Data Security Information

The Controller pursuant to the General Data Protection Regulation and other national data protection laws of the Member States and other data protection provisions is:

Maritim Hotelgesellschaft mbH
Herforder Strasse 2
32105 Bad Salzuflen
Germany
Phone: +49 (0) 5222 953-0
info.vkd@maritim.de
www.maritim.com

The Controller's Data Protection Officer is:

Sebastian von der Au
EDV-Unternehmensberatung Floß GmbH 
Hopfengarten 10 
33775 Versmold 
Germany
Phone: +49 (0) 5423 964900 
datenschutz@maritim.de

Object of Data Security

The object of data protection is personal data.
Personal data pursuant to the German Federal Data Protection Act (BDSG) is any individual information relating to the personal or material circumstances of a specific or identifiable natural person. The GDPR further defines "personal data" as any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier, such as a name, an identification number, location data or an online identifier.

A Data Subject is any identified or identifiable natural person whose personal data is processed by the Controller responsible for processing.

Processing entails any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Description and scope of data processing

Each time our website is accessed, our system automatically gathers data and information from the computer system of the calling computer.

The following data is collected:

• Information about the browser type and the version used
• User's operating system
• User's Internet service provider
• User's anonymised IP address
• Date and time of access
• Websites from which the user's system accesses our website
• Websites that the user's system accesses from our website
• Keywords entered
• Information about the device type used
• Language settings
• The frequency with which pages are called

The data is also stored in the log files of our system. This data is not stored together with other personal data belonging to the user.

Legal basis for data processing

The legal basis for the temporary storage of data and log files is Article 6 (1) f) GDPR.

Purpose of data processing

It is necessary for the IP address to be stored temporarily by the system in order to allow the website to be delivered to the user's computer. For this, the user's anonymised IP address must be stored for the duration of the session.

It is stored in log files to ensure the functionality of the website. In addition, the data is used to optimise the website and to ensure the security of our information technology systems. The data is not evaluated for marketing purposes in this context. For these purposes, our legitimate interest lies in the processing of data pursuant to Article 6 (1) f) GDPR.

Storage duration

The data will be deleted as soon as it is no longer required for the purpose for which it was gathered. If the data is gathered for the purpose of providing the website, this is the case when the respective session is terminated. When data is stored in log files, this is the case after a maximum of seven days. Longer storage is possible. In this case, the IP addresses of the users are deleted or anonymised, so that they can no longer be linked to the calling client.

Objections and remedies

The gathering of data for the provision of the website and the storage of the data in log files are essential for the operation of the website. There is consequently no possibility for the user to object.

This website uses Google Analytics Universal, web analysis service of Google Inc. ("Google"). Google Analytics uses "cookies", which are text files placed on your computer, to help the website analyse how you use the site. The information generated by the cookie concerning your use of this website generally will be passed on to a Google server in the USA and saved there. We wish to expressly point out that the website uses Google Analytics with the "anonymizeIp" add-on, which means that IP addresses are only processed in truncated form to prevent any direct reference to a particular person. The full IP address will only be transmitted to a Google server in the US and truncated there in exceptional cases. Acting on behalf of the operator of this website, Google will use this information to evaluate your use of the website, to compile reports on website activity and to provide other services related to website activity and Internet usage to the website operator. The IP address provided by your browser as part of Google Analytics will not be merged with other Google data. You may refuse to allow the storage of cookies by selecting the appropriate settings in your browser software, however please note that if you do this you may not be able to use the full functionality of this website. In addition, you may prevent the collection of the data generated by the cookie and related to your use of the website (including your IP address) by Google as well as the processing of this data by Google by downloading and installing the browser plug-in available under the following Link. As an alternative to the browser add-on or within browsers on mobile devices, please click this link to prevent the gathering of data by Google Analytics within this website in the future (the opt-out only applies in the particular browser and only for this domain). This involves placing an opt-out cookie on your device. To delete cookies in the respective browser, you must click this link again.

Sessions generally end after 30 minutes of inactivity, while campaigns end after six months. The time limit for campaigns can be a maximum of two years. For more information on Terms of Use and Data Security see: https://www.google.com/analytics/terms/de.html

Google Tag Manager is used on our websites to manage our website tags by means of an interface. The Tag Manager itself is a cookie-free domain that does not gather personal data. The task of the tool is to trigger other tags, which in turn may capture data under certain circumstances. However, Google Tag Manager does not access this data. Of course it is possible to obtain additional information about this and to disable the service if necessary. Click here to opt-out of tracking by Google Tag Manager.

We use Google Fonts on our website. This enables us to integrate certain fonts into our website. Google Fonts is a service of Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA ("Google"). The fonts are not loaded from Google, but are installed locally on our web server.

