(Information on data protection in the context of our data processing in accordance with Articles 12, 13, 14 and 21 of the General Data Protection Regulation)
Thank you for visiting our website and your interest in our company. The protection of your personal data is important to us. Pursuant to Articles 12, 13, 14 and 21 of the General Data Protection Regulation
(GDPR), this policy explains how your personal data is handled when you use our website https://www.boeckmanns-restaurant.de (hereinafter referred to as the “website”).
Personal data are particulars about the personal or factual circumstances of an identified or identifiable natural person. These include information such as name, address, phone number and date of birth.
Controller within the meaning of the General Data Protection Regulation:
Realotel Hamburg Zwei Hotelbetriebs GmbH
c/o Courtyard by Marriott Hamburg City
65185 Wiesbaden, Germany
Phone: +49 (0) 40 298420
2. Data protection officer
Contact details of our data protection officer:
The in-house data protection officer of Realotel Hamburg Zwei Hotelbetriebs GmbH can be contacted at the above address, Data Protection Department, or by email at: firstname.lastname@example.org.
3. Purposes and legal bases for data processing
3.1 Use of the website for information purposes
You can visit our website without providing any information about yourself. If you use our website merely for information purposes, and therefore do not make a booking, send an enquiry or otherwise send us information concerning you, we do not process any personal data – only data sent by your browser allowing you to visit the website and information sent to us by cookies used.
3.1.1 Technical provision of the website
For the purposes of technical provision of the website, our system (i.e. the web server) automatically collects information from your browser each time you access the website.
Temporary storage of your IP address by our system is necessary to enable delivery of the website to your computer. For this purpose, the IP address of the user must necessarily remain stored for the
duration of the session.
The IP address is stored in the log files to ensure our website’s functionality. Additionally, we also use this data to optimise the website and to ensure the security of our IT systems (e.g. attack detection). An
analysis of the data for marketing purposes in conjunction with the tools mentioned under 3.1.3 also takes place.
The following information is collected:
IP address, anonymised/abbreviated;
browser type/version (for example, Firefox 59.0.2 (64 bit));
browser language (for example, English);
operating system used (for example, Windows 10);
internal resolution of browser window;
Java script activation;
time of access.
The consent manager sets a cookie for you for the allocation of your decision. This cookie contains some personal data. The data is exclusively processed in the European Union. This data involves the
End user’s IP number in anonymised form (the last three digits are set to “0”)
Date and time of consent.
End user’s browser user agent.
The URL from which the consent was sent.
An anonymised, random, encrypted key.
The end user’s consent status, which serves as evidence of consent.
We process your personal data for the technical provision of our website on the following legal basis:
to fulfil a legal obligation to which we are subject pursuant to Article 6, paragraph 1, point (c) of the GDPR in conjunction with further provisions of the GDPR, insofar as we are obliged to be able to document and provide evidence of your decision regarding consent to data processing for cookies and other, similar tools,
to protect our legitimate interests pursuant to Article 6, paragraph 1, point (f), of the GDPR in order to be able to make the functions of the website technically available to you.
3.1.3 Google Tag Manager
On our website, we use the Google Tag Manager, from Google Inc., Gordon House, Barrow Street, Dublin, Ireland (“Google”). The Google Tag Manager is a solution that marketers can use to manage
website tags via an interface. The Google Tag Manager service itself (which implements the tags) is a cookie-free domain and does not collect any personal data. The Google Tag Manager service causes
other tags to be triggered, which may then collect data in certain situations. Google Tag Manager does not access such data. If a deactivation has been put into effect at domain or cookie level, it will remain valid for all tracking tags implemented by Google Tag Manager.
3.1.4 Google Analytics
On our website, we use Google Analytics, a web analytics service from Google Inc., Gordon House, Barrow Street, Dublin, Ireland (“Google”). Google Analytics uses ‘cookies’, text files that are stored on
your computer and enable analysis of your use of the website. The information generated by cookies about your use of our website is usually transmitted to and saved on a server operated by Google within Europe. However, if IP anonymisation is enabled on this website, Google will shorten your IP address within Member States of the European Union or in other states that are party to the Agreement on the European Economic Area beforehand. Only in exceptional cases is the full IP address transferred to a Google server in the United States and truncated there. Google uses this information on our behalf to analyse your use of the website, compile website activity reports and provide further services associated with use of the website in particular and use of the Internet in general to the website operator. The IP address transmitted from your browser in the context of Google Analytics will not be combined with other
We use Google Analytics with the extension ‘anonymizelp()’ on our website. This means that IP addresses are further processed in shortened form thus preventing them from being directly linked to an
We process your personal data in the context of Google Analytics for the purposes of analysing your
use of the website on the following legal basis:
Your consent pursuant to Article 6, paragraph 1, point (a) of the GDPR.
