1 General information
1.1 Controller and data protection officer
1.2 Legal basis for the processing of your personal data
1.3 Rights of the data subject
1.4 Storage period of personal data
2 Contractual processing
3 Application data
4 Data processing in the context of the website
4.1 Log files, Hosting
4.2 Contact
4.3 Cookies
5 Information to interested parties
6 Forwarding of the data: General and contractual purpose
7 Forwarding of the data: Tools as part of the operation of the website and online services
7.1 Google
7.1.1 Google Analytics
7.1.2 Google TagManager
7.2 Matomo
7.3 Borlabs Cookiemanagement
8 Data storage outside the EU/EEA
9 Our presence on social media
9.1 Facebook (Meta)
9.2 Google/ YouTube
9.3 TikTok
9.4 Instagram (Meta)
1 General information
The following declaration informs you about what kind of personal data is collected by us as the responsible body and for what purpose, and to what extent this data is made accessible to third parties.
1.1 Controller and data protection officer
Sono Hospitality GmbH
Herzogspitalstraße 24
80331 Munich
Munich, Germany
Telephone: +49 5401 89200
1.2 Legal basis for the processing of your personal data
The processing of personal data requires a legal basis, which we would like to present to you below.
Article 6 (1) (a) of the EU General Data Protection Regulation (GDPR) serves as the legal basis for the processing of personal data for which we obtain the consent of the data subject.
Article 6 (1) (b) GDPR serves as the legal basis for the processing of personal data required for the fulfilment of a contract to which the data subject is a party. This also includes processing operations that are necessary for the performance of pre-contractual measures.
Insofar as the processing of personal data is necessary to fulfil a legal obligation to which our company is subject, Article 6 (1) (c) GDPR serves as the legal basis.
If the processing is necessary to safeguard a legitimate interest of our company or a third party and if the interests, fundamental rights and freedoms of the data subject do not outweigh the former interest, Article 6 (1) (f) GDPR serves as the legal basis for the processing. The legitimate interest of our company lies in the performance of our business activities and in analysing, optimising and maintaining the security of our online offering.
1.3 Rights of the data subject
You have a right to information about the personal data we have stored about you. In particular, you can request information about the processing purposes, the category of personal data, the categories of recipients to whom your data has been or will be disclosed, the planned storage period, the origin of your data if it has not been collected by us, as well as the existence of automated decision-making including profiling and, if applicable, meaningful information about its details.
In accordance with the statutory provisions, you also have the right to rectification of inaccurate data, restriction of processing, data portability and erasure of your personal data. To do this, send us an e-mail with the subject ‘Data protection’.
You also have the right to lodge a complaint with a data protection supervisory authority if you are of the opinion that the processing of your personal data is in breach of the statutory provisions.
For reasons arising from your particular situation, you can object at any time to the processing of personal data concerning you by us, which is carried out on the basis of Art. 6 para. 1 lit. e or f GDPR; this also applies to profiling based on these provisions (Art. 21 GDPR). If the legal requirements are met, we will then no longer process your personal data.
In the case of direct advertising, you have the right to object at any time to the processing of personal data concerning you for the purpose of such advertising; this also applies to profiling insofar as it is associated with such direct advertising.
If you object, your personal data will no longer be processed for these purposes.
If you have given your consent, you have the right to withdraw your consent at any time. This does not affect the lawfulness of the processing carried out on the basis of the consent until the revocation.
If you exercise one of the aforementioned rights as a data subject, we will process your personal data collected in this context in order to respond to your enquiry. Your personal data is processed to fulfil a legal obligation.
In the event of an objection, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing of this data which override your interests, rights and freedoms or your personal data serves the establishment, exercise or defence of legal claims.
1.4 Storage period of personal data
Unless we have provided storage information on the specific points, the following applies: We store personal data for the duration of the respective statutory retention period or as long as the purpose of the collection exists. After the retention period has expired, the data is routinely deleted, unless there is a need to initiate or fulfil a contract. If the user’s data is not deleted because it is required for other and legally permissible purposes, its processing is restricted as far as possible. Accordingly, the data will be blocked where possible and not processed for other purposes. This applies, for example, to user data that must be retained for commercial or tax law reasons.
