Privacy Policy

General Information About the Processing of Your Data

We are legally obligated to inform you about the processing of your personal data (hereinafter "data") when using our website. This privacy notice informs you about the details of the processing of your data as well as your related legal rights. For terminology such as "personal data" or "processing," the legal definitions from Art. 4 GDPR are authoritative.

We reserve the right to adapt the privacy policy with effect for the future, especially in the case of further development of the website, when using new technologies, or changes to the legal basis or corresponding case law. We recommend that you read the privacy policy from time to time and keep a printout or copy for your records.

The privacy policy applies to all pages of www.zahc.de. It does not extend to any linked websites or internet presences from other providers.

The controller responsible for the processing of personal data within the scope of this privacy policy is:

Zsuzsanna Albrecht Hospitality Consulting

Katharina Ostermeier

Email: datenschutz@zahc.de

If you have any questions about data protection with regard to our company or our website, you can contact us using the contact details specified in the "Controller" section.

We have taken comprehensive technical and organizational precautions to protect your personal data from unauthorized access, misuse, loss, and other external disturbances. To this end, we regularly review our security measures and adapt them to the state of the art.

You have the following rights with regard to the personal data concerning you that you can assert against us:

• Right to information (Art. 15 GDPR): You can request information in accordance with Art. 15 GDPR about your personal data that we process.
• Right to rectification (Art. 16 GDPR): If the information concerning you is not (or no longer) accurate, you can request a correction in accordance with Art. 16 GDPR. If your data is incomplete, you can request completion.
• Right to erasure (Art. 17 GDPR): You can request the erasure of your personal data in accordance with Art. 17 GDPR.
• Right to restriction of processing (Art. 18 GDPR): You have the right in accordance with Art. 18 GDPR to request a restriction of the processing of your personal data.
• Right to object to processing (Art. 21 GDPR): You have the right, for reasons arising from your particular situation, to object at any time to the processing of your personal data that is carried out on the basis of Art. 6 para. 1 p. 1 lit. e) or lit. f) GDPR, in accordance with Art. 21 para. 1 GDPR. In this case, we will not continue to process your data unless we can demonstrate compelling legitimate grounds for processing that override your interests, rights, and freedoms. Further processing also takes place if the processing serves the assertion and exercise of or defense against legal claims (Art. 21 para. 1 GDPR). In addition, according to Art. 21 para. 2 GDPR, you have the right to object at any time to the processing of your personal data for direct marketing purposes; this also applies to profiling insofar as it is related to such direct marketing. We will inform you of the right to object in this privacy policy in connection with the respective processing.
• Right to data portability (Art. 20 GDPR): If you have given your consent for processing, you have a right of withdrawal in accordance with Art. 7 para. 3 GDPR.

You can assert your rights by contacting us using the contact details provided in the "Controller" section.

If you believe that the processing of your personal data violates data protection law, you also have the right under Art. 77 GDPR to lodge a complaint with a data protection supervisory authority of your choice. This includes the data protection supervisory authority responsible for the controller:

State Commissioner for Data Protection and Freedom of Information North Rhine-Westphalia, P.O. Box 200444, 40102 Düsseldorf or: Kavalleriestraße 2-4, 40213 Düsseldorf, Phone: 0211/38424-0, Email: poststelle@ldi.nrw.de, https://www.ldi.nrw.de.

You can generally use our website for purely informational purposes without disclosing your identity. When you access the individual pages of the website in this sense, only access data is transmitted to our webspace provider so that the website can be displayed to you. The following data is processed:

• Browser type/version
• Operating system used
• Language and version of the browser software
• Hostname of the accessing computer (IP address)
• Date and time of the server request
• Content of the request (specific webpage)
• Access status / HTTP status code
• Websites accessed via the website
• Referrer URL (the previously visited website)
• Report whether the request was successful and
• Amount of data transferred.

The temporary processing of this data is necessary to technically enable the process of a website visit. The access data is not used to identify individual users and is not combined with other data sources. The legal basis for the processing is Art. 6 para. 1 p. 1 lit. f) GDPR. Our legitimate interests lie in ensuring the functionality of the website as well as the integrity and security of the website. The access data is deleted as soon as it is no longer necessary for achieving the purpose of its processing. In the case of data collection for providing the website, this is the case when you end your visit to the website.

You can object to the processing. Your right to object exists for reasons arising from your particular situation. You can send us your objection via the contact details mentioned in the "Controller" section.

In addition to the aforementioned access data, technologies are used when using the website that store information in your end device (e.g., desktop PC, laptop, tablet, and smartphone) or access information that is already stored in your end device. These technologies may include, for example, cookies, pixels, LocalStorage, SessionStorage, IndexedDB, or browser fingerprinting technologies. These technologies can be used to recognize you across devices and websites.

According to § 25 para. 1 TTDSG, we generally need your consent to use these technologies. Such consent is only not required according to § 25 para. 2 TTDSG if the technologies either enable the transmission of a message via a public telecommunications network or if they are absolutely necessary to provide a telemedia service explicitly requested by you.

Some elements of our website serve the sole purpose of transmitting a message (§ 25 para. 2 no. 1 TTDSG) or are absolutely necessary to provide you with our website or individual functionalities of our website (§ 25 para. 2 no. 2 TTDSG). You can prevent processing by making appropriate settings in your browser software.

