DATA PROTECTION NOTES

I. Names and contact details of the controller and the company data protection officer

This data protection information applies to the Internet offering of Bikini Island & Mountain Hotels GmbH (hereinafter: “Bikini Hotels”), Ericus 1, 20457 Hamburg, Germany, which can be accessed at the domain https://www. bikini-hotels.com and in the various sub-domains:

1. Data controller as defined by the EU General Data Protection Regulation (GDPR)

Bikini Island & Mountain Hotels GmbH,

Ericus 1, 20457 Hamburg, Germany;

Email: info@bikini-hotels.com

2. Data protection officer

Bikini’s company data protection officer can be contacted at the following address:

PROFESSIONAL GROUP CONVERSIA S.L.U.

CIF B17962655

Av. Mas Pins 150, 3a – Edifici Punt Blau

17457 Riudellots de la Selva (GIRONA)

Tel.902877192

Fax.902877042

info@conversia.es

II. Collection and storage of personal data and its type and purpose of use

Personal data is any information relating to an identified or identifiable natural person. This includes, for example, information such as your name, age, address, telephone number, date of birth, email address, IP address or user behaviour. Information which cannot be used to identify you (or only with a disproportionate level of effort), for example because it is anonymised, is not defined as personal data. Processing of personal data (such as collection, consultation, use, storage or transmission) will always require a legal basis or your consent. Processed personal data will be erased as soon as the purpose of processing has been completed and it is no longer necessary to comply with any legal storage obligations.

Insofar as we process your personal data in order to provide specific offerings we will inform you below about the specific procedures, the extent and the purpose of the data processing, the legal basis for processing and the corresponding storage period.

1. When performing a contract

We will only collect, process and use personal data insofar as it is required for the establishment, structuring or amendment of a legal relationship (inventory data). This will take place on the basis of Art. 6 Para. 1 (b) GDPR, which permits the processing of data to perform a contract or pre-contractual measures. We will only collect, process and use personal data collected when you use our Internet offering (usage data) insofar as this is required to allow you to make use of the service or for us to charge for this use.

The customer data which has been collected will be erased following completion of the order or when the business relationship ends. Legal storage obligations remain unaffected by this.

We use the HotelNetSolutions booking engine to make it easier for you to book your stay with us and on well-known booking platforms online. Your data will be collected, processed and used solely for the purpose of establishing, performing and processing the contractual relationship established when a booking is made.

In this context, it should be taken into consideration that our business relationship may be intended to last for a number of years. Should the data no longer be required to perform contractual or legal obligations, then it will be erased at regular intervals unless its – time-limited – further processing is required for the following purposes:

  • In accordance with Article 6 Para. 1 Clause 1 (c) GDPR, legal storage and documentation regulations (e.g. German tax and trade laws such as HGB, GWG or AO) require us to store the data for a longer period of time; or
  • Further processing serves to preserve evidence within the scope of statute of limitations regulations. In accordance with Sect. 195 ff. German Civil Code (BGB) these statute of limitation regulations may be up to 30 years, whereby the standard statute of limitations is three years; or
  • You have consented to longer storage in accordance with Art. 6 Para. 1 Clause 1 (a) GDPR.

2. When visiting the website

We use cookies on our website. These are small files which are automatically created by your browser and stored on your end device (laptop, tablet, smartphone or similar) when you visit our website. Cookies cause no damage to your end device and do not contain any viruses, trojans or other form of malware. The cookie is used to store information relating to the specific end device which is being used. This does not, however, mean that we are able to obtain specific knowledge concerning your identity.

Cookies are employed to make using our offering more user-friendly. We thus use so-called ‘session cookies’ to recognise whether you have already visited specific pages on our website in the past. These cookies are automatically deleted when you leave our website.

Over and above this, we also employ temporary cookies to optimise user-friendliness; these cookies are installed on your end device for a predefined, limited period of time. Should you revisit our website to make use of our offering during this time, then we are able to automatically recognise that you are returning to the website and to identify the entries and settings you used. This in turn means that you do not have to provide this information again.

