Privacy Policy and Principles of Data Processing

We take the protection of your personal data very seriously. With this notice, we inform you in accordance with the General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG) about how we process personal data of guests, prospects, contractual partners, suppliers, applicants, and other business partners.

The type and scope of data processed depend primarily on the services requested or agreed upon. The purpose of this information is to give you a comprehensive overview of processing activities and your rights.

1. Controller

The controller responsible for data processing is the respective company of our hotel and gastronomy business:

Cosmopolitan Hotelbetriebs GmbH
Schützenstraße 11
80335 München

Hotel Excelsior München GmbH & Co. KG
Schützenstraße 11
80335 München

Further information about our company, authorized representatives, and additional contact options can be found in the imprint of our website.

https://www.excelsior-hotel.de/impressum
https://www.schwabinger-wahrheit.de/impressum
https://www.geisel-privathotels.de/beyond/impressum
https://www.geisel-privathotels.de/vinothek/impressum

2. Data Protection Officer

You can reach our Data Protection Officer here:

Data Protection Officer

Geisel Privathotels
Schützenstraße 11
80335 München
datenschutz@geisel-privathotels.de

3. Purposes and Legal Basis of Processing
We process personal data in accordance with the provisions of the GDPR and the BDSG.

a) Hotel Guests
To fulfill accommodation contracts, we process data for bookings, stays, billing, and the legally required registration form (§ 29 ff. BMG). The legal basis is Art. 6 (1) lit. b and lit. c GDPR.
We also store a guest history (previous stays, preferences) based on our legitimate interest (Art. 6 (1) lit. f GDPR) in order to provide you with personalized service.
Marketing and direct advertising are carried out only with your consent or where legitimate interests exist (Art. 6 (1) lit. a and f GDPR). Newsletters are sent only after prior registration (Art. 6 (1) lit. a GDPR).
In connection with restaurant reservations via online tools, we process your data to perform the contract (Art. 6 (1) lit. b GDPR). After your stay, we may invite you to provide a voluntary review (Art. 6 (1) lit. f GDPR).
Part of the data is exchanged between affiliated hotels within our group to optimize capacity and customer service (Art. 6 (1) lit. f GDPR).
Health data, such as allergies or food intolerances, are processed only on the basis of your explicit consent (Art. 6 (1) lit. a GDPR).

b) Business Partners (Customers, Suppliers, Service Providers)
We process personal data of business partners as far as necessary for the initiation, execution, or handling of contractual and business relationships. This includes master data (e.g., name, company, position), contact data, contractual and billing data, as well as communication data.
The legal bases are Art. 6 (1) lit. b GDPR (contract performance), Art. 6 (1) lit. c GDPR (legal obligation), and Art. 6 (1) lit. f GDPR (legitimate interest, e.g., documentation or IT security).

c) Applicants
Data in the application process is processed to decide on the establishment of an employment relationship (§ 26 BDSG, Art. 6 (1) lit. b GDPR).
If no employment is offered, we delete your data after 6 months. If included in our applicant pool, the data will be stored for a maximum of 2 years. In the event of employment, the application data will be transferred to the HR information system.
Legal bases are § 26 BDSG and Art. 6 (1) lit. f GDPR (defense of legal claims).

4. Categories of Personal Data
We process in particular:
- Master data (name, address, date of birth, nationality, company, position)
- Contact data (telephone number, e-mail address, postal address)
- Contract and stay data (bookings, restaurant reservations, special requests)
- Payment and billing data (bank details, credit card details, invoices)
- Communication data (correspondence, newsletters, reviews)
- Applicant data (CV, qualifications, references)
- Special categories of personal data (health data such as allergies), only on the basis of your consent

5. Sources of Data
We usually receive the data directly from you, and in the case of business partners also via their contact persons. In some cases, data may be provided by third parties if necessary for contract processing.

6. Recipients
Your data is shared within our organization only with departments that need it (e.g., reception, administration, accounting, marketing, HR).
External recipients may include:
- IT and software service providers
- Payment service providers, banks, tax advisors
- Public authorities where legally required (e.g., tax authorities, police, supervisory authorities)
- Transport companies, event organizers, or other partners in the context of contract performance
- Hotels within our group of companies
Processing by processors is carried out on the basis of Art. 28 GDPR.

7. Transfer to Third Countries
A transfer to countries outside the EU/EEA takes place only if necessary for contract performance or if you have given your consent. In such cases, appropriate safeguards (e.g., EU Standard Contractual Clauses) ensure an adequate level of data protection.

8. Duration of Storage
We store your personal data for as long as necessary for the purposes for which it was collected. Contractual and billing data are subject to statutory retention periods (6–10 years). Applicant data is deleted within 6 months after rejection, or after 2 years if included in the applicant pool.
Guest history and marketing data are stored until you object or withdraw your consent, unless longer statutory retention periods apply.

9. Your Rights
Under the GDPR you have in particular the following rights:
- Right of access (Art. 15 GDPR)
- Right to rectification (Art. 16 GDPR)
- Right to erasure (Art. 17 GDPR)
- Right to restriction of processing (Art. 18 GDPR)
- Right to data portability (Art. 20 GDPR)
- Right to object (Art. 21 GDPR)
- Right to withdraw consent (Art. 7 GDPR)
You can exercise these rights at any time using the contact details provided in section 1. You also have the right to lodge a complaint with a supervisory authority (Art. 77 GDPR).

10. Obligation to Provide Data
The provision of certain data is legally required (e.g., registration form). Without the provision of necessary data, contracts or business relationships cannot be concluded.

11. Video Surveillance
In certain areas of our hotel (e.g., entrances, lobby, underground parking, corridors) we use video surveillance. It serves to protect guests, employees, and property as well as to investigate criminal acts.
Legal bases: Art. 6 (1) lit. f GDPR (legitimate interest), in individual cases also Art. 6 (1) lit. c GDPR (legal obligation).
Storage period: Generally a maximum of 72 hours, longer only in the event of security incidents. Recipients are internal security officers and, if necessary, law enforcement authorities. On-site notices inform you about the video surveillance.

12. Data Processing in the Gastronomy Sector
For restaurant reservations, we store your data in our booking systems or transfer it to service providers. This serves to fulfill the contract (Art. 6 (1) lit. b GDPR) and our legitimate interest (Art. 6 (1) lit. f GDPR) in offering high-quality service.
Data on allergies or food intolerances is processed only with your consent (Art. 6 (1) lit. a GDPR).

13. Joint Controllership within the Group of Companies
Within our group of companies (e.g., affiliated hotels), personal data is jointly processed pursuant to Art. 26 GDPR to improve our services. This enables us, for example, to offer alternative room options within partner hotels in the event of full occupancy without you having to provide your data again.