Privacy policy
Data protection declaration and consent to data use
for the websites https://www.q4me.de, www.q4me.be, www.q4me.fr, www.q4me.nl
Data protection is a matter of trust and your trust is important to us. We respect your privacy and personal sphere. The protection and lawful collection, processing and use of your personal data is therefore an important concern for us. To ensure that you feel secure when visiting our websites, we strictly observe the legal provisions when processing your personal data and would like to inform you here about how we collect and use data.
We are committed to complying with the GDPR and nationally applicable data protection laws. For us, data protection is a company-wide issue that takes high priority. We only work with partners who can also demonstrate an appropriate level of data protection in their processing framework. We only process your data if you have given us your express consent to do so, if this relates to a contract or pre-contractual measures on a service basis, or if the relevant laws permit or require data processing. The following data protection information covers both the currently applicable national legal framework and the requirements of the EU General Data Protection Regulation (GDPR), which will apply throughout Europe from 25 May 2018. References to the legal basis of the GDPR are decisive from 25 May 2018. Under no circumstances do we sell your data or pass it on to unauthorised third parties. We are happy to provide you with detailed information below about how your data is handled in our company divisions.
You can print or save this document using the usual functionality of your browser. The following data protection declaration explains which data is collected on our websites and which data we process and use and how.
I. Name and address of the controller
The controller within the meaning of the EU General Data Protection Regulation (GDPR) and other national data protection laws of the member states as well as other data protection regulations is:
HOGA GmbH Servicegesellschaft für das Gastgewerbe
Managing Directors: Christoph Becker, Thomas Kolaric
Hammer Landstr. 45
41460 Neuss
Germany
Tel.: 02131 751816-2
E-Mail: info@hoga-service-gmbh.de
Website: www.q4me.de
Responsible for web content:
Christoph Becker, Thomas Kolaric
Tel.: 02131 7518-162
Email: info@hoga-service-gmbh.de
II. Name and address of the data protection officer
The data protection officer of the controller is:
TÜV Informationstechnik GmbH
IT Security – Business Security & Privacy
Data Protection Office
Peter Kattner
Langemarckstraße 20
45141 Essen
Telephone: +49 (0) 201 – 8999-899
Fax: +49 201 – 8999-666
E-mail: privacyguard@tuvit.de
III. General information on data processing
Scope of personal data processing
We collect and use our users‘ personal data only to the extent necessary to provide a functional website and our content and services. The collection and use of our users’ personal data takes place regularly only with the consent of the user. An exception applies in cases where prior consent cannot be obtained for practical reasons and the processing of the data is permitted by law.
Legal basis for the processing of personal data
Insofar as we obtain the consent of the data subject for the processing of personal data, Art. 6 (1) (a) of the EU General Data Protection Regulation (GDPR) serves as the legal basis for the processing of personal data.
When processing personal data that is necessary for the performance of a contract to which the data subject is party, Art. 6 (1) lit. b GDPR serves as the legal basis. This also applies to processing operations that are necessary to carry out pre-contractual measures.
Insofar as the processing of personal data is required for the fulfilment of a legal obligation to which our company is subject, Art. 6 (1) lit. c GDPR serves as the legal basis.
In the event that the vital interests of the data subject or another natural person require the processing of personal data, Art. 6 (1) lit. d GDPR serves as the legal basis.
If processing is necessary to safeguard a legitimate interest of our company or a third party and if the interests, fundamental rights and freedoms of the data subject do not outweigh the former interest, Art. 6 para. 1 lit. f GDPR serves as the legal basis for the processing.
Data deletion and storage period
The personal data of the data subject will be deleted or blocked as soon as the purpose of the storage no longer applies. Storage beyond that time may occur if it is provided for by the European or national legislator in EU regulations, laws or other provisions to which the controller is subject. Blocking or erasure of the data also occurs when a storage period prescribed by the standards mentioned expires, unless there is a need for further storage of the data for the conclusion or fulfilment of a contract.
IV. Provision of the website and creation of log files
Description and scope of data processing
Every time our website is accessed, our system automatically collects data and information from the accessing computer system.
The following data is collected:
- Information about the browser type and version used
- The user’s operating system
- The user’s IP address
- Date and time of access
- Websites from which the user’s system accesses our website
The data is also stored in the log files of our system. This data is not stored together with other personal data of the user.
Legal basis for data processing
The legal basis for the temporary storage of data and log files is Art. 6 para. 1 lit. f DSGVO.
Purpose of data processing
The system needs to store the IP address temporarily to enable the website to be delivered to the user’s computer. To do this, the user’s IP address must be stored for the duration of the session.
