B&B HOTELS Germany: Information according to Article 13 ff. of the General Data Protection Regulation (GDPR)

PDF Version

Old PDF Version (October 2025)

Privacy policy 

As of Ferbruary 2026

Preamble

As part of our business activities, we process personal data from visitors to our websites, users of our app, hotel guests, participants in our loyalty programs, interested parties, service providers, and other business partners.

This privacy policy is intended for users, guests, and future guests (hereinafter referred to as "you") in connection with (i) visiting the website https://www.hotel-bb.com/de (hereinafter referred to as "website") and the B&B HOTELS mobile application (hereinafter referred to as "app") as well as the channels on social media platforms in German, (ii) participation in one of the loyalty programs, and (iii) a stay at a hotel in Germany.

It serves to inform you, in accordance with Regulation No. 2016-679 of the European Parliament and of the Council  of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter referred to as the "General Data Protection Regulation" or "GDPR"), how your personal data is processed via our website, app, and social media channels, and in particular in connection with your stay at one of our hotels and our loyalty programs.

The protection of your personal data is a priority for the companies of the B&B HOTELS Group. Therefore, the companies of the B&B HOTELS Group undertake to process this data in strict compliance with the General Data Protection Regulation and other applicable data protection laws. 

1. Definitions

App: refers to the B&B HOTELS mobile application, which is available in iOS and Android versions.

Controller: the natural or legal person, public authority, agency, or other body that, alone or jointly with others, determines the purposes and means of the processing of personal data.

Website: refers to the website accessible at the URL address https://www.hotel-bb.com/de.

User: refers to any person who accesses the website and the app, whether they are a customer, an operator, or a normal internet user with or without an account. 

For the rest, we refer to the definitions in Art. 4 GDPR for the terms used: 

Personal data is any information relating to an identified or identifiable natural person. This includes, for example, your name, your address and communication data, or your email address. 

Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, distribution, or any other form of provision, comparison, or linking, restriction, deletion, or destruction.

A data subject is any identified or identifiable natural person whose personal data is processed by the controller.

2. Controller 

1. The controller within the meaning of the GDPR is the person who decides on the purposes and means of processing personal data. If several persons jointly decide on the purposes and means of processing, they are jointly responsible for the processing. For some processing operations, the German operating company of the B&B HOTELS Group mentioned below is solely responsible. For others, the operating companies of the B&B HOTELS Group are jointly responsible for the processing and act together with other companies.

Sole controller:

B&B Hotels Germany GmbH, Altkönigstraße 10, 65239 Hochheim am Main (Germany), registered in the commercial register of the Wiesbaden Local Court under number HRB 31371,

 is solely responsible for the following processing operations:

(1) Processing of reservations not made via the online booking system;

(2) Management of accommodation contracts;

(3) Exercising the rights of data subjects in accordance with the GDPR;

(4) Processing of insurance claims; 

(5) Administration of registration forms for accommodation; 

(6) Setting up and operating a video camera system in the hotels operated by the company itself;

(7) Operation and provision of guest Wi-Fi in the hotels operated by the company itself;

(8) Processing of guest complaints and claims; 

(9) Accounting and receivables management in connection with accommodation in the hotels operated by the company itself.

The companies of the B&B HOTELS Group operate the online booking system, which is the central reservation system for all B&B Hotels. 

2. Companies in the B&B HOTELS Group act as joint controllers for the following processing operations:

(1) Operation of the online booking system and processing of reservations made through it;

(2) Carrying out direct marketing measures; 

(3) Administration of loyalty programs.

The companies on the list, which you can access here, are jointly responsible for managing the B&B HOTELS Club paid loyalty program. 

The companies on the list , which you can access here, are jointly responsible for managing the free B&me loyalty program. 

The companies on the list , which you can access here, are jointly responsible for processing data for the purpose of managing direct marketing activities/campaigns for customers and prospects of the B&B HOTELS Group. 

The companies in the list , which you can access here, are jointly responsible for processing data for the purpose of managing online bookings.

The companies in the list , which you can access here, are jointly responsible for processing data in the central reservation system (CRS) for the purpose of centralizing booking data. 

The processing of personal data in connection with the management of the storage and reading of cookies on the website is carried out jointly by the companies of the list , which you can access here. As such, these companies are jointly responsible for the processing of data in connection with the storage and reading of cookies on the website.

The joint controllers have entered into joint responsibility agreements for the aforementioned processing operations, setting out their respective obligations. The main content of these agreements is available on request at the following address: datenschutz@hotelbb.com. 

