Data Privacy Policy

We are pleased that you are visiting our website, and thank you for your interest in our hotel. The protection of personal data is important to us. This is why personal data, for example the name, address, email address or telephone number of a data subject, is processed in agreement with applicable European and national legal provisions.

Where the processing of personal data is required and no legal basis exists for such processing, we generally obtain the consent of the data subject.
Of course, you are able to revoke your declaration(s) of consent at any time with future effect. Please contact the Controller in this respect. You will find the contact details at the bottom of this data protection policy.
This data protection policy applies to Clipper Boardinghouse GmbH & Co. KG and Clipper Hotel Dresden GmbH & Co.KG (hereinafter the ‘Company’).
The aforementioned companies would now like to inform the public about the nature, extent and purpose of personal data processed by it. The rights available to data subjects are also explained to them by means of this data protection policy.

Definitions

The companies’ data protection policy is based on the terms used by European legislators when adopting the EU General Data Protection Regulation (hereinafter: ‘GDPR’). Our data protection policy is intended to be clear and understandable both for the public and our guests and business partners. We would like to explain the terms in advance to guarantee this.

Among others, we use the following terms in this data protection policy and on our website:
Personal data means any information relating to an identified or identifiable natural person (‘data subject’). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Data subject is any identified or identifiable natural person whose personal data is processed by the Controller for processing.
Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Restriction of processing means the marking of stored personal data with the aim of limiting its processing in the future.
Profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
Pseudonymisation means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data is not attributed to an identified or identifiable natural person.
Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Where the purpose and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Recipient means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients.
Third party means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.
Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

Registration

The data subject has the option of registering on the Controller’s website by providing personal data. The personal data provided to the Controller comes from the relevant input screen used for registration. The personal data entered by the data subject is only collected and stored for internal use by the Controller and for in-house purposes. The Controller is able to arrange disclosure to one or more Processors (for example a package service) who also only uses the personal data for internal purposes, assigned to it by the Controller.

Registering on the Controller’s website also stores the IP address, the date and the time of registration provided by the data subject’s Internet Service Provider (ISP). This data is stored against the background that only in this way can our services be prevented from being misused and this data, if required, allows criminal offences and copyright infringements committed to be cleared up. In this respect, storage of this data is required to safeguard that required for the Controller. This data is invariably not disclosed to third parties unless a statutory duty exists, or disclosure serves for criminal or legal prosecution.
Registration of the data subject by voluntarily providing personal data allows the Controller to offer the data subject content or services that can only be offered to registered users due to the nature of the matter. Registered persons are able to have personal data provided on registration completely erased from the Controller’s database.
On request, the Controller will provide each data subject at any time with information about what personal data is stored about the data subject. In addition, the Controller rectifies or erases personal data at the request or instruction of the data subject unless a statutory duty of retention requires otherwise.

Contact

Personal data is also processed by the Companies if communicated by them. This happens, for example, every time you contact us. It goes without saying that we only use personal data communicated in this way for the purpose for which you made it available to us when making contact. This information is only communicated on a voluntarily basis and with your consent. Where information about communication channels (for example email address, telephone number) is involved, you also consent to us contacting you via this communication channel to address your concerns.

 

Security

The companies take numerous technical and organisational measures to protect your personal data against unintentional or unlawful erasure, modification or loss, and against unjustified disclosure or access.

Nevertheless, by way of example internet-based data transfer may present security vulnerabilities, meaning that absolute protection cannot be guaranteed. For this reason, every data subject remains free to send us personal data via alternative methods, for example by telephone.

 

Links to other websites

This website contains links to other websites (so-called external links).

As providers of their own content, the Companies are responsible under applicable European and national legal provisions. Links to content provided by other providers are to be distinguished from in-house content. We have no influence over the operators of other websites complying with applicable European and national statutory provisions. Please refer to the data protection policies provided on the respective websites in this respect. The Companies accept no responsibility for third-party content provided via links and marked separately, and do not make the content its own. The website provider, to whom you are referred, has sole liability for illegal, incorrect, or incomplete content, as well as damage arising due to the use or non-use of information.

