I. Data Controller Name and Address

The Data Controller as defined by the General Data Protection Regulation (GDPR) and other national data protection laws of the EU member states as well as other applicable data protection provisions is:

Hotel Castel GmbH
Keschtngasse 18
39019 Tirol (BZ)
Italy
ph.: +39 0473 923 693
E-mail: info@hotel-castel.com
Website: www.hotel-castel.com

II. Data Protection Officer Name and Address

The Data Protection Officer of the Data Controller is:

Daniel Dobitsch
Keschtngasse 18
39019 Tirol (BZ)
Italy
ph.: +39 0473 923 693
E-mail: marketing@hotel-castel.com
Website: www.hotel-castel.com

III. General information regarding data processing

1. Extent to which we process personally identifiable data

As a matter of principle, we process our users' personally identifiable data exclusively to the extent necessary for the purposes of providing a functional website as well as our content and services. We only process our users' personally identifiable data upon receiving the user's express consent, except in cases where factual causes make it impossible for us to obtain such advance consent, and legal regulations permit processing the data.

2. Legal basis for processing personally identifiable data

To the extent that we obtain the Data Subject's consent to the processing of personally identifiable data, the EU General Data Protection Regulation (GDPR), Art. 6(1)(a) provides the legal basis.

Provided that it is necessary to process personally identifiable data in fulfilment of a contract between ourselves and the Data Subject, Art. 6(1)(b) of the GDPR provides the legal basis. The same applies to any data processing that is necessary to perform certain pre-contractual activities.

To the extent that processing of personally identifiable data is required to fulfil a legal obligation of our company, the legal basis is Art. 6(1)(c) of the GDPR.

In the event that processing of personally identifiable data is of vital importance to the Data Subject or any other natural person, the legal basis is provided by Art. 6(1)(d) of the GDPR.

If the data must be processed to protect the legitimate interests of our company or any third party, Art. 6(1)(f) of the GDPR shall be the legal basis for data processing, unless the interests, fundamental rights and fundamental freedoms of the Data Subject supersede such interests of our company or third party.

3. Data erasure and duration of storage

The Data Subject’s personally identifiable data will be deleted or blocked as soon as the reason for its storage ceases to exist. Furthermore, the data may be stored if such storage is required under European or national legislation in EU regulations, laws or other provisions applicable to the Data Controller. Moreover, the data will be blocked or deleted upon expiry of any storage term specified by such legislation unless continued storage of the data is necessary for conclusion or performance of a contract.

IV. Provision of this website and creation of log files

1. Description and scope of data processing

Every time our web pages are accessed, our system automatically captures data and information from the computer system accessing them.

The following information is collected:

  1. Information about the browser type and version
  2. The user's operating system
  3. The user's Internet service provider
  4. The user's IP address
  5. Date and time of access to the site
  6. The websites from which the user's system accessed our website
  7. Websites the user's system accesses from our website

This information is likewise stored in the log files of our system. We do not collect the user's IP address or other information that would allow us to identify a specific user. None of this data is stored together with other personally identifiable data of the particular user.

2. Legal basis for processing your data

The legal basis for the temporary storage of this data is provided by GDPR, Art. 6(1)(f).

3. Purpose of data processing

Temporary storage of the IP address by the system is necessary to make the website available to the user's computer. This requires storing the user's IP address for the duration of the session.

The same purpose is the basis of our legitimate interest in processing the data pursuant to GDPR, Art. 6(1)(f).

4. Duration of data storage

The data will be deleted as soon as it is no longer needed for the purpose of its collection. To the extent that the data is collected for the purpose of providing the website, this occurs when the respective session is terminated.

5. Option to object, or request erasure

Capturing the data so as to make the website available, and storing the data in log files is a necessary prerequisite for operating these webpages. Therefore the user is not provided with an option to object.

V. Use of Cookies

a) Description and scope of data processing

Our website uses cookies. Cookies are text files stored on the user's computer system in or by the user's Internet browser. When a user accesses a website, a cookie may be stored on the user's operating system. This cookie will contain a unique sequence of characters allowing the browser to be identified the next time it accesses the website.

