We manage our websites in accordance with the principles set out below:
We undertake to comply with the statutory provisions on data protection and endeavor to always take into account the principles of data avoidance and data minimization.
1. Name and address of the data controller
The data controller within the meaning of the General Data Protection Regulation and other national data protection laws of the member states of the European Union as well as other data protection regulations is:
Dr. Hövener Nachfolger Immobilien GmbH
Tel. +49 (0)251.29790370
2. Explanation of terms
The data controller within the meaning of the General Data Protection Regulation and other national data protection laws of the member states of the European Union as well as other data protection regulations is: hier eingesehen werden.
3. Legal basis for processing data
a) Processing of personal data under GDPR
We only process your personal data, such as your surname and first name, your e-mail address and IP address, etc., if there is a legal basis for doing so. Under the General Data Protection Regulation, the following regulations apply here in particular:
- Art. 6 (1)(1)(a) GDPR: The data subject has given consent to the processing of their personal data for one or more specific purposes.
- Art. 6 (1)(1)(b) GDPR: The processing is necessary for the performance of a contract to which the data subject is party or for the implementation of pre-contractual measures taken at the data subject's request.
- Art. 6 (1)(1)(c) GDPR: Processing is necessary for compliance with a legal obligation to which the data controller is subject.
- Art. 6 (1)(1)(d) GDPR: Processing is necessary in order to protect the vital interests of the data subject or of another natural person.
- Art. 6 (1)(1)(e) GDPR: Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller.
- Art. 6 (1)(1)(f) GDPR: Processing is necessary due to the legitimate interests of the data controller or a third party, unless such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data, in particular when the data subject is a child.
b) Consent of the legal guardian pursuant to Art. 8 (1)(2)(2) GDPR
A parent or guardian must consent to all data processing on this website that requires the consent of a minor under the age of 16.
You can revoke your consent at any time by sending a written revocation notice to the contact details of the data controller. Processing shall remain lawful until revocation.
c) Processing information pursuant to Section 25 (1) TTDSG (German Federal Act on Privacy in Telecommunications and Telemedia)
We also process information pursuant to Section 25 (1) of the TTDSG by storing information on your terminal equipment or accessing information that is already stored on your terminal equipment. This can be both personal information and non-personal information, e.g. cookies, browser fingerprints, advertising IDs, MAC addresses and IMEI numbers. Terminal equipment is any equipment connected directly or indirectly to the interface of a public telecommunications network for the transmission, processing or reception of messages, as set out in Section 2 (2) (6) TTDSG.
As a rule, we process this information on the basis of your consent, as set out in Section 25 (1) TTDSG.
If an exception exists pursuant to Section 25 (2) (1) and (2) TTDSG, we do not require consent. Such an exception exists if we access or store information solely for the purpose of transmitting a message via a public telecommunications network or when it is strictly necessary for us to provide a telemedia service that you have specifically requested. You can revoke your consent at any time.
We would like to inform you that the revocation of consent does not affect the lawfulness of the processing carried out on the basis of the consent prior to the revocation.
4. Disclosure of personal data
The disclosure of personal data also constitutes processing within the meaning of the previous section 3. We would, however, like to inform you again about the issue of passing on information to third parties. Protecting your personal data is very important to us. For this reason, we are particularly careful when it comes to passing on your data to third parties.
We will therefore only disclose data to third parties if there is a legal basis for the processing. We will, for instance, disclose personal data to persons or companies that act as data processors for us pursuant to Art. 28 GDPR. A data processor is any person who processes personal data on our behalf – i.e. in particular someone in a relationship of instruction and control with us.
In accordance with the requirements of the GDPR, we conclude a contract with each of our data processors to oblige them to comply with data protection regulations to ensure comprehensive protection of your data.
