(hereinafter referred to as „the client“)
(hereinafter referred to as „MHS“)
The client uses the services of MHS in order to sustainably increase the hotels’ direct business. Therefore the client’s usage of personal data can’t be excluded in this context. Article 28 DSGVO necessitates the closure of a contract for order data processing. The legitimacy of such order processing under Article 28 DSGVO requires the client to place an order with MHS. This contract contains this client’s order with MHS and regulates the rights and obligations of both parties in accordance with the data processing as well as with consequential particular obligations in reference to data protection and data security. Generally the client is responsible for the compliance with the regulations of DSGVO and other data protection regulations and therefore retains sole authority of the data to be processed.
a) MHS processes personal data on behalf of the client under Article 4 Number 8 and under Article 28 of Regulation (EU)2016/679- General Data Protection Regulation (DSGVO). This contract regulates the rights and obligations of both parties in connection with the processing of personal data.
b) Provided the term “data processing” or “processing” (of data) is being used in this contract, the definition of “processing” will underlie Article 4 Number 2 of the DSGVO.
2. Object of the order
This agreement applies to all actions relating to the underlying order and with which employees of MHS or through MHS contracted third parties come in contact with the client’s personal or provided data. The client’s order with MHS incorporates the work and/or services as stated in attachment 1. The data undergoing processing, nature and purpose of the processing, the nature of personal data and the categories of affected people are also listed in this attachment.
3. Obligations of MHS
a) MHS uses personal data solely within the regulations of the agreement and/or within compliance of the client’s possible additional instructions. Exceptions to this are legal regulations that might obligate MHS to an ulterior processing.
In such a case MHS will inform the client of the legal requirements before the processing provided the right affected won’t prohibit such a notification due to am important public interest. Otherwise purpose, nature and scope of the data processing comply with this contract and/or the client’s instructions.
Any data processing deviating hereof of is prohibited to MHS unless the client has agreed to it in written form. b) MHS is binded to execute the data processing of the order solely in the member states of the European Union (EU) or the European Economic Area (EWR).
c) MHS will immediately inform the client if a client’s instruction are violating legal regulations. MHS is entitled to withhold the execution of the respective instruction until the client either confirms or changes it. Provided MHS can demonstrate that an execution of the client’s instruction will lead to a liability of MHS under Article 82 DSGVO, MHS does then maintain the right to withhold further processing until the clarification of liability between the two parties has been performed.
4. Reporting Obligation of MHS
a) MHS is obligated to inform the client about each violation of data protection regulations or of contractual regulations and/or the client’s instructions which occurred within the data processing by the client himself or other employed people engaged with the processing. The same applies to each violation of the protection of personal data which MHS processes by the client’s order.
b) Furthermore MHS will inform the client immediately if a supervisory authority under Article 58 DSGVO operates against MHS and this might effect a control of the processing which MHS executes by the client’s order.
c) MHS knows that the client has a reporting obligation under Article 33, 34 DSGVO which includes a reporting to the supervisory authority within 72 hours after having known. MHS will support the client with the realization of the reporting obligations. MHS will particularly inform the client about each unauthorized access to personal data that has been processed by the client’s order immediately after knowledge of the access. The report of MHS to the client has to contains the following information in particular:
a. A description of the nature of the violation of personal data if possible stating the categories and an approximate number of the affected people and categories and an approximate number of the affected personal data records.
b. a description of the measures executed or suggested by MHS in order to remove the violation of the protection of personal data and also possible measures to reduce detrimental effects.
5. MHS’s obligation to cooperate
a) MHS assists the client in his obligation to answer to requests of realization of rights of people affected under Article 12-23 DSGVO.
b) MHS helps with the creation of directories of the client’s processing activities
c) MHS supports the client in the fulfillment of the obligations stated in Article 32-36 DSGVO in consideration of the nature of processing and the information available to it.
