Menu opener
Country and language
Country
Other countries
Language
English
Currency
EUR
  1. B&B HOTELS
  2. B&B HOTELS Germany: Information according to Article 13 ff. of the General Data Protection Regulation (GDPR)
BackYour staySelect your dates to see availabilitiesChange datesSelect rooms and travelersClose
Select your dates to see availabilities
Please fill in the destination field
There are no suggestions
Allow geolocation in your browser settings, or type the destination
Please select period of 20 days max
Start date cannot be set in the past.

Please select period of 20 days maxStart date cannot be set in the past.

From
To
Clear dates
Rooms
-+
+ Add another roomValidate
Discount code
Valid Breakfast voucher to be added at checkout
Add a discount code
  • Destination
  • FromTo
    FromTo
  • 1 room, 1 adult
  • 1 room, 1 guest

B&B HOTELS Germany: Information according to Article 13 ff. of the General Data Protection Regulation (GDPR)

Data Protection Information

Status: October 2025

 

Preamble

In the course of our business activities, we process personal data of visitors to our websites, users of our app, hotel guests, participants in our loyalty programs, prospective customers, service providers, and other business partners.

This Privacy Notice is aimed at users, guests, and future guests (hereinafter "you") in connection with (i) visiting the website https://www.hotel-bb.com/de (hereinafter "Website") and the mobile application B&B HOTELS (hereinafter "App"), as well as channels on social media platforms in German, (ii) participation in one of the loyalty programs, and (iii) a stay at a hotel in Germany.

It serves to inform you, in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter "General Data Protection Regulation" or "GDPR"), about how your personal data is processed via our Website, App, and social media channels, and particularly in connection with accommodation in one of our hotels and with our loyalty programs.

The protection of your personal data is a priority concern for the companies of the B&B HOTELS Group. Therefore, the companies of the B&B HOTELS Group commit to processing this data in strict compliance with the General Data Protection Regulation and other applicable data protection laws.

 

1. Definitions

App: refers to the B&B HOTELS mobile application, available in IOS and Android versions.

Controller is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.    

Website: is the website accessible at the URL address https://www.hotel-bb.com/de.    

User: refers to any person who accesses the website and the app, regardless of whether they are a customer, an operator or a normal internet user with or without an account.    

Furthermore, we refer to the definitions in Art.  4 GDPR for the terms used:  

Personal data is any information relating to an identified or identifiable natural person.  This includes, for example, your name, your address and communication data or your e-mail address.    

Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.    

Data subject is any identified or identifiable natural person whose personal data is processed by the controller.    

 

2. Controllers

  1. The Controller within the meaning of the GDPR is the person who decides on the purposes and means of the processing of personal data. If several persons jointly decide on the purposes and means of processing, they are jointly responsible for the processing. For some processing operations, the German operating company of the B&B HOTELS Group mentioned below is solely responsible. For others, the operating companies of the B&B HOTELS Group are each jointly responsible for the processing and act jointly with other companies.

Sole Controller:

B&B Hotels Germany GmbH, Altkönigstraße 10, 65239 Hochheim am Main (Germany), registered in the commercial register of the Wiesbaden Local Court under number HRB 31371, is solely responsible for the following processing operations: 

(1) Processing of reservations not made through the online booking system;

(2) Management of accommodation contracts; 

(3) Exercise of data subjects' rights according to the GDPR;

(4) Processing of insurance claims;

(5) Management of registration forms for accommodation;

(6) Establishment and operation of a video camera system in the self-operated hotels;

(7) Operation and provision of guest Wi-Fi in the self-operated hotels;

(8) Processing of guest complaints and claims;

(9) Accounting and receivables management in connection with accommodation in the self-operated hotels.

The companies of the B&B HOTELS Group operate the online booking system, which is the central reservation system for all B&B Hotels.

(1) Operation of the online booking system and processing of reservations made through it; 
(2) Implementation of direct marketing measures; 
(3) Administration of loyalty programs.    

The companies in the list, which you can access here, are jointly responsible for the administration of the paid loyalty program B&B HOTELS Club.

The companies in the list, which you can access here, are jointly responsible for the administration of the free loyalty program B&me.    

The companies on the list, which you can access here, are jointly responsible for processing data for the purpose of managing direct marketing activities/campaigns for customers and prospects of the B&B HOTELS Group.

The companies on the list, which you can access here, are jointly responsible for processing whose purpose is the management of Online Bookings.

The companies in the list, which you can access here, are jointly responsible for the processing of data in the central reservation system (CRS) whose purpose is the centralisation of booking data.

