Privacy Notice
This Privacy Notice was last updated: 27.02.2022
I. Introduction/Controller
This privacy notice applies with regard to the processing of personal data by
Suites21 ("we", "our", "us")
info@suites21.de
Schulzengasse 12
69120 Heidelberg
T + 49 1515 387 0002
in connection with the provision of the website www.suites21.de, including the services provided via this website.
II. Categories of personal data
The following data regarding the use of and the interactions with our services, is automatically collected when you use our website and services:
- information about the browser (type and version used, language)
- the Internet service provider of the user
- the IP address of the user
- date and time of access request
- time zone difference to Greenwich Mean Time (GMT)
- access status/HTTP status code
- the data volume transferred
- websites from which the system of the user comes to our website
- websites accessed by the user’s system through our website
- type of device and operating system
III. Processing purposes, legal basis and recipients and categories of recipients
Below you can find a description of the purposes for which we process personal data, including the recipients or categories of recipients to whom we transfer personal data for the purposes mentioned in each case and the relevant legal basis.
Any access to personal data is restricted to those persons who need to know the respective personal data in order to perform their professional duties ("need-to-know principle").
Personal data will only be disclosed to third parties (e.g. to courts or law enforcement agencies) if we are required to do so by law, if we have obtained the relevant consent, or if the disclosure is otherwise permitted by law.
We may transfer your personal data for the respective purposes to the following recipients and categories of recipients:
- Data processors – Just like other data controllers, we rely on the services of third parties. The service providers are subject to local data protection laws and are also contractually obligated to process the personal data only in accordance with the respective contract and instructions. We also require our service providers to comply with technical and organizational measures that ensure the protection of personal data.
- Private third parties – Affiliated or unaffiliated private bodies other than us.
1. We process your personal data in order to comply with legal obligations (Art. 6 (1) c) GDPR) to which we are subject, including for the following purposes:
- Maintain information security
- Participation in investigations and proceedings (including judicial proceedings) conducted by public authorities in particular, for the purpose of detecting, investigating and prosecuting illegal acts.
- Complying with legal retention obligations (see IV. "Storage duration and deletion" below).
2. We process personal data to the extent necessary for the purposes of the legitimate interests pursued by us or by a third party (Art. 6 (1) f) GDPR), including for the following purposes:
- Participation in proceedings (including judicial proceedings) conducted by public authorities, in particular, for the purpose of detecting, investigating and prosecuting illegal acts, unless there is a statutory obligation.
- Prevention, detection, investigation, mitigation and remediation of fraud, security breaches and other prohibited or unlawful activities, including the assessment of corresponding risks.
IV. Storage duration and deletion
We store personal data as long as it is necessary to fulfill the respective purposes. When we no longer need personal data to comply with contractual or legal obligations, it is deleted from our systems or anonymized. Something else only applies if we have to fulfill legal or official obligations, e.g., statutory retention obligations. In Germany such retention obligations may arise, in particular, arise under the German Commercial Code (Handelsgesetzbuch, "HGB") or the German Fiscal Code (Abgabenordnung, "AO"), and may generally be 6 to 10 years (e.g. for contracts and business letters).
V. Cross-border data transfer outside of the EU/EEA
Some of the recipients of your personal data will be located outside of European Union (EU) and the European Economic Area (EEA), respectively, where the data protection laws may provide a different level of protection compared to the laws in the EU and the EEA and with regard to which an adequacy decision by the European Commission does not exist. The countries which provide an adequate level of data protection from a European data protection law perspective include Andorra, Argentina, Canada, Faeroe Islands, Guernsey, the State of Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland and the Eastern Republic of Uruguay. With regard to data transfers to recipients outside of the European Economic Area and outside the aforementioned countries we provide appropriate safeguards, in particular, by way of entering into data transfer agreements adopted by the European Commission (e.g. Standard Contractual Clauses) with the recipients or taking other measures to provide an adequate level of data protection, where this is required under applicable law. We will provide you with a copy of the respective measure we have taken upon request.
VI. Rights of the data subject
Under applicable data protection law you have the right, in addition to the right to withdraw your consent at any time (the withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal) to make a complaint to a data protection supervisory authority. In addition, you may be entitled to the following rights (though these rights may be restricted by national law). To exercise your rights, please contact us using the contact details provided under I. above.
1. Right of access:
You may have the right to obtain from us confirmation as to whether or not personal data concerning you is being processed, and, where that is the case, to request access to the personal data. The right of access includes, among other things, the purposes of the processing, the categories of the personal data to be processed, and the recipients or categories of recipient to whom the personal data will be disclosed. However, this right is not unrestricted as the rights of other persons may limit your right of access.
In certain circumstances you have the right to receive a copy of the personal data processed by us. For further copies requested by you, we charge a reasonable fee, where relevant calculated on the basis of administrative costs.
2. Right to rectification:
You have the right, where relevant, to request the rectification of inaccurate personal data concerning you. Depending on the purposes of the processing, you may have the right to have incomplete personal data completed, including through the provision of a supplementary statement.
3. Right to erasure (right to be forgotten):
Subject to certain preconditions, you have the right to request us to erase personal data concerning you and we may be obliged to erase such personal data.
4. Right to restriction of processing:
Subject to certain preconditions, you have the right to request that we restrict the processing of your personal data. In that case, the data concerned will be marked and only processed by us for certain purposes.
5. Right to data portability:
Subject to certain preconditions, you have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format and the right to transmit that data to a different controller without hindrance from us.
6. Right to object:
Subject to certain preconditions, you have the right to object at any time to the processing of your personal data by us on grounds arising from your particular situation. This also applies with regard to related profiling. Furthermore, you have the right to object at any time to the processing of personal data for the purpose of direct marketing. This also applies to profiling where this is connected to direct marketing.