Data protection

1. PRELIMINARY REMARKS

We take the protection of your personal data very seriously and want you to be safe when visiting our website. Our data protection practices comply in particular with the provisions of the EU General Data Protection Regulation (EU GDPR), the German Federal Data Protection Act (BDSG-neu) and the German Telemedia Act (TMG). At this point, we would like to inform you about the type, scope and purpose of the processing of your personal data. We would like to point out in advance that this data protection declaration only refers to our websites and does not apply to third-party websites to which we refer in the form of links.

2. OBJECT OF PROTECTION

The object of protection is personal data. This is all information relating to an identified or identifiable natural person (hereinafter "data subject"). This includes, in particular, information that allows conclusions to be drawn about your identity (e.g. details such as name, postal address, e-mail address and telephone number).

3. PURPOSE

Park-Hotel Hagenbeck GmbH is an operator of hotel rooms in Hamburg. In order to offer customers a high standard of service and comfort, we provide individual solutions based on a high degree of digitalization, among other things. The customer's needs are thus mapped in a digital customer journey from booking to departure. Based on years of experience within the hotel industry, we collect the necessary data for this

4. DIGITAL CUSTOMER JOURNEY ("GUEST JOURNEY")

We rely on many digital processes in our hotel so that we can offer our guests a unique hotel service and stay, from booking, check-in and access to our hotel to check-out, which can be organized and designed by our guests via their mobile device according to their needs (hereinafter "Guest Journey"). The following explanations for the website also apply mutatis mutandis to apps and other channels of our hotel with which the Guest Journey is organized.

For the Guest Journey, we use the software-supported hotel management solution and central data management platform likeMagic from likeMagic AG, Memphispark, Wallisellenstrasse 57, 8600 Dübendorf, Switzerland (hereinafter "Platform"), which enables the control, monitoring, processing, analysis and evaluation of accommodation processes in hotel facilities and in which all functions of the reservation, front office and property management areas are combined in one interface.Interfaces connect the platform with other applications and infrastructure for the operation and management of our hotel. Furthermore, the platform also bundles access for us via corresponding interfaces to application programs licensed by us from third parties and thus supports defined services in the area of essential, typical hotel operating processes as part of the guest journey, such as booking, billing, guest entry and guest exit processing, guest communication, guest hospitality, locking system management, cleaning management, etc. We (Park-Hotel Hagenbeck GmbH) are responsible for the data stored in the platform, which is stored by Google on servers in Switzerland.

We have concluded an order processing agreement with likeMagic AG to ensure the protection of your personal data. By agreeing to this privacy policy, you authorize likeMagic AG to use your personal data processed by us for its own research and product development purposes.

5. COLLECTION AND PROCESSING OF PERSONAL DATA

5.1 Categories of personal data

Personal data that we collect from you and other persons (e.g. family members, accompanying persons) in connection with the Guest Journey via our website, apps and other channels is stored and processed in the aforementioned platform (see also section 1.3).

In particular, the following categories of personal data are involved:

  • Data and information disclosed to us when room bookings are made (in particular title, first and last name, address, email address, date of birth, telephone number, language, booking details [date of stay, number of rooms, room category, number of persons recorded by the booking, selected additional packages etc.], credit card information (PCI/DSS compliant encrypted), date and time of booking [time stamp]; expected arrival time, if applicable, desired bed type and/or other preferences, comments)
  • Data and information that is or becomes known to us in connection with your stay in our hotel, in particular for the fulfillment of legal reporting obligations (first and last name, address and canton, date of birth, place of birth, nationality, arrival and departure date; incl. copy of official identification card and signature, room number), in connection with the purchase of additional (chargeable) services such as restaurant, mini-bar, wellness, excursion offers, sports offers, etc. (in particular first and last name, subject of service, time of service purchase/provision, or what you inform us about (e.g. preferences)
  • Data and information that arise in connection with the use of our facilities, the common areas and your room (i.e. dates and times of access)
  • Data and information disclosed to us when using the communication function and in the course of communication with you (in particular first and last name or user name, if applicable; communication channel; communication product/solution; e-mail address and/or telephone number; date and time of communication; status of messages (opened, read, clicked); content of communication)
  • Data provided to us when opening a customer account (in particular first and last name, email address, password [encrypted as hash with salt], date and time of registration [timestamp], status of email verification)
  • Data that is disclosed to us when logging into the customer account, depending on the type of login you choose (email login authentication data [email address, password] or social login authentication data [email address, ID token], date and time of login [timestamp])

This personal data is generally collected from our guests themselves. However, it can also be collected via third parties, e.g. if a guest provides us with personal data of other persons / accompanying persons (e.g. family members) or if, for example, a booking is initiated by a third party. If you provide us with personal data of other persons (e.g. family members, accompanying persons), we ask you to ensure that these persons are aware of this data protection declaration and only provide us with their personal data if you are permitted to do so and this personal data is correct.

