Status february 2021
B&B HOTELS Germany: Information according to Article 13 ff. of the General Data Protection Regulation (GDPR)
We process your personal data in compliance with the provisions of the EU General Data Protection Regulation (GDPR) and with national data protection legislation, as well as all other relevant legislation.
You will find the currently applicable version of the policy at: https://www.hotel-bb.com/de/datenschutzbestimmungen.
However, these data protection notices also apply to reservations and bookings at our hotels.
The terms used herein are those defined in Art. 4 of the GDPR.
Personal data means any information concerning an identified or identifiable natural person. This includes, for example name, address and contact information, e-mail address and usage patterns.
Processing means any process, operation or sequence of operations (automated or otherwise) performed in respect of personal data, such as the following: collection, gathering, collation, filing, storage, adjustment or amendment, reading, use, disclosure through transmission, dissemination or any other means of delivery, comparison or linkage, restriction, deletion or erasure.
The affected person is any identified or identifiable natural person whose personal data is processed by the data controller.
The "data controller" is the natural person or legal entity, administration, facility or other organisation which, either single-handedly or in conjunction with others, decides on the purposes and methods of personal data processing.
Users includes all categories of persons affected by data processing. They include our customers and guests and those visiting our Website.
1. Name a address of the data controller
The data controller is the party with whom you have entered into a contract
B&B Hotels Germany GmbH, Altkönigstraße 10, 65239 Hochheim am Main, Tel.: +49 (0) 6146 9090 0, Fax: +49 (0) 6146 9090 111, E-Mail: firstname.lastname@example.org, represented by Chief Executives Fabrice Collet and Max C. Luscher
2. Data Protection Officer
You can contact our Data Protection Officer by e-mail at email@example.com or by letter addressed to "The Data Protection Officer".
3. Processing of personal data
3.1 Contract performance
When you book a hotel room with us or via a third-party service provider (for example a hotel reservation platform), we collect, process and use your personal data to manage our existing commercial relations with you, including the necessary communications, not least for the provision of services that we are contractually bound to deliver, payment and billing procedures. The legal basis for this is Art. 6, Section 1 (b) of the GDPR. This is permissible provided that the processing is necessary for the performance of a contract to which the affected person is a party, or that it serves to perform precontractual action carried out on request.
3.2. Legitimate interests
Moreover, we process personal data on the basis of Art. 6, Section 1 (f) of the GDPR, provided that this processing is necessary for the pursuit of the affected person’s own legitimate interest or that of a third party, and unless it is overriden by their fundamental rights and freedoms which require protection of personal data. This applies not least to crime prevention, criminal investigations, company strategy, internal communications and miscellaneous administrative purposes.
Furthermore, we process personal data on the basis of Art. 6, Section 1 (a) of the GDPR, provided that the party to the contract has granted their consent for the processing of the personal data concerning them for (a) particular purpose(s). Consent is freely given and can be withdrawn at any time.
3.4. Legal obligation
A legal obligation to pass on personal data as per Art. 6, Section 1 (c) of the GDPR may result from legal provisions that apply to us, for example tax legislation, the Reporting Act or miscellaneous public service obligations.
4. Data origin
We generally get your personal data from you yourself, or from our contractual partners, service providers or contracting authorities, with whom we have accordingly entered into data protection agreements. In certain setups your personal data may be collected from other parties due to legal provisions.
5. Categories of personal data processed
When a booking is made, we process the following personal data or categories of data in particular: Particulars (Title, Forename, Surname, additional names or titles), contact information (e-mail address, street name, number, postcode, town or city, country, telephone number), where applicable nationality, purpose of stay (business/leisure), number of accompanying persons or minors and their age range, telephone number, and billing address (if different).
Where applicable, for quality assurance, security and similar purposes, we also process recordings of telephone calls for quality assurance and training purposes. Furthermore, we process video files from surveillance cameras installed in public areas of our buildings such as hallways and lobbies.
