Privacy policy
In accordance with the statutory requirements of data protection law (in particular the BDSG and the European General Data Protection Regulation, „GDPR“), we inform you below about the nature, scope and purpose of the processing of personal data by our company. This privacy policy also applies to our website and our social media profiles. With regard to the definition of terms such as „personal data“ or „processing“, we refer to Art. 4 GDPR.
Name and contact details of the controller
The controller (hereinafter „controller“) within the meaning of Art. 4 no. 7 GDPR is:
Kiebitzberg GmbH & Co. KG
ArtHotel Kiebitzberg
Schönberger Weg 6
39539 Havelberg
Deutschland
E-Mail: ArtHotel@Kiebitzberg.de
Contact for data protection matters
If you have any questions about data protection or about exercising your rights, you can reach us at:
Kiebitzberg GmbH & Co. KG
Rathenower Straße 6
39539 Havelberg
Deutschland
E-Mail: info@Kiebitzberg.de
Rights of the data subject
You have the following rights with regard to the personal data concerning you. To exercise them, an informal notice to the contact details given above is sufficient.
- Withdrawal of consent (Art. 7(3) GDPR): Insofar as the processing is based on your consent, you may withdraw it at any time with effect for the future. The lawfulness of the processing carried out until withdrawal remains unaffected.
- Access (Art. 15 GDPR): The right to information about the data stored about you, in particular about the purposes of processing, the categories of data, the recipients, the intended storage period and the origin of the data.
- Rectification (Art. 16 GDPR): The right to have inaccurate data corrected and incomplete data completed.
- Erasure (Art. 17 GDPR): The right to have the data stored by us erased, unless statutory or contractual retention obligations or other grounds for further processing preclude this.
- Restriction of processing (Art. 18 GDPR): The right to request the restriction of processing where one of the conditions of Art. 18(1) GDPR is met (e.g. where the accuracy of the data is contested, or instead of erasure).
- Data portability (Art. 20 GDPR): The right to receive the data concerning you in a structured, commonly used and machine-readable format, or to have it transmitted to another controller.
- Objection (Art. 21 GDPR): The right to object at any time, on grounds relating to your particular situation, to processing based on a legitimate interest (Art. 6(1)(1)(f) GDPR). You may object at any time and without giving reasons to processing for the purposes of direct marketing.
- Complaint (Art. 77 GDPR): The right to lodge a complaint with a supervisory authority, in particular in the Member State of your place of residence, place of work or the place of the alleged infringement.
You may object at any time and free of charge to the processing of your data for the purposes of direct marketing. Please inform us of this via the contact details given above.
A list of the supervisory authorities (for the non-public sector) with their addresses can be found at: https://www.bfdi.bund.de/DE/Service/Anschriften/Laender/Laender-node.html.
Types of data processed
Usage data (e.g. access times, pages visited), contact data (e.g. name, telephone number, e-mail address), communication data (e.g. IP address) as well as inventory and contract data (e.g. address, booking and travel data).
Purposes of processing
Processing of bookings and contracts, fulfilment of contractual and legal obligations (including retention obligations), handling of contact and booking enquiries, technically and economically optimized and user-friendly provision of the website, customer service and customer care, and the handling of application procedures.
Categories of data subjects
Visitors and users of the website, guests and customers, prospective customers, applicants and business partners. The data subjects are hereinafter referred to collectively as „users“.
Legal bases for processing
Where we have obtained your consent for the processing, Art. 6(1)(1)(a) GDPR is the legal basis. Where the processing is necessary for the performance of a contract or for the implementation of pre-contractual measures, Art. 6(1)(1)(b) GDPR is the legal basis. Where the processing is necessary to comply with a legal obligation (e.g. statutory retention obligations), Art. 6(1)(1)(c) GDPR is the legal basis. Where the processing is necessary to safeguard our legitimate interests or those of a third party and your interests or fundamental rights do not override them, Art. 6(1)(1)(f) GDPR is the legal basis.
