We are delighted to learn of your interest in our company. Data protection is a particularly high priority for the Puschkinhaus Mühlhausen GmbH management team. As a general rule, you can use the Puschkinhaus Mühlhausen GmbH website without having to divulge any personal data. However, if an individual using our website wishes to utilise special services of our company via the site, the need to process personal data could arise. If it becomes necessary to process personal data and no legal basis for such processing has been established, we would generally obtain the consent of the individual concerned.
The processing of personal data, such as the name, address, email address, or telephone number of a data subject shall always be in line with the General Data Protection Regulation (GDPR), and in accordance with the country-specific data protection regulations applicable to Puschkinhaus Mühlhausen GmbH. By means of this data protection declaration, our enterprise would like to inform the general public of the nature, scope, and purpose of the personal data we collect, use and process. Furthermore, data subjects are informed, by means of this data protection declaration, of the rights to which they are entitled.
As the data controller, Puschkinhaus Mühlhausen GmbH has implemented various technical and organizational measures to ensure the highest level of protection for the personal data processed through this website. However, while we take every precaution to protect your personal data, security vulnerabilities are inherent to Internet-based data transmission and it is not possible to eliminate all risks. In acknowledging the inherent vulnerability of Internet-based data transmission, we would like to give you the option of transmitting your personal data to us via alternative means, e.g. by phone.
1. Definition of terms
a) Personal data
Personal data refers to any information relating to an identified or identifiable individual (hereinafter referred to as the “data subject”). An identifiable individual is someone who can be identified, either directly or indirectly, by referencing an identifier such as a name, identification number, location data, online identifier, or one or more specific factors that express the physical, physiological, genetic, mental, economic, cultural, or social identity of that individual.
b) Data subject
The data subject is any identified or identifiable individual whose personal data is processed by the data controller.
Processing refers to any operation or series of operations carried out, whether by automated means or not, pertaining to personal data. This includes collecting, recording, organising, structuring, storing, adapting, altering, retrieving, consulting, using, disclosing by transmission, disseminating, or otherwise making available, aligning or combining, restricting, erasing, or destroying personal data.
d) Restriction of processing
Restriction of processing means deliberately marking stored personal data with the aim of limiting their future processing.
Profiling refers to any type of automated processing of personal data that involves using such data to evaluate specific personal aspects relating to an identified or identifiable individual. This includes analysing or predicting aspects of a person’s work performance, economic situation, health, personal preferences, interests, reliability, behaviour, location, or movements.
Pseudonymisation refers to processing of personal data in such a way that the data can no longer be attributed to a specific data subject without additional information, provided that such additional information is kept separately and subject to technical and organisational measures to ensure that the personal data is not attributed to an identified or identifiable individual.
g) Controller or person responsible for processing
The controller or person responsible for processing is the individual or legal entity, public authority, agency or other body which, solely or jointly alongside others, determines the purposes and means of the processing of personal data. If the purposes and means of such processing are determined by Union or Member State law, the controller may be designated by Union or Member State law, or by specific criteria laid down in Union or Member State law.
h) Data processor
A data processor is an individual or legal entity, public authority, agency, or other entity that processes personal data on behalf of the data controller.
A recipient is an individual or legal entity, public authority, agency, or other body to whom personal data is disclosed, whether a third party or not. Authorities that may receive personal data in the context of a specific investigation and in accordance with Union or Member State law are not considered recipients.
j) Third party
A third party is an individual or legal entity, public authority, agency, or other entity other than the data subject, the controller, the processor, and the persons who are authorised to process personal data under the direct responsibility of the controller or processor.
Consent refers to any freely given, specific, informed, and unambiguous indication of the data subject’s wishes, by which he or she, via a statement or clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
2. Name and address of the data controller
The data controller, as defined by the General Data Protection Regulation, other data protection laws applicable in Member States of the European Union, and other provisions pertaining to data protection, is:
Puschkinhaus Mühlhausen GmbH
Tel.: +49 (0)3601 402 204
3. Name and address of the Data Protection Officer
The Data Protection Officer of the Data Controller is:
Puschkinhaus Mühlhausen GmbH
Tel.: +49 (0)3601 402 206
Any data subject may contact our data protection officer directly at any time with any questions or suggestions regarding data protection.
