We are pleased that you are visiting our website and thank you for your interest in our hotels. The protection of personal data is very important to us. For this reason, the processing of personal data, such as the name, address, e-mail address or telephone number of a person concerned, is carried out in accordance with the applicable European and national legislation.
If it is necessary to process personal data and there is no legal basis for such processing, we generally obtain the consent of the person concerned.
You can of course revoke your declaration(s) of consent at any time with effect for the future. Please contact the person responsible for this. You will find the contact details at the bottom of this data protection declaration.
This data protection declaration applies to Main Square GmbH & Co. KG (hereinafter referred to as “Company”).
In the following, the above-mentioned companies would like to inform the public about the type, scope and purpose of the personal data processed by them. In addition, this data protection declaration informs affected persons about the rights to which they are entitled.
The companies’ data protection declaration is based on the terms used by the European legislator for directives and regulations when the EU data protection basic regulation (hereinafter: “EU-DSGVO”) was adopted. Our data protection declaration should be easy to read and understand for the public as well as for our guests and business partners. To ensure this, we would like to explain the terms used in advance.
We use the following terms, among others, in this data protection declaration and on our website:
Personal data is any information relating to an identified or identifiable natural person (hereinafter referred to as “data subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Data subject means any identified or identifiable natural person whose personal data are processed by the controller.
Processing means any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organisation, organisation, filing, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, alignment, restriction, erasure or destruction.
Restriction of processing is the marking of stored personal data with a view to limiting their processing in the future.
Profiling is any automated processing of personal data consisting of the use of such personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects relating to the performance of work, the economic situation, health, personal preferences, interests, reliability, conduct, whereabouts or movements of that natural person.
Pseudonymisation is the processing of personal data in such a way that the personal data can no longer be attributed to a specific data subject without the need for additional information, provided that this additional information is kept separately and is subject to technical and organisational measures which ensure that the personal data is not attributed to an identified or identifiable natural person.
Controller or data controller is the natural or legal person, public authority, agency or other body which alone or jointly with others determines the purposes and means of the processing of personal data. Where the purposes and means of such processing are determined by Union law or by the law of the Member States, provision may be made for the controller to be designated in accordance with Union law or the law of the Member States.
Processor is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Recipient means any natural or legal person, public authority, agency or other body to whom personal data are disclosed, whether or not that person is a third party. However, authorities which may receive personal data in the course of a specific investigation, in accordance with Union law or the law of the Member States, are not regarded as recipients.
A third party is a natural or legal person, public authority, agency or body other than the data subject, the controller, the processor and the persons who, under the direct authority of the controller or the processor, are authorised to process the personal data.
Consent means any freely given specific and informed expression of the data subject’s wishes in an informed and unequivocal manner, in the form of a declaration or other unequivocal affirmative act by which the data subject signifies his or her agreement to the processing of personal data relating to him or her.
Personal data are also processed by the companies if you provide them on your own initiative. This happens, for example, every time you contact us. We will of course use the personal data transmitted in this way solely for the purpose for which you provide us with the data when you contact us. Any communication of this information is expressly on a voluntary basis and with your consent. If this information concerns communication channels (e.g. e-mail address, telephone number), you also agree that we may contact you via this communication channel in order to answer your request.
The companies take numerous technical and organisational measures to protect your personal data against accidental or unlawful deletion, alteration or loss and against unauthorised disclosure or access.
Nevertheless, Internet-based data transmissions, for example, may have security gaps, so that absolute protection cannot be guaranteed. For this reason, every person concerned is free to transmit personal data to us by alternative means, for example by telephone.
Links to other websites
This website contains links to other websites (so-called external links). As providers, the companies are responsible for their own content in accordance with the applicable European and national laws. These own contents are to be distinguished from links to contents provided by other providers. We have no influence on whether the operators of other websites comply with the applicable European and national legal provisions. Please refer to the data protection declarations provided on the respective website. The companies do not accept any responsibility for third-party content that is made available for use via links and is specially marked and do not adopt the content as their own. The provider of the website to which reference is made is solely liable for illegal, incorrect or incomplete content as well as for damages resulting from the use or non-use of the information.
You can consent to or reject cookies – also for web tracking purposes – via the settings of your web browser. You can configure your browser so that the acceptance of cookies is generally refused or you are informed in advance if a cookie is to be stored. In this case, however, the functionality of the website may be impaired (e.g. for orders). Your browser also offers a function for deleting cookies (for example, via “Delete browser data”). This is possible in all common web browsers. You can find more information on this in the operating instructions or in the settings of your browser.
