Privacy policy of the Hofbräuhaus
Privacy Policy
This privacy policy provides information about the processing of personal data (hereinafter referred to as “data”) in the context of the provision of our services and when you visit our website and social media presences, as well as about the rights to which you are entitled.
External Links
Our website contains links to external third-party websites, e.g. route planner, fan shop, 3D tour. If you follow an external link, we accept no liability or responsibility for the processing of your data on the linked page. Information about this can be found in the data protection guidelines of the respective page. You can recognize external links by the fact that they are marked in a different color, displayed as an image/button or by mouse over checking the link destination (e.g. the address displayed does not contain www.hofbraeuhaus.de).
Accessing the Website
When you access this website, the browser transmits data to us or our server host and stores it temporarily in a log file. These so-called server log files may contain information such as browser type and version, language, time zone, date and time of the visit, name and URL of the subpages accessed, the previously visited page (referrer URL), operating system of the device used (to display the mobile or desktop version) as well as the IP address and name of the provider used.
The legal basis for the processing of this data is Art. 6 Para.h 1 lit. f GDPR, our legitimate interest in processing the data for the purpose of correctly displaying the content, ensuring security and stability, facilitating administration, improving user-friendliness and functionality, e.g. fast loading of our website and avoiding attacks or overloading of the servers.
The processing is expressly not carried out for the purpose of gaining knowledge about you as the data subject. The data in the server log files is stored separately from all data provided by you.
If no further storage is required for evidentiary purposes, the data is automatically deleted or the oldest log file is overwritten.
The data is processed by our website administrator on the basis of a data processing agreement in accordance with Art. 28 GDPR and passed on to the server host as its subcontractor. The servers are located in data centers in Germany.
Communication
Contacting us
In order to enable quick electronic contact and direct communication with us, you will find a general email address and telephone number in our imprint. If you contact us, we will process the data you provide, the content and the history of the communication. The data processing is carried out exclusively for the purpose of processing and answering your request in order to provide you with the information you require. Any further processing of your data for advertising purposes or for market research will only take place with your express consent. This processing is carried out on the basis of our legitimate interest within the meaning of Art. 6 Para. 1 lit. f GDPR or on the basis of Art. 6 Para. 1 lit. b GDPR in the case of a specific request or an existing contractual relationship. After your request has been fully processed and after the statutory retention periods have expired, your data will be deleted unless there are other legally permissible purposes that prevent deletion.
Online Meetings (Microsoft Teams)
If you communicate with us via Microsoft Teams, your personal data may be processed by both us and Microsoft. As soon as you join the meeting or access the Microsoft Teams website, Microsoft is responsible for data processing. Within the EU, this is Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland. Information on data processing by Microsoft can be found at https://www.microsoft.com/en-us/privacy/privacystatement and https://docs.microsoft.com/en-us/microsoftteams/teams-privacy.
We process registration data and participant data (actual participants, start and end times of participation) on the legal basis of Art. 6 Para. 1 lit. f GDPR, our legitimate interest in hold online meetings and making them efficient. If we record a meeting, this is done on the basis of Art. 6 Para. 1 lit. a GDPR, your consent.
In addition, Microsoft processes all technical data required to hold the meeting. This includes in particular IP addresses, MAC addresses, device IDs, device type, operating system type and version, client version, camera type, microphone or loudspeaker, and the type of connection. Please note that we have no influence on the data processing by Microsoft. In particular, under the CLOUD Act, US investigative authorities also have the option of requesting that Microsoft release data stored on servers in the EU. We have concluded a data processing agreement with Microsoft that includes the EU standard contractual clauses. Furthermore, Microsoft is certified according to the EU-US Data Privacy Framework https://www.dataprivacyframework.gov/list.
