GDPR Privacy Statement of NextGuest

See previous sections 1-7.

8.  Processing in the Context of our Customer Database 

8.1.  In this Section we will inform you about how we process and use personal data in relation to you that we store in our customer database and on the specific rights you have in this respect. 

8.2.  We will set up a customer account in our customer database if a customer relationship exists or is established with you. The customer account contains your master data (name, address, account etc.). All correspondence and documents (correspondence, orders, contracts, complaints, etc.) within the scope of the customer relationship will then be linked to this customer account. 

8.3. We will store and process the above information to fulfil the respective contractual relationship with you with respect to our products and services that you use on the one hand, and, on the other hand, to safeguard our legitimate interest in improving our deliveries and services according to your individual requirements with regard to your concerns and interests and in thus promoting the sale of our products and services, and, if necessary, to offer you additional products or services in accordance with your interests, to document contractual agreements and correspondence for asserting, exercising or defending related legal claims (legal basis for processing: Art. 6 no. 1 lit. f) of the GDPR), to fulfil statutory documentation and document retention obligations (legal basis for processing: Art. 6 no. 1 lit. c) of the GDPR).

8.4.  We share data with other companies of our group of undertakings. For further information on this and on the safeguards we have put in place in this respect, please refer to Sec. 12 below.

8.5. We refer to Sections 13 et seq. for further information regarding the possible recipients and storage periods of the above information.

8.6. You can object to the use of your data for direct marketing purposes at any time (cf. Section 15.7). 

9. Processing of Prospective Supplier Data and Supplier Data 

9.1.   In this Section we will inform you about how we process and use personal data in relation to prospective and actual suppliers. In this context we use the term “supplier” to cover not only the suppliers of products but any business partner who is not a customer or employee, including also service providers, consultants and freelancers.

9.2.    We generally store and process data in relation to prospective and actual suppliers in the same manner and in the same databases as data on prospective and actual customers. Therefore, all information on prospective customer data and customer data in this Privacy Statement also applies to data in relation to prospective and actual suppliers.

9.3.    We will store and process data in relation to prospective and actual suppliers and all correspondence and documents (correspondence, orders, contracts, complaints, etc.) within the scope of the business relationship to perform the respective contractual relationship with you with respect to your products and services on the one hand (legal basis for processing: Art. 6 no. 1 lit. b) of the GDPR), and, on the other hand, to protect our legitimate interest in documenting contractual agreements and correspondence for establishing, exercising or defending related legal claims, and, where relevant, fulfilling our product monitoring obligation with respect to your products and services (legal basis for processing: Art. 6 no. 1 lit. f) of the GDPR) as well as fulfilling statutory documentation and document retention obligations (legal basis for processing: Art. 6 no. 1 lit. c) of the GDPR). 

9.4.   We share data with other companies of our group of undertakings. For further information on this and on the safeguards we have put in place in this respect, please refer to Sec. 12 below.

9.5.   We also refer to Sections 13 et seq. for further information regarding the possible recipients and retention periods of the above information. 

10. Processing of Job Applicant Data by NextGuest CRM 

10.1.  In this Section, we will inform you how NextGuest CRM processes and uses personal data in relation to you that it collects in connection with applications for employment with the company or other entities within our group of undertakings and on the specific rights you have in this respect. 

10.2.  Data Collection, Legal Basis and Purposes 

10.2.1. If you send NextGuest CRM your application documents via the general contact form or by e-mail, you should be aware that such transmission is not effectively protected against unauthorized access. NextGuest CRM will therefore never ask you to send your application documents exclusively in this way. We recommend that you submit your application documents only by post or via the secure connection we have provided for this purpose. 

10.2.2. If you register with NextGuest CRM as an applicant and send application documents in printed or electronic form, it will store and process your contact data, your application documents (in printed or electronic form) and all documents and records concerning you which are created in the course of the application process (all these data and documents will be collectively referred to subsequently as "applicant data") for the duration of the application procedure, and for the purpose of performing the application procedure (legal basis for processing: Art. 6 no. 1 lit. b) of the GDPR). 

10.2.3. NextGuest CRM does not normally require special categories of personal data for the application process. It kindly asks you not to include such data in your application documents. Where such data are relevant in exceptional circumstances, NextGuest CRM will process them together with other applicant data. This may include information on job restrictions based on pregnancy or health issues or information on disabilities in view of our special legal obligations vis-à-vis the disabled. In these cases it processes your data for carrying out obligations and exercising specific rights in the field of employment and social security and social protection law (legal basis for processing: Art. 9(2)(b) of the GDPR in conjunction with Section 26 of the German FDPA) and/or for the assessment of your working capacity (legal basis for processing: Art. 9(2)(h) in conjunction with Section 22(1)(b) of the German FDPA).

