We are pleased that you are visiting our website. The protection of your privacy and the protection of your personal data when using our website is an important concern for us.
Here you will find information on how we handle your personal data when you visit our website. In order to provide the functions and services of our website, it is necessary for us to collect personal data about you. In the following, we explain what data we collect about you, what this is required for and what rights you have in relation to your data.
If you have any questions regarding data protection, you can also contact our data protection officer at any time at the address given above or by e-mail to firstname.lastname@example.org.
1. Provision of the Website
1.1 Collection of System Data
Each time our website is opened, the following technically-necessary data is automatically collected from the system of the end device being used:
- IP address
- Date and time of the request
- Content of the request
- Access status/HTTP status code
- Browser type
- Language and version of browser software
- Operating system
The collection and temporary storage of the data is technically necessary to be able to provide our website to you. We use the data also to ensure the security and stability of our website. An evaluation of the data for marketing purposes, a comparison with other databases, or an onward transfer to third parties does not take place in this context. The legal basis for processing the data is Article 6(1)(f) GDPR. Our legitimate interest lies in the purposes described.
The data are deleted as soon as the respective browser session is ended.
1.2.1. Technically Necessary Cookies
We use technically necessary cookies to facilitate and improve the use of our website. Cookies are text information that are stored on a terminal when a website is visited via the web browser. They are used for user guidance and recognition of a session, for example when logging in permanently or when booking a room. The technically necessary cookies are not used for analysis or for advertising purposes.
Most web browsers accept cookies automatically. You can delete stored cookies at any time using your web browser settings. You can also adjust your web browser settings to notify you when cookies are placed, or to not store cookies. If you prohibit the setting of technically necessary cookies, our website cannot be displayed properly and not all functions of our website are available. It is not possible to deactivate the technically necessary cookies via our cookie content management.
The legal basis for the use of technically necessary cookies is Art. 6(1)(f) GDPR.
1.2.2. Use of the Google Tag Manager
The Google Tag Manager is used on this website. The Google Tag Manager is a system from Google that manages Java-Script tags and HTML tags used to implement the following services. In particular, the system controls which tags are to be used and when, based on the consent you have provided. The Tag Manager does not set any cookies itself and does not collect any data or other information from you and your device. The services it controls set the cookies required for the services.
1.2.3. Cookies for Usage Analysis
Google Analytics: To the extent you have given us your consent, we use Google Analytics, a web analytics service provided by Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland, hereinafter "Google"), on our website. This makes it possible to assign data, sessions, and interactions across multiple devices to a pseudonymous user ID and, thus, analyze the activities of a user across several devices. Google Analytics uses so-called cookies, that is, text files that are stored on your computer and that enable an analysis of your use of the website.
The information generated by the cookies, for example, time, place, and frequency of your website visits, including your IP address, is transferred to Google and stored there. Since this website uses Google Analytics with the extension "_gat._anonymizeIp", your IP address will be truncated by Google within European Union member states or in other contracting states to the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and be truncated there. The IP address transmitted by your browser within the scope of Google Analytics will, according to its own information, not be merged with other data from Google. On behalf of the operator of this website, Google will use this information for the purpose of evaluating your use of the website, preparing reports on website activity and providing other services relating to website activity and internet usage to the website operator. Google may also transfer this information to third parties where required to do so by law, or where such third parties process the information on Google's behalf.
The legal basis for the use of Google Analytics is your consent (Art. 6(1)(a) GDPR).
The purpose of the data processing is to analyze the behavior of our users anonymously and to improve our website offerings based on these findings.
1.2.4. Cookies to Display Advertising
Facebook Custom Audience: To the extent you have given us your consent, we use Facebook Custom Audience of the social network, Facebook, on our website. This service is offered by Meta Platforms Ireland Limited (4 Grand Canal Square, Dublin 2, Ireland). We cannot exclude, however, the possibility that collected data may also be transferred to Facebook Inc. (1601 Willow Road, Menlo Park, California 94025, USA) (hereinafter collectively "Facebook").
The Facebook Custom Audience feature allows us to measure, optimize, and create target groups for our advertising campaigns. By capturing actions across devices, we can make advertising campaigns even more efficient. In addition, we can create ads that are relevant to the target group.
