Privacy Policy
Preamble
With the following privacy policy we would
like to inform you which types of your personal data (hereinafter also
abbreviated as “data”) we process for which purposes and in which
scope. The privacy statement applies to all processing of personal data carried
out by us, both in the context of providing our services and in particular on
our websites and within external online presences, such as our social media
profiles (hereinafter collectively referred to as “online services”).
The terms used are not gender-specific.
Last Update: 22. April 2024
Table of contents
- Preamble
- Controller
- Overview of processing operations
- Relevant legal bases
- Security Precautions
- Transmission of Personal Data
- Data Retention and Deletion
- Rights of Data Subjects
- Business services
- Use of online platforms for listing and sales purposes
- Provision of online services and web hosting
- Contact and Inquiry Management
- Commercial communication by E-Mail, Postal Mail, Fax or
Telephone
- Profiles in Social Networks (Social Media)
- Changes and Updates to the Privacy Policy
Controller
Hotel am Schlosspark
Wilhelmsplatz 3
16945 Meyenburg
Inhaber: Märkisch Prignitzer Möbel GmbH & Co. KG
Freyensteiner Straße 24
16945 Meyenburg
Vertretungsberechtigte Personen:
MPM GmbH
Geschäftsführer: Marten Lucht und Dirk Hörnschemeyer
E-mail address: info@germania-meyenburg.de
Phone: +49 (0) 33968 502-0
Legal Notice: https://www.germania-meyenburg.de/impressum/
Overview of processing operations
The following table summarises the types of
data processed, the purposes for which they are processed and the concerned
data subjects.
Categories of Processed Data
- Inventory data.
- Payment Data.
- Contact data.
- Content data.
- Contract data.
- Usage data.
- Meta, communication and process data.
Categories of Data Subjects
- Customers.
- Prospective customers.
- Communication partner.
- Users.
- Business and contractual partners.
Purposes of Processing
- Provision of contractual services and fulfillment of
contractual obligations.
- Contact requests and communication.
- Security measures.
- Direct marketing.
- Office and organisational procedures.
- Affiliate Tracking.
- Managing and responding to inquiries.
- Feedback.
- Marketing.
- Provision of our online services and usability.
- Information technology infrastructure.
Relevant legal bases
Relevant legal bases according to the
GDPR: In the following, you will find an overview
of the legal basis of the GDPR on which we base the processing of personal
data. Please note that in addition to the provisions of the GDPR, national data
protection provisions of your or our country of residence or domicile may
apply. If, in addition, more specific legal bases are applicable in individual
cases, we will inform you of these in the data protection declaration.
- Consent (Article 6 (1) (a) GDPR) –
The data subject has given consent to the processing of his or her
personal data for one or more specific purposes.
- Performance of a contract and prior requests (Article 6 (1) (b)
GDPR) – Performance of a contract to which the
data subject is party or in order to take steps at the request of the data
subject prior to entering into a contract.
- Compliance with a legal obligation (Article 6 (1) (c) GDPR) – Processing is necessary for compliance with a legal
obligation to which the controller is subject.
- Legitimate Interests (Article 6 (1) (f) GDPR) – the processing is necessary for the protection of the
legitimate interests of the controller or a third party, provided that the
interests, fundamental rights, and freedoms of the data subject, which
require the protection of personal data, do not prevail.
National data protection regulations in
Germany: In addition to the data protection
regulations of the GDPR, national regulations apply to data protection in
Germany. This includes in particular the Law on Protection against Misuse of
Personal Data in Data Processing (Federal Data Protection Act – BDSG). In
particular, the BDSG contains special provisions on the right to access, the
right to erase, the right to object, the processing of special categories of
personal data, processing for other purposes and transmission as well as
automated individual decision-making, including profiling. Furthermore, data
protection laws of the individual federal states may apply.
Security Precautions
We take appropriate technical and
organisational measures in accordance with the legal requirements, taking into
account the state of the art, the costs of implementation and the nature,
scope, context and purposes of processing as well as the risk of varying
likelihood and severity for the rights and freedoms of natural persons, in
order to ensure a level of security appropriate to the risk.