4. Collection of general data and information
The website of our restaurant/hotel, Puschkinhaus Mühlhausen GmbH, automatically collects a series of general data and information whenever a data subject or automated system accesses the system. These general data and information are stored in the server log files. The following information may be collected when a data subject or automated system accesses our restaurant/hotel’s website: (1) the type and version of the browser used, (2) the operating system used by the accessing system, (3) the website from which the accessing system accessed our website (known as the referrer), (4) the sub-pages accessed on our website by the accessing system, (5) the date and time of access to our website, (6) an internet protocol (IP) address, (7) the internet service provider of the accessing system, and (8) other similar data and information used to prevent attacks on our IT systems.
The Puschkinhaus Mühlhausen GmbH company does not use these general data and information to draw conclusions about the data subject. The purpose of collecting this information is to (1) ensure that the content of our website is correctly displayed, (2) optimise the content of our website and its advertising, (3) ensure the permanent functionality of our IT systems and the technology of our website, and (4) provide law enforcement agencies with the information they need to initiate criminal prosecution in the event of a cyberattack. The Puschkinhaus Mühlhausen GmbH collects and evaluates this information in anonymised form for statistical purposes and to improve our data protection and data security measures. This helps ensure an optimal level of protection for the personal data we process. The anonymised data from server log files is stored separately from any personal data provided by a data subject.
5. Scope for contact via the website
To comply with legal requirements, the Puschkinhaus Mühlhausen GmbH website includes information to facilitate swift electronic contact with our company and direct communication with us. This includes a general email address for electronic mail (email). If a data subject contacts the data controller via email or a contact form, the personal data transmitted by the data subject will be automatically stored. Data voluntarily provided and transmitted by a data subject to the data controller are stored for the purpose of processing or contacting the data subject. None of this personal data is disclosed to any third party.
6. Routine deletion and blocking of personal data
The controller processes and stores personal data of the data subject only for the period necessary to achieve the storage purpose or as provided by the European directives and regulations legislator or another legislator in laws or regulations to which the controller is subject.
If the purpose of the storage no longer applies or if a storage period prescribed by the European directives and regulations or any other competent legislator expires, the personal data are routinely blocked or deleted in accordance with the statutory provisions.
7. Rights of data subject
a) Right to confirmation
The European legislator grants every data subject the right to obtain confirmation from the controller as to whether or not personal data concerning him or her are being processed. If a data subject wishes to exercise the right to confirmation, they may contact an employee of the data controller at any time.
b) Right to information
The European legislator grants any individual whose personal data is being processed, the right to obtain from the data controller, at any time and free of charge, information about the personal data stored about them and a copy thereof. The European legislator also grants the data subject the right to obtain the following information:
- Purposes of processing
- Categories of personal data that are processed
- The recipients or categories of recipients to whom the personal data have been or will be disclosed, particularly with respect to recipients in third countries or international organisations
- If possible, the planned duration for which the personal data will be stored or, if this is not possible, the criteria for determining this duration
- The existence of a right to obtain rectification or deletion of personal data concerning them or obtain the restriction of processing by the controller or a right to object to such processing
- The existence of a right of appeal to a supervisory authority
- And if the personal data is not collected from the data subject: All available information on the origin of the data
- The existence of automated decision-making, including profiling, pursuant to Article 22(1) and (4) of the GDPR and, at least in these cases, meaningful information concerning the logic involved and the scope and intended effects of such processing for the data subject
The data subject also has the right to be informed whether personal data has been transferred to a third country or an international organisation. In the event of such transfer taking place, the data subject has the right to be informed about any appropriate safeguards relating thereto.
If a data subject wishes to exercise this right of access, he or she may contact any employee of the data controller at any time.
c) Right to rectification
The European legislator grants every person concerned by the processing of personal data the right to promptly obtain rectification of any inaccurate personal data concerning him or her. Furthermore, the data subject has the right to have incomplete personal data completed, including via a supplementary statement, keeping the purposes of the processing in mind.
If a data subject wishes to exercise this right of rectification, they may contact an employee of the data controller responsible for the processing at any time.
d) Right to deletion (Right to be forgotten)
The European legislator has granted to each person whose personal data is being processed the right to demand the immediate deletion of their personal data from the controller provided any of the following grounds applies and the processing is not necessary:
- The personal data have been collected or otherwise processed for purposes which no longer apply.
- The data subject has withdrawn consent on which the processing is based, pursuant to point (a) of Art. 6(1)(a) GDPR or point (a) of Art. 9(2)GDPR, and where no other legal grounds exist for the processing.
