The controller within the meaning of Article 4 (7) GDPR (General Data Protection Regulation) is the respective company of the VILA VITA Group,

• whose website or online service you are visiting or using (the respective controller is indicated in the imprint of the website or online service) and
• with whom you make an enquiry, a reservation or a booking and have or would like to enter into a contractual relationship for the provision of accommodation and/or catering services. You can find the name of the controller for the service you have used on your invoice, receipt, reservation, booking confirmation, etc.

The companies of the VILA VITA Group work closely together in a variety of activities and services. This also applies to the processing of your personal data. The companies of the VILA VITA Group have therefore concluded an agreement on joint responsibility in accordance with Article 26 GDPR. In it, the parties have agreed who fulfils which obligations under the GDPR. This concerns in particular the fulfilment of the rights of data subjects. Joint responsibility exists on the one hand in the joint processing of customer or guest data to improve our services and on the other, in the areas of guest and customer relations management, for example in the case of bookings or reservations in our hotels and restaurants. Thus, in case of full occupancy, we can offer you alternatives in another hotel or restaurant of the VILA VITA Group or link services, such as joint invoicing. There is also joint responsibility between the parties in the areas of (online) marketing, IT infrastructure and facilities and financial accounting. VILA VITA Marburg GmbH, Anneliese Pohl Allee 17, 35037 Marburg, Germany, has been designated by the VILA VITA Group as the primary controller, in particular for the fulfilment of the rights of data subjects. This does not affect the assertion of your rights against the other companies of the VILA VITA Group.

You can also reach our data protection officer at the above addresses – making sure your correspondence is addressed to “Data Protection Officer” – or at datenschutz@vilavitahotels.com.

2.1.   Relevant legal bases for data processing

If the legal basis is not expressly stated in this Data Protection Notice, the following legal bases apply: 

• If we have obtained your consent for data processing, Article 6 (1) (a) and Article 7 GDPR serve as the legal basis for data processing. If data processing takes place for the fulfilment of our services and the implementation of contractual measures and to respond to enquiries, Article 6 (1) (b) GDPR is the legal basis for the data processing. If data processing serves to fulfil a legal obligation, Article 6 (1) (c) GDPR is the legal basis. Examples of this are the fulfilment of storage periods under commercial law or the fulfilment of tax (archiving) obligations. 
• If the processing of personal data is necessary to protect the legitimate interests of our company or a third party, Article 6 (1) (f) GDPR serves as the legal basis. Legitimate interests particularly include the guaranteeing of IT security and IT operation, the assertion of legal claims and defence in legal disputes, the creation of user statistics, advertising for our own services and products of the companies of the VILA VITA Group, as well as market and opinion research by the aforementioned, provided that direct advertising has not been objected to.
• The companies of the VILA VITA Group are obliged to comply with EU data privacy regulations and to take appropriate measures to ensure data security when exchanging data with each other, as per their Inter-Group Agreement. In addition, the Inter-Group Agreement essentially stipulates that the companies of the VILA VITA Group cooperate and mutually exchange data equally – in particular in the areas of advertising and marketing – in the process adhering to data subjects’ rights (their rights as data subjects, their right to information etc.). It also stipulates that VILA VITA,  with its registered office in Marburg, Germany, is primarily responsible for this.
   

2.2.   Your rights

You have the right

• of access in accordance with Article 15 GDPR, 
• to rectification in accordance with Article 16 GDPR, 
• to erasure in accordance with Article 17 GDPR,
• to restriction of processing in accordance with Article 18 GDPR and
• to data transfer in accordance with Article 20 GDPR.

The restrictions of sections 34 and 35 BDSG (the German Federal Data Protection Act) apply to the rights of access and the right to erasure. 

In addition, you have the right to lodge a complaint with a data protection supervisory authority in accordance with Article 77 GDPR pursuant to section 19 BDSG.

You can withdraw your consent to the processing of your personal data at any time with future effect.
 

2.3. Duration of storage

Where not otherwise stated in this Data Protection Notice, personal data will only be stored for as long as is necessary to fulfil the relevant purpose, or to fulfil our contractual or legal obligations. We are subject to various storage and documentation obligations. These result in particular from the German Handelsgesetzbuch (Commercial Code), the Abgabenordnung (Fiscal Code), the Geldwäschegesetz (Money Laundering Act) and the Meldegesetz (Registration Act). The periods stipulated in these cases may be up to 10 years.

2.4. Transfer of personal data

If we transfer personal data to other persons or companies, this will only be done on the basis of your consent, legal permission, a legal obligation (for example to public bodies and institutions such as supervisory or financial authorities) or an agreement on order processing in accordance with Article 28 GDPR. Further recipient categories can be found in this Data Protection Notice.

2.5.  Transfer of data to third countries

Personal data is only processed outside the European Economic Area if a third country has been confirmed by the European Commission as having an adequate level of data protection pursuant to Article 44 et seqq. GDPR or other appropriate guarantees for the protection of personal data are in place.

2.6.   Automated decision making

Your data is partially automatically processed in order to evaluate certain personal aspects (profiling), for marketing and advertising purposes and to send you personalised advertising by email or post.

Legal and regulatory provisions for combating money laundering, the financing of terrorism and financial crime are also binding for us. Data analyses are also carried out within this context.

