Sorat HotelsDE

Data protection

Book Best Price

Data protection information

This privacy policy clarifies users about the nature, scope and purpose of the collection and use of personal data of the website by the responsible provider, the SORAT Hotel Verwaltungs GmbH. Website or internet presence shall mean, below, all pages of the responsible provider at www.sorat-hotels.com and and search.sorat-hotels.com/srh. For our booking websites beginning with bookings.travelclick.com/... the data protection declaration stored there applies. Current status of this privacy policy is März 2024.


I. Name and address of the responsible body

The responsible within the meaning of the general data protection regulation and other national data protection laws of the member states as well as other data protection regulations is the:


II. Name and contact details of the data protection supervisor

The designated privacy officer is:


III. General information about data processing

1. Scope of processing of personal data

In principle, we process personal data of our users only to the extent necessary to provide a functioning website and our content and services. The processing of personal data of our users takes place regularly only with the consent of the user. An exception applies to cases in which prior consent can not be obtained for reasons of fact and the processing of the data is permitted by law.

2. Legal basis for processing of personal data

Insofar as we obtain the consent of the data subject for processing of personal data, article 6 (1) (a) EU general data protection regulation [GDPR] constitutes the legal basis. In the processing of personal data necessary for the performance of a contract of which the data subject is a party, article 6 (1) (b) GDPR constitutes the legal basis. This also applies to processing operations required to carry out pre-contractual actions. Insofar as the processing of personal data is required to fulfill a legal obligation that is subject to our company, article 6 (1) (c) GDPR constitutes the legal basis. In the event that vital interests of the data subject or another natural person require the processing of personal data, article 6 (1) (d) GDPR constitutes the legal basis. If processing is necessary to safeguard the legitimate interests of our company or a third party, and if the interests, fundamental rights and freedoms of the data subject do not prevail over the first interest, article 6 (1) (f) GDPR constitutes the legal basis for processing.

3. Data deletion and storage duration

The personal data of the data subject will be deleted or blocked as soon as the purpose of the storage is deleted. In addition, such storage may be provided for by the European or national legislator in EU regulations, laws or other regulations to which the controller is subject. Blocking or deletion of the data also takes place when a storage period prescribed by the standards mentioned expires, unless there is a need for further storage of the data for conclusion of a contract or fulfillment of the contract.

IV. Website providing and creating log files

1. Description and scope of data processing

Each time our website is accessed, our system automatically collects data and information from the computer system of the calling computer. The following data is collected here:

  • Information about the browser type and version
  • Operating system of the user
  • Internet service provider of the user
  • IP address of the user
  • Date and time of access
  • Websites from which the system of the user reaches our website
  • Website accessed by the user's system through our website
  • Volume of data transferred when calling up our website

The log files contain IP addresses or other data that allow an assignment to a user. This could be the case, for example, if the link to the website from which the user accesses the website or the link to the website to which the user is switching contains personal data. The data is also stored in the log files of our system. A storage of this data together with other personal data of the user does not take place.

2. Legal basis for data processing

Legal basis for the temporary storage of data and log files is article 6 (1) (f) GDPR.

3. Purpose of data processing

The temporary storage of the IP address by the system is necessary to allow delivery of the website to the computer of the user. To do this, the user's IP address must be kept for the duration of the session. Storage in log files is done to ensure the functionality of the website. In addition, the data is used to optimize the website and to ensure the security of our information technology systems. An evaluation of the data for marketing purposes does not take place in this Kontext. The purposes mentioned also include our legitimate interests in data processing within the meaning of article 6 (1) (f) GDPR.

4. Duration of data storage

The data will be deleted as soon as it is no longer necessary for the purpose of its collection. In the case of collecting the data for providing the website, this is the case when the respective session is completed. In the case of storing the data in log files, this is the case after no more than seven days. An additional storage is possible. In this case, the IP addresses of the users are deleted or alienated, so that an assignment of the calling client is no longer possible.

5. Opposition and disposal possibility

Data capture for providing the website and the storage of the data in log files is essential for the operation of the website. There is consequently no contradiction on the part of the user.

V. Use of cookies

1. Description and scope of data processing

We use cookies on our website. Cookies are text files that are stored in the internet browser or in the internet browser on the computer system of the user. If a user calls up a website, a cookie can be stored on the user's operating system. This cookie contains a characteristic string that allows the browser to be uniquely identified when the website is reopened. We use cookies to make our website more user-friendly. Some elements of our website require that the calling browser be identified even after a page break. The following data is stored and transmitted in the cookies:

  • Information cookie note
  • Screen resolution
  • Log-in information
2. Legal basis for data processing

Article 6 (1) (f) GDPR provides the legal basis for the processing of personal data by deploying cookies. The legal basis for the processing of personal data by using technically necessary cookies is article 6 (1) (f) GDPR. The legal basis for the processing of personal data by using cookies for analysis purposes is the consent of the user article 6 (1) (f) GDPR.

3. Purpose of data processing

The purpose of using technically necessary cookies is to simplify the use of websites for users. Some features of our website can not be offered without the use of cookies. For these, it is necessary that the browser is recognized even after a page break. We require cookies for the following applications:

  • Information cookie note
  • Screen resolution
  • Log-in information

The user data collected through technically necessary cookies will not be used to create user profiles. For these purposes, our legitimate interest in the processing of personal data pursuant to article 6 (1) (f) GDPR.

4. Duration of data storage, opposition and disposal possibility

Cookies are stored on the computer of the user and transmitted by the computer of the user to our side. Therefore, as a user, you have full control over the use of cookies. By changing the settings in your internet browser, you can disable or restrict the transmission of cookies. Already saved cookies can be deleted at any time. This can also be done automatically. If cookies are disabled for our website, it may lead to impaired functionality of the website, either fully or in part.

5. Supplementary information

In addition to the cookie information provided above we inform here about the cookie policy used by the company Travelclick Inc. on the SORAT Hotels website and reservation platforms of the hotels:

 Clickstream marketing tracking cookie: This is a cookie dropped on hotel websites and the booking engines [that are receiving clickstream marketing services] to track marketing email click-throughs and to optionally tag known end users who made specific page visits and for remarketing to booking abandonments. This cookie expires after one year.

