Menu opener
Country and language
Country
Other countries
Language
English
Currency
EUR
Currency
EUR
  1. B&B HOTELS
  2. B&B HOTELS Germany: Information according to Article 13 ff. of the General Data Protection Regulation (GDPR)
BackYour staySelect your dates to see availabilitiesChange datesSelect rooms and travelersClose
Select your dates to see availabilities
Please fill in the destination field
There are no suggestions
Allow geolocation in your browser settings, or type the destination
Please select period of 20 days max
Start date cannot be set in the past.

Please select period of 20 days maxStart date cannot be set in the past.

From
To
Clear dates
Rooms
-+
+ Add another roomValidate
Discount code
Valid Breakfast voucher to be added at checkout
Add a discount code
  • Destination
  • FromTo
    FromTo
  • 1 room, 1 adult
  • 1 room, 1 guest

B&B HOTELS Germany: Information according to Article 13 ff. of the General Data Protection Regulation (GDPR)

PDF Version 
Old PDF Version (February 2026)

Old PDF Version (October 2025)

Privacy Notice 

As of April 2026

Preamble

As part of our business operations, we process personal data from visitors to our websites, users of our app, hotel guests, participants in our loyalty programs, prospective customers, service providers, and other business partners.

This Privacy Policy is intended for users, guests, and prospective guests (hereinafter “you”) in connection with (i) visiting the website https://www.hotel-bb.com/de (hereinafter “Website”) and the B&B HOTELS mobile application (hereinafter “App”), as well as the channels on social media platforms in German, (ii) participation in one of the loyalty programs, and (iii) a stay at a hotel in Germany.

It serves to inform you, in accordance with Regulation No. 2016/679 of the European Parliament and of the Council  of April 27, 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter “General Data Protection Regulation” or “GDPR”), about how your personal data is processed via our website, app, and social media channels, and in particular in connection with your stay at one of our hotels and with our loyalty programs.

The protection of your personal data is a top priority for the companies of the B&B HOTELS Group. Therefore, the companies of the B&B HOTELS Group undertake to process this data in strict compliance with the General Data Protection Regulation and other applicable data protection laws. 

1. Definitions

App: refers to the B&B HOTELS mobile application, available in iOS and Android versions.

Controller: means the natural or legal person, public authority, agency, or other body that, alone or jointly with others, determines the purposes and means of the processing of personal data.

Website: refers to the website accessible at the URL https://www.hotel-bb.com/de.

User: refers to any person who accesses the Website and the App, regardless of whether they are a customer, an operator, or a regular internet user with or without an account. 

For the terms used, we also refer to the definitions in Article 4 of the GDPR: 

Personal data is any information relating to an identified or identifiable natural person. This includes, for example, your name, your address and contact details, or your email address. 

Processing means any operation or set of operations performed on personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or any other form of making available, alignment or combination, restriction, erasure, or destruction.

A data subject is any identified or identifiable natural person whose personal data is processed by the controller.

2. Controller 

1. The controller within the meaning of the GDPR is the person who determines the purposes and means of the processing of personal data. If several persons jointly determine the purposes and means of the processing, they are jointly responsible for the processing. For some processing operations, the German operating company of the B&B HOTELS Group listed below is solely responsible. For others, the operating companies of the B&B HOTELS Group are jointly responsible for the processing and act in conjunction with other companies.

Sole controller:

B&B Hotels Germany GmbH, Altkönigstraße 10, 65239 Hochheim am Main (Germany), registered in the Commercial Register of the Wiesbaden Local Court under number HRB 31371,

 is the sole controller for the following processing operations:

(1) Processing of reservations not made via the online booking system;

(2) Management of accommodation contracts;

(3) Exercising the rights of data subjects in accordance with the GDPR;

(4) Processing of insurance claims; 

(5) Management of accommodation registration forms; 

(6) Installation and operation of a video camera system in the hotels we operate ourselves;

(7) Operation and provision of guest Wi-Fi in our own hotels;

(8) Handling of guest complaints and claims; 

(9) Accounting and receivables management in connection with accommodation at company-operated hotels.

The companies of the B&B HOTELS Group operate the online booking system, which serves as the central reservation system for all B&B Hotels. 

2. Companies within the B&B HOTELS Group act as joint controllers for the following processing operations:

(1) Operation of the online booking system and processing of reservations made through it;

(2) Carrying out direct marketing activities; 

(3) Management of loyalty programs.

The companies on the list, which you can access here, are jointly responsible for managing the paid loyalty program B&B HOTELS Club. 

The companies on the list, which you can access here, are jointly responsible for managing the free B&me loyalty program. 

The companieson the list, which you can access here, are jointly responsible for processing data for the purpose of managing direct marketing activities/campaigns for customers and prospects of the B&B HOTELS Group. 