You can withdraw your consent by
preventing cookies from being saved to your device using the respective setting in your browser software; please bear in mind however, that if you disable cookies, you may not be able to use all of this website’s features fully;
downloading and installing the browser plugin available at the following link: http://tools.google.com/dlpage/gaoptout?hl=en or
clicking this link to prevent collection by Google Analytics on our website in the future. An optout cookie will be stored in your browser. Please note that you need to enable the opt-out cookie in each browser you use on all your end devices, and enable it again, where appropriate, if you delete all the cookies in a browser.
You can withdraw the consent you gave via the cookie banner here.
More detailed information about terms and conditions of use and data privacy of or at Google Analytics can be found at http://www.google.com/analytics/terms/de.html or at https://policies.google.com/?hl=en-GB
3.1.5 Google Maps
Our website integrates Google Maps, a service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (parent company: Google LLC., 1600 Amphitheatre Parkway, Mountain
View, CA 94043, USA) (“Google”). Google Maps is a web service depicting interactive (geographical) maps in order to visually present geographical information. We use this service to display our restaurant’s location and make it easier to find us. Data is processed in order to be able to display the map and the marked location to you.
To increase the protection of your data when you visit our website, Google Maps is restricted and only integrated into the site using an HTML link. This ensures that a connection to the Google servers is not
established when you access our website and your data is not sent to Google. Your browser will establish a direct connection to the Google servers so you can plan your route, only when you click the link,
thereby giving your consent to data transfer. In functional terms, the integration of Google Maps equates to a hyperlink and consequently your data is not collected on our website by us or by Google.
3.2 Active use of the website
In addition to using our website for purely informational purposes, you can also actively use our website to download information, register for a newsletter or event, or contact us. In this case, in addition to the processing of your personal data as indicated above when you use the website purely for informational purposes, we also use other personal data, that we require, for instance, to process your order.
3.2.1 User enquiries
In order to process the enquiries you send us, e.g. to our email address, to answer these specifically and to supply you with the desired information, documents, etc., we process the personal data you
supply in this context. This includes your contact details, to allow us to send you a reply or ask any necessary follow-up questions, and other information you send us in this context. Depending on your
details and the subject of the enquiry and security, contact may be made electronically, over the phone or by post.
We process your personal data to respond to user enquiries, request information, etc., on the following legal basis:
to protect our legitimate interests pursuant to Article 6, paragraph 1, point (f) of the GDPR; our legitimate interest lies in providing an appropriate response to or execution of customer enquiries;
if the enquiry serves to enter into a contract, then Article 6, paragraph 1, point (b) of the GDPR provides a further legal basis.
In order to allow you to make bookings yourself on our website and in order to accept and organise them, we use the “Bookatable” service provided by Bookatable GmbH & Co. KG, Deichstraße 48-50,
20459 Hamburg, Germany, email: email@example.com (“Bookatable”). In doing so, we process the personal data you supply in this context. This includes your gender, name, email address and telephone
number, in order to be able to identify you on your visit and, where necessary, to ask any follow-up questions required or inform you of changes to the booking.
We will process your personal data for this purpose on the following legal basis:
to protect our legitimate interests pursuant to Article 6, paragraph 1, point (f) of the GDPR; our legitimate interest lies in appropriate processing of your booking;
to process and organise your requested booking as a pre-contractual measure and in the context of your visit to the restaurant in accordance with Article 6, paragraph 1, point (b) of the GDPR.
3.2.3 Sending an application
We will process your personal data in the context of your application insofar as you provide this data to us. Application documents may include special categories of personal data.
Processing of personal data
Applicant details generally include the following:
First name and surname
Your level of education (where necessary)
Date and place of birth
Contact details (address, email, telephone and/or mobile phone number)
Application documents (covering letter, CV, references)
We also process data that you send us by email when you contact us.
We use the personal data provided by you within the framework of legal requirements as the basis for our decisions in the application process. We use your professional qualifications, for example, to decide whether we want to consider you for a narrower selection procedure or obtain a personal impression in an interview, in order to decide whether we want to offer you the position for which you have applied.
We will process your personal data in this case on the following legal basis:
data processing for employment-related purposes, Article 88, paragraph 1, of the GDPR in conjunction with Article 26, paragraph 1, point (1), of the new BDSG [German Data Protection Act].
