We are pleased that you are visiting our website. The protection of your privacy and the protection of your personal data when using our website is an important concern for us.
Here you will find information on how we handle your personal data when you visit our website. In order to provide the functions and services of our website, it is necessary for us to collect personal data about you. In the following, we explain what data we collect about you, what this is required for and what rights you have in relation to your data.
Responsible for the processing of personal data within the meaning of the Data Protection Basic Regulation (DSGVO) and other data protection regulations (see imprint):
If you have any questions regarding data protection, you can also contact our data protection officer at any time at the address given above or by e-mail to email@example.com.
1. Provision of the Website
1.1 Collection of System Data
Each time our website is opened, the following technically-necessary data is automatically collected from the system of the end device being used:
- IP address
- Date and time of the request
- Content of the request
- Access status/HTTP status code
- Browser type
- Language and version of browser software
- Operating system
The collection and temporary storage of the data is technically necessary to be able to provide our website to you. We use the data also to ensure the security and stability of our website. An evaluation of the data for marketing purposes, a comparison with other databases, or an onward transfer to third parties does not take place in this context. The legal basis for processing the data is Article 6(1)(f) GDPR. Our legitimate interest lies in the purposes described.
The data are deleted as soon as the respective browser session is ended.
1.2.1. Technically Necessary Cookies
We use technically necessary cookies to facilitate and improve the use of our website. Cookies are text information that are stored on a terminal when a website is visited via the web browser. They are used for user guidance and recognition of a session, for example when logging in permanently or when booking a room. The technically necessary cookies are not used for analysis or for advertising purposes.
We use technically necessary cookies for the following functions and data:
Log-in information for access to the user account
Content of a booking request
The following own cookies are used on our website:
Most web browsers accept cookies automatically. You can delete stored cookies at any time using your web browser settings. You can also adjust your web browser settings to notify you when cookies are placed, or to not store cookies. If you prohibit the setting of technically necessary cookies, our website cannot be displayed properly and not all functions of our website are available.
The legal basis for the use of technically necessary cookies is Art. 6(1)(f) GDPR.
1.2.2. Use of the Google Tag Manager
The Google Tag Manager is used on this website. The Google Tag Manager is a system from Google that manages Java-Script tags and HTML tags used to implement the above-mentioned services. In particular, the system controls which tags are to be used and when, based on the consent you have provided. The Tag Manager does not set any cookies itself and does not collect any data or other information from you and your device. The services it controls set the cookies listed above.
1.2.3. Cookies for Usage Analysis
Google Analytics: To the extent you have given us your consent, we use Google Analytics, a web analytics service provided by Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland, hereinafter "Google"), on our website. This makes it possible to assign data, sessions, and interactions across multiple devices to a pseudonymous user ID and, thus, analyze the activities of a user across several devices. Google Analytics uses so-called cookies, that is, text files that are stored on your computer and that enable an analysis of your use of the website. This includes the following cookies in detail:
The information generated by the cookies, for example, time, place, and frequency of your website visits, including your IP address, is transferred to Google and stored there. Since this website uses Google Analytics with the extension "_gat._anonymizeIp", your IP address will be truncated by Google within European Union member states or in other contracting states to the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and be truncated there. The IP address transmitted by your browser within the scope of Google Analytics will, according to its own information, not be merged with other data from Google. On behalf of the operator of this website, Google will use this information for the purpose of evaluating your use of the website, preparing reports on website activity and providing other services relating to website activity and internet usage to the website operator. Google may also transfer this information to third parties where required to do so by law, or where such third parties process the information on Google's behalf.
The legal basis for the use of Google Analytics is your consent (Art. 6(1)(a) GDPR).
The purpose of the data processing is to analyze the behavior of our users anonymously and to improve our website offerings based on these findings.
Hotjar: If you have given us your consent, we use Hotjar on our website, an analysis tool of Hotjar Ltd (Level 2, St Julians Business Centre, 3, Elia Zammit Street, St Julians STJ 1000, Malta). Hotjar uses technology to collect data about the behavior of our users, and about the devices they use, in particular IP address of the device (collected and stored only in anonymous form during website use), screen size, device type (Unique Device Identifiers), information about the browser used, location (country only) to display the preferred language. The data is stored by Hotjar on our behalf in a pseudonymized user profile. A transfer to third parties does not take place.
