Data Privacy Statement
I. Name and address of the controller
The controller as defined by the General Data Protection Regulation, other national data protection laws of the member states, and other data protection provisions:
Klaus Kern
Obersexau 24
79350 Sexau
Telefon: (0 76 45) 3 37
E-Mail: info@berggasthof-linde.de
II. Name and address of the data protection officer
We are not obligated to appoint a data protection officer.
III. General information on data processing
1. Extent of the processing of personal data
We collect and use personal data from our users only if necessary to process our contracts. After our contractual obligations have been fulfilled, we will process data only after we have been granted permission to do so. This does not apply if practical circumstances prevent us from obtaining prior consent or we may process the data under statutory provisions.
2. Legal bases for processing personal data
If the data subject permits us to process personal data, Art. 6 (1) a GDPR serves as the legal basis.
If personal data must be processed to fulfil a contract whose contracting party is the data subject, the legal basis is Art. 6 (1) b GDPR. This also applies to processing operations that are necessary to implement pre-contractual measures.
If personal data must be processed to fulfil a legal obligation to which our company is subject, the legal basis is Art. 6 (1) c GDPR.
If the processing is necessary to safeguard a legitimate interest of our company or a third party, and that legitimate interest is not outweighed by the interests, basic rights and freedoms of the data subject, the legal basis will be Art. 6 (1) f GDPR.
3. Data deletion and duration of storage
The data subject’s personal data will be deleted or blocked as soon as the purpose of storage no longer applies. We may also store that data if such storage is provided for through the European or national legislature, in the form of directives under European Union law, statutes or other provisions to which the controller is subject. The data will also be deleted or blocked if a storage period prescribed by the standards mentioned expires, unless the data must be stored for longer to conclude or fulfil a contract.
IV. Provision of the homepage, cookies and creation of logfiles
This homepage is made with software of and hosted by Wix.com Ltd. Namal 40, 6350671 Tel Aviv, Israel ("Wix"). Wix.com participates in, and has certified its compliance with, the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework. Wix.com is committed to subjecting all Personal Information received from European Union (EU) member countries and Switzerland, respectively, in reliance on the Privacy Shield Framework, to the Framework’s applicable Principles.
More information on cookies, creation of logfiles and other information collected on visitors can be found here:
https://www.wix.com/about/privacy
V. Establishing contact through forms and email
1. Description and extent of the data processing
On our internet site, contact can be made via the forms and email addresses provided. In this case, the user’s personal data transmitted along with the form or email will be stored. In the forms, the data provided by the user (input and selection fields), as well as the time of sending and the IP address, for protection against misuse. In an email, the user data provided in that email, as well as all other data transmitted from the user’s email programme. In this context, the data will not be forwarded to third parties. The data will be used exclusively to process the visitor’s inquiry.
2. Legal basis for data processing
The legal basis for processing data transmitted when a form or email is sent is Art. 6 (1) f GDPR. If contact is established to conclude a contract, an additional legal basis for the processing is Art. 6 (1) b GDPR.
3. Purpose of data processing
If contact is established using a form or email, personal data is processed only to manage the contact that is made. This also constitutes the required legitimate interest in processing the data.
4. Duration of storage
The data will be deleted when it is no longer needed to meet the goal for which it was collected. For personal data sent via a form or email, this is the case if the respective conversation with the user has ended. The conversation will end when circumstances reveal that the situation concerned has been finally cleared up.
5. Possibility for objection and rectification
The user may at any time revoke their consent to have their personal data processed. If the user contacts us through a form or email, they can object at any time to having their personal data stored. In such a case, the conversation cannot be continued. If they do object, all personal data that was stored when contact was established will be deleted.
VI. Google Maps und Fonts
This site uses the map service Google Maps and the option of incorporating fonts from Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.
To use these services, your IP address must be stored. This information is normally transmitted to a Google server in the USA and stored there. The provider of this homepage has no influence on this data transmission.