Processing of special categories of personal data
According to Article 9 of the GDPR, special categories of personal data are personal data revealing racial or ethnic origin, political opinions, religious (for example, details of religious denomination) or philosophical beliefs, or trade union membership, and the processing of biometric data for the purpose of uniquely identifying a natural person (for example, photos), data concerning health (for example, details of level of disability) or data concerning a natural person’s sex life or sexual orientation. If your CV includes special categories of personal data, we do not collect these intentionally. Please do not send us such data.
If, as part of your application documents, you send us special categories of personal data in accordance with Article 9, paragraph 1 of the GDPR, voluntarily and contrary to our explicit request (your photo or details of your religious denomination, for example), we will store this data on the basis of your consent in accordance with Article 88, paragraph 1 of the GDPR in conjunction with Article 26, paragraph 3, point (2) of the new GDPR. This will also apply if you provide us with further special personal data in the course of the application process. By sending this information voluntarily, you agree to the storage of
this special personal data in the context of the application process.
In principle, we do not take such special personal data into account when making recruitment decisions unless it is necessary on account of a legal obligation to take such special personal data into account. It may be the case with some job vacancies, for example, that persons with disabilities are afforded preferential treatment in accordance with applicable legislation. In such cases, information is always voluntary and provided with your explicit consent which you give by sending this information voluntarily.
We will process your special personal data on the following legal basis:
in accordance with Article 9, paragraph 1 of the GDPR based on your consent in accordance with Article 88, paragraph 1 of the GDPR in conjunction with Article 26, paragraph 3, point (2) of the new GDPR.
3.2.4 Complying with statutory regulations
We also process your personal data to fulfil other legal obligations. These may apply to us, for instance, in conjunction with handling bookings, your orders or business communications. These include, in particular, retention periods under commercial, trade or tax law.
We will process your personal data in this case on the following legal basis:
to fulfil a legal obligation to which we are subject pursuant to Article 6, paragraph 1, point (c) GDPR in conjunction with commercial, trade or tax law, insofar as we are obliged to record and store your data.
3.2.5 Law enforcement
We also process your personal data to assert our rights and to be able to enforce our legal claims. We also process your personal data in order to be able to defend ourselves against legal claims. Finally, we process your personal data if this is required to defend against or prosecute criminal offences.
We process your personal data for this purpose on the following legal basis:
to protect our legitimate interests pursuant to Article 6, paragraph 1, point (f) of the GDPR, insofar as we assert legal claims or defend ourselves in legal disputes or prevent or resolve criminal offences.
Some sections of our website contain links to the websites of third-party providers. These websites are subject to their own privacy policies. We are not responsible for their operation, including the handling of data. If you send information to or via such third-party sites, you should check the privacy policies of these sites before sending information that can be traced to you personally.
5. Categories of recipients
In the first instance, only our employees receive your personal data.
As a rule, your data is only disclosed to third parties insofar as this is legally permitted or prescribed or you have given your consent to this. We also share your data to the extent required with the service
providers we use in order to be able to provide our services. We limit the disclosure of data to that which is necessary to provide you with our services. Some of our service providers receive your data in their capacity as processors and, in this case, are strictly bound by our instructions when handling your data. In some cases, the recipients act independently with your data which we send to them.
The categories of recipients of your data are indicated below:
Affiliated companies within the group, if these operate on our behalf as processors and provide IT services, for instance, or if this is required to provide our services;
Companies which help us process bookings;
Payment service providers and banks for the purposes of collecting outstanding payments from accounts or paying refunds;
Suppliers and courier services for the delivery of goods;
IT service providers which perform services such as storing data, assisting us with system administration and maintenance and providing functions on the website, and keepers and destroyers of files;
debt collection companies and legal advisors for the assertion of our rights;
public bodies and institutions, insofar as we are legally required to do so.
We can also exchange your personal data within our company group operating across Europe, e.g. with subsidiaries which require this data to fulfil our contractual and legal obligations or on the basis of our legitimate interests. These may involve economic, administrative or other internal commercial purposes; this shall only apply if not overriden by your interests or fundamental rights and freedoms.
6. Transfer to a third country
In the context of our use of Google Maps, we transfer your IP address, or your shortened IP address, to countries outside of the European Union, such as the US and Australia.
Data transfer to the USA is based on Commission Implementing Decision (EU) 2016/1250 of 12 July 2016 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of
the protection provided by the EU-US Privacy Shield. Google LLC is certified in accordance with the specifications of the Privacy Shield.
We do not transfer your personal data to countries outside the EU or the EEA or to international organisations.
