Privacy policy

of Wienecke XI. Hotel Hannover GmbH

We are pleased that you are visiting our website and thank you for your interest in our hotel. The protection of personal data is an important concern for us. Therefore, the processing of personal data, such as the name, address, email address, or telephone number of a data subject, is carried out in accordance with the applicable European and national legal provisions.

If the processing of personal data is necessary and there is no legal basis for such processing, we generally obtain the consent of the data subject.

You can, of course, revoke your declaration(s) of consent at any time with effect for the future. Please contact the Controller for this purpose. The contact details can be found at the bottom of this Privacy Policy.

In the following, Wienecke XI. Hotel Hannover GmbH (hereinafter referred to as “we”, “us”, etc.) would like to inform the public about the nature, scope, and purpose of the personal data it processes. Furthermore, data subjects are informed about the rights to which they are entitled by means of this Privacy Policy.

Definitions

Our Privacy Policy is based on the terms used by the European legislator when enacting the EU General Data Protection Regulation (hereinafter referred to as “GDPR”). Our Privacy Policy should be easy to read and understand for the general public as well as for our customers and business partners. To ensure this, we would like to explain the terminology used in advance.

Among other things, we use the following terms in this Privacy Policy and on our website:

Personal data means any information relating to an identified or identifiable natural person (hereinafter “data subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Data subject is any identified or identifiable natural person whose personal data is processed by the Controller.

Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Restriction of processing means the marking of stored personal data with the aim of limiting their processing in the future.

Profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements of that natural person.

Pseudonymisation means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.

Controller or party responsible for the processing is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

Processor is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the Controller.

Recipient is a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients.

Third party is a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.

Consent is any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

Rights of the Data Subject

Right to Confirmation

Every data subject has the right to obtain from the Controller confirmation as to whether or not personal data concerning him or her are being processed. If a data subject wishes to avail himself or herself of this right of confirmation, he or she may at any time contact the Controller.

Right of Access

Any person affected by the processing of personal data has the right to obtain at any time from the Controller, free of charge, information about the personal data stored about him or her and a copy of this information. Furthermore, the European legislator has granted the data subject access to the following information:

  • the purposes of the processing
  • the categories of personal data concerned
  • the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations
  • where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period
  • the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing
  • the right to lodge a complaint with a supervisory authority
  • where the personal data are not collected from the data subject, any available information as to their source
  • the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) of the GDPR and—at least in those cases—meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject

Furthermore, the data subject has the right to obtain information as to whether personal data are transferred to a third country or to an international organisation. Where this is the case, the data subject also has the right to be informed of the appropriate safeguards relating to the transfer.

If a data subject wishes to avail himself or herself of this right of access, he or she may at any time contact the Controller.

Right to Rectification

Any person affected by the processing of personal data has the right to demand the immediate rectification of inaccurate personal data concerning him or her. Furthermore, the data subject has the right, taking into account the purposes of the processing, to have incomplete personal data completed—including by means of a supplementary statement.

If a data subject wishes to exercise this right to rectification, he or she may at any time contact the Controller.

Right to Erasure (Right to be Forgotten)

Any person affected by the processing of personal data has the right to demand from the Controller the immediate erasure of personal data concerning him or her, if one of the following reasons applies and as long as the processing is not necessary:

  • The personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed.
  • The data subject withdraws consent on which the processing is based according to point (a) of Article 6(1) of the GDPR, or point (a) of Article 9(2) of the GDPR, and where there is no other legal ground for the processing.
  • The data subject objects to the processing pursuant to Article 21(1) of the GDPR and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2) of the GDPR.
  • The personal data have been unlawfully processed.
  • The erasure of the personal data is necessary for compliance with a legal obligation in Union or Member State law to which the controller is subject.
  • The personal data have been collected in relation to the offer of information society services referred to in Article 8(1) of the GDPR.

If one of the aforementioned reasons applies and a data subject wishes to arrange for the erasure of personal data stored by us, he or she may contact the Controller at any time. The data subject’s request for erasure will then be complied with immediately.

If the personal data have been made public by us and if our company, as the Controller, is obliged pursuant to Article 17(1) of the GDPR to erase the personal data, we shall take reasonable steps, including technical measures, taking account of available technology and the costs of implementation, to inform other controllers which are processing the published personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data, insofar as the processing is not required. The Controller will arrange the necessary measures in individual cases.

Right to Restriction of Processing

Any person affected by the processing of personal data has the right to obtain from the Controller restriction of processing where one of the following applies:

  • the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data
  • the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead
  • the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims
  • the data subject has objected to processing pursuant to Article 21(1) of the GDPR pending the verification whether the legitimate grounds of the controller override those of the data subject

If one of the aforementioned conditions is met and a data subject wishes to request the restriction of personal data stored by us, he or she may contact the Controller at any time. The restriction of processing will then be arranged immediately.

Right to Data Portability

Any person affected by the processing of personal data has the right to receive the personal data concerning him or her, which he or she has provided to a Controller, in a structured, commonly used and machine-readable format. He or she also has the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where the processing is based on consent or on a contract and the processing is carried out by automated means, provided that the processing is not necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

Furthermore, the data subject has the right to have the personal data transmitted directly from one controller to another, where technically feasible and where this does not adversely affect the rights and freedoms of others.

To assert the right to data portability, the data subject may at any time contact the Controller.

Right to Object

Any person affected by the processing of personal data has the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on legitimate interest or public interest (Art. 6(1) lit. e or f GDPR). This also applies to profiling based on these provisions.

In the event of an objection, we will no longer process the personal data unless we can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.

Where we process personal data for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing. This applies to profiling to the extent that it is related to such direct marketing. If the data subject objects to us processing for direct marketing purposes, we will no longer process the personal data for these purposes.