6. Categories of recipients of personal data
The recipient of the personal data is B&B Hotels Germany GmbH in Hochheim am Main, with which the accommodation contract regarding the hotel room in question has been entered into. In cases where a hotel is not operated by B&B Hotels Germany GmbH itself, B&B Hotels Germany GmbH acts as a service provider for a managing Hotel GmbH (for example for the operation of a hotel management system and in the areas of IT support and accounting/finance).
Only those persons and parties (for example specialised departments) within the data controller’s company who require your personal data in order to provide services and comply with legal provisions shall receive it. Under certain circumstances, certain data sets shall be passed on to affiliated companies, if they complete data processing tasks, for example as part of the centralised provision and operation of booking and IT systems, completion of marketing tasks, etc..
As well as this, the data controller, for the performance of any compliance with contractual and legal obligations, among others for the technical operation, maintenance and hosting of booking and IT systems or for the performance of the accommodation contract in the hotel of various service providers, with whom – depending on the setup – an agreement on order processing has also been entered into as per the requirements pursuant to Art. 28 and 29 of the GDPR.
If you use third-party payment services (for example PayPal, Visa, Mastercard, Maestro or American Express), our partners’ business terms and conditions and data protection notices for electronic payment processes (Adyen, Saferpay) apply. They can be accessed via the transaction application.
Furthermore, the data controller may pass your personal data on to other recipients outwith the company, to the extent that it is necessary for the data controller to comply with its legal obligations (for example the Reporting Act, tax and contributions legislation, etc.)
Data shall be processed only within the European Union.
7. Duration of data storage
The data stored by us shall be deleted as soon as they have served their purpose, are no longer needed and as long as no legal retention obligation stands in the way of their deletion (Art. 17 of the GDPR). Retention obligations result from business and tax legislation in particular. Pursuant to German legal provisions, data is to be retained for six years under § 257 Section 1 HGB (commercial letters, booking confirmations) and 10 years under § 147 Section 1 AO (booking confirmations, invoices, commercial and business letters and taxation-related documents). Moreover, it may be that personal data is retained for a length of time during which claims are filed against the data controller. When it no longer serves any purpose, or once the timeframes have elapsed, the data shall be rendered inaccessible or deleted, as a matter of course, in accordance with legal provisions.
8. Data security
We take technical, contractual and organisational action on data processing security as technical developments allow. This is how we ensure that we comply with the provisions of data protection legislation, in particular those of the GDPR, and that the data processed by us is protected against erasure, loss, alteration and hacking.
9. Your rights
When we process your personal data, you are the affected party under the terms of the GDPR and you have the following rights that may be invoked against us in respect of the personal data concerning you:
10. Amendments to the data protection declaration
We reserve the right to amend these data protection notices, in order to bring them into line with changes to the legal position, changes to the service or those affecting data processing. However, this applies only with regards to data processing declarations. If the User’s consent is required, or if parts of the data protection notices contain regulations governing contractual relations with Users, changes may only be made with the User’s agreement.
Please refer to the data protection notices regularly to keep abreast of any changes
Data protection notices on our social media accounts
We want to keep in touch with our guests, and do so using social media as a means of communication that moves with the times. To do so we have a varied online presence on social networks and platforms, in order to communicate with Users and bring our posts, services and initiatives to your attention.
Please be advised that during this process, User data may be processed outside the European Union. Risks to the User may arise from this, because for example the enforcement of the User’s rights could be hampered. Please be advised that US service providers, which are certified under the Privacy Shield programme, hold themselves to the obligation to meet EU data protection standards.
Please be advised that requests for information and enquiries on the exercise of User rights can be addressed the most effectively when raised with the service provider. Only the service providers have access to the User data and can directly take appropriate action and give out information. However, should you need help, you can contact us.
Notice regarding data protection on our Facebook fan page
1. General information
We run a company website ("Fan page") on the social network Facebook, a service provided by Facebook Inc., 1601 S. California Ave, Palo Alto, CA 94304, USA, in particular for representation, brand development and also for customer communications purposes
Whenever an Internet user visits our fan page, Facebook collects, stores and uses User data (for example IP addresses, preferences and personal interests, usage patterns in respect of Facebook pages, any personal information posted on Facebook, etc.), regardless of whether you have a Facebook account. We stress that Facebook also uses it for its own commercial purposes.
