In the following, we explain how we handle your Personal Data. "Personal Data" is information that can be directly or indirectly attributed to you, such as your name or your e-mail address.
Controller in accordance with data protection laws, in particular the EU General Data Protection Regulation ("GDPR"), is:
Lehnen Websolutions GmbH & Co. KG
Am Dürener Weg 82
Phone: +49 (0) 2423 - 930 90 40
Email: Contact form or email@example.com
3. General information on data processing
a. Scope of processing
We collect and use Personal Data of our users only to the extent necessary and permitted by law.
b. Legal bases for the processing of Personal Data
When processing of Personal Data
- based on the consent of the data subject, Art. 6 (1) lit. a GDPR, if applicable, with Art. 49 (1) lit. a GDPR is the legal basis;
- is necessary for the performance of a contract to which the data subject is a party, Art. 6 (1) lit. b GDPR is the legal basis;
- in order to take steps at the request of the data subject prior to entering into a contract, Art. 6 (1) lit. b DSGVO is the legal basis;
- is necessary for compliance with a legal obligation to which the Controller is subject, Art. 6 (1) lit. c GDPR is the legal basis;
- is necessary in order to protect the vital interests of the data subject or of another natural person, Art. 6 Abs. (1) lit. d GDPR is the legal basis;
- is necessary for the purpose of the legitimate interests pursued by the Controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of Personal Data, Art. 6 (1) lit. f GDPR is the legal basis.
c. Data deletion and storage period
In principle, we delete or block Personal Data as soon as the purpose of processing no longer applies. If we are required by law to retain data, it will not be blocked or deleted until the statutory retention period has expired, unless there is a need to continue storing the data.
d. Recipients of the collected data
The recipient of the data collected via the website is the Controller. In addition, processors may have access to the data collected via the website. However, compliance with legal regulations is ensured in this respect by data processing agreements we conclude with processors. Data is only transferred to third countries if we inform you of this below.
We do not engage in any profiling or automated decision-making via our website.
4. Provision of the website and creation of log files
a. External hosting
This website is hosted by an external service provider (hereinafter "Hoster"). The personal data collected on this website is stored on the Hoster's servers. This may include, but is not limited to, IP addresses, contact requests, meta and communication data, contractual data, contact data, names, website accesses and other data generated via a website.
The Hoster is used for the purpose of fulfilling the contract with our potential and existing customers (Art. 6 (1) lit. b DSGVO) and in the interest of a secure, fast and efficient provision of our online offer by a professional provider (Art. 6 (1) lit. f DSGVO). Our Hoster will only process your data to the extent necessary to fulfill its service obligations and follow our instructions regarding this data. To ensure data protection-compliant processing, we have concluded a data processing agreement with our Hoster. [Alternatively, in case of hosting in a third country: In order to ensure data protection-compliant processing, we have concluded a data processing agreement with our Hoster, which also includes the current EU standard contractual clauses (EU) 2021/914 of June 4, 2021 (hereinafter "SCC"). We use the following Hoster: HostEurope GmbH, Hansestr. 111, 51149 Köln.
b. Log files
When you access our website/application, the browser used on your end device automatically transmits information to the server of our website/application and temporarily stores it in a so-called log file. We have no influence on this. The following information is collected without your interaction and stored until automated deletion or alienation:
- the IP address of the requesting internet-capable device,
- the date and time of the access,
- the name and URL of the file accessed,
- the website/application from which the access originated (Referrer URL),
- the browser you use and, if applicable, the operating system of your internet-capable computer as well as the name of your access provider,
- the device used (e.g. desktop or smartphone),
- the language of the browser you are using.
The legal basis for the processing of the IP address is Article 6 (1) lit. f GDPR. Our legitimate interest is based on the purposes of data collection listed below. At this point, we would like to point out that we are not able to draw any direct conclusions about your identity from the collected data and that we will not do so.
The IP address of your device and the other data listed above are used by us for the following purposes:
- ensuring a smooth connection setup,
- ensuring a comfortable use of our website/application,
- evaluation of system security and stability.
The data is deleted as soon as it is no longer required for the purpose for which it was collected. When collecting data to provide the website, this is the case when the respective session has ended. When storing the data in log files, this is the case after 60 days at the latest.
5. Contact forms
For questions or concerns of any kind, we offer you the opportunity to contact us via contact forms provided on our website or our contact email address mentioned above. For sending a request using our contact form, it is necessary to provide a name and an e-mail address so that we know from whom the request originates and to answer it quickly. Additional information (such as a phone number) can be provided voluntarily. In the application form, the applicant can additionally provide the URLs of the LinkedIn or XING profile (including the personal data listed in the respective profile such as name, profile picture, contact details) as well as a salary requirement. This information is optional.