Furthermore, the data subject has the right, on grounds relating to his or her particular situation, to object to processing of personal data concerning him or her for scientific or historical research purposes or statistical purposes (Art. 89(1) GDPR), unless the processing is necessary for the performance of a task carried out for reasons of public interest.

To exercise the right to object, the data subject may contact the Controller directly. The data subject is also free to exercise his or her right to object by automated means using technical specifications, in connection with the use of information society services, notwithstanding Directive 2002/58/EC.

Automated Individual Decision-Making, Including Profiling

Any person affected by the processing of personal data has the right not to be subject to a decision based solely on automated processing—including profiling—which produces legal effects concerning him or her or similarly significantly affects him or her, provided that the decision:

  • is not necessary for entering into, or performance of, a contract between the data subject and a data controller, or
  • is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests, or
  • is based on the data subject’s explicit consent.

If the decision is necessary for entering into, or performance of, a contract between the data subject and the Controller, or is based on the data subject’s explicit consent, we shall implement suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.

If the data subject wishes to assert rights concerning automated decisions, he or she may contact the Controller at any time.

Right to Withdraw Data Protection Consent

Any person affected by the processing of personal data has the right to withdraw consent to the processing of personal data at any time.

If the data subject wishes to exercise his or her right to withdraw consent, he or she may contact the Controller at any time.

Right to Lodge a Complaint with a Supervisory Authority

Every data subject has the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement, if the data subject considers that the processing of personal data relating to him or her infringes this Regulation, without prejudice to any other administrative or judicial remedy. A list of the State Data Protection Officers and their contact details can be found at the following link:

https://www.bfdi.bund.de/DE/Infothek/Anschriften_Links/anschriften_links-node.html

Cooperation with Processors and Third Parties

Insofar as we disclose data to other persons and companies (Processors or Third Parties) within the framework of our processing, transfer it to them or otherwise grant them access to the data, this is only done on the basis of a legal permission (e.g., if a transfer of the data to third parties, such as payment service providers, is required for the performance of the contract, Art. 6(1) lit. b GDPR), you have consented, a legal obligation provides for this, or on the basis of our legitimate interests (e.g., when using agents, web hosts, etc.).

If we commission third parties with the processing of data on the basis of a so-called “Data Processing Agreement”, this is done on the basis of Article 28 of the GDPR.

Routine Erasure and Blocking of Personal Data

The Controller processes (in this sense also: stores) personal data of the data subject only for the period necessary to achieve the purpose of storage or as far as this is provided for by the European legislator or another legislator in laws or regulations to which the Controller is subject.

If the storage purpose no longer applies or a storage period prescribed by the European legislator or another competent legislator expires, the personal data is routinely blocked or erased in accordance with the statutory provisions.

Data Protection in Applications and the Application Process

The Controller collects and processes the personal data of applicants for the purpose of handling the application process. The processing can also be done electronically. This is particularly the case if an applicant submits corresponding application documents electronically, for example by email, to the Controller. If the Controller concludes an employment contract with an applicant, the transmitted data will be stored for the purpose of processing the employment relationship in compliance with the statutory provisions. If no employment contract is concluded with the applicant by the Controller, the application documents will be automatically erased six months after notification of the rejection decision, provided that no other legitimate interests of the Controller conflict with the erasure. Other legitimate interests in this sense include, for example, a burden of proof in proceedings under the General Equal Treatment Act (AGG).

Security

We take numerous technical and organisational measures to protect your personal data against unintentional or unlawful erasure, alteration or loss and against unauthorised disclosure or unauthorised access.

Nevertheless, internet-based data transfers can generally have security vulnerabilities, so absolute protection cannot be guaranteed. For this reason, every data subject is free to transmit personal data to us by alternative means, e.g., by telephone.

Encryption

This site uses SSL or TLS encryption for security reasons and to protect the transmission of confidential content, such as requests you send to us as the site operator. You can recognise an encrypted connection by the fact that the address line of the browser changes from “http://” to “https://” and by the lock symbol in your browser line.

When encryption is activated, the data you transmit to us cannot be read by third parties.

Collection of General Data and Information

Our website collects a series of general data and information with every access to the website by a data subject or an automated system. This general data and information is stored in the server’s log files. The following can be recorded:

  • the browser types and versions used
  • the operating system used by the accessing system
  • the website from which an accessing system reaches our website (so-called referrers)
  • the sub-websites which are accessed via an accessing system on our website
  • the date and time of access to the website
  • a web protocol address (IP address)
  • the Internet service provider of the accessing system
  • other similar data and information that serves to avert danger in the event of attacks on our information technology systems

When using these general data and information, we do not draw any conclusions about the data subject. Rather, this information is needed to:

  • deliver the content of our website correctly
  • optimize the content of our website and, if applicable, the advertising for it
  • ensure the long-term functionality of our information technology systems and the technology of our website
  • provide law enforcement authorities with the information necessary for criminal prosecution in the event of a cyberattack

These collected data and information are therefore evaluated by us statistically and furthermore with the aim of increasing data protection and data security in our company in order to ultimately ensure an optimal level of protection for the personal data processed by us. The anonymous data of the server log files are stored separately from all personal data provided by a data subject.

This data is not merged with other data sources.

The collection of this data is based on Art. 6(1) lit. f GDPR. The website operator has a legitimate interest in the technically error-free presentation and optimisation of its website—the server log files must be recorded for this purpose.

Inquiry via Email, Telephone or Fax

If you contact us by email, telephone or fax, your inquiry, including all personal data resulting from it (name, inquiry), will be stored and processed by us for the purpose of processing your request. We will not pass on this data without your consent.

