H REWARDS LOYALTY PROGRAM PRIVACY POLICY (SINCE FEBRUARY 2023)

    The following information is intended to give you an overview of the processing of your personal data in connection with the following services and to inform you about your rights under the GDPR:

    • Within the framework of the membership in our loyalty program (including becoming a member).
    • Within the framework of membership in a loyalty program of cooperation partners.
    • In the context of the documentation of changes, corrections of personal data.

    I. Information on processing of personal data regarding H Rewards Loyalty Program.

    1. Controller for data processing

    H Rewards Pte. Ltd.
    11 Penang Lane
    238485, Singapore
    Phone: +65 6771 1121
    email: dpo@hworld.com

    H World Holdings Singapore Pte. Ltd. is the parent company of Steigenberger Hotels GmbH and of H Rewards Pte. Ltd. H Rewards Pte. Ltd. operates the H Rewards Loyalty Program.

    2. Contact details of the Data Protection Officer and EU Representative

    2.1 You can reach our Data Protection Officer at

    Wodianka privacy legal GmbH
    Dockenhudener Straße 12a
    22587 Hamburg, Germany
    email: dpo@hworld.com

    2.2 You can reach our EU Representative at

    Steigenberger Hotels GmbH
    Lyoner Strasse 25
    60528 Frankfurt am Main, Germany
    Phone: +49 69 80 88 57 88
    email: eu-representative@hrewards.com

    3. Your personal data

    3.1 Membership in the H Rewards Loyalty Program
    Within the scope of membership in our own H Rewards Loyalty Program, we collect, process and store the personal data listed under point 3.5.

    3.2 Membership in the loyalty program of a cooperation partner
    Within the framework of membership in a loyalty program of one of our cooperation partners, such as Miles & More or bahn.bonus, we collect, process and store the personal data listed under point 3.5.

    3.3 Usage of the customer account
    For the use of the customer account we collect, process and store the personal data listed under point 3.5.

    3.4 Documentation of changes and corrections of personal data
    In accordance with our duty of documentation, we process and store all changes and corrections to the personal data listed under point 3.5.

    3.5 Your personal data
    We collect the following personal data and process it in accordance with the GDPR.

    • Name and surname
    • Residential address and, if applicable, different billing and communication addresses
    • Date of birth
    • Sex and form of address
    • Email address(es), if more than one is used or provided
    • Telephone number(s), if more than one is used or indicated
    • Membership numbers of loyalty programs
    • Residence preferences and wishes
    • General interests, preferences and wishes
    • Password

    Please see below the section “Your rights as a data subject” regarding your rights as a data subject, including information on the correction or deletion of your respective personal data.

    3.6 Personal Information We Collect from Third Party Providers
    When you register or sign in to the H Rewards Platform through a third-party service (e.g., Facebook, Google, Apple), you instruct the service to provide us with information such as, but not limited to, your email address, first and last name, title, and date of birth.

    a) Google single sign-on

    For registration on our website, we also use the authentication service Google Single-Sign-On, of Google LLC, 1600 Amphitheatre Parkway Mountain View, CA 94043, USA. Ireland Limited (Gordon House, Barrow Street Dublin 4, Ireland) is the representative of Google LLC in Europe. In the context of the single sign-on process, the following information is transmitted to us: Name, email address, language, title and date of birth. Your data will also be processed in the USA, among other places. Google is certified under the EU-US Data Privacy Framework. In doing so, the US providers undertake to comply with the EU level of data protection when processing the relevant data. Furthermore, Google uses so-called standard contractual clauses. You can revoke your consent to the use of single sign-on applications at https://adssettings.google.com/authenticated. More information on data processing can be found in Google's privacy policy: https://policies.google.com/privacy?hl=de.

    b) Facebook Single-Sign-On

    For registration on our website, we also use the authentication service Facebook Single-Sign-On, of Meta Platforms, Inc, 1601 Willow Road 94025 Menlo Park, CA. Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour Dublin 2 Ireland, is the agent of Meta Platforms, Inc in Europe. In the context of the single sign-on process, the following information is transmitted to us: Name, email address, title and date of birth. Your data will also be processed in the USA, among other places. Meta is certified under the EU-US Data Privacy Framework. In doing so, the US providers undertake to comply with the EU level of data protection when processing the relevant data. Furthermore, Meta uses so-called standard contractual clauses. At https://www.facebook.com/adpreferences/ad_settings you can revoke your consent to the use of single sign-on applications. More information on data processing can be found in Meta's privacy policy: https://www.facebook.com/privacy/policy/?entry_point=data_policy_redirect&entry=0.

    c) Apple Single-Sign-On

    For registration on our website, we also use the authentication service Facebook Single-Sign-On, of Apple Inc., One Apple Park Way, Cupertino, California. Apple Distribution International Limited, Hollyhill Industrial Estate, Hollyhill, Cork, Ireland, is the agent of Apple Inc. in Europe. In the context of the single sign-on process, the following information is transmitted to us: Name, email address, title and date of birth. Your data will also be processed in the USA, among other places. Apple is certified under the EU-US Data Privacy Framework. In doing so, the US providers undertake to comply with the EU level of data protection when processing the relevant data. Furthermore, Apple uses so-called standard contractual clauses. At https://www.apple.com/legal/privacy/en-ww/ you can revoke your consent to the use of single sign-on applications. More information on data processing can be found in Apple's privacy policy: https://www.apple.com/legal/privacy/data/en/apple-id/

    4. Purposes and legal basis for processing personal data

    We process your personal data in accordance with the provisions of the EU General Data Protection Regulation (GDPR), the German Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG) as well as all other relevant legislation for the purposes and on the legal basis as set out below:

    (a) In order to create, edit, update and manage your Member Account and to properly process credits and debits to your Member Account, and to provide our services in connection with membership in the H Rewards Loyalty Program. The legal basis for this is Article 6 (1) (b) GDPR.

    (b) For processing bonus credits (points, miles, etc.) and other services in connection with your membership in the loyalty programs of our cooperation partners. The legal basis is the fulfilment of the contract in accordance with Article 6 (1) (b) GDPR.

    (c) For comprehensive recognition, especially if you are a member of our H Rewards Loyalty Program, at all service contact points (personal and/or digital) of the hotels and entities belonging to H World Group and automatic updating of your recurring wishes, preferences and requirements, e.g. always two pillows, in order to always be able to provide a high-quality service corresponding to the hotel brand. The legal basis for this is our justified interest in offering our customers the best possible service in accordance with Article 6 (1) (f) GDPR.

    (d) For the purpose of processing your enquiries, information and complaints, insofar as the processing is connected with the fulfilment of a contract or is necessary for the implementation of pre-contractual measures, the legal basis for the processing of your personal data is Article 6 (1) (b) GDPR. In other cases, the legal basis is our legitimate interest in the effective processing of inquiries addressed to us in accordance with Article 6 (1) (f) GDPR.

    (e) To compile statistics based on anonymous data analysis for the improvement and development of products, services and program content of the H Rewards Loyalty Program. The legal basis for this is our legitimate interest in the further development of our H Rewards Loyalty Program in accordance with Article 6 (1) (f) GDPR.

    (f) For the purposes of authentication and fraud prevention, especially in connection with membership of the H Rewards Loyalty Program or a loyalty program of our cooperation partners such as Miles & More or bahn.bonus. The legal basis for this is Article 6 (1) (f) GDPR.

    (g) In order to safeguard domestic authority, to prevent and resolve criminal offences, to assert and defend legal claims and to safeguard interests in legal disputes, to ensure IT security and IT operation and to identify credit risks. The respective legal basis for this is Article 6 (1) (f) GDPR.

    Our overriding legitimate interests result from our obligation to ensure a safe stay of our guests in the hotel as well as from our interest in enforcing our material and immaterial claims and safeguarding our rights and in defending against unjustified claims. Furthermore, the processing of personal data to the extent absolutely necessary for the prevention of fraud also constitutes a legitimate interest of our company in accordance with recital 47 of the GDPR.

    5. Minors

    Minors may not transmit any personal data to us without the consent of the respective parent(s) or guardian(s). Furthermore, we do not store any personal data of minors without the consent of their parents or guardians. Through our website, we do not process personal data of minors that we knowingly obtain.