Parallel to this, we also employ cookies to collect statistics regarding use of our website and to evaluate how we can optimise our offering for you (see Section V). Should you revisit our site, these cookies allow us to automatically recognise that you have already visited us. They will automatically be deleted after a corresponding predefined period of time. The data processed using cookies is necessary for the above-mentioned purposes to safeguard our legitimate interests and those of third parties as defined by Art. 6 Para. 1 Clause 1 (f)) GDPR.

Most browsers accept cookies automatically. You can, however, configure your browser to block cookies or to inform you before a new cookie is installed. Full deactivation of cookies may, however, mean that you are unable to use all the features offered on our website.

What exactly does this mean?

When you visit our www.bikini-hotels.com website and its subdomains the browser installed on your end device will automatically transmit information to our web server. This information will be temporarily stored in a so-called log file. When doing so, the following information will be collected without any action on your part and stored until it is automatically erased:

  • The requesting computer’s IP address,
  • The date and time of the request,
  • The name and URL of the file requested,
  • The volume of data transmitted and the download time,
  • The website from which the request was sent (referrer URL),
  • The type of browser used and, where applicable, your computer’s operating system and your access provider’s name.

We will process the above-mentioned data for the following purposes:

  • To ensure smooth establishment of a connection to the website,
  • To facilitate convenient use of our website,
  • To evaluate system security and stability as well as
  • For further administrative purposes.

The legal basis for data processing is Art. 6 Para. 1 Clause 1 (f)) GDPR. Our legitimate interests arise from the above-mentioned list of data collection purposes. On no account will we use the data collected to identify you personally.

Over and above this, we use cookies and analysis services when users visit our website. For more details on this, please see Section IV of this data protection declaration.

3. When subscribing to our newsletter

If, in accordance with Art. 6 Para. 1 Clause 1 (a) GDPR, you have explicitly consented to it, we will use your email address to send you our newsletter at regular intervals. Provision of an email address is sufficient to receive the newsletter. To ensure that no errors occur when users register for our newsletter we use the so-called ‘double opt-in procedure’ (DOI procedure). After you have registered for our newsletter by ticking the corresponding box we will send a confirmation link to the email address you have provided. Your email address will not be added to our newsletter emailing circulation list until you have clicked this confirmation link.

Note on right of withdrawal – you can unsubscribe from the newsletter at any time by withdrawing your consent, for example by using the link provided at the end of each newsletter. Alternatively you can email your unsubscribe request to

info@bikini-hotels.com

at any time.

4. Establishing contact / Contact form

You have several options to establish contact with us (e.g. by email, telephone, fax or postal mail). Should you establish contact with us, we will use the personal data which you provided to us voluntarily during this process for the sole purpose of establishing contact with you and processing your enquiry.

The legal basis for data processing within the scope of establishing contact is Art. 6 Para. 1 Clause 1 (a), (b), (c) and (f)) GDPR.

Personal data which we collect to establish contact with you will be erased after your enquiry has been dealt with, unless, following the establishment of contact, further data processing is required in accordance with Section II. 1 of this data protection declaration.

III. Transfer of data

Your personal data will only be transferred to third parties for the purposes listed below.

We will only transfer your personal data to third parties if:

  • You have given us your explicit consent to do so in accordance with Art. 6 Para. 1 Clause 1 (a) GDPR,
  • Transfer is necessary to perform the contractual relationship with you and there is no reason to assume that you have an overriding interest in your data not being transferred which requires protection in accordance with Art. 6 Para. 1 Clause 1 (f) GDPR,
  • The transfer is necessary to comply with a legal obligation in accordance with Art. 6 Para. 1 Clause 1 (c) GDPR, and
  • This is legally permissible and, in accordance with Art. 6 Para. 1 Clause 1 (b) GDPR, is necessary to perform pre-contractual measures or a contract with you.