The measures include, in particular,
safeguarding the confidentiality, integrity and availability of data by
controlling physical and electronic access to the data as well as access to,
input, transmission, securing and separation of the data. In addition, we have
established procedures to ensure that data subjects’ rights are respected, that
data is erased, and that we are prepared to respond to data threats rapidly.
Furthermore, we take the protection of personal data into account as early as
the development or selection of hardware, software and service providers, in
accordance with the principle of privacy by design and privacy by default.
Masking of the IP address: If IP addresses
are processed by us or by the service providers and technologies used and the
processing of a complete IP address is not necessary, the IP address is
shortened (also referred to as “IP masking”). In this process, the
last two digits or the last part of the IP address after a full stop are
removed or replaced by wildcards. The masking of the IP address is intended to
prevent the identification of a person by means of their IP address or to make
such identification significantly more difficult.
Securing online connections through TLS/SSL
encryption technology (HTTPS): To protect the data of users transmitted via our
online services from unauthorized access, we employ TLS/SSL encryption
technology. Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are
the cornerstones of secure data transmission on the internet. These
technologies encrypt the information that is transferred between the website or
app and the user’s browser (or between two servers), thereby safeguarding the
data from unauthorized access. TLS, as the more advanced and secure version of
SSL, ensures that all data transmissions conform to the highest security
standards. When a website is secured with an SSL/TLS certificate, this is
indicated by the display of HTTPS in the URL. This serves as an indicator to
users that their data is being securely and encryptedly transmitted.
Transmission of Personal Data
In the course of processing personal data,
it may happen that this data is transmitted to or disclosed to other entities,
companies, legally independent organizational units, or individuals. Recipients
of this data may include service providers tasked with IT duties or providers
of services and content that are integrated into a website. In such cases, we
observe the legal requirements and particularly conclude relevant contracts or
agreements that serve to protect your data with the recipients of your data.
Data Retention and Deletion
We delete personal data that we process in
accordance with legal provisions as soon as the underlying consents are revoked
or no further legal bases for processing exist. This applies to cases where the
original purpose of processing no longer applies or the data is no longer
needed. Exceptions to this rule exist if statutory obligations or special
interests require a longer retention or archiving of data.
In particular, data that must be retained
for commercial or tax law reasons, or whose storage is necessary for legal
prosecution or for protecting the rights of other natural or legal persons,
must be archived accordingly. Our privacy policy may contain additional
information on the retention and deletion of data specifically applicable to
certain processing activities.
Where there are multiple statements
regarding the retention period or deletion deadlines of a date, the longest
period always applies.
If a period does not expressly start on a
specific date and lasts at least one year, it automatically begins at the end
of the calendar year in which the event triggering the period occurred.
Data that is no longer stored for its
originally intended purpose but due to legal requirements or other reasons is
processed exclusively for reasons justifying their retention.
Further information on processing
methods, procedures and services used:
- Data Retention and Deletion (Germany): The following general deadlines apply for the retention and
archiving according to German law:
10 Years – Fiscal Code/Commercial Code – Retention period for books and
records, annual financial statements, inventories, management reports,
opening balance sheet as well as the necessary work instructions and other
organisational documents, booking receipts and invoices (Section 147
Paragraph 3 in conjunction with Paragraph 1 No. 1, 4 and 4a of the German
General Tax Code (AO), Section 14b Paragraph 1 of the German VAT Act
(UStG), Section 257 Paragraph 1 Numbers 1 and 4, Paragraph 4 of the German
Commercial Code (HGB)).
6 Years – Other business documents: received commercial or business
letters, copies of dispatched commercial or business letters, and other
documents to the extent that they are significant for taxation purposes,
for example, hourly wage slips, operating accounting sheets, calculation
documents, price tags, as well as payroll accounting documents, provided
they are not already accounting vouchers and cash register tapes Section
(Section 147 Paragraph 3 in conjunction with Paragraph 1 No. 2, 3, 5 of
the German General Tax Code (AO), Section 257 Paragraph 1 No. 2 and 3,
Paragraph 4 of the German Commercial Code (HGB)).
