1. Name and contact details of the controller responsible for data processing
and of the company data protection officer.
The operator of this website and responsible for the collection,
The entity responsible for the processing and use of your personal data within the meaning of the EU General Data Protection Regulation (GDPR) and the Federal Data Protection Act (BDSG-2018) is:
Pension Villa am Meer
Erbengemeinschaft Patrone
Friedrichstraße 25
25980 Sylt (Westerland district)
The pension’s Data Protection Officer is Ms. Silke Harms.
2. General information
We process your data in compliance with applicable data protection regulations. This privacy policy informs you about the personal data we collect and store. You will also find information on how your data is used and the rights you have regarding its use.
You can download the privacy policy as a PDF for printing here.
3. Collection and storage of personal data, as well as the nature and purpose of their use.
You have various options for contacting us via the Internet:
a) Visiting our website
Whenever you visit our website, your browser automatically sends information to
our website's server, where it is temporarily stored in a so-called log file.
The following data are collected without any action on your part and stored
until they are automatically deleted:
• the IP address of the requesting computer
• the date and time of access
• the name and URL of the accessed file
• the website from which access originated
• your computer's operating system and the browser you use
• the name of your Internet service provider.
We process the aforementioned data for the following purposes:
• ensuring a smooth connection to the website
• ensuring a user-friendly experience on our website
• evaluating system security and stability
• other administrative purposes.
The legal basis for data processing is Article 6(1)(f) of the GDPR, under which
processing is lawful if
"processing is necessary for the purposes of the legitimate interests pursued by the controller or
by a third party, except where such interests are overridden by the interests or fundamental rights and
freedoms of the data subject which require protection of personal data,
in particular where the data subject is a child."
Our legitimate interest in data collection arises from the purposes listed above. Under no
circumstances do we use the collected data to draw conclusions about your identity.
In addition, we use cookies and another analysis tool on our website
(see Section 5 for further details).
b) Use of our contact form
For questions of any kind, we offer you the opportunity to contact us via a form
provided on this website.
Providing a valid e-mail address, your name, street address,
postal code and city/town, as well as your arrival and departure dates, is required
so that we know who the inquiry is from and can respond to it.
Further information may be provided voluntarily.
Data processing for the purpose of contacting us is based on your
voluntarily given consent (Article 6(1)(a) of the GDPR).
The personal data collected by us for the use of the contact form
will be automatically deleted once your inquiry has been resolved.
4. Data transfer
Your personal data will only be transmitted to third parties if:
• you have given your express consent to do so (Art. 6(1)(a) GDPR)
• the transfer is legally permissible and necessary for the performance of contractual relationships with you (Art. 6(1)(b) GDPR)
• there is a legal obligation to transfer the data (Art. 6(1)(c) GDPR)
• the transfer is necessary for the establishment, exercise, or defense of legal claims and there is no reason to assume that you have an overriding interest worthy of protection in the non-disclosure of your data (Art. 6(1)(f) GDPR).
5. Online-Reservation
On our website, you have the option to book various room categories at our hotel, as well as additional services such as transfers, bicycle rentals, or garage parking, by providing personal data. To conclude the contract, you are required to provide the personal data necessary for the booking process. The mandatory information includes your first and last name, email address, postal address, telephone number, and credit card details. You may also voluntarily provide additional information so that we can tailor your room to your individual preferences as best as possible. We process your personal data in order to handle your reservation; thus, the processing of your data is necessary for the performance of a contract with you. For this purpose, we may also share your data with payment service providers and our contractual partners. The legal basis for processing your personal data is Art. 6 (1) (b) of the GDPR.
Under commercial and tax laws, we are required to retain your address, payment, and order data for a period of ten years. However, we restrict the processing of this data after two years.
We attach the utmost importance to the security of your data. To prevent unauthorized access by third parties to your personal data—particularly financial information—data transmission (especially during the booking process) is secured using 2048-bit SSL encryption.
6. Cookies and Analysetool
We do not use cookies or analytics tools on our website.
7. Social Media
We take the current discussion regarding data protection on social networks very seriously.
It has not yet been conclusively determined under the law whether and to what extent all
networks offer their services in compliance with European data protection regulations.
We therefore expressly point out that the services we use—Facebook, Twitter, Xing,
Google+, and YouTube—store and use their users' data (e.g., personal information, IP
addresses) in accordance with their own data usage policies for business purposes.
We have no influence over data collection and its subsequent use by these social
networks. We have no information regarding the scope, location, or duration of data
storage, the extent to which the networks comply with existing deletion obligations,
what analyses or data linkages are performed, or to whom the data is disclosed.
8. Protection of minors
Persons under the age of 18 should not transmit personal data to us without the consent of their parents or legal guardians.