6. Powers of supervision
a) The client has the right to control in so far as necessary the compliance with legal provisions for data protection and/or the compliance with the contractual regulations agreed on by the parties and/or the compliance with the client’s instructions to MHS
b) MHS is obligated to the provision of information towards the client as far as this is necessary for the execution of inspection according to Abs. a).
c)The here mentioned contractual parties assume that an inspection will only be necessary once a year. Nature und process of inspection underlie the individual agreement between MHS and the client. Additional inspections are to be accounted for by the client.
d) MHS can decide to have the compliance with technical and organizational measures verified by presentation of a suitable, recent certificate of reports or report extracts of independent authorities (e.g. data protection officer) or of a suitable certification provided the examination report facilitates the client to be convinced of the compliance with the technical and organizational measures according to attachment 3 of this contract.
e) MHS is obligated to provide the client with the necessary information in case of measures of the supervisory authority towards the client according to Article 58 DSGVO particularly in regards to disclosure and inspection obligation and to facilitate on-the-spot checks for the respective responsible supervisory authority. The client has to be informed hereof.
7. Subcontract conditions
a) MHS is authorized to engage the subcontractors stated in this contract’s attachment 2 for processing the data on behalf of the order. The change of subcontractor or the commissioning of additional subcontractors is permitted according to the conditions stated in paragraph b).
b) MHS has to choose the subcontractor carefully and has to check prior to commissioning that the subcontractor can comply with the conditions agreed on between MHS and the client. Particularly before and regularly during the contractual period MHS hat to check that the subcontractor has chosen the necessary technical and organizational measures according to Article 32 DSGVO for the protection of personal data. MHS will inform the client in case of an intended change of a subcontractor or a planned commissioning of a new subcontractor in good time but the latest 4 weeks prior to the change / the new commissioning in written form (“Information”). The client has the right to object to the change or the new commissioning of the subcontractor stating the respective reasons in written form within three weeks after having received the “Information”. The objection can be withdrawn by the client any time in written form. In case of an objection MHS can terminate the contractual relationship with the client giving at least 14 days to end of a calendar month. With the cancelation period MHS will respect the client’s interests accordingly. If there is no objection from the client within three weeks of access to the “information” then this counts as the client’s affirmation for the change / new commissioning of the respective subcontractor. The meaning of the client’s silence will be pointed out to him in the “information”.
c) MHS is obligated to get a confirmation from the subcontractor as to him naming an operational data protection officer according to Article 37 DSGVO provided the subcontractor is legally obligated to name an operational data protection officer. If the subcontractor can’t name a data protection officer then he is obligated to use the data protection officer of MHS or the respective data protection institution responsible for MHS. d) MHS has to ensure that the regulations and the client’s additional instructions agreed on in this contract also apply to the subcontractor.
e) MHS has to enter a contract for commissioned data processing with the subcontractor that concurs with the requirements of Article 28 DSGVO. Furthermore MHS has to impose the same obligations for the protection of personal data on the subcontractor as have been agreed upon between the client and MHS. By request MHS has to transmit a copy of the contract of the commissioned data processing to the client. The electronic transmission is admissible.
f) MHS is especially obligated to ensure by contractual regulations that that the client’s and the supervisory authority’s powers of inspection apply to the subcontractor and that correspondent powers of inspection are agreed upon with the client and the supervisory authority. Furthermore it has to be stipulated that inspection measures and possible on-the spot checks have to be accepted by the subcontractor.
g) Services which MHS uses as mere ancillary services in order to carry out business activity are not to be regarded as subcontractor relations according to paragraph a) to f). This includes for example cleaning services, pure telecommunications services without direct reference to services which MHS generated for the client, postal and courier services, transport services, surveillance services. Notwithstanding MHS is obligated that appropriate measures and technical and organizational measure have been taken in order to secure the protection of personal data this also applies to ancillary services rendered by third parties.
