Data Protection Policy

Rudolf Muhr Swiss Holding AG, THE FLAG

This Data Protection Policy contains information on the extent to which we process your personal data (hereinafter referred to as “data”).

1. Controller

The controller in accordance with the General Data Protection Regulation (GDPR) is:

Rudolf Muhr Swiss Holding AG
Baslerstrasse 100
8048 Zürich-CH

Web: www.the-flag.de
E-mail: datenschutz@the-flag.de

2. Joint processing

We process personal data jointly in THE FLAG group of companies to ensure effective internal management of personal data and group systems. To this end, we transfer your data to companies affiliated with us in accordance with section 18 et seq. of the German Stock Corporation Act (AktG), or process the data in systems that are jointly operated together with the companies affiliated with us.

You can view the stakeholders in our group of companies here: https://the-flag.de/wp-content/uploads/2021/05/the-flag-gruppe.pdf

The legal basis for the joint processing of data is our overriding legitimate interest in an effective administration and IT infrastructure pursuant to Art. 6 (1) f) GDPR.

We are jointly responsible together with our affiliated companies for the processes that are subject to joint data processing in accordance with Art. 26 GDPR. We have accordingly defined the internal authorities and responsibilities in a binding contract.

The information requirements under the GDPR will be fulfilled by the company that you contact first.

We have assigned the fulfilment of data subject rights internally to RMBC GmbH, which you can contact at: datenschutz@the-flag.de. You can also contact us at any time if you have any queries or would like to exercise your data protection rights using the contact details in section 1. We will then forward your query internally to the relevant department.

The specific processes that are covered by joint processing are indicated accordingly below.

3. General Information on data processing

We process data within the scope of our business and website operations.

This also includes disclosure in the form of transfer to third parties and, if necessary, to third countries outside the European Union (EU) and the European Economic Area (EEA). Insofar as we transfer data outside the EU or the EEA, we have indicated this accordingly below.

4. Data processing

The individual data affected, processing purposes, legal bases, recipients and transfer to third countries are stated below:

a) Website

You can find information of a general nature on data processing on our website at https://the-flag.de/datenschutzerklaerung/.

b) Contacting us

If you contact us, we process the following data about you for the purpose of processing and handling your enquiry: name, contact information – if you have provided it – and your message.

The legal basis for processing your data is our obligation to fulfil a contract and/or to fulfil our pre-contractual obligations pursuant to Art. 6 (1) b) GDPR and/or our overriding legitimate interest in processing your request pursuant to Art. 6 (1) f) GDPR.

This processing is carried out within the scope of joint responsibility set out in section 2 of this Data Protection Policy.

c) Contacting us for job applications

If you contact us to submit a job application, e.g. by e-mail or through a contact form, your data (e.g. name, e-mail address, requested place of work), your message and job application documents are processed for the sole purpose of processing and handling your job application.

The legal basis for these data processing activities is section 26 of the Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG), which states that data may be processed which are required in connection with making a decision about concluding an employment contract with an applicant.

Should the data be required once the application process has been completed, i.e. for litigation purposes, the data may be processed to maintain our legitimate interests in accordance with Art. 6 (1) f) GDPR, namely for the assertion and/or defence of claims.

d) Inclusion in our pool of applicants

If you wish, we can include your application profile in our pool of applicants so that we can consider and invite you to apply for suitable vacancies.

The legal basis for inclusion in our applicant pool is your consent pursuant to Art. 6 (1) a) GDPR.

e) Conclusion and performance of accommodation agreements

Within the scope of our accommodation services, we process your data to arrange (reserve) and conclude (book) future and/or existing contractual relationships between you and our company. We require the following data to complete your booking or reservation: surnames and given names of all travelling companions; address of the person making the booking or reservation; e-mail address; credit card or bank details.

Reservation enquiries and bookings can be made via our website. The legal basis for processing data is our contractual performance obligations in accordance with Art. 6 (1) b) GDPR.

We transmit your transaction data (name, booking date, payment type, amount and payee, bank or credit card details, if applicable) to the payment service provider commissioned to process the payment.

When you make an online booking via our website, you will be redirected to the booking page of our external booking platform operator, TravelClick, INC., 7 Times Square, 38th Floor, NY 10036, USA (“TravelClick”), where you can complete the booking online. TravelClick processes the data in the USA. Information on data protection: https://www.travelclick.com/privacy-policy.html.

Alternatively, you can also make reservation requests directly via our website. In this case, communication occurs without data being transmitted to TravelClick.

This processing is carried out within the scope of joint responsibility set out in section 2 of this Data Protection Policy.

f) Registration procedures for accommodation establishments

We process the following data where they are governed by the registration provisions of the Federal Registration Act (Bundesmeldegesetz, BMG): arrival and scheduled departure dates, surname, given name, date of birth, nationality, address, number of travelling companions and their nationalities as well as serial numbers of the recognised and valid passports or equivalent papers for foreign persons.