 

Cookies

We use cookies to design our online appearance for you in a user friendly manner and to match it ideally to your requirements. Cookies are small text files that are sent by a web server to your browser and stored locally on your device (PC, notebook, tablet, smartphone etc.) as soon as you visit a website.

A range of websites and servers use cookies. Many cookies contain a so-called cookie ID. A cookie ID uniquely identifies the cookie. It consists of a string of characters by which websites and servers can be allocated to the specific web browser in which the cookie was saved. This allows the websites and servers visited to distinguish the data subjects’ individual browsers from other web browsers that contain other cookies. A specific web browser can be recognised and identified via the unique cookie ID. This information serves to recognise you automatically and facilitate browsing for you if you revisit the website with the same device.

You can consent to or reject cookies, including for web tracking, via your web browser’s settings. You can configure your browser in such a way that the acceptance of cookies is always rejected, or you are informed in advance if a cookie is to be saved. In this case, the website’s functionality may be affected (for example when ordering). Your browser offers a function for deleting cookies (for example via ‘clear browser information’). This is possible in all common web browsers. You can find further information in the operating instructions, or in your browser settings as well.

 

Recording general data and information

Every time the website is accessed by a data subject or automated system, the Companies’ websites record a series of general data and information. This general data and information is saved in the server’s log files. The following can be recorded:

· the browser types and versions used
· the operating system used by the accessing system
· the website from which an accessing system reaches our website (so-called referrer)
· subsites that redirect to our website via an accessing system
· the date and time of accessing the website
· a web protocol address (IP address)
· the accessing system’s Internet Service Provider
· other similar data and information serving to avert danger in the event of attacks on our IT systems

The Companies draw no conclusions about the data subject when using this general data and information. On the contrary, this information is required for:
· delivering the content of our website
· optimising the content of our website and for promoting it
· guaranteeing the functionality of our IT systems and the technology of our website
· providing law enforcement authorities with the information required for prosecution in the event of a cyber attackThis anonymously collected data and information is therefore collected by the Companies, on the one hand, for statistical purposes, and on the other evaluated for the purpose of increasing data protection and data security in our companies, and finally for ensuring an optimum level of protection for the personal data processed by us. The anonymous data in the log files is separated from all personal data stored and provided by a data subject.

Routine erasure and blocking of personal data

The data subject’s personal data is only processed by the Controller (in this sense stored as well) for the period required for achieving the purpose of storage, or where this was envisaged by the European Directive and Regulation legislator or other legislator in laws or requirements to which the Controller is subject.

Where the purpose of storage ceases to apply, or a storage period prescribed by a European or other competent legislator expires, personal data is routinely blocked or deleted in accordance with statutory provisions.

 

Rights of the data subject

Right to confirmation: Every data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her is being processed. Where a data subject would like to avail him- or herself of this right of confirmation, he/she can contact the Controller at any time.

Right to information: Everyone subject to the processing of personal data has the right to receive at any time free information from the Controller about personal data stored about his or her identity as well as a copy of this information. In addition, European legislators have granted data subjects information about the following information:

· the purpose of processing
· the categories of personal data processed
· the recipients or categories of recipients to whom personal data is disclosed or not disclosed, in particular with recipients in third countries or with international organisations
· if possible, the planned duration for storing the data or, where this is not possible, the criteria for setting this duration
· the existence of a right to rectification or erasure of personal data concerning him or her, or to restriction of processing by the Controller, or a right to object to processing
· the right to lodge a complaint with a supervisory authority
· if the personal data was not collected from the data subject: All information about the data’s origin
· the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject

In addition, the data subject is entitled to a right to be informed as to whether personal data is passed to a third country or an international organisation. Where this is the case, the data subject is also entitled to receive information about suitable guarantees in connection with the transmission.

Where a data subject would like to avail him- or herself of this right to information, he/she can contact the Controller at any time.

Right to rectification: Every data subject has the right to demand the immediate rectification of incorrect personal data about them. In addition and in consideration of the purpose of processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

Where a data subject would like to avail him- or herself of this right of rectification, he/she can contact the Controller at any time.