We then receive certain data from you via interfaces that connect the platform with application programs licensed from third parties in connection with the guest journey in the area of essential, typical hotel operating processes such as booking, billing, guest entry and guest exit processing, guest communication, guest hospitality, locking system management, cleaning management, etc., as well as with the other applications and infrastructure of our hotel.

If a booking or check-in is made using a customer account, the data already stored in the customer account and required for the booking or check-in, such as title, first and last name, address, e-mail address, date of birth, telephone number, language and registration form data, will be used for this purpose.

If you make your bookings for your stay in our hotel via a third-party platform, we receive various personal data and information from you from the respective platform operator, which we store and process in the platform we use. This is essentially data and information that we also collect when a booking is made without a third-party platform, i.e. title, first and last name, address, email address, date of birth, telephone number, language, booking details (date of stay, number of rooms, room category, number of people included in the booking, selected additional packages, etc., date and time of booking [time stamp]; expected arrival time, bed type and/or other preferences, comments, if applicable).

5.2 Central storage and linking of your data

The data and information mentioned above in section 5.1, which we collect in particular in connection with the Guest Journey, are systematically recorded and linked by us in order to process your bookings and handle the contractual services. As mentioned above, we use the software-supported hotel management solution and central data management platform likeMagic from likeMagic AG, Dübendorf, Switzerland, for this purpose. Your personal data is transferred to the platform via interfaces that connect the platform with application programs licensed from third parties in connection with the guest journey in the area of essential, typical hotel operating processes such as booking, billing, guest entry and guest exit processing, guest communication, guest hospitality, locking system management, cleaning management, etc., as well as with the other applications and infrastructure of our hotel.

In order to store and link the personal data of our guests, a separate guest ID is created for each guest for the respective hotel or hotel group. Accordingly, we also try to identify the guest in our database for each booking. If we have previously welcomed you to our hotel or hotel group (hotels and apartments operated by Hospitality Xpeterience GmbH; The Zipper Hotel & Apartments, Düsseldorf; Park-Hotel Hagenbeck, Hamburg) and we are authorized to do so, we will also make a comparison with any personal data you may have stored in order to keep our customer data up to date, in particular to enable you to check in efficiently and to provide you with a stay tailored to your needs.

We base this processing on our legitimate interest in the efficient management and control of our hotel and in customer-friendly and efficient customer data management.

We would also like to point out that, with your consent by agreeing to this privacy policy, we can also use the personal data and information from you mentioned above in section 1.2, which we store and link in the platform, with the help of the software-supported hotel management solution we use, to analyze certain personal aspects such as personal preferences, interests, etc.. We can use the knowledge gained from this to enable a stay tailored to your needs or to make you offers tailored to your personal interests and preferences. Furthermore, such data generally helps us to increase the efficiency of our operational processes and to constantly improve our offer for our guests.

5.3 Disclosure of personal data

The personal data collected from you as part of the Guest Journey will, if necessary, be passed on to internal departments or, via appropriate interfaces, to external service providers in Switzerland and abroad, namely as part of the processing and handling of your bookings and as part of your stay. External service providers to whom your personal data may be forwarded or who have or may have access to it are, in addition to the aforementioned likeMagic AG, Dübendorf, Switzerland, other order processors and service providers (including IT service providers, services for processing reservation data [property management] or in the area of CRM, payment processing, digital key solutions, etc.). An overview of the processors and service providers used in connection with the platform can be found on the likeMagic AG website at www.likemagic.tech.

If, in connection with the involvement of external service providers, it is necessary to transfer personal data to a country whose level of data protection does not correspond to that of Switzerland or Europe, we ensure the protection of your personal data by contract (e.g. by using the EU standard contractual clauses for the transfer of personal data).