    6. Categories of personal data recipients

    If and to the extent necessary for the purposes set out in section 4 above, we will also disclose your personal data to the following recipients or categories of recipients in accordance with Article 4 No. 9 GDPR:

    Within our H World Group, only those entities will be granted access to your data (to the extent necessary in each case) that need it to fulfil our contractual and statutory obligations.

    We use Steigenberger Hotels GmbH (“Steigenberger”) as a data processor to operate H Rewards Loyalty Program (including operating the respective website and app). We have concluded a data processing agreement with EU standard contractual clauses (Module Two: controller to processor data transfer). Steigenberger processes and stores your personal data in our central guest database in particular for internal administrative purposes such as the administration and updating of consents and revocations as well as the member account and other connected services. In this context, your personal data is also disclosed to other hotels/entities belonging to H World Group, if you use H Rewards Loyalty Program with a hotel/entity of our H World Group. Disclosure is only made to the extent necessary within the scope of a specific purpose and only to companies that are noted accordingly in the list of hotel operators. Furthermore, only authorized employees are allowed to view and process your personal data within the scope of their function.

    We may also obtain personal data for these purposes from service providers (e.g. within the scope of order processing in accordance with Article 28 GDPR) and vicarious agents. These are companies in the following categories: credit services and payment processing, IT services, cleaning services, logistics, printing services, telecommunications, debt collection, consulting and advisory services, and sales and marketing. The respective service providers can be seen from the list of service providers/processors, which is updated regularly.

    Furthermore, data may be passed on to public bodies and institutions if there is a legal obligation to do so (e.g. financial authorities, law enforcement agencies).

    Other data recipients may be those entities for which you have given us your consent to transfer data.

    7. Transfer of personal data to a third country

    A transfer of personal data to bodies in states outside the European Union (so-called third countries) takes place insofar as

    (a) it is necessary for the execution of your reservations and handling of your hotel stay.

    (b) it is necessary for implementation as part of membership of the H Rewards Loyalty Program or with a cooperating partner.

    (c) it is required by law.

    (d) you have given us your consent.

    As can be seen in detail from the list of service providers/processors provided above, our company uses service providers for certain tasks who are based in a third country or belong to an international group with companies in third countries or who in turn cooperate with service providers based in a third country. Personal data may be transferred to such service providers if the European Commission has decided that an adequate level of protection exists in the third country in question (in accordance with GDPR requirements). If the Commission has not made such a decision, our company or the service provider may only transfer personal data to a third country or to an international organisation if appropriate safeguards are in place and enforceable rights and effective legal remedies are available (Article 46 (1) GDPR). Beyond the cases mentioned above, our company does not transfer personal data to bodies in third countries or to international organisations.

    We transfer personal data to Steigenberger based on a data processing agreement with EU standard contractual clauses (Module Two: controller to processor data transfer).

    8. Period of retention of personal data and criteria for determining that period

    We process and store your personal data as long as it is necessary for the fulfilment of our contractual and legal obligations. If the data are no longer required for the fulfilment of contractual obligations, they are regularly deleted, unless their temporary further processing is necessary due to

    (a) national or regional reporting laws or regulations at the place of data collection or contract implementation.

    (b) national commercial and fiscal retention periods at the place of data collection or contract implementation.

    (c) national, regional or local tax code at the place of data collection or contract implementation.

    (d) membership of its own H Rewards Loyalty Program.

    The periods of retention or documentation specified there are one to ten years.

    9. Your rights as a data subject

    Every data subject has the right of access by the controller to the personal data concerned in accordance with Article 15 GDPR, the right of rectification in accordance with Article 16 GDPR, the right of deletion in accordance with Article 17 GDPR, the right to limit processing in accordance with Article 18 GDPR, the right to object to processing in accordance with Article 21 GDPR and the right of transferability in accordance with Article 20 GDPR. The right of information and the right of deletion are also subject to the restrictions pursuant to Sections 34 and 35 of the BDSG.

    Please see section 12 regarding more information on your right to object to processing under Article 21 GDPR.

    If the processing of your personal data is based on a consent granted to us, you have the right to revoke your consent at any time without affecting the lawfulness of the processing carried out on the basis of the consent until revocation.

    Furthermore, you have the right of appeal with a data protection supervisory authority in accordance with Article 77 GDPR.

    10. Obligation to provide data

    The obligation to provide personal data always exists when such provision is necessary for the performance of a contract or when we are legally obliged to process such data; this applies in particular to

    (a) the drafting of a contract and the execution of the contract;

    (b) the creation and management of the Member's account in its own H Rewards loyalty program;

    (c) compliance with the laws and regulations governing registration at the hotel location.

    If you do not provide us with the necessary information, we may not be able to provide the services you have requested or may not be able to provide them completely.

    11. Automated decision-making and profiling

    When establishing and executing our contractual relationship, you will not be subjected to a decision based solely on automated processing, including profiling, pursuant to Article 22 GDPR, which produces legal effects concerning you or similarly affects you in a serious way.

    12. Additional information on your right to object pursuant to Article 21 GDPR

    You have the right to object at any time, for reasons arising from your particular situation, to the processing of personal data concerning you that is carried out on the basis of Article 6 (1) (e) GDPR (processing in the public interest) or Article 6 (1) (f) GDPR (processing based on a balancing of interests); this also applies to profiling based on this provision in accordance with Article 4 (4) GDPR.

    If you file an objection, we will no longer process your personal data unless we can demonstrate compelling reasons for processing that are worthy of protection and outweigh your interests, rights and freedoms, or unless the processing serves to assert, exercise or defend legal claims.

    If your personal data is processed by us in order to acquire existing customers, you have the right to object at any time to the processing of personal data relating to you for the purpose of such advertising; this also applies to profiling, insofar as it is connected with such acquisition of existing customers.

    The objection is possible by using the unsubscribe function in digital media, corresponding settings in the Member Area or Subscriber Area, using the contact form on the website or by sending an informal letter to the contact data mentioned above.

    II. Additional Information regarding data processes on our website

    1. Membership Account

    You can register on our website as a member of the H Rewards Loyalty Program (user account/account) by providing your full first and last name, your current home address, date of birth, preferred email address and a password. This registration can be done via the menu item "Login/Register" in the header or by adding a password during your booking and when entering your personal data.

    Upon successful login/registration, a member account will automatically be created for you, which is available for the H Rewards Loyalty Program’s website and the websites of all hotel brands/entities belonging to H World Group.

    Regarding your membership, we transfer your data to the respective service providers and respective operators.

    In your member account you can view and change your personal data. In addition, all important information about your membership is displayed, such as membership status. In the member area, you can book hotel accommodation, change or cancel reservations that you have made using your membership details, and make award bookings according to your account balance.

    You can cancel your membership at any time. The member account will automatically be deleted after final termination of the membership (see termination in the terms of participation). The legal basis for the processing of your personal data in connection with the setting up and use of your membership account is your membership in accordance with the terms and conditions of the H Rewards Loyalty Program.

    2. Connection and synchronization of different customer profiles

    Your personal data is collected at different contact points (e.g. member account, hotel, ...) in different forms (handwritten and digital). This may result in multiple customer profiles and contradictory information, especially in the context of the administration of consents or in the case of multiple membership numbers. In order to provide you with the best possible service and to ensure the correct processing of your personal data, we are careful to combine multiple data based on unique characteristics, such as first name, surname and address, to form a unique profile. For the merging of customer profiles we use the information that we collect in the course of your membership and hotel stay as well as the personal data that you have voluntarily submitted to us by other means.

    Without this automated and in some cases necessary manual merging, we cannot guarantee the proper processing of your personal data, as different customer profiles may have different settings. The processing and merging takes place in the central guest database of our processor Steigenberger.

    3. User account/account

    You can register for a user account (account) on our website with your email address and the allocation of a password. This registration can be done via the menu item “Registration” in the header or by adding a password when you make your booking and input your personal data.

    Upon successful registration, a user account (account) will be created for you automatically, which is valid for the websites of all hotel brands/entities belonging to H World Group.

    In the user account you can see and edit (e.g. cancel or change) all the bookings you have transacted since your registration by providing your user data via one of the respective websites. You may delete your user account at any time.

    The legal basis for processing your personal data in connection with the creation and use of your user account is your membership agreement.

