Data security

Privacy policy according to DSGVO

The protection of personal data is an important concern for us. Therefore, the processing of personal data is carried out in accordance with the applicable European and national legal provisions.

You can of course revoke your declaration(s) of consent at any time with effect for the future. To do so, please contact the person responsible in accordance with § 1.

The following declaration provides an overview of the type of data collected, how this data is used and passed on, what security measures we take to protect your data and how you can obtain information about the information given to us.

Legal basis for the processing of personal data
Insofar as we obtain the consent of the data subject for processing operations involving personal data, Article 6 (1) sentence 1 lit. a) of the EU General Data Protection Regulation (DSGVO) serves as the legal basis. When processing personal data that is necessary for the performance of a contract to which the data subject is a party, Art. 6 (1) S. lit. b) DSGVO serves as the legal basis. This also applies to processing operations that are necessary for the performance of pre-contractual measures. If processing of personal data is necessary for compliance with a legal obligation to which we are subject, Article 6 (1) sentence 1 lit. c) DSGVO serves as the legal basis. If the processing is necessary to protect a legitimate interest of our company or a third party and the interests, fundamental rights and freedoms of the data subject do not outweigh the first-mentioned interest, Art. 6 (1) sentence 1 lit. f) DSGVO serves as the legal basis for the processing.

Data deletion and storage period
The personal data of the data subject will be deleted or blocked as soon as the purpose of the storage no longer applies. Storage may also take place if this has been provided for by the European or national legislator in Union regulations, laws or other provisions to which we are subject. Data will also be blocked or deleted if a storage period prescribed by the aforementioned standards expires, unless there is a necessity for the continued storage of the data for the conclusion or fulfilment of a contract.

 

1. The data controller and the data protection officer

(1) Name and address of the data controller
The responsible person within the meaning of the General Data Protection Regulation and other national data protection laws of the member states as well as other data protection regulations is:

Sonnenpark Hotel GmbH & Co. KG
Sonnenweg 4a
34508 Willingen (Upland)
Deutschland
Telephone: +49 5632 4080
Fax: 
+49 5632 69599

E-Mail: info@sonnenpark.de
Website: www.sonnenpark.de

(2) Name and address of the data protection officer
The data protection officer of the responsible party is:

Dieter Grohmann
Akwiso Datenschutz & Audit
Beethovenstaße 23
87435 Kempten
Deutschland
Tel.: +49 831 5124-7030
E-Mail: info@akwiso.de
Website: www.akwiso.de 
 

2. Definitions

The data protection declaration is based on the terms used by the European legislator when adopting the EU General Data Protection Regulation (hereinafter: "GDPR"). The data protection declaration is intended to be easy to read and understand. To ensure this, the most important terms are explained below:

(a) Personal data means any information relating to an identified or identifiable natural person (hereinafter: "data subject"). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

(b) Data subject means any identified or identifiable natural person whose personal data are processed by the controller.

(c) Processing means any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organisation, filing, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

(d) Profiling shall mean any automated processing of personal data which consists in using such personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects relating to that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or change of location.

(e) Pseudonymisation means the processing of personal data in such a way that personal data can no longer be related to a specific data subject without additional information, provided that such additional information is kept separately and is subject to technical and organisational measures which ensure that the personal data are not attributed to an identified or identifiable natural person.

(f) Controller or controller means the natural or legal person, public authority, agency or other body which alone or jointly with others determines the purposes and means of the processing of personal data. Where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its designation may be provided for under Union or Member State law.

(g) Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

(h) recipient means a natural or legal person, public authority, agency or other body to whom personal data are disclosed, whether or not a third party. However, public authorities that may receive personal data in the context of a specific investigative task under Union or Member State law shall not be considered as recipients.

(i) third party means any natural or legal person, public authority, agency or other body other than the data subject, the controller, the processor and the persons who, under the direct authority of the controller or the processor, are authorised to process the personal data.

j) consent shall mean any freely given specific and informed indication of his or her wishes, in the form of a statement or other unambiguous affirmative act, by which the data subject signifies his or her agreement to personal data relating to him or her being processed.

 

3. Provision of the website and creation of log files

(1) In the case of purely informational use of the website, i.e. if you do not register or otherwise transmit information to us, we automatically collect the following data and information from the computer system of the calling computer each time the website is called up:

a) the IP address and host name of the user
b) Time of access
c) Browser used by the visitor
d) operating system used by the visitor
e) link or URL of origin
f) Search engine used including keywords used
g) length of stay
h) number of pages viewed
i) last page opened before leaving the website

This data is also stored in the log files of our system. This data is not stored together with other personal data of the user.

(2) The legal basis for the temporary storage of the log files is Art. 6 para. 1 p. lit. f) DSGVO.

(3) The temporary storage of the IP address by the system is necessary in order to

a) enable delivery of the website to the user's computer. For this purpose, the user's IP address must remain stored for the duration of the session.
b) optimise the content of our website and the advertising for it
c) to ensure the functionality of our information technology systems and the technology of our website
d) to provide law enforcement authorities with the information necessary for prosecution in the event of a cyber attack.

The storage in log files is done to ensure the functionality of the website. In addition, we use the data to optimise the website and to ensure the security of our information technology systems. An evaluation of the data for marketing purposes does not take place in this context.

These purposes also constitute our legitimate interest in data processing according to Art. 6 para. 1 p. 1 lit. f) DSGVO.

(4) The data is deleted as soon as it is no longer required to achieve the purpose for which it was collected - in this case at the end of the usage process. In the case of storage of data in log files, this is the case after seven days at the latest. Storage beyond this period is possible. In this case, the IP addresses are deleted or made anonymous so that it is no longer possible to assign the calling client.

