Steigenberger Spa GmbH strives to the best of its ability to ensure that the information contained on this Internet site is accurate and appropriate. However, it does not assume any liability or guarantee for the accuracy, validity, or completeness of the information provided. Furthermore, Steigenberger Spa GmbH is not responsible for the content of the external websites that are hyperlinked. Steigenberger Spa GmbH reserves the right to change or expand the information provided here without notification.
The content of Steigenberger Spa GmbH’s website is protected by copyright. The distribution of information, especially the use of texts, text excerpts, or images, requires prior written authorization from Steigenberger Spa GmbH.
Responsible for the content:
Steigenberger Spa GmbH
Lyoner Str. 25
60528 Frankfurt am Main
Germany
Executive Board: Kai H. Gehrmann
Value added tax identification number (Germany): DE187077296
Corporate headquarters: Frankfurt – HR: 42780
Registry court: Amtsgericht Frankfurt am Main
Data protection & security
I. Information on processing of personal data
With the information provided below, we would like to give you an overview, in accordance with Articles 13 and 14 GDPR, of how your personal data are processed when you use our website www.thespa.steigenberger.com and to inform you of your rights under data protection legislation.
1. Controller for data processing
The controller for data processing on this website pursuant to Article 4 No 7 GDPR and the provider of the website (service provider) within the meaning of the German Tele Media Act (Telemediengesetz – TMG) is
Steigenberger Spa GmbH
Lyoner Straße 25
60528 Frankfurt am Main
Tel.: +49 69 215-908
Fax: +49 69 215-996
E-mail: firstname.lastname@example.org
Managing Director: Kai H. Gehrmann
Value-added tax identification number: DE187077296
Company registered office: Frankfurt am Main – HRB 42780
Registration court: Local court of Frankfurt am Main
2. Contact details of the Data Protection Officer
You can reach our Data Protection Officer at
3. Purposes and legal basis for processing personal data
We process your personal data in accordance with the provisions of the EU General Data Protection Regulation (GDPR), the new German Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG-new) as well as all other relevant legislation for the purposes and on the legal basis as set out below:
(a) For processing and managing booking requests and bookings as well as for providing our services in carrying out booked spa treatments, including payments – the legal basis for this is the first sentence of Article 6(1)(b) GDPR.
(b) For fulfilling a legal obligation to which our company is subject as controller (e.g. by tax laws, accounting obligations, etc.) – the legal basis for this is the first sentence of Article 6(1)(c) GDPR.
(c) For sending our e-mail newsletter including managing your subscription to the newsletter – the legal basis for this is your consent pursuant to the first sentence of Article 6(1)(a) GDPR.
(d) For executing and managing your membership in our Club100 – the legal basis for this is your consent pursuant to the first sentence of Article 6(1)(a) GDPR.
(e) For direct advertising of our offerings and services – the legal basis for this is the first sentence of Article 6(1)(f) GDPR. Our overriding legitimate interest follows from Recital 47 of the GDPR.
(f) For ensuring compliance with house rules, for preventing and clarifying criminal acts (in particular also by video monitoring), for establishing and defending against legal claims and for safeguarding interests in legal disputes, for ensuring IT security and IT operation, for identifying credit risks – the legal basis for this is the first sentence of Article 6(1)(f) GDPR. Our overriding legitimate interests follow from our obligation to ensure that our guests have a safe stay in the hotel as well as from our interest in enforcing our tangible and intangible claims, safeguarding our rights and defending against unjustified claims. Furthermore, the processing of personal data in the scope which is absolutely required to prevent fraud pursuant to Recital 47 of the GDPR likewise constitutes a legitimate interest of our company.
Minors
Minors may not send any personal data to us without the consent of their parents or guardians. Through our website, we do not process any personal data knowingly acquired from minors.
4. Categories of personal data recipients
If and to the extent required for the purposes as set out above under item 3, we also disclose your personal information to the following recipients or categories of recipients pursuant to Article 4 No 9 GDPR:
Within our company only those persons or entities are permitted to view or access your data (to the extent required in each case) who need such data for performance of our contractual and statutory duties.
The service providers (e.g. as part of contract processing pursuant to Article 28 GDPR) and agents engaged by us may receive personal data for these purposes. These are undertakings from the categories credit services and payments processing, IT services, cleaning services, logistics, printing services, telecommunications, collecting, advising and consulting as well as distribution and marketing.