The companieson the list, which you can view here, are jointly responsible for processing data for the purpose of managing online bookings

The companies on the list, which you can access here, are jointly responsible for processing data in the Central Reservation System (CRS), the purpose of which is to centralize booking data. 

The processing of personal data related to the management of the placement and reading of cookies on the website is carried out jointly by the companies on the list, which you can view here. As such, these companies are jointly responsible for the processing of data related to the placement and reading of cookies on the website.

The joint controllers have entered into joint liability agreements regarding the aforementioned processing operations, which define their respective obligations. The key provisions of these agreements are available upon request at the following address: datenschutz@hotelbb.com

Information regarding the processing operations carried out in this context is provided in detail below. The Data Protection Officer of B&B Hotels Germany GmbH can be contacted by email at datenschutz@hotelbb.com , by phone at +49 (0) 6146 9090-0, or via the aforementioned postal address with the addition “Data Protection Officer.” 

3. General Criteria for Retention Periods

Unless a more specific retention period is stated in this privacy notice, your personal data will be retained until the purpose for data processing no longer applies. If you submit a valid request for deletion or revoke your consent to data processing, your data will be deleted unless we have other compelling reasons to continue storing your personal data (e.g., retention periods under tax or commercial law); in the latter case, deletion will occur once these reasons no longer apply. 

4. General Information on the Legal Basis for Data Processing on This Website

If you have consented to data processing, we process your personal data on the basis of Art. 6(1)(a) GDPR. In the event of explicit consent to the transfer of personal data to third countries, data processing is also carried out on the basis of Art. 49(1)(a) GDPR. Consent may be revoked at any time. If your data is necessary for the conclusion or performance of a contract or for the implementation of pre-contractual measures, we process your data on the basis of Article 6(1)(b) of the GDPR. Furthermore, we process your data, insofar as this is necessary to fulfill a legal obligation, on the basis of Article 6(1)(c) of the GDPR. Data processing may also be carried out on the basis of our legitimate interest pursuant to Article 6(1)(f) of the GDPR. We provide information on the relevant legal bases in each individual case in the following sections of this privacy notice.

5. General Information on Data Transfer to Third Countries 

Some companies within the B&B HOTELS Group are based in a third country outside the European Union and the European Economic Area. For data transfers with these companies within the B&B HOTELS Group, the EU Standard Contractual Clauses have been concluded, which you can obtain upon request via the contact details provided, e.g., by email to privacy@hotelbb.com. The United Kingdom and Switzerland have been confirmed  by adequacy decisions of the European Commission dated June 28, 2021 (United Kingdom) and July 26, 2000 (Switzerland) as having a level of data protection comparable to that of the EU. 

Subject to your consent, tools are used on the website and in the app, and external content and media provided by companies based in third countries are integrated. If these tools are activated, your personal data may be transferred to these third countries and processed there. Please note that in third countries with uncertain data protection standards, a level of data protection comparable to that of the EU cannot be guaranteed. In such cases, data transfers are made on the basis of additional safeguards pursuant to Art. 44 et seq. of the GDPR. Under certain conditions, the EU Commission classifies the United States as a safe third country with a level of data protection comparable to that of the EU. Data transfers to the U.S. are therefore permitted if the data recipient is certified under the “EU-U.S. Data Privacy Framework” (DPF). Information on transfers to third countries, including the data recipients, can be found in this privacy policy as well as in the information on cookies and other trackers at 

https://www.hotel-bb.com/en/cookies-policy

6. Information on the Processing of Personal Data

6.1 Visiting the Website

When you visit the website, your browser transmits certain system and browser data for technical reasons. This data (so-called server log files) is processed by the companies jointly responsible for the online booking system:

  • IP address
  • Date and time of the server request 
  • Browser, language, and version of the browser software
  • Operating system used
  • Hostname of the accessing computer
  • Website from which the request originates (“referrer URL”)

This data is not stored together with other personal data of the users. 

The temporary storage of the user’s IP address by the web server is technically necessary to display the website. For this purpose, the IP address must necessarily be stored for the duration of the session.

The storage of the aforementioned data in the log files is carried out to ensure the functionality of the online booking system. This data also serves to ensure the security of the IT systems (e.g., for attack detection). An evaluation of the data for marketing purposes does not take place in this context.

The legal basis for the temporary storage of this data and the log files is Article 6(1)(f) of the GDPR. The legitimate interest lies in the technically error-free display and optimization of the website—for this purpose, the server log files must be recorded.