(5) The collection of data for the provision of the website and the storage of the data in log files is absolutely necessary for the operation of the website, which is why there is no possibility to object.

4. Use of cookies

(1) This website uses so-called cookies. Cookies are small text files which, as soon as you visit a website, are sent to your browser by a web server and stored locally on your end device (PC, notebook, tablet, smartphone, etc.) and are stored on your computer and provide the user (i.e. us) with certain information. Cookies are used to make the website more customer-friendly and secure, and in particular to collect usage-related information, such as frequency of use and number of users of the pages and behaviour patterns of page use. Cookies do not cause any damage to the computer and do not contain viruses.
This cookie contains a characteristic character string (so-called cookie ID), which enables the browser to be uniquely identified when the website is called up again.


(2) We use cookies to make our website more user-friendly. Some elements of our website require that the calling browser can be identified even after a page change. The following data is stored and transmitted in the cookies:

Adoption of language settings
Articles in the shopping cart
The legal basis for the processing of personal data using cookies is Art. 6 para. 1 p. 1 lit. f) DSGVO.

(3) The purpose of using technically necessary cookies is to simplify the use of websites for you. Some functions of our website cannot be offered without the use of cookies. For these, it is necessary that the browser is recognised even after a page change. We require cookies for the following applications:

Articles in the shopping cart
Adoption of language settings
Remembering search settings in the booking engine
The user data collected through technically necessary cookies are not used to create user profiles.

(4) Cookies remain stored even if the browser session is terminated and can be called up again when you visit the site again. However, cookies are stored on your computer and transmitted from it to our site. Therefore, you also have full control over the use of cookies. If you do not wish data to be collected via cookies, you can set your browser via the menu under "Settings" so that you are informed about the setting of cookies or generally exclude the setting of cookies or can also delete cookies individually. However, please note that the functionality of this website may be limited if cookies are deactivated. As far as session cookies are concerned, these will be automatically deleted after leaving the website anyway.

5. Disclosure of personal data to third parties

1. integration of YouTube videos
(1) We have integrated YouTube videos into our online offer, which are stored on https://www.YouTube.com and can be played directly from our website. [These are all integrated in "extended data protection mode", i.e. no data about you as a user is transmitted to YouTube if you do not play the videos. Only when you play the videos will the data mentioned in paragraph 2 be transmitted. We have no influence on this data transmission. By visiting the website, YouTube receives the information that you have accessed the corresponding sub-page of our website.

The following data is transmitted

Device-specific information, for example the hardware used; the version of the operating system; unique device identifier and information about the mobile network including your telephone number.
Log data in the form of server logs. This includes, but is not limited to, details of how the services were used, such as search queries; IP address; hardware settings; browser type; browser language; date and time of your request; originating page; cookies that uniquely identify your browser or Google account.
Location-based information. Information about your actual location may be collected by Google. This includes, for example, your IP address, Wi-Fi access points or mobile phone masts.
For more information about the data collected by Google, INC, please visit the following link: https://policies.google.com/privacy?hl=de&gl=de 
This takes place regardless of whether YouTube provides a user account via which you are logged in or whether no user account exists. If you are logged in to Google, your data will be directly assigned to your account.

(2) The integration of the videos serves to make the website more vivid for the user and to increase the search engine ranking of the website on Google and to refer more specifically to our specially produced videos. YouTube stores your data as usage profiles and uses them for the purposes of advertising, market research and/or designing its website in line with requirements. Such evaluation is carried out in particular (even for users who are not logged in) to provide needs-based advertising and to inform other users of the social network about your activities on our website.

(3) If you do not wish to be associated with your profile on YouTube, you must log out before activating the button.

(4) You have the right to object to the creation of these user profiles, and you must contact YouTube to exercise this right.

(5) Further information on the purpose and scope of data collection and processing by YouTube can be found in the privacy policy. There you will also find further information on your rights and setting options to protect your privacy: https://www.google.de/intl/de/policies/privacy.

2. links to external websites
This website contains links to external sites. We are responsible for our own content. We have no influence on the contents of external links and are therefore not responsible for them, in particular we do not adopt their contents as our own. If you are directed to an external site, the data protection declaration provided there applies. If you notice any illegal activities or content on this site, you are welcome to point this out to us. In this case we will check the content and react accordingly (notice and take down procedure).

3. protection against credit risk
In the event of a credit risk (name, address, e-mail address, details of the company and, if applicable, contract and receivables data), we transmit your data to IHD Gesellschaft für Kredit und Forderungsmanagement mbH, Augustinusstr. 11 B, 50226 Frechen, and, if applicable, to other cooperating credit agencies, for the purpose of credit assessment and to check the deliverability of the specified address and for the purpose of debt collection processing. The legal basis for this transmission is Art 6 I b DSGVO and Art 6 I f DSGVO. Transfers on the basis of Art 6 I f DSGVO may only take place insofar as this is necessary to safeguard the legitimate interests of our company and the interests or fundamental rights and freedoms of the data subject, which require the protection of personal data, are not overridden.

Detailed information on our contractual partner, the IHD, within the meaning of Art 14 DSGVO, i.e. the business purpose, the purpose of the data storage there, the legal basis, the data recipients of the IHD, the right to self-disclosure and the right to deletion and correction as well as profiling can be found at www.ihd.de/datenschutz/Artikel14.html.

The information on their contract partners in the area of the credit agency can be found at: www.ihd.de/datenschutz#vertragspartner.

4. other service providers
List of commissioned services (scope, type, purpose of collection, processing, use of data, type of data, group of data subjects)

table

The following opt-out links are available:

Adform: https://site.adform.com/datenschutz-opt-out/​
Facebook: https://de-de.facebook.com/privacy/explanation.php 

 

6. Contact form and e-mail contact

(1) Our website contains contact forms that can be used for electronic contact. 
If you use this option, the data entered in the input mask will be transmitted to us and stored. 