10.2.4. Where during the application process you provide information or documents which are not strictly necessary for the application process, NextGuest CRM processes such information or documents within the scope of your consent (legal basis for processing: Art. 6 no. 1 lit. a) of the GDPR). 

10.2.5. You can find out how NextGuest also stores and uses your applicant data, e.g., bookkeeping information where you are indemnified for out-of-pocket expenses, in Section 10.4.

10.3. Recipients and Categories of Recipients 

10.3.1. If the advertised position is with another entity in our group of undertakings or otherwise is group-related, e.g. if the position reports to an employee of another entity within the group of undertakings (so-called matrix structure), NextGuest CRM may also make the applicant data accessible to those employees of other companies in the group of undertakings who participate in the recruitment process. This serves the purposes specified in Section 10.2 and also to protect its legitimate interest in an exchange of information within the group of undertakings as required for the execution of the application procedure (legal basis for processing: Art. 6 no. 1 lit. f) of the GDPR). 

10.3.2. NextGuest CRM shares data with other companies of our group of undertakings. For further information on this and on the safeguards we have put in place in this respect, please refer to Sec. 12 below.

10.3.3. NextGuest CRM also refers to Sections 13 et seq. for further information regarding the possible recipients and retention periods of the above information.

10.4. Retention Periods and Deletion 

10.4.1. If the application is successful, the applicant data will continue to be stored and used as part of your personnel file in order to perform the employment contract. 

10.4.2. If the application process is not successful, NextGuest CRM will return printed application documents to you and will retain copies of them and all other applicant data for another three months after completion of the application process and will then delete or anonymize them. The storage of these data and documents serves to protect our legitimate interest in establishing, exercising or defending legal claims in connection with the application procedure, particularly if we need them as evidence in our defense against the assertion of discrimination in the selection process (legal basis for processing: Art. 6 no. 1 lit. f) of the GDPR). 

11. Processing in the Context of Visits to NextGuest CRM’s Facilities, CCTV Surveillance

11.1.  In this Section we will inform you about how NextGuest CRM processes and uses personal data in relation to you that it collects in connection with your visits to its facilities and on the specific rights you have in this respect. 

11.2.  When you visit NextGuest CRM’s facility, it asks you to register. Typically, your name and company and the date and time of visit will be recorded and you may be asked to sign a confidentiality undertaking. 

11.3.  NextGuest CRM will store and process the above information to protect its legitimate interest in preventing abusive behavior during visits and in establishing, exercising or defending possible legal claims (legal basis for processing: Art. 6 no. 1 lit. f) of the GDPR). Unless one of the longer retention periods set forth below applies, the information will be retained for one year after the visit. If you are a customer, it may be stored in your customer account and retained for the longer periods described in Sec. 14.

11.4.  Sensitive areas of our facilities may be subject to closed circuit TV (CCTV) surveillance. CCTV cameras will be placed visibly and clearly marked. CCTV cameras may be linked to live monitors without further recording but may also involve recording of videos. Recordings may be reviewed by security staff either on a random sample basis or where there is an indication of unauthorized access or abusive behavior. After 72 hours recordings will be deleted unless required for investigation of a specific incident. NextGuest CRM will store and process information collected through CCTV surveillance to protect our legitimate interest in preventing unauthorized access and abusive behavior during visits and in establishing, exercising or defending possible legal claims (legal basis for processing: Art. 6 no. 1 lit. f) of the GDPR). Information collected through CCTV surveillance will not be used for any other purpose.

12.0.  Data Transfers, Legal Basis and Purposes  

Personal data controlled by us may be disclosed between NextGuest and NextGuest CRM, as well as to other companies within our group of undertakings (“Affiliate(s)”), where such data is uploaded to a joint account.  

NextGuest and NextGuest CRM maintain joint salesforce.com and Marketo accounts together. Salesforce.com and Marketo are cloud-based enterprise software services including sales, service, marketing, analytics, community, and mobile apps operated, and may be hosted in an unsafe third country.  

We use the salesforce.com platform to store and process individual and company contact information on customers and their employees of our Hospitality Provider customer, applicant, as well as our own employees. This includes name, title, email address, phone number, street address, company name, contract information, account information, and correspondence and communications. We also use the salesforce.com platform to track sales opportunities and to conduct outreach and client engagement via email. Data uploaded to salesforce.com may be shared by Affiliates for the purpose of account planning and management.  

Data uploaded to joint accounts are accessed by all Affiliates with access to the account for the purposes identified above. We may also share such data with NextGuest Digital Europe outside of joint accounts for the same purposes. In any case, access to data in joint accounts is always restricted by multiple levels of access rights granted on a need-to-know basis ensuring that the Affiliates, and within each Affiliate the respective employees, access only the data they require for their business functions. 

