The responsible party within the meaning of the data protection laws, in particular the EU General Data Protection Regulation (GDPR), is:

esquilin holding UG (haftungsbeschränkt)

Max-Beckmann-Weg 65
DE 65428 Rüsselsheim am Main

info [at]


Your rights as data subject

You can exercise the following rights at any time using the contact details provided:

  • Information about your data stored by us and its processing (Art. 15 GDPR),
  • Correction of incorrect personal data (Art. 16 GDPR),
  • Deletion of your data stored by us (Art. 17 GDPR),
  • Restriction of data processing if we are not yet allowed to delete your data due to legal obligations (Art. 18 GDPR),
  • Objection to the processing of your data by us (Art. 21 GDPR) and
  • Data portability, insofar as you have consented to the data processing or have concluded a contract with us (Art. 20 GDPR).

If you have given us consent, you can revoke it at any time with effect for the future.

You may at any time lodge a complaint with a supervisory authority, e.g. the competent supervisory authority of your place of residence or the authority responsible for us as the controller:

The Hessian Commissioner for Data Protection and Freedom of Information
PO Box 3163
DE 65021 Wiesbaden
Tel +49-611-1408-0


Types of processing / legal bases

According to the requirements of the GDPR, all processing activities must be assigned to a legal basis from the catalog in Art. 6 (1). We cite the exact provisions of the law here once, in case you want to read them there. In the following, we will only mention the colloquial ‘legal basis’ in italics.

The GDPR offers a total of six variants or legal bases, of which, however, only four are relevant for us:

  • Processing of data based on consent; Art. 6 (1) a.
  • Processing necessary for the preparation or performance of a contract; Art. 6 (1) b.
  • Processing necessary to comply with a binding law or regulation; Art. 6 (1) c.
  • Processing necessary to protect justified and legitimate interests; Art. 6 (1) f.

The respective legal basis gives rise to rules on what, if anything, must be done in advance or what special rights arise for you. Above all, the legitimate interest should be emphasized here.


Recipients of your data

If we pass on your data to third parties, we explain this below in each case and state the reason / purpose and the recipient.

Apart from the transfer to third parties, who then in turn process your data on their own responsibility (and are consequently then also your contact persons), we also transfer your data to so-called order processors.

Processors are service providers who assist us with data processing on our behalf. Such processors are not allowed to process the data for their own purposes, i.e. they may process it only and exclusively according to our instructions and may not evaluate it or transfer it to third parties. Since we retain sovereignty over the data here, we remain the controller under the rules of the GDPR and thus your contact person, although you could also assert your rights with these service providers – who would then, however, have to contact us again.

We use outside help when it comes to operating our web server or email services. Our service providers are carefully selected and controlled by us. We use specialized service providers because this lets us better guarantee the security of your data. Your landlord (Joerg) can configure servers, but running an email server in a cyber-secure way is something specialized companies can do better. And we want it to be secure.


Visiting our website

In general

When you access our website, information of a general nature is automatically collected and processed, even for a simple page request – otherwise our web server could not even present a page to you on your smartphone or on your PC. This information includes, for example, the type of web browser, the operating system used, the domain name of your Internet service provider, your IP address and the like.

In addition to actually building the page, this data is also processed for the following purposes in particular, and is required for them:

  • Ensuring a smooth connection of the website,
  • Ensuring a smooth use of our website,
  • Evaluating system security and stability, and
  • Optimizing our website.

We do not use your data to draw conclusions about your person. Information of this kind is statistically evaluated anonymously by us, if necessary, in order to optimize our website and the technology behind it.

All of the aforementioned processing activities are carried out for the legitimate interest of operating the website securely and with high performance.


Guests Only (Attention: Cookie)

On the website we provide our guests with additional information: the manual for the apartment, restaurant tips, an inventory etc. These pages are intended only for booked guests and are therefore protected with a password against general access.

So that you do not have to enter the password every time you browse through the pages or when you call them up again during your stay, our web server places a so-called cookie on your PC / smartphone / tablet – if you have not blocked this in your browser (Firefox, Edge etc.). When you browse or call up the site again, the web server uses your browser to check whether you are allowed to view the pages without re-entering the password. If the cookie is found, you will get access without entering the password again.

A cookie is a small file containing a cryptic string of characters. We use the cookie exclusively for the purpose described here. User tracking does not take place.

By the way, every guest receives the same password. If we set up an individual account for each guest, tracking would easily be possible. But we do not want that. And although the information behind the registration should not be accessible to the public, it is not secret either. So a technically simple solution seemed appropriate to us. The cookie is necessary to control this very simple and privacy-preserving access. We are thus pursuing a legitimate interest.

