This data protection policy explains to you how, to what extent and what purpose personal data (hereinafter: “data“) is processed within our online activities and any connected websites, functions and contents as well as external online presences, such as our social media profile (hereinafter collectively referred to as: “online services“). With regard to definitions used, such as “personal data“ or their “processing“ we refer to definitions in article 4 of the GDPR (DSGVO).
Name/Co.: DORMERO Hotel AG
Street, number: Schloßstraße 67
Post code, city, country: 14059 Berlin, Germany
Trade register/number: Handelsgericht Berlin - HRB 80018 B
Authorised representative of the Board: Marcus Maximilian Wöhrl
Telephone number: +49 30 202 13 300
Data protection officer:
Name: Tobias Brutsche
Street, no.: Schloßstraße 67
Post code, city, country: 14059 Berlin, Germany
Telephone number: +49 30 202 13 300
Type of processed data:
Basic information (e.g. name, address).
Contact information (e.g. email, telephone number).
Content information (e.g. text entries, photos, videos).
Contract data (e.g. subject of agreement, term, client category).
Payment information (e.g. bank details, payment history).
Usage information (e.g. visited websites, interest in contents, access times). Metacommunication data (e.g. device information, IP-addresses).
Processing special data categories (Art. 9 paragraph 1 GDPR (DSGVO)):
No special data categories are processed.
Categories of people affected by the data processing:
Clients / Potential clients / Suppliers.
Visitors to and users of the online services.
Hereinafter we are referring to the affected people collectively as “users“.
Purpose of the data processing:
To provide access to the website, its contents and functions.
Executing contractual services, client care.
Responding to contact queries and communication with users.
Marketing, advertising and market research.
Relevant legal basis
We implement measures in accordance with the guidelines in article 32 of the DSGV with consideration to technology, implementation costs, type, scope, conditions and purposes of the processing, as well as taking into account all different likelihood of occurrence, and severity of the risk upon the rights and liberties of natural persons, as well as the appropriate technical and organisational measures, in order to apply the risk-appropriate level of protection. The measures include especially the protection of confidentiality, integrity and availability of data by controlling the physical access to the data, as well as that of any relevant access, input, transmission, securing their availability and separation. We have further implemented processes that provide the consideration of the rights of the affected persons, deletion of data and reaction to threats to the data. Furthermore, we already consider the protection of personal data during the development or selection of hardware, software and processes, in accordance with the principle of data protection through technology development, and through data-protection friendly pre-settings (Art. 25 of the DSGVO).
Special part of the safety measures is the encrypted transmission of data between your browser and our server.
Cooperation with external processors and third parties
As long as we disclose data to other persons and companies (external processors and third parties) as part of our data handling, transmit data to them, or otherwise provide them with access to data, this shall only be carried out on the basis of a contractual permission (e.g. if the transmission of data to third parties, such as payment service providers, pursuant to article 6, paragraph 1, point b of the DSGVO is necessary to the execution of contractual obligations), or if you have consented to this, or if it is a legal requirement or on the basis of our lawful interest (e.g. when using agents, webhosts, etc.).
If we commission third parties to process data on the basis of the so called “external processing agreement”, then this shall be carried out on the basis of article 28 of the DSGVO.
Transmission to third countries
If we process data in a third country (i.e. outside the European Union (EU) or outside the European Economic Area (EEA)) or if this is undertaken by using the services of third parties or by disclosing or transmitting data to third parties, this shall only take place if it is undertaken for the compliance with our (pre)contractual obligations, on the basis of your consent, on the basis of a statutory obligation, or on the basis of our lawful interests. Subject to statutory or contractual permissions, we process or commission to process data in a third country only if any special conditions of articles 44 ff. of the DSGVO prevail. This means that processing is carried out for example on the basis of certain guarantees, such as the officially acknowledged setting of one of the EU-compliant data protection levels (such as applying the “Privacy
Shield” in the USA) or by complying with officially acknowledged special contractual obligations (so-called “Standard contractual clauses“).
The rights of the affected persons
You are entitled to request a confirmation about whether relevant data is being processed, and to receive information about this data as well as for further information and a copy of the data, pursuant to article 15 of the DSGVO.