The following cookies are set:
For additional information about Hotjar functions and the handling of data, please visit: https://help.hotjar.com/hc/en-us/sections/360007966773-Privacy. If you do not want website analysis using Hotjar, you can deactivate it on all websites that use Hotjar by setting a DoNotTrack header in your browser (opt-out): https://www.hotjar.com/privacy/do-not-track/.
The legal basis for data processing via Hotjar is your consent (Art. 6(1)(a) GDPR).
The data is automatically deleted by Hotjar 365 days after it is collected.
1.2.4. Cookies to Display Advertising
Facebook Custom Audience: To the extent you have given us your consent, we use Facebook Custom Audience of the social network, Facebook, on our website. This service is offered by Facebook Ireland Limited (4 Grand Canal Square, Dublin 2, Ireland). We cannot exclude, however, the possibility that collected data may also be transferred to Facebook Inc. (1601 Willow Road, Menlo Park, California 94025, USA) (hereinafter collectively "Facebook").
The Facebook Custom Audience feature allows us to measure, optimize, and create target groups for our advertising campaigns. By capturing actions across devices, we can make advertising campaigns even more efficient. In addition, we can create ads that are relevant to the target group.
The following pixel is set for this service:
The above-mentioned data processing applies only to users who have an account with Facebook or who have accessed a partner page of Facebook (through which a cookie has been set).
If an association of the user ID contained in the Facebook cookie can be made to a Facebook user, Facebook assigns this user to a target group on the basis of the regulations set by us, provided that the regulations are relevant. We use the information obtained in this way to present advertising on Facebook (partner) pages. The display of advertising on Facebook (partner) pages based on the target group function does not affect users who are not members of Facebook.
For more information about advertising on Facebook, and how to set which ads are displayed to you, please visit the link https://www.facebook.com/about/basics/advertising. Instructions on how to make settings for advertisements, and how to avoid unwanted advertising, can be found here https://www.facebook.com/about/basics/advertising/ad-preferences. Additional information on data protection at Facebook can be found at https://www.facebook.com/policy.php.
1.2.5. Single Sign-On Procedure
Facebook Connect: To the extent you have given us your consent, we use the social plugin "Facebook Connect" on our website, an offer from Facebook Inc. If you have a Facebook account, you can log in or register for your user account with us using the social plugin with this account.
When you use our website, your browser establishes a direct connection to Facebook servers. The content of the plugin is transferred by Facebook directly to your browser and integrated into the website. Through this integration, Facebook receives the information that your browser has accessed the corresponding page of our website, even if you have not created a Facebook profile or are not logged in to Facebook. This information also includes your IP address and is transferred directly to Facebook's server in the USA and stored there.
If you log in or register with us using Facebook Connect, we receive - yes, according to your personal privacy settings on Facebook - the general and publicly-accessible information stored in your Facebook profile, such as your user ID, name, profile picture, age and gender. This data is stored and processed by us. Conversely, data about your user behavior on our website may be transmitted to your Facebook profile based on your consent.
If you do not want Facebook to assign the data collected via our website directly to your Facebook profile, you must log out of Facebook before visiting our website. For more information on data protection at Facebook, please visit: https://www.facebook.com/policy.php.
2. Hotel Bookings
You have the option to book a stay in one of our hotels via our booking engine ( https://reservations.flemings-hotels.com). The booking is possible either as a registered user or as a guest. For a room booking we process the following data from you: personal data (name, optional: title), contact information (e-mail address, country of residence, optional: street, city, postal code, telephone number), credit card payment data (card number, validity period, name of cardholder), reservation information (period of stay, number of guests, choice of room, other booking conditions), flight data, information in the open text field, creation of a user account and password if necessary, booking coupons.
The booking engine on our website allows our users to make online bookings with Flemings Hotels. If a user takes advantage of this option, the data entered in the input mask will be transmitted to us and our software partner TravelClick, 55 W 46th St 27th floor, New York 10036, USA and saved.
Alternatively, you can also book a stay via our telephone reservation hotlines. In this case, we collect and store the above-mentioned data.
