Privacy Information for Our Prospective Customers and Hotel Guests

We are delighted that you are interested in our company, our products and our services. As the controllers responsible under data protection law, we want you to feel comfortable regarding the protection of your personal data in your interactions with us and our staff. We take the protection of your personal data very seriously. Compliance with German and European data protection regulations is a matter of course for us. The protection of your personal data is therefore our top priority. With the following information, we would like to explain in detail how we handle your personal data:

Name and contact details of the controller

Sonnenhotels GmbH
Nordhäuser Str. 1, 38667 Bad Harzburg

Contact details of the data protection officer

Supervisory authority

Die Landesbeauftragte für den Datenschutz Niedersachsen
Barbara Thiel, Prinzenstraße 5, 30159 Hannover
|

The controller responsible for the processing of your personal data in the context of this contact is

Sonnenhotels GmbH Nordhäuser Str. 1 38667 Bad Harzburg Phone: +49 (0) 53 21/ 68 55 40 Fax: +49 (0) 53 21 / 68 55 471 Email: info@sonnenhotels.de

The appointed data protection officer is DataCo GmbH Sandstr. 33 80335 München Phone: +49 (0) 89 7400 458 40 Email: datenschutz@dataguard.de www.dataguard.de

a. Your personal data that we process

On various occasions (initiation, performance and termination of a hotel stay), we collect data about you and/or the persons accompanying you, such as:

  • Contact details (such as surname, first name, address data, telephone number, email address)
  • Arrival and departure dates
  • Information about children travelling with you (such as first name, date of birth, age)
  • Customer number of existing customers
  • Vehicle registration number, if applicable, when using the car park
  • Preferences and personal interests for the current and future stay (e.g. smoking or non-smoking room, preferred flooring, preferred bedding, newspapers/magazines, sports, cultural interests, food and drinks, etc.)
  • Follow-up discussions/questions/comments after or during a stay in one of our hotels

b. Purposes of data processing

In the context of the initiation, performance and termination of a hotel stay, your personal data are processed for the following purposes:

  • To handle your enquiry as a prospective customer. For this purpose we use your contact details in order to be able to respond to your enquiry.
  • To prepare and carry out pre-contractual measures – this includes, for example, preparing and sending an individual offer or individual agreements and sending booking confirmations with the aim of concluding a contract.
  • To add your contact details to our customer database.
  • To fulfil our contractual obligations arising from the accommodation agreement with you. For this purpose we pass on your personal data, among others, to authorities and processors in order to ensure a smooth stay for you.
  • To keep you optimally informed about our products and services. This also includes sending (direct) advertising by email or by post.
  • To ensure smooth invoicing of the services provided. For this purpose your personal data are processed in order to issue invoices. In addition, we forward your personal data to our external service providers (the processors listed below).
  • To comply with our legal obligations. This includes, for example, the transmission of your personal data to the tax office.
  • To provide you, as our customer, with optimal support. This includes in particular communicating with you by email, mobile phone, landline or fax.
  • For the purpose of sending our newsletter, provided you have subscribed to it
  • To fulfil post-contractual measures.
  • To assert, exercise or defend legal claims.
  • To comply with the Registration Act (Meldegesetz) and the Accommodation Establishments Ordinance (Beherbergungsstättenverordnung), the data are stored and passed on to the respective cities/municipalities. In the event of official audits, these data must be handed over.

c. Legal bases of data processing

We process the data in the context of the initiation, performance and termination of a hotel stay on the basis of Art. 6 para. 1 sentence 1 lit. a – f GDPR.

Processing of your personal data on the basis of consent

Insofar as we obtain your consent for the processing of your personal data, the processing of your personal data is based on Art. 6 para. 1 sentence 1 lit. a GDPR in conjunction with Arts. 5, 7 GDPR.

Processing for the purpose of performing the contract with you

Insofar as we process your personal data for the purpose of performing a contract, Art. 6 para. 1 sentence 1 lit. b GDPR serves as the legal basis. This also applies to processing operations that are necessary for carrying out pre- and post-contractual measures.

Processing for compliance with a legal obligation

Insofar as the processing of your personal data is necessary for compliance with a legal obligation to which our company is subject, Art. 6 para. 1 sentence 1 lit. c GDPR serves as the legal basis. Our statutory obligation to process data arises, for example, from retention obligations (e.g. under tax and/or commercial law).