3.1. Online services

For the purposes of this Data Protection Notice, “online services” means all 

• websites,
• software applications (apps) and
• social media sites

that are operated by us or for which we are responsible and from which you access this Data Protection Notice.

3.2. Cookies

Our online services make use of cookies, which are small text files that are stored on the user’s terminal device. In addition to so-called session cookies, which are automatically deleted as soon as you log out or close the browser, so-called permanent cookies that recognise a returning user are also used. These cookies are automatically deleted after a specified period of time.
It is always possible to object to the storage of cookies by making the appropriate setting changes in your internet browser. You can delete cookies that have already been stored at any time. If you deactivate cookies, you may not be able to use all the functions of our website fully. Some cookies are necessary for the operation of a website, for example, for shopping baskets in the online shop or to save logins or user settings. Some cookies are also used for security purposes. The legal basis for storing these so-called essential or absolutely necessary cookies is the protection of the aforementioned legitimate interests in accordance with Article 6 (1) (f) GDPR. 
In addition, there are statistics, marketing and personalisation cookies. These are used, for example, to measure reach or to display personalised content that corresponds to the potential interests of a user. If we use statistical, marketing and personalisation cookies, we will inform you about this when you access our website and in this Data Protection Notice. The legal basis is your consent in accordance with Article 6 (1) (a) GDPR. 
 

3.3. Collection of general data and creation of log data

When our online services are accessed, general data and information are automatically collected and stored in a server log. The following data may be collected:

• Information on the browser type and version
• Information on the user’s operating system
• Information on the user’s service provider
• The internet protocol (IP) address of the user or the calling system
• Date and time of access
• The site you reached us from (referrer URL)
• Websites accessed by the user’s system via our website

The processing of this data is used for the provision of our website, to ensure the functionality of our information technology systems and to optimise our website. We statistically evaluate this data and information, which is always collected anonymously, with the aim of ensuring data protection and data security. The data of the log files is always stored separately from other personal data that may be collected and is generally not disclosed to third parties. The erasure of the data takes place automatically after the expiry of the deadline. The legal basis for the temporary processing of the data is the protection of the aforementioned legitimate interests pursuant to Article 6 (1) (f) GDPR.
 

3.4. Contact form and email contact

Some of our websites provide a contact form and an e-mail address that enables you to contact us electronically. If you use one of these options to contact us, the personal data you send us will be automatically stored. The storage and further processing of this data is solely for the purpose of processing your contact request and subsequently contacting you. Data will never be disclosed to third parties outside the VILA VITA Group. The data forwarded by you will be erased after completion of the process, provided that its erasure is not subject to any contractual or legal storage periods. In such a case, the data for which storage is required will be erased after expiry of the storage period. The legal basis for the processing of this data is Article 6 (1) (f) GDPR.

3.5. Newsletter and email advertising

Our newsletter provides information about current products, offers, events and news of the VILA VITA Group (VILA VITA Hotel & Touristik GmbH, VILA VITA Marburg GmbH, Congresszentrum Marburg GmbH & Co. KG). To subscribe, it is generally sufficient to enter your email address. Providing further data is voluntary. If you have subscribed to our newsletter, we will use your email address and, where appropriate, any other data you have voluntarily provided to send the newsletter. If you successfully subscribe to the newsletter, we store the date of your registration and, in the case of registration via a website, also your IP address. This storage serves as proof in the event that a third party makes fraudulent use of an email address and subscribes to the newsletter without the knowledge of the authorised person. The newsletter is sent on the basis of your consent in accordance with Article 6 (1) (a) GDPR. If consent is not required to advertise our own similar goods or services, this is done on the basis of legitimate interests in accordance with Article 6 (1) (f) GDPR in advertising our goods and services, provided that this is legally permitted – for example in the case of advertising to existing customers – and you have not objected to this. We also store the data collected in the subscription process on the basis of legitimate interests in order to, where appropriate, be able to prove your consent if necessary. You can cancel your newsletter subscription at any time by clicking on the unsubscribe link found in each newsletter. Alternatively, you can also contact us directly at the above-mentioned postal or email address. Upon termination, we may store the unsubscribed email addresses for up to three years in order to be able to prove any consent previously given. 

In order to continuously optimise our newsletter and to be able to offer you a user-oriented and secure newsletter, we evaluate individual user activities. We measure how often the newsletter is opened and which links users click on. For this purpose, the newsletter contains a so-called “web beacon”; a file that is retrieved from our server once the newsletter has been opened. This initially collects technical information (for example browser type, operating system, time of retrieval). Whether and when a newsletter was opened and which links were clicked on can also be determined. This information helps us to recognise the usage and reading habits as well as interests of our subscribers in order to adapt content and improve the user experience. The evaluation is based on your consent as well as on our legitimate interests in providing a user-friendly and informative newsletter. 

