Our policies

Read the privacy and cookie policy of Hotel München Palace

Privacy Statement for hotel-muenchen-palace.de

 

I.          Name and address of the Controller

The controller within the meaning of the EU General Data Protection Regulation (hereinafter: GDPR) and other national data protection laws of the Member States as well as other data protection statutes (hereinafter the "Controller") is:

Roland Kuffler GmbH

Residenzstr. 12

80333 München

Germany

Telephone: ++49 89 290 705-0

Fax: ++49 89 294 076

email: direkt@kuffler.de

website: www.kuffler.de

-          II.         Name and address of the data protection officer

The data protection officer of the Controller is:

Eberhard Mayer

Residenzstr. 12

80333 München

Germany

Telephone: ++49 89 290 705-0

email:  datenschutzbeauftragter@kuffler.de

-          III.        General on data processing

1.         Extent of personal data processing

As a principle, we collect and use the personal data of our users only to the extent required to provide a functioning website, as well as our contents and services. As a rule, we collect and use personal data of users only subject to their consent, except where obtaining such consent before collection of the data is not possible for actual reasons and/or where processing of such data is allowed by virtue of applicable statutory provisions. The corresponding legal bases will be indicated below.

2.         Data processing by "Processors"

In order to ensure an effective visit of our website and use of the features offered, we partly rely on processors (see also art. 4 no. 8 GDPR) that are bound to observe our instructions, such as computer centre operators, mailing service providers and/or other parties involved (hereinafter: “Processors”) in the performance of the contract.

Such external service providers processing on behalf of us (said „Processors“) are carefully selected and strictly bound by contract to observe the requirements of GDPR (see art. 28 et seq. GDPR – processing carried out on behalf of a controller). These Processors process your data in accordance with our instructions, which is ensured by strict contractual provisions stipulating technical and organisational and supplementary control measures.

Your data are only transmitted to such a Processor if you have given your express consent or this is based on statutory provisions.

The data are not transmitted to third-party countries outside the EU/EEA or to international organisations, unless such transmission is subject to reasonable guaranties, including the EU standard contract clauses and the so-called Adequacy Decision of the EU Commission.

The third parties to whom data are disclosed include in particular the host provider of our website, the provider of dispatching services when you subscribe and confirm your subscription to newsletters, and the technical operator of the reservation system (e.g. Preferred, OpenTable, see below in more detail) when you make reservations.

3.         Legal basis for the processing of personal data

To the extent that processing of personal data is subject to the consent of the person concerned, the legal basis for such processing is art. 6 para. 1 lit. a GDPR.

If processing of personal data is required to perform a contract which the person concerned is a party to, the legal basis is art. 6 para. 1 lit. b GDPR. This also applies to processing operations that are required to perform contractual measures.

If processing personal data is required to perform a legal obligation to which our company is subject, the legal basis is art. 6 para. 1 lit. c GDPR.

In the event that processing is necessary in order to protect the vital interests of the person concerned or another natural person, the legal basis is art. 6 para. 1 lit. d GDPR.

If processing is necessary for the purposes of the legitimate interests of our company or a third party, except where such interests are overridden by your interests or fundamental rights and freedoms which require protection of personal data, art. 6 para. 1 lit. f GDPR is the legal basis for processing.

4.         Data erasure and duration of storage

The personal data of the person concerned will be deleted or blocked as soon as the purpose of the storage does not exist any longer. However, data may be stored beyond that point in time if this is provided by European or national legislation in the form of EU Regulations, national laws, or any other statutory provisions to which the Controller is subject. The data will also be blocked or erased if the time-limit provided by said statutory provisions for the storage of data expires, unless further storage of the data is required for the conclusion or performance of a contract, or the person concerned has given his/her consent to such further storage.

 

IV.       Provision of the website and creation of log files

Description and extent of data processing

Every time you visit our website, our system automatically collects data and information from the calling computer system. The following data is collected:

(1)    the IP address of the calling computer;

(2)    information about the type of browser and its version;

(3)    the operating system of the user;

(4)    the country from which our website is accessed;

(5)    date and hour of access;

(6)    any other website from which our Internet site is accessed.

The data are stored by our host provider who is a processor, see above. There is no storage of these data together with any other personal data of the user. IP addresses are anonymized with an 'x' after 7 days from their collection.

2.         Legal basis for the data processing

The legal basis for the temporary storage of data and log files is art. 6 para. 1 lit. f GDPR.

