Data Protection

Name: AHORN Hotels & Resorts
Address: DE

Information on data processing in accordance with Articles 13 and 14 of the GDPR

We are delighted that you are visiting our website and thank you for your interest. Our dealings with our customers and prospective clients are a matter of trust. We place great value on the trust placed in us and therefore recognise the importance of, and our obligation to, handle your data with care and protect it from misuse.

AHORN Hotels & Resorts adheres specifically to the EU General Data Protection Regulation (GDPR) and the current Federal Data Protection Act (BDSG). Below, we explain what information we collect during your visit to our websites and in our hotels, and how this information is used.

Name and address of the data controller

The data controller within the meaning of the GDPR and other national data protection laws of the Member States, as well as other data protection regulations, is:

AHORN Management GmbH
Tauentzienstr. 11
D-10789 Berlin
Germany
Tel.: +49 (0) 30 315 950 73
Email: info@ahorn-hotels.de

Name and address of the Data Protection Officer

Mr Andreas Thurmann
DataSolution LUD GmbH
Isarstr. 13
D-14974 Ludwigsfelde
Germany
Email: mail@hoteldatenschutz.de

General information on data processing

Scope of the processing of personal data

We generally collect and use our users’ personal data only to the extent necessary to provide a fully functional website and our content and services. The collection and use of our users’ personal data generally takes place only with the user’s consent. An exception applies in cases where obtaining prior consent is not possible for practical reasons and the processing of the data is permitted by law.

Legal basis for the processing of personal data

Where we obtain the data subject’s consent for the processing of personal data, Article 6(1)(a) of the GDPR serves as the legal basis. Where the processing of personal data is necessary for the performance of a contract to which the data subject is a party, Article 6(1)(b) of the GDPR serves as the legal basis. This also applies to processing operations necessary for the implementation of pre-contractual measures. Where the processing of personal data is necessary to comply with a legal obligation to which our company is subject (e.g. national registration laws), Article 6(1)(c) of the GDPR serves as the legal basis. If the processing is necessary to safeguard a legitimate interest of our company or a third party, and the interests, fundamental rights and freedoms of the data subject do not override the aforementioned interest, Article 6(1)(f) of the GDPR serves as the legal basis for the processing.

Data erasure and retention period

The data subject’s personal data shall be erased or restricted as soon as the purpose for which it was stored no longer applies. Storage may also take place if this is provided for by the European or national legislator in Union regulations, laws or other provisions to which the controller is subject. Data shall also be blocked or erased when a storage period prescribed by the aforementioned standards expires, unless there is a need for further storage of the data for the conclusion or performance of a contract.

Collection, processing and use of personal data at AHORN Hotels & Resorts

Description and scope of data processing

The hotel group’s purpose is the operation of several hotels in Germany under joint responsibility. Data collection, processing and use are carried out for the purpose stated above.

AHORN Management GmbH, Tauentzienstr. 11, 10789 Berlin, Germany, is the data controller responsible for carrying out central services such as reservations, marketing and human resources management. To enhance our services, we manage all data received in our central hotel software within the hotel group as well as in the CRM system. The data controller is the hotel at which the booking is made. The respective booking data can only be viewed by the controller; access to a guest’s master data is shared, for example, to make a reservation for another hotel at a later date, to rebook, or to carry out marketing activities centrally. To this end, central services such as reservations and marketing access this data.

Legal basis for data processing

The legal basis for the processing of the data is the conclusion of an accommodation contract with the guest. The data transmitted is stored in our hotel software and used for the performance of the contract.

Data subjects, data and data categories:

To fulfil the stated purpose, the following categories of personal data are collected, processed and used:

Guest data (in particular first name and surname, address details, contact details, booking details, guest requests, billing details)
Other customer data (in particular address details, billing and service details)
Prospective customer data (in particular interest in accommodation, address details)

Recipients to whom the data may be disclosed:

Data may be disclosed to the following recipients:

Internal departments involved in the execution and fulfilment of the respective business processes (e.g. hotels within the hotel group, central reservations, accounts, sales & marketing, IT organisation)
Public authorities that receive data on the basis of legal provisions (e.g. law enforcement agencies, public sector authorities)
External contractors in accordance with Article 28 of the GDPR (service providers)
Other external bodies (e.g. credit institutions, companies where data subjects have given their written consent or where a transfer is permissible on the basis of an overriding legitimate interest)

Purpose of data processing

The main purpose of the collection, processing or use of personal data is the administration, support and hospitality of guests within the framework of the accommodation contract.

Duration of storage

The legislator has enacted a wide range of retention obligations and periods. Upon expiry of these periods, the relevant data and data records are routinely deleted or anonymised if they are no longer required for the performance of the contract. Thus, commercial or financial data relating to a completed financial year is deleted after a further ten years in accordance with legal provisions, provided that no longer retention periods are prescribed or required for legitimate reasons. Reservation documents may be destroyed after 6 years, and the special registration form after one year has elapsed at the end of the year.

Right to object

You have the right to object to the processing of your data at any time. We have set up the email address widerruf@ahorn-hotels.de for this purpose.

Processing of personal data of domestic guests during online check-in

In order to process the accommodation contract, we are required to collect and store the following personal data from you, as a domestic guest, at hotel check-in:

Date of arrival and expected date of departure (for planning and organising your stay)
Surname and first name (for identification and contact purposes)
Email address (to participate in the online check-in/out procedure to simplify and speed up the check-in and check-out process, to confirm your booking and to send you relevant information regarding your reservation, and to send you your invoice after your stay)
Address (for contacting you and invoicing) Identification
data, unless you initiate a card-based payment transaction with Strong Customer Authentication (SCA), in which case the transaction-specific reference number of the payment method used is collected. In this case, the unique reference number of the payment method used is stored together with the data mentioned above.
National law may stipulate that additional data may be collected on the registration form for the collection of tourist and spa taxes (to meet the requirements of the tourist and spa authorities).

Strong customer authentication refers to a requirement of the EU Payment Services Directive (PSD2) that ensures online payments are secure and reduces instances of fraud. It requires users to confirm their identity using two out of three factors when making payments – knowledge (something only the user knows, e.g. a password), possession (something only the user has, e.g. a smartphone) and inherence (something unique to the user, e.g. a fingerprint).

If you choose to use the online check-in option, this is facilitated via the Hotelbird platform operated by hotelbird GmbH, Plinganserstraße 150, 81369 Munich, Germany. Hotelbird is committed to handling the data you provide in accordance with data protection regulations and takes all organisational and technical measures to protect your data. For further information on data protection, please refer to Hotelbird’s privacy policy.

The use of the software involves the processing of personal data. This may include the following personal data:

Master and communication data (e.g. first name and surname, email address)
Address data (e.g. street, house number, postcode, town, country)
Booking or travel data (e.g. arrival and departure dates, booking number, room number)
Usage data (e.g. start, duration and end of use, feature used, language used, browser and operating system used)
Geodata (e.g. GPS position)
Not all of the above data categories are collected or requested every time the software is used. This depends on the settings we have individually configured or the services we use. In principle, the software can be used without user registration.

Legal basis for data processing

The processing of your personal data is generally carried out to fulfil the accommodation contract. The legal basis for processing your email address, insofar as we have received this from you in advance or have already stored it from a previous stay, is additionally our legitimate interest in data processing. Our legitimate interest lies in improving our service offering by simplifying processes and digital communication.

We would like to use the personal data we collect during online check-in to supplement your details in our hotel software for the purpose of contract fulfilment. Additionally, the data may be used, where applicable, to open your room door via an app at our hotel. The system checks whether you are authorised to request or use a service provided.

Where we are legally obliged to collect and store personal data (e.g. under the German Course Regulations), we base the processing on the fulfilment of a legal obligation.

Purpose of data processing

By contacting you, we wish to give you, as a guest, the opportunity to receive information prior to your upcoming stay and to check in in advance and complete the electronic registration form.

Categories of recipients

Hotelbird as the software provider and its subcontractors for, for example, hosting, SMS, email distribution and, where applicable, the provision of a chatbot.
Other service providers we engage, e.g. hotel reservation system, door access system, chatbot, operations & communication software, etc.
Payment service providers.
Other external bodies, provided the data subject has given their consent or a transfer is permissible on grounds of overriding interest.
Public authorities in the event of legal obligations, e.g. tax regulations.
We reserve the right, in the event of a legal obligation, to disclose information about you if the disclosure is required of us by lawfully acting authorities or law enforcement agencies. The legal basis is Article 6(1)(c) of the GDPR (legal obligation).

Duration of storage

The data will be deleted as soon as it is no longer required to fulfil the purpose. Your personal data will only be stored for as long as is necessary for the performance and processing of the online check-in. In Hotelbird, your data will be anonymised after 6 months. Any further statutory retention obligations remain unaffected by this.

Right to object

You have the right to object to the processing of your data at any time. We have set up the email address widerruf@ahorn-hotels.de for this purpose.