 

3.6. Analysis and targeting tools, optimisation of our online services and online marketing

3.6.1. Google Analytics (GA4)

We use Google Analytics 4 (GA4), a user analysis service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (Google Ireland). The user analysis is carried out using a pseudonymous user identification number. This is used to assign information to an end device. The information collected helps us to evaluate visitor flows and to better understand how visitors use the website. In this way, we can design and improve our website to meet the needs of our visitors. To this end, GA4 collects information on what content you have accessed, how long the visit lasted, from where you came to us, and what search terms you may have used or which sources link to our site. We can also recognise a renewed visit to our website in this way. The IP address is shortened by the last two digits by default and is not logged. In addition to the above information, GA4 may also collect geo-information, e.g. on the user's location, from where our online services were used or accessed (city, including latitude and longitude, country, continent). Even if Google processes the user data on servers within the EU, processing of the data in third countries, in particular the USA, cannot be completely ruled out, as data from Google Ireland may be passed on to the parent company, Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Processing of data for the purpose of user analysis only takes place with your consent. The legal basis is therefore Art. 6 para. 1 lit. a DSGVO. If no consent is obtained, the processing is based on the legitimate interests described above in accordance with Art. 6 (1) lit. f DSGVO. The order processing agreed upon with Google as well as standard contractual clauses to ensure the level of data protection in the case of processing in third countries, can be viewed at https://business.safety.google/adsprocessorterms/. Additional information on the types of processing and the data processed can be found here: https://privacy.google.com/businesses/adsservices. Google's terms of use and privacy notices for Google Analytics can be found at https://policies.google.com/terms?hl=en and https://policies.google.com/privacy. Further information on Google Analytics can also be found at https://marketingplatform.google.com/intl/en_uk/about/analytics/. You can find an objection option here: https://tools.google.com/dlpage/gaoptout?hl=en.

3.6.2. Google marketing services

We use marketing and remarketing services provided by Google Inc, 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, USA. Google’s marketing services (including Google Adwords, Google Conversion Tracking, Google Optimize and Google Double Click) allow us to display more targeted ads, for example to show users on our website or on other websites with only those advertisements that potentially match their interests. 
If you access an online service that uses Google’s marketing services, a cookie will be stored on your terminal device, through which cookies from various domains can be set (including google.com, doubleclick.net, etc.). The stored cookie saves which websites you have visited, which content you were interested in and which offers you clicked on. In addition, technical details about the browser and operating system, referring websites, the duration of the visit and other details about the use of the online offer are collected. Your IP address will also be collected, but will be truncated within Member States of the European Union or in other contracting states of the Agreement on the European Economic Area. Only in exceptional cases will it be transferred in full to a Google server in the USA and truncated there. The IP address will not be merged with other data from other Google services. Google may combine the aforementioned information with such information from other sources. If you subsequently visit other websites, ads tailored to your interests may be displayed in this way. User data is processed in pseudonymised form as part of Google’s marketing services, i.e. without storing and processing the name or email address of the user. This does not apply if a user has expressly allowed Google to process the data without pseudonymisation. The information collected about users by Google’s marketing services is transmitted to Google and stored on Google’s servers in the USA.  
The Google marketing services we use include, among other things, the online advertising programme Google AdWords. Every AdWords customer receives a so-called conversion cookie. The information obtained with the help of the cookie is used to create conversion statistics for AdWords customers who have opted for conversion tracking. AdWords customers are informed of the total number of users who have clicked on their ad and have been redirected to a site equipped with a conversion tracking tag. However, they do not receive any information with which users can be personally identified. 
The legal basis for data processing is your consent in accordance with Article 6 (1) (a) GDPR. If consent is not obtained, processing is based on the legitimate interests described above in accordance with Article 6 (1) (f) GDPR.

The applicable terms of service and terms of use of Google Marketing Services can be found at policies.google.com/technologies/ads.

You can prevent the storage of cookies by our site at any time by making the appropriate setting changes in your internet browser, in doing so permanently objecting to the storage of cookies. In addition, cookies already placed by Google can be deleted at any time via an internet browser or other software programmes. 
If you wish to object to targeted advertising by Google’s marketing services, you can use the options provided by Google at https://myadcenter.google.com/?hl=de&sasb=true.

3.6.3 Microsoft Clarity

We use Microsoft Clarity on our online services. This is a web analytics service provided by Microsoft Ireland Operations Ltd, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland, hereinafter referred to as ‘Microsoft’. We use Microsoft Clarity to analyse user behaviour and thereby improve our website. This involves collecting data on mouse movements, clicks, scrolling behaviour and other interactions as well as usage and user-related information, such as IP address, location, time or frequency of visits to our website. The legal basis for the processing is Art. 6 para. 1 lit. a GDPR (consent). The data may be stored for up to one year. The data collected is also passed on to Microsoft, which acts as a processor for us. A corresponding order processing contract in accordance with Art. 28 GDPR has been concluded. A transfer of the data to the USA cannot be ruled out. We have therefore also agreed on EU standard contractual clauses (SCCs) with Microsoft and implemented additional protective measures to ensure an appropriate level of data protection. Furthermore, Microsoft has committed to complying with the data processing principles of the Data Pricacy Framework (DPF). Further information on the data protection provisions of Microsoft Clarity can be found at https://clarity.microsoft.com/terms and https://privacy.microsoft.com/en-us.

