Your security is the highest priority

PRIVACY POLICY FOR THE ONLINE SHOP OF B&B HOTELS GERMANY GMBH

Status: July 2018

With the following data protection declaration, we would like to inform you about the type, scope and purposes of the processing of personal data in the online shop on the website https://www.hotel-bb.com/de/shop/deutschland (the "Online Shop"), operated by B&B Hotels Germany GmbH, Altkönigstraße 10, 65239 Hochheim am Main ("B&B", "we", "us" or "our").

1. Responsible person

B&B is the controller within the meaning of the General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016; "DS-GVO").

2. Processing of personal data

2.1 To place an order in our online shop, you must provide us with your name, address, date of birth and email address. On a voluntary basis, you can provide your telephone number so that we can contact you more quickly if we have any queries about your order.
In addition, it is necessary to provide payment data. The data collected depends on the payment method you have chosen. If you have chosen the credit card payment method, you will have to provide your credit card number, expiry date and the check digit.
We process your personal data only to the extent necessary for processing and accepting your orders, processing and shipping your orders and fulfilling our contractual obligations. We need your e-mail address to send you order and shipping confirmations as well as the invoice and - in the case of the purchase of a voucher - to send you a purchased voucher. Your payment details will be processed to make the payment.
In the event that you purchase a voucher in the online shop, we store the voucher code, the voucher amount, the date of issue as well as the redemption transactions carried out with the voucher code as well as remaining amounts.
The legal basis for the processing of your personal data described in this section 2.1 is the preparation and execution of our purchase contract with you (Art. 6 para. 1 lit. b) DS-GVO).
2.2 When you visit the online shop, the following data is also transmitted to us in server log files:
- Browser type, language and version,
- operating system used,
- website from which you visit us (referrer URL),
- website you visit,
- amount of data transferred
- Date and time of your access,
- your internet protocol (IP) address.
This data is collected for system security purposes, in particular to defend against attempted attacks on our servers and the online shop. The legal basis for this processing is Art. 6 para. 1 lit. f) DS-GVO. The legitimate interest pursued by us is the prevention of fraudulent or illegal activities and the protection of our systems and servers.
You have the right to object to this type of data processing at any time on grounds relating to your particular situation. To exercise this right, you can contact us at any time using the contact details provided in section 7.

3. Passing on personal data to third parties

3.1 We pass on your personal data to our shipping service providers (DHL, UPS) in order to deliver the products you have ordered. The legal basis for this processing is the performance of our purchase contract with you (Art. 6 para. 1 lit. b) DS-GVO).
3.2 In accordance with the applicable data protection regulations, B&B uses the following external processors (Art. 28 DS-GVO) acting on behalf of B&B and providing services in connection with our online shop:
- INCERT eTourismus GmbH & Co KG, Leonfeldner Straße 328, 4040 Linz, Austria: technical service provider of the online shop;
- Concardis GmbH, Helfmann-Park 7, 65760 Eschborn, Germany
- TourismusSuite GmbH, Hamtorstraße 9, 41460 Neuss: technical service provider
- Hess & Co. GmbH, Borsigstraße 1, 63110 Rodgau: logistics service provider for the online shop
These processors have access to your personal data, but may only use it on our instructions and for the purposes of order processing.
3.3 If you use the PayPal payment service, we will forward your name, delivery address, email address and shopping cart details to PayPal (Europe) S.à r.l. et Cie, S.C.A. 22-24 Boulevard Royal L-2449 Luxembourg ("PayPal") so that PayPal can process the payment. The legal basis for this processing is the execution of our purchase contract with you (Art. 6 para. 1 lit. b) DS-GVO).
3.4 If you choose the payment method credit card, your payment will be processed via the payment service "SaferPay" of SIX Payment Services (Germany) GmbH, Langenhorner Chaussee 92-94, 22415 Hamburg ("SaferPay"). In order for SaferPay to process your payment, your credit card information is collected directly from SaferPay and processed there. No credit card information is stored on our server. The legal basis for this processing is the execution of our purchase contract with you (Art. 6 para. 1 lit. b) DS-GVO).
3.5 The credit card transaction is settled via the payment service provider Concardis GmbH, Helfmann-Park 7, 65760 Eschborn ("Concardis"), which acts as a so-called acquirer. In order for Concardis to be able to settle your credit card transaction, your credit card data will be collected by Concardis and processed there. The processing is carried out on the legal basis of the execution of our purchase contract with you (Art. 6 para. 1 lit. b) DS-GVO).

