(hereinafter referred to as “MHS”)
The Client uses the services offered by MHS to achieve a sustained increase in the direct business of hotels.
In this context, it cannot be ruled out that the Client will process personal data. Under Art. 28 GDPR, it is necessary to conclude a data processing agreement for this purpose which covers the processing of personal data on behalf of a controller.
In order for such processing on behalf of a controller to be permissible under Art. 28 GDPR, the Client must commission MHS to process data. This agreement contains MHS’s commissioning by the Client, and defines the parties’ rights and obligations in connection with this data processing as well as the resulting special obligations with regard to data protection and data security. In principle, the Client shall be responsible for compliance with the provisions of the GDPR and other regulations on data protection and in this respect shall retain control over the data to be processed. Hereinafter the term "Controller" is used for the Client.
a) MHS shall process personal data on behalf of the Controller within the meaning of Art. 4 No. 8 and Art. 28 of Regulation (EU) 2016/679, the General Data Protection Regulation (GDPR). This agreement defines the parties’ rights and obligations in connection with the processing of personal data.
b) Where the term ‘data processing’ or ‘processing’ (of data) is used in this agreement, this is based on the definition of ‘processing’ within the meaning of Art. 4 No. 2 GDPR.
2) Object of the commissioned data processing
This agreement shall apply to all activities that are related to the underlying commissioning and where employees of MHS, or third parties commissioned by MHS, may come into contact with or receive personal data of the Controller. The work and/or services with which the Controller has commissioned MHS is specified in Annexe 1. This annexe also indicates the object of the processing, the nature and purpose of the processing, the nature of the personal data, and the categories of data subjects.
3) Obligations of MHS
a) MHS shall process personal data exclusively within the framework of the agreements made and/or in compliance with any supplementary instructions issued by the Controller. This does not apply to legal regulations which may oblige MHS to process the data in a different way. In such a case, MHS shall notify the Controller of such legal requirements prior to the processing, unless the relevant law prohibits such notification due to an important public interest. The purpose, nature and scope of data processing shall otherwise be governed exclusively by this agreement and/or the Controller’s instructions. MHS shall be prohibited from processing data in any other way, unless the Controller has agreed to this in writing.
b) As a rule, MHS undertakes to carry out data processing on the Controller’s behalf only in Member States of the European Union (EU) or the European Economic Area (EEA).
c) Any transfer of the data processing or use to a third country shall require the Controller’s approval and may only take place if the legal regulations – under Sect. 78 ff. of the German Federal Data Protection Act (BDSG) as well as Art. 44 and Art. 49 GDPR – are observed. This concerns, inter alia, any commissioning which requires the use of support platforms. In Annexe 1, MHS refers to the applicable privacy notices in this regard. Approval shall be deemed to have been granted if the data processing agreement is approved and the use of the support platforms forms part of the processing.
d) MHS shall inform the Controller without undue delay if, in its opinion, an instruction issued by the Controller violates legal regulations. MHS shall be entitled to suspend execution of the relevant instruction until it has been confirmed or changed by the Controller. If MHS can demonstrate that processing according to the Controller’s instruction may lead to liability on the part of MHS pursuant to Art. 82 GDPR, MHS shall be entitled to suspend further processing in this respect until the liability between the parties has been clarified.
4) Reporting obligations of MHS
a) MHS shall be obliged to notify the Controller without undue delay of any breach of data protection regulations or of the contractual agreements and/or of the instructions issued by the Controller which has occurred in the course of the processing of data by it or by other persons employed to carry out the processing. The same shall apply to any breach of personal data MHS processes on behalf of the Controller.
b) Furthermore, MHS shall inform the Controller without undue delay if a supervisory authority takes action against MHS pursuant to Art. 58 GDPR and if this may also involve checking the processing that MHS performs on behalf of the Controller.
c) MHS is aware that the Controller may be bound by a notification obligation under Art. 33 or 34 GDPR, which requires notification to the supervisory authority within 72 hours after knowledge of a violation arises. MHS shall assist the Controller in complying with the notification obligations. In particular, MHS shall notify the Controller of any unauthorised access to the personal data processed on the Controller’s behalf, without undue delay as soon as it becomes aware of such access. MHS’s notification to the Controller shall include the following information in particular:
a. a description of the nature of the personal data breach including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
b. a description of the measures taken or proposed by MHS to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
5) Duties of cooperation on the part of MHS
a) MHS shall support the Controller in its obligation to respond to requests from data subjects to exercise their rights under Art. 12–23 GDPR.
b) MHS shall assist the Controller in its preparation of records of processing activities.
c) Taking into account the nature of the processing and the information available to it, MHS shall assist the Controller in complying with the obligations specified in Art. 32–36 GDPR.
