Data protection information about the processing of your personal data in the a&o Hostels & Hotels

With this data protection notice we would like to inform you as a guest of our hostel (for the sake of simplicity the term "hostel" will be used uniformly for our hostels and hotels in the following) or visitor about the collection, processing and storage of your personal data in our hostels within Europe.

One of the aims of the European Data Protection Basic Regulation (hereinafter abbreviated as DSGVO) and the respective national data protection laws is to ensure that persons affected by data processing are aware of the extent to which their personal data are processed.

Personal data are data that are related to your person or allow an inference to your person (for example your name, your date of birth or your cell phone number). In the following we will refer to this data in short as "data". This always refers to personal data. In the following, "processing of data" refers to any collection, storage or other use of data.

  1. Responsibility and contact persons

    a) Responsible for the general data processing in our hostels

    The person responsible for processing your personal data when you visit one of our hostels is the respective a&o operating company in accordance with the DSGVO. The list of operating companies can be found here.

    b) Data protection officer

    For all questions regarding data protection in connection with data processing in the hostels, you can also contact our data protection officer at any time. He can be reached at the e-mail address: [email protected]

  2. Data that we process and that we collect from you

    We collect the following personal data in our hostels:

    • Your personal data in the registration forms: With these we collect in particular the date of arrival and expected departure, first name and surname, date of birth, nationality, address, number of fellow travellers and their nationality and - for foreign persons - the serial number of the passport or passport replacement;
    • Your personal data when paying by card: host costs, date, bank and credit card data (encrypted);
    • Your personal data that you provide to receive the Traveller Card billing address, phone number, email address, Traveller Card category;
    • Data on the use of electronic hostel room keys to ensure the safety of our guests and to document unauthorized access;
    • license plate for parking service;
    • Data that you can voluntarily provide in the context of customer satisfaction surveys;
    • WLAN connection data;
    • Video recordings to maintain security.
  3. Purposes for which we process your data and legal basis

    We process personal data in accordance with the provisions of the European Data Protection Regulation (DS-GVO) and the respective national data protection laws.

    Your personal data will be processed for the following purposes:

    • To perform the check-in. The legal basis for this is Art. 6 para. 1 lit. b DSGVO.
    • For accommodation. The legal basis for this is art. 6 par. 1 lit. b DSGVO.
    • For payment processing. The legal basis for this is Art. 6 para. 1 lit. b DSGVO.
    • For the fulfillment of contracts or provision of services by service providers. The legal basis for this is Art. 6 para. 1 lit. b DSGVO.
    • For providing special services to regular customers (Traveller Card). The legal basis for this is Art. 6 para. 1 lit. b DSGVO.
    • To meet legal obligations. (Right to report, information and notification obligations, tax law, commercial law). The legal basis for this is Art. 6 para. 1 lit. c DSGVO.
    • In the context of a balancing of interests. Where necessary, we also process personal data to protect the legitimate interests of our company or the legitimate interests of third parties.

    This includes:

    • internal evaluations and analyses as well as marketing measures
    • Assertion, exercise or defense of legal claims
    • prevention of or preservation of evidence of criminal offences (video surveillance recordings)
    • Guarantee of IT security and IT operation

    The legal basis for this is Art. 6 para. 1 lit. f DSGVO

    • For the dispatch of existing customer advertising. If you have used our services before, we will send you advertising related to them. The legal basis for this data processing is Art. 6 para. 1 letter f DSGVO based on our interest in existing customer advertising.
  4. Transfer of your data

    We restrict access to your personal information to those employees who need it to perform services for you:p>

    • Accounting
    • IT
    • Marketing>/li>
    • Reception

    All our employees are trained in data protection and are obliged to handle your data properly. We continually monitor compliance with data privacy and take disciplinary action if we determine that personal information is being improperly handled. Part of the data processing may be carried out by our service providers. In particular, these may include data centers that store our website and databases, IT service providers that maintain our systems, and consulting firms. If we pass on data to our service providers, they may use the data exclusively for the fulfilment of their tasks. These service providers have been carefully selected and commissioned by us. They are contractually bound to our instructions, have suitable technical and organizational measures in place to protect the rights of the persons concerned and are regularly monitored by us. In the area of card payment (direct debit/girocard/credit card) we work together with Concardis GmbH, Helfmann-Park 7 65760 Eschborn.