IV. Google AdWords conversion tracking / Google Maps / Google Fonts

1. Google AdWords conversion tracking

We use Google conversion tracking to gather statistics on use of our website and to optimise it for you. Within the scope of this service Google AdWords installs a cookie (see Section II 2.) on your computer insofar as you access our website via a Google ad. These cookies expire after 30 days and are not used for personal identification purposes. Should the user visit certain pages on the AdWords client’s website before the cookie expires, Google and the client are able to recognise that the user clicked the ad and was taken to the website.

Every AdWords client is assigned a different cookie. Cookies cannot thus be traced via AdWords clients’ websites. The information obtained with the help of the conversion cookie is used to compile conversion statistics for AdWords clients who have booked the conversion tracking option. These clients receive information regarding the total number of users who clicked their ad and were taken to the website equipped with a conversion tracking tag. They do not, however, receive any information which would enable them to identify the user’s personal details.

Should you not wish to participate in the tracking process, you can block the cookie – for example by changing your browser settings to deactivate the automatic installation of all cookies. You can also deactivate conversion tracking cookies by setting your browser to block cookies from the “www.googleadservices.com” domain. To view Google’s data protection notice on conversion tracking click here (https://services.google.com/sitestats/de.html).

2. Google Maps

Our website uses the Google Maps service via an API. The service is provided by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. To facilitate use of the Google Maps functions your IP address must be stored. This information is usually transmitted to a Google server in the USA, where it is stored. We have no influence over the transmission of this data. The use of Google Maps takes place in the interest of attractive presentation of our online offerings and to facilitate easy finding of the locations mentioned on the website. This is a legitimate interest as defined by Art. 6 Para. 1 (f) GDPR. For more information about handling of user data please see Google’s data protection notice at: https://www.google.de/intl/de/policies/privacy/.

3. Google Fonts

To facilitate the uniform presentation of fonts this website uses so-called ‘web fonts’ provided by Google. When accessing a site your browser will download the required web fonts to your browser cache to facilitate correct presentation of texts and fonts. Your browser must establish contact with Google’s servers for this purpose. By doing so, you are providing Google with information that our website was accessed via your IP address. The use of Google Fonts takes place in the interest of uniform, attractive presentation of our online offerings and is thus a legitimate interest as defined by Art. 6 Para. 1 (f) GDPR. Should your browser not support web fonts, then one of your computer’s standard fonts will be used instead. For more information about Google Fonts visit https://developers.google.com/fonts/faq and see Google’s data protection notice: https://www.google.com/policies/privacy/.

V. Embedded videos and images from external websites

Some of our pages included embedded content from YouTube or Instagram. When you retrieve a specific page from our Internet offering which includes embedded videos or images originating from our YouTube or Instagram channels, the only personal data which will be transmitted is your IP address. In the case of YouTube your IP address will be transmitted to Google Inc., in the case of Instagram to Instagram Inc., 181 South Park Street Suite 2, San Francisco, California 94107, USA (“Instagram”).

VI. Data subject rights

You have the following rights:

  • In accordance with Art. 7 Para. 3 GDPR – to withdraw consent which you have given us at any time. This will mean that we are no longer able to continue processing data which was covered by this consent;
  • In accordance with Art. 15 GDPR – to demand information about the personal data which we process. You can, in particular, demand information about the purposes of processing; the category of personal data concerned; the categories of recipients to whom the personal data has been or will be disclosed; the envisaged storage period; the existence of a right to request rectification, erasure, or restriction of processing of data or to object to data processing; the existence of a right to lodge a complaint; the source of your data insofar as it was not collected by us; and the existence of automated decision-making including profiling and, where applicable, meaningful information about the logic involved;
  • In accordance with Art. 16 GDPR – to demand without delay the rectification of inaccurate data or the completion of incomplete personal data stored by us;
  • In accordance with Art. 17 GDPR – to demand the erasure of personal data stored by us, insofar as processing of the data is not necessary to exercise the right of freedom of expression and information; for compliance with a legal obligation; for reasons of public interest; or for the establishment, exercise or defence of legal claims;
  • In accordance with Art. 18 GDPR – to demand restriction of processing of your personal data insofar as you contest its accuracy; its processing is unlawful, however you oppose its erasure; we no longer need the data, however you require it to establish, exercise or defend a legal claim; or you have objected to processing under the terms of Art. 21 GDPR;
  • In accordance with Art. 20 GDPR – to demand that you receive the personal data which you have provided to us in a structured, commonly used and machine-readable format or to demand its transfer to another controller;
  • In accordance with Art. 77 GDPR – to lodge a complaint with a supervisory authority. To do so you can generally contact the supervisory authority in your habitual place of residence or place of work or the place where our business is headquartered.