3 Years – Data required to consider potential warranty and compensation
claims or similar contractual claims and rights, as well as to process
related inquiries, based on previous business experiences and common
industry practices, will be stored for the duration of the regular statutory
limitation period of three years. This period begins at the end of the
year in which the relevant contractual transaction took place or the
contractual relationship ended in the case of ongoing contracts (Sections
195, 199 of the German Civil Code).
Rights of Data Subjects
Rights of the Data Subjects under the GDPR:
As data subject, you are entitled to various rights under the GDPR, which arise
in particular from Articles 15 to 21 of the GDPR:
- Right to Object: You have the right, on grounds arising from
your particular situation, to object at any time to the processing of your
personal data which is based on letter (e) or (f) of Article 6(1) GDPR,
including profiling based on those provisions. Where personal data are
processed for direct marketing purposes, you have the right to object at
any time to the processing of the personal data concerning you for the
purpose of such marketing, which includes profiling to the extent that it
is related to such direct marketing.
- Right of withdrawal for consents: You have the right to revoke consents at any time.
- Right of access: You have the right
to request confirmation as to whether the data in question will be
processed and to be informed of this data and to receive further
information and a copy of the data in accordance with the provisions of
the law.
- Right to rectification: You have
the right, in accordance with the law, to request the completion of the
data concerning you or the rectification of the incorrect data concerning
you.
- Right to Erasure and Right to Restriction of Processing: In accordance with the statutory provisions, you have the
right to demand that the relevant data be erased immediately or,
alternatively, to demand that the processing of the data be restricted in
accordance with the statutory provisions.
- Right to data portability: You have
the right to receive data concerning you which you have provided to us in
a structured, common and machine-readable format in accordance with the
legal requirements, or to request its transmission to another controller.
- Complaint to the supervisory authority: In accordance with the law and without prejudice to any other
administrative or judicial remedy, you also have the right to lodge a
complaint with a data protection supervisory authority, in particular a
supervisory authority in the Member State where you habitually reside, the
supervisory authority of your place of work or the place of the alleged
infringement, if you consider that the processing of personal data
concerning you infringes the GDPR.
Business services
We process data of our contractual and
business partners, e.g. customers and interested parties (collectively referred
to as “contractual partners”) within the context of contractual and
comparable legal relationships as well as associated actions and communication
with the contractual partners or pre-contractually, e.g. to answer inquiries.
We process this data in order to fulfill
our contractual obligations. These include, in particular, the obligations to
provide the agreed services, any update obligations and remedies in the event
of warranty and other service disruptions. In addition, we process the data to
protect our rights and for the purpose of administrative tasks associated with
these obligations and company organization. Furthermore, we process the data on
the basis of our legitimate interests in proper and economical business management
as well as security measures to protect our contractual partners and our
business operations from misuse, endangerment of their data, secrets,
information and rights (e.g. for the involvement of telecommunications,
transport and other auxiliary services as well as subcontractors, banks, tax
and legal advisors, payment service providers or tax authorities). Within the
framework of applicable law, we only disclose the data of contractual partners
to third parties to the extent that this is necessary for the aforementioned
purposes or to fulfill legal obligations. Contractual partners will be informed
about further forms of processing, e.g. for marketing purposes, within the
scope of this privacy policy.
Which data are necessary for the
aforementioned purposes, we inform the contracting partners before or in the
context of the data collection, e.g. in online forms by special marking (e.g.
colors), and/or symbols (e.g. asterisks or the like), or personally.
We delete the data after expiry of
statutory warranty and comparable obligations, i.e. in principle after expiry
of 4 years, unless the data is stored in a customer account or must be kept for
legal reasons of archiving. The statutory retention period for documents
relevant under tax law as well as for commercial books, inventories, opening
balance sheets, annual financial statements, the instructions required to
understand these documents and other organizational documents and accounting
records is ten years and for received commercial and business letters and
reproductions of sent commercial and business letters six years. The period
begins at the end of the calendar year in which the last entry was made in the
book, the inventory, the opening balance sheet, the annual financial statements
or the management report was prepared, the commercial or business letter was
received or sent, or the accounting document was created, furthermore the
record was made or the other documents were created.
