GDPR information and instructions for
guests (customers) of the bars / restaurants / hotels of Kuffler Group
on processing of personal data of customers
The following information and instructions are based on the EU General Data Protection Regulation ("GDPR"). This information and these instructions relate to personal data (hereinafter referred to as "data") which we collect and otherwise process (as to the definition of "processing" see art. 4 no. 2 GDPR) within the framework of your stay and/or preparation of your stay in one of our restaurants and/or hotels operated by a company of Kuffler Group, which are:
(1) Roland Kuffler GmbH, Residenzstrasse 12, 80333 München, telephone +49.89. 290 705-0, fax +49.89. 294 076, [email protected]
(2) Mangostin Asia Gastronomie- und Handelsgesellschaft mbH & Co. Betriebs KG, other data as in number (1)
(3) Kuffler Inn Design GmbH, other data as in number (1)
(4) Haus Kuffler GmbH & Co.KG, other data as in number (1)
(5) Kuffler Catering Service GmbH & Co. KG, other data as in number (1)
(6) Kuffler Weinzelt GmbH, other data as in number (1)
(8) Kuffler AOF Restauration GmbH & Co., Opernplatz 1, 60313 Frankfurt am Main, telephone +49. 69. 1340 215, fax +49. 69. 1340 239, [email protected]
(9) Schlossschänke auf dem Johannisberg
(10) Kuffler und Bucher GmbH & Co. KG, other data as in number (7) with [email protected]
(11) Kuffler Airport Gastronomiegesellschaft mbH & Co, other data as in number (7) with [email protected]
(12) Tangente Frankfurt GmbH & Co, other data as in number (7) with [email protected]
(13) Kuffler CC Gastro GmbH, Hildastrasse 25, 65189 Wiesbaden, telephone +49.611. 172 917 0, fax +49.611. 172 952 171, [email protected]
– hereinafter: "Kuffler" or "we"/"our" –
Since we often refer to the GDPR in this information, here is the link to the official text of the GDPR, including the 173 recitals of the EU introducing its provisions (the recitals are the official grounds for the law). You can download the GDPR in the HTML and/or PDF format in all EU languages under the following link: https://eur-lex.europa.eu/legal-content/DE/TXT/?uri=celex%3A32016R0679.
1. Controller within the meaning of GDPR, data protection officer
The controller within the meaning of art. 4 no. 7 GDPR is the respective company of Kuffler Group (see above): when enquiring / booking / staying in one of our bars/restaurants/hotels, it is the company with which you enter into a contractual relationship on the performance of bar / restaurant and/or accommodation services and other additional services, including the preparation of such services – this company is mentioned on your cash receipt, receipt, bill, or similar document evidencing the service(s) performed. It is also possible to assign the various operations / restaurants / hotels to any of the above-listed companies when you consult the imprint under www.kuffler.de, see https://www.kuffler.de/en/imprint.php – which explains in detail which restaurant is operated by which one of the above-listed companies, i.e. with which company you entered into a contract in this particular case, and which company provides additional information.
The data protection officer is:
For the companies listed under numbers (1) to (6): Eberhard Mayer, c/o Roland Kuffler GmbH, Residenzstr. 12, 80333 München, email: [email protected], Tel.: 089 . 290 705-0
For the companies listed under numbers (7) to (12): Jens Speth, c/o Kuffler Gruppe, Kurhausplatz 1, 65189 Wiesbaden, email: [email protected], Tel.: 0611 . 34153120
2. Definition of personal data and categories concerned
The legal definition of personal data can be found in art. 4 no. 1 GDPR, further explanations thereon in the recital no. 26 of GDPR.
Personal data, hereinafter in short "data", include any information that can be used to identify a natural person or can be assigned to a natural person, such as your name, address, phone number. Since the definition of such data by the GDPR is extensive, they may also include data with which a natural person can be identified, if not directly and immediately, but at least at a reasonable expenditure (of time, technology, general discretion, etc.). Company data do not count as personal data, when these data do not contain any information about natural persons, such as a simple company address without indication of a concrete addressee, e.g. an email address like "[email protected][company name].de/.com".
When we process data, the following data categories are concerned:
Key personal data (name, address, communication data (telephone, email, etc.));
Key contractual data (purpose, object, and term of the contract, purchased services, peculiarities relevant for our services);
Other contract invoicing and/or payment data.