Processing of personal data of foreign guests during online check-in

In order to process the accommodation contract and to comply with legal obligations arising from the Federal Registration Act, the collection and storage of the following personal data from you as a foreign guest is required during hotel check-in:

Date of arrival and expected date of departure (for the planning and organisation of your stay and to fulfil the requirements of the Federal Registration Act)
Surname and first name (for identification and contact purposes, and to fulfil the requirements of the Federal Registration Act)
Date of birth (to fulfil the requirements of the Federal Registration Act)
Nationality (to fulfil the requirements of the Federal Registration Act)
Address (for identification, invoicing and, where applicable, contacting you, as well as to comply with the requirements of the Federal Registration Act) Identification
data, unless you initiate a card-based payment transaction with Strong Customer Authentication (SCA), in which case the transaction-specific reference number of the payment method used is collected. In this case, the unique reference number of the payment method used is stored together with the data mentioned above.
Number of foreign fellow travellers and their nationality (to comply with the requirements of the Federal Registration Act)
Serial number of the recognised and valid passport or passport substitute (identity document) (Compliance with the requirements of the Federal Registration Act)
State law may stipulate that further data may be collected on the registration form for the collection of tourist and spa taxes (compliance with the requirements of the tourist and spa authorities)

The details on the registration form will be compared with those on your identity document. If there are any discrepancies, this will be noted on the registration form. If you do not present an identity document, or if the one presented is not valid, this will also be noted on the registration form.

Strong customer authentication refers to a requirement of the EU Payment Services Directive (PSD2), which ensures that online payments are secure and reduces instances of fraud. It requires users to confirm their identity using two out of three factors when making payments – knowledge (something only the user knows, e.g. a password), possession (something only the user has, e.g. a smartphone) and inherence (something unique to the user, e.g. a fingerprint).

The use of the software involves the processing of personal data. This may include the following personal data:

Master and communication data (e.g. first name and surname, email address)
Address data (e.g. street, house number, postcode, town, country)
Booking or travel data (e.g. arrival and departure dates, booking number, room number)
Registration form data (e.g. nationality, date of birth, passport number, digital signature)
Invoice data (e.g. billing address, prices, services booked (e.g. parking, gym)
Usage data (e.g. start, duration and end of usage, feature used, language used, browser and operating system used)
Geodata (e.g. GPS position)
Not all of the above data categories are collected or requested every time the software is used. This depends on the settings we have individually configured or the services we use. In principle, the software can be used without user registration.

Legal basis for data processing

We wish to use the personal data we collect during the online check-in process to supplement your details in our hotel software for the purpose of contract fulfilment. Additionally, the data may be used, where applicable, to open your room door via an app at our hotel. The system automatically checks whether you are authorised to request or use a service provided.

Where we are legally obliged to collect and store personal data (e.g. under the German Course Regulations), we base the processing on the fulfilment of a legal obligation.

Purpose of data processing

By contacting you, we wish to give you, as a guest, the opportunity to receive information prior to your upcoming stay and to check in in advance and complete the electronic registration form.

Categories of recipients

Duration of storage

Right to object

You have the right to object to the processing of your data at any time. We have set up the email address widerruf@ahorn-hotels.de for this purpose.

Your stay at the hotel

Description and scope of data processing

During your stay at our hotel, we collect and process information about guests in our hotel software. Data from the following groups of people may be stored:

Guests, business partners, companies,
interested parties and potential interested parties (e.g. in the case of enquiries regarding offers)
The data collected may include:

First name and surname
Date of birth
Contact details (telephone, mobile, email address)
Address, company name if applicable
Nationality
ID and passport details (for foreign guests on the registration form)
Data relating to services provided, billing data, payment processing
data (e.g. credit card details)
Video recordings for the collection of evidence in the event of vandalism, burglary, robbery or other criminal offences

If you have made your booking via a hotel portal, a tour operator or a travel agency, your data will be forwarded to us by these providers for the purpose of fulfilling the contract entered into.

The town or municipality where a hotel is located may levy a cultural tax or visitor’s tax, i.e. a tax charged on paid accommodation. In this case, the guest is liable for the tax. As an accommodation provider, we collect the tax from the guest and pay it to the city/municipality. As a guest, you may be exempt from the tax if your stay is for business purposes. In this case, in accordance with the city/municipality’s requirements, we will collect your personal details and information about your stay in a separate declaration.

Purposes and legal basis of data processing

We use the personal data you provide exclusively to fulfil the agreed contractual services, i.e. the administration, care and hospitality of guests within the framework of the accommodation contract.

We store your data in our hotel software as well as in reservation, billing and payment applications. In addition to your personal data, this may also include billing data relating to food and drink, telephone calls made from the room and/or other hotel-specific services.

Hotels are obliged under registration regulations (Section 29 et seq. of the Federal Registration Act) to have their guests complete a registration form on site or online. In addition to the first name, surname and address, this form also contains details of the date of birth, nationality and accompanying family members. We must also request an identity document number from foreign guests. All other details are provided on a voluntary basis.

Where services are used, only data necessary for the provision of those services is generally collected. If further data is collected, this constitutes voluntary information. Personal data is processed exclusively for the purpose of fulfilling the requested services and to safeguard our legitimate business interests in accordance with Article 6(1)(f) of the GDPR.

Data is used for the following purposes:

Registration on arrival and departure, including completion of the registration form
Issuing room keys for yourself and fellow travellers
Provision of requested services
Processing of payment arrangements
Billing and reporting in relation to the cultural tax / visitor’s tax
Saving preferences for future hotel stays Our
guests’ contact details may be used at a later date for marketing purposes. The use of your email address requires your consent.

Data will only be processed for purposes other than those mentioned above insofar as such processing is permitted under Article 6(4) of the GDPR and is compatible with the original purposes of the contractual relationship. We will inform you of any such further processing of your data prior to it taking place.

Recipients to whom the data may be disclosed:

Public authorities that receive data on the basis of legal provisions (e.g. city or local authorities, law enforcement agencies, public sector authorities)
Internal departments involved in the execution and fulfilment of the relevant business processes (e.g. administration, accounting, sales & marketing, IT organisation)
Affiliated hotels (master data in the PMS)
External contractors in accordance with Article 28 of the GDPR (service providers)
Other external bodies (e.g. credit institutions)
Deletion of data

The legislator has enacted a wide range of retention obligations and time limits. Once these periods have expired, the relevant data and data records are routinely deleted if they are no longer required for the performance of the contract. For example, commercial or financial data relating to a completed financial year is deleted in accordance with legal requirements after a further ten years, provided that no longer retention periods are prescribed or required for legitimate reasons. Booking documents may be destroyed after 6 years; the registration form after one year has elapsed at the end of the quarter. Unless data is affected by this, it will be deleted automatically once the stated purposes no longer apply.

Video recordings are stored for 72 hours.

Right to object

You have the right to object to the processing of your data at any time. We have set up the email address widerruf@ahorn-hotels.de for this purpose.

Online booking via the website

Description and scope of data processing

On our website, you can book rooms and packages for any Ahorn Hotel. If you make use of this option, the data entered in the form will be transmitted to us and stored. This data includes: title, first name and surname, email address, telephone number, postal address, number of travelling companions, estimated time of arrival, requests, payment method, and the date and time of the reservation.

We use payment service providers to process the transaction. You can select the payment method yourself. Please note that, depending on your selection, your payment details may be transmitted to and processed on the payment service provider’s servers in the USA.

When you make an online booking via our websites, this is done via the online booking system of HotelNetSolutions GmbH, Genthiner Str. 8, 10785 Berlin, Germany. All booking data you enter is transmitted in encrypted form.

Legal basis for data processing

The legal basis for the processing of the data is the conclusion of an accommodation contract. The provision of a title (Mr, Mrs, Ms, etc.) is a voluntary field. We process this information on the basis of our legitimate interest in addressing you politely and personally in our correspondence. Should you choose not to provide a title, this will not result in any disadvantage to you.

To enhance our services, we manage all data received in our central CRM software within AHORN Hotels & Resorts. The data controller is the hotel where the booking is made. The respective booking data can only be viewed by the data controller; access to a guest’s master data is shared, for example, to make a reservation for another hotel at a later date, to rebook, or to carry out marketing activities centrally. To this end, central services such as reservations and marketing access this data. The legal basis for the processing of the data is our legitimate interest in data processing within the framework of the centralised management and use of our customers’ and business partners’ data within the hotel group.

Purpose of data processing

We process the personal data from the input form solely for the purpose of handling the booking enquiry and processing payments.

Duration of storage

The data will be deleted as soon as it is no longer required to fulfil the purpose for which it was collected. In the case of a contractual relationship, we will delete the data received as soon as national, commercial, statutory or contractual retention requirements have been met. The data provided is stored in our hotel software and used for the performance of the contract. Should no contractual relationship arise, we will delete the data at the end of the year following one year.

Right to object

You have the right to object to the processing of your data at any time. We have set up the email address widerruf@ahorn-hotels.de for this purpose. Please note that in the event of an objection, the booking cannot be completed or the conversation continued.

Online booking via other websites

Description and scope of data processing

AHORN Hotels & Resorts offers prospective guests the opportunity to book rooms and packages for any AHORN hotel via hotel booking portals (third-party providers). If you take advantage of this option, the data entered in the input form will be transmitted to us and stored to the extent permitted by the respective hotel booking portal in accordance with its own data protection regulations. Data may include: title, first name and surname, email address, telephone number, address, number of fellow travellers, estimated time of arrival, requests, payment details (credit card).

Legal basis for data processing

The legal basis for the processing of data is the conclusion of an accommodation contract.

Purpose of data processing

We process the personal data from the input form solely for the purpose of handling the booking enquiry and processing payments.

