Information on data collection and processing within the HotMiles Program
Jetzt 5 % bei der Buchung  
von Tagungen und Events sparen.
Book
Find your hotel:

Information on data collection and processing within the HotMiles Program


1. Name and address of the controller for the processing

For Art. 4(7) of the General Data Protection Regulation (GDPR), other data protection laws applicable in EU member states, and other provisions related to data privacy, the controller for the HotMiles programme is:

My H-Hotels GmbH
Braunser Weg 12
34454 Bad Arolsen
Germany

2. Contact data of the data protection officer

Stefan Burghardt
RKM Data GmbH
Bertha-von-Suttner-Str. 9
37085 Göttingen
Germany
Tel: +49 (0) 551 707 280
E-Mail: [email protected]

3. What data do we collect?

3.1 Master data

When you enrol in the HotMiles programme, we collect some of the data you disclose in the online form, such as your title, first as well as last names, email address (if you are enrolling in HotMiles Business Events, the company name and address as well), and your confirmation that the prerequisites for your participation have been met. We need those data before we can enter into a contract with you.

During your enrolment or later, you can also voluntarily disclose additional data, like your address and date of birth. You can still participate in the HotMiles programme even if you do not provide this data to us.

When you open your HotMiles account, we will give you a HotMiles participant ID. It allows you to be identified as a participant unambiguously.

3.2 Programme data

If you collect or redeem HotMiles, we record them as ‘programme data’ which includes the information we need for the credit and to administer, develop and market the programme. It also provides information about the partner with whom you are collecting HotMiles, and services for which you are receiving the credit. When redeeming HotMiles, this includes information about the requested premium and the number or HotMiles used.

3.3 Status information

When you receive a state from HotMiles (silver, gold, or platinum), we store the necessary data, such as the type of status and the number and dates of the overnight stays. It is omitted for HotMiles Business Events.

4. . What do we use your data for?

We collect, process, and use your data to:

  • process your application to participate in the programme;
  • For HotMiles Business Events, to review your information regarding your eligibility to partici-pate in the programme;
  • allow you to collect and redeem HotMiles, in particular, to credit the collected HotMiles to your account and debit your HotMiles account accordingly when a bonus is collected;
  • always be able to review whether you were credited with the correct number of Hot-Miles when a bonus is collected;
  • manage your HotMiles status;
  • send you other current information about HotMiles;
  • fulfil our statutory obligations, especially retention requirements.

If you have granted us a separate consent, we will send you the following by email or electronically:

  • Information about your status and the status of your HotMiles, interesting offers, the HotMiles programme, as well as participating partners and their benefits. Based on your consent, we can process your master data, programme data, status data, and the data col-lected during the use of our services (website, app, newsletter or other media) to send you customised information;
  • Market research surveys to improve the HotMiles programme.

5. Do we forward your data to third parties or commissioned data processors?

We will forward the data to third parties only if this is necessary to collect and redeem the HotMiles or a statutory obligation exists. We will also transmit the status you have attained to participating hotels so they will grant you the appropriate benefits. You will find a list of all participating hotels at https://www.h-hotels.com/en/hotmiles/participating-hotels. For HotMiles Business Events, we may forward data to your company if this is necessary to check your eligibility.

We have commissioned data processors such as Oracle (Opera), Datev, distributors of the newsletter, the operators of computer centres, providers of Software as a Service (SaaS) to pro-cess your data for the bonus programme, as well as providers of credit vouchers. Contracts bind those processors to follow Art. 28 GDPR.

6. Legal basis for processing

We process the data to execute the contract with you and to fulfil statutory obligations based on (Art. 6(1)(1)(a, b, c) GDPR), provided you have granted your consent. You may withdraw your consent at any time, doing so will not affect the legality of any processing performed based that consent before it was withdrawn.

7. Routine correcting and blocking of personal data

We will store the data for as long as you participate in the HotMiles programme. Once your contractual relationship with us ends, we will block the data and store it for the period specified by the statutory retention requirements.