- Processed data types: Inventory
data (For example, the full name, residential address, contact
information, customer number, etc.); Payment Data (e.g. bank details,
invoices, payment history); Contact data (e.g. postal and email addresses
or phone numbers). Contract data (e.g. contract object, duration, customer
category).
- Data subjects: Prospective
customers; Business and contractual partners. Customers.
- Purposes of processing: Provision
of contractual services and fulfillment of contractual obligations;
Contact requests and communication; Office and organisational procedures.
Managing and responding to inquiries.
- Legal Basis: Performance of a
contract and prior requests (Article 6 (1) (b) GDPR), Compliance with a
legal obligation (Article 6 (1) (c) GDPR), Legitimate Interests (Article 6
(1) (f) GDPR).
Further information on processing
methods, procedures and services used:
- Hospitality, hotel and accommodation services: We process the data of our guests, visitors and interested
parties (uniformly referred to as “guests”) in order to provide
our accommodation and related services of a tourist or gastronomic nature
and to invoice the services provided.
As part of our assignment it may be necessary for us to process special
categories of data within the meaning of Article 9 (1) GDPR, in particular
information on the health of a person or information relating to his/her
religious belief. In this case processing is carried out in order to
protect the health interests of visitors (e.g. in the case of information
on allergies) or otherwise to satisfy their physical or mental needs on
request and with their consent.
If necessary for the fulfillment of the contract or required by law, or
agreed by guests, or it is based on our legitimate interests, we disclose
or transfer the guests’ data e.g. to the service providers involved in the
fulfillment of our services or from authorities, billing centers and in
the area of IT, office or comparable services; Legal Basis: Performance of a contract and prior requests (Article 6 (1) (b) GDPR), Compliance
with a legal obligation (Article 6 (1) (c) GDPR).
Use of online platforms for listing and sales purposes
We offer our services on online platforms
operated by other service providers. In addition to our privacy policy, the
privacy policies of the respective platforms apply. This is particularly true
with regard to the payment process and the methods used on the platforms for
performance measuring and behaviour-related marketing.
- Processed data types: Inventory
data (For example, the full name, residential address, contact
information, customer number, etc.); Payment Data (e.g. bank details,
invoices, payment history); Contact data (e.g. postal and email addresses
or phone numbers); Contract data (e.g. contract object, duration, customer
category); Usage data (e.g. page views and duration of visit, click paths,
intensity and frequency of use, types of devices and operating systems
used, interactions with content and features). Meta, communication and process
data (e.g. IP addresses, timestamps, identification numbers, involved
parties).
- Data subjects: Customers.
- Purposes of processing: Provision
of contractual services and fulfillment of contractual obligations;
Marketing. Affiliate Tracking.
- Legal Basis: Performance of a
contract and prior requests (Article 6 (1) (b) GDPR), Legitimate Interests
(Article 6 (1) (f) GDPR).
Further information on processing
methods, procedures and services used:
Provision of online services and web hosting
We process user data in order to be able to
provide them with our online services. For this purpose, we process the IP
address of the user, which is necessary to transmit the content and functions
of our online services to the user’s browser or terminal device.
- Processed data types: Usage data
(e.g. page views and duration of visit, click paths, intensity and
frequency of use, types of devices and operating systems used,
interactions with content and features). Meta, communication and process
data (e.g. IP addresses, timestamps, identification numbers, involved
parties).
- Data subjects: Users (e.g. website
visitors, users of online services).
- Purposes of processing: Provision
of our online services and usability; Information technology
infrastructure (Operation and provision of information systems and
technical devices, such as computers, servers, etc.).); Security measures.
Provision of contractual services and fulfillment of contractual
obligations.
- Legal Basis: Legitimate Interests
(Article 6 (1) (f) GDPR).
Further information on processing
methods, procedures and services used:
- Provision of online offer on rented hosting space: For the provision of our online services, we use storage space,
computing capacity and software that we rent or otherwise obtain from a
corresponding server provider (also referred to as a “web
hoster”); Legal Basis: Legitimate Interests (Article 6 (1) (f)
GDPR).