    In addition, disclosure may occur in connection with governmental inquiries, court orders, and legal proceedings if necessary for law enforcement or prosecution.

  5. Storage duration

    In principle, we store personal data only as long as necessary to fulfill contractual or legal obligations for which we have collected the data. Afterwards, we delete the data immediately, unless we need the data until the expiry of the statutory limitation period for evidence purposes for civil law claims or because of statutory storage obligations. For evidence purposes, we must retain contract data for a further three years from the end of the year in which the business relationship with you ends. Any claims shall become statute-barred after the statutory standard period of limitation at this point in time at the earliest. Even after this period, we still have to store some of your data for accounting reasons. We are obliged to do so because of legal documentation requirements, which may differ from country to country. The periods stipulated there for the retention of documents range from two to ten years. In principle (with some country-specific exceptions), registration forms are kept for one year from the day of arrival and are destroyed within three months of the retention period. However, longer retention periods may apply to registration forms, which also serve to collect tourism and spa fees, due to municipal statutes.

    Video recordings in public areas will be automatically overwritten after one week with the recordings made at that time, unless a permanent backup is made beforehand due to a known significant incident.

  6. Special feature in Italy, Czech Republic and Hungary

    In our accommodation facilities in Italy, the Czech Republic and Hungary, we are required by law to transmit recorded registration data electronically to the registration authorities.

    6a. Biometric capture in Berlin Mitte and Amsterdam

    In our accommodation facilities in Berlin Mitte and Amsterdam, we collect biometric data of persons in a test run in the lobby. We use the "AdPack" system from IDA Indoor Advertising GmbH (IDA) for this purpose. The collection serves the purpose of presenting our guests with content such as advertisements on the monitor in the lobby, which is matched to the gender and age group of the majority of people in the monitor's field of vision. For this purpose, the person standing in front of the camera is registered and evaluated according to gender and age group. The images captured by the camera are temporarily stored for 150 milliseconds and then deleted. Neither a&o, nor IDA nor any other third party gets access to the camera images. Only statistical data for the parameters "gender" and "age group" are stored. It is not possible to draw conclusions about the actual persons recorded.

  7. Your rights

    You have the right to request information about the processing of your personal data by us at any time. In the course of providing you with this information, we will explain the data processing to you and provide you with an overview of the data stored about your person. If data stored by us is incorrect or no longer current, you have the right to have this data corrected. You can also request the deletion of your data. If, in exceptional cases, deletion is not possible due to other legal regulations, the data will be blocked so that you are only available for this legal purpose. You can also have the processing of your data restricted, e.g. if you are of the opinion that the data we have stored is incorrect. You also have the right to data transferability, i.e. that we send you a digital copy of the personal data you have provided us with on request. In order to make your rights as described here applicable, you can contact us at any time using the contact details given above. This also applies if you wish to receive copies of guarantees to prove an adequate level of data protection. In addition, you have the right to object to data processing based on Art. 6 para. 1 letter e or f DSGVO. Finally, you have the right to complain to the data protection supervisory authority responsible for us. You can assert this right at a supervisory authority in the member state of your residence, your place of work or the place of the suspected infringement. The European Commission's overview of the competent data protection authorities for the respective hostel locations can be found here.

  8. Right of revocation and objection

    By revoking the consent, the legality of the consent until the revocation is to be expected, not to be done. Insofar as we process your data on the basis of interests, interests, Art. 6 Para. 1 lit. f DSGVO, you have the right to object to the exercise of your data payment control, refusal of authorization, which is based on your own situation, which results from the direct situation, which relates to the direct objection, see Art. 21 DSGVO. Last autumn you have a general right of objection, which will be owned by us even without specifying. If you have concerns about the right of revocation or objection, you should send an informal message to the contact details given above.

  9. Data security

    We maintain current technical measures to ensure data security, in particular to protect your personal data from the dangers of data transfers and from third parties gaining knowledge. These are adapted to the current state of the art. To secure the personal data you provide on our website, we use Transport Layer Security (TLS), which encrypts the information you have entered.

  10. Changes to the privacy policy

    We update this data protection declaration from time to time, for example if we adapt our website or if the legal or official requirements change.