Data Privacy Statement

We, the GCH Hotels GmbH, Hardenbergstraße 12, 1063 Berlin, info@gchhotelgroup.com, would like to inform you of the way we process personal data.
You can contact our Data Protection Officer by email at gch-dsb@daspro.de or by telephone on +49 (0)30 8877 4150, DSB GCH-Gruppe, daspro GmbH, Kurfürstendamm 21, 10719 Berlin.

Below we have compiled the most important information about typical forms of data processing, broken down according to the stakeholder groups involved. For certain forms of data processing that only affect certain groups, information obligations are met separately.

Where the text refers simply to “data”, this is taken to refer solely to personal data as defined by the General Data Protection Regulation (GDPR).
 
1.    Website visitors
2.    Hotel guests
3.    Interested parties, communication partners
4.    Business partners and their employees
5.    Rights of affected persons and other details

 

1. Website visitors

1.1 Server log data
For each query, our server processes a range of data that your browser automatically sends to our web server. This data includes the current IP address of your device, the date and time of your query, the actual page or file accessed, the http status code and the volume of data transferred; it also includes the website from which your query originated, the browser used, the operating system of your device and the language setting. The web server uses this data to present the content of this website on your device the best way possible.

1.2 Analysis of usage behaviour – Google Analytics
This website uses Google Analytics, a web analysis service of Google Inc. (“Google”). Google Analytics uses cookies, text files that are stored on your device that make it possible to analyse your use of the website. The information created by the cookie about your use of the website is usually transmitted to a Google server in the USA and stored there. IP anonymisation is activated for this website, i.e. your IP address is first truncated within the European Union or in another state party to the Agreement on the European Economic Area. Only in exceptional cases is the complete IP address transmitted to a Google server in the USA and truncated there.
As a processor in the sense of Art. 28 GDPR, Google will use this information to analyse your use of the website, to compile reports about website activities and to render to the operator of the website other services related to the use of the website and internet usage. The IP address transmitted as part of the Google Analytics service is not combined with any other Google data.
You can prevent Cookies from being saved by adjusting the relevant setting in your browser software. You can prevent the storage of data created by the cookie and related to your use of the website (incl. your IP address) and Google’s processing of this data by downloading and installing the browser plug-in [https://tools.google.com/dlpage/gaoptout?hl=en-GB]. Alternatively, you can set an “opt-out cookie” which will prevent the capture of your data during future visits of this website.

1.3 Analysis of usage behaviour – SessionCam
We use SessionCam, a web analysis service of SessionCam Ltd, for anonymous analysis of mouse movements, clicks, scrolling behaviour and form entries, although any personal form entries (e.g. name, bank details) are automatically anonymised on collection.
You can prevent the anonymised recording of your usage behaviour at any time by setting an opt-out cookie [https://sessioncam.com/choose-not-to-be-recorded/].

1.4 Google Maps
Some subpages of this website use map materials of the service Google Maps. When accessing subpages in which the Google Maps service is embedded, in technical terms the map material is retrieved using the user’s IP address, i.e. Google’s servers can save and use your IP address and other data automatically sent by your browser (see point 1.1 above, Server log data). The map service is operated by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (“Google) and is solely governed by Google’s Data Protection Terms (Google Privacy Policy). We would like to point out that personal data may be transmitted to the USA and other non-EU countries that may be categorised as insecure countries in data protection terms according to the GDPR. We have no influence on the type and scope of data processing carried out by Google.

1.5 Google reCAPTCHA
In some form entries on this website, the Google reCAPTCHA is used to prevent automated mass entries by malicious software. Here, Google has no access to form entries, it rather analyses the movement pattern of the mouse, as well as the click pattern, to determine whether a human or a machine is at work. When retrieving this form fields, in technical terms they are retrieved using the user’s IP address, i.e. Google’s servers can save and use your IP address and other data automatically sent by your browser (see point 1.1 above, Server log data). reCAPTCHA is operated by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (“Google”), and is solely governed by Google’s data protection terms (Google Privacy Policy). We would like to point out that personal data may be transmitted to the USA and other non-EU countries that may be categorised as insecure countries in data protection terms according to the GDPR. We have no influence on the type and scope of data processing carried out by Google.

1.6
Data is processed to facilitate the presentation of our company and its goods and services on the internet, as well as exchange with communication partners. When you subscribe to our newsletter, we process your data to enable us to send you the newsletter. Website usage behaviour is evaluated to ensure the site is configured in accordance with the requirements.

1.7
The legal basis for this processing is Art. 6(1)(f) GDPR (legitimate interest, operation of an internet presence and exchange with communication partners). The legal basis for the processing of newsletter data is Art.6(1)(a) GDRP in conjunction with Art. 7 GDPR (consent). The legal basis for analysis of usage behaviour is Art. 6(1)(f) GDPR (legitimate interest, namely the configuration of the website in accordance with the requirements).

1.8
Logging and communication data are not passed on to third parties unless particular circumstances apply. Data may be passed on to the police and public prosecutors where there is suspicion of a criminal offence or to facilitate investigation procedures.

1.9
IP addresses are anonymised after 24 hours at the latest. Newsletter data is deleted upon unsubscribing from the newsletter. Pseudonymous usage data is deleted after a period of three months.
1.10 The website cannot be used without disclosure of personal data such as your IP address. Communication via the website is not possible without entering data. Entering data is required for the receipt of the newsletter. Without such data the newsletter cannot be sent. It is still possible to use the website if the user rejects pseudonymous usage analysis.