The use takes place in the interest of an attractive presentation of our online offerings, and to make it easy to find the location indicated by us on the homepage. This constitutes a legitimate interest as defined by Art. 6 (1) f GDPR.
You will find more information about how user data is handled in Google’s data privacy statement:
https://www.google.de/intl/de/policies/privacy/.
VII. Booking system
We use a booking system of TourOnline AG, Borsigstraße 26 in 73249 Wernau. The TourOnline AG is PCI-certified. The booking system is unsed to enable comfortable booking on this website.
VIII. Rights of the data subject
If your personal data is processed, you are the data subject as defined by the GDPR and are entitled to the following fights toward the controller:
1. Right to information
You can demand that the controller confirm whether we are processing personal data concerning you.
If this is the case, you can demand access to the following information from the controller:
(1) the purposes for which the personal data is processed
(2) the categories of personal data being processed
(3) the recipient or categories of recipients to whom the personal data concerning you were or will be disclosed
(4) the planned duration of the storage of the personal data concerning you, or if no specific information is available to this end, the criteria for determining the storage period
(5) the existence of a right to have the personal data concerning you corrected or deleted, a right to restrict its processing through the controller, or a right to object to that processing
(6) the right to complain to a supervisory authority
(7) all available information on the origin of the data, if the personal data was not collected from the data subject
You have the right to demand whether the personal data concerning you are transmitted to a third country or international organisation. In this context, you may demand to be informed about the appropriate guarantees under Art. 46 GDPR in connection with such transmission.
2. Right to correction
If the processed personal data that concerns you is incorrect or incomplete, you have the right against the controller to have it corrected, deleted, or both. The controller must undertake such correction without undue delay.
3. Right to restrict the processing
You can demand that the processing of the personal data concerning you be restricted, under the following conditions:
(1) If you dispute that the personal data concerning you is incorrect, for a duration which enables the controller to check its correctness
(2) The processing is incorrect and you waive your right to have it deleted, instead demanding that its use be restricted
(3) The controller of the personal data no longer needs it for the purposes of its processing, but you need it to assert, exercise or defend against legal claims, or
(4) If you have filed an objection against the processing under Art. 21 (1) GDPR and it has not yet been established whether the legitimate reasons of the controller outweigh your reasons.
If the processing of the personal data concerning you has been restricted, these data – regardless of their storage – may be processed only (1) with your consent, (2) to assert, exercise or defend against legal claims, (3) to protect the rights of another natural person or legal entity, or (4) for reasons of an important public interest of the EU or a member state.
If the processing has been restricted according to the aforementioned conditions, the controller will inform you before that restriction is lifted.
4. Right to deletion
a. Obligation to delete
You may demand from the controller that the personal data concerning you be deleted without undue delay. The controller is obligated to delete these data without undue delay provided one of the following grounds applies:
(1) the personal data concerning you are no longer necessary for the purposes for which they were collected or otherwise processed;
(2) you withdraw your consent on which the processing is based under Art. 6 (1) a or Art. 9 (2) a GDPR, and there is no other legal basis for the processing;
(3) you object to the processing under Art. (1) GDPR and there are no overriding legitimate reasons for the processing, or you object to the processing under Art. 21 (2) GDPR.
(4) The personal data concerning you was illegally processed.
(5) The personal data concerning you must be deleted to fulfil a legal obligation under EU or member state law to which the controller is subject.
(6) The personal data concerning you was collected in regard to information society services offered pursuant to Art. 8 (1) GDPR.
b. Information to third parties
If the controller has publicised the personal data and is obligated under Art. 17 (1) GDPR to delete that data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the deletion by such controllers of any links to, or copy or replication of, those personal data.
c. Exceptions
The right to deletion does not exist if the processing is necessary:
(1) to exercise the right to information and freedom of expression
(2) to fulfil a legal obligation which requires the processing under
EU or member state law to which the controller is subject, or to carry out a task in the public interest or in the exercise of public authority vested in the controller
(3) for reasons of the public interest in the area of public health under Art. 9 (2) h and i as well as Art. 9 (3) GDPR
(4) for archiving, scientific or historical research purposes in the public interest, or statistical purposes under Art. 89 (1)
GDPR insofar as the right mentioned in section a) is expected to prevent or seriously impair the realisation of the objectives of this agreement, or
(5) to assert, exercise or defend against legal claims.