Collection of general data and informationen
The Companies’ website collects a number of general data and information each time a data subject or automated system accesses the website. These general data and information are stored in the log files of the server. can be recorded:
- the types and versions of browser used
- the operating system used by the accessing machine
- the website from which an accessing system reaches our website (so-called referrer)
- the sub-websites, which are accessed via an accessing system on our website
- the date and time of access to the website
- a Web protocol address (IP address)
- the Internet service provider of the accessing system
- other similar data and information which serve to avert danger in the event of attacks on our information technology systems
When using this general data and information, the companies do not draw any conclusions about the person concerned. Rather, this information is needed to:
- deliver the contents of our website correctly
- to optimise the content of our website and the advertising for it
- to ensure the permanent functioning of our information technology systems and the technology of our website
provide law enforcement authorities with the information necessary for law enforcement in the event of a cyber attack
These anonymously collected data and information are therefore evaluated by the companies on the one hand statistically and also with the aim of increasing data protection and data security in our companies, in order to ultimately ensure an optimum level of protection for the personal data processed by us. The anonymous data of the server log files are stored separately from all personal data provided by a person concerned.
Routine deletion and blocking of personal data
The controller processes (in this sense also: stores) personal data of the data subject only for the period of time necessary to achieve the purpose of storage or if this has been provided for by the European Directive and Regulation Giver or another legislator in laws or regulations to which the controller is subject.
If the purpose of storage ceases to apply or if a storage period prescribed by the European Directive and Regulation Giver or any other competent legislator expires, the personal data will be blocked or deleted as a matter of routine and in accordance with the statutory provisions.
Rights of the data subject
Right to confirmation: Every data subject has the right to obtain confirmation from the controller as to whether personal data relating to him or her are being processed. If a data subject wishes to exercise this right of confirmation, he or she may at any time contact the controller.
Right of access: every data subject has the right to obtain at any time and free of charge from the controller information on the personal data relating to him or her recorded in the system and a copy thereof. In addition, the European Data Protection Supervisor has granted the data subject access to the following information:
- the processing purposes
- the categories of personal data processed
- the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular to recipients in third countries or to international organisations
- if possible, the planned duration for which personal data will be stored or, if this is not possible, the criteria for determining this duration
- the existence of a right of rectification or erasure of personal data relating to them or of a right of objection to their processing by the controller
- the existence of a right of appeal to a supervisory authority
- if the personal data are not collected from the data subject: all available information on the origin of the data
the existence of automated decision-making, including profiling, in accordance with Article 22 (1) and (4) of the EU-DSCR and, at least in these cases, meaningful information about the logic involved and the scope and intended impact of such processing on the data subject.
The data subject also has the right to know whether personal data have been transferred to a third country or to an international organisation. If this is the case, the data subject also has the right to be informed of the appropriate safeguards relating to the transfer.
If a data subject wishes to exercise this right of access, he or she may contact the controller at any time.
Right of rectification: Any person affected by the processing of personal data has the right to ask for the rectification without delay of inaccurate personal data concerning him. The data subject also has the right to ask for the completion of incomplete personal data, including by means of a supplementary declaration, having regard to the purposes of the processing.
If a data subject wishes to exercise this right of rectification, he or she may contact the controller at any time.
Right of erasure (right to be forgotten): Every person concerned by the processing of personal data has the right to obtain from the controller the immediate erasure of personal data relating to him or her, where one of the following reasons applies and where the processing is not necessary:
- The personal data has been collected or otherwise processed for purposes for which it is no longer necessary.
- The data subject withdraws the consent on which the processing was based under Article 6(1)(a) of the EU-DSA or Article 9(2)(a) of the EU-DSA and there is no other legal basis for the processing.
- the data subject objects to the processing in accordance with Article 21(1) EU-DSA and there are no overriding legitimate reasons for processing, or the data subject objects to the processing in accordance with Article 21(2) EU-DAS.
- The personal data have been processed unlawfully.
- The deletion of personal data is necessary to comply with a legal obligation under Union law or the law of the Member States to which the controller is subject.
- The personal data were collected in relation to information society services offered, in accordance with Article 8(1) of the EU’s data protection regulation.
- If one of the above reasons applies and a data subject wishes to have personal data held by the companies deleted, he may at any time contact the data controller. The data subject’s request for deletion will then be complied with immediately.
- If the personal data have been made public by the companies and if these companies, as data controllers, are obliged to delete the personal data pursuant to Art. 17 (1) EU-DSGVO, the companies will take reasonable measures, including technical measures, taking into account the available technology and the implementation costs, to inform other data controllers who process the published personal data that the data subject has requested these other data controllers to delete all links to these personal data or copies or replications of these personal data unless the processing is necessary. The data controller will then take the necessary steps in each individual case.
Right to limit processing: Any person affected by the processing of personal data has the right to ask the controller to limit processing if one of the following conditions is met:
- The accuracy of the personal data is contested by the data subject, for a period of time that allows the data controller to verify the accuracy of the personal data.
