Data Protection Policy
This Data Protection Policy contains information on the extent to which we process your personal data (hereinafter referred to as “data”).
1. Controller
The controller in accordance with the General Data Protection Regulation (GDPR) is:
THE FLAG Service München GmbH
Listertalstraße 73
57439 Attendorn
Web: www.the-flag.de
E-mail: datenschutz@the-flag.de
2. Data protection officer contact details
Matthias Rosa, RMPrivacy GmbH, Große Langgasse 1a, 55116 Mainz
3. Joint processing
We process personal data jointly in THE FLAG group of companies to ensure effective internal management of personal data and group systems. To this end, we transfer your data to companies affiliated with us in accordance with section 18 et seq. of the German Stock Corporation Act (AktG), or process the data in systems that are jointly operated together with the companies affiliated with us.
You can view the stakeholders in our group of companies here: https://the-flag.de/wp-content/uploads/2021/05/the-flag-gruppe.pdf
The legal basis for the joint processing of data is our overriding legitimate interest in an effective administration and IT infrastructure pursuant to Art. 6 (1) f) GDPR.
We are jointly responsible together with our affiliated companies for the processes that are subject to joint data processing in accordance with Art. 26 GDPR. Accordingly, we have set out the internal authorities and responsibilities in a binding contract.
The information requirements under the GDPR will be fulfilled by the company that you contact first.
We have assigned the fulfilment of data subject rights internally to RMBC GmbH, which you can contact at datenschutz@the-flag.de. You can also contact us at any time if you have any queries or would like to exercise your data protection rights using the contact details in section 1. We will then forward your query internally to the relevant department.
The specific processes that are covered by joint processing are indicated accordingly below.
4. General Information on data processing
We process data within the scope of our business and website operations.
This also includes disclosure in the form of transfer to third parties and, if necessary, to third countries outside the European Union (EU) and the European Economic Area (EEA). Insofar as we transfer data outside the EU or the EEA, we have indicated this accordingly below.
5. Data processing
The individual data affected, processing purposes, legal bases, recipients and transfer to third countries are stated below:
a) Website
You can find information of a general nature on data processing on our website at https://the-flag.de/datenschutzerklaerung/.
b) Contacting us
If you contact us, we process the following data about you for the purpose of processing and handling your enquiry: name, contact information – if you have provided it – and your message.
The legal basis for processing your data is our obligation to fulfil a contract and/or to fulfil our pre-contractual obligations pursuant to Art. 6 (1) b) GDPR and/or our overriding legitimate interest in processing your search pursuant to Art. 6 (1) f) GDPR.
This processing is carried out within the scope of joint responsibility set out in section 3 of this Data Protection Policy.
c) Contacting us for job applications
If you contact us to submit a job application, e.g. by e-mail or through a contact form, your data (e.g. name, e-mail address, requested place of work), your message and job application documents are processed for the sole purpose of processing and handling your job application.
The legal basis for these data processing activities is section 26 of the Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG), which states that data may be processed which are required in connection with making a decision about concluding an employment contract with an applicant.
Should the data be required once the application process has been completed, i.e. for litigation purposes, the data may be processed to maintain our legitimate interests in accordance with Art. 6 ( 1) f) GDPR, namely for the assertion and/or defence of claims.
d) Inclusion in our pool of applicants
If you wish, we can include your application profile in our pool of applicants so that we can consider and invite you to apply for suitable vacancies.
The legal basis for inclusion in our applicant pool is your consent pursuant to Art. 6 (1) a) GDPR.
e) Conclusion and performance of accommodation agreements
Within the scope of our accommodation services, we process your data to arrange (reservation) and conclude (booking) future and/or existing contractual relationships between you and our company. We require the following data to complete your booking or reservation: surnames and given names of all guests; address of the person making the booking or reservation; e-mail address; credit card or bank details.
Reservation enquiries and bookings can be made via our website. The legal basis for processing data is our contractual performance obligations in accordance with Art. 6 (1) b) GDPR.
We transmit your transaction data (name, booking date, payment type, amount and payee, bank or credit card details, if applicable) to the payment service provider commissioned to process the payment.
When you make an online booking via our website, you will be redirected to the booking page of our external booking platform operator, TravelClick, INC., 7 Times Square, 38th Floor, NY 10036, USA (“TravelClick”), where you can complete the booking online. TravelClick processes the data in the USA.
Alternatively, you can also make reservation requests directly via our website. In this case, communication occurs without data being transmitted to TravelClick.
This processing is carried out within the scope of joint responsibility set out in section 3 of this Data Protection Policy.
f) STRAIV Check-In registration procedures for accommodation establishments
We use the service straiv by code2order of code2order GmbH, Eichwiesenring 4F, 70567 Stuttgart (“straiv”) to check you in digitally and to fulfil our legal reporting obligations under the Federal Registration Act.