3. Processing of data, purpose
The legal definition of data processing can be found in art. 4 no. 2 GDPR (key word: "processing"). According to this definition:
"'processing' means any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or any other form of availability, alignment or combination, restriction, erasure or destruction".
We process personal data within the framework of contractual relationships relating to the purchase of our services, regardless of whether one-time or recurrent, and within the framework of the preparation for such services (the latter among others within the framework of reservations/bookings, non-committal enquiries about free capacities for specific dates, etc.). Furthermore, we process data for accounting purposes, of course.
Purpose of processing:
According to the above, the collected data are processed for the purposes of:
(1) internal planning of our contractual relationship with you (including other guests/customers who are also covered by the contract, e.g. family members, etc.), including preparation of the services agreed in the contract, organisation of bar/restaurant and/or other services as well as events (e.g. banquets and/or catering). Any other purposes of processing arise from the respective contract concluded with you;
(2) performance of mutual obligations under the contract and their control. Such obligations may include accessory duties, e.g. particular duties of care or performance vis-à-vis our guests resulting from individual and personal particularities or, in the case of hotel services, supporting you in complying with your registration duties under statutory regulations (e.g. your duty to official registration when checking in pursuant to § 29 para. 2 phrase 1 Federal Registration Act – in German: Bundesmeldegesetz).
In particular, we also use data to perform our duties under the contracts concluded with you, and to invoice our services to you. In addition, we must meet our information duties vis-à-vis authorities, if necessary.
4. Use, purpose of processing, and disclosure of personal data
We disclose data, to the required extent, only to those third/external parties with which we must cooperate in order to perform specific services for you, as well as to other external providers of data processing (so-called [third-party] "processors" within the meaning of art. 4 no. 8 GDPR – for more details on this topic see below).
All our internal employees are bound to keep the data secret in accordance with § 53 Federal Data Protection Act – in German: Bundesdatenschutzgesetz, BDSG.
All external service providers entrusted with processing your data (“processors” see above) are also bound to keep your data secret and confidential and protect your interests, in particular under third-party processing contracts (art. 28 GDPR). Under such a contract, we have the contractual and binding right to issue instructions to processors on how to treat your data.
We process data in accordance with the provisions of GDPR and the Federal Data Protection Act (BDSG) enacted in order to implement GDPR. According to the provisions of these statutes, our processing of personal data is statutorily justified for the following purposes:
a) to perform contractual duties (art. 6 para. 1 lit. b 1st alternative GDPR) or its preparation (art. 6 para. 1 lit. b 2nd alternative GDPR). Within this framework, we also disclose data to the above-mentioned internal and/or external persons, to the required extent;
b) for legitimate interests (art. 6 para. 1 lit. f) GDPR)
To the permitted extent, we also process your data beyond fulfilment of the contract in order to safeguard our legitimate interests, provided that this is not contrary to your overriding data protection interests. Examples:
measures for business control and development of services;
review and optimization of demand analysis;
assertion of legal claims and defence in litigation cases;
ensuring IT security and smooth IT operations;
preventing and investigating criminal acts.
c) If you have given your consent to such processing (art. 6 para. 1 lit. a GDPR)
To the extent that you consented to our processing data for specific purposes (e.g. your special consent to receive newsletters when filling out the registration form of a hotel), such processing is lawful under art. 6 para. 1 lit. a GDPR. You may revoke your consent at any time. Any data processing carried out up to such revocation remains legal, however.
d) On the basis of statutory requirements (art. 6 para. 1 lit. c GDPR) – above all the data query on registration forms connected with hotel check-in and their further processing: such processing is bindingly stipulated by § 29 para. 1 phrase 1 in conjunction with § 30 para. 2 and para. 4 of the Federal Registration Act.
e) In addition, we are subject to various legal obligations, i.e. statutory requirements (e.g. commercial law, tax laws, etc.: storage of accounting data pursuant to § 147 para. 3 of the Tax Code – in German: Abgabenordnung, AO – or § 257 para. 4 of the Commercial Code – in German: Handelsgesetzbuch, HGB). To the extent that data are processed thereunder, this is done exclusively on the basis of the mentioned statutory regulations.
We do not disclose your data to third parties, unless you have consented to such disclosure, or we are bound to such disclosure by statutory provisions and/or the binding order of an authority or a court of justice. The other third parties to which we disclose your data are limited to above-mentioned processors within the meaning of art. 4 no. 8 GDPR.
