Privacy Policy
Controller
For data collection and processing within the meaning of the General Data Protection Regulation, the
DO & CO Hotel München GmbH
Parkring 35
85748 Garching
Phone: +49 (0) 89 693 13 780
Internet: https://www.docohotel.com/munich
E-Mail: hotelmunich@doco.com
is responsible.
Contact details of our data protection officer
Hans-Peter Toft
BDO Rechtsanwaltsgesellschaft mbH
Fuhlentwiete 12
20355 Hamburg
E-Mail: doco@dsb.bdolegal.de
Introduction and general information on data processing
The protection of your personal data is extremely important to us. We therefore treat your personal data confidentially and comply with the statutory provisions on data protection, in particular the European General Data Protection Regulation (hereinafter: "GDPR") and the German Federal Data Protection Act (hereinafter: “BDSG”).
This Privacy Policy is intended to inform you about the type, scope and purpose of the collection and use of your personal data by us as the above-mentioned controller.
In the following, you will first find definitions of the terms used (A.) as well as general information on the processing of your personal data (B.). We then go on to specifically address data processing when you use our website (C.) and other data processing that we carry out as the controller under data protection law (D.). Finally, we inform you about your rights as a data subject (E.).
A. Definitions
In accordance with Art. 4 GDPR, this Privacy Policy is based on the following definitions:
1. Personal data
According to Art. 4 No. 1 GDPR, personal data means any information relating to an identified or identifiable natural person (data subject). A person is identifiable if he or she can be identified directly or indirectly, in particular by reference to an identifier such as a name, an identification number, an online identifier, location data or information relating to his/her physical, physiological, genetic, mental, economic, cultural or social identity.
Identifiability can also be provided by linking such information or other additional knowledge. The origin, form or embodiment of the information is irrelevant (photos, video or audio recordings can also contain personal data).
2. Processing
According to Art. 4 No. 2 GDPR, processing is any operation which involves handling personal data, whether or not by automated means (i.e. using technical procedures). This includes, in particular, the collection (i.e. procurement), recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment, combination, restriction, erasure or destruction of personal data, or alteration of the purposes for which they were originally processed.
3. Controller
According to Art. 4 No. 7 GDPR, the controller is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
4. Third party
According to Art. 4 No. 10 GDPR, a third party is any natural or legal person, public authority, agency or body other than the data subject, the controller, the processor and the persons who, under the direct authority of the controller or processor, are authorized to process the personal data; this also includes other legal entities belonging to the DO & CO-Group.
5. Processors
According to Art. 4 No. 8 GDPR, a processor is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller in accordance with the controller's instructions (e.g. IT service provider). In terms of data protection law, a processor is not a third party.
6. Consent
According to Art. 4 No. 11 GDPR, consent means any freely given, specific, informed and unambiguous indication of the data subject's wish by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
B. General information on data processing
1. Scope of the processing of personal data
As a matter of principle, we only collect data whose processing is either required by law, contractually agreed, necessary for the conclusion and performance of a contract or voluntarily provided to us on the basis of consent.
We collect, store and use personal data from you as a visitor to our website only insofar as this is necessary to provide a functional website and to present our content and services. In addition, the collection and use of your personal data only takes place regularly with your consent. An exception applies in cases where prior consent cannot be obtained for factual reasons and the processing of the data is permitted by law.
2. Legal bases for the processing of personal data
a. Data processing for contract fulfillment
When processing personal data that is necessary for the performance of a contract to which you are a party, Art. 6 (1) (b) GDPR serves as the legal basis. This also applies to processing operations that are necessary to carry out pre-contractual measures.
b. Data processing on the basis of consent
Insofar as we obtain your consent for the processing of personal data, Art. 6 (1) (a) GDPR serves as the legal basis for data processing. We only base the processing of your personal data on consent if a processing is not already permitted for other legal reasons.
We also ask for your consent if we wish to provide information about our own products and services and events and it is not possible to process your data in order to protect legitimate interests or if we ask you to take part in a survey.
c. Data processing for the protection of legitimate interests
We only process your personal data in accordance with Art. 6 (1) (f) GDPR to safeguard legitimate interests if the further requirements of Art. 6 (1) (f) GDPR are met, i.e. if our interests in data processing or the interests of a third party outweigh your interests or fundamental rights and freedoms in individual cases.
Furthermore, we use your personal data if and insofar as this is necessary to protect our legitimate interests, e.g. for the defense and enforcement of legal claims. In this respect, data processing is also based on Art. 6 (1) (f) GDPR.
d. Data processing for the fulfillment of legal obligations
If and to the extent necessary, we process your personal data in order to comply with any statutory documentation obligations, e.g. vis-à-vis tax offices and supervisory authorities. In this case, data processing is carried out on the basis of Art. 6 (1) (c) GDPR. A legal obligation arises in particular from Section 147 German Fiscal Code (AO).