The processing of this data is based on Art. 6(1) lit. b GDPR, if your inquiry is related to the performance of a contract or is necessary for the implementation of pre-contractual measures. In all other cases, the processing is based on our legitimate interest in the effective processing of inquiries addressed to us (Art. 6(1) lit. f GDPR) or on your consent (Art. 6(1) lit. a GDPR) if this has been requested.

The data you send us via contact inquiries remains with us until you request us to delete it, revoke your consent to storage, or the purpose for data storage no longer applies (e.g., after your request has been fully processed). Mandatory legal provisions—in particular statutory retention periods—remain unaffected.

Data Transfer from Forms

The data subject has the opportunity to register on the Controller’s website by providing personal data for a data transfer via forms. Which personal data is transmitted to the Controller is determined by the respective input mask used for the registration. The personal data entered by the data subject are collected and stored exclusively for internal use by the Controller and for his own purposes. The data transfer from forms is generally encrypted.

The Controller may arrange for the transfer to one or more processors (e.g., a parcel service provider), who will also use the personal data exclusively for an internal use attributable to the Controller.

By transferring data on the Controller’s website, the IP address assigned by the data subject’s Internet Service Provider (ISP), the date and time of the transfer are also stored. This data is stored against the background that only in this way can the misuse of our services be prevented, and, if necessary, this data enables the investigation of committed criminal offences and copyright infringements. In this respect, the storage of this data is necessary to secure the Controller. As a matter of principle, this data will not be passed on to third parties unless there is a legal obligation to pass it on or the transfer serves criminal or legal prosecution.

The entries made by the data subject with voluntary provision of personal data serve the Controller to offer the data subject content or services that, due to the nature of the matter, can only be offered to these users.

The processing of this data is based on Art. 6(1) lit. b GDPR, if your inquiry is related to the performance of a contract or is necessary for the implementation of pre-contractual measures. In all other cases, the processing is based on our legitimate interest in the effective processing of inquiries addressed to us (Art. 6(1) lit. f GDPR) or on your consent (Art. 6(1) lit. a GDPR) if this has been requested.

The data you send us via contact inquiries remains with us until you request us to delete it, revoke your consent to storage, or the purpose for data storage no longer applies (e.g., after your request has been fully processed). Mandatory legal provisions—in particular statutory retention periods—remain unaffected.

LinkedIn Ads, LinkedIn Analytics and LinkedIn Marketing Solutions

We use services from LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland (hereinafter referred to as “LinkedIn”) on this website.

Within the scope of these services, LinkedIn collects and stores usage data in pseudonymous profiles to enable statistical evaluations of website usage and the success of advertisements, as well as interest-based advertising on our website and on LinkedIn and LinkedIn partner sites. If you are a LinkedIn user, LinkedIn may also combine the data with your user account if necessary. With LinkedIn Marketing Solutions, LinkedIn transmits personal data to us with your consent using a form (so-called LinkedIn Lead Gen Forms).

The legal basis for this processing of your personal data is your consent in accordance with Art. 6(1) lit. a GDPR. You can revoke this consent at any time with effect for the future.

If you have given us consent to contact you via email using a contact form, every email receives an unsubscribe link. Lead Gen Forms are forms pre-filled with LinkedIn profile data that allow members to submit their data, which is publicly visible on the network, with just a few clicks. The inquiries generated via the forms are transferred directly to a Lead Management or CRM tool.

Further information on data protection in the context of LinkedIn services can be found at: www.linkedin.com/legal/privacy-policy

Links to other websites

This website contains links to other websites (so-called external links).

As a provider, we are responsible for our own content in accordance with applicable European and national legal provisions. Links to content provided by other providers are to be distinguished from this own content. We have no influence on whether the operators of other websites comply with the applicable European and national legal provisions. Please inform yourself about the privacy policies provided on the respective website.

Cookies

To make our website user-friendly for you and to optimally tailor it to your needs, we use cookies. Cookies are small text files that are sent by a web server to your browser and stored locally on your end device (PC, notebook, tablet, smartphone, etc.) as soon as you visit a website.

Numerous websites and servers use cookies. Many cookies contain a so-called Cookie ID. A Cookie ID is a unique identifier of the cookie. It consists of a string of characters through which websites and servers can be assigned to the specific web browser in which the cookie was stored. This enables the visited websites and servers to distinguish the individual browser of the data subject from other web browsers that contain other cookies. A specific web browser can be recognised and identified via the unique Cookie ID. This information serves to automatically recognise you and to facilitate navigation when you visit the website again with the same end device.

You can also accept or reject cookies, including those used for web tracking, via your web browser settings. You can configure your browser so that the acceptance of cookies is generally refused or you are informed in advance when a cookie is to be stored. In this case, however, the functionality of the website may be impaired (e.g., when placing orders). Your browser also offers a function to delete cookies (e.g., via “Delete browser data”). This is possible in all common web browsers. Further information on this can be found in the operating instructions or in the settings of your browser.

First-Party Cookies: First-party cookies are permanent cookies that are stored on the computer and only lose their validity when the expiration date assigned to them has passed. The word “party” refers to the domain from which the cookie originates. Unlike third-party cookies, first-party cookies usually originate from the website operator itself. They are therefore not accessible across domains by browsers. For example, website A assigns a cookie A, which is not recognised by website B, but can only be recognised by website A. Data cannot be passed on to third parties in this way.

Third-Party Cookies: With a third-party cookie, the cookie is set and recorded by a third party. These cookies are mostly used by advertisers who use their advertisements on other websites to collect information about the website visitor with the cookies. These are data records that are stored in the user’s web browser when they visit a page with the advertisement. If they visit a page with advertising from the same provider again, they are recognised.

Booking System

We use an online booking system on this website for room reservations. Clicking on the corresponding button opens an input mask with which you can make a room reservation.