5. Right to information
If you have asserted your right to correction, deletion or restriction of the processing toward the controller, that controller is obligated to communicate such correction or deletion of the data or restriction of its processing to all recipients to whom the personal data concerning you have been disclosed, unless this proves impossible or would entail a disproportionate effort. You have the right to be informed by the controller about those recipients.
6. Right to data portability
You have the right to receive the personal data concerning you, which you have provided to the controller, in a structured, commonly used and machine-readable format. You also have the right to transmit these data to another controller without hindrance from the controller to which the personal data were provided, as long as:
(1) The processing is based on consent pursuant to Art. 6 (1) a GDPR or Art. 9 (1) a GDPR or on a contract pursuant to Art. 6 (1) b GDPR and
(2) the processing occurs with the help of automated procedures.
In exercising this right, you may also effect that the personal data concerning you are transmitted directly from one controller to another, insofar as this is technically feasible. Doing so must not impair the rights and freedoms of others.
The right to data portability does not apply if personal data must be processed to carry out a task in the public interest or in the exercise of public authority vested in the controller.
7. Right to object
You have the right to object at any time, for reasons arising from your particular situation, if personal data concerning you is processed based on Art. 6 (1) e or f GDPR.
The controller will cease processing the personal data concerning you unless the controller can verify compulsory legitimate grounds for the processing which override your interests, rights and freedoms, or if the processing is done to assert, exercise of defend against legal claims.
If the personal data concerning you are processed for direct marketing purposes, you may object to that processing at any time.
If you object to processing for direct marketing purposes, the personal data concerning you will no longer be processed for these purposes. In connection with the use of information society services, you may exercise your right to object using an automatic procedure in which technical specifications are used (regardless of Directive 2002/58/EC).
8. Right to withdraw the declaration of consent under data protection laws
You have the right to withdraw your declaration of consent under data protection laws at any time. Withdrawing consent will not affect the legality of any processing performed on the basis of that consent before that consent was withdrawn.
9. Automatic decision-making in individual cases
You have the right not to be subject to a decision based exclusively on automated processing, which legally affects or otherwise significantly impairs you. This does not apply if that decision
(1) is necessary to conclude or fulfil a contract between you and the controller,
(2) is permitted under EU or member state law to which the controller is subject and which stipulate reasonable measures for guarding your rights, freedoms and legitimate interests, or
(3) is made with your express consent.
However, these decisions may not be based on special categories of personal data under Art. 9 (1) GDPR unless Art. 9 (2) a or g GDPR apply and reasonable measures have been taken to protect your rights, freedoms and legitimate interests.
Regarding the cases mentioned in (1) and (3), the controller shall take reasonable measures to guard your rights, freedoms and legitimate interests, which must include at least the right to obtain human intervention on the part of the controller, to present your own point of view, and to contest the decision.
10. Right to complain to a supervisory authority
If you believe that the processing of the personal data concerning you breaches the GDPR, you have the right to complain to a supervisory authority – especially in the member state of your abode, your workplace, or the place of the suspected breach – without prejudice to other administrative rights or judicial remedies.
The supervisory authority to which the complaint is submitted shall inform the complainant about the status and results of that complaint, including the possibility for judicial remedy under Art. 78 GDPR.
IX. Instagram
We are running an Instagram Channel from Instagram LLC, 1601 Willow Rd, Menlo Park CA 94025, USA. Further information on data privacy can be found here: https://help.instagram.com/155833707900388.