A World of Hospitality

Link to Homepage Vila Vita Marburg

A World of Hospitality

Filter by categories

Status: 03/2026

Data Protection

Below, the companies of the VILA VITA corporate group would like to

  • VILA VITA Hotel und Touristik GmbH, Wilhelm-Leuschner-Straße 24, 60329 Frankfurt am Main,
  • VILA VITA Marburg SE, Anneliese Pohl Allee 17, 35037 Marburg,
  • Congresszentrum Marburg GmbH & Co. KG, Anneliese Pohl Allee 3, 35037 Marburg,

inform you about the processing of your personal data

  • when visiting our websites or using our other online services,
  • as part of your stay in one of our properties or the provision of our services,
  • as an applicant and
  • as a service provider or supplier
    inform.

The responsible party within the meaning of Article 4 No. 7 GDPR is the respective company of the VILA VITA corporate group,

 

  • whose website or online service you visit or use. The respective responsible party is specified in the imprint of the website or online service.

  • with whom you make an inquiry, a reservation, or a booking and wish to enter into a contractual relationship for the provision of accommodation and/or catering services. You can find out who the responsible party is from your invoice, receipt, reservation, or booking confirmation, etc., of the service you have used.

     

The companies of the VILA VITA corporate group work closely together on a variety of activities and services. This also concerns the processing of your personal data. The companies of the VILA VITA corporate group have therefore concluded an agreement on joint responsibility in accordance with Article 26 GDPR. In this, the parties have agreed on who fulfills which obligations under the GDPR. This particularly concerns the fulfillment of rights of persons affected by data processing. Joint responsibility exists both in the joint processing of customer or guest data to improve our services on the one hand and in the areas of guest and customer relations management on the other, for example in bookings or reservations in our hotels and restaurants. This way, we can offer you alternatives in another hotel or restaurant of the VILA VITA corporate group in case of full occupancy or link services, such as joint invoicing. There is also joint responsibility in the areas of (online) marketing, IT infrastructure and IT facilities, and financial accounting. As the primarily responsible party, especially for fulfilling the rights of persons affected by data processing, the VILA VITA corporate group has appointed VILA VITA Marburg SE, Anneliese Pohl Allee 17, 35037 Marburg. The assertion of your rights against the other companies of the VILA VITA corporate group remains unaffected.

 

You can also reach our data protection officer at the above addresses, with the addition "Data Protection Officer" or at datenschutz(at)vilavitahotels.com.

2.1. Relevant Legal Bases for Data Processing

 

If the legal basis is not explicitly mentioned in these data protection notices, the following legal bases are relevant:

 

  • Insofar as we obtain your consent for data processing, Article 6 (1) lit. a and Art. 7 GDPR is the legal basis for data processing. If the processing of the data is for the fulfillment of our services and the implementation of contractual measures as well as answering inquiries, Art. 6 (1) lit. b GDPR is the legal basis for data processing. If data processing is for the fulfillment of a legal obligation, Article 6 (1) lit. c GDPR is the legal basis. Examples of this are the fulfillment of commercial retention obligations or the fulfillment of tax (retention) obligations.
  • If the processing of personal data is necessary to protect a legitimate interest of our company or a third party, Article 6 (1) lit. f GDPR serves as the legal basis. Legitimate interests are, in particular, ensuring IT security and IT operations, asserting legal claims and defense in legal disputes, creating user statistics, advertising for our own services and products of the VILA VITA corporate group, as well as market and opinion research by the aforementioned, provided that direct advertising has not been objected to.
  • The companies of the VILA VITA corporate group are obliged by an intergroup contract to maintain the data protection level applicable within the EU during data exchange among each other and to take appropriate measures for data security. The intergroup contract also essentially regulates that the companies of the VILA VITA corporate group cooperate equally in the areas of advertising and marketing and exchange data among each other, that the statutory data subject, information, and other rights of data subjects are always respected, and that VILA VITA Marburg SE, based in Marburg, is primarily responsible for this.

 

2.2 Your Rights

 

You have the right

 

  • to information according to Art. 15 GDPR,
  • to correction according to Art. 16 GDPR,
  • to deletion according to Art. 17 GDPR,
  • to restriction of processing according to Art. 18 GDPR
  • to data transfer according to Art. 20 GDPR.

 

For the rights to information and deletion, the restrictions of §§ 34 and 35 BDSG apply.

 

In addition, you have a right to complain under Art. 77 GDPR to a data protection supervisory authority according to § 19 BDSG.

 

You can revoke any consent given to us for the processing of personal data at any time with effect for the future.

 

2.3 Duration of Data Storage

 

Unless otherwise specified in these data protection notices, personal data is only stored for as long as is necessary to fulfill the respective purpose or to fulfill our contractual or legal obligations. We are subject to various retention and documentation obligations. These arise in particular from the Commercial Code, the Fiscal Code, the Money Laundering Act, and the Registration Act. The deadlines specified there can be up to 10 years.

 

2.4 Transmission of Personal Data

 

If we transmit personal data to other persons or companies, this is only done based on your consent, a legal permission, due to a legal obligation (e.g. to public authorities and institutions such as supervisory authorities or tax authorities), or based on a processing agreement according to Art. 28 GDPR. Further categories of recipients can be found in these data protection notices.

