Insofar as this privacy statement refers to We or Us, this is always AccorInvest Germany GmbH as the responsible controller.
For you to feel safe when visiting our website, we strictly comply with the legal requirements for the processing of your personal data and hereby wish to inform you about how we collect and use data.
We undertake to comply with the GDPR and with national data protection laws that apply. For us, the protection of data and your privacy has a high priority throughout the entire company and we only
co-operate with partners that can equally provide a respective level of data protection in the context of their processing activities. We process your data only if you provided your express consent for
this to us; if this refers to services and work under a contract or pre-contractual measures; or insofar as the relevant laws permit or possibly even oblige us to process data.
The following privacy notice covers both the currently applicable national legal frame as well as the requirements under the GDPR that are valid throughout all of Europe starting 25 May 2018. In no event
will we sell your data or pass these to unauthorized third parties.
The following privacy statement has been prepared to explain to you which data our website collects and which data we process and use.
IV. Provision of Website and Creation of Log Files
1. Description and scope of data processing
Each time our internet site is called up our system automatically records data and information from the calling computer system.
The following data are collected:
• information regarding the browser type and the version used;
• the user’s operating system;
• the user’s internet service provider and it’s version;
• truncated IP addresses;
• the date, time, and duration of access;
• websites from which the user’s system accesses our internet site (referrer URL);
• websites which are called up by the user’s system via our website
• called data file
• quantity of transmitted data
The data are also saved in the log files of our system. These data are not stored together with other personal data of the user.
2. Legal basis data processing data
Article 6 (1) lit. f GDPR constitutes the legal basis for the temporary storing of data and log files.
3. Purpose of data processing
The temporary storing of the IP address by the system is required to allow the delivery of the website to the user’s computer. For this, the user’s IP address must be stored for the duration of
the session.
Log files are stored so as to ensure the website’s functionality. In addition, the data serve to help us optimize the website and to safeguard the security of our information technology systems.
An analysis of the data for marketing purposes does not take place in this context.
These purposes also constitute our legitimate interests in the processing of data pursuant to Article 6 (1) lit. f GDPR.
The data are erased as soon as they are no longer required to achieve the purpose for which they were collected. In the event that the data were collected to provide the website, this applies as
soon as the respective session has ended.
In the event that the data are stored in log files, this applies after seven days the latest. Storing beyond this is possible. In this case the users’ IP addresses are erased or alienated so that
it is no longer possible to identify the calling client.
To run the internet site, it is stringently required to record the data to provide the website and save the data in log files. Therefore, it is not possible for the user to object.
V. Contact Form and Email Contact
1. Description and scope of data processing
Our website contains a contact form which can be used to contact us electronically. If a user seizes this option, the data entered in the input screen are transmitted to us and stored.
These data are:
• salutation
• first name
• last name
• Company
• address
• telephone
• email address
• Eventdate
• number of participants
• seating
• kind of event
• number of rooms required
• Details of the request
At the time of sending the message, the following data are also saved:
• date and time of making contact.
In order to process the data, your consent is obtained during the sending process and reference is made to this privacy statement.
Alternatively, making contact via the email address provided is also possible. In this case, the personal data of the user provided in the email that was sent are saved.
In that regard, the data are not forwarded to third parties. The data are used exclusively to process the conversation.
2. Legal basis for processing data
Article 6 (1) lit. a GDPR constitutes the legal basis for processing the data if the user has given prior consent.
Article 6 (1) lit. f GDPR constitutes the legal basis for processing the data transferred in the context of sending an email. If the email contact targets the conclusion of a contract, the
additional legal basis for processing it is defined in Article 6 (1) lit. b GDPR.
3. Purpose of data processing
Processing the personal data from the input screen serves the exclusive purpose of handling the contact request. If contact was made by email, this also constitutes the legitimate interest in the
processing of the data.
Any other personal data processed while sending serve to prevent any misuse of the contact form and to safeguard the security of our information technology systems.
The data are erased as soon as they are no longer required to achieve the purpose for which they were collected. This applies to the personal data from the input screen of the contact form and
those forwarded by email if the respective conversation with the user has ended. The conversation has ended if the circumstances indicate that the issue concerned has been closed.
Any other personal data collected during the sending process are erased after a seven-day period at the latest.
The user may withdraw any consent to the processing of personal data at any time. If users contact us by email, they may object to their personal data being stored at any time. In this case the
conversation cannot be continued. It is possible to have the profile deleted by sending an email to rolf(at)lauser-nhk.de. Any and all personal data saved in connection with making contact will be
erased in this case. Moreover, enquiries are completely erased from our system at monthly intervals.
VI. Transfer of Your Data to Third Parties
To create an as pleasant as possible website experience for you as the user we occasionally use the services of partners (third-party providers). Below you have the opportunity to obtain
information about the data protection regulations regarding the services and functionalities applied and used so as to, where appropriate, exercise your rights even with these service partners.