To comply with our legal registration obligations, some of your data (name, address, date of birth, nationality, period of stay, number of fellow travelers and their nationality, and in the case of foreign guests, their passport number) will be transferred to the respective registration authority responsible for the hotel in which you are staying after you have checked in at the hotel. You are required to provide this data when checking in. An accommodation is otherwise not possible due to legal requirements and must be refused by us.
When booking at our hotels in Vienna, we transfer the data to Flemings Hotels GmbH, Kenyongasse 17, 1070 Vienna, Austria. When checking in at one of our hotels in Austria, you will be required to sign a guest sheet in accordance with the registration regulations in force there, stating your name, date and place of birth, your nationality and, as a guest from a foreign country, the type of ID card, the issuing authority, number and date of issue, and to sign the guest sheet. The guest sheets must be maintained for three years and be presented to the registration authorities upon request.
The legal basis is Art. 6(1)(b) GDPR, as your data are required for to establish and process a contract regarding the stay in one of our hotels. With the notification of our guests to the respective competent registration authority, we observe with a legal obligation pursuant to Art. 6(1)(c) in conjunction with §§ 29, 30 Federal Registration Act (BMG). The credit assessment is in our legitimate interest to secure our claim and is, thus, based on Art. 6(1)(f) GDPR.
We process your data only as long as it is necessary to process or fulfil legal obligations. The retention periods under commercial and tax law are six or ten years. The registration certificates required by the Federal Registration Act are stored in accordance with the requirements under Section 30 BMG for one year after the notification, and is destroyed within three months after the expiration of the retention period.
3. Registration and Access to User Account
As part of our booking process, we offer you the opportunity to register a user account. The user account allows you to process your room bookings more conveniently and to view your data stored with us as well as your active bookings and booking history. Via the registration mask, you provide us with your first and last name, your e-mail address, a password and, optionally, your telephone number. We store this data for the purpose of managing your user account and your access to it. With the exception of the password, which is displayed only in truncated form, the data can be viewed via your user account.
Upon completion of the registration process, your IP address and the date and time of registration are also automatically collected and stored.
The legal basis for the data processing is your consent, Art. 6(1)(a) GDPR. The registration also serves to facilitate your room bookings, i.e. the establishment and processing of a contract with you, so that an additional legal basis for the processing of the data is Art. 6(1)(b) GDPR.
The registration enables the faster processing of room bookings, because we can access your stored data in the booking process. In addition, the user account gives you the opportunity to view your prospective and past bookings online.
Your data will be deleted as soon as they are no longer required to achieve the purpose of their processing. You can delete your user account yourself or have it deleted by us at any time or change your personal data in the user account. If you delete your user account, your data will be deleted immediately, unless it is still used to process a booking or there are legal requirements to retain data, for example, under the Tax Code that prohibits deletion. For the storage of your data for the processing of your room bookings, the above explanations under point 2 apply.
4. Digital Guest Folder
We use a solution from CODE2ORDER GmbH, Schelmenwasenstraße 34, 70567 Stuttgart, through which we provide our guests with information and services of the hotel by way of a digital guest folder. The use of the guest folder is also generally possible without user registration. For the use of various services, however, the provision of personal data is necessary to determine whether you are authorized to request/use a certain service. This includes, in particular, the following data categories: Cookie ID, geodata, room number, transaction data (e.g. modules used and duration of visit to the guest portfolio), booking data (e.g. booking number, arrival and departure dates).
For the use of various functions and services, a system-side transmission of data is necessary. A transmission is made to Mailgun Technologies Inc, 112 E Pecan St. #1135 San Antonio, TX 78205, USA.
Cookies are set on the guest folder pages by CODE2ORDER GmbH, for the use of which your consent is obtained. Information about these cookies is available on the guest portfolio pages.
The guest folder pages are subject to TLS encryption to protect the confidentiality of data.
The data protection information of CODE2ORDER GmbH for its guest service system is available at https://www.code2order.com/privacy-policy/gss.
5. Digital check-in/-out
6. Voucher Shop
You may purchase vouchers for the use of services with us online via our voucher shop. For this purpose, the data requested from you in the shop (title, name, address, email address, payment method, optional: telephone number) as well as the data about the purchased voucher (monetary value, optional: voucher recipient, text), collectively "Order Data", are transmitted to us in encrypted form and processed. In addition, access to the individual order pages, including your IP address, are collected and processed. There is no consolidation of the usage data with the Order Data and no further usage analysis with personal reference.