The aforementioned data is deleted as soon as it is no longer necessary to achieve the purpose for which it was collected. In the case of data collected for the provision of the website, this is the case when the respective session ends. In the case of data stored in the log files, the retention period is up to 3 months. Storage beyond this period is possible if such data is required (e.g., for investigating attacks, misuse, or fraudulent activities). Data whose continued retention is necessary for evidentiary purposes is exempt from deletion until the respective incident has been fully resolved.

The collection of data for the provision of the website and its storage in log files is technically necessary for the operation of our website. You therefore have no right to object.

6.2 Contact Form on the Website 

When you send us inquiries via the contact form on the website, we collect the data requested in the contact form (e.g., name, email address) as well as the details of your inquiry. Required fields are marked accordingly. We process your personal data to respond to your inquiry and handle your request. We store your data in case of follow-up questions.

If your inquiry relates to the performance of a contract or is necessary for the implementation of pre-contractual measures (e.g., a quote), processing is based on Article 6(1)(b) of the GDPR. In all other cases, processing is based on our legitimate interest in the effective handling of inquiries directed to us (Article 6(1)(f) of the GDPR).

The data is used exclusively for the purpose of handling the conversation and processing your inquiry. The data you enter in the contact form will remain with us until you request its deletion or the purpose for data storage no longer applies (e.g., after your inquiry has been fully processed). Mandatory legal provisions—in particular retention periods—remain unaffected. Your personal data will be deleted no later than three years after the completion of processing your inquiry, at the end of the calendar year. 

6.3 Inquiries via Email or Phone 

If you contact us via the email addresses provided on the website or by phone, we will store and process your inquiry, including all personal data contained therein (name, address, contact information, inquiry), for the purpose of handling your request.

If your inquiry relates to the performance of a contract or is necessary for the implementation of pre-contractual measures (e.g., a quote), the processing is based on Article 6(1)(b) of the GDPR. In all other cases, the processing is based on our legitimate interest in the effective handling of inquiries directed to us (Article 6(1)(f) of the GDPR).

The data is used exclusively for the purpose of handling the conversation and processing your inquiry.

The data you provide via contact requests will remain with us until you request its deletion or the purpose for data storage no longer applies (e.g., after your inquiry has been fully processed). Mandatory legal provisions—in particular retention periods—remain unaffected. Your personal data will be deleted no later than three years after the completion of processing your request, at the end of the calendar year. 

6.4 Newsletter

You can subscribe to a newsletter on our website at . We send newsletters only with the recipient’s consent. For this purpose, we use a double opt-in procedure. After subscribing to the newsletter, you will receive an email in which you must confirm your subscription. We use this procedure to ensure that no one can subscribe using someone else’s email address. We log newsletter subscriptions to be able to verify the registration process in accordance with legal requirements. This includes the date, time, and IP address at the time of registration. To subscribe to the newsletter, we collect your name and email address.

We send newsletters for promotional purposes to inform you about offers, promotions, and other news regarding B&B HOTELS.

The processing of the data entered in the newsletter registration form is based exclusively on your consent (Art. 6(1)(a) GDPR in conjunction with § 7(2)(2) of the German Unfair Competition Act (UWG)). By sending the email as part of the double opt-in process, we fulfill our legal obligation to verify your email address, Art. 6(1)(c) GDPR. Your data related to newsletter registration and delivery is processed by the marketing department of B&B Hotels Germany GmbH. The companies of the B&B Hotels Group, an overview of which is available above, are jointly responsible for the administration and implementation of the direct marketing campaign. The joint controllers have commissioned B&B HOTELS DIGITAL SERVICES, 9 boulevard Romain Polland, 75014 Paris, France, and MOVE ON B&B HOTELS, 271, rue du Général Paulet, 29200 Brest, France, with the management and distribution of the newsletters. The contractors act on the instructions of the joint controllers based on data processing agreements. 

You may revoke your consent to receive our newsletter at any time without providing a reason, effective for the future, for example via the unsubscribe link in each newsletter. In the event of revocation, your email address will be marked with a flag to document that you no longer wish to receive the newsletter in the future. Data that is no longer required will be deleted immediately. The blocking flag and your email address will be deleted three years after the end of the calendar year in which the blocking flag was set. If you do not confirm your consent to receive our newsletter as part of the double opt-in process, we will block your email address and delete it after six months, unless we are required to retain it for other reasons or in another context. 

6.5 Online Booking of Hotel Stays and Check-In

When you book a room via the online booking system on the website or the app, we process the personal data requested via the booking form (e.g., personal master data, contact details, reservation/booking information, terms and conditions, payment and billing data) to complete the booking and establish an accommodation contract. Your email address is processed to send you reservation/booking confirmations, changes, cancellations, and other communications related to the reservation/booking and the accommodation contract. Additionally, you will receive an automatically generated invitation to check in online via email prior to your scheduled arrival date. To complete online check-in, you must register via the link in the email and provide your credit card details (card number, expiration date, security code) for payment purposes. 

