Status September 2020
We process your personal data in accordance with the provisions of the EU Data Protection Regulation (DSGVO), the national data protection laws, as well as all other relevant laws.
Our website and app offer you as a user (hereinafter referred to as "user") the possibility to inform yourself about the room offers and the different hotel locations of B&B Hotels, to book if you are interested and if there are vacancies and to contact us in case of inquiries. You will receive further information about the type, scope and purpose of processing your personal data when using our online services, the associated website or app, including the reservations and bookings in our hotels that can be made via it, in the currently valid version at: https://www.hotel-bb.com/de/datenschutzbestimmungen.
For reservations and bookings in our hotels, this data protection notice also applies.
For the terms used, we refer to the definitions in Art. 4 DSGVO.
Personal data is all information relating to an identified or identifiable natural person. This includes, for example, your name, address and communication data, e-mail address or user behaviour.
Processing means any operation or set of operations carried out with or without the aid of automated procedures in connection with Personal Data, such as collection, recording, organization, organization, filing, storage, adaptation or modification, reading, querying, use, disclosure by transmission, dissemination or any other form of provision, alignment or combination, restriction, deletion or destruction.
Data subject means any identified or identifiable natural person whose personal data are processed by the controller.
Controller or "controller" means the natural or legal person, public authority, agency or other body which alone or jointly with others determines the purposes and means of the processing of personal data.
User" includes all categories of persons affected by the processing of personal data, including our customers, guests and visitors to our website.
1. Persons responsible for data processing
Responsible is your respective contract partner
B&B HOTELS Austria GmbH, pA CCFA, Am Heumarkt 10, 1030 Vienna
Phone: +49 (0) 6146 9090 0
Fax: +49 (0) 6146 9090 111
Whether a B&B hotel is operated by B&B HOTELS Austria GmbH itself or by another company in our group of companies is determined by the information provided in the context of the booking, namely the details of the contractual partner of the accommodation contract or the legal entity of the respective hotel named in the booking process or the booking confirmation. When booking hotels not operated by B&B HOTELS Austria GmbH, the data will be transmitted by B&B HOTELS Austria GmbH to the respective hotel, which will process the personal data on your part for the purpose of implementing the accommodation contract as the party responsible within the meaning of the DSGVO. This information describes data processing procedures for which B&B HOTELS Austria GmbH is to be regarded as the party responsible within the meaning of the DSGVO.
2. your rights as a data subject
First of all, we would like to inform you here about your rights as a data subject. These rights are set out in Articles 15 - 22 EU-DS-GVO. This includes:
The right to information (Art. 15 EU-DS-GVO),
The right to deletion (Art. 17 EU-DS-GVO),
The right of rectification (Art. 16 EU-DS-GVO),
The right to data transferability (Art. 20 EU-DSGVO),
The right to restrict data processing (Art. 18 EU-DS-GVO),
The right to object to data processing (Art. 21 EU-DS-GVO).
In order to assert these rights, please contact: email@example.com or contact the data protection officer via our postal address with the addition "the data protection officer". The same applies if you have any questions about data processing in our company. You also have the right of complaint to a data protection supervisory authority.
3. Purposes and legal basis of data processing
3.1 Fulfillment of contract
If you book a hotel room with us or via a third party provider (e.g. a hotel reservation portal), we will collect, process and use your personal data to handle an existing business relationship with you, including the necessary communication, in particular to provide contractually owed services, process payment transactions and accounting. The legal basis is Art. 6 para. 1 lit. b DSGVO. This is permissible insofar as the processing is necessary for the performance of a contract to which the data subject is a party or serves the implementation of pre-contractual measures which are carried out on request.
External services and contents on our website Transfer of data to third parties and contract processors
3.2 Entitled interests
Furthermore, we process personal data on the basis of Art. 6 Par. 1 letter f DSGVO, insofar as this is necessary to protect our own legitimate interests or those of a third party and insofar as the interests or fundamental rights and freedoms of the person concerned do not outweigh the protection of personal data. This applies in particular to the prevention and investigation of criminal offences, for the purposes of corporate management, internal communication and other administrative purposes.