For more information on Terms of Use and Data Protection see: https://www.google.com/policies/privacy/

Personal data will be transferred to locations in third countries if

• this is necessary in order to complete the website user's booking and manage the guest's stay at the hotel
• it is required by law
• or it has been approved by the user

As already mentioned elsewhere in this Privacy Policy, for certain tasks our company cooperates with service providers whose corporate headquarters are located in third countries, whose parent company is located in third countries or which themselves cooperate with companies located in third countries. Such cooperation is permissible if it has been determined by the European Commission that an adequate level of protection exists in the third countries in question (called an Adequacy Decision in Art. 45 GDPR). If this is not the case, it is ensured at all times that, in the case of service providers with a third-country connection without an adequacy decision, the special requirements of the General Data Protection Regulation for third-country transfers (Art. 44 and 46 et seqq. GDPR) are met.

The standard case here is the conclusion of EU standard contractual clauses as part of commissioned data processing (Art. 46 (2) (c) GDPR) in order to contractually bind the respective service providers. In such clauses, the service providers commit to protectingg the data of our users, processing said data in accordance with its data protection provisions on our behalf and, in particular, refraining from disclosing this data to third parties. To minimise the risks for data subjects, supplementary safeguards are established, such as encryption or other contractual, technical or organisational safeguards. We will not perform any further transfer of personal data beyond the described type of cooperation.

Personal data will only be stored by Maritim Hotelgesellschaft mbH for the period required in order to achieve the purpose of storage, or insofar as required by European regulators or other legislators in laws or regulations incumbent on the Controller.

When the purpose of storage no longer applies or when a storage period prescribed by the European regulator or any other relevant legislator expires, the personal data will be routinely blocked or deleted in accordance with the statutory provisions.

External service providers, such as the mail service or mailing companies that process personal data on behalf of Maritim Hotelgesellschaft mbH are subject to the statutory data protection regulations and may only process the data provided for the specific purpose in hand.

External links

To offer you the best possible information, you will find links on our pages that refer to third-party websites. If such links are not obviously apparent, we point out that these are external links. Maritim Hotelgesellschaft mbH has no influence on the content and design of these websites and the data protection practices of third parties. We cannot accept any responsibility for this. The details of our Data Security Policy do not apply there. Thus, if you click on an advertisement or a third-party link, you should be aware that you are leaving the Maritim Hotelgesellschaft mbH service and that any personal data you provide will no longer be covered by this Data Security Policy. Please read the data protection statements of the other website owners to find out how your personal information is gathered and processed on these websites.

Declaration of consent by the user

By using our websites and online offers, you agree that the data voluntarily provided and transmitted by you may be stored by us and used and processed in compliance with this Data Security Policy.

If you process personal data, you are a Data Subject under the terms of the GDPR and you have the following rights in relation to the Controller:

1. Right to information

You may ask the Controller to confirm whether personal data relating to you is processed by us.

If such processing is taking place, you can request information from the Controller about the following:

1. the purposes for which personal data is being processed;
2. the categories of personal data being processed;
3. the recipients or categories of recipients to whom the personal data relating to you has been disclosed or is still being disclosed;
4. the planned duration of the storage of your personal data or, if specific information is not available, criteria for determining the duration of storage;
5. the existence of a right to the correction or deletion of personal data concerning you, a right to restrict processing by the Controller or a right to object to such processing;
6. the existence of a right of appeal to a supervisory authority;
7. all available information on the origin of the data if the personal data is not gathered from the Data Subject;
8. the existence of automated decision-making, including profiling, under Article 22 (1) and (4) GDPR and, at least in these cases, meaningful information about the logic involved, and the scope and intended impact of such processing on the Data Subject.

You have the right to request information about whether your personal data is transferred to a third country or an international organisation. In this context, you can request the appropriate guarantees pursuant to Article 46 GDPR in connection with the transfer.

2. Right of correction

You have a right to correction and/or completion in relation to the Controller, if the processed personal data relating to you is incorrect or incomplete. The Controller must carry out the correction without delay.

3. Right to restrict processing

You may demand that the processing of your personal data should be restricted under the following conditions:

1. if you contest the accuracy of the personal data relating to you for a period of time that enables the Controller to verify the accuracy of your personal data;
2. processing is unlawful and you refuse to allow the personal data to be deleted and instead request restriction of the use of the personal data;
3. the Controller no longer requires personal data for the purposes of processing, but you need this data to assert, exercise or defend legal claims, or
4. if you objected to processing pursuant to Article 21 (1) GDPR and it is not yet certain whether the justified grounds of the Controller take precedence over your grounds.