Processing on the basis of legitimate interest

Where our legitimate interests exist and are not overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data, Art. 6 para. 1 sentence 1 lit. f GDPR may constitute the legal basis for direct marketing purposes. The legitimate interests we pursue in this respect – in addition to the purposes listed under b. – include:

  • Being able to keep you optimally informed about our products, offers and services by way of direct marketing;
  • Communicating with you, in particular in order to be able to respond to your enquiries by email, telephone and/or fax;

The legal basis for processing activities in connection with the assertion, exercise or defence of legal claims is likewise our legitimate interest pursuant to Art. 6 para. 1 sentence 1 lit. f GDPR.

d. Source from which your personal data originate

Your personal data that we process:

  • Surname
  • First name
  • Email address
  • Address information
  • Telephone
  • Mobile number

and that we have not collected directly from you originate from the following sources:

  • Tour operators
  • Coach companies
  • (Online and other) travel agencies
  • Booking platforms
  • Reading tour providers

In the course of processing your personal data, we may pass on the personal data concerning you to the following recipients. We only transfer your personal data to external recipients if you have consented or if this is permitted by law. External recipients of your personal data are in particular:

  • Third parties
  • Authorities, e.g. tax offices, courts, trade supervisory authority
  • Billing partners
  • Debt collection agencies
  • Credit institutions
  • Parcel service providers
  • Postal services
  • Tax advisors
  • Processors:

| Processor | Address | Country | Purpose | | --- | --- | --- | --- | | Apaleo GmbH | Sandstr. 33, 80335 München | Germany | Property management system for managing customer data and hotel bookings as well as customer and company invoices. | | CODE2ORDER GmbH | Eichwiesenring 4F 70567 Stuttgart | Germany | straiv by Code2Order provides digital check-in and check-out including the registration form, a digital guest folder, guest messaging and automated emailing of, for example, booking confirmations. | | Vioma GmbH | Industriestr. 27, 77656 Offenburg | Germany | Online booking system (IBE) for easy hotel booking via the Sonnenhotels website | | ReGuest GmbH | Kuperionstr. 34, 39012 Meran | Italy | Customer quotation tool. For the easy creation of travel offers for prospective customers. | | DATEV eG | 90429 Nürnberg, Paumgartnerstr. 6 – 14 | Germany | Processing of financial and invoicing information | | Microsoft Corporation | | Germany | Receiving, storing and composing emails, document creation and storage. PC logins to cloud servers | | HBCS GmbH | Juliusstr. 11, 38118 Braunschweig | Germany | External IT service provider | | MAIC Hotel Solution | Gospodarska 15, Vukovar HR-32000 | Croatia | Digital concierge with digital guest folder |

In the case of processors and service providers outside the EU/EEA, your above-mentioned personal data are only processed insofar as this is the subject of our data processing agreement pursuant to Art. 28 GDPR with these recipients.

Your personal data are not transferred to third countries outside the European Union or the European Economic Area, and no such transfer is planned.

  • Microsoft (M365) and Google Tag Manager

As a rule, the personal data collected and generated during the provision of the relevant products and services are stored on our servers within the European Union. Since the providers of our software solutions offer their products and/or services on the basis of the resources and servers available worldwide, your personal data may be transferred to other jurisdictions outside the European Union and the European Economic Area or accessed from such a jurisdiction outside the European Union. In particular, personal data are transferred to the third country USA within the meaning of Art. 15 para. 2 GDPR. In order to ensure that the necessary level of protection is maintained when data are transferred to a third country, contractual measures are agreed for this purpose. The software provider has its registered office in the United States of America, which has not been recognised as providing an adequate level of data protection. To ensure appropriate safeguards for the protection of the transfer and processing of personal data outside the EU, the transfer of data to and the processing of data by our service providers take place on the basis of appropriate safeguards pursuant to Art. 46 et seq. GDPR, in particular through the conclusion of so-called standard data protection clauses pursuant to Art. 46 para. 2 lit. c GDPR.

