DATA PROTECTION

PART I – General Information

The protection of your data is important to us. We will therefore only process your data within the limits of current data privacy laws and protect them using the latest technology. More information about the processing of your personal data and your rights in accordance with data privacy laws is provided below. You will find further information about the processing of your customer data at https://www.vilavitapannonia.at/de/ueber-uns/datenschutz.html.

1. Controller and data protection officer

Vila Vita Pannonia Betriebsgesellschaft mbH
Storchengasse 1
A-7152 Pamhagen
T +43 2175 2180 - 0
F +43 2175 2180 - 444
E info@vilavitapannonia.at

You can also contact our data protection officer at the address provided above, citing the reference "Data Protection Officer" or at datenschutz@vilavitapannonia.at.

2. General information about data processing and your rights

2.1. Data processed and their origin

We mainly process personal data that we have received or collected from the data subjects as part of the booking process or obtained from enquiries made via our website. Moreover, we also process personal data obtained from publicly accessible sources (e.g. the press, the Internet), in as far as this is required and permitted for marketing or customer service purposes. We also process personal data lawfully forwarded to us by other companies in the VILA VITA group (VILA VITA HOTEL and TOURISTIK GmbH, Hotel und Residenz Rosenpark GmbH, VILA VITA Marburg GmbH, VILA VITA Gastronomie- und Handelsgesellschaft mbH, Congresszentrum Marburg GmbH & Co. KG) or by third parties (e.g. information about criminal offences).

The personal data processed by us within this context consist of personal particulars (name, address and other contact data, date and place of birth, nationality), medical data relevant to the person's stay with us (e.g. severe disabilities or dietary requirements) and identification data (e.g. identity card data). In addition, data resulting from your orders placed with us may be collected (e.g. payment order), as well as data resulting from meeting our contractual obligations (e.g. accommodation agreement) and other data comparable to the categories mentioned.

2.2. Relevant legal basis for data processing

Where the legal basis is not explicitly mentioned in this Data Privacy Notice, the following legal basis applies. Where we have obtained your consent to data processing, Article 6 Paragraph 1 (a) and Article 7 of the GDPR serve as a legal basis for data processing. Where data processing takes place in order to provide our services and comply with contractual requirements, as well as to answer enquiries, Article 6 Paragraph 1 (b) of the GDPR will be the legal basis for data processing. Where data processing takes place in fulfilment of a legal obligation, Article 6 Paragraph 1 (c) of the GDPR is the legal basis. Examples are the fulfilment of the specifications of the Federal Registration Act (Bundesmeldegesetz), commercial archiving periods or to meet tax (archiving) obligations.

Where processing personal data is required to protect the legitimate interests of our company or a third party, we make use of Article 6 Paragraph 1 (f) of the GDPR as a legal basis. Legitimate interests particularly include the guarantee of IT security and IT operation, the institution of any legal claims and representation in legal disputes, advertising and marketing for the services and products provided by the VILA VITA Group, business management actions and the development of products and services, the prevention and detection of criminal offences, video monitoring to ensure adherence to house regulations and to collect evidence in the event of burglary or theft (also see Section 4 of the Federal Data Protection Act, [Bundesdatenschutzgesetz]), activities to ensure the safety of buildings and installations (e.g. access control), activities to implement house regulations as well as market and opinion surveys carried out by the aforementioned parties, where there has been no objection to direct marketing.

2.3. Your rights

You have the right to

  • access in accordance with Article 15 of the GDPR 
  • rectification in accordance with Article 16 of the GDPR
  • erasure in accordance with Article 17 of the GDPR
  • restriction of processing in accordance with Article 18 of the GDPR
  • data portability in accordance with Article 20 of the GDPR

The restrictions of Sections 34 and 35 of the GDPR apply to the rights to access and erasure. In addition, in accordance with Section 77 of the GDPR you have the right to submit a complaint to a data protection supervisory authority in accordance with Section 19 of the Federal Data Protection Act.

Any consent you grant us with regard to processing personal data may be withdrawn by you at any time with effect for the future.

2.4. Storage period

Where not otherwise stated in this Data Privacy Notice, personal data will only be stored for as long as necessary to fulfil the relevant purpose, or our contractual or legal obligations. We are subject to various storage and documentation obligations. These particularly result from the Commercial Code (Handelsgesetzbuch), the Fiscal Code (Abgabenordnung) and the Money-Laundering Act (Geldwäschegesetz). The periods stipulated in these cases may be up to 10 years.