Our web presence uses social plug-ins (‘Plug-ins‘) from different social media networks. These Plug-ins help you, for example, to share content or recommend products. Plug-ins are deactivated on
our websites by default and therefore do not send any data. Press ‘Activate Social Media’ to activate the Plug-ins. Naturally, Plug-ins can be deactivated again by a click of the button.
If these Plug-ins are activated, your browser will directly connect to the servers of the respective social media networks as soon as you call up a website of our online presence. The social media
network will transmit the Plug-in content directly to your browser which integrates the information into the website.
By integrating the Plug-ins, the social media network receives information that you called up the respective page of our online presence. If you logged on to the social media network, it can
associate the visit to your account. If you interact with the Plug-ins, for example by using Facebook’s ‘Like’ button or posting a comment, your browser sends the respective information directly
to the social media network where it is saved.
For more information about the purpose and scope of data collection and the further use and processing of the data by social media networks as well as your rights and setting options to protect
your privacy, please refer to the respective networks or web pages. The links for them have been listed further below.
Even if you do not have any social media accounts, websites with active social plug-ins may send data to the networks. If the plug-in has been activated, an identifier cookie is set every time the
website is called up. As your browser sends this cookie by default for each connection with a network server, the network could (in theory) create a profile about which websites the user
associated with the identifier called. It would also be entirely possible to associate this identifier - for example, when logging on later to the social media network - to a person again.
We use the following plug-ins on our websites:
• Facebook
• Instagram
If you do not wish for social media networks to collect data through activated plug-ins, you may simply deactivate the social media plug-ins with a click on our websites or by selecting ‘Block
Cookies from Third-party Partners’ in your browser settings. In this case, the browser does not send the embedded content of other partners to the server. However, when using this setting, it is
possible that except for the plug-ins, other site-wide functionalities are no longer available.
We use plug-ins by the social media network facebook.com, which is operated by Facebook Inc., 1601 S. California Ave, Palo Alto, CA 94304, USA (Facebook). Click on this link to be redirected to
Facebook’s privacy statement:
Facebook Privacy Notice.
We use plug-ins of the social media network instagram.com, which is operated by Instagram LLC, 1601 Willow Rd, Menlo Park CA 94025 USA (Instagram). Click on this link to be redirected to
Instagram’s privacy statement:
Instagram Privacy Notice.
IX. Rights of Data Subject
Article 15 GDPR in conjunction with Section 34 of the German Federal Data Protection Act (Bundesdatenschutzgesetz - BDSG) provide for the unrestricted right to free access of information regarding
the data that we store on you, and pursuant to Section 35 BSDG, the right to the erasure or blocking of inadmissible data or the right to rectification of inaccurate data.
On request, we are happy to communicate to you in writing whether and which personal data we have stored about you. Insofar as it is possible, we will take appropriate measures to update or
rectify data that we have stored about you at short notice. Please address all information requests, information enquiries or inconsistencies regarding the processing of data by email, stating
your full postal address, directly to our Data Protection Officer.
If we process personal data on you, you are the data subject in the meaning of the GDPR and you have the following rights in relation to the controller:
1. Right of access to information
You may request a confirmation from the controller as to whether we processed personal data that regard you.
If such processing did take place, you may request that the controller provides information about the following
• the purposes for which the personal data are processed;
• the categories of personal data that are processed;
• the recipients or categories of recipients to whom the personal data that regard you were disclosed or are yet to be disclosed;
• the intended storage period for the personal data that regard you or, if specific details are not possible in this regard, criteria on establishing the storage period;
• the existence of the right to the rectification or erasure of personal data that regard you, a right to restricting the processing of personal data by the controller or a right to object to such
processing;
• the existence of the right to lodge a complaint with a supervisory authority;
• any and all available information regarding the origin of the data if personal data are not collected from the data subject;
• the existence of automated decision-making, including profiling pursuant to Article 22 (1) and 4 GDPR and - at least in these cases - meaningful information about the logic involved and the
scope and impact targeted by such processing for the data subject.
You have the right to demand information on whether the personal data that regard you are transmitted to a third country or to an international organisation. In this context you may request to be
informed about suitable safeguards pursuant to Article 46 GDPR in conjunction with the transmission.
2. Right to rectification
You have the right to the rectification and/or completion by the controller provided that the personal data that regard you are incorrect or incomplete. The controller must immediately rectify the
information.
3. Right to restrict the data processing
Subject to the following requirements you may request that the processing of personal data that regard you be restricted:
• if you contest the accuracy of the personal data that regard you for a period which enables the controller to verify the accuracy of the personal data;
• the processing is unlawful, and you reject the erasure of personal data and instead request that use of the personal data be restricted;
• the controller no longer requires the personal data for the purposes of processing, however you require these to assert, exercise, or defend legal claims; or
• if you objected to the processing in accordance with Article 21 (1) GDPR and it has yet to be established whether the justified reasons of the controller override your grounds for objection.
If the processing of personal data that regard you has been restricted, these data - apart from being stored - may only be processed with your consent, or to assert, exercise, or defend legal
claims or to protect the rights of another natural or legal person or for reasons grounded in a crucial public interest of the European Union or of a member state.