Disclosure of personal data to third parties and processors
Without your consent, we do not, as a rule, pass any data on to third parties. Where disclosure does take place, it occurs on the basis of the legal bases mentioned above, for example to perform a contract, pursuant to a court order or a legal obligation. We also engage carefully selected processors (e.g. for web hosting, the booking system and e-mail dispatch). The transfer of data to processors always takes place on the basis of a contract pursuant to Art. 28 GDPR. These service providers are bound by our instructions and must have taken appropriate technical and organizational measures and comply with data protection provisions.
Transfer of data to third countries
We process your data predominantly via services to which the GDPR applies directly. Where processing takes place through services outside the EU or the EEA (e.g. by US providers such as Google), these must meet the special requirements of Art. 44 et seq. GDPR. The transfer then takes place on the basis of appropriate safeguards, such as an adequacy decision of the EU Commission — for providers in the USA, the „EU-US Data Privacy Framework“, to which the respective provider must be certified as having acceded — or the EU standard contractual clauses. Despite these safeguards, access by US authorities cannot be entirely ruled out in the case of transfers to the USA; we hereby draw your attention to this.
Erasure of data and storage period
Unless expressly stated otherwise in this privacy policy, your personal data will be erased or blocked as soon as the consent granted is withdrawn or the purpose of storage ceases to apply, unless further retention is required for evidentiary purposes or statutory retention obligations preclude this. This applies in particular to retention obligations under commercial law pursuant to § 257(1) HGB (6 years) and under tax law pursuant to § 147(1) AO (10 years). After the respective period has expired, the data will be blocked or erased, unless it continues to be required for the performance of a contract.
Existence of automated decision-making
We do not use automated decision-making or profiling.
Provision of the website and creation of log files
If you use our website purely for informational purposes (i.e. without registering or otherwise transmitting information), we collect only the personal data that your browser transmits to our server:
- IP address;
- the user's internet service provider;
- date and time of the request;
- browser type;
- language and browser version;
- content of the request;
- time zone;
- access status/HTTP status code;
- volume of data;
- the website from which the request originates;
- operating system.
This data serves the user-friendly, functional and secure delivery of our website as well as its optimization and statistical evaluation. The legal basis is our legitimate interest pursuant to Art. 6(1)(1)(f) GDPR. For security reasons, we store this data in server log files for a period of 70 days. After this period has expired, it is automatically deleted, unless we need to retain it for evidentiary purposes in the event of attacks on the server infrastructure or other legal violations.
Cookies
On our website we use cookies — small text files that your browser stores on your device. We distinguish between:
- Necessary (essential) cookies: These are technically required for the operation of the website, for example to store your choice in the consent notice or to maintain a session during the booking process. The legal basis is § 25(2) TDDDG in conjunction with Art. 6(1)(1)(f) GDPR (legitimate interest in a functional website) or (b) in the case of contract initiation.
- Cookies and services requiring consent: Cookies or comparable technologies that are not strictly necessary (e.g. when embedding Google Maps or the iiQ-Check review widget) are only set if you have previously consented via our consent banner. The legal basis is § 25(1) TDDDG in conjunction with Art. 6(1)(1)(a) GDPR. You may withdraw your consent at any time with effect for the future.
You can restrict or prevent the storage of cookies in your browser settings and delete cookies that have already been stored. If cookies are disabled, it may under certain circumstances no longer be possible to use all functions of the website to their full extent.