 Media cookie: These are cookies that are dropped on a Customer’s website through a tag manager implementation. This tag is generated through the advertising platforms used for the applicable media network, e.g., Google. These cookies contain information about the users’ browser such aspreferences, browser type, location, IP and language. This information is used to deliver advertisements to the user on other websites within a media network. Depending on the settings of the advertising campaign and the strategy in place, the cookie duration might vary from 2 to 45 days. After this period, the cookie expires.

Meta cookie: These are cookies dropped on end user’s browser to track attribution of a booking on a meta site such as Kayak. These cookies contain information related to the booking. For example, search cookies collect check-in date, check-out date, purchase currency, hotel property, # rooms, Property ID, # of travelers). Once an end user hits a pixel (i.e. search pixel) that has been placed on a webpage, a cookie is dropped on the browser of that end user.

 Performance cookies: These cookies are used to monitor the use of our website. They help Travelclick and us understand how people are interacting with our website. Examples Google Analytics (_ga, _gid, _gat, _gac, __utmX):

- _ga [expiration time: 2 years] - used to distinguish users
- _gid [expiration time: 24 hours] - used to distinguish users
- _gat [expiration time: 1 minute] - used to throttle request rate
- _gac_<property-id> [expiration time: 90 days] - contains campaign related information for the user, if we have linked our Google Analytics and AdWords accounts, AdWords website conversion tags will read this cookie unless you opt-out
- _utma [expiration time: 2 years from set/update] - used to distinguish users and sessions
- _utmt [expiration time: 10 minutes] - used to throttle request rate
- _utma [expiration time: 2 years from set/update] - used to distinguish users and sessions
- _utmt [expiration time: 10 minutes] - used to throttle request rate
- _utmb [expiration time: 30 mins from set/update] - used to determine new sessions and visits
- __utmz [expiration time: 6 months from set/update] - stores the traffic source or campaign that explains how the user reached our site
- __utmv [expiration time: 2 years from set/update] - used to store visitor-level custom variable data
- Hotjar
- Piwik

Advertising and third-party cookies: These cookies are used by Travelclick and third parties to show other content that is relevant to the visitor’s interest, and to measure the effectiveness of online marketing campaigns on your site. Examples: Google DoubleClick, Google Maps, AddThis, Triptease, SaleCycle. If you do not want your personal information to be used or transferred to third parties for their own marketing purposes, you may send an email to privacypolicy@travelclick.com. You can also adjust your internet browser settings to refuse cookies. However, some Travelclick features and services may not operate properly or as quickly if your cookies are disabled. The legal basis for tracking cookies is the protection of legitimate interests in accordance with article 6 (1) (a) GDPR. To find out more about cookies, visit www.aboutcookies.org and the Travelclick privacy policy. More about how Google processes personal information is found in the Google privacy and terms.

VI. Interest-based ads

1. Description and scope of data processing

Many web services collect user data in order to sell it without asking users. We do not use such third party trackers and we do not use your user information for advertising purposes in order to promote our website or our other products or services, and the products and services of third parties.

VII. Newsletter and press mailing list

1. Description and scope of data processing

On our website you can subscribe to a free newsletter as well as weekly lunchnews of Parduin restaurant in Brandenburg or to register for our press mailing list. For these applications, we use the so-called double-opt-in procedure. This means that after your regastration we will send you an e-mail to the e-mail address specified in which we ask you to confirm that you wish to receive the newsletter. If you do not confirm your registration within 24 hours, your information will be blocked and automatically deleted after one month. When registering for the newsletter, the data from the input mask will be sent to us. The data from the input mask are transmitted to us when registering for the newsletter. We collect the user's e-mail address as a mandatory entry. Other information: salutation, first name, name, address, travel region, favorite hotel, interests, age are optional. This information will only be transmitted when the fields are completed. In addition, the following data is collected when registering for the newsletter or press distribution list:

  • Information about the browser type and version
  • Operating system of the user
  • IP address of the user
  • Date and time of access
  • Language setting

For the processing of the data, your consent is obtained during the registration process and reference is made to this privacy policy. We generally do not transmit your data to third parties in connection with the processing of data for the sending of newsletters or press releases. The data will be used exclusively for sending the newsletter or the press release.

2. Legal basis for processing of personal data

In the presence of a consent of the user article 6 (1) (a) GDPR provides the legal basis for the processing of personal data by registration for our newsletter or press mailing list.

3. Purpose of data processing

The collection of the e-mail address of the user serves to deliver the newsletter or the press release. The collection of other personal data in the context of the registration process serves to prevent misuse of the services or the used email address.

4. Duration of data storage

The data will be deleted as soon as it is no longer necessary for the purpose of its collection. The e-mail address of the user is therefore stored as long as the subscription to the newsletter or the press distribution list is active. The other personal data collected during the registration process will normally be deleted after a period of seven days.

5. Opposition and disposal possibility

The subscription to the newsletter or press mailing list may be terminated at any time by the concerned user. For this purpose, a corresponding link can be found in every newsletter or in every press release. This also allows a revocation of the consent to the storage of the personal data collected during the registration process.

VIII. Newsletter tracking

1. Description and scope of data processing

The term tracking is understood in the network as the collection and evaluation of user behavior. We point out that we evaluate your user behavior when sending the newsletter. We send our newsletters via phpList and can determine if a newsletter message has been opened and which links have been clicked. With the phpList the dispatch of newsletters can be organized and analyzed. For this evaluation, the e-mails sent include so-called web beacons or tracking pixels that represent one-pixel image files stored on our website. For the evaluations, we link the data mentioned in VI point three and the web beacons with your e-mail address and an individual ID. The data are collected exclusively pseudonymised, so the IDs are not linked to your other personal data, a direct personal reference is not excluded. In addition, the following data is collected when opening the newsletter:

  • Information about the browser type and version
  • Operating system of the user
  • IP address of the user
  • Date and time of access
  • Language setting
  • Email address
  • Clicks on links inside the e-mail

We generally do not transmit your data to third parties in connection with the data processing for the tracking. The data will be used exclusively for tracking.

2. Legal basis for processing of personal data

Legal basis for the tracking of data is article 6 (1) (a) GDPR in the protection of legitimste interests. Furthermore, the legal basis for the processing of this data, which is necessary for the fulfilment of newsletter sending, is article 6 (1) (a) GDPR. The fulfillment of newsletter sending is given when registering.

