DATA PROTECTION NOTICE

DATA PROTECTION NOTICE

Last updated: June 2021


In the following, the companies of the VILA VITA Group

  • VILA VITA Hotel und Touristik GmbH, Wilhelm-Leuschner-Straße 24, 60329 Frankfurt am Main, Germany,
  • VILA VITA Marburg GmbH, Anneliese Pohl Allee 17, 35037 Marburg, Germany, and
  • Congresszentrum Marburg GmbH & Co. KG, Anneliese Pohl Allee 3, 35037 Marburg, Germany

would like to inform you about the processing of your personal data

  • when visiting our websites or using our other online services,
  • in the context of your stay in one of our hotels or the provision of our services,
  • as a job applicant and
  • as a service provider or supplier.

The controller within the meaning of Article 4 (7) GDPR (General Data Protection Regulation) is the respective company of the VILA VITA Group,

  • whose website or online service you are visiting or using (the respective controller is indicated in the imprint of the website or online service) and
  • with whom you make an enquiry, a reservation or a booking and have or would like to enter into a contractual relationship for the provision of accommodation and/or catering services. You can find the name of the controller for the service you have used on your invoice, receipt, reservation, booking confirmation, etc.

The companies of the VILA VITA Group work closely together in a variety of activities and services. This also applies to the processing of your personal data. The companies of the VILA VITA Group have therefore concluded an agreement on joint responsibility in accordance with Article 26 GDPR. In it, the parties have agreed who fulfils which obligations under the GDPR. This concerns in particular the fulfilment of the rights of data subjects. Joint responsibility exists on the one hand in the joint processing of customer or guest data to improve our services and on the other, in the areas of guest and customer relations management, for example in the case of bookings or reservations in our hotels and restaurants. Thus, in case of full occupancy, we can offer you alternatives in another hotel or restaurant of the VILA VITA Group or link services, such as joint invoicing. There is also joint responsibility between the parties in the areas of (online) marketing, IT infrastructure and facilities and financial accounting. VILA VITA Marburg GmbH, Anneliese Pohl Allee 17, 35037 Marburg, Germany, has been designated by the VILA VITA Group as the primary controller, in particular for the fulfilment of the rights of data subjects. This does not affect the assertion of your rights against the other companies of the VILA VITA Group.

You can also reach our data protection officer at the above addresses – making sure your correspondence is addressed to “Data Protection Officer” – or at datenschutz@vilavitahotels.com.

2.1.   Relevant legal bases for data processing

If the legal basis is not expressly stated in this Data Protection Notice, the following legal bases apply: 

  • If we have obtained your consent for data processing, Article 6 (1) (a) and Article 7 GDPR serve as the legal basis for data processing. If data processing takes place for the fulfilment of our services and the implementation of contractual measures and to respond to enquiries, Article 6 (1) (b) GDPR is the legal basis for the data processing. If data processing serves to fulfil a legal obligation, Article 6 (1) (c) GDPR is the legal basis. Examples of this are the fulfilment of storage periods under commercial law or the fulfilment of tax (archiving) obligations. 
  • If the processing of personal data is necessary to protect the legitimate interests of our company or a third party, Article 6 (1) (f) GDPR serves as the legal basis. Legitimate interests particularly include the guaranteeing of IT security and IT operation, the assertion of legal claims and defence in legal disputes, the creation of user statistics, advertising for our own services and products of the companies of the VILA VITA Group, as well as market and opinion research by the aforementioned, provided that direct advertising has not been objected to.
  • The companies of the VILA VITA Group are obliged to comply with EU data privacy regulations and to take appropriate measures to ensure data security when exchanging data with each other, as per their Inter-Group Agreement. In addition, the Inter-Group Agreement essentially stipulates that the companies of the VILA VITA Group cooperate and mutually exchange data equally – in particular in the areas of advertising and marketing – in the process adhering to data subjects’ rights (their rights as data subjects, their right to information etc.). It also stipulates that VILA VITA,  with its registered office in Marburg, Germany, is primarily responsible for this.
     

2.2.   Your rights

You have the right

  • of access in accordance with Article 15 GDPR, 
  • to rectification in accordance with Article 16 GDPR, 
  • to erasure in accordance with Article 17 GDPR,
  • to restriction of processing in accordance with Article 18 GDPR and
  • to data transfer in accordance with Article 20 GDPR.