Otherwise, your personal data will only be passed on if you have expressly consented to this, if this is necessary for the initiation or execution of the contract, if there is a legal obligation to do so or if this is necessary to enforce our rights, in particular to enforce claims arising from the contractual relationship or other rights, or if the processing is carried out to protect a legitimate interest on our part or that of third parties. In rare cases, it may be necessary to disclose personal data in order to protect the vital interests of the data subject or another natural person.

5.4 Retention period

Without your consent, we will only store your personal data in the platform beyond your stay to the extent and for as long as is necessary to comply with our legal obligations or for as long as we have a legitimate interest in doing so (such as an interest in evidence in the event of claims, documentation of compliance with legal or other requirements, or an interest in non-personal evaluations). In particular, we store contract data in accordance with the statutory retention obligations. Retention obligations that oblige us to retain data result from regulations on reporting law, accounting and tax law. According to these regulations, business communication (including e-mails), concluded contracts and accounting documents must be stored for up to 10 years. If we no longer need this data to perform the services for you, the data will be blocked. This means that the data may then only be used for accounting and tax purposes.

Insofar as we are permitted to process your personal data beyond the initiation and execution of the contract with your consent, we generally process this data without a specific time limit. We will retain it for as long as is necessary to achieve the purposes of the processing or for as long as you ask us to stop such processing (and for a short period thereafter so that we can comply with your request), unless we have other legally permissible reasons for continuing to retain your personal data. We will also record the fact that you have asked us to stop processing your data so that we can continue to comply with your request. You can revoke your consent to storage at any time, with effect for the future, by sending an e-mail to [info@parkhotel-hagenbeck.de].

If you have a customer account, the data stored in or linked to your customer account will be stored by us until you delete your customer account, unless and insofar as this conflicts with any statutory retention obligations or legitimate interests on our part.

5.5 Website

Technical requirements

To enable you to connect to our website, your browser transmits certain data to the web server of our website. This is a technical necessity so that the information you have called up can be made available by the website. To make this possible, your IP address, the date and time of your request and the type of operating system you are using are stored and used for a maximum of 30 days. We reserve the right to store this data for a limited period of time to safeguard our legitimate interests in order to initiate a derivation of personal data in the event of unauthorized access or an attempt to deliberately harm us in this way (Art. 6 para. 1 f GDPR). The data will only be stored or forwarded by us for these and no other purposes without us informing you in advance and asking for your permission.

Cookies

Cookies are small text files that are stored on your computer or mobile device via your browser, e.g. to recognize whether you visit websites repeatedly from the same device or browser. In general, we use cookies to analyze interest in our website and to improve the user-friendliness of our website. In principle, however, you can also access our website without cookies. Cookies can generally be deactivated or removed with the help of tools that are available in most commercial browsers. The settings must be defined separately and set individually for each browser you use. The various browsers offer different functions and options for this purpose. In order to be able to use our website fully and conveniently, you should accept those cookies that enable the use of certain functions or make use more convenient.

Customize cookie settings

Use of our contact forms

There are contact forms on our website that you can use to contact us for various purposes. To ensure that your data is transmitted securely, we use a state-of-the-art encrypted connection with an SSL certificate during transmission. By clicking the "Submit Form" button, you consent to the transmission of the data entered in the input mask to us. We store your name and e-mail address and any other information you provide so that we can contact you and respond to your request in the best possible way. On the one hand, this enables us to offer you the service you expect from us and, on the other hand, it gives us the opportunity to continuously improve (Art. 6 para. 1 f GDPR). There are also forms on our website that can be used to send us your application. In addition to the above-mentioned information, further information is required here that is necessary to carry out the measures required for the request (Art. 6 para. 1 f GDPR).

This includes, among other things:

  • Contact details
  • Personal details (e.g. date of birth)
  • Data on your professional background and references
  • Data on your skills

Your data will be saved for the purpose of placement and for the purpose of further placement.

Tracking tools

Our website uses functions of various web analysis services from other companies such as Google Inc. We will explain in more detail below which services are involved and which data is analyzed.