6) Monitoring powers
a) The Controller shall have the right to monitor compliance with the statutory provisions on data protection and/or compliance with the contractual arrangements agreed between MHS and the Controller and/or MHS’s compliance with the Controller’s instructions, to the required extent.
b) MHS shall be obliged to provide information to the Controller to the extent necessary to carry out the monitoring within the meaning of Paragraph a).
c) MHS and the Controller anticipate that monitoring will be required no more than once a year. The nature and method of the monitoring shall be subject to individual agreement between MHS and the Controller. Further inspections must be justified, stating the reasons.
d) If MHS wishes, proof of compliance with the technical and organisational measures may be provided by submitting an appropriate, up-to-date certificate, reports or report extracts from independent bodies (e.g. data protection officer) or appropriate certification, if the inspection report reasonably enables the Controller to satisfy itself of compliance with the technical and organisational measures in accordance with Annexe 3 to this agreement.
e) In the case of measures taken by the supervisory authority against the Controller within the meaning of Art. 58 GDPR, in particular with regard to information and monitoring obligations, MHS shall be obliged to provide the necessary information and to enable the competent supervisory authority to carry out an on-site inspection. The Controller must be informed of this.
7) Subcontractual relationships
a) MHS shall be entitled to use the subcontractors specified in Annexe 2 to this agreement to process data on its behalf. Any change of subcontractors or the appointment of further subcontractors shall be permitted under the conditions set out in Paragraph b).
b) MHS shall select the subcontractor carefully and check before commissioning that the subcontractor is able to fulfil the agreements made between the Controller and MHS. MHS must in particular check in advance, and regularly during the contract period, that the subcontractor has taken the technical and organisational measures necessary for the protection of personal data in accordance with Art. 32 GDPR. If there are plans to change a subcontractor or commission a new one, MHS shall inform the Controller in text form in good time, but no later than four weeks prior to the change or the new commissioning (“Information”). The Controller shall be entitled to object to the change or the new commissioning of the subcontractor in text form within three weeks after receipt of the Information, stating the reasons. The Controller shall be entitled to withdraw its objection at any time in text form. In the event of an objection, MHS shall be entitled to terminate the contractual relationship with the Controller by giving at least 14 days’ notice to the end of a calendar month. MHS shall take reasonable account of the Controller’s interests when determining the notice period. If the Controller does not object within three weeks of receipt of the Information, the Controller shall be deemed to have consented to the change or new commissioning of the subcontractor concerned. The Controller shall be informed separately in the Information of the consequences of not responding.
c) MHS shall be obliged to have the subcontractor confirm that it has designated a company data protection officer in accordance with Art. 37 GDPR, insofar as the subcontractor is legally obliged to designate a data protection officer. If the subcontractor is unable to designate a data protection officer, it shall be obliged to use MHS’s data protection officer, or the data protection agency used by MHS.
d) MHS shall ensure that the arrangements agreed in this contract and, if applicable, any supplementary instructions issued by the Controller, also apply to the subcontractor.
e) MHS shall conclude a data processing agreement with the subcontractor that meets the requirements of Art. 28 GDPR. In addition, MHS shall impose the same personal data protection obligations on the subcontractor as are specified between the Controller and MHS. A copy of the data processing agreement shall be made available to the Controller upon request. Electronic transmission shall be sufficient in this respect.
f) MHS shall in particular be obliged to ensure by contractual regulations that the monitoring powers of the Controller and of supervisory authorities also apply to the subcontractor and that corresponding monitoring rights of the Controller and of the supervisory authorities are agreed. It must also be contractually stipulated that the subcontractor shall be required to tolerate these monitoring measures and any on-site inspections.
g) Subcontractual relationships within the meaning of Paragraphs a) to f) shall not include third-party services which MHS uses as purely ancillary services in order to carry out its business activities. This includes, for example, cleaning services, pure telecommunication services without concrete reference to services that MHS provides for the Controller, postal and courier services, transport services, guarding services. MHS shall nevertheless be obliged to ensure that appropriate precautions and technical and organisational measures have been taken to guarantee personal data protection, even in the case of ancillary services provided by third parties.