The restrictions of sections 34 and 35 BDSG (the German Federal Data Protection Act) apply to the rights of access and the right to erasure. 

In addition, you have the right to lodge a complaint with a data protection supervisory authority in accordance with Article 77 GDPR pursuant to section 19 BDSG.

You can withdraw your consent to the processing of your personal data at any time with future effect.
 

2.3. Duration of storage

Where not otherwise stated in this Data Protection Notice, personal data will only be stored for as long as is necessary to fulfil the relevant purpose, or to fulfil our contractual or legal obligations. We are subject to various storage and documentation obligations. These result in particular from the German Handelsgesetzbuch (Commercial Code), the Abgabenordnung (Fiscal Code), the Geldwäschegesetz (Money Laundering Act) and the Meldegesetz (Registration Act). The periods stipulated in these cases may be up to 10 years.

2.4. Transfer of personal data

If we transfer personal data to other persons or companies, this will only be done on the basis of your consent, legal permission, a legal obligation (for example to public bodies and institutions such as supervisory or financial authorities) or an agreement on order processing in accordance with Article 28 GDPR. Further recipient categories can be found in this Data Protection Notice.

2.5.  Transfer of data to third countries

Personal data is only processed outside the European Economic Area if a third country has been confirmed by the European Commission as having an adequate level of data protection pursuant to Article 44 et seqq. GDPR or other appropriate guarantees for the protection of personal data are in place.

2.6.   Automated decision making

Your data is partially automatically processed in order to evaluate certain personal aspects (profiling), for marketing and advertising purposes and to send you personalised advertising by email or post.

Legal and regulatory provisions for combating money laundering, the financing of terrorism and financial crime are also binding for us. Data analyses are also carried out within this context.

3.1. Online services

For the purposes of this Data Protection Notice, “online services” means all 

  • websites,
  • software applications (apps) and
  • social media sites

that are operated by us or for which we are responsible and from which you access this Data Protection Notice.

3.2. Cookies

Our online services make use of cookies, which are small text files that are stored on the user’s terminal device. In addition to so-called session cookies, which are automatically deleted as soon as you log out or close the browser, so-called permanent cookies that recognise a returning user are also used. These cookies are automatically deleted after a specified period of time.
It is always possible to object to the storage of cookies by making the appropriate setting changes in your internet browser. You can delete cookies that have already been stored at any time. If you deactivate cookies, you may not be able to use all the functions of our website fully. Some cookies are necessary for the operation of a website, for example, for shopping baskets in the online shop or to save logins or user settings. Some cookies are also used for security purposes. The legal basis for storing these so-called essential or absolutely necessary cookies is the protection of the aforementioned legitimate interests in accordance with Article 6 (1) (f) GDPR. 
In addition, there are statistics, marketing and personalisation cookies. These are used, for example, to measure reach or to display personalised content that corresponds to the potential interests of a user. If we use statistical, marketing and personalisation cookies, we will inform you about this when you access our website and in this Data Protection Notice. The legal basis is your consent in accordance with Article 6 (1) (a) GDPR. 
 

3.3. Collection of general data and creation of log data

When our online services are accessed, general data and information are automatically collected and stored in a server log. The following data may be collected:

  • Information on the browser type and version
  • Information on the user’s operating system
  • Information on the user’s service provider
  • The internet protocol (IP) address of the user or the calling system
  • Date and time of access
  • The site you reached us from (referrer URL)
  • Websites accessed by the user’s system via our website

The processing of this data is used for the provision of our website, to ensure the functionality of our information technology systems and to optimise our website. We statistically evaluate this data and information, which is always collected anonymously, with the aim of ensuring data protection and data security. The data of the log files is always stored separately from other personal data that may be collected and is generally not disclosed to third parties. The erasure of the data takes place automatically after the expiry of the deadline. The legal basis for the temporary processing of the data is the protection of the aforementioned legitimate interests pursuant to Article 6 (1) (f) GDPR.
 