3.6.4 Meta pixel

We use the Facebook/Meta meta pixel to measure conversions. The provider of this service is Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland.
With the help of the meta pixel, we can present our website visitors with targeted advertising on the social networks of Meta Platforms (e.g. Facebook, Instagram) and also measure and analyze the effectiveness of the advertisements placed there. When using the meta pixel, a transfer of data to the USA or other third countries cannot be ruled out. If data is transferred to the USA or other third countries, this is done on the basis of the EU Commission's standard contractual clauses. Further details can be found at: https://www.facebook.com/legal/EU_data_transfer_addendum and https://www.facebook.com/help/566994660333381?cms_id=566994660333381. The data collected by the meta pixel remains anonymous to us. We cannot draw any conclusions about the identity of a user. However, Facebook stores and processes this data, which enables a connection to your Facebook profile. Facebook may use the data for its own advertising purposes in accordance with its privacy policy (https://www.facebook.com/privacy/policy/), e.g. to display personalized ads on Facebook and on websites outside of Facebook. As the website operator, we have no influence on this use of data. We do not use the “extended comparison” offered by Meta. Insofar as the Meta pixel collects personal data on our website and transmits it to Meta / Facebook, we and Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland, are jointly responsible for this data processing (Art. 26 GDPR). This joint responsibility relates exclusively to the collection and transfer of data to Meta / Facebook. The details of the joint responsibility are set out in the following agreement pursuant to Art. 26 GDPR: https://www.facebook.com/legal/controller_addendum. According to this agreement, we are responsible for providing the data protection information and for implementing the Facebook tool on our website in compliance with data protection regulations, while Facebook guarantees the data security of the processed data. Data subject rights, such as requests for information, can be asserted directly with Facebook. If you assert your data subject rights with us, we will forward them to Facebook. The meta pixel is used on the basis of your consent in accordance with Art. 6 para. 1 lit. a GDPR and § 25 TDDSG. Further information can also be found in the Meta and Facebook privacy policies at https://www.facebook.com/privacy/policy/. You can also deactivate the remarketing function “Custom Audiences” in the advertising settings at https://www.facebook.com/ads/preferences/?entry_product=ad_settings_screen. To do this, you must be logged in on Facebook.

3.7. Plugins and embedded functions and content from third-party providers

Some of our online services use services and content from third-party providers. This applies in particular to so-called “social plugins”, videos or fonts. This content is obtained directly from the server of the respective third-party provider either when you access our online service or pending your consent (for example by separately activating a plug-in). Your IP address is also transmitted in the process. If this doesn’t happen, the third-party provider cannot deliver the content to your browser or offer the desired function. 

If we ask for your consent to activate embedded functions and content, the legal basis is your consent in accordance with Article 6 (1) (a) GDPR. Otherwise, the data is processed on the basis of our legitimate interests in providing and disseminating our content and a user-friendly as well as optimal user experience in accordance with Article 6 (1) (f) GDPR. We may, where appropriate, use the following services or service providers with embedded functions and content:

• In order to store your cookie preferences, consent or other settings regarding cookies and individual embedded contents, our online services use the consent tool “Cookiebot”, a service of Cybot A/S, Havnegade 39, 1058 Copenhagen, Denmark. Your browser may, where appropriate, transmit personal data to Cookiebot within this context. For further information on the handling of the transmitted data, please refer to the privacy policy of Cookiebot at https://www.cookiebot.com/en/privacy-policy/
• Facebook, Inc., 1 Hacker Way, Menlo Park, CA 94025, USA; https://en-gb.facebook.com/policy.php  
• LinkedIn Corporation, 2029 Stierlin Court Mountain View, CA 94043, USA; https://www.linkedin.com/legal/privacy-policy and https://www.linkedin.com/legal/cookie-policy
• XING SE, Dammtorstrasse 30, 20354 Hamburg, Germany;  https://www.xing.com/privacy and https://www.xing.com/app/share?op=data_protection
• Twitter, Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA; https://twitter.com/en/privacy and https://about.twitter.com/de/resources/buttons.
• Instagram LLC, 1 Hacker Way, Building 14 First Floor, Menlo Park, CA, USA; https://help.instagram.com/155833707900388 and https://www.instagram.com/about/legal/privacy
• Pinterest Inc., 808 Brannan Street San Francisco, CA 94103-490, USA; https://policy.pinterest.com/en-gb/privacy-policy
• Crqlar GmbH, Haller Straße 65, 6020 Innsbruck, https://www.iubenda.com/privacy-policy/96241115/legal
• YouTube, LLC, 901 Cherry Ave., San Bruno, CA 94066, USA (YouTube). YouTube, LLC is a subsidiary of Google Inc, 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, USA; https://policies.google.com/privacy?hl=en-US
• Videos from the platform Vimeo may be integrated into our website. They are offered by Vimeo Inc, Attention: Legal Department, 555 West 18th Street New York, New York 10011, USA. Privacy policy: https://vimeo.com/privacy.
• Some of our websites make use of the map service “Google Maps” as well as the fonts of the “Google Webfonts” service of Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. We use the Google Maps API to visually display and integrate geographical information on individual websites. When Google Maps is used, Google also processes data about the use of the map functions. In addition, we use font libraries of Google Webfonts. During this process, font libraries are transferred to your browser’s cache. If your browser settings do not permit this or if your browser does not support the fonts, font content is displayed in a standard font. In order to transfer the font libraries to your cache, a connection to the service provider is automatically established. Further information on data processing by Google can be found here: https://www.google.com/policies/privacy/
• We use the Elfsight service of Elfsight LLC, Paronyana str. 19/3, 201, Yerevan 0015, Armenia, to integrate content, such as reviews, from social networks or review portals on our website. This may also result in data being transferred to a third country (Armenia). Further information on data processing by Elfsight can be found in the provider's privacy policy: https://elfsight.com/privacy-policy/. The legal bases are Art. 6 para. 1 lit a, 49 para. 1 lit a GDPR.