We use cookies to make a website more user-friendly. Some elements of our web pages require the ability to re-identify the accessing browser after it has switched pages. In addition, our website may use cookies allowing the user's surfing behaviour to be analysed.

For more information on the cookies we use please refer to: Cookie Settings

When a user accesses our website, we inform the user that we use cookies for analytical purposes, and ask his or her consent to our processing the personally identifiable data in this context. At the same time, the user is referred to this data protection policy.

b) Legal basis for processing the data

The legal basis for processing personally identifiable data through the use of technically required cookies is provided by GDPR, Art. 6(1)(f).

The legal basis for processing personally identifiable data through the use of cookies for analytical purposes with the user's express consent is provided by GDPR, Art. 6(1)(a).

c) Purpose of data processing

Technically required cookies serve the purpose of making the use of websites easier for users. Some features of our website cannot be provided without the use of cookies. For these features to function, it must be possible to recognise the browser even after the user has temporarily left the page.

User data collected by technically required cookies is not used to create user profiles.

Analytical cookies are used to improve the quality of our website and its content. Analytical cookies tell us how the website is used so we can continuously improve our services.

These purposes form the basis for our legitimate interest in processing the personally identifiable data pursuant to GDPR, Art. 6(1)(f).

e) Duration of data storage, option to object or to request erasure

Cookies are stored on the user's computer, which transmits them to our webpage. This gives you, the user, full control over the use of cookies. By changing the settings in your Internet browser, you can disable or limit the transmission of cookies. Cookies which have already been stored can be deleted at any time. This may be done in an automated process. If all cookies for our website are disabled, some features of our website may not be usable as intended.

VI. Newsletter

1. Description and scope of data processing

Our website provides the option of subscribing to a free newsletter. When a user subscribes to the newsletter, the data from the registration form is transmitted to us. The following data is collected: Title, first name, last name, e-mail address.

In addition, the following data is collected during registration:

  1. Date and time of registration
  2. Language, if applicable

During the registration process, you are asked to give your consent to your data being processed, and referred to this data privacy policy.

When you purchase products or services through our website and provide your e-mail address, we may use your e-mail address to send you a newsletter. In such a case, the newsletter is exclusively used to advertise for our own products or services of a similar type.

When we process your data for the purpose of distributing newsletters, we will not disclose your data to any third parties. Your data will be used exclusively for the purpose of sending you the newsletter.

2. Legal basis for processing your data

The legal basis for processing the data with the user's express consent following the user's registration for the newsletter is provided by GDPR, Art. 6(1)(a).

The legal basis for sending the newsletter following the sale of products or services is the German Unfair Competition Act (UWG), section 7(3).

3. Purpose of data processing

The user's e-mail address is captured for the purpose of sending the newsletter to the user.

Any other personally identifiable data collected during registration is used to prevent misuse of the services or the e-mail address used.

4. Duration of data storage

The data will be deleted as soon as it is no longer needed for the purpose of its collection. Consequently, the user's e-mail address is stored as long as the newsletter subscription remains active.

All other personally identifiable information collected during registration is usually deleted after a period of seven days.

5. Option to object or to request erasure

The user may cancel his or her subscription to the newsletter at any time using a hyperlink that can be found in every newsletter.

The same process allows the user to revoke his or her consent to the storage of his or her personally identifiable data collected during registration.

VII. Contact form and e-mail contact

1. Description and scope of data processing

Our website provides a contact form that may be used to contact us electronically. A user's data entered into this contact form will be transmitted to us and stored by us. This data includes:

  • When requesting rooms and suites: Title, first name, last name, phone no. for queries, e-mail address, comments or special requests if any, airport pick-up, and how the user became aware of us. The same information is collected when requesting a brochure by post (refer to item c).
  • When requesting a table reservation in the Trenkerstube restaurant: Title, first name, last name, phone no. for queries, e-mail address, comments or special requests if any.
  • When requesting a brochure: Title, first name, last name, phone no. for queries, street address, postal code, city and country.
  • When requesting a ringback from our office: Title, first name, last name, phone no. for queries, e-mail address if applicable, comments or special requests if any, and time for the requested ringback.

At the time the message is sent, the following data is also stored:

  1. The user's IP address
  2. Date and time of registration

Item (1) is used to track cyberattacks.