The processing of personal data in connection with the storage and reading of cookies on the Website is jointly carried out by the companies in the list, which you can access here. As such, these companies are jointly responsible for the processing of data in connection with the storage and reading of cookies on the Website.

The joint controllers have concluded joint controller agreements for the aforementioned processing operations, in which their respective obligations are defined. The essential content of these agreements is available upon request at the following address: datenschutz@hotelbb.com.

Information on the processing operations carried out in this context is provided in detail below. The data protection officer of B&B Hotels Germany GmbH can be contacted by email at datenschutz@hotelbb.com or by telephone at +49 (0) 6146 9090-0 or via the mentioned postal address with the addition "Der Datenschutzbeauftragte" (The Data Protection Officer).

 

3. General criteria for storage duration

Unless a more specific storage duration is mentioned within this Privacy Notice, your personal data will be kept until the purpose for the data processing ceases to apply. If you assert a legitimate request for erasure or revoke consent to data processing, your data will be erased, provided that we do not have other compelling legitimate grounds for the continued storage of your personal data (e.g., tax or commercial law retention periods) ; in the latter case, the erasure will take place after these grounds cease to exist.

 

4. General Information on the Legal Bases for Data Processing on this Website

If you have consented to the data processing, we process your personal data on the basis of Art. 6 para. 1 lit. a GDPR. In the case of explicit consent to the transfer of personal data to third countries, data processing is also carried out on the basis of Art. 49 para. 1 lit. a GDPR. Consent can be revoked at any time. If your data is required for the conclusion or fulfilment of a contract or for the performance of pre-contractual measures, we process your data on the basis of Art. 6 para. 1 lit. b GDPR. Furthermore, we process your data, if this is necessary for compliance with a legal obligation, on the basis of Art. 6 para. 1 lit. c GDPR. Data processing can also be carried out on the basis of our legitimate interest according to Art. 6 para. 1 lit. f GDPR. We inform about the respective applicable legal bases in the individual case in the following paragraphs of this Privacy Notice.

 

5. General Information on Data Transfer to Third Countries

Some companies of the B&B HOTELS Group are based in a third country outside the European Union and the European Economic Area. For the data transfer with these companies of the B&B HOTELS Group, the EU standard contractual clauses have been concluded, which you will be provided with upon request using the contact details mentioned, e.g., by email to privacy@hotelbb.com. Great Britain and Switzerland have been confirmed to have a level of data protection comparable to that of the EU by adequacy decisions of the EU Commission of 28.06.2021 (Great Britain) and 26.07.2000 (Switzerland).

Subject to your consent, tools are used on the Website and the App, and external content and media are integrated, which are offered by companies based in third countries. If these tools are activated, your personal data can be transferred to these third countries and processed there. We point out that a level of data protection comparable to that of the EU cannot be guaranteed in third countries that are unsafe in terms of data protection law. In these cases, data transfer takes place based on additional safeguards pursuant to Art. 44 et seq. GDPR. The USA is classified by the EU Commission as a safe third country with a level of data protection comparable to that of the EU under certain conditions. A data transfer to the USA is then permissible if the data recipient is certified under the "EU-U.S. Data Privacy Framework" (DPF). Information on transfers to third countries, including the data recipients, can be found in this Privacy Notice as well as in the cookies and other trackers.

 

6. Information on the Processing of Personal Data

6.1. Visiting the Website

When you visit the Website, your browser transmits certain system and browser data for technical reasons. This includes the following data (so-called server log files), which are processed by the joint controllers for the online booking system:

  • IP address    
  • Date and time of the server request    
  • Browser, language and version of the browser software    
  • Operating system used    
  • Hostname of the accessing computer    
  • Website from which the request comes ("referrer URL") 

This data is not stored together with other personal data of the users.

The temporary storage of the user's IP address by the web server is technically necessary to be able to display the Website. For this purpose, the IP address must necessarily remain stored for the duration of the session.

The storage of the data mentioned above in the log files is done to ensure the functionality of the online booking system. This data is also used to ensure the security of the information technology systems (e.g., for attack detection). An evaluation of the data for marketing purposes does not take place in this context.

The legal basis for the temporary storage of this data and the log files is Art. 6 para. 1 lit. f GDPR. The legitimate interest consists in the technically error-free presentation and optimisation of the Website – the server log files must be recorded for this purpose.

