Dear guests, what data do we collect during your visit or through your use of our website and how do we handle data that is generated when you use our digital services? We would like to answer these and other questions in this privacy policy.
As a company under private law based in Berlin, our online services are subject to the provisions of the European General Data Protection Regulation (GDPR), the supplementary Federal Data Protection Act as amended in 2018 (BDSG n.F.), the Telemedia Act (TMG) and the Act on Data Protection and Privacy in Telecommunications and Telemedia (TTDSG).
We have taken extensive technical and organizational measures and concluded corresponding contracts to ensure that both we and our external service providers comply with data protection regulations and requirements.
1. responsible body
The controller pursuant to Art. 4(7) GDPR is
PATIO Betriebs UG (haftungsbeschränkt)
Kirchstraße 13a / Helgoländer Ufer
10577 Berlin
Phone: +49 30 4030 1700
Email: info@patio-berlin.de
2. data protection officer
According to §38 BDSG n.F., we are currently not obliged to appoint a data protection officer. Nevertheless, in order to ensure that we comply with data protection regulations and requirements, we carry out data protection training at regular intervals and have our processes reviewed by means of external data protection audits.
For comments, suggestions, questions or to assert your rights, you can contact us at any time at the following e-mail address:
3. responsible supervisory authority
The supervisory authority responsible for us is the
Berlin Commissioner for Data Protection and Freedom of Information
Alt-Moabit 59-61
10555 Berlin
Entrance: Alt-Moabit 60
Phone: +49 30 13889-0
Fax: +49 30 2155050
mailbox@datenschutz-berlin.de
If you have the impression that we are not handling your personal data correctly, you have the right to contact the above-mentioned authority.
4. data collection via our online offers
How do we collect your personal data?
Other data is collected automatically or with your consent by our IT systems when you visit the website. This is primarily technical data (e.g. internet browser, operating system or time of page view).
This data is collected automatically as soon as you access our online offering in your browser.Your personal data will not be merged with other data sources.
You provide us with your data yourself. This is done, for example, by filling out and sending a contact form or by sending us an e-mail.
Why and to what right do we collect your data?
We store and process personal data that you send us as part of a job application in your interest.
The legal basis for this is Article 6(1)(b) or Article 6(1)(f) of the GDPR.We only store and process personal data that you send us in the context of a complaint, comment or for any other reason if it is in our legitimate interests or those of a third party.
The legal basis for this is Article 6(1)(f) of the GDPR.We store and process personal data that is automatically collected by our IT systems
to improve our online offering (see section Technical → Analysis tools). The data stored and processed here is anonymized according to the state of the art and does not allow any conclusions to be drawn about your person.
to protect our IT systems from attacks
The legal basis for this is Article 6(1)(f) of the GDPR
We store and process personal data that you provide to us as part of a reservation, reservation inquiry or a general inquiry in order to be able to fulfil a contract concluded with you or to carry out pre-contractual measures.
The legal basis for this is Article 6(1)(b) of the GDPR.
If you provide us with medical data, e.g. food allergies, we also store and process this data.
The legal basis for this is Article 6(1)(d) of the GDPR.
Is your data analyzed automatically (profiling)
We do not use any automated decision-making or profiling.
Will your data be passed on?
Your data will not be passed on to third parties within the meaning of the GDPR unless we are obliged to do so by other regulations and laws (e.g. tax laws) or are compelled to do so in the exercise of official authority.
We work with various service providers as part of our business activities. In doing so, it is necessary for us to pass on personal data or for the service providers to gain access to your personal data. We select our service providers with due care and have concluded data processing agreements with all of them.
What rights do you have in relation to your personal data?
You have the right to receive information about the origin, recipient and purpose of your stored personal data free of charge at any time. You also have the right to request the correction or deletion of this data. If you have given your consent to data processing, you can revoke this consent at any time for the future. You also have the right to request the restriction of the processing of your personal data under certain circumstances. You also have the right to lodge a complaint with the competent supervisory authority.
