Privacy Policy of MONDI Hotels & Resorts

 

In accordance with the EU General Data Protection Regulation (GDPR), we inform you with this privacy notice about the processing of your personal data by us and about your rights under data protection law. If necessary, these notices will be updated and published at www.mondihotels.com.

 

1. Controller and Contact Details

Controller:

MONDI-HOLIDAY GmbH & Co. KG
Würmstraße 13a
82166 Gräfelfing

Phone: +49 (0)89 55 229 0
Fax: +49 (0)89 55 229 191
Email: info@mondihotels.com

 

Data Protection Officer:

Projekt 29 GmbH & Co. KG
Christian Volkmer
Ostengasse 14
93047 Regensburg

Phone: +49 (0)941 29 869 30
Email: info@projekt29.de

 

2. Purposes and Legal Bases of Data Processing

2.1 Fulfilment of Contractual and Pre-contractual Obligations (Art. 6(1)(b) GDPR)

We process your data to carry out contracts and reservations (e.g., bookings, cancellations, guest cards, invoicing, payment processing, customer service).

2.2 Legitimate Interests (Art. 6(1)(f) GDPR)

We also process data to protect our legitimate interests or those of third parties, such as:

• Operation, security, and optimization of our website
• IT security and fraud prevention
• Marketing and direct advertising (where consent is not required)
• Customer history and statistical analyses
• Product development and campaign optimization
• Enforcement of legal claims and defense in legal disputes
• Profiling for personalized communication, as permitted by law
• Building and facility security (e.g., video surveillance)

2.3 Based on Your Consent (Art. 6(1)(a) GDPR)

Where you have given us consent (e.g., for newsletters, marketing cookies, social media plugins, or participation in sweepstakes), this forms the legal basis for processing.

You may withdraw your consent at any time with effect for the future.

 

2.4 Legal Obligations (Art. 6(1)(c) GDPR)

We are subject to various legal obligations (e.g., commercial and tax laws, regulatory requirements). Processing for these purposes includes:

• Tax control and reporting obligations (e.g., Fiscal Code, VAT Act)
• Commercial retention obligations (e.g., Commercial Code)
• Reporting obligations under national registration laws (recording and forwarding of guest data to local authorities)
• Obligations under the Anti-Money Laundering Act (AML Act), where applicable
• Occupational safety, security, and hygiene regulations (e.g., Working Hours Act, Food Hygiene Regulation, Infection Protection Act)

This also includes data archiving for data protection and security purposes, as well as reviews by tax or other authorities. Disclosure of personal data may also be required during official or judicial proceedings.

 

3. Categories of Processed Data

• Master data (name, date of birth, nationality)
• Contact data (address, email, phone number)
• Payment data (bank details, credit card information)
• Contract and booking data
• Online data (IP address, device information, cookies, log files)
• Communication content (contact forms, inquiries, newsletter sign-ups)
• Special categories of personal data (e.g., allergies, mobility restrictions, if voluntarily provided)

 

4. Recipients of Personal Data

• Internal departments (booking, marketing, IT, administration, service)
• External service providers acting as processors (e.g., IT, hosting, newsletter dispatch, CRM, call center, payment service providers)
• Public authorities and courts, where legally required
• Partner companies for marketing cooperation or to fulfill your booking

 

5. Use of Google Services (Analytics, Ads, Tag Manager)

5.1 Google Tag Manager (GTM)

We use Google Tag Manager, a service by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (“Google”).

Tag Manager is used for the technical administration of website tags (scripts). It does not itself set cookies or process personal data, except those technically required for delivery and troubleshooting.

Legal basis: Art. 6(1)(f) GDPR.

Where non-essential cookies are used via the Tag Manager, this occurs only with consent (Art. 6(1)(a) GDPR in conjunction with §25(1) TTDSG).

5.2 Google Consent Mode v2

We use Google Consent Mode v2 to transmit users’ consent decisions to Google services.

Depending on consent, tags are triggered fully, in consent mode (with aggregated/modelled metrics), or not at all.

 

Legal basis: Art. 6(1)(a) GDPR in conjunction with §25(1) TTDSG.

Without consent, Consent Mode operates only with cookieless pings that do not create personal profiles.

 

5.3 Google Analytics 4 (GA4)

We use Google Analytics 4, a web analytics service of Google Ireland Limited.

GA4 uses cookies and similar technologies to process, among others:

• Page views and interactions (events)
• Location data (derived from anonymized IP addresses)
• Device and browser information
• Referrer URLs
• Online identifiers (e.g., cookie ID, client ID) 

IP addresses are processed only in truncated or derived form.

Legal basis: Your consent (Art. 6(1)(a) GDPR in conjunction with §25(1) TTDSG, statistics category).