    4. Digital offers (newsletter), acquisition of existing customers and program information

    4.1 Advertising (newsletter)

    With the email newsletter, we will regularly inform you about the offers and services of H World Group as well as offers within the framework of membership in the H Rewards Loyalty Program, according to the preferences you specify (please see list of operators above).

    If you would like to receive the email newsletter, we need a valid email address from you. We use the so-called double-opt-in procedure to register you for our newsletter. This means that after your registration we will send you an email to the email address you have provided, in which we ask you to confirm that you wish to receive the newsletter. If you do not confirm your registration within two weeks, your information will be blocked and automatically deleted after one month. In addition, we store your IP address and the time of registration and confirmation. The purpose of this procedure is to be able to prove your registration and, if necessary, to clarify any possible misuse of your personal data.

    Please note that members, who originally provided their marketing consent to Steigenberger, will continue to receive email marketing messages from Steigenberger, unless they revoke their respective consent with regard to further processes.

    4.2 Advertising regarding existing customers

    4.2.1 Advertising for members within the framework of membership of the loyalty program
    With respect to the H Rewards Loyalty Program, we reserve the right to send our members offers from our range of services as membership advertising by email. Our justified interest in the implementation of existing customer acquisition is to inform our members about the current membership status and to be able to offer individual and exclusive offers to target groups. We can process your personal data, which you have entered in the member account or which you provide during a stay, for the purpose of member recruitment within the framework of the existing membership.

    4.2.2 Advertising to existing customers within the framework of a stay
    We reserve the right to send our guests offers from our range of services as an advertisement for existing customers by email. Our justified interest in the execution of existing customer advertising is to be able to offer our guests individual offers in a target group-oriented manner, which are based on a previous booking (transaction) or the existing customer relationship.

    Your personal data, which you provide us with when making a booking, can be processed by us within twelve (12) months after a previous transaction for the purpose of sending advertising to existing customers. If you do not make a new booking within this period or do not carry out any other transaction, your personal data will no longer be processed for the purpose of acquiring existing customers and will be deleted accordingly, unless you have subscribed to a newsletter or your personal data must continue to be stored due to other regulations.

    4.3 Obligatory communication

    4.3.1 Communication in the context of membership
    Within the framework of the operation of the loyalty program, we are legally obliged to inform you about changes in the program (conditions of participation). The communication will be made exclusively by email to the email address stored in the member account. If this is no longer valid, we reserve the right to contact you by other means, e.g. by post.

    4.3.2 Communication media
    For the aforementioned communication purposes, we use the following communication media according to the settings and consents stored in the central customer profile:

    • Email
    • Messenger Services
    • Phone
    • Post

    4.4 Revocation of consents and objections to Member Advertising

    4.4.1 Revocation of consents
    As a subscriber to the email newsletter, you can revoke your consent to the processing of your email address to send the email newsletter at any time. The revocation can be made via the relevant link in each email newsletter or by email with the subject "Unsubscribe" to update@news.hrewards.com.

    4.4.2 Objections to Member Advertising
    You can object to the use of your email address for the purpose of sending advertising to existing customers or members at any time without incurring any costs other than the transmission costs according to the basic rates. For more information on exercising your right to object to the use of your email address for direct marketing purposes, please refer to the section above “Your rights as a data subject”.

    Current version: February 2023


    DATA PRIVACY INFORMATION - WEBSITE

    The following information is designed to give an overview of how we process your personal data in connection with the services outlined below and to inform you about your rights under the European Data Protection Regulation (GDPR):

    • Processing personal data as part of contacting us with general inquiries
    • Processing personal data in the context of reservations of tables in bars or restaurants or appointments and bookings of spa visits
    • Processing personal data in connection with and directly after your stay at one of our hotels
    • Processing personal data as part of video surveillance on our premises
    • Processing personal data in connection with digital offers (newsletters), existing customer marketing, and program information
    • Processing personal data as part of your membership of our loyalty program and loyalty programs of our cooperation partners
    • Mandatory communication as part of the loyalty program
    • Processing personal data as part of purchasing vouchers
    • Processing personal data as part of arranging services
    • Processing personal data by a processor on behalf of the controller
    • Processing personal data in the context of using this website

    I. General information and your rights as data subject

    1. Party responsible for data processing (“controller”)

    2. The controller as defined in Article 4 (7) GDPR is:

    Steigenberger Hotels GmbH
    Lyoner Straße 25
    60528 Frankfurt am Main, Germany
    Phone: +49 (0)69 66564-460
    Fax: +49 (0)69 66564-888
    E-Mail: service@hrewards.com

    Full details pursuant to Section 5 of the German Telemedia Act (Telemediengesetz, TMG) (Imprint)

    1. Contact details of the Data Protection Officer

    You can contact our Data Protection Officer at

    TÜV Informationstechnik GmbH
    Am TÜV 1
    45307 Essen, Germany
    E-Mail

    4. Your rights as a data subject

    Every data subject whose personal data is processed has the right of access to obtain from the controller information about the personal data concerning him or her pursuant to Art. 15 GDPR, the right to rectification pursuant to Art. 16 GDPR, the right to erasure pursuant to Art. 17 GDPR, the right to restriction of processing pursuant to Art. 18 GDPR, the right to object to processing pursuant to Art. 21 GDPR, and the right to data portability pursuant to Art. 20 GDPR. In addition, the restrictions pursuant to Sections 34 and 35 of the German Federal Data Protection Act (Bundesdatenschutzgesetz, BDSG) apply to the right of access by the data subject and the right to erasure.

    Where processing of your personal data is based on your consent that you have given us, you have the right to withdraw your consent at any time without this affecting the lawfulness of processing based on consent before its withdrawal.

    In addition, data subjects have the right to lodge a complaint with the responsible Data Protection Authority under Art. 77 GDPR in conjunction with Section 19 BDSG.

    5. Processing the data of minors

    Minors may not transmit any personal data to us without the consent of a parent or legal guardian. We do not process any data knowingly obtained from minors on our website.

    6. Automated decision-making and profiling

    When entering into or performing a contract with you, you will not be subject to any decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you, as set out in Art. 22 GDPR.

    7. Additional information on your right to object pursuant to Art. 21 GDPR

    You have the right to object, on grounds relating to your particular situation, at any time to the processing of personal data concerning you which is based on Art. 6 (1) (f) GDPR (data processing on the basis of balancing interests).

    If you object, your personal data will no longer be processed unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights, and freedoms, or unless the processing is carried out for the establishment, exercise, or defense of legal claims.

    If your personal data is processed by us for the purpose of existing customer marketing, you have the right to object at any time to the processing of personal data concerning you for the purposes of such marketing. To object to processing you can use the unsubscribe function in digital media, select the corresponding settings in the membership or subscriber area, use the contact form on our website, or use the contact details provided in section I. to inform us of your objection without using a particular format.

    8. Personal data storage periods and criteria for determining these periods

    We process and store your personal data for as long as is necessary to fulfill our contractual and legal duties and obligations. If the data is no longer required to fulfill our contractual duties, it will be erased on a regular basis unless temporary further processing of the data is necessary because of

    (a) national or regional registration laws and regulations at the place of data collection and/or contract performance

    (b) national retention periods under commercial or fiscal law at the place of data collection and/or contract performance

    (c) national, regional, or local tax regulations (such as visitors’ tax, tourist tax, etc.) at the place of data collection and/or contract performance

    (d) membership of our own H Rewards loyalty program

    The periods for retention and/or documentation specified thereunder are usually two to ten years. For further information on the storage period of your personal data please see the relevant sections on different types of processing.

    9. Documentation of modifications to and corrections of personal data

    Under our duty of documentation, we process and keep a record of all modifications to and corrections of your personal data such as

    • First and last name
    • Home address and, where different, billing and correspondence addresses
    • Date of birth
    • Gender, salutation, title
    • Email address(es) if multiple addresses are used or specified
    • Phone number(s) if multiple numbers are used or specified
    • Passport data
    • Loyalty program membership numbers
    • Preferences and wishes related to your stay
    • General interests, preferences, and wishes
    • Password

    10. Duty to provide data

    You have a duty to provide personal data whenever this data is required in order to render our services or whenever we are required by law to collect this data; this applies in particular to

    • performing an accommodation contract
    • managing your membership account of our own loyalty program, H Rewards
    • complying with registration laws and requirements applicable at the hotel location

    If you fail to provide us with necessary information we may not be able to provide the requested services in full or may not be able to provide them at all.