We forward these data on to the relevant registration authority.

The legal basis for this is our statutory obligation in accordance with Art. 6 (I) d) DSGVO in conjunction with section 30 Federal Registration Act.

g) Self-check-in

Our hotels are equipped with terminals where you can check in independently upon arrival. We process the following data for this purpose:

–           Personal master number (client reference number)

–           Surname, given name, name affixes, if applicable

–           Contact details (telephone no., e-mail address)

–           Contract details

–           Date of birth

The legal basis for processing these data is our contractual performance obligations in accordance with Art. 6 (1) b) GDPR.

This processing is carried out within the scope of joint responsibility set out in section 2 of this Data Protection Policy.

h) Contract processing

We process your contract data from the respective accommodation agreement to manage the existing contractual relationship between you and our company.

The legal basis for processing these data is the fulfilment of our contractual obligations in accordance with Art. 6 (1) b) GDPR, and in individual cases, the fulfilment of our statutory obligations pursuant to Art. 6 (1) c) GDPR.

This processing is carried out within the scope of joint responsibility set out in section 2 of this Data Protection Policy.

i) Information provided by the tenant themselves for accommodation rentals

In order to assess your reliability and credit rating as a future tenant, we, the landlord, require that you disclose corresponding confidential information. We process the following data in this respect, if provided by you: name, address, proof of income.

The legal basis for processing data in the context of information provided by the tenant themselves is our legitimate interest pursuant to Art. 6 (1) f) GDPR in order to ensure that the prospective rental relationship can be conducted and managed properly. In addition, this gives us the opportunity to assess whether the accommodation on offer meets your needs as a prospective tenant.

j) Video surveillance in our buildings

We occasionally use video surveillance in our properties. The monitored areas are marked with the following pictogram and information:

We use video surveillance to protect against burglaries and vandalism. The legal basis for this our legitimate interest in accordance with Art. 6 (1) lit. f GDPR regarding the protection of property against vandalism. All persons present in the marked area are recorded. All recordings are automatically deleted after 72 hours.

k) Welcome system

We process guest data such as room, name and given name so that we can display a welcome text on the TV of the room you have booked.

The legal basis for the processing this data is our legitimate interest in being able to offer you a pleasant stay in accordance with Art. 6 (1) f) GDPR.

This processing is carried out within the scope of joint responsibility set out in section 2 of this Data Protection Policy.

l) Member Programme

By signing up to our Member Programme and becoming a participant in our loyalty programme, you can benefit from a range of advantages. To this end, we process your name, e-mail address, date of birth, address and password.

The legal basis for participation in the Member Programme is your consent pursuant to Art. 6 (1) a) GDPR

This processing is carried out within the scope of joint responsibility set out in section 2 of this Data Protection Policy.

5. Data retention period

We store your personal data only as long as it is required for the purposes for which it is processed or until you withdraw your previous consent for us to do so. The retention period for certain data may be up to 10 years in the event of us having to comply with statutory retention periods, regardless of the processing purposes.

6. Your rights as the data subject

a) Information

You can request free-of-charge information on all of your personal data that we have stored at any time.

b) Correction, deletion and restriction of processing (block), objection

Should you no longer agree to the storage of your personal data, or should your data have become incorrect, we shall initiate its deletion or block upon your corresponding request or make the respective corrections (if this is possible in accordance with the applicable laws). The same applies if you wish for us to restrict the processing of your data in the future. You have the right to object, in particular, if your data is required for the performance of a task that is in the interest of the public or in our legitimate interest as well as any profiling based thereon. You also have the same right to object to data processing for the purpose of direct advertising.

c) Right to revoke your consent with future effect

You can revoke any consent you may have given with future effect. Your revocation shall not affect the legitimacy of the processing up to the date of revocation.

d) Data transferability

You may exercise your right to transfer your data in cases where they are processed on the basis of a contract, pre-contractual negotiations, consent or by automated means. Upon request, we will provide you with your data in a standard, structured and machine-readable format to enable you to transfer them to another data controller if you so wish.

e) Restriction of processing

The above rights do not apply to data that we cannot use for identifying the data subject, such as data that has been anonymised for analysis purposes. Information, deletion, blocking, correction and transfer to another company with regard to this data may be possible if you provide us with additional information that enables us to identify the data subject.

f) Exercising your rights as a data subject and right of complaint

Should you have questions regarding the processing of your personal data as well as information on, the correction, blocking and deletion of, and objection to data, or wish to transfer the data to another company, please contact datenschutz@the-flag.de.

You may also submit a complaint to a supervisory authority with regard to your rights as a data subject:

https://www.bfdi.bund.de/DE/Infothek/Anschriften_Links/anschriften_links-node.html.