Data protection policy


This data protection policy explains to you how, to what extent and what purpose personal data (hereinafter: “data“) is processed within our online activities and any connected websites, functions and contents as well as external online presences, such as our social media profile (hereinafter collectively referred to as: “online services“). With regard to definitions used, such as “personal data“ or their “processing“ we refer to definitions in article 4 of the GDPR (DSGVO).


Responsible party:

Name/Co.: DORMERO Hotel AG
Street, number: Schloßstraße 67
Post code, city, country: 14059 Berlin, Germany
Trade register/number: Handelsgericht Berlin - HRB 80018 B
Authorised representative of the Board: Marcus Maximilian Wöhrl
Telephone number: +49 30 202 13 300
Email address: info(at)dormero.de

Data protection officer:
Name: Tobias Brutsche
Street, no.: Schloßstraße 67
Post code, city, country: 14059 Berlin, Germany
Telephone number: +49 30 202 13 300
Email address: info@dormero.de

Type of processed data:

Basic information (e.g. name, address).
Contact information (e.g. email, telephone number).
Content information (e.g. text entries, photos, videos).
Contract data (e.g. subject of agreement, term, client category).
Payment information (e.g. bank details, payment history).
Usage information (e.g. visited websites, interest in contents, access times). Metacommunication data (e.g. device information, IP-addresses).

Processing special data categories (Art. 9 paragraph 1 GDPR (DSGVO)):

No special data categories are processed.

Categories of people affected by the data processing:

Clients / Potential clients / Suppliers.
Visitors to and users of the online services.
Hereinafter we are referring to the affected people collectively as “users“.

Purpose of the data processing:

To provide access to the website, its contents and functions.
Executing contractual services, client care.
Responding to contact queries and communication with users.
Marketing, advertising and market research.

Status: 23.05.2018

Relevant legal basis


As per the provisions of article 13 DSGVO, we herewith detail the legal grounds of our data processing. If the legal basis of our data processing is not mentioned in the privacy policy, the following applies: the legal basis for obtaining consent is article 6, paragraph 1, point a and article 7 of the DSGVO, the legal basis for processing for the purpose of delivering our services and implementation of contractual measures as well as for responding to queries is article 6, paragraph 1, point b of the DSGVO, the legal basis for processing for the purpose of complying with our legal commitments is article 6, paragraph 1, point c of the DSGVO, and the legal basis for processing for the purpose of protecting our legal interests is article 6 paragraph 1 point f of the DSGVO. If vital interests of the concerned person or those of other natural persons require the processing of personal data, then article 6, paragraph 1, point d of the DSGVO shall be applicable as legal grounds.

Amending and updating the privacy policy

Please check the contents of the privacy policy regularly. We adjust the privacy policy as soon as this is necessary due to any changes implemented in our data processing. We shall inform you as soon as any cooperation action is necessary from you (such as consent) or any other individual notification is necessary due to the changes.

Security measures

We implement measures in accordance with the guidelines in article 32 of the DSGV with consideration to technology, implementation costs, type, scope, conditions and purposes of the processing, as well as taking into account all different likelihood of occurrence, and severity of the risk upon the rights and liberties of natural persons, as well as the appropriate technical and organisational measures, in order to apply the risk-appropriate level of protection. The measures include especially the protection of confidentiality, integrity and availability of data by controlling the physical access to the data, as well as that of any relevant access, input, transmission, securing their availability and separation. We have further implemented processes that provide the consideration of the rights of the affected persons, deletion of data and reaction to threats to the data. Furthermore, we already consider the protection of personal data during the development or selection of hardware, software and processes, in accordance with the principle of data protection through technology development, and through data-protection friendly pre-settings (Art. 25 of the DSGVO).

Special part of the safety measures is the encrypted transmission of data between your browser and our server.

Cooperation with external processors and third parties

As long as we disclose data to other persons and companies (external processors and third parties) as part of our data handling, transmit data to them, or otherwise provide them with access to data, this shall only be carried out on the basis of a contractual permission (e.g. if the transmission of data to third parties, such as payment service providers, pursuant to article 6, paragraph 1, point b of the  DSGVO is necessary to the execution of contractual obligations), or if you have consented to this, or if it is a legal requirement or on the basis of our lawful interest (e.g. when using agents, webhosts, etc.).
If we commission third parties to process data on the basis of the so called “external processing agreement”, then this shall be carried out on the basis of article 28 of the DSGVO.