Furthermore, we process your personal data in accordance with Art. 6 (1) (c) GDPR for the purpose of a detailed check as to whether an order may be accepted. The same applies to the statutory obligation imposed on us to identify our business partners and the other obligations under the provisions of the Money Laundering Act.
e. Processing of personal data for the protection of vital interests
In the event that your vital interests or those of another natural person require the processing of your personal data, Art. 6 (1) (d) GDPR serves as the legal basis.
3. Data erasure and storage duration
Your personal data will be deleted or blocked as soon as the purpose of storage no longer applies. Data may also be stored if this has been provided for by the European or national legislator in EU regulations, laws or other provisions to which we are subject.
Your personal data will also be blocked or deleted if a storage period prescribed by the aforementioned standards expires, unless there is a need for further storage for the conclusion or fulfillment of a contract.
4. Security through the use of TLS/SSL
If you transmit your personal data to us via our website, we use the latest secure technologies, in particular the so-called "Transport Layer Security" (TLS) transmission (previously also known as "Secure Socket Layer" (SSL) transmission). All information and data transmitted using these secure methods is encrypted before it is sent to us. This applies in particular to all personal data of our (hotel-)guests, such as credit card information, name and address. To protect you and us from misuse, the IP address of your device is transmitted to us. We would like to point out that encryption using these technical methods only works if the corresponding technical default settings have also been initiated on your side.
5. Data recipients
Your personal data may be passed on by us to third parties. We only transfer your personal data to third parties if we are authorized to do so under data protection law. The transfer of data to third parties is based either on the fulfillment of legal obligations, on legitimate interests, on the necessity of fulfilling a contract or on the basis of any consent given. If external service providers act as processors, the data transfer takes place within the framework of a data processing agreement. If it is necessary to transfer data to processors in countries outside the European Economic Area, this is done either on the basis of approved EU standard contractual clauses or on the basis of an adequacy decision issued by the EU Commission.
C. Data processing in the context of using the website
1. Storage of cookies
We use so-called cookies to make visiting our website attractive and to enable the use of certain functions. Cookies are small text files that are automatically stored on your device. Some of the cookies we use are deleted again at the end of the browser session, i.e. after closing the browser (so-called session cookies). Other cookies remain on your device and enable us to recognize your browser on your next visit (persistent cookies). The duration of storage can be found in the overview in the cookie settings of the web browser.
We also differentiate between cookies that are technically necessary for the operation of the website, cookies that are used for analysis purposes and cookies that are set by third-party providers. When you visit our website for the first time, a GDPR-compliant notice (hereinafter: "Consent Banner") appears and you can select which cookies are stored. There you can also see which cookies are stored in detail and for which processing purposes.
You can also adjust your browser so that you are informed about the setting of cookies and decide individually whether to accept them or to exclude the acceptance of cookies for certain cases or in general. Each browser differs in the way it manages cookie settings. This is described in the help menu of each browser, which explains how you can change your cookie settings.
We expressly point out that the functionality of our website may be restricted if cookies are not accepted.
If personal data is also processed by implemented cookies, which are technically necessary for the operation of our website, the processing is carried out in accordance with Art. 6 (1) (f) GDPR to protect our legitimate interests in the best possible functionality of the website and a customer-friendly and effective design of the page visit.
If personal data is also processed by implemented cookies that are used for analysis purposes, the processing is carried out in accordance with Art. 6 (1) (a) GDPR on the basis of your consent, which you give us by making the corresponding selection decision in the Consent Banner. The same applies with regard to your selection decision on third-party cookies. Your consent can be revoked at any time. You can call up our Consent Banner in the footer again at any time and adjust your settings.
2. Provision of the website and creation of log files
Each time our website is accessed, our system automatically collects data and information from the system of the accessing device.
The following data is collected:
- IP address
- Browser type and browser version
- Operating system
- Date and time of the visit to the website
- Access status / Http status code
- GMT time zone difference
- Amount of data transferred
- Website visited
- Website/source/reference from which the website was accessed
This data is not stored together with your other personal data.
Temporary storage of the IP address by the system is necessary to enable delivery of the website to your device. For this purpose, your IP address must remain stored for the duration of the session. The data is stored in log files to ensure the functionality of the website. In addition, we use the data to optimize the website and to ensure the security of our information technology systems. The data is not analyzed for other purposes in this context.
This is also our legitimate interest in data processing within the meaning of Art. 6 (1) (f) GDPR, which serves as the legal basis for the processing of your personal data in the context of the collection of log files.
The data is deleted as soon as it is no longer required to achieve the purpose for which it was collected. In the case of the collection of data for the provision of the website, this is the case when the respective session has ended. In case of log files, this is the case after 7 days at the latest. Storage beyond this period is possible. In this case, your IP address is deleted or anonymized so that it is no longer possible to identify the accessing client.
3. Use of Google Tag Manager
We use the service called Google Tag Manager from Google. Google is a group of companies and consists of Google Ireland Ltd (provider of the service), Gordon House, Barrow Street, Dublin 4, Ireland, and Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, as well as other affiliated companies of Google LLC (hereinafter: "Google").
