+49 (0) 89 23 11 660 | 
 info@deutsche-eiche.de

Privacy Notice

 

Our aim is to provide you with a comprehensive overview of how we process your personal data and to inform you of your data protection rights. We have listed the most commonly used terms below to make it easier for you to read this Privacy Policy.

Consent: 'Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.' – article 4 paragraph 11 GDPR

Controller: 'Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.' – article 4 paragraph 7 GDPR

Data subject: The term 'data subject' refers to any identified or identifiable natural person whose personal data are processed by the controller responsible for the processing.

Filing system: 'Filing system means any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis.' – article 4 paragraph 6 GDPR

General Data Protection Regulation (GDPR): The General Data Protection Regulation (GDPR) is a binding legal standard of the European Union. It regulates the processing of personal data by most data controllers responsible for processing across the EU.

Personal data: 'Personal data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.' – article 4 paragraph 1 GDPR

Personal data breach: 'Personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.' – article 4 paragraph 12 GDPR

Processing: 'Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.' – article 4 paragraph 2 GDPR

Processor: 'Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.' – article 4 paragraph 8 GDPR

Profiling: 'Profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.' – article 4 paragraph 4 GDPR

Recipient: 'Recipient means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not.' – article 4 paragraph 9 GDPR

Restriction of processing: 'Restriction of processing means the marking of stored personal data with the aim of limiting their processing in the future.' – article 4 paragraph 3 GDPR

Supervisory authority: 'Supervisory authority means an independent public authority which is established by a Member State pursuant to article 51.' – article 4 paragraph 21 GDPR

Third party: 'Third party means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.' – article 4 paragraph 10 GDPR

 

 

1.            GENERAL INFORMATION ON THE PROCESSING OF PERSONAL DATA IN OUR COMPANY

We would like to provide you with detailed information about our Privacy Policy in the interests of transparency and in accordance with articles 13 and 14 of the General Data Protection Regulation (GDPR).

 

1.1.         Responsible for data processing

The party responsible for data processing on this website pursuant to article 4 paragraph 7 GDPR and service provider as defined by the German Telemedia Act (TMG) is


Deutsche Eiche Gärtnerplatz GmbH

Reichenbachstraße 13

80469 Munich

Phone: +49 89 23 11 66 0

Fax: +49 89 23 11 66 69

Email: info@deutsche-eiche.de  

Website: www.deutsche-eiche.de  


For full information pursuant to § 5 TMG please see our Legal Notice.

 

1.2.         Contact details of the data protection officer at the Deutsche Eiche

Mr Blagadusha

TÜV-certified data protection officer 

 

Deutsche Eiche Gärtnerplatz GmbH

Reichenbachstraße 13, 80469 Munich

E-mail (direct): philipp.blagadusha@deutsche-eiche.de   

E-mail (department): datenschutz@deutsche-eiche.de  

 

1.3.         Data collected

1.3.1.      Hotel

1.3.1.1.  Reservation process

When making a booking, whether online through our website, through an online booking platform (such as Booking.com or Expedia.de), through a travel agent, by telephone, by email or directly at the hotel, the following personal data are processed: name, surname, email address, postal address, telephone number, arrival and departure dates, reservation number, name and surname of your fellow travellers, credit card type, credit card number and its expiry date, if applicable, additional room preferences (e.g. facing the courtyard/street, quiet, with bath, hypoallergenic bedding etc.).

 

1.3.1.2.  Check-in and checkout

Upon arrival and departure, we collect and process the following personal data: name, surname, email address, postal address, billing address (if different), telephone number, arrival and departure dates, reservation number, date of birth, passport number, name and surname of your fellow travellers, credit card type, card number and its expiration date, additional room preferences if requested (e.g. facing the courtyard/street, quiet, with bath, hypoallergenic bedding, etc.).

 

1.3.1.3.  Hotel stay

While staying at the hotel, guests often visit our restaurant, roof rooftop and sauna, and use other services, including massage, taxi orders and printing of boarding passes. To provide these services, we process the following personal data if necessary: eating habits, dietary requirements, allergies and intolerances, room number, payment information, travel information (such as flight number), and additional contact information (e.g. for returning forgotten items). CCTV cameras (see 1.3.6.) are in place in some designated areas of our business.

 

1.3.1.4.  Cancellations and no-shows

In the event of a cancellation or no-show, we process personal data such as name, surname, email address, postal address, (if different) billing address, telephone number, arrival and departure dates, reservation number, and the names of your fellow travellers.

 

1.3.2.      Sauna

In general, we do not collect or process any personal data during your visit to our sauna unless you

  • pay by credit or debit card;
  • make an appointment for a massage;
  • contact us by telephone, letter or email.

We may collect and process personal data about you at such times, including names, surnames, telephone numbers, email addresses and payment details. We have CCTV cameras (see 1.3.6.) in some designated areas of our premises.

 

1.3.3.      Restaurant

The following personal data are required to reserve a table in our restaurant: name, surname, telephone number, email address, dietary requirements and intolerancees (if applicable) and room number (for hotel guests). If paying by card we will collect and process the necessary payment information. We will only collect information such as your address if necessary for billing purposes and at your request. Some designated areas are subject to CCTV (see 1.3.6).