 

3.8. Presence in social networks

Some companies of the VILA VITA Group use social networks to make direct contact with customers. The possibility of also getting in contact with customers via social networks and providing a corresponding platform for this purpose is a legitimate interest in accordance with Article 6 (1) (f) GDPR. If you visit our sites, your data will also be processed by the respective social network, where appropriate also outside the European Union, for example in the USA. The respective social network is responsible for this processing and for the processing operations that go beyond it, such as the analysis of user behaviour by social networks. The companies of the VILA VITA Group have no influence on this. The VILA VITA companies are represented on the following social networks:

• Facebook: Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland; https://en-gb.facebook.com/policy.php. Information on joint responsibility in accordance with Article 26 GDPR: https://www.facebook.com/legal/terms/page_controller_addendum
• Instagram: Instagram Inc., 1601 Willow Road, Menlo Park, CA, 94025, USA; https://www.instagram.com/about/legal/privacy
• Pinterest: Pinterest Inc., 635 High Street, Palo Alto, CA, 94301, USA; https://policy.pinterest.com/en-gb/privacy-policy
• Twitter: Twitter Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA; https://twitter.com/en/privacy
• Xing: XING AG, Dammtorstrasse 29-32, 20354 Hamburg, Germany; https://privacy.xing.com/en/privacy-policy
• LinkedIn: LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland; https://www.linkedin.com/legal/privacy-policy
• YouTube: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; https://policies.google.com/privacy 
   

3.9. Booking rooms online

We offer you the possibility to book rooms online. For this purpose, the data required for the reservation as well as for the further initiation and conclusion of the contract are collected, in particular your name, the names of any accompanying persons, address, telephone number and e-mail address, booking or travel dates, as well as details of the selected payment method. The data required for your booking are marked accordingly. All other data is voluntary. Your online booking is made via online reservation systems of third-party providers. We may use the following providers: 
TravelClick, a service of TravelClick, Inc, address: 7 Times Square, 38th Floor, New York, USA. All booking data entered by you is transmitted in encrypted form. For more information on the processing of your data by TravelClick, please visit: https://www.travelclick.com/legal/privacy-policy/. 
Booking Engine 360, a service of Profitroom GmbH, Potsdamer Platz 10/2, 10785 Berlin. Further information can be found at https://www.profitroom.com/de/. 
After completing the booking, you will receive a booking confirmation to the e-mail address you provided. The legal basis for the processing of your data is Art. 6 para. 1 lit. b DSGVO. We store your address, payment and booking data for a period of ten years due to the commercial and tax law regulations for which we are responsible.

3.10. Online restaurant and bar reservations

If you would like to reserve a table online in one of our restaurants or bars, we require details from you on the date, time, number of persons as well as your name and, if applicable, your email address or telephone number. For this purpose, we use the online reservation system Reservision, a service provided by RESERViSiON GmbH, Seestr. 29, 64354 Reinheim, Germany. If you book an appointment in our SPA online, we use the booking system of Crqlar GmbH, Haller Straße 65, 6020 Innsbruck. Your details will be stored and processed for the purpose of processing your enquiry or reservation. The legal basis is Art. 6 para. 1 lit. a and b GDPR. Your reservation data will be erased upon cancellation of the reservation or on the day following the reservation, unless we still need your data for billing and other questions in the follow-up to your reservation. In order to be able to respond to future enquiries from you – or in the case of future reservations, to your individual requests – we store certain data about your visit or your requests, provided you have given your consent. The legal basis for data processing is your consent in accordance with Article 6 (1) (a) GDPR. If consent is not obtained, processing is based on the legitimate interests described above in accordance with Article 6 (1) (f) GDPR.

3.11. Online and voucher shop

If you use our online or voucher shop, we process the data you provide for the purpose of processing your order, its payment and delivery. We use your data to update you on the delivery status or in case of problems with the delivery. If necessary, we use service providers, in particular postal and shipping companies, for order processing and delivery. We also use your data to process complaints and product warranty claims and, if necessary for an order, to determine whether you are of legal minimum age to make the purchase. We use various online services from banks and payment service providers to process payments. The data required for the order processing, delivery and payment processing is marked accordingly. The legal basis is the performance of the contract or the implementation of pre-contractual measures in accordance with Article 6 (1) (b) GDPR. 

3.12. Chatbot and chat functions

On some of our pages we use a chatbot from DialogShift GmbH, Rheinsberger Str. 76/77, 10115 Berlin. This is software that answers your questions or provides you with useful tips or information while you are using our websites. If you use the chat function, the chatbot processes the information you enter. In addition, we store the content of your communication. If you complete registration processes, submit declarations of consent or other declarations via the chatbot, we log these in order to be able to prove them later. Furthermore, the chatbot stores a cookie with an identification number in order to recognise you as a user. This cookie is stored for 90 days from the last use of the chatbot. You can deactivate the storage of the cookie in your browser settings or delete the cookie. However, the chat functions cannot be used without the cookie. The disclosure of personal data such as your name, e-mail address, etc. is voluntary. In addition to the data you enter, data on user behaviour may also be collected for the purpose of statistical analysis and optimisation of the service. The legal basis for data processing is Art. 6 para. 1 lit. a DSGVO and Art. 6 para. 1 lit. f DSGVO. The particular interest lies in effective customer support and customer communication. Further information on the processing of personal data by the chatbot can be found here: https://www.dialogshift.com/de/dsvgo.

