Privacy Policy

THE FLAG Costa del Sol

This Data Protection Policy contains information on the extent to which we process your personal data (hereinafter referred to as “data”).

1. Controller

The controller in accordance with the General Data Protection Regulation (GDPR) is:

C/Duquesa de Parcent, No. 8 BJ
29001 Malaga – Spain


2. Joint processing

We process personal data jointly within THE FLAG group of companies for the purpose of effective internal management of personal data and group systems. For this purpose, we transfer your data to companies affiliated with us in accordance with § 18 AktG ff by analogy, or process the data in systems jointly operated with the companies affiliated with us.

You can view the parties involved in our group of companies here:

The legal basis for the joint data processing is our overriding legitimate interest in effective administration and IT infrastructure pursuant to Art. 6 para. 1 f) GDPR.

We are jointly responsible with our affiliated companies for the processes subject to joint data processing pursuant to Art. 26 GDPR. Accordingly, we have bindingly defined the internal competences and responsibilities in a contract.

The respective company with which you are first in contact will fulfil the information obligations of the GDPR.

We have assigned the fulfilment of data subject rights internally to RMBC GmbH. You can reach them at You can also contact us at any time with enquiries or to assert your data protection rights using the contact details in section 1. We will then forward your request internally for processing.

The specific processes that fall under joint processing are marked accordingly below.

3. General Information on data processing

In the course of our business and website operations, we process data.

This also includes disclosure by transmission to third parties and, where applicable, to so-called third countries outside the European Union (“EU”) and the European Economic Area (“EEA”). Where we transfer data outside the EU or EEA, we have marked this accordingly below.

4. Data processing

The individual data concerned, processing purposes, legal bases, recipients and, if applicable, the transfers to third countries are listed below:

a) Website

General information on data processing on our website can be found at

b) Contacting us

If you contact us, we process the following data from you for the purpose of processing and handling your enquiry: Name, contact details -if provided by you- and your message.

The legal basis of the data processing is our obligation to fulfil the contract and/or to fulfil our pre-contractual obligations pursuant to Art. 6 (1) b) GDPR and/or our overriding legitimate interest in processing your enquiry pursuant to Art. 6 (1) f) GDPR.

This processing is carried out within the scope of joint responsibility according to section 2 of this data protection declaration.

c) Processing and implementation of accommodation contracts

Within the scope of our accommodation offer, we process your data for the initiation (reservation) and execution (booking) of the future or existing contractual relationship between you and us. We require the following data for your booking or reservation: first and last name of all travellers; address of the person making the booking or reservation; e-mail address; credit card details and/or bank details.

Reservation requests and bookings can be made via our website. The legal basis for the data processing is our obligation to fulfil the contract in accordance with Art. 6 para. 1 b) GDPR.

We transmit your transaction data (name, date of booking, payment method, amount and payee, bank details or credit card details, if applicable) to the payment service provider commissioned to process the payment.

When booking online via our website, you will be redirected to the booking page of our external booking platform operator TravelClick, INC., 7 Times Square, 38th Floor, NY 10036, USA (“TravelClick”), where you can make the booking online. TravelClick’s data processing takes place in the USA.

Alternatively, you can also make reservation requests directly via our website. In this case, the communication takes place without any data transfer to TravelClick.

This processing takes place within the framework of joint responsibility according to section 2 of this privacy policy.

d) Registration procedure for places of accommodation

In the event that accommodation establishments are subject to the obligation to register under the Federal Registration Act (Bundesmeldegesetz, BMG), we process the following data: Date of arrival and expected departure, surname, first name, date of birth, nationalities, address, number of fellow travellers and their nationality as well as a recognised and valid passport or passport equivalent document number in the case of foreign persons.

We forward this data to the competent registration authority.

The legal basis is our legal obligation pursuant to Art. 6 I d) GDPR in conjunction with § 30 BMG.

e) Self Check-In

You can check in to our hotels independently via a terminal when you arrive. For this purpose we process the following data:

– Personal identification number (customer number)

– Surname, first name, if applicable

– Contact data (telephone no., e-mail address)

– contract data

– date of birth

The legal basis for data processing is our obligation to fulfil the contract in accordance with Art. 6 para. 1 b) GDPR.