2.5. Transfer of personal data

Where we forward personal data to other persons or companies, this will only take place on the basis of your consent, a legal permit, a legal obligation (e.g. to public offices and institutions such as supervisory or financial authorities) or on the basis of an agreement on order processing in terms of Article 28 of the GDPR. Other recipient categories may be found in this Data Privacy Notice.

2.6. Transfer of data to third countries

Processing of personal data outside the European Economic Area will only take place where a third country has been confirmed by the European Commission as having appropriate data privacy laws according to Articles 44 et seqq. of the GDPR or other appropriate guarantees regarding the protection of personal data.

2.7. Automatic decision-making

Some of your data will be automatically processed in order to evaluate certain personal aspects (profiling), for marketing and advertising purposes and to send you personalised advertisements by e-mail or post.

Legal and regulatory provisions for combating money laundering, the financing of terrorism and financial crime are also binding for us. Data analysis will also be carried out within this context.

3. Data privacy information for newsletter

Some of our websites permit you to subscribe to a free newsletter. Written subscription is also possible at some of our outlets. We use this newsletter to inform you about the VILA VITA Group and its products and services. If you would like to receive this newsletter, we require you to provide us with a valid e-mail address and information that allows us to verify that you are the owner of the e-mail address you have provided or that its owner agrees to receive the newsletter. No other data will be collected. These data will only be used to send the newsletters and will not be forwarded to any third parties outside the VILA VITA Group. When you subscribe to the newsletter, we will store the date of your application and your IP address if you should subscribe via a website. This storage will only be for the purposes of providing evidence in the event that a third party should make fraudulent use of an e-mail address and subscribe to the newsletter without the knowledge of the authorised person. However, we will only statistically evaluate reading behaviour to the extent that it can be determined whether the recipient has opened the newsletter and clicked on the links. This is a function that we only use to verify user activities and to be able to implement appropriate optimisations. The newsletter also contains a so-called "web beacon", a file that is downloaded from our server when opening the newsletter. Your consent to store the data, the e-mail address and its use to forward the newsletter can be withdrawn at any time. Such withdrawal can take place via a link in the newsletters themselves, on the website or by notifying the aforementioned contact persons.

4. Amendments

We reserve the right to amend this Data Privacy Notice with future effect.

 

PART II - Website use

1. More information about data processing for users of our websites

1.1. Cookies

Our websites make use of cookies. These are small data packages that are stored on the customer's terminal device. In addition to so-called session cookies, which are automatically deleted as soon as you log out or close the browser, so-called permanent cookies that recognise a repeat user are also used. These cookies are automatically deleted after a specified period.

It is possible to object to the placement of cookies at any time by changing your Internet browser settings. You can delete cookies already placed at any time. When you deactivate cookies, it is possible that not all our website functions will be fully utilisable. The legal basis for setting a cookie is to protect the aforementioned legitimate interests according to Article 6 Paragraph 1 (f) of the GDPR.

1.2. Collection of general data and compilation of protocol data

When you call up our website, general data and information are automatically collected and stored in a server protocol. The following data may be collected:

  • Information about the browser type and version
  • Information about the user's operating system
  • Information about the user's service provider
  • The Internet protocol address (IP address) of the user or the calling system
  • Date and time of access
  • The website via which you reached us (referrer URL)
  • Websites called up via our website by the user's system

Processing of these data is used to provide our websites, to guarantee the functionality of our IT systems and to optimise our website. Such data and information are always anonymously collected and are statistically evaluated by us with the aim of ensuring data privacy and data security. In these cases the log file data are always stored separately from other personal data we may have collected and are generally not forwarded to third parties. These data are automatically deleted on expiry of the specified period. The legal basis for temporary processing of the data is to protect the aforementioned legitimate interests according to Article 6 Paragraph 1 (f) of the GDPR.

1.3. Contact form and e-mail contact

Some of our websites provide a contact form and an e-mail address that enables you to contact us electronically, for example to make a booking. When you use one of these channels to contact us, the personal data you forward to us will be automatically stored. Storage and further processing of these data only serves the purpose of processing your contact request and subsequently making contact with you. They will never be forwarded to third parties outside the VILA VITA Group. The data forwarded by you will be deleted once the process is complete, provided that their deletion is not subject to any contractual or statutory storage periods. In such a case, the data for which storage is required will be deleted once the storage period expires. The legal basis for processing these data is Article 6 Paragraph 1 (f) of the GDPR.