    II. Contacting us

    Contacting us with general inquiries through our website or the service center

    You can contact us in various ways, including via the contact form on our website or by calling our service center.

    1. Processed personal data

    As part of general inquiries, we receive, process, and store the following personal data depending on the nature of your request:

    • First and last name
    • Gender, salutation, title
    • Email address(es) if multiple addresses are used or specified
    • Phone number(s) if multiple numbers are used or specified
    • Loyalty program membership numbers
    • Other personal data that you provide voluntarily in your inquiry
    • Audio recordings of calls to the service center (only with your consent)

    2. Purposes and legal bases of processing your personal data

    We process your personal data for the following purposes and on the following legal bases: To process your queries, requests for information, and complaints if such processing is related to the performance of a contract or the implementation of pre-contractual measures. In this case, the legal basis for processing your personal data is Art. 6 (1) (b) GDPR. In other cases, the legal basis is our legitimate interest in effectively processing any queries that we receive pursuant to Art. 6 (1) (f) GDPR. Calls to our service center are only recorded if you have previously consented to this (Art. 6 (1) (a) GDPR). Recordings are only made for the purpose of providing training for employees on how to handle queries.

    3. Categories of recipients of personal data

    If you have a direct question for the hotel, for example regarding your reservation, your query will be forwarded directly to that hotel. We also work with a service provider in our service center who supports us in handling your queries.
    If your query is related to data privacy, such as requests for information, it will be forwarded to the data protection department for processing. All other queries will be forwarded to the offices/departments whose involvement is necessary for handling your query.

    4. Duration of storage of personal data

    If you contact us we will store your personal data. The only purpose of storing your data is to be able to deal with your request and to contact you. Your contact requests are usually erased after 10 years.

    5. Transfer of data to third countries

    If your query is related to a hotel in a third country, the data that we receive when you contact us will be transferred to the third country where the hotel is located to be dealt with.

    III. Processing your personal data in connection with your stay

    Queries, bookings/reservations, travel preparations, arrival/check-in, departure

    1. Processed personal data

    We process your data in order to handle and manage your reservation requests and reservations and to provide our services under the accommodation contract, including managing your stay at our hotel and processing the payment. In addition, the hotels are generally obligated under the relevant applicable registration laws and regulations to collect the aforementioned personal data from guests staying at the hotel. We also process and store any preferences and wishes expressed to us on a voluntary basis which are either relevant to the specific visit or are of a general nature (recurring requirements, preferences, and wishes). We are also obligated under our contract with you to inform you of any significant changes. We will use the personal data we hold on you for this purpose.

    • First and last name
    • Home address and, where different, billing and correspondence addresses
    • Date of birth
    • Payment data and credit card data
    • Gender, salutation, title
    • Email address(es) if multiple addresses are used or specified
    • Phone number(s) if multiple numbers are used or specified
    • Passport data
    • Loyalty program membership numbers
    • Preferences and wishes related to your stay
    • General interests, preferences, and wishes

    2. Purposes and legal bases of processing your personal data

    We process your personal data for the following purposes and on the following legal bases:

    To handle and manage your reservation requests and reservations and provide our services under the accommodation contract, including managing your stay at our hotel and processing payment (in particular also for tracking your use of our services (telephone, bar, spa, chargeable TV channels etc.), performing check-in activities (digitally and on site), and managing access to the rooms). The legal basis for this is Art. 6 (1) (b) GDPR.

    As part of contractual performance, we are required to inform you of any significant changes that occur during your stay. We provide this information preferably via email to the email address stored in the central guest profile. If this is no longer valid we reserve the right to contact you by different means, such as by post. The legal basis for this is the performance of our accommodation contract with you pursuant to Art. 6 (1) (b) GDPR.

    To fulfill a legal obligation that our company is subject to as the controller (e.g., due to registration laws, fiscal law, obligation to keep records, etc.). The legal basis for this is Art. 6 (1) (c) GDPR.

    To ensure that your stay with us meets your needs and expectations based on your personal data that is already stored in our system and helps us recognize you at all service contact points (in person and/or digital), in particular if you are a member of our loyalty program, e.g., data transferred with your reservation, data provided voluntarily during previous visits (regular guests, returning guests), and any add-on services or requirements related to your visit, e.g., bouquet of flowers in your room, two pillows. The legal basis for this is Art. 6 (1) (f) GDPR. Our legitimate interest is in offering our guests the highest possible standard of service.

    To create, edit, manage, and update your membership account and to correctly deal with any credits and debits to your membership account as well as to provide our services as part of your membership of our H Rewards loyalty program. The legal basis for this is Art. 6 (1) (b) GDPR.

    To process bonus credits (points, miles, etc.) and other services rendered as part of your membership of the loyalty programs of our cooperation partners. The legal basis for this is the performance of the contract pursuant to Art. 6 (1) (f) GDPR.

    To maintain, assure, and improve the quality of our products and services, in particular by carrying out and analyzing satisfaction surveys and comments from guests, by processing your personal data in our central guest database, which allows us to recognize you as a returning guest, to better assess your needs and wishes, to improve the quality and personal touch of our communication with you, and to create offers tailored to you – the legal basis for this is Art. 6 (1) (f) GDPR. Our overriding legitimate interests arise from the accommodation contract entered into with you, which constitutes a relevant and appropriate relationship within the meaning of recital (47) GDPR, and from the fact that this type of data processing is customary for international hotel chains and in line with the reasonable expectations of the majority of guests. As part of a group of companies, which includes businesses operating hotels under the umbrella brand H World International, our company also has a legitimate interest pursuant to recital 48 GDPR, namely to transfer personal data of guests within the group of companies for internal administrative purposes.

    To uphold the house rules, to prevent and investigate crimes and offenses, to assert legal claims and defend against legal claims and represent our interests in legal disputes, to ensure IT security and maintain IT operations, to identify risks related to creditworthiness – the legal basis for this is Art. 6 (1) (f) GDPR. Our overriding legitimate interests stem from our obligation to ensure our guests’ safe and secure stay at the hotel and from our interest in asserting our material and immaterial claims and exercising our rights and in defending ourselves against unjustified claims. Furthermore, it is also a legitimate interest of our company to process personal data to the extent strictly necessary in order to prevent fraud pursuant to recital (47) GDPR.

    3. Categories of recipients of personal data

    If and where necessary for the aforementioned purposes, we will also disclose your personal data to the following recipients or categories of recipients as defined in Art. 4 (9) GDPR: Within our company, only those offices/departments that need your personal data in order for us to fulfill our contractual and legal duties will be able to view or access it (to the extent necessary).

    To the extent that your personal data is processed in our central guest database it will also be disclosed to other companies that operate one or several hotels of the brands which are part of H World International (Steigenberger Hotel & Resorts, IntercityHotel, Jaz in the city, Maxx by Steigenberger). The respective operators of each of these hotels are shown on the list of hotel operators. This list is updated on a regular basis and all hotels that use our central guest database are specially marked here. When crediting any points accrued by you in membership programs of cooperation partners during your visit, we transfer your data to the relevant cooperation partners.

    Service providers used by us (e.g., for data processing on our behalf as set out in Art. 28 GDPR) and vicarious agents may also receive personal data for these purposes. These are companies that belong to the categories of credit services and payment processing, IT services, cleaning services, logistics, printing services, telecommunications, debt collection, consulting, and sales and marketing. The relevant service providers are shown in the list of service providers/processors, which is updated on a regular basis. Furthermore, data may be transferred to official bodies and institutions if we are under a legal obligation to do so (e.g., fiscal authorities, law enforcement authorities, registration authorities). Other recipients of data may be those bodies and institutions to which you have given your consent for the transfer of data.

    4. Duration of storage of personal data

    We process and store your personal data for as long as is necessary to fulfill our contractual and legal duties and obligations. When the data is no longer needed for the fulfillment of contractual obligations, it will regularly be erased unless temporary further processing of the data is necessary because of retention periods specified under commercial and fiscal law (including the German Commercial Code (Handelsgesetzbuch, HGB), the German Fiscal Code (Abgabenordnung, AO), the German Federal Act on Registration (Bundesmeldegesetz, BMG)). The periods of retention and/or documentation specified thereunder are between two and ten years.