8. Confidentiality obligation
a) During the processing of data for the client MHS is obligated to maintain the confidentiality of data which it received in accordance with the order or which it came in knowledge of.
b) MHS has familiarized its employees with the for them relevant regulations of the data protection and obligated them to confidentiality.
c) The employees‘ obligation has to be verified according to paragraph b by the client’s request.
9. Protection of rights for individuals affected
a) The client is solely responsible for the protection of the rights for individuals affected. MHS is obligated to support the client in his obligation to process requests of individuals affected according to Article 12-23 DSGVO. In particular MHS has to ensure that the client immediately receives the necessary information in order for him to realize his obligations from Article 12 paragraph 3 DSGVO.
b) As far as a participation of MHS is required by the client for the protection of the rights of individuals affected – especially in respect of information, correction, blocking or deletion – MHS will take the appropriate measures according to the client’s instructions. MHS will support the client where possible with suitable technical and organizational measures in order to fulfill his obligation to answer the requests for the execution of the rights for individuals affected.
c) Regulations about a possible compensation for additional efforts which result from cooperative performances towards the client in correlation with enforcement of rights for individuals affected at MHS remain unaffected.
Payment of MHS will be agreed on separately.
11. Technical and organizational measures for data protection
a) MHS obligates itself towards the client to comply to the technical and organizational measures which are necessary for the compliance with the applicable data protection regulations. This includes the regulations from Article 32 DSGVO.
b) The existing status of the technical and organizational measures at the time of conclusion of contract has been added to this contract in attachment 3. The parties agree that modifications of the technical and organizational measures might be required for the adaptation to technical and legal factors.
Essential modifications which could impair the integrity, confidentiality and availability of personal data will beforehand be agreed upon by MHS and the client.
Regulations which will merely cause minor technical or organizational modifications and not impair the integrity, confidentiality and availability of personal data can be realized by MHS without the client’s approval. The client can request a current version of the MHS’s chosen technical and organizational measures once a year or where there are reasonable grounds.
12. Duration of order
a) The contract starts with the approval and runs for the duration of the parties’ existing main contract about the client’s usage of services rendered by MHS.
b) The client can terminate the contract anytime without adherence to a cancelation period if MHS gravely violated the applicable data protection regulations or obligations from this contract, MHS can’t or won’t execute the client’s instructions or MHS contrary to contract denies access to the client or the responsible supervisory authority.
By the client’s request MHS has to return or delete all attained documents, data and created processing or usage results associated with the contractual relation after the contract’s termination. The deletion has to be documented in an appropriate manner. Possible legal retention obligations or other obligations for the retention of the data remain unaffected.
14. Final clause
a) This agreement underlies the German law.
b) Ancillary agreements are required in written form.
c) Should individual components of this contract be invalid then this will not affect the validity of the contracts remaining regulations.
Leipzig, den 24. Mai 2018
Managing director myhotelshop GmbH
Through the (re)confirmation of the terms and conditions the client has electronically delivered his declaration of intent for the conclusion of the contract
Services of MHS
Scope, nature and purpose:
Creation of placements (selection, setup and optimization of campaigns), consulting and management (development of strategies in direct online marketing) and website service (stronger conversions and increased booking experience).
Nature of data:
Any data accumulated by MHS within the contractual relation especially of its business clients, their employees, particularly name, address, e-mail address, if necessary telephone number as well as details for usage of contact and order fulfillment.
Employees of the contractual partner as well as the hotel’s customers.
Usage of supporting platforms, through MHS or apparent third parties from the subcontractual relation, for the delivery of stipulated services:
The supporting platforms for their part represent their own business which work and act in conformity with DSGVO since the 25.05. MHS has to insure itself of this fact from the time of the collaboration between MHS and the supporting platforms/businesses. These businesses can be separately contacted by the client. The client also has the right to request information about personal data of the client through MHS and after specification of a legitimate and justified reason.