3. Purpose of data processing

With the purpose of data processing we aim at the statistical evaluation possibility. For this purpose, we record both the openings of the e-mail as well as the internal clicks in order to track users' click paths and to minimize abandonment rates. This information is used to measure the success of our newsletter marketing and to make the content of future newsletters more exciting and relevant. In addition, the analysis gives us hints for the programming, search engine optimization and design of the booking processes on our website.

4. Duration of data storage

We store your data only during the subscription to the newsletter as well as to avoid contradictions in the receipt of the newsletter. In case of cancellation from our newsletter service, we store the data purely statistically and anonymously.

5. Opposition and disposal possibility

As a recipient, you have the option to object to this form of data collection at any time. If you do not want an analysis by phpList, you have to unsubscribe from the newsletter. For this purpose, we provide a link in every newsletter message. Furthermore, you can unsubscribe from the newsletter directly on the website.

IX. Registration

1. Description and scope of data processing

Our website offers users the option to register by entering personal data. As part of this process, the data is entered into an input screen, transmitted to us, and saved. We do not share data with third parties.

a] Registration for My SORAT travel agent account for online bookings

If you are travel agent and if you want to use our travel agent service on our Linoweb online reservation system, you need to register for a My SORAT travel agent account. In the event of registration for a My SORAT travel agent account, the personal data you provide for the purpose of processing reservations and statistical evaluation purposes will be stored and used. Personal data from your registration will also be stored and used for quality management and in case of registration for our newsletter or bonus program. All other data requested, such as the billing address and information about the means of payment, are voluntary and must not be left. The use and processing of the data takes place exclusively in the specified manner. The following personal data is collected as part of this registration process:

  • Username or Email
  • Password
  • Travel agency
  • IATA number
  • Prefix, first name and family name
  • Function
  • Post address
  • Country
  • Phone

Furthermore, following personal data is stored at the time of the registration process:

  • Information about the browser type and version
  • Operating system of the user
  • IP address of the user
  • Date and time of access
  • Language setting

b] Registration for a membership in the SORAT loyalty program

In the event of registration for a membership in our SORAT loyalty program, the personal data you provide for the purpose of processing reservations and statistical evaluation purposes will be stored and used. Personal data from your registration will also be stored and used for quality management, for sending the bonus point statement of account via e-mail, for our bonus program e-mail newsletter as greeting cards by letter post [for example birthday]. All other data requested, such as the billing address and information about the means of payment, are voluntary and must not be left. The use and processing of the data takes place exclusively in the specified manner. The following personal data is collected as part of this registration process:

  • Email
  • Prefix, first name and family name
  • Post address

Furthermore, following personal data is stored at the time of the registration process:

  • Information about the browser type and version
  • Operating system of the user
  • IP address of the user
  • Date and time of access
  • Language setting

For the processing of the data, your consent is obtained during all above-mentioned registration processes and reference is made to this privacy policy.

2. Legal basis for processing of personal data

Legal basis for the storage of data is article 6 (1) (a) GDPR in the presence of the consent of the user. Furthermore, the legal basis for the processing of this data, which is necessary for the fulfilment of a contract or for the implementation of pre-contractual measures, is article 6 (1) (b) GDPR. The fulfillment of a contract is given for example when making a reservation.

3. Purpose of data processing

User registration is required to make available certain content and services on our website. In addition, a registration of the user is necessary to fulfilling a contract, this also applies to processing which is required to carry out pre-contractual measures. In the case of an travel agent account for room reservations at travel agent rates. In the case of registration of the loyalty program managing member registration, for room reservations at bonus rates for members, premium redemptions as well as sending the bonus newsletter with information on the status of the bonus point account by email, sending greeting cards by letter post. In the case of a registration for a My SORAT account for faster processing of the booking process.

4. Duration of data storage

The data will be deleted as soon as it is no longer necessary for the purpose of its collection.

5. Opposition and disposal possibility

As a user, you have the option of canceling the registration at any time. You can change the data stored about you at any time. You can delete your My SORAT account at any time, unsubscribe from service offers and revoke your consent at any time. To delete, log in to our Linoweb reservation page with your user data. If you do not use your account for more than two years, the account will be deactivated. To activate, send an e-mail to our support. The bonus membership in the SORAT loyalty program can be terminated at any time in accordance with the conditions of participation. The cancellation of the bonus membership requires the written form. If the data is required to fulfill a contract or to carry out pre-contractual measures, premature deletion of the data is only possible, unless contractual or legal obligations preclude deletion.

X. Contact forms and email contact

1. Description and scope of data processing

On our website, there are various contact forms which can be used to contact us electronically. If a user uses this option, the data entered in the input screen shall be transferred to us and stored. This data includes:

a] Contact form for table reservations

  • Email
  • First name and family name
  • Phone
  • Date of the restaurant visit
  • Alternative date
  • Time of the restaurant visit
  • Number of guests
  • Wishes and notes
  • Declaration of consent

b] Contact form for applications

  • Hotel name
  • Job opportunity
  • First name and family name
  • Email
  • Phone
  • Post address
  • Country
  • Application letter
  • Digital attachments like references, report cards
  • Salary expectations
  • Starting date
  • Declaration of consent

c] Contact form for travel offers

  • Prefix
  • First name and family name
  • Email
  • Phone
  • Post address
  • Country
  • Special selection
  • Travel date
  • Way of confirmation
  • Hotel prospekt
  • Declaration of consent

d] Contact form for convention requests and specials

  • Conference package
  • Company
  • Department
  • Prefix
  • First name and family name
  • Email
  • Phone
  • Post address
  • Country
  • Type of event
  • Number of persons
  • Date and time
  • Alternative date
  • Number of rooms
  • Seating style
  • Conference technology
  • Special requirements
  • Food service
  • Overnight stay number of rooms
  • Arrival day and departure day
  • Offer requested until
  • Option date requested until
  • Social programme
  • Wishes
  • Declaration of consent

