DATA PRIVACYINFORMATION

The following information is designed to give an overview of how we process your personal data in connection with the services outlined below and to inform you about your rights under the European Data Protection Regulation (GDPR):

  • Processing personal data as part of contacting us with general inquiries
  • Processing personal data in connection with and directly after your stay at one of our hotels
  • Processing personal data as part of video surveillance on our premises
  • Processing personal data in connection with digital offers (newsletters), existing customer marketing, and program information
  • Processing personal data as part of your membership of our loyalty program and loyalty programs of our cooperation partners
  • Mandatory communication as part of the loyalty program
  • Processing personal data as part of purchasing vouchers
  • Processing personal data as part of arranging services
  • Processing personal data by a processor on behalf of the controller
  • Processing personal data in the context of using this website

I. General information and your rights as data subject

1. Party responsible for data processing (“controller”)

2. The controller as defined in Article 4 (7) GDPR is:

Steigenberger Hotels AG Lyoner Straße 25 60528 Frankfurt am Main, Germany Phone: +49 (0)69 66564-460 Fax: +49 (0)69 66564-888 E-Mail: service@hrewards.com

Full details pursuant to Section 5 of the German Telemedia Act (Telemediengesetz, TMG) (Imprint)

  1. Contact details of the Data Protection Officer You can contact our Data Protection Officer at

TÜV Informationstechnik GmbH Am TÜV 1 45307 Essen, Germany E-Mail

4. Your rights as a data subject

Every data subject whose personal data is processed has the right of access to obtain from the controller information about the personal data concerning him or her pursuant to Art. 15 GDPR, the right to rectification pursuant to Art. 16 GDPR, the right to erasure pursuant to Art. 17 GDPR, the right to restriction of processing pursuant to Art. 18 GDPR, the right to object to processing pursuant to Art. 21 GDPR, and the right to data portability pursuant to Art. 20 GDPR. In addition, the restrictions pursuant to Sections 34 and 35 of the German Federal Data Protection Act (Bundesdatenschutzgesetz, BDSG) apply to the right of access by the data subject and the right to erasure.

Where processing of your personal data is based on your consent that you have given us, you have the right to withdraw your consent at any time without this affecting the lawfulness of processing based on consent before its withdrawal.

In addition, data subjects have the right to lodge a complaint with the responsible Data Protection Authority under Art. 77 GDPR in conjunction with Section 19 BDSG.

5. Processing the data of minors

Minors may not transmit any personal data to us without the consent of a parent or legal guardian. We do not process any data knowingly obtained from minors on our website.

6. Automated decision-making and profiling

When entering into or performing a contract with you, you will not be subject to any decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you, as set out in Art. 22 GDPR.

7. Additional information on your right to object pursuant to Art. 21 GDPR

You have the right to object, on grounds relating to your particular situation, at any time to the processing of personal data concerning you which is based on Art. 6 (1) (f) GDPR (data processing on the basis of balancing interests).

If you object, your personal data will no longer be processed unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights, and freedoms, or unless the processing is carried out for the establishment, exercise, or defense of legal claims.

If your personal data is processed by us for the purpose of existing customer marketing, you have the right to object at any time to the processing of personal data concerning you for the purposes of such marketing. To object to processing you can use the unsubscribe function in digital media, select the corresponding settings in the membership or subscriber area, use the contact form on our website, or use the contact details provided in section I. to inform us of your objection without using a particular format.

8. Personal data storage periods and criteria for determining these periods

We process and store your personal data for as long as is necessary to fulfill our contractual and legal duties and obligations. If the data is no longer required to fulfill our contractual duties, it will be erased on a regular basis unless temporary further processing of the data is necessary because of

(a) national or regional registration laws and regulations at the place of data collection and/or contract performance

(b) national retention periods under commercial or fiscal law at the place of data collection and/or contract performance

(c) national, regional, or local tax regulations (such as visitors’ tax, tourist tax, etc.) at the place of data collection and/or contract performance

(d) membership of our own H Rewards loyalty program

The periods for retention and/or documentation specified thereunder are usually two to ten years. For further information on the storage period of your personal data please see the relevant sections on different types of processing.

9. Documentation of modifications to and corrections of personal data

Under our duty of documentation, we process and keep a record of all modifications to and corrections of your personal data such as

  • First and last name
  • Home address and, where different, billing and correspondence addresses
  • Date of birth
  • Gender, salutation, title
  • Email address(es) if multiple addresses are used or specified
  • Phone number(s) if multiple numbers are used or specified
  • Passport data
  • Loyalty program membership numbers
  • Preferences and wishes related to your stay
  • General interests, preferences, and wishes
  • Password

10. Duty to provide data

You have a duty to provide personal data whenever this data is required in order (to render our services) or whenever we are required by law to collect this data; this applies in particular to

  • performing an accommodation contract
  • managing your membership account of our own loyalty program, H Rewards
  • complying with registration laws and requirements applicable at the hotel location

If you fail to provide us with necessary information we may not be able to provide the requested services in full or may not be able to provide them at all.

II. Contacting us Contacting us with general inquiries through our website or the service center You can contact us in various ways, including via the contact form on our website or by calling our service center.

