Privacy Policy

Privacy Policy Event Hotels App

We take the protection of your personal data (hereinafter also referred to as “data”) and thus your privacy very seriously. We therefore inform you in the following about the processing of your data upon the use of our app.
Personal data is information that can be individually assigned to you. Examples include your name, address, postal address, telephone number, payment data, IP address or e-mail address. Non-personal data is information such as the number of users of an app.

I. Controller and data protection officer

The controller for the processing of your personal data in the context of the use of the EVENT Hotels app is DITO Hotel Management GmbH & Co. KG (hereinafter EVENT or we/us). The contact details are: DITO Hotel Management GmbH & Co. KG, Konrad-Adenauer-Ufer 5, 50668 Cologne, Germany, phone: 0221-9730560, fax: 0221-973056930, email: info@eventhotels.com.
We have appointed an external data protection officer. He can be reached as follows: MORGENSTERN consecom GmbH, Jan Morgenstern, Große Himmelsgasse 1, 67346 Speyer, Tel: +49 (0) 6232 – 10011944.

II. How your data is processed

1. Use of the app
When downloading the app, the required information is transferred to the app store, i.e. in particular the username, email address and customer number of your account, the time of the download and the individual device identification number. In addition, the app store independently collects various data. We have no influence on this data processing and are not responsible in this regard. We only process data as far as necessary for downloading the app to your mobile device.
Each time you use the app, usage data is transmitted and stored in log files (server log files). The data records stored in the process contain the following data: Date and time of retrieval, IP address, amount of data transferred, as well as product and version information of the device used.
Furthermore, we require the following data to provide the services of the app: Your device identification, unique number of the terminal device (IMEI = International Mobile Equipment Identity), unique number of the network subscriber (IMSI = International Mobile Subscriber Identity), mobile phone number (MSISDN), MAC address for WLAN use, name of your mobile terminal device, e-mail address.
Said processing is legally justified by Art. 6 (1) b), f) GDPR (user relationship, legitimate interest). The legitimate interest of EVENT arise from the provision of an app with information, the offering of services to guests, the online processing of bookings and the optimization of app operation. The data processed by us in the process is required to enable you to use the app.
The log files are analysed in an anonymised form in order to improve the app and make it more user-friendly, to find and correct errors more quickly, and to control server capacities. For example, we thereby can predict the times when the use of the app is particularly popular and we therefore are able to provide appropriate data volume. Your IP address will either be deleted or anonymised after termination of use. In case of anonymisation, the IP addresses are changed in such a way that they can no longer be assigned to an identified or identifiable natural person.
Said processing is legally justified by Art. 6 (1) f) GDPR (legitimate interest). Our legitimate interests lie in the provision of an app with information and the offering of services to guests as well as the optimisation of the app. The provision of the data is neither legally nor contractually required.

2. Check-in and check-out
2.1. Check-in
Via the app you are able to check in to your booked location. To do this, you must enter both, your reservation number and your last name in the first step and select the hotel you have booked. This data is neither stored nor passed on to any other properties belonging to us. Your personal data will only be used to process the check-in process with the app.
If you would like to communicate your reservation data via QR code, you will have to confirm that the app can use the camera of your mobile device. If you grant access, you can scan the QR code with the app. The app will then access the camera and transfer your booking data to our server in the extent necessary to provide this functionality. If you do not grant permission, you will not be able to use the QR code function. You can then alternatively enter your reservation data via the respective form.
In the next step, further data on your credit card (e.g. credit card number, cardholder, country of the credit institution, validity date) as well as data on the billing address (name, street with house number, postal code, city, country, e-mail address) must then be entered. By doing so, the address and the credit card information will be transmitted to the payment solution provider PAYONE GmbH, Lyoner Straße 9, 60528 Frankfurt am Main (hereinafter PAYONE).
Said processing is legally justified by Art. 6 (1) b) GDPR (contract purposes and pre-contractual measures). The provision of the data is necessary because otherwise you will not be able to check in using the app.
The processed personal data is deleted unless EVENT can claim legitimate interest in its continued retention and there are no legal retention obligations. In any case, only those data will continue to be stored that are actually absolutely required to achieve the corresponding purpose. As far as possible, the personal data will be anonymised.

2.2. Check-out
During the check-out process, you also have the option of entering a second address or a second credit card as an alternative to your invoice.
Even when exercising this option, the permissibility of the processing and storage of the data is determined as described above.