Right to erasure (‘right to be forgotten’): Every data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies and where the processing is still required:

· The personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed.
· The data subject revokes his/her consent on which the processing is based in accordance with Article 6 (1) GDPR, or Article 9(2, a) GDPR, and where there is no other basis for the processing.
· The data subject objects to the processing pursuant to Article 21 (1) GDPR and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21 (2) GDPR.
· The personal data has been unlawfully processed.
· The personal data has to be erased for compliance with a legal obligation in a Union or Member State law to which the Controller is subject.
· The personal data has been collected in relation to the offer of information society services referred to in Article 8 (1) GDPR.

Where one of the stated reasons applies and a data subject would like to arrange the erasure of personal data stored with the Companies, he/she can contact the Controller at any time. The requests by the data subject for erasure are then to be complied with without delay.

Where the personal data was disclosed by the Companies and they are obliged as a Controller in accordance with Article 17 (1) DGPR to erase the personal data, the Companies will take appropriate measures, including of a technical nature, in consideration of the available technology and the implementation costs to make other controllers processing personal data aware that the data subject has requested the other controller to erase all links to this personal data, or copies or reproduction of this personal data where processing is not required. The Controller will then arrange as necessary in the individual case.

Right to restriction of processing: Any data subject shall have the right to obtain from the controller restriction of processing where one of the following applies:

· The accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data
· The processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of its use instead.
· The controller no longer needs the personal data for the purposes of the processing, but it is required by the data subject for the establishment, exercise or defence of legal claims.
· The data subject has objected to processing pursuant to Article 21 (1) GDPR pending the verification whether the legitimate grounds of the controller override those of the data subject.

Where one of the stated requirements is in place and a data subject would like to demand the restriction of personal data stored with the Companies, he/she can contact the Controller at any time, they can contact the controller in this respect at any time. This restriction to processing is then arranged without delay.

Right to data portability: Every data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format. He/she also has the right to transmit this data to another controller without hindrance from the controller to which the personal data has been provided where the processing is based on consent pursuant to point (a) of Article 6 (1) GDPR or point (a) of Article 9 (2) GDPR or on a contract pursuant to point (b) of Article 6 (1) GDPR, and the processing is carried out by automated means, provided the processing is not required for performance of a task carried out in the public interest or in exercise of official authority vested in the Controller.

In exercising his or her right to data portability pursuant to paragraph 1, the data subject shall also have the right under Article 20 (1) to have the personal data transmitted directly from one controller to another, where technically feasible and provided that the rights and freedoms or other people are not adversely affected.

The data subject is entitled to contact the Controller to assert the right of data portability at any time.

Right to object: Every data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6(1) GDPR. This includes profiling based on these provisions.

The Companies shall no longer process the personal data in the event of an objection unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.

Where the Companies process personal data for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing. This also includes profiling to the extent that it is related to such direct marketing. Where the data subject objects to the Companies to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.

In addition, where personal data is processed for scientific or historical research purposes or statistical purposes pursuant to Article 89(1) GDPR, the data subject, on grounds relating to his or her particular situation, shall have the right to object to processing of personal data concerning you, unless the processing is necessary for such performance of a task carried out for reasons of public interest.

The data subject is entitled to contact the Controller to exercise the right to object at any time. In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, the data subject may exercise his or her right to object by automated means using technical specifications.

Automated individual decision-making, including profiling: Every data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her, where the decision:

· is not required for entering into or performing a contract between the data subject and the controller, or is permitted based on the legal provisions of the EU or Member States, to which the controller is subject, and these legal provisions contain appropriate measures for safeguarding rights and freedoms as well as the justified interests of the data subject, or
· is with the express consent of the data subject.

Where the decision to enter into or perform a contract between the data subject and the controller is required or occurs with the express consent of the data subject, the Companies take the appropriate measures to safeguard the rights and freedoms as well as justified interests of the data subject, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.

Where the data subject would like to assert rights with regard to automated decisions, he/she can contact the Controller at any time.