The companies of the B&B Hotels Group, a list of which is available above, are jointly responsible for data processing via the online booking system on the website and the app. The joint controllers have entrusted the operation and management of the online reservation system to B&B HOTELS DIGITAL SERVICES, 9 boulevard Romain Polland, 75014 Paris, France, and MOVE ON B&B HOTELS, 271, rue du Général Paulet, 29200 Brest, France. The contractors act on the instructions of the joint controllers based on data processing agreements. 

For the purpose of establishing and fulfilling the accommodation contract, data from the online booking system may be transmitted to the operator of the hotel where you have booked your stay. 

To comply with legal reporting requirements, it may be necessary to transmit certain personal data to the registration authority responsible for the hotel where you are staying after you have checked in. You are required to provide this information upon check-in. 

In the case of accommodation for a minor traveling alone, the hotel where the stay takes place will collect a declaration from a legal representative stating the name, contact details, and a copy of an identification document. Details regarding data processing can be found in the corresponding form at https://bb-website-prod-bucket.s3.eu-central-1.amazonaws.com/public/prod/2025-05/Declaration%20of%20consent%20from%20parents%20of%20minors_de_EN.pdf

The legal basis is Art. 6(1)(b) GDPR, as the processing of the data is necessary for the conclusion and performance of an accommodation contract at a B&B Hotel. By reporting guest data to the relevant registration authority, the B&B Hotel fulfills its legal obligation as a hotel operator pursuant to Art. 6(1)(c) in conjunction with Sections 29 and 30 of the Federal Registration Act (BMG).

The data stored by us will be deleted as soon as it is no longer necessary for its intended purpose and no statutory retention obligations prevent its deletion. The retention periods under commercial and tax law in connection with the accommodation contract are six years (Section 257(1) of the German Commercial Code (HGB)) and ten years (Section 147(1) of the German Fiscal Code (AO)), respectively. The registration forms required under the Federal Registration Act are retained for one year after registration in accordance with the provisions of § 30 BMG and destroyed within three months after the retention period expires. 

If you have made a booking with us, we use your email address to send you advertisements for similar goods and services related to your booking. You may object to this use at any time by either clicking the unsubscribe link in the footer of such a promotional email or, alternatively, by sending us a message via the contact form on our website with the subject line “Feedback on Your Stay,” including your email address.

The legal basis for this data processing is Art. 6(1)(f) GDPR in compliance with the provisions of § 7(3) UWG. Our legitimate interest lies in promoting customer loyalty.

6.6 Bookings via Airbnb

When you make a booking via the Airbnb platform, we receive the personal data necessary for the performance of the accommodation contract from Airbnb Ireland UC, 8 Hanover Quay, Dublin 2, Ireland (“Airbnb”).
In this context, we process in particular your name, contact details (e.g., email address, phone number), booking details (e.g., length of stay and services booked), as well as the content of communications related to the booking. This processing is carried out to execute the accommodation contract and for communication related to your booking based on Article 6(1)(b) of the GDPR; where necessary, it is also carried out to fulfill legal obligations (e.g., registration requirements) based on Article 6(1)(c) of the GDPR.
The data is transmitted to us by Airbnb and shared within our company exclusively with the departments involved in the execution of your stay; disclosure to third parties occurs only to the extent necessary for the fulfillment of the contract or where a legal obligation exists. Storage occurs only for the duration of the contract’s execution and within the scope of statutory retention obligations.

6.7 User Account and Participation in the B&me Loyalty Program

On the website and in the app, you have the option to create a personalized user account (“B&me Account”) to view bookings, make future reservations more quickly, and take advantage of the B&me Loyalty Program. 

To create and maintain the B&me Account, the data requested in the registration form (personal master data, contact information, language and country settings, password, communication preferences) is processed. Details regarding bookings and hotel stays, as well as benefits claimed through the B&me Loyalty Program, are stored in the B&me Account and can be accessed there at any time. Registration for the user account and participation in the B&me loyalty program are verified via a double opt-in process. You will receive a confirmation email containing a link that you must click to activate your B&me account. Your email address is stored for this purpose and for further communication regarding your B&me account.

The legal basis for data processing is Art. 1(b) of the GDPR. The processing of data is necessary for registering for the user account as well as for establishing and carrying out participation in the B&me loyalty program. 

The companies of the B&B Hotels Group, an overview of which is available above, are jointly responsible for data processing in connection with the operation of the B&me loyalty program. The joint controllers have commissioned B&B HOTELS DIGITAL SERVICES, 9 boulevard Romain Polland, 75014 Paris, France, to provide services related to the administration of the B&me loyalty program. B&B HOTELS DIGITAL SERVICES processes the personal data on the basis of a data processing agreement in accordance with the instructions of the joint controllers. 