We have concluded a contract processing agreement with SFDC to ensure that personal data is processed only on its behalf and in accordance with its instructions and has agreed to exercise its rights under such agreements also in our interest.  

We share data in the contexts specified hereinabove in order to protect our legitimate interests in coordinating sales processes and business and IT administrative processes on the level of the group of undertakings and planning and providing our deliveries and services as close to our customers as possible (legal basis for processing: Art. 6 no. 1 lit. f) of the GDPR).  

In order to provide for a uniform level of data protection throughout our group of undertakings, we have agreed upon uniform data protection provisions for all data transfers within our group of undertakings which, with respect to data exports outside of the European Economic Area, incorporate the standard data protection clauses adopted by the Commission for this purpose. 

13.    General Information on Additional Uses, Recipients, Categories of Recipients, and Transfers 

13.1.    All of our servers and databases may be operated, maintained or further developed by additional processors or other contractors. They may have access to your data.  

13.2.   Where we store and process data for the performance of contracts, we may pass these data on to agents and contractors we employ for such performance (e.g. to carriers for transportation purposes). 

13.3.   Where we store and process data for communication with you, we may use additional processors or contractors in order to process or transmit electronic or paper correspondence with you (e.g. letter shops, mailing service providers), who will then have access to your data. 

13.4.   We will transfer your personal data to competent law enforcement, regulatory or other authorities, institutions or bodies if we are legally obligated to do so (legal basis for processing: Art. 6 no. 1 lit. c) of the GDPR) or if we have a legitimate interest in averting coercive measures of such authorities, institutions or bodies within the scope of their legal responsibilities (legal basis for processing: Art. 6 no. 1 lit. f) of the GDPR). Such legally required or necessary transmissions are not the subject of this Privacy Statement. 

13.5.  When establishing a contractual relationship, we may process data on (prospective) customers or suppliers, or applicants in the context of “know your customer”, anticorruption, anti-money laundering, anti-terror and export control or similar screenings or audits in order to perform our compliance obligations and give effect to our compliance policies. The legal basis for such audits and screenings is the fulfilment of a legal obligation, where they are legally required (legal basis for processing: Art. 6 no. 1 lit. c) of the GDPR), and otherwise our legitimate interest in avoiding business relationships which we consider to violate our ethical standards (legal basis for processing: Art. 6 no. 1 lit. f) of the GDPR). 

13.6.  NextGuest’s data protection officer will have access to your data as necessary for the consummation of its data protection tasks. The data protection officer is under a statutory obligation of confidentiality. 

13.7.  We may use third party service providers for the archiving and/or destruction of documents. They will have access to your data. 

13.8.  We may also retain consultants or advisors such as legal, tax or business consultants. They may have access to your data. 

13.9.  Where we use contractors of the categories listed hereinabove to handle your data on our behalf, we have concluded, or will conclude prior to such processing, a contract processing agreement with the contractor to ensure that personal data is processed only on our behalf and in accordance with our instructions. Where the data are not processed on our behalf, we will enter into appropriate confidentiality agreements with the contractors. 

14.    General Information on Retention Periods and Anonymization 

14.1.    We have enacted a data retention and deletion policy in order to ensure that personal data are only stored for as long as necessary for their purpose. 

14.2.    Our data retention and deletion policy takes account of the principle that personal data should be retained for limited periods even after the storage purpose has become obsolete, in order to preserve our legitimate interest in preventing unintentional deletions, in enabling the establishment, exercise or defense of legal claims and in rendering the administration of retention and deletion periods practicable (legal basis for processing: Art. 6 no. 1 lit. f) of the GDPR). We assume that your interests do not conflict with this, because these additional retention periods are appropriate with respect to the interests to be protected. 

14.3.    Unless detailed information on deletion periods has already been provided above, the following general deletion periods will apply in accordance with our data retention and deletion policy. Where data fall under several different deletion periods, the longest will always apply: 

14.3.1.    We will retain customer data for the duration of the customer relationship. After the end of the customer relationship such data will continue to be retained for as long as these data are necessary for the maintenance of the customer account and for the administration of documents or data relating to the customer which fall into any of the categories identified hereinbelow. Otherwise customer data will be deleted after expiry of one year. 

14.3.2.    For compliance with the statutory retention period for commercial letters and tax documents we will retain correspondence, invoices, and other booking documentation for 7 years (NextGuest CRM retains booking documentation for 11 years). 

14.3.3.    We will retain contract-related data and documents for 7 years (11 years for NextGuest CRM) after the end of the contractual relationship in view of the statutory limitation period for claims and statutory document retention obligations for booking receipts. 

14.4.    If the term “erasure” or "deletion" is used in this Privacy Statement, we reserve the right to anonymize the relevant data record, such that it can no longer be assigned to you, instead of complete deletion. 