MHS currently appoints the following subcontractors:
- easybill, easybill GmbH, Düsselstr. 21, 41564 Kaarst
- neue emotionale GbR, Agentur für digitales Marketing, Schlesische Straße 28 · 10997 Berlin
- Mittwald CM Service GmbH & Co. KG, Königsberger Straße 4-6, 32339 Espelkamp
Technical and organizational measures of MHS
MHS takes the following technical and organizational measures for data protection according to Article 32 DSGVO:
a) Access control
Access to data processing systems with which personal data can be processed or used is to be denied to unauthorized people:
Storage of data in a computer center / on a not publicly accessible server:
- electronic access control system with logging
- documented distribution of keys to employees
- guidelines for guest support in the company
- staffing of the computer center at business hours and constant availability of the people responsible
b) access control
The usage of the data processing systems by unauthorized people is to be prevented:
- Implementation through user account control, access to EDV systems only possible with username/password.
- MHS itself distributes passwords which can be altered after a first-time initiation
c) access control
It is to be guaranteed that the person authorized to use a data processing system can solely access data subject to access authorization and that personal data can’t unauthorizedly be read, copied, modified or erased during processing, usage and after storage:
- Setup of an access right concept with every single customer getting access only onto their own areas and data
- protocol of all access into the logfiles of MHS and third parties
- To ensure the secrecy of access data and for potential forwarding of those to employees is under the responsibility of the customer
d) Separation control
it is to be ensured that data that is collected for different reasons can also be treated separately:
- Data of the customer will either be physically or logically saved separately
- Data backup will as well be handled physically or logically separately
a) Data entry control
It is to be ensured that you can check and determine later if and from whom personal data can be entered, changed or deleted in data processing system:
- The data are entered and managed by MHS itself
- the access for MHS is protocolled, especially for access on databases and systems of the customer, which contain personal data.
b) Data Transfer Control
It is to be ensured that personal data during an electronic transfer or during a transport or the storage on a harddrive cant be read, copied, changed or deleted by unauthorized access and that you can checked and determined at which steps of the transmission of personal data through facilities of the data transfer is intended:
- Employees are (newly) committed under the data protection of the GDPR and or / §53 BDSG,
- the transfer of all data to and from customer areas only happen under SSL security
- for the implementation of means of transfer to external system (data export) is under the responsibility of the customer.
3. Availability and load-bearing capacity
It is to be ensured that personal data is protected against random destruction and loss:
- Customer data are regularly saved as data backups - by using redundant system,
- by using electricity systems that run flawless
4. Processes to regularly check, rate and evaluate
The employees will be regularly trained and updated around data protection policies and are aware with all procedural instructions and user policies for the data protection under the customer order, also considering the instruction power of the client. Every employee will therefore be obligated on the first day of his job latest to sign a document that ensures that he or she works under the dataprotection conditions of GDPR. Without that signed document an employee will not get access to personal data.
Data protection statement: We are delighted by your interest in our website. Protecting your privacy is very important to us. Below we will inform you in detail as to how your data is handled.
1. The collection, processing and use of personal data
You can visit our site without having to enter personal data. We only save access data without reference to the user, e.g. the name of your Internet service provider, the site from which you visited us, or the name of the requested file. The data is analysed exclusively to allow us to improve our services, and does not allow us to identify you as an individual.
Personal data is only collected if voluntarily given to us by you as part of a particular contract or when registering for our newsletter. We use the data you provide us with to fulfil and process your order. Upon the complete fulfilment of the contract, your information will be blocked and then deleted upon expiry of tax and commercial law retention periods, provided you have not expressly consented to the further use of your information. On registering for the newsletter your email address will be used for private advertising purposes, until you unsubscribe from the newsletter. You can unsubscribe at any time.
2. We will not share your personal information with third parties, unless
with your express prior consent, or unless
a third party informs us that the content (pictures, text) you have provided for our online offer violates their rights, meaning we are obliged to publish this data, for example due to a court or administrative order.