    5. Transfer of data to third countries

    If you booked a stay in a hotel in a country outside the European Union (third country), your data will be transferred to this third country if it is necessary to do so in order to make your reservations and manage your stay at the hotel. If you are a member of our loyalty program or that of one of our cooperation partners, it will be necessary to transfer the points you accrued to the partner to perform services under the membership scheme.

    6. Merging your guest profiles

    Your personal data is collected at various points of contact (e.g., membership account, hotel) in different ways (in writing and digitally). This is why it may be the case that multiple different guest profiles exist in our database which contain inconsistent information. As we strive to offer you the best possible service and wish to ensure that your personal data is processed correctly, we are keen to merge multiple copies of data into one unique profile using unique characteristics, such as first name, last name, and address. To merge guest profiles, we use the information collected in the context of your H Rewards membership and your stay in our hotel as well as the personal data that you communicated to us in any other way on a voluntary basis.

    The legal basis for this is Art. 6 (1) (f) GDPR. Without this automated and sometimes necessary manual merging we cannot ensure that your personal data will be processed properly and correctly. This is why we have a legitimate interest in merging the data.

    The processing and merging is carried out in the central guest database of Steigenberger Hotels GmbH.

    IV. Other processing immediately after your stay (post-stay messages)

    After your stay you will receive from us a post-stay message in which we ask you to rate your stay in our hotel (satisfaction survey) unless you have previously unsubscribed from this communication by email or by using the unsubscribe link in a post-stay message.

    1. Processed personal data

    • First and last name
    • Membership number
    • Gender, salutation, title
    • IP address
    • Email address(es) if multiple addresses are used or specified
    • Preferences and wishes related to your stay
    • General interests, preferences, and wishes
    • Data that you transfer to us in a satisfaction survey

    2. Purposes and legal bases of processing personal data

    We process your personal data for the following purposes and on the following legal bases:

    To maintain, assure, and improve the quality of our products and services, in particular through analyzing complaints, satisfaction surveys, and comments from guests. The legal basis for this is our legitimate interest in offering our customers the best possible service pursuant to Art. 6 (1) (f) GDPR.

    3. Categories of recipients of personal data

    In the context of the customer satisfaction survey included in the post-stay messages we work with a service provider who is the recipient of this data (processor).

    4. Duration of storage of personal data

    We store any data collected in the customer satisfaction survey for a period of 3 years. Your IP address will be anonymized after 28 days.

    5. Transfer of data to third countries

    We do not intend to transfer this data to a third country or an international organization.

    V. Video surveillance on our premises during your stay

    Video surveillance

    VI. Processing personal data in connection with digital offers (newsletter), existing customer marketing, and program information

    1. Newsletter

    Our email newsletter provides you with information on a regular basis and in line with your specified preferences about the offers and services provided by the hotels belonging to H World International (see list of hotel operators), the offers and services provided by our cooperation partners (see list), and the offers associated with your membership of the H Rewards loyalty program.

    If you wish to receive the email newsletter, we need you to provide us with a valid email address. We use the double-opt-in process for you to sign up to our newsletter. This means we will send an email to the specified email address after you register asking you to confirm that you wish to receive the newsletter. If you fail to confirm your sign-up within a period of two weeks, your information will be blocked and, after one month, automatically erased. We also store the IP address used by you in each case and the times of your registration and confirmation. The purpose of this process is to be able to prove your registration and, where necessary, investigate any misuse of your personal data.

    1.1. Processed personal data

    We process the following personal data in connection with sending our newsletter:

    • First and last name
    • Home address and, where different, billing and correspondence addresses
    • Date of birth
    • IP address
    • Gender, salutation, title
    • Email address(es) if multiple addresses are used or specified
    • Loyalty program membership numbers
    • General interests, preferences, and wishes

    1.2. Purposes and legal bases of processing personal data

    We process your personal data for the following purposes and on the following legal bases:

    To send our email newsletter to you, including administering your subscription to the newsletter. The legal basis for this is your consent pursuant to Art. 6 (1) (a) GDPR. As a subscriber to our email newsletter, you may withdraw at any time your consent to us processing your data in order to send our email newsletter. To withdraw your consent, you can use the relevant link included in every email newsletter or send an email to news@update.hrewards.com specifying "Abmelden" (Unsubscribe) in the subject line.

    1.3. Categories of recipients of personal data

    We use an external service provider (processor) to send our newsletters to subscribers.

    1.4. Duration of storage of personal data

    As soon as you withdraw your consent to receive the newsletter, your personal data will be erased.

    1.5. Transfer of data to third countries

    We do not intend to transfer this data to a third country or an international organization.

    1.6. Tracking in connection with the newsletter service

    We use tracking service providers in connection with our newsletter service in order to measure open and click rates of the emails.

    2. Existing customer marketing

    2.1. Existing customer marketing in the context of loyalty program membership

    We reserve the right to send our loyalty program members emails with offers from our range of services as members’ marketing. Your membership allows us to process your personal data provided to us in your membership account or during a visit to one of our hotels for the purpose of members’ marketing. For the purpose of communicating with you as described above, we use the following communication media in accordance with the settings and permissions stored in the central guest profile:

    • Email
    • Telephone
    • Post

    2.2. Existing customer marketing

    We reserve the right to send our guests emails with offers from our range of services as existing customer marketing. Our legitimate interest in engaging in existing customer marketing is to be able to offer our guests targeted, individual offers prepared on the basis of a previous booking (transaction) or existing customer relationship. We may process your personal data provided to us in a booking for a period of 12 months after the transaction was made in order to send marketing messages to existing customers. If no other booking or other transaction is made within this period, your personal data will no longer be processed for the purpose of existing customer marketing and will therefore be erased unless you have a newsletter subscription or your personal data must be retained for longer due to other arrangements. You may object at any time to the use of your email address for the purpose of sending marketing to existing customers without incurring any costs other than the transmission costs at basic rates. If your personal data is processed by us for the purpose of existing customer marketing, you have the right to object at any time to the processing of personal data concerning you for the purposes of such marketing.

    2.3. Processed personal data

    We collect the following personal data in connection with existing customer marketing:

    • First and last name
    • Home address and, where different, billing and correspondence addresses
    • Date of birth
    • Gender, salutation, title
    • Email address(es) if multiple addresses are used or specified
    • Loyalty program membership numbers
    • General interests, preferences, and wishes

    2.4. Purposes and legal bases of processing personal data

    We process your personal data for the following purposes and on the following legal bases:

    To send marketing messages about our offers and services to existing customers – the legal basis for this is Art. 6 (1) (f) GDPR. Our legitimate interest in engaging in existing customer marketing is to inform our members about their current membership status and send our members and existing customers targeted, individual, exclusive offers.

    You may object at any time to the use of your email address for the purpose of sending marketing to existing customers or members without incurring any costs other than the transmission costs at basic rates. More detailed information on exercising your right to object to the use of your email address for direct marketing measures is provided within this Privacy Policy.

    2.5. Categories of recipients of personal data

    When we carry out existing customer marketing measures, your personal data will only be disclosed to those employees in our company who can view our central guest database. In addition, we use an external service provider (processor) to send marketing messages to existing customers.

    2.6. Duration of storage of personal data

    If no other booking or other transaction is made within a period of 12 months, your personal data will no longer be processed for the purpose of existing customer marketing and will therefore be erased unless you have a newsletter subscription, are a loyalty program member, or your personal data must be retained for longer due to other arrangements.

    2.7. Transfer of data to third countries

    We do not intend to transfer this data to a third country or an international organization.

    VII. Loyalty program membership, membership account (user account / account), communication

    1. Membership/user account

    You can register as a member of the H Rewards loyalty program (user account / account) in accordance with the applicable Terms & Conditions of Membership by providing us with your full first name and last name, salutation, your current home address, your date of birth, your preferred email address and specifying a password. You can register in the following ways:

    • on the H Rewards app
    • on the H Rewards website
    • during the booking process
    • before using the high-speed Wi-Fi
    • after receiving an invitation to register sent out by a hotel employee
    • by scanning a registration QR code

    Following your successful registration, a membership account will be created automatically based on the applicable Terms & Conditions of Membership. When you register to become a member, you are deemed to have agreed to the transfer of the data that you provided during your registration to the relevant operators of the brands of H World International.