8. Collecting site data through the HotMiles app

For data collection connected with the use of the HotMiles app, we refer to our data privacy statement. You can find that app in the Apple App Store and the Google Play Store (omitted for HotMiles Business Events).

9. Creation of log files

Whenever the internet site is accessed, we record data through an automated system. They are stored in the server’s log files.

It includes, in particular, information on the browser type and version used; the user’s operating system, internet service provider, and IP address; the date and time of access; websites from which the user’s system arrived at our internet site (referrer); and websites that are called up from the user’s system via our website.

The data is processed to optimise our internet site, deliver its content, and ensure the functionality of our IT systems. Data of the log files are always stored separately from the user’s other data.

10. Use of cookies

Our internet sites use cookies. Cookies are small amounts of data stored on the user’s computer system by the internet browser. When a site is accessed, the cookies can be transmitted there to allow the user to be identified. Cookies make it easier for the user to use internet sites.

However, you can object to the placement of cookies at any time by changing your browser settings accordingly. Once set up, cookies can be deleted. However, if you deactivate cookies, you might not be able to use all of our internet site’s functions to their full extent.

11. Web analytics

This website uses Google Analytics, a web analysis service of Google Inc. (Google). Google Analytics uses cookies. Text files which are stored on your computer and which make it possible to analyse your usage of the website. The information the cookie generates regarding your use of this website is generally transferred to a Google server in the United States and stored there. However, if IP anonymisation is activated on this website, Google will truncate your IP address in advance within the member states of the European Union or other Contracting Parties to the EEA Agreement. Only in exceptional cases will the full IP address be transferred to a Google server in the USA and truncated there. On behalf of this website’s operator, Google will use this information to evaluate how you use the website, compile reports about website activities, and render additional services for the website operator which are connected with the use of the website and the internet.

Our website uses Google Analytics with the extension ‘_anonymizeIp()’. As a result, IP ad-dresses are processed shortened, a direct connection to an individual can thus be excluded.

The IP address transmitted as part of Google Analytics will not be pooled with other Google data.

You can prevent cookies from being stored by adjusting your browser software appropriately. However, you may not be able to use all of this website’s features to their full extent if you do.

You can also prevent Google from recording and processing the data generated by the cookie that relates to your use of the website (including your IP address) by downloading and installing the browser plug-in available under the following link: http://tools.google.com/dlpage/gaoptout?hl=de.

Google Analytics is used in compliance with the prerequisites on which the German data protec-tion authorities have agreed with Google. Information of the third-party provider: Google Ire-land Ltd., Gordon House, Barrow Street, Dublin 4, Ireland, Fax: +353 436 1001. Usage condi-tions: http://www.google.com/analytics/terms/de.html, an overview of data privacy: http://www.google.com/intl/de/analytics/learn/privacy.html, and the data privacy statement: http://www.google.de/intl/de/policies/privacy.

12. Use of social media plug-ins

12.1 Social media plug-ins used

We currently set the following social media plug-ins. Facebook, Instagram, X, LinkedIn, Xing, Pinterest, Google+, and YouTube. In doing so, we use the ‘two-click’ solution. As a general rule, no personal data will be initially forwarded to the plug-in’s provider whenever you visit our site. You recognise the plug-in’s provider by its logo, or by the marking on the tile over its initial letter. You may use the button to communicate directly with the plug-in’s provider. The plug-in provider receives the information that you have accessed the corresponding website of our online service only if you click on the marked field and activate it. Moreover, additional personal data from you will be transmitted to the respective plug-in provider and stored there (in the US, if the provider is American). Since the plug-in’s provider collects data through cookies, in particular, we recommend that you delete all cookies by adjusting your browser’s security settings before clicking on the greyed-out tile.

We do no influence the collected data and dataprocessing operations, nor are we aware of the full extent of the data collection, the purpose of processing or the storage periods. We also have no information about the deletion of the collected data through the plug-in’s provider.

