We are delighted to see that you are interested in the MyMaritim bonus points programme. The information below will outline how your personal data is processed in the context of the MyMaritim bonus points programme.
The "controller", within the meaning of the General Data Protection Regulation (GDPR), is:
Maritim Hotelgesellschaft mbH
Herforder Strasse 2
32105 Bad Salzuflen, Germany
Phone: +49 (0) 5222 9530
You can find more information about our company, details of authorised representatives and other ways to contact us at: www.maritim.com/en/imprint
Registration for the MyMaritim bonus programme
To participate in the MyMaritim bonus programme, we need your first and last name as well as your email address. Maritim will be able to attribute bonus points that you have earned to you based on this information so that you can then redeem them at a later date.
If you make a selection in the "Your preferences" section to share your travel interests with us, we will be able to email you with personalised offers. Your consent to receive email offers is not linked to participation in the bonus programme. It is voluntary and you can revoke it at any time with future effect.
When you register for the MyMaritim bonus programme, the following data from the input mask is transmitted to us:
Information about your travel interests – if you have selected this (this information is submitted voluntarily)
The following data is also collected when you register:
Your consent to the processing of the data is obtained during the registration process and reference is made to these data protection provisions.
We use the so-called ‘double opt-in’ procedure to register your consent and to prevent misuse of your data.
Therefore, after your registration, you will receive an email in which you will be asked to confirm your registration. Your data will only be processed in the MyMaritim bonus programme software after you have confirmed your registration via this email. This process ensures that you genuinely want to participate in the bonus programme.
Your registration is logged in order to be able to prove the registration process has taken place in accordance with the legal requirements. This includes logging the time of registration and confirmation as well as the IP address. Changes to your saved data are also logged.
The data collected will be used exclusively for the MyMaritim bonus programme and will not be passed on to third parties. Data processing is carried out using our service provider TravelClick Inc.’s web-based software. TravelClick Inc. is located at 55 W 46th Street, 27th Floor, New York, NY 10036, USA. This service provider was carefully selected by the Maritim Hotelgesellschaft.
In order to ensure that the data processing takes place in an authorised manner, a processing contract as well as the EU’s standard data protection clauses have been agreed in accordance with data protection requirements.
Earning bonus points
If you participate in the MyMaritim bonus programme, the actual transaction you make at a participating Maritim hotel will be used to calculate bonus points, which will be credited to your MyMaritim account following your stay. To calculate your bonus points, we record the date and place of the services we provided for you and the associated transaction.
Redeem bonus points
You can redeem bonus points earned, either in full or in part, on one of your next bookings on the www.maritim.de booking page or, after registration, in your MyMaritim account at www.maritim.com.
Your data will be stored as long as your participation in the MyMaritim bonus programme remains active.
Upon receipt of the declaration of revocation, the data will be deleted immediately if there are no legal retention periods (e.g. tax code (Abgabenordnung), turnover tax law (Umsatzsteuergesetz) usually 10 years) preventing this and the revocation is effective. The effectiveness of the data processing carried out up until the revocation of consent remains unaffected.
If your personal data is processed, you are a data subject within the meaning of the GDPR and you have the following rights in relation to the controller:
1. Right to information
You shall have the right to obtain confirmation from the controller as to whether or not personal data concerning you is being processed, and, where that is the case, the right to request the following information about the personal data:
1. the purposes for which the personal data is being processed
2. the categories of personal data that are processed
3. the recipients, or the categories of recipients, to whom the personal data relating to you has been, or will be, disclosed
4. the envisaged period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period
5. the existence of a right to request from the controller rectification or erasure of your personal data or to restrict the processing of your personal data or to object to this processing
6. the right to lodge a complaint with a supervisory authority
7. where the personal data is not collected from the data subject, any available information as to its source
8. the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) GDPR and, at least in these cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
2. Right to rectification
You have a right to rectification and/or completion from the controller if the processed personal data concerning you is inaccurate or incomplete. The controller must make the correction immediately.
3. Right to restriction of processing
You can request that the processing of your personal data be restricted under the following conditions:
1. you contest the accuracy of the personal data for a period enabling the controller to verify the accuracy of the personal data
2. the processing is unlawful and you oppose the erasure of the personal data and request the restriction of its use instead
3. the controller no longer needs the personal data for the purposes of the processing, but you require it for the establishment, exercise or defence of legal claims, or
4. you have objected to processing pursuant to Article 21(1) GDPR pending the verification as to whether the legitimate grounds of the controller override your grounds.
Where the processing of personal data relating to you has been restricted, such personal data shall, with the exception of storage, only be processed with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State. If the restriction of processing has been obtained according to the above conditions, you will be informed by the controller before the restriction of processing is lifted.
4. Right to Erasure
a) Obligation to erase
You have the right to request that the controller erase the personal data concerning you without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
1. the personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed.
2. you withdraw the consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2) GDPR, and where there is no other legal ground for the processing.
3. you object to the processing pursuant to Article 21(1) GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Article 21(2) GDPR.
4. the personal data relating to you has been unlawfully processed.
5. the personal data has to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject.
6. the personal data has been collected in relation to the offer of information society services as referred to in Article 8(1) GDPR.
b) Information provided to third parties
Where the controller has made the personal data relating to you public and is obliged pursuant to Article 17(1) GDPR to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that you have requested the erasure by such controllers of any links to, or copy or replication of, that personal data.
The right to deletion does not exist if processing is necessary
1. for exercising the right of freedom of expression and information
2. for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
3. for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) as well as Article 9(3) GDPR
4. for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) GDPR in so far as the right referred to in point (a) is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
5. for the establishment, exercise or defence of legal claims.
5. Right to be informed
If you have asserted the right to rectification, erasure or restriction of processing against the controller, the controller is obliged to inform all recipients to whom the personal data concerning you has been disclosed of this rectification or deletion of the data or restriction of processing, unless this turns out to be impossible or involves disproportionate effort.
You have the right to be informed about these recipients by the controller.
6. Right to data portability
You shall have the right to receive the personal data concerning you, which you have provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit this data to another controller without hindrance from the controller to which the personal data has been provided, where:
1. the processing is based on consent pursuant to point (a) of Article 6(1) GDPR or point (a) of Article 9(2) GDPR or on a contract pursuant to point (b) of Article 6(1) GDPR; and
2. the processing is carried out by automated means.
In exercising this right, you shall also have the right to have the personal data transmitted directly from one controller to another, where technically feasible. The rights and freedoms of other parties must not be affected by this.
The right to data portability shall not apply to the processing of data that is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
7. Right to Object
You have the right to object, on grounds relating to your particular situation, at any time, to the processing of personal data concerning you which is based on point (e) or (f) of Article 6(1) GDPR, including profiling based on those provisions.
The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims.
Where personal data is processed for direct marketing purposes, you shall have the right to object, at any time, to the processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing.
Should you object to the processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.
In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, you may exercise your right to object by automated means using technical specifications.
8. Questions/right to lodge a complaint with a supervisory authority
If you have any further questions about the protection of your personal data, this data protection declaration, declarations of consent that have been issued as well as the processing of your personal data or complaints about data protection, you can contact our data protection officer. You can reach them at the above postal address or by sending an e-mail to firstname.lastname@example.org.
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority.
Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen (State Commissioner for Data Protection and Freedom of Information North Rhine-Westphalia)
Phone: +49 (0)211 384240
Fax: +49 (0)211 3842410
More information about data protection can be found at www.maritim.com/en/data-protection