 

2.5 Transmission of Data to Third Countries

 

Processing of personal data outside the European Economic Area only takes place if an adequate level of data protection according to Art. 44 ff. GDPR has been confirmed by the EU Commission in the third country or other appropriate guarantees for the protection of personal data are in place.

 

2.6 Automatic Decision-Making

 

Your data is partially processed automatically to evaluate certain personal aspects (profiling), for marketing and advertising purposes, and to address you with personalized advertising via email or post.
 
Furthermore, we are required by legal and regulatory requirements to combat money laundering, terrorist financing, and property-endangering crimes. In this context, data evaluations are also carried out.

3.1 Online Services

"Online Services" in the context of these data protection notices are all websites,

  • software applications (apps), and
  • social media pages,

which you access these data protection notices from.
 

3.2  Cookies

Our online services use cookies. These are small text files that are stored on the user's device. In addition to so-called session cookies, which are automatically deleted as soon as you log out or close the browser, so-called permanent cookies are also used to recognize a returning user. These cookies automatically expire after a fixed period.

It is possible at any time to object to the setting of a cookie through the corresponding settings in the internet browser. Already set cookies can be deleted at any time. If cookies are deactivated, not all functions of our website may be fully usable. Some cookies are necessary for the operation of a website, e.g. for shopping carts in the online shop or to save logins or user settings. Some cookies also serve security purposes. The legal basis for setting these so-called essential or absolutely necessary cookies is the protection of the aforementioned legitimate interests according to Art. 6 (1) lit. f GDPR.

In addition, there are statistics, marketing, and personalization cookies. These are used, for example, for reach measurement or to display personalized content that corresponds to a user's potential interests. If we use statistics, marketing, and personalization cookies, we will inform you about this when you visit our website and in these data protection notices. The legal basis is your consent according to Art. 6 (1) lit. a GDPR.


3.3 Collection of General Data and Creation of Log Data

When you access our online services, general data and information are automatically collected and stored in a server log. The following data can be collected:

  • Information about the browser type and version
  • Information about the user's operating system
  • Information about the user's service provider
  • The internet protocol address (IP address) of the user or calling system
  • Date and time of access
  • The page you came from (referrer URL)
  • Websites that are accessed by the user's system via our website

The processing of this data serves to provide our website, to ensure the functionality of our information technology systems, and to optimize our website. This data and information, which is generally collected anonymously, is statistically evaluated by us with the aim of ensuring data protection and data security. The data in the log files is always stored separately from other personal data that may be collected and is generally not passed on to third parties. The data is automatically deleted after the deadline expires. The legal basis for the temporary processing of the data is the protection of the aforementioned legitimate interests according to Art. 6 (1) lit. f GDPR.
 

3.4  Contact Form and Email Contact

Some of our online services offer you the opportunity to contact us via a contact form or an email address. If you use this, the personal data you provide to us will be automatically stored. The storage and further processing of this data is solely for processing your contact request and for subsequent contact with you. Disclosure to third parties outside the VILA VITA corporate group generally does not occur. The data you provide will be deleted after the process is completed, provided that no contractual or legal retention periods stand in the way of deletion. In this case, the data subject to retention will be deleted after the deadline expires. The legal basis for processing the data is Art. 6 (1) lit. f GDPR.
 

3.5 Newsletter and Email Advertising

With our newsletter, we inform you about current products, offers, events, and news from the VILA VITA corporate group (VILA VITA Hotel & Touristik GmbH,  VILA VITA Marburg GmbH, Congresszentrum Marburg GmbH & Co. KG). To register, it is usually sufficient if you provide your email address. Providing further data is voluntary. If you have registered for our newsletter, we will use your email address and any other data you have voluntarily provided to send the newsletter. Upon successful registration for the newsletter, we store the date of your registration and, in the case of registration via a website, also your IP address. This storage serves as proof in case a third party misuses an email address and registers for the newsletter without the knowledge of the authorized person. The newsletter is sent based on your consent according to Art. 6 (1) lit. a GDPR. If consent to advertise our own similar goods or services is not required, this is done based on legitimate interests according to Article 6 (1) lit. f GDPR in the promotion of our goods and services, provided this is legally permitted, e.g. in the case of existing customer advertising, and you have not objected. We also store the data collected during the registration process based on legitimate interests to be able to provide proof of your consent if necessary. You can unsubscribe from the newsletter at any time using the unsubscribe link included in every newsletter. Alternatively, you can also contact the above-mentioned postal or email address directly. Upon termination, we can store the unsubscribed email addresses for up to three years to be able to prove previously given consent.

To continuously optimize our newsletter and to offer you a user-oriented and secure newsletter, we evaluate individual user activities. We measure how often the newsletter is opened and which links users click on. For this purpose, the newsletter contains a so-called "web beacon," a file that is retrieved from our server when the newsletter is opened. Initially, technical information (e.g. browser type, operating system, time of retrieval) is collected. It is also possible to determine whether and when a newsletter was opened and which links were clicked. This information helps us to recognize the usage and reading habits as well as the interests of our subscribers to adapt content and improve the user experience. The evaluation is based on your consent and on our legitimate interests in a user-friendly and informative newsletter.