Right to withdraw consent under data protection legislation: Every data subject has the right to withdraw his or her consent to processing of personal data at any time.

Where the data subject would like to assert his or her right to withdraw consent, he/she can contact the Controller at any time.

 

Data protection with applications and in the application procedure

The controller collects and processes the personal data of applicants for the purpose of processing the application. Processing can also be electronically. This is particularly the case if an applicant transmits corresponding application documents electronically, for example by email, to the controller. Where the controller enters into an employment contract with the applicant, the data transmitted is stored for processing the employment relationship in consideration of statutory provisions. Where no employment contract is entered into by the controller with the applicant, the application documents are erased six months after notification of the rejection decision provided that erasure does not contradict other justified interests of the controller. An example of justified interests in this respect is an onus of proof in proceedings in accordance with the General Equality Act (AGG).

 

Use of Google Analytics (with anonymisation function)

This website uses Google Analytics, a web analysis service of Google Inc. (‘Google’). Google Analytics uses Cookies, text files stored on your computer that allow analysis of how you use the website. The information generated by the cookie about your usage of this website (including your IP address) is generally passed to and stored on a Google server in the USA. In the event of IP anonymisation activated on this website, your IP address is abbreviated within Member States of the European Union or in other Signatory States to the Agreement on the European Economic Area beforehand. The full IP address is only forwarded to and abbreviated on a Google server in the USA in exceptional cases. Google will use this information on behalf of the website’s operator to evaluate your use of the website, compile reports about website activity for the website operator, and to provide the website operator with services associated with use of the website and internet. The IP address provided from your browser by Google Analytics is not combined with other data from Google. You can prevent the storage of cookies by setting your browser software appropriately. However, we would like to point out that in this case, not all functions of this website may work to their full extent. You can also prevent the collection of data generated by the cookie and referring to the use on your website (including your IP address) by Google and also the processing of this data by downloading and installing the browser plugin available via the following link http://tools.google.com/dlpage/gaoptout?hl=de.

You can prevent collection by Google Analytics by clicking on the link below. This installs an ‘opt-out’ cookie on your browser preventing your data from being collected when you visit the website in the future.

Disable Google Analytics
You will find more detailed information about conditions of use and data protection at http://www.google.com/analytics/terms/de.html or, as may apply, under https://www.google.de/intl/de/policies/

In light of the discussion around using analysis tool with complete IP addresses, the Companies would like to point out that in order to rule out identification or the ability to identify a natural person, IP addresses are only processed on this website in a restricted manner as we use Google Analytics with the extension _anonymizelp().

 

 

Social plugins

As an additional service, our website offers you so-called social plugins allowing interaction with the social media Facebook, Google+ and Twitter. Please log out beforehand from these services to prevent the accidental transfer of user data.

 

Using Facebook social plugins

So-called social plugins (‘plugins’) of the social network Facebook are used on our website, which is operated by Facebook Inc., 1601 S. California Ave, Palo Alto, CA 94304, USA (‘Facebook’). The plugins are identified with a Facebook logo or by adding ‘Social plugin from Facebook’ or, as may apply. ‘Facebook Social Plugin’. You will find an overview of Facebook plugins here: https://developers.facebook.com/docs/plugins

If you call up a page of our website containing a social plugin, your browser establishes a direct link to the Facebook server. The content of the plugin is sent directly to your browser by Facebook and integrated in the page. This integration provides Facebook with the information that your browser has accessed the corresponding page of our website, even if you have no Facebook profile or are not currently logged into Facebook. This information (including your IP address) is sent directly to a Facebook server in the USA and stored there.

If you are logged in to Facebook, Facebook is able to directly assign our website to your Facebook profile. If you interact with the plugins, for example by pressing ‘Like’ or adding a comment, this information is also sent directly to a Facebook server and stored there. The information is also posted on your Facebook profile and displayed to your Facebook friends.

Please refer to the Facebook data protection policy for the scope and purpose of data collection, the further processing and use of data by Facebook, as well as the setting options for protecting your privacy: http://www.facebook.com/policy.php

If you do not want Facebook to directly assign data collected via our website to your Facebook profile, you need to log out of Facebook before visiting our website. You can also completely prevent the loading of Facebook plugins with add-ons for your browser, e.g. with the ‘Facebook Blocker’ (http://webgraph.com/resources/facebookblocker/).