1.4. Use of Google Analytics

Some of our websites use the analysis tool Google Analytics, a web analysis service of Google Inc., 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, USA. Web analysis involves the collection and evaluation of information about the behaviour of website users. This would include information about the website from which you reached us, the website sections you accessed and the length of time for which you viewed such sections. Cookies are used for this purpose. Cookies are text files that are placed and stored on a computer system via an Internet browser. The information collected by the cookie is transmitted to a server of Google Inc. in the USA. In addition to website use information, this also includes your IP address. However, we use Google Analytics with the supplement "AnonymizeIP". This means that your IP address will be truncated and anonymised by Google if you call up our website within a member state of the European Union or in other countries that are signatory states of the Agreement on the European Economic Area. The IP address transmitted will also not be combined with other Google data. The purpose of such data processing is to evaluate visitor flows and the use of the website by visitors. We have commissioned Google to compile online reports for us in this regard. We make use of the information thus collected to optimise our website. The legal basis for data processing is Section 15 Paragraph 3 of the Telemedia Act or Article 6 Paragraph 1 (f) of the GDPR. The aforementioned purposes are legitimate interests. The valid data privacy conditions and terms and conditions of Google Analytics may be found at https://www.google.com/analytics/terms/us.html and https://policies.google.com.

You can prevent the placement of cookies by our website at any time by making an appropriate setting in the Internet browser, thus permanently objecting to the placement of cookies. In addition, cookies already placed by Google can be deleted at any time via an Internet browser or other software program.
Furthermore you have the option of objecting to and preventing the collection of the data created by the cookie and related to the use of this website, as well as the processing of these data by Google. To do this, you must download and install a browser add-on. You will find the download here: https://tools.google.com/dlpage/gaoptout. The add-on prevents your data from being collected and processed in future.

1.5. Use of Google marketing services

Some of our websites use the marketing and remarketing services of Google Inc., 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, USA. The Google marketing services (including Google Adwords, Google Conversion Tracking, Google Optimize and Google Double Click) allow us to show more targeted advertisements for and on our website in order to present users with advertisements that are potentially in line with their interests.

When our and other websites using Google marketing services are called up, Google executes a code, incorporating so-called (re)marketing tags into the website. They are used to place a cookie on the user device (comparable technologies may be used instead of cookies), with the cookies being placed by various domains (including google.com, doubleclick.net, etc.) This file contains information about the websites the user has visited, the content he was interested in and the products he has clicked on. It also tracks technical information about the browser and operating system, referring websites, the duration of the visit and other information about how the online services are used. The user's IP address is recorded, but is truncated within the member states of the European Union or in other signatory states of the Agreement on the European Economic Area and will only be transferred to a Google server in the USA in full and truncated there in exceptional cases. The IP address is not combined with user data within other Google products.

The information above may also be combined with such information from other sources by Google. If the user subsequently visits other websites, he may be shown targeted advertising in accordance with his interests. User data are processed in pseudonymised form as part of Google's marketing services, i.e. without storing and processing the name or e-mail address of the users. This does not apply if a user explicitly permits Google to process the data without pseudonymisation. The information collected about the user by Google's marketing services is transmitted to Google and stored on Google's servers in the USA.

The Google marketing services we use also include the online advertising software Google AdWords. Each AdWords customer receives a so-called conversion cookie. The information obtained with the aid of cookies is used to compile conversion statistics for AdWords customers who have decided to make use of conversion tracking. AdWords customers are informed of the total number of users who have clicked on their advertisement and been transferred to a website equipped with a conversion tracking tag. However, they do not receive any information with which they could personally identify users.

The legal basis for data processing is Section 15 Paragraph 3 of the Telemedia Act or Article 6 Paragraph 1 (f) of the GDPR. The aforementioned purposes are legitimate interests. The valid data privacy conditions and terms and conditions of Google Marketing Services may be found at https://policies.google.com/technologies/ads.

You can prevent the placement of cookies by our website at any time by making an appropriate setting in the Internet browser, thus permanently objecting to the placement of cookies. In addition, cookies already placed by Google can be deleted at any time via an Internet browser or other software program.

If you wish to object to targeted advertising by Google Marketing Services, you can make use of the options provided by Google at http://www.google.com/ads/preferences.