 

3.6 Analysis and Targeting Tools, Optimization of Our Online Services and Online Marketing

3.6.1 Google Analytics (GA4)

We use Google Analytics 4 (GA4), a user analysis service from Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (Google Ireland). The user analysis is carried out using a pseudonymous user identification number. This serves to assign information to a device. The collected information helps us to evaluate visitor flows and better understand the use of the website by visitors. This allows us to tailor and improve our website to meet needs. For this purpose, GA4 collects information about which content you have accessed, how long the visit lasted, where you came from to us, and which search terms you may have used or which sources link to our site. We can also recognize a renewed visit to our website. The IP address is truncated by the last two digits by default and is not logged. In addition to the aforementioned information, GA4 can also collect geoinformation, e.g. about the user's location from which our online services were used or accessed (city, including latitude and longitude, country, continent). Although Google processes user data on servers within the EU, data processing in third countries, particularly the USA, cannot be completely ruled out, as data from Google Ireland can be passed on to the parent company, Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Data processing for the purpose of user analysis only takes place with your consent. The legal basis is therefore Art. 6 (1) lit. a GDPR. If no consent is obtained, processing is based on the aforementioned legitimate interests according to Art. 6 (1) lit. f GDPR.

If you have consented, we may also use the "Google Signals" function in our online services. With the help of Google Signals, Google Analytics can collect additional information about users who have activated personalized ads (e.g. interests) and ads can be delivered to these users in cross-device remarketing campaigns.

The processing agreement agreed with Google and standard contractual clauses to ensure the level of data protection when processing in third countries can be viewed at https://business.safety.google/adsprocessorterms/. Additional information about the types of processing and the processed data can be found here: https://privacy.google.com/businesses/adsservices. Google's terms of use and data protection notices for Google Analytics can be found at https://www.google.com/analytics/terms/de.html and https://policies.google.com/privacy. Further information about Google Analytics can also be found at https://marketingplatform.google.com/intl/de/about/analytics/. An objection option can be found here: https://tools.google.com/dlpage/gaoptout?hl=de.
 

3.6.2 Google Marketing Services

We use marketing and remarketing services from Google Inc., 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, USA. Google Marketing Services (including Google Adwords, Google Conversion Tracking, Google Optimize, and Google Double Click) allow us to display advertisements more specifically, e.g. to present users with only those ads that potentially match their interests on our or other websites. 

If you access an online service that uses Google Marketing Services, a cookie is set on your device, whereby cookies can be set from various domains (including google.com, doubleclick.net, etc.). The cookie stores which websites have been visited, what content was of interest, and which offers were clicked on. In addition, technical information about the browser and operating system, referring websites, visit time, and other information about the use of the online offer is collected. Your IP address is also recorded, but it is truncated and only transmitted in full to a Google server in the USA in exceptional cases and truncated there. The IP address is not merged with other data from other Google services. The aforementioned information can also be combined by Google with such information from other sources. When you subsequently visit other websites, ads tailored to your interests can be displayed. User data is processed pseudonymously within the framework of Google Marketing Services, i.e. without storing and processing the user's name or email address. This does not apply if a user has expressly allowed Google to process the data without pseudonymization. The information collected by Google Marketing Services about users is transmitted to Google and stored on Google's servers in the USA.  

The Google Marketing Services we use also include the online advertising program Google AdWords. Each AdWords customer receives a so-called conversion cookie. The information obtained using the cookie is used to create conversion statistics for AdWords customers who have opted for conversion tracking. AdWords customers learn the total number of users who clicked on their ad and were redirected to a page tagged with a conversion tracking tag. However, they do not receive any information that can personally identify users. 

The legal basis for data processing is your consent according to Art. 6 (1) lit. a GDPR. If no consent is obtained, processing is based on the aforementioned legitimate interests according to Art. 6 (1) lit. f GDPR.

The applicable data protection conditions and terms of use of Google Marketing Services can be found at policies.google.com/technologies/ads.

You can prevent the setting of cookies by our website at any time by making the appropriate setting in the internet browser and thus permanently object to the setting of cookies. In addition, cookies already set by Google can be deleted at any time via an internet browser or other software programs. 

If you wish to object to interest-based advertising by Google Marketing Services, you can use the options provided by Google at www.google.com/ads/preferences.
 

3.6.3 Microsoft Clarity

Microsoft Clarity On our online services, we use Microsoft Clarity. This is a web analytics service from Microsoft Ireland Operations Ltd., One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland, hereinafter referred to as "Microsoft". We use Microsoft Clarity to analyze usage behavior and improve our offering. Data on mouse movements, clicks, scrolling behavior, and other interactions as well as usage and user-related information, such as IP address, location, time, or frequency of visits to our website, are collected. The legal basis for processing is Art. 6 (1) lit. a GDPR (consent). The data can be stored for up to a year. The collected data is also passed on to Microsoft, which acts as a processor for us. A corresponding processing agreement according to Art. 28 GDPR has been concluded. A transfer of data to the USA cannot be ruled out. We have therefore also agreed on EU standard contractual clauses (SCCs) with Microsoft and implemented additional protective measures to ensure an adequate level of data protection. In addition, Microsoft has committed to complying with the principles of data processing of the Data Privacy Framework (DPF). Further information on Microsoft's data protection regulations can be found at https://clarity.microsoft.com/terms and https://privacy.microsoft.com/de-de/privacystatement.
 