8) Obligation to maintain confidentiality
a) When processing data for the Controller, MHS shall be obliged to maintain confidentiality in respect of data which it receives or becomes aware of in connection with the order.
b) MHS has familiarised its employees with the relevant data protection provisions and required them to provide an undertaking to maintain confidentiality.
c) Upon request, MHS shall be required to prove to the Controller that its employees have provided the undertaking according to Paragraph b).
9) Safeguarding the rights of data subjects
a) The Controller shall be solely responsible for safeguarding the rights of data subjects. MHS shall be obliged to support the Controller in its duty to process requests from data subjects under Art. 12–23 GDPR. In this context, MHS shall in particular ensure that the information required in this respect is made available to the Controller without undue delay so that the latter can in particular comply with its obligations under Art. 12(3) GDPR.
b) Insofar as MHS’s cooperation is necessary for the Controller to be able to safeguard the rights of data subjects, in particular the right of access and the rights to have data rectified, blocked or erased, MHS shall take the necessary measures according to the Controller’s instructions. MHS shall take appropriate technical and organisational measures to support the Controller as far as possible in fulfilling its obligation to respond to requests from data subjects to exercise their rights.
c) This shall not affect provisions on any remuneration of additional expenses incurred by MHS for its cooperation when data subjects exercise their rights vis-à-vis the Controller.
The remuneration owed to MHS shall be agreed separately.
11) Technical and organisational measures for data security
a) MHS hereby assures the Controller that it shall comply with the technical and organisational measures that are necessary to comply with the applicable data protection regulations. This includes in particular the requirements of Art. 32 GDPR.
b) The status of the technical and organisational measures in place at the time of contract conclusion is attached as Annexe 3 to this agreement. MHS and the Controller agree that changes to the technical and organisational measures may be necessary in order to adapt to technical and legal circumstances. MHS shall agree in advance with the Controller any significant changes that may affect the integrity, confidentiality or availability of personal data. MHS may implement measures without consulting the Controller if this involves only minor technical or organisational changes and does not adversely affect the integrity, confidentiality and availability of personal data. The Controller may request an up-to-date overview of the technical and organisational measures taken by MHS once a year, or when it has justified reasons for doing so.
12) Duration of the processing on the Controller’s behalf
a) The agreement shall begin upon approval and run for the duration of the main contract concluded between the parties on the Controller’s use of MHS’s services.
b) The Controller may terminate the agreement at any time without notice if there is a serious breach by MHS of the applicable data protection regulations or of obligations arising from this agreement, if MHS is unable or unwilling to carry out an instruction from the Controller, or if, in breach of the agreement, MHS refuses entry to the Controller or the competent supervisory authority.
After termination of the agreement, MHS shall be required, at the Controller’s discretion, to either return or erase all documents, data and processing or usage results that are related to the processing performed on the Controller’s behalf and have come into its possession. The erasure shall be documented in an appropriate manner. This shall not affect any statutory retention obligations or other obligations to store the data.
14) Final provisions
a) This agreement is subject to German law.
b) Ancillary agreements shall require the written form.
c) Should individual parts of this agreement be invalid, this shall not affect the validity of the remaining provisions of the agreement.
Leipzig, 15 April 2021
Ullrich Kastner, Ronnie Jahraus
Managing Directors of myhotelshop GmbH
Services provided by MHS: Scope, nature and purpose:
Creation of placements (campaign selection, setup and optimization), consulting and management (online direct sales strategy development) and website services (stronger conversions and enhanced booking experiences).
Types of data:
Any data stored by MHS in connection with the contractual relationship, in particular that of its business clients, their employees, namely names, addresses, email addresses, telephone numbers if applicable, as well as details of contact use and order fulfilment.
Employees of the contractual partners, as well as customers of the hotels.