If you would like to book a room with us, it is necessary for the conclusion of the contract that you provide the personal data that we require for the processing of your booking. Mandatory information necessary for the execution of the contracts is specially marked; further information is voluntary. The data is entered into an input mask, transmitted to us and stored.

Data is also passed on to the corresponding payment service providers. Data is only passed on to third parties if the transfer is necessary for the purpose of contract processing or for billing purposes or for collecting the payment, or if you have expressly consented. In this regard, we only pass on the respectively required data.

The legal basis is Art. 6(1) lit. b GDPR. With regard to voluntary data, the legal basis for the processing of the data is Art. 6(1) lit. a GDPR.

The mandatory information collected is necessary for the performance of the contract with the user (for the purpose of providing the goods or services and confirming the content of the contract). We therefore use the data to answer your inquiries, to process your booking, if necessary to check creditworthiness or collect a claim, and for the purpose of technical administration of the websites. The voluntary information is provided to prevent misuse and, if necessary, to investigate criminal offences.

The data will be deleted as soon as they are no longer required to achieve the purpose for which they were collected. We are obliged due to commercial and tax law requirements to store your address, payment and order data for a period of ten years after the contract has been carried out. However, we restrict processing after 6 years, i.e. your data is only used to comply with legal obligations. If there is a long-term contractual relationship between us and the user, we store the data for the entire contract duration and for a period of 10 years thereafter (see above). With regard to the voluntarily provided data, we will delete the data 6 years after the contract is carried out, unless another contract is concluded with the user during this time; in this case, the data will be deleted 6 years after the performance of the last contract.

If the data is required for the fulfilment of a contract or for the implementation of pre-contractual measures, premature deletion of the data is only possible if contractual or statutory obligations do not conflict with a deletion. Otherwise, you are free to have the personal data provided during registration completely deleted from the Controller’s database. With regard to the voluntary data, you can declare the revocation to the Controller at any time. In this case, the voluntary data will be deleted immediately.

DialogShift Chatbot

DialogShift Chat Application on our Website

Our website uses the chat application of DialogShift GmbH, Rheinsberger Str. 76/77, 10115 Berlin. This application processes (and in this sense also: stores) data for the purpose of web analysis, operating the chat application, and answering inquiries.

For the operation of the chat function, the chat texts are stored and a cookie with a unique ID is set—this serves to recognise you as a customer.

A cookie is a small text file that is stored locally in the cache on your device. With the help of this cookie, our application recognises the device and can retrieve past chat logs. This cookie is stored for 90 days from last use. You can deactivate the storage of cookies in your browser settings. However, without the use of cookies, the chat function cannot be executed.

The possible disclosure of, for example, names, email addresses or a telephone number is voluntary and with the consent to temporarily use and store this data for the purpose of contact until the end of the contact. This personal data is deleted after 90 days.

The legal basis for data processing is Art. 6(1) lit. f GDPR based on our legitimate interest in effective customer care, statistical analysis of user behaviour, and optimisation purposes of our offers.

DialogShift offers further information on the processing (in this sense also collection and use) of the data as well as on your rights and options for protecting your privacy at https://www.dialogshift.com/datenschutz.

Payment Services

Concardis

For payment processing, we use the payment service provider ConCardis of ConCardis GmbH, Helfmann-Park 7, 65760 Eschborn (hereinafter “ConCardis”). ConCardis is certified according to the “Payment Card Industry Data Security Standard (PCI DSS)” of the credit card companies to ensure the data security of credit card data.

We integrate the credit card payment method via ConCardis. When you submit a payment request on our website, ConCardis forwards the payment information you provided to your credit card provider.

Further information on data protection in connection with credit card payments and ConCardis can be found in the data protection conditions of your credit card provider and here:

Klarna

On our website, we offer, among other things, payment with the services of Klarna. The provider is Klarna AB, Sveavägen 46, 111 34 Stockholm, Sweden (hereinafter “Klarna”).

Klarna offers various payment options (e.g., instalment purchase). If you choose to pay with Klarna, Klarna will collect various personal data from you.

Klarna uses cookies to optimise the use of the Klarna checkout solution. The optimisation of the checkout solution represents a legitimate interest within the meaning of Art. 6(1) lit. f GDPR.

The transfer of your data to Klarna is based on Art. 6(1) lit. a GDPR (consent) and Art. 6(1) lit. b GDPR (processing for the fulfilment of a contract). You have the option to revoke your consent to data processing at any time. A revocation does not affect the effectiveness of data processing operations in the past.

Further information can be read in Klarna’s privacy policy under the following link:

https://www.klarna.com/de/datenschutz

PayPal

On our website, we offer, among other things, payment via PayPal. The provider of this payment service is PayPal (Europe) S.à.r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg (hereinafter “PayPal”).

If you select payment via PayPal, the payment data you entered will be transmitted to PayPal.

The transmission of your data to PayPal is based on Art. 6(1) lit. a GDPR and Art. 6(1) lit. b GDPR. You have the option to revoke your consent to data processing at any time. A revocation does not affect the effectiveness of data processing operations in the past.

Further information on PayPal and the applicable data protection regulations can be found under the following link:

https://www.paypal.com/webapps/mpp/ua/privacy-full

LIVERATE

This website uses the Liverate Widget. The provider is LiveRate GmbH, Metzstraße 12, 81667 Munich, Germany. When you call up a page, your browser loads the required scripts into its browser cache to correctly display the price information widget. For this purpose, the browser you use must connect to the servers of LiveRate GmbH. LiveRate GmbH thus gains knowledge that our website was called up via your IP address.

The use of Liverate is in the interest of achieving the most favourable booking conclusion for our guests. This represents a legitimate interest within the meaning of Art. 6(1) lit. f GDPR.