1. Processed personal data As part of general inquiries, we receive, process, and store the following personal data depending on the nature of your request:

  • First and last name
  • Gender, salutation, title,
  • Email address(es) if multiple addresses are used or specified
  • Phone number(s) if multiple numbers are used or specified
  • Loyalty program membership numbers
  • Other personal data that you provide voluntarily in your inquiry
  • Audio recordings of calls to the service center (only with your consent)

2. Purposes and legal bases of processing your personal data

We process your personal data for the following purposes and on the following legal bases: To process your queries, requests for information, and complaints if such processing is related to the performance of a contract or the implementation of pre-contractual measures. In this case, the legal basis for processing your personal data is Art. 6 (1) (b) GDPR. In other cases, the legal basis is our legitimate interest in effectively processing any queries that we receive pursuant to Art. 6 (1) (f) GDPR. Calls to our service center are only recorded if you have previously consented to this (Art. 6 (1) (a) GDPR). Recordings are only made for the purpose of providing training for employees on how to handle queries.

3. Categories of recipients of personal data

If you have a direct question for the hotel, for example regarding your reservation, your query will be forwarded directly to that hotel. We also work with a service provider in our service center who supports us in handling your queries.
If your query is related to data privacy, such as requests for information, it will be forwarded to the data protection department for processing. All other queries will be forwarded to the offices/departments whose involvement is necessary for handling your query.

4. Duration of storage of personal data

If you contact us we will store your personal data. The only purpose of storing your data is to be able to deal with your request and to contact you. Your contact requests are usually erased after 10 years.

5. Transfer of data to third countries

If your query is related to a hotel in a third country, the data that we receive when you contact us will be transferred to the third country where the hotel is located to be dealt with.

III. Processing your personal data in connection with your stay

Queries, bookings/reservations, travel preparations, arrival/check-in, departure

1. Processed personal data

We process your data in order to handle and manage your reservation requests and reservations and to provide our services under the accommodation contract, including managing your stay at our hotel and processing the payment. In addition, the hotels are generally obligated under the relevant applicable registration laws and regulations to collect the aforementioned personal data from guests staying at the hotel. We also process and store any preferences and wishes expressed to us on a voluntary basis which are either relevant to the specific visit or are of a general nature (recurring requirements, preferences, and wishes). We are also obligated under our contract with you to inform you of any significant changes. We will use the personal data we hold on you for this purpose.

  • First and last name
  • Home address and, where different, billing and correspondence addresses
  • Date of birth
  • Payment data and credit card data
  • Gender, salutation, title
  • Email address(es) if multiple addresses are used or specified
  • Phone number(s) if multiple numbers are used or specified
  • Passport data
  • Loyalty program membership numbers
  • Preferences and wishes related to your stay
  • General interests, preferences, and wishes

2. Purposes and legal bases of processing your personal data

We process your personal data for the following purposes and on the following legal bases:

To handle and manage your reservation requests and reservations and provide our services under the accommodation contract, including managing your stay at our hotel and processing payment (in particular also for tracking your use of our services (telephone, bar, spa, chargeable TV channels etc.), performing check-in activities (digitally and on site), and managing access to the rooms). The legal basis for this is Art. 6 (1) (b) GDPR.

As part of contractual performance, we are required to inform you of any significant changes that occur during your stay. We provide this information preferably via email to the email address stored in the central guest profile. If this is no longer valid we reserve the right to contact you by different means, such as by post. The legal basis for this is the performance of our accommodation contract with you pursuant to Art. 6 (1) (b) GDPR.

To fulfill a legal obligation that our company is subject to as the controller (e.g., due to registration laws, fiscal law, obligation to keep records, etc.). The legal basis for this is Art. 6 (1) (c) GDPR. To ensure that your stay with us meets your needs and expectations based on your personal data that is already stored in our system and helps us recognize you at all service contact points (in person and/or digital), in particular if you are a member of our loyalty program, e.g., data transferred with your reservation, data provided voluntarily during previous visits (regular guests, returning guests), and any add-on services or requirements related to your visit, e.g., bouquet of flowers in your room, two pillows. The legal basis for this is Art. 6 (1) (f) GDPR. Our legitimate interest is in offering our guests the highest possible standard of service.

To create, edit, manage, and update your membership account and to correctly deal with any credits and debits to your membership account as well as to provide our services as part of your membership of our H Rewards loyalty program. The legal basis for this is Art. 6 (1) (b) GDPR. To process bonus credits (points, miles, etc.) and other services rendered as part of your membership of the loyalty programs of our cooperation partners. The legal basis for this is the performance of the contract pursuant to Art. 6 (1) (f) GDPR. To maintain, assure, and improve the quality of our products and services, in particular by carrying out and analyzing satisfaction surveys and comments from guests, by processing your personal data in our central guest database, which allows us to recognize you as a returning guest, to better assess your needs and wishes, to improve the quality and personal touch of our communication with you, and to create offers tailored to you – the legal basis for this is Art. 6 (1) (f) GDPR. Our overriding legitimate interests arise from the accommodation contract entered into with you, which constitutes a relevant and appropriate relationship within the meaning of recital (47) GDPR, and from the fact that this type of data processing is customary for international hotel chains and in line with the reasonable expectations of the majority of guests. As part of a group of companies, which includes businesses operating hotels under the umbrella brand Deutsche Hospitality, our company also has a legitimate interest pursuant to recital 48 GDPR, namely to transfer personal data of guests within the group of companies for internal administrative purposes.