3.         Purpose of data processing

Temporary storage of the IP address by the system is necessary in order to enable delivery of the website to the computer of the user. To this end, the user's IP address must remain stored for the duration of the session.

The storage described herein is aimed at ensuring the functioning of the website.

The above-described purposes justify our interest in the processing of these data pursuant to art. 6 para. 1 lit. f GDPR.

4.         Duration of the storage

The data will be deleted as soon as they are no longer required for achieving the purpose of their collection. If the data are collected to provide the website, this is the case when the respective session is terminated.

Storage of the data in said log files is possible for an additional 7 days from termination of the session, but then only in an anonymized form, see above: in such cases, the IP addresses are modified so as to make their attribution to the calling user no longer possible, see above.

5.         Right to object and eliminate

Collection and processing of personal data is mandatorily required to provide the website and storage of these data in log files (not anonymized, but not longer than 7 days), and is necessary for operation of the website. Therefore, the user cannot object to such collection and processing. However, you have a right to object to any other collection and processing of your personal data.

 

V.        Use of cookies

1.         Description and extent of data processing

Our website uses cookies. Cookies are small text files that are stored by the Internet browser on the computer system of the user. If a user calls a website, a cookie may be stored on the hard disk of the user. This cookie contains a characteristic string array allowing identification of the browser when calling the website again.

We use cookies in order to make our website more user-friendly.

Some elements of our Internet site require that the calling browser can be identified after having called another site. The cookies are used to store and transmit the following data:

(1)       Language settings

(2)       Log-in information

In addition, we use cookies on our website to analyse the surfing behaviour of users. Thereby, the following data may be transmitted:

(1)       Frequency of calls of the site

(2)       Activation of functions of the website

When calling our website, users are informed by an info banner about the use of cookies, asking for their consent to processing their personal data used in this connection, and referring to this Privacy Statement. Users are also informed on how to stop storage of cookies by modifying the browser settings, see below.

2.         Legal basis for data processing

The legal basis for processing personal data by using technically necessary cookies is art. 6 para. 1 lit. f GDPR.

The legal basis for processing personal data by using cookies for analysis purposes, due to the necessary consent of the user, is art. 6 para. 1 lit. a GDPR.

3.         Purpose of data processing

The purpose of using technically necessary cookies is to facilitate navigation in our website. Some functions of our Internet site cannot be implemented without using cookies. To this end, it is required that the user's browser is recognized even after a change of site. We need cookies for the following applications:

(1)          Takeover of language settings

The user data collected by technically necessary cookies are not used to create user profiles.

Analysis cookies are used for the purpose of improving the quality of our website and its contents. Analysis cookies help understand how the website is used and thus enable us to continuously optimize our offers. Such processing of your personal data is in our justified interest pursuant to art. 6 para. 1 lit. f GDPR.

4.         Duration of storage, right to object and have the data deleted

Cookies are stored on the computer of the user and transmitted to our site. So you, as the user, have full control over the using of cookies. You may deactivate or restrict the transmission of cookies by modifying the settings of your Internet browser. Cookies stored in the past may be deleted at any time. This can also be done in an automated manner. If cookies are deactivated for our website, it is possible that not all functions of the website can be used up to their full extent any longer, in particular if the deleted cookies are technically necessary cookies.

VI.       Use of Google Analytics

1.         Description and extent of data processing

We use Google Analytics, a web analysis service of Google Inc. (https://www.google.co.in/about/ ) (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; hereinafter "Google") in order to be able to tailor our websites to the users' needs and optimize them continuously. In  this context, pseudonymized user profiles are compiled and cookies are used (see above). The information about your use of this website as collected by the cookies, such as

  • browser type/version,
  • used operating system,
  • referrer URL (the site visited before),
  • host name of the accessing computer (IP address),
  • time of the server quest,

is transmitted to a Google server in the USA and stored there. The information is used to analyse the use of the website in order to compile reports on website activities, to perform services related to the use of the website and the Internet for market research purposes, and to design this Internet site in a manner tailored to the user's needs. If appropriate and statutorily required, or if third parties process these data by order, this information is also transmitted to third parties. In no case is your IP address combined with other Google data.

Important in particular: IP addresses are anonymized immediately, so that attributing your user data to you will no longer be possible with reasonable means (IP masking). This will be done on Google servers in the USA, at the latest, but normally even before that.