Information about the processing operations carried out in this context is provided in detail below. The data protection officer of B&B Hotels Germany GmbH can be contacted by email atdatenschutz@hotelbb.com , by phone at +49 (0) 6146 9090-0, or by mail at the above address with the addition "The Data Protection Officer."

3. General criteria for storage duration

Unless a more specific storage period is specified in this privacy policy, your personal data will be stored until the purpose for data processing no longer applies. If you assert a legitimate request for deletion or revoke your consent to data processing, your data will be deleted unless we have other compelling reasons for further storage of your personal data (e.g., tax or commercial law retention periods); in the latter case, deletion will take place after these reasons no longer apply. 

4. General information on the legal basis for data processing on this website

If you have consented to data processing, we process your personal data on the basis of Art. 6 (1) lit. a GDPR. In the case of express consent to the transfer of personal data to third countries, data processing is also carried out on the basis of Art. 49 (1) lit. a GDPR. Consent can be revoked at any time. If your data is necessary for the establishment or fulfillment of a contract or for the implementation of pre-contractual measures, we process your data on the basis of Art. 6 (1) lit. b GDPR. Furthermore, we process your data if this is necessary to fulfill a legal obligation on the basis of Art. 6 (1) lit. c GDPR. Data processing may also be carried out on the basis of our legitimate interest pursuant to Art. 6 (1) lit. f GDPR. We provide information on the relevant legal basis in each individual case in the following paragraphs of this privacy policy.

5. General information on data transfer to third countries 

Some companies in the B&B HOTELS Group are based in a third country outside the European Union and the European Economic Area. For data transfers with these companies in the B&B HOTELS Group, the EU standard contractual clauses have been concluded, which you can obtain on request via the contact details provided, e.g. by emailing privacy@hotelbb.com. The United Kingdom and Switzerland have been confirmed as having a level of data protection comparable to that of the EU by adequacy decisions of the EU Commission dated June 28, 2021 (United Kingdom) and July 26, 2000 (Switzerland). 

Subject to your consent, tools are used on the website and in the app and external content and media are integrated that are offered by companies based in third countries. If these tools are activated, your personal data may be transferred to these third countries and processed there. We would like to point out that a level of data protection comparable to that in the EU cannot be guaranteed in third countries where data protection laws are uncertain. In these cases, data is transferred on the basis of additional safeguards in accordance with Art. 44 ff. GDPR. Under certain conditions, the US is classified by the EU Commission as a safe third country with a level of data protection comparable to that in the EU. Data transfer to the USA is therefore permitted if the data recipient is certified under the "EU-U.S. Data Privacy Framework" (DPF). Information on transfers to third countries, including data recipients, can be found in this privacy policy and in the information on cookies and other trackers .

6. Information on the processing of personal data

6.1 Visiting the website

When you visit the website, your browser transmits certain system and browser data for technical reasons. This includes the following data (known as server log files), which is processed by the companies jointly responsible for the online booking system:

• IP address
• Date and time of the server request 
• Browser, language, and version of the browser software
• Operating system used
• Host name of the accessing computer
• Website from which the request originates ("referrer URL")

This data is not stored together with other personal data of the users. 

The temporary storage of the user's IP address by the web server is technically necessary in order to display the website. For this purpose, the IP address must necessarily remain stored for the duration of the session.

The above data is stored in log files to ensure the functionality of the online booking system. This data is also used to ensure the security of the information technology systems (e.g., for attack detection). The data is not evaluated for marketing purposes in this context.

The legal basis for the temporary storage of this data and the log files is Art. 6 (1) lit. f GDPR. The legitimate interest lies in the technically error-free presentation and optimization of the website – for this purpose, the server log files must be recorded.

The above-mentioned data is deleted as soon as it is no longer required for the purpose for which it was collected. In the case of data collected for the provision of the website, this is the case when the respective session has ended. In the case of data stored in log files, the retention period is up to 3 months. Further storage is possible if this data is required for other purposes (e.g., investigation of attacks, misuse, or fraud). Data that must be retained for evidentiary purposes is excluded from deletion until the respective incident has been finally clarified.

The collection of data for the provision of the website and its storage in log files is essential for the operation of our website for technical reasons. You therefore have no option to object.

6.2 Contact form on the website 

If you send us inquiries via the contact form on the website, we collect the data requested in the contact form (e.g., name, email address) as well as the details of your request. Mandatory fields are marked accordingly. We process your personal data in order to respond to your inquiry and process your request. We store your data in case of follow-up questions.

