We process your personal data in compliance with the provisions of the European General Data Protection Regulation (GDPR), national data

protection legislation and all other relevant legislation. You can find further information and the current version of this data protection information at:

  1. Who is responsible for the data processing and who can I contact?

The responsible party is 

Munich Rooms Hotel e.K., owner: Selcuk Gürler

Herzogstr. 51

80803 München

Hereinafter each referred to as “Controller”

Contact details for the data protection officer:
Bayerisches Landesamt für Datenschutzaufsicht (BayLDA)

Promenade 27

91522 Ansbach



  1. Legal basis for the data processing


2.1. Contractual fulfilment

Munich Rooms Boutique Hotel collects, processes and uses personal data to settle an existing business relationship with you including the necessary communication, in particular to provide contractually agreed services, the settlement of payment transactions and accounting. The Controller processes personal data on the basis of Article 6(1)(b) GDPR. This is permissible as long as the processing is necessary for the fulfilment of a contract one of whose contracting parties is the data subject or this serves the performance of pre-contractual measures which are carried out as the result of an enquiry.

2.2. Justified interests

In addition the Controller processes personal data on the basis of Art.6(1)(f) GDPR to the extent that this is necessary to protect its own justified interests or those of a third party and provided these are not outweighed by the interests or basic rights of the data subject which require the protection of personal data. This applies in particular in the prevention and investigation of criminal acts, for the purposes of business management and other administration purposes.

2.3. Consent

In addition the Controller processes personal data on the basis of Art. 6(1)(a) GDPR provided the contractual partners have given consent for the processing of the personal data relating to them for one or more specific purposes. The voluntarily issued consent can be withdrawn at any time.


2.4. Legal obligations

A legal duty to provide personal data in line with Art.6 (1)(c) GDPR may result from statutory provisions affecting us such as tax legislation, the German Federal Act on Registration and other public law obligations.


3.Origin of the data

We generally receive your personal data from you or from contractual partners, service providers and clients with whom we have concluded appropriate data protection law agreements. In certain situations your personal data will also be collected by other offices on the basis of legal provisions. These include in particular specific requests for tax-related information from the relevant tax authority.

  1. Categories of processed personal data

The categories of personal data processed include in particular the following data or data categories Upon booking:

  • Personal details (first name, surname, title, date of birth, nationality and passport or ID card number);
  • Number of accompanying persons, their nationality, passport number
  • Reason for stay (business/private)
  • Name and address of employer
  • Contact details (private address, telephone number, e-mail address), any protocol data created through use of IT systems;
  • Bank details;
  • Tax ID number;
  • Overnight stays with associated turnover.

For the purposes of quality management, marketing, security and other purposes:

  • Recordings of telephone calls for quality and training purposes
  • Video files from security cameras situated in the public areas of our premises, such as corridors and lobbies
  1. Categories of recipients of the personal data

Within the company of the Controller the only persons and offices (e. g. specialist sections) which receive your personal data are those which need this to fulfil our services and legal obligations. Under some circumstances certain data will be transmitted to all affiliated enterprises, if this data processing task is undertaken centrally for enterprises affiliated with the company. In addition the Controller may avail itself of various service providers for the fulfilment of its contractual and legalduties with whom – depending on the situation – an agreement for order processing has been concluded in line with the requirements of Articles 28, 29 GDPR. In addition the Controller can transmit your personal data to other recipients outside the company to the extent that this is necessary for the fulfilment of legal duties as the responsible office (e.g. German Federal Act on Registration, Tax Code and tax legislation, etc.). These may be, e.g.:

  • Public authorities, communal authorities, town councils;
  • Tax authorities, courts, banks (SEPA payment medium);
  • Offices to enable asset-creating payments;
  • Bankruptcy administrators in the case of private insolvency

  1. Duration of data storage

After the end of a contractual relationship personal data is stored for as long as the Controller is legally obliged to do so, Article 17 GDPR. This is often the result of legal duties to provide proof and retention duties under commercial and taxation legislation. The storage periods under these laws are up to ten years. In addition it may be that personal data is stored for the period in which claims can be asserted against the Controller. After the expiry of the purpose or of these time limits the data is routinely blocked or deleted in line with the legal provisions.

  1. Rights of data subjects

Data subjects can request details of the data stored on them from the address given above. In addition they can under certain preconditions demand the correction or deletion of their data. There is also a right to restriction of the processing of the data and a right to receipt of the data provided in a structured, commonly used and machine-readable form. Moreover data subjects have the right to withdraw an issued consent. They may lodge a complaint with the data protection officer or with a supervisory authority if they are of the opinion that the processing of personal data relating to them violates the GDPR.

According to Article 21(1) GDPR an objection to the processing of data for reasons arising out of the specific situation of the data subject can be lodged at the address given above.

The affected person has the right to object to the processing of their personal data for the purpose of direct advertising without giving reasons. If the Controller is processing the data for the protection of justified interests you can object to this processing for reasons arising out of the specific situation. The Controller will then no longer process this personal data unless they can prove urgent reasons for the data processing which are worthy of protection which outweigh the affected interests, rights and freedoms, or the processing serves the assertion, exercise or defence of legal claims.