At our hotel, we take the protection of data very seriously. Your personal data is collected and processed in compliance with the applicable data protection regulations, in particular the General Data Protection Regulation (GDPR).
1 Data controller
The data controller responsible for the collection, processing and use of your personal data within the meaning of Article 4 (7) GDPR is
Rhön Park Hotel GmbH & Co.KG
Rother Kuppe 2
If you wish to object to the collection, processing or use of your data by us in accordance with these data protection regulations as a whole or for individual measures, you can address your objection to the person responsible.
2 General purpose of processing
We use personal data for the purpose of operating the website and where necessary to provide content and services.
3 Data collection
We primarily collect data that you provide us with.
Our IT systems collect other data automatically when you visit our website. These are mainly technical data (e.g. information about your browser, operating system or the time you accessed our website).
4 What data we use and why
We use hosting services to provide the following services: infrastructure and platform services, computing capacity, storage space and database services, security services and technical maintenance services that we use for the purpose of operating this website.
In so doing, we or our hosting provider process inventory data, contact data, content data, contract data, usage data, metadata and communication data of customers, prospective customers or visitors of this website on the basis of our legitimate interests in providing an efficient and secure website in accordance with Article 6 (1) (f) GDPR in conjunction with Article 28 GDPR.
4.2 Access data
We collect information about you when you use this website. We automatically collect information about your usage behaviour and interaction with us and record data about your computer or mobile device. We collect, store and use data about every access to our website (so-called server log files). The access data include:
- Name and URL of the accessed file,
- Date and time of the access
- Amount of data transferred
- Message about successful retrieval (HTTP response code)
- Browser type and browser version
- Operating system
- Referrer URL (i.e. the previously visited website)
- Websites accessed by the user's system via our website
- Internet service provider of the user
- IP address and the requesting provider
- Other similar data and information that may be used in the event of an attack on our IT systems.
We use this log data without allocation to your person or other profiling for statistical evaluations for the purpose of operating, security and optimisation of our website, but also for anonymous recording of the number of visitors to our website (traffic) and the extent and type of use of our website and services, as well as for billing purposes in order to measure the number of clicks received from cooperation partners. Based on this information, we can provide personalised and location-based content, analyse traffic, troubleshoot and correct errors, and improve our services.
This also represents our legitimate interest in accordance with Article 6 (1) (f) GDPR.
We reserve the right to check the log data retrospectively, if there is concrete evidence providing reasonable grounds for suspecting illegal use. We store IP addresses in the log files for a limited period of time if this is necessary for security purposes or for the provision or billing of a service, e.g. if you use one of our offers. After the order process has been cancelled or payment has been received, we will delete the IP address if this is no longer required for security purposes. We also store IP addresses if we have a concrete suspicion of a criminal offence in connection with the use of our website. In addition, we store the date of your last visit as part of your account (e.g. when registering, logging in, clicking on links, etc.).
We use so-called session cookies to optimise our website. A session cookie is a small text file that is sent by the respective servers when you visit a website and is temporarily stored on your hard drive. This file contains a so-called session ID, which is used to associate various requests sent by your browser to a single session. This allows your computer to be recognised when you return to our website. These cookies are automatically deleted when you close your browser. They are used, for example, to enable you to use the shopping basket function across several pages.
We also use persistent cookies (also small text files that are stored on your terminal device) to a small extent, which remain on your terminal device and enable us to recognise your browser the next time you visit. These cookies are stored on your hard disk and are deleted automatically after the specified time. Their life span is 1 month to 10 years. This enables us to present our services to you in a more user-friendly, effective and secure manner and, for example, to display information on the site that is specifically tailored to your interests.
- Login details
- Language settings
- Entered search terms
- Information about the number of visits to our website and use of individual functions of our website.