3.13. Online Magazine display service

This website uses an iFrame with a website provided by CALAMEO SAS for an online magazine display service. When you access the page with the online magazine display, your browser loads the website data from the website provided by CALAMEO SAS in order to display online magazines correctly. To this end, the browser you use must establish a connection to the servers of CALAMEO SAS. This informs CALAMEO SAS that our website has been accessed from your IP address. We use the online magazine display service provided by CALAMEO SAS in order to present our online services in a consistent and appealing form and to make them easy to use. This constitutes a legitimate interest within the meaning of Article 6(1)(f) GDPR. The operator of this website points out that data entry and processing on the website displayed in the iFrame is outside its sphere of influence. Responsibility for compliance with the regulations of the GDPR therefore lies with the operator of the embedded website.You can find more information on CALAMEO SAS and its Privacy Policy at: calameo.com/privacy.

 

4.1.    Processing purposes and legal bases

In the context of your stay in one of our hotels or the provision of our services, we process your data for the following purposes: 

• Booking and guest registration – the legal basis being the performance of the contract or the implementation of pre-contractual measures in accordance with Article 6 (1) (b) GDPR – with the booking guest and, where appropriate, any other accompanying persons.
• Accommodation and related on-site services, such as check-in and check-out, personalised services including consultation on these, bookings/reservations on behalf of the guest with third parties (tours, excursions, reservations, taxi and shuttle services, etc.), room service (for example intolerances communicated by the guest, etc.), housekeeping (for example expressed preferences regarding amenities such as requested pillows, duvets, etc.) and the handling of complaints, requests and enquiries. The legal bases for this are the performance of the contract or the implementation of pre-contractual measures in accordance with Article 6 (1) (b) GDPR, legitimate interests in accordance with Article 6 (1) (f) GDPR, in particular the fulfilment of guest requests and preferences.
• The provision of information and entertainment systems in the hotel and in the guest room (for example Wi-Fi, TV, infotainment systems, AppleTV, game consoles). The legal bases for this are the performance of the contract or the implementation of pre-contractual measures in accordance with Article 6 (1) (b) GDPR and legitimate interests in accordance with Article 6 (1) (f) GDPR, in particular ensuring the functionality of our information technology systems, secure processing and IT security and the prevention and investigation of criminal offences
• Providing consultation about and implementing the spa and wellness offers you may have booked (such as the making of appointments and the recording of restrictions and intolerances for a safe and customer-oriented service provision or treatment), creating treatment documentation, providing defence in legal disputes, providing personalised consultation and offer preparation, and processing complaints, requests and enquiries. The legal bases for this are the performance of the contract or the implementation of pre-contractual measures in accordance with Article 6 (1) (b) GDPR, legitimate interests in accordance with Article 6 (1) (f) GDPR (in particular in customer-oriented consultation and treatment and for defence in legal disputes) as well as the consent of the guest in accordance with Article 6 (1) (a) GDPR and, insofar as special categories of data are processed, in accordance with Article 9 (2) (a) GDPR. 
• Marketing campaigns, customer relationship management and bonus programmes and comparable campaigns of the VILA VITA Group, for example sending information about products, offers and services of the VILA VITA Group that may be of interest to the guest, including personalised advertising, personalised services and benefits based on the preferences communicated by the guest. The legal basis is consent in accordance with Article 6 (1) (a) GDPR, legitimate interests in accordance with Article 6 (1) (f) GDPR, in particular in a customer-oriented service.
• The planning and implementation of events and conferences – in particular support in the organisation, coordination, invitation, communication and accommodation of guests or attendees and the processing of enquiries and complaints – the provision, organisation and coordination of media technology and invoicing. Legal bases are the performance of the contract or the implementation of pre-contractual measures in accordance with Article 6 (1) (b) GDPR, insofar as the data of guests/attendees must be processed within the scope of legal obligations, Article 6 (1) (c) GDPR, and legitimate interests in accordance with Article 6 (1) (f) GDPR – in particular in a safe and customer-oriented event/event implementation. 
• the fulfilment of legal requirements pursuant to Art. 6 (1) lit. c DSGVO, such as in particular the fulfilment of reporting obligations pursuant to the Federal Reporting Act (§§ 29, 30 BMG); the fulfilment of contractual or legal storage obligations, for example pursuant to the German Commercial Code or the German Fiscal Code (§ 257 HGB, § 147 AO). In order to fulfil the above reporting obligations, we also offer the collection of the data required for this purpose in electronic form. This means that you can submit your registration data before your arrival. For this purpose, we use an online service provided by straiv GmbH, Eichwiesenring 4f, 70567 Stuttgart. There is no obligation to use the electronic form. You can continue to provide the registration data as usual when you arrive.
• If you provided your e-mail address when booking, you will receive an e-mail from us before your arrival with information about your stay. After your check-in, you will receive another e-mail with information about your booking and information about our hotel and our offers. On the day of your departure, you will also receive an e-mail with the option to check out online. If applicable, you will also receive the option to check out with this email. After your stay, you will be given the opportunity to send us feedback and rate your stay. If applicable, you will also receive an invoice in electronic form. In each e-mail you have the option to object to the sending of further e-mails. The legal basis is Art. 6 para. 1 lit. f DSGVO. We use an online service from straiv GmbH, Eichwiesenring 4f, 70567 Stuttgart, Germany, to send the emails.