14.5.    Anonymized data may be processed and used by us and our processors for an unlimited period. The processing and use of anonymized data are not subject to the GDPR and are not the subject of this Privacy Statement.

15. Your Rights 

You as the data subject have certain rights with regard to your personal data, which we will explain to you below: 

15.1.    Right of Access and Information (Art. 15 of the GDPR) - You have the right, where the statutory requirements are met, to request from us at any time, at no cost, confirmation as to whether personal data relating to you is being processed, a copy of this data and comprehensive information on this personal data. This right extends in particular, without limitation, to the purposes of processing, the categories of personal data being processed, the recipients, the storage period and the origin of the data. 

15.2.    Right to Rectification (Art. 16 of the GDPR) - You have the right to request us to rectify incorrect and incomplete personal 

15.3.    Right to be Forgotten (Art. 17 of the GDPR) - You have the right to demand from us the immediate deletion of personal data concerning you, where the statutory requirements are met, if, among other reasons, their storage is no longer necessary or unlawful, if you withdraw your consent on which their storage was based, if you have validly objected to their storage in accordance with Sections 15.7 et seq., if we are obligated to delete them for any other reason or if the data were collected as part of a web service.  If we have made the data public, in addition to deletion of the data, we must also inform other controllers in such cases that you have requested the deletion of this data and all references thereto, insofar as this is reasonable in view of the available technology and the implementation costs. The above obligation does not apply in certain exceptional cases, in particular storage for the purpose of establishing, exercising or defending legal claims. 

15.4.    Right to Restriction of Processing (Art. 18 of the GDPR) - You have the right to request us, where the statutory requirements are met, to restrict the processing of personal data relating to you, for example if you dispute their accuracy, the storage is no longer necessary or is unlawful and you still do not wish to have it deleted or if you have filed an objection to the processing (Sections 15.7 et seq.) as long as it has not yet been established whether our legitimate reasons outweigh yours. 

15.5.    Right to Data Portability (Art. 20 of the GDPR) - If automated processing of personal data occurs solely on the basis of your consent or to fulfil a contract with you or to implement pre-contractual measures, you have the right to require us, subject to statutory requirements, to make available the personal data in relation to yourself that you have provided to you or to a third party you designate, if this is technically feasible, in a structured, current and machine-readable format and not to impede its transfer to a third party. 

15.6.    Right of Objection (Art. 21(1) of the GDPR) - You have the right to require us, where the statutory requirements are met, to no longer process personal data relating to you which we process for the performance of a task which is in the public interest or for the protection of our legitimate interests or those of a third party, if you object to such processing for reasons which arise from your particular situation. In this case we must desist from further processing unless there are compelling grounds for processing which outweigh your interests, or the processing is carried out for the establishment, exercise or defense of legal claims. 

15.7.    Right of Objection to Direct Marketing (Art. 21(2) of the GDPR) - You can object to the further processing of your personal data for direct marketing purposes at any time, and we will consequently refrain from processing them for this purpose. This also applies to profiling insofar as it is associated with such direct marketing. 

15.8.    Automated Decisions (Art. 22 of the GDPR) - We will not make any decisions without your consent which produce legal effects concerning you or similarly significantly affect you and that are based exclusively on automated processing (including profiling). 

15.9.    Guarantees - To the extent that we indicate in this Privacy Policy that guarantees have been agreed to provide an adequate level of protection, you may request copies of the relevant documents from our designated representative within the EU. 

15.10.    Consents - If you consent to processing, this is voluntary, unless we inform you otherwise in advance, and the refusal of consent will not be sanctioned. You can withdraw your consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Processing on a legal basis other than your consent will also be unaffected by such withdrawal. However, you may also exercise the above statutory rights in this respect (e.g. the right of objection pursuant to Sections 15.7 et seq.). In particular, you may withdraw any consent to the use of your e-mail address or telephone number for direct marketing at any time and may object to any further use of your e-mail address or telephone number for this purpose at any time, free of charge (other than communication costs payable to your provider). 

15.11.    Right to Lodge a Complaint - You have the right to lodge a complaint with a supervisory authority. This may include, among others, the supervisory authority responsible for your place of residence or the supervisory authority generally responsible for us (Sections 1.3 and 2.3). 

15.12.    Contact - You can contact us in any form to exercise your rights, in particular to withdraw any consent you may have given, and especially our representative in the European Union also. You may be required to identify yourself to us as a data subject to exercise your rights. 

16.    Security 

We have taken extensive, state-of-the-art technical and organizational measures to protect your personal data from unauthorized access and misuse. 

17. Changes to this Privacy Statement   

In the event of future changes to this Privacy Statement, you can retrieve old versions and information on the periods for which they were valid here.   

Last revised: December 16, 2019