 

1.3.4.      Rooftop terrace

During your visit to the rooftop terrace, we may collect and process the following personal data: name, surname, telephone number, email address (only for events and groups), information about allergies and intolerances, if applicable. If paying by card we will collect and process the necessary payment information. We will only collect information such as your address if necessary for billing purposes and at your request. Some designated areas are subject to CCTV (see 1.3.6).

 

1.3.5.      Vouchers

When purchasing a gift or monetary voucher in person or online, we will collect the following data: name, surname, telephone number and email address. If paying by card we will collect and process the necessary payment information. We will only collect information such as your address if necessary for billing purposes and at your request.

 

1.3.6.      CCTV

Our company operates a multi camera, multi-screen, digital CCTV system, which is monitored in the public areas. The following data are collected as part of the footage: image data, timestamp (date and time) and location of the cameras. Guests, employees of Deutsche Eiche, suppliers, and other persons present in those areas are affected. All available cameras are labelled with corresponding information signs in accordance with article 13 GDPR in A4 format. At the main entrance, there is a notice in A3 format with detailed information. Our CCTV policy is available for inspection at the reception desk (German only). The data processing is carried out for the purpose of exercising the right to property, preventing criminal offenses (e.g. burglary, property damage, theft, drug offenses), and securing evidence in the event of criminal offenses. The legal basis for data processing is Art. 6(1)(f) of the GDPR (publicly accessible areas) and § 26(1) sentence 1 of the BDSG (non-publicly accessible areas). The overriding legitimate interests of our company arise from our obligation to ensure our guests a safe stay, from our interest in enforcing our material and immaterial claims as well as protecting our rights and defending against unfounded claims. Potential recipients of the data are law enforcement agencies as well as persons or companies that we entrust with the exercise of our rights, such as solicitors. Transfer of the data to third countries or international organisations is not intended. If a recording of CCTV footage is made, this is deleted after a period of 48 hours. Only if this is necessary on a case-by-case basis to assert legal claims or to prosecute criminal offenses, a longer storage for evidentiary purposes will be carried out. Once the purpose of further storage has been achieved, these data will also be deleted. The rights of the data subjects can be found in section 1.10. of this Privacy Policy. 

 

1.3.7.      Public events with photo and video recordings

In the context of public events, we intend to report on them using photo and video recordings. The following data will be collected: photos and videos, timestamps (date and time) and the location of the event. Visitors, employees of Deutsche Eiche, suppliers and other persons present at the event are affected. In this regard, appropriate A3 format signs will be displayed at each public event to indicate the creation of photo and video recordings. The legal basis for the production and use of photos and videos is derived from article 6 paragraph 1 point f GDPR (legitimate interests) and § 23 KunstUrhG (German Copyright Law for Works of Art and Photography). We reserve the right to send photos and videos to the local media with a request for publication as part of our press work. We will also publish photos and videos on our website and our company accounts on Facebook/Instagram. Data recipients are:

  • Website: visionbites GmbH – Internet Agency & Typo3 Agency Munich, Pappenheimstraße 3, 80335 Munich, Germany
  • Facebook/Instagram: Meta Platforms Ireland Limited 4 Grand Canal Square Grand Canal Harbour Dublin 2, Ireland

A further aim is to use the photos and videos taken for internal documentation purposes. The duration of storage (publication) will depend on the information value of the footage and the public interest in the event. Individual photos are archived internally and encrypted for a longer period under restricted processing. This is done to protect our copyright claims to the photos we have taken and, where appropriate, for future publication in our business chronicle to tell the story of our company.

 

1.3.8.      Applications

To carry out the application process, we collect and process the candidate’s personal data. This processing may take place electronically, if the candidate submits the relevant application documents by email.

If an employment contract is concluded with the candidate, the transmitted data will be stored in accordance with the applicable legal provisions for the purpose of processing the employment relationship.

In the event of a rejection, the application documents will be automatically deleted after six months unless there are other legitimate interests of the data controller for processing the data. Such legitimate interests could include, for example, an obligation to provide evidence as part of a procedure under the German General Equal Treatment Act (AGG). Printed application folders will be returned as they are the property of the applicant.

 

1.4.         Lawfulness of processing

In accordance with the General Data Protection Regulation (GDPR), the current German Federal Data Protection Act (BDSG (neu)) and other relevant laws, we process your personal data for the purposes set out below and on the legal grounds set out below:

  • To process and manage room enquiries and reservations and to fulfil our contractual obligations arising from  your reservation confirmation, including your stay at the hotel and settling the payment. In particular, this includes tracking your use of our services, such as table reservations, consumption of food and beverages, use of telephone services, sauna, massages, etc. The legal basis for this is article 6 paragraph 1 point b  GDPR.
  • To fulfil a legal obligation to which our company is subject as a responsible entity, such as reporting and tax laws or accounting obligations. The legal basis for this is article 6 paragraph 1 point c GDPR.
  • To maintain, ensure and improve the quality of our services. This includes, in particular, conducting and evaluating satisfaction surveys and guest feedback, as well as processing your personal data in our central guest database in order to recognise you as a returning guest, to better assess your needs and wishes, to improve the quality and individuality of our communication with you, and to create tailor-made offers for you. The legal basis for this is article 6 paragraph 1 point f GDPR. Our overriding legitimate interests arise from the contractual clauses of the reservation confirmation with you, which constitute a significant and fair relationship within the meaning of Recital 47 GDPR.
  • To protect our property rights, to prevent and investigate criminal offences, to assert and defend legal claims and interests in legal disputes, and to ensure IT security. The legal basis for this is article 6 paragraph 1 point f GDPR. Our overriding legitimate interests arise from our obligation to ensure a safe stay for our guests, as well as our interest in enforcing our tangible and intangible claims, protecting our rights and defending ourselves against unjustified claims. According to Recital 47 GDPR, the processing of personal data is also a legitimate interest of our company when it is necessary for fraud prevention.
  • To process the purchase of vouchers. The legal basis for this is article 6 paragraph 1 point b GDPR.

 

1.5.         Minors and privacy

Please note that without the consent of a parent or guardian, individuals under the age of 18 should not provide any personal information to us. In any event, we will not knowingly collect or process personal data from children and young people, or disclose such data to third parties without their consent.

 

1.6.        Communication by email and fax

Please note that sending unencrypted emails and possibly faxes is considered insecure as it allows unauthorised persons to access and potentially manipulate the contents of the email or fax. We therefore recommend that you do not send confidential information to us by email or fax. If it is necessary to send confidential information by email, please use encryption (preferably AES-256 encryption).

 

1.7.               Sharing of data

For the purposes indicated in 1.4., your personal data may be communicated to the following recipients or categories of recipients, to the extent permitted by article 4 paragraph 9 GDPR:

  • Only those departments within our company that need access to your data to fulfil our contractual and legal obligations will have access to your data.
  • Service providers (within the framework of data processing in accordance with article 28 GDPR) and agents commissioned by us may also receive personal data for the above-mentioned purposes. These service providers/agents are companies in the fields of credit and payment processing, IT services, logistics, printing, telecommunications, debt collection, consultancy, and sales and marketing. Our list of service providers and order processors is updated on an ongoing basis.
  • In addition, personal data may be disclosed to government agencies (e.g., tax authorities, and law enforcement agencies) when required by law.
  • Other entities may also be recipients of your data if you have provided us with your consent for data disclosure under Art. 6(1)(a) of the GDPR.

 

1.8.         Third-country data transfer

The transfer of personal data to entities located in countries outside the European Union (hereinafter 'third countries') will only take place under the following conditions:

  • to the extent strictly necessary for the execution of your reservation and the processing of your stay at the hotel,
  • as required by law, or
  • if you have given us your consent to do so.

Our company has partners (travel agencies/booking portals) located in third countries or belonging to an international group with offices located in third countries or working with service providers located in third countries. These are always secure third countries. Transferring personal data to such service providers is only permitted if the European Commission has decided that the relevant third country provides an adequate level of protection (pursuant to article 45 GDPR). If the European Commission has not made such a decision, our company or the service provider may only transfer personal data to a third country or an international organisation if adequate safeguards are in place and if enforceable rights and effective remedies are provided (see article 46 paragraph 1 GDPR).

Our company will not transfer personal data to entities in third countries or international organisations outside the cases mentioned above.

 

1.9.         Data retention

We use your personal data exclusively for the fulfilment of our contractual and legal obligations and store it only for the period necessary for these purposes. Once these data are no longer needed, a delition takes place regularly. Nevertheless, we would like to point out that there are commercial and tax retention obligations which require temporary further processing. These retention periods can range from six months to ten years. They depend on the type of data and the relevant legislation, such as the German Commercial Code (HGB) or the German Fiscal Code (AO).

 

1.10.       Rights of the individual

The data subject also has rights under the GDPR. These consist of the right to be informed, the right of access, the right to rectification, the right to erasure, the right to restrict processing, the right to data portability, the right to object, the right to lodge a complaint.

 

1.10.1.   Right to be informed pursuant to article 15 GDPR

You may request information from us as to whether and to what extent we process your data. The restrictions of § 34 BDSG (neu) apply to the right to be informed.

 

1.10.2.   Right to rectification pursuant to article 16 GDPR

You can ask us to correct or complete your data at any time if it is incomplete or inaccurate.

 

1.10.3.   Right to erasure pursuant to article 17 GDPR

If we process your data unlawfully or if the processing is disproportionate to your legitimate interests, you have the right to request that we delete your data. Please note that there may be reasons that preclude immediate deletion, such as legal retention obligations. Regardless of whether you exercise your right to erasure, we will delete your data immediately and completely if there are no statutory or regulatory retention periods. In addition, the restrictions of § 35 BDSG (neu) apply to the right of deletion.

 

1.10.4.   Right to restriction of processing pursuant to article 18 GDPR

Pursuant to article 18 GDPR, you may request us to restrict the processing of your personal data if any of the following applies:

  • You dispute the accuracy of the personal data for a period of time that allows us to verify the accuracy of the data.
  • The processing of your personal data is unlawful, but you refuse to have it deleted and instead request a restriction on the use of the data.
  • We no longer need the personal data for the purposes collected, but you need these data to establish or defend legal claims.
  • You have objected to the processing of your personal data.

