commission that an adequate level of protection exists in the third countries in question (called an Adequacy Decision in Art. 45 GDPR). If this is not the case, it is ensured at all times that, in the case of service providers with a third-country connection without an adequacy decision, the special requirements of the General Data Protection Regulation for third-country transfers (Art. 44 and 46 et seqq. GDPR) are met.
The standard case here is the conclusion of EU standard contractual clauses as part of commissioned data processing (Art. 46 (2) (c) GDPR) in order to contractually bind the respective service providers. In such clauses, the service providers commit to protectingg the data of our users, processing said data in accordance with its data protection provisions on our behalf and, in particular, refraining from disclosing this data to third parties. To minimise the risks for data subjects, supplementary safeguards are established, such as encryption or other contractual, technical or organisational safeguards. We will not perform any further transfer of personal data beyond the described type of cooperation.
Personal data will only be stored by Maritim Hotelgesellschaft mbH for the period required in order to achieve the purpose of storage, or insofar as required by European regulators or other legislators in laws or regulations incumbent on the Controller.
When the purpose of storage no longer applies or when a storage period prescribed by the European regulator or any other relevant legislator expires, the personal data will be routinely blocked or deleted in accordance with the statutory provisions.
External service providers, such as the mail service or mailing companies that process personal data on behalf of Maritim Hotelgesellschaft mbH are subject to the statutory data protection regulations and may only process the data provided for the specific purpose in hand.
External links
To offer you the best possible information, you will find links on our pages that refer to third-party websites. If such links are not obviously apparent, we point out that these are external links. Maritim Hotelgesellschaft mbH has no influence on the content and design of these websites and the data protection practices of third parties. We cannot accept any responsibility for this. The details of our Data Security Policy do not apply there. Thus, if you click on an advertisement or a third-party link, you should be aware that you are leaving the Maritim Hotelgesellschaft mbH service and that any personal data you provide will no longer be covered by this Data Security Policy. Please read the data protection statements of the other website owners to find out how your personal information is gathered and processed on these websites.
Declaration of consent by the user
By using our websites and online offers, you agree that the data voluntarily provided and transmitted by you may be stored by us and used and processed in compliance with this Data Security Policy.
If you process personal data, you are a Data Subject under the terms of the GDPR and you have the following rights in relation to the Controller:
1. Right to information
You may ask the Controller to confirm whether personal data relating to you is processed by us.
If such processing is taking place, you can request information from the Controller about the following:
- the purposes for which personal data is being processed;
- the categories of personal data being processed;
- the recipients or categories of recipients to whom the personal data relating to you has been disclosed or is still being disclosed;
- the planned duration of the storage of your personal data or, if specific information is not available, criteria for determining the duration of storage;
- the existence of a right to the correction or deletion of personal data concerning you, a right to restrict processing by the Controller or a right to object to such processing;
- the existence of a right of appeal to a supervisory authority;
- all available information on the origin of the data if the personal data is not gathered from the Data Subject;
- the existence of automated decision-making, including profiling, under Article 22 (1) and (4) GDPR and, at least in these cases, meaningful information about the logic involved, and the scope and intended impact of such processing on the Data Subject.
You have the right to request information about whether your personal data is transferred to a third country or an international organisation. In this context, you can request the appropriate guarantees pursuant to Article 46 GDPR in connection with the transfer.
2. Right of correction
You have a right to correction and/or completion in relation to the Controller, if the processed personal data relating to you is incorrect or incomplete. The Controller must carry out the correction without delay.
3. Right to restrict processing
You may demand that the processing of your personal data should be restricted under the following conditions:
- if you contest the accuracy of the personal data relating to you for a period of time that enables the Controller to verify the accuracy of your personal data;
- processing is unlawful and you refuse to allow the personal data to be deleted and instead request restriction of the use of the personal data;
- the Controller no longer requires personal data for the purposes of processing, but you need this data to assert, exercise or defend legal claims, or
- if you objected to processing pursuant to Article 21 (1) GDPR and it is not yet certain whether the justified grounds of the Controller take precedence over your grounds.
If the processing of personal data relating to you has been restricted, apart from storage this data may only be used with your consent or for the purpose of asserting, exercising or defending legal claims or protecting the rights of another natural or legal person or on grounds of important public interest for the European Union or a Member State.
If the restriction on processing is limited according to the aforementioned conditions, you will be informed by the Controller before the restriction is lifted.
4. Right of deletion
a) Duty of deletion
You may require the Controller to delete your personal data without delay, and the Controller is required to delete that information immediately if one of the following grounds applies:
- Your personal data is no longer necessary for the purposes for which it was collected or otherwise processed.
- You revoke your consent to processing pursuant to Article 6 (1) a) or Article 9 (2) a) GDPR and there is no other legal basis for processing.
- You object to processing pursuant to Article 21 (1) GDPR and there are no overriding justifiable reasons for processing, or you object to processing pursuant to Article 21 (2) GDPR.
- The personal data relating to you has been processed illegally.
- It is necessary to delete personal data relating to you in order to fulfil a legal obligation under European Union law or the law of the Member States incumbent on the Controller.