During the registration process, you are asked to give your consent to your data being processed, and referred to this data privacy policy.

As an alternative option, you may contact us using the e-mail address provided. In this case the personally identifiable data transmitted with the e-mail message will be stored.

The data will not be disclosed to any third parties but be used exclusively for the purpose of processing the conversation.

2. Legal basis for processing your data

The legal basis for processing the data with the user's express consent is provided by GDPR, Art. 6(1)(a).

The legal basis for processing the data transmitted with an e-mail message is provided by GDPR, Art. 6(1)(f). If the purpose of the e-mail correspondence is to enter into a contract, GDPR, Art. 6(1)(b) provides an additional legal basis.

3. Purpose of data processing

We process the information from the contact form solely to arrange our interaction with the user. In the case of ourselves being contacted by e-mail, this constitutes the required legitimate interest in processing the data.

All other personally identifiable data processed when sending correspondence is used to prevent misuse of the contact form and to protect the security of our information technology systems.

4. Duration of data storage

The data will be deleted as soon as it is no longer needed for the purpose of its collection. For the personally identifiable data from the contact form and any e-mail correspondence, this will occur as soon as the respective conversation with the user has been completed. A conversation is considered to have been completed when the circumstances indicate that the relevant subject of the correspondence has been clarified conclusively.

Any other personally identifiable information collected when sending communications will be deleted no later than seven days after the end of the conversation.

5. Option to object or to request erasure

The user may at any time revoke his or her consent to the processing of personally identifiable data. If the user contacts us by e-mail, the user may at any time object to his or her personally identifiable data being stored. If the user chooses to do so, the conversation cannot be continued.

To request erasure of your data, please contact Hotel Castel GmbH and ask that your data be deleted.

All personally identifiable data stored in the process of our interaction will then be erased.

VIII. Web analysis using Google Analytics

1. Scope of our processing of personally identifiable data

This website uses the service Google Analytics provided by Google Inc. (1600 Amphitheatre Parkway Mountain View, CA 94043, USA) to analyse the way users use the website. Google Analytics uses cookies, text files stored on your computing device. Information collected by cookies is usually transmitted to, and stored on, a Google server in the USA. This website uses IP anonymisation. Within the member states of the EU and the European Economic Area, user IP addresses are truncated. This prevents identification of individuals using their IP addresses. Based on the data processing agreement between the website operators and Google Inc., Google uses the aggregated information to evaluate website use and activities and to provide services related to Internet use.

2. Legal basis for processing personally identifiable data

The legal basis for the processing of personally identifiable user data is provided by GDPR, Art. 6(1)(f).

3. Purpose of data processing

Processing personally identifiable user data allows us to analyse the surfing behaviour of our users. By evaluating the resulting data, we can gain insight into the use of individual components of our website. This helps us improve our website and its user-friendliness on a continuous basis. These purposes represent our legitimate interest in processing the personally identifiable data pursuant to GDPR, Art. 6(1)(f). IP address anonymisation ensures that the user's interest in the protection of personally identifiable data is properly accounted for.

4. Duration of data storage

The data will be deleted as soon as it is no longer needed for the purpose of its collection.

5. Option to object or to request erasure

Cookies are stored on the user's computer, which transmits them to our webpage. This gives you, the user, full control over the use of cookies. By changing the settings in your Internet browser, you can disable or limit the transmission of cookies. Cookies already stored can be deleted at any time. This may be done in an automated process. If all cookies for our website are disabled, some features of our website may not be usable as intended.

On our website, we offer our users the option to opt out of the data analysis process. To opt out, please follow the appropriate link: Cookie Settings

This sets an additional cookie in your system which will tell our system not to store the user's data. If a user deletes this cookie from his or her system, the user must subsequently set the opt out cookie again.

To find further information on Google Inc.'s use of data, please go to: https://support.google.com/analytics/answer/6004245

IX. Rights of Data Subjects

The following list states all rights of Data Subjects according to the GDPR. Rights without relevance for this website do not have to be listed. Therefore shortening the list is legitimate.