If the restriction of data processing was limited in accordance with the above requirements, you will be informed by the controller prior to the restriction being lifted.
4. Right to have data erased
a. Duty to erase data
You may request that the controller immediately erases the personal data that regard you. The controller is obliged to erase these data immediately provided that one of the following reasons
applies:
The personal data that regard you are no longer required for the purposes for which they were collected or processed in any other form or manner.
You revoke your consent which the processing relied on in accordance with Article 6 (1) lit. a or Article 9 (2) lit. a GDPR and there are no other legal grounds for processing.
In accordance with Article 21 (1) GDPR, you object to the processing and there are no justified grounds with a higher priority for processing or, in accordance with Article 21 (2) GDPR, you object
to the processing.
The personal data that regard you were processed unlawfully.
The erasure of personal data that regard you is required to fulfil the legal obligation according to EU law or the law of the member state which governs the controller.
The personal data that regard you were collected in relation to information society services in accordance with Article 8 (1) GDPR.
b. Information to third parties
If the controller disclosed the personal data that regard you and if the controller is obliged to erase them in accordance with Article 17 (1) GDPR, it shall pursue reasonable measures by taking
into consideration available technology and implementation costs, even of technical nature, so as to inform the data controller responsible for the personal data that you as the data subject
requested the erasure of all links to these personal data or of copies or replicas of said personal data.
c. Exceptions
You do not have the right to have data erased if processing is required
• to exercise the right to the freedom of speech and information;
• to fulfil a legal obligation which requires the processing under EU law or the law of member states that govern the controller, or to exercise a task which is in the interest of the public or
which follows the exercise of official authority which was transferred to the controller;
• in the interest of the public within the domain of public health pursuant to Article 9 (2) lit. h and lit. i as well as Article 9 (3) GDPR;
• for archiving purposes in the public interest, scientific or historical research purposes or for statistical purposes in accordance with Article 89 (1) GDPR insofar as the right named under
paragraph a) presumably renders the implementation of the goals under this processing impossible or seriously impairs it; or
• to assert, exercise, or defend legal claims.
If you have asserted the right to the rectification, erasure or restriction of data processing towards the controller, the controller is obliged to communicate this rectification or erasure of
data or restriction of processing to all recipients to whom the personal data that regard you were disclosed unless this proves to be impossible or requires unreasonable effort.
You have the right towards the controller to be informed of these recipients.
6. Right to data portability
You have the right to receive the personal data that regard you which you provided to the controller in a structured, commonly-used and machine-readable format. Moreover, you have the right to
transmit these data to another controller without being impaired by the controller to whom the personal data were provided, provided that
• processing was based on a consent in accordance with Article 6 (1) lit. a GDPR or Article 9 (2) lit. a GDPR or on a contract in accordance with Article 6 (1) lit. b GDPR, and
• processing was performed with the help of automated procedures.
In exercising this right, you also have the right to request that the personal data that regard you are transmitted directly from one controller to another controller insofar as is technically
feasible. The freedoms and rights of other persons must not be impaired by this.
The right to data portability does not apply to the processing of personal data which is required to exercise a task which is in the public interest or which follows the exercise of official
authority which was transferred to the controller.
You have the right to object for reasons resulting from your specific situation at any time to the processing of personal data that regard you, which is executed on the grounds of Article 6 (1),
lit. e or f GDPR; this applies also to any profiling based on this provision.
The controller no longer processes the personal data that regard you unless the controller can provide proof of compelling legitimate grounds for such processing which override your interests,
rights and freedoms, or such processing serves to assert, exercise or defend legal claims.
If the personal data that regard you are processed for direct marketing purposes, you have the right to object to the processing of the personal data that regard you for the purposes of such
marketing at any time.
If you object to the processing for purposes of direct marketing, the personal data that regard you will no longer be processed for these purposes.
8. Right to withdraw consent to the processing of data
You have the right to withdraw your consent to the processing of your data at any time. Your withdrawal of the consent does not affect the lawfulness of any processing carried out by virtue of a
consent that was issued prior to such withdrawal.
9. Right to lodge a complaint with a supervisory authority
Irrespective of any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, especially in the member state of your habitual residence, your
place of work or the location of the alleged infringement if you are of the opinion that the processing of personal data that regard you breaches the GDPR.
The supervisory authority where the complaint was submitted will inform the complainant of the status and the outcome of the complaint including the possibility of any judicial remedy in
accordance with Article 78 GDPR.
Additional information and contacts
If you have any further questions on the issue of Data Protection for the Data Controller, please address the Data Protection Officer of AccorInvest. You may enquire about which data of yours we
store. Moreover, you may send your requests for information on, the erasure of and the rectification of your data and even suggestions by letter or email to the following address:
Prof. Dr. Rolf Lauser
Data Protection Officer
Dr. Gerhard-Hanke-Weg 31
D-85221 Dachau
Email: rolf(at)lauser-nhk.de
As of May 2018