We do not request personal data from children and young people. We do not knowingly collect such data, nor do we pass it on to third parties.
9. Rights of data subjects
You have the right,
* pursuant to Art. 7(3) GDPR, to withdraw your previously given consent to us at any time
The withdrawal of consent does not affect the lawfulness of processing based on consent
before its withdrawal. The only consequence of the withdrawal is that we may no longer
continue the data processing based on that consent in the future.
* pursuant to Art. 15 GDPR, to request information about the personal data concerning
you that we process
In particular, you may request information about
• the purposes of the processing
• the categories of personal data that are or have been processed
• the recipients or categories of recipients to whom your data are or have been disclosed
• the planned storage period
• the existence of a right to rectification, erasure, or restriction of processing, or a right to object
• the existence of a right to lodge a complaint with a supervisory authority
• the source of your data, if not collected by us
• the existence of automated decision-making, including profiling, and—where applicable—meaningful information about the logic involved as well as the significance and envisaged consequences of such processing for you.
• to request, pursuant to Art. 16 GDPR, the immediate rectification of inaccurate personal data concerning you or the completion of personal data stored by us if they are incomplete
• to request, pursuant to Art. 17 GDPR, the erasure of personal data stored by us
This does not apply insofar as the processing of your data is necessary
• for exercising the right of freedom of expression and information
for compliance with a legal obligation
for reasons of public interest in the area of public health
* for archiving purposes in the public interest, scientific or
historical research purposes, or statistical purposes
* for the establishment, exercise, or defense of legal claims.
* to request the restriction of the processing of your personal
data pursuant to Art. 18 GDPR
This applies if
• you contest the accuracy of the data
• the processing is unlawful, but you oppose the erasure of the data
and request the restriction of data use instead
• we no longer need the data, but you require the data for the establishment,
exercise, or defense of legal claims
• you have objected to the processing pursuant to Art. 21(1) GDPR.
• to receive the personal data concerning you, which you have provided to us,
in a structured, commonly used, and machine-readable format, or to request
transmission to another controller, pursuant to Art. 20 GDPR
• to lodge a complaint with a supervisory authority pursuant to Art. 77 GDPR
As a rule, you may contact the supervisory authority of your habitual
residence, your place of work, or the location of our firm's registered office.
10. Right to object
If your personal data is processed on the basis of legitimate interests (Art. 6(1)(f) GDPR), you have the right, pursuant to Art. 21 GDPR, to object to the processing if there are grounds relating to your particular situation or if the objection is directed against direct marketing. In the latter case, you have a general right to object, which we will implement without requiring you to specify a particular situation.
If you wish to exercise your right to object, please send an email to ap@hvs-sylt.de.
11. Data security
When you visit our website, we use the widely adopted SSL (Secure Socket Layer) protocol in conjunction with the highest level of encryption supported by your browser; typically, this is 256-bit encryption. If your browser does not support 256-bit encryption, we use 128-bit v3 technology instead.
You can tell whether a specific page of our website is being transmitted via an encrypted connection by looking for the closed key or padlock symbol in your browser's bottom status bar.
Furthermore, we employ appropriate technical and organizational security measures to protect your data against accidental or intentional manipulation, partial or complete loss, destruction, or unauthorized access by third parties. Our security measures are continuously improved in line with technological developments.
12. Links to other websites
We link to websites of other providers (third parties) that are not affiliated with us.
If you click on these links, we no longer have any influence on which data is transmitted
these providers (third parties) are collected and used. More detailed information on
Data collection and use can be found in the data protection declaration of the respective company
provider (third party).
We assume no responsibility for data collection and processing by third parties.
You can recognize third-party websites because they are always in their own
Open your browser window. In contrast, new websites open ours
Always view the offer in a new tab in your browser.
13. How to contact us if you have questions
If you have any questions regarding data protection on our website, we look forward to receiving your email at ap@hvs-sylt.de.
14. Regular updates to this privacy notice
The data protection framework applicable to service providers is subject to
constant changes and adjustments.
These changes and adjustments make it necessary to update our
privacy policy from time to time.
You can identify the current version by the "Last updated:..." line at the end of this
privacy policy.
Last updated: 25 May 2018
Information on data processing
Dear Guest,
In accordance with the GDPR, we are required to provide you with the following information. Please feel free to speak to us personally at any time should you have any questions or concerns.
Specifically, the following applies—taking into account the new EU General Data Protection Regulation (GDPR):
1. Name and contact details of the controller and the company data protection officer
The party responsible for the collection, processing, and use of your personal data within the meaning of the EU General Data Protection Regulation (GDPR) and the Federal Data Protection Act (BDSG-2018) is
Pension Villa am Meer
Patrone Estate (Erbengemeinschaft Patrone)
Friedrichstraße 25
25980 Sylt (Westerland district).
The pension’s Data Protection Officer is Ms. Silke Harms.