 

1.10.5.   Right to data portability pursuant to article 20 GDPR

The right to data portability allows you to request that we provide you with the data you have provided to us in a structured, commonly used and machine-readable format. You also have the right to transfer this data to another controller without hindrance from us, provided that the following conditions are met:

  • The processing of your data is based on your consent, which you may revoke at any time, or for the performance of a contract between us.
  • The processing is carried out using automated procedures.

Where it is technically possible for us to do so, we have to give you the option of transferring your data directly to another controller. 

 

1.10.6.   Right to object pursuant to article 21 GDPR

You have the right to object to the processing of your data at any time on grounds relating to your particular situation (withdrawal of consent) where we process your data on the basis of a legitimate interest. This right also applies to data processing based on these provisions that involves profiling. In this case, we will no longer process your data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing is necessary for the establishment, exercise or defence of legal claims. You have the right to object at any time without giving reasons for the processing of your data for the purposes of direct marketing. You have the right to withdraw your consent at any time if the data processing is based on your consent.

 

1.10.7.   Right to lodge a complaint pursuant to article 77 GDPR

If you believe that we have breached German or European data protection regulations in the processing of your personal data, please contact us immediately to clarify any uncertainties. Of course, you also have the right to lodge a complaint pursuant to article 77 GDPR in conjunction with § 19 BDSG neu (German Federal Data Protection Act – new version) with a data protection supervisory authority. You can either contact the data protection authority responsible for your place of residence or country, or the data protection authority responsible for us. The data protection authority responsible for Deutsche Eiche GmbH is the Bayerisches Landesamt für Datenschutzaufsicht. We would like emphasise that we always endeavour to comply with all data protection regulations and work closely with the relevant data protection authorities to this end.

If you wish to exercise any of the above rights (1.10.1. – 1.10.7.), please contact the data protection officer of Deutsche Eiche Gärtnerplatz GmbH named in section 1.2. In case of doubt, we may request further information to confirm your identity. We are legally obligated to process your request within one month. In exceptional cases, the processing may take up to three months. If this is the case, we will inform you within one month that the processing of your request will take more time. We will provide detailed reasons for the delay.

 

1.11.       Your obligation to provide data

You must provide us with the personal information that is necessary to enter into and perform the reservation contract or that we are legally required to collect in order for us to fulfil our contract with you. We may not be able to fulfil the contract if you do not provide us with this information. In order to fulfil our reporting obligations, we are obliged to collect certain personal data for your registration by means of a registration form in accordance with § 30 (2) of the German Federal Registration Act (Bundesmeldegesetz).

 

1.12.       Automated decision-making and profiling 

We will not make decisions based solely on automated processing, including profiling, that are legally significant to you in the establishment and performance of the contract or that significantly affect you.

 

1.13.       Information about your right to object pursuant to article 21 GDPR 

You have the right to object at any time, on grounds relating to your particular situation, to the processing of your personal data, pursuant to article 6 paragraph 1 point e GDPR (processing of data in the public interest) or article 6 paragraph 1 point f GDPR (processing of data based on legitimate of interests), including profiling pursuant to article 4 paragraph 4 GDPR.

In the event of an objection, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing that outweigh your interests, rights and freedoms, or the processing is for the purpose of asserting, exercising or defending legal claims.

If we process your personal data for marketing purposes, you have the right to object at any time to the processing of your personal data for marketing purposes, including profiling, insofar as it relates to marketing to existing customers.

You may submit your objection to our data protection officer using the contact details set out in section 1.2.

 

 

2.            DATA PROCESSING IN CONNECTION WITH THE USE OF THIS WEBSITE

2.1.         Collection of general information when visiting our website

2.1.1.      Purpose and modalities of processing

You can visit our website without providing any personal information. The information automatically collected by our web servers (server log files) is of a general nature and includes the web browser used, the operating system, the domain name of the internet service provider, the website from which you visit us, the websites you visit on our site, as well as the date and duration of the visit. These data are processed in particular for the following purposes:

  • ensuring a smooth connection to our website,
  • ensuring smooth use of our website,
  • evaluating system security and stability, and
  • optimising our website.

These are data that do not allow any conclusions to be drawn about your person. An evaluation, except for statistical purposes in anonymised form, does not take place.

 

2.1.2.      Legal bases and legitimate interests

Processing is carried out in accordance with article 6 paragraph 1 point f GDPR on the basis of our legitimate interest in improving the stability and functionality of our website.

 

2.1.3.      Categories of recipients of personal data

The recipients of the data may be technical service providers who act as processors for the operation and maintenance of our website.

 

2.1.4.      Transfer of data to recipients in a third country or to an international organisation

We do not transfer data to third countries.

 

2.1.5.      Data retention

Once the data are no longer necessary for the purposes for which they were collected, they will be deleted.

