Privacy policy

Scope

This privacy policy applies to all pages of www.bwhhotels.de. It does not cover any linked websites of other providers.

Controller

The following party is known as the controller under data protection law and therefore responsible for the processing of personal data within the scope of this privacy policy:
BWH Hotels Central Europe GmbH
Frankfurter Straße 10-14 65760 Eschborn Germany
+49 6196 47240 / +49 6196 4724200
info@bwhhotels.de

Questions about data protection

If you have any questions about data protection with regard to our company or our website, you can contact our data protection officer:
SPIRIT LEGAL Rechtsanwaltsgesellschaft mbH
Attorney-at-law and data protection officer
Peter Hense
Postal address:
Data protection officer
c/o BWH Hotels Central Europe GmbH, Frankfurter Straße 10-14, 65760 Eschborn
Contact via encrypted online form:
Contact data protection officer
If you have any questions about data protection with regard to our company or our website, you can contact us using the contact details provided under “Controller”.

Security

We have taken comprehensive technical and organisational precautions to protect your personal data from unauthorised access, abuse, loss and other external disruption. To this end, we regularly review our security measures and adapt them to the latest standards.

Your rights

You have the following rights with regard to the personal data concerning you that you can assert against us:

Right of access: You can request access to the personal data concerning you which we process, as set forth in Art. 15 GDPR.
Right to rectification: If the information concerning you is not (or no longer) correct, you can request its rectification in accordance with Art. 16 GDPR. If your data is incomplete, you can request that it be completed.
Right to erasure: You may request the erasure of your personal data in accordance with Art. 17 GDPR.
Right to restriction of processing: Pursuant to Art. 18 GDPR, you have the right to demand that the processing of your personal data be restricted.
Right to object to processing: Pursuant to Art. 21(1) GDPR, you have the right to object at any time, for reasons arising from your particular situation, to the processing of your personal data which occurs based on Art. 6(1) Sentence 1(e) or (f) GDPR. If you object, we will not process your data further, unless we can prove compelling legitimate reasons for the processing which override your interests, rights and freedoms. Processing will also continue if the processing serves to establish and exercise or defend against legal claims (Art. 21(1) GDPR). Furthermore, under Art. 21(2) GDPR you have the right to object at any time to the processing of your personal data for direct marketing purposes, which includes profiling to the extent that this is related to such direct marketing. In this privacy policy, we draw your attention to this right to object when describing each processing operation.
Right to withdraw your consent: If you have given your consent for processing, you have a right to withdraw that consent under Art. 7(3) GDPR.
Right to data portability: You have the right to receive the personal data you have given us in a structured, commonly used, machine-readable format (“data portability”) and the right to transfer this data to another controller, if the prerequisites of Art. 20(1)(a), (b) GDPR are fulfilled (Art. 20 GDPR).

You can assert your rights by informing us using the contact details specified under “Controller” above or by contacting the data protection officer designated by us.

If you believe that the processing of your personal data violates data protection law, then under Art. 77 GDPR you also have the right to lodge a complaint with a data protection supervisory authority of your choice. This includes the data protection supervisory authority responsible for the controller:
The Hessian Commissioner for Data Protection and Freedom of Information, Postfach 31 63, 65021 Wiesbaden, visitor address: Gustav-Stresemann-Ring 1, 65189 Wiesbaden, phone: +49 (0)611/14080, email: poststelle@datenschutz.hessen.de, www.datenschutz.hessen.de

Using our website

In principle, you can use our website for purely informational purposes without disclosing your identity. When you access the individual pages of the website in this sense, this only results in access data being transferred to our web hosting service so that the website can be displayed to you. This involves the following data being processed:

Browser type/version
Operating system used
Language and version of the browser software
Date and time of access
Hostname of the accessing device
IP address
Content of the request (specific page)
Access status / HTTP status code
Websites accessed via the website
Referrer URL (website visited before)
Notification of whether the access was a success
Volume of data transferred and
Time zone difference from GMT.