The data mentioned above will be erased as soon as they are no longer required to achieve the purpose for which they were collected. In the case of data collection for the provision of the Website, this is the case when the respective session is ended. In the case of data stored in the log files, the retention period amounts to up to 3 months. Storage beyond this is possible if this data is required for (e.g., clarification of attacks, abuse, or fraud acts). Data whose further retention is required for evidence purposes are excluded from erasure until the final clarification of the respective incident.

The collection of data for the provision of the Website and their storage in log files is absolutely necessary for the operation of our Website for technical reasons. Consequently, you have no right to object.

6.2. Contact Form on the Website

If you send us inquiries via the contact form on the Website, we collect the data requested in the contact form (e.g., name, email address) as well as information about your request. Mandatory fields are marked accordingly. We process your personal data to answer your inquiry and process your request. We store your data in case of follow-up questions.

If your inquiry is related to the fulfilment of a contract or is necessary for the performance of pre-contractual measures (e.g., an offer), the processing is carried out on the basis of Art. 6 para. 1 lit. b GDPR. In all other cases, the processing is based on our legitimate interest in the effective handling of inquiries addressed to us (Art. 6 para. 1 lit. f GDPR).

The data is used exclusively for the processing of the conversation and the handling of your request. The data you enter in the contact form remains with us until you request us to erase it or the purpose for data storage ceases to apply (e.g., after your request has been fully processed). Mandatory legal provisions – in particular retention periods – remain unaffected. Your personal data will be erased at the end of the calendar year, at the latest three years after the completion of the processing of your request.

6.3. Inquiries by Email or Telephone

If you contact us via the email addresses provided on the Website or by telephone, we store and process your inquiry including all resulting personal data (name data, address data, contact data, inquiry) for the purpose of processing your request.

If your request is related to the fulfilment of a contract or is necessary for the performance of pre-contractual measures (e.g., an offer), the processing is carried out on the basis of Art. 6 para. 1 lit. b GDPR. In all other cases, the processing is based on our legitimate interest in the effective handling of inquiries addressed to us (Art. 6 para. 1 lit. f GDPR).

The data is used exclusively for the processing of the conversation and the handling of your request.

The data transmitted by you via contact inquiries remains with us until you request us to erase it or the purpose for data storage ceases to apply (e.g., after your request has been fully processed). Mandatory legal provisions – in particular retention periods – remain unaffected. Your personal data will be erased at the end of the calendar year, at the latest three years after the completion of the processing of your request.

6.4. Newsletter

You can subscribe to a newsletter on our Website. We only send newsletters with the recipients' consent. We use a double opt-in procedure for this. After registering for the newsletter, you will receive an email in which you must confirm your registration. We use this procedure so that no one can register with a foreign email address. We log registrations for the newsletter to be able to prove the registration process in accordance with legal requirements. This includes the date, time, and IP address at the time of registration. For registration for the newsletter, we collect the name and email address.

We send newsletters for advertising purposes to inform about offers, promotions, and other news about B&B HOTELS.

The processing of the data entered in the newsletter registration form is carried out exclusively on the basis of your consent (Art. 6 para. 1 lit. a GDPR in conjunction with Section 7 para. 2 no. 2 Act Against Unfair Competition (UWG)). By sending the email in the context of the double opt-in procedure, we fulfil our legal obligation to verify your email address, Art. 6 para. 1 lit. c GDPR. Your data in connection with the newsletter registration and sending will be processed by the marketing department of B&B Hotels Germany GmbH. The companies of the B&B Hotels Group, whose overview is available above, are jointly responsible for the administration and implementation of the direct marketing measure. The joint controllers have commissioned B&B HOTELS DIGITAL SERVICES, 9 boulevard Romain Polland, 75014 Paris, France, as well as MOVE ON B&B HOTELS, 271, rue du Général Paulet, 29200 Brest, France, with the administration and sending of the newsletters. The contractors act on the basis of commissioned processing contracts on the instructions of the joint controllers.

Consent to receive our newsletter can be revoked at any time without giving reasons with effect for the future, for example, via the unsubscribe function in every newsletter. In the event of revocation, your email address will be marked with a block to document that you no longer wish to receive the newsletter in the future. Data that is no longer required will be erased immediately. The block mark and your email address will be erased three years after the end of the calendar year in which the block mark was set. If you do not confirm your consent to receive our newsletter within the double opt-in procedure, we will block your email address and erase it after six months, unless we have to keep it for other reasons and in another context.