The processing of the data entered in the contact forms or transmitted to our contact e-mail address is based on a legitimate interest (Art. 6 (1) lit. f GDPR). By providing the contact form and a contact e-mail address, we would like to enable you to contact us in an uncomplicated manner. If the contact aims at the conclusion of a contract, the additional legal basis for the processing is Art. 6 (1) lit. b GDPR.
The Personal Data collected by us when contacting us via our contact forms will be deleted after completion of your request.
6. Registration ("Try for free") and log-in
If you register to use our services or to try them out within the offered free testing period, we require the name of the accommodation and its address, the website on which our booking engine is to be integrated, as well as a contact person with full name and e-mail address for the purpose of setting up our system, a customer account and sending the log-in data. In addition, you can provide a telephone number where we can reach you in case of questions. Your e-mail address and a password are required for the log-in after registration. If you decide to conclude a fee-based contract and pay our invoices by SEPA direct debit, we will also process your bank details (account holder, IBAN and BIC).
The legal basis for processing the data is Art. 6 (1) lit. a GDPR if the user has given his consent. If the registration as well as log-in serves the fulfillment of a contract or the implementation of pre-contractual measures, the legal basis for the processing of the data is Art. 6 (1) lit. b GDPR.
Your Personal Data will be deleted as soon as it is no longer required for the purpose for which it was collected. This is the case when you initiate the deletion of your customer account. However, there may also be a need for further storage beyond this in order to comply with contractual or legal obligations. In this case, the data will be deleted when all contractual and legal retention periods have expired.
7. Demo version of our booking engine
Part of our website is also a sample version of our online booking engine, through which test bookings can be made. During the test booking process, our system collects and processes the data necessary to make a reservation, in particular a name, a telephone number, an e-mail address, an address if applicable, as well as the date of arrival and departure and the booked accommodation and additional services. You are free to use fictitious data and pseudonyms instead of real data when entering your data. Upon completion of the test booking, the contact data provided as well as the associated booking data will be stored on our web servers. The demo booking process allows the simple demonstration of the functionality of the online booking engine offered by us to our potential customers, in which we have a legitimate interest (Art. 6 (1) lit. f GDPR). The personal data collected during the test booking will not be utilized by us and will be automatically deleted one week after the departure date selected in the booking process.
When visiting our website, you can determine which cookies we store on your device.
We use the following cookies:
a. Technically necessary cookies
aa. Cookie Consent Tool
In order to be able to manage cookies in a data protection compliant manner, we use our own cookie consent solution. When visiting our website, an essential cookie ("resavio_cookie_consent") is stored in the user's browser, in which the consent given or the revocation of consent is stored.
If you give your consent via the cookie banner, the following data is automatically logged:
- Date and time of consent
- Domain and path of the website
- UID (randomly generated ID)
- The consent status of the end user, which serves as proof of consent
The legal basis is Art. 6 (1) lit. f GDPR with § 25 (2) of the German Telecommunications-Telemedia Data Protection Act (Gesetz über den Datenschutz und den Schutz der Privatsphäre in der Telekommunikation und bei Telemedien -"TTDSG"). The cookie is necessary to comply with the legal requirements of data protection law. This is also our legitimate interest in the processing of Personal Data. This cookie has a storage period of one year.
bb. Session Cookie
We use our own session cookie "resavio_session", which contains a session ID (randomly generated session identifier) that is used to identify your unique session on the website. This ensures that all functions of the website can be fully displayed. The legal basis is Art. 6 (1) lit. f GDPR with § 25 (2) TTDSG. The cookie is technically necessary to deliver the website to you. This is also our legitimate interest in processing the Personal Data. This cookie is deleted when you close the browser.
cc. Security Cookie
We use our own security cookie "XSRF-TOKEN" to prevent cross-site request forgery (CSRF). The cookie contains a randomly generated security token. The legal basis is Art. 6 (1) lit. f GDPR with § 25 (2) TTDSG. The cookie is technically necessary in order to be able to guarantee a certain security standard. This is also our legitimate interest in processing the Personal Data. This cookie has a lifespan of approximately 1 hour.
dd. Authentication Cookies
We use our own authentication cookies "remember_users_*", "verify_users_*" and "password_hash_users_*" (where * is replaced by a random sequence of numbers and letters). These are cookies used for authentication (log-in) on our website. The cookie "remember_users_*" will only be stored if you check the "remember me" box during log-in. The legal basis is Art. 6 (1) lit. f GDPR with § 25 (2) TTDSG. The cookies are technically necessary to ensure convenient and secure authentication for the user. This is also our legitimate interest in the processing of Personal Data. The cookies have an unlimited lifetime.
b. Technically unnecessary cookies
We use the following technically unnecessary cookies:
aa. Statistics Cookie
We use our own statistics cookie "resavio_referer". This cookie stores information about the origin of a website visitor, i.e. the website from which the visitor came to our site ("Referrer"). The legal basis is your consent given via our cookie banner according to Art. 6 (1) lit. a with. Art. 49 (1) lit. a GDPR and § 25 (1) TTDSG. You can revoke your consent at any time. The cookie has a lifespan of 30 days.