Personal data is stored for the duration of the user account and participation in the B&me loyalty program. You can terminate your B&me account and your participation in the B&me loyalty program at any time via your user account. The data will then be deleted no later than upon expiration of the six-year retention period under commercial law pursuant to Section 257 of the German Commercial Code (HGB). 

6.8 B&me Club Loyalty Program

Through the B&me account, you can register on the website and the app for paid participation in the B&me Club Loyalty Program.

To establish and manage your participation in the B&me Club Loyalty Program, the data requested in the B&me Account registration form (personal master data, contact information, language and country settings, password, communication preferences) is processed. Details regarding bookings and hotel stays, as well as benefits redeemed through the B&me Loyalty Program and the B&me Club Loyalty Program, are stored in the B&me Account and can be accessed there at any time. An identification number is also stored for each member. Participation in the B&me Club Loyalty Program is confirmed via a message sent to the email address provided during registration. The email address is used for further communication regarding the B&me Club loyalty program. The legal basis for data processing is Article 1(b) of the GDPR. The processing of data is necessary for registering the user account as well as for establishing and implementing participation in the B&me Club loyalty program. 

The companies of the B&B Hotels Group, a list of which is available above, are jointly responsible for data processing in connection with the operation of the B&me Club loyalty program. The joint controllers have commissioned B&B HOTELS DIGITAL SERVICES, 9 boulevard Romain Polland, 75014 Paris, France, to provide services related to the administration of the B&me Club loyalty program. B&B HOTELS DIGITAL SERVICES processes the personal data on the basis of a data processing agreement in accordance with the instructions of the joint controllers.

Personal data is stored for the duration of participation in the B&me Club loyalty program. Upon termination of participation in the B&me Club loyalty program, the data will be deleted no later than upon expiration of the six-year retention period under commercial law pursuant to Section 257 of the German Commercial Code (HGB). 

6.9 Gift Certificate Shop

On the website, you can purchase gift certificates for stays at a B&B Hotel. Information regarding the processing of personal data in connection with this gift certificate shop is available directly in the shop section under “Privacy Policy.”

6.10 Payment Service Providers 

If you use third-party payment services (e.g., PayPal, Visa, Mastercard, Maestro, American Express), the companies of the B&B HOTELS Group work with the payment service provider Adyen N.V. (hereinafter “Adyen”), Simon Carmiggeltstraat 6-50, 1011 DJ, Amsterdam, Netherlands.

Adyen is a full-service payment provider that handles payment processing, among other things. The data required for the respective payment method is transmitted to Adyen, unless it is collected directly by the respective payment service (e.g., PayPal) itself. 

The bank card number, expiration date, and security code are processed exclusively by Adyen, which merely provides us with a token for the guarantee and payment of the transactions. 

The purpose of the transfer is identity verification, the desired payment processing, the performance of any credit checks, and fraud prevention. To the extent necessary to fulfill contractual obligations, Adyen also transfers the personal data to service providers or subcontractors. 

The legal basis for the processing is Art. 6(1)(b), (c), and (f) of the GDPR. By transmitting data for identity verification, we fulfill legal obligations regarding customer authentication pursuant to Art. 6(1)(c) GDPR in conjunction with the Payment Services Directive and the Payment Services Supervision Act. The legitimate interest in data transmission arises from the purposes outlined above. 

The terms and conditions and privacy policy of our partner for electronic payment processing apply. For more information on data protection, please visit https://www.adyen.com/de_DE/richtlinien-und-haftungsausschluss/privacy-policy.

6.11 Guest Reviews

To obtain feedback from our guests regarding their stay, we use a review service provided by TrustYou GmbH, Schmellerstraße 9, 80337 Munich, www.trustyou.com. If you have consented to receive the newsletter, after staying at a B&B Hotel in Germany, you will receive an email from B&B Hotels Germany GmbH containing a link through which you can submit a review of your most recent stay. If you choose to submit a review, your name, email address, and/or phone number, IP address, your review result and details of the review, other data you have entered, as well as system data (browser type and version, device used, date and time the review was submitted, referring URL) will be transmitted to TrustYou GmbH and evaluated by TrustYou and B&B Hotels Germany GmbH. The rating result, details of your review, your first name, the first letter of your last name, and the date of the review may be made publicly available on the website and the app. 

Collecting and analyzing reviews helps us improve our quality. 

The legal basis for data processing is your consent to receive the newsletter (Art. 6(1)(a) GDPR) as well as the legitimate interest of B&B Hotels Germany GmbH in operating a review system and evaluating reviews following guests’ voluntary use of the review system (Art. 6(1)(f) GDPR). 