For all forms, this is the following data at the time of submission:

  • IP address of the user
  • Date and time of registration 

In addition, for the contact form in detail

  • Salutation
  • First name/last name
  • Address, if applicable
  • Telephone number, if applicable
  • E-mail address
  • Message

For the processing of the data, your consent is obtained during the submission process and reference is made to this data protection declaration.
Alternatively, it is possible to contact us via the e-mail address provided. In this case, the personal data transmitted with the e-mail will be stored.
Insofar as this involves information on communication channels (e.g. e-mail address, telephone number), you also consent to us contacting you via this communication channel, if necessary, in order to answer your request.
In this context, the data will not be passed on to third parties. The data will be used exclusively for processing the conversation.

(2) The legal basis for the processing of the data is Art. 6 para. 1 p. lit. a) DSGVO if the user has given his consent. The legal basis for the processing of data transmitted in the course of sending an e-mail is Art. 6 para. 1 p. 1 lit. f) DSGVO. If the e-mail contact aims at the conclusion of a contract, the additional legal basis for the processing is Art. 6 para. 1S. 1 lit. b) DSGVO.

(3) The processing of the personal data from the input mask serves us solely to process the contact. We will, of course, use the data from your e-mail enquiries exclusively for the purpose for which you provided them when contacting us. In the case of contacting us by e-mail, we also have the necessary legitimate interest in processing the data. The other personal data processed during the sending process serve to prevent misuse of the contact form and to ensure the security of our information technology systems.

(4) The data is deleted as soon as it is no longer required to achieve the purpose for which it was collected. For the personal data from the input mask of the contact form and those sent by e-mail, this is the case when the respective conversation with the user has ended. The conversation is ended when the circumstances indicate that the matter in question has been conclusively clarified.  The additional personal data collected during the sending process will be deleted after a period of seven days at the latest.

(5) You have the option to revoke your consent to the processing of personal data at any time. If you contact us by e-mail, you can object to the storage of his personal data at any time. In such a case, the conversation cannot be continued. Regarding the revocation of consent/opposition to storage, we ask you to contact the person responsible or the data protection officer as per § 1 via e-mail or by post. All personal data stored in the course of contacting us will be deleted in this case.

7. Web analysis through Google Analytics (with pseudonymisation)

(1) We use the service of Google LLC (Google LLC, 1600 Amphitheatre Parkway Monutain View, CA 94043, USA) on our website to analyse the surfing behaviour of our users. The software sets a cookie on your computer (for cookies see §4). If individual pages of our website are called up, the following data is stored:

a) Two bytes of the IP address of the user's calling system.
b) The web page called up
c) Entry pages, exit pages,
d) The time spent on the website and the abort rate
e) The frequency of access to the website
f) country of origin and regional origin, language, browser, operating system, screen resolution, use of Flash or Java
g) Search engines used and search terms used.

The information generated by the cookie about the use of this website by users is generally transmitted to a Google server in the USA and stored there. This website uses Google Analytics with the extension "_anonymizeIp()". The software is set so that the IP addresses are not stored in full, but only in shortened form. In this way, it is no longer possible to assign the shortened IP address to the calling computer. Only in exceptional cases is the full IP address transmitted to a Google server in the USA and shortened there. However, the IP address transmitted by your browser as part of Google Analytics will not be merged with other Google data.

(2) On our behalf, Google will use this information for the purpose of evaluating your use of the website and compiling reports on website activity. By evaluating the data obtained, we are able to compile information about the use of the individual components of our website. This helps us to continuously improve our website and its user-friendliness. These purposes are also our legitimate interest in processing the data in accordance with Art. 6 Para. 1 lit. a) DSGVO. The anonymisation of the IP address sufficiently takes into account the interest of users in the protection of their personal data.

(3) The data is deleted as soon as it is no longer required for our recording purposes. In our case, this is the case after 18 months.

(4) The cookies used are stored on your computer and transmitted from it to our site. If you do not agree to the collection and evaluation of usage data, you can prevent this by deactivating or restricting the use of cookies by making the appropriate settings in your browser software. Cookies that have already been stored can be deleted at any time. However, in this case you may not be able to use all the functions of this website to their full extent. In addition, you can prevent the collection of data generated by the cookie and related to your use of the website (including your IP address) by Google, as well as the processing of this data by Google, by downloading and installing the browser plugin available at the following link. The current link is: https://tools.google.com/dlpage/gaoptout?hl=de. You have the option to revoke your consent to the processing of personal data at any time. If you contact us by e-mail, you can object to the storage of your personal data at any time. Regarding the revocation of consent/opposition to storage, we ask you to contact the person responsible according to § 1 via e-mail or by post.

If you visit our website with your mobile device, you can also object to the use here by deactivating GoogleAnalytics by clicking on the following link: <a href="javascript:gaOptout()">Disable Google Analytics</a>. In this case, a cookie will be set in your browser, which tells Google to stop tracking. This only applies to the app, as no consent solution is currently technically feasible. However, it must be continuously checked whether there are any technical innovations in this regard.

(5) The responsible party is Google Ireland Ltd, Gordon House, 4 Barrow Street, Dublin, Ireland, Fax: +353 (1) 436 1001. Further information can be found in the user conditions at https://www.google.com/analytics/terms/de.html, in the overview of data protection at https://www.google.com/intl/de/analytics/learn/privacy.html and in the data protection declaration at  https://www.google.de/intl/de/policies/privacy.  