Hence, we do not disclose your data in countries outside the EU and/or the European Economic Area (EEA).
5. In particular: email correspondence
When you contact us by email, all data of this email correspondence, including email addresses and other data from email contents, are sent by your mail server to our mail server (and vice-versa). Our mail server is operated by the German company 1&1 Internet SE, Elgendorfer Str. 57, 56410 Montabaur, and is based in Germany. Thus, 1&1 is a processor with whom we closed an agreement on third-party data processing services (content see under https://hosting.1und1.de/hilfe/fileadmin/pdf/de_DE/data schutz/Vertrag_zur_Auftragsverarbeitung_AVV_.pdf, concluded in German, therefore only available in German). This agreement, like all our other agreements on third-party data processing, bindingly ensures that statutory data protection requirements are complied with.
1&1 does not analyse data from emails and will process them in a purely technical manner only to the extent that you and we actually trigger such technical process by computer instructions given during our email correspondence.
In this case, too, the legal basis for such processing is art. 6 para. 1 lit. b) in its two alternatives, see above, and/or art. 6 para. 1 lit. f). In the latter case, our justified interest according to GDPR is to communicate with you in an up-to-date, fast, and comprehensible way fitting the business organisation where you work. In our opinion, you do not have any conflicting overriding interest. Of course, in this case, too, you retain your rights, see Section 10 below on this issue.
We completely delete email-related data on our mail server at regular intervals, if only to gain free memory space. We durably store email-related data in our end devices (PCs, laptops, smartphones), but only access them in the case of lawful need (see above Section 4 b).
6. Catering / table / hotel reservations
When you contact one of our restaurants/hotels by other means than our websites www.kuffler.de, www.hotel-muenchen-palace.de, www.mangostin.de, www.weinzelt.com (please see the particular data protection information on each site), e.g. by email or telephone in order to enquire for services and/or bindingly reserve such services, such as a table in a restaurant, a hotel room, or a catering date/event, we generally carry out this reservation by using an automated reservation system. The collected data include:
a. number of persons;
d. first name of the reserving person;
e. last name of the reserving person;
f. if appropriate: email address;
g. if appropriate: phone number;
h. If appropriate, we ask you for voluntary indication of other wishes (e.g. allergies, preferences, etc.), and/or occasion of the reservation, and the like;
i. date and hour of the actual reservation operation.
The data entered in our reservation system are stored in the computer system of the bar/restaurant/hotel concerned and matched with other data, mainly regarding availability of the requested facilities. In no event are the data exchanged with other computer/reservation systems of other companies of our Group (see above Section 1). This processing is only aimed at generating a proposal for a date / table / room and/or a proposal for other related services or special features of such services.
The legal basis for such processing is art. 6 para. 1 lit. b GDPR, since both a reservation contract is closed and another contract (entertainment and/or accommodation contract) is prepared.
Such data processing is aimed at enabling both you and us to close an effective, reliable, and comprehensible reservation agreement and to perform it as intended. It also has the – subsequent – goal to offer you and your guests (if any, mainly if catering was ordered) in accordance with your request a stay, as pleasant and complication-free as possible, in the restaurant / hotel at the reserved time and place, matching the occasion you indicated and exactly in accordance with your special wishes.
All this will be carried out upon an enquiry sent to our competent staff.
If, after such reservation, a contract for services is concluded, your data will be kept for accounting and other subsequent purposes. We also keep the data mentioned under above letter h. because they may be needed in the course of any later communication with you (for further tuning of the reservation / coordination of services after the first contact – mainly for catering services). The aim of this concrete processing is to respond quickly, individually, and attentively to future enquiries for any restaurant or hotel services and/or catering events.
This is in the mutual interest both of the guests and our company, in particular when it comes to high-class restaurant and/or hotel and/or catering services that we are offering: you as our guest can expect, and given our long-standing experience certainly will expect, that your personal wishes and preferences are taken into consideration in the event of future reservations/bookings/orders as well, and that the required information is available in the restaurant/hotel/catering service, so that we can offer you a positive choice of recommendations for your concrete order / booking and thus meet your wishes on an individual basis. As a high-end restaurant/hotel/catering operator, our aim will always be to treat you and your wishes individually and with special attention, as you as our guest can legitimately expect. Therefore, art. 6 para. 1 lit. f GDPR is the legal basis for storing such data.