In addition, we process personal data on the basis of Art. 6 para. 1 letter a DSGVO, provided that the contractual partner has given its consent to the processing of the data relating to the persons concerned for one or more specific purposes. The voluntarily given consent can be revoked at any time.
3.4 Legal obligation
A legal obligation to provide personal data in accordance with Art. 6 Para. 1 lit. c DSGVO can result from legal regulations that apply to us, such as tax laws, the reporting law and other public law obligations.
4. Disclosure to third parties
We will only pass on your data to third parties within the framework of the legal regulations or with the appropriate consent. Otherwise, your data will not be passed on to third parties unless we are obliged to do so by mandatory legal provisions (passing on to external bodies such as supervisory authorities or law enforcement agencies).
5. Origin of the data
As a rule, we receive your personal data from you yourself or from our contractual partners, service providers and clients with whom we have concluded appropriate data protection agreements. In certain constellations, your personal data may also be collected by other parties due to legal regulations.
6. Categories of personal data processed
The recipient of the personal data is B&B HOTELS Austria GmbH, with whom the accommodation contract for the corresponding hotel room is concluded. If the hotel is not operated by B&B HOTELS Austria GmbH itself, B&B HOTELS GmbH acts as a service provider (e.g. for the operation of a hotel management system as well as in the areas of IT support and accounting/finance).
Within the company of the person responsible, only those persons and bodies (e.g. specialist departments) receive your personal data that they require to fulfil our services and legal obligations.
Under certain circumstances, certain data may be transferred to other affiliated companies if they perform data processing tasks centrally, e.g. in the context of providing and operating booking and IT systems, marketing tasks, etc. Personal data is not transferred to non-European countries.
In addition, in order to fulfil his contractual and legal obligations, the person responsible also uses, among other things, different service providers for the technical operation, maintenance and hosting of booking and IT systems or for the execution of the accommodation contract in the hotel, with whom - depending on the constellation - an agreement on order processing has also been concluded in accordance with the requirements of Art. 28, 29 DSGVO.
In addition, the responsible party may transfer your personal data to other recipients outside the company, insofar as this is necessary to fulfill legal obligations as the responsible party (e.g. reporting law, tax and duty laws, etc.).
The data processing takes place in the European Union.
7. Duration of data storage
We store your data as long as they are needed for the respective processing purpose. Please note that numerous retention periods require that data is (must be) still stored. This applies in particular to the Hotel and Accommodation Act or tax law obligations to retain data. If there are no further storage obligations, the data will be routinely deleted once the purpose has been achieved.
In addition, we may retain data if you have given us permission to do so or if legal disputes arise and we use evidence within the scope of legal limitation periods, which can be up to thirty years; the regular limitation period is three years.
8. Social media
We want to stay in touch with our guests and use social media as a contemporary form of communication. To this end, we maintain various online presences within social networks and platforms to communicate with users and to point out our contributions, services and actions.
We point out that user data may be processed outside the European Union. This can result in risks for the users, because the enforcement of the users' rights could be made more difficult. With regard to US providers that are certified under the Privacy Shield, we would like to point out that by doing so, they undertake to comply with the data protection standards of the EU.
For a detailed presentation of the respective processing of personal data, the data protection regulations and the possibilities of objection, we refer to the following linked information of the providers.
Also in the case of requests for information and the assertion of user rights, we would like to point out that these can most effectively be asserted with the providers. Only the providers have access to the data of the users and can directly take appropriate measures and provide information. Should you nevertheless require assistance, please contact us.
We use Instagram, Instagram Inc, 1601 Willow Road, Menlo Park, CA, 94025, USA. For more information about privacy, please visit http://instagram.com/about/legal/privacy/.
We also use Twitter, Twitter Inc, 1355 Market Street, Suite 900, San Francisco, CA 94103, USA. Further information on data protection can be found at https://twitter.com/de/privacy.