If your request is related to the performance of a contract or is necessary for the implementation of pre-contractual measures (e.g., an offer), processing is carried out on the basis of Art. 6 (1) lit. b GDPR. In all other cases, processing is based on our legitimate interest in the effective processing of inquiries addressed to us (Art. 6 (1) lit. f GDPR).

The data will be used exclusively for processing the conversation and handling your request. The data you enter in the contact form will remain with us until you request us to delete it or the purpose for data storage no longer applies (e.g., after your request has been processed). Mandatory legal provisions—in particular retention periods—remain unaffected. Your personal data will be deleted at the latest three years after completion of the processing of your request at the end of the calendar year. 

6.3 Inquiries by email or telephone 

If you contact us via the email addresses provided on the website or by telephone, we will store and process your request, including all resulting personal data (name, address, contact details, request), for the purpose of processing your request.

If your request is related to the fulfillment of a contract or is necessary for the implementation of pre-contractual measures (e.g., an offer), processing is carried out on the basis of Art. 6 (1) lit. b GDPR. In all other cases, processing is based on our legitimate interest in the effective processing of requests addressed to us (Art. 6 (1) lit. f GDPR).

The data will be used exclusively for processing the conversation and handling your request.

The data you provide via contact requests will remain with us until you request us to delete it or the purpose for data storage no longer applies (e.g., after your request has been processed). Mandatory legal provisions—in particular retention periods—remain unaffected. Your personal data will be deleted at the latest three years after completion of the processing of your request at the end of the calendar year. 

6.4 Newsletter

You can subscribe to a newsletter on our website . We only send newsletters with the consent of the recipients. For this purpose, we use a double opt-in procedure. After registering for the newsletter, you will receive an email in which you must confirm your registration. We use this procedure so that no one can register with someone else's email address. We log newsletter registrations in order to be able to verify the registration process in accordance with legal requirements. This includes the date, time, and IP address at the time of registration. We collect your name and email address when you register for the newsletter.

We send newsletters for advertising purposes to provide information about offers, promotions, and other news about B&B HOTELS.

The data entered in the newsletter registration form is processed exclusively on the basis of your consent (Art. 6 (1) (a) GDPR in conjunction with § 7 (2) (2) of the German Unfair Competition Act (UWG)). By sending the email as part of the double opt-in procedure, we fulfill our legal obligation to verify your email address, Art. 6 (1) (c) GDPR. Your data in connection with the newsletter registration and dispatch is processed by the marketing department of B&B Hotels Germany GmbH. The companies of the B&B Hotels Group, an overview of which is available above, are jointly responsible for the administration and implementation of the direct marketing measure. The joint controllers have commissioned B&B HOTELS DIGITAL SERVICES, 9 boulevard Romain Polland, 75014 Paris, France, and MOVE ON B&B HOTELS, 271, rue du Général Paulet, 29200 Brest, France, with the administration and dispatch of the newsletter. The contractors act on the instructions of the joint controllers on the basis of data processing agreements. 

Consent to receive our newsletter can be revoked at any time without giving reasons with effect for the future, for example via the unsubscribe function in each newsletter. In the event of revocation, your email address will be marked with a blocking note to document that you no longer wish to receive the newsletter in the future. Data that is no longer required will be deleted immediately. The blocking note and your email address will be deleted three years after the end of the calendar year in which the blocking note was set. If you do not confirm your consent to receive our newsletter as part of the double opt-in procedure, we will block your email address and delete it after six months, unless we need to retain it for other reasons and in other contexts. 

6.5 Online booking of hotel stays and check-in

If you book a room via the online booking system on the website or app, we process the personal data requested on the booking form (e.g., personal master data, contact details, reservation/booking details, terms and conditions, payment and billing data) in order to carry out the booking and establish an accommodation contract. Your email address will be processed in order to send you reservation/booking confirmations, changes, cancellations, and other communications related to the reservation/booking and the accommodation contract. In addition, you will receive an automatically generated invitation to check in online by email before your scheduled arrival date. To check in online, you must register via the link in the email and provide your credit card details (card number, expiration date, verification number) for payment purposes. 

The companies of the B&B Hotels Group, an overview of which is available above, are jointly responsible for data processing via the online booking system on the website and the app. The joint controllers have commissioned B&B HOTELS DIGITAL SERVICES, 9 boulevard Romain Polland, 75014 Paris, France, and MOVE ON B&B HOTELS, 271, rue du Général Paulet, 29200 Brest, France, with the operation and administration of the online reservation system. The contractors act on the instructions of the joint controllers on the basis of data processing agreements. 