2 Contractual processing
When you enter into a contractual relationship with us, we generally collect the following data: Title, first and last name, email address, address, telephone/mobile phone number, information necessary for the performance of the contract.
We require this data so that we can identify you as a contractual partner, fulfil the contract, contact you and for invoicing purposes. The data processing takes place at your / our request or order and is necessary for the purposes mentioned for the mutual fulfilment and obligation arising from the contractual relationship.
We may also process data on the basis of a legitimate interest, e.g. in the assertion of or defence against claims arising from the contractual relationship. The personal data collected will be stored until the end of the contractual relationship and then deleted, unless we are obliged to store it for a longer period of time in accordance with legal obligations due to tax and commercial law retention and documentation obligations (from HGB, StGB or AO).
3 Application data
You can apply to us electronically, e.g. by e-mail. We process the data that you have sent us in connection with your application in order to check your suitability for the position and to carry out the application process. Please note that your data will be accessible to our HR department and the relevant departments for the position to be filled. We would like to consider all applications only on the basis of qualifications, regardless of race, ethnic origin, gender, religion or belief, disability, age or sexual identity. We therefore ask you to refrain from including such information in your application wherever possible. The legal basis for the processing of your personal data in application procedures is § 26 BDSG or Art. 6 para. 1 b) GDPR. Accordingly, the processing of data required in connection with the decision on the establishment of an employment relationship is permitted. Should the data be required for legal prosecution after completion of the application process, data processing may be carried out on the basis of the requirements of Art. 6 para. 1 lit. f) GDPR to safeguard legitimate interests. Our interest then lies in the assertion or defence of claims.
Applicant data will be deleted after 6 months at the latest in the event of a rejection. In the event that you have consented to further storage of your personal data, we will transfer your data to our applicant pool. There the data will be deleted after two years. If you have been accepted for a position as part of the application process, the data will be stored permanently for the purposes of the employment relationship. You can change or delete your application at any time and revoke any consent you may have given at any time.
4 Data processing in the context of the website
4.1 Log files, Hosting
The server statistics automatically store data that the browser transmits to us as part of our legitimate interest in analysing and for security reasons (so-called ‘log files).
This is the following data in detail:
· Language and version of the browser software
· Operating system used
· Host name of the accessing computer (IP address)
· Date and time of the server request
· Time zone difference to Greenwich Mean Time (GMT)
· Content of the request (specific page)
· Amount of data transferred
· Access status/ HTTP status code
As a rule, we cannot assign this data to specific persons. This data is not merged with other data sources. The data is also deleted within 7 days after a statistical analysis. Data whose further retention is required for evidentiary purposes is excluded from deletion until the respective incident has been finally clarified.
We make use of hosting services. These are used to provide infrastructure and platform services, computing capacity, storage space and database services, security services and technical maintenance services in order to maintain the operation of this online offering.
In doing so, we or our hosting provider process inventory data, contact data, content data, contract data, usage data, meta and communication data of customers, interested parties and visitors to this online offering on the basis of our legitimate interests in the efficient and secure provision of this online offering.
4.2 Contact
When you contact us, e.g. by e-mail, your details will be stored by us in order to answer your questions.
Your data will not be passed on to third parties unless applicable data protection regulations justify a transfer or we are legally obliged to do so. You can revoke your consent at any time with effect for the future. In the event of cancellation, your data will be deleted immediately, unless there is a legal exception for further processing. Your data will otherwise be deleted once we have processed your enquiry or the purpose of storage no longer applies and there are no other legal exceptions to the contrary.
4.3 Cookies
Cookies are small text files that are stored on your computer and through which certain information flows to the location that sets the cookie. They are used to make the website more user-friendly and effective and/or to make it easier for you to navigate our website.
We only set cookies that are not absolutely necessary with your consent. You can revoke this consent at any time for future use.
Consent is voluntary and you can also use our website without accepting cookies. You can also configure your browser settings according to your wishes and, for example, refuse to accept third party cookies or all cookies or delete cookies that have already been saved. If you do not accept cookies, please note that our website may not function properly in this case. Unless we provide other information on the individual topics mentioned in this privacy policy or in the cookie banner, the lifespan of cookies is 24 months.
You can find out which function on our website sets cookies in the individual function descriptions in our privacy policy and in the cookie banner.