5. Storage period and deletion
We will delete your personal data if it is no longer required for the purposes for which it was collected or otherwise processed; we will also delete your data if processing it is not necessary to exercise the right to freedom of expression and information, to comply with a legal obligation, for reasons of public interest or for the establishment, exercise or defense of legal claims.
6. SSL or TLS encryption
This website uses SSL or TLS encryption for security reasons and to protect the transmission of confidential content, such as enquiries that you send to us as the website operator. You can recognize an encrypted connection when the address line of the browser changes from "http://" to "https://" and by the lock symbol in your browser line.
If SSL or TLS encryption is activated, the data you transmit to us cannot be read by third parties.
When cookies are used, a distinction is made between technically necessary cookies and "other" cookies. Technically necessary cookies are absolutely necessary to provide you with an information society service that you have specifically requested.
a) Technically necessary cookies
In order to make our services more pleasant for you to use, we use technically necessary cookies; these might include session cookies (e.g. language and font selection, shopping cart, etc.), consent cookies, cookies to ensure server stability and security, or others. The legal basis for using cookies can be found in Art. 6 (1) (1) (f) GDPR, and results from our legitimate interest in the error-free operation of the website and the interest in providing our services to you in an optimized manner.
b) Other cookies
Other cookies include cookies for statistical, analysis, marketing and retargeting purposes.
We use these cookies for you based on your consent pursuant to Section 6 (1) (1) (a) GDPR.
We would like to inform you that the revocation of consent does not affect the lawfulness of the processing carried out on the basis of the consent prior to the revocation.
8. Cookie banner
To obtain consent for the cookies we use, we use the cookie banner of the service provider devowl.io GmbH, Tannet 12, 94539 Grafling, Germany. This service sets a consent cookie in order to query and process the respective status of consent. This consent cookie is technically necessary and is therefore used on the basis of our legitimate interest pursuant to Art. 6 (1) (1) (f) GDPR, Section 25 (1) TTDSG.
9. Collection and storage of personal data, their type and purpose of use
a) External hosting
Our website is hosted by Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany. For this reason, all personal data collected on our website is stored on our host’s servers, unless an external service of a third party is involved. This may include the IP address, your e-mail address, communication data or similar. In the following, we explain what specific personal data is involved for the individual functions and services. If we use an external third-party service, this will be stated clearly in the description of the respective service or tool.
The host only processes your data on our instructions and to the extent to which it is necessary to fulfil the services on the website. The host does not process any data for its own purposes. We have concluded a data processing contract with the host.
b) Contractual relationship
(1) Booking requests
You can book apartments via our website. Within the scope of the establishment of the contractual relationship, only personal data absolutely necessary for the performance of the contract is processed pursuant to Art. 6 (1) (1) (b) GDPR.
In order to use the booking form, it is necessary to enter a booking period, a first and last name so the system can determine a personal salutation, and a valid e-mail address, any additional optional services desired as well as the desired payment method, so that we know who the booking comes from and are able to process your booking.
In addition, you can send us further data, such as your telephone number, your address, preferred check-in times and a personal message. We use this voluntarily provided information to offer a customer-friendly service and to constantly improve it.
We process this data on the basis of your consent pursuant to Art. 6 (1) (1) (a) GDPR. You can revoke this consent at any time for the future. The processing of your data shall remain lawful until we receive your revocation.
We use the booking system provided by Smoobu GmbH, Pappelallee 78/79, 10437 Berlin, for our apartment bookings. The data you provide will therefore also be processed by our booking provider while operating the booking system. Furthermore, other cookies may be set by the booking system. For this reason, we have concluded a contract for commissioned data processing with the booking system provider.
Further information on data protection can be found at:
We also pass on the data collected during the booking process (your first and last name and your booking period) to our service provider ebuero AG, Hauptstraße 8, 10827 Berlin, which provides call center services for us. This service provider has been contracted by us to answer questions about your booking outside of our business hours. For this reason, we have concluded a contract for commissioned data processing with this provider as well, pursuant to Art. 28 (3) GDPR.