Although we set a cookie, you will not see a cookie banner. Such a banner would be necessary if we wanted to track you or pursue other purposes that are not necessary. However, this is exactly what we do not do. Or to put it another way: if you see cookie banners, someone obviously wants to do things with your data that go beyond what is necessary. Cookie banners should therefore always be understood as a warning.

The cookie lifetime is automatically limited to 10 days and is based on the typical length of stay of our guests.

You don’t want our cookie either? Simply disable cookies in the browser and delete existing ones.


Administrative accesses

Attempts to log in to our administrative accesses are logged, and not anonymously. We store and process this data in order to prevent possible misuse, for example by blocking access, or to support law enforcement agencies in their investigations; after all, hacking websites is illegal (even the attempt).

We generally keep such log files for at least four months, as cyberattacks are often long-term in nature. We base the maximum storage period on the specifications that the BDSG (national German data privacy legislation) prescribes for operators of government web servers (neither the BDSG nor the GDPR provides any specifications for private-sector web servers). Section 76 (4) BDSG: “The log data shall be deleted at the end of the year following its generation.”

All of the aforementioned processing activities are carried out on the basis of a balancing of interests, i.e. the legitimate interest in operating a secure website.


Booking and use of Refugio Xàbia

Booking through our website

In order to respond to requests, we need to process your data. Since you asked for an answer, we are certainly acting here in your legitimate interest as well as ours. So that we still know later to whom we gave which answers, we store these for a maximum of two years*.

If the inquiries lead to a binding booking via our website, then we process and store the data in order to be able to conclude and execute the contract.

Once the contract has been completely fulfilled, we have to store all commercially relevant data for another ten years* for commercial and tax law reasons for possible tax audits and, if necessary, disclose it to a tax auditor (German and Spanish laws).

We also use the contact information of our former guests for three years* after check-out to be able to contact you again for quality control purposes and/or to advertise possible future bookings (legitimate interest). If you do not wish your data to be used in this way, simply let us know; we will then store the data exclusively to comply with the commercial and tax laws applicable to us and will not use it for any promotional approach.


Bookings via portals

If the booking is made via a portal such as Airbnb, your first contact is usually the portal. This means that the decision to use this portal comes from you. The processing of your data is then also first of all the sole responsibility of the portal. The data protection information of the portal operator applies.

If an inquiry or a booking is made with us via the portal, you ultimately request the portal to also transmit your data to us so that we can answer the inquiry and/or confirm a booking. At this point, we also transfer your data to our systems and are responsible for this. If further communication with you continues (for the time being) via the portal, we are joint users of the portal.

In fact, we have no influence on how booking portals process your (and our) data in detail. For the processing of your data there, therefore, the privacy policy of the portal (which you originally selected) continues to apply, even if you have already concluded a contract with us. For processing on our site, we are the sole data controller. With regard to the legal basis and retention periods, the same then applies as we have already explained above for the booking via our website.


The stay

Pre Check-In and Notification to the Guardia Civil

We ask you to submit to us data about all persons aged 16 and up who will stay overnight during the time you have rented Xabia Refugio. These data must be transferred to the Guardia Civil after check-in.

Since collecting and transmitting these data about the people staying at Xabia Refugio is required by law, no check-in will be carried out if the data are not provided and proven with an ID card or passport at the latest on arrival of each person (please refer to our terms for the contractual consequences). We collect the data prior to your arrival via a web form. The data will be printed on a paper form which will be used by the reception staff to verify the data against your passport during the actual check-in. Finally, you have to sign that document, and we have to keep it for three years. If you travel as a group or family and some members will not be present at the actual check-in, the ID verification might be done using a video conference system.

KYC (Know your customer): Besides the purely legal requirement to collect and transmit the personal data of our guests, we would also like to know who is actually staying in our home and who is paying us money to do so. In case we are subject to investigations by other governmental authorities in Spain or in Germany, we may (have to) transmit the data to these entities as well (e.g. tax office). Plus, in case guests leave us with damages, we will use the data to claim compensation (never happened; will probably not happen; all guests have been very nice people so far!). However, we consider these purposes a legitimate interest, if not enforced by law.

All data about your stay which have any relevance for taxation in Germany (that is, where your landlord has its legal home base) must and will be kept up to 12 years to comply with the German tax law. Details about your ID documents do not have any relevance for taxation but must be kept for three years, according to the Spanish law. Once these periods have passed, the data will be deleted accordingly.