AI-Chatbot
To improve interaction with our website visitors, we have integrated the chatbot of the provider Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA on our website. If you interact with the chatbot, data will also be processed by the provider. Google stores user data that has been checked and commented on by human reviewers for up to three years. This information is stored separately along with the feedback and related data such as language, device type or location and is not linked to the user’s Google account. The data reviewed by humans is used to create data sets for generative machine learning models and thus improve the responsiveness of the chatbots over time.
The data transfer to the USA is based on the EU standard contractual clauses. Details can be found under https://privacy.google.com/businesses/gdprcontrollerterms/ and https://privacy.google.com/businesses/gdprcontrollerterms/sccs/. Google is also certified under the EU-US Data Privacy Framework. Information on data processing can be found at https://support.google.com/gemini/answer/13594961#privacy_notice
Translation service DeepL
For automated text translation, we use the DeepL Translator Pro service from DeepL GmbH Maarweg 165, 50825 Cologne. You can find more information on data protection at https://www.deepl.com/en/privacy.html. The content of emails and texts that we send to our customers and that we receive from customers in foreign languages may be translated using this service. The data contained in the message is collected. The legal basis for using DeepL is a legitimate interest in accordance with Art. 6 Para. 1 lit. f GDPR. The transfer of data to DeepL is based on Art. 28 GDPR. We have concluded a data processing agreement with DeepL in accordance with Art. 28 GDPR.
Contractual relationship
In order to establish or carry out a contractual relationship with our customers, it is regularly necessary to process the master, contact, order, contract and payment data provided to us. The legal basis for this processing is Art. 6 Para. 1 lit. b GDPR. We also process customer and prospective customer data for evaluation and marketing purposes. This processing is carried out on the legal basis of Art. 6 Para. 1 lit. f GDPR and serves our interest in further developing our offer and informing you specifically about offers for our services. Further data processing can take place if you have consented (Art. 6 Para. 1 lit. a GDPR) or to fulfill a legal obligation (Art. 6 Para. 1 lit. c GDPR).
Regular guests
If you are a regular guest or during the application to become a regular guest or within the application for a Masskrug safe, we process your personal data such as first name, last name, address, telephone number, email address, date of birth for the following purposes: reservation requests / event requests, birthday mailings / offer mailings, allocation / booking of regulars’ tables, allocation / payment of the Masskrug safe, billing in the case of a booking that is made via our merchandise management program.
The legal basis for this data processing is Art. 6 Para. 1 lit. b GDPR, the contractual relationship or contract initiation. Birthday or offer mailings are carried out on the legal basis of Art. 6 Para. 1 lit. f GDPR of our legitimate interests. Further data processing can take place if you have consented (Art. 6 Para. 1 lit. a GDPR) or if this serves to fulfill a legal obligation (Art. 6 Para. 1 lit. c GDPR).
We also save a portrait photo of you to create the regular guest card. The legal basis for this is Art. 6 Para. 1 lit. b GDPR. If we publish photos of you in publicly accessible areas (noticeboards, etc.), we will obtain your consent for this.
Transfer of data
If we work with external third parties, data will only be passed on with legal permission, e.g. if this is necessary for the implementation of the business relationship (contract), we are legally obliged to pass on the data, consent has been given or the transfer is permissible on the basis of a balancing of interests within the meaning of Art. 6 Para. 1 lit f GDPR. If we work with processors or joint controllers, we conclude corresponding contracts or agreements with the recipients of the data (e.g. a contract processing contract in accordance with Art. 28 GDPR).
Online reservations, vouchers
On our website you have the option of reserving a table online for the first floor, the Bräustüberl, or buying vouchers. For this purpose, we use the software tool from the provider RESERViSiON GmbH, Seestr. 29, 64354 Reinheim. We have concluded a data processing agreement with the service provider in accordance with Art. 28 GDPR. You can find further information at https://reservision.de/en/privacy-policy/. For one-time user registration, at least your email address, name and telephone number will be processed, as well as other data you provide, such as the reservation date, number of guests, voucher value. The IP address and payment details will also be processed. Data processing is carried out on the basis of Art. 6 Para. 1 lit. b GDPR.