It is necessary for this data to be processed temporarily in order to make it technically possible for you to visit our website and to deliver the website to your device. The access data is not used to identify individual users and is not combined with other data sources. The data is also stored in log files, in order to ensure the functionality of the website and the security of the information technology systems. The legal basis for the processing is Art. 6(1) Sentence 1(f) GDPR. We have legitimate interests in ensuring the functionality, integrity and security of the website. Storing access data in log files, in particular the IP address, for a longer period of time enables us to detect and prevent misuse. This includes, for example, defending against requests that would overload the service as well as against bots. The access data will be erased as soon as it is no longer required for achieving the purpose of its processing. In the case of recording the data to provide the website, this is the case when you end your visit to the website. The log data is generally stored directly and in such a way that it can only be accessed by administrators, and it is erased after seven days at the latest. After that, it is only indirectly available by reconstructing backups, and is finally erased after a maximum of seven days.

You may object to the processing. Your right of objection exists if you have reasons arising from your particular situation. You may send us your objection using the contact details specified under “Controller” above. Upon request, we will provide you with the balancing of interests free of charge.

Technically necessary device information

In addition to the aforementioned access data, technologies are used when you use the website which store information on your device (e.g. desktop PC, laptop, tablet or smartphone) or access information which is already stored on your device. These technologies may include, for example, cookies, pixels, local storage, session storage, IndexedDB or browser fingerprinting technologies. These technologies can be used to recognise you across devices and websites.

According to Sect. 25(1) of the German Telecommunications and Digital Services Data Protection Act (TDDDG), we generally require your consent for the use of these technologies. According to Sect. 25(2) TDDDG, this is only not required if the technologies either enable the transmission of a message via a public telecommunications network or if they are strictly necessary to provide a telemedia service that you have expressly requested.

Some elements of our website serve the sole purpose of transmitting a message (Sect. (2) No. 1 TDDDG) or are strictly necessary to provide you with our website or individual features thereof (Sect. 25(2) No. 2 TDDDG):

Language settings.

The elements are erased after storage is no longer required.
You can prevent processing by adjusting your browser settings accordingly. For elements whose storage duration is not limited to the session, you can adjust your browser settings so that the elements are erased after your session has expired.

Technically non-essential device information

Our website also uses elements that are not technically essential. We only use these technologies with your consent in accordance with legal requirements. Information about the individual technologies and features can be found in our settings within the consent management platform (cookie banner) as well as in the following information, which is sorted according to the individual features.

Consent management platform

To make it easier for us to ask for your consent to the use of cookies or other tracking technologies so that we can process your device information and personal data when you visit our website, we use a consent tool. This gives you the opportunity to accept or decline the processing of your device information and personal data using cookies or other tracking technologies for the purposes listed. Such processing purposes may include the integration of external elements, integration of streamed content, statistical analysis, reach measurement, personalised product recommendations, or personalised advertising.

You can grant or refuse your consent for all processing purposes, or grant or refuse your consent for individual purposes or third-party providers.

You can change your settings again later on. The purpose of integrating the consent management platform is to allow users of our website to decide whether to allow cookies and similar technologies, and to offer them the opportunity to change settings that they have already made when they continue to use our website.

When the consent management platform is used, we process personal data as well as information from the devices used. The information about the settings you have made is also stored on your device.

The legal basis for the processing is Art. 6(1) Sentence 1(c) GDPR in conjunction with Art. 7(1) GDPR, insofar as the processing serves to fulfil the legally standardised obligations to provide evidence for the granting of consent. Otherwise, Art. 6(1) Sentence 1(f) GDPR is the relevant legal basis. Our legitimate interests in this processing lie in the storage of users settings and preferences with regard to the use of cookies and the evaluation of consent rates.

A new request for your consent will be made twelve months after you saved your user settings. Your user settings will then be saved again for this period, unless you delete the information about your user settings yourself beforehand in your device settings.

You may object to the processing, insofar as processing is based on Art. 6(1) Sentence 1(f) GDPR. Your right of objection exists if you have reasons arising from your particular situation. You may send us your objection using the contact details specified under “Controller” above. Upon request, we will provide you with the balancing of interests free of charge.