When the cookie is activated, it is assigned an identification number and your personal data is not assigned to this identification number. Your name, IP address or similar data that would allow the cookie to be assigned to you will not be placed in the cookie. Thanks to cookie-based technology, we only receive pseudonymised information about e.g. the pages of our store you visited or the products viewed, etc.
You can set your browser to inform you every time before storing cookies and decide on a case-by-case basis, whether to accept them. You can also limit the acceptance of cookies to certain cases or block the acceptance of cookies altogether. This may restrict the functionality of the website.
4.4 Data necessary for the performance of a contract
We process personal data that we need to fulfil our contractual obligations, such as name, address, e-mail address, ordered products, billing and payment data. The collection of this data is necessary for the conclusion of the contract.
The data will be deleted after expiry of the warranty periods and statutory retention periods.
The legal basis for the processing of this data is Article 6 (1) (b) because the processing is necessary for the performance of a contract to which you are a party.
To register for newsletters, the data requested in the registration process is required. The registration for the newsletter is logged. After registering, you will receive a message at the email address provided asking you to confirm your registration ("double opt-in"). This is necessary to prevent third parties from registering with your email address.
You can revoke your consent to receive the newsletter at any time and thus cancel the newsletter.
We store the registration data as long as it is required for sending the newsletter. The log of the registration and the shipping address are stored for as long as there is an interest in proving the consent originally given. As a rule, this corresponds to the limitation periods for civil claims, thus a maximum of three years.
The legal basis for sending the newsletter is your consent in accordance with Article 6 (1) (a) in conjunction with Article 7 GDPR and Article 7 (2) (3) of the Act against Unfair Competition (UWG). The legal basis for logging the registration is our legitimate interest in proving that the dispatch was carried out with your consent.
You can cancel your subscription at any time without incurring any costs other than the transmission costs according to the basic rates. A written notice to the contact information listed under section 1 (e.g. e-mail, fax, letter) is sufficient for this purpose. Of course, you will also find an unsubscribe link in each newsletter.
The Rhön Park Newsletter will be sent by the service provider CleverReach.
CleverReach GmbH & Co. KG | Mühlenstr. 43 | 26180 Rastede/Germany
4.6 Product recommendations
We will send you regular product recommendations by email. This is independent of the newsletter. In this way, we will provide you with information about products from our offer that you may be interested in based on your recent purchases of goods or services from us. We act strictly in accordance with statutory requirements. You can object to this at any time without incurring any costs other than the transmission costs according to the basic tariffs. A written notice to the contact information listed under section 1 (e.g. e-mail, fax, letter) is sufficient for this purpose. Of course you can also find an unsubscribe link in each e-mail.
The legal basis for this is Article 6 (1) (f) GDPR in conjunction with Article 7 (3) UWG.
4.7 Email contact
If you contact us (e.g. via contact form or e-mail), we will process your details to process your enquiry and in the event that follow-up questions arise.
If the data processing takes place for the purpose of implementing pre-contractual measures taken at your request or, if you are already our customer, for the performance of the contract, the legal basis for this data processing is Article 6 (1) (b) GDPR.
We only process additional personal data if you give us your consent (Article 6 (1) (a) GDPR) or if we have a legitimate interest in the processing of your data (Article 6 (1) (f) GDPR). For example, there is a legitimate interest in replying to your email.
You have the option to register on the website by providing personal data. The personal data which is transmitted to the data controller is based on the data entered into the input form. The personal data entered by the data subject are collected and stored solely for internal use and purposes by the data controller. The data controller may arrange for the transfer to one or several processors (e.g. a packet service), who will also use the personal data solely for internal purposes in accordance with the instructions from the controller.
By registering on the website, the IP address of the data subject assigned by the internet service provider (ISP), the date and time of registration are also stored. The storage of this data takes place against the background that this is the only way to prevent the misuse of our services and if necessary, to use this data to investigate past crimes and copyright infringements. In this respect, the storage of this data is necessary to protect the data controller. This data will not be passed on to third parties unless required to do so by law or for the purpose of criminal or legal prosecution.