This service allows website tags to be managed via an interface. The service does not set any cookies and does not collect any personal data itself. Google Tag Manager ensures that other components are loaded, which in turn may collect data, but do not access this data. You can find more information about Google Tag Manager in Google's privacy policy at
https://support.google.com/tagmanager/answer/9323295?hl=de
The Google Tag Manager used on our website executes the tags according to your selection decision in the Consent Banner. If you decide against the storage of cookies for purposes other than those required for the operation of the website, the Consent Banner ensures that only tags are executed via the Google Tag Manager, as a result of which technically necessary cookies are set.
In this case, the legal basis for the processing of your personal data by the Google Tag Manager is Art. 6 (1) (f) GDPR. Our legitimate interest lies in the optimization of our website.
If you accept cookies in the Consent Banner that are not only technically necessary for the operation of the website, your personal data will be processed on the basis of your consent in accordance with Art. 6 (1) (a) GDPR.
Your consent can be revoked at any time with effect for the future. You can call up our Consent Banner in the footer again at any time and adjust your settings.
4. Use of Google Analytics
Our website uses Google Analytics, a web analysis service from Google. Google Analytics uses cookies to help the website analyze how users use the site. The information generated by the cookies about your use of our website (including IP address, which is anonymized using the anonymizeIp() method so that it can no longer be assigned to a connection) is transmitted to a Google server and stored there.
Google will use this information for the purpose of evaluating your use of our website, compiling reports on website activity for website operators and providing other services relating to website activity and internet usage. Google may also transfer this information to third parties where required to do so by law, or where such third parties process the information on Google's behalf. Google may associate your IP address with other data held by Google.
You can prevent the installation of cookies by selecting the appropriate settings in your browser software. You can prevent tracking by Google Analytics by using the deactivation tools that Google offers for some Internet browsers. You can also prevent the collection of data generated by Google Analytics and related to your use of the website (including IP address) to Google and the processing of this data by Google by downloading and installing the browser plugin available at the following link:
https://tools.google.com/dlpage/gaoptout?hl=de
However, we would like to point out that you may not be able to use all functions of our website to their full extent if you take appropriate measures to prevent this.
Your personal data is processed on the basis of your consent in accordance with Art. 6 (1) (a) GDPR, which you give us by making your selection decision in the Consent Banner. The transfer of your personal data to the USA takes place in accordance with Art. 45 GDPR on the basis of the adequacy decision issued for the USA, with which the EU Commission has determined a level of data protection in the USA comparable to that in the EU. Google has certified itself for the EU-US Data Privacy Framework on which the adequacy decision is based (https://www.dataprivacyframework.gov/s/participant-search).
Your consent can be revoked at any time with effect for the future. You can call up our Consent Banner in the footer again at any time and adjust your settings.
5. Use of Google Maps
We use Google Maps from Google on our website. Google Maps is a web service for displaying interactive (land) maps in order to visualize geographical information. By using this service, you can see our location and it is easier for you to find us.
When you access the subpage(s) of our website in which the map of Google Maps is integrated, information about your use of the website (e.g. IP address) is transmitted to Google servers and stored there. This takes place regardless of whether Google provides a user account through which you are logged in or whether a user account exists. If you are logged in to Google, your data will be assigned directly to your account.
If you do not wish to be associated with your Google profile, you must log out before activating the button. Even if you are not registered with Google or have not logged in, it is still possible for Google to find out your IP address and store it. If you do not agree to the future transmission of your data to Google when using Google Maps, it is also possible to completely deactivate the Google Maps web service by deactivating the JavaScript application in your browser. Google Maps and thus also the map display on our website can then not be used.
Further information on data protection in connection with the use of Google Maps can be found at:
https://www.google.de/intl/de/policies/privacy
Your personal data is processed on the basis of your consent in accordance with Art. 6 (1) (a) GDPR, which you give us by making your selection decision in the Consent Banner. The transfer of your personal data to the USA takes place in accordance with Art. 45 GDPR on the basis of the adequacy decision issued for the USA, with which the EU Commission has determined a level of data protection in the USA comparable to that in the EU. Google has certified itself for the EU-US Data Privacy Framework on which the adequacy decision is based (https://www.dataprivacyframework.gov/s/participant-search).
Your consent can be revoked at any time with effect for the future. You can call up our Consent Banner in the footer again at any time and adjust your settings.
6. Use of YouTube
We use YouTube on our website. YouTube is a streaming platform and is operated by Google.
From time to time, we embed videos stored on YouTube directly on some subpages of our website. During this integration, content from the YouTube website is displayed in parts of a browser window. However, the YouTube videos are only called up by clicking on them separately. This technique is also known as "framing". If you call up a corresponding subpage of our website on which YouTube videos are integrated in this form, a connection to the YouTube servers is established and the content is displayed on the website by notifying your browser.
The integration of YouTube content only takes place in "extended data protection mode". Google provides this itself and ensures that no cookies are initially stored on your device. However, when the corresponding subpage is accessed, the IP address and the other data mentioned in number C, 2 of this Privacy Policy are transmitted and thus, in particular, which of our subpages you have visited. However, this information cannot be assigned to you unless you have logged in to YouTube or another Google service (e.g. Google+) before accessing the page or are permanently logged in.