7. Duration of storage
7.1 Use of the website for information purposes
In terms of the use of our website for purely informational purposes, we initially store your personal data on our servers only for the duration of your visit to our website. This personal data is deleted without undue delay as soon as you leave our website.
We store the decision you make regarding consent using Cookiebot for up to 12 months. Data collected by Google Analytics is usually stored for 14 months. In some cases, it may be stored by Google for
7.2 Active use of the website
In the case of active use of our website, we store your personal data initially for the period required to respond to your enquiry or for the duration of our business relationship. This includes the initiation of a
contract (legal relationship prior to entering into a contract) and the performance of a contract. Your booking details are stored by Bookatable for 3 years following your most recent booking.
In addition, we store your personal data thereafter until any legal claims arising from the relationship with you become time-barred, in order to use these as evidence where necessary. The period of limitation is generally between 1 and 3 years, but may be up to 30 years.
We will delete your personal data when claims become time-barred unless there is a statutory retention period, in accordance with the Handelsgesetzbuch (HGB; German Commercial Code), for example (Article 238, 257 (4) of the HGB), or the Abgabenordnung (AO; German Tax Code) (Article 147 (3), (4)). These statutory retention obligations may be between two and ten years. For this period, the data shall
only be processed again in the event of an audit by the tax authorities.
8. Your rights as data subject
If we process your personal data, you are a “data subject” as defined by the GDPR. You have the following rights vis-à-vis us as the controller:
Right of access
You can request information about whether we process personal data concerning you. In that event, you have a right of access to this personal data and other information associated with processing (Article 15 GDPR). Please note that this right to information may be restricted or excluded in certain circumstances.
Right to rectification
In the event that personal data concerning you is not (or no longer) applicable or is incomplete, you may request rectification and, where necessary, completion of this data (Article 16 GDPR).
Right to erasure or restriction of processing
If the legal prerequisites are in place, you may request the erasure of your personal data (Article 17 of the GDPR) or the restriction of processing of this data (Article 18 of the GDPR). However, the right to erasure in accordance with Article 17, paragraph 1 and 2 of the GDPR does not exist, for instance, if the processing of personal data is required for the purposes of fulfilling a legal obligation (Article 17, paragraph 3, point (b) of the GDPR).
Right to object
On grounds arising from your particular situation, you may object to the processing of personal data concerning you by us at any time (Article 21 of the GDPR). Providing the legal prerequisites are in place, we shall then no longer process your personal data.
Right to data portability
You have the right under Article 20 of the GDPR to receive the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format.
Right to withdraw consent regarding data protection
You have the right to withdraw your consent at any time. The withdrawal applies with future effect; this means that the withdrawal does not affect the legality of the processing which took place on the basis of consent up until the point at which consent was revoked.
Right to lodge a complaint with a supervisory authority
Without prejudice to any other administrative or judicial remedy, a subject (you) has the right to lodge a complaint with a supervisory authority – in particular in the member state of your habitual residence – if you consider that the processing of your personal data by us infringes the GDPR.
The competent supervisory authority in our case is:
Der Hessische Beauftragte für Datenschutz und Informationsfreiheit [Commissioner for data protection and freedom of information for the state of Hesse]
65021 Wiesbaden, Germany
Telephone: +49 (0)611 140 80
Fax: +49 (0)611 1408 611
However, we recommend that you always send your complaint to our data protection officer in the first instance.
Where possible, you should send requests to exercise your rights to the above address under Item 1 or directly to our data protection officer.
Right to object (Article 21 GDPR)
You have the right to object, on grounds relating to your particular situation, at any time to processing of your personal data which is based on point (f) of Article 6, paragraph 1, (data processing based on a balance of interests, or point (e) of Article 6, paragraph 1, (data processing in the public interest). This also applies to profiling (Article 4, paragraph 4 of the GDPR) based on these provisions.
If you make an objection, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims.
In individual cases, we also process your data for the purposes of direct advertising. If you do not wish to receive any advertising, you are entitled to object to this at any time; this also applies to profiling if this is in conjunction with such direct advertising. We shall comply with this objection for the future.
We will no longer process your data for the purposes of direct advertising if you object to processing for these purposes.
Objections can be informal and should be sent where possible to the address stated under Item 1.
9. Scope of your obligations to provide data
In principle, you are not obliged to provide us with your personal data. However, if you do not do so, we will not, for instance, be able to make our website available to you, respond to your enquiries, provide you with information, etc. or enter into a contract with you.
10. Profiling/automated decision-making
We do not conduct any profiling and do not use any pure automated decision-making processes in accordance with Article 22 of the GDPR.
Last updated: February 2020