To uphold the house rules, to prevent and investigate crimes and offenses, to assert legal claims and defend against legal claims and represent our interests in legal disputes, to ensure IT security and maintain IT operations, to identify risks related to creditworthiness – the legal basis for this is Art. 6 (1) (f) GDPR. Our overriding legitimate interests stem from our obligation to ensure our guests’ safe and secure stay at the hotel and from our interest in asserting our material and immaterial claims and exercising our rights and in defending ourselves against unjustified claims. Furthermore, it is also a legitimate interest of our company to process personal data to the extent strictly necessary in order to prevent fraud pursuant to recital (47) GDPR.

3. Categories of recipients of personal data

If and where necessary for the aforementioned purposes, we will also disclose your personal data to the following recipients or categories of recipients as defined in Art. 4 (9) GDPR: Within our company, only those offices/departments that need your personal data in order for us to fulfill our contractual and legal duties will be able to view or access it (to the extent necessary).

To the extent that your personal data is processed in our central guest database it will also be disclosed to other companies that operate one or several hotels of the brands which are part of Deutsche Hospitality (Steigenberger Hotel & Resorts, IntercityHotel, Jaz in the city, Maxx by Steigenberger). The respective operators of each of these hotels are shown on the list of hotel operators. This list is updated on a regular basis and all hotels that use our central guest database are specially marked here. When crediting any points accrued by you in membership programs of cooperation partners during your visit, we transfer your data to the relevant cooperation partners.

Service providers used by us (e.g., for data processing on our behalf as set out in Art. 28 GDPR) and vicarious agents may also receive personal data for these purposes. These are companies that belong to the categories of credit services and payment processing, IT services, cleaning services, logistics, printing services, telecommunications, debt collection, consulting, and sales and marketing. The relevant service providers are shown in The list of service providers/processors , which is updated on a regular basis. Furthermore, data may be transferred to official bodies and institutions if we are under a legal obligation to do so (e.g., fiscal authorities, law enforcement authorities, registration authorities). Other recipients of data may be those bodies and institutions to which you have given your consent for the transfer of data.

4. Duration of storage of personal data

We process and store your personal data for as long as is necessary to fulfill our contractual and legal duties and obligations. When the data is no longer needed for the fulfillment of contractual obligations, it will regularly be erased unless temporary further processing of the data is necessary because of retention periods specified under commercial and fiscal law (including the German Commercial Code (Handelsgesetzbuch, HGB), the German Fiscal Code (Abgabenordnung, AO), the German Federal Act on Registration (Bundesmeldegesetz, BMG)). The periods of retention and/or documentation specified thereunder are between two and ten years.

5. Transfer of data to third countries

If you booked a stay in a hotel in a country outside the European Union (third country), your data will be transferred to this third country if it is necessary to do so in order to make your reservations and manage your stay at the hotel. If you are a member of our loyalty program or that of one of our cooperation partners, it will be necessary to transfer the points you accrued to the partner to perform services under the membership scheme.

6. Merging your guest profiles

Your personal data is collected at various points of contact (e.g., membership account, hotel) in different ways (in writing and digitally). This is why it may be the case that multiple different guest profiles exist in our database which contain inconsistent information. As we strive to offer you the best possible service and wish to ensure that your personal data is processed correctly, we are keen to merge multiple copies of data into one unique profile using unique characteristics, such as first name, last name, and address. To merge guest profiles, we use the information collected in the context of your H Rewards membership and your stay in our hotel as well as the personal data that you communicated to us in any other way on a voluntary basis.

The legal basis for this is Art. 6 (1) (f) GDPR. Without this automated and sometimes necessary manual merging we cannot ensure that your personal data will be processed properly and correctly. This is why we have a legitimate interest in merging the data.

The processing and merging is carried out in the central guest database of Steigenberger Hotels AG.

IV. Other processing immediately after your stay (post-stay messages)

After your stay you will receive from us a post-stay message in which we ask you to rate your stay in our hotel (satisfaction survey) unless you have previously unsubscribed from this communication by email or by using the unsubscribe link in a post-stay message.

1. Processed personal data

  • First and last name
  • Membership number
  • Gender, salutation, title
  • IP address
  • Email address(es) if multiple addresses are used or specified
  • Preferences and wishes related to your stay
  • General interests, preferences, and wishes
  • Data that you transfer to us in a satisfaction survey

2. Purposes and legal bases of processing personal data

We process your personal data for the following purposes and on the following legal bases:

To maintain, assure, and improve the quality of our products and services, in particular through analyzing complaints, satisfaction surveys, and comments from guests. The legal basis for this is our legitimate interest in offering our customers the best possible service pursuant to Art. 6 (1) (f) GDPR.

3. Categories of recipients of personal data

In the context of the customer satisfaction survey included in the post-stay messages we work with a service provider who is the recipient of this data (processor).

4. Duration of storage of personal data

We store any data collected in the customer satisfaction survey for a period of 3 years. Your IP address will be anonymized after 28 days.

5. Transfer of data to third countries

We do not intend to transfer this data to a third country or an international organization.

V. Video surveillance on our premises during your stay

If we carry out video surveillance at the hotel where you made a booking (businesses owned by Steigenberger Hotels AG and its subsidiaries) , the following will apply to any processing of personal data associated with this surveillance:

  1. Processed personal data
  • Image and video recordings
  1. Purposes and legal bases of processing personal data If CCTV cameras are installed at the hotel that you visit, they are being used for the purposes of enforcing house rules, preventing crimes and offenses (e.g., damage to property or theft), and securing criminal prosecution. The legal basis for processing this data is Art. 6 (1) (f) GDPR. Our company’s overriding legitimate interests stem from our obligation to ensure our guests’ safe and secure stay at the hotel and from our interest in asserting our material and immaterial claims and exercising our rights and in defending ourselves against unjustified claims.