Duration of storage

The data will be deleted as soon as it is no longer required to fulfil the purpose for which it was collected. In the case of a contractual relationship, we will delete the data received as soon as national, commercial, statutory or contractual retention requirements have been met. The data transmitted is stored in our hotel software and used for the performance of the contract. Should no contractual relationship arise, we will delete the data at the end of the year following one year.

AHORN Hotels & Resorts has no influence over the retention periods applied by the respective hotel booking portal.

Right to object

Sending emails before arrival

Description and scope of data processing

We would like to send a welcome email to those guests from whom we have received an email address as part of the booking process prior to their arrival. A few days before arrival, the guest will receive a booking summary and information regarding the booking and available additional services via email.

When we send these emails, we do so via the RIMS platform operated by MP-Network GmbH, Anemonenweg 5, D-85586 Poing, Germany.

Legal basis for data processing

The legal basis for the processing of the data is our legitimate interest in data processing in connection with the booking, i.e. the pre-contractual relationship.

Purpose of data processing

By contacting you, we aim to provide guests with important information about their stay in advance and give them the opportunity to book additional services quickly and conveniently.

Duration of storage

The data will be deleted as soon as it is no longer required to fulfil the purpose.

Right to object

The enquirer has the right to object to the processing of their personal data at any time. We have set up the email address widerruf@ahorn-hotels.de for this purpose.

Contact form/Email contact

Description and scope of data processing

Our website features a contact form which can be used to contact us electronically. If you make use of this option, the data entered in the form will be transmitted to us and stored. This data comprises: hotel, title, first name and surname, email address and the nature of your enquiry (mandatory fields), as well as your telephone number (optional).

Alternatively, you may contact us via the email address provided. In this case, the user’s personal data transmitted with the email will be stored.

Legal basis for data processing

The legal basis for the processing of the data is, first and foremost, our legitimate interest in data processing in the context of the enquirer making contact. If the purpose of making contact is to conclude a contract, the additional legal basis for the processing is within the framework of a pre-contractual relationship or contractual relationship.

Purpose of data processing

We process the personal data from the input form solely for the purpose of handling the contact. In the case of contact via email, this also constitutes the necessary legitimate interest in processing the data. The provision of a title (Mr, Mrs, Ms, etc.) is a voluntary field. We process this information on the basis of our legitimate interest in addressing you politely and personally in our correspondence. If the title is not provided, this will not result in any disadvantage to you.

The other personal data processed during the submission process serves to prevent misuse of the contact form and to ensure the security of our IT systems.

Duration of storage

The data will be deleted as soon as it is no longer required to fulfil the purpose for which it was collected. For personal data sent by email, this is the case once the relevant conversation with the user has ended. The conversation is deemed to have ended when it can be inferred from the circumstances that the matter in question has been conclusively resolved.

If the contact relates to a pre-contractual relationship (enquiry regarding an offer or booking), the data transmitted will also be stored in our hotel software and used for the performance of the contract. If no contractual relationship is established, we will delete the data at the end of the year following one year.

Right to object

You have the right to object to the processing of your data at any time. We have set up the email address widerruf@ahorn-hotels.de for this purpose. Please note that in the event of an objection, the conversation cannot be continued and we will be unable to provide any offers etc. In this case, all personal data stored in the course of the contact will be deleted.

Table booking

Description and scope of data processing

Our website offers the option to book a table at our restaurants in selected hotels. If you make use of this option, the data entered in the form will be transmitted to us. This data includes: first name and surname, email address, details of the table reservation (date, time, number of people, restaurant), and comments.

When you make a table reservation via our website, this is done through the online reservation system provided by resmio GmbH, Gneisenaustr. 66–67, D-10961 Berlin, Germany. All order data you enter is transmitted in encrypted form. Further information can be found in the system provider’s privacy policy.

Legal basis for data processing

The legal basis for the processing of the data is our legitimate interest in data processing. If the person making the reservation gives their consent to receive future news about the restaurant, this consent serves as the legal basis.

Purpose of data processing

The processing of personal data serves solely the purpose of making a table reservation.

Duration of storage

The data will be deleted as soon as it is no longer required to fulfil the purpose for which it was collected.

Right to object

You have the right to object to the processing of your data at any time. We have set up the email address widerruf@ahorn-hotels.de for this purpose.

Booking wellness treatments

Description and scope of data processing

Our website offers the option to book our wellness services. If you make use of this option, the data entered in the form will be transmitted to us. This data includes: title, first name and surname, email address, telephone number, and booking details (date, time, treatment, price).

When you make bookings for our wellness offers via our website, this is done via the online booking system Termin2go operated by Termin2go GmbH, Radinkendorf 20, 15848 Beeskow. All order data you enter is transmitted in encrypted form. Further information can be found in the system provider’s privacy policy at https://www.termin2go.com/de-DE/datenschutzhinweise.

Legal basis for data processing

The legal basis for the processing of data is our legitimate interest in data processing. The provision of a title (Mr, Mrs, Ms, etc.) is a voluntary field. We process this information on the basis of our legitimate interest in addressing you politely and personally in our correspondence. Should you choose not to provide a title, this will not result in any disadvantage to you.

Purpose of data processing

The processing of personal data serves solely to book massage treatments.

Duration of storage

The data will be deleted as soon as it is no longer required to fulfil the purpose for which it was collected.

Right to object

You have the right to object to the processing of your data at any time. We have set up the email address widerruf@ahorn-hotels.de for this purpose.

Purchasing a voucher via the website

Description and scope of data processing

You can purchase vouchers on our website. If you make use of this option, the data entered in the input form will be transmitted to us and stored. This data includes: title/company name, first name and surname, date of birth, email address, postal address, telephone/fax number, voucher value, personalisation of the voucher (personal details for the recipient), delivery options, and payment details via third-party providers.

When you purchase a gift voucher via our website, this is processed via the online ordering platform of HotelNetSolutions GmbH, Genthiner Str. 8, 10785 Berlin, Germany. All order data you enter is transmitted in encrypted form. Further information can be found in the system provider’s privacy policy.

We use payment service providers to process the purchase transaction. You can select the payment method yourself. Please note that, depending on your selection, your payment details may be transmitted to and processed on the payment service provider’s servers in the USA.

Legal basis for data processing

The legal basis for the processing of the data is the conclusion of a sales contract. The provision of a title (Mr, Mrs, Ms, etc.) is a voluntary field. We process this information on the basis of our legitimate interest in addressing you politely and personally in our correspondence. If you do not provide a title, this will not result in any disadvantages for you.

Purpose of data processing

We process the personal data from the input form solely for the purpose of processing the voucher purchase and handling the payment transaction.

Duration of storage

Right to object

You have the right to object to the processing of your data at any time. We have set up the email address widerruf@ahorn-hotels.de for this purpose.

Newsletter service

Description and scope of data processing

Our website offers various ways to subscribe to our newsletter service. If you take advantage of this option, the data entered in the input form (email address) will be transmitted to us and stored.

Should we receive an email address by other means, where the recipient clearly informs us that they wish to receive our newsletter, we will collect their data via the input form on our website.

Legal basis for data processing

The legal basis for the processing of the data is the recipient’s consent. This is ensured by a double opt-in procedure.

Purpose of data processing

We process personal data solely for the purpose of sending individual newsletters.

Duration of storage

The data will be deleted as soon as the newsletter service is unsubscribed from.

Right to object

As a recipient of a newsletter, you have the right at any time to object to the processing of your data or to withdraw your consent. You can unsubscribe from the newsletter service with every newsletter. In addition, we have set up the email address abmelden@ahorn-hotels.de. Please provide us with your email address here.

Publication of information and images relating to events

Description and scope of data processing

We publish information about events we have organised via our website, our social media channels and, where applicable, other media. In addition, we would like to publish photos from our events via the aforementioned media. Participants, guests and third parties may be depicted in the photos.

Legal basis for data processing

The legal basis for the processing of the data is our legitimate interest in publishing information about our events. Where we commission a photographer to take photos for us at an event, we will inform participants in the relevant areas via information signs or displays, or will indicate our intention in advance on the invitation.

Purpose of data processing

The processing of personal data serves the purposes of public relations and the provision of information regarding events that we have organised.

Duration of storage

The data will be deleted as soon as it is no longer required to fulfil the purpose of its publication or if consent to its processing or publication has been withdrawn.

Right to object and right to erasure

All participants, as well as other third parties, have the right to object to the publication of their personal data (in particular photographs) at any time. To this end, all participants will be informed at the entrance to the event that they may decline to be photographed or inform the photographer that images of themselves should not be used or published. In the latter case, the photographer will take a separate photograph so that the person who has objected can be identified at a later date.

It is always possible that we may inadvertently publish images of individuals where consent has not been given or where publication has been objected to. If publication is not desired, we will take immediate steps to comply with your wishes. In the case of group photos, we reserve the right to blur faces. Please contact us directly; we have set up the email address widerruf@ahorn-hotels.de for this purpose.

Support, advice and marketing for corporate clients

Description and scope of data processing

For the purposes of supporting, advising and marketing to corporate clients, we collect and use the contact person, telephone number and postal address in addition to the business partner or potential business partner. We obtain this information from various sources, either through an enquiry (by email or telephone), or via events, trade fairs, business cards received by our sales staff, etc.