Payment processing
Stripe
To process payment transactions, we use the Stripe service from the US provider Stripe Inc. The provider for customers within the EU is Stripe Payments Europe, Ltd., 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland. Your name, debit and credit card details, purchase date and amount, and other information provided during the ordering process are processed. The legal basis for this data processing is Art. 6 Para. 1 lit. b GDPR. Stripe can also process the data in the USA. Stripe is certified under the EU-US Data Privacy Framework. Data transfer to the USA is also based on the EU standard contractual clauses https://stripe.com/de/guides/general-data-protection-regulation. Further information on data processing by Stripe can be found at https://stripe.com/de/legal/privacy-center.
PayPal
As a payment option for online orders, we offer PayPal, a service of the European operating company PayPal (Europe) S.à.r.l. et Cie, S.C.A., 22-24 Boulevard Royal L-2449, Luxembourg. By selecting this payment option, you consent to the transmission of personal data required for payment processing. This usually includes first name, last name, address, email address, IP address, telephone number, mobile phone number or other data that is necessary for payment processing. Personal data that is related to the respective order is also necessary for processing the purchase contract.
The purpose of transmitting the data is to process payments and prevent fraud. The data is passed on in accordance with Art. 6 Para. 1 lit. b GDPR and only to the extent that this is necessary for payment processing. PayPal reserves the right to carry out a credit check for the payment methods credit card via PayPal and direct debit via PayPal. For this purpose, your payment data may be passed on to credit agencies in accordance with Art. 6 Para. 1 lit f GDPR on the basis of PayPal’s legitimate interest in determining your ability to pay.
For more information, including on the credit agencies used, see PayPal’s privacy policy: at https://www.paypal.com/us/legalhub/paypal/privacy-full
Reviews
You have the option of leaving us a review anonymously using the table number. If you voluntarily provide personal data, it will be processed on the basis of Art. 6 Para. 1 lit a GDPR or legitimate interests in accordance with Art. 6 Para. 1 lit f GDPR.
Storage period
Your data will be deleted if the circumstances indicate that your request or the matter in question has been conclusively clarified.
If, however, a contract is concluded, we will retain the data required under commercial and tax law for the legally specified periods, i.e. usually ten years (cf. Para. 257 HGB, Para. 147 AO).
In general, the data will be blocked or deleted as soon as the storage purpose no longer applies or the right to deletion under Art. 17 GDPR applies or consent is withdrawn and there are no statutory retention periods or other legally permissible purposes that prevent deletion.
Applications
The data you provide as part of the application will be used exclusively to process the application process. The legal basis is Art. 6 Para. 1 lit. b GDPR, the implementation of pre-contractual measures or, when concluding the employment contract, the fulfillment of the contract. The data will not be passed on to third parties. Your data and the documents sent to us (e.g. cover letter, CV, certificates, qualifications, etc.) will be deleted immediately, but no later than 6 months after completion of the application process (awarding the position to you or another person), unless longer storage is legally required or permitted. In the event that you have agreed to longer storage of your data, we will store it in accordance with your declaration of consent on the legal basis of Art. 6 Para. 1 lit. a GDPR.
Personnel questionnaire
We process data collected via a personnel questionnaire in order to provide information about the applicant’s personality and his or her skills, training and experience. This includes personal information, residence and work permits of foreign applicants, school education, professional experience, type of previous employment, language skills, clothing size, other information, desired employment. The legal basis for data processing is Art. 6 Para. 1 lit. b GDPR, the implementation of pre-contractual measures or, when concluding the employment contract, the fulfillment of the contract. Further processing only takes place if you have consented or there is legal permission. The data will be deleted as soon as the storage purpose no longer applies or the right to deletion according to Art. 17 GDPR applies or consent is withdrawn and there are no statutory retention periods or other legally permissible purposes that prevent deletion.