  2. Categories of recipients of personal data Potential recipients of the data are the law enforcement authorities and persons or companies engaged in exercising our rights (such as lawyers), or service providers contracted to carry out the video surveillance.

  3. Transfer of data to third countries We do not intend to transfer this data to a third country or an international organization.

  4. Duration of storage of personal data If surveillance footage is recorded, these recordings will be erased no later than after 72 hours; after the retention period has ended, only such data as is needed for an investigation into specific incidents or for the assertion of claims based on a specific event (e.g., a crime or offense) will be stored. Such data will also be erased when the reason for its prolonged retention ceases to exist.

VI. Processing personal data in connection with digital offers (newsletter), existing customer marketing, and program information

  1. Newsletter Our email newsletter provides you with information on a regular basis and in line with your specified preferences about the offers and services provided by the hotels belonging to Deutsche Hospitality (see list of hotel operators), the offers and services provided by our cooperation partners (see list) , and the offers associated with your membership of the H Rewards loyalty program.

If you wish to receive the email newsletter, we need you to provide us with a valid email address. We use the double-opt-in process for you to sign up to our newsletter. This means we will send an email to the specified email address after you register asking you to confirm that you wish to receive the newsletter. If you fail to confirm your sign-up within a period of two weeks, your information will be blocked and, after one month, automatically erased. We also store the IP address used by you in each case and the times of your registration and confirmation. The purpose of this process is to be able to prove your registration and, where necessary, investigate any misuse of your personal data.

1.1. Processed personal data We process the following personal data in connection with sending our newsletter:

  • First and last name
  • Home address and, where different, billing and correspondence addresses
  • Date of birth
  • IP address
  • Gender, salutation, title
  • Email address(es) if multiple addresses are used or specified
  • Loyalty program membership numbers
  • General interests, preferences, and wishes

1.2. Purposes and legal bases of processing personal data We process your personal data for the following purposes and on the following legal bases:

To send our email newsletter to you, including administering your subscription to the newsletter. The legal basis for this is your consent pursuant to Art. 6 (1) (a) GDPR. As a subscriber to our email newsletter, you may withdraw at any time your consent to us processing your data in order to send our email newsletter. To withdraw your consent, you can use the relevant link included in every email newsletter or send an email to news@update.hrewards.com specifying "Abmelden" (Unsubscribe) in the subject line.

1.3. Categories of recipients of personal data We use an external service provider (processor) to send our newsletters to subscribers. 1.4. Duration of storage of personal data As soon as you withdraw your consent to receive the newsletter, your personal data will be erased. 1.5. Transfer of data to third countries We do not intend to transfer this data to a third country or an international organization.

1.6. Tracking in connection with the newsletter service We use tracking service providers in connection with our newsletter service in order to measure open and click rates of the emails.

  1. Existing customer marketing 2.1. Existing customer marketing in the context of loyalty program membership We reserve the right to send our loyalty program members emails with offers from our range of services as members’ marketing. Your membership allows us to process your personal data provided to us in your membership account or during a visit to one of our hotels for the purpose of members’ marketing. For the purpose of communicating with you as described above, we use the following communication media in accordance with the settings and permissions stored in the central guest profile:
  • Email
  • Telephone
  • Post

2.2. Existing customer marketing We reserve the right to send our guests emails with offers from our range of services as existing customer marketing. Our legitimate interest in engaging in existing customer marketing is to be able to offer our guests targeted, individual offers prepared on the basis of a previous booking (transaction) or existing customer relationship. We may process your personal data provided to us in a booking for a period of 12 months after the transaction was made in order to send marketing messages to existing customers. If no other booking or other transaction is made within this period, your personal data will no longer be processed for the purpose of existing customer marketing and will therefore be erased unless you have a newsletter subscription or your personal data must be retained for longer due to other arrangements. You may object at any time to the use of your email address for the purpose of sending marketing to existing customers without incurring any costs other than the transmission costs at basic rates. If your personal data is processed by us for the purpose of existing customer marketing, you have the right to object at any time to the processing of personal data concerning you for the purposes of such marketing.

2.3. Processed personal data We collect the following personal data in connection with existing customer marketing:

  • First and last name
  • Home address and, where different, billing and correspondence addresses
  • Date of birth
  • Gender, salutation, title
  • Email address(es) if multiple addresses are used or specified
  • Loyalty program membership numbers
  • General interests, preferences, and wishes

2.4. Purposes and legal bases of processing personal data We process your personal data for the following purposes and on the following legal bases:

To send marketing messages about our offers and services to existing customers – the legal basis for this is Art. 6 (1) (f) GDPR. Our legitimate interest in engaging in existing customer marketing is to inform our members about their current membership status and send our members and existing customers targeted, individual, exclusive offers.

You may object at any time to the use of your email address for the purpose of sending marketing to existing customers or members without incurring any costs other than the transmission costs at basic rates. More detailed information on exercising your right to object to the use of your email address for direct marketing measures is provided within this Privacy Policy.

2.5. Categories of recipients of personal data When we carry out existing customer marketing measures, your personal data will only be disclosed to those employees in our company who can view our central guest database. In addition, we use an external service provider (processor) to send marketing messages to existing customers.