Use of Google Analytics with anonymization function

We use Google Analytics on our website, a web analysis service provided by Google Inc, 1600 Amphitheatre Parkway, Mountain View, CA 94043 USA, hereinafter referred to as "Google". Google Analytics uses cookies that enable your use of the website to be analyzed. The information generated by the cookies about the use of our website (e.g. when, where and how often you access our website, including your IP address) is generally transmitted to a Google server in the USA and stored there. To ensure that your IP address is not personally identifiable, it is shortened immediately after collection (e.g. by deleting the last 8 bits) and thus anonymized. IP anonymization also applies to all member states of the European Union or in other contracting states of the European Economic Area. Further information on IP anonymization and the use of data by Google can be found at: support.google.com/analytics/answer/2763052 - If you want to decide for yourself which data Google collects about the websites you visit, you can download a deactivation add-on for your Internet browser. However, this add-on does not prevent data from being transmitted to us or other web analysis services we use. Further information on the use and installation of the add-on can be found at: https: //tools.google.com/dlpage/gaoptout?hl=de

Subscription to our e-mail newsletter

On our website, users are given the opportunity to subscribe to a newsletter for marketing purposes. By entering the data, the data subject consents to data processing in accordance with the following provisions; the legal basis for processing is therefore Art. 6 para. 1 lit. a GDPR. The data subject has all the rights listed below, in particular the right to withdraw consent under data protection law, whereby the assertion of such rights may result in you being excluded from subscribing to our newsletter.

Which personal data is transmitted to the data controller when you subscribe to the newsletter can be seen from the input mask used for this purpose. We inform our customers and business partners at regular intervals by means of a newsletter about offers from the company and its hotel partners. Our company's newsletter can only be received by the data subject if (1) the data subject has a valid e-mail address and (2) the data subject registers to receive the newsletter. For legal reasons, a confirmation e-mail is sent to the e-mail address entered by a data subject for the first time for the newsletter mailing using the double opt-in procedure. This confirmation email is used to check whether the owner of the email address as the data subject has authorized the receipt of the newsletter.

When registering for the newsletter, we also store the IP address assigned by the Internet service provider (ISP) of the computer system used by the data subject at the time of registration, as well as the date and time of registration. The collection of this data is necessary in order to be able to trace the (possible) misuse of a data subject's e-mail address at a later date and therefore serves as legal protection for the controller.

The personal data collected when subscribing to the newsletter is used exclusively to send our newsletter and the customer journey described above in order to personalize the customer experience. Furthermore, subscribers to the newsletter may be informed by e-mail if this is necessary for the operation of the newsletter service or a registration in this regard, as could be the case in the event of changes to the newsletter offer or changes to the technical circumstances. We have commissioned the newsletter dispatch service provider Serenata IntraWare GmbH for the registration and dispatch of the newsletter.

The subscription to our newsletter can be canceled by the data subject at any time. The consent to the storage of personal data, which the data subject has given us for the newsletter dispatch, can be revoked at any time. There is a corresponding link in every newsletter for the purpose of revoking consent. It is also possible to unsubscribe from the newsletter at any time directly on the controller's website or to inform the controller of this in another way.

The newsletters contain so-called tracking pixels. A tracking pixel is a miniature graphic that is embedded in e-mails that are sent in HTML format to enable log file recording and log file analysis. This allows a statistical evaluation of the success or failure of online marketing campaigns to be carried out. The embedded pixel-code can be used to recognize whether and when an e-mail was opened by a data subject and which links in the e-mail were accessed by the data subject.

Such personal data collected via the tracking pixels contained in the newsletters are stored and evaluated by the controller in order to optimize the newsletter dispatch and to adapt the content of future newsletters even better to the interests of the data subject. Data subjects are entitled at any time to revoke the separate declaration of consent given in this regard via the double opt-in procedure in accordance with Art. 6 para. 1 lit. a GDPR/§ 25 para. 1 TDDDG. Here we work together with the newsletter dispatch service provider Serenata IntraWare GmbH. Detailed information on the newsletter dispatch service provider Serenata IntraWare GmbH and data collection and data processing can be found under the following links to the service provider:

https://www.cendyn.com/cendyn_customer_dpa

https://www.cendyn.com/processing_details

6. FURTHER GENERAL INFORMATION

6.1 Amendment of this privacy policy

We review the privacy policy at regular intervals for conformity with statutory provisions, case law, the statements of the supervisory authorities as well as for alignment with emerging trends and the development of technical standards. In this respect, we reserve the right to make changes to the privacy policy in order to adapt it to new legal provisions on data protection and other changes in the factual or legal situation. Therefore, please always inform yourself about the data protection declaration applicable at that time when you start using our website.