Further information on data protection in connection with Google Analytics can be found in Google Analytics Help under the link: https://support.google.com/analytics/answer/6004245? hl=en .&hl=en

2.         Legal basis of data processing

The tracking measures described below which we use are carried out under art. 6 para. 1 phrase 1 lit. f GDPR.

3.         Purpose of data processing

The tracking measures under Google Analytics help us designing our website in a manner fitting users' needs and ensure its ongoing optimization. In addition, we use tracking measures to compile statistics on the use of our website and to optimize our offers for you. These interests are justified within the meaning of the above-mentioned Regulation.

4.         Duration of storage, right to object and have the data deleted

On this issue, we refer to our above explanations on other cookies, which apply in this case as well.

You can prevent collection of the data collected by cookies and relating to your use of the website (including your IP address) as well as processing of these data by Google by downloading and installing the browser add-on to be found under the following link: (https://tools.google.com/dlpage/gaoptout?hl=en).

 

VII.      Google Adwords Conversion Tracking

In order to collect statistical data on the use of our website and analyze them for you, we use Google Conversion Tracking. Google Adwords stores a cookie (see above) on your computer if and when you come to our website via a Google ad.

Such cookies become invalid after 30 days and do not serve personal identification purposes. If users visit specific websites starting from the website of an Adwords customer, and if the cookie has not yet expired, Google and the customer can check that the user clicked on the ad and was forwarded to this specific site.

Each Adwords customer is assigned another cookie. Thus, cookies cannot be tracked through the websites of Adwords customers. The information obtained with the help of conversion cookies is used to compile conversion statistics for Adwords customers who decided to use Conversion Tracking. Adwords customers are informed about the total number of users who clicked on their ad and were forwarded to a site equipped with a conversion tracking tag. However, they do not receive any information allowing to identify users personally.

If you do not wish to participate in the tracking procedure, you may refuse storage of the required cookie on your computer – by choosing the corresponding settings of your browser, either by generally deactivating the automatic setting of cookies, or by blocking cookies for conversion tracking coming from the domain "www.googleadservices.com".

 

VIII.     Online bookings of rooms - Preferred

Our Internet site offers the possibility to book hotel rooms online by entering the dates, number of persons and nights. Such online reservation is carried out by another data controller, Preferred Hotel Group, Inc.,  311 South Wacker Drive, Suite 1900, Chicago, Illinois 60606 USA (link: https://preferredhotels.com/contact-us). The reservation mask operated by Preferred is integrated into our website concerned.

In our opinion, Preferred is a data processor on behalf of us as its controller within the meaning of art. 4 no. 8 GDPR. Therefore, we have entered into a contract according to art 28 et seq. GDPR, for further information as to such contract see above III.2

The data to be entered using our website but via Preferred reservation mask, are the following:

(1)          In the first level of the input mask

  1. a.         date of arrival
  2. b.         date of departure
  3. c.         number of adult persons
  4. d.         number of children
  5. e.         if applicable, query of special and/or discount codes, company codes or travel industry IDs

(2)     After having entered these data by clicking "check availability" and having selected the offered rooms and best available prices, you go to the second level of the input mask and enter the following data:

  1. a.         title
  2. b.         first name
  3. c.         last name
  4. d.         email address
  5. e.         date of birth
  6. f.          address data
  7. g.         phone number
  8. h.         If appropriate, you may be asked to enter optional information and further wishes that you think could be relevant for the contractual relationship in the technically optional field "remarks", or by clicking on additional categories.
  9. i.          Furthermore, payment data such as type of credit card, name of holder, number and validity are to be entered. The security code will not be asked.

Compulsory entries are marked with a small triangle before the respective entry line.

2.         Legal basis for this data processing via our website

The legal basis for the processing of reservation data as described in this Section VI is art. 6 para. 1 lit. b GDPR, since both a reservation contract is concluded, which means that such processing is needed to perform a contract, and another contract (accommodation contract) is intended and prepared by this reservation.

3.         Purpose of data processing

The above-described data processing serves the purpose of enabling you and us to conclude an effective, reliable and comprehensible reservation agreement for hotel rooms and to perform as you intended, i.e. by entering into an accommodation contract. Our aim thereby is to guarantee that you will enjoy a delightful stay in our hotel, free of complications and fitting the occasion that you (voluntarily) indicated, and being in accordance with your wishes at the reserved time and place.