Pursuant to article 16 of the DSGVO you have the right to request the completion of information relevant to you and the correction of incorrect data, that is relevant to you.
In accordance with article 17 of the DSGVO you have the right to request that the data concerned should be immediately deleted, or, alternatively, pursuant to the stipulations in article 18 of the DSGVO, you are entitled to request that the processing of the data is limited.
You are entitled to request to receive any data relevant to you that you have provided us with, as well as to request that the data is transmitted to other officials, pursuant to Article 20 of the DSGVO.
You also have the right pursuant to article 77 of the DSGVO, to submit a complaint to the responsible supervisory authority.
Right to revoke
You have the right to revoke your consent pursuant to article 7, paragraph 3 of the DSGVO with effect for the future.
Right to object
You are entitled to object any time to future processing of data relating to you, in accordance with the guidelines of article 21 of the DSGVO. The objection can be especially against the processing of data for the purpose of direct marketing.
Cookies and the right to object to direct marketing
Germany: In accordance with legal provisions data is retained for 6 years pursuant to article 257, paragraph 1 of the HGB (accounts, inventories, opening balances, annual accounts, commercial letters, booking confirmations, etc.) and for 10 years pursuant to article 147, paragraph 1, AO (books, notes, status reports, booking confirmations, commercial and business letters, for documents relevant for tax purposes, etc.).
Providing contractual services
We process basic information (e.g. names and addresses, as well as contact details of users), contractual information (e.g. services used, names of contact persons, payment information) for the purpose of fulfilling our contractual obligations and provide our services, in accordance with article 6, paragraph 1, point b of the DSGVO. Entries noted as obligatory in online forms are necessary for the conclusion of the agreement.
User can open a user account as an option, where they can have insight into their settings. As part of the registration, necessary obligatory information of the users is provided. User accounts are not public and cannot be indexed by search engines. If the user cancels the user account, then any data regarding the user account is deleted, unless their retention is necessary for trade and taxation reasons, pursuant to article 6 of paragraph 1 of point c of the DSGVO. It is a duty of the users to secure their data in case of cancellation, before the end of the contract. We are entitled to delete all user data saved during the term of the contract.
As part of the registration and renewed registration as well as during the use of our online-services, we save the IP-address and the time of each user action. Saving is undertaken on the basis of our legitimate interests, as well as those of the users for the protection against abuse and other unauthorised use. Such data is categorically not transmitted, unless this is necessary for the pursuance of our claims or statutory obligations exist in this respect, pursuant to article 6, point c of the DSGVO.
Deletion is undertaken after the expiry of statutory guarantees or comparable obligations, the necessity of retaining any data shall be reviewed every three years; in case of the statutory archiving duties deletion is undertaken upon their expiry (at the end of retention requirements pursuant to commercial (6 years) and fiscal (10years) legal regulations); data within the client account remains until the deletion of the account.
When contacting us (via the contact page or by email) user information is processed for processing the contact request and its execution pursuant to article 6 of paragraph 1 of point b) of the DSGVO.
User data can be saved in our Customer-Relationship-Management System ("CRM System") or comparable organisation.
We are using the CRM-system “Helpdesk“ of the provider Help Scout Inc., (131 Tremont St, Boston, MA 02111-1338, USA) on the basis of our lawful, efficient and fast processing of user queries. For this purpose, we concluded a contract with Help Scout with so-called standard contractual clauses, wherein Help Scout undertakes to only process user data in accordance with our guidelines, and by adhering to the EU data protection levels. Help Scout is further certified under the Privacy-Shield-Agreement and therefore offers additional guarantees to comply with the European data protection law (https://www.privacyshield.gov/participant?id=a2zt0000000KzX1AAK&status=Active).
We delete requests if they are no longer necessary. We review their necessity every two years: enquiries from clients with an account are saved permanently, and we refer to the deletion of the data in the client account. If statutory archiving obligations apply, then deletion is undertaken upon their expiry (at the end of the retaining obligations set out by commercial law (6 years) and fiscal law (10 years)).