We do not store your personal data for longer than is necessary for the purpose for which they were collected. This means that data are destroyed or deleted from our systems as soon as they are no longer required. We take appropriate measures to ensure that your personal data are only processed under the following conditions:

  1. For as long as the data are used to provide you with a service
  2. As required by applicable law, contract or with regard to our statutory obligations
  3. Only for as long as is necessary for the purpose for which the data were collected, or longer if required by contract or applicable law, subject to appropriate safeguards.

A requirement may exist in particular where the data are still needed in order to fulfil contractual services, or to examine and grant or defend against warranty and, where applicable, guarantee claims. If the data are no longer required for the fulfilment of contractual or statutory obligations, they are regularly deleted, unless their – temporary – retention remains necessary, in particular to comply with statutory retention periods of up to ten years (including under the German Commercial Code (Handelsgesetzbuch), the German Fiscal Code (Abgabenordnung) and the German Anti-Money Laundering Act (Geldwäschegesetz)). In the case of statutory retention obligations, deletion is only possible after the respective retention period has expired.

Under the General Data Protection Regulation, you have the following rights:

  • If your personal data are processed, you have the right to obtain information from the controller about the data stored about you (Art. 15 GDPR).
  • If inaccurate personal data are processed, you have a right to rectification (Art. 16 GDPR).
  • If the legal requirements are met, you may request the erasure or restriction of processing (Arts. 17 and 18 GDPR).
  • If you have consented to the data processing or if a contract for data processing exists and the data processing is carried out by automated means, you may have a right to data portability (Art. 20 GDPR).
  • If the personal data concerning you are processed for direct marketing purposes, you have the right to object at any time to the processing of the personal data concerning you for the purposes of such marketing. If you object to processing for direct marketing purposes, the personal data concerning you will no longer be processed for these purposes.
  • If you object to processing for direct marketing purposes, the personal data concerning you will no longer be processed for these purposes.
  • You also have the right to lodge a complaint with a supervisory authority (Art. 77 GDPR). The supervisory authority responsible for us is the State Commissioner for Data Protection of Lower Saxony (Landesbeauftragte für den Datenschutz Niedersachsen). You can reach her at

Die Landesbeauftragte für den Datenschutz Niedersachsen Barbara Thiel Prinzenstraße 5 30159 Hannover Phone: +49 (0511) 120 45 00 Email: poststelle@lfd.niedersachsen.de

If the legal requirements are met, you may, on grounds relating to your particular situation, object at any time to the processing of personal data concerning you which is carried out on the basis of Art. 6 para. 1 lit. e or f GDPR (Art. 21 GDPR).

If you have consented to the processing by the controller by means of a corresponding declaration, you may withdraw your consent at any time with effect for the future. The lawfulness of the data processing carried out on the basis of the consent up to the withdrawal is not affected by this.

You are obliged to provide your data in accordance with the provisions of the German Federal Registration Act (Bundesmeldegesetz, BMG).

  • Obtaining an electronic registration form under the conditions of the new Federal Registration Act (§ 29 para. 5 sentence 1 BMG), or
  • providing an analogue paper registration form with the handwritten signature of the accommodated person on the day of arrival, whereby the registration data may be pre-filled electronically (§ 29 para. 2 BMG), if you do not provide the required data

Furthermore, we need your details for correct invoicing.

| Field | Description | | --- | --- | | Arrival date | Date of arrival of the accommodated person (YYYYMMDD) | | Departure date | Date of the expected departure (YYYYMMDD) | | Surname | Full current surname with all name components, each separated by a space | | First names | All first names, each separated by a space | | Date of birth | Date of birth (YYYYMMDD) | | Nationality | All nationalities | | Address | Consisting of: a) country in which the place of residence is located, b) postcode of the place of residence, c) name of the place of residence, d) if applicable, additions to the place of residence, e) street name, f) house number digits and, where applicable, additional letters or supplementary digits, g) if applicable, additions to the address. | | Number of family members | Number of accompanying family members pursuant to § 29 para. 2 sentence 2 of the Federal Registration Act | | Number of fellow travellers | Number of fellow travellers in travel groups pursuant to § 29 para. 2 sentence 3 of the Federal Registration Act | | Nationality of fellow travellers | All nationalities of the fellow travellers of the travel groups | | Accommodation establishment | Consisting of the name and address of the accommodation establishment or facility that stores the data |