When your personally identifiable data is processed, you are a Data Subject for the purposes of the GDPR, meaning you have the following rights vis-à-vis the Data Controller:

1. Right of information

You are entitled to obtain from the Data Controller a confirmation stating whether your personally identifiable data is being processed by us.

If so, you may request the following information from the Data Controller:

  1. The purposes for which your personally identifiable data is being processed;
  2. the categories of personally identifiable data being processed;
  3. the recipients or categories of recipients to whom your personally identifiable data has been or will be disclosed;
  4. the intended storage duration of your personally identifiable data or, if unknown, what criteria are used to determine the storage duration;
  5. the existence of your right to have your personally identifiable data rectified or erased, restrict its processing by the Data Controller, or object to such processing;
  6. your right to lodge a complaint with a regulatory authority;
  7. any available information about the origin of the data, provided that the personally identifiable data is not collected from the Data Subject;
  8. the existence of an automated decision-making process including profiling pursuant to GDPR, Article 22 (1) and (4), and – at least in these cases – meaningful information about the involved logic as well as the scope and the intended effects of such processing on the Data Subject.

You have a right to know whether your personally identifiable data have been or are being transmitted into a third country or to an international organization. In this context you may demand information about suitable guarantees regarding data transmission pursuant to GDPR, Article 46.

2. Right to data rectification

You have the right to have your personally identifiable data rectified and/or completed by the Data Controller if your data is incorrect or incomplete. The Data Controller is obliged to correct or amend your data without delay.

3. Right to restrict processing

You may demand restriction of the processing of your personally identifiable data under the following conditions:

  1. provided that you dispute the correctness of your personally identifiable data for a period of time that allows the Data Controller to verify the correctness of your personal data;
  2. provided that the processing of the data is unlawful but you object to the erasure of the personally identifiable data, instead demanding restriction of the use of the data;
  3. the Data Controller no longer needs the personally identifiable data for the processing purposes, however, you need the data to assert, exercise or defend your legal rights, or
  4. you have formally objected to the processing pursuant to GDPR, Article 21(1), and it has not yet been decided whether the legitimate grounds cited by the Data Controller take precedence over your grounds.

If the processing of your personally identifiable data is subject to restrictions, the data must not be processed – apart from being stored – without your consent, unless processing is required to assert, exercise or defend legal rights, or to protect the rights of another natural or legal person, or unless processing is warranted for reasons of an important public interest of the European Union or one of its member states.

If the restriction of data processing is suspended for one of the above reasons, you will be notified by the Data Controller in advance.

4. Right to erasure

a) Obligation to erase

You have the right to demand that the relevant personally identifiable data be erased immediately by the Data Controller, and the Data Controller is legally required to erase your data immediately, provided that one of the following occurs:

  1. Your personally identifiable data is no longer needed for the purposes for which it was collected or otherwise processed.
  2. You revoke your consent that formed the basis of processing according to GDPR, Article 6(1)(a) or Article 9(2)(a), and there is no other legal basis for further processing.
  3. You object to the processing of your data according to GDPR, Article 21(1), and there are no overriding legitimate grounds for processing, or you object to processing according to GDPR, Article 21(2).
  4. Your personally identifiable data has been processed in an unlawful manner.
  5. Erasure of your personally identifiable data is required to meet a legal obligation under EU law or the laws of an EU member state and the Data Controller is subject to such laws.
  6. Your personally identifiable data was collected in connection with services offered by the information society pursuant to GDPR, Article 8(1).

b) Disclosure of data to third parties

In the event that the Data Controller has made your personally identifiable data public and is under obligation to erase them according to GDPR, Article 17(1), the Data Controller shall take appropriate action, including but not limited to technical measures, with due regard to availability of appropriate technology as well as implementation costs, to notify the Data Processors who are processing the personally identifiable data that you, the Data Subject, have demanded that all links to such personally identifiable data or copies or replications thereof be erased.

c) Exceptions

The right to erasure shall not apply to the extent that processing of your data is required:

  1. to exercise the freedoms of expression and information;
  2. to fulfil a legal obligation to process the data under the laws of the European Union or its member states that the Data Controller is subject to, or to carry out a task that benefits the public interest or enforces public authority and has been delegated to the Data Controller;
  3. for public interest reasons in the area of public health according to GDPR, Article 9(2)(h) and (i) as well as Article 9(3);
  4. for archiving, scientific or historical research purposes in the public interest or for statistical purposes in accordance with GDPR, Article 89(1), provided that the right as stipulated in subsection (a) would presumably render it impossible to achieve the goals of processing or impede such processing severely; or
  5. for the purposes of asserting, exercising or defending legal claims.