In doing so, we process the following data:
Date of arrival and expected departure, surname, first name, date of birth, nationalities, address, number of fellow travellers and their nationality as well as serial number of the recognised and valid passport or passport replacement document in the case of foreign persons, room number, booking data, if applicable geodata when using corresponding modules.
We store this data for one year and delete it at the latest three months after the end of this year, § 30 Para. 4 BMG. Upon corresponding order, we forward this data to the competent registration authority.
The legal basis of the data processing is the fulfilment of our legal obligations according to Art. 6 I c) GDPR in conjunction with § 30 Bundesmeldegesetz (BMG), otherwise with regard to the check-in the fulfilment of our contractual relationship according to Art. 6 I b) GDPR.
g) Self-check-In
Our hotels are equipped with terminals where you can check in independently upon arrival. We process the following data for this purpose:
– Personal master number (client reference number)
– Surname, given name, name affixes, if applicable
– Contact details (telephone no., e-mail address)
– Contract details
– Date of birth
The legal basis for processing these data is our contractual performance obligations in accordance with Art. 6 (1) b) GDPR.
This processing is carried out within the scope of joint responsibility set out in section 3 of this Data Protection Policy.
h) Contract processing
We process your contract data from the respective accommodation agreement to manage the existing contractual relationship between you and our company.
The legal basis for processing these data is the performance of our contractual obligations in accordance with Art. 6 (1) b) GDPR, and in individual cases, the fulfilment of our statutory obligations pursuant to Art. 6 (1 c) GDPR.
This processing is carried out within the scope of joint responsibility set out in section 3 of this Data Protection Policy.
i) Information provided by the tenant themselves for accommodation rentals
In order to assess your reliability and credit rating as a future tenant, we, the landlord, require that you disclose corresponding confidential information. We process the following data in this respect, if provided by you: name, address, proof of income.
The legal basis for processing data in the context of information provided by the tenant themselves is our legitimate interest pursuant to Art. 6 (1) f) GDPR in order to ensure that the prospective rental relationship can be conducted and managed properly. In addition, this gives us the opportunity to assess whether the accommodation offered meets your needs as a prospective tenant.
j) Video surveillance in our buildings
We occasionally use video surveillance in our properties. The monitored areas are marked with the following pictogram and information:
We use video surveillance to protect against burglaries and vandalism. The legal basis for this our legitimate interest in accordance with Art. 6 (1) lit. f GDPR regarding the protection of property against vandalism. All persons present in the marked area are recorded. All recordings are automatically deleted after 72 hours.
k) Welcome system
We process guest data such as room, name and given name so that we can display a welcome text on the TV of the room you have booked.
The legal basis for the processing this data is our legitimate interest in being able to offer you a pleasant stay in accordance with Art. 6 (1) f) GDPR.
This processing is carried out within the scope of joint responsibility set out in section 2 of this Data Protection Policy.
l) Member programme
By signing up to our Member Programme and becoming a participant in our loyalty programme, you can benefit from a range of advantages. To this end, we process your name, e-mail address, date of birth, address and password.
The legal basis for participation in the Member Programme is your consent pursuant to Art. 6 (1) a) GDPR.
This processing is carried out within the scope of joint responsibility set out in section 3 of this Data Protection Policy.
6. Data retention period
We store your personal data only as long as it is required for the purposes for which it is processed or until you withdraw your previous consent for us to do so. The retention period for certain data may be up to 10 years in the event of us having to comply with statutory retention periods, regardless of the processing purposes.
7. Your rights as the data subject
a) Information
You can request free-of-charge information on all of your personal data that we have stored at any time.
b) Correction, deletion and restriction of processing (block), objection
Should you no longer agree to the storage of your personal data, or should your data have become incorrect, we shall initiate its deletion or block upon your corresponding request or make the respective corrections (if this is possible in accordance with the applicable laws). The same applies if you wish for us to restrict the processing of your data in the future. You have the right to object, in particular, if your data is required for the performance of a task that is in the interest of the public or in our legitimate interest as well as any profiling based thereon. You also have the same right to object to data processing for the purpose of direct advertising.
c) Right to revoke your consent with future effect
You can revoke any consent you may have given with future effect. Your revocation shall not affect the legitimacy of the processing up to the date of revocation.
d) Data transferability
You may exercise your right to transfer your data in cases where they are processed on the basis of a contract, pre-contractual negotiations, consent or by automated means. Upon request, we will provide you with your data in a standard, structured and machine-readable format to enable you to transfer them to another data controller if you so wish.
e) Restriction of processing
The above rights do not apply to data that we cannot use for identifying the data subject, such as data that has been anonymised for analysis purposes. Information, deletion, blocking, correction and transfer to another company with regard to this data may be possible if you provide us with additional information that enables us to identify the data subject.
f) Exercising your rights as a data subject and right of complaint
Should you have questions regarding the processing of your personal data as well as information on, the correction, blocking and deletion of, and objection to data, or wish to transfer the data to another company, please contact datenschutz@the-flag.de.
You may also submit a complaint to a supervisory authority with regard to your rights as a data subject.