Use of support platforms, by MHS or third parties identifiable from the subcontractual relationship, for the provision of the contracted services:
For their part, the support platforms constitute separate companies which, as of 25 May, work and operate in a GDPR-compliant manner. MHS has to assure this fact from the moment of the cooperation between MHS and the support platform / company. These companies can be contacted separately by the Controller. The Controller is also entitled to request information via MHS about the Controller’s personal data, after stating a justified and substantiated reason.
The support platforms mentioned above may apply tracking technologies which measure the provision of the service and thus lead to the billability of the same. Tracking devices:
Use of tools:
MHS currently uses the following subcontractors:
Technical and organisational measures at MHS
MHS takes the following technical and organisational measures for data security within the meaning of Art. 32 GDPR:
a) Physical access control
Unauthorised persons are physically denied access to data processing systems used to process or use personal data:
Storage of data in a data centre / on a server that is not generally accessible, and there:
b) Equipment access control
Unauthorised use of data processing systems must be prevented:
c) Data access control
It must be ensured that persons authorised to use a data processing system can only access personal data subject to their access authorisation, and that data cannot be read, copied, changed or removed without authorisation during processing, use and storage.
d) Physical, equipment and data access control for and from a third country
Should MHS deem it necessary, the following measures to secure physical access, equipment access and data access will be considered and applied:
e) Separation control
It must be ensured that data collected for different purposes can be processed separately:
a) Input control
It must be ensured that it can be examined and established later on whether and by whom personal data has been entered, changed or deleted in data processing systems:
b) Data transmission control
It must be ensured that personal data cannot be read, copied, changed or deleted by unauthorised persons when transferred electronically or while being transported or stored on data carriers, and that it can be examined and established where personal data is to be transmitted by data transmission equipment.
3) Availability and resilience
It must be ensured that personal data is protected against accidental destruction or loss.
4) Procedures for regular review, assessment and evaluation
MHS employees are instructed in data protection law at regular intervals and they are familiar with the procedural instructions and user guidelines for data processing on behalf of the Controller, including with regard to the principal’s right to issue instructions. Each employee is required to provide a written undertaking to comply with data protection requirements under the GDPR no later than on the first day at the start of his or her employment. The employee does not have access to personal data before providing such an undertaking.
Please find here the old GDPR.
Data protection statement: We are delighted by your interest in our website. Protecting your privacy is very important to us. Below we will inform you in detail as to how your data is handled.
1. The collection, processing and use of personal data
You can visit our site without having to enter personal data. We only save access data without reference to the user, e.g. the name of your Internet service provider, the site from which you visited us, or the name of the requested file. The data is analysed exclusively to allow us to improve our services, and does not allow us to identify you as an individual.
Personal data is only collected if voluntarily given to us by you as part of a particular contract or when registering for our newsletter. We use the data you provide us with to fulfil and process your order. Upon the complete fulfilment of the contract, your information will be blocked and then deleted upon expiry of tax and commercial law retention periods, provided you have not expressly consented to the further use of your information. On registering for the newsletter your email address will be used for private advertising purposes, until you unsubscribe from the newsletter. You can unsubscribe at any time.
2. We will not share your personal information with third parties, unless
with your express prior consent, or unless
a third party informs us that the content (pictures, text) you have provided for our online offer violates their rights, meaning we are obliged to publish this data, for example due to a court or administrative order.
3. Your consent to receive our newsletter.
You have expressly granted the following consent(s) and we have logged the consent. According to the German Telemedia Act (TMG) we are obliged to keep the content of the consent ready to be called up at any time. This consent may be withdrawn at any time in the future.
Permission for email advertising. I want to subscribe to the newsletter (this can be cancelled at any time). On registering for the newsletter your email address will be used for private advertising purposes, until you unsubscribe from the newsletter. You can unsubscribe at any time.
Cookies are used on certain pages to encourage users to visit our website and to allow the use of certain functions. These are small text files that are stored on your computer. Most of the cookies we use are deleted from your hard drive at the end of the browser session (session cookies). Other cookies will remain on your computer and allow us to recognise you for your next visit (permanent cookies). Many Internet browsers have the default setting to allow cookies. You can deactivate the saving of cookies, or configure your browser so that cookies can be accepted or rejected manually.