8.2 Information on data protection on our Facebook fan page
8.2.1 General Information
B&B HOTELS Austria GmbH uses a service of Facebook Inc., 1601 S. California Ave, Palo Alto, CA 94304, USA.
Whenever you visit our fan page, Facebook collects, stores and uses data (e.g. IP address, preferences and personal interests, behavior on Facebook pages, any personal information stored on Facebook, etc.) from users, regardless of whether you are a member of Facebook. We expressly point out that Facebook also uses for its own business purposes.
8.2.2 Data collection and storage
As soon as you access our fan page, your browser connects to a Facebook server. In doing so, whether you are registered with Facebook or not, your IP address is transmitted and cookies are set. In addition, Facebook can assign your visit to our site to your user account if you are a Facebook member and logged into your Facebook user account.
Facebook has sole control over the processing of the data. We have no influence on the extent to which, where and for how long the data is stored, to what extent the data is linked and evaluated, and to whom the data is passed on. Furthermore, it is currently not comprehensible to us whether and to what extent Facebook complies with deletion deadlines.
You can prevent Facebook from linking data about your visit to our fan page with your membership data stored on Facebook if you log out of Facebook before visiting our fan page, delete the cookies on your device, close your browser and restart it. According to the information provided by Facebook, this will delete information that makes you identifiable to Facebook.
According to Facebook, cookies are used for authentication, security, website and product integrity, advertising and measurements, website functions and services, performance, and analysis and research. Details of the cookies used by Facebook (e.g. names of the cookies, duration of function, recorded content and purpose) can be found at https://www.facebook.com/policies/cookies/.
We operate a company website ("fan page") on the social media network Facebook, in particular for self-promotion, branding but also for the purpose of customer communication
As a matter of principle, we only store personal data until the respective purpose for which the data was collected has been achieved. This can take place within the framework of a business relationship with you for as long as the business relationship lasts and includes both the initiation and processing of the contract. In addition, we store the data as far as we are subject to legal retention obligations.
Within the scope of a consent granted by you, your personal data will be stored until revoked or at the latest for the duration of the processing procedure or after its completion, taking into account the statute of limitations.
8.2.3 Facebook Insights
8.2.4 Legal basis
The legal basis for the collection, storage and use of data is based on Art. 6 para. 1 lit. F) DSGVO and serves the purpose of up-to-date communication with you as well as a target group-oriented presentation of our company and our services. An automated decision-making process including profiling in accordance with Art. 22 DSGVO does not take place beyond this.
If you use our fan page on Facebook, Facebook will naturally also have access to your data. It cannot be ruled out that Facebook Inc, 1601 Willow Road, Menlo Park, California 94025, USA, has access to your data. Facebook is located in a third country where the level of data protection is lower. However, Facebook has signed the EU-U.S. Privacy Shield to ensure an adequate level of data protection according to European standards.
The existing EU/US Privacy Shield certification for Facebook can be viewed at https://www.privacyshield.gov/list. With the EU Commission's implementing decision (EU) 2016/1250 of July 12, 2016, the level of protection of the EU/US Privacy Shield is now recognized as equivalent to the level of protection in the EU.
8.2.6 Contact details of the data controller and data protection officer; joint responsibility in accordance with Art. 26 DSGVO
Joint controllers: B&B HOTELS Ltd.
65239 Hochheim a.M. Germany
Facebook Ireland Ltd.
4 Grand Canal Square , Grand Canal Harbour , D2 Dublin
According to the European Court of Justice (ECJ), we are jointly responsible with Facebook for processing your personal data. The decision of the ECJ of 05.06.2018 can be found at
Through the joint responsibility, we inform you with regard to Art. 26 DS-GVO about the essentials of the existing agreement between us and Facebook on joint responsibility:
If you have any further questions about data protection, please contact us. If you have any questions about the collection, processing or use of your personal data, about information, correction, blocking or deletion of data as well as revocation of consents granted, please contact: firstname.lastname@example.org