3. Your consent to receive our newsletter.
You have expressly granted the following consent(s) and we have logged the consent. According to the German Telemedia Act (TMG) we are obliged to keep the content of the consent ready to be called up at any time. This consent may be withdrawn at any time in the future.
Permission for email advertising. I want to subscribe to the newsletter (this can be cancelled at any time). On registering for the newsletter your email address will be used for private advertising purposes, until you unsubscribe from the newsletter. You can unsubscribe at any time.
Cookies are used on certain pages to encourage users to visit our website and to allow the use of certain functions. These are small text files that are stored on your computer. Most of the cookies we use are deleted from your hard drive at the end of the browser session (session cookies). Other cookies will remain on your computer and allow us to recognise you for your next visit (permanent cookies). Many Internet browsers have the default setting to allow cookies. You can deactivate the saving of cookies, or configure your browser so that cookies can be accepted or rejected manually.
5. Use of Facebook plug-ins:
Our website uses social plug-ins ('plug-ins') from the social networking site Facebook , which is run by Facebook Inc., 1601 S. California Ave, Palo Alto, CA 94304, USA ('Facebook'). The plug-ins can be identified by the Facebook logo or the caption 'Social plug-in from Facebook' or 'Facebook social plug-in'. You can find an overview of the Facebook plug-ins and what they look like here: http://developers.facebook.com/plugins
If you open a page on our website which contains one of these plug-ins, your browser will connect directly to the Facebook servers. The content of the plug-ins will be transferred from Facebook directly onto your browser and then integrated into the website.
By integrating the plug-in, Facebook will receive the information that your browser has opened that particular page on our website, even if you do not have a Facebook account or are not logged in to Facebook at that moment. This information (including your IP address) will be transferred from your browser directly to a server in the USA and saved there.
If you are logged in on Facebook, Facebook can directly match your visit to our website to your Facebook account. If you make any interaction with the plug-ins, by clicking the 'like' button or leaving a comment, for example, the information will be transferred to a Facebook server and saved there. The information will also be published on Facebook and on display to your Facebook friends.
Facebook is permitted to use this information for the purposes of advertising, market research and for designing or configuring Facebook web pages. For this purpose, Facebook creates profiles regarding usage, interests and relationships, e.g. to evaluate your use of our website with regard to the advertisements displayed to you on Facebook, to inform other Facebook users about your activities on our website and to provide further services linked to the use of Facebook.
You must log out of Facebook before visiting our website if you do not want Facebook to collect data about you from our website and assign it to your Facebook account.
6. Use of Facebook Connect.
We also offer you the opportunity to register for myhotelshop services via the Facebook Connect service using the information saved on your Facebook account. This will only result in a transfer of information from Facebook to us with your prior consent. A new user account with us will be created using the transferred information. The transfer of information to us is performed only once. There is no permanent link between the Facebook and myhotelshop accounts.
7. Use of Google '+1' buttons.
The +1-button from google.com is integrated into our websites, which is operated by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA('Google'). The button is displayed as the coloured word/icon '+1'. When you open a website on which this button is implemented, your browser will connect directly to the Google servers. The button is transmitted from Google directly onto your browser, and from your browser it is displayed on our website.
8. Use of the Twitter plug-in.
We also use social plug-ins from the social networking site twitter.com, which is operated by Twitter Inc., 795 Folsom St., Suite 600, San Francisco CA 94107, USA ('Twitter'). The plug-ins are displayed with a Twitter logo. When you visit a page of our website that contains one of these plug-ins, your browser connects directly to the Twitter servers. Twitter sends the content of the plug-in directly to your browser, which then integrates it into the website.