Legal basis for data processing

The legal basis for data processing is, first and foremost, our legitimate interest in processing data in the context of the enquirer making contact. If the purpose of making contact is to conclude a contract, the additional legal basis for processing is within the framework of a pre-contractual relationship or contractual relationship.

To enhance our services, we manage all data received in the central CRM module within AHORN Hotels & Resorts. The data controller is the hotel with which a business relationship exists. Central departments such as sales, banqueting, reservations and marketing access this data. The legal basis for the processing of the data is our legitimate interest in data processing within the framework of the centralised management and use of our customers’ and business partners’ data within the hotel group.

Purpose of data processing

We use this contact data exclusively for our own purposes and to tailor our own sales activities to your needs in accordance with legal provisions.

Duration of storage

In principle, no deletion period is specified. However, should our sales department have had no contact with the company contact within 3 years, the sales department will decide whether to delete the company contact’s contact person.

If the contact is in relation to a pre-contractual relationship (quote or booking enquiry), the data provided will also be stored in our hotel software and used for the purpose of fulfilling the contract. If no contractual relationship is established, we will delete the data at the end of the year following one year.

Right to object

As a company contact, you have the right to object to the processing of your data at any time. We have set up the email address widerruf@ahorn-hotels.de for this purpose. In this case, all personal data relating to the contact person that has been stored for the business partner will be deleted.

Online review

Description and scope of data processing

Former guests can submit a review of our hotel after check-out. To this end, we would like to send you an email within 14 days of your departure to ask you to submit a hotel review on HolidayCheck. Each review can be published anonymously if desired. Should you not have felt comfortable in one of our hotels, we would like to take the opportunity to contact you.

If, as a former guest, you take advantage of this opportunity to submit an online review, your data will be stored in the review form. This data includes: your email address and voluntary information such as your first name, surname, language and the details of your review.

Legal basis for data processing

The legal basis for the processing of the data is our legitimate interest.

Purpose of data processing

The purpose of the hotel review is to communicate and summarise hotel guests’ opinions via our website, so that prospective guests can form their own impression of our facilities and services. Additionally, the results are used for our internal quality management.

Duration of storage

The data will not be deleted.

Right to object and right to erasure

You may request the removal of the review at any time (right to be forgotten). To do so, please contact HolidayCheck. Further information can be found in the privacy policy.

Your online application

Description and scope of data processing

If you provide us with personal data as part of the application process, this data will be classified into the following data types and categories for the purposes of collection, processing and/or use:

Personal data (first name and surname, date of birth, address, school qualifications)
Contact details (landline, mobile, fax, email address)
Reference information (from third parties, e.g. credit agencies or public registers)
Data relating to assessment and evaluation during the application process
Data on education and training (school, vocational training, civilian/military service, degree, PhD)
Data on previous professional career, training and employment references
Information on other qualifications (e.g. language skills, computer skills, voluntary work)
Application photo
Details of salary expectations
Application history
If you submit an online application via our website, this is done via the softgarden online application system operated by softgarden e-recruiting GmbH, Tauentzienstraße 14, D-10789 Berlin, Germany. All data you enter is transmitted in encrypted form. softgarden is committed to handling the data you provide in accordance with data protection regulations. It takes all organisational and technical measures to protect your data.

We use the personal data you provide exclusively for the purpose of processing your application for the advertised position. Only those persons involved in the application process will have access to your personal data. All employees entrusted with data processing are obliged to maintain the confidentiality of your data. We do not pass on your personal data to third parties unless you have consented to the transfer of data or we are obliged to do so on the basis of legal provisions and/or official or court orders.

Should an applicant’s profile match another job vacancy published by one of our affiliated companies, we will be happy to forward the application documents. We will obtain the applicant’s consent beforehand. Otherwise, the data will be used exclusively for the processing of the application by the relevant department and for communication purposes.

Legal basis for data processing

The legal basis for the processing of data is the pre-contractual relationship or the conclusion of a contract with the user. We will obtain consent in advance for the forwarding of application documents to an affiliated company.

Purpose of data processing

We process the personal data from the input form solely for the purpose of processing the application.

Duration of storage

Your data will be automatically deleted within six months of the conclusion of the specific application process. This does not apply if statutory provisions preclude deletion, require further storage for the purposes of evidence, or if you have expressly consented to longer storage. No notification will be sent regarding the deletion of the data.

Right to object

The user has the right to object to the processing of their personal data at any time. We have set up the email address widerruf@ahorn-hotels.de for this purpose. Please note that in the event of an objection, the application cannot be completed or the conversation continued.

Sharing your data with a credit reference agency

Description, scope and purpose of data processing

In the event of a credit risk, we will transfer your data (name, address, email address, company details and, where applicable, contract and debt details) to IHD Gesellschaft für Kredit und Forderungsmanagement mbH, Augustinusstr. 11 B, 50226 Frechen, and, where applicable, to other cooperating credit reference agencies.

For the purpose of deciding on the establishment, performance or termination of the contractual relationship, we also collect or use automatically generated probability scores, the calculation of which may incorporate, amongst other things, address data.

Legal basis for data processing

The legal basis for this transfer is Article 6(1)(b) GDPR and Article 6(1)(f) GDPR. Transfers on the basis of Article 6(1)(f) GDPR may only take place insofar as this is necessary to pursue the legitimate interests of our company and does not override the interests or fundamental rights and freedoms of the data subject which require the protection of personal data.

Right to object

Detailed information regarding our contractual partner, IHD, within the meaning of Article 14 GDPR – namely the business purpose, the purpose of data storage there, the legal basis, the recipients of data by IHD, the right to access, the right to erasure and rectification, and profiling – can be found at www.ihd.de/datenschutz

Hosting of the website and creation of log files

Description and scope of data processing

Every time our website is accessed, our system automatically collects data and information from the computer system of the accessing device. The following data is collected:

Information about the browser type and version used
The user’s
operating system The user’s IP address
Date and time of access
Websites from which the user’s system accessed our website
Websites accessed by the user’s
system via our website The data is also stored in our system’s log files. This data is not stored together with other personal data relating to the user. Personal user profiles cannot be created. The stored data is evaluated solely for statistical purposes.

Legal basis for data processing

The legal basis for the temporary storage of the data and log files is our legitimate interest in data processing in connection with the provision of our website.

Purpose of data processing

The temporary storage of the IP address by the system is necessary to enable the website to be delivered to the user’s computer. For this purpose, the user’s IP address must remain stored for the duration of the session.

Data is stored in log files to ensure the website functions properly. Furthermore, we use the data to optimise the website and to ensure the security of our IT systems. The data is not analysed for marketing purposes in this context.

These purposes also constitute our legitimate interest in data processing for the provision of our website.

Duration of storage

The data is deleted as soon as it is no longer required to fulfil the purpose for which it was collected. In the case of data collected for the provision of the website, this is the case once the respective session has ended.

In the case of data stored in log files, this is the case after seven days at the latest. Storage beyond this period is possible. In this case, users’ IP addresses are deleted or anonymised so that it is no longer possible to identify the client making the request.

Right to object and right to erasure

The collection of data for the provision of the website and the storage of data in log files is strictly necessary for the operation of the website. Consequently, the user has no right to object.

Use of cookies

Description and scope of data processing

Cookies are small files that enable us to store specific information relating to you, the user, on your computer whilst you are visiting one of our websites. Cookies help us to determine the frequency of use and the number of users of our websites, as well as to design our services for you as conveniently and efficiently as possible.

We also use cookies on our website that enable us to analyse users’ browsing behaviour. In this way, the following data may be transmitted: search terms entered, frequency of page views, and use of website functions. The user data collected in this way is pseudonymised through technical measures. Consequently, it is no longer possible to link the data to the user accessing the site. The data is not stored together with other personal data of the users. When accessing our website, the user is informed about the use of cookies for analytical purposes and their consent to the processing of the personal data used in this context is obtained. In this context, reference is also made to this privacy policy.

Legal basis for data processing

The legal basis for the processing of personal data using technically necessary cookies is our legitimate interest in data processing.

The legal basis for the processing of personal data using cookies for analytical purposes is the user’s consent to this effect.

Purpose of data processing

The purpose of using technically necessary cookies is to simplify the use of websites for users. Some functions of our website cannot be provided without the use of cookies. For these, it is necessary for the browser to be recognised even after a page change. The user data collected by technically necessary cookies is not used to create user profiles.

Analytical cookies are used to improve the quality of our website and its content. These cookies tell us how the website is used, enabling us to continuously optimise our offering.

Duration of storage, right to object and removal

Cookies are stored on the user’s computer and transmitted to our site by the user. As a user, you therefore have full control over the use of cookies. By changing the settings in your web browser, you can disable or restrict the transmission of cookies. Cookies that have already been stored can be deleted at any time. This can also be done automatically. If cookies are disabled for our website, it may no longer be possible to use all of the website’s functions to their full extent.

Below, we describe in more detail which cookies we use on the site.

These cookies enable us to tailor the functions and content of the site to your needs by storing your preferences. For example, these cookies can be used to save your user data in our forum or to select a language. Furthermore, they can be used to provide interactive information, such as viewing our virtual catalogues or videos.

Overview of the cookies used

We use various cookies in the operation of this website, as described here. In the Consent Manager, you can access information about the cookies used for the respective services.

