The operator of this website and the party responsible for the collection, processing, and use of your personal data within the meaning of the EU General Data Protection Regulation (GDPR) and the Federal Data Protection Act (BDSG-2018) is
Hotel von Stephan
Erbengemeinschaft Patrone
Friedrichstraße 25
25980 Sylt (Westerland district)
Data Protection Officer: Silke Harms
We process your data in compliance with applicable data protection regulations. This privacy policy informs you about the personal data we collect and store from you. It also provides information on how your data is used and the rights you have regarding the use of your data. You can download the privacy policy as a PDF for printing here.
You have various options for contacting us via the Internet:
Whenever you visit our website, your browser automatically sends information to our website's server, where it is temporarily stored in a so-called log file. The following data is collected without any action on your part and stored until automatic deletion:
We process the aforementioned data for the following purposes:
• ensuring a smooth connection setup for the website
• ensuring a convenient user experience on our website
• evaluating system security and stability
• other administrative purposes.
The legal basis for data processing is Art. 6(1) sentence 1 point (f) of the GDPR, according to which
processing is lawful if
"processing is necessary for the purposes of the legitimate interests pursued by the controller or
by a third party, except where such interests are overridden by the interests or fundamental rights and
freedoms of the data subject which require protection of personal data,
in particular where the data subject is a child."
Our legitimate interest in data collection arises from the purposes listed above.
Under no circumstances do we use the collected data to draw conclusions about your
identity.
In addition, we use cookies and another analysis tool on our website
(see section 5 for further details).
b) Use of our contact form
For questions of any kind, we offer you the opportunity to contact us via a form
provided on this website. Providing a valid email address, your name, street address, postal code and town/city, as well as your arrival and departure dates, is required so that we know who the inquiry is from and can respond to it. Additional information may be provided voluntarily.
Data processing for the purpose of contacting us is based on your voluntarily given consent (Art. 6 para. 1 sentence 1 lit. a GDPR).
The personal data collected by us for the use of the contact form will be automatically deleted once your inquiry has been processed.
4. Disclosure of Data
Your personal data will only be transmitted to third parties if:
• you have given your express consent to do so (Art. 6(1)(a) GDPR);
• the disclosure is legally permissible and necessary for the performance of contractual relationships with you (Art. 6(1)(b) GDPR);
• there is a legal obligation to disclose the data (Art. 6(1)(c) GDPR);
• the disclosure is necessary for the establishment, exercise, or defense of legal claims and there is no reason to assume that you have an overriding interest in the non-disclosure of your data (Art. 6(1)(f) GDPR).
5. Online Reservations
On our website, you have the option to book various room categories at our hotel, as well as additional services such as transfers, bicycle rentals, or garage parking spaces, by providing personal data. To conclude the contract, you are required to provide the personal data necessary for the agreement. The mandatory information includes your first and last name, email address, postal address, telephone number, and credit card details. You may also voluntarily provide additional information so that we can tailor your room to your individual preferences as best as possible. We process your personal data in order to handle your reservation; thus, the processing of your personal data is necessary for the performance of a contract with you. For this purpose, we may also transmit your data to payment service providers and our contractual partners. The legal basis for processing your personal data is Art. 6 (1) (b) of the GDPR.
Under commercial and tax laws, we are required to retain your address, payment, and order data for a period of ten years. However, we restrict the processing of this data after two years.
We attach the utmost importance to the security of your data. To prevent unauthorized access by third parties to your personal data—particularly financial information—data transmission (especially during the booking process) is secured using 2048-bit SSL encryption.
6. Cookies and analysis tools
We do not use any cookies or analysis tools on our website.
7. Social Media
We take the current debate regarding data protection on social networks very seriously.
At present, the legal position remains unresolved as to whether and to what extent all networks
provide their services in compliance with European data protection regulations.
We therefore expressly point out that the services we use—Facebook, Twitter, Xing, Google+,
and YouTube—store user data (e.g., personal information, IP addresses) and use it for business
purposes in accordance with their own data usage policies.
We have no influence over the data collection and subsequent use of data by these social
networks. We have no information regarding the scope, location, or duration of data storage,
the extent to which the networks comply with existing deletion obligations, the types of
analysis and data linking performed, or the parties to whom the data is disclosed.
8. Protection of Minors
Persons under the age of 18 should not transmit personal data to us without the consent of their parents or legal guardians.
We do not request personal data from children and adolescents. We do not knowingly collect such data, nor do we share it with third parties.
9. Rights of Data Subjects
You have the right:
* to revoke your previously given consent at any time, in accordance with Art. 7 (3) GDPR.