The recipient of the personal data processed in this context is the provider of the consent management platform we use:

consentmanager GmbH (Eppendorfer Weg 183, 20253 Hamburg) with regard to the “consentmanager” consent ma-
nagement platform.

Contacting our company

When you contact our company, e.g. by email or using the contact form on the website, we will process the personal data you provide so that we can respond to your request. In order for us to process enquiries submitted via the contact form, it is essential that you provide a first and last name, a valid email address, the hotel and the location. The legal basis for this processing is Art. 6(1) Sentence 1(f) GDPR and Art. 6(1) Sentence 1(b) GDPR, if the contact is made with the intention of concluding a contract. If the request is aimed at concluding a contract, it is necessary for you to provide your data. If you do not provide your data, it will not be possible to conclude/execute a contract and process the request. The other data processed during the submission process serves to prevent any misuse of the contact form and to ensure the security of our information technology systems. As soon as processing is no longer necessary, we will erase the data generated here or, if statutory retention obligations apply, restrict processing of the data. You may object to the processing, insofar as it is based on Art. 6(1) Sentence 1(f) GDPR. Your right of objection exists if you have reasons arising from your particular situation. You may send us your objection using the contact details specified under “Controller” above. Upon request, we will provide you with the balancing of interests free of charge.

Establishment, exercise or defence of legal claims

We also process personal data for the establishment, exercise or defence of legal claims. The legal basis for this processing is Art. 6(1) Sentence 1(c) GDPR and Art. 6(1) Sentence 1(f) GDPR. In these cases, we have a legitimate interest in the assertion or defence of claims. You may object to the processing. Your right of objection exists if you have reasons arising from your particular situation. You may send us your objection using the contact details specified under “Controller” above. Upon request, we will provide you with the balancing of interests free of charge.

Fulfilment of other legal obligations

We may also process the aforementioned personal data to fulfil other legal obligations, in particular if there is an enforceable official or court order or if we are obliged to do so by law. The legal basis in such cases is Art. 6(1) Sentence 1(c) GDPR.

Marketing via email and messenger services

Advertising to existing customers

We reserve the right to use the email address you provide when ordering in accordance with the statutory provisions in order to send you the following content by email at the time of or after your order, unless you have already objected to this processing of your email address:

Attractive offers from our portfolio, in particular regarding services related to brand affiliation with BWH Hotels
Individual customer support
New offers involving our products and services
Invitations to company events.

The legal basis of the data processing is Art. 6(1) Sentence 1(f) GDPR. Our legitimate interests in the processing described lie in enhancing and optimising our services, conducting direct marketing and ensuring customer satisfaction. We will erase your data when you stop using the service, but no later than three years after termination of the contract. We use an external email marketing service to send the emails. For more information on this service provider, please refer to the “Email marketing services” section.

We would like to point out that you can object to receiving direct marketing and to the processing of the data for direct marketing purposes at any time without incurring any costs other than the transmission costs according to the basic rates. Here you have a general right of objection without giving reasons (Art. 21(2) GDPR). To do this, click on the unsubscribe link in the relevant email or send us your objection to the contact details provided under “Controller”. Upon request, we will provide you with the balancing of interests free of charge.

You have the option of receiving email notifications when products become available again, as well as subscribing to our email newsletter, through which we will regularly inform you about the following content:

Attractive offers from our portfolio, in particular regarding services related to brand affiliation with BWH Hotels
Individual customer support
New offers involving our products and services
Invitations to company events.

To receive the newsletter, you must provide your email address (for the newsletter we send by email) and specify a recipient (name or pseudonym). We process this data for the purpose of sending the email newsletter and for as long as you have subscribed to the newsletter.
We use an external marketing service provider to send the newsletter. For more information, please refer to the “Marketing service provider” section.
The legal basis for the processing is Art. 6(1) Sentence 1(a) GDPR. We will process your data until you withdraw your consent.
You can withdraw your consent to the processing of your email address for the purpose of sending you the newsletter at any time, either by clicking directly on the unsubscribe link in the newsletter or by sending us a message using the contact details provided under “Controller”. This will not affect the lawfulness of the processing carried out on the basis of the consent prior to the withdrawal.

