Data protection information for guests, applicants and business partners of H24 Hotels
We process your personal data in accordance with the provisions of the EU General Data Protection Regulation (GDPR), the German Federal Data Protection Act (BDSG), and all other relevant legal requirements. This privacy policy informs you, in accordance with Articles 13 et seq. of the GDPR, about the nature, scope, and purposes of the processing of personal data within the framework of our business relationships with guests, applicants, and business partners.
I. Person responsible and contact details of the data protection officer
1. Person responsible for data processing
The respective operating company of the H24 Hotel with which you have a contractual relationship – for example, as a guest, business partner, or applicant – is responsible for processing your personal data. The specific company and its contact details can be found in the respective contract, your booking confirmation, or our official correspondence.
2. Contact details of our data protection officer
If you have any questions about data protection or the assertion of your rights under the GDPR, you can contact our data protection officer at the following email address:
II. Information according to Art. 13 ff. GDPR for guests and business partners
The following information informs you about the processing of your personal data within the scope of our business relationships with guests and business partners of H24 Hotels. This includes, in particular, the booking and use of our hotel services as well as our collaboration with suppliers, service providers, and other partner companies.
1. Purposes and legal bases of processing
Your data is processed on the basis of the following legal bases:
a) Performance of the contract (Art. 6 (1) (b) GDPR)
We process your data to prepare, execute, and terminate an accommodation contract or other business agreement. This includes, among other things:
- Processing reservations and bookings,
- Performing check-in and check-out,
- Invoicing and payment processing,
- Communication during your stay or your business relationship with us.
b) Fulfillment of legal obligations (Art. 6 (1) (c) GDPR)
We process certain data to comply with legal requirements, in particular:
- Tax and commercial retention obligations,
- Obligations under the Federal Registration Act (e.g., upon submission of a registration form),
- Other official reporting and documentation obligations.
c) Legitimate interests (Art. 6 (1) (f) GDPR)
We also process data to protect our legitimate interests or the interests of third parties. These include:
- Ensuring security and order in our buildings (e.g., through video surveillance in public areas),
- internal communication and administration,
- asserting or defending against legal claims,
- maintaining business relationships.
d) Consent (Article 6 (1) (a) GDPR)
For certain purposes—such as sending newsletters or participating in satisfaction surveys—we process your data based on your express consent. This consent can be revoked at any time with future effect.
2. Origin of the data
We usually receive your personal data directly from you, for example:
- as part of a booking via our website or by phone,
- when making a reservation through tour operators, corporate clients, or booking platforms,
- through personal or written communication with our staff on-site or digitally.
In individual cases, we also receive data from third parties, such as travel agencies, sales partners or contractual partners.
3. Categories of data processed
3.1 Categories of personal data of guests
- Last name, first name, and any suffixes
- Date of birth, nationality
- Address, telephone number, email address
- Purpose of trip, booked services, length of stay
- Payment information (e.g., via a tokenized credit card process)
- Employer data (for business trips)
- Video recordings (in public areas of our hotels) – notices regarding video surveillance can also be found clearly visible in the respective hotel areas
- Communication content (e.g., emails, complaints, inquiries, contact via our website or live chat)
- Information on health restrictions or dietary requirements (only if provided voluntarily by the data subject and solely for the purpose of improving service, e.g., in the case of allergies or mobility restrictions)
3.2 Categories of personal data of business partners
- Name, contact details, and position of contact persons
- Company-related data (company address, VAT ID, contract information)
- Bank details, billing information
- History of the business relationship and correspondence
4. Recipients of your data
Within H24 Hotels, only those departments and individuals who need your data to fulfill the contract or comply with legal obligations will have access to your data.
In addition, as part of an existing or future customer relationship, your personal data may be transferred within the H24 Hotels group of companies – for example, for follow-up bookings, comprehensive guest service, or to handle service processes. This transfer will only take place in compliance with applicable data protection regulations and only if there is a legitimate interest or another legal basis.
In addition, we will transfer your data – where necessary – to the following external recipients:
- IT and software service providers (e.g., for booking systems and payment processing),
- Tax consultants, lawyers, and auditors,
- Banks and payment service providers,
- Authorities such as tax offices or registration authorities,
- Processors within the meaning of Art. 28 GDPR with corresponding contractual obligations.
Data will only be transferred to third countries if this is legally permissible and in compliance with Articles 44 et seq. of the GDPR.
When jointly processing personal data, the participating companies within H24 Hotels may act within the framework of joint controllership under Art. 26 GDPR. In this case, coordinated data processing takes place with clearly defined responsibilities, which we will be happy to inform you about upon request.
In cases of joint controllership, the parties involved jointly determine the purposes and means of data processing. Such cooperation is based on a data protection agreement pursuant to Art. 26 GDPR, which, in particular, regulates responsibilities, information obligations, and the rights of the data subjects. We will provide you with the essential contents of this agreement upon request.