e] Contact form for Christmas parties

  • Company
  • Prefix
  • First name and family name
  • Email
  • Phone
  • Post address
  • Country
  • Number of persons
  • Date and time
  • Alternative date
  • Offer requested until
  • Christmas party special
  • Culinary informationen
  • Social programme
  • Wishes
  • Declaration of consent

f] Contact form for hotel review

  • Travel date
  • Room details
  • Review details
  • Description of experience
  • Booking information
  • Sort of trip
  • Age
  • Name
  • Email
  • Recommendation
  • Publication on homepage
  • Declaration of consent

g] Contact form for hotel brochure ordering

  • Prefix
  • First name and family name
  • Company
  • Department
  • Post address
  • Country
  • Email
  • Phone
  • Hotel brochure selection
  • Remarks
  • Declaration of consent

h] Contact form for suite or apartment booking requests

  • Travel date
  • Number of persons
  • Alternative date
  • Prefix
  • First name and family name
  • Post address
  • Country
  • Email
  • Phone
  • Preferred contact type
  • Declaration of consent

i] Contact form for ordering award vouchers

  • Bonus membership number
  • Prefix
  • First name and family name
  • Email
  • Hotel
  • Declaration of consent

j] Contact form for events

  • Hotel name
  • Type of event
  • Prefix
  • First name and family name
  • Email
  • Phone
  • Post address
  • Country
  • Number of persons
  • Date and time
  • Alternative date
  • Number of rooms
  • Arrival day and departure day
  • Offer requested until
  • Option date requested until
  • Wishes
  • Declaration of consent

k] Contact form for event or catering request

  • Type of event
  • Number of persons
  • Date and time
  • Alternative date
  • Wishes
  • Prefix
  • First name and family name
  • Email
  • Phone
  • Post address
  • Country
  • Declaration of consent

Furthermore, following personal data is stored at the time by sending a contact form:

  • Information about the browser type and version
  • Operating system of the user
  • IP address of the user
  • Date and time of access

For the processing of the data, your consent is obtained during the registration process and reference is made to this privacy policy. Alternatively, you can also contact us on the email addresses provided. In this case, the user’s personal data which is transferred with the email is stored. Data is not disclosed to third parties in this regard insofar as it is unnecessary for direct processing of the request. The data is only used for processing the conversation.

2. Legal basis for data processing

Legal basis for data processing, provided that the user has given their consent to this effect, is article 6 (1) (a) GDPR. The legal basis for processing data transferred in the course of sending an email is article 6 (1) (f) GDPR. If you have contacted us by email with the aim of concluding a contract, article 6 (1) (b) GDPR forms an additional legal basis.

3. Purpose of data processing

We process personal data from the input screen for the purpose of processing contact and – provided that the visitor has given their express consent to this effect. If the user makes contact by e-mail, there is also a required legitimate interest in data processing. The other personal data processed during the sending process is used to prevent misuse of the contact form and to ensure the security of our IT systems.

4. Duration of data storage

The data shall be deleted as soon as it is no longer required to achieve the purpose for which it was collected. For the personal data from the contact form’s input screen and the data sent by email, this is the case when the respective conversation with the user has ended. The conversation is ended when the circumstances indicate that the situation concerned has been conclusively clarified and the user has no further interest. Furthermore, following personal data is stored at the time by sending a contact form:

  • Information about the browser type and version
  • Operating system of the user
  • IP address of the user
  • Date and time of access

The data will be deleted after a period of seven days.

5. Opposition and disposal possibility

You have the opportunity to revoke your consent to the processing of your personal data at any time. If you contact us by e-mail, you may object to the storage of your personal data at any time. In such a case, the conversation can not continue. If you would like to revoke your consent to data processing either in whole or in part, please send this revocation to the SORAT Hotel Verwaltungs GmbH, contact data provided above. The use of your above rights is free of charge for you. All personal data stored during the course of contact is deleted in this case.

XI. Contact management sales department and other Business partners

1. Description and scope of data processing

On our website, there is a contact form for contact confirmation which can be used for the electronic approval of other business partners and their data processing after transferring a business card to our sales department or responsible hotel staff. If a user realizes this possibility, the indicated data on the business card and voluntarily transferred data will be transferred to us and stored in our sales database. This data includes [if available]:

a] Business card

  • Title
  • Präfix
  • First name and family name
  • Company
  • Department
  • Position
  • Post address
  • Email
  • Phone
  • Fax
  • Website

b] Additional data requested to the Business card

  • Date of birthday
  • Interesses
  • Wishes
  • Notes

c] Consent form to a] and b]

  • Title
  • Prefix
  • First name and family name
  • Email
  • Declaration of consent

Furthermore, following personal data is stored at the time by sending a contact form:

  • Information about the browser type and version
  • Operating system of the user
  • IP address of the user
  • Date and time of access
2. Legal basis for data processing

Legal basis for data processing, provided that the user has given their consent to this effect, is article 6 (1) (a) GDPR and is article 6 (1) (f) GDPR. Furthermore, the legal basis for the processing of this data, which is necessary for the fulfilment of a contract or for the implementation of pre-contractual measures, is article 6 (1) (b) GDPR. The fulfillment of a contract is given for example when making a reservation or contract for meetings.

3. Purpose of data processing

The purpose and interest in processing lies in administration, tendering and contracting, financial accounting, office organization, data archiving, updating of contract data, which is necessary for the maintenance of the continuing business, performing our duties and providing our services, and contacting by phone, email, letter post or fax, for customer care and service such as sending greetings cards to birthdays, holidays and other festive occasions, for marketing as for invitation cards by letter or electronically to hotel events [such as roadshows, openings] and to send mailings by email and for market research.

4. Duration of data storage

The data will be deleted as soon as it is no longer necessary for the purpose of its collection.

5. Opposition and disposal possibility

You have the opportunity to revoke your consent to the processing of your personal data at any time. If you contact us by e-mail, you may object to the storage of your personal data at any time. In such a case, the conversation can not continue. If you would like to revoke your consent to data processing either in whole or in part, please send this revocation to the SORAT Hotel Verwaltungs GmbH, contact data provided above. The use of your above rights is free of charge for you. All personal data stored during the course of contact is deleted in this case.