The registration of the data subject, with the voluntary indication of personal data, is intended to enable the controller to offer the data subject content or services that may only be offered to registered users due to the nature of the matter in question. Registered persons are free to modify the personal data given at registration at any time or to delete it completely from the database of the data controller.
5 Links to other websites
This website contains links to other websites (so-called external links).
As providers, we are responsible for our own content in accordance with the applicable European and national legislation. A distinction should be made between our own content and the content provided by other providers. We have no influence over whether the operators of other websites comply with the applicable European and national legal provisions. Please refer to the privacy policies provided on the relevant websites. We do not accept any responsibility for the content of third-party websites linked to this website, which is specifically marked, and we do not endorse this content. The providers of the linked websites are solely responsible for illegal, incorrect or incomplete content and for damage resulting from the use or non-use of information.
6 Confidentiality of applications and data protection during the recruitment process
The responsible person collects and processes the personal data of applicants for the purpose of processing the application procedure. The processing can also be done by electronic means. This is particularly the case if an applicant sends the relevant application documents to the controller by electronic means, for example, by email. If the data controller enters into an employment agreement with an applicant, the transmitted data will be stored for the purpose of processing the employment relationship in compliance with the statutory provisions. If no employment agreement is concluded with the applicant, the application documents will be automatically deleted six months after the rejection letter was sent to the applicant, provided that no other legitimate interests of the controller stand in the way of erasure. Another legitimate interest in this sense is, for example, a burden of proof in proceedings under the General Act on Equal Treatment (AGG).
7 Storage duration
Unless specifically stated, we only store personal data for as long as is necessary to fulfil the purposes pursued.
In some cases, the legislator provides for the storage of personal data, for example in tax or commercial law. In these cases, the data will only be stored by us for these legal purposes, but will not be processed in any other way and deleted after expiry of the legal retention period.
8 Your rights as data subject
According to the applicable laws, you have various rights regarding your personal data. If you wish to assert these rights, please send your request by email or by post to the address specified in Section 1, clearly identifying yourself.
Below you will find an overview of your rights.
8.1 Right of confirmation and access
You have the right to receive free information about the personal data we store on you.
You have the right to obtain from us confirmation as to whether or not personal data concerning you are being processed. If this is the case, you have the right to request from us free of charge information about the personal data stored about you together with a copy of this data. Furthermore, there is a right to the following information:
1. processing purpose;
2. categories of personal data processed;
3. the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
4. where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
5. the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
6. the right to lodge a complaint with a supervisory authority;
7. where the personal data are not collected from the data subject, any available information as to their source;
8. the existence of automated decision-making, including profiling, referred to in Article 22 (1) and (4) GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
Where personal data are transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards pursuant to Article 46 GDPR relating to the transfer.
8.2 Right to rectification
You have the right to request the correction of your personal data without undue delay.
Taking into account the purpose of the data processing, you also have the right to demand the completion of your incomplete personal data – also by means of a supplementary declaration.
8.3 Right to erasure (‘right to be forgotten’)
In a number of cases we are obliged to delete personal data concerning you.
In accordance with Article 17 (1) GDPR you have the right to obtain from us the erasure of personal data concerning you without undue delay and we have the obligation to erase personal data without undue delay where one of the following grounds applies:
1. the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
2. You withdraw consent on which the processing is based in accordance with Article 6 (1) (a), or Article 9 (2) (a) GDPR, and where there is no other legal ground for the processing.
3. You object to the processing pursuant to Article 21 (1) GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Article 21 (2) GDPR.
4. The personal data have been unlawfully processed.
5. The personal data have to be erased for compliance with a legal obligation in Union or Member State law to which we are subject.
6. The personal data have been collected in relation to the offer of information society services referred to in Article 8 (1) GDPR.