- The personal data relating to you was gathered in relation to an information society service pursuant to Article 8 (1) GDPR.
b) Information to third parties
If the Controller has made the personal data relating to you public and if he is obliged to delete it pursuant to Article 17 (1) of the GDPR, it shall take the appropriate steps, including technical measures, taking into account available technology and implementation costs, to inform Controllers responsible for data processing who process the personal data that you, as a Data Subject, have demanded the deletion of all links to such personal data or copies or duplicates of such personal data.
c) Exceptions
The right of deletion does not exist if processing is necessary
- in order to exercise the right to freedom of expression and information;
- to fulfil a legal obligation required by the law of the European Union or of the Member States incumbent on the Controller, or to implement a task in the public interest or in the exercise of the official authority conferred on the Controller;
- for reasons of public interest in the area of public health pursuant to Article 9 (2) h) and Article 9 (3) GDPR;
- for archival purposes of public interest, scientific or historical research purposes or for statistical purposes pursuant to Article 89 (1) GDPR, to the extent that the law referred to in subparagraph (a) is likely to render impossible or seriously impair the achievement of the objectives of this processing, or
- to assert, exercise or defend legal claims.
Right to information
If you have the right of correction, deletion or restriction of processing in relation to the Controller, the latter is obliged to notify all recipients to whom your personal data has been disclosed of this correction or deletion of data or restriction of processing, unless this proves to be impossible or requires disproportionate effort.
You are entitled to require the Controller to reveal the identity of these recipients to you.
Right to data transferability
You have the right to receive the personal data that you have supplied to the Controller in a structured, current, machine-readable format. In addition, you have the right to transfer this data to another Controller without hindrance from the Controller to whom the personal data was supplied, provided that
- processing is based on consent pursuant to Article 6 (1) a) GDPR or Article 9 (2) a) GDPR or on a contract pursuant to Article 6 (1) b) GDPR and
- processing involves an automated procedure.
In exercising this right, you are also entitled to require that the personal data relating to you should be transmitted directly from one Controller to another Controller, insofar as this is technically feasible. This must not impair the freedoms and rights of other persons.
The right to data portability does not apply to the processing of personal data necessary for to implement a task in the public interest or in the exercise of the official authority conferred on the Controller.
Right of objection
You have the right to object to processing of your personal data at any time, for reasons that arise from your particular situation pursuant to Article 6 (1) e) or f) GDPR; this also applies to profiling based on these provisions.
The Controller will no longer process personal data relating to you unless he can demonstrate compelling legitimate grounds for processing that outweigh your interests, rights and freedoms, or processing is for the purpose of enforcing, exercising or defending legal claims.
If the personal data relating to you is processed for direct marketing purposes, you have the right to object at any time to the processing of your personal data for the purpose of such advertising; this also applies to profiling insofar as it is associated with such direct marketing.
If you object to processing for direct marketing purposes, your personal data will no longer be processed for these purposes.
Directive 2002/58/EC notwithstanding, you have the option, in the context of the use of information society services, of exercising your right to object through automated procedures that use technical specifications.
Questions/right of appeal to a supervisory authority
If you have further questions regarding the protection of your personal data, this Data Security Policy, declarations of consent and the processing of your personal data or complaints about data protection, you can contact our Data Protection Officer at the following e-mail address: datenschutz@maritim.de
Without prejudice to other administrative or judicial remedies, you shall have the right of appeal to a supervisory authority, in particular in the Member State of your place of residence, employment or the place of the alleged breach, if you believe that the processing of your personal data violates the GDPR.
The supervisory authority is the Data Protection Authority for North Rhine-Westphalia in Dusseldorf.
We take corporate data protection very seriously. We use modern data storage and security techniques to ensure your data gets the best possible protection. Naturally, our security measures are constantly being improved in line with technological developments. Our employees and subcontractors engaged by us (service providers) have been contractually bound by us to confidentiality and compliance with the IT/security regulations and the applicable data protection regulations.
Both we and our contracting partners protect your personal data from unauthorised access, loss, use or disclosure, and ensure that your personal data is kept in a controlled secure environment that complies with legal requirements and that prevents unauthorised access, loss or disclosure.
Technical and organisational measures have been taken in our company to meet the legal requirements of the BDSG and the GDPR and to protect your data against damage, destruction, falsification, manipulation and unauthorised access. Your data is transferred in encrypted form and then stored in a database. All systems in which your personal data is stored are protected against access and are only accessible to a specific group of persons responsible for personnel.
In order to avoid unnecessary amounts of data, we only gather, process and use your personal data insofar as this is necessary within the scope of our service offer.
Data is collected by Maritim Hotelgesellschaft mbH as well as by subcontractors engaged by it.
Amendments to the Data Security Policy
Please note that data protection regulations and data protection practices are subject to constant change and the contents of this Data Security Policy may need to be amended. If so, we will explain the changes to you in a transparent manner. It is also advisable to familiarise yourself with any changes in the legal provisions and practices of our company.
Date 24th of August 2023