6.5. Online Booking of Hotel Stays and Check-in

When you book a room via the online booking system on the Website or the App, we process the personal data requested via the booking form (e.g., personal master data, contact data, reservation/booking details, conditions, payment and invoice data) for the purpose of carrying out the booking and concluding an accommodation contract. Your email address is processed to send you reservation/booking confirmations, changes, cancellations, and other communications related to the reservation/booking and the accommodation contract. In addition, you will receive an automatically generated invitation to the online check-in by email before the planned day of arrival. For the online check-in, it is necessary that you register via the link in the email and provide your credit card data (card number, expiry date, security number) for the purpose of payment.

The companies of the B&B Hotels Group, whose overview is available above, are jointly responsible for the data processing via the online booking system on the Website and the App. The joint controllers have commissioned B&B HOTELS DIGITAL SERVICES, 9 boulevard Romain Polland, 75014 Paris, France, as well as MOVE ON B&B HOTELS, 271, rue du Général Paulet, 29200 Brest, France, with the operation and administration of the online reservation system. The contractors act on the basis of commissioned processing contracts on the instructions of the joint controllers.

For the purpose of concluding and fulfilling the accommodation contract, the data from the online booking system may be transmitted to the operator of the hotel for which you have booked your stay.

To comply with legal registration obligations, it may be necessary for some personal data to be transmitted to the registration authority responsible for the hotel in which you are staying, after you have checked in to the hotel. When checking in, you are obliged to provide this data.

In the case of accommodation of an unaccompanied minor, the hotel where the overnight stay takes place collects a declaration from a legal representative stating the name, contact details, and a copy of an identity document. Details on data processing can be found in the corresponding form

The legal basis is Art. 6 para. 1 lit. b GDPR, as the processing of the data is necessary for the conclusion and performance of an accommodation contract in a B&B Hotel. By reporting guest data to the respective competent registration authority, the B&B Hotel fulfils its legal obligation as a hotel business according to Art. 6 para. 1 lit. c in conjunction with Sections 29, 30 Federal Registration Act (BMG).

The data stored by us will be erased as soon as they are no longer required for their intended purpose and no legal retention obligations prevent the erasure. The commercial and tax law retention periods in connection with the accommodation contract are six years (Section 257 para. 1 HGB) or ten years (Section 147 para. 1 AO). The registration forms required according to the Federal Registration Act are kept for one year after registration and destroyed within three months after the expiry of the retention period, in accordance with the provisions under Section 30 BMG.

If you have made a booking with us, we use your email address to send you advertisements for similar goods and services related to your booking. You can object to this use at any time either by clicking the unsubscribe link in the footer of such an advertising email or alternatively by sending us a message via the contact form on our Website with the subject "Feedback on your stay" stating your email address.

The legal basis for this data processing is Art. 6 para. 1 f) GDPR in compliance with the requirements of Section 7 para. 3 UWG. Our legitimate interest lies in promoting customer loyalty

6.6. User Account and Participation in the B&me Loyalty Program

On the Website and the App, there is the possibility to create a personalized user account ("B&me Account") to view bookings, make future reservations faster, and take advantage of the benefits of the B&me loyalty program.

For the creation and maintenance of the B&me Account, the data requested in the registration form (personal master data, contact data, language and country settings, password, communication settings) are processed. Details on bookings and hotel stays, as well as benefits claimed from the B&me loyalty program, are added to the B&me Account and can be accessed there at any time. Registration for the user account and participation in the B&me loyalty program is verified via a double opt-in procedure. Here you receive a confirmation email with the link that you must click to activate the B&me Account. Your email address is stored for this purpose and for further communication in connection with your B&me Account.

The legal basis for the data processing is Art. 1 lit. b GDPR. The processing of the data is necessary for the registration for the user account as well as the conclusion and performance of participation in the B&me loyalty program.

The companies of the B&B Hotels Group, whose overview is available above, are jointly responsible for the data processing in connection with the implementation of the B&me loyalty program. The joint controllers have commissioned B&B HOTELS DIGITAL SERVICES, 9 boulevard Romain Polland, 75014 Paris, France, with services in the context of the management of the B&me loyalty program. B&B HOTELS DIGITAL SERVICES processes the personal data on the basis of a commissioned processing contract on the instructions of the joint controllers.

The personal data are stored for the duration of the existence of the user account and participation in the B&me loyalty program. You can terminate your B&me Account and your participation in the B&me loyalty program at any time via the user account itself. The data will then be erased at the latest after the expiry of the commercial law retention period of six years in accordance with Section 257 HGB.

6.7. B&me Club Loyalty Program

Via the B&me Account, there is the possibility on the Website and the App to register for the paid participation in the B&me Club loyalty program.