When contacting our company, e.g., by email, the personal data you provide will be processed by us to answer your inquiry. The legal basis for the processing is Art. 6 para. 1 p. 1 lit. f) GDPR or Art. 6 para. 1 p. 1 lit. b) GDPR if the contact aims at the conclusion of a contract. If the inquiry aims at a contract conclusion, providing your data is necessary and mandatory. If the data is not provided, contract conclusion or execution and the processing of the inquiry is not possible.

We delete the data accruing in this context after the processing is no longer necessary – usually two years after the end of the communication – or restrict the processing if necessary to comply with existing mandatory statutory retention obligations.

You can object to the processing. Your right to object exists for reasons arising from your particular situation. You can send us your objection via the contact details mentioned in the "Controller" section.

We process your personal data if and to the extent necessary for the initiation, establishment, execution, and/or termination of a legal transaction with our company. The legal basis for this results from Art. 6 para. 1 p. 1 lit. b) GDPR. The provision of your data is necessary for the conclusion of the contract, and you are contractually obligated to provide your data. If you do not provide your data, it is not possible to conclude and/or execute the contract.

After the purpose has been achieved (e.g., contract processing), the personal data is blocked for further processing or deleted, unless we are authorized to further process it based on consent you have given (e.g., consent to process the email address for sending electronic advertising), a contractual agreement, a legal authorization (e.g., authorization to send direct advertising), or based on legitimate interests (e.g., storage for asserting claims).

Your personal data will be passed on to third parties if

• it is necessary for the establishment, execution, or termination of legal transactions with our company (e.g., when passing on data to a payment service provider / shipping company to process a contract with you), (Art. 6 para. 1 p. 1 lit. b) GDPR), or
• a subcontractor or agent, whom we use exclusively within the scope of providing the offers or services requested by you, needs this data (such assistants are, unless you are expressly informed otherwise, only entitled to use the data to the extent necessary for the provision of the offer or service), or
• an enforceable official order exists (Art. 6 para. 1 p. 1 lit. c) GDPR), or
• an enforceable court order exists (Art. 6 para. 1 p. 1 lit. c) GDPR), or
• we are legally obligated to do so (Art. 6 para. 1 p. 1 lit. c) GDPR), or
• processing is necessary to protect vital interests of the data subject or another natural person (Art. 6 para. 1 p. 1 lit. d) GDPR), or
• it is necessary for the performance of our tasks according to Art. 6 para. 1 p. 1 lit. e) GDPR and the transfer is proportionate, or
• it is necessary to protect legitimate interests of our company or a third party and the interests or fundamental rights and freedoms of the data subject do not prevail (Art. 6 para. 1 p. 1 lit. f) GDPR).

Beyond this, we do not pass on your personal data to other persons, companies, or bodies unless you have effectively consented to such a transfer. The legal basis for the processing is then Art. 6 para. 1 p. 1 lit. a) GDPR. In the context of this privacy information, we inform you about the respective recipients with regard to the respective processing operation.

Feedback Surveys

Following the completion of our services, we would like to get your feedback. For this purpose, we process the email address you provided to send an email containing a link to the specific feedback survey. In this survey, we ask about your special wishes, technical information, and submit our offer for individual customer consultation.

We process your email address only to send the feedback email, and delete it after the purpose has been achieved unless we are authorized (e.g., due to a separate newsletter registration or similar) or obligated to further process it. The legal basis for the processing is your consent according to Art. 6 para. 1 p. 1 lit. a) GDPR.

You can revoke your consent to the processing of your email address for receiving feedback surveys at any time, either by directly clicking on the unsubscribe link in the sent email or by sending us a message via the contact details provided under "Controller". This does not affect the lawfulness of the processing that took place on the basis of the consent until the time of your revocation.

Feedback Service Provider

For creating and evaluating surveys, we use the online form service "Microsoft Forms" from Microsoft Corporation (One Microsoft Way, Redmond, WA 98052-6399, USA; hereinafter: "Microsoft" and "Microsoft Forms"). You can access the survey via a link that we sent to you by email. You will be redirected to a Microsoft page. Microsoft processes the data required to access the website, such as your IP address.

Microsoft also processes some of the data in the USA. There is no adequacy decision by the EU Commission for data transfer to the USA. So-called standard contractual clauses have been concluded with Microsoft to obligate Microsoft to an adequate level of data protection. You can obtain a copy of the standard contractual clauses by requesting at https://go.microsoft.com/fwlink/p/?linkid=2126612.

Further information on data protection and storage duration at Microsoft can be found at: https://www.microsoft.com/en-us/privacy/privacystatement.

The legal basis for the processing is Art. 6 para. 1 p. 1 lit. f) GDPR. Our legitimate interests in using a feedback service provider lie in optimizing the creation of feedback surveys.

You can object to the processing. Your right to object exists for reasons arising from your particular situation. You can send us your objection via the contact details mentioned in the "Controller" section.

We use external hosting services from the providers ALL-INKL.COM (Hauptstraße 68, 02742 Friedersdorf, Germany) and HubSpot Ireland Limited (One Dockland Central, Guild Street, Dublin 1, Ireland), which serve to provide the following services: infrastructure and platform services, computing capacity as well as website hosting and content management functions. For these purposes, all data – including the access data mentioned under "Use of Our Website" – is processed, which is necessary for the operation and use of our website.

The legal basis for the processing is Art. 6 para. 1 p. 1 lit. f) GDPR. By using external hosting services, we pursue an efficient and secure provision of our web offering.

You can object to the processing. Your right to object exists for reasons arising from your particular situation. You can send us your objection via the contact details mentioned in the "Controller" section.