The plug-in’s provider stores the data collected about you as a user profile and uses those data for purposes of advertisement, market research, or the needs-based design of its website. The data is used that way in particular (even for users who are not logged in) to present needs-based advertisement and to inform other users of the social network about your activities on our website. You may contact the plug-in’s provider to object to this user profile being formed. We use the plug-in to give you the chance to interact with the social networks and other users so that we can improve our offerings and make them more interesting for you as a user. The legal basis for using the plug-in is Art. 6 (1)(1)(f) GDPR.

The data will be forwarded regardless if you possess an account with the plug-in’s provider and are logged in there. If you are logged in with the plug-in’s provider, the data we have collected will be assigned directly to your account with that provider. For example, if you click the activated button and link the page, the plug-in’s provider will also store this information in your user account and share your contact data publicly. We recommend that you regularly log out after using a social network—especially before activating the button—since this will allow you to avoid this type of assignment to your profile with the plug-in’s provider.

12.2 Data privacy statements of the providers

You can obtain additional information about the purpose and scope of the data collection and how the plug-in’s provider will process those data in the data privacy statements of that provider communicated in the following. There you can also obtain additional information about your rights, and options for adjusting your settings in this regard to protect your privacy.

Addresses, URLs, and data privacy notices of the different plug-in providers:

  • a) Facebook Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland; http://www.facebook.com/policy.php; additional information about data collection: http://www.facebook.com/help/186325668085084, http://www.facebook.com/about/privacy/your-info-on-other#applications and http://www.facebook.com/about/privacy/your-info#everyoneinfo. Facebook participates in the EU-US Privacy Shield, https://www.privacyshield.gov/EU-US-Framework.
  • b) Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland, Fax: +353 436 1001; https://www.google.com/policies/privacy/partners/?hl=de. Google participates in the EU-US Privacy Shield, https://www.privacyshield.gov/EU-US-Framework
  • c) X, Inc., 1355 Market St, Suite 900, San Francisco, California 94103, USA; https://twitter.com/privacy. X participates in the EU-US Privacy Shield, https://www.privacyshield.gov/EU-US-Framework.
  • d) LinkedIn Corporation, 2029 Stierlin Court, Mountain View, California 94043, USA; http://www.linkedin.com/legal/privacy-policy. LinkedIn participates in the EU-US Privacy Shield, https://www.privacyshield.gov/EU-US-Framework
  • e) Xing AG, Gänsemarkt 43, 20354 Hamburg, Germany; http://www.xing.com/privacy
  • f) Pinterest Europe Ltd., Palmerston House, 2nd Floor, Fenian Street, Dublin 2, Ireland; https://policy.pinterest.com/de/privacy-policy

12.3 Inclusion of YouTube videos

We have included YouTube videos in our online services, which are stored at http://www.youtube.com and can be played directly from our website. Those videos are all incorporated into ‘extended data protection mode’. Hence, no data about you as a user is transmitted to YouTube if you don’t watch the videos. Data will not be communicated until you play the videos. We do not influence this data transmission.

When you visit the website, YouTube is informed that you have accessed the respective subpage of our website. It happens regardless of whether YouTube provides a user account into which you are logged, or whether a user account exists. If you are logged in with Google, your data will be assigned directly to your account. To keep this from happening, you must log out of YouTube before activating the button. YouTube will store your data as a usage profile and use it for advertising, market research, or to design its website based on user needs. This type of use will especially occur (even for users who are not logged in) to render needs-based advertisement, but also to inform other users of the social network about your activities on our website. You may object to this user profile being formed. You must contact YouTube to exercise that right.

For additional information about the purpose and scope of the data collection and how YouTube will process those data, please read YouTube’s data privacy statement. There you can also obtain additional information about your rights, and options for adjusting your settings in this regard to protect your privacy: https://www.google.de/intl/de/policies/privacy. Google also processes your data in the US and participates in the EU-US Privacy Shield, https://www.privacyshield.gov/EU-US-Framework.