 

2.1.6.      Obligation to provide data and consequences of failure to provide data

There is no legal or contractual obligation to provide personal data. However, the service and functionality of our website cannot be guaranteed without the IP address. Individual services and offers may also be limited or unavailable. An objection is therefore excluded.


2.2.         User account

2.2.1.      Room reservations

We would like to inform you that it is not possible to open a user account when making a room reservation. Each room reservation is processed individually and there is no filing system associated with our website. You will therefore need to re-enter your details each time you make a new room reservation. You can make changes and cancellations using a link in the reservation confirmation email. By entering your data and making an online booking for a room reservation, you agree to the terms and conditions of sale at the stated price and consent to the transfer of your data to us (Deutsche Eiche Gärtnerplatz GmbH, Reichenbachstraße 13, 80469 Munich, Germany). The legal basis for the processing of your personal data arises from the conclusion of an accommodation contract in accordance with Art. 6(1)(b) of the GDPR.

 

2.2.2.      Online purchase of vouchers

You can register on our website to purchase a gift voucher by providing your email address and assigning a password to a user account. You can do this during the purchase process by entering your personal details and a password. If your registration is successful, a user account will automatically be created for you. This account is valid for our online gift voucher shop. By registering for a user account, you agree that the information you provide during the registration process will be shared with us (Deutsche Eiche Gärtnerplatz GmbH, Reichenbachstraße 13, 80469 Munich, Germany). The processing of your personal data is based on the conclusion of a contract according to Art. 6(1)(b) of the GDPR.


2.3.         Contact

2.3.1.      Contact form/email

Our website provides contact options that allow data subjects to quickly and easily get in touch with our company and to communicate directly with us using a general email address, in accordance with the applicable legal regulations. When a data subject sends an email or contacts the controller via a contact form, the personal data transmitted by the data subject are automatically stored. Personal data voluntarily provided by the data subject to the data controller will only be stored for the purpose of processing or contacting the data subject. It will not be disclosed to third parties.

 

2.3.2.      Newsletters/guest information

Our company does not send out newsletters. When you make a room reservation through our website, you have the opportunity to consent to the processing of your personal data for the purpose of receiving information about your stay at the hotel through an opt-in procedure ('I would like to receive information from your hotel'). In this case, you will only receive relevant information. You have the right to withdraw your consent at any time. This does not affect the lawfulness of the processing until revoked. You can exercise your right of withdrawal by sending a message to datenschutz@deutsche-eiche.de.

 

2.3.3.      Advertising to existing customers

We reserve the right to send targeted offers to our guests via email as part of our existing customer marketing. Our legitimate interest in marketing to existing customers is to provide individual offers to our guests based on their previous booking history. The personal data provided to us during the booking process may be processed and used for the purpose of sending repeat advertising for a period of 12 months after a completed transaction. If you do not make a further booking or other transaction within this period, your personal data will no longer be used for existing customer advertising and will be deleted accordingly. This does not apply where other legislation requires us to retain your personal information. You have the right at any time to object to the use of your email address for the purposes of marketing to existing customers. For more information on how to exercise your right to object to the use of your email address for direct marketing purposes, please see section 1.10. of this Privacy Policy.

 

2.4.         Online security

Secure Socket Layers (SSL) encryption technology is used when personal information is transmitted via our website and the internet. This technology ensures secure transmission and protects your personal information from unauthorised access by third parties. Please note that our website may contain links to other websites. We are not responsible for the privacy practices of such other sites and encourage you to read the privacy policies of such other sites for your own protection.


2.5.         Use of cookies

Cookies are small files that allow specific user-related information to be stored on a PC or other device during the use of the website. In accordance with data protection regulations, we do not store any personal data in cookies. The use of cookies can be disabled, limited to certain web pages or a warning displayed before cookies are sent through browser settings. However, please note that the full functionality of our website may no longer be guaranteed if the user disables the use of cookies via their internet browser. In addition, third-party cookies may be stored on a user's PC or other device when using our website. Users can also disable the use of third-party cookies through their internet browser.

 

2.5.1.      Types of cookies

2.5.1.1.  Essential cookies

These cookies contribute significantly to improving your user and booking experience on our website. Basic functions and applications such as shopping carts or electronic billing are optimised and made easier to use. These cookies do not collect any information about you that could be used for marketing or statistical purposes.

 

2.5.1.2. Optional cookies (advanced website functionality)

We use these cookies to enable certain features of the website, such as storing personalised cookie settings. These cookies do not have the ability to store any other data. The use of cookies in the context of pseudonymous audience analysis is explained to users in section 2.10. of this Privacy Policy.

 

2.5.2.      Legal basis, objection and revocation of your consent

The use of technically necessary cookies as well as cookies for advanced website functionality is based on our legitimate interests according to article 6 paragraph 1 point f GDPR. Our legitimate interest is to provide a website for general information and communication purposes, advertising purposes and the online distribution of services. You can object to the use of cookies at any time by adjusting the settings in your browser to prevent our website from using cookies. Please note that if you do so, you may not be able to use all the features of our website to their full extent.

In the case of optional tracking cookies, the processing of your data is permitted on the basis of your consent in accordance with article 6 paragraph 1 point a GDPR and § 25 (1)(1) German Telecommunications Telemedia Data Protection Act (TTDSG). You may revoke this consent at any time (see Cookie Settings).