Cookie consent with CCM19 Cookie

Our website uses the cookie consent technology provided by CCM19 Cookie to obtain your consent to the storage of certain cookies in your browser and to document this in accordance with data protection regulations. The provider of this technology is Papoo Software & Media GmbH – Dr Carsten Euwens, Bornschein, Auguststr. 4, 53229 Bonn, Germany.

When you visit our website, a CCM19 cookie is stored in your browser, in which the consents you have given or the withdrawal of these consents are stored. This data is not passed on to CCM19.

The data collected is stored until you request its deletion, delete the CCM19 cookie yourself, or the purpose for storing the data no longer applies. Mandatory statutory retention periods remain unaffected.

The CCM19 cookie consent technology is used to obtain the legally required consents for the use of cookies. The legal basis for this is Article 6(1)(c) of the GDPR.

Facebook Pixel

Our website uses Meta Pixels from Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland, to create so-called Custom Audiences, i.e. to segment groups of visitors to our website, determine conversion rates and subsequently optimise them. This occurs in particular when you interact with advertisements that we have placed in collaboration with Meta Platforms Ireland Limited.

The use of Meta Pixels is based on your consent in accordance with Article 6(1)(a) of the GDPR.

In cases where no adequacy decision by the European Commission exists (including US companies that are not certified under the EU-US DPF), we have agreed on other suitable safeguards with the recipients of the data in accordance with Articles 44 et seq. of the GDPR. Unless otherwise stated, these are standard contractual clauses of the European Commission in accordance with Implementing Decision (EU) 2021/914 of 4 June 2021. You can view a copy of these standard contractual clauses at https://eur-lex.europa.eu/legal-content/DE/TXT/HTML/?uri=CELEX:32021D0914&from=DE.

In addition, prior to such a transfer to a third country, we will seek your consent in accordance with Article 49(1)(a) of the GDPR, which you provide via the Consent Manager (or other forms, registrations, etc.). Please note that transfers to third countries may involve risks of which the details are unknown (e.g. data processing by the third country’s security authorities, the exact scope of which and the consequences for you we do not know, over which we have no influence and of which you may not become aware).

We have no influence over the specific retention period of the processed data; this is determined by Meta Platforms Ireland Limited. Further information can be found in the privacy policy for Meta Pixel.

TikTok Pixel

We use TikTok Pixel from TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, D02 T380, Ireland, to create so-called custom audiences, i.e. to segment groups of visitors to our website, determine conversion rates and subsequently optimise them. This occurs in particular when you interact with advertisements that we have placed in collaboration with TikTok Technology Limited.

The use of TikTok Pixel is based on your consent in accordance with Article 6(1)(a) of the GDPR and Section 25(1) of the TDDDG.

We have no influence over the specific storage period of the processed data; this is determined by TikTok Technology Limited. Further information can be found in the privacy policy for TikTok Pixel.

Spotify Pixel

We have integrated the Spotify Pixel into our website. This is an analytics service provided by Spotify AB, Regeringsgatan 19, 111 53 Stockholm, Sweden. The Spotify Pixel enables the collection and analysis of user behaviour on our website in order to measure the effectiveness of Spotify advertising campaigns and to facilitate targeted advertising on the Spotify platform.

Spotify Pixel uses cookies and similar technologies to collect certain information about visitor behaviour (e.g. pages visited, interactions, time spent on site) as well as technical information (such as IP address, device type, operating system, browser type and user agent). This data may be used to recognise users across different websites and to categorise them into target groups for Spotify advertising campaigns.

If you are a registered user of a Spotify service, Spotify may associate the data collected via the pixel with your user account. Even if you are not registered with or logged into Spotify, the provider may process and store your IP address and other identifying characteristics.

Your data is passed on to the service provider, Spotify AB, Regeringsgatan 19, 111 53 Stockholm, Sweden.

The use of the Spotify pixel is based on your consent in accordance with Article 6(1)(a) of the GDPR and Section 25(1) of the TDDDG.

In addition, prior to such a transfer to a third country, we obtain your consent in accordance with Article 49(1)(a) of the GDPR, which you provide via the Consent Manager (or other forms, registrations, etc.). Please note that transfers to third countries may involve risks of which the details are unknown (e.g. data processing by security authorities in the third country, the exact scope of which and the consequences for you we do not know, over which we have no influence and of which you may not become aware).

We have no influence over the specific retention period of the processed data; this is determined by Spotify. Further information can be found in Spotify’s privacy policy.

HolidayCheck Tracking

As part of our online services, we use the “HolidayCheck Tracking” service provided by HolidayCheck AG to analyse your usage behaviour on our website and to continuously improve our services. In particular, a so-called “device fingerprint” is created and transmitted to HolidayCheck’s servers. The device fingerprint can be analysed in conjunction with a HolidayCheck user ID, enabling it to be matched with Google Analytics user data. In this way, various page views and interactions can be attributed to a (pseudonymous) user in order to better understand travel and booking processes.

What data is collected?

Device-specific information (device fingerprint)
HolidayCheck user ID (if you are logged in to HolidayCheck or such an ID exists) Hotel websites
visited (hotel name, hotel URL)
For bookings (where applicable): booking information (non-personalised), including number of travellers (PAX), travel dates, duration of stay, price

The processing of your data serves the purpose of statistical analysis and measuring the success of hotel and travel offers. This enables us and HolidayCheck to make improvements, enhance user-friendliness and tailor the offering to your interests.

If you give your consent, Article 6(1)(a) of the GDPR (consent) is the applicable legal basis. HolidayCheck tracking does not take place without your consent.

The data collected is transmitted to HolidayCheck (HolidayCheck Group AG, Arabellastraße 23, 81925 Munich, Germany) and analysed there. Data will only be disclosed to third parties where this is legally permissible and necessary within the scope of the purposes described.

You can enable or disable HolidayCheck tracking via our Consent Manager. If you do not wish to use HolidayCheck tracking, you may withdraw your consent at any time with effect for the future. The lawfulness of the processing carried out prior to withdrawal remains unaffected. Please note that, in the event of withdrawal, not all functions of our website may be fully available. For further information on data processing by HolidayCheck, please refer to their privacy policy.

We will only store the data for as long as is necessary to achieve the stated purposes or until you withdraw your consent. HolidayCheck itself may set its own retention periods, over which we have no influence. We have no control over the specific retention period of the processed data; this is determined by HolidayCheck. Further details can be found in the HolidayCheck privacy policy.

Use of Microsoft services

BING Advertising

We have integrated Microsoft Advertising into our website. Microsoft Advertising is a service provided by Microsoft Corporation to display targeted advertising to users. Microsoft Advertising uses cookies and other browser technologies to analyse user behaviour and recognise users.

Microsoft Advertising collects information about visitor behaviour across various websites. This information is used to optimise the relevance of the advertising. Furthermore, Microsoft Advertising delivers targeted advertising based on behavioural profiles and geographical location. Your IP address and other identifying characteristics, such as your user agent, are transmitted to the provider.

The ANID is a unique identifier assigned to a specific Microsoft account. This identifier makes it possible to uniquely identify a user without, however, containing any direct personal data (such as name or email address). The ANID is used to display targeted advertising. This means that Microsoft can use this identifier to provide personalised advertisements based on the user’s interests and behaviour. This is often done by collecting and analysing data about the user’s online behaviour. In addition to advertising, the ANID is also used to provide personalised content and services. This may mean that websites or applications adapt their content and functions to better meet the user’s preferences and needs. The identifier may also be used for general operational purposes. This could include improving security, diagnosing technical issues or optimising the user experience.

In this case, your data is transferred to the operator of Microsoft Advertising, Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, United States.

The use of Microsoft Advertising is based on your consent in accordance with Article 6(1)(a) of the GDPR.

We intend to transfer personal data to third countries outside the European Economic Area, in particular the USA. Data transfers to the USA are carried out in accordance with Article 45(1) of the GDPR on the basis of the European Commission’s adequacy decision. The US companies involved and/or their US sub-processors are certified under the EU-US Data Privacy Framework (EU-US DPF). In cases where no adequacy decision by the European Commission exists (including US companies that are not certified under the EU-US DPF), we have agreed on other suitable safeguards with the recipients of the data in accordance with Articles 44 et seq. of the GDPR. Unless otherwise stated, these are standard contractual clauses of the European Commission in accordance with Implementing Decision (EU) 2021/914 of 4 June 2021. You can view a copy of these standard contractual clauses at https://eur-lex.europa.eu/legal-content/DE/TXT/HTML/?uri=CELEX:32021D0914&from=DE. In addition, prior to such a transfer to a third country, we will seek your consent in accordance with Article 49(1)(a) of the GDPR, which you provide via the Consent Manager (or other forms, registrations, etc.). Please note that transfers to third countries may involve risks of which the details are unknown (e.g. data processing by security authorities in the third country, the exact scope of which and the consequences for you we do not know, over which we have no influence and of which you may not become aware).

We have no influence over the specific retention period of the processed data; this is determined by Microsoft Corporation. Further information can be found in the Microsoft Advertising Privacy Statement.

If you, as a user, decide to opt out of interest-based advertising from Microsoft, this decision is linked to the ANID. This means that Microsoft can use the ANID to remember that this user does not wish to receive personalised advertising. This ensures that your preference is respected, even if you log back into your Microsoft account or browse on different devices.