Double opt-in procedure

In order to document your newsletter registration and to prevent abuse of your personal data, we use what is known as a double opt-in procedure for email newsletter registrations. Once you have entered the data marked as mandatory, we will send you an email to the email address you have provided, in which we ask you to expressly confirm your subscription to the newsletter by clicking on a confirmation link. We process your IP address, the date and time of your registration for the newsletter and the time of your confirmation. This is how we ensure that you really want to receive our email newsletter. We are legally obliged to be able to demonstrate that you have consented to the processing of your personal data in connection with registering for the newsletter (Art. 7(1) GDPR). Due to this legal obligation, this data processing is carried out on the basis of Art. 6(1) Sentence 1(c) GDPR.

You are not obliged to provide your personal data during the registration process. However, if you do not provide the required personal data, we may not be able to process your subscription or process it in full. If you do not confirm your newsletter subscription, we will block the information transmitted to us and erase it automatically after one month at the latest. Once you confirm your registration, we will process your data for as long as you have subscribed to the newsletter.

Newsletter tracking

We also statistically evaluate newsletter opening rates, the number of clicks on links in newsletters and the reading time. For this purpose, user activity on our websites and within the newsletters we send out is evaluated on the basis of device-specific information (e.g. email client used and software settings). For this analysis, the emails sent out contain so-called web beacons or tracking pixels, which constitute single-pixel image files that are also embedded on our website.

The legal basis of the processing is Art. 6(1) Sentence 1(a) GDPR. We will erase your data if you unsubscribe from the newsletter.
You can withdraw your consent at any time, either by sending us a message (see the contact details under “Controller”) or by clicking directly on the unsubscribe link in the newsletter. This will not affect the lawfulness of the processing carried out on the basis of the consent prior to the withdrawal.

Opt-out list

If you cancel your registration by withdrawing your consent or, in the case of advertising to existing customers, by exercising your right of objection, we will continue to process your data, in particular your email address, to ensure that you do not receive any more newsletters from us. For this purpose, we will add your email address to an opt-out list, which makes it possible to prevent you from receiving any further newsletters from us. The legal basis for the data processing is Art. 6(1) Sentence 1(c) GDPR, in order to comply with our obligations to provide evidence, and failing this, Art. 6(1) Sentence 1(f) GDPR. In this case, we have a legitimate interest in complying with our legal obligations to make sure that we stop sending you newsletters.

Marketing service provider

We use the following marketing services to advertise to existing customers:

„Optimizely, which is provided by Optimizely GmbH (Wallstraße 59, 10179 Berlin) and Optimizely Inc. (119 Fifth Avenue, 7th Floor, New York, NY 10003 US). Optimizely also processes your data in the US. The EU Commission has issued an adequacy decision for data transfers to the US. Optimizely Inc. is certified under this. In addition, standard data protection clauses have been concluded with Optimizely in order to commit Optimizely to an appropriate level of data protection. You can request a copy of the standard data protection clauses from Episerver by sending an email to: dpo@optimizely.com For more information about the storage period, please refer to the Optimizely privacy policy at: www.optimizely.com/de/legal/datenschutz/

You may object to the processing, insofar as it is based on Art. 6(1) Sentence 1(f) GDPR. Your right of objection exists if you have reasons arising from your particular situation. You may send us your objection using the contact details specified under “Controller” above. Upon request, we will provide you with the balancing of interests free of charge.