2. Incorporation of third-party services and content (social plug-ins, etc.)

Some of our websites make use of the services and content of third-party providers. This particularly applies to so-called "social plug-ins", videos or fonts. This only takes place on the basis of our legitimate interest (Article 6 Paragraph 1 (f) of the GDPR) in the provision and dissemination of our content, in analysis, in optimisation and in the operation of our website. Our websites may thus incorporate the services and content of the following third-party providers:

  • Facebook, Inc., 1 Hacker Way, Menlo Park, CA 94025, USA (when personal data is processed, if a data subject lives outside the USA or Canada, then the controller is Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland)
  • Google Inc., 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, USA
  • YouTube, LLC, 901 Cherry Ave., San Bruno, CA 94066, USA
  • XING AG, Gänsemarkt 43 – 20354 Hamburg – Germany
  • Instagram LLC, 1 Hacker Way, Building 14 First Floor, Menlo Park, CA, USA
  • Twitter Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA
  • LinkedIn Corporation, 2029 Stierlin Court Mountain View, CA 94043, USA (for data privacy matters outside the USA: LinkedIn Ireland, Privacy Policy Issues, Wilton Plaza, Wilton Place, Dublin 2, Ireland)
  • Pinterest Inc., 808 Brannan St, San Francisco, CA 94103, USA

Where a website makes use of social plug-ins, we make use of the "Shariff" solution to protect your data. This means that social plug-ins will only be incorporated into our website as graphics. There will thus be no direct link to the website of the plug-in provider. When you click on an image, you will be taken directly to the relevant provider. Your data will only be forwarded to the provider at this stage. If you do not click on the image, no data will be exchanged with the providers of the incorporated social plug-ins. Additional information about the use of your data may be found in the terms and conditions and data privacy notices of the relevant providers. Information and advice about the Shariff solution used by us may be found here: http://www.heise.de/ct/artikel/Shariff-Social-Media-Buttons-mit-Datenschutz-2467514.html

Further data privacy information, and advice about the social plug-ins used by us, as well as the services of third-party providers:

2.1. Data privacy information for Facebook components

Some of our websites make use of the social plug-ins and components of the social network Facebook, Inc., 1 Hacker Way, Menlo Park, CA 94025, USA. If the data subject lives outside the USA or Canada, the controller is Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland

When you make use of Facebook plug-ins, your web browser establishes a direct link to the Facebook servers. The content of the plug-in is sent directly from Facebook to your browser and is integrated into the website by the browser. We thus have no influence on the range of data collected by Facebook with the aid of this plug-in and thus also no information about the data collected by Facebook. However, Facebook can find out that you have visited our website from your IP address when you make use of the plug-in. This is particularly the case if you are logged into your Facebook profile. Moreover, if you click on the Facebook "Like" button, you will link content from our website to your Facebook profile, allowing Facebook to assign your visit to our website to you. The same applies to other Facebook plug-ins we use.

An overview of all Facebook plug-ins may be found at https://developers.facebook.com/docs/plugins. You will find the Facebook data privacy policy at https://facebook.com/about/privacy/. This will provide you with additional information about the collection, processing and use of personal data by Facebook and the settings options offered by Facebook to protect your personal data.

2.2. Data privacy information for Google+1 button

Some of our websites use the Google+1 button of the social network Google+. This component is provided and operated by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, United States ("Google").

When you make use of the Google+1 button, your web browser establishes a direct link to the Google servers. The content of the plug-in is sent directly from Google to your browser and is integrated into the website by the browser. We thus have no influence on the range of data collected by Google with the aid of this plug-in and thus also no information about the data collected by Google. However, Google can find out that you have visited our website from your IP address when you make use of the plug-in. This is particularly the case if you are logged into Google+ with your Google+ profile. Moreover, if you click on the Google+1 button, you will link content from our website to your Google+ profile, allowing Google to assign your visit to our website to you. More detailed information about the Google+ button and the use of your data by Google may be found at https://developers.google.com/+/web/buttons-policy.

2.3. Data privacy information for YouTube videos

Videos from the YouTube Internet portal have been embedded into some of our websites. These videos are made available by YouTube, LLC, 901 Cherry Ave., San Bruno, CA 94066, USA (YouTube). YouTube, LLC is a subsidiary of Google Inc., 1600 Amphitheatre Pkwy, Mountain View, CA 94043- 1351, USA.