Use of Google services

Google Tag Manager

We use Google Tag Manager from Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Google Tag Manager is used to manage website tags via an interface and enables us to control the precise integration of services on our website

This allows us to flexibly integrate additional services in order to analyse user access to our website.

The use of Google Tag Manager is based on your consent in accordance with Article 6(1)(a) of the GDPR and Section 25(1) of the TDDDG.

In cases where no adequacy decision by the European Commission exists (including US companies that are not certified under the EU-US DPF), we have agreed on other suitable safeguards with the recipients of the data in accordance with Articles 44 et seq. of the GDPR. Unless otherwise stated, these are the EU Commission’s standard contractual clauses in accordance with Implementing Decision (EU) 2021/914 of 4 June 2021. You can view a copy of these standard contractual clauses at eur-lex.europa.eu/legal-content/DE/TXT/HTML/.

Furthermore, prior to such a transfer to a third country, we obtain your consent in accordance with Article 49(1), first sentence, point (a) of the GDPR, which you provide via the Consent Manager (or other forms, registrations, etc.). We would like to draw your attention to the fact that transfers to third countries may involve risks of which the details are unknown (e.g. data processing by security authorities in the third country, the exact scope of which and the consequences for you we do not know, over which we have no influence and of which you may not become aware).

You give your consent by accepting the use of cookies (cookie banner / Consent Manager), through which you may also withdraw your consent at any time with future effect in accordance with Article 7(3) of the GDPR.

We have no influence over the specific retention period of the processed data; this is determined by Google Ireland Limited. Further information can be found in Google’s privacy policy.

Google Analytics

Our website uses Google Analytics 4, a web analytics service provided by Google LLC. The data controller for users in the EU/EEA and Switzerland is Google Ireland Limited, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland (“Google”).

Google Analytics uses cookies that enable an analysis of your use of our websites. The information collected via the cookies regarding your use of this website is generally transmitted to a Google server in the USA and stored there.

We use the User ID feature. With the help of the User ID, we can assign a unique, persistent ID to one or more sessions (and the activities within those sessions) and analyse user behaviour across devices.

We also use Google Signals. This allows Google Analytics to collect additional information about users who have enabled personalised ads (interests and demographic data), and ads can be delivered to these users in cross-device remarketing campaigns.

In Google Analytics 4, IP address anonymisation is enabled by default. Due to IP anonymisation, your IP address is truncated by Google within Member States of the European Union or in other signatory states to the Agreement on the European Economic Area. Only in exceptional cases is the full IP address transmitted to a Google server in the USA and truncated there. According to Google, the IP address transmitted by your browser as part of Google Analytics is not merged with other Google data.

During your visit to the website, your user behaviour is recorded in the form of ‘events’. Events may include:

Page views
First visit to the website
Start of the session
Your ‘click path’, interaction with the website
Scrolls (whenever a user scrolls to the bottom of the page (90%))
Clicks on external links
Internal search queries
Interaction with videos
File downloads Adverts
viewed /
clicked Language setting
The following is also recorded:

Your approximate location (region)
Your IP address (in truncated form)
Technical information about your browser and the devices you use (e.g. language setting, screen resolution)
Your internet service provider
The referrer URL (via which website/advertising medium you arrived at this website)
Purposes of processing

On our behalf, Google will process the information provided to evaluate website visitors’ use of the website and to compile reports on website activity. We use the reports provided by Google Analytics to analyse the website’s performance.

Recipients

Recipients of the data are/may be

Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (as a data processor pursuant to Article 28 of the GDPR)
Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA
Alphabet Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA
It cannot be ruled out that US authorities may access the data stored by Google.

Transfers to third countries

Where data is processed outside the EU/EEA and there is no level of data protection equivalent to European standards, we have entered into EU Standard Contractual Clauses with the service provider to ensure an adequate level of data protection. The parent company of Google Ireland, Google LLC, is based in California, USA. The transfer of data to the USA and access by US authorities to data stored by Google cannot be ruled out. From a data protection perspective, the USA is currently considered a third country. You do not have the same rights there as you do within the EU/EEA. You may not have any legal remedies against access by authorities.

Retention period

The data sent by us and linked to cookies is automatically deleted after 14 months. Data whose retention period has expired is automatically deleted once a month.

Legal basis and withdrawal

The use of Google Analytics 4 is based on your consent in accordance with Article 6(1)(a) of the GDPR and Section 25(1) of the TDDDG

In cases where no adequacy decision by the European Commission exists (including US companies that are not certified under the EU-US DPF), we have agreed on other appropriate safeguards with the recipients of the data in accordance with Articles 44 et seq. of the GDPR. Unless otherwise stated, these are the EU Commission’s standard contractual clauses in accordance with Implementing Decision (EU) 2021/914 of 4 June 2021. You can view a copy of these standard contractual clauses at eur-lex.europa.eu/legal-content/DE/TXT/HTML/.

You can also prevent the storage of cookies from the outset by adjusting your browser settings accordingly. However, if you configure your browser to reject all cookies, this may result in restricted functionality on this and other websites. You can also prevent the collection of data generated by the cookie and relating to your use of the website (including your IP address) by Google, as well as the processing of this data by Google, by (I) not giving your consent to the setting of the cookie or (II) downloading and installing the browser add-on to deactivate Google Analytics HERE.

Further information can be found in Google’s Terms of Service and Privacy Policy.

Google DoubleClick

We have integrated components from DoubleClick by Google into our website. DoubleClick is a Google brand under which specialised online marketing solutions are primarily marketed to advertising agencies and publishers. DoubleClick by Google transmits data to the DoubleClick server with every impression, as well as with clicks or other activities.

Each of these data transfers triggers a cookie request to the data subject’s browser. If the browser accepts this request, DoubleClick sets a cookie in your browser.

DoubleClick uses a cookie ID, which is necessary for the technical process to function. The cookie ID is required, for example, to display an advertisement in a browser. DoubleClick can also use the cookie ID to track which advertisements have already been displayed in a browser, in order to prevent duplicate ad placements. Furthermore, the cookie ID enables DoubleClick to track conversions. Conversions are tracked, for example, when a user has previously been shown a DoubleClick advertisement and subsequently makes a purchase on the advertiser’s website using the same web browser.

A DoubleClick cookie does not contain any personal data, but may contain additional campaign identifiers. A campaign identifier is used to identify the campaigns with which you have already come into contact on other websites. As part of this service, Google receives information that Google also uses to generate commission statements. Among other things, Google can track that you have clicked on certain links on our website. In this case, your data is transferred to the operator of DoubleClick, Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.

We process your data using the DoubleClick cookie for the purpose of optimising and displaying advertising on the basis of your consent in accordance with Article 6(1)(a) of the GDPR and Section 25(1) of the TDDDG. Among other things, the cookie is used to place and display user-relevant advertising, as well as to generate reports on advertising campaigns or to improve them. Furthermore, the cookie serves to prevent the same advertisement from being displayed multiple times. Each time you visit a page on our website that incorporates a DoubleClick component, your browser is automatically prompted by the respective DoubleClick component to transmit data to Google for the purposes of online advertising and the settlement of commissions. There is no legal or contractual obligation to provide your data. If you do not give us your consent, you may still visit our website without restriction; however, not all functions may be fully available.

In cases where no adequacy decision by the European Commission exists (including US companies that are not certified under the EU-US DPF), we have agreed on other suitable safeguards with the recipients of the data in accordance with Articles 44 et seq. of the GDPR. Unless otherwise stated, these are the EU Commission’s standard contractual clauses in accordance with Implementing Decision (EU) 2021/914 of 4 June 2021. You can view a copy of these standard contractual clauses at eur-lex.europa.eu/legal-content/DE/TXT/HTML/.

Among other things, the cookie is used to display user-relevant advertising and to generate reports on advertising campaigns or to improve them. Furthermore, the cookie serves to prevent the same advertisement from being displayed multiple times. Each time you visit a page on our website that incorporates a DoubleClick component, your browser is automatically prompted by the respective DoubleClick component to transmit data to Google for the purposes of online advertising and the settlement of commissions. There is no legal or contractual obligation to provide your data. If you do not give us your consent, you may still visit our website without restriction; however, not all functions may be fully available.

We have no influence over the specific retention period of the processed data; this is determined by Google Ireland Limited. Further information can be found in Google’s privacy policy.

Google Ads

We have integrated Google Ads into our website. Google Ads is a service provided by Google Ireland Limited to display targeted advertising to users. Google Ads uses cookies and other browser technologies to analyse user behaviour and recognise users.

Google Ads collects information about visitor behaviour across various websites. This information is used to optimise the relevance of the advertising. Furthermore, Google Ads delivers targeted advertising based on behavioural profiles and geographical location. Your IP address and other identifying characteristics, such as your user agent, are transmitted to the provider.

If you are registered with a Google Ireland Limited service, Google Ads can associate your visit with your account. Even if you are not registered with Google Ireland Limited or have not logged in, it is possible that the provider may identify and store your IP address and other identifying characteristics.

In this case, your data is transferred to the operator of Google Ads, Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.