Enforcement of rights, address investigation, debt collection

In the event of non-payment, we reserve the right to pass on the data provided at the time of ordering to a lawyer and/or to external companies (e.g. Verband der Vereine Creditreform e.V., Hellersbergstraße 12, 41460 Neuss, Germany) in order to ascertain an address and/or enforce our rights. The legal basis of the processing is Art. 6(1) Sentence 1(f) GDPR. Our legitimate interests lie in fraud prevention and avoiding default risks. In addition, we may pass on your data to the extent necessary in order to safeguard our rights, as well as the rights of our affiliates, our partners, our employees and/or users of our website. Under no circumstances will we sell or rent your data to third parties. The legal basis for the processing is Art. 6(1) Sentence 1(f) GDPR. We have a legitimate interest in the processing for the purpose of enforcing our rights. As soon as storage is no longer necessary, we will erase the data generated or, if statutory retention obligations apply, restrict processing of the data.

Hosting

We use external hosting services provided by Mittwald CM Service GmbH & Co. KG (Königsberger Str. 4-6, 32339 Espelkamp), which serve to provide the following services: infrastructure and platform services, computing capacity, storage resources and database services, security and technical maintenance services. For these purposes, all of the data required for the operation and use of our website – including the access data mentioned under “Using our website” – is processed. The legal basis for this processing is Art. 6(1) Sentence 1(f) GDPR. By using hosting services, we are pursuing our legitimate interests in making our website efficient and secure.

Services for statistical, analysis and marketing purposes

We use services from third parties for statistical, analysis and marketing purposes. This enables us to offer you a user-friendly, optimised experience when visiting the website. The third-party providers use cookies, pixels, browser fingerprinting or other tracking technologies to control their services. In the following, we inform you about the services from external providers currently in use on our website, about the related processing in each case, and about how you can withdraw your consent.

AdUp Ads retargeting

Our website also uses the AdUp Ads analytics and retargeting features from Axel Springer Teaser Ad GmbH, Axel-Springer-Str. 65, 10969 Berlin (hereinafter referred to as “AdUp”). In particular, AdUp uses cookies, AdUp pixels and fingerprinting methods to process the information generated about how your device uses our website, in order to record specific user behaviour on our website and evaluate the. To this end, AdUp assigns a unique identifier to your browser (browser ID) when you visit our website in order to process your interactions with our website. Information stored on users’ devices is also processed, such as in particular user agent, browser information (such as browser ID, timestamp), request ID, type of interaction (such as page view) and other data mentioned under “Using our website”. This enables us to target users of our website with interest-based ads, tailor our advertising campaigns to users’ interests and preferences, and measure the effectiveness of our ads. Thanks to the AdUp tracking technologies used, your browser automatically establishes a direct connection to the AdUp servers. We do not perform any personal identification of individual users. The maximum storage period with AdUp is twelve months. With regard to the storage of and access to information on your device, the legal basis is Sect. 25(1) TDDDG; for further processing, the legal basis is Art. 6(1) Sentence 1(a) GDPR. For further information about the protection of your data and how long AdUp stores your data, please refer to: www.adup-tech.com/rechtliches/datenschutz

You can withdraw your consents to the processing at any time by moving the slider back in the consent tool advanced settings. This does not affect the lawfulness of the processing carried out on the basis of the consent prior to the withdrawal.

eTracker

We use the web analysis service “eTracker” (eTracker GmbH, Erste Brunnenstraße 1, 20459 Hamburg, Germany) for the statistical evaluation of visitor numbers, page views, downloads, websites visited previously, and for measuring the success of entries in search engines. The eTracker tool uses technologies such as tracking pixels and fingerprinting to record, analyse and categorise the information generated by the user’s device about the use of our website and interactions with our website as well as access data – in particular the IP address, browser information, the website visited previously, the date and time of the server request, and conversion data – for the purpose of statistical analysis and measuring the reach of ads in search engines. We use eTracker with the extension which causes IP addresses to be shortened before processing them further, in order to make it more difficult to identify individuals. With regard to the storage of and access to information in your device, your consent is the legal basis pursuant to Sect. 25(1) of the Telecommunications and Telemedia Data Protection Act (TDDDG); for further processing, your consent is also the legal basis pursuant to Art. 6(1) Sentence 1(a) GDPR. For further information about the protection of your data and how long eTracker stores your data, please refer to:

www.etracker.com/en/data-protection-by-etracker/

You can withdraw your consent to the processing at any time by moving the slider back for the specific third-party provider in the consent tool advanced settings. Please note that this will not affect the lawfulness of the processing before your withdrawal.