 

8. Use of Google Web Fonts

(1) This site uses so-called web fonts provided by Google for the uniform display of fonts. When you call up a page, your browser loads the required web fonts into your browser cache in order to display texts and fonts correctly. When you visit our website, your browser sends requests to the Google server. Google logs the following data in the process:

a.    IP address
b.    Browser information (name, version)
c.    Website
d.    Operating system of the user
e.    Screen resolution of the user
f.     Language settings of the user's browser or operating system
g.    Font file

This is done regardless of whether Google provides a user account via which you are logged in or whether no user account exists. If you are logged in to Google, your data will be directly assigned to your account. Google Web Fonts are used in the interest of a uniform and appealing presentation of our online offers. This constitutes a legitimate interest within the meaning of Art. 6 (1) sentence 1 lit. f DSGVO.

(2) Google stores your data as usage profiles and uses them for the purposes of advertising, market research and/or designing its website in line with requirements. Such an evaluation is carried out in particular (even for users who are not logged in) for the provision of needs-based advertising and to obtain information about your activities on our website.

(3) You have the right to object to the creation of these user profiles, and you must contact Google to exercise this right.

(4) For more information on the purpose and scope of data collection and its processing by the plug-in provider, please refer to the provider's privacy policy. There you will also find further information on your rights in this regard and setting options for protecting your privacy: https://www.google.de/intl/de/policies/privacy

9. Rights of the data subject

If your personal data is processed, you are a data subject within the meaning of the GDPR and you have the following rights vis-à-vis the controller:

1. right to information,
2. right to rectification
3. right to restriction of processing,
4. right to erasure
5. right to information
6. right to data portability.
7. right to object to processing
8. right to withdraw consent under data protection law
9. right not to have an automated decision made.
10. right to complain to a supervisory authority

1. right to information
(1) You may request confirmation from the controller as to whether personal data concerning you is being processed by us. If such processing is taking place, you may at any time request from the controller free of charge information about the personal data stored about you and about the following information:

(a) the purposes for which the personal data are processed;
b) the categories of personal data which are processed;
c) the recipients or categories of recipients to whom the personal data concerning you have been or will be disclosed;
d) the planned duration of the storage of the personal data relating to you or, if specific information on this is not possible, criteria for determining the storage period;
(e) the existence of a right to obtain the rectification or erasure of personal data concerning you, a right to obtain the restriction of processing by the controller or a right to object to such processing;
(f) the existence of a right of appeal to a supervisory authority;
(g) any available information on the origin of the data where the personal data are not collected from the data subject;
(h) the existence of automated decision-making, including profiling, pursuant to Article 22(1) and (4) of the GDPR and, at least in those cases, meaningful information about the logic involved and the scope and intended effects of such processing for the data subject.

(2) You have the right to request information as to whether personal data concerning you are transferred to a third country or to an international organisation. In this context, you may request to be informed about the appropriate safeguards pursuant to Article 46 of the GDPR in connection with the transfer.

2. right to rectification
You have the right to obtain rectification and/or completion from the controller without undue delay if the personal data processed concerning you is inaccurate or incomplete.

3. right to restriction of processing
(1) You may request the controller to restrict the processing of personal data concerning you without undue delay under the following conditions:
(a) if you contest the accuracy of the personal data concerning you for a period enabling the controller to verify the accuracy of the personal data;
(b) the processing is unlawful and you object to the erasure of the personal data and request instead the restriction of the use of the personal data;
(c) the controller no longer needs the personal data for the purposes of the processing but you need it for the establishment, exercise or defence of legal claims; or
(d) if you have objected to the processing pursuant to Article 21(1) DSGVO and it is not yet clear whether the legitimate grounds of the controller override your grounds.

(2. Where the processing of personal data concerning you has been restricted, such data may be processed, except for storage, only with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of substantial public interest of the Union or of a Member State. If the restriction of processing has been restricted in accordance with the above conditions, you will be informed by the controller before the restriction is lifted.

4. right to erasure
(1) You may request the controller to erase the personal data concerning you without undue delay, provided that one of the following reasons applies:
(a) the personal data concerning you are no longer necessary for the purposes for which they were collected or otherwise processed.
b) You revoke your consent on which the processing was based pursuant to Art. 6 (1) a or Art. 9 (2) a DSGVO and there is no other legal basis for the processing.
c) You object to the processing pursuant to Article 21(1) of the GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Article 21(2) of the GDPR.
d) The personal data concerning you have been processed unlawfully.
e) The erasure of the personal data concerning you is necessary for compliance with a legal obligation under Union or Member State law to which the controller is subject.
(f) the personal data concerning you has been collected in relation to information society services offered pursuant to Article 8(1) of the GDPR.

(2) If the controller has made the personal data concerning you public and is obliged to erase it pursuant to Article 17(1) of the GDPR, the controller shall take reasonable steps, including technical measures, having regard to the available technology and the cost of implementation, to inform data controllers processing the personal data that you, as the data subject, have requested them to erase all links to, or copies or replications of, those personal data.

(3. The right to erasure shall not apply insofar as the processing is necessary for
(a) for the exercise of the right to freedom of expression and information;
(b) for compliance with a legal obligation which requires processing under Union or Member State law to which the controller is subject, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(c) for reasons of public interest in the field of public health pursuant to Article 9(2)(h) and (i) and Article 9(3) of the GDPR;
(d) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes pursuant to Article 89(1) of the GDPR, insofar as the right referred to in section (a) is likely to make impossible or seriously prejudice the achievement of the purposes of such processing; or
e) for the assertion, exercise or defence of legal claims.

5. right to information
If you have asserted the right to rectification, erasure or restriction of processing against the controller, the controller is obliged to inform all recipients to whom the personal data concerning you have been disclosed of this rectification/erasure/restriction of processing, unless this proves impossible or involves a disproportionate effort. You have the right to be informed of these recipients by the controller.