Due to this particular objective, we keep the aforementioned data stored so that we can handle your enquiries in accordance with the above also in future.
Other data will be deleted when they are no longer needed to achieve their purpose. This can be the case if an order is cancelled or after expiry of statutory limitation periods (§§ 195 et seq. of the German Civil Code - BGB) concerning accounting data, etc. To the extent that data are kept for evidence purposes, they will only be used in the event that such evidence is required.
If you decided to subscribe to our free newsletter in the check-in form of a hotel or any other operation of our Group outside our above-mentioned websites, the following information applies:
Whenever you subscribe to the newsletter and consent to its mailing, we collect the following data:
b. first name;
c. last name;
d. email address.
For an effective subscription of the desired newsletter, we protect your data interests as follows:
After your subscription, we send an email to your email address as mentioned in the subscription (confirmation mail). In the confirmation mail, you are asked to click a confirmation link. Only after this is done, will you be registered by our system as subscriber of the desired newsletter(s).
The data collected in connection with a subscription to newsletters are not disclosed to other third parties who are not processors as described above. We use these data together with those processors exclusively for mailing newsletters, for selecting the correct newsletter as requested, as well as analysing your behaviour in relation to reading online newsletters in a completely anonymized form. The results of such analysis are stored in a completely anonymized form as well.
The legal basis for processing data after subscription to newsletters by users is the user's consent (art. 6 para. 1 lit. a GDPR).
Collection of users' email addresses serves the purpose of sending the newsletter.
The confirmation mail is required in order to prevent third parties from using your email address.
Your confirmation of the subscription is stored in a digital log so that the registration process can be evidenced in accordance with the legal requirements to be complied with.
Our newsletters contain information about offers made by the above-mentioned companies of Kuffler Group.
The data will be deleted as soon as they are no longer required for achieving the purpose of their collection. Thus, the email address of the user, Mr/Ms, last name and first name will be kept stored as long as subscription to the newsletters is active, as well as its confirmation via confirmation mail.
The subscription to newsletters may be terminated by the user at any time. To do so, a corresponding link can be found at the end of every newsletter. Termination / revocation is also possible under www.kuffler.de/newsletter/anmeldung.php, where a link "cancel subscription" appears in bold letters: simply follow the instructions (by entering the email address concerned).
This procedure also revokes your consent to store personal data collected during registration; however, the lawfulness of previous data processing is not affected by the revocation.
We take all necessary technical and organisational security measures to protect your data against unauthorized access, loss, and abuse. Your data are stored in a secure operational environment not accessible to the public. Our computers are protected by firewalls and virus scanners. Our correspondence is encrypted to the necessary extent. Back-up and recovery procedures as well as role service classes and access concepts are in place. When processing data, our employees are bound to comply with data protection rules, see above (reference to § 53 BDSG). Access control mechanisms make sure that only authorized employees are granted access rights. The same applies to data processing by our processors, in particular 1&1.
9. Further information pursuant to art. 13 GDPR
As is our duty under art. 13 para. 2 lit e) and f) GDPR, we finally would like to point to the following:
- You are not bound to provide any data of any kind whatsoever, neither by statute nor by contract – which means that you are free to do so or not. However, this does not apply to those data requested when checking in to a hotel under the section "Registration form pursuant to § 30 para. 2 BMG" (which is especially mentioned in the corresponding paper form).
- In order to conclude a contract with us, you have to provide specific personal data and other data required for such contracts.
- We do not carry out any so-called "automated decision-making", including profiling, pursuant to art. 22 para. 1 and 4 GDPR, and thus not with your data either.
10. Your RIGHTS
Pursuant to art. 13 para. 2 lit. b) GDPR, you have the right to information, rectification, erasure, limitation of processing and/or objection against processing as well as the right to data portability, subject to the particular statutory prerequisites of article 15 et seq. GDPR, respectively. In detail:
a) Right to information
You may request confirmation about whether any (personal) data concerning you are processed. If so, you may request the information provided in art. 15 GDPR.
b) Right to rectification
Pursuant to art. 16 GDPR, you have a right to have your processed (personal) data rectified and/or completed, if they are incorrect or incomplete.
c) Right to restriction of processing
Under the following prerequisites (for further prerequisites see also art. 18 GDPR), you may request restriction of the processing of your (personal) data, in particular:
(1) when you contest the accuracy of your data, for a period enabling the controller to verify the accuracy of these personal data;
(2) when processing is unlawful and you oppose erasure of these personal data and instead request restriction of their use; or
(3) when you object against processing pursuant to art. 21 para. 1 GDPR, pending verification whether the controller's legitimate grounds override yours.