Guest Wi-Fi
As guest you have the option of using our guest Wi-Fi. General usage data such as the MAC address (= hardware address) of your device, accessed target addresses (IP addresses), data volume transferred, entry and selection times, success or failure of the call are recorded. As far as possible, this data is processed anonymously. The data is processed for the purpose of logging the content accessed via the guest Wi-Fi to ensure operation. The legal basis for the processing of the log data is Art. 6 Para. 1 lit. f GDPR. If you have accepted a contract or terms of use when registering for the guest Wi-Fi, Art. 6 Para. 1 lit. b GDPR is the legal basis for the contractual provision of services (provision of Internet access via the guest Wi-Fi). The data is stored in log files as long as this is necessary for the purpose of data processing or for other legally permissible purposes. If necessary, data will be passed on for criminal prosecution purposes in accordance with Art. 6 Para. 1 lit. c GDPR.
Video surveillance
We have installed several video cameras for visual control in the exercise of our house rules based on legitimate interests in accordance with Art. 6 Para. 1 lit. b GDPR. Places where we use video surveillance are identified by a sign. Our legitimate interests are:
- the prevention of criminal offenses (such as burglary, assault, theft, arson, damage to property, trespassing)
- prevention and investigation of vandalism, or violent crimes such as fights or harassment
- the protection of employees, guests and visitors (e.g. investigation of emergencies and accidents, prevention of fraud, investigation of complaints)
- the securing of company facilities and protection of property
- in the area of incoming and outgoing goods for the purpose of reversing the burden of proof and settling claims (damage to cargo, etc.)
The video recordings are deleted after their purpose has been fulfilled by overwriting them with new recordings. If criminal offenses are detected, data is stored until the criminal prosecution is completed. The data will only be passed on to third parties if we are legally obliged to do so. The data will not be transmitted to third countries. Internally, only a limited number of people have access to the video recordings.
YouTube
We occasionally embed YouTube videos. In order to use YouTube content on our website, you must consent to data processing by YouTube. The legal basis for the processing is Art. 6 Para. 1 lit. a GDPR. You can find Google’s privacy policy here: https://policies.google.com/privacy?hl=en
Google Maps
This website uses the Google Maps service of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA to plan routes and display our location. User data such as your IP address, entered search terms as well as location data and entered start address (when using the route planner function) may also be processed by Google on servers in the USA.
In order to use the content of Google Maps on our website, you must consent to data processing by Google. The legal basis for the processing is Art. 6 Para. 1 lit. a GDPR. Consent can be withdrawn at any time by preventing cookies from being saved using the corresponding settings in your browser. Details can be found above under the heading Cookies.
Google sets at least one cookie (name: NID, purpose: unlocking Google Maps, storage period: 6 months). Google also processes data about your user behavior for its own purposes in order to optimize services and provide personalized advertising.
You can deactivate personalized advertising by Google using the following link https://adssettings.google.com/authenticated. You can find more information about how user data is handled in Google’s privacy policy https://policies.google.com/privacy?hl=en. Data transfer to the USA is based on the EU standard contractual clauses. You can find details here: https://privacy.google.com/businesses/gdprcontrollerterms/ and https://privacy.google.com/businesses/gdprcontrollerterms/sccs/. Google is also certified according to the EU-US Data Privacy Framework.
If Google Maps is activated, Google can use Google Fonts for the purpose of uniform display. When you open Google Maps, your browser loads the required web fonts into your browser cache in order to display texts and fonts correctly. When the map service is activated, data is exchanged with these external addresses: fonts.googleapis.com, fonts.gstatic.com, maps.google.com, google.com, gstatic.com, maps.gstatic.com, maps.googleapis.com
Google Analytics
If you have given your consent, we use Google Analytics 4, a web analysis service provided by Google LLC, on our website. Responsible for users in the EU, EEA and Switzerland is Google Ireland Limited, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland. The information collected via cookies about your use of this website is processed on Google servers. Transmission to the USA is also possible. With Google Analytics 4, the anonymization of IP addresses is activated by default. Due to IP anonymization, your IP address is shortened by Google within EU / EEA member states. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and shortened there. According to Google, the IP address transmitted by your browser as part of Google Analytics will not be merged with other Google data. The data collected is stored for a period of two months and then deleted.