3.6.4 Meta Pixel

We use the Meta Pixel from Facebook/Meta for conversion measurement. The provider of this service is Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland. With the help of the Meta Pixel, we can present targeted advertising to visitors to our website on the social networks of Meta Platforms (e.g. Facebook, Instagram) and also measure and analyze the effectiveness of the ads placed there. When using the Meta Pixel, data transmission to the USA or other third countries cannot be ruled out. If data is transmitted to the USA or other third countries, this is done on the basis of the EU Commission's standard contractual clauses. Further details can be found at: https://www.facebook.com/legal/EU_data_transfer_addendum and https://de-de.facebook.com/help/566994660333381.

The data collected by the Meta Pixel remains anonymous for us. We cannot draw any conclusions about the identity of a user. However, Facebook stores and processes this data, which allows a connection to your Facebook profile. Facebook can use the data according to its privacy policy (https://de-de.facebook.com/about/privacy/) for its own advertising purposes, e.g. to place personalized ads on Facebook and on websites outside of Facebook. We, as the website operator, have no influence on this data usage. We do not use the "extended matching" offered by Meta. If the Meta Pixel collects personal data on our website and transmits it to Meta / Facebook, we and Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland, are jointly responsible for this data processing (Art. 26 GDPR). This joint responsibility only relates to the collection and transmission of the data to Meta / Facebook. The details of the joint responsibility are laid down in the following agreement according to Art. 26 GDPR: https://www.facebook.com/legal/controller_addendum. According to this agreement, we are responsible for providing data protection information and for the data protection-compliant implementation of the Facebook tool on our website, while Facebook ensures the data security of the processed data. Data subject rights, such as access requests, can be asserted directly with Facebook. If you assert your data subject rights with us, we will forward them to Facebook.

The use of the Meta Pixel takes place on the basis of your consent according to Art. 6 (1) lit. a GDPR and § 25 TDDSG.

Further information can also be found in the privacy policies of Meta or Facebook at https://de-de.facebook.com/about/privacy/. You can also deactivate the remarketing function "Custom Audiences" in the ad settings at https://www.facebook.com/ads/preferences/?entry_product=ad_settings_screen. To do this, you must be logged in to Facebook.  
 

3.7 Plugins and Embedded Functions and Content from Third Parties

Some of our online services use services and content from third parties. In particular, so-called "social plugins", videos, or fonts. These contents are either obtained directly from the server of the respective third party provider when calling up our online service or subject to your consent (e.g. by activating a plugin separately). Your IP address is also transmitted. Otherwise, the third party provider cannot deliver the content to your browser or offer the desired function.

If we ask for your consent for the activation of embedded functions and content, the legal basis is your consent according to Art. 6 (1) lit. a GDPR. Otherwise, the data is processed on the basis of our legitimate interests in providing and distributing our content and a user-friendly and optimal user experience according to Art. 6 (1) lit. f GDPR. We may use the following services or service providers with embedded functions and content:

 

3.8 Presence in Social Networks

Some companies of the VILA VITA corporate group use social networks to get in direct contact with customers. The possibility to also get in touch with customers via social networks and to provide a corresponding platform for this is a legitimate interest according to Art. 6 (1) lit. f GDPR. If you visit our pages, your data is also processed by the respective social network. Possibly also outside the European Union, e.g. in the USA. This processing and the further processing operations, such as the analysis of user behavior by social networks, are the responsibility of the respective social network. The companies of the VILA VITA corporate group have no influence on this. You can find the presence of VILA VITA companies on the following social networks:

3.9  Online Room Booking

We offer you the opportunity to book rooms online. For this purpose, the data required for the reservation and for further contract initiation and conclusion are collected, in particular your name, the names of any accompanying persons, address, telephone number, and email address, booking or travel data, as well as information on the payment method chosen. The data required for your booking is marked accordingly. All other data is voluntary. Your online booking is made via online reservation systems of third-party providers. After completing the booking, you will receive a booking confirmation at the email address you provided. The legal basis for processing your data is Art. 6 (1) lit. b GDPR. We store your address, payment, and booking data for a period of ten years due to the commercial and tax law regulations that apply to us. We may use the following providers:

gauVendi, a service of GauVendi GmbH, Feuerwehrstrasse 10, 60435 Frankfurt, which allows you to make a room booking according to your personal needs and allows us to view and manage the necessary information about your booking.

The following data is processed:

  • Number of people
  • Arrival and departure date
  • Booked room features and rooms
  • Booked additional services
  • Booking country
  • Other data relevant to reservation and cancellation

The legal basis for processing is Art. 6 (1) lit. b) GDPR, the fulfillment of the booking contract that is concluded with you, as well as Art. 6 (1) lit. f) GDPR, our interest in the optimal provision of additional options when booking and maintaining business relationships.

We also use a feature that allows us to display additional offers tailored to your region directly when booking. For this purpose, your IP address, which is available to us through your visit to our website, is used in a shortened, anonymized form to obtain a rough estimate of your geolocation and to offer you suitable regional additional options. Apart from the short-term processing of your IP address for this purpose, no further processing of personal data takes place in this context. The legal basis for processing is Art. 6 (1) lit. f) GDPR, our legitimate interest in displaying suitable additional services to you.

The data is processed as long as necessary for the processing of the booking. Subsequently, relevant data is stored in accordance with legal retention periods and then deleted.