5. Right to notification

If you have asserted your right to rectification, erasure or restriction of processing of your data to the Data Controller, the Data Controller shall be obliged to notify all recipients to whom your personally identifiable data has been disclosed about the rectification or erasure of your data or the restriction of its processing, unless this is impossible or would entail a disproportionate effort.

You have the right to be informed about such recipients by the Data Controller.

6. Right to data portability

You have the right to receive your personally identifiable data which you have provided to the Data Controller in a structured, commonly used and machine-readable format. You also have the right to transfer this data to another Data Controller without being obstructed by the Data Controller to whom you originally provided your personally identifiable data, provided that:

  1. processing of the data is based on consent pursuant to GDPR, Article 6(1)(a) or Article 9(2)(a), or on a contract according to GDPR, Article 6(1)(b), and
  2. the data is processed using automated methods.

In exercising this right, you also have the right to have your personally identifiable data transmitted directly from one Data Controller to another Data Controller, provided that this is technically feasible. This right does not apply where it would adversely affect the rights and freedoms of others.

The right to data portability does not apply if your personally identifiable data must be processed to fulfil a legal obligation to carry out a task that benefits the public interest or enforces public authority and has been delegated to the Data Controller.

7. Right to object

You have the right to object to our processing of your personally identifiable data according to GDPR, Article 6(1)(e) or (f) at any time on grounds relating to your particular situation; the same applies to any profiling performed on the basis of these legal stipulations.

In this case, the Data Controller will cease to process your personally identifiable data unless the Data Controller is able to demonstrate that such processing is required on compelling legitimate grounds which take precedence over your interests, rights or freedoms, or that such processing is necessary for the establishment, exercise or defence of legal claims.

You have the right to object to the processing of your personally identifiable data for direct marketing purposes; the same applies to profiling for direct marketing purposes.

If you object to the processing of your data for direct marketing purposes, your personally identifiable data will no longer be used for those purposes.

You may exercise your right to objection in connection with the use of information society services – notwithstanding Directive 2002/58/EC – using automated methods which apply technical specifications.

8. Right to withdraw your consent to data-processing

You have the right to withdraw your consent to our processing of your data submitted on the basis of data protection law at any time. Withdrawing your consent shall not affect the legality of our data-processing performed on the basis of your consent prior to its withdrawal.

9. Automated decision in individual cases, including profiling

You have the right not to be subject to a decision based solely on automatic processing – including profiling – which has a legal effect on you or will expose you to comparable significant disadvantages. This does not apply if this decision:

  1. is necessary for entering into or performing a contract between you and the Data Controller;
  2. is permitted by legal provisions of the European Union or the EU member states which the Data Controller is subject to, provided that these legal provisions include adequate measures to protect your rights and freedoms as well as your legitimate interests; or
  3. is made with your express consent.

However, these decisions must not be based on special categories of personally identifiable data pursuant to GDPR, Article 9(1), unless GDPR, Article 9(2)(a) or (g) applies and adequate measures have been taken to protect your rights and freedoms as well as your legitimate interests.

With regard to the cases described in items (1) and (3), the Data Controller will take reasonable measures to protect your rights and freedoms as well as your legitimate interests, including, but not limited to your rights to secure intervention by any person on behalf of the Data Controller, present your own views, and contest the decision.

10. Right to lodge a claim with a supervisory authority

Notwithstanding any other remedy of administrative law or jurisdiction, you have the right to lodge a claim with a supervisory authority, in particular in the EU member state where you reside, have your place of employment or where the alleged breach has occurred, if you believe that your personally identifiable data has been processed in a manner which violates the GDPR.

The supervisory authority where you have lodged your complaint will inform you, the claimant, about the ongoing proceedings related to your claim as well as the results, including any legal remedies available to you pursuant to GDPR, Article 78.