- The data subject objects to the processing pursuant to Article 21(1) GDPR and no overriding legitimate grounds exist for the processing, or the data subject objects to the processing pursuant to Article 21(2) GDPR.
- The personal data have been processed unlawfully.
- The deletion of personal data is necessary to comply with a legal obligation under Union law or the law of the Member States to which the controller is subject.
- The personal data were collected in relation to information society services offered pursuant to Art. 8(1) GDPR.
If one of the abovementioned reasons applies and a data subject wishes to request the deletion of personal data stored by Puschkinhaus Mühlhausen GmbH, they can contact an employee of the data controller at any time. The relevant employee at Puschkinhaus Mühlhausen GmbH will ensure prompt compliance with the request for deletion.
If personal data has been made publicly accessible by Puschkinhaus Mühlhausen GmbH, and our company is obliged to delete the same as the controller, pursuant to Art. 17(1) of the GDPR, Puschkinhaus Mühlhausen GmbH shall take reasonable steps, including technical measures and taking available technology and implementation costs into account, to inform other data controllers processing the published personal data that the data subject has requested that they delete all links to such personal data or copies or replications of such personal data, provided the processing of the same is not necessary. The relevant employee of Puschkinhaus Mühlhausen GmbH shall take the necessary measures in individual cases.
e) Right to restriction of processing
The European legislator grants every data subject affected by the processing of personal data the right to demand from the controller the restriction of processing provided one of the following conditions is met:
- The accuracy of the personal data is contested by the data subject for a period, enabling the controller to verify the accuracy of the personal data.
- The processing is unlawful, and the data subject opposes the deletion of the personal data and instead requests that their use be restricted.
- The data controller no longer needs the personal data for processing purposes, but the data subject requires them to establish, exercise or defend legal claims.
- The data subject has objected to processing, pursuant to Article 21(1) of the GDPR, pending verification as to whether the legitimate grounds of the controller override those of the data subject.
Provided one of the aforementioned conditions is met and a data subject wishes to request the restriction of personal data stored by Puschkinhaus Mühlhausen GmbH, they may contact an employee of the data controller at any time. The relevant employee of Puschkinhaus Mühlhausen GmbH shall arrange for the restriction of processing.
f) The right to data portability
The European legislator has granted every data subject the right to receive the personal data concerning him or her, which was provided by the data subject to a controller, in a structured, commonly used, and machine-readable format. Furthermore, they have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where the processing is based on consent pursuant to point (a) of Article 6(1) GDPR or point (a) of Article 9(2) GDPR or on a contract pursuant to point (b) of Article 6(1) GDPR, and the processing is carried out by automated means, provided the processing is not necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
Furthermore, when exercising the right to data portability pursuant to Article 20(1) of the GDPR, the data subject shall have the right to ensure that the personal data is transmitted directly from one controller to another, where technically feasible and provided this does not adversely affect the rights and freedoms of others.
The data subject may contact the relevant employee of Puschkinhaus Mühlhausen GmbH at any time to exercise the right to data portability.
g) Right to objection
The European legislator grants every individual affected by the processing of personal data the right to object to the processing of their personal data, which is carried out on the basis of point (e) or (f) of Article 6(1) of the GDPR, for reasons arising from their particular situation. This also applies to profiling based on these provisions.
In the event of any objection, Puschkinhaus Mühlhausen GmbH shall no longer process the personal data, unless we can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or the processing serves the establishment, exercise or defence of legal claims.
If Puschkinhaus Mühlhausen GmbH processes personal data for the purpose of direct marketing, the data subject has the right to object at any time to the processing of personal data for the purpose of such advertising. This also applies to profiling, insofar as it is related to such direct advertising. If the data subject objects to the processing by Puschkinhaus Mühlhausen GmbH for direct marketing purposes, the personal data shall no longer be processed for such purposes.
Moreover, the data subject has the right to object, on grounds relating to their particular situation, to the processing of personal data concerning them by the Puschkinhaus Mühlhausen GmbH for scientific or historical research purposes or statistical purposes pursuant to Article 89(1) of the GDPR, unless the processing is necessary for the performance of a task carried out for reasons of public interest.
The data subject can exercise their right to object by contacting any employee of Puschkinhaus Mühlhausen GmbH or another employee directly. The data subject is also free to exercise their right to object in relation to the use of information society services, notwithstanding Directive 2002/58/EC, via automated procedures using technical specifications.
h) Automated decision-making when conducting individual profiling
The European legislator grants every person affected by the processing of personal data the right not to be subject to a decision based solely on automated processing, including profiling, that has legal effects on them or similarly significantly affects them, unless the decision (1) is necessary to conclude or execute a contract between the data subject and the controller, (2) is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests, or (3) is based on the data subject’s explicit consent.