When you call up a website that incorporates a YouTube component or when you play an embedded video, your web browser establishes a direct link to the YouTube servers. The content is streamed directly to your browser by YouTube or downloaded and played. We have no influence on the range of data collected by YouTube during this process and thus also no information about the data collected by YouTube. However, YouTube can find out that you have visited our website from your IP address when you download the video. This is particularly the case if you are logged into YouTube with your YouTube profile. More detailed information about data privacy and the use of your data by YouTube may be found at http://www.google.de/intl/policies/privacy/.

2.4. Data privacy information for Instagram components

Some of our websites make use of plug-ins of the social network Instagram, e.g. the Insta button. These components are provided and operated by Instagram LLC, 1 Hacker Way, Building 14 First Floor, Menlo Park, CA, USA (Instagram).

When you make use of Instagram plug-ins, such as the Insta button, your web browser establishes a direct link to the Instagram servers. The content of the plug-in is sent directly from Instagram to your browser and is integrated into the website by the browser. We thus have no influence on the range of data collected by Instagram with the aid of this plug-in and thus also no information about the data collected by Instagram. However, Instagram can find out that you have visited our website from your IP address when you make use of the plug-in. This is particularly the case if you are logged into Instagram with your Instagram profile. Moreover, if you click on the Insta button, you will link content from our website to your Instagram profile, allowing Instagram to assign your visit to our website to you. More detailed information about the Insta button and other plug-ins of this provider, as well as the use of your data by Instagram, may be downloaded from https://help.instagram.com/155833707900388 and https://www.instagram.com/about/legal/privacy.

2.5. Data privacy information for LinkedIn plug-ins

Some of our websites use the LinkedIn plug-in of the social network LinkedIn. This component is provided and operated by the LinkedIn Corporation, 2029 Stierlin Court, Mountain View, CA 94043, United States (LinkedIn). LinkedIn Ireland, Privacy Policy Issues, Wilton Plaza, Wilton Place, Dublin 2, Ireland, is responsible for data privacy matters outside the USA.

When you make use of the LinkedIn button, your web browser establishes a direct link to the LinkedIn servers. The content of the plug-in is sent directly from LinkedIn to your browser and is integrated into the website by the browser. We thus have no influence on the range of data collected by LinkedIn with the aid of this plug-in and thus also no information about the data collected by LinkedIn. However, LinkedIn can find out that you have visited our website from your IP address when you make use of the plug-in. This is particularly the case if you are logged into LinkedIn with your LinkedIn profile. Moreover, if you click on the LinkedIn button, you will link content from our website to your LinkedIn profile, allowing LinkedIn to assign your visit to our website to you. More detailed information about the LinkedIn button and other plug-ins of this provider, as well as the use of your data by LinkedIn, may be downloaded from https://www.linkedin.com/legal/privacy-policy and https://www.linkedin.com/legal/cookie-policy.

2.6. Data privacy information for Twitter

Some of our websites make use of plug-ins and components of the microblogging service Twitter. These components are provided and operated by Twitter, Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA (Twitter).

When you make use of the Twitter button or Twitter components, your web browser establishes a direct link to the Twitter servers. The content of the plug-in or the component is sent directly from Twitter to your browser and is integrated into the website by the browser. We thus have no influence on the range of data collected by Twitter with the aid of this plug-in and thus also no information about the data collected by Twitter. However, Twitter can find out that you have visited our website from your IP address when you make use of the plug-in. This is particularly the case if you are logged into Twitter with your Twitter profile. By clicking on the Twitter button, you will link content from our website with your Twitter profile or transmit data and information to Twitter or other users of Twitter, with Twitter and other Twitter users being able to assign the visit to our website to you. More detailed information about the Twitter button and other plug-ins of this provider, as well as the use of your data by Twitter, may be downloaded from https://twitter.com/privacy and https://about.twitter.com/resources/buttons.

2.7. Data privacy information for the Xing Share button

Some of our websites use the Share button of the social network Xing. This component is provided and operated by XING SE, Dammtorstraße 30, 20354 Hamburg, Germany (Xing).

When you make use of the Share button, your web browser establishes a direct link to the Xing servers. The content of the plug-in or the component is sent directly from Xing to your browser and is integrated into the website by the browser. We thus have no influence on the range of data collected by Xing with the aid of this plug-in and thus also no information about the data collected by Xing. However, Xing can find out that you have visited our website from your IP address when you make use of the plug-in. This is particularly the case if you are logged into Xing with your Xing profile. Moreover, if you click on the Xing button, you will link content from our website to your Xing profile or transmit data and information to Xing, allowing Xing to assign your visit to our website to you. More detailed information about the Xing button and other plug-ins of this provider and the use of your data by LinkedIn can be downloaded from https://www.xing.com/privacy and https://www.xing.com/app/share?op=data protection.