Google Ads Remarketing

We use the Google Ads tool with the Dynamic Remarketing feature, which is provided by Google (Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland and Google, LLC, 1600 Amphitheatre Parkway Mountain View, CA 94043, US; hereinafter referred to as “Google” and “Google Ads”). The Dynamic Remarketing feature allows us to recognise users of our website on other websites within the Google advertising network (in Google Search or on YouTube, so-called Google Ads, or on other websites) and present ads tailored to their interests. Ads may also refer to products and services that you have already viewed on our website. For this purpose, analyses are performed of user interactions on our website, e.g. which offers a user was interested in, so that we can display targeted advertising to users on other sites after they have left our website. When you visit our website, Google Ads stores a cookie on your device. Google uses cookies to process the information generated by your device about the use of our website and interactions with our website as well as the data mentioned under “Using our website”, in particular your IP address, browser information, the website visited before and the date and time of the server request, for the purpose of serving personalised ads. For this purpose, it is also possible to determine whether different devices belong to you or to your household. Due to the marketing tools used, your browser automatically establishes a direct connection to the Google server. If a user is registered with a Google service, Google can associate the visit with the user’s account and create and evaluate user profiles across applications. With regard to the storage of and access to information on your device, your consent is the legal basis pursuant to Sect. 25(1) of the Telecommunications and Digital Services Data Protection Act (TDDDG); for further processing, your consent is also the legal basis pursuant to Art. 6(1) Sentence 1(a) GDPR. Google also processes the data in part in the US. The EU Commission has issued an adequacy decision for data transfers to the US. Google, LLC is certified under this. So-called standard contractual clauses have been concluded with Google, LLC in order to commit Google, LLC to an appropriate level of data protection. You can obtain a copy of the standard contractual clauses at: cloud.google.com/terms/sccs. The maximum storage period with Google is 24 months. For further information about the protection of your data and how long Google stores your data, please refer to: policies.google.com/privacy

You can withdraw your consents to the processing at any time by moving the slider back in the consent tool advanced settings. Please note that this will not affect the lawfulness of the processing before your withdrawal.

LinkedIn Ads (conversion)

Our website uses the features of LinkedIn Ads, provided by LinkedIn Ireland Unlimited Company (Wilton Place, Dublin 2, Ireland; hereinafter referred to as “LinkedIn”). If you access our website via an ad from LinkedIn, LinkedIn will place acookie on your device or in your browser in order to measure the reach of our ads, to make it possible to measure the success of an ad and to continuously improve our ads. LinkedIn uses the cookies to process the information generated by your device about interactions with our ads (e.g. retrieval of a particular web page or click on an ad) as well as, in part, the data mentioned under “Using our website”, such as your IP address, device and browser information, referrer URL as well as timestamps for the purpose of analysing the reach and success of our ads, whereby LinkedIn shortens IP addresses. By using the conversion tracking features of LinkedIn, we can in particular determine the extent to which the ads we have placed have influenced relevant actions on our website. For this purpose, your browser automatically establishes a direct connection to the LinkedIn server. If you are logged in with a LinkedIn service, LinkedIn can associate the information recorded with your user account, in particular information about your visit to our website. The direct identifiers of registered users processed in this context are removed by LinkedIn within seven days and the remaining data is then erased within 180 days. Even if you do not have a LinkedIn user account or have not logged in, it is possible that LinkedIn will obtain and process your IP address in particular and other identifying information. As part of the evaluation, LinkedIn does not share any personal data with us, but only transmits statistical evaluations to us to measure the success of our ads. This means that we learn in the form of statistics to what extent our ads served on LinkedIn are successful and have led to relevant actions on our website. In the process, we also obtain statistical analyses of which groups of people (e.g. with a certain job title, or from a certain company or industry, etc.) have carried out actions. Based on this, we can specify our target groups and improve the targeting of our ads. With regard to the storage of and access to information on your device, the legal basis is Sect. 25(1) TDDDG; for further processing, the legal basis is Art. 6(1) Sentence 1(a) GDPR. LinkedIn also processes data in the US. We have concluded so-called standard contractual clauses with LinkedIn in order to commit LinkedIn to an appropriate level of data protection. A copy is of course available on request. For further information about the protection of your data and how long LinkedIn stores your data please refer to: https://www.linkedin.com/legal/privacy-policy