Check-in and services

The actual check-in may be carried out by a local company we trust. After careful selection, we have engaged MMC Property Services SL from Xàbia / Jávea as our partner. Besides check-in, they might do the check-out, run the service telephone, answer 24/7 emergency calls or coordinate urgent repair services during your stay. They will receive all data needed to fulfill these services. We contracted MMC as a processor according to Art. 28 GDPR based on the Standard Contractual Clauses issued by the European Commission. This contract binds MMC to use your data exclusively for the purpose specified by us and described above.

If you ask for additional services like fresh linen or a cleaning during your stay, we would refer you to MMC as well. In these cases MMC will be your contract partner and therefore the responsible person for processing your data according to the GDPR. To ease this process, we have allowed MMC in these cases to use your contact information (names, telephone) for the purpose of providing you with the services you are interested in and have requested (not for any annoying sales activities, of course). We believe this serves the legitimate interests of all participating parties.


Internet access

At Refugio Xàbia we provide internet access. Spanish providers sometimes report to their customers (us), in considerable detail and on a daily basis, the extent (traffic/volume) to which the Internet was used. We do not receive information about which services were accessed on the Internet. We may see on the invoice whether and how intensively the Internet was used per calendar day. We do not use this information, but we must keep the invoices for tax reasons. If the usage statistics are separable from the actual bill, we will destroy them. All logging functions are disabled in the router (the device that connects to the Internet on our end).


Smart meter

In Spain, smart meters are common for measuring electricity consumption. The electricity supplier (here: Iberdrola) can read online at virtually any time how much electricity is currently being consumed in the apartment. The electricity suppliers use the data to create detailed monthly bills. In addition, as a customer, you can see in an online portal, with a few days' delay, how high your consumption was on individual days. We use this information to determine if our tenants’ consumption was significantly above average and then bill them for this according to the rules of the booking conditions. Without analyzing the consumption data on a daily basis, we cannot apply this provision of the contract.

Water consumption is determined with the help of central meters in the facility. We read these meters at the beginning and at the end of the rental period, in order to be able to invoice the additional costs regulated in the contract in case of strongly above-average consumption here as well.


Smart TV

Like many modern devices, our TV is considered a so-called smart TV because, in addition to the actual TV reception via an antenna, the device also offers services via the Internet. As soon as services are accessed from the Internet, personal data are processed by third parties (in some cases also outside the EU). In the case of smart TVs, this is often very extensive (e.g., tracking of usage habits).

We only use the device as a TV; therefore, the device has no connection to the Internet. To use streaming services, we connect our notebook to the TV and use the TV as a monitor. We chose this way because for us personally, it is easier to manage the issue of data protection (tracking, operating system updates, etc). You are also welcome to connect your notebook; an HDMI cable is required to do so.

Formally (and also technically), with this solution the processing of personal data takes place primarily on your notebook under your own responsibility. The TV doesn’t receive any connection to the Internet through this.

If you nevertheless want to connect the TV directly to the Internet, please read the privacy policy of the TV (available there). Please remember that any consent requested by the device may already have been given by a previous user. In this case, it would help if you reset the device to its initial state. However, you would then have to store the receivable TV channels again so that the device can continue to function as a TV.

For the intended use of the device, by us as owners and by you as a guest, as a TV and possibly as a monitor for a notebook, a connection to the Internet isn’t required. If you connect the device to the Internet, you do so voluntarily and beyond the use intended by us; formally, this is thus done from our point of view on the basis of consent, which you can revoke at any time for the future by disconnecting from the Internet.

The TV device may also store data from offline use. We don’t use this data, of course. If the device is connected to the Internet, this possibly aggregated user data could be transmitted to the manufacturer or third parties. However, if you don’t establish this connection yourself and thus become identifiable, your historical data then loses its personal reference to you, so that we are convinced that you can use the device without worrying – even if you should attach great importance to data protection.


Too much info? Shocked?

We process the data as all landlords (must) process them. However, not all of them provide information about it in such detail – although it should be like this according to Art. 13 / 14 GDPR. Joerg (your landlord+) works as a data protection consultant and auditor (esquilin GmbH). So you can be sure that your data is really in good hands with us.


Change of our privacy policy

We reserve the right to adapt this privacy policy to ensure that it always complies with current legal requirements or to implement changes to our services in the privacy policy, e.g. when introducing new services. The new privacy policy will then apply to your next visit.


as of: 2024-04-13

+) Formally, your landlord is the esquilin holding UG (see responsible person). Joerg is the owner of this company and its managing director.

*) Deletion routines
Detailed information about the deletion routines is beyond the scope of this article. We will be happy to send you more information on request.