As soon as you start playing an embedded YouTube video by clicking the play button, Google will only store cookies on your device that do not contain any personally identifiable data due to the extended data protection mode, unless you are currently logged in to a Google service. The storage of these cookies can be prevented by making the appropriate browser settings.
Further information on data protection in connection with the use of YouTube can be found at
https://policies.google.com/privacy
Your personal data is processed on the basis of your consent in accordance with Art. 6 (1) (a) GDPR, which you give us by making your selection decision in the Consent Banner.
The transfer of your personal data to the USA takes place in accordance with Art. 45 GDPR on the basis of the adequacy decision issued for the USA, with which the EU Commission has determined a level of data protection in the USA comparable to that in the EU. Google has certified itself for the EU-US Data Privacy Framework on which the adequacy decision is based (https://www.dataprivacyframework.gov/s/participant-search).
Your consent can be revoked at any time with effect for the future. You can call up our Consent Banner in the footer again at any time and adjust your settings.
7. External links
We maintain online presences on social networks and career platforms in order to exchange information with the users registered there, to get in touch easily and to make our company better known. You will therefore find link buttons to our company profiles on Instagram, Facebook and LinkedIn on our website.
We do not use any social plugins from these networks, but only link to our accounts on our website. You will therefore only be redirected to our accounts on the websites of the individual networks. This means that no data is transmitted to the servers of these networks when you visit our website. Your data will only be forwarded to their servers when you are on the network pages via a link.
Please log out of your respective accounts beforehand if you do not want your visit to our website to be assigned to your personal account on the respective third-party site of its operators.
Clicking on the link buttons opens the login screen of the respective third-party site. If you are already logged in there at this time, you will be taken directly to our stored profile.
In principle, the operators of the networks are responsible for the processing of your personal data on these external websites. However, we would like to draw your attention to the following:
a. Instagram and Facebook
Clicking on the Instagram link button will take you to our company profile on Instagram and clicking on the Facebook link button will take you to our company profile on Facebook.
Instagram is a social media platform and is operated by Instagram LLC, which since 2012 has been a subsidiary of Meta Platforms Inc, 1601 Willow Road, Menlo Park, CA 94025, USA, and Facebook Ireland Ltd, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (hereinafter: "Meta"). Facebook is also a social media platform and is also operated by Meta.
We would like to point out that you use Instagram and Facebook and their functions at your own risk. This applies in particular to the use of the interactive functions (e.g. commenting, sharing, rating). Alternatively, you can also access parts of the information offered via these pages on our website.
When you visit our company profiles on Instagram and Facebook, Meta collects, among other things, your IP address and other information that is stored on your device in the form of cookies. This information is used to provide us, as the operator of the Instagram or Facebook profile, with statistical information about the use of the company profile. Meta provides more information on this under the following links:
http://de-de.facebook.com/help/pages/insights
https://help.instagram.com/1896641480634370?ref=ig
The data collected about you in this context will be processed by Meta and may be transferred to countries outside the European Union. What information Meta receives and how it is used is described by Meta in general terms in its data usage guidelines. There you will also find information on how to contact Meta and on the setting options for advertisements. The data usage guidelines are available at the following link:
http://de-de.facebook.com/about/privacy
The complete privacy policies of Instagram and Facebook can be found at
https://de-de.facebook.com/full_data-use_policy
https://help.instagram.com/519522125107875
Meta does not clearly state how it uses the data from visits to Instagram and Facebook pages for its own purposes, to what extent activities on Instagram and Facebook pages are assigned to individual users, how long Meta stores this data and whether data from a visit to Instagram and Facebook pages is passed on to third parties, and we are not aware of this.
When you access the Instagram and Facebook pages, the IP address assigned to your device is transmitted to Meta. According to Meta, this IP address is anonymized (for "German" IP addresses). Meta also stores information about the devices of its users (e.g. as part of the "login notification" function); Meta may thus be able to assign IP addresses to individual users.
If you are currently logged in to Instagram or Facebook as a user, a cookie with your Instagram or Facebook ID is stored on your device. This enables Meta to track that you have visited these pages. This also applies to all other Instagram and Facebook pages. Instagram and Facebook buttons integrated into websites enable Meta to record your visits to these websites and assign them to your Instagram or Facebook profile. This data can be used to offer content or advertising tailored to you.
If you want to avoid this, you should log out of Instagram or Facebook or deactivate the "stay logged in" function, delete the cookies on your device and close and restart your browser. In this way, information that can be used to directly identify you will be deleted. This allows you to use our Instagram or Facebook page without revealing your Instagram or Facebook ID. If you access interactive functions on the page (like, comment, share, message, etc.), an Instagram or Facebook login screen will appear. After logging in, you will again be recognizable to Meta as a specific user.