Further data recipients may be those entities for which you have given us your consent to data transfer.
5. Transfer of personal data to a third country
A transfer of personal data to entities in countries outside the European Union (third countries) takes place if
(a) it is prescribed by law, or
(b) you have given us your consent.
For certain tasks, our company uses service providers which have their corporate seat in a third country, which belong to an international group with companies in third countries, or which for their part work together with service providers having their seat in a third country. A transfer of personal data to such service providers is permissible if the European Commission has decided that the third country in question ensures an adequate level of protection (pursuant to Article 45 GDPR). If the Commission has not made such a decision, our company or the service provider may transfer personal data to a third country or an international organisation only if appropriate safeguards are provided for and enforceable data rights and effective legal remedies are available (Article 46(1) GDPR). Beyond the cases mentioned above, our company does not transfer personal data to entities in third countries or to international organisations.
6. Period of storage of personal data and criteria for defining such period
We process and store your personal data for as long as required for us to fulfil our contractual and legal duties. If the data are no longer required for fulfilment of contractual duties, they are normally deleted unless their further processing for a limited term is required by retention periods prescribed by commercial or tax legislation (including the German Commercial Code (Handelsgesetzbuch – HGB), German Tax Code (Abgabenordnung – AO)). The periods prescribed there for storage and/or documentation purposes range from two to ten years.
7. Your rights as a data subject
Every data subject whose personal data are processed has the right to obtain information from the controller about the personal data in question pursuant to Article 15 GDPR, the right to rectification pursuant to Article 16 GDPR, the right to erasure pursuant to Article 17 GDPR, the right to restriction of processing pursuant to Article 18 GDPR, the right to object to the processing pursuant to Article 21 GDPR as well as the right to data portability pursuant to Article 20 GDPR. The right to obtain information and the right to erasure are further subject to the restrictions pursuant to sections 34 and 35 BDSG-new.
Further information on your right to object to processing pursuant to Article 21 GDPR.
If the processing of your personal data is based on a consent granted to us, you have the right to revoke your consent at any time without the legality of the processing performed on the basis of such consent up to revocation being affected thereby.
You also have the right to lodge a complaint with the competent data protection supervisory authority pursuant to Article 77 GDPR in conjunction with section 19 BDSG-new.
8. Requirement to provide data
You are not required to provide any personal data when using our website. If you would like us to contact you, then we need at least (i) your name, and (ii) your telephone number or your email address.
9. Automated decision-making and profiling
When establishing and executing our contractual relationship, you will not be subjected to a decision based solely on automated processing, including profiling, pursuant to Article 22 GDPR, which produces legal effects concerning you or similarly affects you in a serious way.
10. Additional information on your right to object pursuant to Article 21 GDPR
You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning yourself which is based on the first sentence of Article 6(1)(e) GDPR (data processing in the public interest) or the first sentence of Article 6(1)(f) GDPR (data processing based on a balancing of interests), including profiling based on those provisions pursuant to Article 4(4) GDPR.
If you make an objection, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or for the establishment, exercise or defence of legal claims.
If your personal data are processed by us for direct marketing purposes, you have the right to object at any time to processing of personal data concerning yourself for such marketing, which includes profiling to the extent that it is related to such direct marketing.
The objection may be made without any particular form and should be directed to our Data Protection Officer under the contact details specified in item 2 above.
II. Additional information on data processing on this website
1. Bookings for treatment appointments
For making bookings and managing treatment appointments, we use a software solution by the provider Booker Software Inc. 165 Broadway #107, New York, New York USA. We have established with this provider the required legal agreements for data protection with regard to order processing, including an agreement based on the EU standard contractual clauses.
2. E-mail newsletter
With the e-mail newsletter we keep you regularly informed about your preferred offers and services belonging to our company.
If you wish to receive the e-mail newsletter, we will need a valid email address for you. For those registering for our newsletter, we use what is known as the double-opt-in procedure. That means that after your registration we send an e-mail to the e-mail address specified, in which we ask you to confirm that you wish to be sent the newsletter. If you do not confirm your registration within 2 weeks, your information is blocked and, after one month, automatically deleted. Moreover, we store in each case the IP addresses you used and the times of log-on and confirmation. The purpose of the procedure is to be able to prove your registration and where necessary to clarify any potential misuse of your personal data.