The storage in log files is done to ensure the functionality of the website. In addition, the data is used to optimise the website and to ensure the security of our information technology systems. An evaluation of the data for marketing purposes does not take place in this context.
These purposes also include our legitimate interest in data processing in accordance with Art. 6 para. 1 lit. f GDPR.
Duration of storage
The data are deleted as soon as they are no longer required for the purpose for which they were collected. In the case of data collection for the provision of the website, this is the case when the respective session has ended.
If the log files are stored permanently, the IP addresses of the users are deleted or anonymised after 12 months, so that it is no longer possible to identify the accessing client.
Right of objection and removal
The collection of data for the provision of the website and the storage of data in log files is essential for the operation of the website. Consequently, there is no right of objection on the part of the user.
V. Use of cookies
Description and extent of data processing
Our website uses cookies. Cookies are text files that are stored in or by the internet browser on the user’s computer system. When a user visits a website, a cookie may be stored on the user’s operating system. This cookie contains a characteristic string of characters that enables the browser to be uniquely identified when the website is visited again.
We use cookies to make our website more user-friendly. Some elements of our website require that the accessing browser can be identified even after a page change. Cookies are used to identify a user after login. For this purpose, a session token is stored in the user’s browser, which is automatically deleted when logging out. In addition, the last filters and search settings are stored in the user’s browser. This information is only transferred to the Q4me system as a filter when the system is used and can be changed and viewed via the Q4me system interface.
How can you prevent cookies from being stored?
Depending on the browser you are using, you can set your browser to only accept cookies if you agree to them. If you only want to accept the cookies we use, but not those of our service providers and partners, you can select the ‘Block third-party cookies’ setting in your browser. The help function in the menu bar of your web browser will usually show you how to reject new cookies and how to disable cookies that have already been received. You can find detailed information on how to adjust the settings in the browser you are using at the following link. We recommend that you always log out completely when you have finished using shared computers that are set up to accept cookies and flash cookies.
Legal basis for data processing
The legal basis for the processing of personal data using cookies is Art. 6 para. 1 lit. f GDPR.
Purpose of data processing
The purpose of using technically necessary cookies is to make it easier for users to use websites. Some of our website’s functions cannot be offered without the use of cookies. For these functions, it is necessary that the browser be recognised even after a page change.
We need cookies for the following applications:
- User identification after login
The user data collected by technically necessary cookies are not used to create user profiles.
This purpose also includes our legitimate interest in the processing of personal data in accordance with Art. 6 (1) point f GDPR.
Duration of storage, right to object and opt out
Cookies are stored on the user’s computer and transmitted by it to our site. Therefore, you as a user also have full control over the use of cookies. By changing the settings in your internet browser, you can disable or restrict the transmission of cookies. Cookies that have already been saved can be deleted at any time. This can also be done automatically. If cookies are disabled for our website, it is possible that not all of the website’s functions can be used to their full extent.
VI. Registration
Description and scope of data processing
On our website, we offer users the opportunity to register by providing personal data. The data is entered into an input mask and transmitted to us and stored. The data will not be passed on to third parties. The following data is collected during the registration process:
- Company or business name
- Full address of the company or business
- Title First name, surname and email address of a contact person
- A password for accessing the system
- Optionally, the DEHOGA NRW membership number
As part of the registration process, the user’s consent to the processing of this data is obtained.
Legal basis for data processing
The legal basis for the processing of the data is the consent of the user in accordance with Article 6 (1) (a) of the GDPR.
Purpose of the data processing
The registration of the user is required to fulfil a contract with the user or to carry out pre-contractual measures.
Duration of the storage
The data will be deleted as soon as it is no longer required to achieve the purpose for which it was collected.
This is the case for data collected during the registration process for the fulfilment of a contract or for the implementation of pre-contractual measures when the data is no longer required for the fulfilment of the contract. Even after the contract has been fulfilled, it may still be necessary to store personal data of the contractual partner in order to comply with contractual or legal obligations.
Right to object and right of erasure
As a user, you have the option to cancel the registration at any time. You can have the data stored about you changed at any time.
An account can be changed independently in the settings. The stored employees of a company can also be maintained independently by the company. This means that employees must be entered independently by the company. These can also be changed or deleted. Due to the traceability of the controls carried out and the professional documentation requirement, employees cannot be completely deleted, but only marked as deleted. Companies that wish to delete data can request this via the support team. An email contact address can be found in the system.