Furthermore, GauVendi supports us in evaluating website visitor data and further analysis. For this purpose, Google Analytics is used, provided you have given your consent via the cookie banner, and this data is then shared with GauVendi. More detailed information on processing by Google Analytics can be found in the corresponding section of this statement. We have concluded a processing agreement with GauVendi according to Art. 28 GDPR, in which we oblige the provider to ensure the protection of your data.

In the context of processing, it is possible that your data will be transferred to third countries. For potential transfers to third countries outside the EU and the EEA for which there is no adequacy decision by the EU Commission, standard data protection clauses according to Art. 46 (2) lit. c GDPR have been agreed with the respective recipient in the third country. These oblige the recipient of the data in the third country to process the data in accordance with the level of protection in Europe.

Further information about GauVendi can be found in the service provider's privacy policy: https://www.gauvendi.com/data-protection

 

3.10 Online Reservations in Restaurant, Bar, and Spa

If you want to reserve a table online in one of our restaurants or bars, we need information about the date, time, number of people, as well as your name and possibly your email address or phone number. We use the online reservation system Reservision, a service of RESERViSiON GmbH, Seestr. 29, 64354 Reinheim. If you book an appointment online in our SPA, we use the booking system of Crqlar GmbH, Haller Straße 65, 6020 Innsbruck. Your information will be stored and processed for the purpose of processing your inquiry or reservation. The legal bases are Art. 6 (1) lit. a and b GDPR. Your reservation data will be deleted upon cancellation of the reservation or the day after the reservation unless we still need your data for billing and other questions following your reservation. To be able to respond individually to your future inquiries or reservations, we store certain data about your visit or your wishes with your consent. The legal basis for data processing is your consent according to Art. 6 (1) lit. a GDPR. If no consent is obtained, processing is based on the aforementioned legitimate interests according to Art. 6 (1) lit. f GDPR.

3.11  Online and Voucher Shop

If you use our online or voucher shop, we process the data you provide to process your order, payment, and delivery. We use your data to send you notifications about the delivery status or in case of delivery problems. If necessary, we use service providers, in particular postal and shipping companies, for order processing and delivery. We also use your data to process complaints and product warranty claims and, if necessary for an order, to determine whether you have reached the legal minimum age for a purchase. For payment processing, we use various online services from banks and payment service providers. The data required for the ordering process, delivery, and payment processing is marked accordingly. The legal basis is the fulfillment of the contract or the implementation of pre-contractual measures according to Art. 6 (1) lit. b GDPR.
 

3.12 Chatbot and Chat Functions

On some of our pages, we use a chatbot from DialogShift GmbH, Rheinsberger Str. 76/77, 10115 Berlin. This is a software that answers your questions or provides you with useful hints or information while you use our websites. If you use the chat function, the chatbot processes the information you enter. In addition, we store the contents of your communication. If you complete registration processes, consent declarations, or other declarations via the chatbot, we log these so that they can be proven later. Furthermore, the chatbot stores a cookie with an identification number to recognize you as a user. This cookie is stored for 90 days from the last use of the chatbot. You can disable the storage of the cookie in your browser settings or delete the cookie. Without the cookie, however, the chat functions cannot be used. Providing personal data such as your name, email address, etc., is voluntary. In addition to the data you enter, data on usage behavior may also be collected for statistical analysis and optimization of the service. The legal bases for data processing are Art. 6 (1) lit. a GDPR and Art. 6 (1) lit. f GDPR. The special interest lies in effective customer care and communication. Further information on the processing of personal data by the chatbot can be found here: https://www.dialogshift.com/data-privacy.    
 

3.13 Elfsight Plugin

We use the "Elfsight" service of Elfsight LLC, Paronyana str. 19/3, 201, Yerevan 0015, Armenia, to embed content, such as reviews, from social networks or review portals on our website. This may also involve the transfer of data to a third country (Armenia). Further information on data processing by Elfsight can be found in the provider's data protection notices: https://elfsight.com/privacy-policy/. The legal bases are Art. 6 (1) lit a, 49 (1) lit a GDPR.
 

3.14 Online Magazine Service

This website uses an iFrame with a website provided by CALAMEO SAS for an online magazine display service. When you access the page with the online magazine display, your browser loads the website data from the website provided by CALAMEO SAS to display the online magazines correctly. For this purpose, the browser you are using must establish a connection to the servers of CALAMEO SAS. This allows CALAMEO SAS to know that your IP address has accessed our website. We use the service provided by CALAMEO SAS to display online magazines to make our online services uniform and appealing and to facilitate use. This represents a legitimate interest within the meaning of Article 6 (1) lit. f) GDPR. The operator of this website points out that the data collection and processing on the website displayed in the iFrame is beyond its control. The responsibility for compliance with the provisions of the GDPR therefore lies with the operator of the embedded website. Further information on CALAMEO SAS and their privacy policy can be found at: calameo.com/privacy.

 

3.15 Communication via Whatsapp

 

You have the option to contact us via the messenger service WhatsApp (WhatsApp Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland). The use of this channel is solely on your initiative by writing to us via WhatsApp. For the technical provision and management of the channel, we use the platform "DialogShift" (DialogShift GmbH, Torstraße 201, 10115 Berlin), which acts as our processor.

In the context of communication, the following data is processed in particular:

Your phone number as well as possibly your name and other information you provide,

the content of your messages, metadata such as timestamps, device information, and IP address (these are processed by WhatsApp/Meta).

