We take the protection of your personal data (hereinafter also referred to as “data”) and thus your privacy very seriously. We therefore inform you in the following about the processing of your data upon the use of our app.
Personal data is information that can be individually assigned to you. Examples include your name, address, postal address, telephone number, payment data, IP address or e-mail address. Non-personal data is information such as the number of users of an app.
I. Controller and data protection officer
The controller for the processing of your personal data in the context of the use of the EVENT Hotels app is DITO Hotel Management GmbH & Co. KG (hereinafter EVENT or we/us). The contact details are: DITO Hotel Management GmbH & Co. KG, Konrad-Adenauer-Ufer 5, 50668 Cologne, Germany, phone: 0221-9730560, fax: 0221-973056930, email: moc.sletohtneve@ofni.
We have appointed an external data protection officer. He can be reached as follows: MORGENSTERN consecom GmbH, Jan Morgenstern, Große Himmelsgasse 1, 67346 Speyer, Tel: +49 (0) 6232 – 10011944.
II. How your data is processed
1. Use of the app
When downloading the app, the required information is transferred to the app store, i.e. in particular the username, email address and customer number of your account, the time of the download and the individual device identification number. In addition, the app store independently collects various data. We have no influence on this data processing and are not responsible in this regard. We only process data as far as necessary for downloading the app to your mobile device.
Each time you use the app, usage data is transmitted and stored in log files (server log files). The data records stored in the process contain the following data: Date and time of retrieval, IP address, amount of data transferred, as well as product and version information of the device used.
Furthermore, we require the following data to provide the services of the app: Your device identification, unique number of the terminal device (IMEI = International Mobile Equipment Identity), unique number of the network subscriber (IMSI = International Mobile Subscriber Identity), mobile phone number (MSISDN), MAC address for WLAN use, name of your mobile terminal device, e-mail address.
Said processing is legally justified by Art. 6 (1) b), f) GDPR (user relationship, legitimate interest). The legitimate interest of EVENT arise from the provision of an app with information, the offering of services to guests, the online processing of bookings and the optimization of app operation. The data processed by us in the process is required to enable you to use the app.
The log files are analysed in an anonymised form in order to improve the app and make it more user-friendly, to find and correct errors more quickly, and to control server capacities. For example, we thereby can predict the times when the use of the app is particularly popular and we therefore are able to provide appropriate data volume. Your IP address will either be deleted or anonymised after termination of use. In case of anonymisation, the IP addresses are changed in such a way that they can no longer be assigned to an identified or identifiable natural person.
Said processing is legally justified by Art. 6 (1) f) GDPR (legitimate interest). Our legitimate interests lie in the provision of an app with information and the offering of services to guests as well as the optimisation of the app. The provision of the data is neither legally nor contractually required.
2. Check-in and check-out
Via the app you are able to check in to your booked location. To do this, you must enter both, your reservation number and your last name in the first step and select the hotel you have booked. This data is neither stored nor passed on to any other properties belonging to us. Your personal data will only be used to process the check-in process with the app.
If you would like to communicate your reservation data via QR code, you will have to confirm that the app can use the camera of your mobile device. If you grant access, you can scan the QR code with the app. The app will then access the camera and transfer your booking data to our server in the extent necessary to provide this functionality. If you do not grant permission, you will not be able to use the QR code function. You can then alternatively enter your reservation data via the respective form.
In the next step, further data on your credit card (e.g. credit card number, cardholder, country of the credit institution, validity date) as well as data on the billing address (name, street with house number, postal code, city, country, e-mail address) must then be entered. By doing so, the address and the credit card information will be transmitted to the payment solution provider PAYONE GmbH, Lyoner Straße 9, 60528 Frankfurt am Main (hereinafter PAYONE).
Said processing is legally justified by Art. 6 (1) b) GDPR (contract purposes and pre-contractual measures). The provision of the data is necessary because otherwise you will not be able to check in using the app.
The processed personal data is deleted unless EVENT can claim legitimate interest in its continued retention and there are no legal retention obligations. In any case, only those data will continue to be stored that are actually absolutely required to achieve the corresponding purpose. As far as possible, the personal data will be anonymised.
During the check-out process, you also have the option of entering a second address or a second credit card as an alternative to your invoice.
Even when exercising this option, the permissibility of the processing and storage of the data is determined as described above.
3. 3D-Secure and PAYONE
In order to safeguard secure processing of payment data, when providing your credit card number and further validation information, the “3D Secure” procedure for strong customer authentication is performed. This authentification measure is performed by PAYONE. You as the guest must confirm the payment process in your online banking account by using a TAN. To do so, you must log in to your account using the authentication method you have chosen (fingerprint, facial recognition, password, etc.). We do not collect data that you enter when logging into your online banking account.
PAYONE acts as a so-called “acquirer” in this regard and handles the secure routing and settlement of credit card transactions with international credit card companies. In the course of this activity, PAYONE collects data you provide. This data is forwarded to the respective payment card system.