Processing of these data is thus required both for performing the reservation contract and performing pre-contractual measures (preparation of the desired accommodation contract, to be closed at the concretely reserved point in time). All this is done upon your enquiry, and you are the person concerned within the meaning of GDPR.

4.         Duration of storage

  1. The data will be deleted as soon as they are no longer needed for achieving the purpose of their collection. This is the case if the reservation is cancelled.
  2. If an accommodation contract is concluded, your data will be kept for accounting and other purposes in the follow-up.

Furthermore, we keep your data to respond faster to your future enquiries and, in the event of future reservations in our restaurants, to meet your needs individually and actively.

In high-class hotels – such as ours – this procedure is in the express interest of both the guest and the hotel. The guest expects that his/her personal habits and wishes are not only taken into consideration in future reservations/bookings, but that the hotel can actively rely on corresponding data and transpose them positively and expressly in appropriate recommendations, without having to ask again. This shall be made possible in the interest of both parties.

In the latter case, the legal basis for data storage is art. 6 para. 1 lit. f GDPR.

5.         Right to object to such use and to have the data deleted

The reservation may be cancelled by the user concerned in accordance with the cancellation conditions.

You may object to the processing described under Section 4 b at any time. Since only the reservation itself is carried out via the website, the website cannot offer any stand-alone function for such purpose: in such a case you will have to contact by email and/or telephone the restaurant where you wish to make the reservation via the contact data indicated on the website for reservations/bookings, which are the following:

Email: info@hotel-muenchen-palace.de; telephone +49 / (0) 89 / 419 71 – 0

 

IX.       Online-reservations/bookings in restaurants and bars (OpenTable)

1.         Description and extent of data processing

Our Internet site offers the possibility to make reservations online in our restaurants (Palace Wintergarten and Palace Restaurant) and in our Palace Bar by entering the dates, number of persons, and hour. Such online reservation is carried out by another data controller, OpenTable, Inc., 1 Montgomery St., Suite 700, San Francisco, CA 94104, USA. The external reservation mask operated by OpenTable is integrated into our website under the name of the restaurant concerned.

In our opinion, OpenTable is a data controller within the meaning of art. 4 no. 7 GDPR and accordingly offers its own Privacy Statement on the reservation mask, relating exclusively to the processing of data by OpenTable, to which we refer, for the sake of completeness, under the following link: https://www.opentable.de/legal/privacy-policy

The data to be entered via OpenTable by using our website are the following:

(1)          In the first level of the input mask

a.  number of persons

b.  date

c.  time

d.      when entering these data, you will be automatically assigned to the selected restaurant

(2)     After having entered these data, you get to the second level of the input mask and enter the following data:

  1. a.         first name
  2. b.         last name
  3. c.         email address
  4. d.         telephone number
  5. e.         If appropriate, you may be asked to enter optional information and further wishes that you think could be relevant for the contractual relationship in the technically optional field "remarks".
  6. f.          If desired – technically optional field – you may enter further wishes into the field "remarks" – as under e. above.
  7. g.         If desired – technically optional field – you may enter into a further field – as under e. above – the occasion of your visit by selecting it from a list.

(3)     Automatically, without your direct involvement, the date and time when you made the reservation will be recorded.

When you reserve a table this way, your reservation with the entered data will be automatically stored in our computer-based reservation book for the restaurant selected from the list.

2.         Legal basis for this data processing via our website

The legal basis for the processing of reservation data as described in this Section VI is art. 6 para. 1 lit. b GDPR, since both a reservation contract is concluded, which means that such processing is needed to perform a contract, and another contract (entertainment contract) is intended and prepared by this reservation.

Another case subject to the legal basis of art. 6 para. 1 lit. 1 GDPR is described and explained under paragraph 4 b below.

3.         Purpose of data processing

The above-described data processing serves the purpose of enabling you and us to conclude an effective, reliable and comprehensible reservation agreement and to perform as you intended. Our aim thereby is to guarantee that you will enjoy a delightful stay in our restaurant, free of complications and fitting the occasion that you (voluntarily) indicated, and being in accordance with your wishes at the reserved time and place.

Processing of these data is thus required both for performing the reservation contract and performing pre-contractual measures (preparation of the desired entertainment contract, to be closed at the concretely reserved point in time). All this is done upon your enquiry, and you are the person concerned within the meaning of GDPR.