We use the software Hotjar (http://www.hotjar.com, 3 Lyons Range, 20 Bisazza Street, Sliema SLM 1640, Malta, Europe) to improve the user experience on our internet sites. Hotjar helps us measure and evaluate user behaviour (input movements, activations, movement height, et cetera) on our internet sites. To that end, Hotjar places cookies on users’ devices and can store user data like browser information, operating system, length of time on the site, et cetera. You can read more about how Hotjar processes data at https://www.hotjar.com/privacy.

13. Rights of data subjects

In cases where your data is processed, following the GDPR, you are the data subject and entitled to the following rights toward the data controller:

13.1 Right to information

You can demand that the data controller confirms whether we are processing your data.

In this case, you can demand access to the following information from the data controller:

  • a) the purposes for which the personal data are being processed;
  • b) the categories of personal data being processed;
  • c) the recipient or categories of recipients to whom your data concerning will be disclosed;
  • d) the planned duration of the storage of your data, or if no specific information is available, the criteria for determining the storage period;
  • e) the correction or deletion of your data, as well as the limitation of the processing by the data controller or the right to object to this processing;
  • f) to complain to a supervisory authority;
  • g) to obtain all available information on the source of the data if your data is not collected by the data subject;
  • h) to obtain, at least in these cases, meaningful information about the involved logic, the scope and the intended effects of the processing an automated decision-making process including profiling according to Art. 22(1) and (4) GDPR and.

You have the right to demand whether your data is communicated to a third country or international organisation. In this context, you may demand to be informed about the appropriate guarantees under Art. 46 GDPR in connection with such transmission.

13.2 Right to rectification

We will gladly remedy the situation on request if incorrect information is stored. You can keep most of your master data up to date by going to your customer profile on our website.

13.3 Right to restrict processing

You may demand that the processing of your data is restricted, under the following conditions:

  • a) if you dispute that your data is incorrect, for a duration which enables the data controller to check their correctness;
  • b) the processing is unlawful, and you waive your right to have the data deleted, and instead, demand their use to be restricted;
  • c) the controller of the personal data no longer needs them for their processing, but you need them to assert, exercise or defend against legal claims; or
  • d) if you objected to the processing under Art. 21(1) GDPR and it has not yet been established whether the data controller’s legitimate reasons outweigh your reasons.

If the processing of your data was restricted, this data—regardless of its storage—may be processed only (1) with your consent, (2) to assert, exercise, or defend against legal claims, (3) to protect the rights of another natural person or legal entity, or (4) for reasons of an important public interest of the EU or a member state.

If the processing has been restricted according to the aforementioned conditions; the data controller will inform you before that restriction is lifted.

13.4 Right to deletion

13.4.1

You can demand from the data controller that your data is erased without delay, and the data controller is obligated to do so provided one of the following grounds applies:

  • a) Your data is are no longer necessary for the purposes for which they were collected or processed otherwise.
  • b) You withdraw your consent, on which the processing is based, following Art. 6(1)(1)(a) GDPR or Art. 9(2)(a) GDPR, and there is no other legal basis for the processing.
  • c) You object to the processing under Art. 21(1) GDPR and there are no overriding legitimate reasons for the processing, or you object to the processing under Art. 21(2) GDPR.
  • d) Your data is processed unlawfully.
  • e) your data must be erased to fulfil a legal obligation under EU or Member State law to which the data controller is subject.
  • f) Your was collected in connection with information society services under Art. 8(1) GDPR.

13.4.2

If the data controller has publicised your data but is obligated under Art. 17(1) GDPR to erase them, the data controller, taking account of available technology and the cost of implementation, must take reasonable steps, including technical measures, to inform data controllers who are processing your data that you, as the data subject, have requested that they erase any links to, or copies or replications of, those personal data.