Submitting a review is voluntary. You can opt out of receiving further invitations to review the hotel via email at any time by clicking the link provided in each email. 

TrustYou GmbH acts on behalf of B&B Hotels Germany GmbH based on a data processing agreement. For more information on how TrustYou handles data, please refer to TrustYou’s privacy policy at: https://www.trustyou.com/downloads/privacy-policy.pdf

Reviews are made publicly available on the website and the app for a maximum period of 24 months from the date of submission. The data collected in connection with a review is stored and analyzed for a maximum period of five years from the date of submission. TrustYou GmbH is authorized to anonymize the data thereafter and to store and use it for analytical purposes without any time or geographical restrictions. 

6.12 Conducting Sweepstakes 

We occasionally host sweepstakes or other contests in which guests and other interested parties can participate, e.g., in connection with submitting a guest review. For this purpose, we process the data required for participation, such as names, email addresses, and answers to sweepstakes and contest questions. If a prize is won, address information may be requested afterward so that the prize can be shipped. 

Processing is carried out solely for the purpose of conducting the sweepstakes or contest, i.e., to determine and notify winners and to send out prizes. 

For sweepstakes and other contests in connection with the submission of a guest review, we utilize the services of TrustYou GmbH, Schmellerstraße 9, 80337 Munich, which acts on our instructions based on a data processing agreement. 

To the extent that we obtain your consent in connection with a sweepstakes or contest, this constitutes the legal basis for data processing (Art. 6(1)(a) GDPR). Otherwise, Art. 6(1)(b) GDPR serves as the legal basis, as data processing is necessary for participation in the sweepstakes or contest. 

The data will be deleted after the prize draw or competition has been conducted, unless you have given consent to the further processing of your data or a longer retention period is required in connection with the redemption or use of a prize. 

6.13 Video Surveillance in Hotels 

Video surveillance may be used in certain areas of hotels and their associated premises, particularly parking lots. In this context, images of guests may be recorded and evaluated on a case-by-case basis. 

Video surveillance is generally conducted within the limits of the law. The legal basis is the legitimate interest in the safety of our guests and hotel property pursuant to Art. 6(1)(f) GDPR. 

Detailed information on the use of video cameras and data processing in this context can be found on-site at the respective hotels. 

6.14 Guest Wi-Fi in Hotels 

In the hotels operated by B&B Hotels Germany GmbH in Germany, access to guest Wi-Fi is provided. 

When using the guest Wi-Fi, the following data may be processed, some of which is stored through the use of cookies and some of which you may optionally provide: MAC or IP address of the device used, email address, username, name, room number, check-in date. 

B&B Hotels Germany GmbH has commissioned m3connect GmbH, Friedlandstraße 18, 52064 Aachen, to provide and operate the guest Wi-Fi system. m3connect GmbH processes your data in accordance with our instructions based on a data processing agreement. 

The legal basis for data processing is Article 6(1)(b) of the GDPR, insofar as the data is necessary for the intended use of the guest Wi-Fi. In the case of storing information in cookies, we also base the processing on our legitimate interests pursuant to Article 6(1)(f) of the GDPR. The cookies are technically necessary to ensure the functionality of the Wi-Fi system. This also constitutes our legitimate interest. 

The data is processed for authentication and to ensure the error-free operation of the guest Wi-Fi. 

The data is deleted after 10 weeks at the latest, unless deletion is precluded by statutory retention obligations. The technically necessary cookies are session cookies that have a maximum duration of one day. 

Further details can be found in the information provided during on-site registration for the guest Wi-Fi. 

6.15 Central Telephone Reservation Center 

As part of our services, the B&B HOTELS Group operates a central telephone reservation center, which is also available to the hotels of B&B HOTELS GmbH in Germany. Through this reservation center, you can make telephone bookings and obtain information about your stay. The purpose of processing is to handle and manage reservations received by phone through the central reservation center; to centrally consolidate and manage reservation data; and to ensure quality and improve our booking service. 

Individual calls may be recorded for quality control and employee training purposes. The recordings are used exclusively for internal purposes, are not shared with third parties, and are deleted after 30 days at the latest. The legal basis for this is Article 6(1)(f) of the GDPR (legitimate interest in optimizing our customer service). You will be informed of this before a recording begins and may object to it.

The legal basis for the remaining processing is Article 6(1)(b) of the GDPR (processing necessary for the performance of a contract or for taking steps at the request of the data subject prior to entering into a contract) as well as Article 6(1)(f) of the GDPR (legitimate interest in the efficient processing of reservations and the optimization of our service offerings). 