9. Web analytics.
This website uses Google Analytics, a Web analysis service from Google Inc. ('Google'). Google Analytics uses 'cookies', text files that are saved on your computer and allow your use of the website to be analysed. The information about your use of the website which is generated by the cookie (including your IP address) is transferred to a Google server in the USA and saved there. Google will use this information to analyse your use of the website, to compile reports about website activities for the operators of the site, and to render further services connected to the use of websites and the Internet. Google will also relay this information to third parties to the extent that this is prescribed by statute or where third parties are contracted by Google.
Under no circumstances will Google link your IP address to other data retrieved by Google. You can prevent the installation of the cookies using a special setting of your browser software; however, in that case, please be aware that you might not be able to use all functions of this website to their full extent. The use of this website implies your express agreement to Google using the data collected from you in the way and for the purpose described above.
10. Right of objection.
You can object to the collection and saving of your data by Google Analytics at any time and with immediate effect for the future, e.g. by downloading a browser add-on for deactivating Google Analytics and installing it for your browser. You can find the deactivation add-on here: http://tools.google.com/dlpage/gaoptout?hl=de
11. Data protection.
We protect our website and other systems through technical and organisational measures against loss, destruction, access, modification or distribution of your data by unauthorised persons. Your customer account (if you have one) can only be accessed by entering your personal password. You should always ensure your login data remains confidential and to close the browser window after you are finished communicating with us, especially when sharing use of the computer with others.
13. Right of access to information.
The Federal Data Protection Act states that you have the right to free information about your stored data at any time, as well as the right to correct, block or delete this information.
14. Contact partner for data protection.
For questions regarding the collection, processing and use of your personal information, concerning the disclosure, correction, blocking or deletion of data, or the revocation of granted consents, please contact us at firstname.lastname@example.org.
1. General Information
1.1 Provider of myhotelshop.de ("myhotelshop") is myhotelshop GmbH, Bosestrasse 4, 04109 Leipzig ("Anbieter").
1.4 The user has no permanent right to use myhotelshop. A permanent availability of or access to this platform in particular are not an imperative requirement. Yet myhotelshop endeavors to facilitate uninterrupted usage of the platform and update the platform as to the users requirements.
1.5 myhotelshop does not warrant completeness, accuracy and availability of the information provided by myhotelshop. Every user who encounters wrong or misleading information is asked to inform myhotelshop.
2. Usage of myhotelshop and implementation of the "virtual property rights"
2.1 myhotelshop can be used without registration. Some functions and services though can be used by registered members only.
2.2 It is the user's sole responsibility as to which content is being put on myhotelshop. He obligates himself to myhotelshop not to include illegal content.
2.3 The user may not send send copious mails of the same content via myhotelshop. All kind of spamming or similarly objectionable actions towards other users is prohibited.
2.4 Acces to and usage of myhotelshop is executed individually via one webbrowser. The application of Webspider, Crawler or similar programs with the purpose of not only indexing the content but also extracting and saving large quantities of the platform's content is prohibited. Included are programs in particular that facilitate offers and services of a third party via the so-called Screenscraping.
3. User's Account
Users have the possibility to create an account for the usage of specific tools. The registration might also be carried out via an existing account on a social network, where the user is already registered.
4. Liability for a third party
4.1 The website also contains some links to a third party website whose content is not known to myhotelshop. myhotelshop merely procures the access to these websites and is not responsible for their content. The links to external websites are to facilitate their navigation. myhotelshop does not appropriate, but dissociates itself completely from all the content that is presented on the third party websites which are linked to this platform.
4.2 The owners of the websites, which are connected to this platform via a hyperlink, are solely responsible for their content as well as for their offered products.
5.1 The content offered by myhotelshop is protected by copyright. The usage of the content is subject to the effective copyright. This website may not be altered, copied, published, distributed or retained without the consent of myhotelshop. The material may exclusively be used for private and noncommercial purposes in strict consideration of the effective copyright.
6. Data Protection
More information concerning data protection and data security can be found in the data protection statement of myhotelshop.
7. Final Regulation
7.1 The General Terms and Conditions Act is based on the law of the Federal Republic of Germany.