Revocation does not affect the lawfulness of processing based on consent before its
revocation. The consequence of revocation is simply that we may no longer continue
the data processing that was based on that consent.
* to request information about the personal data concerning you that we process,
in accordance with Art. 15 GDPR.
In particular, you may request information regarding:
• the purposes of the processing
• the categories of personal data being or having been processed
• the recipients or categories of recipients to whom your data have been or will be disclosed
• the planned storage period
• the existence of a right to rectification, erasure, or restriction of processing, or a right to object
• the existence of a right to lodge a complaint with a supervisory authority
• the source of your data, if not collected by us
• the existence of automated decision-making, including profiling, and—where applicable—meaningful information about the logic involved, as well as the significance and envisaged consequences of such processing for you. • to request, pursuant to Art. 16 GDPR, the immediate rectification of inaccurate personal data concerning you or the completion of personal data concerning you that we store, if such data is incomplete
• to request, pursuant to Art. 17 GDPR, the erasure of personal data concerning you that we store
This does not apply insofar as the processing of your data is necessary
• for exercising the right of freedom of expression and information
• for compliance with a legal obligation
• for reasons of public interest in the area of public health
• for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes
• for the establishment, exercise, or defense of legal claims.
• to request, pursuant to Art. 18 GDPR, the restriction of the processing of your personal data
This applies insofar as
• the accuracy of the data is contested by you
• the processing is unlawful, but you oppose the erasure of the data and request the restriction of its use instead
• we no longer need the data, but you require the data for the establishment, exercise, or defense of legal claims
• you have objected to the processing pursuant to Art. 21(1) GDPR.
• to receive, pursuant to Art. 20 GDPR, the personal data concerning you that you have provided to us in a structured, commonly used, and machine-readable format, or to request its transmission to another controller
• to lodge a complaint with a supervisory authority pursuant to Art. 77 GDPR
As a general rule, you may contact the supervisory authority of your habitual residence, your place of work, or the location of our firm's registered office.
10. Right to Object
If your personal data is processed on the basis of legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR), you have the right, pursuant to Art. 21 GDPR, to object to the processing if there are grounds relating to your particular situation or if the objection is directed against direct marketing. In the latter case, you have a general right to object, which we will implement without the need for you to specify a particular situation.
If you wish to exercise your right to object, please send an email to ap@hvs-sylt.de.
11. Data Security
When you visit our website, we use the widely adopted SSL (Secure Socket Layer) protocol in conjunction with the highest level of encryption supported by your browser; typically, this is 256-bit encryption. If your browser does not support 256-bit encryption, we use 128-bit v3 technology instead.
You can tell whether a specific page of our website is being transmitted in encrypted form by the closed key or lock symbol displayed in the bottom status bar of your browser.
Furthermore, we employ appropriate technical and organizational security measures to protect your data against accidental or intentional manipulation, partial or complete loss, destruction, or unauthorized access by third parties. Our security measures are continuously improved in line with technological developments.
12. Links to other websites
We provide links to websites of other providers (third parties) that are not affiliated with us.
Once you click these links, we no longer have any control over the data collected and used
by these providers (third parties). You can find more detailed information regarding
data collection and usage in the privacy policy of the respective provider (third party).
We assume no responsibility for data collection and processing by third parties.
You can identify third-party websites by the fact that they always open in a separate
browser window. In contrast, new websites within our own service always open in a
new browser tab.
13. How to contact us with questions
If you have questions regarding data protection on our website, we look forward to receiving
your email at ap@hvs-sylt.de
14. Regular updates to this privacy notice
The legal framework regarding data protection for service providers is subject to
constant change and adjustment.
These changes and adjustments make it necessary to update our
privacy notice from time to time.
You can identify the current version by the line "Last updated:..." at the end of this
privacy notice.
Last updated: 25 May 2018
Information on Data Processing
Dear Guest,
Under the GDPR, we are required to provide you with the following information. Please feel free to speak to us personally at any time should you have any questions or concerns.
Specifically, the following applies—taking into account the new EU General Data Protection Regulation (GDPR):
1. Name and contact details of the controller and the company data protection officer
The party responsible for the collection, processing, and use of your personal data within the meaning of the EU General Data Protection Regulation (GDPR) and the Federal Data Protection Act (BDSG-2018) is
Hotel von Stephan
Erbengemeinschaft Patrone
Friedrichstraße 25
25980 Sylt (Westerland district)
The hotel’s data protection officer is Ms. Silke Harms.