This processing is carried out within the framework of joint responsibility according to section 2 of this data protection declaration.

f) Contract execution

We process your contractual data from the relevant tenancy agreement for the purpose of implementing the existing tenancy relationship for residential accommodation.

The legal basis of the data processing is the fulfilment of our contractual obligations pursuant to Art. 6 (1) b) GDPR and, in individual cases, the fulfilment of our legal obligations pursuant to Art. 6 (1) c) GDPR.

This processing is carried out within the scope of joint responsibility according to section 2 of this data protection declaration.

g) Tenant self-disclosure for residential tenancies

In order to assess your reliability and creditworthiness as a future tenant, we as landlord require a corresponding tenant self-disclosure from you. The following data, if provided by you, will be processed: Name, address, proof of income.

The legal basis for data processing in the case of tenant self-disclosure is our legitimate interest pursuant to Art. 6 (1) f) GDPR, in order to ensure that the intended tenancy can be properly implemented and processed. In addition, we have the possibility to understand whether the offered living space meets your needs as a prospective tenant.

h) Registration for waiting lists

As a prospective tenant, you have the option of being placed on our waiting list with your tenant profile. As soon as a corresponding accommodation unit becomes available for your rental request, we will inform you directly via the contact details you have provided. The legal basis for the registration for waiting lists is your consent in accordance with Art. 6 Para. 1 a) GDPR.

i) Video surveillance in our buildings

We occasionally use video surveillance in our properties. The monitored areas are marked with the following pictogram and information:

We use video surveillance to protect against burglaries and vandalism. The legal basis for this our legitimate interest in accordance with Art. 6 (1) lit. f GDPR regarding the protection of property against vandalism. All persons present in the marked area are recorded. All recordings are automatically deleted after 72 hours.

j) Welcome system

We process guest data such as room, name and given name so that we can display a welcome text on the TV of the room you have booked.

The legal basis for the processing this data is our legitimate interest in being able to offer you a pleasant stay in accordance with Art. 6 (1) f) GDPR.

This processing is carried out within the scope of joint responsibility set out in section 2 of this Data Protection Policy.

k) Member programme

By signing up to our Member Programme and becoming a participant in our loyalty programme, you can benefit from a range of advantages. To this end, we process your name, e-mail address, date of birth, address and password.

The legal basis for participation in the Member Programme is your consent pursuant to Art. 6 (1) a) GDPR

This processing is carried out within the scope of joint responsibility set out in section 2 of this Data Protection Policy.

5. Data retention period

We only store personal data for as long as it is necessary for the purposes for which it is processed or for as long as any consent you have given us has not been revoked by you. Insofar as statutory retention obligations must be observed, the storage period for certain data may be up to 10 years, irrespective of the processing purposes.

6. Your right as the data subject

a) Information

You can request free-of-charge information on all of your personal data that we have stored at any time.

b) Correction, deletion and restriction of processing (block), objection

If you no longer agree with the storage of your personal data or if this data has become incorrect, we will arrange for the deletion or blocking of your data or make the necessary corrections (insofar as this is possible according to the applicable law) on the basis of a corresponding instruction. The same applies if we are only to process data in a restrictive manner in the future. You have the right to object in particular in cases where your data is required for the performance of a task that is in the public interest or in our legitimate interest, as well as profiling based on this. You also have such a right of objection in the event of data processing for the purpose of direct advertising.

You can revoke your consent at any time with effect for the future. Your revocation does not affect the lawfulness of the processing until the time of revocation.

d) Data transferability

If data processing is carried out on the basis of a contract, pre-contractual negotiations, consent or with the help of automated procedures, you have the right to data portability. Upon request, we will provide you with your data in a common, structured and machine-readable format so that you can transfer the data to another responsible party if you so wish.

e) Restriction of processing

Data for which we are unable to identify the data subject, e.g. if it has been anonymised for analysis purposes, is not covered by the above rights. Access, erasure, blocking, correction or transfer to another company of this data may be possible if you provide us with additional information that allows us to identify you.

f) Exercising your rights as a data subject and right of complaint

If you have any questions about the processing of your personal data, if you wish to obtain information, correct, block, object to or delete data, or if you wish to have your data transferred to another company, please contact

You also have the option of complaining to a supervisory authority about your data protection rights.