 (6) Right to data portability
(1) You have the right to receive the personal data concerning you that you have provided to the controller in a structured, common and machine-readable format. You also have the right to transmit this data to another controller without hindrance from the controller to whom the personal data was provided, provided that
a) the processing is based on consent pursuant to Art. 6 para. 1 lit. a DSGVO or Art. 9 para. 2 lit. a DSGVO or on a contract pursuant to Art. 6 para. 1 lit. b DSGVO and
b) the processing is carried out with the aid of automated procedures.
(2) In exercising this right, you also have the right to have the personal data concerning you transferred directly from one controller to another controller, insofar as this is technically feasible. This must not affect the freedoms and rights of other persons.
(3. The right to data portability shall not apply to the processing of personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
(4. To assert the right to data portability, the data subject may at any time contact the controller.

(7) Right to object
(1) You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you which is carried out on the basis of Article 6(1)(e) or (f) DSGVO; this also applies to profiling based on these provisions.
(2) The controller shall no longer process the personal data concerning you unless it can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves the purpose of asserting, exercising or defending legal claims.
(3) If the personal data concerning you are processed for the purpose of direct marketing, you have the right to object at any time to the processing of personal data concerning you for the purpose of such marketing; this also applies to profiling, insofar as it is related to such direct marketing. If you object to the processing for direct marketing purposes, the personal data concerning you will no longer be processed for these purposes.
(4) You have the possibility, in connection with the use of information society services, notwithstanding Directive 2002/58/EC, to exercise your right to object by means of automated procedures using technical specifications.
(5. To exercise the right to object, the data subject may contact the controller directly.

8. right to revoke the declaration of consent under data protection law
You have the right to revoke your declaration of consent under data protection law at any time. The revocation of the consent does not affect the lawfulness of the processing carried out on the basis of the consent until the revocation. You can contact the data controller for this purpose.

9 Automated decision in individual cases including profiling
(1) You have the right not to be subject to a decision based solely on automated processing - including profiling - which produces legal effects vis-à-vis you or similarly significantly affects you. This does not apply if the decision
a) is necessary for the conclusion or performance of a contract between you and the controller,
b) is permissible on the basis of legal provisions of the Union or the Member States to which the controller is subject and these legal provisions contain appropriate measures to safeguard your rights and freedoms as well as your legitimate interests; or
(c) is made with your express consent.
(2) However, these decisions may not be based on special categories of personal data pursuant to Article 9(1) of the GDPR, unless Article 9(2)(a) or (g) of the GDPR applies and appropriate measures have been taken to protect your rights and freedoms and your legitimate interests.
(3) With regard to the cases mentioned in (1) and (3), the controller shall take reasonable steps to safeguard the rights and freedoms as well as your legitimate interests, which include at least the right to obtain the intervention of a data subject on the part of the controller, to express his or her point of view and to contest the decision.
(4. If the data subject wishes to exercise the rights concerning automated decisions, he or she may, at any time, contact the controller.

(10) Right to complain to a supervisory authority
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your residence, workplace or the place of the alleged infringement, if you consider that the processing of personal data concerning you infringes the GDPR. The supervisory authority to which the complaint has been lodged shall inform the complainant of the status and outcome of the complaint, including the possibility of a judicial remedy under Article 78 GDPR.

10.Changes to the privacy policy

We reserve the right to change our privacy practices and this policy to comply with changes in relevant laws or regulations or to better meet your needs. Possible changes to our privacy practices will be posted here accordingly. Please note the current version date of the privacy policy.


Privacy policy for the online application

Thank you for your interest in our online job advertisement. The protection of your personal data is very important to us. Therefore, we inform you below about the collection, processing and use of your data in the context of the online application, in accordance with the relevant data protection regulations.

1. Data collection

In the course of your online application, we will collect and process the following personal application data from you:

Salutation
Surname, first name
Address, if applicable
Telephone number
E-mail
Date of birth, if applicable
Application information (skills, desired field, employment relationship)
Message if applicable

2. Purpose of data collection / disclosure

Your personal application data is collected and processed exclusively for the purpose of filling vacancies within our company. Your data will only be forwarded to the internal departments and specialist departments of our company responsible for the specific application procedure. Your personal application data will not be passed on to other companies without your prior express consent. Your application data will not be used or passed on to third parties beyond this.

3. Retention period of the application data

Your personal application data will be deleted automatically six months after the application process has been completed. This does not apply if legal provisions prevent deletion, if further storage is necessary for the purpose of providing evidence or if you have expressly consented to longer storage.

4. Storage for future job postings

If we are unable to offer you a current vacancy, but based on your profile we believe that your application may be of interest for future vacancies, we will store your personal application data for twelve months, provided that you expressly consent to such storage and use.

5. Data security

We have taken various technical and organisational precautions to protect the data collected as part of your application from manipulation and unauthorised access. In particular, the transmission of your online application is encrypted in accordance with the currently recognised state of the art.

6. Right of information and revocation

If you have any questions about the collection, processing or use of your personal data, or in cases of information, correction or deletion of data, as well as revocation of consent granted, please contact our above-mentioned data protection officer.

7. General data protection information

Please also refer to our general data protection information for further information regarding the use of our website.


 

Privacy policy social networks

 

We maintain online presences on various social networks and platforms. In the following, we would like to inform you about the data collected by these and by us, about their purposes, the legal basis, recipients and your rights.