4. Use of cookies

4.1 Information on cookies and their use on our website can be found in the general data protection declaration for our website https://www.hotel-bb.com/de/datenschutzbestimmungen.
4.2 In the online shop, we use a session cookie that saves your selection of goods in the shopping basket and the payment method you have selected as part of the ordering process. The legal basis for our use of this cookie is the preparation or execution of our purchase contract with you (Art. 6 para. 1 lit. b) DS-GVO).

5. Storage period

5.1 In the event of a cancellation of the purchase or order process, the data stored by us will be deleted after 14 days.
5.2 In the event of a contract being concluded, we will only store your personal data for as long as is necessary to achieve the purposes for which they were collected, or - if there are any legal storage obligations beyond this - for the duration of the legally prescribed storage period. Afterwards, your personal data will be deleted. Retention obligations arise for reasons of commercial and tax law. According to legal requirements, data is stored for six (6) years in accordance with Section 257 (1) of the German Commercial Code (commercial letters, accounting documents) and for ten (10) years in accordance with Section 147 (1) of the German Fiscal Code (accounting documents, commercial and business letters, documents relevant for taxation).
5.3 If you exercise your right to object to the processing of your personal data, we will delete your personal data immediately, unless there is another legal basis for the processing and storage of this data.
5.4 Information in the log files pursuant to section 2.2 will be stored for a maximum period of 12 months for security reasons and then deleted.

6. Your rights under the GDPR

In particular, you may have the following rights under the GDPR:
- Right of access: you have the right to request information at any time about whether we are processing personal data about you and, if so, to request information about that personal data. To exercise this right, you may contact either us directly or our Data Protection Officer at any time using the contact details set out in section 7 above.
- Right to rectify your personal data: When we process your personal data, we will endeavour to take reasonable steps to ensure that your personal data is accurate and up to date for the purposes for which it was collected. In the event that your personal data is inaccurate or incomplete, you may request that it be corrected. To exercise this right, you can contact either us directly or our Data Protection Officer at any time using the contact details set out in section 7 above.
- Right to erasure or restriction of processing: You may have the right to request the erasure of your personal data or the restriction of its processing. To exercise this right, you may contact either us directly or our Data Protection Officer at any time using the contact details set out in section 7 above.
- Right to data portability: where applicable, you have the right to obtain the personal data concerning you that you have provided to us in a structured, commonly used and machine-readable format or to transfer this data to another controller. To exercise this right, you can contact either us directly or our data protection officer at any time using the contact details listed in section 7.
- Right to object: You have the right to object to the processing of your personal data, as detailed in this Privacy Policy.
- Right to lodge a complaint with a supervisory authority: You have the right to lodge a complaint with a supervisory authority within the European Union. You can contact the Hessian Commissioner for Data Protection and Freedom of Information.

7. Contact details and data protection officer

7.1 If you have any questions about this privacy policy or about the processing of your personal data by us, or if you wish to exercise your rights under the GDPR, you can contact us at any time: By post at B&B Hotels Germany GmbH, Altkönigstraße 10, 65239 Hochheim am Main, by email at datenschutz@hotelbb.com or by telephone at +49 (0) 6146 9090 0.
7.2 You can also contact our data protection officer at any time: By e-mail to datenschutz@hotelbb.com or by post to B&B Hotels Germany GmbH, Der Datenschutzbeauftragte, Altkönigstraße 10, 65239 Hochheim am Main.