2.8. Data privacy information for Google Maps and Google Fonts

Some of our websites make use of the map service "Google Maps" and the fonts of the "Google Webfonts" service of Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. We use the Google Maps API for the visual depiction and incorporation of geographical information on some websites. When Google Maps is used, Google also processes data about the use of the map functions. In addition, we use the font libraries of Google Webfonts. During this process, font libraries are transferred to the cache of your browser. If your browser settings do not permit this or if your browser does not support the fonts, written content is shown in a standard font. In order to transfer the font libraries to your cache, a connection to the service provider is automatically established.

Further information about data processing by Google may be found here: https://www.google.com/policies/privacy/.

2.9. Data privacy information for Pinterest components

Some of our websites use the plug-ins and components of the social network Pinterest. These components are provided and operated by Pinterest Inc., 808 Brannan St, San Francisco, CA 94103, USA.

When you make use of the Pin it button or Pinterest components, your web browser establishes a direct link to the Pinterest servers. The content of the plug-in or the component is sent directly from Pinterest to your browser and is integrated into the website by the browser. We thus have no influence on the range of data collected by Pinterest with the aid of this plug-in and thus also no information about the data collected by Pinterest. However, Pinterest can find out that you have visited our website from your IP address when you make use of the plug-in. This is particularly the case if you are logged into Pinterest with your Pinterest profile. By clicking on the Pin it button, you will link content from our website with your Pinterest profile or transmit data and information to Pinterest or other users of Pinterest, with Pinterest and other Pinterest users being able to assign the visit to our website to you. More detailed information about the Pin it button and other plug-ins of this provider and the use of your data by Pinterest can be downloaded from: http://pinterest.com/about/privacy/.


PART III – Employee information

1. Categories of personal data processed

We regularly process the following personal data: name, name affixes, (private) address, contact data (phone, mobile phone number, e-mail address), date and place of birth, age, gender, nationality, marital status, number of children, tax data, bank details, staff number, contractual data (e.g. salary information, working hours, allowances, lump-sum payments, years of experience, start and termination of employment dates), pension fund and tax identification numbers, time sheet data (including holidays, sick leave), driving licence data, social security data, navigation data, salary statement data, information about payments to savings schemes, education and qualification data, information about the guardians of employees who are minors, travelling expense claim data, travel logs, staff planning and management data, access control data, inventory information, data about phased return to work schemes, data about participation in events, information about authorisations and competencies, possibly images and the protocol data for the use of the IT systems. In some cases, special categories of personal data such as medical data may also be processed.

As an employee, you must provide the personal data that are required to justify, implement and terminate the employee relationship and to meet the associated contractual obligations or that we are legally obliged to collect. Without these data we will usually not be able to provide you with an employment contract.

2. Sources of personal data

We receive your personal data directly from you (e.g. during the recruitment process or during the employment period). In some cases your personal data will also be obtained from other sources, based on statutory requirements. This particularly includes event-related enquiries of tax-related information from the relevant tax office, as well as information about sick leave periods from the relevant medical insurance fund. We may also have received data from third parties (e.g. job centres). We also process personal data that we have legitimately obtained from publicly accessible sources (e.g. professional networks).

3. The purposes for which we process personal data and the legal basis for their processing

Based on your consent in accordance with Article 6, Paragraph 1 (a) of the GDPR, Article 7 of the GDPR in conjunction with Section 26 Paragraph 2 of the amended Federal Data Protection Act, we process your data for the purposes of external representation of the company (e.g. images on corporate websites), in internal, IT-supported communication systems (e.g. portrait images as avatars on internal communication platforms or e-mail clients).

To meet our contractual obligations in accordance with Article 6, Paragraph 1 (b) of the GDPR in conjunction with Section 26 Paragraph 1 of the amended Federal Data Protection Act, we process your data for the purposes of justifying, implementing and terminating the employment contract concluded with you, especially to record time worked, for time management and to work out your salary and travel expenses (including calculating and deducting social security contributions). In addition, collective bargaining agreements (group, general and local company agreements as well as collective agreements) in accordance with Article 88 Paragraph 1 of the GDPR in conjunction with Section 26 Paragraph 4 of the amended Federal Data Protection Act may be used as authorisation regulations in terms of data privacy laws.