If the decision (1) is necessary to conclude or execute a contract between the data subject and the controller or (2) is made with the explicit consent of the data subject, Puschkinhaus Mühlhausen GmbH shall take appropriate measures to safeguard the rights, freedoms, and legitimate interests of the data subject, including at least the right to obtain intervention of a person on the part of the controller, to express their point of view and to contest the decision.
If the data subject wishes to exercise rights related to automated decisions, they can contact an employee of the controller responsible for processing at any time.
i) Right to revoke a data protection consent
The European legislator grants every person whose personal data is being processed the right to withdraw their consent to the processing of their personal data at any time.
If the data subject wishes to exercise the right to withdraw consent, he or she may, at any time, contact any employee of the data controller.
8. Data protection in applications and in the application process
The controller collects and processes the personal data of applicants for the purpose of handling the application process. The processing may also be carried out electronically. This applies in particular if an applicant submits the corresponding application documents electronically, for example via email or an online form on the responsible party’s website. If the controller concludes an employment contract with an applicant, the data transmitted will be stored for the purpose of processing the employment relationship in compliance with legal requirements. Provided the data controller does not enter into an employment contract with the applicant, the application documents will be automatically deleted two months after the announcement of the rejection decision, provided that there are no other legitimate interests of the data controller that would preclude deletion. Other legitimate interest in this sense may include, for example, an obligation to provide evidence in a procedure under the General Equal Treatment Act (AGG).
9. Legal basis for processing
Point (a) of Article 6(1) of the GDPR serves as the legal basis for processing operations in which we obtain consent for a specific processing purpose in our company. If the processing of personal data is required to execute a contract to which the data subject is a party, such as when processing operations necessary to supply goods or provide any other service or consideration, the processing is based on point (b) of Art. 6(1) GDPR. The same applies to the processing operations required to implement pre-contractual measures, for example when inquiries about our products or services are received. If our company is subject to a legal obligation that requires the processing of personal data, such as fulfilling tax obligations, the processing is based on point (c) of Art. 6(1) GDPR. In rare cases, the processing of personal data may be necessary to protect the vital interests of the data subject or another natural person. This would apply, for example, if a visitor to our company were to be injured and his or her name, age, health insurance data or other vital information would have to be passed on to a doctor, hospital or other third party. Accordingly, the processing would be based on point (d) of Art. 6(1) GDPR. Finally, processing operations could be based on point (f) of Art. 6(1) GDPR. This legal basis is used for processing operations which are not covered by any of the abovementioned legal grounds, if processing is necessary for the purposes of the legitimate interests pursued by our company or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data. We are specifically permitted to carry out such processing operations because they were explicitly cited by the European legislator. He or she believed that a legitimate interest could be assumed, provided the data subject were a customer of the controller (Recital 47, sentence 2 of the GDPR).
10. Legitimate interests pursued by the controller or a third party in the processing
If the processing of personal data is based on point (f) of Article 6(1) GDPR, our legitimate interest refers to the execution of our business activities for the benefit of the well-being of all our employees and shareholders.
11. Duration for which personal data is stored
The criterion for the duration of the storage of personal data is the respective statutory retention period. Once this period has elapsed, the relevant data is routinely deleted, provided that it is no longer necessary to fulfil or initiate a contract.
12. Legal or contractual provisions for the provision of personal data; necessity for the conclusion of a contract; obligation of the data subject to provide the personal data; possible consequences of non-provision
Please note that the provision of personal data may be required by law (e.g. tax regulations) or may result from contractual arrangements (e.g. information about the contractual partner). Sometimes it may be necessary to conclude a contract that the data subject provides us with personal data, which must subsequently be processed by us. The data subject is, for example, obliged to provide us with personal data when our company signs a contract with him or her. Any failure to provide personal data would preclude the ability to enter into a contract with the data subject. Before providing personal data, the data subject must contact one of our employees. In each relevant case, our employee will inform the data subject whether the provision of personal data is required by law or contract, or necessary to conclude a contract, whether there is an obligation to provide the personal data, and what consequences failure to do so would result in.
13. Existence of automated decision-making
As a responsible company, we refrain from automated decision-making or profiling.