    You can view and amend your personal details in the membership account. Any important information regarding your membership, such as your membership status, will also be displayed here. In the members’ area, you can book hotel accommodation or cancel bookings that you made on the website or the app specifying your membership details and you can redeem rewards according to your account status. You may cancel your membership at any time. The membership account will be automatically deleted after the final cancelation of the membership (see cancelation in the terms and conditions of membership).

    1.1 Processed personal data

    We process the following personal data as part of your membership of our own loyalty program:

    • First and last name
    • Home address and, if different, billing and communication addresses
    • Date of birth
    • Gender, salutation, title
    • Email address(es) if multiple addresses are used or specified
    • Phone number(s) if multiple numbers are used or specified
    • Loyalty program membership number
    • Preferences and wishes related to your stay
    • General interests, preferences, and wishes
    • Password
    • Reward redemptions

    1.2 Purposes and legal bases of processing personal data

    We process your personal data for the following purposes and on the following legal bases:

    To carry out and manage your membership of our loyalty program – the legal basis for this is the performance of our contract with you pursuant to Art. 6 (1) (b) GDPR. The legal bases for processing your personal data in connection with the creation and use of your membership account are your membership in accordance with the Terms & Conditions of the Loyalty Program as well as Art. 6 (1) (b) GDPR.

    To create, edit, manage, and update your membership account and to correctly deal with any credits and debits to your membership account as well as to provide our services as part of your membership of our H Rewards loyalty program. The legal basis for this is Art. 6 (1) (b) GDPR.

    To create statistics based on anonymized data analyses to improve and enhance products, services, and the contents of the H Rewards loyalty program. The legal basis for this is our legitimate interest in enhancing our loyalty program pursuant to Art. 6 (1) (f) GDPR.

    For authentication and fraud prevention in the context of your membership of the H Rewards loyalty program or a loyalty program of one of our cooperation partners, such as Miles & More or bahn.bonus. The legal basis for this is our legitimate interest pursuant to Art. 6 (1) (f) GDPR.

    To ensure comprehensive recognition, in particular of members of our loyalty program, across all service contact points (in person and/or digital) at hotels belonging to H World International and to ensure automatic updates of your recurring wishes, preferences, and needs, e.g., always two pillows, in order for us to provide you with a high-quality service appropriate to the hotel brand. The legal basis for this is our legitimate interest pursuant to Art. 6 (1) (f) GDPR to provide our customers with the highest possible standard of service.

    1.3 Categories of recipients of personal data

    In the context of fulfilling the membership requirements it is necessary for us to transfer your data to various recipients. These are in particular the hotels of H World International and our cooperation partners.

    1.4 Duration of storage of personal data

    Your membership account data will be stored until your membership is canceled. Any unredeemed points, rewards, and the membership status achieved will become invalid six months after the cancelation's effective date.

    1.5 Transfer of data to third countries

    If you provide your membership number voluntarily for a stay in a hotel located in a third country, your data will be transferred to the hotel in question so that the points can be credited.

    2. Communication in the context of a contract

    As part of the performance of the contract with you, we are required by law to inform you of any significant changes that occur during your stay. We primarily provide this information via email to the email address stored in the central customer profile. If this is no longer valid we reserve the right to contact you by different means, such as by post.

    2.1 Communication media

    For the purpose of communicating with you as described above, we use the following communication media in accordance with the settings and permissions stored in the central customer profile:

    • Email
    • Messenger services
    • Telephone
    • Post

    2.2 Mandatory communication as part of the loyalty program

    As part of operating the loyalty program, we are required by law to inform you of any changes to the program (Terms & Conditions of Membership). We usually provide this information via email to the email address stored in the membership account. If this is no longer valid we reserve the right to contact you by different means, such as by post.

    2.3 Categories of recipients of personal data

    We use an external service provider to send out our communications.

    2.4 Duration of storage of personal data

    As part of operating the loyalty program, we are required by law to inform you of any changes to the program.

    2.5 Transfer of data to third countries

    We do not intend to transfer this data to a third country or an international organization.

    3. Membership of a loyalty program of a cooperation partner

    We process personal data in connection with your membership of a loyalty program of one of our cooperation partners, such as Miles & More or bahn.bonus. (List of cooperation partners: /en/partners)

    3.1 Processed personal data

    • Email address(es) if multiple addresses are used or specified
    • Loyalty program membership numbers

    3.2 Purposes and legal bases of processing personal data

    We process your personal data for the following purposes and on the following legal bases:

    To process bonus credits (points, miles, etc.) and other services rendered as part of your membership of the loyalty programs of our cooperation partners. The legal basis is our legitimate interest pursuant to Art. 6 (1) (b) GDPR.

    3.3 Categories of recipients of personal data

    It is necessary to transfer your data to the respective cooperation partner so that the bonus can be credited.

    3.4 Duration of storage of personal data

    We will store your data for a period of 10 years.

    3.5 Transfer of data to third countries

    The data will only be transferred to a third country in cases where the cooperation partner in question is located in a third country or if you have provided your membership number when making a reservation at a hotel in a third country. In these cases, the data will be transferred on the basis of Art. 49 (1) (b) GDPR.

    VIII. Purchasing vouchers

    The voucher shop allows you to purchase general vouchers and hotel-specific vouchers.

    1. Processed personal data

    We process the following personal data in connection with the purchase of vouchers:

    • Salutation, title
    • First and last name
    • Email address
    • Phone number
    • Date of birth
    • Address
    • Payment details

    2. Purposes and legal bases of processing personal data

    We process your personal data for the following purposes and on the following legal bases: To handle the purchase of vouchers – the legal basis for this is Art. 6 (1) (b) GDPR.

    3. Duration of storage of personal data

    The data that we received from you when you purchased vouchers will be stored for 10 years.

    4. Categories of recipients of personal data

    We forward your data to a service provider in order to be able to send you the voucher. We also use various service providers to process the transaction, depending on the payment type.

    5. Transfer of data to third countries

    If you purchase a voucher for a hotel in a third country, the data that we receive from you when you purchase the voucher will be transferred for processing to the third country where the hotel is located.

    IX. Brokering hotel reservations
    On its website, Steigenberger Hotels GmbH acts as a broker for booking accommodation in hotels of third-party hotel operators (see list of hotel operators). The parties entering into the accommodation contract are yourself and the respective hotel operator. As part of this brokering service it is necessary for us to transfer the data required for the fulfillment of the contract (e.g., first and last name of the guest, reservation period, email address) to the respective hotel operator. The legal basis for this is Art. 6 (1) (b) GDPR. If the brokering service is provided for a reservation in a hotel in a third country, the related transfer of data is based on Art. 49 (1) (b) GDPR.

    X. Reservations of tables in bars or restaurants or scheduling and booking of spa visits
    Steigenberger Hotels GmbH offers the possibility to reserve tables in bars or restaurants as well as to schedule and book spa visits in its hotels via the website and app. The RESERViSiON reservation tool is used for this purpose.

    Data processing for table reservations via RESERViSiON:
    We process your personal data via RESERViSiON to make the reservation and to prepare your visit to our restaurant (legal basis Art. 6 para. 1 p. 1 lit. b GDPR or for voluntary information Art. 6 para. 1 p. 1 lit. a GDPR). RESERViSiON provides us with your data for this purpose on our behalf. After your visit to the restaurant, your personal data will be deleted from RESERViSiON, unless you have created a user profile with RESERViSiON with your consent in order to make future reservations easier. The following data is stored here: Salutation, first name, surname, e-mail and telephone. If you voluntarily enter further data, this will also be stored in RESERViSiON: title, company, cost centre, street, house number, address suffix, postcode, town, VAT ID number, allergies, reason. You can have your user profile in RESERViSiON deleted at any time by sending an e-mail to RESERViSiON and revoking your consent (datenschutz@reservision.de). After your visit to the restaurant, we will send you an e-mail which you can use to rate us. If you do not wish to receive such an e-mail, you can object to it at any time by clicking on the relevant link in the confirmation of your reservation. With your rating you help us to improve our service and quality. Submitted ratings will only be published without reference to your person (anonymised).