4.         Duration of storage

  1. The data will be deleted as soon as they are no longer needed for achieving the purpose of their collection. This is the case if the reservation is cancelled.
  2. If an entertainment contract is concluded, your data will be kept for accounting and other purposes in the follow-up.

Furthermore, we keep your data to respond faster to your future enquiries and, in the event of future reservations in our restaurants, to meet your needs individually and actively.

In high-class restaurants – such as ours – this procedure is in the express interest of both the guest and the restaurant. The guest expects that his/her personal habits and wishes are not only taken into consideration in future reservations/bookings, but that the restaurant can actively rely on corresponding data and transpose them positively and expressly in appropriate recommendations for the choice of meals and drinks, without having to ask again. This shall be made possible in the interest of both parties.

In the latter case, the legal basis for data storage is art. 6 para. 1 lit. f GDPR.

5.         Right to object and have the data deleted

The reservation may be cancelled by the user concerned at any time.

You may object to the processing described under Section 4 b at any time. Since only the reservation itself is carried out via the website, the website cannot offer any stand-alone function for such purpose: in such a case you will have to contact by email and/or telephone the restaurant where you wish to make the reservation via the contact data indicated on the website for reservations/bookings, which are the following:

Email: restaurant@hotel-muenchen-palace.de;

telephone +49 / (0) 89 / 419 71 – 821.

All contact data can also be found in this website, see under the tab "contact" (link: https://www.kuffler.de/de/kontakt.php), under which you will find:

-        a phrase (with highlighted link) with the following wording:

-        "Here you may order or cancel your table in the individual restaurants by phone". Click on this phrase/link to see the relevant phone numbers of all restaurants in all cities.

-        At the bottom of the page you will find links to the contact data of all restaurants classified according to their locations (Frankfurt, Munich, Wiesbaden).

 

X.        Newsletter

1.         Description and extent of data processing

Our Internet site offers the possibility to subscribe to a free newsletter under http://www.hotel-muenchen-palace.de/en/newsletter.html (corresponding link also at the bottom left on each page of our websites under "Newsletter Sign Up "). If you subscribe to the newsletter, we collect the following data you enter into the corresponding input mask - for our international guests queried in German and English:

(1)          Please enter into the input mask:

  1. a.    Anrede / prefix
  2. b.    Vorname / first name
  3. c.     Nachname / last name
  4. d.    E-Mail-Adresse / email address
  5. e.    Postleitzahl / ZIP
  6. f.      Geburtsdatum / Birthday

(2)     During subscription and, if applicable, upon confirmation of your entry (see below), the following data will be stored automatically, i.e. without your active involvement:

  1. a.         IP address of the calling computer
  2. b.         registration – and
  3. c.         if you confirmed an entry (see below) – date and hour of your confirmation

The data marked with a star "*" in the afore-described input mask are so-called compulsory entries without which, for technical and organisational reasons, we cannot dispatch our newsletters.

As we need your consent for further processing your data, we will be asking for it as well as for your confirmation that you have read this Privacy Statement – the subscription cannot be technically completed without this confirmation.

To protect your data interests, the following additional steps are necessary for the subscription becoming effective:

After having received your data as described above, we will send an email to the email address indicated in the subscription (confirmation mail), in which you are asked to click on a confirmation link. Not before you clicked on this link will you be listed in our files as a subscriber to the desired newsletter(s).

In connection with data processing for newsletter subscriptions, your data will not be disclosed to other third parties which are not processors as described above (see Section III.2 above). Together with such processors, we use these data exclusively for selecting the requested newsletters, dispatching them, and analysing your reading behaviour. Results of such analyses are stored in a completely anonymized form.

2.         Legal basis for data processing

The legal basis for the processing of the data after subscription to newsletters by the user is art. 6 para. 1 lit. a GDPR, if the user has given his/her consent to such processing. The described analysis is based on art. 6 para. 1 lit. f GDPR.

3.         Purpose of data processing

Collection of the user's email address serves the purpose of dispatching the newsletter.

Confirmation of the email is necessary to prevent third-parties from using your email address.

Your subscription to, and confirmation of, the newsletter is laid down in a protocol to evidence the subscription process in accordance with legal requirements.

Furthermore, our newsletters contain information about our offers and news about our hotel.

