Menu opener

Information pursuant to Article 13 and following of the General Data Protection Regulation (GDPR)

Last updated: May 2020

We process your personal data in compliance with the provisions of the EU General Data Protection Regulation (GDPR) and with national data protection legislation, as well as all other relevant legislation.

Our website and app offer you as the user (hereinafter the "User") the opportunity to find out about B&B Hotels room options and various hotel locations, to book any rooms that you wish to (subject to availability) and to contact us with enquiries. Please refer to our privacy policy for further information on the method, scope and purpose of the processing of your personal data when you use our online services, the associated website or app. This includes the reservations and bookings at our hotels that can be effected through it. You will find the currently applicable version of the policy at: https://www.hotel-bb.com/de/datenschutzbestimmungen.

These data protection notices also apply to reservations and bookings at our hotels.  

The terms used herein are those defined in Art. 4 of the GDPR.

Personal data means any information concerning an identified or identifiable natural person. This includes, for example name, address and contact information, e-mail address and usage patterns.

Processing means any process, operation or sequence of operations (automated or otherwise) performed in respect of personal data, such as the following: collection, gathering, collation, filing, storage, adjustment or amendment, reading, use, disclosure through transmission, dissemination or any other means of delivery, comparison or linkage, restriction, deletion or erasure.

The affected person is any identified or identifiable natural person whose personal data is processed by the data controller.

The "data controller" is the natural person or legal entity, administration, facility or other organisation which, either single-handedly or in conjunction with others, decides on the purposes and methods of personal data processing.

Users includes all categories of persons affected by data processing. They include our customers and guests and those visiting our Website.

 

1. Name a address of the data controller

The data controller is the party with whom you have entered into a contract

B&B HOTELS GmbH, Altkönigstraße 10, 65239 Hochheim am Main, Tel.: +49 (0) 6146 9090 0, Fax: +49 (0) 6146 9090 111, E-Mail: kontakt@hotelbb.com, represented by Chief Executives Fabrice Collet and Max C. Luscher

Or:

Star Budget Hotel GmbH, Altkönigstraße 10, 65239 Hochheim am Main, Tel.: +49 (0) 6146 9090 0, Fax: +49 (0) 6146 9090 101, E-Mail: kontakt@hotelbb.com, represented by Chief Executive Max C. Luscher

 

The information passed on as part of the booking process, viz. particulars on the party with whom you have entered into an accommodation contract, or on the rights holder of the hotel in question, as named in the booking process or booking confirmation, indicates whether a B&B Hotel is operated by B&B HOTELS GmbH itself or by another of our group’s companies.

For bookings at hotels not operated by B&B HOTELS GmbH, B&B HOTELS GmbH will pass on data to the hotel in question, for example Star Budget Hotel GmbH, which will process personal data concerning you as part of the performance of the accommodation contract, acting as data controller under the terms of the GDPR.

These notices set out data processing procedures for which B&B HOTELS GmbH, or Star Budget Hotel GmbH, a subsidiary of B&B HOTELS GmbH which operates individual B&B Hotels, is deemed data controller under the terms of the GDPR.

 

2. Data Protection Officer

You can contact our Data Protection Officer by e-mail at datenschutz@hotelbb.com or by letter addressed to "The Data Protection Officer".

 

3. Processing of personal data

3.1 Contract performance

When you book a hotel room with us or via a third-party service provider (for example a hotel reservation platform), we collect, process and use your personal data to manage our existing commercial relations with you, including the necessary communications, not least for the provision of services that we are contractually bound to deliver, payment and billing procedures. The legal basis for this is Art. 6, Section 1 (b) of the GDPR. This is permissible provided that the processing is necessary for the performance of a contract to which the affected person is a party, or that it serves to perform precontractual action carried out on request.

3.2. Legitimate interests

Moreover, we process personal data on the basis of Art. 6, Section 1 (f) of the GDPR, provided that this processing is necessary for the pursuit of the affected person’s own legitimate interest or that of a third party, and unless it is overriden by their fundamental rights and freedoms which require protection of personal data. This applies not least to crime prevention, criminal investigations, company strategy, internal communications and miscellaneous administrative purposes.