XII. Transferring personal data to third parties

1. Online booking on this website

In order to be able to make your reservations and orders and to offer you, as a guest and visitor of SORAT Hotels and Partners of SORAT Hotels, high service standards and quality of service, we will pass on your data to the respective SORAT Hotel and Partner of SORAT Hotels. If you use our offer through our website and make a booking, the booking information is passed on to the external operator of the internet booking machine Travelclick, Incorporated, 55 W 46th St 27th floor, New York, NY 10036, EE. UU. The legal basis for the processing is article 6 (1) (1) (b) GDPR. For more information, please see Travelclick’s perspective on GDPR. The transmission of your personal data between your computer or mobile device and our server is always encrypted by using Secure Sockets Layer [SSL]. We have taken technical and organisational measures to protect your personal data, in particular against accidental or intentional manipulation, loss, destruction or access by unauthorised persons. These security measures are continually updated in line with technological developments. By entering your personal data, you give us permission to save it and use it for settlement processes within the booking process. For this purpose, we refer you to this privacy policy by means of a checkbox and via another checkbox you agree that we will pass on your data to the respective booked SORAT Hotel or Partner of SORAT Hotels. To process your booking, we work together with the payment service providers. Certain personal data are forwarded to these service providers, see section XIII.

2. Online reviews for quality management

For the purposes of hotel evaluation by hotel guests and quality management, we have integrated on the hotel websites of the SORAT Hotels in Berlin, Brandenburg, Cottbus and Regensburg, the hotel rating software of the company Customer Alliance. We have a contract with the CA Customer Alliance GmbH - Headquarter Germany, Ullsteinstraße 130, Tower B, DE 12109 Berlin for data processing. We and Customer Alliance fully implement the strict requirements of the German data protection authorities when providing and using the Customer Alliance hotel software. Former guests can leave an anonymous review after check-out at our hotel. For this we will send you an e-mail after departure to ask you for a hotel review. You have the right to object to the use or not to carry out the hotel evaluation at any time. Customer Alliance has committed itself to the privacy-oriented handling of your transmitted data. It takes all technical and organizational measures to protect your data. For this purpose, we refer you to this privacy policy by means of a checkbox and via another checkbox you agree that we also pass on your data to Customer Alliance. All checkboxes must be activated for sending. Otherwise, a reservation and order is not possible. We provide the following data to Customer Alliance: title, first name, surname, arrival and departure dates as well as your e-mail address. The legal basis for the transfer of data to Customer Alliance is your consent according to article 6 (1) lit. a GDPR. For more information about Customer Alliance privacy policy, please visit www.customer-alliance.com/en/privacy-policy. After your departure, you will receive an e-mail from from the SORAT Hotels and Partners of SORAT Hotels in Nuremberg, Duesseldorf, Duisburg, Hof with a link to our website with the request to submit a hotel review. Your data will be processed on the SORAT Hotels web server. Your data will not be sold, rented or otherwise made available to third parties. Customer Alliance as well as Sorat Hotels will be deleted your data after three months. Transfers of personal data to state institutions and authorities are only possible within the framework of mandatory national legislation.

3. Further transferring personal data to third parties

Any further disclosure of your personal data to third parties will not take place, unless you have expressly consented to a transfer of personal data separately or we have reasonable grounds that oblige us to do so by court order or by law. Your data will not be sold, rented or otherwise made available to third parties. Transfers of personal data to state institutions and authorities are only possible within the framework of mandatory national legislation.

XIII. External payment service providers

1. Elavon and Cybersource

You can pay online with credit cards as well as by phone or by e-mail with credit card via Pay By Link or MOTO transaction. The payment is processed via the payment service provider Elavon Financial Services DAC, Office Germany, Lyoner Straße 36, DE 60528 Frankfurt am Main as well as the payment gateway of the Cybersource Corporation, Inc. 900 Metro Center Blvd, Foster City, CA 94404, USA – with which our technology provider Travelclick has signed a contract. In this context, in addition to the purchase amount and date, card data is also transmitted to the above-mentioned companies. Your credit card details will be checked and approved for payment during the check-out process by Elavon and Cybersource. The details are required to complete the transactions and we receive information with confirmation or negative disclosure of the payment. The entered data will be processed and stored by the payment service providers. The data may be transmitted by the payment service providers to credit reporting agencies. This transmission aims at the identity and credit check. In this context, we refer to the Elavon privacy statement as well as the Cybersource statement. We also refer to these for further information and assertion of rights of revocation, information and other data subjects. We use the services in our legitimate interest - according to article 6 (1) (b) GDPR, the legal basis for data processing is article 6 (1) (f) GDPR. We set the payment service providers to offer our users effective and secure payment options and in the context of the fulfillment of contracts on the basis of article 6 (1) (b) GDPR.

2. Paypal

If paying using the payment service provider PayPal, you will be redirected to the website of this payment service provider, PayPal [Europe] S.à.r.l. et Cie, S.C.A.., 22-24 Boulevard Royal, L-2449 Luxembourg. The personal data you enter are encrypted before being transmitted to PayPal. It typically includes your name, your address, your telephone number, your IP address, your e-mail address, and other information required for order handling and your specific order. The legal basis for the data forwarding is Article 6 (1) (b) of the GDPR. PayPal is the controller responsible for processing your personal data. If required for the purpose of completing the order, PayPal may also disclose data to third parties. PayPal will also transmit personal data to credit agencies, e.g. SCHUFA, in order to establish your identity and creditworthiness. More information on how PayPal processes data and information regading credit agencies can be found at the PayPal privacy statement. You can object to this processing of your data at any time by notifying PayPal. PayPal may, however, still be entitled to process your personal data if this is necessary for payment processing under the contract.

XIV. Captcha

1. Use of the captcha function

We use the Captcha risk analysis technology to detect bots, for example when entering data in online forms. The behavioral information provided by users, for example mouse movements or queries, is evaluated in order to be able to differentiate between people and bots. We do not work with any service provider, but with our own solution using our TYPO3 content management system. The captcha codes are loaded from our own server at Hetzner Online GmbH, Industriestraße 25, 91710 Gunzenhausen, Germany. When using this function, in addition to the code, information on the time of use, browser and your IP address are saved. The data collected and stored in this process is only used to distinguish between people and bots. The data are then used to track and, if necessary, block the IP address of the author, but not to identify the author. The legal basis for its use is lawfulness of processing article 6 (1) (f) GDPR, because there is a legitimate interest in protecting this website from bots and spam.