Meta Custom Audiences | Lookalike Audiences

Our website also uses the Website Custom Audience targeting feature for ads, which is provided by Meta (the provider is Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland, and Meta Platforms Inc. 1601 Willow Rd, Menlo Park, California, US; hereinafter referred to as “Meta”). So-called web beacons, such as the Meta Pixel, are used to record information about how you use our website, which is then processed by Meta. This allows visitors to our website to be matched with users on Meta. This makes it possible to display interest-based ads (“Meta Ads”) to users of the website, and users of Meta who belong to a comparable audience, when they visit the Meta social network and to analyse their interactions with our website. We also use Meta’s extended Lookalike Audience feature to create new audiences/recipients based on an original audience defined by us, to whom we can then serve interest-based ads when they visit the Meta social network. Meta then uses this original audience to identify new audiences based on our pre-defined criteria, such as interests (“lookalike audience”). Your browser uses Meta Pixels – small graphics that are also embedded on our website, are automatically loaded when you visit our website, and enable tracking of user activity – to automatically establish a direct connection to the Meta server. Embedding Meta Pixels allows Meta to process the information generated in this way about the use of our website by your device – such as the fact you accessed a specific website – and to process the access data mentioned under “Using our website” , in particular the IP address, browser information, Meta ID, device ID, language settings, date and time of the server request and event data such as page views, button views and other interactions for the purpose of serving personalised ads. For this purpose, it is also possible to determine whether different devices belong to you or to your household. If you are registered with a Meta service, Meta can associate the information recorded with your user account. Even if you are not registered with Meta or have not logged in, it is possible that the provider will obtain and process your IP address and other identifying information. With regard to the storage of and access to information on your device, your consent is the legal basis pursuant to Sect. 25(1) of the Telecommunications and Digital Services Data Protection Act (TDDDG); for further processing, your consent is also the legal basis pursuant to Art. 6(1) Sentence 1(a) GDPR. Meta also processes the data in part in the US. The EU Commission has issued an adequacy decision for data transfers to the US. Meta Platforms, Inc. is certified under this. Standard data protection clauses have also been concluded with Meta Platforms, Inc. in order to commit Meta Platforms, Inc. to an appropriate level of data protection. You can request a copy of the standard data protection clauses from Meta at: www.facebook.com/help/contact/341705720996035. The information in Facebook cookies will be stored for a maximum of 90 days.

For further information about the protection of your data and how long Meta stores your data, please refer to: www.facebook.com/privacy/policy/ and www.facebook.com/policies/cookies/

You can withdraw your consent to the processing at any time by moving the slider back in the Advanced Settings of the consent tool www.bwhhotels.de/en/. This does not affect the lawfulness of the processing carried out on the basis of the consent prior to the withdrawal.

When using the aforementioned Meta Business Tools, your personal data (Business Tools data) will be processed both by us and by Meta. The processing of personal data described above in connection with the use of Meta Business Tools and, in particular, the processing of your hashed contact data and event data, i.e. information obtained in connection with the analysis of your interactions with our website or online presence, is carried out by us and Meta as joint controllers in accordance with Art. 26 GDPR, whereby the responsibility for fulfilling the data protection obligations under the GDPR may vary depending on the processing phase. The purpose of the processing is to optimise the relevant marketing campaigns and analyses, in particular the comparison with Meta user IDs for serving targeted ads, for which we use Meta Business Tools as a means.