If the data is required to fulfil a contract or to carry out pre-contractual measures, early deletion of the data is only possible if there are no contractual or legal obligations to the contrary.
VII. E-mail
Description and scope of data processing
It is possible to contact us via the email address provided. In this case, the user’s personal data transmitted by email will be stored.
System users are informed by email about failed checks or checks that require special attention. Such emails are only sent if the user has created the relevant checks.
In this context, the data is not passed on to third parties. The data is used exclusively for processing the conversation.
Legal basis for data processing
The legal basis for the processing of the data is the consent of the user Art. 6 para. 1 lit. a GDPR.
The legal basis for the processing of data transmitted in the course of sending an e-mail is Art. 6 (1) point f GDPR. If the e-mail contact aims at concluding a contract, then additional legal basis for the processing is Art. 6 (1) point b GDPR.
Purpose of data processing
In the case of contact by email, this also constitutes the necessary legitimate interest in the processing of the data.
Duration of storage
The data will be deleted as soon as it is no longer required for the purpose for which it was collected. For personal data sent by email, this is the case when the respective conversation with the user has ended. The conversation is deemed to have ended when it can be inferred from the circumstances that the matter in question has been conclusively clarified.
Right to object and right of erasure
The user has the option at any time to revoke his consent to the processing of personal data. If the user contacts us by email, he can object to the storage of his personal data at any time. In such a case, the conversation cannot be continued.
The revocation of consent and the objection to storage can be addressed to us by email or post. The corresponding addresses can be found in this data protection declaration.
In this case, all personal data stored in the course of establishing contact will be deleted.
VIII. Disclosure of your data to third parties
In order to make our website as pleasant and comfortable as possible for you as a user, we occasionally use the services of external service providers. Regular reviews of the privacy policies of these external service providers ensure that data is handled in accordance with the law.
Below, you will find information about the data protection provisions for the use and application of the services and functions used, so that you can also exercise your rights with the service providers if necessary.
External service providers
Use of Matomo
This website uses the web analysis service software Matomo (www.matomo.org), a service provided by InnoCraft Ltd, 150 Willis St, 6011 Wellington, New Zealand, (‘Mataomo’) on the basis of our legitimate interest in the statistical analysis of user behaviour for optimisation and marketing purposes in accordance with Art. 6 para. 1 lit. f DSGVO. Pseudonymised user profiles can be created from this data and evaluated for the same purpose. Cookies may be used for this purpose. Cookies are small text files that are stored locally in the cache of the site visitor’s Internet browser. Among other things, cookies enable the Internet browser to be recognised again. The data collected using Matomo technology (including your pseudonymised IP address) is processed on our servers.
The information generated by the cookie in the pseudonymous user profile is not used to personally identify the visitor to this website and is not merged with personal data about the pseudonymised user.
If you do not agree to the storage and analysis of this data from your visit, you can object to its storage and use at any time with a single click of the mouse below. In this case, a so-called opt-out cookie is stored in your browser, which means that Matomo does not collect any session data. Please note that if you delete all of your cookies, the opt-out cookie will also be deleted and you may need to reactivate it.
IX. Rights of the data subject
According to Art. in conjunction with § 34 BDSG, you have the unrestricted right to free information about your data stored by us and, in accordance with § 35 BDSG, the right to delete or block unauthorised data or the right to correct incorrect data.
Upon request, we will be happy to inform you in writing whether and which personal data we have stored about you. As far as possible, we will take appropriate measures to update or correct your stored data at short notice. Please address all requests for information, requests for disclosure or objections to data processing by e-mail, quoting your full postal address, directly to our data protection officer.
If your personal data is processed, you are a data subject within the meaning of the GDPR and you have the following rights vis-à-vis the controller:
Right of access
You have the right to obtain from the controller confirmation as to whether or not personal data concerning you is being processed by us.
Where that is the case, you can request access to the following information from the controller:
- the purposes for which the personal data are processed;
- the categories of personal data concerned;
- the recipients or categories of recipients to whom the personal data concerning you have been or will be disclosed;
- the envisaged period for which the personal data concerning you will be stored, or, if specific information on this is not possible, the criteria used to determine that period;
- the existence of a right to correction or deletion of the personal data concerning you, a right to restriction of the processing by the controller or a right to object to this processing;
- the existence of a right of appeal to a supervisory authority;
- all available information about the origin of the data if the personal data is not collected from the data subject;
- the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) of the GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
You have the right to request information about whether your personal data is transferred to a third country or to an international organisation. In this context, you can request to be informed of the appropriate safeguards pursuant to Art. 46 GDPR relating to the transfer.