3. 3D-Secure and PAYONE
In order to safeguard secure processing of payment data, when providing your credit card number and further validation information, the “3D Secure” procedure for strong customer authentication is performed. This authentification measure is performed by PAYONE. You as the guest must confirm the payment process in your online banking account by using a TAN. To do so, you must log in to your account using the authentication method you have chosen (fingerprint, facial recognition, password, etc.). We do not collect data that you enter when logging into your online banking account.
PAYONE acts as a so-called “acquirer” in this regard and handles the secure routing and settlement of credit card transactions with international credit card companies. In the course of this activity, PAYONE collects data you provide. This data is forwarded to the respective payment card system.
For further information regarding the processing of your data by the payment card system, please refer to the relevant data protection regulations, for example at www.mastercard.de/de-de/datenschutz.html or www.visa.co.uk/privacy/ (depending on the credit card company).
This processing is permitted under Art. 6 (1) b), c), f) GDPR (user relationship, legal obligation, legitimate interest).
Detailed information on the duration of data storage and your rights vis-à-vis PAYONE can be found at www.payone.com/DE-de/dsgvo.

4. Crash analytics (Firebase Analytics and crash reporter)
For crash and error analytics, we use Firebase from Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. This service collects various information (e.g. your operating system, device model, region, ID, IP address, etc.) in the context of app usage. The collected information is transferred to a Google server in Ireland and stored there. If applicable, the data may also be transferred to the USA. For cases of data transfer to the USA, Google has agreed on corresponding standard contractual clauses. For more information, please refer to the privacy policy of Google https://firebase.google.com/support/privacy.
Google will use this information to evaluate the use of the app in order to compile reports on the activities in the app for EVENT.
Your IP address is used to automatically recognise you upon your next use of the app. The IP address is anonymised in a way that only a shortened IP address is transmitted to Google.
This processing is permissible under Art. 6 (1) a) GDPR (consent).You can decide whether you want to allow the use of Firebase by activating or deactivating the error reports.
We will only delete your personal data if you expressly request this and we have no legitimate interest in its continued retention.

4.1 Google Analytics for Firebase
Furthermore we use the function Google Analytics for Firebase.
With the use of this function there are several information (e.g. about your operating system, device model, region, ID, etc.) which will be collected due to the use of the app. The collected information will be transferred as stated above.
Google will use this information for analytic and classification purposes.
This processing is permissible under Art. 6 (1) a) GDPR (consent).You can decide whether you want to allow the use of Google Analytics for Firebase by activating this function on your first use of the app.
We will only delete your personal data if you expressly request this and we have no legitimate interest in its continued retention. Furthermore will any data, which is connected to a marketing-ID, be storaged by Google for the duration of 60 days. Further will the data on user level be storaged by Google for a period of up to 14 months. More information about the storage and retention of your data are available under https://firebase.google.com/support/privacy.

4.2 Firebase Crashlytics
We also use the function Firebase Crashlytics.
With the use of this function there are crash-stack-traces which will be recorded and used. This use is necessary to assign crashes to a project, send e-mail-notifications at project group members and show them in the Firebase Console. Thus this function’s use is to help debugging. The collected information will be transferred as stated above.
Google will use this information to track the numbers of users, who are affected by the crash.
During the use of this function there will be no collection of personal data as by the use itself. Nevertheless it is possible for Firebase Crashlytics to get personal data (e.g. your ip-adress) from Google Analytics for Firebase.
This processing is permissible under Art. 6 (1) a) GDPR (consent). Your consent will be gained during the setup of your smartphone by accepting the processing of your personal data by the error reporting services from Google. The app will be communicating with the smartphone and check if the necessary consent is given. You can revoke your consent at any time with effect for the future by changing your smartphone settings.
We do not store any of your personal data. Nevertheless further data will be stored for the duration of 90 days: crash-stack-traces. The remaining collected data will be stored and retended according to the stated above. More information about the storage and retention of your data are available under https://firebase.google.com/support/privacy.

5. Digital room key
You also have the option to open your room without a separate room key or room card via the app using the “key card” function.
The permissibility of this processing is based on Art. 6 (1) b) GDPR (contract performance and pre-contractual measures). The provision of the data is necessary to use this function.
The processed personal data is deleted unless EVENT has a legitimate interest in its continued retention and there are no legal retention obligations. In any case, only those data will continue to be stored that are actually absolutely required to achieve the corresponding purpose. As far as possible, the personal data is anonymised.

