Privacy policy

THE FLAG Service Frankfurt GmbH

This Data Protection Policy contains information on the extent to which we process your personal data (hereinafter referred to as “data”).

1. Controller

The controller in accordance with the General Data Protection Regulation (GDPR) is:

THE FLAG Service Frankfurt GmbH
Listertalstraße 73
57439 Attendorn

Web: the-flag.de
E-mail: datenschutz@the-flag.de

2. Data protection officer contact details

Matthias Rosa, RMPrivacy GmbH, Am Winterhafen 78, 55131 Mainz

3. Joint processing

We process personal data jointly in THE FLAG group of companies to ensure effective internal management of personal data and group systems. To this end, we transfer your data to companies affiliated with us in accordance with section 18 et seq. of the German Stock Corporation Act (AktG), or process the data in systems that are jointly operated together with the companies affiliated with us.

You can view the stakeholders in our group of companies here: https://the-flag.de/wp-content/uploads/2021/05/the-flag-gruppe.pdf

The legal basis for the joint processing of data is our overriding legitimate interest in an effective administration and IT infrastructure pursuant to Art. 6 (1) f) GDPR.

We are jointly responsible together with our affiliated companies for the processes that are subject to joint data processing in accordance with Art. 26 GDPR. Accordingly, we have set out the internal authorities and responsibilities in a binding contract.

The information requirements under the GDPR will be fulfilled by the company that you contact first.

We have assigned the fulfilment of data subject rights internally to RMBC GmbH, which you can contact at datenschutz@the-flag.de. You can also contact us at any time if you have any queries or would like to exercise your data protection rights using the contact details in section 1. We will then forward your query internally to the relevant department.

The specific processes that are covered by joint processing are indicated accordingly below.

4. General Information on data processing

We process data within the scope of our business and website operations.

This also includes disclosure in the form of transfer to third parties and, if necessary, to third countries outside the European Union (EU) and the European Economic Area (EEA). Insofar as we transfer data outside the EU or the EEA, we have indicated this accordingly below.

5. Data processing

The individual data affected, processing purposes, legal bases, recipients and transfer to third countries are stated below:

a) Website

You can find information of a general nature on data processing on our website at https://the-flag.de/datenschutzerklaerung/.

b) Contacting us

If you contact us, we process the following data about you for the purpose of processing and handling your enquiry: name, contact information – if you have provided it – and your message.

The legal basis for processing your data is our obligation to fulfil a contract and/or to fulfil our pre-contractual obligations pursuant to Art. 6 (1) b) GDPR and/or our overriding legitimate interest in processing your search pursuant to Art. 6 (1) f) GDPR.

This processing is carried out within the scope of joint responsibility set out in section 3 of this Data Protection Policy.

c) Contacting us for job applications

If you contact us to submit a job application, e.g. by e-mail or through a contact form, your data (e.g. name, e-mail address, requested place of work), your message and job application documents are processed for the sole purpose of processing and handling your job application.

The legal basis for these data processing activities is section 26 of the Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG), which states that data may be processed which are required in connection with making a decision about concluding an employment contract with an applicant.

Should the data be required once the application process has been completed, i.e. for litigation purposes, the data may be processed to maintain our legitimate interests in accordance with Art. 6 ( 1) f) GDPR, namely for the assertion and/or defence of claims.

d) Inclusion in our pool of applicants

If you wish, we can include your application profile in our pool of applicants so that we can consider and invite you to apply for suitable vacancies.

The legal basis for inclusion in our applicant pool is your consent pursuant to Art. 6 (1) a) GDPR.

e) Conclusion and performance of accommodation agreements

Within the scope of our accommodation services, we process your data to arrange (reservation) and conclude (booking) future and/or existing contractual relationships between you and our company. We require the following data to complete your booking or reservation: surnames and given names of all guests; address of the person making the booking or reservation; e-mail address; credit card or bank details.

Reservation enquiries and bookings can be made via our website. The legal basis for processing data is our contractual performance obligations in accordance with Art. 6 (1) b) GDPR.

We transmit your transaction data (name, booking date, payment type, amount and payee, bank or credit card details, if applicable) to the payment service provider commissioned to process the payment.

When you make an online booking via our website, you will be redirected to the booking page of our external booking platform operator, TravelClick, INC., 7 Times Square, 38th Floor, NY 10036, USA (“TravelClick”), where you can complete the booking online. TravelClick processes the data in the USA.

Alternatively, you can also make reservation requests directly via our website. In this case, communication occurs without data being transmitted to TravelClick.