Right to rectification
You have the right to request the data controller to rectify and/or complete the data if the personal data processed concerning you is incorrect or incomplete. The data controller must carry out the rectification without delay.
Right to restriction of processing
You have the right to request the restriction of the processing of personal data concerning you where one of the following applies:
- You contest the accuracy of the personal data for a period enabling the controller to verify the accuracy of the personal data.
- The processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead.
- the controller no longer needs the personal data for the purposes of the processing, but you require them for the establishment, exercise or defence of legal claims; or
- if you have objected to processing pursuant to Article 21(1) of the GDPR pending the verification whether the legitimate grounds of the controller override your grounds.
Where processing of personal data concerning you has been restricted, such data shall, with the exception of storage, only be processed with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.
If the processing restriction has been restricted in accordance with the above conditions, you will be informed by the controller before the restriction is lifted.
Right to erasure
Erasure obligation
You have the right to obtain from the controller the erasure of personal data concerning you without undue delay and the controller has the obligation to erase personal data without undue delay where one of the following grounds applies:
- The personal data concerning you are no longer necessary in relation to the purposes for which they were collected or otherwise processed.
- You withdraw your consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2) GDPR, and where there is no other legal ground for the processing.
- You object to the processing in accordance with Article 21(1) of the GDPR and there are no overriding legitimate reasons for the processing, or you object to the processing in accordance with Article 21(2) of the GDPR.
- The personal data concerning you has been unlawfully processed.
- The personal data concerning you has to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject.
- The personal data concerning you has been collected in relation to the offer of information society services referred to in Article 8(1) of the GDPR.
Information to third parties
If the controller has made the personal data concerning you public and is obliged to delete it in accordance with Art. 17 para. 1 GDPR, he shall take appropriate measures, including technical measures, taking into account the available technology and the implementation costs, to inform data processors who process the personal data that you, as the data subject, have requested the deletion of all links to this personal data or of copies or replicas of this personal data.
Exceptions
The right to erasure does not apply to the extent that processing is necessary
- for exercising the right of freedom of expression and information;
- for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) as well as Article 9(3) GDPR;
- for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) of the GDPR in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
- for the establishment, exercise or defence of legal claims.
Right to information
If you have asserted the right to rectification, erasure or restriction of processing against the controller, the controller is obliged to communicate any rectification or erasure of personal data or restriction of processing to each recipient to whom the personal data concerning you have been disclosed, unless this proves impossible or involves disproportionate effort.
You have the right to request the data controller to be informed about these recipients.
Right to data portability
You have the right to receive the personal data concerning you, which you have provided to the data controller, in a structured, commonly used and machine-readable format. You also have the right to transmit this data to another controller without hindrance from the controller to which the personal data has been provided, where
(1) the processing is based on consent pursuant to point (a) of Article 6(1) GDPR or point (a) of Article 9(2) GDPR or on a contract pursuant to point (b) of Article 6(1) GDPR, and
(2) the processing is carried out by automated means.
In exercising this right, you also have the right to have the personal data concerning you transmitted directly from one controller to another, where technically feasible. This must not adversely affect the rights and freedoms of others.
The right to data portability does not apply to the processing of personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
Right to object
You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on point (e) or (f) of Article 6(1) GDPR, including profiling based on those provisions.
The controller will no longer process the personal data concerning you unless the controller demonstrates compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims.
Where personal data concerning you are processed for direct marketing purposes, you have the right to object at any time to processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing.
If you object to processing for direct marketing purposes, your personal data will no longer be processed for these purposes.
You have the option, in the context of the use of information society services, and notwithstanding Directive 2002/58/EC, to exercise your right to object by automated means using technical specifications.
Right to revoke the data protection declaration of consent
You have the right to revoke your declaration of consent under data protection law at any time. The revocation of consent does not affect the lawfulness of the processing carried out on the basis of the consent until the revocation.
Automated decision in individual cases including profiling
You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. This does not apply if the decision
- is necessary for entering into, or performance of, a contract between you and the data controller,
- is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests, or
- with your explicit consent.
However, these decisions must not be based on special categories of personal data according to Art. 9 (1) GDPR, unless Art. 9 (2) lit. a or g applies and appropriate measures have been taken to protect rights and freedoms as well as your legitimate interests.
In the cases referred to in (1) and (3), the data controller shall implement suitable measures to safeguard your rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.
Right to lodge a complaint with a supervisory authority
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data relating to you infringes the GDPR.
The supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Article 78 of the GDPR.