2. Data collection and storage
As soon as you load our fan page, your browser connects to a Facebook server. During this process your IP address will be passed on and cookies placed on your device, whether or not you have a Facebook account. In addition, Facebook can match up your visit to our site with your user account, if you have and are signed into a Facebook account.
Facebook alone determines how the data is processed. We have no control over the scope, location or duration of data storage, over the extent to which data is linked and analysed or over the forwarding of data. We also have no say in who the recipients may be. Furthermore, we cannot at this point ascertain whether and to what extent Facebook deletion timeframes shall adhered to.
You will find further information on this in the Facebook data policy, which can be accessed at https://www.facebook.com/about/privacy/
You can prevent Facebook from linking up data regarding your visit to our fan page with your stored Facebook account data by logging out of Facebook before visiting our fan page, deleting the cookies left on the device and closing and relaunching your browser. According to Facebook, this will delete information that allows Facebook to identify you.
According to Facebook, cookies serve authentication, security, website and product integrity, advertising, metrics, website functionality and services, performance, analytics and research purposes. You can find details on the cookies used by Facebook (for example the names of cookies, duration of activity, content held within them and their purpose) at https://www.facebook.com/policies/cookies/
At https://www.facebook.com/about/basics/advertising and http://www.youronlinechoices.com you can determine which ads are displayed to you on Facebook and which ones you do not want displayed to you in future.
We generally store personal data only until it has served the purpose for which it was collected. In the context of commercial relations with you, this can last for as long as the commercial relations are ongoing and includes the phases of entering into and terminating the contract. Moreover, we store data to the extent to which we are bound to by legal retention obligations.
In the context of consent granted by you, your personal data shall be stored until such time as you withdraw consent, or at most for the duration of the processing operation or until it has been completed, depending on the deletion timeframes.
3. Facebook Insights
4. Legal bases
The legal basis for data collection, storage and use rests on Art. 6 Section. 1 (f) of the GDPR and serves the purpose of communication with you that moves with the times, targeted representation of our company and of the services that we offer. Furthermore, we do not carry out automated decision-making, including profiling, as per Art. 22 of the GDPR.
5. Forwarding and use of personal data
When you use our fan page on Facebook, Facebook also obviously has access to your data. It cannot be guaranteed that Facebook Inc., 1601 Willow Road, Menlo Park, California 94025, USA, does not have access to your data. Facebook is based in a non-EU country with a lower level of data protection. However, Facebook is a signatory to the EU-US Privacy Shield agreement, with a view to guaranteeing a level of data protection equivalent to that in place in the EU.
You can access the EU/US Privacy Shield certification at https://www.privacyshield.gov/list. With the European Commision’s implementing decision (EU) 2016/1250 of 12 July 2016, the level of protection provided by the EU/US Privacy Shield thus far was recognised as equal to that in the EU.
6. Your rights
You have the following rights:
If you have granted consent, under Art. 7, Section 3 of the GDPR, you also have the right to lodge a complaint effective in the future.
7. Contact information of the data controller and Data Protection Officer; joint data control pursuant to Art. 26 of the GDPR
Joint data controllers:
B&B Hotels Germany GmbH
65239 Hochheim a.M.
Facebook Ireland Ltd.
4 Grand Canal Square, Grand Canal Harbour,
For the processing of your personal data we are joint data controllers in conjunction with Facebook, in the eyes of the European Court of Justice (ECJ). You will find the ECJ ruling of 05/06/2018 at
Due to joint data control we inform you with regard to Art. 26 of the GDPR as follows, on the basics of the existing joint data control agreement in place between us and Facebook:
Please contact us with any further questions regarding data protection. Should you have any questions regarding the collection, processing or use of your personal data, information, correction, barring or erasure of data or withdrawal of consent for processing, please contact:
B&B Hotels Germany GmbH
65239 Hochheim am Main