 

2. Hotel guests

2.1
When accommodation is booked, the purpose of processing your data is the conclusion of a contract and the execution of the contractual relationship, as well as fulfilment of statutory requirements. Should the booking service of the hotel be tasked with booking tickets and other services, the purpose of processing is to carry out the desired booking. We also process your contact data and the time and duration of your visit for the purpose of tracing risks for infections with the coronavirus (SARS-CoV-2) and thereby to prevent the spread of infections to protect our visitors, employees and business partners, as well as to inform you about possible risks of infection. Should video monitoring be installed in the publicly accessible areas of the hotel, the purpose of the video monitoring is to maintain order in the building and to reveal and prosecute criminal offences, as well as to enforce claims under civil law.

2.2
The legal basis for the processing of contracts with natural persons is Art. 6 (1)(b) GDPR (preparation and performance of the contract); for contracts with legal entities it is Art. 6(1)(c) GDPR (legal obligations, particularly reporting obligations, as well as fiscal and commercial provisions). The legal basis for the processing of your data for the purpose of preventing the spread of the coronavirus is Art. 6 (1)(c) GDPR (legal obligations, if required by national law) or Art. 6(1)(f) GDPR (legitimate interest in preventing the spread of infections with the coronavirus and protection of our employees, visitors and business partners).
The legal basis for video monitoring is Art. 6.(1)(f) GDPR (legitimate interest, namely maintenance of order in the building, revelation and prosecution of criminal offences, enforcement of claims under civil law).

2.3
Recipients of data may be franchisors of the respective hotel brand, as well as banks, for the processing of payments. When booking further services through the booking service, data is passed on to the relevant service provider. In the event of a possible infection with the coronavirus and upon request by the authorities, we will forward your contact details and information about possible contact persons during the time of your stay to the relevant authorities, as far as we are entitled or obliged to transfer data. Where we are obliged or entitled to transfer data, recipients may include authorities and agencies within the scope of their duties. On suspicion of a criminal act or in investigation procedures, data from video monitoring may be passed on to the police and public prosecutors. We also use service providers in our order processing, particularly for the provision, maintenance and servicing of IT systems.

2.4
In accordance with fiscal and commercial retention terms, all data related to contracts and bookings is retained for a period of ten calendar years following the end of the contract. Data collected by us solely for the purpose of preventing a spread of the coronavirus will be deleted four weeks after your visit, unless there is the possibility that you were exposed to a risk of infection. In this event, we will store your data for as long as it is necessary to trace contacts and prevent a spread of the infection. Recordings from video monitoring systems are generally deleted after three days at the latest.

2.5
Hotel guests are both legally and contractually obliged to provide data. Without provision of data, there is no foundation for the contractual relationship and the contract cannot be enacted. Recording by video monitoring systems occurs automatically. There is no option for entering monitored areas without being recorded.

2.6
Where bookings are received via third-party operated booking portals or booking hotlines, the latter transfer contractually relevant data such as contact and billing data, booking period and room category to the operator of the hotel for the purpose of initiating and enacting the contract.

 

3. Interested parties, communication partners

3.1
We process data from interested parties and communication partners for the purpose of communication with the stakeholders involved.

3.2
The legal basis for the processing of data from interested parties and other communication partners is Art. 6(1)(f) GDPR (legitimate interest, namely communication with interested parties and communication partners).
3.3
We pass queries on internally to the employee responsible. We also use service providers in our order processing, particularly for the provision, maintenance and servicing of IT systems.

3.4
Queries and communications are automatically deleted after ten calendar years.

3.5
Interested parties and communication partners are required to provide data. Without such data communication is not possible.


4. Business partners and their employees

4.1
The purpose of processing is the preparation and performance of contracts, as well as communication with the employees of business partners.

4.2
The legal basis for the processing of contracts with natural persons is Art. 6(1)(b) GDPR (preparation and performance of the contract); for contracts with legal entities it is Art. 6(1)(f) GDPR (legitimate  interest, namely communication with contact persons relevant to the contract); as well as Art. 6(1)(c) GDPR (legal obligations, particularly fiscal and commercial provisions).

4.3
For the processing of payments, recipients of data may include banks. Where we are obliged or entitled to transfer data, recipients may include authorities and agencies within the scope of their duties. We also use service providers in our order processing, particularly for the provision, maintenance and servicing of IT systems.

4.4
In accordance with fiscal and commercial retention terms, all data related to contracts and bookings is retained for a period of ten calendar years following the end of the contract.

4.5
Business partners and the employees of business partners are both legally and contractually obliged to provide data. Without provision of data, there is no foundation for the business relationship, and it cannot be carried out.

 

5. Rights of affected persons and other details

5.1
There is no transferral of data to non-EU countries.

5.2
We do not use procedures for automated case-by-case decisions.

5.3
You have the right to demand at any time information about all personal data relating to you that we process.

5.4
Should your personal data be incorrect or incomplete, you have the right to obtain correction and completion.

5.5
You can demand the deletion of your personal data at any time, as long as we are not legally obliged or entitled to process your data further.

5.6
If the legal conditions apply, you may demand a restriction on the processing of your personal data.

5.7
You have the right to raise an objection to the processing where data processing is carried out for the purpose of direct marketing or profiling.

5.8
Should the processing be carried out on the basis of balancing interests, you may object to the processing on presentation of grounds that relate to your particular situation.

5.9
Should the data processing take place on the basis of your consent or in the fulfilment of a contract, you have the right to portability of the data provided by you, as long as this does not adversely affect the rights and liberties of other persons.

5.10
Where we process data on the basis of a declaration of consent, you have the right to revoke this consent at any time, with effect for the future. Processing carried out prior to the revocation remains unaffected by the revocation.

5.11
You also have the right at any time to lodge a complaint with the supervisory authorities responsible for data protection if you are of the opinion that data processing is being carried out in violation of applicable law.

 

Last updated: June 5, 2020