3.3 Consent

Furthermore, we process personal data on the basis of Art. 6, Section 1 (a) of the GDPR, provided that the party to the contract has granted their consent for the processing of the personal data concerning them for (a) particular purpose(s). Consent is freely given and can be withdrawn at any time.

3.4. Legal obligation

A legal obligation to pass on personal data as per Art. 6, Section 1 (c) of the GDPR may result from legal provisions that apply to us, for example tax legislation, the Reporting Act or miscellaneous public service obligations.

 

4. Data origin

We generally get your personal data from you yourself, or from our contractual partners, service providers or contracting authorities, with whom we have accordingly entered into data protection agreements. In certain setups your personal data may be collected from other parties due to legal provisions.

 

5. Categories of personal data processed

When a booking is made, we process the following personal data or categories of data in particular: Particulars (Title, Forename, Surname, additional names or titles), contact information (e-mail address, street name, number, postcode, town or city, country, telephone number), where applicable nationality, purpose of stay (business/leisure), number of accompanying persons or minors and their age range, telephone number, and billing address (if different).

Where applicable, for quality assurance, security and similar purposes, we also process recordings of telephone calls for quality assurance and training purposes. Furthermore, we process video files from surveillance cameras installed in public areas of our buildings such as hallways and lobbies.

 

6. Categories of recipients of personal data

The recipient of the personal data is B&B HOTELS GmbH in Hochheim am Main, with which the accommodation contract regarding the hotel room in question has been entered into. In cases where a hotel is not operated by B&B HOTELS GmbH itself, B&B HOTELS GmbH acts as a service provider for Star Budget Hotel GmbH (for example for the operation of a hotel management system and in the areas of IT support and accounting/finance).

Only those persons and parties (for example specialised departments) within the data controller’s company who require your personal data in order to provide services and comply with legal provisions shall receive it. Under certain circumstances, certain data sets shall be passed on to affiliated companies, if they complete data processing tasks, for example as part of the centralised provision and operation of booking and IT systems, completion of marketing tasks, etc..

As well as this, the data controller, for the performance of ans compliance with contractual and legal obligations, among others for the technical operation, maintenance and hosting of booking and IT systems or for the performance of the accommodation contract in the hotel of various service providers, with whom – depending on the setup – an agreement on order processing has also been entered into as per the requirements pursuant to Art. 28 and 29 of the GDPR .

In order to get feedback from our guests on their stays, the data controller uses a consumer ratings service offered through TrustYou GmbH, Steinerstraße 181369 München. Those submitting ratings are under no obligation to do so. If a guest would like to make use of this utility, their surname, forename, e-mail address and reference number will be passed on to TrustYou, but shall be neither used by TrustYou itself nor forwarded to third parties. 
You will find further information on TrustYou’s privacy policy at https://www.trustyou.com/de/downloads/privacy-policy-de.

If you use third-party payment services (for example PayPal, Visa, Mastercard, Maestro or American Express), our partners’ business terms and conditions and data protection notices for electronic payment processes (Adyen, Saferpay) apply. They can be accessed via the transaction application.

Furthermore, the data controller may pass your personal data on to other recipients outwith the company, to the extent that it is necessary for the data controller to comply with its legal obligations (for example the Reporting Act, tax and contributions legislation, etc.)

Data shall be processed in the European Union.

 

7. Duration of data storage

The data stored by us shall be deleted as soon as they have served their purpose, are no longer needed and as long as no legal retention obligation stands in the way of their deletion (Art. 17 of the GDPR). Retention obligations result from business and tax legislation in particular. Pursuant to German legal provisions, data is to be retained for six years under § 257 Section 1 HGB (commercial letters, booking confirmations) and 10 years under § 147 Section 1 AO (booking confirmations, invoices, commercial and business letters and taxation-related documents). Moreover, it may be that personal data is retained for a length of time during which claims are filed against the data controller. When it no longer serves any purpose, or once the timeframes have elapsed, the data shall be rendered inaccessible or deleted, as a matter of course, in accordance with legal provisions

 

8. Data security

We take technical, contractual and organisational action on data processing security as technical developments allow. This is how we ensure that we comply with the provisions of data protection legislation, in particular those of the GDPR, and that the data processed by us is protected against erasure, loss, alteration and hacking.