    Data processing for scheduling and booking spa visits via RESERViSiON:
    We process your personal data via RESERViSiON to make the reservation and to prepare your visit to our spa (legal basis Art. 6 para. 1 p. 1 lit. b GDPR or for voluntary information Art. 6 para. 1 p. 1 lit. a GDPR). RESERViSiON provides us with your data for this purpose on our behalf. After your visit to the spa, your personal data will be deleted from RESERViSiON unless you have created a user profile at RESERViSiON with your consent in order to make future reservations easier. Only the following data will be stored here: Salutation, first name, surname, e-mail and telephone. If you voluntarily enter further data, this will also be stored in RESERViSiON: title, company, cost centre, street, house number, address suffix, postcode, town, VAT ID number, allergies, reason. You can have your user profile in RESERViSiON deleted at any time by sending an e-mail to RESERViSiON and revoking your consent (datenschutz@reservision.de). After your visit to the spa, we will send you an e-mail which you can use to rate us. If you do not wish to receive such an e-mail, you can object to it at any time by clicking on the relevant link in the confirmation of your reservation. With your rating you help us to improve our service and quality. Submitted ratings will only be published without reference to your person (anonymised).

    XI. Information regarding the use of cookies and payment service providers on this website

    1. Transfer to third countries
    If you consent to the use of cookies, you are at the same time explicitly consenting to the transfer of your personal data pursuant to Art. 49 (1) (a) GDPR to an insecure third country. The United States in particular is regarded by the Court of Justice of the European Union as a country that does not have an adequate level of data protection. There is a risk that your data may be processed by U.S. authorities for control and monitoring purposes and you are left with no effective legal remedies in that regard.

    As can be seen specifically from the [List of service providers / processors](/en/service-providers-processors), our company uses service providers for certain tasks whose registered office is in a third country or who belong to an international group with companies in third countries or who themselves work with service providers based in a third country. The transfer of personal data to such service providers is permitted if the European Commission has decided that the third country in question offers an adequate level of protection (Art. 45 GDPR). In the absence of such a decision, our company or the service provider may transfer personal data to a third country or an international organization only if provisions are made for appropriate safeguards and if enforceable rights and effective legal remedies are available (Art. 46 (1) GDPR). If neither an adequacy decision pursuant to Art. 45 (3) GDPR has been made nor appropriate safeguards pursuant to Art. 46 GDPR are in place, the transfer of your personal data to a third country is only permissible under one of the following conditions:

    • You have explicitly consented to the proposed transfer of data, after having been informed of the possible risks of such transfers for you due to the absence of an adequacy decision and appropriate safeguards
    • The transfer is necessary for the performance of a contract between you and the controller or for the implementation of pre-contractual measures

    2. Integration of payment service providers for online payments
    To process online payments we use the following external service providers whose platforms you can freely choose between to process your payment:
    • Concardis GmbH (Helfmann-Park 7, 65760 Eschborn, Germany, Tel. +49 (0)69 79220)
    • American Express Payment Service Limited (Theodor-Heuss-Allee 112, 60486 Frankfurt/Main, Germany)
    • Paypal S.à r.l. et Cie, S.C.A. (22-24 Boulevard Royal, 2449 Luxembourg, Luxembourg)
    • Computop Paygate GmbH (Schwarzenbergstraße 4, 96050 Bamberg, Germany)
    • PPro & Nets

    If you wish to make an online payment this can be integrated into the booking or voucher purchase processes or you may do so via a corresponding link sent to an email address specified by you. If you click on such a link you will be forwarded to the payment platform. Further details regarding the handling of your personal data in this connection are provided there.

    3. Cookies

    3.1 Information about cookies
    We use cookies on our website. Cookies are small files created automatically by your browser and stored on your device (laptop, tablet, smartphone, or similar) when you visit our website. Cookies do not cause any harm to your device and do not contain any viruses, Trojans, or other malware. Their purpose is to store information obtained in connection with the specific device that you use. This does not mean, however, that we gain direct knowledge of your identity. Using cookies has a twofold objective: On the one hand, we want to make it more convenient for you to use our website and, on the other hand, we want to gather statistics on the use of our website and analyze these with the aim of optimizing the services we offer you. To achieve this, we use cookies for the following purposes:

    • Necessary functions:
    These cookies contribute significantly to improving your browsing and booking experience on our website. Basic functionalities and applications such as shopping carts or electronic billing procedures are optimized, and their use is made possible. These cookies do not collect information about you that can be used for marketing campaigns or statistical analysis. These cookies are necessary for the use of the website; the legal basis for these cookies is Art. 6 para. 1 lit. b) GDPR and § 25 para. 2 Telekommunikation-Telemedien-Datenschutzgesetz (TTDSG).

    • Statistical analysis:
    Statistical analysis is the processing and presentation of data on user actions and interactions on websites and apps (e.g., number of page visits, number of unique visitors, number of returning visitors, entry and exit pages, time spent, bounce rate, click of buttons, booking or voucher order) and, if applicable, the classification of users into groups based on technical data on the software settings used (e.g., browser type, operating system, language setting, screen resolution). The legal basis for these cookies is consent in accordance with Art. 6 (1) a) GDPR and § 25 (1) TTDSG.

    • Personalized advertising:
    Certain functions of websites and apps are used to display personalized advertising materials (ads or commercials) to users in other contexts, for example on other websites, platforms, or apps. For this purpose, conclusions about the interests of users are drawn from demographic information, search terms used, contextual content, user behavior on websites and in apps, or from the location of users. Based on these interests, advertising materials will be selected and displayed on online content of other providers in the future. The legal basis for these cookies is consent in accordance with Art. 6 (1) a) GDPR and § 25 (1) TTDSG.

    • Personalized advertising incl. data transfer to other countries:
    Certain functions of websites and apps are used to display personalized advertising materials (ads or commercials) to users in other contexts, for example on other websites, platforms or apps. For this purpose, conclusions about the interests of users are drawn from demographic information, search terms used, contextual content, user behavior on websites and in apps or from the location of users. Based on these interests, advertising materials will be selected and displayed at other online content providers in the future. The legal basis for these cookies is consent pursuant to Art. 6 (1) a) GDPR and Section 25 (1) TTDSG. In addition, you explicitly consent to the transfer of your personal data to other countries (USA) according to Art. 49 para. 1 lit. a) GDPR. In the listed countries, there is no adequate level of data protection and there are no suitable guarantees for the protection of your personal data (such as lack of enforcement of data subject rights and possible, inappropriate access to your personal data by state authorities). Your consent to the transfer of your personal data to third countries is voluntary and can be revoked at any time via our Privacy Policy. Further information on the processing of your personal data, including third country transfers, can also be found in our Privacy Policy.

    3.2 Using the cookie consent tool to specify your cookie settings
    You can use the cookie consent tool to adjust your cookie settings at any time. Click the button in the lower left corner of your screen to open the tool and select your settings for the above mentioned categories of cookies by giving or refusing your consent to the use of these cookies in your browser. In this Privacy Policy you will find information about the partner companies and third-party providers who place cookies on our website and what categories these cookies belong to.

    3.3 Using your browser to specify your cookie settings
    You can specify in your browser that cookies should only be stored with your consent. Most browsers automatically accept cookies. However, you can reconfigure your browser so that no cookies are stored on your computer or that a warning appears before a new cookie is created. However, if all cookies are deactivated you may not be able to use all the functions of our website. If you want to accept only Steigenberger cookies but not cookies from our partners, then please select the option “Block third-party cookies” in your browser. To find out how you can refuse new cookies and deactivate existing ones, go to the Help function on the menu bar of your web browser. If you use shared computers that accept cookies and flash cookies, we recommend that you always log out completely at the end of your session.

