Data Security

Privacy Policy and Principles of Data Processing

We take the protection of your personal data very seriously. With this notice, we inform you in accordance with the requirements of the General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG) about how we process personal data of guests, prospects, contractual partners, suppliers, applicants, and other business partners.

The type and scope of data processed depend primarily on the services requested or agreed upon. The purpose of this information is to give you a comprehensive overview of the processing activities and your rights.

  1. Controllers
    The following companies are responsible for data processing:
    – Cortiina Hotel GmbH, Ledererstraße 8, 80331 Munich
    Imprint: https://www.cortiina.com/impressum/
    – Kull und Weinzierl GmbH & Co. KG, Tal 11, Rgb., 80331 Munich
    Imprint: https://www.kull-kg.de/impressum.html
    – Operngrill GmbH & Co. KG, Tal 11, Rgb., 80331 Munich
    Imprint: https://www.brennergrill.de/impressum.html
  2. Data Protection Officer

    Kull und Weinzierl
    – Data Protection Officer –
    Tal 11, Rgb., 80331 Munich
    E-Mail: datenschutz@kull-kg.de
  3. Purposes and Legal Basis of Processing
    We process personal data in accordance with the provisions of the GDPR and the BDSG.
  4. a) Hotel Guests
    To fulfill the accommodation contract, we process data for bookings, stays, billing, and the legally required registration form (§ 29 ff. BMG). The legal basis is Art. 6 (1) lit. b and lit. c GDPR.
    Based on your explicit consent (Art. 6 (1) lit. a GDPR), we may keep a guest history, in which previous stays and your preferences are stored. This allows us to offer you a personalized service during future stays.
    Marketing and direct advertising are carried out only with your consent or where legitimate interests exist (Art. 6 (1) lit. a and f GDPR). Newsletters are sent only after prior registration (Art. 6 (1) lit. a GDPR).
    In connection with restaurant reservations via online tools, we process your data for the purpose of contract performance (Art. 6 (1) lit. b GDPR). After your stay, we may invite you to provide a voluntary review (Art. 6 (1) lit. f GDPR).
    Health data, such as allergies or food intolerances, are processed only on the basis of your consent (Art. 6 (1) lit. a GDPR).
  5. b) Restaurant Guests
    We process data of restaurant guests for the purpose of handling reservations and orders (Art. 6 (1) lit. b GDPR). These data may be stored in our reservation system as long as necessary for processing and service quality. Information on allergies or food intolerances is processed exclusively with your consent (Art. 6 (1) lit. a GDPR).
  6. c) Business Partners (Customers, Suppliers, Service Providers)
    We process personal data of business partners as far as necessary for the initiation, execution, or handling of contractual and business relationships. This includes master data (e.g., name, company, position), contact data, contractual and billing data, as well as communication data.
    The legal bases are Art. 6 (1) lit. b GDPR (contract performance), Art. 6 (1) lit. c GDPR (legal obligation), and Art. 6 (1) lit. f GDPR (legitimate interest, e.g., documentation or IT security).
  7. d) Applicants
    Data in the application process is processed to decide on the establishment of an employment relationship (§ 26 BDSG, Art. 6 (1) lit. b GDPR).
    If no employment is offered, we delete your data after 6 months. If included in our applicant pool, the data will be stored for a maximum of 2 years. In the event of employment, the application data will be transferred to the HR information system.
    Legal bases are § 26 BDSG and Art. 6 (1) lit. f GDPR (defense of legal claims).
  8. Categories of Personal Data
    We process in particular:
    – Master data (name, address, date of birth, nationality, company, position)
    – Contact data (telephone number, e-mail address, postal address)
    – Contract and stay data (bookings, restaurant reservations, special requests)
    – Payment and billing data (bank details, credit card details, invoices)
    – Communication data (correspondence, newsletters, reviews)
    – Applicant data (CV, qualifications, certificates)
    – Special categories of personal data (health data such as allergies), only on the basis of your consent
  9. Sources of Data
    We usually receive the data directly from you, and in the case of business partners also via their contact persons. In some cases, data may be provided by third parties if necessary for contract processing.
  10. Recipients
    Your data is shared within our companies only with the departments that need it (e.g., reception, administration, accounting, marketing, HR).
    Kull und Weinzierl GmbH & Co. KG provides administrative services for the companies listed above and processes personal data exclusively as a processor pursuant to Art. 28 GDPR.
    Other external recipients may include:
    – IT and software service providers
    – Payment service providers, banks, tax advisors
    – Public authorities where legally required (e.g., tax authorities, police, supervisory authorities)
    – Transport companies, event organizers, or other partners in the context of contract performance
    Processing by processors is always carried out on the basis of Art. 28 GDPR.
  11. Transfer to Third Countries
    A transfer to countries outside the EU/EEA takes place only if necessary for contract performance or if you have given your consent. In such cases, appropriate safeguards (e.g., EU Standard Contractual Clauses) ensure an adequate level of data protection.
  12. Duration of Storage
    We store your personal data for as long as necessary for the purposes for which it was collected. Contractual and billing data are subject to statutory retention periods (6–10 years). Applicant data is deleted after rejection within 6 months, or after 2 years if included in the applicant pool.
    Guest history and marketing data are stored until you withdraw your consent, unless longer statutory retention periods apply.
  13. Your Rights
    Under the GDPR you have in particular the following rights:
    – Right of access (Art. 15 GDPR)
    – Right to rectification (Art. 16 GDPR)
    – Right to erasure (Art. 17 GDPR)
    – Right to restriction of processing (Art. 18 GDPR)
    – Right to data portability (Art. 20 GDPR)
    – Right to object (Art. 21 GDPR)
    – Right to withdraw consent (Art. 7 GDPR)
    You can exercise these rights at any time using the contact details provided in section 1. You also have the right to lodge a complaint with a supervisory authority (Art. 77 GDPR).
  14. Obligation to Provide Data
    The provision of certain data is legally required (e.g., registration form). Without the provision of necessary data, contracts or business relationships cannot be concluded.
  15. Video Surveillance
    In certain areas of our businesses (e.g., entrances, lobby, underground parking, corridors) we use video surveillance. It serves to protect guests, employees, and property as well as to investigate criminal acts.
    Legal bases: Art. 6 (1) lit. f GDPR (legitimate interest), in individual cases also Art. 6 (1) lit. c GDPR (legal obligation).
    Storage period: Generally a maximum of 72 hours, longer only in the event of security incidents. Recipients are internal security officers and, if necessary, law enforcement authorities. On-site notices inform about video surveillance.