 

2.5.3.      Cookie settings

Our website only uses cookies with the express consent of the user (opt-in). Once the user has consented to the use of cookies, the data subject may at any time object to the use of cookies by our website by changing the relevant settings in the footer of the website under the heading 'Cookie Settings'. If the data subject has already consented to the use of cookies, he or she can delete cookies that have already been set at any time using his or her internet browser or other software program. All popular web browsers have this feature. If the data subject deactivates the setting of cookies in the internet browser used, this may result in some of the functions of our website not being fully available.


2.5.4.      Cookie providers

Cookie providers

 

Provider/Tool

Category

Retention

Purpose

Local/

Cookie settings

Essential

10 days

Saving the cookie settings

 

Integration of services and content from third-party providers

 

Third-party provider

Functional description

Purpose

Website

Matomo

Matomo EU

(Server in Frankfurt und Dublin)

range analysis

Recording user behaviour to optimise the website

https://matomo.org/gdpr-analytics/

Google Maps

Google

Gordon House,

Barrow Street

Dublin 4

Ireland

advanced website functionality

Display of maps (via 'Google Maps' service) on the websites

https://policies.google.com/

privacy

 

Timify

TerminApp GmbH

Balanstraße 73,

Gebäude Nr. 24, 3. OG

81541 München,

Germany

advanced website functionality

massage booking tool

https://www.timify.com/

de/legal/

Stripe

510 Townsend Street

San Francisco, CA 94103, USA

advanced website functionality

Timify payments (massage booking tool)

https://stripe.com/privacy

 

Open Table

OpenTable GmbH,

Schumannstr. 27,

60325 Frankfurt,

Germany

advanced website functionality

Table reservation tool

https://www.opentable.de/

legal/privacy-policy

Selected

MPM Marketing GmbH

Maxhöhe 13,

D-82335 Berg a. Starnberger See,

Germany

advanced website functionality

Sightseeing and tickets

https://www.selected.de/

datenschutz/

 

2.5.5.      Range analysis  

Matomo is an open source web analytics software tool that allows us to collect, track and analyse data about visitor behaviour on our website. We use Matomo to analyse the flow of visitors to our website. The data and information collected are used, among other things, to evaluate the use of our website and to compile online reports on the activities on our website. This enables us to optimise our website and perform a cost-benefit analysis for online advertising. The data collected includes information about which website a visitor came from (referrer), which web pages of the website were visited and how often and for how long the web pages were viewed. The Matomo component is initially disabled when a visitor first comes to our website. Only when the visitor enables the 'Matomo' option in the website's cookie settings (opt-in) will the software set a cookie on the visitor's device. It is only by setting cookies that we can analyse the use of our website.

The processing of the analysed data is based on our legitimate interest (article 6 paragraph 1 point f GDPR). Recipients: If necessary, service providers may use the collected data as data processors for evaluation purposes. Transfer to third countries: The collected data will not be transferred to third countries. The Matomo software runs on our dedicated server and the log files are only stored on this server. Retention period: Through the _pk_id cookie, which lasts for 13 months, the _pk_ses cookie, which lasts for 30 minutes, and the _pk_testcookie, which is deleted at the end of the session, the internet browser sends data to our server for online analysis each time the visitor accesses our website or a single page through the Matomo component. This data includes the (truncated) IP address of the visitor's internet connection, the time and place of access, the pages accessed and the duration and frequency of visits. The data collected by the Matomo component helps us to track the origin of visitors and clicks. We store this personal information for a period of 36 months. Necessity of data provision: Every visitor to our website can prevent the installation of cookies by our website at any time by changing the settings of his or her internet browser. Such a browser setting will also prevent Matomo from placing a cookie on the user's information technology system. In addition, a cookie already placed by Matomo can be deleted at any time using an Internet browser or other software. In addition, any visitor to this website may at any time opt-out of the collection of information generated by the Matomo component relating to the use of this website and prevent the collection of such information.

In the event that the website visitor's information technology system is deleted, formatted, reinstalled or the cookie placed by Matomo is later deleted, these settings must be made again.

 
2.6.         Integration of third-party services and content, including collection of IP addresses by third-party services

To enhance the attractiveness of our offer, in accordance with our terms of use, there is the possibility to embed third-party content (e.g. videos) into posts, either by us or by users. The embedding can be done using so-called plugins, iFrames or similar technical means. When accessing the corresponding content, data such as your IP address may be transmitted to the respective service provider. However, for data protection reasons, the transmission of the data only occurs after active use of the respective service by clicking on it. The legal basis for this is our legitimate interest according to article 6 paragraph 1 point f GDPR, to provide users with an attractive online offer.

