We’re delighted that you have visited our website. We’d like to tell you how we handle your data pursuant to Art. 13 of the General Data Protection Regulation (GDPR).
Controller
The entity named in the Legal Notice is responsible for the data processing described in the following.
Usage data
When you visit our website, “temporary usage data” is evaluated on our web server for statistical purposes in the form of a protocol, in order to improve the quality of our website. This data set consists of:
- the name and address of the content requested;
- the date and time of the request
- the amount of data transferred;
- the access status (content transferred, content not found);
- a description of the web browser and operating system used; and
- the referral link, which specifies the page from which you arrived on our website.
The legal basis for processing usage data is Art. 6 Par. 1 (1) (f) GDPR. Processing is done in our legitimate interest of making available the content of the website and optimising it for particular devices and browsers.
Storing the IP address for security purposes
We also store the complete IP address sent by your web browser strictly for specific purposes, for the sake of identifying, limiting and counteracting attacks on our website. This data is currently held for two weeks and then automatically deleted. The legal basis is Art. 6 Par. 1 (1) (f) GDPR.
Data security
We take technical and organisational steps to comprehensively protect your data against unwanted attacks. We use an encryption process on our website. Anything you enter is sent between your computer and our server via the internet using DLS encryption. You can usually recognise this, because the status bar of your browser will contain a closed padlock symbol and the address line will begin with https://.
Consent banner
We use a consent management platform (consent/cookie banner) on our website. Processing in conjunction with the use of a consent management platform and recording the settings you make is done on the basis of Art. 6 Par. 1 (1) (f) GDPR, in order to pursue our legitimate interest of delivering content in accordance with your preferences and being able to demonstrate the consent you have given. The settings you make, the consent you give and some of your usage data are stored in a cookie. This allows the information to be retained for later visits and for your consent to be remembered.
The consent management platform is embedded by Homepage Helden GmbH, which provides the service to us (data processor) strictly under our instructions and in support of the structuring of our website. A data processing agreement has been concluded pursuant to Art. 28 GDPR.
Room booking
If you book a room on our website, we process your personal data marked as mandatory pursuant to Art. 6 Par. 1 (b) GDPR for the purpose of fulfilling the agreement.
If you want to arrive after 6 p.m., we also collect your payment details as a security. The details you provide are used exclusively to deliver our contractual services and are of course treated confidentially.
Where necessary, personal data is handed on to companies involved in the fulfilment of this agreement, such as banks that handle payments.
If you voluntarily submit further data (such as your phone number), we will process it on the basis of your consent, which is revocable at any time, and only in order to complete the room booking and to enable us to contact you if we have questions about it. The legal basis for this processing is Art. 6 Par. 1 (1) (a) GDPR.
Your booking data is usually deleted after 90 days and your credit card details 30 days after the booking is complete. If a statutory storage period applies, then the data required to fulfil the agreement is archived for that duration. The data may be processed after the end of the agreement if this is necessary in order to assert, exercise or defend legal rights.
To fulfil online bookings, we utilise a service provided by HotelNetSolutions GmbH, Genthiner Str. 8, 10785 Berlin, which acts as our data processor strictly under our instructions. A data processing agreement has been concluded.
Table booking
To book a table, we collect the requested date, time, number of people and your personal details (title, first name and surname, email address). We process these details for the purpose of fulfilling the booking pursuant to Art. 6 Par. 1 (b) GDPR. If you voluntarily submit further data (such as your phone number), we will process it on the basis of your consent, which is revocable at any time, and only in order to complete the table booking and to enable us to contact you if we have questions about it. The legal basis for this processing is then Art. 6 Par. 1 (1) (a) GDPR.
Our website incorporates a plugin made by Open Table Inc. (USA), which makes it easy for you to book a table online. To ensure that opening our web pages incorporating embedded booking plugins does not automatically cause content originating from the third-party provider to be loaded, the first step only involves showing a preview image.
Only when you click on the preview image does content from the third-party provider appear. This tells the third-party provider that you have visited our page, and provides the usage data technically required in this regard (in particular your IP address). We have no influence over the way the third-party provider processes your data from that point onwards, and it acts on its own responsibility in regard to data privacy. For further information, please view OpenTable’s privacy policy at https://www.opentable.de/legal/privacy-policy.