The above-mentioned data processing applies only to users who have an account with Facebook or who have accessed a partner page of Facebook (through which a cookie has been set).
If an association of the user ID contained in the Facebook cookie can be made to a Facebook user, Facebook assigns this user to a target group on the basis of the regulations set by us, provided that the regulations are relevant. We use the information obtained in this way to present advertising on Facebook (partner) pages. The display of advertising on Facebook (partner) pages based on the target group function does not affect users who are not members of Facebook.
For more information about advertising on Facebook, and how to set which ads are displayed to you, please visit the link https://www.facebook.com/about/basics/advertising. Instructions on how to make settings for advertisements, and how to avoid unwanted advertising, can be found here https://www.facebook.com/about/basics/advertising/ad-preferences. Additional information on data protection at Facebook can be found at https://www.facebook.com/policy.php.
1.2.5. Single Sign-On Procedure
Facebook Connect: To the extent you have given us your consent, we use the social plugin "Facebook Connect" on our website, an offer from Meta Platforms Ireland Limited. If you have a Facebook account, you can log in or register for your user account with us using the social plugin with this account.
When you use our website, your browser establishes a direct connection to Facebook servers. The content of the plugin is transferred by Facebook directly to your browser and integrated into the website. Through this integration, Facebook receives the information that your browser has accessed the corresponding page of our website, even if you have not created a Facebook profile or are not logged in to Facebook. This information also includes your IP address and is transferred directly to Facebook's server in the USA and stored there.
If you log in or register with us using Facebook Connect, we receive - yes, according to your personal privacy settings on Facebook - the general and publicly-accessible information stored in your Facebook profile, such as your user ID, name, profile picture, age and gender. This data is stored and processed by us. Conversely, data about your user behavior on our website may be transmitted to your Facebook profile based on your consent.
If you do not want Facebook to assign the data collected via our website directly to your Facebook profile, you must log out of Facebook before visiting our website. For more information on data protection at Facebook, please visit: https://www.facebook.com/policy.php.
1.2.6 Cookie consent management
By using the tool from Secure Privacy, we comply with our legal obligation to obtain and document your consent to the use of non-functional cookies, Art. 6 para. 1 p. 1 lit. c of the GDPR.
2. Hotel Bookings
You have the possibility to book a stay in one of our hotels through our booking platform. The booking is possible as a registered user or as a guest. For a room booking, we process the data requested via the booking form (e.g. name, contact data (e-mail address, address), credit card payment data (card number, validity period, name of the cardholder), reservation details (period of stay, number of guests, choice of room, other booking conditions), flight data, details in the free text field, creation of a user account and password if applicable, booking of coupons). We use your e-mail address to send you booking confirmations, changes, cancellations and other communications related to your booking.
The data entered in the input mask will be transmitted and stored to us and to our partner TravelClick,Inc, 55 W 46th St 27th floor, New York 10036, USA ("TravelClick"). TravelClick will act on our instructions based on the EU standard contractual clauses.
Alternatively, you can also book a stay via our telephone reservation hotlines. In this case, we collect and store the above data.
In order to comply with our legal registration obligations, some of your data (name, address, date of birth, nationality, period of stay, number of fellow travelers and their nationality, in the case of foreign guests their passport number) will be transmitted to the respective registration office responsible for the hotel in which you are staying after you have checked in at the hotel. You are obliged to provide this data when checking in. Otherwise, accommodation is not possible due to legal requirements and must be refused by us.
For bookings at our hotels in Vienna, we transmit the data to Flemings Hotels GmbH, Neubaugürtel 26-28, 1070 Vienna, Austria. When checking in at one of our hotels in Austria, you will be required to sign a guest sheet in accordance with the registration regulations in force there, stating your name, date and place of birth, nationality and, as a guest from abroad, the type of ID you have, the issuing authority, number and date of issue, and to sign the guest sheet. The guest sheet collection must be kept for three years and presented to the registration authorities upon request.
The legal basis is Art. 6 para. 1 p. 1 lit. b GDPR, as your data is required for the establishment and execution of a contract for the stay in one of our hotels. With the notification of our guests to the respective competent registration authority, we comply with a legal obligation, Art. 6 para. 1 p. 1 lit. c in conjunction with. §§ 29, 30 Federal Registration Act (BMG). The credit assessment is in our legitimate interest to secure our claim and is thus based on Art. 6 para. 1 p. 1 lit. f GDPR.