Further information on Liverate and the handling of user data can be found at:

https://www.liverate.de/company/datenschutz

Content Delivery Networks (CDN)

DigitalOcean Spaces

On our website, we use a so-called Content Delivery Network (“CDN”) of the technology service provider DigitalOcean LLC, 101 Ave of the Americas, 10th Floor, New York 10013, USA (“DigitalOcean”). A Content Delivery Network is an online service with the help of which particularly large media files (such as graphics, page content or scripts) are delivered via a network of regionally distributed servers connected via the Internet. The use of the Content Delivery Network from DigitalOcean helps us to optimise the loading speeds of our website.

The processing is carried out in accordance with Art. 6(1) lit. f GDPR based on our legitimate interest in secure and efficient provision, as well as improvement of the stability and functionality of our website.

Further information can be found in the privacy policy of DigitalOcean at: https://www.digitalocean.com/legal/privacy

Fastly

On our website, we use a Content Delivery Network (“CDN”) of the technology service provider Fastly Inc., 475 Brannan St. #300, San Francisco, CA 94107, USA (“Fastly”).

A Content Delivery Network is an online service with the help of which particularly large media files (such as graphics, page content or scripts) are delivered via a network of regionally distributed servers connected via the Internet. The use of CDN Fastly is in the interest of higher operational reliability, increased protection against data loss, and better loading speed of the website.

The processing is carried out in accordance with Art. 6(1) lit. f GDPR based on our legitimate interest in secure and efficient provision, as well as improvement of the stability and functionality of our website.

Fastly, based in the USA, is certified for the US-European data protection agreement “Privacy Shield”, which ensures compliance with the level of data protection applicable in the EU.

Further information can be found in the privacy policy of Fastly at: https://www.fastly.com/privacy

Google Cloud CDN

We use the Google Cloud CDN Content Delivery Network. The provider is Google Ireland Limited (“Google”), Gordon House, Barrow Street, Dublin 4, Ireland.

Google offers a globally distributed Content Delivery Network. Technically, the information transfer between your browser and our website is routed via Google’s network. This allows us to increase the global accessibility and performance of our website.

The use of Google Cloud CDN is based on our legitimate interest in a service that is as error-free and secure as possible, in accordance with Art. 6(1) lit. f GDPR.

The data transfer to the USA is based on the EU Commission’s standard contractual clauses. Details can be found here:

https://cloud.google.com/terms/eu-model-contract-clause

Further information on Google Cloud CDN can be found here:

https://cloud.google.com/cdn/docs/overview?hl=de

Google Services

Gstatic

A web service from the company Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (hereinafter: Gstatic) is loaded on our website. We use this data to ensure the full functionality of our website. In this context, your browser may transmit personal data to Gstatic.

The legal basis for the use of this web service is your consent in accordance with Art. 6(1) lit. a GDPR.

The data will be deleted as soon as the purpose of its collection has been fulfilled. Further information on the handling of the transmitted data can be found in Google’s privacy policy: https://policies.google.com/privacy

Google Fonts

Google Fonts (https://fonts.google.com/) are used for the visually improved presentation of various information on this website. The web fonts are transferred to the browser’s cache when the page is called up so that they can be used for display.

No cookies are stored on the website visitor’s computer when the page is called up. Data transmitted in connection with the page view is sent to resource-specific domains such as fonts.googleapis.com or fonts.gstatic.com. They are not associated with data that may be collected or used in connection with the parallel use of authenticated Google services such as Gmail.

You can prevent the collection and processing of your data by this web service by refusing your consent when entering the website, deactivating the execution in your browser or installing a script blocker in your browser. If your browser does not support Google Fonts or you prevent access to the Google servers, the text will be displayed in the system’s standard font.

The legal basis for the use of this web service is your consent in accordance with Art. 6(1) lit. a GDPR.

Information on the data protection conditions of Google Fonts can be obtained at: https://developers.google.com/fonts/faq#Privacy

General information on data protection is available in the Google Privacy Center at: https://policies.google.com/privacy

Google Analytics 4

Insofar as you have given your consent, Google Analytics 4, a web analysis service of Google LLC, is used on this website. The controller for users in the EU/EEA and Switzerland is Google Ireland Limited, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland (“Google”).

Type and purpose of the processing

Google Analytics uses cookies that enable an analysis of your use of our websites. The information collected by the cookies about your use of this website is usually transferred to a Google server in the USA and stored there.

We use Google Signals. This collects additional information in Google Analytics about users who have activated personalised ads (interests and demographic data) and ads can be delivered to these users in cross-device remarketing campaigns.

With Google Analytics 4, the anonymisation of IP addresses is activated by default. Due to IP anonymisation, your IP address will be shortened by Google within member states of the European Union or in other contracting states of the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and shortened there. According to Google, the IP address transmitted by your browser as part of Google Analytics will not be merged with other Google data.

During your website visit, your user behaviour is recorded in the form of “events”. Events can be:

  • Page views
  • First visit to the website
  • Start of the session
  • Visited websites
  • Your “click path”, interaction with the website
  • Scrolls (whenever a user scrolls to the end of the page (90%))
  • Clicks on external links
  • Internal search queries
  • Interaction with videos
  • File downloads
  • Advertisements viewed/clicked
  • Language setting

The following is also recorded:

  • Your approximate location (region)
  • Date and time of the visit
  • Your IP address (in abbreviated form)
  • Technical information about your browser and the end devices you use (e.g., language setting, screen resolution)
  • Your Internet service provider
  • The referrer URL (via which website/via which advertising material you came to this website)

Purposes of the processing

On behalf of the operator of this website, Google will use this information to evaluate your use of the website and to compile reports on website activities. The reports provided by Google Analytics are used to analyse the performance of our website and the success of our marketing campaigns.