Where we have made the personal data public and are obliged pursuant to Article 17 (1) GDPR to erase the personal data, we, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that you have requested the erasure by such controllers of any links to, or copy or replication of, those personal data.
8.4 Right to restriction of processing
In a number of cases you are entitled to request us to restrict the processing of your personal data.
You have the right to obtain from us a restriction of processing where one of the following applies:
1. you contest the accuracy of the personal data, for a period enabling us to verify the accuracy of the personal data;
2. the processing is unlawful, and you oppose the erasure of the personal data and request the restriction of their use instead;
3. we no longer need the personal data for the purposes of the processing, but you require the data for the establishment, exercise or defence of legal claims, or
4. you have objected to processing pursuant to Article 21 (1) GDPR pending the verification whether the legitimate grounds of our company override your interests.
8.5 Right to data portability
You have the right to receive, transmit or have us transmit personal data concerning you in machine-readable form.
You have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without any hindrance from us, where:
1. the processing is based on consent pursuant to Article 6 (1) (a), or Article 9 (2) (a) GDPR or on a contract pursuant to Article 6 (1) (b) GDPR, and
2. the processing is carried out by automated means.
In exercising your right to data portability pursuant to paragraph 1, you have the right to have the personal data transmitted directly from us to another controller, where technically feasible.
The right to data portability does not apply to processing of personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
8.6 Right to object
You have the right to object to the lawful processing of your personal data by us if this is justified by your particular situation and if our interests in the processing do not outweigh yours.
You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on Article 6 (1) (e) or (f) GDPR, including profiling based on those provisions. We shall then no longer process your personal data, unless we can demonstrate compelling reasons for the processing worth protecting, which prevail over your interests, rights and freedoms, or the processing serves to enforce, exercise or defend legal claims.
Where personal data are processed for direct marketing purposes, you will have the right to object at any time to processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing.
Where personal data are processed for scientific or historical research purposes or statistical purposes pursuant to Article 89 (1), you have the right, on grounds relating to your particular situation, to object to processing of personal data concerning you, unless the processing is necessary for the performance of a task carried out for reasons of public interest.
8.7 Automated decision-making, including profiling
You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you.
This does not apply if the decision
(1) is necessary for entering into, or performance of, a contract between you and the data controller,
(2) is authorised by Union or Member State law to which the controller is subject, and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests, or
(3) is based on your explicit consent.
However, these decisions may not be based on special categories of personal data referred to in Article 9 (1) GDPR, unless point (a) or (g) of Article 9 (2) applies and suitable measures to safeguard the data subject's rights and freedoms and legitimate interests are in place.
In the cases referred to in points (1) and (3), the data controller shall implement suitable measures to safeguard your rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express your point of view and to contest the decision.
8.8 Right to withdraw consent to data processing
You have the right to withdraw your consent to the processing of your personal data at any time.
8.9 Right to lodge a complaint with a supervisory authority
You have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data relating to you infringes GDPR.
9 Data security
We make every effort to ensure the security of your data in accordance with the applicable data protection laws and technical possibilities.
Personal data are encrypted before transmission. This applies to your orders and also to the customer login. While we use SSL (Secure Sockets Layer), we would like to point out in this context that any transfer of data over the internet (for example, when communicating by email) can pose a security risk. It is impossible to provide blanket protection against unauthorised third-party access.
To secure your data, we maintain technical and organisational security measures in accordance with Art. 32 GDPR, which we constantly adapt to the state of the art.
Furthermore, we do not guarantee that our offer will be available at certain times; disruptions, interruptions or failures cannot be ruled out. The servers we use are regularly and carefully secured.
10 Disclosure of data to third parties, no data transfer to non-EU countries
In principle, we only use your personal data within our company.
If and to the extent that we involve third parties in the performance of contracts (such as logistics service providers), this personal data is only received to the extent to which the transfer is necessary for the corresponding service.