For the purpose of establishing and executing the accommodation contract, the data from the online booking system may be transferred to the operator of the hotel where you have booked your stay. 

In order to comply with legal reporting requirements, it may be necessary to transfer some personal data to the registration authority responsible for the hotel where you are staying after you have checked in at the hotel. You are required to provide this data when you check in. 

In the case of accommodation for a minor traveling alone, the hotel where the overnight stay takes place will collect a statement from a legal representative, including their name, contact details, and a copy of an identity document. Details on data processing can be found in the corresponding form . 

The legal basis is Art. 6 (1) (b) GDPR, as the processing of the data is necessary for the establishment and performance of an accommodation contract in a B&B Hotel. By reporting guest data to the relevant registration authority, B&B Hotel fulfills its legal obligation as a hotel business in accordance with Art. 6 (1) (c) in conjunction with §§ 29, 30 of the Federal Registration Act (BMG).

The data stored by us will be deleted as soon as it is no longer required for its intended purpose and there are no legal retention obligations that prevent deletion. The retention periods under commercial and tax law in connection with the accommodation contract are six years (Section 257 (1) HGB) and ten years (Section 147 (1) AO) respectively. The registration forms required under the Federal Registration Act are retained for one year after registration in accordance with the provisions of Section 30 BMG and destroyed within three months after the retention period has expired. 

If you have made a booking with us, we will use your email address to send you advertising for similar goods and services in connection with your booking. You can object to this use at any time by either clicking on the unsubscribe link in the footer of such promotional emails or, alternatively, by sending us a message via the contact form on our website with the subject line "Feedback on your stay" and your email address.

The legal basis for this data processing is Art. 6 (1) f) GDPR in compliance with the provisions of § 7 (3) UWG (German Unfair Competition Act). Our legitimate interest lies in promoting customer loyalty.

6.7 User account and participation in the B&me loyalty program

On the website and in the app, you have the option of creating a personalized user account ("B&me account") so that you can view bookings, make future reservations more quickly, and take advantage of the B&me loyalty program. 

The data requested in the registration form (personal master data, contact details, language and country settings, password, communication settings) is processed for the creation and maintenance of the B&me Account. Details of bookings and hotel stays as well as benefits taken advantage of from the B&me loyalty program are stored in the B&me Account and can be accessed at any time. Registration for the user account and participation in the B&me loyalty program is verified via a double opt-in procedure. You will receive a confirmation email with a link that you must click to activate your B&me account. Your email address will be stored for this purpose and for further communication in connection with your B&me account.

The legal basis for data processing is Art. 1 lit. b GDPR. The processing of data is necessary for registering for the user account and for establishing and implementing participation in the B&me loyalty program. 

The companies of the B&B Hotels Group, an overview of which is available above, are jointly responsible for data processing in connection with the implementation of the B&me loyalty program. The joint controllers have commissioned B&B HOTELS DIGITAL SERVICES, 9 boulevard Romain Polland, 75014 Paris, France, to provide services in connection with the administration of the B&me loyalty program. B&B HOTELS DIGITAL SERVICES processes the personal data on the basis of a data processing agreement on the instructions of the joint controllers. 

Personal data will be stored for the duration of the user account and participation in the B&me loyalty program. You can terminate your B&me account and your participation in the B&me loyalty program at any time via the user account itself. The data will then be deleted at the latest after the expiry of the commercial law retention period of six years in accordance with § 257 HGB (German Commercial Code). 

6.8 B&me Club loyalty program

The B&me account on the website and in the app allows you to register for paid participation in the B&me Club loyalty program.

The data requested in the registration form for the B&me account (personal master data, contact details, language and country settings, password, communication settings) is processed for the purpose of establishing and implementing participation in the B&me Club loyalty program. Details of bookings and hotel stays, as well as benefits taken advantage of from the B&me loyalty program and the B&me Club loyalty program, are stored in the B&me account and can be accessed there at any time. An identification number is also stored for each member. Participation in the B&me Club loyalty program is confirmed by a message sent to the email address provided during registration. The email address is used for further communication regarding the B&me Club loyalty program. The legal basis for data processing is Art. 1 lit. b GDPR. The processing of data is necessary for the registration of the user account and the establishment and implementation of participation in the B&me Club loyalty program. 