§ 1 Responsible persons and data protection officers

Jointly responsible persons within the meaning of Art. 26 of the General Data Protection Regulation and other national data protection laws of the member states as well as other data protection regulations for our social platforms are

Sonnenpark Hotel GmbH & Co. KG
Sonnenweg 4a
34508 Willingen
05632/4080
info@sonnenpark.de
www.sonnenpark.de

 

The data protection officer is Dieter Grohmann, 0831/5124-7030, info@akwiso.de

as well as the companies named below for the respective network

a) Facebook: Facebook Ireland Ltd, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland. The supervisory authority is the Data Protection Commission, Canal House, Station Road, Portarlington, R32 AP23 Co. Laois, https://www.dataprotection.ie/docs/Contact-us/b/11.htm. More information on data protection at https://www.facebook.com/policy.php.
b) Instagram: Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Irland. The supervisory authority is the Data Protection Commission, Canal House, Station Road, Portarlington, R32 AP23 Co. Laois; for more information on data protection, see https://instagram.com/about/legal/privacy/.
c) Pinterest: Pinterest Europe Ltd., Palmerston Hpuse, 2nd Floor, Fenian Street, Dublin 2, IRELAND; Supervisory Authority is the Data Protection Commission, Canal House, Station Road, Portarlington, R32 AP23 Co. Laois, https://www.dataprotection.ie/docs/Contact-us/b/11.htm. More information on data protection at https://policy.pinterest.com/de/privacy-policy

§ 2 Data collected by us in general

2.1 Facebook / Instagram

(1) We ourselves use the respective statistical evaluations that the social network makes available to us. We are currently unable to turn this off or modify it. We collect the following data as a result:

a) Demographic data (gender, age, country, place of residence, language): We collect this data as part of our paid promotional campaigns, as part of advertised events and as part of the statistical evaluation on our fans, subscribers and people reached.
b) Statistical figures on the number of subscribers, reactions to our posts, reach of our posts, fans (people who like our page), access times (days, times), page views, actions on the page (comments, partial actions, clicks, negative feedback), on the performance of our posts and on different types of posts (photo, video, etc.), events (tickets sold, people reached, interactions), on entertainments and on any stories posted.

We receive the evaluations anonymously in each case.

The legal basis for the collection of the above-mentioned data is Art. 6 Para. 1 lit. f) DSGVO, so that we can provide our interested parties with interesting events, information etc. tailored to their needs and so that we know which measures are worthwhile on our part. This enables us to optimise our content. We believe that the interests of our fans, subscribers, etc. are protected by the fact that these evaluations are carried out anonymously by us and can only be used by the social network in a personalised manner (within the framework of their terms of use).

(2) Furthermore, we collect data in the context of our fans (likes) or those persons who have commented or shared something. For this purpose, we learn the name (if applicable, the user name of the account), the profile picture and, in turn, the information publicly provided by the persons. Through the comments, we also learn something about the opinion or the person themselves.

The legal basis for the collection of the aforementioned data is Art. 6 para. 1 lit. a) DSGVO. Subscribers, fans, contributors and commentators give their consent to the collection by accepting the terms of use of the respective social network and the contributions based on these (like-clicks, share-clicks, comments).

(3) Furthermore, you can send us messages via the social network. In this case, the personal data transmitted with the message (name/user name; profile picture) will be stored. In this case, you agree that we may also contact you via this communication channel in order to answer your request. In this context, the data will not be passed on to third parties. The data will be used exclusively for processing the conversation.

The legal basis for processing the data transmitted in the course of sending a message is Art. 6 para. 1 p.1 lit. f) DSGVO. The legitimate interest lies in the processing of your enquiry. If the message/contact is aimed at concluding a contract, the additional legal basis for the processing is Art. 6 para. 1 p. 1lit. b) DSGVO.

(4) The statistical and demographic data according to para. (1) and the messages according to para. (3) are collected and processed by us. In addition, this data is processed by the social network and its associated partners/companies, etc. (for this, see § 4). The data pursuant to paragraph (2) can be viewed not only by us and the social network and their associated partners/companies, but also by all subscribers, fans, contributors, commentators and other persons who click on our page or surf on pages of our subscribers, fans, contributors and commentators.

(5) Through our fan page on Facebook, you will also be redirected to our website where you can make purchases. For the data collected and processed there, we refer to our data protection declaration at www.sonnenpark.de. Facebook itself only receives the information that a redirection has taken place. We will not forward any data about the purchase to Facebook.

The legal basis for the collection of data by us regarding the Facebook Shop is Art. 6 para. 1 p. 1 lit. b) DSGVO, insofar as it concerns contract negotiations or a contract is concluded.

(6) We regularly post company events. Provided you have liked our fan page, we can invite you to events. You as a user can further like and share and comment on the events, participate in it or be interested in it. The information may be provided by the host of the event, i.e. us, as well as

a) in the context of public events, by all persons on and outside Facebook
b) in the context of private events, by all invited persons.

be seen. The legal basis for the collection of this data is Art. 6 para. 1 p. 1 lit. a) DSGVO as well as Art. 6 para. 1 p. 1 lit. f) DSGVO, insofar as it concerns the notification of participation or interest in an event to us, as this enables us to better plan the event or to evaluate the interest in the topic of the event etc. in order to align our event marketing with this in the future. This is also our legitimate interest.

(7) If we have posted offers or discounts, both Facebook and we may collect information about the person who saved the offer or discount as interesting. You will then receive a notification from Facebook before the offer expires. The legal basis for the collection of this data is Art. 6 para. 1 p. 1 lit. a) DSGVO.