2.6. Duration of storage of personal data If no other booking or other transaction is made within a period of 12 months, your personal data will no longer be processed for the purpose of existing customer marketing and will therefore be erased unless you have a newsletter subscription, are a loyalty program member, or your personal data must be retained for longer due to other arrangements.

2.7. Transfer of data to third countries We do not intend to transfer this data to a third country or an international organization.

VII. Loyalty program membership, membership account (user account / account), communication

  1. Membership/user account You can register as a member of the H Rewards loyalty program (user account / account) in accordance with the applicable Terms & Conditions of Membership by providing us with your full first name and last name, salutation, your current home address, your date of birth, your preferred email address and specifying a password. You can register in the following ways:
  • on the H Rewards app
  • on the H Rewards website
  • during the booking process
  • before using the high-speed Wi-Fi or
  • after receiving an invitation to register sent out by a hotel employee
  • by scanning a registration QR code

Following your successful registration, a membership account will be created automatically based on the applicable Terms & Conditions of Membership. When you register to become a member, you are deemed to have agreed to the transfer of the data that you provided during your registration to the relevant operators of the brands of Deutsche Hospitality.

You can view and amend your personal details in the membership account. Any important information regarding your membership, such as your membership status, will also be displayed here. In the members’ area, you can book hotel accommodation or cancel bookings that you made on the website or the app specifying your membership details and you can redeem rewards according to your account status. You may cancel your membership at any time. The membership account will be automatically deleted after the final cancelation of the membership (see cancelation in the terms and conditions of membership).

1.1 Processed personal data We process the following personal data as part of your membership of our own loyalty program: • First and last name • Home address and, if different, billing and communication addresses • Date of birth • Gender, salutation, title • Email address(es) if multiple addresses are used or specified • Phone number(s) if multiple numbers are used or specified • Loyalty program membership number • Preferences and wishes related to your stay • General interests, preferences, and wishes • Password • Reward redemptions

1.2 Purposes and legal bases of processing personal data We process your personal data for the following purposes and on the following legal bases: To carry out and manage your membership of our loyalty program – the legal basis for this is the performance of our contract with you pursuant to Art. 6 (1) (b) GDPR. The legal bases for processing your personal data in connection with the creation and use of your membership account are your membership in accordance with the Terms & Conditions of the Loyalty Program as well as Art. 6 (1) (b) GDPR. To create, edit, manage, and update your membership account and to correctly deal with any credits and debits to your membership account as well as to provide our services as part of your membership of our H Rewards loyalty program. The legal basis for this is Art. 6 (1) (b) GDPR. To create statistics based on anonymized data analyses to improve and enhance products, services, and the contents of the H Rewards loyalty program. The legal basis for this is our legitimate interest in enhancing our loyalty program pursuant to Art. 6 (1) (f) GDPR. For authentication and fraud prevention in the context of your membership of the H Rewards loyalty program or a loyalty program of one of our cooperation partners, such as Miles & More or bahn.bonus. The legal basis for this is our legitimate interest pursuant to Art. 6 (1) (f) GDPR.

To ensure comprehensive recognition, in particular of members of our loyalty program, across all service contact points (in person and/or digital) at hotels belonging to Deutsche Hospitality and to ensure automatic updates of your recurring wishes, preferences, and needs, e.g., always two pillows, in order for us to provide you with a high-quality service appropriate to the hotel brand. The legal basis for this is our legitimate interest pursuant to Art. 6 (1) (f) GDPR to provide our customers with the highest possible standard of service.

1.3 Categories of recipients of personal data In the context of fulfilling the membership requirements it is necessary for us to transfer your data to various recipients. These are in particular the hotels of Deutsche Hospitality and our cooperation partners. 1.4 Duration of storage of personal data Your membership account data will be stored until your membership is canceled. Any unredeemed points, rewards, and the membership status achieved will become invalid six months after the cancelation's effective date. 1.5 Transfer of data to third countries If you provide your membership number voluntarily for a stay in a hotel located in a third country, your data will be transferred to the hotel in question so that the points can be credited.

2. Communication in the context of a contract As part of the performance of the contract with you, we are required by law to inform you of any significant changes that occur during your stay. We primarily provide this information via email to the email address stored in the central customer profile. If this is no longer valid we reserve the right to contact you by different means, such as by post.

2.1 Communication media For the purpose of communicating with you as described above, we use the following communication media in accordance with the settings and permissions stored in the central customer profile:

  • Email
  • Messenger services
  • Telephone
  • Post

2.2 Mandatory communication as part of the loyalty program As part of operating the loyalty program, we are required by law to inform you of any changes to the program (Terms & Conditions of Membership). We usually provide this information via email to the email address stored in the membership account. If this is no longer valid we reserve the right to contact you by different means, such as by post. 2.3 Categories of recipients of personal data We use an external service provider to send out our communications. 2.4 Duration of storage of personal data As part of operating the loyalty program, we are required by law to inform you of any changes to the program. 2.5 Transfer of data to third countries We do not intend to transfer this data to a third country or an international organization.

3. Membership of a loyalty program of a cooperation partner We process personal data in connection with your membership of a loyalty program of one of our cooperation partners, such as Miles & More or bahn.bonus. [(List of cooperation partners)]/en/partners

3.1 Processed personal data • Email address(es) if multiple addresses are used or specified • Loyalty program membership numbers

3.2 Purposes and legal bases of processing personal data We process your personal data for the following purposes and on the following legal bases:

To process bonus credits (points, miles, etc.) and other services rendered as part of your membership of the loyalty programs of our cooperation partners. The legal basis is our legitimate interest pursuant to Art. 6 (1) (b) GDPR.