6. Updates and check-out reminder
After check-in, you can decide whether you want to receive check-out updates and reminders in the app. You can deactivate this function o at any time.
The permissibility of this processing is based on Art. 6 (1) b) GDPR (contract performance and pre-contractual measures). The provision of the data is necessary if you wish to receive updates and reminders.

III. Your rights

You have the following rights: you have a right of access (Art. 15 GDPR), rectification (Art. 16 GDPR), erasure (Art. 17 GDPR), restriction of processing (Art. 18 GDPR) and data transfer (Art. 20 GDPR). We make every effort to process requests expeditiously.
If your personal data is processed on the basis of Art. 6 (1) f) GDPR, you have the right to object, provided that there are grounds for doing so that arise from your particular situation or the objection is directed against direct advertising (Art. 21 GDPR). If you object to direct advertising, we will no longer send you promotional messages.
You also have the right to contact a supervisory authority (https://www.bfdi.bund.de/DE/Service/Anschriften/Laender/Laender-node.html).
You can revoke a consent given to EVENT at any time with effect for the future. However, this will not affect the data processing based on this consent that took place until then. For your communication please use the contasct details provided above.

IV. Disclosure to third parties

The data collected using the app and the information you provide when contacting us are transmitted to the EVENT server and stored there. Furthermore, the collected data is passed to PAYONE and Google as described above. In addition, your data may be passed on to persons at EVENT who are involved in the processing (clerks, customer service). The transfer to these recipients takes place either on the basis of a legal obligation of EVENT, for the processing of your contract or within the framework of order processing.

V. Third party links

When using the app, you may see content that links to third-party websites. We do not have access to, nor can we control, the cookies or other features used by third-party sites. Such third party sites are not subject to our privacy policy.

Privacy Policy Website

General

Personal data

The subject of privacy is personal data (hereinafter referred to as “data”), i.e. any information relating to an identified or identifiable natural person. Examples of such information include name, address, occupation, e-mail address, state of health, income, marital status, genetic characteristics, telephone number and, if applicable, user data such as the IP address.

Controller

The Controller for processing your personal data in the context of using the website https://eventapp.eventhotels.com/ (hereinafter referred to as the “website”) is Dito Management Holding GmbH & Co. KG (hereinafter referred to as the “Operator” or “Controller”). The contact details are as follows:

Dito Management Holding GmbH & Co. KG
Konrad-Adenauer-Ufer 5
50668 Köln

Gesetzliche Vertretung: Dito Verwaltung GmbH, eingetragen am Amtsgericht Köln, HRB 26188
Tel: +49 221 973056-0
Fax: +49 221 973056-930
E-Mail: info@eventhotels.com

Data protection officer

The data protection officer is reachable at datenschutz@eventhotels.com.

Right to object

If you want to object to the processing of your data by the Operator in accordance with this privacy policy entirely or for individual measures, you can use the contact details, which are stated under the imprint. Please note that in the event of such an objection, the use of the website and the access of the services provided may be restricted or not possible at all.

Scope and purposes of data processing, legal bases, provision of data and storage period

Access and use of the website

Each time the website and its subpages are accessed, usage data is transferred by the respective internet browser and stored in log files (server log files). The stored data records contain the following data:

date and time of access
name of the subpage which is accessed
IP address
referrer URL (original URL from which you have accessed the website)
data volume transferred
product and version information of the browser used

The admissibility of this processing is based on Art. 6 para. 1 b) GDPR stating that the processing is lawful if it is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract. The data processed by the Operator is required to enable you to access and use the website. Such data must necessarily be processed while using a telemedia. Otherwise, you are not able to access the website. The log files are evaluated by the Operator in anonymised form in order to continuously improve the website and make it more user-friendly, to find and rectify faults more quickly and control server capacities. For example, it can be understood at which time the use of the website is particularly popular and the Operator can provide appropriate data volume.
The admissibility of this processing is based on Art. 6 para. 1 f) GDPR stating that the processing is lawful if it is necessary for the purposes of preserving the legitimate interests pursued by the Controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data. The legitimate interest of the Operator lies in providing a website with information and offering services to customers as well as optimising the operation of the website. The provision of data is neither prescribed by law nor contractually. The consequence of not providing personal data is that the data cannot be used to optimise the website.
Your IP address will be deleted or anonymised after termination of use. In the case of anonymisation, the IP addresses are changed in such a way that they can no longer be assigned to an identified or identifiable natural person or can only be assigned with a disproportionate large amount of time, costs and effort.