XV. Secure data transfer

1. SSL encryption

We use SSL encryption, Secure Sockets Layer on our website and on the Travelclick online booking engines for security reasons. This protects transmitted data and can not be read by third parties. You can see that the protocol label in the status bar of the browser changes from http: // to https: // and that a symbol in the form of a closed lock is visible there.

XVI. Web analysis services

1. Google Analytics privacy statement

This website uses Google Analytics, a web analytics service provided by Google Ireland Limited [Google], a company registered and operated under Irish law with registration number 368047 and located at Gordon House, Barrow Street, Dublin 4, Ireland. Google Analytics uses so-called cookies. These are text files that are stored on your computer and that allow an analysis of the use of the website by you. The information generated by the cookie about your use of this website is usually transmitted to a Google server in the USA and stored there. Google Analytics cookies are stored based on article 6 (1) (a) GDPR and the legal basis for data processing with Google Analytics is article 6 (1) (a) GDPR. Consequently, these cookies may only be activated if prior consent has been obtained via the cookie banner. The website operator has a legitimate interest in analyzing user behavior and to optimize its website. Following data is being transmitted:

  • Information about the browser type and version
  • Operating system of the user
  • Referrer URL - previously visited page
  • IP address of the user
  • Date and time of access

IP anonymization: We have activated the IP anonymization feature on this website. Your IP address will be shortened by Google within the European Union or other parties to the Agreement on the European Economic Area prior to transmission to the United States. Only in exceptional cases is the full IP address sent to a Google server in the US and shortened there. Google will use this information on behalf of the operator of this website to evaluate your use of the website, to compile reports on website activity, and to provide other services regarding website activity and Internet usage for the website operator. The IP address transmitted by your browser as part of Google Analytics will not be merged with any other data held by Google. You can prevent these cookies being stored by selecting the appropriate settings in your browser. However, we wish to point out that doing so may mean you will not be able to enjoy the full functionality of this website. You can also prevent the data generated by cookies about your use of the website [incl. your IP address] from being passed to Google, and the processing of these data by Google, by downloading and installing the browser plugin available at the following link: Google tool. You can prevent the collection of your data by Google Analytics by clicking on the following link: Disable Google Analytics. An opt-out cookie will be set to prevent your data from being collected on future visits to this site. For more information about how Google Analytics handles user data, see Google's privacy policy: Google support or Google settings or Google developers. We have entered into an agreement with Google for the outsourcing of our data processing and fully implement the strict requirements of the German data protection authorities when using Google Analytics. For more information, please refer to the Google privacy policy.

2. Google Tag Manager information

This website uses the Google Tag Manager, a service provided by Google Ireland Limited [Google], a company registered and operated under Irish law with registration number 368047 and located at Gordon House, Barrow Street, Dublin 4, Ireland. This service allows website tags to be managed through an interface. The Google Tool Manager only implements tags. This means that no cookies are used and no personal data is collected. The Google Tool Manager triggers other tags, which in turn collect data if necessary. However, the Google Tag Manager does not access this data. If a deactivation has been made at domain or cookie level, it remains valid for all tracking tags if they are implemented with the Google Tag Manager. Transfer to third countries are possible. As an appropriate safeguard we have agreed on standard contractual clauses pursuant to article 6 (1) (a) GDPR. More information on this topic is published here: ec.europa.eu.

XVII. Social networks, plugins, links, button

1. Social networks offer

We offer online offers on various social media platforms such as Facebook in order to provide information there and to be able to contact you. Here we are usually responsible together with the operator of the platform within the meaning of article 26 GDPR. We have no influence on the processing of personal data by the respective platform operator. As a rule, when you visit our social media offers, cookies are stored in your browser by the platform operator, in which your usage behavior or your interests are stored for market research and advertising purposes. The platform operators use the usage profiles, which are mostly obtained across devices, to show you personalized advertising. Data processing may also affect people who are not registered as users on the respective social media platform. Your data may be processed outside of the European Union, which can make it difficult to enforce your rights. When selecting such social media platforms, however, we make sure that the operators undertake to comply with EU data protection standards. The processing of your personal data when you visit one of our social media offers is based on our legitimate interests in a diverse external presentation of our company and the use of an effective information option and communication with you. The legal basis for this is article 6 (1) (f) GDPR. You may have given a platform operator your consent to data processing, in which case article 6 (1) (a) GDPR is the legal basis. Detailed information about data processing in connection with the use of our social media offerings, options for objecting via opt out and the assertion of information rights can be found in the data protection declaration of the relevant platform operator. The links to the data protection declarations of the platform operators can be found in our special data protection social networks.

2. Social media plugins

Social networks are only included on our website as a link to the corresponding services. After clicking on the integrated text link or image link, you will be redirected to the website of the respective provider. User information is only transmitted to the respective provider after it has been forwarded. For information on the handling of your personal data when using this website, please refer to the respective data protection regulations of the providers you use. Legal basis is article 6 (1) (a) GDPR.

3. Instagram

By clicking on the Instagram button, after logging into your account, this website will be linked to your Instagram website, we are not aware of the content of the transmitted data and their use by Instagram. For more information, please refer to the Instagram privacy policy, Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland. Your privacy settings are changeable to your Instagram account under settings.

4. Facebook

By clicking on the Facebook button, after logging in with your Facebook account, a connection is established between your browser and the Facebook server. Then you can link contents of our website with your profile on Facebook. We point out that we as the provider of this website are not aware of the content of the data transmitted and their use by Facebook. For more information, see the Facebook privacy statement, Facebook Inc. Privacy Statement, 1 Hacker Way, Menlo Park, California 94025, USA.

5. Xing

Our website links to our profile of the Xing network, provider New Work SE, Am Strandkai 1, 20457 Hamburg, Germany. We do not use a plugin for this. When you click on the Xing button on our website, our Xing profile is opened in a new window. When you visit this page, your server establishes a connection to the Xing servers. To the best of our knowledge, personal data is not stored. In particular, no IP addresses are saved or usage behavior is evaluated. Further information on data protection can be found in Xing data protection.