Collecting access data and logfiles
On the basis of our lawful interests pursuant to article 6, paragraph 1, point f of the DSGVO, we collect data about every access to the server, where this service is located (so called server log files). Access data is such as the name of the accessed website or file, date and time of accessing it, the transmitted data quantity, report about successful access, browser type and version, the operating system of the user, referrer URL (the previously visited site), IP-address and the inquiring provider.
Logfile-information is saved for up to seven days for security reasons (e.g. to clarify abusive or fraudulent actions) and then they are deleted. Data that is necessary to retain for longer for evidentiary purposes, are exempt from deletion until the conclusive clarification of the relevant incident.
Online presence in social media
Cookies & Measurement of reach
Cookies are information transmitted by our webserver or third-party webservers to the web browser of users and saved there for later retrieval. Cookies can be small files or other types of information storage.
Should the user not want that cookies are saved onto their computer, then they are requested to deactivate the relevant option in the system settings. Saved cookies can be deleted in the system settings of the browser. Rejection of cookies may result in limited functioning of the online services.
Google is certified under the Privacy-Shield-Agreement and therefore guarantees, that the European data protection act is complied with: (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active).
Google uses this information on our behalf, in order to evaluate the use of our online services by the user, to compile reports for us about the activities within the online services and to provide further services in connection with the use of our online services and internet use. During this process, it is possible to compile pseudonym user profiles of the user from the processed data.
We only use Google Analytics with activated IP-anonymisation. This means that the IP-address of the users shall be abbreviated by Google within the member states of the European Union, or in other contracted countries to the agreement about the European Economic Area. Only in exceptional cases shall the full IP-address be transmitted by Google in the USA and abbreviated there.
The IP address transmitted by the browser to the user is not connected to other data from Google. Users are able to prevent cookies from being saved through the relevant setting of their browser software; users can in addition prevent that the information collected by the cookie and linked to use of the website should be sent to Google and that this data should be further processed by Google by downloading and installing the available browser plugin under the following link: tools.google.com/dlpage/gaoptout.
As an alternative to the browser add-on or within the browsers in portable devices please click this link to prevent future collection by Google Analytics within the website. For this an opt-out cookie is saved on your device. If you delete your cookies, you will have to click this link again.
For further information about data use by Google, any settings and objections options please see Google’s web pages: www.google.com/intl/de/policies/privacy/partners (“Data use by Google during your use of websites or apps of our partners: policies.google.com/technologies/ads (“Data use for advertising purposes“), adssettings.google.com/authenticated (“Managing information used by Google for inserting advertising for you“).
Personal data is actually anonymised or deleted after the expiry of 14 months.
For further information please consult the user guidelines of Google and Google’s data protection guidelines for this product.
Inclusion of third party services and contents
We are using within our website third-party content and service offers on the basis of our legitimate interests (i.e. interest in the analysis, optimisation and economic operation of our website in terms of article 6 paragraph 1, point f of the GDPR), in order to include their contents and services, such as videos or fonts (hereinafter jointly referred to as “contents”). This always implies that the third-party providers of these contents acknowledge the IP-address of the users, since they could not send the contents to their browser without the IP-address. Therefore, the IP-address is necessary for the presentation of these contents. We endeavour to use contents whose respective provider uses the IP-address only to deliver the contents. Third parties can further use so-called pixel-tags (invisible graphics, also called "Web Beacons") for statistics or marketing purposes. Via these "Pixel-Tags" information, such as visitor traffic, can be evaluated on the pages of this website. This pseudonym information can also be saved in cookies on the device of the user and contain amongst others technical information about the browser and operating system, linking websites, visit time and other information about the use of our website, and these can also be linked to such information from other sources.
The following illustration offers an overview of third parties and their contents, together with links to data privacy policies, containing further references regarding the processing of data and any possibilities for objection that have already been partially mentioned here, (so-called Opt-Out):
Maps of the “Google Maps“ service provided by third party Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Data protection declaration: www.google.com/policies/privacy, Opt-Out: www.google.com/settings/ads.
Videos of the platform “YouTube” of third party provider Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Data protection: policies.google.com/privacy, Opt-Out: adssettings.google.com/authenticated.