3.4. Contact form and email contact

Some of our websites provide a contact form and an e-mail address that enables you to contact us electronically. If you use one of these options to contact us, the personal data you send us will be automatically stored. The storage and further processing of this data is solely for the purpose of processing your contact request and subsequently contacting you. Data will never be disclosed to third parties outside the VILA VITA Group. The data forwarded by you will be erased after completion of the process, provided that its erasure is not subject to any contractual or legal storage periods. In such a case, the data for which storage is required will be erased after expiry of the storage period. The legal basis for the processing of this data is Article 6 (1) (f) GDPR.

3.5. Newsletter and email advertising

Our newsletter provides information about current products, offers, events and news of the VILA VITA Group (VILA VITA Hotel & Touristik GmbH, VILA VITA Marburg GmbH, Congresszentrum Marburg GmbH & Co. KG). To subscribe, it is generally sufficient to enter your email address. Providing further data is voluntary. If you have subscribed to our newsletter, we will use your email address and, where appropriate, any other data you have voluntarily provided to send the newsletter. If you successfully subscribe to the newsletter, we store the date of your registration and, in the case of registration via a website, also your IP address. This storage serves as proof in the event that a third party makes fraudulent use of an email address and subscribes to the newsletter without the knowledge of the authorised person. The newsletter is sent on the basis of your consent in accordance with Article 6 (1) (a) GDPR. If consent is not required to advertise our own similar goods or services, this is done on the basis of legitimate interests in accordance with Article 6 (1) (f) GDPR in advertising our goods and services, provided that this is legally permitted – for example in the case of advertising to existing customers – and you have not objected to this. We also store the data collected in the subscription process on the basis of legitimate interests in order to, where appropriate, be able to prove your consent if necessary. You can cancel your newsletter subscription at any time by clicking on the unsubscribe link found in each newsletter. Alternatively, you can also contact us directly at the above-mentioned postal or email address. Upon termination, we may store the unsubscribed email addresses for up to three years in order to be able to prove any consent previously given. 

In order to continuously optimise our newsletter and to be able to offer you a user-oriented and secure newsletter, we evaluate individual user activities. We measure how often the newsletter is opened and which links users click on. For this purpose, the newsletter contains a so-called “web beacon”; a file that is retrieved from our server once the newsletter has been opened. This initially collects technical information (for example browser type, operating system, time of retrieval). Whether and when a newsletter was opened and which links were clicked on can also be determined. This information helps us to recognise the usage and reading habits as well as interests of our subscribers in order to adapt content and improve the user experience. The evaluation is based on your consent as well as on our legitimate interests in providing a user-friendly and informative newsletter. 

 

3.5. Analysis and targeting tools, optimisation of our online services and online marketing

3.6.1. Google Analytics

We use the analysis tool Google Analytics, a web analysis service of Google LLC, 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, USA. Web analytics involves the collection, collation and analysis of information about the behaviour of website users. This includes for example information about which site you reached us from, the sub-pages you accessed and the length of time spent on those sub-pages. Cookies are used for this purpose. Cookies are text files that are placed and stored on a computer system via an internet browser. The information collected by the cookie is transmitted to a Google Inc. server in the USA. In addition to information on website usage, this also includes your IP address. However, we use Google Analytics with the, “AnonymizeIP” add-on. This means that your IP address will be truncated and anonymised by Google if you access our site within Member States of the European Union or in other contracting states of the Agreement on the European Economic Area. The transmitted IP address will also not be merged with other Google data. The purpose of the data processing is the evaluation of visitor flows and website usage by visitors in order to design and improve our website in line with requirements. Google creates online reports on our behalf for this purpose. We use the information obtained from this to optimise our website. The legal basis for data processing is your consent in accordance with Article 6 (1) (a) GDPR. If consent is not obtained, processing is based on the legitimate interests described above in accordance with Article 6 (1) (f) GDPR.

The applicable terms of service and terms of use of Google Analytics can be found at https://marketingplatform.google.com/about/analytics/terms/us/ and https://policies.google.com/?hl=en.
You can also prevent the placement of cookies by our site by making the appropriate setting changes in your internet browser, in doing so permanently objecting to the placement of cookies. In addition, the cookies already stored by Google can be deleted at any time using an internet browser or other software programmes.