We process your data only as long as it is necessary for processing or fulfillment of legal obligations. The retention periods under commercial and tax law are six or ten years. The registration certificates required by the Bundesmeldegesetz (Federal Registration Act) are stored for one year after registration in accordance with the requirements under Section 30 BMG and destroyed within three months of the expiry of the retention period.
3. REGISTRATION AND ACCESS TO THE FLEMINGS FAMILY USER ACCOUNT
As part of our loyalty program, we offer you the opportunity to register a user account. Via the registration mask, you provide us with your first and last name, your e-mail address, a password and optionally your telephone number. We store this data for the purpose of managing your user account and your access to it. With the exception of the password, which is only displayed in abbreviated form, the data can be viewed via your user account.
Upon completion of the registration process, your IP address and the date and time of registration are also automatically collected and stored.
The legal basis for the data processing is your consent, Art. 6 para. 1 p. 1 lit. a GDPR [SK1]. The registration also serves to facilitate your room bookings, i.e. the establishment and execution of a contract with you, so that additional legal basis for the processing of the data is Art. 6 para. 1 p. 1 lit. b GDPR.
Your data will be deleted as soon as they are no longer necessary to achieve the purpose of their processing. You can have us delete your user account or change your personal data in the user account at any time. If you delete your user account, your data will be deleted immediately, unless it is still used for the processing of a booking or there are legal obligations to retain data, for example from the German Tax Code, that prevent deletion. For the storage of your data for the processing of your room bookings, the above explanations under point 2 apply.
4. Digital Guest Folder
We use a solution from CODE2ORDER GmbH, Schelmenwasenstraße 34, 70567 Stuttgart, through which we provide our guests with information and services of the hotel by way of a digital guest folder. The use of the guest folder is also generally possible without user registration. For the use of various services, however, the provision of personal data is necessary to determine whether you are authorized to request/use a certain service. This includes, in particular, the following data categories: Cookie ID, geodata, room number, transaction data (e.g. modules used and duration of visit to the guest portfolio), booking data (e.g. booking number, arrival and departure dates).
For the use of various functions and services, a system-side transmission of data is necessary. A transmission is made to Mailgun Technologies Inc, 112 E Pecan St. #1135 San Antonio, TX 78205, USA.
Cookies are set on the guest folder pages by CODE2ORDER GmbH, for the use of which your consent is obtained. Information about these cookies is available on the guest portfolio pages.
The guest folder pages are subject to TLS encryption to protect the confidentiality of data.
The data protection information of CODE2ORDER GmbH for its guest service system is available at https://www.code2order.com/privacy-policy/gss.
5. Digital check-in/-out
6. Voucher Shop
You may purchase vouchers for the use of services with us online via our voucher shop. For this purpose, the data requested from you in the shop (title, name, address, email address, payment method, optional: telephone number) as well as the data about the purchased voucher (monetary value, optional: voucher recipient, text), collectively "Order Data", are transmitted to us in encrypted form and processed. In addition, access to the individual order pages, including your IP address, are collected and processed. There is no consolidation of the usage data with the Order Data and no further usage analysis with personal reference.
Processing of the Order Data takes place exclusively, and is necessary, to allow you to purchase the desired online voucher and to send you the voucher by email. The legal basis is the establishment and execution of this purchase contract, Art. 6(1)(b) GDPR. The access data is processed to prevent misuse of the system; this is our legitimate interest, Art. 6(1)(f) GDPR.
We store your data for the validity period of the purchased voucher. Thereafter, the data will be deleted unless the deletion conflicts with legal retention obligations.
7. Contact Form
You can use a contact form on our website to ask us questions or to send us other requests. If you use the contact form, we collect and store the data that you enter in the input mask (title, name, email address, specification of the Fleming’s Hotel that is to process your contact request, content of your contact request, optional: company and telephone). When you send your contact request, your IP address and the date and time of sending are also automatically recorded and stored.