Based on legal provisions in accordance with Article 6, Paragraph 1 (c) of the GDPR, we process your data to fulfil various legal obligations, especially the obligation to compile commercial and tax evidence in accordance with Section 257 of the Commercial Code (HGB), Section 147 of the Fiscal Code (AO) and Section 41 Paragraph 1 of the Income Tax Act (EStG), to process income tax data according to Section 39b of the Income Tax Act, to run working hour accounts according to Section 7d Paragraph 1 Sentence 1 of the Fifth Book of the Social Code Ordinance (SGB V), and to document overtime in accordance with Section 16 Paragraph 2 of the Working Hours Act (ArbZG) and occupational health and safety in accordance with Section 11 of the Occupational Safety Act (ArbSchG), to keep records in accordance with Section 17 of the Minimum Wage Act (MiLoG), to assess hazards according to Section 5 of the Occupational Safety Act and to document residence permits according to Section 18 of the Residence Permit Act (AufenthG).

Moreover, we may be obliged on the basis of the European Anti-Terrorism Directives 2580/2001 and 881/2002 to compare your data to the so-called "EU Terrorist Lists" to ensure that no money or other economic resources are being provided for the purposes of terrorism.

To weigh up interests to maintain the legitimate interests of the controller or a third party according to Article 6 Paragraph 1 (f) of the GDPR, we process your data for the purposes of staff planning, staff management, staff development, staff guidance and maintaining staff data, for internal communication, e.g. for the provision of address books, the organisation and implementation of internal company events and mandatory training, the provision and use of IT systems and IT-supported communication systems (telephone, e-mail, chats, video conferences), scheduling, taking stock of the IT systems and software provided, the maintenance of the legitimate interests of third parties (e.g. public authorities), the prevention and investigation of criminal offences in accordance with Section 26 Paragraph 1 Page 2 of the amended Federal Data Protection Act, guaranteeing IT security (including access and version control) and maintaining IT operations.

Additional information about special categories of personal data:
Where special categories of personal data are processed in accordance with Article 9 Paragraph 1 of the GDPR, this is done as part of the employment contract to exercise rights or to fulfil legal obligations arising from labour laws, social security laws and social protection laws (e.g. providing medical data to the medical insurance fund, recording severe disabilities for the purpose of calculating additional leave and determining the levy to be paid in compensation for a lack of workers with severe disabilities). This takes place on the basis of Article 9 Paragraph 2 (b) of the GDPR in conjunction with Section 26 Paragraph 3 of the amended Federal Data Protection Act. Moreover, it may be necessary to process medical data in order to evaluate your ability to work in accordance with Article 9 Paragraph 2 (h) in conjunction with Section 22 Paragraph 1 (b) of the amended Federal Data Protection Act.

In addition, the processing of special categories of personal data may be based on consent according to Article 9 Paragraph 2 (a) of the GDPR in conjunction with Section 26 Paragraph 2 of the amended Federal Data Protection Act (e.g. company health management).

If we should want to process your personal data for a purpose not mentioned above, we will inform you in advance.

4. Data recipients

Data recipients within our company are employees, departments, the workers' council or disability officer, who may require such data for processing for the aforementioned purposes. Within the VILA VITA Group, your data will be transmitted to certain companies where these companies undertake central data-processing tasks (e.g. salary statements, managing and processing the company old age pension, disposal of documents). In addition, the processors we use according to Article 28 of the GDPR and other service providers may receive data.

In certain cases we also provide data to public authorities and institutions (e.g. supervisory authorities, tax authorities, financial authorities, social insurance companies, registration offices) as well as to creditors, their representatives and third-party creditors in the event of wage and salary distraint, insolvency administrators in the event of individual insolvency, centres responsible for benefit payments and centres dealing with claims against the company's pension fund. These data will only be forwarded if this is permitted or required by statutory regulations, if you consent to this transmission or if, for other reasons, we are authorised to transmit such data.

5. Period for which personal data are stored

Personal data will only be stored for as long as necessary to fulfil the relevant purpose or to fulfil our contractual or legal obligations. We are subject to various storage and documentation obligations. These are based on the Commercial Code (HGB), the Tax Ordinance (AO), the Money-Laundering Act (GwG) and the Income Tax Act (EStG). The storage periods may be up to ten years. It may also happen that personal data are stored for the period in which claims can be filed against us (a statutory limit of between three and thirty years).