6. Google Maps

Our website uses Google Maps API to visually present geographical information. Google Maps is operated by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. When using Google Maps, Google also collects, processes and uses data about the use of the maps functions by visitors on that website. For more information about processing of data by Google read Google privacy policy. There you can also change your settings in the privacy center, so that you can manage and protect your data. Here are more ways to manage your own data related to Google products: Google support. It is possible to deactivate the Google Maps service and thus prevent the transfer of your data to Google by deactivating JavaScript in your browser. However, in this case you will be unable to use the map view.

7. YouTube

We have integrated YouTube videos in our online offer, a service provided by Google Ireland Limited [Google], a company registered and operated under Irish law with registration number 368047 and located at Gordon House, Barrow Street, Dublin 4, Ireland. Usually, when you visit a page with an embedded video, your IP address will be sent to YouTube and cookies will be installed on your computer. However, our videos are all integrated in an extended data-protection mode. In this case, YouTube will still contact the Google double click service, according to Google's privacy policy, personal information is not evaluated. As a result, YouTube does not store any information about visitors unless they watch the video. If you clicked on the video, your IP address will be sent to YouTube and YouTube will know that you have watched the video. If you are logged in to YouTube, this information will also be assigned to your user account. You can prevent this by logging out of your YouTube account. We are not aware of the possible collection and use of your data by YouTube. YouTube is used to help make our website appealing. This constitutes a justified interest pursuant to article 6 (1) (f) GDPR. Further information about handling user data, can be found in the data protection declaration. In addition, we refer you to the general handling and deactivation of cookies in this privacy policy.

XVIII. Products, services, content, links of third parties

1. Embedding of web fonts

If Google Fonts is integrated via the Google server by default, a connection to Google is established each time the page is accessed. From a legal point of view, the consent of the website user would be required in order to act as a website operator in accordance with the GDPR. Therefore, we have entered legally safe territory and incorporated the Google Fonts locally. So the fonts are from our own server by Hetzner Online GmbH, Industriestraße 25, 91710 Gunzenhausen, Germany and not loaded from the Google servers. The legal basis for this is a legitimate interest, as no data is sent to third-party providers. Note that our GDPR compliant integration means that disadvantages such as longer loading times or texts can first be displayed with a fallback font until the Google font is loaded.

2. Integration of third party content

It can happen that content from other websites is embedded within this online offer, such as Instagram images. This always assumes that the provider of such content - hereinafter referred to as third-party - perceive the IP address of the user. Without the IP address, they could not send the content to the browser of the respective user. The IP address is necessary for the presentation of that content. For more information about handling user information, see the third-party privacy policies. We strive to only use content of such providers that are using the IP address for the purpose of the delivery of content. However, please note that we as the provider are not notified if third-party stores the IP address for example for statistical purposes and if you are signed in to for example Instagram with your account, you are giving the third-party vendors the ability to associate your user behavior directly with your personal profile on those third-party sites. If we find out that a service provider is abusing this data, we will immediately remove that service from our site. If you want to prevent the third-party integrated services from assigning the visit to our website to your account, you can avoid it by logging out of your account. Our website uses the chat application of Dialogshift GmbH, Rheinsberger Straße 76/77, DE 10115 Berlin. This application processes and stores data for the purpose of web analysis, to operate the chat application and to answer queries. For the operation of the chat function, the chat texts are stored and a cookie with a unique ID is set - this is used to recognise you as a customer. A cookie is a small text file that is stored locally in the cache on your device. Using this cookie, our application recognises the device and can retrieve past chat logs. This cookie is stored for 90 days since last use. You can disable the storage of cookies in your browser settings. However, without the use of cookies, the chat function cannot be performed. The possible disclosure of for example name, email address or a telephone number is voluntary and with the consent to temporarily use and store this data for the purpose of contacting you until the end of the contact. This personal data is deleted after 90 days. The legal basis for data processing is article 6 (1) (f) GDPR based on our legitimate interest in effective customer support, for statistical analysis of user behaviour and for optimisation purposes of our offers. Dialogshift offers at www.dialogshift.com/en/data-privacy for further information on the collection and use of data and on your rights and options for protecting your privacy.

2. Integration of chat application

Our website uses the chat application of Dialogshift GmbH, Rheinsberger Straße 76/77, DE 10115 Berlin. This application processes and stores data for the purpose of web analysis, to operate the chat application and to answer queries. For the operation of the chat function, the chat texts are stored and a cookie with a unique ID is set - this is used to recognise you as a customer. A cookie is a small text file that is stored locally in the cache on your device. Using this cookie, our application recognises the device and can retrieve past chat logs. This cookie is stored for 90 days since last use. You can disable the storage of cookies in your browser settings. However, without the use of cookies, the chat function cannot be performed. The possible disclosure of for example name, email address or a telephone number is voluntary and with the consent to temporarily use and store this data for the purpose of contacting you until the end of the contact. This personal data is deleted after 90 days. The legal basis for data processing is article 6 (1) (f) GDPR based on our legitimate interest in effective customer support, for statistical analysis of user behaviour and for optimisation purposes of our offers. Dialogshift offers at www.dialogshift.com/en/data-privacy for further information on the collection and use of data and on your rights and options for protecting your privacy.

4. Integration of third parties links

Our website contains links to third party websites on which contents we have no influence. If you follow a link to any of these websites, you browse outside our website. Due to this fact we cannot take guarantee for the foreign contents. Please note that these websites have their own privacy policies and that we do not accept any responsibility or liability for their policies. Please check the individual policies before you submit any information to those websites. Upon notification of violations, we will immediately remove such links.