You can find more detailed information on your rights in relation to your personal data in the "Your rights" section.
How long do we store and process your personal data?
Unless a more specific storage period has been specified in this privacy policy, your personal data will remain with us until the purpose for data processing no longer applies.
If you assert a justified request for deletion or revoke your consent to data processing, your data will be deleted unless we have other legally permissible reasons for storing your personal data (e.g. retention periods under tax or commercial law)
In the latter case, your data will be deleted once these reasons no longer apply.
5. technical
Encrypted data transmission
In order to prevent your personal data and confidential content from being read or even intercepted by third parties during transmission, our online services only allow encrypted data transmissions. The SSL and TLS encryption methods are used here.
You can recognize an encrypted connection when your browser displays a padlock in the address bar. If the lock is crossed out in red or says "not secure", the connection is not encrypted and you should not transfer any data for security reasons.
Cookies
Our Internet pages use so-called "cookies". Cookies are small data packets and do not cause any damage to your end device. They are stored on your device either temporarily for the duration of a session (session cookies) or permanently (permanent cookies). Session cookies are automatically deleted at the end of your visit. Permanent cookies remain stored on your end device until you delete them yourself or they are automatically deleted by your web browser.
Cookies may originate from us (first-party cookies) or from third-party companies (so-called third-party cookies). Third-party cookies enable the integration of certain services from third-party companies within websites (e.g. cookies for processing payment services).
Cookies have various functions. Many cookies are technically necessary, as certain website functions would not work without them (e.g. the shopping cart function or the display of videos). Other cookies can be used to evaluate user behavior or for advertising purposes.
Cookies that are required to carry out the electronic communication process, to provide certain functions that you have requested (e.g. for the shopping cart function) or to optimize the website (e.g. cookies to measure the web audience) (necessary cookies) are stored on the basis of §25 para.2 TTDGS and Article 6 para. 1 lit. f of the GDPR.
The website operator has a legitimate interest in the storage of necessary cookies for the technically error-free and optimized provision of its services. If consent to the storage of cookies and comparable recognition technologies has been requested, the processing is carried out exclusively on the basis of this consent (Art. 6 para. 1 lit. a GDPR and § 25 para. 1 TTDSG); the consent can be revoked at any time.
You can set your browser so that you are informed about the setting of cookies and only allow cookies in individual cases, exclude the acceptance of cookies for certain cases or in general and activate the automatic deletion of cookies when closing the browser. If cookies are deactivated, the functionality of this website may be restricted.
You can see which cookies are used on this website in an overview at the end of this privacy policy.
Analysis tools
We use the Matomo tool to optimize our online content. The open source tool is installed locally and stores data locally on our server.
Your personal data will only be stored if you have consented to this in the cookie consent banner.
You can revoke this consent at any time - with effect for the future. To do so, simply click on the "Open cookie settings" button at the end of this privacy policy and deactivate "Statistics".
With the help of this tool, we are able to collect and analyze data about the use of our website by website visitors. This enables us to find out, among other things, when which pages were accessed and from which region. We also record various log files (e.g. pseudonymized IP address, referrer, browser and operating system used) and can measure whether our website visitors perform certain actions (e.g. clicks, reservations, etc.).
This analysis tool is used on the basis of Article 6(1)(1) of the GDPR. The website operator has a legitimate interest in analyzing user behavior in order to optimize both its online offerings and its advertising.
Server log files
The host of the pages automatically collects and stores information in so-called server log files, which your browser automatically transmits to us. These are
- Browser type and browser version
- Operating system used
- Referrer URL
- Host name of the accessing computer
- Time of the server request
- IP address
This data is not merged with other data sources.
Our online services are hosted by Mittwald CM Service GmbH & Co KG in Germany.