During your visit to the website, your user behavior is recorded in the form of events such as page views, first visit to the website, web pages visited, your “click path”, interaction with the website, scrolls (every time a user scrolls to the end of the page (90%)), clicks on external links, internal searches, file downloads, interaction with videos, ads viewed / clicked, language settings. The following are also recorded: your approximate location (region), date and time of the visit, your IP address (in abbreviated form), technical information about your browser and the devices you use (e.g. language settings, screen resolution), your internet provider, the referrer URL (via which website / via which advertising medium you came to this website).
All processing described above, in particular the setting of cookies on the device used, only takes place if you have given us your express consent to do so. The data processing is therefore carried out on the legal basis of Art. 6 Para. 1 lit. a GDPR. The maximum lifespan of Google Analytics cookies is 2 years. Without your consent, Google Analytics 4 will not be used during your visit to the site. You can revoke your consent at any time with effect for the future. To do this, please deactivate this service using the cookie consent tool provided on the website. A browser add-on for deactivating Google Analytics can be downloaded and installed at the following link: https://tools.google.com/dlpage/gaoptout.
We have concluded a data processing agreement with Google that ensures the protection of our site visitors’ data and prohibits unauthorized disclosure to third parties. For the transmission of data to the USA, Google relies on EU standard contractual clauses, which are intended to ensure compliance with European data protection standards.
Further information and the EU standard contractual clauses can be found at https://policies.google.com/privacy?hl=en
https://policies.google.com/technologies/partner-sites
https://business.safety.google/adsprocessorterms/sccs/eu-c2p/
Cookies
Our website uses cookies and information that are necessary to provide the service expressly requested by the user. The legal basis for the use of these absolutely necessary cookies and information is the legitimate interest in the proper, economical and secure operation of our website in accordance with Art. 6 Para. 1 lit. f GDPR, which prevails within the framework of a balancing of interests. These cookies are usually deleted when the browser is closed. You can delete cookies that have been stored for a longer period of time at any time using the settings in your browser. We will obtain your consent for all other cookies, e.g. for analysis or marketing purposes. The legal basis for data processing by these cookies is Art. 6 Para. 1 lit. a GDPR.
Borlabs Cookie-Management
For consent management, we use Borlabs, a Consent Management Platform (CMP) from the provider Borlabs GmbH, Hamburger Str. 11, 22083 Hamburg. The use of Borlabs is based on Art. 6 Para. 1 lit. c GDPR, our legal obligation to obtain your consent to the storage of certain cookies in your browser or to the use of certain technologies and to document this in compliance with data protection regulations. For this purpose, the technically necessary cookie (borlabs-cookie) is set, which stores the consent you gave when you first accessed the website. You can withdraw your consent at any time by deleting the borlabs-cookie in your browser. If you reload the website, the cookie banner will appear again. The data is stored locally on our server. No data is transmitted to third parties. Details on the data processing of Borlabs Cookie can be found at https://borlabs.io/kb/what-information-does-borlabs-cookie-store/
3D tour
You have the option of taking a virtual 3D tour through the Hofbräuhaus. The 3D tour is provided via the Matterport service provided by Matterport, Inc. 352 E. Java Dr. Sunnyvale, CA 94089 USA. When you access the 3D tour (https://my.matterport.com/show/?m=nNawkcPtb2w), a connection is established to Matterport servers and data such as the IP address, browser version, display device, origin and destination URL as well as the ID of the respective 3D tour are transmitted to Matterport. We bear no liability or responsibility for the processing of your data on the external site my.matterport.com. The Matterport terms of use apply, which you can access in the footer of the 3D application and at the following link https://matterport.com/terms-of-use. Further information on data processing by Matterport can be found at https://matterport.com/legal/privacy-policy/.