Transmission to third countries

If we process data in a third country (i.e. outside the European Union (EU) or outside the European Economic Area (EEA)) or if this is undertaken by using the services of third parties or by disclosing or transmitting data to third parties, this shall only take place if it is undertaken for the compliance with our (pre)contractual obligations, on the basis of your consent, on the basis of a statutory obligation, or on the basis of our lawful interests. Subject to statutory or contractual permissions, we process or commission to process data in a third country only if any special conditions of articles 44 ff. of the DSGVO prevail. This means that processing is carried out for example on the basis of certain guarantees, such as the officially acknowledged setting of one of the EU-compliant data protection levels (such as applying the “Privacy
Shield” in the USA) or by complying with officially acknowledged special contractual obligations (so-called “Standard contractual clauses“).

The rights of the affected persons

You are entitled to request a confirmation about whether relevant data is being processed, and to receive information about this data as well as for further information and a copy of the data, pursuant to article 15 of the DSGVO.

Pursuant to article 16 of the DSGVO you have the right to request the completion of information relevant to you and the correction of incorrect data, that is relevant to you.

In accordance with article 17 of the DSGVO you have the right to request that the data concerned should be immediately deleted, or, alternatively, pursuant to the stipulations in article 18 of the DSGVO, you are entitled to request that the processing of the data is limited.

You are entitled to request to receive any data relevant to you that you have provided us with, as well as to request that the data is transmitted to other officials, pursuant to Article 20 of the DSGVO.

You also have the right pursuant to article 77 of the DSGVO, to submit a complaint to the responsible supervisory authority.

Right to revoke

You have the right to revoke your consent pursuant to article 7, paragraph 3 of the DSGVO with effect for the future.

Right to object

You are entitled to object any time to future processing of data relating to you, in accordance with the guidelines of article 21 of the DSGVO. The objection can be especially against the processing of data for the purpose of direct marketing.

Cookies and the right to object to direct marketing

We apply temporary and permanent cookies, i.e. small files, that are saved to the device of the user (for explanation regarding the term and the function, please see the last chapter of this privacy policy). To a certain extent cookies are necessary to secure the operation of our online services (e.g. for the presentation of the website) or to save the user decisions when confirming the cookie banner. In addition, we and our technology partners use cookies to measure reach and for marketing purposes, of which the users are informed in the process of the data protection declaration.

General objection against the use of cookies for online marketing purposes can be declared in regard to many different services, mainly in the case of tracking, via the USA site www.aboutads.info/choices/ or the EU site www.youronlinechoices.com. Furthermore, the saving of cookies can be switched off via the browser settings. Please note that potentially not all functions of the online services will be usable.

Deleting data

Any data processed by us shall be deleted or their processing limited in accordance with the guidelines in articles 17 and 18 of the DSGVO. Unless expressly specified as part of this privacy policy, any data saved by us shall be deleted as soon as they are no longer needed for their intended purpose and there are no legal obligations to retain them. If the data is not deleted because they are needed for other and legally permissible purposes, their processing shall be limited. This means that data shall be barred and not processed for any other purpose. This applies for example to data that must be retained for trading or fiscal law reasons.

Germany: In accordance with legal provisions data is retained for 6 years pursuant to article 257, paragraph 1 of the HGB (accounts, inventories, opening balances, annual accounts, commercial letters, booking confirmations, etc.) and for 10 years pursuant to article 147, paragraph 1, AO (books, notes, status reports, booking confirmations, commercial and business letters, for documents relevant for tax purposes, etc.).

Providing contractual services

We process basic information (e.g. names and addresses, as well as contact details of users), contractual information (e.g. services used, names of contact persons, payment information) for the purpose of fulfilling our contractual obligations and provide our services, in accordance with article 6, paragraph 1, point b of the DSGVO. Entries noted as obligatory in online forms are necessary for the conclusion of the agreement.