The legal basis for the processing is our legitimate interest resulting from the processing of your contact request to us, Art. 6(1)(f) GDPR. The processing of your IP address and date/time of your request serve is for maintaining the functionality of our website. If your request is to prepare for the conclusion of a contract, then Art. 6(1)(b) GDPR is an additional legal basis.
We use the data from the contact form exclusively to process your request. The automatically collected transaction data is processed to prevent misuse of our services and to ensure the security of our IT system.
We delete your data when your request has been conclusively resolved and an appropriate retention period has expired. Automatic deletion takes place after three years. The period begins at the end of the year in which we last processed your request. The data automatically collected during the sending process will be deleted after a period of seven days at the latest.
You have the option on our website to contact us in real time via a chat function. To start the chat, your name and e-mail will be collected. The chat function is provided to us by 3CX GmbH, Walter-Gieseking-Straße 22, 30159 Hannover (a company of 3CX Ltd., Cyprus) via our telephone system. 3CX GmbH is acting on our behalf on the basis of a contract processing agreement. Once you have started the chat, your input will be stored.
The legal basis for data processing is Art. 6 para. 1 p. 1 lit. f GDPR. Our legitimate interest is to provide you with a quick and efficient way to contact us via our website and to process your request. This is also the purpose of the data processing.
The data is kept for 30 days and then deleted.
9. Contact Regarding Advertising
We may use your e-mail address and postal address, which we receive in connection with the sale of a good or service, for advertising our own similar goods and/or services. You may object to this use at any time without incurring any costs other than transmission costs according to the prime rates. We will also point this out to you each time your e-mail address is used for this purpose. We will obtain your separate consent for the sending of additional information and advertising by e-mail.
For the sending of advertising by e-mail, we use the services of our partner TravelClick, Inc. TravelClick processes opening and click rates to find out whether the e-mails are received, can be opened and what actions are carried out after opening the e-mails.
The legal basis for this data processing is our legitimate interest to conduct direct marketing, Art. 6 para. 1 p. 1 lit. f GDPR in conjunction with. § Section 7 (3) of the Unfair Competition Act. If we obtain your consent to receive advertising measures, Art. 6 para. 1 p. 1 lit. a GDPR is the legal basis for the associated data processing.
We will delete your data for the purpose of advertising without delay if you have objected to this or, if applicable, revoked your consent. Please note that even after an objection or revocation, you may still receive advertising from us during an implementation period of about one week. Outside of the storage of your data for the purpose of advertising, your data is subject to the legal retention periods outlined above, for example in connection with a room booking or registration for a user account. If you object to receiving advertising from us or if you have revoked your consent, we will block your data accordingly.
10. Our social media profiles
We maintain a company profile on several social media platforms. When you visit our profile on one of the social media platforms, the respective social media platform provider processes data from you in order to create usage profiles and to operate and improve its own services. Furthermore, some providers of the social media platforms provide us with reports on the use of our company profile in anonymised form. Some of the data processing takes place regardless of whether you yourself are registered on the social media platform or not. The evaluations usually contain the following information:
- Reach measurements regarding profile, posts and other functions, i.e. total number of people who have visited/used profile, posts and other functions;
- Aggregate data on age, gender and place of residence (country, region/city) of people visiting profile;
- Time of use for videos and other features;
- Time and location of uses;
- Devices, operating systems and software used;
- Interactions related to posts, e.g. click-through rates, shares, comments.
With regard to the data processing operations for the purposes of the above mentioned analyses, we are jointly responsible with the respective providers of the social media platforms within the meaning of the GDPR and have concluded corresponding agreements on joint responsibility.
Some of the providers of the social media platforms are based outside the territory of the EU and the European Economic Area (EEA) (so-called "third countries"), in particular in the USA, and that these third countries sometimes do not have an adequate level of data protection. In some third countries, for example in the USA, government agencies have far-reaching access rights to data of companies with headquarters in these third countries. We cannot exclude the possibility that even if the providers have their headquarters in the EU, data may also be stored to the group companies in the USA or in another third country.