Contact form and e-mail at a click

If you wish to get in touch with the Operator, a corresponding contact form is available. You must enter the following information in this form:

name
e-Mail address
message

In addition, you can voluntarily provide the following information:

telephone number
company address

Furthermore, you have the option to open an e-mail directed to the Operator at just one click on the website. The e-mail address linked to your e-mail program is automatically used as the sender. If you do not want your e-mail address to be retrieved in this way, you can change it in the settings of your respective e-mail program.
The admissibility of this processing is based on Art. 6 para. 1 b) GDPR stating that the processing is lawful if it is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
The personal data processed will be deleted after expiry of the legal retention periods unless the Controller has a legitimate interest in further storage. In any case, only the data will continue to be stored that is necessary to achieve the corresponding purpose. As far as possible, the personal data is anonymised.

Use of cookies

The Operator uses so-called cookies, which are small data packets normally consisting of letters and numbers and stored on a browser when you visit certain websites. Cookies enable the website to recognise your browser, track you visiting various sections of the website and identify you when you return to the website. Cookies do not contain any data that identifies you personally, but the information concerning you stored by the Operator can be assigned to the data obtained from and stored in the cookies.
Information that the Operator obtains from you using cookies may be used for the following purposes:

recognising the user’s computer when visiting the website
tracing the user’s surfing activities on the website
improving the website’s user-friendliness
evaluating the use of the website
operating the website
preventing fraud and improving the website’s security
individual design of the website considering the user’s needs

Cookies do not cause any damage on a browser. They neither contain any viruses nor allow the Operator to spy on you. Two types of cookies are used:

Temporary cookies are automatically deleted when your browser is closed (session cookies).
Persistent cookies, in contrast, have a longer lifetime. This type of cookies enables you to be recognised again when you return to the website. You will find further information in the cookie settings.

The Operator is able to track your usage behaviour for the above-mentioned purposes and to an appropriate extent by using cookies. Moreover, cookies enable you to optimise your surfing on the Operator’s website. This information is only processed in anonymised form.
The admissibility of this processing is based on Art. 6 para. 1 f) GDPR stating that the processing is lawful if it is necessary for the purposes of preserving the legitimate interests pursued by the Controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data. The legitimate interest of the Operator lies in optimising the website. The provision of data is necessary in order to be able to access the Operator’s website without errors. If you do not accept cookies or delete cookies that have already been set, this may lead to functional restrictions of the website. The provision of data is neither prescribed by law nor contractually. Without the provision of data, you are not able to use all functions of the website.

Use of tracking tools

Google Analytics

The Operator uses the web analysis service Google Analytics of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. This service uses the above-described cookies to collect information such as your operating system, browser, IP address, the website accessed previously as well as the date and time of your visit to the Operator’s website. The information generated by the cookies about the use of the website will be transferred to a Google server in Ireland and stored there. If necessary, the data may also be transferred to the USA. The transfer of your personal data to the USA is carried out using standard data protection clauses pursuant to Art. 46 para. 2 c) GDPR, which were issued by the European Commission pursuant to Art. 93 para. 2 GDPR. Information on the standard data protection clauses is available on the European Commission’s website (https://ec.europa.eu/info/index_de). You will find further information directly at Google https://policies.google.com/privacy/frameworks?gl=de.

Google will use this information in order to evaluate the use of the website, compile reports on the website activity for the Operator and render further services relating to the website activity and internet use. If this is prescribed by law or if third parties process this data on behalf of Google, Google will share this information with these third parties. This use is anonymised or pseudonymised. You will find further information directly at Google https://policies.google.com/privacy?hl=de.

When using Google Analytics, no direct personal data is stored, but only the internet protocol address. This information is used to automatically recognise you the next time you visit the Operator’s website and make navigation easier for you.

You can change your cookie settings at any time via Cookiebot by using the arrow key on the right-hand side of the screen.
The personal data collected in the context of the use of tracking tools will be deleted unless the Controller has a legitimate interest in further storage. In any case, only the data will continue to be stored that is necessary to achieve the corresponding purpose. As far as possible, the personal data is anonymised.
The provision of data is neither prescribed by law nor contractually. Without the provision of data, Google Analytics cannot be used.