For the conclusion and performance of participation in the B&me Club loyalty program, the data requested in the registration form for the B&me Account (personal master data, contact data, language and country settings, password, communication settings) are processed. Details on bookings and hotel stays, as well as benefits claimed from the B&me loyalty program and the B&me Club loyalty program, are added to the B&me Account and can be accessed there at any time. An identification number is also stored for each member. Participation in the B&me Club loyalty program is confirmed with a message to the email address provided during registration. The email address is used for further communication regarding the B&me Club loyalty program. The legal basis for the data processing is Art. 1 lit. b GDPR. The processing of the data is necessary for the registration for the user account as well as the conclusion and performance of participation in the B&me Club loyalty program.

The companies of the B&B Hotels Group, whose overview is available above, are jointly responsible for the data processing in connection with the implementation of the B&me Club loyalty program. The joint controllers have commissioned B&B HOTELS DIGITAL SERVICES, 9 boulevard Romain Polland, 75014 Paris, France, with services in the context of the management of the B&me Club loyalty program. B&B HOTELS DIGITAL SERVICES processes the personal data on the basis of a commissioned processing contract on the instructions of the joint controllers.

The personal data are stored for the duration of participation in the B&me Club loyalty program. After termination of participation in the B&me Club loyalty program, the data will be erased at the latest after the expiry of the commercial law retention period of six years in accordance with Section 257 HGB.

5.8. Voucher shop

On the Website, there is the possibility to purchase value vouchers for stays in a B&B Hotel. Information on the processing of personal data in connection with this voucher shop is available directly in the shop area under "Datenschutzerklärung" (Privacy Policy).

6.9. Payment Service Provider

If you use third-party payment services (e.g., PayPal, Visa, Mastercard, Maestro, American Express), the companies of the B&B HOTELS Group work with the payment service provider Adyen N.V. (hereinafter "Adyen"), Simon Carmiggeltstraat 6-50, 1011 DJ, Amsterdam, Netherlands,.

Adyen is a Full Payment Service Provider who, among other things, handles payment processing. The data necessary for the respective payment method are transmitted to Adyen, unless they are collected directly by the respective payment service (e.g., PayPal) itself.

The bank card number, expiry date, and cryptogram are processed exclusively by Adyen, who only provides us with a token for the guarantee and payment of the bookings.

The purpose of the transfer is identity verification, the desired payment processing, the performance of any credit check, and fraud prevention. Adyen also passes on the personal data to service providers or subcontractors insofar as this is necessary to fulfil the contractual obligations.

The legal basis for the processing is Art. 6 para. 1 lit. b, lit. c, lit. f GDPR. With the transfer for identity verification, we fulfil legal obligations for customer authentication pursuant to Art. 6 para. 1 lit. c GDPR in conjunction with the Payment Services Directive and the Payment Services Supervision Act. The legitimate interest in the data transfer follows from the purposes outlined above.

The terms and conditions and the privacy policy of our partner for electronic payment processing apply. Further information on data protection can be found at https://www.adyen.com/privacy-policy

6.10. Guest Reviews

To get feedback from our guests about their stay, we use a review service offered via TrustYou GmbH, Schmellerstraße 9, 80337 Munich, www.trustyou.com. If you have consented to receive the newsletter, B&B Hotels Germany GmbH will send you an email after a stay in a B&B Hotel in Germany with a link via which a review of your last stay can be submitted. If you make use of the option to submit a review, name, email address and/or telephone number, IP address, your review score and details of the review, other data entered, as well as system data (browser type and version, device used, date and time of submission of the review, referring URL) are transmitted to TrustYou GmbH and evaluated by TrustYou and B&B Hotels Germany GmbH. The review score, details of your review, your first name, the first letter of your last name, and the date of the review can be made publicly accessible on the Website and the App.

Collecting and analyzing reviews helps us to improve our quality.

The legal basis for the data processing is your consent to receive the newsletter (Art. 6 para. 1 lit. a GDPR) as well as the legitimate interest of B&B Hotels Germany GmbH in operating a review system and evaluating reviews after the voluntary use of the review system by guests (Art. 6 para. 1 lit. f GDPR).

Submitting a review is voluntary. You can object to the continued receipt of invitations to review the hotel by email at any time via the corresponding link in every email.

TrustYou GmbH acts on the basis of a commissioned processing contract on the instructions of B&B Hotels Germany GmbH. More information on the handling of data at TrustYou can be found in TrustYou's privacy policy at: https://www.trustyou.com/downloads/privacy-policy.pdf.