2. General Information
We process your data in compliance with applicable data protection regulations.
The following information outlines the personal data we collect and store about you. You will also find information on how and for what purposes your data is used, as well as the rights to which you are entitled regarding the use of your data.
3. Collection and storage of personal data and the nature and purpose of its use
When you make a booking with us, we collect the following data:
• Your first name and surname, including form of address (Mr./Ms.)
• Your address
• Your telephone number (landline and/or mobile)
• Your personal email address
This data is collected:
• to identify you as our guest,
• to correspond and/or otherwise communicate with you,
• to provide you with responsible care and assistance during your stay on Sylt,
• for invoicing purposes,
• to handle any liability claims you may have against us,
• to pursue and enforce any (payment) claims we may have against you.
Data processing takes place on the basis of an inquiry or the conclusion of a contract. It is necessary for the stated purposes—specifically for appropriate processing and the mutual fulfillment of contractual obligations—(Art. 6 para. 1 sentence 1 lit. b GDPR).
Your data is stored or collected both digitally (in our document management system – DMS) and in paper form.
Personal data collected by us in connection with the contract will be stored or retained after the matter has been concluded—subject to statutory retention periods under the Fiscal Code (Abgabenordnung)—and subsequently deleted or destroyed. Exceptions apply only if we are required to store or retain the data for a longer period due to other legal provisions (Art. 6 para. 1 sentence 1 lit. c GDPR) and/or if you have consented to or requested such longer-term storage or retention (e.g., with a view to a future contract) (Art. 6 para. 1 sentence 1 lit. a GDPR).
Upon expiration of the retention period, we will destroy your data held in paper form while ensuring strict confidentiality.
4. Disclosure of data to third parties
As a general rule, your personal data will not be transmitted to third parties for purposes other than those listed below.
Data is disclosed only to the extent necessary for the proper performance of the contract with you (Art. 6 para. 1 sentence 1 lit. b GDPR).
Employees of our company who come into contact with your data are subject—just as I am—to a strict confidentiality obligation, the observance of which I constantly monitor. Other persons with whom we collaborate and who come into contact (or could come into contact) with your data have also been, or will be, contractually bound to confidentiality in writing; they are also expressly informed that any breach of this obligation renders them personally liable to prosecution.
5. Rights of the Data Subject
You have the right
• to withdraw your previously given consent to us at any time in accordance with Art. 7(3) GDPR.
The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal. The only consequence of the withdrawal is that we may no longer continue the data processing based on that consent for the future.
•
to request information about your personal data processed by us, in accordance with Art. 15 GDPR
In particular, you may request information regarding:
- the purposes of the processing
- the categories of personal data that are or have been processed
- the recipients or categories of recipients to whom your data are or have been disclosed
- the planned storage period
- the existence of a right to rectification, erasure, or restriction of processing, or a right to object
- the existence of a right to lodge a complaint with a supervisory authority
- the source of your data, if not collected by us
- the existence of automated decision-making, including profiling, and, where applicable, meaningful information about the logic involved as well as the significance and envisaged consequences of such processing for you.
• to request, in accordance with Art. 16 GDPR, the immediate rectification of inaccurate personal data concerning you or the completion of personal data concerning you stored by us, if these are incomplete
• to request, in accordance with Art. 17 GDPR, the erasure of personal data concerning you stored by us
This does not apply insofar as the processing of your data is necessary:
- to exercise the right to freedom of expression and information
- to comply with a legal obligation
- for reasons of public interest in the area of public health
- for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes
- to establish, exercise, or defend legal claims.
• to request the restriction of the processing of your personal data pursuant to Art. 18 GDPR
This applies insofar as:
- you contest the accuracy of the data
- the processing is unlawful, but you oppose the erasure of the data and request the restriction of its use instead
- we no longer need the data
- you have objected to the processing pursuant to Art. 21(1) GDPR.
• to receive the personal data concerning you, which you have provided to us, in a structured, commonly used, and machine-readable format, or to request its transmission to another controller, pursuant to Art. 20 GDPR
• to lodge a complaint with a supervisory authority pursuant to Art. 77 GDPR
As a general rule, you may contact the supervisory authority at your habitual residence, your place of work, or the location of our hotel.
6. Right to Object
If your personal data is processed on the basis of legitimate interests pursuant to Art. 6(1)(f) GDPR, you have the right to object to the processing pursuant to Art. 21 GDPR, provided there are grounds for doing so arising from your particular situation.
If you wish to exercise your right to object, please send an email to ap@hvs-sylt.de.