Further information on data protection can be found at: https://www.ebuero.de/datenschutz
(2) Disclosure of data when using online payment service providers
Should you decide to pay with one of the online payment service providers available in the booking process, our booking system will transmit your contact details to the respective provider as part of the reservation made by you. The legitimacy of forwarding this data results from Art. 6 (1) (1) (b) GDPR, for the implementation of the payment method selected by you as well as from our legitimate interests pursuant to Art. 6 (1) (1) (f) GDPR to enable user-friendly and uncomplicated payment processing.
Personal data transmitted to the online payment service provider is usually a person’s first name, last name, address, telephone number, IP address, e-mail address, or other data required to process a reservation, as well as data related to the reservation, such as booked service, invoice amount and taxes in percent, invoice information, etc.
This transmission is necessary to process your reservation with the payment method you have selected, in particular to confirm your identity, to process your payment and to manage customer relations.
However, please note: Personal data may also be disclosed by the online payment service provider to other service providers, subcontractors or other affiliated companies, if this is necessary to fulfil the contractual obligations arising from your reservation or if the online payment service provider commissions a data processor to process personal data.
Depending on the selected payment method, e.g. invoice or direct debit, the provider will transmit the personal data collected in this process to credit agencies. This transmission serves to check your identity and creditworthiness in relation to the reservation you have made. You can find out which credit agencies are involved and which data is generally collected, processed, stored and passed on by the respective provider in the respective providers’ data protection declarations:
PayPal (Europe) S.à.r.l. & Cie. S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg, at https://www.paypal.com/de/webapps/mpp/ua/privacy-full
(3) Credit card payment
If you choose to pay by credit card, your personal data will be processed by the provider of our booking system and will be forwarded to the card-issuing institution to process your payment and to meet legal requirements, such as customer authentication in accordance with the EU Payment Services Directive PSD2. This is data required by the EMV 3-D Secure Protocol and Core Functions Specification.
This data is forwarded to process your payment pursuant to Art. 6 (1) (1) (b) GDPR as well as to fulfil our legal obligation to carry out strong customer authentication pursuant to Art. 6 (1) (1) (c) GDPR in conjunction with Directive EU 2015/2366 (PSD 2) or the Payment Services Supervision Act (Zahlungsdiensteaufsichtsgesetz - ZAG) for anti-money laundering and criminal prosecution.
Technical processing of credit card payments is carried out by the payment service provider Stripe Payments Europe, Ltd, Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland. This service was commissioned for the technical control of payment transactions including the implementation of the 3D Secure 2.0 procedure pursuant to Art. 28 GDPR. Other recipients of the data are the banks involved (the card-issuing bank/the issuer and the merchant's credit card-accepting bank/the acquirer).
c) Contact form
We provide a form on our website to enable you to contact us at any time. In order to use the contact form, it is necessary to enter a name so the system can determine a personal salutation; a valid e-mail address is also required, so that we know who the inquiry comes from, can contact you and are able to process your inquiry.
If you send us inquiries via the contact form, your details provided in the inquiry form, including contact details and your IP address, will be processed in accordance with Art. 6 (1) (1) (b) and (f) GDPR for the purpose of carrying out pre-contractual measures in response to your inquiry or for the exercise of our legitimate interest, i.e. to carry out our business activities.
The inquiries and the data provided in this context will be deleted 3 months after receipt at the latest, unless they are required for a further contractual relationship.
Our website offers the possibility to leave a review for our apartments after your visit. If you would like to write a review, your name, email address, visitor category, travel period and rating of price/performance, facilities and location will be requested and processed. You can also leave a comment.
The legal basis results from Art. 6 (1) (1) (f) GDPR to exercise legitimate interests: the storage of this data is necessary for our security as we can be prosecuted for unlawful content on our website.
e) Use of Google Maps
Our website uses the Google Maps API. When using Google Maps, information about your use of this website (including your IP address) may be transmitted to and stored by Google (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland) on servers in the United States.