13.4.3

The right to erasure does not exist if the processing is necessary:

  • a) to exercise the right to information and freedom of expression;
  • b) to fulfil a legal obligation which requires the processing under EU or Member State law to which the data controller is subject, or to carry out a task in the public interest or the exercise of public authority vested in the data controller;
  • c) for reasons of the public interest in the area of public health under Art. 9(2)(h) and (i) as well as Art. 9(3) GDPR;
  • d) for archiving, scientific, or historical research purposes in the public interest, or statistical purposes under Art. 89(1) GDPR, insofar as the right mentioned in paragraph 1 is expected to prevent or seriously impair the realisation of the objectives of this processing; or
  • e) to establish, exercise, or defend against legal claims.

13.5 Right to be informed

If you have asserted your right to rectification, erasure, or restriction of the processing toward the data controller, the data controller is obligated to communicate such correction or deletion of the data or restriction of its processing to all recipients to whom your data was disclosed, unless this proves impossible or would entail a disproportionate effort.

You have the right to be informed by the data controller about those recipients.

13.6 Right to data portability

You have the right to receive your data, which you have provided to the data controller, in a structured, commonly used, and machine-readable format. You also have the right to transmit this data to another data controller without hindrance from the data controller to which your data was provided, as long as

  • a) the processing is based on consent following Art. 6(1)(1)(a) or 9(2)(a) GDPR, or is pursuant to a contract based om Art. 6(1)(1)(b) GDPR; and
  • b) the processing occurs with the help of automated procedures.

In exercising this right, can have your transmitted directly from one data controller to another, insofar as this is technically feasible. Doing so must not impair the rights and freedoms of others.

The right to data portability does not apply if personal data must be processed to carry out a task in the public interest or in the exercise of public authority vested in the controller.

13.7 Right to object

You have the right to object at any time, for reasons arising from your particular situation, if your data is processed based on Art. 6(1)(e or f) GDPR. It also applies to the process of profiling based on these provisions.

The data controller will cease processing of your data unless the data controller can verify compulsory legitimate grounds for the processing which override your interests, rights and freedoms, or if the processing is done to assert, exercise, or defend against legal claims.

If your data was processed for direct marketing purposes, you may object to that processing at any time. It also applies to any profiling connected to direct marketing.

If you object to processing for direct marketing purposes, your data will no longer be processed for those purposes.

In connection with the use of information society services, you may exercise your right to object using an automatic procedure in which technical specifications are used (regardless of Directive 2002/58/EC).

13.8 Right to revoke the declaration of consent under data protection law

You have the right to withdraw your declaration of consent under data protection laws at any time. Withdrawing your consent will not affect the legality of processing that has already occurred based on your consent.

13.9 Automated decision-making in individual cases, including profiling

You have the right not to be subject to a decision based exclusively on automated processing—including profiling—which legally affects or otherwise significantly impairs you. It does not apply if that decision

  • a) is necessary to conclude or fulfil a contract between you and the data controller;
  • b) is permitted under EU or Member State law to which the data controller is subject, and which stipulates reasonable measures for guarding your rights, freedoms and legitimate interests; or
  • c) is made with your express consent.

However, these decisions may not be based on special categories of personal data under Art. 9(1) GDPR unless Art. 9(2)(a) or (g) GDPR apply, and reasonable measures have been taken to protect your rights, freedoms, and legitimate interests.

Regarding the cases mentioned in a) and c), the data controller must take reasonable measures to guard your rights, freedoms, and legitimate interests, which must include at least the right to obtain human intervention on the part of the controller, to present your point of view, and to contest the decision.

13.10 Right to file a complaint with a supervisory authority

If you believe that the processing of your data breaches the GDPR, you have the right to complain to a supervisory authority—especially in the Member State of your abode, your workplace, or the place of the suspected breach—without prejudice to other administrative rights or judicial remedies.

You are also entitled to lodge a complaint with the supervisory authority competent for us:

The Commissioner for Data Protection of Hesse
Gustav-Stresemann-Ring 1
65189 Wiesbaden, Germany
Tel. +49 611/1408-0
Fax +49 611/1408-900 or -901

The supervisory authority to which the complaint is submitted will inform the complainant about the status and results of that complaint, including the possibility for a judicial remedy under Art. 78 GDPR.

Book now