Getting in touch (contact form, e-mail, telephone)
When you contact us via our contact or enquiry form, by e-mail or by telephone, we process your details for the purpose of handling and dealing with your enquiry. In the case of a form or e-mail, this includes in particular the inventory and contact data you provide (e.g. name, e-mail address, telephone number) and the content of your message; in the case of contact by telephone, your telephone number and the details communicated during the call. The legal basis, where consent is present, is Art. 6(1)(1)(a) GDPR, and otherwise our legitimate interest in responding to your enquiry pursuant to Art. 6(1)(1)(f) GDPR; where the contact is aimed at concluding a contract, Art. 6(1)(1)(b) GDPR is an additional legal basis. The data is erased as soon as the respective enquiry has been conclusively dealt with and no statutory retention obligations (under commercial and tax law, 6 or 10 years) preclude this. You may object to storage at any time with effect for the future, or withdraw a consent granted. The technical dispatch of the data transmitted via the form or e-mail takes place via Google Workspace (see below).
Online booking system (DIRS21)
For room bookings and booking enquiries we use the online booking system „DIRS21“ (provider: TourOnline AG, Borsigstraße 26, 73249 Wernau, Deutschland). The booking widget (Internet Booking Engine, IBE) is embedded on our website and opens as an input mask or overlay when you start a booking. Data categories: inventory and contact data (name, address, e-mail address, telephone number), booking and contract data (travel period, number of rooms and persons, selected services, where applicable payment data) and usage and communication data (e.g. IP address). When the booking system is accessed, a connection is established to the provider's servers; usage data may be transmitted to and processed by TourOnline AG. DIRS21 sets technically necessary (session) cookies for the operation of the booking system. As online booking is a core function of our offering, the booking system is provided without prior consent. Purpose: carrying out and processing room bookings and booking enquiries, initiating and performing the accommodation contract. Legal bases: Art. 6(1)(1)(b) GDPR (performance of a contract and pre-contractual measures) and our legitimate interest in a functional, efficient booking process pursuant to Art. 6(1)(1)(f) GDPR. Category of recipient: TourOnline AG as processor (Art. 28 GDPR). Storage period: the data is erased as soon as it is no longer required for the performance of the contract, insofar as no statutory retention obligations (under commercial and tax law, 6 or 10 years) preclude this. Further information can be found in the provider's data protection notice at https://www.dirs21.de/datenschutz/.
Dispatch of enquiries and e-mails (Google Workspace)
For the e-mail dispatch of the data entered via our contact and enquiry forms, and for our business e-mail communication, we use „Google Workspace“ (provider for users in the EEA: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Irland). When you submit a form, the data you have entered (e.g. name, e-mail address, telephone number and your message) is transmitted to us via an encrypted connection through Google's mail servers and processed there for the purpose of dispatch. A transfer to third countries cannot be ruled out in this process; Google bases such transfers on appropriate safeguards (in particular EU standard contractual clauses or the EU-US Data Privacy Framework). Purpose: reliable receipt, dispatch and delivery of enquiries and e-mails. Legal bases: Art. 6(1)(1)(b) GDPR, insofar as the communication serves the initiation or performance of a contract, and otherwise our legitimate interest in reliable and secure e-mail communication pursuant to Art. 6(1)(1)(f) GDPR. Category of recipient: Google Ireland Limited as processor (Art. 28 GDPR). Storage period: the data is erased as soon as the respective conversation has been conclusively resolved and no statutory retention obligations preclude this. Further information can be found in Google's privacy policy at https://policies.google.com/privacy.
Google Maps
On our „Contact / Directions“ page we embed map material from „Google Maps“ (provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Irland). The map is only loaded after you have expressly consented via our consent notice (consent banner); without consent, the map is not loaded and no data is transmitted to Google. Data categories: usage data (in particular IP address, approximate location, page visited). When the map is loaded, a connection is established to Google's servers — including in the USA; in the process, your IP address may be transmitted to Google. Purpose: user-friendly presentation of our location and directions. Legal basis: your consent pursuant to Art. 6(1)(1)(a) GDPR, which you can withdraw at any time with effect for the future via the settings of the consent banner. Further information can be found in Google's privacy policy at https://policies.google.com/privacy.