In the event that we outsource certain parts of data processing ("order processing"), we contractually oblige contractors to use personal data only in accordance with the requirements of data protection laws and to ensure the protection of the rights of the data subject.
Apart from the case mentioned in paragraph 12 of this declaration, data is not transmitted to places or persons outside the EU, and no such transmission is planned.
The Rhön Park Hotel GmbH & Co.KG has engaged Bookassist to provide us with their booking system.
Thawte security certificate
Bookassist is verified as a service provider by the VeriSign Certification Authority. To find out more, please click on the following link:
Credit card security ID
The credit card details page of Bookassist is protected by the Secure Sockets Layer (SSL) encryption technology. SSL encrypts your name, credit card number and expiry date before the data is transmitted over the internet. This makes doing business over the internet as secure as buying something over the telephone. This ensures that your credit card details will remain completely confidential while in transit. The SSL safe connection and secure transaction technology has so far effectively protected more than a hundred thousand Bookassist customers who have transmitted their credit card numbers online and used Bookassist to make their reservations since Bookassist launched its online services in 1999.
In addition, credit card use is verified whenever the card is charged using a secure and direct connection to the banking system. This ensures that known stolen cards cannot be used and fraudulent transactions are minimised for consumer and hotel benefit.
Why do we collect data?
- Collecting information provides specific benefits to you, our website visitor
- Information is collected in order to facilitate the reservation process between you the customer and the accommodation provider, to facilitate the purchase of e-vouchers, to offer additional services to you where you consent to such offers and/or to help us improve this process for your future use.
For what purpose do we collect data?
- To complete or support activities such as the reservation process or the purchase of vouchers
- Voluntary customer registration process
- For the statistical use of applications
- Information is not collected for any other purpose, and more specifically, information is never shared with any third party without your consent
Who has access to the data we collect?
- Bookassist, its departments and branches
- Persons who can access it by law.
What access do we grant our visitors to the information we collect concerning them?
- Access will be granted to all information collected from this customer on request.
If you believe that our websites or systems have collected incorrect information or if you would like to dispute any information, please contact us.
To contact Bookassist, please refer to the contact details at Bookassist.org/contact.jsp
To contact our hotel, please refer to the contact details on our website.
11.3 Cookies policy
We respect your right to privacy. Any personal information which you volunteer on this website will be treated with appropriate standards of security and confidentiality and in accordance with the Irish Data Protection Acts, 1988 (as amended).
What are cookies?
Cookies are text files containing small amounts of information which are downloaded to your device when you visit our website. Cookies are then sent back to the originating website on each subsequent visit, or to another website that recognises that cookie. Cookies are useful because they allow a website to recognise a user’s device. There are a number of different types of cookies, each having a different purpose.
What types of cookies may be used on this website?
Strictly necessary cookies
These cookies are essential in order to enable you to move around the website and use its features. We use these cookies to enable the services which you have specifically asked for.
Examples of strictly necessary cookies that may be used on this site:
Bookassist session cookie: maintains the user session.
Performance cookies are cookies which collect information on how visitors use a website, i.e. which pages visitors go to most. We use these cookies to collect information anonymously on the pages which you have visited.
Examples of performance cookies that may be used on this site:
Bookassist Conversion Tracking Cookie: tracks the conversion statistics.
Functional cookies are cookies which allow the website to remember choices made by the user (name, address, language). We use these cookies to keep track of our users' choices and to provide a better service.
Examples of functional cookies that may be used on this site:
Expression Engine Cookie: maintains user preferences such as language.
Bookassist booking reference: stores user settings.
Advertising cookies are cookies which are used to deliver adverts more relevant to a user's interests. They remember that a user has viewed a website before. They are often linked to the functionality of the site. We use these cookies to collect information about your browsing habits in order to make advertising relevant to you and your interests.