Processing of the Order Data takes place exclusively, and is necessary, to allow you to purchase the desired online voucher and to send you the voucher by email. The legal basis is the establishment and execution of this purchase contract, Art. 6(1)(b) GDPR. The access data is processed to prevent misuse of the system; this is our legitimate interest, Art. 6(1)(f) GDPR.
We store your data for the validity period of the purchased voucher. Thereafter, the data will be deleted unless the deletion conflicts with legal retention obligations.
7. Contact Form
You can use a contact form on our website to ask us questions or to send us other requests. If you use the contact form, we collect and store the data that you enter in the input mask (title, name, email address, specification of the Fleming’s Hotel that is to process your contact request, content of your contact request, optional: company and telephone). When you send your contact request, your IP address and the date and time of sending are also automatically recorded and stored.
The legal basis for the processing is our legitimate interest resulting from the processing of your contact request to us, Art. 6(1)(f) GDPR. The processing of your IP address and date/time of your request serve is for maintaining the functionality of our website. If your request is to prepare for the conclusion of a contract, then Art. 6(1)(b) GDPR is an additional legal basis.
We use the data from the contact form exclusively to process your request. The automatically collected transaction data is processed to prevent misuse of our services and to ensure the security of our IT system.
We delete your data when your request has been conclusively resolved and an appropriate retention period has expired. Automatic deletion takes place after three years. The period begins at the end of the year in which we last processed your request. The data automatically collected during the sending process will be deleted after a period of seven days at the latest.
8. Our social media profiles
We maintain a company profile on several social media platforms. When you visit our profile on one of the social media platforms, the respective social media platform provider processes data from you in order to create usage profiles and to operate and improve its own services. Furthermore, some providers of the social media platforms provide us with reports on the use of our company profile in anonymised form. Some of the data processing takes place regardless of whether you yourself are registered on the social media platform or not. The evaluations usually contain the following information:
- Reach measurements regarding profile, posts and other functions, i.e. total number of people who have visited/used profile, posts and other functions;
- Aggregate data on age, gender and place of residence (country, region/city) of people visiting profile;
- Time of use for videos and other features;
- Time and location of uses;
- Devices, operating systems and software used;
- Interactions related to posts, e.g. click-through rates, shares, comments.
With regard to the data processing operations for the purposes of the above mentioned analyses, we are jointly responsible with the respective providers of the social media platforms within the meaning of the GDPR and have concluded corresponding agreements on joint responsibility.
Some of the providers of the social media platforms are based outside the territory of the EU and the European Economic Area (EEA) (so-called "third countries"), in particular in the USA, and that these third countries sometimes do not have an adequate level of data protection. In some third countries, for example in the USA, government agencies have far-reaching access rights to data of companies with headquarters in these third countries. We cannot exclude the possibility that even if the providers have their headquarters in the EU, data may also be stored to the group companies in the USA or in another third country.
Further information on the individual providers of the social media platforms on which we operate a profile:
- Facebook and Instagram: The service provider is Meta Platforms Ireland Limited (4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland, "Meta"). Further information on data protection can be found at https://facebook.com/policy.php and in relation to Instagram at https://help.instagram.com/519522125107875. Information on the cookies used by Meta when you visit our Facebook page or our channel on Instagram can be found at https://www.facebook.com/policies/cookies. For the processing operations where we are jointly responsible with Meta, the following joint responsibility agreement applies: https://www.facebook.com/legal/controller_addendum.
- XING: Service provider is New Work SE (Am Strandkai 1, 20457 Hamburg). Further information on data protection can be found at https://privacy.xing.com/de.
9. Contact Regarding Advertising
We may use your email address and postal address, which we receive in connection with the sale of a product or service, to advertise our own similar goods and / or services. You may object to this use at any time without incurring any costs other than transmission costs according to the basic costs. We will also inform you of this each time your email address is used for this purpose. For other advertising, for example by email and the sending of our newsletter, we will obtain your separate consent.
The legal basis for this data processing is our legitimate interest in conducting direct marketing, Art. 6(1)(f) GDPR.