- Collection of Access Data and Log Files: Access to our online service is logged in the form of so-called
“server log files”. Server log files may include the address and
name of the accessed web pages and files, date and time of access,
transferred data volumes, notification of successful retrieval, browser
type along with version, the user’s operating system, referrer URL (the
previously visited page), and typically IP addresses and the requesting
provider. The server log files can be used for security purposes, e.g., to
prevent server overload (especially in the case of abusive attacks, known
as DDoS attacks), and to ensure server load management and stability; Legal
Basis: Legitimate Interests (Article 6 (1) (f) GDPR). Retention
period: Log file information is stored for a maximum period of 30 days
and then deleted or anonymized. Data, the further storage of which is
necessary for evidence purposes, are excluded from deletion until the
respective incident has been finally clarified.
- 1&1 IONOS: Services in the
field of the provision of information technology infrastructure and
related services (e.g. storage space and/or computing capacities); Service
provider: 1&1 IONOS SE, Elgendorfer Str. 57, 56410 Montabaur,
Germany; Legal Basis: Legitimate Interests (Article 6 (1) (f)
GDPR); Website: https://www.ionos.com; Privacy Policy: https://www.ionos.com/terms-gtc/privacy-policy/. Data Processing Agreement: https://www.ionos.de/hilfe/datenschutz/allgemeine-informationen-zur-datenschutz-grundverordnung-dsgvo/auftragsverarbeitung/.
Contact and Inquiry Management
When contacting us (e.g. via mail, contact
form, e-mail, telephone or via social media) as well as in the context of
existing user and business relationships, the information of the inquiring
persons is processed to the extent necessary to respond to the contact requests
and any requested measures.
- Processed data types: Contact data
(e.g. postal and email addresses or phone numbers); Content data (e.g.
textual or pictorial messages and contributions, as well as information
pertaining to them, such as details of authorship or the time of
creation.); Usage data (e.g. page views and duration of visit, click
paths, intensity and frequency of use, types of devices and operating
systems used, interactions with content and features). Meta, communication
and process data (e.g. IP addresses, timestamps, identification numbers,
involved parties).
- Data subjects: Communication
partner (Recipients of e-mails, letters, etc.).
- Purposes of processing: Contact
requests and communication; Managing and responding to inquiries; Feedback
(e.g. collecting feedback via online form). Provision of our online
services and usability.
- Legal Basis: Legitimate Interests
(Article 6 (1) (f) GDPR), Performance of a contract and prior requests
(Article 6 (1) (b) GDPR).
Further information on processing
methods, procedures and services used:
- Contact form: When users contact us
via our contact form, e-mail or other communication channels, we process
the data provided to us in this context to process the communicated
request; Legal Basis: Performance of a contract and prior requests
(Article 6 (1) (b) GDPR), Legitimate Interests (Article 6 (1) (f) GDPR).
Commercial communication by E-Mail, Postal Mail, Fax or
Telephone
We process personal data for the purposes
of promotional communication, which may be carried out via various channels,
such as e-mail, telephone, post or fax, in accordance with the legal
requirements.
The recipients have the right to withdraw
their consent at any time or to object to the advertising communication at any
time.
After revocation or objection, we store the
data required to prove the past authorization to contact or send up to three
years from the end of the year of revocation or objection on the basis of our
legitimate interests. The processing of this data is limited to the purpose of
a possible defense against claims. Based on the legitimate interest to
permanently observe the revocation, respectively objection of the users, we
further store the data necessary to avoid a renewed contact (e.g. depending on
the communication channel, the e-mail address, telephone number, name).
- Processed data types: Inventory
data (For example, the full name, residential address, contact
information, customer number, etc.). Contact data (e.g. postal and email
addresses or phone numbers).
- Data subjects: Communication
partner (Recipients of e-mails, letters, etc.).
- Purposes of processing: Direct
marketing (e.g. by e-mail or postal).
- Legal Basis: Consent (Article 6 (1)
(a) GDPR), Legitimate Interests (Article 6 (1) (f) GDPR).
Profiles in Social Networks (Social Media)
We maintain online presences within social
networks and process user data in this context in order to communicate with the
users active there or to offer information about us.
We would like to point out that user data
may be processed outside the European Union. This may entail risks for users,
e.g. by making it more difficult to enforce users’ rights.