If you have cookies enabled on your machine, we will present you with advertisements relevant to our website. Google and third-party vendors show our advertisements across different internet sites. If you have cookies enabled you may see advertisements for this website on other websites. If you prefer to opt out from personalised advertising, please visit the Network Advertising Initiative opt-out page at http://www.networkadvertising.org/choices/
We may install third party cookies on our website. Third party cookies are cookies that are set by a domain other than the website that is being visited by the user. If a user visits a website and another entity sets a cookie through that website, then this is a third party cookie.
Examples of third party cookies that may be used on this website:
Adobe Omniture: collects statistical information about how visitors use the website.
Google Adwords: collects statistical information about use and conversion.
Google remarketing: allows advertisers to engage with users who previously visited the website.
Facebook: social media sharing.
The cookies we use enable us to improve our website and provide a more personalised service to you. If, after you disclose your personal data, you require a copy of it or you wish to discuss, rectify or erase the data, whether in whole or in part, please contact us. To contact Bookassist, please refer to the contact details at Bookassist.org/contact.jsp
12 Use of social plugins
Our website uses so-called social plugins ("plugins") from the social networks Facebook and Google+, the micro-blogging site Twitter and Instagram. These services are offered by the companies Facebook Inc., Google Inc., Twitter Inc. and Instagram LLC. ("Providers").
Facebook is operated by Facebook Inc., 1601 S. California Ave, Palo Alto, CA 94304, USA ("Facebook"). You can find an overview of the Facebook buttons and their appearance here: https://developers.facebook.com/docs/plugins
Instagram is operated by Instagram LLC., 1601 Willow Road, Menlo Park, CA 94025, USA ("Instagram"). You can find an overview of the Instagram buttons and their appearance here: blog.instagram.com/post/36222022872/introducing-instagram-badges
If you access a page on our website that contains such a social plugin, your browser establishes a direct connection with Facebook, Google, Twitter and Instagram servers. The content of the plugin is then transmitted by the relevant provider directly to your browser and integrated into the page. By integrating the plugin, the providers receive the information that your browser has accessed a particular page on our website, even if you do not have a profile with the respective provider or are currently not logged in. This information (including your IP address) is transmitted directly from your browser to a server of the respective provider in the United States and stored there.
If you are logged into one of the social networks, the respective provider can link the visit to our website directly to your profile on Facebook, Google+, Twitter or Instagram. If you interact using the plugins, for example, by pressing the "Like" button or the "+1" button, the "tweet" button or the "Instagram" button, the relevant information is also transmitted directly to a server of the respective provider and stored there. The information will also be published on the social network or your Twitter or Instagram account and displayed to your contacts there.
For more information on the purpose and scope of collection, further processing and use of data by the providers as well as your rights and options available to protect your privacy, please refer to the respective privacy policies of the providers.
If you do not want Google, Facebook, Twitter or Instagram to associate the data collected on our website directly with your profile with the respective provider, you must log out from the service before enabling the plugin. You can also prevent the loading of plugins completely with browser add-ons, e.g. by using the "NoScript" script blocker (http://noscript.net/).
12.1 Use of HolidayCheck.de plugins
12.2 Use of Google Maps
12.3 Use of YouTube components
Our website uses plugins (videos) provided by YouTube, LLC 901 Cherry Ave., 94066 San Bruno, CA, USA, a subsidiary of Google Inc., Amphitheatre Parkway, Mountain View, CA 94043, USA. We use the privacy-enhanced mode provided by YouTube. When you visit a page on our website that contains an embedded video, a connection is made to YouTube's servers which then instruct your browser to display the content on that webpage. According to the information provided by YouTube, when the "privacy-enhanced mode" is turned on, YouTube will not store information about your visit to our website unless you play the video. If you are logged into YouTube at the same time, this information will be linked to your YouTube user account. You can prevent this by logging out of your user account before visiting our website.
13 Data protection officer
If you have any questions regarding data protection, please contact our data protection officer:
datenschutz süd GmbH
Dr. Christian Borchers
Hausen-Roth, October 2018