6. Transfer of data to third countries

Processing of personal data outside the European Economic Area (EEA) will only take place where a third country has been confirmed by the European Commission as having appropriate data privacy laws according to Article 44 et seqq. of the GDPR or other appropriate guarantees regarding the protection of personal data.

7. Your rights

You have the right to:

  • access in accordance with Article 15 of the GDPR
  • rectification in accordance with Article 16 of the GDPR
  • erasure in accordance with Article 17 of the GDPR
  • restriction of processing in accordance with Article 18 of the GDPR and
  • data portability in accordance with Article 20 of the GDPR

The restrictions of Sections 34 and 35 of the GDPR apply to the rights to access and erasure. In addition, in accordance with Section 77 of the GDPR you have the right to submit a complaint to a data privacy supervisory authority, in accordance with Section 19 of the Federal Data Protection Act.

Any consent you grant us with regard to processing personal data may be withdrawn by you at any time with effect for the future.

8. Automated individual decisions

In some areas we make use of automated decision-making procedures. However, there will be no fully automated decision-making in individual cases. If this should be the case in future, we will inform you separately.

Information about the right to object pursuant to Article 21 of the EU General Data Privacy Regulations (GDPR):

You have the right to object, on grounds relating to your particular situation, at any time to the processing of your personal data based on Article 6 Paragraph 1 (e) of the GDPR (data processing in the public interest) and Article 6 Paragraph 1 (f) of the GDPR (data processing based on the balance of interests); this also applies to profiling based on this regulation in accordance with Article 4 No. 4 of the General Data Protection Regulations.

In the event of an objection, we will no longer process your personal data, unless we demonstrate compelling legitimate grounds that outweigh your interests, rights and freedoms, or if such processing serves the purposes of establishing, exercising or defending legal claims. Your objection may be sent in any form to the address provided in 1.


PART IV – Information for applicants

Before you join our company and/or during the recruitment process, we will only process your personal data for the purposes and within the scope of the contractual relationship to be established.
1. Which personal data do we process?

We will first process the data you have sent to us in connection with your application.

2. For which purposes do we use these data?

We use these data to implement the application procedure. This takes place particularly to determine your suitability for the position you have applied for or to check for other vacancies within our company.

If we should offer you an employment contract, we will also store the data from your application in our staff information system.

3. What is the legal basis for data processing?

The legal basis for processing your personal data is Section 26 of the Federal Data Protection Act (BDSG). This legal basis permits us to process the data required for decision-making regarding your employment contract. Where data should be required for legal proceedings resulting from the conclusion of the recruitment process, such data processing will take place on the basis of legitimate interests in accordance with Article 6 Paragraph 1 (f) of the GDPR. Our legitimate interest in further processing will then include the establishment and defence of claims.

4. How long do we store the data?

Application data will be deleted 6 months after the application procedure is concluded, unless you have explicitly consented to a longer storage period.

5. To whom do we forward the data?

Your data will only be accessed by the parties who require these data to implement the application procedure. This includes staff of the human resources department of the VILA VITA Group. The staff will review and process your application on receipt thereof. Moreover, the departmental head responsible for the relevant position will have access to your application data.

6. Where are the data processed?

Application data are always processed in computer centres within the Federal Republic of Germany or the European Economic Area. Processing of personal data outside the European Economic Area (EEA) will only take place where a third country has been confirmed by the European Commission as having appropriate data privacy laws according to Article 44 and following of the GDPR or other appropriate guarantees regarding the protection of personal data.

7. What are my rights?

You have the right to:

  • access in accordance with Article 15 of the GDPR
  • rectification in accordance with Article 16 of the GDPR
  • erasure in accordance with Article 17 of the GDPR
  • restriction of processing in accordance with Article 18 of the GDPR and
  • data portability in accordance with Article 20 of the GDPR

The restrictions of Sections 34 and 35 of the GDPR apply to the rights to access and erasure. In addition, in accordance with Section 77 of the GDPR you have the right to submit a complaint to a data privacy supervisory authority in accordance with Section 19 of the Federal Data Protection Act.

You also have the right to object to processing within the limits of statutory regulations.

8. Is there automated decision-making in individual cases?

There will be no automated decision-making in connection with your application.