5 Information to interested parties
If you, as our contractual partner, have concluded a contract for our services, we will offer you further information about our own similar services via the e-mail address sent to you when the contract was concluded (Section 7 III UWG). You can object to this mailing at any time. These mailings are sent on the basis of our legitimate interest in advertising.
6 Forwarding of the data: General and contractual purpose
We pass on data to third parties if this is necessary for the fulfilment of the contract and / or if we are legally obliged and / or entitled to do so in individual cases. The data is typically passed on to contracted service providers, including hosting, operation, maintenance and support of IT systems, communication systems and disposal under certain circumstances. In addition, your data may also be transmitted to postal or delivery services, your bank, tax consultants/auditors and lawyers.
7 Forwarding of the data: Tools as part of the operation of the website and online services
In some cases, we use external service providers within the scope of your consent or our legitimate interests with regard to the analysis, optimisation and economic operation of the online offer. If you have given your consent for tools that are not necessary for the operation of the website, you can have these settings changed again at any time. We list our service providers below.
If your data is to be used for other purposes, we will inform you in advance and only use the data if you have expressly given your further consent to this in advance.
7.1 Google
With your consent, we use services for which Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (‘Google’) is responsible for the optimisation and economic operation of our online offering. Google LLC is certified under the Data Privacy Framework, so that possible measures have been taken to ensure compliance with European data protection law.
7.1.1 Google Analytics
This website uses Google Analytics as a web analysis service on the basis of your consent. Google Analytics uses ‘cookies’, which are text files placed on your computer, to help the website analyse how users use the site. The information generated by the cookie about your use of the website (including your IP address) will be transmitted to and stored by Google on servers in the United States.
We would like to point out that this website uses Google Analytics with IP anonymisation and therefore IP addresses are shortened by Google in member states within the European Union or in other contracting states of the Agreement on the European Economic Area before transmission in order to exclude a direct personal reference. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and truncated there.
Google will use this information on behalf of the provider to analyse your use of the website, to compile reports on website activity for the website operator and to provide other services relating to website activity and internet usage. Google may also transfer this information to third parties where required to do so by law, or where such third parties process the information on Google’s behalf. To the best of our knowledge, Google will not associate your IP address with any other data held by Google.
You can revoke your consent at any time with effect for the future by accessing the cookie settings on our website and changing your selection there. This will not affect the lawfulness of the processing carried out on the basis of your consent until you withdraw it. You can also prevent the installation of cookies in advance by setting your browser software accordingly; however, we would like to point out that in this case you may not be able to use all functions of this website to their full extent. You can also object to the collection and storage of data by Google for the respective end device at any time with effect for the future in connection with the use under this link:
https://tools.google.com/dlpage/gaoptout?hl=de
Google Analytics 4 sets a maximum retention period of 14 months for data storage. The purpose and scope of the data collection and the further processing and use of the data by Google as well as your rights in this regard and setting options to protect your privacy can be found in Google’s data protection information at https://marketingplatform.google.com/about/analytics/terms/de/ and at
https://policies.google.com/?hl=de
7.1.2 Google TagManager
We use the Google Tag Manager. This allows us to manage website tags via an interface and thus integrate Google marketing services into our online offering, for example. The Tag Manager itself does not process any personal user data. For the respective Google services, please refer to the respective information and usage guidelines at https://www.google.com/intl/de/tagmanager/use-policy.html
7.2 Matomo
This website uses Matomo, an open source software for the statistical analysis of visitor access. The Matomo analysis tool uses so-called ‘cookies’, which are text files that are stored on your computer and enable your use of our website to be analysed. The information generated by the cookie about your use of this website is stored on our server in Germany. This site uses Matomo with the extension ‘AnonymizeIP’. This means that IP addresses are further processed in abbreviated form, so that direct personal references can be ruled out.
You can revoke your consent to the use of cookies at any time in our cookie settings or by contacting us or prevent the installation of cookies by setting your browser software accordingly. You can also obtain information from the third-party provider on data protection at https://matomo.org/privacy-policy/
If you no longer agree to the storage and analysis of the usage information generated, you can also object to this.
7.3 Borlabs Cookiemanagement
Our website uses Borlabs Cookie, which sets a technically necessary cookie (borlabs-cookie) to store your cookie consent. Borlabs Cookie does not process any personal data.