Embedding is done on the basis of your revocable consent, provided you have given your consent by clicking on the preview image. If data is sent to the USA, an appropriate data protection level is ensured by the provider’s certification under the adequacy decision (EU–U.S. Data Privacy Framework).
If you do not want to book online, you can reserve instead by phone or email at any time using the contact details provided in the Legal Notice. We also use OpenTable services to organise bookings received by phone or email. In this context, Open Table Inc. supports us as a data processor strictly under our instructions. A data processing agreement has been concluded.
Your booking details will usually be deleted 30 days after the completion of the booking. If a statutory storage period applies, then the data required to fulfil the agreement is archived for that duration.
Contact form
You can get in touch with us using our contact form. To use our contact form, we require the details marked as mandatory.
We use this data on the basis of Art. 6 Par. 1 (1) (f) GDPR in order to respond to your enquiry.
Apart from that, you can decide for yourself whether to give us more information. This information is provided voluntarily and is not essential for getting in touch. We process your voluntary information on the basis of your consent.
Your details will be processed only to respond to your enquiry. We will delete your data once it is no longer needed and provided there is no statutory reason to keep it. Generally speaking, this means 30 days after processing your enquiry.
If we process the data sent by you using the content form on the basis of Art. 6 Par. 1 (1) (f) GDPR, you can state at any time that you do not wish this to happen. You can also revoke your consent to the processing of voluntary details at any time. To do so, please use the email address provided in the Legal Notice.
Google Analytics
We use the Google Analytics tool to deliver our website in accordance with users’ needs. Google Analytics creates usage profiles on the basis of pseudonyms. To do this, permanent cookies are stored on your device and provide us with data. This allows us to recognise returning visitors and count them as such.
The Google Analytics service is provided by Google Ireland Limited as the data processor pursuant to Art. 28 GDPR. Data processing may be done by Google outside of the EU/EEA (in particular in the USA). When it comes to Google, an appropriate data protection level is ensured by the adequacy decision (EU–U.S. Data Privacy Framework). Google also undertakes to conclude standard contractual clauses with other subcontracting processors.
Data processing is done on the basis of your consent, provided you have given your consent using our banner. You can revoke your consent at any time. To do this, please use this link and make the necessary settings on our banner.
Google Maps
Our website incorporates maps made by Google, which are not stored on our servers. To ensure that opening our web pages incorporating embedded map services does not automatically cause content originating from Google to be loaded, the first step only involves showing locally saved preview images of maps. This does not send Google any information.
Only when you click on the preview image does content from Google appear. This means Google is told that you have visited our site and have provided with your usage data technically required in that context. We have no influence over the way Google processes your data from that point onwards. By clicking on the preview image, you give your consent for Google content to be loaded. If you do not wish this to happen on other pages, please do not click the preview images.
Embedding is done on the basis of your consent, provided you have given your consent beforehand by clicking on the preview image.
Please note that the embedding of certain map services means that your data will be processed outside of the EU/EEA (in particular in the USA). If data is sent to the USA, an appropriate data protection level is ensured by Google’s certification under the adequacy decision (EU–U.S. Data Privacy Framework).
Quick application
You are very welcome to apply for any jobs we advertise. When you apply, we need the details that are marked as mandatory in the application form. The legal basis for processing this data is Section 26 Par. 1 (1) of the German Federal Data Protection Act (BDSG), since the data is needed to decide about establishing an employment relationship. Data is not processed for any other reason.
Aside from that, you yourself can decide whether you want to provide us with any more information that is not marked as mandatory in the application form. Supplying that data is voluntary and not essential for the application. If you do provide us with data voluntarily, we will process it on the basis of your consent, which can be revoked at any time pursuant to Art. 6 Par. 1 (1) (a) GDPR in conjunction with Section 26 Par. 2 BDSG. You can revoke your consent at any time with effect for the future. To do so, please contact the address listed in the Legal Notice.
Your details will be treated confidentially at our establishment. We employ a service provider called Head College GmbH, Lademannbogen 127 in 22339 Hamburg, who acts under our strict instructions as a data processor for application management, and with whom we had concluded an agreement pursuant to Art. 28 GDPR. Apart from that, your details are not passed on to anyone else. If an employment contract is concluded after the application process, we will save the data from your application which is needed for your employment relationship. The legal basis for this processing is Section 26 Par. 1 (1) BDSG. If your application is unsuccessful, your documentation will usually be deleted no later than six months after the application process is complete or after it was sent. The legal basis for this processing is Art. 6 Par. 1 (1) (f) GDPR. It will be processed up until its erasure in pursuit of our legitimate interest of defending ourselves against any complaints relating to the application. We only process that personal data which is provided to us as part of the application process.