The analysis of your reading behaviour serves our justified interest of selecting and designing the information offered in the newsletter in an as attractive as possible manner; we assume that this is also in your interest and is at least not overridden by other opposing interests – anyway, you may object to such analysis at any time, see below.

4.         Duration of storage

The data will be deleted as soon as they are no longer needed for achieving the purpose of their collection. Thus, the email address of the user, prefix, last name and first name, and the confirmation via confirmation mail, are stored as long as the newsletter subscription is active.

5.         Right to object and have the data deleted

Subscription to newsletters may be terminated at any time by the user concerned. To this end, a corresponding link can be found at the bottom of every newsletter. Another link can be found on the website of the subscription mask, directly before the beginning.

This allows you to revoke your consent to the storage of personal data collected during subscription; however, any processing of data carried out so far is not affected by the revocation and remains rightful.

 

XI.       Contact form and email contact

1.         Description and extent of data processing

Our Internet site features a general contact form "CONTACT", which may be used for electronic contacting.

During your registration, we collect the following data entered by you in the input mask:

(1)          Please enter into the input mask:

  1. a.         title
  2. b.         first name
  3. c.         last name
  4. d.         email address
  5. e.         telephone number
  6. f.          two additional address lines
  7. g.         city
  8. h.         country / province
  9. i.          ZIP code
  10. j.          country

(2)     During registration and, if applicable, upon confirmation of your entry (see below) the following data will be stored automatically, without your active involvement:

a.  IP address of the calling computer

b.  registration – and

c.      if you confirmed an entry (see below) – date and hour of your confirmation

The data marked with a star "*" in the afore-described input mask are so-called compulsory entries without which, for technical and organisational reasons, we cannot dispatch our newsletters.

As we need your consent for further processing your data, we will be asking for it as well as for your confirmation that you have read this Privacy Statement – the registration cannot be technically completed without this confirmation.

Furthermore, you can contact us by the email address mentioned under the tab "contact" (info@hotel-muenchen-palace.de). In such a case, the personal data explicitly transmitted with the email of the user are stored.

In both cases, your data are merely retransmitted to us through the email generated by you (see "contact") or generated automatically (contact form). In neither case will data be disclosed to third parties. The data will be exclusively used for processing the respective conversation.

2.         Legal basis for data processing

The legal basis for processing the data transmitted by email is art. 6 para. 1 lit. f GDPR. If the email contact is aimed at preparing and/or concluding a contract, as for booking a hotel room, the additional legal basis for processing is art. 6 para. 1 lit. b GDPR.

3.         Purpose of data processing

The personal data entered into the input mask are solely processed for the purposes of the contact procedure. If the contact is established by email, the required justified interest in processing the data lies in the received email.

In our opinion, when this is done for the purposes of managing a high-class hotel like ours, such explicit contacts are useful and in our justified interest, since a more intense and durable communication helps prepare your stay.

4.         Duration of storage

The data will be deleted as soon as they are no longer needed for achieving the purpose of their collection.

This is the case for the personal data transmitted by email for general contacting purposes when the respective conversation with the user has ended. The conversation has ended when the circumstances suggest that the subject of such conversation has been finalized.

The contact data entered under the above mentioned "CONTACT", see above, are kept as long as necessary with respect to the contents of the contact and its further development. Furthermore, we keep the corresponding data so that we can respond faster to your future enquiries and comply with your needs individually and proactively in future projects. In high-class hotels – such as ours – this procedure is in the express interest of both the guest and the hotel. The guest expects that his/her personal habits and wishes are not only taken into consideration in future reservations/bookings, but that the hotel can actively rely on corresponding data and transpose them positively and expressly in appropriate recommendations, without having to ask again. This shall be made possible in the interest of both parties. In the latter case, the legal basis for data storage is art. 6 para. 1 lit. f GDPR, see above.

5.         Right to object and have the data deleted

You may object to the storage of your personal data at any time.

The conversation cannot be continued in the case of a general but not yet terminated enquiry.

When booking / planning future stays, the guest/customer can no longer expect us to rely on past experience with his/her wishes.

Please address your objection to the email address direkt@kuffler.de or to the data indicated in this Privacy Statement under Section 1, or to the email address info@hotel-muenchen-palace.de.

In this case, all personal data stored during establishment of the contact will be deleted.

 

XII.    Gift vouchers

1.         Description and extent of data processing

Our Internet site offers the possibility to buy Hotel München Palace gift vouchers as a gift for every occasion under http://www.hotel-muenchen-palace.de/en/gift-voucher.html (corresponding link also at the bottom of every websites under "gift voucher").