Recipient

Recipients of the data are/can be:

  • Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (as a processor according to Art. 28 GDPR)
  • Google LLC, 1600 Amphitheatre Parkway Mountain View, CA 94043, USA
  • Alphabet Inc., 1600 Amphitheatre Parkway Mountain View, CA 94043, USA

Third country transfer

The European Commission adopted its adequacy decision for the USA on July 10, 2023. Google LLC is certified under the EU-US Privacy Framework. Since Google servers are distributed worldwide and a transfer to third countries (e.g., to Singapore) cannot be completely ruled out, we have also concluded the EU standard contractual clauses with the provider.

Storage duration

The data sent by us and linked to cookies will be automatically deleted after 2 months. The maximum lifespan of the Google Analytics cookies is 2 years. Data whose retention period has been reached is automatically deleted once a month.

Legal basis

The legal basis for this data processing is your consent in accordance with Art. 6(1) lit. a GDPR and § 25(1) TTDSG.

Revocation

You can revoke your consent at any time with effect for the future by calling up the cookie settings and changing your selection there. The legality of the processing carried out on the basis of the consent up to the revocation remains unaffected by this.

You can also prevent the storage of cookies from the outset by a corresponding setting in your browser software. If you configure your browser so that all cookies are rejected, this may lead to restrictions in functionality on this and other websites. In addition, you can prevent the collection of the data generated by the cookie and related to your use of the website (incl. your IP address) to Google as well as the processing of this data by Google by:

Further information on the terms of use of Google Analytics and data protection at Google can be found at https://marketingplatform.google.com/about/analytics/terms/de/ and at https://policies.google.com/?hl=de.

Google Ads

We use “Google Ads” (formerly Google AdWords), a service of Google Ireland Limited, Google Building Gordon House, Barrow St, Dublin 4, Ireland (hereinafter referred to as “Google”), on our website. Google Ads allows us to draw attention to our attractive offers with the help of advertising materials on external websites. This allows us to determine how successful individual advertising measures are. These advertising materials are delivered by Google via so-called “AdServers”. We use so-called AdServer cookies for this, through which certain parameters for measuring success, such as the display of the advertisements or clicks by the users, can be measured. If you reach our website via a Google advertisement, a Google Ads cookie will be stored on your PC. These cookies usually lose their validity after 30 days. They are not intended to identify you personally. The following information is usually stored as analysis values for this cookie: Unique cookie ID, number of ad impressions per placement (frequency), last impression (relevant for post-view conversions), opt-out information (marking that the user no longer wishes to be addressed). These cookies enable Google to recognise your web browser. If a user visits certain pages of an Ads customer’s website and the cookie stored on their computer has not yet expired, Google and the customer can recognise that the user clicked on the ad and was redirected to this page. A different cookie is assigned to each Ads customer. Cookies can thus not be tracked across the websites of Ads customers. We ourselves do not collect or process any personal data in the advertising measures mentioned. We only receive statistical evaluations from Google. Based on these evaluations, we can recognise which of the advertising measures used are particularly effective. We do not receive any further data from the use of the advertising materials, in particular we cannot identify the users on the basis of this information.
Due to the marketing tools used, your browser automatically establishes a direct connection with the Google server. We have no influence on the scope and further use of the data collected by Google through the use of Google Ads. To the best of our knowledge, Google receives the information that you have called up the corresponding part of our website or clicked on an advertisement from us. If you have a user account with Google and are registered, Google can assign the visit to your user account. Even if you are not registered with Google or have not logged in, it is possible that Google will find out and store your IP address.

We use Google Ads for marketing and optimisation purposes, in particular to display relevant and interesting advertisements for you, to improve the campaign performance reports and to achieve a fair calculation of advertising costs. The legal basis for the use of Google Ads is your consent in accordance with Art. 6(1) lit. a GDPR and § 25(1) TTDSG.

The collected data is stored and processed in the USA, a third country for which there is no adequacy decision by the European Commission.

However, Google bases the data transfer to the USA on the EU-U.S. Data Privacy Framework of the European Commission.

You can prevent the installation of these cookies by refusing your consent to the storage of these cookies when entering the website, deleting existing cookies or deactivating the storage of cookies in the settings of your web browser. We point out that in this case you may not be able to use all the functions of our website to their full extent. The storage of cookies can also be prevented by setting your web browser so that cookies from the domain “www.googleadservices.com” are blocked (https://www.google.de/settings/ads). We point out that this setting will be deleted if you delete your cookies. In addition, you can deactivate interest-based ads via the link http://optout.aboutads.info. We point out that this setting will also be deleted if you delete your cookies.

Information of the third-party provider: Google Ireland Limited, Google Building Gordon House, Barrow St, Dublin 4, Ireland

Further information on data usage by Google, setting and objection options, as well as data protection can be found on the following Google websites:

Google Tag Manager

We use the Google Tag Manager. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.

The Google Tag Manager is a tool with the help of which we can integrate tracking or statistics tools and other technologies on our website. The Google Tag Manager itself does not create user profiles, does not store cookies and does not carry out any independent analyses. It only serves to manage and deploy the tools integrated via it. However, the Google Tag Manager collects your IP address, which can also be transferred to Google’s parent company in the United States.

Google bases the data transfer to the USA on the EU-U.S. Data Privacy Framework of the European Commission.

The use of the Google Tag Manager is based on Art. 6(1) lit. f GDPR. The website operator has a legitimate interest in the quick and uncomplicated integration and management of various tools on its website. If corresponding consent has been requested, the processing is carried out exclusively on the basis of Art. 6(1) lit. a GDPR and § 25(1) TTDSG, insofar as the consent includes the storage of cookies or access to information in the user’s end device (e.g., device fingerprinting) within the meaning of the TTDSG. Consent can be revoked at any time with effect for the future.