3.3 Categories of recipients of personal data It is necessary to transfer your data to the respective cooperation partner so that the bonus can be credited. 3.4 Duration of storage of personal data We will store your data for a period of 10 years. 3.5 Transfer of data to third countries The data will only be transferred to a third country in cases where the cooperation partner in question is located in a third country or if you have provided your membership number when making a reservation at a hotel in a third country. In these cases, the data will be transferred on the basis of Art. 49 (1) (b) GDPR.

VIII. Purchasing vouchers The voucher shop allows you to purchase general vouchers and hotel-specific vouchers.

  1. Processed personal data We process the following personal data in connection with the purchase of vouchers:
  • Salutation, title
  • First and last name
  • Email address
  • Phone number
  • Date of birth
  • Address
  • Payment details
  1. Purposes and legal bases of processing personal data We process your personal data for the following purposes and on the following legal bases: To handle the purchase of vouchers – the legal basis for this is Art. 6 (1) (b) GDPR.

  2. Duration of storage of personal data The data that we received from you when you purchased vouchers will be stored for 10 years.

  3. Categories of recipients of personal data We forward your data to a service provider in order to be able to send you the voucher. We also use various service providers to process the transaction, depending on the payment type.

  4. Transfer of data to third countries If you purchase a voucher for a hotel in a third country, the data that we receive from you when you purchase the voucher will be transferred for processing to the third country where the hotel is located.

IX. Brokering hotel reservations On its website, Steigenberger Hotels AG acts as a broker for booking accommodation in hotels of third-party hotel operators (see list of hotel operators). The parties entering into the accommodation contract are yourself and the respective hotel operator. As part of this brokering service it is necessary for us to transfer the data required for the fulfillment of the contract (e.g., first and last name of the guest, reservation period, email address) to the respective hotel operator. The legal basis for this is Art. 6 (1) (b) GDPR. If the brokering service is provided for a reservation in a hotel in a third country, the related transfer of data is based on Art. 49 (1) (b) GDPR.

X. Information regarding the use of cookies and payment service providers on this website

  1. Transfer to third countries If you consent to the use of cookies , you are at the same time explicitly consenting to the transfer of your personal data pursuant to 49 (1) (a) GDPR to an insecure third country. The United States in particular is regarded by the Court of Justice of the European Union as a country that does not have an adequate level of data protection. There is a risk that your data may be processed by U.S. authorities for control and monitoring purposes and you are left with no effective legal remedies in that regard.

As can be seen specifically from the [List of service providers / processors] (/en/service-providers-processors), our company uses service providers for certain tasks whose registered office is in a third country or who belong to an international group with companies in third countries or who themselves work with service providers based in a third country. The transfer of personal data to such service providers is permitted if the European Commission has decided that the third country in question offers an adequate level of protection (Art. 45 GDPR). In the absence of such a decision, our company or the service provider may transfer personal data to a third country or an international organization only if provisions are made for appropriate safeguards and if enforceable rights and effective legal remedies are available (Art. 46 (1) GDPR). If neither an adequacy decision pursuant to Art. 45 (3) GDPR has been made nor appropriate safeguards pursuant to Art. 46 GDPR are in place, the transfer of your personal data to a third country is only permissible under one of the following conditions:

  • You have explicitly consented to the proposed transfer of data, after having been informed of the possible risks of such transfers for you due to the absence of an adequacy decision and appropriate safeguards
  • The transfer is necessary for the performance of a contract between you and the controller or for the implementation of pre-contractual measures
  1. Integration of payment service providers for online payments To process online payments we use the following external service providers whose platforms you can freely choose between to process your payment:
  • Concardis GmbH (Helfmann-Park 7, 65760 Eschborn, Germany, Tel. +49 (0)69 79220)
  • American Express Payment Service Limited (Theodor-Heuss-Allee 112, 60486 Frankfurt/Main, Germany)
  • Paypal S.à r.l. et Cie, S.C.A. (22-24 Boulevard Royal, 2449 Luxembourg, Luxembourg)
  • Computop Paygate GmbH (Schwarzenbergstraße 4, 96050 Bamberg, Germany)
  • PPro & Nets If you wish to make an online payment this can be integrated into the booking or voucher purchase processes or you may do so via a corresponding link sent to an email address specified by you. If you click on such a link you will be forwarded to the payment platform. Further details regarding the handling of your personal data in this connection are provided there.

3. Cookies 3.1 Information about cookies We use cookies on our website. Cookies are small files created automatically by your browser and stored on your device (laptop, tablet, smartphone, or similar) when you visit our website. Cookies do not cause any harm to your device and do not contain any viruses, Trojans, or other malware. Their purpose is to store information obtained in connection with the specific device that you use. This does not mean, however, that we gain direct knowledge of your identity. Using cookies has a twofold objective: On the one hand, we want to make it more convenient for you to use our website and, on the other hand, we want to gather statistics on the use of our website and analyze these with the aim of optimizing the services we offer you. To achieve this, we use cookies for the following purposes:

Necessary functions:
These cookies contribute significantly to improving your browsing and booking experience on our website. Basic functionalities and applications such as shopping carts or electronic billing procedures are optimized, and their use is made possible. These cookies do not collect information about you that can be used for marketing campaigns or statistical analysis. These cookies are necessary for the use of the website, the legal basis for these cookies is Art. 6 para. 1 lit. b) DS-GVO and § 25 para. 2 Telekommunikation-Telemedien-Datenschutzgesetz (TTDSG).