  

9. Your rights

When we process your personal data, you are the affected party under the terms of the GDPR and you have the following rights that may be invoked against us in respect of the personal data concerning you:

  • The right to access information (Art. 15 of the GDPR)
  • The right to rectification (Art. 16 of the GDPR)
  • The right to erasure (Art. 17 of the GDPR)
  • The right to restriction of processing (Art. 18 of the GDPR),
  • The right to data portability (Art. 20 of the GDPR)
  • The right to object to processing (Art. 21 of the GDPR)
  • The right to lodge a complaint with a data protection supervisory authority (Art. 77 of the GDPR)

 

10. Amendments to the data protection declaration

We reserve the right to amend these data protection notices, in order to bring them into line with changes to the legal position, changes to the service or those affecting data processing. However, this applies only with regards to data processing declarations. If the User’s consent is required, or if parts of the data protection notices contain regulations governing contractual relations with Users, changes may only be made with the User’s agreement.

Please refer to the data protection notices regularly to keep abreast of any changes

 

Data protection notices on our social media accounts

We want to keep in touch with our guests, and do so using social media as a means of communication that moves with the times.  To do so we have a varied online presence on social networks and platforms, in order to communicate with Users and bring our posts, services and initiatives to your attention.  

Please be advised that during this process, User data may be processed outside the European Union. Risks to the User may arise from this, because for example the enforcement of the User’s rights could be hampered. Please be advised that US service providers, which are certified under the Privacy Shield programme, hold themselves to the obligation to meet EU data protection standards.  

For detailed information on the different ways in which the personal data may be processed, privacy policy and objection procedures, please refer to the following service provider links.  

Please be advised that requests for information and enquiries on the exercise of User rights can be addressed the most effectively when raised with the service provider. Only the service providers have access to the User data and can directly take appropriate action and give out information. However, should you need help, you can contact us.

Instagram

We use Instagram - Instagram Inc., 1601 Willow Road, Menlo Park, CA, 94025, USA. You will find further information on its privacy policy at http://instagram.com/about/legal/privacy/

Twitter

We also use Twitter - Twitter Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA. You will find further information on its privacy policy at https://twitter.com/de/privacy

 

 

Notice regarding data protection on our Facebook fan page

1. General information

We run a company website ("Fan page") on the social network Facebook, a service provided by Facebook Inc., 1601 S. California Ave, Palo Alto, CA 94304, USA, in particular for representation, brand development and also for customer communications purposes

Whenever an Internet user visits our fan page, Facebook collects, stores and uses User data (for example IP addresses, preferences and personal interests, usage patterns in respect of Facebook pages, any personal information posted on Facebook, etc.), regardless of whether you have a Facebook account. We stress that Facebook also uses it for its own commercial purposes.

 

2. Data collection and storage

As soon as you load our fan page, your browser connects to a Facebook server. During this process your IP address will be passed on and cookies placed on your device, whether or not you have a Facebook account. In addition, Facebook can match up your visit to our site with your user account, if you have and are signed into a Facebook account.

Facebook alone determines how the data is processed. We have no control over the scope, location or duration of data storage, over the extent to which data is linked and analysed or over the forwarding of data. We also have no say in who the recipients may be. Furthermore, we cannot at this point ascertain whether and to what extent Facebook deletion timeframes shall adhered to.

You will find further information on this in the Facebook data policy, which can be accessed at https://www.facebook.com/about/privacy/

You can prevent Facebook from linking up data regarding your visit to our fan page with your stored Facebook account data by logging out of Facebook before visiting our fan page, deleting the cookies left on the device and closing and relaunching your browser. According to Facebook, this will delete information that allows Facebook to identify you.

Facebook itself states that it uses cookies, meaning both session cookies, which are deleted when the browser is closed, and persistent cookies, which remain on the terminal until they expire or are deleted by the User. A cookie is a tiny text file that allows a website to recognise a browser as one that it has encountered previously. Cookies are left on a computer when a website is first loaded and subsequently reloaded and read the next time the page is loaded by the web server. Via your browser settings you can decide for yourself whether to allow cookies, which cookies to allow and which ones you would like to allow, block or delete. Alternatively you can install an ad blocker.