Further information on Google Tag Manager and Google’s privacy policy can be found at the following link: https://policies.google.com/privacy

Microsoft Advertising (formerly Bing Ads)

Our website uses the conversion tracking of Microsoft (Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA). Microsoft Advertising sets a cookie on your computer if you have reached our website via a Microsoft Advertising ad. In this way, Microsoft Advertising and we can recognise that someone clicked on an ad, was redirected to our website and reached a previously defined target page (conversion page). We only learn the total number of users who, for example, clicked on a Bing ad and were then redirected to the conversion page. No personal information about the identity of the user is disclosed. If you do not want to participate in the tracking procedure, you can also refuse the setting of a cookie required for this—for example, via a browser setting that generally deactivates the automatic setting of cookies.

The legal basis for the use of Microsoft Advertising is your consent in accordance with Art. 6(1) lit. a GDPR and § 25(1) TTDSG.

The collected data is stored and processed in the USA, a third country for which there is no adequacy decision by the European Commission.

However, Microsoft bases the data transfer to the USA on the EU-U.S. Data Privacy Framework of the European Commission.

Further information on data protection and the cookies used by Microsoft Bing can be found on the Microsoft website:

https://privacy.microsoft.com/de-de/privacystatement

LinkedIn Services

LinkedIn Analytics

We use “LinkedIn Analytics”, a service of LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland (hereinafter referred to as: “LinkedIn”), on our website. LinkedIn Analytics stores and processes information about your user behaviour on our website. LinkedIn Analytics uses, among other things, cookies for this, i.e. small text files that are stored locally in the cache of your web browser on your end device and that enable an analysis of your use of our website.

We use LinkedIn Analytics for marketing and optimisation purposes, in particular to analyse the use of our website and to continuously improve individual functions and offers as well as the user experience. Through the statistical evaluation of user behaviour, we can improve our offer and make it more interesting for you as a user. The legal basis for the use of LinkedIn Analytics is your consent in accordance with Art. 6(1) lit. a GDPR and § 25(1) TTDSG.

You can prevent the installation of cookies by deleting existing cookies and deactivating the storage of cookies in the settings of your web browser. We point out that in this case you may not be able to fully use all functions of our website.

The data transfer to the USA is based on the Standard Data Protection Clauses of the EU Commission (“SCC”). Details can be found here: https://www.linkedin.com/legal/l/dpa and https://www.linkedin.com/legal/l/eu-sccs

You can object to the analysis of user behaviour and targeted advertising by LinkedIn at the following link: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out

Further information from the third-party provider on data protection can be found on the following website: https://www.linkedin.com/legal/privacy-policy

LinkedIn Insight

This website uses the Insight Tag from LinkedIn. The provider of this service is the LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland (hereinafter referred to as “LinkedIn”).

With the help of the LinkedIn Insight Tag, we receive information about the visitors to our website. If a website visitor is registered with LinkedIn, we can, among other things, analyse the professional key data (e.g., career level, company size, country, location, industry, and job title) of our website visitors and thus better align our site with the respective target groups. Furthermore, with the help of LinkedIn Insight Tags, we can measure whether visitors to our websites make a purchase or another action (conversion measurement). Conversion measurement can also take place across devices (e.g., from PC to tablet). LinkedIn Insight Tag also offers a retargeting function, with the help of which we can display targeted advertising to visitors of our website outside the website, whereby, according to LinkedIn, the advertising recipient is not identified.

LinkedIn itself also collects so-called log files (URL, referrer URL, IP address, device and browser properties and time of access). The IP addresses are shortened or (if they are used to reach LinkedIn members across devices) hashed (pseudonymised).

The direct identifiers of LinkedIn members are deleted by LinkedIn after seven days. The remaining pseudonymised data is then deleted within 180 days.

The data collected by LinkedIn cannot be assigned to specific individual persons by us as the website operator. LinkedIn will store the collected personal data of the website visitors on its servers in the USA and use it in the context of its own advertising measures.

The use of LinkedIn Insight is exclusively based on your consent in accordance with Art. 6(1) lit. a GDPR and § 25(1) TTDSG. Consent can be revoked at any time with effect for the future.

The data transfer to the USA is based on the Standard Data Protection Clauses of the EU Commission (“SCC”). Details can be found here: https://www.linkedin.com/legal/l/dpa and https://www.linkedin.com/legal/l/eu-sccs

You can object to the analysis of user behaviour and targeted advertising by LinkedIn at the following link: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out

Furthermore, LinkedIn members can control the use of their personal data for advertising purposes in the account settings. To avoid a link between data collected on our website by LinkedIn and your LinkedIn account, you must log out of your LinkedIn account before visiting our website.

Further information on data protection at LinkedIn can be found in their privacy policy at https://www.linkedin.com/legal/privacy-policy#choices-oblig (in English)

LinkedIn Marketing Solutions

We use “Marketing Solutions (formerly LinkedIn Ads)”, a service of LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland (hereinafter referred to as “Marketing Solutions”), on our website. Marketing Solutions stores and processes information about your user behaviour on our website.

Marketing Solutions uses, among other things, cookies for this, i.e. small text files that are stored locally in the cache of your web browser on your end device and that enable an analysis of your use of our website.

We use Marketing Solutions for marketing and optimisation purposes, in particular to analyse the use of our website and to continuously improve individual functions and offers as well as the user experience. Through the statistical evaluation of user behaviour, we can improve our offer and make it more interesting for you as a user. The legal basis for the use of LinkedIn Marketing Solution is your consent in accordance with Art. 6(1) lit. a GDPR and § 25(1) TTDSG.

You can prevent the installation of cookies by deleting existing cookies and deactivating the storage of cookies in the settings of your web browser. We point out that in this case you may not be able to fully use all functions of our website.