If processing of your data has been rightfully restricted by you as described above, these data – except their storage – may only be processed with your consent or for the establishment, exercise or defence of legal claims or for protecting rights of another natural or legal person or for reasons of important public interest of the Union or any Member State. If processing has been restricted according to the above prerequisites, you will be informed before the restriction is cancelled.
d) Right to erasure
(1) Obligation to erase, art. 17 GDPR
You may request from the respective controller that your (personal) data be deleted without undue delay, where one of the following grounds applies:
(a) your personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
(b) you revoke your consent on which the processing is based according to art. 6 para. 1 lit. a or art. 9 para. 2 lit. a GDPR, and where there is no other legal ground for the processing;
(c) you object to the processing pursuant to art. 21 para. 1 GDPR, and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to art. 21 para. 2 GDPR;
(d) the personal data have been unlawfully processed;
(e) erasure of your data is required to comply with a legal obligation of Union or Member State law to which the controller is subject (generally: Germany);
(f) your data have been collected in relation to the offer of information society services pursuant to art. 8 para. 1 GDPR.
(2) Information to third parties
Where the controller has made your data public and is obliged to erase them pursuant to art. 17 para. 1 GDPR, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers processing your personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.
You have no right to erasure to the extent that processing is required
(a) for exercising the right of freedom of expression and information;
(b) for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(c) for reasons of public interest in the area of public health pursuant to art. 9 para. 2 lit. h and i as well as art. 9 para. 3 GDPR;
(d) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with art. 89 para. 1 GDPR, in so far as the right referred to in section (a) is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
(e) for the establishment, exercise or defence of legal claims.
e) Right to notification (art. 19 GDPR)
If you have asserted your right to rectification, erasure and/or restriction of processing, the controller is obliged to communicate any rectification or erasure of personal data or restriction of processing to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort.
You have the right to be informed about these recipients by the controller.
f) Right to data portability (art. 20 GDPR)
According to this provision, you have in particular – for more detail see art. 20 GDPR – the right to receive the data provided by you in a structured, commonly used and machine-readable format and to transmit those data to another controller without hindrance from the controller to which the personal data had been provided, where
(1) the processing is based on consent pursuant to art. 6 para. 1 lit. a GDPR or art. 9 para. 2 lit. a GDPR or on a contract pursuant to art. 6 para. 1 lit. b GDPR, and
(2) the processing is carried out by automated means.
The exercise of your right to data portability pursuant to paragraph 1 may not adversely affect the rights and freedoms of others.
g) Right to object
If your data are processed for direct marketing purposes, e.g. newsletters, you have the right to object at any time to processing of your personal data for such marketing, which includes profiling to the extent that it is related to such direct marketing.
If you object to processing for direct marketing purposes, the personal data may no longer be processed for such purposes.
You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data which is based on art. 6 para. 1 lit. e or f GDPR; this also applies to profiling based on those provisions.
The controller may no longer process the personal data unless he demonstrates compelling legitimate grounds for the processing, which override your interests, rights and freedoms, or the processing serves the establishment, exercise or defence of legal claims.
In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, you may exercise your right to object by automated means using technical specifications.
h) Right to revocation of the consent to data processing
You have the right to revoke any declaration of consent to the processing of your data at any time. This revocation of consent will not affect the lawfulness of the processing effected before revocation of consent.
i) Automated decision in the individual case including profiling
You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. Only for the sake of completeness do we refer to art. 22 GDPR.
j) Right to lodge a complaint with a supervisory authority
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of your personal data infringes GDPR.
Since several places are possible, we offer you an official list of all data protection officers with their contact data. To this end, please click the following link of the Federal Commissioner for Information and Data Protection, Bonn: https://www.bfdi.bund.de/DE/Infothek/Anschriften_links/anschriften_links-node.html (sorry again, only German text available). The supervisory authority with which the complaint has been lodged will inform you on the progress and outcome of the complaint including the possibility of a judicial remedy pursuant to art. 78 GDPR.