5. Use of Facebook plug-ins:
Our website uses social plug-ins ('plug-ins') from the social networking site Facebook, which is run by Facebook Inc., 1601 S. California Ave, Palo Alto, CA 94304, USA ('Facebook'). The plug-ins can be identified by the Facebook logo or the caption 'Social plug-in from Facebook' or 'Facebook social plug-in'. You can find an overview of the Facebook plug-ins and what they look like here: http://developers.facebook.com/plugins
If you open a page on our website which contains one of these plug-ins, your browser will connect directly to the Facebook servers. The content of the plug-ins will be transferred from Facebook directly onto your browser and then integrated into the website.
By integrating the plug-in, Facebook will receive the information that your browser has opened that particular page on our website, even if you do not have a Facebook account or are not logged in to Facebook at that moment. This information (including your IP address) will be transferred from your browser directly to a server in the USA and saved there.
If you are logged in on Facebook, Facebook can directly match your visit to our website to your Facebook account. If you make any interaction with the plug-ins, by clicking the 'like' button or leaving a comment, for example, the information will be transferred to a Facebook server and saved there. The information will also be published on Facebook and on display to your Facebook friends.
Facebook is permitted to use this information for the purposes of advertising, market research and for designing or configuring Facebook web pages. For this purpose, Facebook creates profiles regarding usage, interests and relationships, e.g. to evaluate your use of our website with regard to the advertisements displayed to you on Facebook, to inform other Facebook users about your activities on our website and to provide further services linked to the use of Facebook.
You must log out of Facebook before visiting our website if you do not want Facebook to collect data about you from our website and assign it to your Facebook account.
6. Use of Facebook Connect.
We also offer you the opportunity to register for myhotelshop services via the Facebook Connect service using the information saved on your Facebook account. This will only result in a transfer of information from Facebook to us with your prior consent. A new user account with us will be created using the transferred information. The transfer of information to us is performed only once. There is no permanent link between the Facebook and myhotelshop accounts.
7. Use of Google '+1' buttons.
The +1-button from google.com is integrated into our websites, which is operated by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA ('Google'). The button is displayed as the coloured word/icon '+1'. When you open a website on which this button is implemented, your browser will connect directly to the Google servers. The button is transmitted from Google directly onto your browser, and from your browser it is displayed on our website.
8. Use of the Twitter plug-in.
We also use social plug-ins from the social networking site twitter.com, which is operated by Twitter Inc., 795 Folsom St., Suite 600, San Francisco CA 94107, USA ('Twitter'). The plug-ins are displayed with a Twitter logo. When you visit a page of our website that contains one of these plug-ins, your browser connects directly to the Twitter servers. Twitter sends the content of the plug-in directly to your browser, which then integrates it into the website.
9. Web analytics.
This website uses Google Analytics, a Web analysis service from Google Inc. ('Google'). Google Analytics uses 'cookies', text files that are saved on your computer and allow your use of the website to be analysed. The information about your use of the website which is generated by the cookie (including your IP address) is transferred to a Google server in the USA and saved there. Google will use this information to analyse your use of the website, to compile reports about website activities for the operators of the site, and to render further services connected to the use of websites and the Internet. Google will also relay this information to third parties to the extent that this is prescribed by statute or where third parties are contracted by Google.
Under no circumstances will Google link your IP address to other data retrieved by Google. You can prevent the installation of the cookies using a special setting of your browser software; however, in that case, please be aware that you might not be able to use all functions of this website to their full extent. The use of this website implies your express agreement to Google using the data collected from you in the way and for the purpose described above.
10. Right of objection.
You can object to the collection and saving of your data by Google Analytics at any time and with immediate effect for the future, e.g. by downloading a browser add-on for deactivating Google Analytics and installing it for your browser. You can find the deactivation add-on here: http://tools.google.com/dlpage/gaoptout?hl=de
11. Data protection.
We protect our website and other systems through technical and organisational measures against loss, destruction, access, modification or distribution of your data by unauthorised persons. Your customer account (if you have one) can only be accessed by entering your personal password. You should always ensure your login data remains confidential and close the browser window after you are finished communicating with us, especially when sharing use of the computer with others.