(8) Information on our job advertisements:

a) We publish job advertisements on our fan page. You can apply accordingly by e-mail or via the website www.mycrew-sonnenpark.de. If you apply via the website www.mycrew-sonnenpark.de, we refer to the data protection declaration mentioned there.
b) If you apply to us, we process the information that we receive from you as part of the application process, i.e. information from your

Cover letter
Curriculum vitae
Photo
Certificates
Correspondence
If you apply by e-mail, we also process the following data

E-mail address
If applicable, further information which is transmitted via e-mail.
We do not carry out any research about you on the Internet (so-called background checks).
c) If you send us a photo of yourself, information on your racial or ethnic origin may be derived from it. We would like to point out that we do not explicitly examine the photos for such information, nor for biometric data, nor for health data, but that sometimes indications arise merely from looking at the picture.
d) Your data will initially be processed exclusively for the purpose of carrying out the application procedure. If your application is successful, the data will become part of your personnel file and may be used to implement and terminate your employment. If we are currently unable to offer you employment, we will process your data in order to defend ourselves against any legal claims, in particular for alleged discrimination in the application process. The legal basis for the data processing is therefore Art. 6 para. 1 lit. b) DSGVO, insofar as the data processing serves the decision on the establishment of an employment relationship and insofar as the data is then included in the employment relationship. If the storage serves to secure claims, the legal basis is Art. 6 para. 1 lit. f) DSGVO. The legitimate interest here is the receipt of evidence documents for possible defence. We process information and documents that are not required for the aforementioned purposes on the basis of your implied consent pursuant to Art. 6 Para. 1 lit. a) DSGVO, which you have given us by sending us the information.

(9) The statistical data according to paragraph (1) will be deleted after 7 days (actions on the page, page views) or after 2 months. The other data according to paragraph (2) will be irrevocably removed upon deletion of our site or temporarily removed upon deactivation. The data from the message according to paragraph (3) will be deleted when the respective conversation has ended. However, if the conversation is aimed at concluding a contract, the data will be deleted in accordance with the statutory retention periods; this is usually 10 years.

We store the data required for the successful application and for the employment relationship until the end of the employment relationship and for up to 3 years thereafter. We continue to process the data relating to an application in respect of which we had to decide to reject the application for a period of 6 months after sending the rejection in order to safeguard our legitimate interests. If we are called upon within the scope of a lawsuit, we store the data until its conclusion. This also applies accordingly to data received voluntarily. 

(10) As already communicated, the statistical data is collected without us currently having the option of opting out. For this reason, we cannot comply with your right of objection for technical reasons. We therefore ask you to contact the social network directly at the addresses mentioned in § 1. There is a revocation option with regard to the messages in accordance with paragraph (3), insofar as the message does not serve the preparation or execution of a contract. Please note that in this case the request may not be processed. Incidentally, you can delete your connections to us by deactivating the Like buttons again. If we receive a revocation and have the option of deleting your data (e.g. comments on our pinboard, application documents, etc.), we will take the necessary steps to do so. The revocation does not affect the lawfulness of the processing of your data based on your consent until a possible revocation. 

2.2 Pinterest

(1) We ourselves use the respective statistical evaluations that the social network makes available to us. We are currently unable to turn this off or modify it. We collect the following data as a result:

Number of impressions, in each case related to pins and the profile.
Number of viewers, in each case related to pins and the profile
Number of bookmarked pins
Number of clicks
Regarding my target group: information on country, area, language, gender, interests, brands
We receive the evaluations anonymized in each case. The legal basis for the collection of the above data is Art. 6 para. 1 lit. f) DSGVO, so that we know which pins are worthwhile on our part in turn. This allows us to optimize our content. We believe that the interests of our users are protected by the fact that these evaluations are carried out anonymously by us and can only be used by the social network in a personalized manner (within the scope of their terms of use).

(2) Furthermore, we collect data from people who comment on something, share something or follow our profile. For this purpose, we learn the name (or user name) and can access the profile of the person with all associated data. Furthermore, via the comments we learn something about the opinion or the person himself. The legal basis for the collection of the aforementioned data is Art. 6 para. 1 lit. a) DSGVO. The followers, contributors and commentators give their consent to the collection by accepting the terms of use of the respective social network and the contributions based on them.

(3) Furthermore, you can send us messages via the social network. In this case, the personal data transmitted with the message (name/user name) will be stored. In this case, you agree that we may also contact you via this communication channel in order to answer your request. In this context, the data will not be passed on to third parties. The data will be used exclusively for processing the conversation. The legal basis for the processing of data transmitted in the course of sending a message is Art. 6 para. 1 p.1 lit. f) DSGVO. The legitimate interest lies in the processing of your request. If the message/contact is aimed at the conclusion of a contract, the additional legal basis for the processing is Art. 6 para. 1 p. 1lit. b) DSGVO.

(4) If we operate a secret bulletin board together with users, the activities of all participating users on this secret bulletin board are processed by us. The legal basis for the collection of the aforementioned data is Art. 6 (1) a) DSGVO. The followers, contributors and commentators give their consent to the collection by accepting the terms of use of the respective social network and the contributions of these based on them.

(5) The statistical data according to paragraphs (1), (4) and the messages according to paragraph (3) are collected and processed by us. In addition, these data are processed by the social network and associated partners / companies, etc. (for this see § 4) The data according to para (2) are not only visible by us and the social network and their associated partners / companies, but also by all followers, contributors, commentators and other persons who click on our site or surf on pages of our followers, contributors and commentators.

(6) The statistical data according to paragraph (1) will be deleted after 30 days. The data according to par. (2), (4) will be removed with deletion of the pin. The data from the message according to paragraph (3) will be deleted when the respective conversation is finished. However, if the conversation aims at the conclusion of a contract, the data will be deleted according to the legal retention periods; this is usually 10 years.

(7) As already communicated, the statistical data is collected without there currently being an opt-out option by us. For this reason, we are unable to honor your right of objection for technical reasons. We therefore ask you to contact the social network directly at the addresses listed in § 1. There is a revocation option with regard to the messages according to para. (3), insofar as the message does not serve the preparation or execution of a contract. Please note that in this case the request may not be processed. The revocation does not affect the legality of the processing of your data based on your consent until a possible revocation. 