The content of your messages is end-to-end encrypted by WhatsApp. We have no influence on the data processing by WhatsApp/Meta (Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland), especially regarding the processing of metadata. Your personal data is also processed by WhatsApp in the USA, among other places. Further information on data processing by WhatsApp can be found in the https://www.whatsapp.com/legal/privacy-policy-eea.

The processing of your personal data within the framework of WhatsApp communication is based on your consent according to Art. 6 (1) lit. a GDPR or Art. 6 (1) lit. f GDPR (legitimate interest in efficient and user-friendly communication). The use of WhatsApp is voluntary. You can always use alternative contact methods (e.g. email, phone).

The messages processed via DialogShift are automatically deleted after a maximum of 90 days. Longer storage only takes place if this is necessary to process your request.

Note: Please note that WhatsApp/Meta acts as an independent controller and can process metadata (e.g. your phone number, device information, IP address) outside the EU. We recommend not transmitting sensitive data (e.g. health data, payment information) via WhatsApp.

4.1 Purposes of Processing and Legal Bases

In the context of your stay in one of our properties or the provision of our services, we process your data for the purpose of

 

  • booking and guest registration, the legal basis is the fulfillment of the contract or the implementation of pre-contractual measures according to Art. 6 (1) lit. b GDPR with the booking guest and possibly other accompanying persons.
  • accommodation and associated on-site services, such as check-in and check-out, personalized services, including advice on these, bookings/reservations on behalf of the guest with third parties (tours, excursions, reservations, taxi and shuttle services, etc.), room services (e.g. intolerances communicated by the guest, etc.), housekeeping (e.g. expressed preferences regarding amenities such as desired pillows, duvets, etc.), and the processing of complaints, wishes, and inquiries. The legal bases for this are the fulfillment of the contract or the implementation of pre-contractual measures according to Art. 6 (1) lit. b GDPR, legitimate interests according to Art. 6 (1) lit. f GDPR, in particular the fulfillment of guest wishes and preferences.
  • providing information and entertainment systems in the hotel and in the room (e.g. Wi-Fi, TV, infotainment systems, AppleTV, game consoles). The legal bases for this are the fulfillment of the contract or the implementation of pre-contractual measures according to Art. 6 (1) lit. b GDPR and legitimate interests according to Art. 6 (1) lit. f GDPR, in particular ensuring the functionality of our information technology systems, secure processing, and IT security, prevention and investigation of crimes.
  • advice and implementation of any spa and wellness offers you have booked, such as appointment reservations, recording restrictions and intolerances for safe and customer-oriented service provision or treatment, and treatment documentation, defense in legal disputes, personalized advice and offer creation, and processing of complaints, wishes, and inquiries. The legal bases for this are the fulfillment of the contract or the implementation of pre-contractual measures according to Art. 6 (1) lit. b GDPR, legitimate interests according to Art. 6 (1) lit. f GDPR, in particular customer-oriented advice and treatment, and defense in legal disputes, as well as the guest's consent according to Art. 6 (1) lit. a GDPR and, if special categories of data are processed, according to Art. 9 (2) lit. a GDPR. 
  • marketing campaigns, customer relationship management, and bonus programs and similar actions of the VILA VITA corporate group, e.g. sending information about products, offers, and services of the VILA VITA corporate group that may be of interest to the guest, including personalized advertising; personalized services and offers based on preferences communicated by the guest. The legal basis is the consent according to Art. 6 (1) lit. a GDPR, legitimate interests according to Art. 6 (1) lit. f GDPR, in particular a customer-oriented service.
  • planning and conducting events, conferences, and events, in particular support in organizing and coordinating, inviting, communicating, and accommodating guests or participants, processing inquiries and complaints; providing, organizing, and coordinating media technology; invoicing. The legal bases are the fulfillment of the contract or the implementation of pre-contractual measures according to Art. 6 (1) lit. b GDPR, insofar as data of guests/participants must be processed within the framework of legal obligations, Art. 6 (1) lit. c GDPR, legitimate interests according to Art. 6 (1) lit. f GDPR, in particular a safe and customer-oriented event implementation. 
  • fulfilling legal requirements according to Art. 6 (1) lit. c GDPR, such as in particular fulfilling reporting obligations under the Federal Registration Act (§§ 29, 30 BMG); fulfilling contractual or legal retention obligations, for example, according to the Commercial Code or the Fiscal Code (§ 257 HGB, § 147 AO). To fulfill the aforementioned reporting obligations, we also offer the collection of the data required for this in electronic form. A notification of the registration data is possible before your arrival. For this purpose, we use an online service from straiv GmbH, Eichwiesenring 4f, 70567 Stuttgart. There is no obligation to use the electronic form. You can still provide the registration data as usual upon arrival.
  • If you have provided your email address when booking, you will receive an email with information about your stay before your arrival. After your check-in, you will receive another email with information about your booking and information about our hotel and our offers. On the day of your departure, you will also receive an email with the option to check out online. You may also receive the option to review your invoice with this email. After your stay, you will have the opportunity to send us feedback and rate your stay. You may also receive an invoice in electronic form. You have the option in every email to object to the sending of further emails. The legal basis is Art. 6 (1) lit. f GDPR. We use an online service from straiv GmbH, Eichwiesenring 4f, 70567 Stuttgart, to send the emails.