The companies of the B&B Hotels Group, an overview of which is available above, are jointly responsible for data processing in connection with the implementation of the B&me Club loyalty program. The joint controllers have commissioned B&B HOTELS DIGITAL SERVICES, 9 boulevard Romain Polland, 75014 Paris, France, to provide services in connection with the administration of the B&me Club loyalty program. B&B HOTELS DIGITAL SERVICES processes the personal data on the basis of a data processing agreement on the instructions of the joint controllers. 

The personal data will be stored for the duration of participation in the B&me Club loyalty program. After termination of participation in the B&me Club loyalty program, the data will be deleted at the latest after expiry of the commercial law retention period of six years in accordance with § 257 HGB (German Commercial Code). 

6.9       Voucher shop

The website offers the option of purchasing vouchers for stays at a B&B Hotel. Information on the processing of personal data in connection with this voucher shop is available directly in the shop area under "Privacy Policy."

6.10     Payment service providers 

If you use third-party payment services (e.g., PayPal, Visa, Mastercard, Maestro, American Express), the companies of the B&B HOTELS Group work with the payment service provider Adyen N.V. (hereinafter "Adyen"), Simon Carmiggeltstraat 6-50, 1011 DJ, Amsterdam, Netherlands.

Adyen is a full payment service provider that handles payment processing, among other things. The data required for the respective payment method is transmitted to Adyen, unless it is collected directly by the respective payment service (e.g., PayPal) itself. 

The bank card number, expiration date, and cryptogram are processed exclusively by Adyen, which only provides us with a token for the guarantee and payment of the bookings. 

The purpose of the transfer is to verify identity, process the desired payment, carry out any credit checks, and prevent fraud. Insofar as this is necessary to fulfill contractual obligations, Adyen also passes on personal data to service providers or subcontractors. 

The legal basis for processing is Art. 6 (1) (b), (c), (f) GDPR. By transferring data for identity verification, we comply with legal obligations for customer authentication in accordance with Art. 6 (1) (c) GDPR in conjunction with the Payment Services Directive and the Payment Services Supervision Act. The legitimate interest in data transfer follows from the purposes described above. 

The terms and conditions and privacy policy of our partner for electronic payment processing apply. Further information on data protection can be found at https://www.adyen.com/de_DE/richtlinien-und-haftungsausschluss/privacy-policy. 

6.11     Guest reviews

In order to receive feedback from our guests about their stay, we use a review service provided by TrustYou GmbH, Schmellerstraße 9, 80337 Munich, www.trustyou.com. If you have agreed to receive the newsletter, after staying at a B&B Hotel in Germany, you will receive an email from B&B Hotels Germany GmbH with a link where you can submit a review of your last stay. If you make use of the option to submit a review, your name, email address and/or telephone number, IP address, your rating result and details of the rating, other data entered, and system data (browser type and version, device used, date and time of submission of the rating, referring URL) will be transmitted to TrustYou GmbH and evaluated by TrustYou and B&B Hotels Germany GmbH. The review result, details of your review, your first name, the first letter of your last name, and the date of the review may be made publicly available on the website and in the app. 

Collecting and analyzing reviews helps us to improve our quality. 

The legal basis for data processing is your consent to receive the newsletter (Art. 6 (1) (a) GDPR) and the legitimate interest of B&B Hotels Germany GmbH in operating a review system and evaluating reviews after guests have voluntarily used the review system (Art. 6 (1) (f) GDPR). 

Submitting a review is voluntary. You can opt out of receiving further invitations to review hotels by email at any time by clicking on the link provided in each email. 

TrustYou GmbH acts on the instructions of B&B Hotels Germany GmbH on the basis of a data processing agreement. For more information on how TrustYou handles data, please refer to TrustYou's privacy policy at: https://www.trustyou.com/downloads/privacy-policy.pdf. 

Reviews are made publicly available on the website and app for a maximum period of 24 months from the date of submission. The data collected in connection with a review is stored and evaluated for a maximum period of five years from the date of submission. TrustYou GmbH is authorized to anonymize the data after this period and to store and use it for analysis purposes without any restrictions in terms of time or location. 

6.12 Conducting competitions 

We occasionally organize prize draws or other competitions in which guests and other interested parties can participate, e.g., in connection with the submission of a guest review. For this purpose, we process the data required for participation, such as names, email addresses, and answers to prize draw and competition questions. Subsequently, in the event of a win, address data may be requested in order to send a prize. 

The processing is carried out solely for the purpose of conducting the prize draw or competition, i.e. to determine and notify winners and to send prizes. 

For prize draws and other competitions in connection with the submission of a guest review, we use the support of TrustYou GmbH, Schmellerstraße 9, 80337 Munich, which acts on our instructions on the basis of a data processing agreement. 