The borlabs cookie stores the consent you gave when you entered the website. If you wish to revoke this consent, simply delete the cookie in your browser. When you re-enter/reload the website, you will be asked for your cookie consent again.
8 Data storage outside the EU/EEA
Where recognisable in the individual tool descriptions, we use tools from US third-party providers. Insofar as this is necessary for the purposes communicated, your IP address may be processed outside the European Economic Area, where a level of data protection corresponding to the European standard is not always consistently guaranteed and confirmed (e.g. by a suitable guarantee within the meaning of Art. 46 GDPR or an adequacy decision of the European Commission). In particular, it cannot therefore be ruled out that security authorities in a third country may gain access to your IP address without you being able to take effective legal action against this.
The IP address is transmitted to these third-party providers in accordance with Art. 49 para. 1 lit. a GDPR on the basis of your express consent given in the consent banner. This consent is voluntary. You can revoke it at any time with effect for the future. You will not suffer any disadvantages as a result.
In the opinion of some US third-party providers, a level of protection corresponding to the European standard is already guaranteed due to the conclusion of so-called standard contractual clauses and additional measures taken in accordance with the Schrems II case law. However, as the suitability of such measures to guarantee an adequate level of data protection is disputed, we have decided to transmit your IP address exclusively with your consent.
The certification of some companies under the Data Privacy Framework (DPF) serves to ensure the level of protection and can be queried here for the companies: https://www.dataprivacyframework.gov/s/ . This certification is sufficient as a measure to ensure an adequate level of data protection.
9 Our presence on social media
You can find us under online presences within social networks and platforms. We would like to use these presences to communicate with our customers, interested parties and users active there and to inform them about our services and our company in this way.
The processing of the personal data of users active there is based on our legitimate interests in communicating and providing information to and with users. If users have given their consent to data processing within the framework of the respective social platform, the processing takes place on the basis of this consent.
If you visit one of our social media sites, we are jointly responsible with the operator of the social platform for the data processing operations triggered during this visit. In principle, you can assert your rights (information, rectification, erasure, restriction of processing, data portability and complaint, see the following point ‘Rights of the data subject’) both against us and against the operator of the respective social platform.
We would like to point out that, despite the joint responsibility, we do not have full influence on the data processing operations of the social platform and may forward the rights request to the respective operator in order to better process the rights of the data subject. Our options generally depend on the company policy of the respective provider.
Our information on storage can be found below. We have no influence on the storage period of your data that is stored by the operator of the social platform for its own purposes. For details, please contact the operators of the social networks directly (e.g. in their privacy policy, see below).
Depending on the social platform named below, user data processing may also take place outside the European Union. EU standard contractual clauses have been agreed with the US companies or they are certified under the Data Privacy Framework (DPF), so that we have taken possible measures to ensure compliance with European data protection law.
As a rule, user data is processed by the platforms for market research and advertising purposes. For example, user profiles can be created from user behaviour and the resulting interests of users. The user profiles can in turn be used, for example, to place adverts inside and outside the platforms that presumably correspond to the interests of the users. For this purpose, cookies are usually stored on the user’s computer, in which the user’s usage behaviour and interests are stored. Data can also be stored in the user profiles independently of the devices used by the users. This occurs in particular if the users are members of the respective platforms and are logged in to them.
For a detailed description of the respective processing and the possibilities of objection, we refer to the following linked information from the providers.
9.1 Facebook (Meta)
The basis is an agreement on joint processing of personal data:
https://www.facebook.com/legal/terms/page_controller_addendum
Privacy policy: https://www.facebook.com/about/privacy/
Opt-out: https://www.facebook.com/settings?tab=ads and http://www.youronlinechoices.com
9.2 Google/ YouTube
(Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Irland)
Privacy policy: https://policies.google.com/privacy
Opt-Out: https://adssettings.google.com/authenticated
9.3 TikTok
(TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, D02 T380, Ireland)
Privacy policy: https://www.tiktok.com/legal/privacy-policy-eea?lang=de
9.4 Instagram (Meta)
(Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Irland)
Privacy policy:/ Opt-Out: http://instagram.com/about/legal/privacy/
This privacy policy has been provided by the law firm Sieling – Fachanwaltskanzlei für IT-Recht.