Presences in social media
In addition to our own website, we have presences in the social networks listed below. User data can be comprehensively analyzed by the respective network and processed in the USA. If you visit one of our social media pages, we and the provider of the social media platform are jointly responsible for the data processing triggered during this visit. In principle, you can assert your rights both against us and against the respective provider. Please note that despite our joint responsibility with the social media providers, we do not have full influence on the data processing carried out by them.
Data such as user name, contact details or content data (e.g. messages and statements), usage data (e.g. websites visited, interest in content, access times) and meta/communication data (e.g. IP address or device information) can be processed. The legal basis for this data processing is a balancing of interests in accordance with Art. 6 Para. 1 lit. f GDPR to make our services known to a broad audience, to provide insights into our operations and to contact people who make inquiries. Further data processing, possibly for evaluation and marketing purposes, can take place if you have consented (Art. 6 Para. 1 lit. a GDPR).
Data processed on our systems is deleted as soon as you ask us to do so, revoke your consent or the purpose for the data processing no longer applies and there are no legal provisions to the contrary. Stored cookies remain on your device until you delete them. We have no influence on the storage period that is processed by the provider of the social network for its own purposes.
Facebook and Instagram
Facebook and Instagram are social networks of Meta Platforms Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2 Ireland, a subsidiary of Meta Platforms, Inc., Menlo Park, California.
Meta privacy policy: https://www.facebook.com/privacy/policy/
The Page Controller Addendum on joint responsibility under Art. 26 GDPR can be found at https://www.facebook.com/legal/terms/page_controller_addendum
Opt-out options can be found at https://www.facebook.com/settings?tab=ads
Details about data processing for the creation of page insights can be found at https://www.facebook.com/legal/terms/information_about_page_insights_data
Your rights as a data subject
If your personal data is processed, you are a data subject within the meaning of the GDPR and you have the following rights:
Right to information
You can request information about your personal data processed by us within the scope of Art. 15 GDPR.
Right to rectification
If the information concerning you is no longer correct, you can request rectification in accordance with Art. 16 GDPR. If your data is incomplete, you can request completion.
Right to erasure
You can request the erasure of your personal data under the conditions of Art. 17 GDPR.
Right to restriction of processing
Within the framework of the provisions of Art. 18 GDPR, you have the right to request that the processing of data concerning you be restricted.
Right to data portability
According to Art. 20 GDPR, you have the right to receive the personal data concerning you that you have made available to us in a structured, common and machine-readable format or to request that it be transmitted to another responsible party.
Right to withdraw consent under data protection law
According to Art. 7 Para. 3 GDPR, you have the right to withdraw your consent at any time. This does not affect the legality of the processing carried out on the basis of the consent until the withdraw.
Right to complain to a supervisory authority
If you believe that the processing of personal data concerning you violates the GDPR, you have the right to complain to a supervisory authority (in particular in the member state of your residence, place of work or place of the alleged violation) under Art. 77 GDPR.
Right to object
You have the right under Art. 21 GDPR to object to the processing of data concerning you that is carried out on the legal basis of public interest (Art. 6 Para. 1 lit. e GDPR) or legitimate interest (Art. 6 Para. 1 lit. f GDPR). This also applies to profiling based on these provisions. In particular, the objection can be made at any time against processing for direct marketing purposes.
Name and contact details of the controller
Sperger Gaststätten OHG
Platzl 9
D-80331 München
Phone: +49 89 290136100
willkommen@hofbraeuhaus.de
Contact details of the data protection officer
Systemhaus Liebchen GmbH
D-86825 Bad Wörishofen
datenschutz@systemhaus-liebchen.de
Phone: +49 8261 23285-60