4.2 Type of Data

To fulfill the respective purposes, we process different types of personal data. In particular:

 

  • Personal data
  • Data on accompanying persons/family members
  • Address and contact data
  • Information on guest preferences and wishes
  • Credit and debit card numbers, bank account data, and other payment data
  • Passport, identity card, and other identification data
  • Booking and reservation data
  • Travel data and data on travel itineraries and activities
  • Treatment information and documentation in the spa & wellness area
  • Contract master data/contract billing data and payment data
  • Photographs and video data

 

4.3 Data Transfer to Payment Service Providers

In connection with the processing of orders and bookings, we transfer personal data to service providers who support us in processing. This particularly affects providers of credit card billing services, insofar as the data transfer is necessary for processing the payment. In this regard, we work with the company SIX Payment Services (Germany) GmbH, Global Data Protection Support, Langenhorner Chaussee 92-94, 22415 Hamburg, Germany. The company's data protection regulations can be viewed at https://www.six-payment-services.com/de/home.html . On individual online services, it may be possible to use the online payment service of PayPal (Europe) S.à.r.l. & Cie. S.C.A., 22-24 Boulevard Royal, 2449 Luxembourg. If you choose PayPal as a payment method, your data required for the payment process will be automatically transmitted to PayPal. Under certain circumstances, PayPal may transmit to credit agencies for identity and credit checks. Further information on data processing by PayPal can be found here: https://www.paypal.com/de/webapps/mpp/ua/privacy-full/. If you use Apple Pay, the Apple Distribution International (Apple), Hollyhill Industrial Estate, Hollyhill, Cork, Ireland, payment is made via the "Apple Pay" function of your iOS device (e.g. iOS, watchOS, macOS) and by debiting the payment card stored with Apple Pay. For the purpose of payment processing, the information you provided during the payment or ordering process, including information about your order, is transmitted to Apple in encrypted form. Further information on data processing by Apple and data protection can be found at: https://support.apple.com/de-de/HT203027.

The legal basis for the aforementioned processing activities is Art. 6 (1) lit. b GDPR.
 

4.4 Disclosure of Personal Data

In certain cases, we also disclose personal data to third parties, but only if you have consented, there is a legal basis for the disclosure, or we are legally obliged to do so. Recipients can be in particular other companies within the VILA VITA corporate group, for example, to carry out or complete bookings and reservations, to plan and conduct events, to process inquiries and complaints, or to bill for services provided by us. Furthermore, we also disclose personal data to external service providers, particularly in the provision of IT systems and services, payment and order processing, or event organization. If we are legally obliged to do so or in the context of legal enforcement, we also disclose personal data to public authorities. 

The VILA VITA corporate group,

  • VILA VITA Hotel und Touristik GmbH, Wilhelm-Leuschner-Straße 24, 60329 Frankfurt am Main,
  • VILA VITA Marburg SE, Anneliese Pohl Allee 17, 35037 Marburg,
  • Congresszentrum Marburg GmbH & Co. KG, Anneliese Pohl Allee 3, 35037 Marburg,

is pleased that you are interested in a position with one of our companies. We would like to inform you below about the processing of your personal data in connection with your application. 
 

5.1  Responsible Party

The responsible party within the meaning of Article 4 No. 7 GDPR is the respective company of the VILA VITA corporate group specified in the respective job advertisement.

You can also reach our data protection officer at the address specified in the job advertisement, with the addition "Data Protection Officer" or at datenschutz(at)vilavitahotels.com.

5.2  Purposes of Processing and Legal Bases

The data you provide in the context of your application is processed exclusively for the purpose of applicant selection or the application process. In particular, to check your suitability for the position you have applied for or possibly other open positions within the company or the VILA VITA corporate group. We use the data you provide to us for this purpose. This may also include information you make accessible in professional online networks or job boards.

We only pass on your applicant data to other companies in the VILA VITA corporate group if you have expressly agreed to the transfer.

The legal basis for data processing is Art. 6 (1) lit. b GDPR and § 26 Federal Data Protection Act (BDSG). If data is required for legal defense after the completion of the application process, this data processing is based on legitimate interests according to Art. 6 (1) lit. f GDPR. Our legitimate interest in further processing then lies in asserting or defending claims.
 

5.3 Type of Data 

We only process the data you provide to us, usually:

  • Personal data
  • Address and contact data
  • CV, professional career, and other information from the application
  • Education and qualification data
  • Photographs and video data

During the application process, further data may be added, e.g. from interviews or from publicly accessible sources such as professional online networks or former employers. In certain cases, e.g. for management positions, we may conduct assessments or potential analyses.
 

5.4 Storage Duration

Applicant data is deleted 6 months after the completion of the application process, provided there is no legal basis for deletion or you have not expressly agreed to longer storage.

If we conclude an employment contract with you, we store your application documents in your personnel file or in our personnel information system for the purpose of conducting the employment relationship based on Art. 6 (1) lit. b GDPR, § 26 BDSG. 

 

5.5 Disclosure of Personal Data

In principle, only persons who need this data to conduct the application process have access to your data. This includes employees of the HR department. They review and process your application upon receipt. In addition, department heads for the open position have access to your application data.
 