Reviews are made publicly accessible on the Website and the App for a maximum period of 24 months from submission. The data collected in connection with a review is stored and evaluated for a maximum period of five years from the submission of the review. TrustYou GmbH is authorised to anonymise the data thereafter and to store and use it for analysis purposes without temporal and spatial restriction.

6.11. Implementation of Sweepstakes

We occasionally organise sweepstakes or other competitions in which guests and other interested parties can participate, e.g., in connection with submitting a guest review. For this purpose, we process the data required for participation, such as names, email addresses, and answers to sweepstake and competition questions. Subsequently, in the event of a win, address data may be requested to send a prize.

The processing is carried out solely for the purpose of implementing the sweepstake or competition, i.e., for determining and notifying winners, as well as for sending prizes.

For sweepstakes and other competitions in connection with submitting a guest review, we use the support of TrustYou GmbH, Schmellerstraße 9, 80337 Munich, who acts on the basis of a commissioned processing contract on our instructions.

Insofar as we obtain your consent in the context of a sweepstake or competition, this is the legal basis for the data processing (Art. 6 para. 1 lit. a GDPR). Otherwise, Art. 6 para. 1 lit. b GDPR is the legal basis, as the data processing is necessary for participation in the sweepstake or competition.

The data will be erased after the sweepstake or competition has been carried out, unless you have given consent to the further processing of your data or a longer retention period must be taken into account in connection with the redemption or use of a prize.

6.12. Video Surveillance in Hotels

Video surveillance may be used in individual areas of hotels and the associated premises, particularly parking lots. In this context, images of guests can be recorded and evaluated on a case-by-case basis.

Video surveillance is generally carried out within the legal limits. The legal basis is the legitimate interest in the safety of our guests and hotel property pursuant to Art. 6 para. 1 lit. f GDPR.

Detailed information on the use of video cameras and data processing in this context can be found on site in the hotels.

6.13. Guest Wi-Fi in Hotels

Access to guest Wi-Fi is provided in the hotels operated by B&B Hotels Germany GmbH in Germany.

In the context of using the guest Wi-Fi, the following data may be processed, some of which is stored via the use of cookies and some of which can optionally be provided by you: MAC or IP address of the end device used, email address, username, name, room number, login date.

For the provision and operation of the guest Wi-Fi system, B&B Hotels Germany GmbH has commissioned m3connect GmbH, Friedlandstraße 18, 52064 Aachen. M3connect GmbH processes your data on instruction on the basis of a commissioned processing contract.

The legal basis for the data processing is Art. 6 para. 1 lit. b GDPR, insofar as the data is required for the desired use of the guest Wi-Fi. In the case of storing information in cookies, we also base the processing on our legitimate interests pursuant to Art. 6 para. 1 lit. f GDPR. The cookies are technically necessary to ensure the functionality of the Wi-Fi system. This is also our legitimate interest.

The data is processed for authentication and ensuring the error-free operation of the guest Wi-Fi.

The data will be erased after 10 weeks at the latest, unless legal retention obligations prevent the erasure. The technically necessary cookies are session cookies that have a maximum functional duration of one day.

Further details can be found in the notices on site when registering for the guest Wi-Fi.

6.14. Central Telephone Reservation Centre

As part of our services, the B&B HOTELS Group operates a central telephone reservation centre, which is also available to the hotels of B&B HOTELS GmbH in Germany. You can make telephone bookings and receive information about your stay via this reservation centre. The purpose of the processing is the handling and administration of reservations received by telephone via the central reservation centre; the central consolidation and administration of reservation data as well as quality assurance and improvement of our booking service.

Individual conversations can be recorded for quality control and employee training. The recordings serve exclusively internal purposes, are not passed on to third parties and are erased after 30 days at the latest. The legal basis for this is Art. 6 para. 1 lit. f GDPR (legitimate interest in optimising our customer service). You will be informed about a recording before it begins and can object to it.

The legal basis for the remaining processing is Art. 6 para. 1 lit. b GDPR (processing for the fulfilment of a contract or for the performance of pre-contractual measures at the request of the data subject) as well as Art. 6 para. 1 lit. f GDPR (legitimate interest in efficient processing of reservations and optimisation of our service offering).

For this purpose, the following categories of personal data are processed: name, salutation; address, email address, telephone number; booking and travel data (hotel, length of stay, services booked, special requests); payment data (if required for booking security) as well as communication content (e.g., content of telephone inquiries or audio recordings, if a recording is made).

Recipients of the data are B&B HOTELS Germany GmbH as well as the hotels of the B&B HOTELS Group in Germany where a reservation is made, as well as agents and IT and service providers (in the context of commissioned processing).