9. Social Media Profiles
We operate various social media profiles to communicate with interested parties and to provide information about our products and services, among other things:
- Facebook Fanpage, a service of Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland ("Facebook")
- Twitter Profile of Twitter International Company, One Cumberland Place, Fenian Street, Dublin 2, D02 AX07, Ireland ("Twitter")
- LinkedIn company profile of LinkedIn Ireland Unlimited Company Wilton Place, Dublin 2, Irland ("LinkedIn")
- YouTube profile of YouTube, LLC, 901 Cherry Ave., San Bruno, CA 94006, USA ("Youtube")
As part of the operation of our social media profiles, we may access information such as statistics on the use of our social media profiles provided by the operator of the social media platform. These statistics are aggregated and may include, in particular, demographic information (e.g., age, gender, region, country), employment-related information (e.g., job, function, industry, work experience, company size), and data on interaction with our social media profile (e.g., likes, shares, subscriptions, viewing of images and videos) and the posts and content distributed via it. This may also provide information about the interests of users and which content and topics are particularly relevant to them. This information may also be used by us to adapt the design and our activities and content on the social media profile and to optimize them for our followers. The collection and use of these statistics is subject to joint controllership with the operator of the social media platform.
The legal basis for this data processing is Art. 6 (1) lit. b GDPR, in order to stay in contact with our users and to inform them as well as to carry out pre-contractual measures with interested parties, as well as Art. 6 (1) lit. f GDPR based on our legitimate interest in effective information and communication with users.
10. Transfer of data to third countries
Where this is not possible, transfer of data is based on exceptions according to Art. 49 GDPR, in particular your consent or the necessity of the transfer for the performance of the contract.
If a third country transfer is required and no adequacy decision or appropriate safeguards are in place, it is possible and there is a risk that authorities in the respective third country (e.g. intelligence services) may gain access to the transferred data in order to collect and analyze it, and that enforceability of your data subject rights cannot be guaranteed. When obtaining your consent via the consent banner, you will also be informed of this.
11. Your rights as a data subject
If your Personal Data is processed, you are a data subject within the meaning of the GDPR and you have the following rights:
Right to obtain information about the data stored about you, including any recipients and the planned storage period, Art. 15 GDPR.
Right to rectification, should incorrect data be processed, Art. 16 GDPR. If the legal requirements are met, you have the following additional rights:
- Right to erasure, Art. 17 GDPR
- Right to restriction of processing, Art. 18 GDPR
- Right to notification, Art. 19 GDPR
- Right to data portability, Art. 20 GDPR
- Right to object, Art. 21 GDPR
- Right to withdraw of consent, Art. 7 (3) GDPR
If you believe that the processing of your Personal Data violates data protection law, you have the right to lodge a complaint with a data protection supervisory authority of your choice pursuant to Art. 77 (1) GDPR.
Right to object, Art. 21 GDPR
You have the right to object at any time, on grounds relating to your particular situation, to the processing of Personal Data concerning you which is based on Art. 6 (1) lit. e or lit. f GDPR; this also applies to profiling based on those provisions.
The Controller shall no longer process your Personal Data unless the Controller demonstrates compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defense of legal claims.
Where your Personal Data is processed for direct marketing purposes, you shall have the right to object at any time to processing of Personal Data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing. Where you object to processing for direct marketing purposes, the Personal Data shall no longer be processed for such purposes.
In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, you may exercise your right to object by automated means using technical specifications.
In accordance with Art. 7 (3) GDPR, you have the right to revoke your consent at any time. This has the consequence that we no longer continue to process the data that was based on this consent in the future. The revocation of consent does not affect the lawfulness of the processing carried out on the basis of the consent until the revocation.
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the European member state of your residence, workplace or the place of the alleged infringement, if you consider that the processing of your Personal Data infringes the GDPR.
The supervisory authority to which the complaint has been submitted shall inform the data subject of the status and outcome of the complaint, including the possibility of a judicial remedy pursuant to Art. 78 GDPR. The competent supervisory authority in NRW is:
Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen
12. Data security
To protect the security of your data during transmission, we use state-of-the-art encryption methods. You can see whether an individual page of our website is transmitted in encrypted form by the closed display of the key or lock symbol in the lower status bar of your browser.
We also use appropriate technical and organizational security measures to protect your data against accidental or intentional manipulation, partial or complete loss, destruction or against unauthorized access by third parties. Our security measures are continuously improved in line with technological developments.
Status: March 2023