We have concluded an order processing agreement with Mittwald. Mittwald is subject to German data protection law. You can find more information on the Mittwald website: https://www.mittwald.de/datenschutz
This data is collected on the basis of Art. 6 para. 1 lit. f GDPR. The website operator has a legitimate interest in the technically error-free presentation and optimization of its website - the server log files must be recorded for this purpose.
6. your rights
Withdrawal of your consent to data processing
Many data processing operations are only possible with your express consent. You can withdraw your consent at any time. The legality of the data processing carried out until the revocation remains unaffected by the revocation.
Right to object to data collection in special cases and to direct advertising (Art. 21 GDPR)
If data processing is carried out on the basis of Article 6(1)(e) or (f) of the GDPR, you have the right to object to the processing of your personal data at any time for reasons arising from your particular situation; this also applies to profiling based on these provisions. The respective legal basis on which processing is based can be found in this privacy policy. If you lodge an objection,
We will no longer process your personal data concerned unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defense of legal claims (objection under Article 21 (1) of the GDPR).
If your personal data are processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing. If you object, your personal data will subsequently no longer be used for the purpose of direct marketing (objection pursuant to Article 21 (2) of the GDPR).
Right to lodge a complaint with the competent supervisory authority
In the event of infringements of the GDPR, data subjects have the right to lodge a complaint with a supervisory authority, in particular in the Member State of their habitual residence, place of work or place of the alleged infringement. The right to lodge a complaint is without prejudice to any other administrative or judicial remedy.
Right to data portability
You have the right to have data that we process automatically on the basis of your consent or in fulfillment of a contract handed over to you or to a third party in a common, machine-readable format. If you request the direct transfer of the data to another controller, this will only take place if it is technically feasible.
Information, correction and deletion
Within the framework of the applicable legal provisions, you have the right to free information about your stored personal data, its origin and recipients and the purpose of the data processing and, if applicable, a right to correction or deletion of this data at any time. You can contact us at any time with regard to this and other questions on the subject of personal data.
Right to restriction of processing
You have the right to request the restriction of the processing of your personal data. You can contact us at any time to do this. The right to restriction of processing exists in the following cases:
- If you dispute the accuracy of your personal data stored by us, we generally need time to verify this. For the duration of the review, you have the right to request that the processing of your personal data be restricted.
- If the processing of your personal data was/is unlawful, you can request the restriction of data processing instead of erasure.
- If we no longer need your personal data, but you need it for the exercise, defense or assertion of legal claims, you have the right to request the restriction of the processing of your personal data instead of its erasure.
- If you have lodged an objection in accordance with Art. 21 para. 1 GDPR, a balance must be struck between your interests and ours. As long as it has not yet been determined whose interests prevail, you have the right to request the restriction of the processing of your personal data.
If you have restricted the processing of your personal data, this data - apart from its storage - may only be processed with your consent or for the establishment, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the European Union or of a Member State.
7. definitions
In our privacy policy, we use terms that are used and defined in the GDPR. We would like to explain the most important terms so that you know what they mean.
Personal data
Personal data is any information relating to an identified or identifiable natural person (hereinafter "data subject"). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g. IP address or cookies) or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Processing
Processing is any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means. This basically includes any handling of personal data such as collection, storage, modification, use, transmission, dissemination, erasure or destruction, etc.
Controller
The controller is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. The controller must ensure the permissibility of data processing through the use of technical and organizational measures that are regularly reviewed.
Pseudonymization
Pseudonymization is the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
Processor
A processor is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Recipient
A recipient is a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients.
Third party
A third party is a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorized to process personal data.
Consent
Consent is an expression of self-determination under data protection law. It is the voluntary, informed and unambiguous expression of will in the form of a statement or other unambiguous affirmative act by which the data subject indicates that they consent to the processing of their personal data. Consent that has been given can be withdrawn at any time.
Data subject
This is you. If your personal data is processed, you are the data subject within the meaning of the GDPR.
Data processing agreement
This is a contract prescribed by data protection law that ensures that the processor processes personal data provided to it or to which it has access only in accordance with our instructions and in compliance with the GDPR.