Google may transfer the information obtained through Maps to third parties where required to do so by law, or where such third parties process the information on Google's behalf. However, your IP address will under no circumstances be associated with any other data stored by Google. Nevertheless, we must point out that it is technically possible for Google to identify individual users on the basis of the data received.
The integration of Google Maps also results in Google Fonts being displayed by Google without intervention by the website operator or visitor. The integration of these web fonts takes place via a server call, usually a Google server in the USA. In the process, the following may be transmitted to the server and stored by Google:
- Name and version of the browser used
- Website the request was triggered from (referrer URL)
- Operating system of your computer
- Screen resolution of your computer
- IP address of the requesting computer
- Language settings of the browser or operating system the user is using
The use of Google Maps is a service we offer so that you can see exactly where we are and, if necessary, plan your visit to us better. The use of Google Maps is based on your consent pursuant to Art. 6 (1) (1) (a) GDPR.
f) 360° videos
We offer 360° iFrame videos of our apartments on our website to provide our website visitors with virtual tours of our property.
We use the Spacewerk service provided by RW Grundbesitz GmbH, Dahlweg 120a, 48153 Münster, who create the videos for us and embed them via iFrame.
The videos are integrated via the 3-D data platform Matterport, a service of Matterport, Inc, 352 E. Java Dr. Sunnyvale, CA 94089, USA.
When you visit one of our pages that contains such a virtual tour, a connection is established to Matterport's servers and Matterport receives your IP address in the process. The information collected by Matterport is transmitted to the Matterport server in the USA. If you are logged into your Matterport account, you enable Matterport to associate your surfing behavior directly with your personal profile. You can prevent this by logging out of your Matterport account.
By integrating Matterport, the Content Delivery Network services Embedly (A Medium Corporation, 799 Market St., 5th Floor San Francisco, CA 94103, USA) and Cloudflare (Cloudflare Inc., 101 Townsend St., San Francisco, CA 94107, USA) are also automatically integrated without the intervention of the website operator or visitor.
The Content Delivery Network services help deliver the 360-degree videos on our website properly, securely and faster using regionally or internationally distributed servers.
When you access the 360-degree videos, you connect to Embedly and Cloudflare servers, which also operate servers in the USA. Technically, the information transfer between your browser and our website is routed via the network of Embedly or Cloudflare. This enables Embedly and Cloudflare to analyze traffic between your browser and our website and act as a filter between our servers and potentially malicious traffic from the internet.
We have a legitimate interest in providing a website that is as error-free and secure as possible and in protecting our website from abusive data traffic.
- Name and version of the browser used
- Operating system of your computer
- Website from which the access originates (referrer URL)
- The IP address of the requesting computer
- Time of the server request
are usually transferred to a server of Embedly or Cloudflare in the USA and stored there.
We have concluded the new standard contractual clauses with Embedly and Cloudflare.
Further information on data processing by Embedly is available at http://embed.ly/legal/privacy
For further information on data processing by Cloudflare, please visit https://www.cloudflare.com/de-de/privacypolicy/
The use of our 360° videos is based on your consent pursuant to Art. 6 (1) (1) (a) GDPR. You can revoke this consent at any time for the future. The processing of your data shall remain lawful until we receive your revocation.
We have concluded the new standard contractual clauses with Matterport. Matterport does not acquire any right to disclose your data.
For further information on data processing by Matterport, please visit https://matterport.com/legal/privacy-policy/.