§ 3 Rights of the data subject towards us

(1) In the following, we would like to inform you of your rights. Please note that we can unfortunately only provide limited information, because the data collected by the social network is received anonymously, i.e. we only collect anonymized data. Therefore, we can also not assign a request to a person. However, the social network has not yet taken any implementation measures, so that we can currently only advise you to assert the following rights against the social network.Facebook Ireland Ltd. has assumed primary responsibility for the processing of Insights data pursuant to Section 2 (1) and has assured to fulfill all obligations regarding the processing of the data, in particular the data subject rights. However, we can assign your identity and guarantee your rights to the extent that we collect your data directly, e.g. based on a request, a Like, etc.

(2) You have the right to request information about the personal data stored about you (Art. 15 DS-GVO) at any time. This also concerns the recipients or categories of recipients to whom this data is passed on and the purpose of the storage. In addition, you have the right to demand correction under the conditions of Art. 16 DS-GVO and/or deletion under the conditions of Art. 17 DS-GVO and/or restriction of processing under the conditions of Art. 18 DS-GVO. Furthermore, you may request data transfer at any time under the conditions of Art. 20 DS-GVO. For more detailed information, please refer to the full text of the DS-GVO.

(3) In the case of processing of personal data for the performance of tasks in the public interest (Art. 6 para. 1 sentence 1 lit. e DS-GVO) or for the performance of legitimate interests (Art. 6 para. 1 sentence 1 lit. f DS-GVO), you may object to the processing of the personal data concerning you at any time with effect for the future. In the event of an objection, any further processing of your data for the aforementioned purposes must be refrained from, unless,

a) there are compelling legitimate grounds for processing which override your interests, rights and freedoms, or
(b) the processing is necessary for the assertion, exercise or defense of legal claims.

(4) Please direct all requests for information, information requests, revocations or objections to data processing by e-mail to our data protection officer at gem. 1 para. 2 or to the address given at gem. 1 para. 1. Furthermore, you have the option of complaining to the competent supervisory authority about matters relating to data protection law. The authority responsible for us is the Hessian Commissioner for Data Protection and Freedom of Information, Gustav-Stresemann-Ring 1, 65189 Wiesbaden, www.datenschutz-hessen.de.

(5) Regarding Facebook, we will forward your request with the name and email address of the requesting person to Facebook Ireland Ltd. which will assist us in answering or implementing the request.

§  4 Processing of data by the social network

(1) The social network collects various information from you, which we cannot present below. We therefore refer you to the privacy policy of the respective network with regard to the data and the purposes for which the data is collected, as well as with regard to the recipients of this data.

a) Facebook: More detailed information on data protection at https://www.facebook.com/policy.php.
b) Instagram: More detailed information on data protection at https://instagram.com/about/legal/privacy/.
c) Pinterest: More detailed information on data protection at https://policy.pinterest.com/de/privacy-policy.

(2) The transfer of data also takes place to partners and companies in third countries.

(3) The user's data will be stored until the account is deleted or as needed to provide the services of the social network - whichever comes first. However, only the content posted and transacted by the user himself/herself will be deleted, not the content provided by others about the user. Insofar as data is the subject of an inquiry or a legal obligation, official investigation, etc., the data may be stored for a longer period of time, but at most until it is completed. To prevent abuse, the social network also stores information about accounts that have been deactivated due to violations of the terms of use for at least 1 year.

If the data serves the fulfillment of a contract, the data will be stored due to tax, commercial or other retention obligations in accordance with the legal requirements (at least 10 years). Data from user address uploads used for the purpose of inviting non-users will be deleted as soon as the non-user declines the invitation.

(4) You can revoke or object to the processing of certain data in the social networks in each case by making the appropriate settings. For this purpose, however, we refer you to the corresponding providers:

(a) Facebook: Settings and objections to data use for advertising purposes are possible within the profile settings at https://www.facebook.com/settings?tap=ads.
b) Instagram: Settings and objections to data use for advertising purposes are possible within the profile settings at https://help.instagram.com/116024195217477/?helpref=hc_fnav&bc[0]=36839.....
c) Pinterest: Settings and objections to data use for advertising purposes are possible within the profile settings at https://www.pinterest.com/settings/.

§ 5 Rights of the data subject vis-à-vis the social network

(1) You have the right to request information about the personal data stored about you (Art. 15 DS-GVO) at any time. This also concerns the recipients or categories of recipients to whom this data is passed on and the purpose of the storage. In addition, you have the right to demand correction under the conditions of Art. 16 DS-GVO and/or deletion under the conditions of Art. 17 DS-GVO and/or restriction of processing under the conditions of Art. 18 DS-GVO. Furthermore, you may request data transfer at any time under the conditions of Art. 20 DS-GVO. For more detailed information, please refer to the full text of the DS-GVO.

(2) In the case of processing of personal data for the performance of tasks in the public interest (Art. 6 para. 1 sentence 1 lit. e DS-GVO) or for the performance of legitimate interests (Art. 6 para. 1 sentence 1 lit. f DS-GVO), you may object to the processing of the personal data concerning you at any time with effect for the future. In the event of an objection, any further processing of your data for the aforementioned purposes must be refrained from, unless,

a) there are compelling legitimate grounds for processing which override your interests, rights and freedoms, or
b) processing is necessary for the assertion, exercise or defense of legal claims.

(3) Please address all requests for information, information requests, revocations or objections to data processing by e-mail to the addresses listed under § 1. Furthermore, you have the option of complaining to the responsible supervisory authority about data protection issues. These are also named - as far as known - under § 1.

§ 6 Changes to the Privacy Policy

We reserve the right to modify our privacy practices and this policy to conform to changes in relevant laws or regulations or to better meet your needs. Possible changes to our privacy practices will be announced here accordingly. Please note the current version date of the Privacy Policy.