4.2. Type of data

We process different types of personal data to fulfil the respective purposes. In particular: 

• Personal master data
• Data on accompanying persons/family members
• Address and contact details
• Details on guest preferences and requests
• Credit and debit card numbers, bank account details and other payment data
• Passport, identity card and other identification data
• Booking and reservation data
• Travel data and data on itineraries and activities
• Treatment information and documentation in the spa & wellness area
• Contract master data/contract billing data and payment data
• Photographs and video data

4.3.    Data transfer to payment service providers 

In connection with the processing of orders and bookings, we transfer personal data to service providers who support us with this processing. This applies in particular to providers of credit card billing services, insofar as the transfer of data is necessary to process the payment. In this respect, we collaborate with the company SIX Payment Services (Germany) GmbH, Global Data Protection Support, Langenhorner Chaussee 92-94, 22415 Hamburg, Germany. You can view the company’s privacy statement at https://www.six-payment-services.com/en/home.html. Where applicable, individual online services offer the possibility of using the online payment service of PayPal (Europe) S.à.r.l. & Cie. S.C.A., 22-24 Boulevard Royal, 2449 Luxembourg. If you choose PayPal as your payment method, the data required for the payment process will automatically be transferred to PayPal. Under certain circumstances, PayPal may transfer data to credit agencies for the purpose of checking your identity and creditworthiness. Further information on data processing by PayPal can be found here: https://www.paypal.com/uk/webapps/mpp/ua/privacy-full. If you use Apple Pay, Apple Distribution International (Apple), Hollyhill Industrial Estate, Hollyhill, Cork, Ireland, payment is made via the “Apple Pay” function of your iOS terminal device (for example iOS, watchOS, macOS) and by charging the payment card deposited with Apple Pay. For the purpose of payment processing, the information you provide during the payment or ordering process, including information about your order, is disclosed to Apple in encrypted form. Further information on data processing by Apple and data protection can be found at: https://support.apple.com/en-gb/HT203027
The legal basis for the above processing activities is Article 6 (1) (b) GDPR.

4.4. Disclosure of personal data

In certain cases, we also disclose personal data to third parties, but only if you have consented, if there is a legal basis for the disclosure or if we are legally obliged to do so. Recipients may in particular be other companies within the VILA VITA Group, for example in order to make bookings and reservations, to plan and hold events, to process enquiries and complaints or to invoice services provided by us. Furthermore, we also pass on personal data to external service providers, in particular in the context of the provision of IT systems and services, payment and order processing or event organisation. To the extent that we are legally required or in the context of law enforcement, we also disclose personal data to public authorities. 
 

The VILA VITA Group, 

• VILA VITA Hotel und Touristik GmbH, Wilhelm-Leuschner-Strasse 24, 60329 Frankfurt am Main, Germany,
• VILA VITA Marburg GmbH, Anneliese Pohl Allee 17, 35037 Marburg, Germany, and
• Congresszentrum Marburg GmbH & Co. KG, Anneliese Pohl Allee 3, 35037 Marburg, Germany,
  is pleased that you are interested in a position with one of our companies. We would like to inform you below about the processing of your personal data in connection with your application.  

5.1. Controller 

The controller within the meaning of Article 4 (7) GDPR is the respective company of the VILA VITA Group, which is indicated in the respective job advertisement. 

You can also reach our data protection officer at the address given in the job advertisement – making sure your correspondence is addressed to “Data Protection Officer” – or at datenschutz@vilavitahotels.com.

5.2. Processing purposes and legal bases

The data you provide as part of your application will be processed solely for the purpose of selecting job applicants or for the application process. This is particularly true in the case of checking your suitability for the advertised position or, if applicable, for other vacancies within the company or the VILA VITA Group. We use the data you have provided us with for this purpose. This may also include information that you make available in professional online networks or job boards. 

We will only disclose your job applicant data to other companies in the VILA VITA Group if you have expressly consented to this.

The legal basis for data processing is Article 6 (1) (b) GDPR and section 26 of the German Bundesdatenschutzgesetz (Federal Data Protection Act, BDSG). Should data be required for legal defence after completion of the application process, this data processing is based on legitimate interests in accordance with Article 6 (1) (f) GDPR. Our legitimate interest in the further processing is then the assertion of or defence against claims.

5.3. Type of data

We only process the data you provide us with, usually:

• Personal master data
• Address and contact details
• CV, professional background and other details from the application
• Training and qualification data
• Photographs and video data

In the course of the application process, further data may be added, for example from interviews or from generally accessible sources such as professional online networks or former employers. In certain cases, for example for management positions, we may conduct assessments or potential analyses. 

5.4. Duration of storage

Applicant data will be erased six months after completion of the application process, unless there is a legal reason for erasure or you have expressly consented to longer storage. 

If we conclude an employment contract with you, we will store your application documents in your personnel file or in our personnel information system for the purpose of implementing the employment relationship on the basis of Article 6 (1) (b) GDPR and section 26 BDSG.  

5.5. Disclosure of personal data

As a matter of principle, only persons who need this data to carry out the application process will have access to your data. This includes employees of the HR department. They will view and process your application as soon as they receive it. In addition, department heads for the vacant position will have access to your application data.

5.6. Location of data processing

Application data is generally processed in data centres within the Federal Republic of Germany or the European Economic Area (EEA). Should data be processed outside the EEA, this will only be done if a third country has been confirmed by the European Commission as having an adequate level of data protection pursuant to Article 44 et seqq. GDPR or other appropriate guarantees for the protection of personal data are in place.