Furthermore, you have the option of objecting to and preventing the collection of the data generated by the cookie and related to the use of this site, as well as to the processing of this data by Google. To do this, you must download and install a browser add-on. You can download it here: https://tools.google.com/dlpage/gaoptout?hl=en. The add-on will prevent your data from being collected and processed in the future.

3.6.2. Google marketing services

We use marketing and remarketing services provided by Google Inc, 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, USA. Google’s marketing services (including Google Adwords, Google Conversion Tracking, Google Optimize and Google Double Click) allow us to display more targeted ads, for example to show users on our website or on other websites with only those advertisements that potentially match their interests. 
If you access an online service that uses Google’s marketing services, a cookie will be stored on your terminal device, through which cookies from various domains can be set (including google.com, doubleclick.net, etc.). The stored cookie saves which websites you have visited, which content you were interested in and which offers you clicked on. In addition, technical details about the browser and operating system, referring websites, the duration of the visit and other details about the use of the online offer are collected. Your IP address will also be collected, but will be truncated within Member States of the European Union or in other contracting states of the Agreement on the European Economic Area. Only in exceptional cases will it be transferred in full to a Google server in the USA and truncated there. The IP address will not be merged with other data from other Google services. Google may combine the aforementioned information with such information from other sources. If you subsequently visit other websites, ads tailored to your interests may be displayed in this way. User data is processed in pseudonymised form as part of Google’s marketing services, i.e. without storing and processing the name or email address of the user. This does not apply if a user has expressly allowed Google to process the data without pseudonymisation. The information collected about users by Google’s marketing services is transmitted to Google and stored on Google’s servers in the USA.  
The Google marketing services we use include, among other things, the online advertising programme Google AdWords. Every AdWords customer receives a so-called conversion cookie. The information obtained with the help of the cookie is used to create conversion statistics for AdWords customers who have opted for conversion tracking. AdWords customers are informed of the total number of users who have clicked on their ad and have been redirected to a site equipped with a conversion tracking tag. However, they do not receive any information with which users can be personally identified. 
The legal basis for data processing is your consent in accordance with Article 6 (1) (a) GDPR. If consent is not obtained, processing is based on the legitimate interests described above in accordance with Article 6 (1) (f) GDPR.

The applicable terms of service and terms of use of Google Marketing Services can be found at policies.google.com/technologies/ads.

You can prevent the storage of cookies by our site at any time by making the appropriate setting changes in your internet browser, in doing so permanently objecting to the storage of cookies. In addition, cookies already placed by Google can be deleted at any time via an internet browser or other software programmes. 
If you wish to object to targeted advertising by Google’s marketing services, you can use the options provided by Google at www.google.com/ads/preferences.
 

3.7. Plugins and embedded functions and content from third-party providers

Some of our online services use services and content from third-party providers. This applies in particular to so-called “social plugins”, videos or fonts. This content is obtained directly from the server of the respective third-party provider either when you access our online service or pending your consent (for example by separately activating a plug-in). Your IP address is also transmitted in the process. If this doesn’t happen, the third-party provider cannot deliver the content to your browser or offer the desired function. 

If we ask for your consent to activate embedded functions and content, the legal basis is your consent in accordance with Article 6 (1) (a) GDPR. Otherwise, the data is processed on the basis of our legitimate interests in providing and disseminating our content and a user-friendly as well as optimal user experience in accordance with Article 6 (1) (f) GDPR. We may, where appropriate, use the following services or service providers with embedded functions and content:

 

3.8. Presence in social networks

Some companies of the VILA VITA Group use social networks to make direct contact with customers. The possibility of also getting in contact with customers via social networks and providing a corresponding platform for this purpose is a legitimate interest in accordance with Article 6 (1) (f) GDPR. If you visit our sites, your data will also be processed by the respective social network, where appropriate also outside the European Union, for example in the USA. The respective social network is responsible for this processing and for the processing operations that go beyond it, such as the analysis of user behaviour by social networks. The companies of the VILA VITA Group have no influence on this. The VILA VITA companies are represented on the following social networks:

3.9. Booking rooms online

We offer you the possibility of booking rooms online. For this purpose, the data required for the reservation as well as for the further initiation and conclusion of the contract are collected, in particular your name, the names of any accompanying persons, address, telephone number and email address, booking or travel dates, as well as details of the selected payment method. The data that you need to provide in order to make the booking is marked accordingly and all other data is voluntary. Your online booking is made via the online reservation system TravelClick, Inc, address: 7 Times Square, 38th Floor, New York, USA. All of the booking data that you enter is transmitted in encrypted form. More information on the processing of your data by TravelClick can be found at: https://www.travelclick.com/legal/privacy-policy/. After completing the booking, you will receive a booking confirmation at the email address you provided. The legal basis for the processing of your data is Article 6 (1) (b) GDPR. We store your address, payment and booking data for a period of 10 years due to the commercial and tax regulations incumbent upon us. 

3.10. Online restaurant and bar reservations

If you would like to reserve a table online in one of our restaurants or bars, we require details from you on the date, time, number of persons as well as your name and, if applicable, your email address or telephone number. For this purpose, we use the online reservation system Reservision, a service provided by RESERViSiON GmbH, Seestr. 29, 64354 Reinheim, Germany. Your details will be stored and processed for the purpose of processing your enquiry or reservation. The legal basis is Article 6 (1) (b) GDPR. Your reservation data will be erased upon cancellation of the reservation or on the day following the reservation, unless we still need your data for billing and other questions in the follow-up to your reservation. In order to be able to respond to future enquiries from you – or in the case of future reservations, to your individual requests – we store certain data about your visit or your requests, provided you have given your consent. The legal basis for data processing is your consent in accordance with Article 6 (1) (a) GDPR. If consent is not obtained, processing is based on the legitimate interests described above in accordance with Article 6 (1) (f) GDPR.

3.11. Online and voucher shop

If you use our online or voucher shop, we process the data you provide for the purpose of processing your order, its payment and delivery. We use your data to update you on the delivery status or in case of problems with the delivery. If necessary, we use service providers, in particular postal and shipping companies, for order processing and delivery. We also use your data to process complaints and product warranty claims and, if necessary for an order, to determine whether you are of legal minimum age to make the purchase. We use various online services from banks and payment service providers to process payments. The data required for the order processing, delivery and payment processing is marked accordingly. The legal basis is the performance of the contract or the implementation of pre-contractual measures in accordance with Article 6 (1) (b) GDPR. 
 

4.1.    Processing purposes and legal bases

In the context of your stay in one of our hotels or the provision of our services, we process your data for the following purposes: 

  • Booking and guest registration – the legal basis being the performance of the contract or the implementation of pre-contractual measures in accordance with Article 6 (1) (b) GDPR – with the booking guest and, where appropriate, any other accompanying persons.
  • Accommodation and related on-site services, such as check-in and check-out, personalised services including consultation on these, bookings/reservations on behalf of the guest with third parties (tours, excursions, reservations, taxi and shuttle services, etc.), room service (for example intolerances communicated by the guest, etc.), housekeeping (for example expressed preferences regarding amenities such as requested pillows, duvets, etc.) and the handling of complaints, requests and enquiries. The legal bases for this are the performance of the contract or the implementation of pre-contractual measures in accordance with Article 6 (1) (b) GDPR, legitimate interests in accordance with Article 6 (1) (f) GDPR, in particular the fulfilment of guest requests and preferences.
  • The provision of information and entertainment systems in the hotel and in the guest room (for example Wi-Fi, TV, infotainment systems, AppleTV, game consoles). The legal bases for this are the performance of the contract or the implementation of pre-contractual measures in accordance with Article 6 (1) (b) GDPR and legitimate interests in accordance with Article 6 (1) (f) GDPR, in particular ensuring the functionality of our information technology systems, secure processing and IT security and the prevention and investigation of criminal offences
  • Providing consultation about and implementing the spa and wellness offers you may have booked (such as the making of appointments and the recording of restrictions and intolerances for a safe and customer-oriented service provision or treatment), creating treatment documentation, providing defence in legal disputes, providing personalised consultation and offer preparation, and processing complaints, requests and enquiries. The legal bases for this are the performance of the contract or the implementation of pre-contractual measures in accordance with Article 6 (1) (b) GDPR, legitimate interests in accordance with Article 6 (1) (f) GDPR (in particular in customer-oriented consultation and treatment and for defence in legal disputes) as well as the consent of the guest in accordance with Article 6 (1) (a) GDPR and, insofar as special categories of data are processed, in accordance with Article 9 (2) (a) GDPR. 
  • Marketing campaigns, customer relationship management and bonus programmes and comparable campaigns of the VILA VITA Group, for example sending information about products, offers and services of the VILA VITA Group that may be of interest to the guest, including personalised advertising, personalised services and benefits based on the preferences communicated by the guest. The legal basis is consent in accordance with Article 6 (1) (a) GDPR, legitimate interests in accordance with Article 6 (1) (f) GDPR, in particular in a customer-oriented service.
  • The planning and implementation of events and conferences – in particular support in the organisation, coordination, invitation, communication and accommodation of guests or attendees and the processing of enquiries and complaints – the provision, organisation and coordination of media technology and invoicing. Legal bases are the performance of the contract or the implementation of pre-contractual measures in accordance with Article 6 (1) (b) GDPR, insofar as the data of guests/attendees must be processed within the scope of legal obligations, Article 6 (1) (c) GDPR, and legitimate interests in accordance with Article 6 (1) (f) GDPR – in particular in a safe and customer-oriented event/event implementation. 
  • The fulfilment of legal requirements pursuant to Article 6 (1) (c) GDPR, such as in particular the fulfilment of reporting obligations in accordance with the German Bundesmeldegesetz (Federal Registration Act, BMG) (sections 29, 30 BMG), the fulfilment of contractual or legal storage obligations, for example in accordance with the German Handelsgesetzbuch (Commercial Code, HGB) or the Abgabenordnung (Fiscal Code, AO) (section 257 HGB, § 147 AO).