The use of Google Ads is based on your consent in accordance with Article 6(1)(a) of the GDPR and Section 25(1) of the TDDDG

In addition, prior to such a transfer to a third country, we will seek your consent in accordance with Article 49(1)(a) of the GDPR, which you provide via the Consent Manager (or other forms, registrations, etc.). Please note that transfers to third countries may involve risks of which the details are unknown (e.g. data processing by security authorities in the third country, the exact scope of which and the consequences for you we do not know, over which we have no influence and of which you may not become aware).

We have no influence over the specific retention period of the processed data; this is determined by Google Ireland Limited. Further information can be found in the Google Ads Privacy Policy.

Use of social media plugins

We maintain so-called fan pages, accounts or channels on the networks listed below in order to provide you with information and offers within social media platforms, and to offer you further ways to contact us and find out about our services. Below, we explain what data we or the respective social network process in connection with your access to and use of our fan pages/accounts.

If you wish to contact us via Messenger or direct message on the respective social network, we generally process your username, which you use to contact us, and may store any further data you provide to the extent necessary to process or respond to your enquiry.

The legal basis is Article 6(1)(f) of the GDPR (processing is necessary for the purposes of the legitimate interests pursued by the controller).

We receive statistics regarding our accounts that are automatically generated via Insights features. The statistics include, amongst other things, the total number of page views, ‘Likes’, details of page activity and post interactions, reach, video views, and information on the proportion of men and women amongst our fans and followers.

The statistics contain only aggregated data that cannot be traced back to individual persons. We cannot identify you from this data.

You do not need to be a member of the relevant social network to view the content of our fan pages or accounts, and therefore no user account for the relevant social network is required.

Please note, however, that when you visit the respective social network, it collects and stores data even from website visitors without a user account (e.g. technical data required to display the website to you) and uses cookies and similar technologies, over which we have no control. Further details can be found in the privacy policy of the respective social network.

If you wish to interact with the content on our fan pages/accounts, e.g. comment on, share or like our posts, and/or contact us via messenger functions, prior registration with the respective social network and the provision of personal data are required.

We have no influence over the data processing carried out by the social networks in connection with your use of them. To the best of our knowledge, your data is stored and processed in particular in connection with the provision of the respective social network’s services, and furthermore for the analysis of usage behaviour (using cookies, pixels/web beacons and similar technologies), on the basis of which advertising tailored to your interests is displayed both within and outside the respective social network. It cannot be ruled out that your data may be stored by the social networks outside the EU/EEA and passed on to third parties.

Information regarding, amongst other things, the exact scope and purposes of the processing of your personal data, the storage period/deletion, as well as guidelines on the use of cookies and similar technologies in connection with registration and use of the social networks can be found in the privacy policies/cookie policies of the social networks. There you will also find information regarding your rights and options to object.

Use of Facebook plugins

Plugins from the social network Facebook, 1601 South California Avenue, Palo Alto, CA 94304, USA, are integrated into our website. You can recognise the plugins by the logo on our site. An overview of the plugins can be found here.

We have no influence over the collection of data and its further processing by Facebook. Furthermore, we are unable to ascertain the extent to which, where and for how long the data is stored, the extent to which Facebook complies with existing obligations to delete data, what analyses and links are made with the data, and to whom the data is passed on. If you wish to prevent Facebook from processing personal data that you have transmitted to us, please contact us by other means.

Further information on this can be found in Facebook’s privacy policy. If you do not wish Facebook to be able to associate your visit to our pages with your user account, please log out of your respective user account!

Facebook Fan Page

On our Facebook fan page at: https://de-de.facebook.com/AHORNhotels/, we use plugins from the provider Facebook.com, which are provided by the company Facebook Inc., 1601 S. California Avenue, Palo Alto, CA 94304 in the USA.

When you visit our Facebook page, Facebook (Meta) collects, among other things, your IP address and other information stored on your computer in the form of cookies. This information is used to provide us, as the operators of the Facebook pages, with statistical information regarding the use of the Facebook page. Facebook provides further information on this at the following link: https://facebook.com/help/pages/insights.

We are unable to draw conclusions about individual users from the statistical information provided. We use this information solely to respond to our users’ interests, to continuously improve our online presence and to ensure its quality.

We collect your data via our fan page solely to facilitate communication and interaction with us. This collection generally includes your name, message content, comment content and the profile information you have made ‘public’.

The processing of your personal data for the purposes mentioned above is based on our legitimate business and communication interests in providing an information and communication channel in accordance with Article 6(1)(f) of the GDPR. Should you, as a user, have given your consent to data processing to the respective social network provider, the legal basis for the processing extends to Article 6(1)(a) and Article 7 of the GDPR.

As the actual data processing is carried out by the social network provider, our ability to access your data is limited. Only the social network provider is authorised to have full access to your data. Consequently, only the provider can directly take and implement appropriate measures to fulfil your user rights (requests for information, requests for erasure, objections, etc.). The most effective way to exercise these rights is therefore to contact the relevant provider directly.

We are jointly responsible with Facebook for the personal data on the fan page. Data subjects’ rights may be exercised with Meta Platforms Ireland Ltd. as well as with us.

Under the GDPR, the primary responsibility for the processing of Insights data lies with Facebook, and Facebook fulfils all obligations under the GDPR with regard to the processing of Insights data; Meta Platforms Ireland Ltd. makes the key elements of the Page Insights supplement available to data subjects.

We do not make any decisions regarding the processing of Insights data or the storage duration of cookies on users’ devices.

Further information can be found directly on Facebook (Supplemental Agreement with Facebook).

Any person depicted, as well as other third parties, may object to the publication of their personal data (photos) at any time. We have set up the email address widerruf@ahorn-hotels.de for this purpose. The right to object applies in particular to the future publication of images.

It may occasionally happen that we inadvertently publish images of people without their consent. If publication is not desired, we will take immediate steps to comply with your request. In the case of group photos, we reserve the right to blur faces.

Instagram fan page

Our Instagram fan page https://www.instagram.com/ahornhotels/ is a service provided by the social network Facebook, 1601 South California Avenue, Palo Alto, CA 94304, USA. On Instagram, we would like to publish photos and information about our events and activities, as well as about selected individuals. The photos may feature staff members, guests, photo models, and third parties.

When you use the fan page, data containing information about your visits to our fan page is forwarded to Instagram’s servers. For logged-in users, this means that usage data is linked to their personal Instagram account. As soon as you, as a logged-in Instagram user, actively use the Instagram plugin, e.g. by clicking on the ‘Instagram’ logo, this data is transferred to your Instagram account. You can only prevent this by logging out of your Instagram account beforehand.

When you visit the Instagram page, Facebook collects, among other things, your IP address. Together with further information that Facebook obtains via cookies, Facebook, as the operator of the Instagram page, provides statistical information about the use of this Instagram page (so-called Page Insights). This consists of aggregated data that reveals how users interact with the page. These Page Insights may be based on personal data collected by Facebook in connection with a visit or interaction by users on or with our Instagram page and its content.

Using Page Insights, we can carry out an anonymous analysis of reach, page views, time spent on video posts, user actions (likes, comments, sharing posts), as well as by age, gender and location (as specified by users in their respective Instagram profiles). In doing so, settings can be adjusted or appropriate filters applied for the analysis of reach, such as selecting a time period, viewing a specific post, and demographic groupings (e.g. female, aged 20–30). This data is anonymised, aggregated and abstracted. These settings therefore do not allow us to draw any conclusions about individuals. The analysis serves to optimise the content on the Instagram page for public relations purposes.

The processing of your personal data for the purposes mentioned above is carried out on the basis of our legitimate business and communication interests in providing an information and communication channel in accordance with Article 6(1)(f) of the GDPR. Should you, as a user, have given your consent to data processing to the respective social network provider, the legal basis for the processing extends to Article 6(1)(a) and Article 7 of the GDPR.

As the actual data processing is carried out by the social network provider, our ability to access your data is limited. Only the social network provider is authorised to have full access to your data. For this reason, only the provider can directly take and implement appropriate measures to fulfil your user rights (requests for information, requests for erasure, objections, etc.). The most effective way to exercise these rights is therefore to contact the relevant provider directly.

We are jointly responsible with Instagram for the personal data on the fan page. Data subjects’ rights may be exercised with Meta Platforms Ireland Ltd. as well as with us.

Under the GDPR, the primary responsibility for the processing of Insights data lies with Instagram, and Instagram fulfils all obligations under the GDPR with regard to the processing of Insights data; Meta Platforms Ireland Ltd. makes the key elements of the Page Insights supplement available to data subjects.

We do not make any decisions regarding the processing of Insights data or the storage duration of cookies on users’ devices.

Further information can be found directly on Instagram (Supplemental Agreement with Facebook).

Further information, including details on the exact scope and purposes of the processing of your personal data, the storage period/deletion, and guidelines on the use of cookies and similar technologies in connection with registration and use, can be found in Instagram’s Privacy Policy/Cookie Policy (Note: clicking on the link below will take you to the Facebook social network website): https://help.instagram.com/519522125107875/?helpref=uf_share

This information can also be viewed in the help section of the Instagram website via the following link: https://help.instagram.com/581066165581870

Any person depicted, as well as other third parties, has the right to object to the publication of their personal data (photos) at any time. We have set up the email address widerruf@ahorn-hotels.de for this purpose. The right to object applies in particular to the future publication of images.

It may occasionally happen that we inadvertently publish images of people without their consent. If publication is not desired, we will take immediate action to comply with your rights. In the case of group photos, we reserve the right to blur faces.