If we obtain your consent in the context of a prize draw or competition, this is the legal basis for data processing (Art. 6 (1) (a) GDPR). Otherwise, Art. 6 (1) (b) GDPR is the legal basis, as data processing is necessary for participation in the prize draw or competition. 

The data will be deleted after the prize draw or competition has been carried out, unless you have given your consent to the further processing of your data or a longer retention period is required in connection with the redemption or use of a prize. 

6.13 Video surveillance in hotels 

Video surveillance may be used in certain areas of hotels and their premises, in particular parking lots. In this context, images of guests may be recorded and evaluated on a case-by-case basis. 

Video surveillance is generally carried out within the limits of the law. The legal basis is the legitimate interest in the safety of our guests and hotel property in accordance with Art. 6 (1) lit. f GDPR. 

Detailed information on the use of video cameras and data processing in this context can be found on site in the hotels. 

6.14 Guest Wi-Fi in hotels 

Guest Wi-Fi is provided in the hotels operated by B&B Hotels Germany GmbH in Germany. 

When using guest Wi-Fi, the following data may be processed, some of which is stored through the use of cookies and some of which you can optionally provide: MAC or IP address of the device used, email address, username, name, room number, date of registration. 

B&B Hotels Germany GmbH has commissioned m3connect GmbH, Friedlandstraße 18, 52064 Aachen, to provide and operate the guest Wi-Fi system. m3connect GmbH processes your data on the basis of a data processing agreement and in accordance with your instructions. 

The legal basis for data processing is Art. 6 (1) lit. b GDPR, insofar as the data is necessary for the desired use of the guest Wi-Fi. In the case of storing information in cookies, we also base the processing on our legitimate interests pursuant to Art. 6 (1) lit. f GDPR. The cookies are technically necessary to ensure the functionality of the Wi-Fi system. This is also our legitimate interest. 

The data is processed for authentication and to ensure the error-free operation of the guest Wi-Fi. 

The data will be deleted after 10 weeks at the latest, unless statutory retention obligations prevent deletion. The technically necessary cookies are session cookies, which have a maximum functional duration of one day. 

Further details can be found in the information provided when registering for the guest Wi-Fi on site. 

6.15 Central telephone reservation center 

As part of our service, the B&B HOTELS Group operates a central telephone reservation center, which is also available to B&B HOTELS GmbH hotels in Germany. You can use this reservation center to make telephone bookings and obtain information about your stay. The purpose of processing is to handle and manage reservations received by telephone via the central reservation center; to centrally consolidate and manage reservation data; and to ensure quality assurance and improve our booking service. 

Individual calls may be recorded for quality control and employee training purposes. The recordings are used exclusively for internal purposes, are not passed on to third parties, and are deleted after 30 days at the latest. The legal basis for this is Art. 6 (1) lit. f GDPR (legitimate interest in optimizing our customer service). You will be informed of this before a recording begins and can object to it.

The legal basis for the remaining processing is Art. 6 (1) (b) GDPR (processing for the performance of a contract or for the implementation of pre-contractual measures at the request of the data subject) and Art. 6 (1) (f) GDPR (legitimate interest in the efficient processing of reservations and optimization of our service offering). 

The following categories of personal data are processed for this purpose: name, title; address, email address, telephone number; booking and travel data (hotel, length of stay, services booked, special requests); payment data (if necessary to secure the booking) and communication content (e.g., content of telephone inquiries  or audio recordings, if recorded).

The recipients of the data are B&B HOTELS Germany GmbH and the hotels of the B&B HOTELS Group in Germany where a reservation is made, as well as agents and IT and service providers (within the scope of order processing).

Personal data is stored for the duration of the reservation and stay. The data is deleted after complete processing and expiry of the statutory retention periods.

In addition, we would like to point out that calls to the central reservation center are automatically evaluated by AI-supported software (Amazon Connect). This is used exclusively for quality assurance and optimization of our service processes, in particular for assessing the course of conversations, recognizing mood indicators (so-called sentiment analysis), and improving conversation skills.

The legal basis for this is Art. 6 (1) (f) GDPR (legitimate interest in quality assurance and improvement of our services). The processing is not carried out for automated decision-making within the meaning of Art. 22 GDPR.

If a conversation is recorded, the persons concerned are informed in advance and have the opportunity to object to this processing by selecting the appropriate option in the telephone announcement.