4.2. Type of data

We process different types of personal data to fulfil the respective purposes. In particular: 

  • Personal master data
  • Data on accompanying persons/family members
  • Address and contact details
  • Details on guest preferences and requests
  • Credit and debit card numbers, bank account details and other payment data
  • Passport, identity card and other identification data
  • Booking and reservation data
  • Travel data and data on itineraries and activities
  • Treatment information and documentation in the spa & wellness area
  • Contract master data/contract billing data and payment data
  • Photographs and video data

4.3.    Data transfer to payment service providers 

In connection with the processing of orders and bookings, we transfer personal data to service providers who support us with this processing. This applies in particular to providers of credit card billing services, insofar as the transfer of data is necessary to process the payment. In this respect, we collaborate with the company SIX Payment Services (Germany) GmbH, Global Data Protection Support, Langenhorner Chaussee 92-94, 22415 Hamburg, Germany. You can view the company’s privacy statement at https://www.six-payment-services.com/en/home.html. Where applicable, individual online services offer the possibility of using the online payment service of PayPal (Europe) S.à.r.l. & Cie. S.C.A., 22-24 Boulevard Royal, 2449 Luxembourg. If you choose PayPal as your payment method, the data required for the payment process will automatically be transferred to PayPal. Under certain circumstances, PayPal may transfer data to credit agencies for the purpose of checking your identity and creditworthiness. Further information on data processing by PayPal can be found here: https://www.paypal.com/uk/webapps/mpp/ua/privacy-full. If you use Apple Pay, Apple Distribution International (Apple), Hollyhill Industrial Estate, Hollyhill, Cork, Ireland, payment is made via the “Apple Pay” function of your iOS terminal device (for example iOS, watchOS, macOS) and by charging the payment card deposited with Apple Pay. For the purpose of payment processing, the information you provide during the payment or ordering process, including information about your order, is disclosed to Apple in encrypted form. Further information on data processing by Apple and data protection can be found at: https://support.apple.com/en-gb/HT203027
The legal basis for the above processing activities is Article 6 (1) (b) GDPR.

4.4. Disclosure of personal data

In certain cases, we also disclose personal data to third parties, but only if you have consented, if there is a legal basis for the disclosure or if we are legally obliged to do so. Recipients may in particular be other companies within the VILA VITA Group, for example in order to make bookings and reservations, to plan and hold events, to process enquiries and complaints or to invoice services provided by us. Furthermore, we also pass on personal data to external service providers, in particular in the context of the provision of IT systems and services, payment and order processing or event organisation. To the extent that we are legally required or in the context of law enforcement, we also disclose personal data to public authorities. 
 