User can open a user account as an option, where they can have insight into their settings. As part of the registration, necessary obligatory information of the users is provided. User accounts are not public and cannot be indexed by search engines. If the user cancels the user account, then any data regarding the user account is deleted, unless their retention is necessary for trade and taxation reasons, pursuant to article 6 of paragraph 1 of point c of the DSGVO. It is a duty of the users to secure their data in case of cancellation, before the end of the contract. We are entitled to delete all user data saved during the term of the contract.

As part of the registration and renewed registration as well as during the use of our online-services, we save the IP-address and the time of each user action. Saving is undertaken on the basis of our legitimate interests, as well as those of the users for the protection against abuse and other unauthorised use. Such data is categorically not transmitted, unless this is necessary for the pursuance of our claims or statutory obligations exist in this respect, pursuant to article 6, point c of the DSGVO.

Deletion is undertaken after the expiry of statutory guarantees or comparable obligations, the necessity of retaining any data shall be reviewed every three years; in case of the statutory archiving duties deletion is undertaken upon their expiry (at the end of retention requirements pursuant to commercial (6 years) and fiscal (10years) legal regulations); data within the client account remains until the deletion of the account.

Contact

When contacting us (via the contact page or by email) user information is processed for processing the contact request and its execution pursuant to article 6 of paragraph 1 of point b) of the DSGVO.

User data can be saved in our Customer-Relationship-Management System ("CRM System") or comparable organisation.

We are using the CRM-system “Helpdesk“ of the provider Help Scout Inc., (131 Tremont St, Boston, MA 02111-1338, USA) on the basis of our lawful, efficient and fast processing of user queries. For this purpose, we concluded a contract with Help Scout with so-called standard contractual clauses, wherein Help Scout undertakes to only process user data in accordance with our guidelines, and by adhering to the EU data protection levels. Help Scout is further certified under the Privacy-Shield-Agreement and therefore offers additional guarantees to comply with the European data protection law (https://www.privacyshield.gov/participant?id=a2zt0000000KzX1AAK&status=Active).

We delete requests if they are no longer necessary. We review their necessity every two years: enquiries from clients with an account are saved permanently, and we refer to the deletion of the data in the client account. If statutory archiving obligations apply, then deletion is undertaken upon their expiry (at the end of the retaining obligations set out by commercial law (6 years) and fiscal law (10 years)).

Collecting access data and logfiles

On the basis of our lawful interests pursuant to article 6, paragraph 1, point f of the DSGVO, we collect data about every access to the server, where this service is located (so called server log files). Access data is such as the name of the accessed website or file, date and time of accessing it, the transmitted data quantity, report about successful access, browser type and version, the operating system of the user, referrer URL (the previously visited site), IP-address and the inquiring provider.

Logfile-information is saved for up to seven days for security reasons (e.g. to clarify abusive or fraudulent actions) and then they are deleted. Data that is necessary to retain for longer for evidentiary purposes, are exempt from deletion until the conclusive clarification of the relevant incident.

Online presence in social media

We maintain online presence on the basis of our lawful interests in terms of article 6, paragraph 1, point f of the DSGVO, within the social networks and platforms, in order to communicate with clients, interested parties and users, active in those areas, so that we are able to inform them about our services there. When the relevant networks and platforms are opened, the terms and conditions and the privacy policy of the relevant operator apply.

Unless otherwise specified within the privacy policy, we process user data if they communicate with us within social networks and platforms, e.g. they compose contributions on our online presences or if they send us messages.

Cookies & Measurement of reach


Cookies are information transmitted by our webserver or third-party webservers to the web browser of users and saved there for later retrieval. Cookies can be small files or other types of information storage.

Users are informed about the use of cookies as part of the pseudonym measurement of reach within this privacy policy.

Should the user not want that cookies are saved onto their computer, then they are requested to deactivate the relevant option in the system settings. Saved cookies can be deleted in the system settings of the browser. Rejection of cookies may result in limited functioning of the online services.

You can reject the use of cookies that serve the purpose of measuring reach and of advertising, via the deactivation page of the network advertising initiative (http://optout.networkadvertising.org/) and additionally via the US website (http://www.aboutads.info/choices) or the European Website (http://www.youronlinechoices.com/uk/your-ad-choices/).

Google Analytics

We are using Google Analytics, a web analysing service of Google LLC (“Google”) based on our lawful interests (i.e. our interest in the analysis, optimisation and economic management of our online offer in terms of article 6, paragraph 1, point f of the DSGVO). Google uses cookies. Information generated by the cookies regarding the use of a website by the user, are usually transmitted to one of Google’s servers in the USA and stored there.