YouTube Video

We have integrated YouTube Video into our website. YouTube Video is a component of the video platform operated by YouTube, LLC, on which users can upload content, share it via the internet and receive detailed statistics.

YouTube Video enables us to integrate content from the platform into our website.

YouTube Video uses cookies and other browser technologies to analyse user behaviour, recognise users and create user profiles. This information, such as IP address, device information, referrer URL, videos viewed, IP address, information about the device used and videos viewed, is used, amongst other things, to analyse the activity of the content accessed and to generate reports. If a user is registered with YouTube, LLC, YouTube Video can associate the videos played with the user’s profile.

When you access this content, you establish a connection to the servers of YouTube, LLC, Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, whereby your IP address and, where applicable, browser data such as your user agent are transmitted.

Use of the service is based on your consent in accordance with Article 6(1)(a) of the GDPR in conjunction with Section 25 of the TTDSG for the purpose of embedding and displaying promotional videos on our websites and analysing video views. You give your consent by accepting the use of cookies (cookie banner / consent manager), through which you may also withdraw your consent at any time with future effect in accordance with Article 7(3) of the GDPR.

We have no influence over the specific storage period of the processed data; this is determined by YouTube, LLC. Further information can be found in the privacy policy for YouTube Video.

The “LinkedIn button” is used on this website. When you visit this website, your browser establishes a connection to the servers of LinkedIn Corporation, 2029 Stierlin Court, Mountain View, CA 94043, USA (hereinafter referred to as “LinkedIn”).

LinkedIn is a social network that enables the creation of personal and professional profiles for individuals and company profiles. Users can maintain their existing contacts and make new ones within the social network. Companies and other organisations can create profiles to which photos and other company information can be uploaded in order to present themselves as employers and recruit staff. Other LinkedIn users have access to this information and can write their own posts and share this content with others. The network focuses on professional exchange on specialist topics with people who share the same professional interests.

When using or visiting the network, LinkedIn automatically collects data from users or visitors during their visit, such as username, job title and IP address. This is done using various tracking technologies. LinkedIn provides users with information, offers and recommendations based, amongst other things, on the data collected in this way.

We collect your data via our company profile solely to facilitate communication and interaction with us. This collection generally includes your name, message content, comment content and the profile information you have made ‘public’.

As the actual data processing is carried out by the social network provider, our access to your data is limited. Only the social network provider is authorised to have full access to your data. Consequently, only the provider can directly take and implement appropriate measures to fulfil your user rights (requests for information, requests for erasure, objections, etc.). The most effective way to exercise these rights is therefore to contact the relevant provider directly.

We are jointly responsible with LinkedIn for the personal data contained in our company profile. Data subjects’ rights may be exercised with LinkedIn Inc. as well as with us.

We do not make any decisions regarding the data collected on the LinkedIn site using tracking technologies.

Further information on LinkedIn can be found at: https://about.linkedin.com.

Further information on data protection at LinkedIn can be found at: https://www.linkedin.com/legal/privacy-policy.

Further information on storage periods/deletion, as well as guidelines on the use of cookies and similar technologies in connection with registration and use on LinkedIn, can be found at: https://de.linkedin.com/legal/cookie-policy?trk=homepage-basic_footer-cookie-policy.

Xing

The “XING Button” is used on this website. When you visit this website, your browser establishes a connection to the servers of XING SE, Dammtorstraße 30, 20354 Hamburg, Germany (“XING”).

XING is a social network that enables the creation of personal and professional profiles for individuals and company profiles. Users can maintain their existing contacts and make new ones within the social network. Companies and other organisations can create profiles to which photos and other company information can be uploaded in order to present themselves as employers and recruit staff. Other XING users have access to this information and can write their own articles and share this content with others. The network focuses on professional exchanges on specialist topics with people who share the same professional interests.

When using or visiting the network, XING or third parties engaged by XING automatically collect data from users or visitors during their use or visit, such as username, job title and IP address. This is done using various tracking technologies. XING provides users with information, offers and recommendations based, among other things, on the data collected in this way.

We are jointly responsible with XING for the personal data contained in our company profile. Data subjects’ rights may be exercised with New Work SE as well as with us.

We do not make any decisions regarding the data collected on the XING site using tracking technologies.

Further information on XING can be found at: https://corporate.xing.com/de/unternehmen.

Further information on data protection at XING can be found at: https://privacy.xing.com/de/datenschutzerklaerung.

THE HOTELS NETWORK

We have integrated THE HOTELS NETWORK into our website. THE HOTELS NETWORK is a service provided by THE HOTELS NETWORK, S.L., Av. Diagonal, 439, 3º-1ª, 08036 Barcelona, Spain. We use THE HOTELS NETWORK to take bookings and measure their performance.

THE HOTELS NETWORK uses cookies and other browser technologies to analyse user behaviour, recognise users and increase direct bookings. This information is used, amongst other things, to compile reports on website activity.

Furthermore, THE HOTELS NETWORK enables us to complete direct bookings via our website.

Your IP address and other identifying characteristics, such as your user agent, are transmitted to the provider.

The use of THE HOTELS NETWORK is based on your consent in accordance with Article 6(1)(a) of the GDPR and Section 25(1) of the TDDDG.

We have no influence over the specific retention period of the processed data; this is determined by THE HOTELS NETWORK, S.L. Further information can be found in the privacy policy for THE HOTELS NETWORK.

Protection of minors

This service is primarily aimed at adults. We do not currently market any specific sections for children. Consequently, we do not knowingly collect information to determine age, nor do we knowingly collect personal data from children under the age of 16. However, we advise all visitors to our website under the age of 16 not to disclose or provide any personal data via our service. Should we discover that a child under the age of 16 has provided us with personal data, we will delete the child’s personal data from our records, insofar as this is technically possible.

Rights of the data subject

If your personal data is processed, you are a data subject within the meaning of the GDPR and you have the following rights vis-à-vis the controller:

You have the right to obtain information about the personal data stored about you, the purposes of the processing, any transfers to other bodies and the duration of storage.
If data is inaccurate or no longer necessary for the purposes for which it was collected, you may request rectification, erasure or restriction of processing. Where provided for in the processing procedures, you may also view your data yourself and correct it if necessary.
If there are reasons arising from your particular personal circumstances that militate against the processing of your personal data, you may object to such processing, provided that the processing is based on a legitimate interest. The controller will no longer process your personal data unless they can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves to establish, exercise or defend legal claims.
If your personal data is processed for the purposes of direct marketing, you have the right to object at any time to the processing of your personal data for the purposes of such marketing; this also applies to profiling insofar as it is related to such direct marketing. If you object to processing for the purposes of direct marketing or profiling, the personal data concerning you will no longer be processed for these purposes.
You have the right to withdraw your consent under data protection law at any time. Withdrawal of consent does not affect the lawfulness of processing carried out on the basis of consent prior to withdrawal.

If you have any questions regarding your rights or how to exercise them, please contact:

AHORN Head Office

Data Protection Officer

AHORN Management GmbH

Tauentzienstr. 11

D-10789 Berlin

Germany

Email: info@ahorn-hotels.de

DataSolution LUD GmbH

Isarstr. 13

D-14974 Ludwigsfelde

Germany

Email: mail@hoteldatenschutz.de

Right to lodge a complaint with a supervisory authority

As a data subject, without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a data protection supervisory authority, in particular in the Member State of your habitual residence or in the Member State where the alleged infringement occurred, if you consider that the processing of personal data relating to you infringes data protection law.

The supervisory authority to which the complaint is lodged shall inform you of the progress and outcome of your complaint, including the possibility of a judicial remedy.

Further information can be found on the website of the Federal Commissioner for Data Protection and Freedom of Information. Follow the link.

Safety

AHORN Hotels & Resorts implements technical and organisational security measures in accordance with Article 32 of the GDPR to protect the data we manage against accidental or deliberate manipulation, loss, destruction or access by unauthorised persons. Our security measures are continuously improved in line with technological developments. Access to this data is restricted to a small number of authorised persons who are bound by special data protection obligations and who are involved in the technical, administrative or editorial management of data.

Updates and changes

We reserve the right to amend, update or supplement this privacy policy at any time. Any revised information regarding data processing applies only to personal data collected or amended after the changes come into effect.

Date | June 2025

Information on data processing in accordance with Articles 13 and 14 of the GDPR

Name and address of the data controller

General information on data processing

Collection, processing and use of personal data at AHORN Hotels &amp; Resorts

Processing of personal data of domestic guests during online check-in

Your stay at the hotel

Online booking via the website

Online booking via other websites

Sending emails before arrival

Contact form/Email contact

Table booking

Booking wellness treatments

Purchasing a voucher via the website

Newsletter service

Publication of information and images relating to events

Support, advice and marketing for corporate clients

Online review

Your online application

Sharing your data with a credit reference agency

Hosting of the website and creation of log files

Use of cookies

Cookie consent with CCM19 Cookie

Facebook Pixel

TikTok Pixel

Spotify Pixel

HolidayCheck Tracking

Use of Microsoft services

Use of Google services

Use of social media plugins

THE HOTELS NETWORK

Protection of minors

Rights of the data subject

Right to lodge a complaint with a supervisory authority

Safety

Updates and changes

Collection, processing and use of personal data at AHORN Hotels & Resorts