The AI-supported analysis is carried out exclusively within the framework of order processing in accordance with Art. 28 GDPR by Amazon Web Services EMEA SARL. An adequate level of data protection is ensured by the conclusion of the EU standard contractual clauses in accordance with Art. 46 (2) (c) GDPR.

7. Cookies 

Our website uses so-called "cookies" and other tracking tools. Details on this and your setting options are provided in our information on cookies and other trackers.

8. Our presence on social media channels 

B&B Hotels Germany GmbH maintains its own channel on several social media platforms. When you visit our profile on one of the social media platforms, the respective provider of the social media platform processes your data in order to create usage profiles and to operate and improve its own services. Furthermore, some providers of social media platforms provide us with anonymized evaluations of the use of our profile. Some of the data processing takes place regardless of whether you are registered on the social media platform yourself or not. The evaluations usually contain the following information:

• Reach measurements regarding profile, posts, and other functions, i.e., the total number of people who have visited/used the profile, posts, and other functions;
• Aggregated data on the age, gender, and location (country, region/city) of the persons who visit the profile;
• Duration of use for videos and other functions;
• Time and location of use;
• Devices, operating systems, and software used;
• Interactions related to posts, e.g., click rates, shares, comments.

With regard to data processing operations for the purposes of the aforementioned evaluations, B&B Hotel Germany GmbH is jointly responsible with the respective providers of the social media platforms within the meaning of the GDPR and has concluded corresponding agreements on joint responsibility.

We have no influence on whether and to what extent the providers collect personal data on their social media platforms. We are also unaware of the scope, purpose, and storage period of the data collection. It must be assumed that at least the IP address and device-related information are collected and used. It is also possible that the providers use cookies and similar technologies on their platforms to track and evaluate user behavior on the platforms and other services of the providers. 

Some of the providers of social media platforms are based outside the European Union (EU) and the European Economic Area (EEA) (so-called "third countries"), in particular in the USA. Some of these third countries do not have a level of data protection equivalent to that of the EU, or recognition of an adequate level of data protection is subject to further conditions, such as certification under the EU-U.S. Data Framework Agreement in the case of U.S. companies. In some third countries, such as the United States, government agencies have extensive access rights to data from companies headquartered in those third countries. We cannot rule out the possibility that, even if the providers are based in the EU, data may also be transferred to group companies in the US or another third country.

Further information on the individual providers of the social media platforms on which we operate a profile:

• Facebook and Instagram: The provider for the European region is Meta Platforms Ireland Limited (4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland, "Meta"). Further information on data protection can be found at https://facebook.com/policy.php and, with regard to Instagram, at https://help.instagram.com/519522125107875. Information about the cookies used by Meta when you visit our Facebook page or our Instagram channel can be found at https://www.facebook.com/policies/cookies. The following joint controller agreement applies to the processing operations for which we are jointly responsible with Meta: https://www.facebook.com/legal/controller_addendum. The corporate headquarters Meta Platforms Inc, Menlo Park, California, USA, is certified under the EU-U.S. Data Privacy Framework.
• LinkedIn: The provider for the European region is LinkedIn Ireland Unlimited Company (Wilton Place, Dublin 2, Ireland). For more information on data protection, please refer to LinkedIn's privacy policy at https://www.linkedin.com/legal/privacy-policy and its cookie policy at https://www.linkedin.com/legal/cookie-policy. The following joint controller agreement applies to the processing operations for which we are jointly responsible with LinkedIn: https://legal.linkedin.com/pages-joint-controller-addendum. The corporate headquarters LinkedIn Corporation, Sunnyvale, California, USA, is certified under the EU-U.S. Data Privacy Framework.
• YouTube: The provider for the European region is Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland). For more information on data protection, please refer to Google's privacy policy at https://policies.google.com/privacy?hl=de. The corporate headquarters of Google LLC, Mountain View, California, USA, is certified under the EU-U.S. Data Privacy Framework.
• TikTok: The provider for the European region is TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, D02 T380, Ireland. For more information on data protection, please refer to the privacy policy at https://www.tiktok.com/legal/privacy-policy-eea?lang=de.

9. Automated decision-making, profiling 

No automated decision-making within the meaning of Art. 22 GDPR is used to establish and conduct business relationships.

In the area of marketing, we use profiling techniques to provide our guests with targeted and relevant information. Among other things, past bookings, memberships, or interactions with our website are taken into account in order to send personalized newsletters, reminder emails for canceled bookings, or individual advertisements (retargeting), for example. Processing is based on consent in accordance with Art. 6 (1) (a) GDPR or on our legitimate interest in accordance with Art. 6 (1) (f) GDPR; in the case of email advertising to existing customers, § 7 (3) UWG (German Unfair Competition Act) also applies.