We have entered into a joint controllership agreement with Meta in accordance with Art. 26(1) Sentence 2 GDPR and defined who fulfils the applicable obligations under the GDPR for each processing phase:

As BWH, we are independently responsible for the processing of personal data processed in Meta Business Tools used to conduct analysis, measure audience reach and generate campaign reports, and for matching it with user IDs, including combining it with event data collected.
We are jointly responsible with Meta Ireland Limited for the collection and transmission of event data and the Meta Pixels embedded on our website, including the Meta Conversions API.
In addition, Meta is an independent controller pursuant to Art. 4 No. 7 GDPR, in particular for any downstream processing of personal data contained in Meta Business Tools.

You may exercise your rights as a data subject against both us and Meta. We and Meta will notify each other without undue delay of any rights exercised by data subjects. We will provide each other with all the information necessary to respond to the relevant requests from data subjects. Irrespective of the responsibility for the respective processing phases in connection with the use of Meta Business Tools, we provide data subjects with the necessary information in accordance with Art. 13 and 14 GDPR and in accordance with Art. 26(2) GDPR in the context of this data protection information in a concise, transparent, intelligible and easily accessible form, using clear and simple language, free of charge. We and Meta provide each other with all the necessary information from our respective areas of responsibility.

The legal basis for the joint processing is your consent according to Sect. 25(1) TDDDG and for the further processing Art. 6 (1) Sentence 1(a) GDPR. For further information about the processing, in particular in the context of joint processing with Meta, please visit: www.facebook.com/legal/terms/businesstools_jointprocessing, www.facebook.com/legal/terms/businesstools/preview and www.facebook.com/about/privacy. You can access the agreement concluded with Meta regarding joint controllership in connection with Meta Business Tools at: www.facebook.com/legal/controller_addendum

Microsoft Ads (formerly Bing Ads)

Our website uses the tracking features of Bing Ads, which is provided by Microsoft Corporation (One Microsoft Way, Redmond, WA 98052-6399, US; hereinafter referred to as “Microsoft” and “Microsoft Ads”). Microsoft stores a cookie on the user’s device to measure the reach of our ads and to enable us to attribute the success of an ad. The Microsoft Ads online advertising service uses technologies such as cookies, tracking pixels and device fingerprinting in order to serve ads that are relevant to users and to improve campaign performance reports. This involves processing information that is stored on users’ devices. Microsoft Ads makes it possible to display interest-based ads to users that are related to search results in Bing and Yahoo search engines. Ads may also refer to products and services that users have already viewed on our website. For this purpose, analyses are first performed of user interaction on our website, such as which offers users are interested in, so that we can display targeted advertising to the users on other sites after they have left our website. When users visit our website, Microsoft Ads stores a cookie on the user’s device. Microsoft uses cookies and tracking pixels to process the information generated by users’ devices about the use of our website and interactions with our website as well as access data, in particular the IP address, browser information, the website visited before and the date and time of the server request, across devices for the purpose of serving and analysing personalised ads. For this purpose, it is also possible to determine whether different devices belong to you or to your household. In addition, the Microsoft Ads online advertising service allows us to measure the reach of our ads and to track the success of a particular ad. This involves using “ad server cookies”, which can be used to measure certain reach measurement parameters, such as the display of ads, how long they were viewed, or clicks by users. With regard to the storage of and access to information on your device, your consent is the legal basis pursuant to Sect. 25(1) of the Telecommunications and Digital Services Data Protection Act (TDDDG); for further processing, your consent is also the legal basis pursuant to Art. 6(1) Sentence 1(a) GDPR. Microsoft also processes the data in part in the US. The EU Commission has issued an adequacy decision for data transfers to the US. Microsoft Corporation is certified under this. In addition, so-called standard contractual clauses have been concluded with Microsoft Corporation in order to commit Microsoft Corporation to an appropriate level of data protection. A copy of the standard contractual clauses can be requested at: go.microsoft.com/fwlink/p/. The information in Microsoft Ads cookies will be stored for a maximum of 14 months. For more information about the protection of your data and how long Microsoft Ads stores your data, please refer to: www.microsoft.com/de-de/privacy/privacystatement