According to Facebook, cookies serve authentication, security, website and product integrity, advertising, metrics, website functionality and services, performance, analytics and research purposes. You can find details on the cookies used by Facebook (for example the names of cookies, duration of activity, content held within them and their purpose) at https://www.facebook.com/policies/cookies/

At https://www.facebook.com/about/basics/advertising and http://www.youronlinechoices.com you can determine which ads are displayed to you on Facebook and which ones you do not want displayed to you in future.

We generally store personal data only until it has served the purpose for which it was collected. In the context of commercial relations with you, this can last for as long as the commercial relations are ongoing and includes the phases of entering into and terminating the contract. Moreover, we store data to the extent to which we are bound to by legal retention obligations.

In the context of consent granted by you, your personal data shall be stored until such time as you withdraw consent, or at most for the duration of the processing operation or until it has been completed, depending on the deletion timeframes.

 

3. Facebook Insights

We use the Facebook Insights functionality for statistics analysis purposes. In connection with this we receive anonymised data on the users of our Facebook fan page. We cannot draw inferences about you personally from it. For further information please refer to the Facebook Cookie policy.

 

4. Legal bases

The legal basis for data collection, storage and use rests on Art. 6 Section. 1 (f) of the GDPR and serves the purpose of communication with you that moves with the times, targeted representation of our company and of the services that we offer.  Furthermore, we do not carry out automated decision-making, including profiling, as per Art. 22 of the GDPR.

 

5. Forwarding and use of personal data

When you use our fan page on Facebook, Facebook also obviously has access to your data. It cannot be guaranteed that Facebook Inc., 1601 Willow Road, Menlo Park, California 94025, USA, does not have access to your data. Facebook is based in a non-EU country with a lower level of data protection. However, Facebook is a signatory to the EU-US Privacy Shield agreement, with a view to guaranteeing a level of data protection equivalent to that in place in the EU.

You can access the EU/US Privacy Shield certification at https://www.privacyshield.gov/list. With the European Commision’s implementing decision (EU) 2016/1250 of 12 July 2016, the level of protection provided by the EU/US Privacy Shield thus far was recognised as equal to that in the EU.

 

6. Your rights

You have the following rights:

  • The right to access information on your stored data: Art. 15 of the GDPR
  • The right to rectification of your stored data: Art. 16 of the GDPR
  • The right to erasure of your stored data: Art. 17 of the GDPR
  • Barring /Restriction of processing of your stored data: Art. 18 of the GDPR
  • Objection to the processing of your data: Art. 21 of the GDPR
  • The right to data portability: Art. 20 of the GDPR
  • The right to lodge a complaint with the competent supervisory authority: Art. 77 of the GDPR

If you have granted consent, under Art. 7, Section 3 of the GDPR, you also have the right to lodge a complaint effective in the future.

 

7. Contact information of the data controller and Data Protection Officer; joint data control pursuant to Art. 26 of the GDPR

Joint data controllers:

B&B HOTELS GmbH

Altkönigstrasse10
65239 Hochheim a.M.
Germany
E-mail: kontakt@hotelbb.de

and

Facebook Ireland Ltd.

4 Grand Canal Square, Grand Canal Harbour,
D2 Dublin
Ireland

For the processing of your personal data we are joint data controllers in conjunction with Facebook, in the eyes of the European Court of Justice (ECJ). You will find the ECJ ruling of 05/06/2018 at

http://curia.europa.eu/juris/document/document.jsf?text=&docid=202543&pageIndex=0&doclang=DE&mode=req&dir=&occ=first&part=1&cid=298398.

Due to joint data control we inform you with regard to Art. 26 of the GDPR as follows, on the basics of the existing joint data control agreement in place between us and Facebook:

https://www.facebook.com/legal/terms/page_controller_addendum

Please contact us with any further questions regarding data protection. Should you have any questions regarding the collection, processing or use of your personal data, information, correction, barring or erasure of data or withdrawal of consent for processing, please contact:

B&B HOTELS GmbH
Altkönigstrasse 10
65239 Hochheim am Main
Germany
E-mail: datenschutz@hotelbb.com