Information on how to manage or delete information about you can be found on the following Facebook support page:
https://de-de.facebook.com/about/privacy#
b. LinkedIn
If you click the LinkedIn button on our website, you will be redirected to our LinkedIn account. LinkedIn is operated by the LinkedIn Corporation, 1000 West Maude Avenue Sunnyvale, CA 94085, USA, or, as the controller in terms of data protection for users from Germany, by LinkedIn Ireland Unlimited Company, 70 Sir John Rogerson's Quay, Dublin 2, Dublin, D02r296, Ireland (hereinafter: "LinkedIn").
LinkedIn is an internet-based social network for connecting users with existing business contacts and for generating new business contacts. Companies can create profiles or post job offers on LinkedIn.
We would like to point out that you use LinkedIn and its functions at your own responsibility. This applies in particular to the use of the interactive functions (e.g. commenting, sharing, rating). Alternatively, you can also access parts of the information offered via this page on our website.
When you visit our LinkedIn page, LinkedIn collects, among other things, your IP address and other information that is stored on your device in the form of cookies. This information is used to provide us, as the operator of the LinkedIn page, with statistical information about the use of the LinkedIn page. LinkedIn provides more information on this under the following link:
https://www.linkedin.com/legal/privacy-policy?trk=hb_ft_priv
The data collected about you in this context is processed by LinkedIn and may be transferred to countries outside the European Union. LinkedIn describes in general terms what information LinkedIn receives and how it is used in its data usage guidelines. There you will also find information on how to contact LinkedIn and on the setting options for advertisements. LinkedIn's data usage guidelines are available at the following link:
https://www.linkedin.com/legal/privacy-policy
LinkedIn does not conclusively and clearly state how it uses the data from visits to LinkedIn pages for its own purposes, to what extent activities on the LinkedIn page are assigned to individual users, how long LinkedIn stores this data and whether data from a visit to the LinkedIn page is passed on to third parties, and we are not aware of this.
When you access a LinkedIn page, the IP address assigned to your device is transmitted to LinkedIn. According to LinkedIn, this IP address is anonymized (for "German" IP addresses) and deleted after 90 days. LinkedIn also stores information about the devices of its users (e.g. as part of the "login notification" function); LinkedIn may thus be able to assign IP addresses to individual users.
If you are currently logged in to LinkedIn, a cookie with your LinkedIn ID is stored on your device. This enables LinkedIn to track that you have visited this website and how you have used it. This also applies to all other LinkedIn pages. LinkedIn buttons integrated into websites enable LinkedIn to record your visits to these websites and assign them to your LinkedIn profile. This data can be used to tailor content or advertising to you.
If you want to avoid this, you should log out of LinkedIn or deactivate the "stay logged in" function, delete the cookies on your device and close and restart your browser. In this way, LinkedIn information that can be used to directly identify you will be deleted. This allows you to use our LinkedIn page without revealing your LinkedIn identifier. If you access interactive functions on the page (like, comment, share, message, etc.), a LinkedIn login screen will appear. After logging in, you will again be recognizable to LinkedIn as a specific user.
You can find information on how to manage or delete information about you on the following LinkedIn support page:
D. Other data processing
1. Contact by e-mail
If you contact us by e-mail, your e-mail address will be stored so that we can send you a reply. In addition, the personal data you send us with your e-mail will be stored.
The processing of your personal data is based on your consent in accordance with Art. 6 (1) (a) GDPR, which you give us by contacting us by e-mail. If your e-mail is aimed at the conclusion of a contract with us, the data processing is based on Art. 6 (1) (b) GDPR.
Subject to statutory retention periods, your personal data will be deleted as soon as we have finally processed your request. If you do not receive a response from us within a period of ten days, your personal data will also be deleted.
Your consent can be revoked at any time with effect for the future. To do so, please send us an e-mail to hotelmunich@doco.com. However, we would like to point out that your request cannot be processed further in the event of revocation.
2. Table reservation
a. Online reservation
For table reservations in our bistro and restaurant, we use the reservation system of OpenTable GmbH, Schumannstraße 27, 60325 Frankfurt am Main, Germany (hereinafter: "OpenTable"). OpenTable is headquartered at 1 Montgomery St., Suite 700, San Francisco, CA 94014, USA, and is part of the Booking Holdings Inc. Group, which includes Booking.com, KAYAK, Priceline, Agoda and Rentalcars.
If you click on the "Reserve Now" button, an OpenTable widget will be loaded on our website. A widget is an element integrated into a separate window system that can be used interactively. Technically, at this point you are no longer on our website, but on the OpenTable site. In addition, another consent banner opens and you can select again which cookies should be stored. To ensure that cookies are only stored in accordance with your selection decision, a cookie is set by OpenTable.
A booking mask will then open and you will be asked to enter your first and last name, your telephone number and your e-mail address. Optionally, you can select an occasion and specify any special requests. This data and the table you have selected, as well as the date and time of your visit, will be processed by OpenTable to make the reservation. You can also choose to receive notifications about your online reservation by SMS and register for the OpenTable newsletter.