Akismet

The Operator uses the service Akismet of Automattic Inc., 60 29th Street 343, San Francisco, CA 94107, USA, on the website, which sends comments to a server in the USA in order to check whether they are actually written comments or spam. The transfer of your personal data to the USA is carried out using standard data protection clauses pursuant to Art. 46 para. 2 c) GDPR, which were issued by the European Commission pursuant to Art. 93 para. 2 GDPR. Information on the standard data protection clauses is available on the European Commission’s website (https://ec.europa.eu/info/index_de). You will find further information in the privacy policy of Automattic https://automattic.com/privacy/.

The admissibility of this processing is based on Art. 6 para. 1 f) GDPR stating that the processing is lawful if it is necessary for the purposes of preserving the legitimate interests pursued by the Controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data. The use for the website security constitutes a legitimate interest of the Operator according to Art. 6 para. 1 f) GDPR.
The provision of data is neither prescribed by law nor necessary for the conclusion of a contract. The consequence of not providing data is that you are not able to use corresponding comment functions.
The Operator does not store any personal data about the integration of Akismet. The personal data collected by Akismet will be deleted unless Automattic has a legitimate interest in further storage. In any case, only the data will continue to be stored that is necessary to achieve the corresponding purpose. As far as possible, the personal data is anonymised. The data is stored by Automattic in accordance with its own privacy policy

Right of access, to rectification, erasure, restriction, object and data portability

Right of access (Art. 15 GDPR)

Upon request, the Operator provides you with information as to whether data is processed concerning you. The Operator makes every effort to process requests for information as quickly as possible.

Right to rectification (Art. 16 GDPR)

You have the right to obtain from the Controller an immediate rectification of inaccurate personal data concerning you.

Right to erasure (Art. 17 GDPR)

You have the right to obtain from the Operator the erasure of personal data concerning you immediately and the Operator is obliged to erase personal data immediately if one of the grounds stated in Art. 17 para. 1 a) – f) GDPR applies.

Right to restriction (Art. 18 GDPR)

You have the right to obtain from the Controller restriction of processing if one of the grounds stated in Art. 18 para. 1 a) – d) GDPR applies.

Right to object (Art. 21 GDPR)

You have the right to object, on grounds relating to your particular situation, at any time to processing of your personal data which is based on Art. 6 para. 1 e) or f) GDPR, including profiling based on those provisions. The Operator shall no longer process your personal data unless the Operator demonstrates compelling legitimate grounds for processing which override the interests, rights and freedoms of you or for the establishment, exercise or defence of legal claims. If personal data is processed for direct marketing purposes, you have the right to object at any time to processing of your personal data for such marketing, which includes profiling to the extent that it is related to such direct marketing.
You have the right to object, on grounds relating to your particular situation, to processing of your personal data for scientific or historical research purposes pursuant to Art. 89 para. 1 GDPR unless the processing is necessary for the performance of a task in the public interest.
Please use the contact address specified in the imprint for your notification.

Right to data portability (Art. 20 GDPR)

You have the right to receive your personal data, which you provided to the Operator, in a structured, commonly used and machine-readable format and have the right to transmit the data to another controller without hindrance from the operator to which the personal data has been provided, unless the processing is based on a consent pursuant to Art. 6 para. 1 a) GDPR, Art. 9 para. 2 a) GDPR or on a contract pursuant to Art. 6 para. 1 b) GDPR and the processing is carried out by automated means.

Withdrawal of consent

If you have given your consent to processing of your personal data and withdraw it, the processing shall not be affected before its withdrawal.

Right to complain (Art. 77 GDPR)

You have the right to lodge a complaint with a supervisory authority at any time.

Recipients

The data collected when you were accessing and using the website and the information you provided when contacting will be transmitted to the server and stored there. In addition, your data may be transferred to the following categories of recipients:

Persons working for the Controller who are engaged in the processing (e.g. marketing department, personnel management, customer service)
Processors (e.g. computer centre, IT service provider, software support, provider of analysis tools, mailing services)
Operator’s contractual partners (e.g. banks, tax advisers)

To the extent that one of the recipients is located in a third country, the Operator shall comply with the principles of Art. 44 DS-GVO regarding the permissibility of data transfers to a third country, in particular through data transfers based on adequacy decisions (e.g. the EU-U.S. Data Privacy Framework) or subject to appropriate safeguards such as standard contractual clauses.

Links to third-party websites

When visiting the website, content linked to third-party websites may be displayed. The Operator has neither access to the cookies or other functions used by third parties nor can control them. Such third-party websites are not subject to the Operator’s privacy provisions.