The personal data are stored for the duration of the processing of the reservation and the stay. The data will be erased after full processing and expiry of legal retention periods.

In addition, we point out that an automated evaluation of the conversation content is carried out within the framework of calls to the central reservation centre by AI-supported software (Amazon Connect). This serves exclusively for quality assurance and optimisation of our service processes, in particular for assessing conversation flows, recognizing mood indicators (so-called sentiment analysis) as well as for improving conversation management.

The legal basis for this is Art. 6 para. 1 lit. f GDPR (legitimate interest in quality assurance and improvement of our services). The processing is not carried out for automated decision-making within the meaning of Art. 22 GDPR.

If the conversation is recorded, the data subjects are informed in advance and have the option to object to this processing through a corresponding selection in the telephone announcement.

The AI-supported analysis is carried out exclusively within the framework of commissioned processing pursuant to Art. 28 GDPR by Amazon Web Services EMEA SARL. An adequate level of data protection is ensured by the conclusion of the EU standard contractual clauses pursuant to Art. 46 para. 2 lit. c GDPR.

 

7. Cookies

Our website uses so-called "cookies" and other tracking tools. Details on this and your setting options are presented in our notices on cookies and other trackers.

 

8. Our Presences on Social Media Channels

B&B Hotels Germany GmbH maintains its own channel on several social media platforms. When you visit our profile on one of the social media platforms, the respective provider of the social media platform processes data about you to create usage profiles and to operate and improve its own services. Furthermore, some providers of the social media platforms provide us with evaluations of the use of our profile in anonymised form. The data processing takes place partly independently of whether you are registered on the social media platform yourself or not. The evaluations usually include the following information:

  • Reach measurements regarding profile, posts and other functions, i.e. total number of people who have visited/used the profile, posts and other functions;
  • aggregated data on age, gender and place of residence (country, region/city) of people who visit the profile;
  • Usage time for videos and other functions;
  • Time and location of use;
  • Devices, operating systems and software used;
  • Interactions in connection with posts, e.g. click rates, shares, comments.

With regard to the data processing operations for the purposes of the aforementioned evaluations, B&B Hotel Germany GmbH is jointly responsible with the respective providers of the social media platforms within the meaning of the GDPR and has concluded corresponding joint controller agreements.

We have no influence on whether and to what extent the providers collect personal data on their social media platforms. We are also not aware of the scope, purpose and storage period of the data collection. It must be assumed that at least the IP address and device-related information are recorded and used. It is also possible that the providers use cookies and comparable technologies on their platforms, with which the usage behaviour on the platforms and other services of the providers can be tracked and evaluated.

The providers of the social media platforms are partly based outside the territory of the European Union (EU) and the European Economic Area (EEA) (so-called "third countries"), in particular in the USA. These third countries partly do not have a level of data protection corresponding to that of the EU or the recognition of the adequate level of data protection is dependent on further prerequisites, such as certification under the EU-U.S. Data Framework Agreement for US companies. In some third countries, for example in the USA, government agencies have far-reaching access rights to data of companies with headquarters in these third countries. We cannot rule out that even if the providers are based in the EU, data may also be transferred to the group companies in the USA or in another third country.

Further information on the individual providers of the social media platforms where we operate a profile:

  • Facebook and Instagram: The provider for the European region is Meta Platforms Ireland Limited (4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland, “Meta”). Further information on data protection can be found at https://facebook.com/policy.php and in relation to Instagram at https://help.instagram.com/519522125107875. Information on the cookies used by Meta when you visit our Facebook page or our Instagram channel can be found at https://www.facebook.com/policies/cookies. For the processing operations where we are joint controllers with Meta, the following joint controllership agreement applies: https://www.facebook.com/legal/controller_addendum. The group headquarters Meta Platforms Inc, Menlo Park, California, USA, is certified under the EU-U.S. Data Privacy Framework.
  • LinkedIn: The provider for the European region is LinkedIn Ireland Unlimited Company (Wilton Place, Dublin 2, Ireland). Further information on data protection can be found in LinkedIn's privacy policy at https://www.linkedin.com/legal/privacy-policy and in the cookie policy at https://www.linkedin.com/legal/cookie-policy. For the processing operations for which we are jointly responsible with LinkedIn, the following joint responsibility agreement applies: https://legal.linkedin.com/pages-joint-controller-addendum. The corporate headquarters LinkedIn Corporation, Sunnyvale, California, USA, is certified under the EU-U.S. Data Privacy Framework.  
  • YouTube: The provider for the European region is Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland). Further information on data protection can be found in Google's privacy policy at https://policies.google.com/privacy?hl=de. The corporate headquarters Google LLC, Mountain View, California, USA is certified in accordance with the EU-U.S. Data Privacy Framework.
  • TikTok: The provider for the European region is TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, D02 T380, Ireland. Further information on data protection can be found in the privacy policy at https://www.tiktok.com/legal/privacy-policy-eea?lang=de.