13. Right of access to information.
The Federal Data Protection Act states that you have the right to free information about your stored data at any time, as well as the right to correct, block or delete this information.
14. Contact partner for data protection.
For questions regarding the collection, processing and use of your personal information, concerning the disclosure, correction, blocking or deletion of data, or the revocation of granted consents, please contact us at firstname.lastname@example.org.
15. Use of Hotjar
For further details, please see the ‘about Hotjar’ section of Hotjar’s support site.
We use Matomo as a web analytics platform in order to analyse the behaviour of the website visitors to identify potential pitfalls (not-found pages, search engine indexing issues) and which contents are the most appreciated, and to improve the user-friendliness of our website. Once the data is processed (e.g. number of visitors reaching a not-found page), Matomo creates reports that allow us to take action, e.g. change the layout of the pages or publish new content.
We process the following data with Matomo: IP address (anonymized), location of the user, date and time, title of the page viewed, URL of the displayed page (Page URL), URL of the page that was viewed prior to the current page, screen resolution, time in local timezone, files that were clicked and downloaded, main language of the browser and the user agent of the browser.
The data received through Matomo are sent to us (myhotelshop) and our service provider (InnoCraft, 7 Waterloo Quay PO625, 6140 Wellington, New Zealand). Matomo data is hosted in Germany.
Matomo does not create profiles and observes the do-not-track setting of your browser.
If you would like us not to process personal data with Matomo when you visit our website, you can decide not to do so at any time. There are no consequences for the use of our website. You may object to the tracking of your personal data by using the following opt-out function:
By activating the check box above with a mouse click, a so-called opt-out cookie is set in your browser software, which in the future prevents Matomo from collecting your usage information on this website. If you delete the opt-out cookie from your browser software, in order to prevent Matomo from collecting the usage information of this website, you must set the opt-out cookie again by selecting the check box.
1. General Information
1.1 Provider of myhotelshop.de ("myhotelshop") is myhotelshop GmbH, Floßplatz 6, 04107 Leipzig ("Anbieter").
1.4 The user has no permanent right to use myhotelshop. A permanent availability of or access to this platform in particular are not an imperative requirement. Yet myhotelshop endeavors to facilitate uninterrupted usage of the platform and update the platform as to the users' requirements.
1.5 myhotelshop does not warrant completeness, accuracy and availability of the information provided by myhotelshop. Every user who encounters wrong or misleading information is asked to inform myhotelshop.
2. Usage of myhotelshop and implementation of the "virtual property rights"
2.1 myhotelshop can be used without registration. Some functions and services though can be used by registered members only.
2.2 It is the user's sole responsibility as to which content is being put on myhotelshop. He obligates himself to myhotelshop not to include illegal content.
2.3 The user may not send copious mails of the same content via myhotelshop. All kinds of spamming or similarly objectionable actions towards other users are prohibited.
2.4 Access to and usage of myhotelshop is executed individually via one web browser. The application of web spiders, crawlers or similar programs with the purpose of not only indexing the content but also extracting and saving large quantities of the platform's content is prohibited. Included are programs in particular that facilitate offers and services of a third party via so-called screen scraping.
3. User's Account
Users have the possibility to create an account for the usage of specific tools. The registration might also be carried out via an existing account on a social network, where the user is already registered.
4. Liability for a third party
4.1 The website also contains some links to a third party website whose content is not known to myhotelshop. myhotelshop merely procures the access to these websites and is not responsible for their content. The links to external websites are to facilitate their navigation. myhotelshop does not appropriate, but dissociates itself completely from all the content that is presented on the third party websites which are linked to this platform.
4.2 The owners of the websites, which are connected to this platform via a hyperlink, are solely responsible for their content as well as for their offered products.
5.1 The content offered by myhotelshop is protected by copyright. The usage of the content is subject to the effective copyright. This website may not be altered, copied, published, distributed or retained without the consent of myhotelshop. The material may exclusively be used for private and noncommercial purposes in strict consideration of the effective copyright.
6. Data Protection
More information concerning data protection and data security can be found in the data protection statement of myhotelshop.
7. Final Regulation
7.1 The General Terms and Conditions Act is based on the law of the Federal Republic of Germany.