Further information on data protection in connection with the use of OpenTable can be found at:
https://www.opentable.de/legal/privacy-policy
OpenTable is responsible for the processing of your personal data in the booking mask and as part of the booking process.
The processing of your personal data by OpenTable is based on your consent in accordance with Art. 6 (1) (a) GDPR, which you give by making your selection in the consent banner. For us, the legitimate interest pursuant to Art. 6 (1) (f) GDPR for the use of OpenTable is the provision of a user-friendly booking process.
The personal data will be stored by us for the duration of the reservation. If your reservation is canceled or after the end of your visit, the data will be deleted. Please note, however, that we are legally obliged to retain the data contained in the booking voucher once the hospitality contract has been concluded.
b. Reservation by telephone or e-mail
As an alternative to making an online reservation via OpenTable, you have the option of contacting us directly at the telephone number or e-mail address provided on our website to reserve a table. In this case, we also store the data required for the reservation (first and last name, telephone or mobile phone number, e-mail address) and any additional data that you provide to us during the reservation process (occasion, special requests).
The processing of the data required for the reservation is carried out for the purpose of initiating the hospitality contract with you and is based on Art. 6 (1) (b) GDPR.
The processing of the personal data optionally provided by you is based on your consent in accordance with Art. 6 (1) (a) GDPR, which you give us by providing this data. You can revoke your consent at any time with effect for the future. To do so, please send us an email to hotelmunich@doco.com.
The personal data will be stored by us for the duration of the reservation. If your reservation is canceled or after the end of your visit, the data will be deleted. Please note, however, that we are legally obliged to retain the data contained in the booking voucher once the hospitality contract has been concluded.
3. (Online-)Booking
On our website you have the possibility to book or request rooms online. If you click on the "Book Now" button, you will be guided through the booking or inquiry process. Another website will open and you can enter the date of arrival and departure and select one or more available rooms and additional services (e.g. breakfast package).
Technically, you are then no longer on our website, but on a website of the company websLINE Internet- & Marketing GmbH, Sägewerkstrasse 24, 83395 Freilassing, Germany (hereinafter: "websLINE").
We have concluded a data processing agreement with websLINE in accordance with Art. 28 GDPR, which ensures that the below-mentioned personal data is only used on our express instructions and within the scope of the processing purpose specified by us. All booking and inquiry data entered by you will also be transmitted to websLINE in encrypted form. WebsLINE has committed itself to handling the transmitted data in accordance with data protection regulations and takes organizational and technical measures to protect the data.
Depending on whether you want to book the room directly or enquire about it first, you can click on the "Book" button or the "Enquire" button. After summarizing your request, an input mask will open in which you will be asked to enter the following personal data:
- Company
- Form of address
- Title
- First name
- Last name
- Address
- Country
- Zip code
- Location
- E-mail address
- Phone number
The data marked with an asterisk is mandatory information, which differs depending on whether you wish to book the room directly or send us an inquiry first.
If you would first like to request a room booking, you must enter the following personal data in the booking form:
- Form of address
- Last name
- E-mail address
- Phone number
We need your contact details (e-mail address, telephone number) in order to be able to contact you in the event of queries or booking changes, even at short notice if necessary. All other data that you voluntarily provide to us as part of your request is not required, but makes it easier for us to contact you, for example.
When booking directly, the following personal data must also be provided:
- Form of address
- First name
- Last name
- Address
- Country
- Zip code
- Location
- Credit card information (provider, credit card number, expiry date, CVC)
The provision of this data is necessary in order to clearly identify you as our contractual partner, to issue you with a proper invoice, to complete the booking and to process payment transactions.
The legal basis for the processing of the data marked as mandatory and the credit card information is Art. 6 (1) (b) GDPR. The data processing is necessary in the case of an inquiry addressed to us for the initiation of the accommodation contract and in the case of a direct booking for the execution of the accommodation contract.
Insofar as personal data not marked as mandatory information is provided, it is processed on the basis of your consent in accordance with Art. 6 (1) (a) GDPR. You can revoke your consent to the processing of personal data that is not mandatory at any time with effect for the future. To do so, please send us an email to hotelmunich@doco.com.
If a contractual relationship is established with us, the data will be deleted after expiry of the statutory retention periods applicable to us. If, on the other hand, it remains an inquiry and your data is not already stored for other reasons (e.g. because you have already been our guest), the data will be deleted after 7 days.
4. Vouchers
On our website we offer various vouchers that can be redeemed for our hotel, restaurant or bistro.
In the input mask, you can enter the title and name of the person to whom the voucher is to be issued, leave a personal message and select the value of the voucher. After you have placed the voucher in the shopping cart, a further input screen will appear in which the following personal data will be requested:
- Company
- Form of address
- Title
- First name
- Last name
- Address
- Telephone or mobile phone number
- E-mail address
For data marked with an asterisk are mandatory fields.
You can also select the payment method (per credit card, per instant bank transfer, on account). Your payment details (e.g. bank, IBAN, credit card number, expiry date, CVC) are not stored. Only whether a payment has been made is recorded.