5.6 Place of Data Processing

Application data is generally processed in data centers within the Federal Republic of Germany or the European Economic Area (EEA). If data is processed outside the EEA, this only takes place if an adequate level of data protection according to Art. 44 ff. GDPR has been confirmed by the EU Commission in the third country or other appropriate guarantees for the protection of personal data are in place.
 

5.7  Your Rights

You have the right

  • to information according to Art. 15 GDPR,
  • to correction according to Art. 16 GDPR,
  • to deletion according to Art. 17 GDPR,
  • to restriction of processing according to Art. 18 GDPR
  • to data transfer according to Art. 20 GDPR.

For the rights to information and deletion, the restrictions of §§ 34 and 35 BDSG apply.

In addition, you have a right to complain under Art. 77 GDPR to a data protection supervisory authority according to § 19 BDSG.

You can revoke any consent given to us for the processing of personal data at any time with effect for the future.
 

5.8 Automated Decision-Making

An automated individual decision does not take place in connection with your application. 

With the following data protection notices, we would like to inform you according to Art. 13 General Data Protection Regulation about the processing of your personal data if you are in a business relationship as a service provider or supplier with a company of the VILA VITA corporate group

  • VILA VITA Hotel und Touristik GmbH, Wilhelm-Leuschner-Straße 24, 60329 Frankfurt am Main,
  • VILA VITA Marburg SE, Anneliese Pohl Allee 17, 35037 Marburg,
  • Congresszentrum Marburg GmbH & Co. KG, Anneliese Pohl Allee 3, 35037 Marburg,
    enter.
     

6.1 Responsible Party

The responsible party within the meaning of Article 4 No. 7 GDPR is the respective company of the VILA VITA corporate group,

  • whose website or online service you visit or use. The respective responsible party is specified in the imprint of the respective website or online service.
  • with whom you are in a contractual relationship or wish to enter into one. You can find out who the responsible party is from the tender, order or order confirmation, contract documents, or invoice.

In purchasing and procurement, the companies of the VILA VITA corporate group work closely together. This concerns both the processing of personal data in these areas and in financial accounting or accounting and the joint IT infrastructure and IT facilities. The companies of the VILA VITA corporate group have therefore concluded an agreement on joint responsibility according to Article 26 GDPR. In this, the parties have agreed on who fulfills which obligations under the GDPR. This particularly concerns the fulfillment of rights of persons affected by data processing. As the primarily responsible party, especially for fulfilling the rights of persons affected by data processing, the companies of the VILA VITA corporate group have appointed VILA VITA Marburg SE, Anneliese Pohl Allee 17, 35037 Marburg. The assertion of your rights against the other companies of the VILA VITA corporate group remains unaffected.

You can also reach our data protection officer at the above addresses, with the addition "Data Protection Officer" or at datenschutz(at)vilavitahotels.com.
 

6.2  Purposes of Processing and Legal Bases

The processing of personal data takes place to fulfill our obligations from the respective contract or to carry out pre-contractual measures such as, in particular, requesting individual offers for work, services, or the delivery of products, remuneration accounting, contractual correspondence, and complaints. The legal basis is Art. 6 (1) lit. b GDPR. Furthermore, we process personal data based on legitimate interests according to Art. 6 (1) lit. f GDPR. This includes, in particular, obtaining credit information and exchanging data with credit agencies, asserting legal claims and defense in legal disputes, ensuring IT security and IT operations, preventing and investigating crimes, and measures to ensure house rights. In addition, we process your data if this is necessary to fulfill legal obligations, in particular to fulfill commercial and tax law evidence according to § 257 HGB and § 147 AO.
 

6.3 Type of Data

The following data is usually processed by us:

  • Personal data
  • Address and contact data
  • Payment and billing data
  • Order and service data
  • Information from third parties
     

6.4 Storage Duration 

Unless otherwise specified in these data protection notices, personal data is only stored for as long as is necessary to fulfill the respective purpose or to fulfill our contractual or legal obligations. We are subject to various retention and documentation obligations. These arise in particular from the Commercial Code, the Fiscal Code, and the Money Laundering Act. The deadlines specified there can be up to 10 years.
 

6.5 Disclosure of Personal Data

If we transmit personal data to other persons or companies, this is only done based on your consent, a legal permission, due to a legal obligation (e.g. to public authorities and institutions such as supervisory authorities or tax authorities), or based on a processing agreement according to Art. 28 GDPR. Further categories of recipients can be found in these data protection notices.
 

6.6 Place of Data Processing

Your data is generally processed at locations within the Federal Republic of Germany or the European Economic Area (EEA). If data is processed outside the EEA, this only takes place if an adequate level of data protection according to Art. 44 ff. GDPR has been confirmed by the EU Commission in the third country or other appropriate guarantees for the protection of personal data are in place.
 

6.7 Your Rights 

You have the right

  • to information according to Art. 15 GDPR,
  • to correction according to Art. 16 GDPR,
  • to deletion according to Art. 17 GDPR,
  • to restriction of processing according to Art. 18 GDPR
  • to data transfer according to Art. 20 GDPR.

For the rights to information and deletion, the restrictions of §§ 34 and 35 BDSG apply.

In addition, you have a right to complain under Art. 77 GDPR to a data protection supervisory authority according to § 19 BDSG.

You can revoke any consent given to us for the processing of personal data at any time with effect for the future.