5. Storage period
We only store your data for as long as necessary for the respective purposes or as required by statutory retention periods. The legally prescribed retention periods are:
- Up to 6 years according to Section 257 of the German Commercial Code (HGB) (e.g., business correspondence),
- Up to 10 years according to Section 147 of the German Fiscal Code (AO) (e.g., tax-relevant documents).
After expiry of the deadlines or upon revocation of your consent, your data will be deleted unless there are legitimate reasons for longer storage.
6. Your rights
As a data subject, you have the following rights under the GDPR:
- Information about the processing of your data (Art. 15 GDPR),
- Correction of incorrect or incomplete data (Art. 16 GDPR),
- Deletion of your data, provided there is no retention obligation (Art. 17 GDPR),
- Restriction of processing (Art. 18 GDPR),
- Data portability (Art. 20 GDPR),
- Objection to the processing of your data (Art. 21 GDPR),
- Revocation of consent granted with future effect (Art. 7 (3) GDPR).
Please address your data protection inquiries to: [email protected]
You also have the right to lodge a complaint with a data protection supervisory authority.
III. Information according to Art. 13 et seq. GDPR when conducting the Digital Check-In
This notice applies to the processing of personal data in connection with the use of our digital check-in service at H24 Hotels. The aim of this process is to offer our guests a time-saving, low-contact, and convenient way to check in on-site.
1. Purpose and legal basis of data processing
Purpose of processing
The digital check-in is used to automatically record your registration and booking-relevant data in order to enable efficient preparation of your stay and to comply with the legal requirements of the Federal Registration Act (BMG).
Legal basis
- Art. 6 (1) (b) GDPR – for the implementation of pre-contractual measures and the performance of the accommodation contract,
- Art. 6 (1) (c) GDPR in conjunction with Section 30 of the Federal Ministry of Health Act – for the fulfillment of statutory reporting obligations,
- Art. 6 (1) (a) GDPR – for the voluntary provision of additional information (e.g., digital signature, preferences).
2. Categories of personal data processed
As part of the digital check-in, we process the following data in particular:
- Title, first name, last name
- Date of birth, nationality
- Address (street, house number, zip code, city, country)
- Email address, telephone number
- Stay information (arrival and departure dates, purpose of travel, accommodation)
- Travel document data (if applicable) (ID number, date of issue, issuing authority, copy if applicable for foreign guests)
- Technical metadata (e.g., IP address, timestamp of entries)
3. Origin of the data
The data is provided independently by you as the data subject during the digital check-in process. If we already have booking data in our hotel management software (e.g., through a prior reservation), this can be automatically transferred to the check-in system to avoid redundant entries.
4. Recipient of the data
The processing is carried out by the respective location or its operating company as the data protection controller using technical systems of our service providers:
- For digital check-in, we use the software solution from straiv GmbH, Industriestraße 23, 70565 Stuttgart, which acts exclusively on our behalf as a data processor pursuant to Art. 28 GDPR.
- Our hotel management software is provided by apaleo GmbH, Dachauer Straße 15 A, 80335 Munich, with whom we also have a corresponding data processing agreement.
Both companies process the data exclusively according to our instructions, in compliance with the GDPR, and on servers within the European Union or the European Economic Area.
Data will not be transferred to third countries without the express consent of the data subject or appropriate safeguards pursuant to Art. 44 et seq. GDPR (e.g., EU standard contractual clauses).
5. Additional information on automated communication (email & WhatsApp)
As part of the digital check-in process, communication with guests is automated. This includes, for example, sending booking confirmations, reminders, or links to the registration form.
This communication takes place via two channels:
a) Email sending:
The emails are sent by straiv GmbH as part of the order processing. These emails contain information about the reservation and allow for early check-in.
b) WhatsApp messages:
In parallel to email communication, we will automatically send you the same information via the WhatsApp messaging service as so-called “official template messages” based on the mobile number you provided during the booking process. These messages contain, for example, a link to the digital check-in process.
This is done within the framework of the WhatsApp Business API, which allows for data protection-compliant, one-way customer communication via templates.
Processing is based on Art. 6 (1) (f) GDPR. Our legitimate interest lies in fast, effective, and user-friendly communication with our guests via a widely used medium. Your mobile number will not be used for advertising purposes.
If you reply to a message from us within the WhatsApp chat, we may respond to your inquiry during a limited communication window (24 hours). Any further communication will only take place at your initiative or with your express consent.
c) Note on WhatsApp:
WhatsApp is a service provided by Meta Platforms Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland. It cannot be ruled out that metadata (e.g., time, device information) may be processed and transferred to third countries – particularly the USA – during use.
Further information on data processing by WhatsApp can be found at:
https://www.whatsapp.com/legal/privacy-policy-eea
Possibility of objection:
You can opt out of our use of WhatsApp for communication at any time. In this case, correspondence will take place exclusively via alternative channels (e.g., email).