XIX. Images

1. Copyrights

Adobe Stock images: 3D character with 10% Discount sign on the start page [c] apcuk, images Lazy Sunday Berlin - young woman wake up in the morning and sitting on bed at window door side relaxing in holiday with sunlight, back side view [c] Kiattisak, Berlin, Berlin special - graphik [c] Party, Lazy Sunday Brandenburg - cheerful couple having breakfast together [c] goodluz, Lazy Sunday Nuremberg - couples feet on bed [c] kickimages on Lazy Sunday travel special website, coffee cup on the booking engine [c] tortoon, Whisky Tasting cheers on press releases webside [c] weyo; iStockphoto.com: Sustainability - green globe in forest with moss and sunlight [c] Romolo Tavani and all other images on our website are copyrighted. The SORAT Hotels have unlimited or simple rights of use for the published images. When using non-SORAT image material, a unique source information is provided, with the exception of the partner hotels of the SORAT hotel group. The SORAT Hotels are exempted from any claims of third parties in the context of the use of external images. SORAT Hotels assumes no liability for external images. By posting external images, the source statement guarantees that the SORAT Hotels can freely dispose of the images and that it is free of third-party rights and that imitated persons consent to the publication without any compensation being payable. The source statement exempts the SORAT Hotels in this respect from all claims of third parties, which make this in terms of the images set to the SORAT Hotels. Images and 360 ° hotel tours with the copyright Google may only be used on the SORAT Hotels websites or by Google itself in accordance with the Google terms of use. External use on other sites or in print products is prohibited. Unless otherwise indicated, all image rights of the images displayed on this website are owned by the SORAT Hotels and the SORAT partner hotels. SORAT's own images may only be used for editorial purposes by journalists and SORAT contractors. Graphical changes are not allowed except to crop the main subject.

XX. Rights of the data subject

1. General provisions

If personal data is processed by you, you are a victim within the meaning of the GDPR and you have the following rights to the person responsible:

2. Right of access by the data subject

You may ask the person responsible to confirm if personal data concerning you is processed by us. If such processing is available, you can request information from the person responsible about the following information:

[1] the purposes for which the personal data are processed;

[2] the categories of personal data that are processed;

[3] the recipients or categories of recipients to whom the personal data relating to you have been disclosed or are still being disclosed;

[4] the planned duration of storage of your personal data or, if specific information is not possible, the criteria used to determine that period;

[5] the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing as well as the right to data portability;

[6] the right to lodge a complaint with a supervisory authority;

[7] all available information on the source of the data if the personal data are not collected from the data subject;

[8] the existence of automated decision-making, including profiling, referred to in article 22 (1) and (4) GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

You have the right to request information whether your personal data be transferred to a third country or an international organization. In this case of transfers, you may request to be informed of the appropriate guarantees referred to article 46 GDPR.

3. Right to rectification

As data subject you shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning you; or or where interested therein, integration of the data. The correction shall be carried out without delay by the person responsible.

4. Right to restriction of processing

You have the right to obtain from the controller restriction of processing where one of the following applies:

[1] the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;

[2] the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;

[3] the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;

[4] the data subject has objected to processing pursuant to article 21 (1) GDPR peding the verification whether the legitimate grounds of the controller override those of the data subject.

Where processing has been restricted under the conditions above, such personal data shall, with the exception of storage, only be processed with the data subject’s consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State. If you a data subject who has obtained restriction of processing pursuant under the conditions above you will be informed by the controller before the restriction of processing is lifted.

5. Right to erasure

a) Erase obligation

As data subject you shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:

[1] your personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed.

[2] you withdraw consent on which the processing is based according to point (a) of article 6 (1) GDPR, or point (a) of article 9 (2) GDPR, and where there is no other legal ground for the processing.

[3] you object to the processing pursuant to article 21 (1) GDPR and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to article 21 (2) GDPR.

[4] the personal data have been unlawfully processed.

[5] the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject.

[6] the personal data have been collected in relation to the offer of information society services referred to article 8 (1) GDPR.

b) Information to third parties

Where the controller has made the personal data public and is obliged pursuant to article 17 paragraph 1 GDPR to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.

c) Exceptions

The obligation of erase shall not apply to the extent that processing is necessary:

1] for exercising the right of freedom of expression and information;

[2] for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

[3] for reasons of public interest in the area of public health in accordance with points (h) and (i) of article 9 (2) as well as article 9 (3) GDPR;

[4] for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with article 89 (1) GDPR in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or

[5] for the establishment, exercise or defence of legal claims.

6. Notification obligation

Have you obtained the right of rectification, deletion or limitation of the processing to the controller, the controller shall communicate any rectification or erasure of personal data or restriction of processing carried out in accordance with article 16 GDPR, article 17 (1) GDPR and article 18 GDPR to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The controller shall inform the data subject about those recipients if the data subject requests it.

7. Right to data portability

You have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:

[1] the processing is based on consent pursuant to point (a) of article 6 (1) GDPR or point (a) of article 9 (2) GDPR or on a contract pursuant to point (b) of Article 6 (1) GDPR; and

[2] the processing is carried out by automated means.

In exercising the right to data portability you have the right that your personal data is transmitted directly from one controller to another, where technically feasible. Freedoms and rights of other persons may not be affected. The right to data portability shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

8. Right to object

You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on point (e) or (f) of article 6 (1) GDPR, including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims. Where personal data are processed for direct marketing purposes, have the right to object at any time to processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing. In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, you may exercise your right to object by automated means using technical specifications.

9. Right of withdraw the data protection declaration of consent

You have the right to revoke your data protection declaration at any time. The revocation of consent does not affect the legality of the processing carried out on the basis of the consent until the revocation.

10. Automated individual decision-making including profiling

You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. That not apply if the decision:

[1] is necessary for entering into, or performance of, a contract between the data subject and a data controller;

[2] is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject's rights and freedoms and legitimate interests; or

[3] is based on the data subject’s explicit consent.

However, decisions shall not be based on special categories of personal data referred to in article 9 (1) GDPR, unless point (a) or (g) of article 9 (2) GDPR applies and suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests are in place. In the cases referred to in points [1] and [3], the data controller shall implement suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express your point of view and to contest the decision.

XXI. Complaints and settlement of disputes

1. Right of appeal to the supervisory authority

Irrespective of the rights above and the possibility of asserting another administrative or legal redress, you also have the possibility at any time of asserting your right to complain to a supervisory authority, in particular, in the member state of your place of domicile, of your place of work or of the location of the alleged infringement if you are of the view that the processing of personal data affecting you infringes legal data protection regulations, within the meaning of article 77 GDPR.

2. Online dispute resolution

The European Commission established an internet platform for the online settlement of disputes, the so-called OS platform. The OS platform is intended as a point of departure for the out-of-court settlement of disputes concerning contractual obligations arising from online purchase contracts. The OS platform is available under the following link: ec.europa.eu.