Interactive map (Leaflet, OpenStreetMap / CARTO)
On our „Discover the region“ page we embed an interactive map based on the open-source library „Leaflet“. The map material (map tiles) is loaded from the servers of CARTO (based on data from OpenStreetMap), and the Leaflet program library via the content delivery network „Cloudflare“ (Cloudflare, Inc.). When the map is loaded, your browser establishes a connection to these servers; in the process, your IP address is transmitted for technical reasons to the respective provider so that the map tiles or the library can be delivered to your browser. A transfer to third countries (including the USA) cannot be ruled out in this process. The purpose is the user-friendly presentation of excursion destinations and the surroundings on an interactive map. The legal basis is our legitimate interest in an appealing, informative presentation of the region pursuant to Art. 6(1)(1)(f) GDPR. Map data: © OpenStreetMap contributors (ODbL) · © CARTO. Further information: OpenStreetMap https://osmfoundation.org/wiki/Privacy_Policy, CARTO https://carto.com/privacy/ and Cloudflare https://www.cloudflare.com/privacypolicy/.
Guest reviews (iiQ-Check)
To display guest reviews, we embed the review widget „iiQ-Check“ (provider: ConsultiiQ GmbH, Spitalstraße 1, 38640 Goslar, Deutschland). The widget is only loaded after you have expressly consented via our consent notice (consent banner); without consent, a simple link to our public review profile is displayed instead and no data is transmitted to the provider. Data categories: usage data (e.g. IP address, device and browser information, time of access). When the widget is loaded, a connection is established to the provider's servers in order to display the reviews. Purpose: presentation of independent guest reviews and quality information on our website. Legal basis: your consent pursuant to Art. 6(1)(1)(a) GDPR, which you can withdraw at any time with effect for the future via the settings of the consent banner. Category of recipient: ConsultiiQ GmbH. Storage period: processing takes place only while the widget is displayed; otherwise, storage is governed by the provider's specifications. Further information can be found in the provider's data protection notice at https://www.iiq-check.de/datenschutz.
Presence on social media (Facebook, Instagram)
We maintain profiles on social networks — Facebook and Instagram (provider: Meta Platforms Ireland Ltd., 4 Grand Canal Square, Dublin 2, Irland) — and link to these in the footer of our website. The mere link does not yet set any cookies; a transfer of data to Meta only occurs when you click the link and access the respective network. When you visit our profiles, the data protection notices and terms of use of the respective network apply. As a rule, Meta also processes users' data for market research and advertising purposes and can create usage profiles from usage behaviour. For the insights data arising on our profile pages (fan pages), we are jointly responsible with Meta (Art. 26 GDPR). The legal basis is our legitimate interest in external presentation and communication pursuant to Art. 6(1)(1)(f) GDPR or, where you have granted it, your consent pursuant to Art. 6(1)(1)(a) GDPR. You can assert your rights as a data subject both against us and directly against Meta. Further information: Facebook https://www.facebook.com/about/privacy/ and Instagram https://help.instagram.com/519522125107875.
Data protection in the case of applications
Applications sent to us electronically or by post are processed for the purpose of carrying out the application procedure. Application documents containing „special categories of personal data“ under Art. 9 GDPR (e.g. a photo allowing conclusions to be drawn about ethnic origin, religion or marital status) are — with the exception of a voluntarily disclosed severe disability — not required. The legal basis for the processing is Art. 6(1)(1)(b) GDPR in conjunction with § 26 BDSG. If, at the end of the procedure, an employment relationship comes about, we store the data in compliance with the relevant data protection provisions. Otherwise, the application documents are deleted six months after the rejection is sent, in order to be able to meet any claims and evidentiary obligations under the AGG (General Equal Treatment Act).
Data security
In order to protect all personal data transmitted to us and to ensure that the data protection provisions are complied with by us and by our external service providers, we have taken appropriate technical and organizational security measures. Among other things, all data is transmitted encrypted between your browser and our server via a secure SSL/TLS connection.