 

9. Automated Individual Decision-Making, Profiling

No automated individual decision-making is carried out for the establishment and performance of business relationships and no profiling takes place. Should these procedures be used in individual cases, separate information will be provided if legally required.

 

10. Obligation to Provide Data

For the establishment, performance, and termination of a business relationship (e.g., booking, accommodation contract, participation in a loyalty program, receipt of a newsletter), it is necessary or partly legally required that you provide us with personal data. Without this data, a business relationship will usually not be able to come about or will have to be terminated. In forms, this data is regularly marked as mandatory information.

 

11. Data Security

We attach particular importance to the security of personal data. We implement technical and organisational measures that are appropriate to the degree of sensitivity of the personal data to ensure the integrity and confidentiality of the data and to protect it against malicious intrusion, loss, alteration, or disclosure to unauthorised third parties. These security measures include, for example, the encrypted transmission of data between your browser and our servers. Please note that SSL encryption is only activated for transmissions carried out over the Internet if the key symbol appears in your browser window and the address begins with https://. TLS (Transport Socket Layer) protects data transmission with encryption technology against illegal data access by third parties. If this option is not available, you can also decide not to send certain data over the Internet.

 

12. Your Rights

Right of access (Art. 15 GDPR): You have the right to request access to the personal data processed about you. This right also includes a copy of the corresponding data.

Right to rectification (Art. 16 GDPR): You have the right to demand the immediate rectification of inaccurate personal data concerning you. Taking into account the purposes of the processing, you have the right to have incomplete personal data completed.

Right to erasure (Art. 17 GDPR): You have the right to demand that the personal data concerning you be erased without undue delay, provided that one of the reasons mentioned there applies.

Right to restriction of processing (Art. 18 GDPR): You have the right to demand the restriction of the processing of your personal data, provided that one of the reasons mentioned there applies.

Right to data portability (Art. 20 GDPR): You have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format, and you have the right to transmit those data to another controller without hindrance under certain circumstances.

Right to object (Art. 21 GDPR): You have the right to object, on grounds relating to your particular situation, at any time to the processing of your data, insofar as the data processing is based on a balancing of interests pursuant to Art. 6 para. 1 lit. f GDPR. This also applies to profiling based on this provision within the meaning of Art. 4 No. 4 GDPR. If you object, your personal data will no longer be processed, unless there are demonstrably compelling legitimate grounds for the processing that outweigh your interests, or the processing serves the establishment, exercise, or defence of legal claims.

Withdrawal of consent (Art. 7 para. 3 GDPR): Pursuant to Art. 7 para. 3 GDPR, you have the right to withdraw any consent you have given to the processing of personal data at any time without giving reasons with effect for the future.

The restrictions under Sections 34 and 35 of the Federal Data Protection Act (BDSG) apply to the right of access and the right to erasure.

You can exercise your rights:

  • at the following e-mail address: datenschutz@hotelbb.com;
  • or via the postal address: B&B HOTELS Legal Department/Data Protection, Altkönigstraße 10, 65239 Hochheim am Main.

You also have the right to lodge a complaint with a supervisory authority (Art. 77 GDPR in conjunction with Section 19 BDSG) if you believe that the processing of your personal data is not lawful. This can be done, for example, with the supervisory authority responsible for B&B Hotels Germany GmbH: Der Hessische Datenschutzbeauftragte, Gustav-Stresemann-Ring 1, 65189 Wiesbaden, https://datenschutz.hessen.de.

 

13. Changes to the Privacy Notice

We reserve the right to change the Privacy Policy to adapt it to changed legal situations or in the event of changes to the service as well as data processing. However, this only applies with regard to declarations on data processing. Insofar as the consent of the users is required or parts of the Privacy Policy contain provisions of the contractual relationship with the users, the changes will only take place with the users' consent.

Please inform yourself regularly about the content of the Privacy Policy.

  • Print
    this page
  1. B&B HOTELS
  2. B&B HOTELS Germany: Information according to Article 13 ff. of the General Data Protection Regulation (GDPR)