Google is certified under the Privacy-Shield-Agreement and therefore guarantees, that the European data protection act is complied with: (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active).

Google uses this information on our behalf, in order to evaluate the use of our online services by the user, to compile reports for us about the activities within the online services and to provide further services in connection with the use of our online services and internet use. During this process, it is possible to compile pseudonym user profiles of the user from the processed data.
We only use Google Analytics with activated IP-anonymisation. This means that the IP-address of the users shall be abbreviated by Google within the member states of the European Union, or in other contracted countries to the agreement about the European Economic Area. Only in exceptional cases shall the full IP-address be transmitted by Google in the USA and abbreviated there.
The IP address transmitted by the browser to the user is not connected to other data from Google. Users are able to prevent cookies from being saved through the relevant setting of their browser software; users can in addition prevent that the information collected by the cookie and linked to use of the website should be sent to Google and that this data should be further processed by Google by downloading and installing the available browser plugin under the following link: tools.google.com/dlpage/gaoptout.

As an alternative to the browser add-on or within the browsers in portable devices please click this link to prevent future collection by Google Analytics within the website. For this an opt-out cookie is saved on your device. If you delete your cookies, you will have to click this link again.

For further information about data use by Google, any settings and objections options please see Google’s web pages: www.google.com/intl/de/policies/privacy/partners (“Data use by Google during your use of websites or apps of our partners: policies.google.com/technologies/ads (“Data use for advertising purposes“), adssettings.google.com/authenticated (“Managing information used by Google for inserting advertising for you“).
Personal data is actually anonymised or deleted after the expiry of 14 months.

Google-Tag Manager

With the Google Tag Manager advertisers are able to manage Website-Tags via an interface. The Manager itself, that inserts the tags functions on the other hand, without cookies, and does not collect personal information. The function of the tag manager is to trigger other tags, that themselves collect data occasionally. You will find the relevant explanations about the respective third parties in this privacy policy. The Google Tag Manager, however, does not use this. If you have set the deactivation of cookies, or dealt with it otherwise, this will be complied with for all Tracking-Tags, used with the Google Tag Manager, this means that the tool does not change your cookie settings.

For further information please consult the user guidelines of Google and Google’s data protection guidelines for this product.

https://www.google.com/intl/de/tagmanager/use-policy.html

Inclusion of third party services and contents

We are using within our website third-party content and service offers on the basis of our legitimate interests (i.e. interest in the analysis, optimisation and economic operation of our website in terms of article 6 paragraph 1, point f of the GDPR), in order to include their contents and services, such as videos or fonts (hereinafter jointly referred to as “contents”). This always implies that the third-party providers of these contents acknowledge the IP-address of the users, since they could not send the contents to their browser without the IP-address. Therefore, the IP-address is necessary for the presentation of these contents. We endeavour to use contents whose respective provider uses the IP-address only to deliver the contents. Third parties can further use so-called pixel-tags (invisible graphics, also called "Web Beacons") for statistics or marketing purposes. Via these "Pixel-Tags" information, such as visitor traffic, can be evaluated on the pages of this website. This pseudonym information can also be saved in cookies on the device of the user and contain amongst others technical information about the browser and operating system, linking websites, visit time and other information about the use of our website, and these can also be linked to such information from other sources.

The following illustration offers an overview of third parties and their contents, together with links to data privacy policies, containing further references regarding the processing of data and any possibilities for objection that have already been partially mentioned here, (so-called Opt-Out):

External fonts of Google, LLC., www.google.com/fonts (“Google Fonts“). The inclusion of the Google Fonts occurs through a server called by Google (usually in the USA). Privacy policy: policies.google.com/privacy, Opt-Out: adssettings.google.com/authenticated.

Maps of the “Google Maps“ service provided by third party Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Data protection declaration: www.google.com/policies/privacy/, Opt-Out: www.google.com/settings/ads/.

Videos of the platform “YouTube” of third party provider Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Data protection: policies.google.com/privacy, Opt-Out: adssettings.google.com/authenticated.

Extranormal code of the JavaScript-Framework “jQuery”, provided by the third-party jQuery Foundation, jquery.org.