5.3.1 Google Signals

With Google Signals, we receive — only with consent and when users have enabled personalized ads in their Google account — aggregated and anonymized cross-device reports (e.g., demographics, interests).

5.3.2 User-Provided Data

If you enter personal data (e.g., email address, phone number) in forms, this data may—after consent—be hashed client-side (SHA-256) and transmitted to Google Analytics to improve cross-device conversion tracking.

5.4 Google Ads (incl. Enhanced Conversions)

We use Google Ads for reach measurement, conversion tracking, and, where applicable, remarketing.

Enhanced Conversions uses hashed contact data (SHA-256) for more precise conversion attribution.

Legal basis:

• Conversion tracking / Enhanced Conversions: Consent (Art. 6(1)(a) GDPR in conjunction with §25(1) TTDSG)
• Remarketing: Consent (Art. 6(1)(a) GDPR in conjunction with §25(1) TTDSG)

5.5 Recipients and Third-Country Transfers

Recipients are Google Ireland Limited and affiliated companies.

Data may be transferred to third countries (in particular, the USA).

Transfers are based on EU Commission Standard Contractual Clauses and additional safeguards.

5.6 Storage Period

• Google Tag Manager / Consent Mode: no independent storage beyond the session
• Google Analytics 4: user and event data for 14 months; aggregated reports longer
• Google Ads / Enhanced Conversions: hashed identifiers stored only for matching purposes per Google’s retention policy

5.7 Consent Management Platform (CMP)

Non-essential cookies and comparable technologies are set only with your consent.

You can change or withdraw your consent at any time via the CMP icon or banner on our website.

6. Other Online Services and Tools

6.1 Cookies

We use cookies and similar technologies on our website. Cookies are small text files stored on your device serving various purposes.

Cookie categories may include:

• Essential cookies: required for website operation (e.g., shopping cart, login, session management)
• Functional cookies: save settings and preferences (e.g., language, location, font size)
• Preference cookies: store individual selections and comfort functions
• Analytics / statistics cookies: collect data on website usage to improve our services
• Marketing / tracking cookies: create user profiles and enable personalized advertising
• Social media cookies: set by social networks to share content or track interactions
• Performance cookies: measure site speed, stability, and load times
• Security cookies: prevent fraud and ensure account security
• Third-party cookies: from external providers (e.g., advertising partners, analytics tools)

Non-essential cookies are set only after your consent (Art. 6(1)(a) GDPR in conjunction with §25(1) TTDSG).

You may revoke or modify your consent at any time via our CMP.

6.2 Newsletter and Direct Marketing

With your consent, we use your data to send newsletters and other offers.

You may withdraw this consent at any time.

6.3 Social Media Plugins and Pixels

Our website may use social media plugins (e.g., Meta/Facebook, Instagram, YouTube, LinkedIn) and marketing pixels.

Upon consent, these collect usage data and transmit it to the respective providers.

6.4 Map and Video Services

We integrate external services such as Google Maps, YouTube, or Vimeo.

When accessing such content, data (e.g., IP address, browser information) is transmitted to the respective providers.

7. Third-Country Transfers

Transfers to recipients in third countries (e.g., USA) may occur.

We use the EU Commission’s Standard Contractual Clauses and additional safeguards for such transfers.

8. Storage Duration

Data is stored only as long as necessary for the purposes stated or as required by statutory retention obligations.

9. Your Data Protection Rights

• Access (Art. 15 GDPR)
• Rectification (Art. 16 GDPR)
• Erasure (Art. 17 GDPR)
• Restriction of processing (Art. 18 GDPR)
• Data portability (Art. 20 GDPR)
• Objection (Art. 21 GDPR)
• Withdrawal of consent
• Right to lodge a complaint with a supervisory authority (Art. 77 GDPR)

10. Obligation to Provide Data

To use our services, you need only provide data strictly necessary for processing.

Without such data, we cannot process your request.

11. Automated Decision-Making / Profiling

We do not use automated decision-making within the meaning of Art. 22 GDPR.

However, tracking and analytics tools may—upon consent—be used for profiling to enable personalized offers.

12. Visiting Our Website / Server Logs

When you visit our website, we automatically store: 

• IP address
• Date and time
• Retrieved file/page
• Browser type and version
• Operating system

Legal basis: Art. 6(1)(f) GDPR (security and website functionality).

Information on Your Right to Object (Art. 21 GDPR)

You have the right, on grounds relating to your particular situation, to object at any time to the processing of your personal data based on Art. 6(1)(e) or (f) GDPR, including profiling based on those provisions.

Where your data are processed for direct marketing purposes, you may object to such processing at any time; this also applies to profiling related to direct marketing.