 

2.6.1. Use of Google Maps

  • Type and purpose of the processing: This website uses, with your opt-in consent, the Google Maps API, a mapping service provided by Google Inc. to display an interactive map. By using Google Maps, information about your use of this website (including your IP address) may be transmitted to and stored by Google on servers in the United States.
  • Legal basis: The processing is based on your consent for the use of optional cookies. The legal basis for this is Art. 6(1)(a) of the GDPR.
  • Recipients: By using Google Maps, information about your use of this website (including your IP address) may be transmitted to and stored by Google on servers in the United States. Google Maps is operated by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.
  • Transfer to third countries: Google will process your data in the United States if you have opted-in to the use of Google Maps in your privacy settings.
  • Retention period: The terms of use and privacy policy for Google Maps can be found here: https://policies.google.com/privacy
  • Necessity of data provision: There is no legal or contractual requirement that you provide the personal information described above. However, without this information, the service and functionality of our website cannot be guaranteed. In addition, certain services and features may not be available or may be limited.
  • Withdrawal of consent: You can prevent the use of Google Maps and avoid sending data to Google by disabling JavaScript in your browser. Alternatively, you can set an opt-out cookie.

 

2.6.2. Use of Timify

  • Type and purpose of processing: This website, with your opt-in consent, uses the Timify API massage reservation service provided by TerminApp GmbH to display a reservation calendar. Through the use of Timify, information about your use of this website (including your IP address) may be transmitted to and stored on a server located in Ireland (Amazon Web Services Data Centres in Europe, Dublin).
  • Legal basis: The processing is based on your consent for the use of optional cookies. The legal basis for this is Art. 6(1)(a) of the GDPR.
  • Recipients: When you use Timify, information about your use of this website (including your IP address) may be transmitted to and stored on a server in Ireland at the Amazon Web Services data centres in Europe, Dublin. Timify is operated by TerminApp GmbH, Balanstrasse 73, Building No. 24, 3rd Floor, 81541 Munich, Germany (TIMIFY). The Timify website is hosted by Amazon Web Services at facilities located in Europe, Dublin.
  • Intended transfer to third countries: Timify processes your data in Germany and Ireland if you have consented to the use of Timify by opt-in in your privacy settings.
  • Retention period: The terms of use and privacy policy for Timify can be found here: https://www.timify.com/de/legal/
  • Necessity of data provision: There is no legal or contractual requirement to provide the personal information above. However, without this information, the service and functionality of our website cannot be guaranteed. In addition, certain services and features may not be available or may be limited.
  • Withdrawal of consent: You may opt out of the Timify service and the transfer of data to TerminApp GmbH or Amazon Web Services data centres in Europe, Dublin by disabling JavaScript in your browser. Alternatively, you can set an opt-out cookie.

 

2.6.3. Use of OpenTable

  • Type and purpose of data processing: This Website uses the OpenTable API, a table reservation service provided by OpenTable Inc. to display a calendar of reservations. With your opt-in consent, information about your use of this website (including your IP address) may be transferred to and stored on a server operated by OpenTable in the United States.
  • Legal basis: The processing is based on your consent for the use of optional cookies. The legal basis for this is Art. 6(1)(a) of the GDPR.
  • Recipients: When you use OpenTable, information about your use of this website (including your IP address) may be transferred to and stored on a server operated by OpenTable in the United States. OpenTable is operated by OpenTable Inc. at 109 Zeil, San Francisco, CA 94104, USA.
  • Intended transfer to third countries: OpenTable processes your information in the United States if you have opted-in to use OpenTable in your privacy settings.
  • Retention period: OpenTable's Terms of Use and Privacy Policy can be found here: https://www.opentable.de/legal/privacy-policy
  • Necessity of data provision: There is no legal or contractual requirement that you provide the personal information described above. However, without this information, the service and functionality of our website cannot be guaranteed. In addition, certain services and features may not be available or may be limited.
  • Withdrawal of consent: You may opt out of OpenTable's service and the transfer of information to OpenTable by disabling JavaScript in your browser. Alternatively, you may set an opt-out cookie.

 

2.6.4. Use of Selected

  • Type and purpose of data processing: Following your opt-in consent, this website uses the Selected API online service provided by MPM Marketing GmbH to display information or sell tickets. By using Selected, information about your use of this website (including your IP address) may be transferred to a server of MPM Marketing GmbH in Germany.
  • Legal basis: The processing is based on your consent for the use of optional cookies. The legal basis for this is Art. 6(1)(a) of the GDPR.
  • Recipient: By using Selected, information about your use of this website (including your IP address) may be transmitted to and stored on a server of MPM Marketing GmbH in Germany. Selected is operated by MPM Marketing GmbH, Maxhöhe 13, 82335 Berg a. Starnberger See, Germany.
  • Intended transfer to third countries: Selected processes your data in Germany if you have given your consent to the use of Selected by opt-in in your privacy settings.
  • Retention period: The terms of use and privacy policy for Selected can be found here: https://www.selected.de/datenschutz/  
  • Necessity of data provision: There is no legal or contractual requirement to provide the personal information listed above. However, without this information, the service and functionality of our website cannot be guaranteed. In addition, certain services and features may not be available or may be limited.
  • Withdrawal of consent: You have the ability to prevent the service of Selected and the transfer of data to MPM Marketing GmbH by simply disabling JavaScript in your browser. Alternatively, you can set an opt-out cookie.