Sometimes, certain data may be kept for longer (such as when calculating travelling expenses). The duration for which this is stored depends on statutory storage obligations, which can originate in the German Fiscal Code or the German Commercial code and may be six to ten years. We are also allowed to keep your data for longer if it is necessary to continue to process it after weighing up our interests in asserting, exercising or defending legal rights.
If you do not end up being given a job, but your application remains of interest to us nevertheless, we will ask you whether we may keep your application for future positions. This longer storage period is based on your revocable consent pursuant to Art. 6 Par. 1 (1) (a), Art. 7 GDPR in conjunction with Section 26 Par. 2 BDSG.
Storage duration
If we have not informed you in detail about the storage duration, we will delete personal data if it is no longer needed for the aforementioned processing purposes and if no other legitimate interests or other reasons to keep it, legal or otherwise, prevent its erasure.
Other data processors
We pass your data on to service providers who help us to run our website and its associated processes, as part of order processing pursuant to Art. 28 GDPR. These can include hosting providers. Our service providers act strictly under our instructions and are contractually bound accordingly.
Below we name the data processors with whom we work, unless we have already done so in the Data Privacy Statement above. If data is processed outside of the EU/EEA in this context, we will tell you about it in the following table:
| Data processors | Purpose | Appropriate data protection level |
|---|---|---|
| haj.tech GmbH | Web hosting and support | Processing exclusively inside the EU/EEA |
| Block Marketing GmbH | Website design and marketing activities | Processing exclusively inside the EU/EEA |
Your rights as a data subject
The GDPR provides you as a data subject with certain rights when your personal data is processed.
Right of access (Art. 15 GDPR)
You have the right to be told whether personal data about you is being processed. If it is, you have a right to access this personal data and the information detailed in Art. 15 GDPR.
Right to rectification (Art. 16 GDPR)
You have the right to demand the immediate rectification of any incorrect personal data relating to you and to have incomplete data completed.
Right to erasure (Art. 17 GDPR)
You have the right to demand that personal data about you is immediately deleted, if one of the reasons listed in Art. 17 GDPR applies.
Right to restriction of processing (Art. 18 GDPR)
You have the right to request the restriction of processing if one of the conditions listed in Art. 18 GDPR applies, such as if you have objected to processing, for as long as it takes the responsible party to make an assessment.
Right to data portability (Art. 20 GDPR)
In certain cases detailed in Art. 20 GDPR, you have the right to request the personal data relating to you in a structured, commonly used and machine-readable format, and to ask for this data to be sent to a third party.
Right to revoke (Art. 7 GDPR)
If data is processed on the basis of your consent, you are entitled under Art. 7 Par. 3 GDPR to revoke your consent to the use of your personal data. Please note that revocation shall only have effect for the future. Processing done before revocation is not affected.
Right to object (Art. 21 GDPR)
If data is collected on the basis of Art. 6 Par. 1 (1) (f) GDPR (data processing to protect legitimate interests) on the basis of Art. 6 Par. 1 (1) (e) GDPR or (data processing to protect public interests or in the exercise of official authority), you have the right to object to processing for reasons applicable to your particular situation. We will then no longer process your personal data – unless, that is, there are demonstrably compelling reasons worthy of protection to continue processing, which outweigh your interests, rights and freedoms, or if processing serves to assert, exercise or defend legal rights.
Right to complain to a supervisory authority (Art. 77 GDPR)
According to Art. 77 GDPR, you have the right to complain to a supervisory authority if you believe that the processing of data relating to you contravenes data privacy regulations. This right to complain can be asserted in particular with a supervisory authority in the member state in which you habitually reside, in which you work, or in which you think the contravention has taken place.
Asserting your rights
Unless something else is stated above, please contact the address provided in the Legal Notice if you want to assert your rights as a data subject.
How to contact the data protection officer
Our external data protection officer will gladly assist you in matters relating to data protection and can be contacted as follows:
datenschutz nord GmbH
Sechslingspforte 2
22087 Hamburg
Website: https://www.dsn-group.de/
Email: office@datenschutz-nord.de
If you contact our data protection officer, please specify the relevant office stated in the Legal Notice.