For further information on data processing by Spacewerk, please visit https://www.spacewerk.de/datenschutzerklrung
10. Rights of the data subject
You have the following rights:
In accordance with Art. 15 GDPR, you have the right to request information about your personal data processed by us. This right to information includes information about:
- Processing purposes
- Categories of personal data
- The recipients or categories of recipients to whom your data have been or will be disclosed
- The planned storage period or at least the criteria for determining the storage period
- The existence of a right to rectification, erasure, restriction of processing or objection
- The existence of a right of appeal to a supervisory authority
- The origin of your personal data, if it has not been collected by us
- The existence of automated decision-making, including profiling, and, if applicable, meaningful information about its details
In accordance with Art. 16 GDPR, you have the right to have incorrect or incomplete personal data stored by us corrected without delay.
In accordance with Art. 17 GDPR, you have the right to request immediate deletion of your personal data stored by us, if further processing is not necessary for one of the following reasons:
- The personal data is still necessary for the purposes for which they were collected or otherwise processed
- To exercise the right to freedom of expression and information
- To comply with a legal obligation which requires processing under the law of the European Union or the Member States to which the data controller is subject, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller
- For reasons of public interest in the area of public health pursuant to Art. 9 (2) (h) and (i) and Art. 9 (3) GDPR
- To achieve purposes in the public interest, scientific or historical research purposes or statistical purposes pursuant to Art. 89 (1) GDPR, if the right referred to in section a) is likely to render impossible or seriously prejudice the achievement of the purposes of such processing
- To assert, exercise or defend legal claims
d) Restriction of processing
In accordance with Art. 18 GDPR, you may request the restriction of the processing of your personal data for one of the following reasons:
- You dispute the accuracy of your personal data.
- The processing is unlawful and you object to the erasure of your personal data.
- We no longer need your personal data for the purposes of processing, but you need it to assert, exercise or defend legal claims.
- You object to the processing pursuant to Art. 21 (1) GDPR.
If you have requested rectification or erasure of your personal data or a restriction of processing pursuant to Art. 16, Art. 17 or Art. 18 GDPR, we will notify all recipients to whom your personal data has been disclosed unless this proves impossible or involves a disproportionate effort. You can request that we tell you who these recipients are.
You have the right to receive the personal data you have provided to us in a structured, commonly used and machine-readable format.
You also have the right to request that this data be transferred to a third party if the processing was carried out with the aid of automated procedures and is based on consent pursuant to Art. 6 (1) (1) (a) or Art. 9 (2) (a) or based on a contract pursuant to Art. 6 (1) (1) (b) GDPR.
In accordance with Art. 7 (3) GDPR, you have the right to revoke your consent at any time. A revocation of consent does not affect the lawfulness of data processing carried out on the basis of your consent prior to the revocation. In the future, we may no longer continue data processing that was based on your revoked consent.
In accordance with Art. 77 GDPR, you have the right to complain to a supervisory authority if you believe that the processing of your personal data violates the GDPR.
If your personal data is processed on the basis of legitimate interests pursuant to Art. 6 (1) (1) (f) GDPR, you have the right to object to the processing of your personal data pursuant to Art. 21 GDPR, if there are grounds for doing so that arise from your particular situation or the objection relates to direct advertising. In the latter case, you have a general right of objection, which is implemented by us without specifying the particular situation. If you wish to exercise your right of revocation or objection, simply send an e-mail to firstname.lastname@example.org.
j) Automated decision in individual cases including profiling
You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or that significantly affect you in a similar fashion. This shall not apply if the decision
- is necessary for the conclusion or performance of a contract between you and us
- is permitted by legislation of the European Union or of the Member States to which we are subject and that legislation contains appropriate measures to safeguard your rights and freedoms and your legitimate interests
- is taken with your explicit consent
However, these decisions must not be based on special categories of personal data pursuant to Art. 9 (1) GDPR, unless Art. 9 (2)(a) or (g) GDPR applies and appropriate measures have been taken to protect the rights and freedoms and your legitimate interests.
With regard to the cases referred to in i) and iii), we shall take reasonable measures to safeguard all rights and freedoms and your legitimate interests, including at least the right to demand that one of our agents take action, to express your point of view and to contest the decision.
Dated: June 7, 2023