Further information on the individual providers of the social media platforms on which we operate a profile:
- Facebook and Instagram: The service provider is Meta Platforms Ireland Limited (4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland, "Meta"). Further information on data protection can be found at https://facebook.com/policy.php and in relation to Instagram at https://help.instagram.com/519522125107875. Information on the cookies used by Meta when you visit our Facebook page or our channel on Instagram can be found at https://www.facebook.com/policies/cookies. For the processing operations where we are jointly responsible with Meta, the following joint responsibility agreement applies: https://www.facebook.com/legal/controller_addendum.
- XING: Service provider is New Work SE (Am Strandkai 1, 20457 Hamburg). Further information on data protection can be found at https://privacy.xing.com/de.
11. Recipients of Data
For processing, we use persons to assist us, in particular in the area of IT. They process your data for us as so-called order processors and are required to handle the data with care. Such commissioned processing exists, for example, when we store data in an external data center. We use such service providers in the areas of:
- sales and distribution
When transferring data to external persons in third countries, i.e. outside the EU or the EEA, we ensure that these persons handle your personal data with the same care as within the EU or EEA. We transfer personal data to third countries only where the EU Commission has confirmed an adequate level of protection or if we ensure the proper handling of personal data through contractual agreements or other suitable guarantees.
12. Your Rights
You have the following legal rights vis-à-vis us regarding the personal data concerning you:
12.1. Right of Access to Information: In accordance with Article 15 GDPR, you have the right to request confirmation as to whether we are processing personal data relating to you. If this is the case, you have the right to obtain information about this personal data as well as additional information, e.g. the purposes of processing, the recipients and the planned duration of storage or the criteria for determining the duration.
12.2. Right to Rectification: In accordance with Art. 16 GDPR, you have the right to request the rectification or completion of your data stored by us without delay.
12.3. Right to Erasure: Pursuant to Art. 17 GDPR, you have the right to request the erasure of the data stored by us, insofar as the processing is not (no longer) necessary. This is the case, for example, if your data is no longer necessary for its original purposes, you have revoked your declaration of consent under the data protection law, or the data was processed unlawfully. Further processing may be necessary to comply with a legal obligation, for reasons of public interest, or to assert, exercise, or defend legal claims or to exercise the right to freedom of expression.
12.4. Right to Restrict Processing: Pursuant to Art. 18 GDPR, you have the right to request the restriction of the processing of your personal data, insofar as you dispute the accuracy of the data, the processing is unlawful but you object to its erasure, or we no longer need the data but you need it to assert, exercise, or defend legal claims or you have objected to the processing pursuant to Art. 21 GDPR.
12.5. Right to Data Portability: In accordance with Art. 20 GDPR, you have the right to receive the personal data concerning you in a structured, common, and machine-readable format or to request that it be transferred to another controller.
12.6. Right to Object: You have the right to object at any time, on grounds relating to your particular situation, to the processing of certain personal data concerning you that is performed on the basis of Art. 6(1)(e) or (f) GDPR.
In the event of direct marketing, you, as the data subject, have the right to object at any time to the processing of personal data concerning you for the purposes of such marketing; this also applies to profiling, insofar as it is related to such direct marketing.
12.7. Right to Revoke Your Consent under Data Protection Law: You may revoke your consent to the processing of your personal data at any time with effect for the future. However, the lawfulness of the processing performed until the revocation is not affected by this.
12.8. Right to Complain: You can also lodge a complaint with a data protection supervisory authority at any time, for example, if you believe that the data processing is not in compliance with data protection regulations. For this purpose, you may contact the supervisory authority of your usual place of residence, or workplace, or our registered office. The supervisory authority responsible for us is: Hessische Datenschutzbeauftragter, Postfach 3163, 65021 Wiesbaden, email: Poststelle@datenschutz.hessen.de.
13. Data Security
Our website complies with the typical encryption requirements. We use the disseminated SSL procedure (Secure Socket Layer) in conjunction with the highest encryption level supported by your browser. As a rule, this is a 256-bit encryption. If your browser does not support this encryption, we use 128 bit v3 technology. You can recognize the encryption of our website by the lock or key symbol in the address line or in the lower status bar.
We also use appropriate technical and organizational security measures to protect your data against accidental or intentional manipulation, partial or complete loss, destruction or against unauthorized access by third parties. Our security measures are continuously improved in line with technological developments. All our employees who may have access to personal data are required, in writing, to comply with data protection regulations and have been trained on the legal requirements.
Status: August 2022