 

2.7.         Payment service providers for online payments

External payment service providers are used to process online payments:

  • PAYONE GmbH, headquartered at Lyoner Straße 9, 60528 Frankfurt am Main, Germany,
  • Adyen N.V., headquartered at Friedrichstraße 63, 10117 Berlin, Germany, and
  • PayPal (Europe) S.à r.l. et Cie, S.C.A., having its registered office at 22-24 Boulevard Royal 2449, Luxembourg.

Through the platforms of these payment service providers, you, as a customer, have the possibility to carry out payment transactions based on your free decision. The online payment may either be integrated directly into the booking process or sent to you via a link provided by you. If you use such a link, you will be redirected to the website of the relevant payment service provider.

 

 

3.            INFORMATION REGARDING EXTERNAL SITES OF DEUTSCHE EICHE

 

3.1.         Facebook

  • Purpose of processing: We have set up two Facebook pages at the addresses https://de-de.facebook.com/deutsche.eiche.muenchen and https://www.facebook.com/deutsche.eiche.dachterasse. When you access this page, Facebook processes your personal data. We receive statistics on the use of this page derived from this data.
  • Legal basis: article 6 paragraph 1 point f GDPR
  • Categories of data: Master data, contact data, content data, usage data, connection data, possibly location data.
  • Data recipients: Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland.
  • Intended transfer to third countries: In individual cases to the USA and to other third countries (based on the standard data protection clauses of the EU Commission, article 46 paragraph 2 point c GDPR and based on adequacy decisions (article 45 GDPR))
  • Do we store personal data on your device or retrieve such data with your consent? No.
  • Data subject rights: Facebook is responsible for implementing your data subject rights. Facebook will inform you of your data subject rights at www.facebook.com/legal/terms/information_about_page_insights_data. You may also contact us to exercise your rights and we will promptly forward your request to Facebook.

 

3.2.         Instagram

  • Purpose of processing: We have set up two Instagram pages at the addresses https://www.instagram.com/deutscheeichemunchen/ and https://www.instagram.com/saunadeutscheeiche. When you visit this page, Instagram processes your personal data.
  • Legal basis: article 6 paragraph 1 point f GDPR
  • Categories of data: Master data, contact data, content data, usage data, connection data, possibly location data
  • Recipients of the data: Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland
  • Intended transfer to third countries: In individual cases to the USA and to other third countries (based on the standard data protection clauses of the EU Commission, article 46 paragraph 2 point c GDPR and based on adequacy decisions (article 45 GDPR))
  • Do we store or read personal data on your device based on your consent? No.
  • Data subject rights: Instagram is responsible for implementing your rights as a data subject. Instagram will inform you of your rights as a data subject at www.facebook.com/legal/terms/information_about_page_insights_data. You may also contact us to exercise your rights and we will promptly forward your request to Instagram.

 

3.3.         Romeo

  • Purpose of processing: We have set up a Romeo page and a group under the name "deutsche_eiche" on Romeo. When you access this page, Romeo processes personal data about you.
  • Legal basis: article 6 paragraph 1 point f GDPR.
  • Categories of data: Master data, contact data, content data, usage data, connection data and possibly location data.
  • Data recipients: ROMEO B.V. De Ruijterkade 7 1013AA Amsterdam.
  • Planned transfer to third countries: In individual cases to the USA and to other third countries (based on the standard data protection clauses of the EU Commission, article 46 paragraph 2 point c GDPR and based on adequacy decisions (article 45 GDPR))
  • Do we store or read personal data on your device with your permission? No.
  • Data subject rights: Romeo is responsible for implementing your rights as a data subject. Romeo will inform you about your data subject rights at https://www.romeo.com/en/privacy/. You can also exercise your rights by contacting us and we will promptly forward your request to Romeo.

 

3.4.         TripAdvisor

  • Purpose of processing: We have a TripAdvisor page at https://www.tripadvisor.de/Hotel_Review-g187309-d235046-Reviews-Hotel_Deutsche_Eiche-Munich_Upper_Bavaria_Bavaria.html. When you visit this page, TripAdvisor processes personal data about you.
  • Legal basis: article 6 paragraph 1 point f GDPR
  • Categories of data: Master data, contact data, content data, usage data, connection data, possibly location data
  • Recipients of the data: Tripadvisor LLC, 400 1st Avenue, Needham, MA 02494 USA
  • Intended transfer to third countries: In individual cases to the USA and to other third countries (based on the standard data protection clauses of the EU Commission, article 46 paragraph 2 point c GDPR and based on adequacy decisions (article 45 GDPR))
  • Do we store or read personal data on your device based on your consent? No.
  • Data subject rights: TripAdvisor is responsible for implementing your rights as a data subject. TripAdvisor will inform you of your rights as a data subject at https://tripadvisor.mediaroom.com/de-privacy-policy. You may also contact us to exercise your rights and we will promptly forward your request to TripAdvisor.

 

Changes to this Privacy Policy

We reserve the right to update this Privacy Policy from time to time in response to relevant changes to our website, the processing of personal data or changes in legislation. The revised version will be effective from the date of its publication. If there are material changes, we will notify you in advance by posting a notice on our website. The current version of this privacy policy is always available on this web page.