The data transfer to the USA is based on the Standard Data Protection Clauses of the EU Commission (“SCC”). Details can be found here: https://www.linkedin.com/legal/l/dpa and https://www.linkedin.com/legal/l/eu-sccs

Further information from the third-party provider on data protection can be found on the following website: https://www.linkedin.com/legal/privacy-policy

Interactive Map

This website uses an interactive map from Dr. DSGVO. The map is operated locally. This solution is data protection friendly. No personal data is passed on to third parties when the map is called up and operated. Furthermore, no personal data other than that which is technically necessary is collected by us for the retrieval and operation of the map. The map does not use cookies.

Our Social Media Presences

Data processing by social networks

We maintain publicly accessible profiles on social networks. The specific social networks we use can be found below.

Social networks such as Facebook, Twitter, etc. can usually comprehensively analyse your user behaviour if you visit their website or a website with integrated social media content (e.g., like buttons or advertising banners). Visiting our social media presences triggers numerous data protection-relevant processing operations. In detail:

If you are logged into your social media account and visit our social media presence, the operator of the social media portal can assign this visit to your user account. However, your personal data may also be collected if you are not logged in or do not have an account with the respective social media portal. In this case, this data collection takes place, for example, via cookies that are stored on your end device or by recording your IP address.

With the help of the data collected in this way, the operators of the social media portals can create user profiles in which your preferences and interests are stored. This way, interest-based advertising can be displayed to you inside and outside the respective social media presence. If you have an account with the respective social network, the interest-based advertising can be displayed on all devices on which you are or were logged in.

Please also note that we cannot understand all processing operations on the social media portals. Depending on the provider, further processing operations may therefore be carried out by the operators of the social media portals. For details, please refer to the terms of use and data protection provisions of the respective social media portals.

Legal basis

Our social media presences are intended to ensure the most comprehensive presence possible on the Internet. This is a legitimate interest within the meaning of Art. 6(1) lit. f GDPR. The analysis processes initiated by the social networks may be based on deviating legal bases, which must be specified by the operators of the social networks (e.g., consent within the meaning of Art. 6(1) lit. a GDPR).

Controller and assertion of rights

If you visit one of our social media presences (e.g., Facebook), we are jointly responsible with the operator of the social media platform for the data processing operations triggered by this visit. You can generally assert your rights (information, rectification, erasure, restriction of processing, data portability and complaint) both against us and against the operator of the respective social media portal (e.g., against Facebook).

Please note that despite the joint responsibility with the social media portal operators, we do not have full influence on the data processing operations of the social media portals. Our options are largely governed by the company policy of the respective provider.

Storage duration

The data collected directly by us via the social media presence will be deleted from our systems as soon as the purpose for their storage ceases, you request us to delete them, you revoke your consent to storage or the purpose for data storage ceases. Stored cookies remain on your end device until you delete them. Mandatory legal provisions — in particular retention periods — remain unaffected.

We have no influence on the storage period of your data that is stored by the operators of the social networks for their own purposes. For details on this, please inform yourself directly with the operators of the social networks (e.g., in their privacy policy, see below).

Facebook

We have a profile on Facebook. The provider of this service is Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland (hereinafter referred to as “Facebook”). According to Facebook, the collected data is also transferred to the USA and other third countries.

We have concluded an agreement on joint processing (Controller Addendum) with Facebook.

This agreement specifies which data processing operations we or Facebook are responsible for when you visit our Facebook page. You can view this agreement at the following link:

https://www.facebook.com/legal/terms/page_controller_addendum

You can adjust your advertising settings independently in your user account. To do this, click on the following link and log in:

https://www.facebook.com/settings?tab=ads

Details can be found in Facebook’s privacy policy: https://www.facebook.com/about/privacy/

Instagram

We have a profile on Instagram. The provider is Instagram Inc., 1601 Willow Road, Menlo Park, CA, 94025, USA. Details on how they handle your personal data can be found in Instagram’s privacy policy: https://help.instagram.com/519522125107875

Name and Address of the Controller

The Controller within the meaning of the EU General Data Protection Regulation (GDPR), other data protection laws applicable in the member states of the European Union and other provisions relating to data protection is:

Wienecke XI. Hotel Hannover GmbH

Hildesheimer Straße 380
30519 Hannover

Phone: +49 511 – 12 611-0
Fax: +49 511 – 12 611-511

Website: www.wienecke.de
Email: reservierung@wienecke.de

Managing Director:
Andreas Wienecke

Name and Address of the Data Protection Officer

SHIELD GmbH
Martin Vogel
Ohlrattweg 5
25497 Prisdorf

Phone: +49 (0) 4101 / 80 50 600
Email: info@shield-datenschutz.de


Hannover, February 2022

Amendments to the Privacy Policy

We reserve the right to amend our data protection practices and this Privacy Policy, if necessary, to adapt them to changes in relevant laws or regulations or to better meet your needs. Any changes to our data protection practices will be announced here accordingly. Please note the current version date of the Privacy Policy in this regard.

You can prevent the collection and processing of your data by Gstatic by refusing your consent when entering the website, deactivating the execution of script code in your browser or installing a script blocker in your browser.

The data will be deleted as soon as the purpose of its collection has been fulfilled. Further information on the handling of the transmitted data can be found in Google’s privacy policy: https://policies.google.com/privacy

Google

A web service from the company Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland is loaded on our website. We use this data to ensure the full functionality of our website. In this context, your browser may transmit personal data to Google.

You can prevent the collection and processing of your data by this web service by refusing your consent when entering the website, deactivating the execution of script code in your browser or installing a script blocker in your browser.

The legal basis for the use of this web service is your consent in accordance with Art. 6(1) lit. a GDPR.