The VILA VITA Group, 

  • VILA VITA Hotel und Touristik GmbH, Wilhelm-Leuschner-Strasse 24, 60329 Frankfurt am Main, Germany,
  • VILA VITA Marburg GmbH, Anneliese Pohl Allee 17, 35037 Marburg, Germany, and
  • Congresszentrum Marburg GmbH & Co. KG, Anneliese Pohl Allee 3, 35037 Marburg, Germany,
    is pleased that you are interested in a position with one of our companies. We would like to inform you below about the processing of your personal data in connection with your application.  

5.1. Controller 

The controller within the meaning of Article 4 (7) GDPR is the respective company of the VILA VITA Group, which is indicated in the respective job advertisement. 

You can also reach our data protection officer at the address given in the job advertisement – making sure your correspondence is addressed to “Data Protection Officer” – or at datenschutz@vilavitahotels.com.

5.2. Processing purposes and legal bases

The data you provide as part of your application will be processed solely for the purpose of selecting job applicants or for the application process. This is particularly true in the case of checking your suitability for the advertised position or, if applicable, for other vacancies within the company or the VILA VITA Group. We use the data you have provided us with for this purpose. This may also include information that you make available in professional online networks or job boards. 

We will only disclose your job applicant data to other companies in the VILA VITA Group if you have expressly consented to this.

The legal basis for data processing is Article 6 (1) (b) GDPR and section 26 of the German Bundesdatenschutzgesetz (Federal Data Protection Act, BDSG). Should data be required for legal defence after completion of the application process, this data processing is based on legitimate interests in accordance with Article 6 (1) (f) GDPR. Our legitimate interest in the further processing is then the assertion of or defence against claims.

5.3. Type of data

We only process the data you provide us with, usually:

  • Personal master data
  • Address and contact details
  • CV, professional background and other details from the application
  • Training and qualification data
  • Photographs and video data

In the course of the application process, further data may be added, for example from interviews or from generally accessible sources such as professional online networks or former employers. In certain cases, for example for management positions, we may conduct assessments or potential analyses. 

5.4. Duration of storage

Applicant data will be erased six months after completion of the application process, unless there is a legal reason for erasure or you have expressly consented to longer storage. 

If we conclude an employment contract with you, we will store your application documents in your personnel file or in our personnel information system for the purpose of implementing the employment relationship on the basis of Article 6 (1) (b) GDPR and section 26 BDSG.  

5.5. Disclosure of personal data

As a matter of principle, only persons who need this data to carry out the application process will have access to your data. This includes employees of the HR department. They will view and process your application as soon as they receive it. In addition, department heads for the vacant position will have access to your application data.

5.6. Location of data processing

Application data is generally processed in data centres within the Federal Republic of Germany or the European Economic Area (EEA). Should data be processed outside the EEA, this will only be done if a third country has been confirmed by the European Commission as having an adequate level of data protection pursuant to Article 44 et seqq. GDPR or other appropriate guarantees for the protection of personal data are in place.

5.7. Your rights

You have the right

  • of access in accordance with Article 15 GDPR, 
  • to rectification in accordance with Article 16 GDPR, 
  • to erasure in accordance with Article 17 GDPR,
  • to restriction of processing in accordance with Article 18 GDPR and
  • to data transfer in accordance with Article 20 GDPR.

The restrictions of sections 34 and 35 BDSG apply to the rights of access and the right to erasure. 

In addition, you have the right to lodge a complaint with a data protection supervisory authority in accordance with Article 77 GDPR pursuant to section 19 BDSG.

You can withdraw your consent to the processing of your personal data at any time with future effect.

5.8. Automated decision making

An automated individual case decision will be not be made in connection with your application. 
 