• Statistical analysis:
Statistical analysis is the processing and presentation of data on user actions and interactions on websites and apps (e.g., number of page visits, number of unique visitors, number of returning visitors, entry and exit pages, time spent, bounce rate, click of buttons, booking or voucher order) and, if applicable, the classification of users into groups based on technical data on the software settings used (e.g., browser type, operating system, language setting, screen resolution). The legal basis for these cookies is consent in accordance with Art. 6 (1) a) DS-GVO and § 25 (1) TTDSG.

• Personalized advertising:
Certain functions of websites and apps are used to display personalized advertising materials (ads or commercials) to users in other contexts, for example on other websites, platforms, or apps. For this purpose, conclusions about the interests of users are drawn from demographic information, search terms used, contextual content, user behavior on websites and in apps, or from the location of users. Based on these interests, advertising materials will be selected and displayed on online content of other providers in the future. The legal basis for these cookies is consent in accordance with Art. 6 (1) a) DS-GVO and § 25 (1) TTDSG.

• Personalized advertising incl. data transfer to other countries:
Certain functions of websites and apps are used to display personalized advertising materials (ads or commercials) to users in other contexts, for example on other websites, platforms or apps. For this purpose, conclusions about the interests of users are drawn from demographic information, search terms used, contextual content, user behavior on websites and in apps or from the location of users. Based on these interests, advertising materials will be selected and displayed at other online content providers in the future. The legal basis for these cookies is consent pursuant to Art. 6 (1) a) DS-GVO and Section 25 (1) TTDSG. In addition, you explicitly consent to the transfer of your personal data to other countries (USA) according to Art. 49 para. 1 lit. a) DSGVO. In the listed countries, there is no adequate level of data protection and there are no suitable guarantees for the protection of your personal data (such as lack of enforcement of data subject rights and possible, inappropriate access to your personal data by state authorities). Your consent to the transfer of your personal data to third countries is voluntary and can be revoked at any time via our Privacy Policy. Further information on the processing of your personal data, including third country transfers, can also be found in our Privacy Policy.

3.2 Using the cookie consent tool to specify your cookie settings You can use the cookie consent tool to adjust your cookie settings at any time. Follow the link shown below to open the tool and select your settings for the above mentioned categories of cookies by giving or refusing your consent to the use of these cookies in your browser.
In this Privacy Policy you will find information about the partner companies and third-party providers who place cookies on our website and what categories these cookies belong to.

[Consent Panel]
3.3 Using your browser to specify your cookie settings You can specify in your browser that cookies should only be stored with your consent. Most browsers automatically accept cookies. However, you can reconfigure your browser so that no cookies are stored on your computer or that a warning appears before a new cookie is created. However, if all cookies are deactivated you may not be able to use all the functions of our website. If you want to accept only Steigenberger cookies but not cookies from our partners, then please select the option “Block third-party cookies” in your browser. To find out how you can refuse new cookies and deactivate existing ones, go to the Help function on the menu bar of your web browser. If you use shared computers that accept cookies and flash cookies, we recommend that you always log out completely at the end of your session.

3.4 Cookie providers used

Category Duration Purpose

AWIN AG Eichhornstraße 3 10785 Berlin, Germany Necessary functions 90 days Billing purposes

Criteo SA 32 Rue Blanche, 75009 Paris, France Personalized advertising 13 months Advertising

Dailypoint: Toedt, Dr. Selk & Coll. GmbH Augustenstr. 79, 80333, Munich, Germany Personalized advertising 90 days max. Profiling, advertising

DerbySoft (Hong Kong) Limited 14800 Landmark Blvd., Suite 640, Dallas, Texas 75254, USA Necessary functions 30 days/24 months Billing purposes

Facebook Inc. 1 Hacker Way, Menlo Park 94025, CA. USA Personalized advertising 28 days Advertising

Mapp Intelligence: Webtrekk GmbH Robert-Koch-Platz 4, 10115 Berlin, Germany Statistical analysis 6 months Analysis

Google Ads: Google Ireland Ltd. Gordon House, Barrow Street, Dublin 4, Ireland Personalized advertising 24 months max. Advertising

Microsoft Advertising/Bing Ads: Microsoft Corporation One Microsoft Way, Redmond, WA 98052-6399, USA Personalized advertising 13 months Advertising

TripAdvisor LLC 400 1st Avenue, Needham, MA 02494 USA Personalized advertising 24 months max. Advertising

zenloop GmbH Erich-Weinert-Straße 145, 10409 Berlin, Germany Statistical analysis 24 months max. Analysis