 

Use of Google+ plugins (e.g. ‘+1’-Button)

So-called social plugins (‘plugins’) of the social network Google+ are used on our website, which is operated by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (‘Google’). For example, plugins are identifiable with buttons with the character ‘+1’ on a white or coloured background. An overview of Google plugins and their appearance can be found here: https://developers.google.com/+/plugins

If you call up a page of our website containing such a plugin, your browser establishes a direct connection to the Google servers. The content of the plugin is sent directly to your browser by Google and integrated in the page. This integration provides Google with the information that your browser has accessed the corresponding page of our website, even if you have no profile with Google+ or are not currently logged into Google+. This information (including your IP address) is sent directly to a Google server in the USA and stored there.

If you are logged in to Google+, Google+ is able to directly assign our website to your Google+ profile. If you interact with the plugins, for example by pressing ‘+1’ button, the corresponding information is also sent directly to a Google server and stored there. The information is also published on Google+ and shown to your contacts.

Please refer to the Google+ data protection policy for the scope and purpose of data collection and the further processing and use of data by Google, as well as the setting options for protecting your privacy: http://www.google.com/intl/de/+/policy/+1button.html

If you do not want Google to directly assign data collected via our website to your profile on Google+, you need to log out of Google+ before visiting our website. You can also completely prevent the loading of Google plugins with add-ons for your browser, e.g. with the ‘NoScript’ script blocker (http://noscript.net/).

 

Use of Twitter plugins (e.g. ‘Twitter’ button)

So-called social plugins (‘plugins’) of the microblogging service Twitter are used on our website, which is operated by Twitter Inc., 1355 Market St, Suite 900, San Francisco, CA 94103, USA (‘Twitter’). By way of example, the plugins are identified with a Twitter logo in the form of a blue ‘Twitter bird’. An overview of Twitter plugins and their appearance can be found here: https://twitter.com/about/resources/buttons

If you call up a page of our website containing such a plugin, your browser establishes a direct connection to the Twitter servers. The content of the plugin is sent directly to your browser by Twitter and integrated in the page. This integration provides Twitter with the information that your browser has accessed the corresponding page of our website, even if you have no profile with Twitter or are not currently logged into Twitter. This information (including your IP address) is sent directly to a Twitter server in the USA and stored there.

If you are logged in to Twitter, Twitter is able to directly assign our website to your Twitter account. If you interact with the plugins, for example by pressing ‘Twitter’ button, the corresponding information is also sent directly to a Twitter server and stored there. The information is also published on your Twitter account and shown to your contacts.   Please see Twitter’s privacy policy for the purpose and scope of data collection and the further processing and use of data by Twitter, as well as your associated rights and setting options for protecting your privacy: https://twitter.com/privacy

If you do not want Twitter to directly assign data collected about our website to your Twitter account, you need to log out of Twitter before visiting our website.. You can also completely prevent the loading of Twitter plugins with add-ons for your browser, e.g. with the ‘NoScript’ script blocker (http://noscript.net/).

 

Name and address of the Controller

Verwaltung Clipper Hotel & Boardinghouse GmbH
Große Elbstraße 47
22767 Hamburg
Tel.: +49 40 3766 0
Email: info(at)hotel-elbflorenz.de
Manager:
Nathalie Büll-Testorp

 

Name and address of the Data Protection Officer

Please post your enquiry to:
B&L Gruppe
Große Elbstraße 47
22767 Hamburg
Email: datenschutz(at)bl-gruppe.de.
Instead of using the post, please email @. The writing style used by us serves to protect against spam.

Changed to the data protection policyWe reserve the right to amend our data protection policy and these guidelines in order to adjust to any changes to any relevant laws or, as may apply, regulations or better meet your requirements. Potential changes to our data protection practices are notified accordingly here. In this respect, please take note of the up-to-date version date of the data protection policy.

Hamburg, February 2018