VII. Right to object / withdraw

1. Right to object

Insofar as your personal data is being processed on the basis of legitimate interests as defined by Art. 6 Para. 1 Clause 1 (f) GDPR and in accordance with Art. 21 GDPR, you have the right to object to processing of your personal data on grounds relating to your personal situation or where your data is being processed for direct marketing purposes. In cases of direct marketing you have a general right to object without having to state specific grounds which we must implement.

2. Right to withdraw

Insofar as we are processing data on the basis of consent given by you, you have the right to withdraw this consent at any time. Withdrawal of consent will not mean that any data processing which was carried out on the basis of this consent before the date on which it was withdrawn will become invalid.

3. Exercising of these rights

Should you wish to exercise your right to object / withdraw, simply send an email to info@bikini-hotels.com. Alternatively, you can exercise your right to object / withdraw by sending a letter to Bikini Island & Mountain Hotels GmbH, Ericus 1, 20457 Hamburg, Germany.

VIII. Data security

To ensure that your visit to our website is secure, we use the widespread SSL procedure (Secure Socket Layer) in conjunction with the highest encryption level supported by your browser. This is generally 256-bit encryption. Should your browser not support 256-bit encryption, then we will use 128-bit v3 technology instead. The locked padlock symbol in your browser’s lower status bar indicates that an individual page of our Internet presence is encrypted.

In addition to this, we have implemented appropriate technical and organization security measures to protect your data against accidental or deliberate manipulation; partial or full loss; destruction or unauthorized access by third parties. Our security measures are continuously updated in line with technological developments.

IX. Currentness and amendment of this data protection declaration

This data protection declaration is current and valid in the version of November 2019.

Further development of our website and offerings in connection with it or changes in legal or official requirements may make it necessary to amend this data protection declaration. To view or print off the relevant current data protection declaration at any time, please go to our website https://www.bikini-hotels.com/de/datenschutz/.

X. DialogShift Chat Application

Our website uses the chat application from DialogShift GmbH, Torstr. 201, 10115 Berlin. This application processes and stores data for the purpose of web analysis, operating the chat application, and responding to inquiries. For the operation of the chat function, chat texts are stored, and a cookie with a unique ID is set—this serves to recognize you as a customer. A cookie is a small text file that is stored locally in the cache on your device. With the help of this cookie, our application recognizes the device again and can retrieve past chat logs. This cookie is stored for 90 days since its last use. You can disable the storage of cookies in your browser settings. However, without the use of cookies, the chat function cannot be executed. The possible disclosure of, for example, names, email addresses, or a telephone number is voluntary and with the consent to temporarily use and store these data for the purpose of making contact until the end of the contact. These personal data are deleted after 90 days. The legal basis for data processing is according to Art. 6 Para. 1 lit. a GDPR, § 25 Para. 1 TTDSG based on your consent. DialogShift offers further information on data collection and use as well as your rights and options for protecting your privacy at https://www.dialogshift.com/datenschutz.

Bikini Island & Mountain Hotels
Ericus 1
20457 Hamburg
Germany

info@bikini-hotels.com