Upon request, we will delete your data for the purpose of contacting you regarding advertising without delay. Please note that even after an objection from you, you may continue to receive advertising from us while implementing your objection. Other than the storage of your data for the purpose of contacting you regarding advertising, your data is subject to the legal retention periods set forth above, for example, in connection with a room booking or registration for a user account. If you have objected to receiving advertising from us, we will block your data accordingly.
10. Recipients of Data
For processing, we use persons to assist us, in particular in the area of IT. They process your data for us as so-called order processors and are required to handle the data with care. Such commissioned processing exists, for example, when we store data in an external data center. We use such service providers in the areas of:
- sales and distribution
When transferring data to external persons in third countries, i.e. outside the EU or the EEA, we ensure that these persons handle your personal data with the same care as within the EU or EEA. We transfer personal data to third countries only where the EU Commission has confirmed an adequate level of protection or if we ensure the proper handling of personal data through contractual agreements or other suitable guarantees.
11. Your Rights
You have the following legal rights vis-à-vis us regarding the personal data concerning you:
11.1. Right of Access to Information: In accordance with Article 15 GDPR, you have the right to request confirmation as to whether we are processing personal data relating to you. If this is the case, you have the right to obtain information about this personal data as well as additional information, e.g. the purposes of processing, the recipients and the planned duration of storage or the criteria for determining the duration.
11.2. Right to Rectification: In accordance with Art. 16 GDPR, you have the right to request the rectification or completion of your data stored by us without delay.
11.3. Right to Erasure: Pursuant to Art. 17 GDPR, you have the right to request the erasure of the data stored by us, insofar as the processing is not (no longer) necessary. This is the case, for example, if your data is no longer necessary for its original purposes, you have revoked your declaration of consent under the data protection law, or the data was processed unlawfully. Further processing may be necessary to comply with a legal obligation, for reasons of public interest, or to assert, exercise, or defend legal claims or to exercise the right to freedom of expression.
11.4. Right to Restrict Processing: Pursuant to Art. 18 GDPR, you have the right to request the restriction of the processing of your personal data, insofar as you dispute the accuracy of the data, the processing is unlawful but you object to its erasure, or we no longer need the data but you need it to assert, exercise, or defend legal claims or you have objected to the processing pursuant to Art. 21 GDPR.
11.5. Right to Data Portability: In accordance with Art. 20 GDPR, you have the right to receive the personal data concerning you in a structured, common, and machine-readable format or to request that it be transferred to another controller.
11.6. Right to Object: You have the right to object at any time, on grounds relating to your particular situation, to the processing of certain personal data concerning you that is performed on the basis of Art. 6(1)(e) or (f) GDPR.
In the event of direct marketing, you, as the data subject, have the right to object at any time to the processing of personal data concerning you for the purposes of such marketing; this also applies to profiling, insofar as it is related to such direct marketing.
11.7. Right to Revoke Your Consent under Data Protection Law: You may revoke your consent to the processing of your personal data at any time with effect for the future. However, the lawfulness of the processing performed until the revocation is not affected by this.
11.8. Right to Complain: You can also lodge a complaint with a data protection supervisory authority at any time, for example, if you believe that the data processing is not in compliance with data protection regulations. For this purpose, you may contact the supervisory authority of your usual place of residence, or workplace, or our registered office. The supervisory authority responsible for us is: Hessische Datenschutzbeauftragter, Postfach 3163, 65021 Wiesbaden, email: Poststelle@datenschutz.hessen.de.
12. Data Security
Our website complies with the typical encryption requirements. We use the disseminated SSL procedure (Secure Socket Layer) in conjunction with the highest encryption level supported by your browser. As a rule, this is a 256-bit encryption. If your browser does not support this encryption, we use 128 bit v3 technology. You can recognize the encryption of our website by the lock or key symbol in the address line or in the lower status bar.
We also use appropriate technical and organizational security measures to protect your data against accidental or intentional manipulation, partial or complete loss, destruction or against unauthorized access by third parties. Our security measures are continuously improved in line with technological developments. All our employees who may have access to personal data are required, in writing, to comply with data protection regulations and have been trained on the legal requirements.
Status: February 2021