For further information regarding the processing of your data by the payment card system, please refer to the relevant data protection regulations, for example at www.mastercard.de/de-de/datenschutz.html or www.visa.co.uk/privacy/ (depending on the credit card company).
This processing is permitted under Art. 6 (1) b), c), f) GDPR (user relationship, legal obligation, legitimate interest).
Detailed information on the duration of data storage and your rights vis-à-vis PAYONE can be found at www.payone.com/DE-de/dsgvo.
4. Crash analytics (Firebase Analytics and crash reporter)
Google will use this information to evaluate the use of the app in order to compile reports on the activities in the app for EVENT.
Your IP address is used to automatically recognise you upon your next use of the app. The IP address is anonymised in a way that only a shortened IP address is transmitted to Google.
This processing is permissible under Art. 6 (1) a) GDPR (consent).You can decide whether you want to allow the use of Firebase by activating or deactivating the error reports.
We will only delete your personal data if you expressly request this and we have no legitimate interest in its continued retention.
4.1 Google Analytics for Firebase
Furthermore we use the function Google Analytics for Firebase.
With the use of this function there are several information (e.g. about your operating system, device model, region, ID, etc.) which will be collected due to the use of the app. The collected information will be transferred as stated above.
Google will use this information for analytic and classification purposes.
This processing is permissible under Art. 6 (1) a) GDPR (consent).You can decide whether you want to allow the use of Google Analytics for Firebase by activating this function on your first use of the app.
We will only delete your personal data if you expressly request this and we have no legitimate interest in its continued retention. Furthermore will any data, which is connected to a marketing-ID, be storaged by Google for the duration of 60 days. Further will the data on user level be storaged by Google for a period of up to 14 months. More information about the storage and retention of your data are available under https://firebase.google.com/support/privacy.
4.2 Firebase Crashlytics
We also use the function Firebase Crashlytics.
With the use of this function there are crash-stack-traces which will be recorded and used. This use is necessary to assign crashes to a project, send e-mail-notifications at project group members and show them in the Firebase Console. Thus this function’s use is to help debugging. The collected information will be transferred as stated above.
Google will use this information to track the numbers of users, who are affected by the crash.
During the use of this function there will be no collection of personal data as by the use itself. Nevertheless it is possible for Firebase Crashlytics to get personal data (e.g. your ip-adress) from Google Analytics for Firebase.
This processing is permissible under Art. 6 (1) a) GDPR (consent). Your consent will be gained during the setup of your smartphone by accepting the processing of your personal data by the error reporting services from Google. The app will be communicating with the smartphone and check if the necessary consent is given. You can revoke your consent at any time with effect for the future by changing your smartphone settings.
We do not store any of your personal data. Nevertheless further data will be stored for the duration of 90 days: crash-stack-traces. The remaining collected data will be stored and retended according to the stated above. More information about the storage and retention of your data are available under https://firebase.google.com/support/privacy.
5. Digital room key
You also have the option to open your room without a separate room key or room card via the app using the “key card” function.
The permissibility of this processing is based on Art. 6 (1) b) GDPR (contract performance and pre-contractual measures). The provision of the data is necessary to use this function.
The processed personal data is deleted unless EVENT has a legitimate interest in its continued retention and there are no legal retention obligations. In any case, only those data will continue to be stored that are actually absolutely required to achieve the corresponding purpose. As far as possible, the personal data is anonymised.
6. Updates and check-out reminder
After check-in, you can decide whether you want to receive check-out updates and reminders in the app. You can deactivate this function o at any time.
The permissibility of this processing is based on Art. 6 (1) b) GDPR (contract performance and pre-contractual measures). The provision of the data is necessary if you wish to receive updates and reminders.
III. Your rights
You have the following rights: you have a right of access (Art. 15 GDPR), rectification (Art. 16 GDPR), erasure (Art. 17 GDPR), restriction of processing (Art. 18 GDPR) and data transfer (Art. 20 GDPR). We make every effort to process requests expeditiously.
If your personal data is processed on the basis of Art. 6 (1) f) GDPR, you have the right to object, provided that there are grounds for doing so that arise from your particular situation or the objection is directed against direct advertising (Art. 21 GDPR). If you object to direct advertising, we will no longer send you promotional messages.
You also have the right to contact a supervisory authority (https://www.bfdi.bund.de/DE/Service/Anschriften/Laender/Laender-node.html).
You can revoke a consent given to EVENT at any time with effect for the future. However, this will not affect the data processing based on this consent that took place until then. For your communication please use the contasct details provided above.
IV. Disclosure to third parties
The data collected using the app and the information you provide when contacting us are transmitted to the EVENT server and stored there. Furthermore, the collected data is passed to PAYONE and Google as described above. In addition, your data may be passed on to persons at EVENT who are involved in the processing (clerks, customer service). The transfer to these recipients takes place either on the basis of a legal obligation of EVENT, for the processing of your contract or within the framework of order processing.
V. Third party links