The following categories of personal data are processed for this purpose: name, title; address, email address, phone number; booking and travel details (hotel, length of stay, booked services, special requests); payment details (if necessary to secure the booking); and communication content (e.g., content of phone inquiries  or audio recordings, if a recording is made).

The recipients of the data are B&B HOTELS Germany GmbH, the hotels of the B&B HOTELS Group in Germany where a reservation is made, as well as agents and IT and service providers (within the scope of data processing on behalf of the controller).

Personal data is stored for the duration of the reservation processing and the stay. After complete processing and the expiration of statutory retention periods, the data is deleted.

In addition, we would like to point out that, in the context of calls to the central reservation center, an automated evaluation of call content is performed using AI-supported software (Amazon Connect). This serves exclusively for quality assurance and the optimization of our service processes, in particular for assessing the course of conversations, identifying sentiment indicators (so-called sentiment analysis), and improving call handling.

The legal basis for this is Article 6(1)(f) of the GDPR (legitimate interest in quality assurance and the improvement of our services). The processing is not carried out for the purpose of automated decision-making within the meaning of Article 22 of the GDPR.

If the conversation is recorded, data subjects are informed in advance and have the option to object to this processing by making the appropriate selection during the telephone announcement.

The AI-supported analysis is carried out exclusively within the framework of commissioned processing pursuant to Art. 28 GDPR by Amazon Web Services EMEA SARL. An adequate level of data protection is ensured by the conclusion of the EU Standard Contractual Clauses pursuant to Art. 46(2)(c) GDPR.

6.16 Direct Mail

We process your name and mailing address to send you selected offers and information about our services by mail. If you are a member of our B&me program or have made a previous booking with us, we may also use information about your booking history or usage status to send you relevant offers.

The legal basis is our legitimate interest in direct marketing to existing customers pursuant to Art. 6(1)(f) GDPR. For technical processing, we engage carefully selected service providers as data processors pursuant to Art. 28 GDPR, who are permitted to use your data exclusively for the purpose of carrying out the mailing.

You may object to the use of your data for direct marketing purposes at any time (Art. 21(2) GDPR) at no cost to you.

7. Cookies 

Our website uses so-called “cookies” and other tracking tools. Details on this and your settings options are provided in our information on cookies and other trackers at https://www.hotel-bb.com/en/cookies-policy

8. Our Presence on Social Media Channels 

B&B Hotels Germany GmbH maintains its own channel on several social media platforms. When you visit our profile on one of these social media platforms, the respective social media platform provider processes your data to create user profiles and to operate and improve its own services. Furthermore, some social media platform providers provide us with analyses of the use of our profile in anonymized form. Data processing takes place in part regardless of whether you are registered on the social media platform yourself or not. The analytics typically include the following information:

  • Reach metrics regarding the profile, posts, and other features, i.e., the total number of people who have visited or used the profile, posts, and other features;
  • Aggregated data on the age, gender, and location (country, region/city) of the people who visit the profile;
  • Duration of use for videos and other features;
  • Time and location of usage;
  • Devices, operating systems, and software used;
  • Interactions related to posts, e.g., click-through rates, shares, comments.

With regard to data processing operations for the purposes of the aforementioned analyses, B&B Hotel Germany GmbH is jointly responsible with the respective providers of the social media platforms within the meaning of the GDPR and has entered into corresponding agreements regarding joint responsibility.

We have no influence over whether and to what extent the providers collect personal data on their social media platforms. Nor are we aware of the scope, purpose, and retention period of the data collection. It must be assumed that at least the IP address and device-related information are collected and used. It is also possible that the providers use cookies and similar technologies on their platforms to track and analyze user behavior on the platforms and other services offered by the providers. 

Some of the providers of social media platforms are based outside the territory of the European Union (EU) and the European Economic Area (EEA) (so-called “third countries”), particularly in the United States. Some of these third countries do not have a level of data protection equivalent to that of the EU, or recognition of an adequate level of data protection is subject to further conditions—such as, in the case of U.S. companies, certification under the EU-U.S. Data Framework Agreement. In some third countries, for example in the U.S., government agencies have extensive access rights to data held by companies headquartered in those third countries. We cannot rule out the possibility that, even if the providers are based in the EU, data may also be transferred to group companies in the U.S. or another third country.

Further information on the individual providers of the social media platforms on which we maintain a profile:

9. Automated Decision-Making, Profiling 

No automated decision-making within the meaning of Art. 22 GDPR is used to establish or carry out business relationships.

In the area of marketing, we use profiling methods to provide our guests with targeted and relevant information. This takes into account, among other things, past bookings, memberships, or interactions with our website to, for example, send personalized newsletters, reminder emails for canceled bookings, or individual advertisements (retargeting). Processing is based on consent pursuant to Art. 6(1)(a) GDPR or on our legitimate interest pursuant to Art. 6(1)(f) GDPR; in the case of email advertising to existing customers, § 7(3) UWG also applies.