This processing is carried out within the scope of joint responsibility set out in section 3 of this Data Protection Policy.

f) Registration procedures for accomodation establishments

We process the following data where they are governed by the registration provisions of the Federal Registration Act (Bundesmeldegesetz, BMG): arrival and scheduled departure dates, surname, given name, date of birth, nationality, address, number of travelling companions and their nationalities as well as serial numbers of the recognised and valid passports or equivalent papers for foreign persons.

We forward these data on to the relevant registration authority.

The legal basis for this is our statutory obligation in accordance with Art. 6 (I) d) DSGVO in conjunction with section 30 Federal Registration Act.

g) Self-check-In

Our hotels are equipped with terminals where you can check in independently upon arrival. We process the following data for this purpose:

–           Personal master number (client reference number)

–           Surname, given name, name affixes, if applicable

–           Contact details (telephone no., e-mail address)

–           Contract details

–           Date of birth

The legal basis for processing these data is our contractual performance obligations in accordance with Art. 6 (1) b) GDPR.

This processing is carried out within the scope of joint responsibility set out in section 3 of this Data Protection Policy.

h) Contract processing

We process your contract data from the respective accommodation agreement to manage the existing contractual relationship between you and our company.

The legal basis for processing these data is the performance of our contractual obligations in accordance with Art. 6 (1) b) GDPR, and in individual cases, the fulfilment of our statutory obligations pursuant to Art. 6 (1 c) GDPR.

This processing is carried out within the scope of joint responsibility set out in section 3 of this Data Protection Policy.

i) Information provided by the tenant themselves for accommodation rentals

In order to assess your reliability and credit rating as a future tenant, we, the landlord, require that you disclose corresponding confidential information. We process the following data in this respect, if provided by you: name, address, proof of income.

The legal basis for processing data in the context of information provided by the tenant themselves is our legitimate interest pursuant to Art. 6 (1) f) GDPR in order to ensure that the prospective rental relationship can be conducted and managed properly. In addition, this gives us the opportunity to assess whether the accommodation offered meets your needs as a prospective tenant.

j) Video surveillance in our buildings

We occasionally use video surveillance in our properties. The monitored areas are marked with the following pictogram and information:

We use video surveillance to protect against burglaries and vandalism. The legal basis for this our legitimate interest in accordance with Art. 6 (1) lit. f GDPR regarding the protection of property against vandalism. All persons present in the marked area are recorded. All recordings are automatically deleted after 72 hours.

k) Welcome system

We process guest data such as room, name and given name so that we can display a welcome text on the TV of the room you have booked.

The legal basis for the processing this data is our legitimate interest in being able to offer you a pleasant stay in accordance with Art. 6 (1) f) GDPR.

This processing is carried out within the scope of joint responsibility set out in section 2 of this Data Protection Policy.

l) Member programme

By signing up to our Member Programme and becoming a participant in our loyalty programme, you can benefit from a range of advantages. To this end, we process your name, e-mail address, date of birth, address and password.

The legal basis for participation in the Member Programme is your consent pursuant to Art. 6 (1) a) GDPR

This processing is carried out within the scope of joint responsibility set out in section 3 of this Data Protection Policy.

6. Data retention period

We store your personal data only as long as it is required for the purposes for which it is processed or until you withdraw your previous consent for us to do so. The retention period for certain data may be up to 10 years in the event of us having to comply with statutory retention periods, regardless of the processing purposes.

7. Your right as the data subject

a) Information

You can request free-of-charge information on all of your personal data that we have stored at any time.

b) Correction, deletion and restriction of processing (block), objection

If you no longer agree to the storage of your personal data or if this data has become incorrect, we will arrange for the destruction or blocking of your data or make the necessary corrections (insofar as this is possible under the applicable law) on the basis of a corresponding instruction. The same applies if we are only to process data in a restrictive manner in the future. You have the right to object in particular in cases where your data is required for the performance of a task that is in the public interest or in our legitimate interest, as well as profiling based on this. You also have the right to object in the event of data processing for the purpose of direct advertising.

c) Right to revoke your consent with future effect

You can revoke any consent you may have given with future effect. Your revocation shall not affect the legitimacy of the processing up to the date of revocation.

d) Data transferability

By your request, we shall provide you with your data in a standard, structured and machine-readable format so that you can transfer it to another controller.

e) Restriction of processing

Data that do not enable us to identify the data subject, for example where the data have been anonymised for analysis purposes, are not covered by the rights set out above. Information, deletion, blocking, correction and transfer to another company may be feasible in respect of these data if you provide us with additional information enabling us to identify the data subject.

f) Exercising your rights as a data subject and right of complaint

Should you have questions regarding the processing of your personal data as well as information on, the correction, blocking and deletion of, and objection to data, or wish to transfer the data to another company, please contact datenschutz@the-flag.de.

You may also submit a complaint to a supervisory authority with regard to your rights as a data subject.