2. General information
We use your data in compliance with the applicable data protection regulations.
Below you will be informed about which personal data we collect and store from you. You will also receive information about how and why your data is used and what rights you have with regard to the use of your data.
3. Collection and storage of personal data as well as the nature and purpose of their use
When you book with us, we collect the following data:
• Your first name and surname, along with your form of address (Mr./Ms.)
• Your address
• Your telephone number (landline and/or mobile)
• Your personal email address
This data is collected:
• to identify you as our guest,
• to correspond and/or otherwise communicate with you,
• to provide you with responsible care during your stay on Sylt,
• for invoicing purposes,
• to handle any liability claims you may have against us,
• to pursue and enforce any claims (including payment claims) we may have against you.
Data processing takes place on the basis of an inquiry or the conclusion of a contract. It is necessary for the stated purposes—specifically for appropriate processing and the mutual fulfillment of contractual obligations—(Art. 6(1)(b) GDPR).
Your data is stored or collected both digitally (in our document management system – DMS) and in paper form.
Personal data collected by us in connection with the contract will be stored or retained after the matter has been concluded—subject to statutory retention periods under the Fiscal Code (Abgabenordnung)—and subsequently deleted or destroyed. Exceptions apply only if we are required to store or retain the data for a longer period due to other legal provisions (Art. 6(1)(c) GDPR) and/or if you have consented to or requested such longer-term storage or retention (e.g., with a view to a future contract) (Art. 6(1)(a) GDPR).
Upon expiration of the retention period, we will destroy your data held in paper form while maintaining strict confidentiality.
4. Transfer of data to third parties
As a general rule, your personal data will not be transmitted to third parties for purposes other than those listed below.
Data is only disclosed where necessary for the proper performance of the contract with you (Art. 6(1)(b) GDPR).
Employees of our company who come into contact with your data are subject to a strict confidentiality obligation—just as I am—and I continuously monitor compliance with this obligation. Other parties with whom we collaborate and who come (or could come) into contact with your data have been or will be contractually bound to confidentiality in writing; they are also expressly informed that any breach on their part renders them personally liable to prosecution.
5. Rights of data subjects
You have the right
• to withdraw your previously given consent to us at any time in accordance with Art. 7(3) GDPR.
The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal. The only consequence of the withdrawal is that we may no longer continue the data processing based on that consent for the future.
• In accordance with Article 15 of the GDPR, you have the right to request information about your personal data that we process.
Request information
In particular, you can request information about
- the purposes of the processing
- the categories of personal data that are or have been processed
- the recipients or categories of recipients to whom your data are or have been disclosed
- the planned storage period
- the existence of a right to rectification, erasure, or restriction of processing, or a right to object
- the existence of a right to lodge a complaint with a supervisory authority
- the source of your data, if not collected by us
- the existence of automated decision-making, including profiling, and, where applicable, meaningful information about the logic involved as well as the significance and the envisaged consequences of such processing for you.
• to request, pursuant to Art. 16 GDPR, the immediate rectification of inaccurate personal data concerning you or the completion of personal data concerning you stored by us, if these are incomplete
• to request, pursuant to Art. 17 GDPR, the erasure of personal data concerning you stored by us
This does not apply insofar as the processing of your data is necessary
- for exercising the right of freedom of expression and information
- for compliance with a legal obligation
- for reasons of public interest in the area of public health
- for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes
- for the establishment, exercise, or defense of legal claims.
• gem. Art. 18 DS-GVO die Einschränkung der Verarbeitung Ihrer personenbezogenen Daten zu verlangen
This applies if:
- you contest the accuracy of the data
- the processing is unlawful, but you oppose the erasure of the data and
request the restriction of its use instead
- we no longer need the data
- you have objected to the processing pursuant to Art. 21(1) GDPR.
• to receive the personal data concerning you, which you have provided to us,
in a structured, commonly used, and machine-readable format, or to
request its transmission to another controller, pursuant to Art. 20 GDPR
• to lodge a complaint with a supervisory authority pursuant to Art. 77 GDPR
As a rule, you may contact the supervisory authority of your habitual
residence, your place of work, or the location of our hotel.
6. Right to object
If your personal data is processed on the basis of legitimate interests pursuant to Art. 6(1)(f) GDPR, you have the right to object to the processing pursuant to Art. 21 GDPR, provided there are grounds relating to your particular situation.
If you wish to exercise your right to object, please send an email to ap@hvs-sylt.de.