    3.4 Cookie providers used

    | Provider | Category | Duration | Purpose |
    |---|---|---|---|
    | AWIN AG, Eichhornstraße 3, 10785 Berlin, Germany | Necessary functions | 90 days | Billing purposes |
    | Criteo SA, 32 Rue Blanche, 75009 Paris, France | Personalized advertising | 13 months | Advertising |
    | Dailypoint: Toedt, Dr. Selk & Coll. GmbH, Augustenstr. 79, 80333, Munich, Germany | Personalized advertising | 90 days max. | Profiling, advertising |
    | DerbySoft (Hong Kong) Limited, 14800 Landmark Blvd., Suite 640, Dallas, Texas 75254, USA | Necessary functions | 30 days/24 months | Billing purposes |
    | Facebook Inc., 1 Hacker Way, Menlo Park 94025, CA. USA | Personalized advertising | 28 days | Advertising |
    | Mapp Intelligence: Webtrekk GmbH, Robert-Koch-Platz 4, 10115 Berlin, Germany | Statistical analysis | 6 months | Analysis |
    | Google Ads: Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland | Personalized advertising | 24 months max. | Advertising |
    | Youtube Video: Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland | Personalized advertising | 24 months max. | Advertising |
    | Microsoft Advertising/Bing Ads: Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA | Personalized advertising | 13 months | Advertising |
    | TripAdvisor LLC, 400 1st Avenue, Needham, MA 02494 USA | Personalized advertising | 24 months max. | Advertising |
    | Wingify Software Pvt. Ltd. (VWO), 14th Floor, KLJ Tower North, Netaji Subhash Place, Pitam Pura, Delhi 110034, India | Personalized advertising | 10 years | A/B Testing |
    | LinkedIn: LinkedIn Ireland Unlimited, Wilton Place, Dublin 2, Ireland | Personalized advertising | 180 days | Advertising |
    | zenloop GmbH, Erich-Weinert-Straße 145, 10409 Berlin, Germany | Statistical analysis | 24 months max. | Analysis |

    Further information on the providers of cookies

    zenloop
    Recipient: zenloop GmbH, Erich-Weinert-Straße 145, 10409 Berlin, Germany
    Process: Marketing tools for personalized advertising are all similar in terms of their technical functions, which is why reference is made to this process in the following text with regard to all the providers mentioned above. Providers of personalized advertising use technologies such as cookies, tracking pixels, and device fingerprinting in order to show users ads that are relevant to them and to improve the reports on campaign performance. These providers enable us to display interest-based ads on the providers’ websites and on our website. This process also includes processing information stored on the users’ devices.

    The providers offer functions for this purpose that are generally referred to as remarketing. Remarketing allows website users to be recognized on other websites within the advertising network of the provider and to be presented with ads tailored to their interests. The ads may also be related to products and services that the user has already looked at on our website. This is made possible by analyzing user interaction on our website, e.g., what offers interest the users, in order to show them targeted advertising on other websites even after they leave our website. When a user visits our website the relevant provider places a cookie on the user’s device. The provider then uses cookies or tracking pixels to process the information generated by the users’ devices about their use of our website and their interaction with it as well as their access data, in particular their IP address, browser information, the website visited before the current one, and the date and time of the server request in order to display and analyze personalized ads.

    The providers mentioned above also use the conversion function to draw attention to our attractive offers with the help of advertising material on external websites. We are able to determine how successful individual campaigns are with regard to the advertising campaign data. The providers use ad servers to deliver this advertising material. We use ad server cookies for this purpose, which enable us to measure certain parameters for measuring reach – e.g., the insertion of ads, the time spent looking at them, or the clicks made by users. This process also includes processing information stored on the users’ devices. If a user lands on our website via one of the provider's ads, the provider will place a cookie on the user’s device. The provider uses cookies or tracking pixels to process the information generated by the users’ devices about interaction with our advertising material (accessing certain web pages or clicking on an ad) as well as the users’ access data, in particular their IP address, browser information, the website visited before the current one, and the date and time of the server request in order to analyze and visualize the measured reach of our ads. Based on the marketing tools used, the users’ browser automatically establishes a direct connection to the provider’s server.

    Derbysoft
    Recipient: DerbySoft (Hong Kong) Limited, 14800 Landmark Blvd., Suite 640, Dallas, Texas 75254, USA
    Process: Derbysoft is a web service for measuring reach as well as for classic conversion tracking. Derbysoft therefore uses technologies such as cookies and tracking pixels in order to track a specific user behavior on the websites of our advertising partners. Derbysoft uses cookies or tracking pixels to process the information generated by the users’ devices about interactions with our advertising material (accessing certain internet pages or clicking on an ad) as well as the users’ access data, in particular their IP address, browser information, the website visited before the current one, and the date and time of the server request in order to analyze and visualize the measured reach of our advertisements. Based on the marketing tools used, the users’ browser automatically establishes a direct connection to the provider’s server.

    Mapp Intelligence
    This website uses Mapp Intelligence, a web analysis service of Webtrekk GmbH whose registered office is in Berlin, Germany.
    Recipient: Webtrekk GmbH, Robert-Koch-Platz 4, 10115 Berlin, Germany
    Process: The Mapp Intelligence web analysis service uses technologies such as cookies, tracking pixels, and device fingerprinting in order to track a specific user behavior on websites and therefore transfers information to a server of Mapp located in Nuremberg, Germany, where this information is stored. This process also includes processing information stored on the users’ devices. With the help of tracking pixels embedded in websites and the cookies placed on the users’ devices, Mapp Intelligence processes the information generated about the usage of our website by the users’ devices, such as that a specific web page was accessed, and the users’ access data for the purpose of statistical website usage analysis. The access data includes in particular the IP address, browser information, the website visited before the current one, and the date and time of the server request. According to information from Mapp, the IP addresses are anonymized and erased immediately during preprocessing. On behalf of the operator of this website, Mapp will use the information collected by Mapp Intelligence in order to analyze how you use the website, to prepare reports on website activities, and to provide the website operator with further services associated with the use of the website and the internet. For further information about the terms and conditions of use and data privacy at Mapp please go to https://docs.mapp.com/display/CDBD/Allgemeine+Nutzungsbedingungen or https://www.webtrekk.com/privacy-notice.html

    Wingify
    Our websites use Visual Website Optimizer, an A/B testing tool/web analytics service provided by Wingify, 14th Floor, KLJ Tower North, Netaji Subhash Place, Pitam Pura, Delhi 110034, India (hereinafter "Wingify"). Wingify uses cookies that enable an analysis of your use of our websites. The information generated by the cookies about your use of this website and your IP address are transmitted to a Wingify server in Belgium and stored there. For more information about the cookies used, please see this link. On our behalf, Wingify uses this information to evaluate your use of the website and, based on this, to optimize our websites. Wingify stores your data, and the data is deleted regularly. You can prevent the storage of cookies by setting your browser software accordingly, or you can delete them. You can also object to the collection of the data generated by the cookie and related to your use of the website (including your IP address) by Wingify as well as the processing of this data altogether under this link. Details on the handling of your personal data can be found at the following link.

    3.5 Local storage of data
    To optimize the design of our website, we collect the following data and store it locally on your device (e.g., in the browser).

    | Provider/tool | Category | Duration | Purpose |
    |---|---|---|---|
    | www.hrewards.com | Necessary functions | 365 days | Log in Token Cat UID Member level Currency |

    3.6 Integration of services and content of third-party providers (capture of IP addresses by third-party services)

    Content of third parties (hereinafter referred to as “third-party providers”) is embedded in our online presence. To use such content, it is technically required to transfer the user’s IP address to the relevant third-party provider. This is because without the IP address the third-party providers would not be able to send the content embedded in the website to the relevant user’s browser. We have no influence on whether a third-party provider saves the IP address, e.g., for statistical purposes, or uses it in any other way. We use the following third-party providers on our website:

    | Third-party provider | Function | Purpose |
    |---|---|---|
    | MapTiler AG, Höfnerstrasse 98, Unterägeri, Zug 6314, Switzerland | Displaying maps on websites | Maintaining, ensuring and improving the quality of products and services, in particular improving the user experience. |
    | Monotype Imaging Holdings, Inc., 600 Unicorn Park Drive, Woburn, Massachusetts 01801, USA (Myfonts.com) | Displaying text on websites | Maintaining, ensuring and improving the quality of products and services, in particular improving the user experience. |
    | zenloop GmbH, Erich-Weinert-Straße 145, 10409 Berlin, Germany | B2B Software-as-a-Service platform for evaluating customer feedback provided at various touch points | Customer and product reviews for quality management and improving the customer experience |

    Status of and updates to the Privacy Policy
    This Privacy Policy is valid from January 25th, 2024. We will update this Privacy Policy from time to time in the event of relevant changes to our website, the way in which we process personal data, or changes in the law. The updated version will be valid from the date of its publication. In the event of significant changes to this Privacy Policy you will be notified in good time before the changes come into effect by a corresponding notice on our website. Our guests may also be notified of the changes by email or in another way.