As a subscriber to the e-mail newsletter, you may at any time revoke your consent to the processing of your e-mail address for sending the newsletter. Consent may be revoked via the link provided for this purpose in each e-mail newsletter or by sending an e-mail with the subject "unsubscribe" to TheSpa@steigenberger.com.
3. Contact form and E-Mail contact
Type and extent of data processing
There is a contact form on our website that can be used for contacting us electronically. If the user uses this option, the data entered into the entry form will be transferred to us and stored. At the time such a message is sent, the following data is stored:
1. The user's IP address
2. Date and time that the message was sent.
In order to process the data, you will be asked for your consent to this data protection declaration at the time of sending a message.
Alternatively, you can contact us with the provided email address. In such a case, the personal data that the user transfers in the email will be stored.
No data is transferred to third parties in this context. The data is used only to manage the conversation.
Legal basis for data processing
Where the user has given consent, the legal basis for the processing of data is article 6 paragraph 1 (a) GDPR. The legal basis for the processing of data that is transferred when sending an email is article 6 paragraph 1 (f) GDPR. If the email contact is made in order to complete an order, the additional legal basis for the data processing is article 6 paragraph 1 (b) GDPR.
Purpose of the data processing
We process personal data from the entry form solely for the purpose of facilitating communication. Where contact is made via email, this also constitutes the required legitimate interest in processing the data. Additional personal data that is processed in sending an email serves to prevent misuse of the contact form and to ensure the security of our information technology systems.
Duration of data storage
The data is deleted as soon as it is no longer required to achieve the purpose for which it was collected. For personal data from the contact form and personal data that is sent via email, this is the case when the conversation with the user is concluded. The conversation is concluded when it becomes clear based on the circumstances that the matter at hand has been finally resolved. Additional personal data collected in sending an email will be deleted at the latest after a period of seven days.
Possibilities for filing an objection or claim for removal
The user has the possibility of retracting his or her consent for personal data to be processed at any time. If the user contacts us via email, he or she can object to personal data being stored at any time. If this occurs, then the conversation cannot be continued. In such a case, all personal data stored during the conversation will be deleted.
Specifically, we use the following types of cookies:
The data processed by cookies are required for the aforementioned purposes of safeguarding our legitimate interests as well as those of third parties pursuant to the first sentence of Article 6(1)(f) GDPR.
In your browser settings you may allow cookies to be stored only if you give your consent. Most browsers accept cookies automatically. However, you may configure your browser in such a way that no cookies are stored on your computer or that a notice is always displayed before a new cookie is created. But completely deactivating cookies may mean that you cannot use all functions of our website. If you wish to use only Steigenberger cookies but do not wish to accept cookies of partners, please select the option "Block cookies of third-party providers" in your browser. The help function in the drop-down menu of your web browser shows you how to reject cookies and how to disable cookies already received. In the case of shared-use computers that accept cookies and flash cookies, we recommend always logging off completely after the end of the session.
5. Analysis tools
The tracking measures used by us as specified below are performed on the basis of the first sentence of Article 6(1)(f) GDPR. With the tracking measures used we want to ensure that our website is designed to meet the needs of users and optimised on a continuous basis. We moreover use the tracking measures to statistically record the use of our website and to evaluate such use to optimise our offering for you. Such interests are to be deemed legitimate within the meaning of the aforementioned provision. The respective data processing purposes and data categories can be found in the relevant statements on such tracking tools.
6. Inclusion of third-party services and content (e.g. YouTube and Google Maps)
Third-party content such as videos from YouTube or maps from Google Maps (hereafter referred to as “Third Party Providers”) is included in this website. To use such content, the user’s IP address must, for technical reasons, be sent to the respective Third Party Provider, since without the IP address the Third Party Providers would not be able to send the content included in the website to the browser of the respective user. We do not have any control over whether a Third Party Provider stores the IP address e.g. for statistical purposes or otherwise.
Current version and updating of this Privacy Policy
This Privacy Policy shall apply with effect from 22 May 2018.
We will update this Privacy Policy from time to time to reflect relevant changes to our website, changes in the processing of personal data or amendments to legislation. The revised version shall apply as of the published effective date. In the event of any material amendments to this Privacy Policy, we will inform you in good time prior to the effective date of such amendments by posting a notice on our website. Where applicable, we will also inform our guests of the amendments by e-mail or other means.