10. Obligation to provide data 

For the establishment, execution, and termination of a business relationship (e.g., booking, accommodation contract, participation in a loyalty program, receipt of a newsletter), it is necessary or, in some cases, legally required that you provide us with personal data. Without this data, it will generally not be possible to establish a business relationship or it will have to be terminated. This data is regularly marked as mandatory in forms. 

During your stay, we are obliged under the applicable municipal statutes, state law, or corresponding regulations to pass on certain data of the persons accommodated to the competent authorities or tourism organizations. This applies in particular to the collection and payment of taxes such as the spa tax, the accommodation tax (also known as the bed tax), or similar municipal special taxes.

The data transmitted may include, in particular, the following information: name, address, travel dates (arrival and departure dates), number of accompanying persons, and, if applicable, information on whether there is an exemption or reduction from the relevant tax.

The processing and transfer of this data is based on Art. 6 (1) c GDPR (legal obligation) in conjunction with the respective municipal statutes or relevant state law.

The recipients of the data are the respective competent municipal authorities (e.g., spa administration, city administration, municipal administration, or tourism organization). No further transfer of data takes place.

11. Data security 

We attach particular importance to the security of personal data. We implement technical and organizational measures appropriate to the sensitivity of the personal data in order to ensure the integrity and confidentiality of the data and to protect it from malicious intrusion, loss, alteration, or disclosure to unauthorized third parties. These security measures include, for example, the encrypted transmission of data between your browser and our servers. Please note that SSL encryption is only activated for transmissions carried out via the Internet if the key symbol appears in your browser window and the address begins with https://. TLS (Transport Socket Layer) protects data transmission from illegal access by third parties using encryption technology. If this option is not available, you can also choose not to send certain data over the Internet.

12. Your rights

When we process your personal data, you have the following rights: 

Right of access (Art. 15 GDPR): You have the right to request information about the personal data processed about you. This right also includes a copy of the relevant data.

Right to rectification (Art. 16 GDPR): You have the right to request the immediate rectification of personal data concerning you if it is inaccurate. Taking into account the purposes of the processing, you have the right to request the completion of personal data concerning you if it is incomplete.

Right to erasure (Art. 17 GDPR): You have the right to request that personal data concerning you be erased without delay, provided that one of the reasons specified therein applies.

Right to restriction of processing (Art. 18 GDPR): You have the right to request the restriction of the processing of your personal data if one of the reasons specified therein applies.

Right to data portability (Art. 20 GDPR): You have the right to receive the personal data concerning you that you have provided to us in a structured, commonly used and machine-readable format and, under certain circumstances, you have the right to transmit those data to another controller without hindrance.

Right to object (Art. 21 GDPR): You have the right to object to the processing of your data at any time for reasons arising from your particular situation, provided that the data processing is based on a balancing of interests in accordance with Art. 6 (1) lit. f GDPR. This also applies to profiling based on this provision within the meaning of Art. 4 No. 4 GDPR. If you object, your personal data will no longer be processed unless there are demonstrably compelling legitimate grounds for the processing that outweigh your interests or the processing serves to assert, exercise, or defend legal claims.

Revocation of consent (Art. 7 para. 3 GDPR): In accordance with Art. 7 para. 3 GDPR, you have the right to revoke your consent to the processing of personal data at any time without giving reasons with effect for the future. 

The restrictions under Sections 34 and 35 of the Federal Data Protection Act (BDSG) apply to the right of access and the right to erasure.

You can exercise your rights: 

• at the following email address: datenschutz@hotelbb.com;
• or via the postal address: B&B HOTELS Legal Department/Data Protection, Altkönigstraße 10, 65239 Hochheim am Main, Germany.

You also have the right to lodge a complaint with a supervisory authority (Art. 77 GDPR in conjunction with § 19 BDSG) if you believe that the processing of your personal data is not lawful. This can be done, for example, at the supervisory authority responsible for B&B Hotels Germany GmbH: The Hessian Data Protection Officer, Gustav-Stresemann-Ring 1, 65189 Wiesbaden, https://datenschutz.hessen.de.

13. Changes to the privacy policy

We reserve the right to change the privacy policy in order to adapt it to changed legal situations or in the event of changes to the service and data processing. However, this only applies to statements regarding data processing. If the consent of users is required or if parts of the privacy policy contain provisions of the contractual relationship with users, changes will only be made with the consent of the users.

Please check the content of the privacy policy regularly.