6.2 Responsibility

Park-Hotel Hagenbeck GmbH is responsible for data processing on our website. You can find the contact details in the legal notice (see below). You can reach our data protection officer at the following address

Hospitality Xpeterience GmbH in the name and on behalf of Park-Hotel Hagenbeck GmbH
Company: Hsopitality Xpeterience GmbH

Registered office of the company: Düsseldorf
Managing directors: Otto K. Lindner, Tobias S. Oberdieck
HRB: 97455
Register court: Düsseldorf Local Court

Company: Parkhotel Hagenbeck GmbH
Registered office: Hamburg
Managing Director: Joachim Weinlig-Hagenbeck
HRB: 94473
Register court: Hamburg Local Court

6.3 Who receives your personal data? (Art. 13 para. 1 e, f GDPR)

We treat your personal data confidentially and do not pass it on to third parties unless you have given your consent or the provision is based on a legal or contractual obligation. In individual cases, we commission processors to process your personal data. This is done in accordance with Art. 28 GDPR and on the basis of a contract data processing agreement. By using the contact form, you also make your data available to these affiliated companies. If you wish to restrict the use of your data for them, you can inform our data protection officer in writing by e-mail.

6.4 How long will the data be stored? (Art. 13 para. 2 a GDPR)

The legislator has issued various retention obligations and periods. In principle, we only store your data for as long as required by law. After these periods have expired, the corresponding data is routinely deleted if it is no longer required to fulfill the contract. We store data that we process on the basis of your consent until you withdraw your consent or for as long as the data is required. We store data that we process on the basis of a legitimate interest for as long as the legitimate interest exists. Commercial or financial data from a completed financial year will be deleted after a further ten years in accordance with legal regulations, unless longer retention periods are prescribed or required for legitimate reasons. If data is not subject to specific retention periods, it will be deleted when the purposes for which it is processed cease to apply.

6.5 For what purposes and on what legal basis do we process your personal data? (Art. 13 para. 1 c, d GDPR)

We have already explained the purposes and legal bases of data processing. In addition, the following generally applies: If necessary, we process your data to protect our legitimate interests or those of third parties in accordance with Art. 6 para. 1f GDPR, for example for the assertion of legal claims and defense in legal disputes or to ensure IT operations and security. If we have a legitimate interest or have received written consent from you to process your personal data, we process your data for the purposes of external communication and marketing on the basis of Art. 6 para. 1 a or f GDPR. You have the right to withdraw your consent at any time. For the fulfillment of legal requirements, we may or must, if necessary, process your data and pass it on to third parties (in accordance with Art. 6 para. 1c). We do not use your data in any way for automated decision-making or profiling. We also use cookies to offer you an improved service when using our website and to make it easier for you to use this website (Art. 6 para. 1 f GDPR)

6.6 What rights and obligations do you have? (Art. 13 para. 2 b, c, d, e GDPR)

Every data subject has the following rights:

  • Art. 15 GDPR, you have the right to information. This means that you can request confirmation from us as to whether personal data concerning you is being processed by us.
  • In accordance with Art. 16 GDPR, you have the right to rectification. This means that you can request that we rectify any inaccurate personal data concerning you.
  • In accordance with Art. 17 GDPR, you have the right to erasure ("right to be forgotten"). This means that you can demand that we delete personal data concerning you immediately - unless we cannot delete your data because, for example, we have to comply with statutory retention obligations.
  • In accordance with Art. 18 GDPR, you have the right to restrict processing. This means that we may no longer process your personal data - apart from storing it.
  • In accordance with Art. 20 GDPR, you have the right to data portability. This means that you have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format and to transmit those data to another controller.
  • In accordance with Art. 7 para. 3 GDPR, you have the right to withdraw your consent at any time for the future.
  • Pursuant to Art. 13 GDPR, you have the right to lodge a complaint with the competent supervisory authority.

You also have the right to object, which we explain in more detail at the end of this data protection information.

If you wish to exercise your rights, please contact the data protection officer (see above for contact details).

6.7 Responsible supervisory authority

State Commissioner for Data Protection
Hamburg
House address: Ludwig-Erhard-Str. 22, 20459 Hamburg
Phone: +49 40 / 428 54 - 4040 (Hamburg telephone service)
Email address: mailbox(at)datenschutz.hamburg.de

6.8 Information on your right to object pursuant to Art. 21 of the General Data Protection Regulation (GDPR)

You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on Article 6(1)(f) GDPR (data processing on the basis of a balancing of interests); this also applies to any profiling based on this provision within the meaning of Article 4(4) GDPR. If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves the establishment, exercise or defense of legal claims. Please send your objection in writing (by email or post) to our data protection officer (see above for contact details)