Providing the data marked as mandatory is necessary in order to clearly identify you as our contractual partner, to issue you with a proper invoice and to be able to send you this invoice and the voucher. We need your telephone or mobile phone number so that we can contact you in the event of queries or changes to your order - even at short notice if necessary. All other data that you provide to us voluntarily as part of your request is not required, but makes it easier for us to contact you, for example.
The legal basis for the processing of the data marked as mandatory is Art. 6 (1) (b) GDPR. In the case of a voucher order, data processing is necessary for the execution of the purchase contract.
Insofar as personal data not marked as mandatory information is provided, it is processed on the basis of your consent in accordance with Art. 6 (1) (a) GDPR. You can revoke your consent in the processing of personal data that is not mandatory at any time with effect for the future. To do so, please send us an email to hotelmunich@doco.com.
The ordering system is provided by websLINE. We have concluded a data processing agreement with websLINE in accordance with Art. 28 GDPR, which ensures that the above-mentioned personal data is only used on our express instructions and within the scope of the processing purpose specified by us. All booking and inquiry data entered by you will also be transmitted to websLINE in encrypted form. WebsLINE has committed itself to handling the transmitted data in accordance with data protection regulations and takes organizational and technical measures to protect the data.
If no contractual relationship is established with us, the data will be automatically deleted after the website is closed. Your data will also be deleted immediately if you subsequently cancel your order. Otherwise, your personal data will be deleted after expiry of the statutory retention periods applicable to us.
5. Video surveillance
The hotel and restaurant operated by us are under video surveillance. This involves the processing of personal data of guests, visitors, suppliers and employees as well as other persons who are or were in the monitored areas.
Video surveillance is primarily carried out for preventive reasons, i.e. to avert danger to the building and to our visitors and guests as well as to our employees and suppliers. In addition, surveillance is also intended to preserve evidence in the prosecution of criminal offenses and in the defense of legal claims. The individual purposes of video surveillance are
- Protection against vandalism and damage to property
- Protection from physical assault
- Deterrence of crime
- Increasing the sense of security
- Access control for publicly accessible areas
- Access control of operating areas
- Preservation of evidence for criminal prosecution
- Preservation of evidence for legal defense
The legal basis for data processing is Art. 6 (1) (f) GDPR. Our legitimate interest in monitoring is to achieve the aforementioned purposes.
The maximum storage period is 7 days. After this period, the recordings are automatically overwritten. If a relevant incident occurs, this recording may be stored separately. If a recording is required to prosecute a criminal offense or to defend against legal claims for evidence purposes, the duration of data storage is based on the relevant limitation periods.
6. Application
You can apply for vacancies with us and with companies associated with us in the DO & CO Group.
If you click on the “Apply now” button, which you can access by clicking on the “Jobs” section in the footer of our website, you will be redirected to the website https://doco.hcm4all.de/, which is operated jointly with the DO & CO Group companies mentioned there. The processing of your personal data on this website and in connection with the application process is governed by the Privacy Policy set out at
E. Your rights as a data subject
If your personal data is processed by us, you are a data subject within the meaning of the GDPR and you have the following rights vis-à-vis us as the controller:
1. Right to information
You can request confirmation from us as to whether your personal data is being processed by us. If such processing is taking place, you can request the following information from us in accordance with Art. 15 GDPR:
- the purposes for which the personal data are processed
- the categories of personal data that are processed
- the recipients or categories of recipients to whom your personal data have been or will be disclosed
- the planned duration of the storage of your personal data or, if specific information on this is not possible, criteria for determining the storage period
- the existence of a right to rectification or erasure of your personal data, a right to restriction of processing by us or a right to object to such processing
- the existence of a right to lodge a complaint with a supervisory authority
- all available information about the origin of the data if the personal data is not collected from you
- the existence of automated decision-making, including profiling, in accordance with Art. 22 (1) and (4) GDPR and - at least in these cases - meaningful information about the logic involved and the scope and intended impact of such processing on you
You also have the right to request information about whether your personal data is transferred to a third country or to an international organization. In this context, you may request to be informed about the appropriate safeguards pursuant to Art. 46 GDPR in connection with the transfer.
2. Right to rectification
In accordance with Art. 16 GDPR, you have a right to rectification and/or completion vis-à-vis us if your personal data is incorrect and/or incomplete. We must make the correction immediately.
3. Right to restriction of processing
Under the following conditions, you can request the restriction of the processing of your personal data in accordance with Art. 18 GDPR:
- if you contest the accuracy of your personal data for a period enabling us to verify the accuracy of the personal data
- the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead
- we no longer need the personal data for the purposes of the processing, but they are required by you for the establishment, exercise or defense of legal claims, or
- if you have objected to the processing pursuant to Art. 21 (1) GDPR and it is not yet certain whether our legitimate reasons outweigh your reasons
If the processing of your personal data has been restricted, this data - apart from its storage - may only be processed with your consent or for the establishment, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State. You will be informed by us before the restriction is lifted.