5.7. Your rights

You have the right

• of access in accordance with Article 15 GDPR, 
• to rectification in accordance with Article 16 GDPR, 
• to erasure in accordance with Article 17 GDPR,
• to restriction of processing in accordance with Article 18 GDPR and
• to data transfer in accordance with Article 20 GDPR.

The restrictions of sections 34 and 35 BDSG apply to the rights of access and the right to erasure. 

In addition, you have the right to lodge a complaint with a data protection supervisory authority in accordance with Article 77 GDPR pursuant to section 19 BDSG.

You can withdraw your consent to the processing of your personal data at any time with future effect.

5.8. Automated decision making

An automated individual case decision will be not be made in connection with your application. 
 

With the following Data Protection Notice, we would like to inform you about the processing of your personal data pursuant to Article 13 of the General Data Protection Regulation if you are a service provider or supplier in a business relationship with a company of the VILA VITA Group

• VILA VITA Hotel und Touristik GmbH, Wilhelm-Leuschner-Strasse 24, 60329 Frankfurt am Main, Germany,
• VILA VITA Marburg GmbH, Anneliese Pohl Allee 17, 35037 Marburg, Germany,
• Congresszentrum Marburg GmbH & Co. KG, Anneliese Pohl Allee 3, 35037 Marburg, Germany

6.1. Controller

The controller within the meaning of Article 4 (7) GDPR is the respective company of the VILA VITA Group, 

• whose website or online service you are visiting or using. The respective controller is indicated in the imprint of the respective website or online service. 
• with whom you have or would like to enter into a contractual relationship. The name of the controller can be found on the invitation to tender, the order or order confirmation, the contract documents or the invoice.

The companies of the VILA VITA Group work closely together in purchasing and procurement. This applies to the processing of personal data in these areas as well as in financial accounting or bookkeeping and the joint IT infrastructure and IT facilities. The companies of the VILA VITA Group have therefore concluded an agreement on joint responsibility in accordance with Article 26 GDPR. In it, the parties have agreed who fulfils which obligations under the GDPR. This concerns in particular the fulfilment of the rights of the data subjects. VILA VITA Marburg GmbH, Anneliese Pohl Allee 17, 35037 Marburg, Germany, has been designated by the VILA VITA Group as the controller, in particular for the fulfilment of the rights of data subjects. This does not affect the assertion of your rights against the other companies of the VILA VITA Group.

You can also reach our data protection officer at the above addresses – making sure your correspondence is addressed to “Data Protection Officer” – or at datenschutz@vilavitahotels.com.

6.2. Processing purposes and legal bases

The processing of personal data is carried out for the fulfilment of our obligations arising from the respective contract or for the implementation of pre-contractual measures such as, in particular, the request for individual offers for work, services or the delivery of products, calculating fees, contractual correspondence and complaints. The legal basis is Article 6 (1) (b) GDPR. Furthermore, we process personal data on the basis of legitimate interests in accordance with Article 6 (1) (f) GDPR. This includes, in particular, obtaining creditworthiness information and exchanging data with credit agencies, asserting legal claims and defending ourselves in legal disputes, ensuring IT security and IT operations, preventing and investigating criminal offences and measures to ensure house rules. In addition, we process your data if this is necessary for the fulfilment of legal obligations, in particular for compliance with commercial and tax law in accordance with section 257 HGB and section 147 AO. 

6.3. Type of data

We usually collect the following data:

• Personal master data
• Address and contact details
• Payment and invoice data
• Order and performance data
• Information from third parties

6.4. Duration of storage

Where not otherwise stated in this Data Protection Notice, personal data will only be stored for as long as is necessary to fulfil the relevant purpose, or to fulfil our contractual or legal obligations. We are subject to various storage and documentation obligations. These result in particular from the German Handelsgesetzbuch (Commercial Code), the Abgabenordnung (Fiscal Code) and the Geldwäschegesetz (Money Laundering Act). The periods stipulated in these cases may be up to 10 years.

6.5. Disclosure of personal data

If we transfer personal data to other persons or companies, this will only be done on the basis of your consent, legal permission, a legal obligation (for example to public bodies and institutions such as supervisory or financial authorities) or an agreement on order processing in accordance with Article 28 GDPR. Further recipient categories can be found in this Data Protection Notice.

6.6. Location of data processing

Your data will generally be processed at locations within the Federal Republic of Germany or the European Economic Area (EEA). Should data be processed outside the EEA, this will only be done if a third country has been confirmed by the European Commission as having an adequate level of data protection pursuant to Article 44 et seqq. GDPR or other appropriate guarantees for the protection of personal data are in place.

6.7. Your rights

You have the right

• of access in accordance with Article 15 GDPR, 
• to rectification in accordance with Article 16 GDPR, 
• to erasure in accordance with Article 17 GDPR,
• to restriction of processing in accordance with Article 18 GDPR and
• to data transfer in accordance with Article 20 GDPR.

The restrictions of sections 34 and 35 BDSG apply to the rights of access and the right to erasure. 

In addition, you have the right to lodge a complaint with a data protection supervisory authority in accordance with Article 77 GDPR pursuant to section 19 BDSG.

You can withdraw your consent to the processing of your personal data at any time with future effect.