With the following Data Protection Notice, we would like to inform you about the processing of your personal data pursuant to Article 13 of the General Data Protection Regulation if you are a service provider or supplier in a business relationship with a company of the VILA VITA Group

  • VILA VITA Hotel und Touristik GmbH, Wilhelm-Leuschner-Strasse 24, 60329 Frankfurt am Main, Germany,
  • VILA VITA Marburg GmbH, Anneliese Pohl Allee 17, 35037 Marburg, Germany,
  • Congresszentrum Marburg GmbH & Co. KG, Anneliese Pohl Allee 3, 35037 Marburg, Germany

6.1. Controller

The controller within the meaning of Article 4 (7) GDPR is the respective company of the VILA VITA Group, 

  • whose website or online service you are visiting or using. The respective controller is indicated in the imprint of the respective website or online service. 
  • with whom you have or would like to enter into a contractual relationship. The name of the controller can be found on the invitation to tender, the order or order confirmation, the contract documents or the invoice.

The companies of the VILA VITA Group work closely together in purchasing and procurement. This applies to the processing of personal data in these areas as well as in financial accounting or bookkeeping and the joint IT infrastructure and IT facilities. The companies of the VILA VITA Group have therefore concluded an agreement on joint responsibility in accordance with Article 26 GDPR. In it, the parties have agreed who fulfils which obligations under the GDPR. This concerns in particular the fulfilment of the rights of the data subjects. VILA VITA Marburg GmbH, Anneliese Pohl Allee 17, 35037 Marburg, Germany, has been designated by the VILA VITA Group as the controller, in particular for the fulfilment of the rights of data subjects. This does not affect the assertion of your rights against the other companies of the VILA VITA Group.

You can also reach our data protection officer at the above addresses – making sure your correspondence is addressed to “Data Protection Officer” – or at datenschutz@vilavitahotels.com.

6.2. Processing purposes and legal bases

The processing of personal data is carried out for the fulfilment of our obligations arising from the respective contract or for the implementation of pre-contractual measures such as, in particular, the request for individual offers for work, services or the delivery of products, calculating fees, contractual correspondence and complaints. The legal basis is Article 6 (1) (b) GDPR. Furthermore, we process personal data on the basis of legitimate interests in accordance with Article 6 (1) (f) GDPR. This includes, in particular, obtaining creditworthiness information and exchanging data with credit agencies, asserting legal claims and defending ourselves in legal disputes, ensuring IT security and IT operations, preventing and investigating criminal offences and measures to ensure house rules. In addition, we process your data if this is necessary for the fulfilment of legal obligations, in particular for compliance with commercial and tax law in accordance with section 257 HGB and section 147 AO. 

6.3. Type of data

We usually collect the following data:

  • Personal master data
  • Address and contact details
  • Payment and invoice data
  • Order and performance data
  • Information from third parties

6.4. Duration of storage

Where not otherwise stated in this Data Protection Notice, personal data will only be stored for as long as is necessary to fulfil the relevant purpose, or to fulfil our contractual or legal obligations. We are subject to various storage and documentation obligations. These result in particular from the German Handelsgesetzbuch (Commercial Code), the Abgabenordnung (Fiscal Code) and the Geldwäschegesetz (Money Laundering Act). The periods stipulated in these cases may be up to 10 years.

6.5. Disclosure of personal data

If we transfer personal data to other persons or companies, this will only be done on the basis of your consent, legal permission, a legal obligation (for example to public bodies and institutions such as supervisory or financial authorities) or an agreement on order processing in accordance with Article 28 GDPR. Further recipient categories can be found in this Data Protection Notice.

6.6. Location of data processing

Your data will generally be processed at locations within the Federal Republic of Germany or the European Economic Area (EEA). Should data be processed outside the EEA, this will only be done if a third country has been confirmed by the European Commission as having an adequate level of data protection pursuant to Article 44 et seqq. GDPR or other appropriate guarantees for the protection of personal data are in place.

6.7. Your rights

You have the right

  • of access in accordance with Article 15 GDPR, 
  • to rectification in accordance with Article 16 GDPR, 
  • to erasure in accordance with Article 17 GDPR,
  • to restriction of processing in accordance with Article 18 GDPR and
  • to data transfer in accordance with Article 20 GDPR.

The restrictions of sections 34 and 35 BDSG apply to the rights of access and the right to erasure. 

In addition, you have the right to lodge a complaint with a data protection supervisory authority in accordance with Article 77 GDPR pursuant to section 19 BDSG.

You can withdraw your consent to the processing of your personal data at any time with future effect.