In the course of your "request" in the enquiry form, we collect your data that you enter into the corresponding input mask. These are the following data:

(1)          To be entered by you into the input mask:

  1. a.         how shall we contact you – by email, telephone, fax;
  2. b.         first name;
  3. c.         last name;
  4. d.         address;
  5. e.         company name;
  6. f.          business;
  7. g.         further address line;
  8. h.         email address;
  9. i.          telephone number;
  10. j.          city;
  11. k.         country / province;
  12. l.          ZIP code;
  13. m.       country;
  14. n.         if desired, you may enter further "requirements / wishes" into a free field for remarks – technically optional field.

(2)     During registration and, if applicable, upon confirmation of your entry (see below) the following data will be stored automatically, without your active involvement:

  1. a.         IP address of the calling computer
  2. b.         registration – and

c.      if you confirmed an entry (see below) – date and hour of confirmation

The data marked with a star "*" in the afore-described input mask are so-called compulsory entries without which, for technical and organisational reasons, we cannot answer to any request for gift vouchers.

As we need your consent for further processing your data, we will be asking for it as well as for your confirmation that you have read this Privacy Statement – the registration cannot be technically completed without this confirmation.

In both cases, your data are merely retransmitted to us through the email generated by you (see "contact") or generated automatically (contact form). In neither case will data be disclosed to third parties. The data will be exclusively used for processing the respective conversation.

          2.         Legal basis for data processing

The legal basis for processing data transmitted by email is art. 6 para. 1 lit. f GDPR. If the email contact is aimed at preparing and/or concluding a contract, as for booking a hotel room, the additional legal basis for processing is art. 6 para. 1 lit. b GDPR.

3.         Purpose of data processing

The personal data entered into the input mask are solely processed for the purposes of the contact procedure. If the contact is established by email, the required justified interest in processing the data lies in the received email.

In our opinion, when this is done for the purposes of managing a high-class hotel like ours, such explicit contacts are useful and in our justified interest, since a more intense and durable communication helps prepare your stay.

4.         Duration of storage

The data will be deleted as soon as they are no longer needed for achieving the purpose of their collection.

This is the case for personal data transmitted by email for general contacting purposes when the respective conversation with the user has ended. The conversation has ended when the circumstances suggest that the subject of such conversation has been finalized.

The contact data entered under "request" are kept as long as necessary with respect to the contents of the contact and its further development.

5.         Right to object and have the data deleted

You may object to the storage of your personal data at any time or revoke your consent (when you request gift vouchers).

In the case of a general but not yet terminated request – the conversation cannot be continued.

Please address your objection also to the email address direkt@kuffler.de or to the data indicated in this Privacy Statement under Section I, or to the email address info@hotel-muenchen-palace.de.

In this case, all personal data stored during establishment of the contact will be deleted.

 

XIII.     Rights of the person concerned

If your personal data are processed by us, you, as the person concerned within the meaning of GDPR, have the following rights against us:

1.         Right to information

You may request confirmation on whether personal data concerning you are processed. If so, you may request the information listed in art. 15 GDPR.

We reserve the right to direct your interest  to this Privacy Statement if it contains the requested information.

2.         Right to rectification

Pursuant to art. 16 GDPR, you have a right to rectification and/or completion against the Controller where the processed personal data concerning you are incorrect or incomplete. We will carry out such rectification without undue delay.

3.         Right to restriction of processing

Under the following prerequisites, for further prerequisites see also art. 18 GDPR, you may request the restriction of processing of the personal data concerning you, in particular:

(1)     if you contest the accuracy of the personal data concerning you for a period enabling us to verify the accuracy of the personal data;

(2)     our processing is unlawful and you oppose erasure of your personal data and request restriction of their use instead; or

(4)     if you objected against the processing pursuant to art. 21 para. 1 GDPR, and it has not yet been established whether, when weighting your interests against ours, our legitimate interests will override yours.

If processing of the personal data concerning you has been rightfully restricted, these data shall, with the exception of storage, only be processed with your consent or for the establishment, exercise or defence of legal claims, or for the protection of the rights of another natural or legal person, or for reasons of important public interest of the Union or of a Member State.

If processing has been restricted according to the above-mentioned conditions, you will be informed before the restriction of processing is lifted.