4. Right to erasure
a. Obligation to delete
In accordance with Art. 17 GDPR, you can demand that we delete your personal data immediately. We are obliged to delete this data immediately if one of the following reasons applies:
- your personal data are no longer necessary for the purposes for which they were collected or otherwise processed
- your consent, on which the processing was based pursuant to Art. 6 (1) (a) GDPR, is revoked by you and there is no other legal basis for the processing
- you object to the processing pursuant to Art. 21 (1) GDPR and there are no overriding legitimate grounds for the processing
- you object to the processing in accordance with Art. 21 (2) GDPR
- your personal data has been processed unlawfully
- the deletion of your personal data is necessary to fulfill a legal obligation under Union law or the law of the Member States to which we are subject
- your personal data was collected in relation to information society services offered in accordance with Art. 8 (1) GDPR
b. Information to third parties
If we have made your personal data public and we are obliged to delete it in accordance with Art. 17 (1) GDPR, we will take appropriate measures, including technical measures, taking into account the available technology and the implementation costs, to inform data controllers who process the personal data that you have requested them to delete all links to this personal data or copies or replications of this personal data.
c. Exceptions to the right to erasure
The right to erasure does not exist if the processing is necessary:
- to exercise the right to freedom of expression and information
- for compliance with a legal obligation which requires processing by Union or Member State law to which we are subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in us
- for reasons of public interest in the area of public health pursuant to Art. 9 (2) (h) and (i) GDPR and Art. 9 (3) GDPR
- for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Art. 89 (1) GDPR, insofar as the right referred to in Section 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing
- for the assertion, exercise or defense of legal claims
5. Right to notification
If you have asserted the right to rectification, erasure or restriction of processing against us, we are obliged under Art. 19 GDPR to notify all recipients to whom your personal data have been disclosed of this rectification or erasure of the data or restriction of processing, unless this proves impossible or involves a disproportionate effort. You have the right to be informed about these recipients.
6. Right to data portability
In accordance with Art. 20 GDPR, you have the right to receive the personal data you have provided to us in a structured, commonly used and machine-readable format. You also have the right to transmit this data to another controller to whom the personal data has been provided without hindrance from us, provided that
- the processing is based on consent pursuant to Art. 6 (1) (a) GDPR or on a contract pursuant to Art. 6 (1) (b) GDPR and
- the processing is carried out using automated procedures
In exercising this right, you also have the right to have your personal data transmitted directly from one controller to another, where technically feasible. The freedoms and rights of other persons must not be affected by this.
The right to data portability does not apply to the processing of personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us.
7. Right of objection
Pursuant to Art. 21 GDPR, you have the right to object, on grounds relating to your particular situation, at any time to processing of your personal data which is based on Art. 6 (1) (e) or (f) GDPR, including profiling based on those provisions. The objection must be justified.
If we receive an objection, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves the establishment, exercise or defense of legal claims.
If your personal data is processed for direct marketing purposes, you have the right to object at any time to the processing of your personal data for the purpose of such advertising; this also applies to profiling insofar as it is associated with such direct marketing. If you object to processing for direct marketing purposes, your personal data will no longer be processed for these purposes.
Notwithstanding Directive 2002/58/EC, you have the option of exercising your right to object in connection with the use of information society services by means of automated procedures using technical specifications.
8. Right to revoke the declaration of consent under data protection law
In accordance with Art. 7 (3) GDPR, you have the right to revoke your declaration of consent under data protection law at any time - even before the GDPR came into force (May 25, 2018). The revocation of consent does not affect the lawfulness of processing based on consent before its withdrawal. The revocation of consent can be declared by e-mail, letter or telephone to our contact details above.
In addition, you can revoke the consent given in our Consent Banner at any time. To do this, call up our Consent Banner in the footer again and adjust your settings.
9. Automated decision-making in individual cases including profiling
In accordance with Art. 22 GDPR, you have the right not to be subject to a decision based solely on automated processing - including profiling - which produces legal effects concerning you or similarly significantly affects you. This does not apply if the decision
- is necessary for the conclusion or performance of a contract between you and us, or
- is authorized by Union or Member State law to which we are subject and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests; or
- with your express consent
However, these decisions may not be based on special categories of personal data pursuant to Art. 9 (1) GDPR, unless Art. 9 (2) (a) or (g) GDPR applies and appropriate measures have been taken to protect the rights and freedoms as well as your legitimate interests.
We take appropriate measures to safeguard your rights and freedoms and your legitimate interests, including at least the right to obtain the intervention of a person on our side, to express your own point of view and to contest the decision.
10. Right to lodge a complaint with a supervisory authority
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of your personal data infringes the GDPR.
The supervisory authority to which the complaint has been submitted shall inform the complainant of the status and outcome of the complaint, including the possibility of a judicial remedy pursuant to Art. 78 GDPR.
The supervisory authority responsible for us is
Bayerische Landesbeauftragte für den Datenschutz
Postfach 22 12 19
80502 München
Phone: +49 (0) 89 212672-0
Fax: +49 (0) 89 212672-50
E-mail: poststelle@datenschutz-bayern.de
Status: June 2024