6. Storage period
The data collected during the digital check-in process will be stored for the duration of your stay and in accordance with statutory retention periods. In particular, the following applies:
- Registration forms according to the Federal Registration Act: 1 year
- Accounting and invoice data: up to 10 years according to tax and commercial law regulations (Section 147 of the Fiscal Code (AO), Section 257 of the Commercial Code (HGB))
After these periods have expired or upon revocation of any consent, your data will be deleted or blocked in accordance with legal requirements.
7. Rights of data subjects
You also have the following rights during digital check-in:
- Right to information (Article 15 GDPR)
- Right to rectification (Article 16 GDPR)
- Right to erasure (Article 17 GDPR)
- Right to restriction of processing (Article 18 GDPR)
- Right to data portability (Article 20 GDPR)
- Right to object to processing (Article 21 GDPR)
- Right to withdraw consent (Article 7 (3) GDPR)
To assert your rights, please contact:
[email protected]
In addition, you have the right to lodge a complaint with the data protection supervisory authority responsible for you.
IV. Information according to Art. 13 ff. GDPR for applicants
This privacy policy applies to the processing of personal data within the scope of application procedures at H24 Hotels. The protection of your personal data is important to us. Below, we inform you about the type, scope, and purpose of the processing, as well as your rights.
1. Purpose and legal basis of processing
1.1 Conducting the application process (Art. 6 (1) (b) GDPR in conjunction with Section 26 BDSG)
We process your personal data to conduct the application process and to decide on the establishment of an employment relationship. This includes, in particular:
- The evaluation of your application documents and qualifications,
- Communication with you during the selection process,
- Organization and conduct of interviews (in person or digitally),
- Internal documentation of the application process.
1.2 Consent (Art. 6 (1) (a) GDPR)
If you voluntarily provide us with additional information – e.g., a photo for your application, information about hobbies, or family circumstances – this data will be processed based on your express consent. The same applies if you give us your consent to be included in our talent pool. You can revoke your consent at any time with future effect.
1.3 Protection of legitimate interests (Art. 6 (1) (f) GDPR)
In individual cases, we process your data to protect legitimate interests – for example, to assert, exercise or defend legal claims (e.g. under the General Equal Treatment Act – AGG) or to improve and internally ensure the quality of our recruiting processes.
2. Origin of the data
We generally receive your data directly from you – for example, through your application via our online form, by email, by personal delivery, or through external application portals (e.g., Indeed, Hotelcareer), provided you have consented to such transmission. Applications may also be submitted through external recruitment agencies with whom we have concluded data protection-compliant contracts.
3. Categories of personal data processed
Mandatory information in the application process:
- First and last name
- Address and contact details (phone number, email address)
- CV and educational documents (certificates, qualifications)
- Information about professional background, specialist knowledge, and language skills
- Availability, desired start date, and salary expectations (if applicable)
Voluntary information (with consent):
- Application photo
- Information about hobbies, volunteer work, or family background
- Additional comments in the cover letter
Note on voluntary information:
Providing this information is voluntary and does not influence the selection process.
4. Recipient of the data
Within H24 Hotels, only authorized persons will have access to your data, provided this is necessary for the application process. This includes, in particular:
- Human Resources staff
- Supervisors of the respective department
- Management and site management, if applicable
In addition, we use data protection-compliant service providers to handle our application process, e.g.:
- Providers of applicant management systems (under a data processing agreement pursuant to Art. 28 GDPR)
- External HR consultants (only if specifically required and with your consent)
Your application data will only be shared with other companies within H24 Hotels if this is necessary for the specific application or if you have given your consent. Data will generally not be transferred to third countries unless you are applying for a position outside the EU or have expressly consented.
If you give us your consent to be included in the talent pool, your application may also be considered by other companies within H24 Hotels – for example, for future vacancies or alternative employment opportunities. Data will only be shared with your prior consent.
5. Storage period
We generally store your personal application data for the duration of the selection process. In the event of a rejection, we will retain your data for up to six months in order to assess any legal claims under Section 15 of the General Equal Treatment Act (AGG).
If you have given us your consent to store your documents in the talent pool for a longer period, we will retain your data for a maximum of twelve months or until you revoke your consent.
If you are hired, your application data will be transferred to your personnel file and will be subject to the company’s internal regulations on employee data processing from that point on.
6. Your rights as a data subject
You also have the following data protection rights during the application process:
- Information about your stored data (Art. 15 GDPR)
- Correction of inaccurate data (Art. 16 GDPR)
- Deletion of your data, where permitted by law (Art. 17 GDPR)
- Restriction of processing (Art. 18 GDPR)
- Data portability (Art. 20 GDPR)
- Objection to processing based on legitimate interests (Art. 21 GDPR)
- Revocation of your consent with future effect (Art. 7 (3) GDPR)
Please address your data protection concerns to:
[email protected]
In addition, you have the right to complain to the competent supervisory authority for data protection if you believe that the processing of your personal data violates the GDPR.