      4.         Right to erasure

a)         Duty of erasure, art. 17 GDPR

You may request that the personal data concerning you are deleted without undue delay, to the extent that one of the following applies:

(1)     the personal data concerning you are no longer necessary in relation to the purposes for which they were collected or otherwise processed;

(2)     you revoke your consent on which the processing pursuant to art. 6 para. 1 lit. a or art. 9 para. 2 lit. a GDPR is based, and there is no other legal ground for the processing;

(3)     you object to the processing pursuant to art. 21 para. 1 GDPR, and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to art. 21 para. 2 GDPR;

(4)     the personal data concerning you have been unlawfully processed;

(5)     the personal data concerning you have to be erased for compliance with a legal obligation in Union or Member State law to which the Controller is subject (generally: Germany);

(6)     the personal data concerning you have been collected in relation to the offer of information society services referred to in art. 8 para. 1 GDPR.

b)         Information to third parties

If we made public the personal data concerning you and if we are obliged to erase them pursuant to art. 17 para. 1 GDPR, we will take reasonable steps, including technical measures, thereby taking account of available technology and the cost of implementation, in order to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.

c)         Exceptions

You have no right to erasure where the processing is necessary:

(1)     for exercising the right of freedom of expression and information;

(2)     or compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

(3)     for reasons of public interest in the area of public health in accordance with art. 9 para. 2 lit. h and i as well as art. 9 para. 3 GDPR;

(4)     for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with art. 89 para. 1 in so far as the right referred to in section a) is likely to render impossible or seriously impair the achievement of the objectives of that processing; or

(5)     for the establishment, exercise or defence of legal claims.

5.         Right to notification (art. 19 GDPR)

If you asserted your right to rectification, erasure and/or restriction of processing against us, we are obliged in accordance with art. 19 GDPR to communicate any rectification or erasure of personal data or restriction of processing to each recipient to whom your personal data have been disclosed, unless this proves impossible or involves disproportionate effort.

You are entitled to be informed about these recipients.

6.         Right to data portability (art. 20 GDPR)

According to art. 20 GDPR, you have the right, in particular, to receive the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format, and you have the right to transmit those data to another controller without hindrance from us, where:

(1)     the processing is based on consent pursuant to art. 6 para. 1 lit. a GDPR or art. 9 para. 2 lit. a GDPR or on a contract pursuant to art. 6 para. 1 lit. b GDPR; and

(2)     the processing is carried out by automated means.

In exercising this right, you have the further right to have the personal data transmitted directly from one controller to another, where technically feasible. This right may not adversely affect the rights and freedoms of others.

7.         Right to object

If the personal data concerning you are processed for direct marketing purposes, e.g. in newsletters, you have the right to object at any time to the processing of these data for such marketing; this includes profiling to the extent that it is related to such direct marketing.

If you object to processing for direct marketing purposes, the personal data may no longer be processed for such purposes.

You generally have the right to object at any time, on grounds relating to your particular situation, to processing of personal data concerning you which is based on art. 6 para. 1 lit. e or f GDPR , including profiling based on those provisions.

In such a case, we will not process the personal data concerning you any longer, unless we can demonstrate compelling legitimate grounds for the continuous processing that override your interests, rights, and freedoms, or for the establishment, exercise or defence of legal claims.

In the context of the use of information society services, you have the possibility – notwithstanding Directive 2002/58/EC – to exercise your right to object by automated means using technical specifications.

8.         Right to revocation of your consent to data processing

You have the right to revoke your consent to data processing at any time. However, such revocation will not affect the lawfulness of processing before revocation of the consent.

9.         Automated decision in the individual case including profiling

You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or affects you significantly in a similar way. Only for the sake of completeness do we refer to art. 22 GDPR whose application we would of course accept if it applies.

10.       Right to complaint to a supervisory authority

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data relating to you infringes GDPR.

Since lodging such a complaint is possible at several places, we offer an official list of all data protection officers with their contact data. Please follow the links of the Federal commissioner for information and data protection, Bonn: https://www.bfdi.bund.de/DE/Infothek/Anschriften_links/anschriften_links-node.html (Sorry, only German text available). The supervisory authority with which the complaint was lodged will inform you, the petitioner, about the status and results of the complaint, including the possibility of a judicial remedy pursuant to art. 78 GDPR.

 

Last amended: 24 May 2018