If the processing of personal data relating to you has been restricted, apart from storage this data may only be used with your consent or for the purpose of asserting, exercising or defending legal claims or protecting the rights of another natural or legal person or on grounds of important public interest for the European Union or a Member State.

If the restriction on processing is limited according to the aforementioned conditions, you will be informed by the Controller before the restriction is lifted.

4. Right of deletion

a) Duty of deletion
You may require the Controller to delete your personal data without delay, and the Controller is required to delete that information immediately if one of the following grounds applies:

1. Your personal data is no longer necessary for the purposes for which it was collected or otherwise processed.
2. You revoke your consent to processing pursuant to Article 6 (1) a) or Article 9 (2) a) GDPR and there is no other legal basis for processing.
3. You object to processing pursuant to Article 21 (1) GDPR and there are no overriding justifiable reasons for processing, or you object to processing pursuant to Article 21 (2) GDPR.
4. The personal data relating to you has been processed illegally.
5. It is necessary to delete personal data relating to you in order to fulfil a legal obligation under European Union law or the law of the Member States incumbent on the Controller.
6. The personal data relating to you was gathered in relation to an information society service pursuant to Article 8 (1) GDPR.

b) Information to third parties

If the Controller has made the personal data relating to you public and if he is obliged to delete it pursuant to Article 17 (1) of the GDPR, it shall take the appropriate steps, including technical measures, taking into account available technology and implementation costs, to inform Controllers responsible for data processing who process the personal data that you, as a Data Subject, have demanded the deletion of all links to such personal data or copies or duplicates of such personal data.

c) Exceptions

The right of deletion does not exist if processing is necessary

1. in order to exercise the right to freedom of expression and information;
2. to fulfil a legal obligation required by the law of the European Union or of the Member States incumbent on the Controller, or to implement a task in the public interest or in the exercise of the official authority conferred on the Controller;
3. for reasons of public interest in the area of public health pursuant to Article 9 (2) h) and Article 9 (3) GDPR;
4. for archival purposes of public interest, scientific or historical research purposes or for statistical purposes pursuant to Article 89 (1) GDPR, to the extent that the law referred to in subparagraph (a) is likely to render impossible or seriously impair the achievement of the objectives of this processing, or
5. to assert, exercise or defend legal claims.

Right to information

If you have the right of correction, deletion or restriction of processing in relation to the Controller, the latter is obliged to notify all recipients to whom your personal data has been disclosed of this correction or deletion of data or restriction of processing, unless this proves to be impossible or requires disproportionate effort.

You are entitled to require the Controller to reveal the identity of these recipients to you.

Right to data transferability

You have the right to receive the personal data that you have supplied to the Controller in a structured, current, machine-readable format. In addition, you have the right to transfer this data to another Controller without hindrance from the Controller to whom the personal data was supplied, provided that

1. processing is based on consent pursuant to Article 6 (1) a) GDPR or Article 9 (2) a) GDPR or on a contract pursuant to Article 6 (1) b) GDPR and
2. processing involves an automated procedure.

In exercising this right, you are also entitled to require that the personal data relating to you should be transmitted directly from one Controller to another Controller, insofar as this is technically feasible. This must not impair the freedoms and rights of other persons.

The right to data portability does not apply to the processing of personal data necessary for to implement a task in the public interest or in the exercise of the official authority conferred on the Controller.

Right of objection

You have the right to object to processing of your personal data at any time, for reasons that arise from your particular situation pursuant to Article 6 (1) e) or f) GDPR; this also applies to profiling based on these provisions.

The Controller will no longer process personal data relating to you unless he can demonstrate compelling legitimate grounds for processing that outweigh your interests, rights and freedoms, or processing is for the purpose of enforcing, exercising or defending legal claims.

If the personal data relating to you is processed for direct marketing purposes, you have the right to object at any time to the processing of your personal data for the purpose of such advertising; this also applies to profiling insofar as it is associated with such direct marketing.

If you object to processing for direct marketing purposes, your personal data will no longer be processed for these purposes.

Directive 2002/58/EC notwithstanding, you have the option, in the context of the use of information society services, of exercising your right to object through automated procedures that use technical specifications.

Questions/right of appeal to a supervisory authority

If you have further questions regarding the protection of your personal data, this Data Security Policy, declarations of consent and the processing of your personal data or complaints about data protection, you can contact our Data Protection Officer at the following e-mail address: datenschutz@maritim.de

Without prejudice to other administrative or judicial remedies, you shall have the right of appeal to a supervisory authority, in particular in the Member State of your place of residence, employment or the place of the alleged breach, if you believe that the processing of your personal data violates the GDPR.

The supervisory authority is the Data Protection Authority for North Rhine-Westphalia in Dusseldorf.