Further information on the providers of cookies

zenloop Recipient: zenloop GmbH, Erich-Weinert-Straße 145, 10409 Berlin, Germany Process: Marketing tools for personalized advertising are all similar in terms of their technical functions, which is why reference is made to this process in the following text with regard to all the providers mentioned above. Providers of personalized advertising use technologies such as cookies, tracking pixels, and device fingerprinting in order to show users ads that are relevant to them and to improve the reports on campaign performance. These providers enable us to display interest-based ads on the providers’ websites and on our website. This process also includes processing information stored on the users’ devices. The providers offer functions for this purpose that are generally referred to as remarketing. Remarketing allows website users to be recognized on other websites within the advertising network of the provider and to be presented with ads tailored to their interests. The ads may also be related to products and services that the user has already looked at on our website. This is made possible by analyzing user interaction on our website, e.g., what offers interest the users, in order to show them targeted advertising on other websites even after they leave our website. When a user visits our website the relevant provider places a cookie on the user’s device. The provider then uses cookies or tracking pixels to process the information generated by the users’ devices about their use of our website and their interaction with it as well as their access data, in particular their IP address, browser information, the website visited before the current one, and the date and time of the server request in order to display and analyze personalized ads. The providers mentioned above also use the conversion function to draw attention to our attractive offers with the help of advertising material on external websites. We are able to determine how successful individual campaigns are with regard to the advertising campaign data. The providers use ad servers to deliver this advertising material. We use ad server cookies for this purpose, which enable us to measure certain parameters for measuring reach – e.g., the insertion of ads, the time spent looking at them, or the clicks made by users. This process also includes processing information stored on the users’ devices. If a user lands on our website via one of the provider's ads, the provider will place a cookie on the user’s device. The provider uses cookies or tracking pixels to process the information generated by the users’ devices about interaction with our advertising material (accessing certain web pages or clicking on an ad) as well as the users’ access data, in particular their IP address, browser information, the website visited before the current one, and the date and time of the server request in order to analyze and visualize the measured reach of our ads. Based on the marketing tools used, the users’ browser automatically establishes a direct connection to the provider’s server.

Derbysoft Recipient: DerbySoft (Hong Kong) Limited, 14800 Landmark Blvd., Suite 640, Dallas, Texas 75254, USA Process: Derbysoft is a web service for measuring reach as well as for classic conversion tracking. Derbysoft therefore uses technologies such as cookies and tracking pixels in order to track a specific user behavior on the websites of our advertising partners. Derbysoft uses cookies or tracking pixels to process the information generated by the users’ devices about interactions with our advertising material (accessing certain internet pages or clicking on an ad) as well as the users’ access data, in particular their IP address, browser information, the website visited before the current one, and the date and time of the server request in order to analyze and visualize the measured reach of our advertisements. Based on the marketing tools used, the users’ browser automatically establishes a direct connection to the provider’s server.

Mapp Intelligence This website uses Mapp Intelligence, a web analysis service of Webtrekk GmbH whose registered office is in Berlin, Germany.
Recipient: Webtrekk GmbH, Robert-Koch-Platz 4, 10115 Berlin, Germany Process: The Mapp Intelligence web analysis service uses technologies such as cookies, tracking pixels, and device fingerprinting in order to track a specific user behavior on websites and therefore transfers information to a server of Mapp located in Nuremberg, Germany, where this information is stored. This process also includes processing information stored on the users’ devices. With the help of tracking pixels embedded in websites and the cookies placed on the users’ devices, Mapp Intelligence processes the information generated about the usage of our website by the users’ devices, such as that a specific web page was accessed, and the users’ access data for the purpose of statistical website usage analysis. The access data includes in particular the IP address, browser information, the website visited before the current one, and the date and time of the server request. According to information from Mapp, the IP addresses are anonymized and erased immediately during preprocessing. On behalf of the operator of this website, Mapp will use the information collected by Mapp Intelligence in order to analyze how you use the website, to prepare reports on website activities, and to provide the website operator with further services associated with the use of the website and the internet. For further information about the terms and conditions of use and data privacy at Mapp please go to https://docs.mapp.com/display/CDBD/Allgemeine+Nutzungsbedingungen or https://www.webtrekk.com/privacy-notice.html

3.5 Local storage of data To optimize the design of our website, we collect the following data and store it locally on your device (e.g., in the browser). Provider/tool Category Duration Purpose www.hrewards.com Necessary functions 365 days Log in Token Cat UID Member level Currency

3.6 Integration of services and content of third-party providers (capture of IP addresses by third-party services)

Content of third parties (hereinafter referred to as “third-party providers”) is embedded in our online presence. To use such content, it is technically required to transfer the user’s IP address to the relevant third-party provider. This is because without the IP address the third-party providers would not be able to send the content embedded in the website to the relevant user’s browser. We have no influence on whether a third-party provider saves the IP address, e.g., for statistical purposes, or uses it in any other way. We use the following third-party providers on our website:

Third-party provider

MapTiler AG Höfnerstrasse 98 Unterägeri, Zug 6314 Switzerland Function Displaying maps on websites Purpose Maintaining, ensuring and improving the quality of products and services, in particular improving the user experience.

Monotype Imaging Holdings, Inc., 600 Unicorn Park Drive, Woburn, Massachusetts 01801, USA Myfonts.com Function displaying text on websites Purpose Maintaining, ensuring and improving the quality of products and services, in particular improving the user experience.

zenloop GmbH Erich-Weinert-Straße 145, 10409 Berlin, Germany Function B2B Software-as-a-Service platform for evaluating customer feedback provided at various touch points Purpose Customer and product reviews for quality management and improving the customer experience

Status of and updates to the Privacy Policy This Privacy Policy is valid from August 16th, 2022. We will update this Privacy Policy from time to time in the event of relevant changes to our website, the way in which we process personal data, or changes in the law. The updated version will be valid from the date of its publication. In the event of significant changes to this Privacy Policy you will be notified in good time before the changes come into effect by a corresponding notice on our website. Our guests may also be notified of the changes by email or in another way.