In addition, user data is usually processed
within social networks for market research and advertising purposes. For
example, user profiles can be created on the basis of user behaviour and the
associated interests of users. The user profiles can then be used, for example,
to place advertisements within and outside the networks which are presumed to
correspond to the interests of the users. For these purposes, cookies are
usually stored on the user’s computer, in which the user’s usage behaviour and
interests are stored. Furthermore, data can be stored in the user profiles
independently of the devices used by the users (especially if the users are
members of the respective networks or will become members later on).
For a detailed description of the
respective processing operations and the opt-out options, please refer to the
respective data protection declarations and information provided by the
providers of the respective networks.
Also in the case of requests for
information and the exercise of rights of data subjects, we point out that
these can be most effectively pursued with the providers. Only the providers
have access to the data of the users and can directly take appropriate measures
and provide information. If you still need help, please do not hesitate to
contact us.
- Processed data types: Contact data
(e.g. postal and email addresses or phone numbers); Content data (e.g.
textual or pictorial messages and contributions, as well as information
pertaining to them, such as details of authorship or the time of
creation.); Usage data (e.g. page views and duration of visit, click
paths, intensity and frequency of use, types of devices and operating
systems used, interactions with content and features). Meta, communication
and process data (e.g. IP addresses, timestamps, identification numbers,
involved parties).
- Data subjects: Users (e.g. website
visitors, users of online services).
- Purposes of processing: Contact
requests and communication; Feedback (e.g. collecting feedback via online
form). Marketing.
- Legal Basis: Legitimate Interests
(Article 6 (1) (f) GDPR).
Further information on processing
methods, procedures and services used:
- Instagram: Social network; Service
provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04
X2K5, Ireland; Legal Basis: Legitimate Interests (Article 6 (1) (f)
GDPR); Website: https://www.instagram.com; Privacy Policy: https://instagram.com/about/legal/privacy. Basis for third-country transfers: Data Privacy Framework (DPF).
- Facebook Pages: Profiles within the
social network Facebook; Service provider: Meta Platforms Ireland
Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal Basis: Legitimate Interests (Article 6 (1) (f) GDPR); Website: https://www.facebook.com; Privacy
Policy: https://www.facebook.com/about/privacy; Basis for third-country transfers: Data Privacy Framework (DPF); Further
Information: We are jointly responsible (so called “joint
controller”) with Meta Platforms Ireland Limited for the collection
(but not the further processing) of data of visitors to our Facebook page.
This data includes information about the types of content users view or
interact with, or the actions they take (see “Things that you and
others do and provide” in the Facebook Data Policy: https://www.facebook.com/policy), and
information about the devices used by users (e.g., IP addresses, operating
system, browser type, language settings, cookie information. see
“Device Information” in the Facebook Data Policy: https://www.facebook.com/policy). As
explained in the Facebook Data Policy under “How we use this
information?” Facebook also collects and uses information to provide
analytics services, known as “page insights,” to site operators
to help them understand how people interact with their pages and with
content associated with them. We have concluded a special agreement with
Facebook (“Information about Page-Insights”, https://www.facebook.com/legal/terms/page_controller_addendum),
which regulates in particular the security measures that Facebook must
observe and in which Facebook has agreed to fulfill the rights of the
persons concerned (i.e. users can send information access or deletion
requests directly to Facebook). The rights of users (in particular to
access to information, erasure, objection and complaint to the competent
supervisory authority) are not restricted by the agreements with Facebook.
Further information can be found in the “Information about Page
Insights” (https://www.facebook.com/legal/terms/information_about_page_insights_data).
The joint controllership is limited to the collection and transfer of the
data to Meta Platforms Ireland Limited, a company located in the EU.
Further processing of the data is the sole responsibility of Meta
Platforms Ireland Limited.
Changes and Updates to the Privacy Policy
We kindly ask you to inform yourself
regularly about the contents of our data protection declaration. We will adjust
the privacy policy as changes in our data processing practices make this
necessary. We will inform you as soon as the changes require your cooperation
(e.g. consent) or other individual notification.
If we provide addresses and contact
information of companies and organizations in this privacy policy, we ask you
to note that addresses may change over time and to verify the information
before contacting us.