10. Obligation to Provide Data 

For the establishment, execution, and termination of a business relationship (e.g., booking, accommodation contract, participation in a loyalty program, receipt of a newsletter), it is necessary or, in some cases, legally required that you provide us with personal data. Without this data, a business relationship will generally not be able to be established or will have to be terminated. In forms, this data is regularly marked as required information. 

During your stay, we are obligated under applicable municipal statutes, state law, or relevant regulations to disclose certain data regarding guests to the competent authorities or tourism organizations. This applies in particular to the collection and remittance of fees such as the visitor’s tax, the overnight stay tax (also known as the bed tax), or similar municipal special taxes.

The data transmitted may include, in particular, the following information: name, address, travel dates (arrival and departure dates), number of traveling companions, and, if applicable, whether an exemption or reduction from the relevant tax applies.

The processing and disclosure of this data is based on Article 6(1)(c) of the GDPR (legal obligation) in conjunction with the respective municipal statutes or applicable state law.

The recipients of the data are the respective competent municipal authorities (e.g., spa administration, city administration, municipal administration, or tourism organization). No further disclosure takes place.

11. Data Security 

We place particular importance on the security of personal data. We implement technical and organizational measures appropriate to the sensitivity of the personal data to ensure its integrity and confidentiality and to protect it from unauthorized access, loss, alteration, or disclosure to unauthorized third parties. These security measures include, for example, the encrypted transmission of data between your browser and our servers. Please note that SSL encryption is only enabled for transmissions over the Internet if the lock icon appears in your browser window and the address begins with https://. TLS (Transport Layer Security) protects data transmission from unauthorized access by third parties using encryption technology. If this option is not available, you may also choose not to send certain data over the Internet.

12. Your Rights

When we process your personal data, you have the following rights: 

Right of access (Art. 15 GDPR): You have the right to request information about the personal data processed concerning you. This right also includes the right to receive a copy of the relevant data.

Right to rectification (Art. 16 GDPR): You have the right to request the immediate rectification of personal data concerning you if it is inaccurate. Taking into account the purposes of the processing, you have the right to request the completion of personal data concerning you if it is incomplete.

Right to erasure (Art. 17 GDPR): You have the right to request that personal data concerning you be erased without undue delay, provided that one of the grounds listed therein applies.

Right to restriction of processing (Art. 18 GDPR): You have the right to request the restriction of the processing of your personal data if one of the grounds listed therein applies.

Right to data portability (Art. 20 GDPR): You have the right to receive the personal data concerning you that you have provided to us in a structured, commonly used, and machine-readable format, and under certain circumstances, you have the right to transmit this data to another controller without hindrance.

Right to Object (Art. 21 GDPR): You have the right to object at any time to the processing of your data on grounds relating to your particular situation, provided that the data processing is based on a balancing of interests pursuant to Art. 6(1)(f) GDPR. This also applies to profiling based on this provision within the meaning of Article 4(4) of the GDPR. If you object, your personal data will no longer be processed, unless there are demonstrably compelling legitimate grounds for the processing that override your interests, or the processing serves to assert, exercise, or defend legal claims.

Withdrawal of Consent (Art. 7(3) GDPR): Pursuant to Art. 7(3) GDPR, you have the right at any time to withdraw your consent to the processing of personal data without providing reasons, with effect for the future. 

With regard to the right of access and the right to erasure, the restrictions under Sections 34 and 35 of the Federal Data Protection Act (BDSG) apply.

You can exercise your rights: 

  • at the following email address: datenschutz@hotelbb.com;
  • or via the postal address: B&B HOTELS Legal Department/Data Protection, Altkönigstraße 10, 65239 Hochheim am Main.

In addition, you have the right to lodge a complaint with a supervisory authority (Art. 77 GDPR in conjunction with § 19 BDSG) if you believe that the processing of your personal data is not lawful. This can be done, for example, with the supervisory authority responsible for B&B Hotels Germany GmbH: The Hessian Data Protection Commissioner, Gustav-Stresemann-Ring 1, 65189 Wiesbaden, https://datenschutz.hessen.de.

13. Changes to the Privacy Policy

We reserve the right to amend the Privacy Policy to adapt it to changes in the legal landscape or to changes in the service and data processing. However, this applies only with regard to statements regarding data processing. If user consent is required or if parts of the Privacy Policy contain provisions governing the contractual relationship with users, changes will only be made with the users’ consent.

Please review the content of the Privacy Policy regularly.

  • Print
    this page
  1. B&B HOTELS
  2. B&B HOTELS Germany: Information according to Article 13 ff. of the General Data Protection Regulation (GDPR)