- The processing is unlawful, the data subject refuses to have the personal data deleted and instead requests that the use of the personal data be restricted.
- The controller no longer needs the personal data for the purposes of the processing, but the data subject needs them in order to assert, exercise or defend legal claims.
- The data subject has lodged an objection to the processing pursuant to Art. 21 (1) EU-DSGVO and it is not yet clear whether the legitimate reasons of the controller outweigh those of the data subject.
- If one of the above-mentioned conditions is met and a data subject wishes to request the restriction of personal data stored by the companies, he or she can contact the data controller at any time. The restriction of processing will then be implemented without delay.
Right to data transferability: every data subject has the right to obtain, in a structured, standard and machine-readable format, the personal data relating to him which have been supplied by the data subject to a controller. He/she also has the right to have these data communicated to another controller without hindrance by the controller to whom the personal data have been made available, provided that the processing is based on the consent referred to in Article 6(1)(a) of the EU DGR or Article 9(2)(a) of the EU DGR or on a contract as referred to in Article 6(1)(b) of the EU DGR and that the processing is carried out by means of automated procedures, except where such processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
Furthermore, in exercising their right to data transfer, the data subject has the right to obtain, in accordance with Article 20(1) of the EU-DSA, that personal data be transferred directly from one controller to another controller, insofar as this is technically feasible and provided that it does not adversely affect the rights and freedoms of other persons.
To exercise the right to transfer data, the data subject may at any time contact the controller.
Right of objection: Every person concerned by the processing of personal data has the right to object at any time, on grounds relating to his particular situation, to the processing of personal data concerning him which is carried out pursuant to Article 6(1)(e) or (f) of the EU-DSA. This also applies to profiling based on these provisions.
In the event of an objection, the companies will no longer process the personal data unless we can demonstrate compelling legitimate reasons for processing which outweigh the interests, rights and freedoms of the data subject, or unless the processing is for the purpose of asserting, exercising or defending legal claims.
Where companies process personal data for the purpose of direct marketing, the data subject shall have the right to object at any time to the processing of personal data for the purpose of such marketing. This also applies to profiling, insofar as it relates to such direct marketing. If the data subject objects to the companies processing for direct marketing purposes, the companies will no longer process the personal data for these purposes.
In addition, the data subject has the right to object, for reasons arising from his or her particular situation, to the processing of personal data concerning him or her carried out by the companies for the purposes of scientific or historical research or for statistical purposes in accordance with Article 89 (1) EU-DSGVO, unless such processing is necessary for the performance of a task carried out in the public interest.
To exercise the right of objection, the data subject may contact the controller directly. The data subject is also free to exercise his or her right of objection in relation to the use of information society services, notwithstanding Directive 2002/58/EC, by means of automated procedures involving technical specification.
Automated decisions in individual cases, including profiling: every data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or significantly affects him or her in a similar way, provided that the decision:
- is not necessary for the conclusion or performance of a contract between the data subject and the controller, or
- is authorised by Union or national legislation to which the controller is subject and that legislation provides for appropriate measures to safeguard the rights and freedoms and legitimate interests of the data subject, or
- with the express consent of the person concerned.
Where the decision is necessary for the conclusion or performance of a contract between the data subject and the controller, or is taken with the express consent of the data subject, undertakings shall take reasonable steps to safeguard the rights and freedoms and legitimate interests of the data subject, including at least the right to obtain the intervention of the controller, to put forward his point of view and to challenge the decision.
If the data subject wishes to exercise rights relating to automated decisions, he or she may at any time contact the controller.
Recht auf Widerruf einer datenschutzrechtlichen Einwilligung: Right to revoke a consent under data protection law: Any person affected by the processing of personal data has the right to withdraw his or her consent to the processing of personal data at any time.
If the data subject wishes to exercise his or her right to withdraw consent, he or she may at any time contact the data controller.
Data protection for applications and the application process
The data controller collects and processes the personal data of applicants for the purpose of processing the application procedure. The processing may also be carried out by electronic means. This is particularly the case if an applicant submits relevant application documents to the controller by electronic means, for example by e-mail. If the data controller concludes an employment contract with an applicant, the transmitted data is stored for the purpose of processing the employment relationship in compliance with the statutory provisions. If the controller does not conclude an employment contract with the applicant, the application files will be automatically deleted six months after notification of the rejection decision, unless deletion is contrary to any other legitimate interests of the controller. Other legitimate interests in this sense include, for example, a duty of proof in proceedings under the General Equal Treatment Act (AGG).
Use of Google Analytics (with anonymisation function)
You can prevent Google Analytics from recording this data by clicking on the link below. This will install an “opt-out cookie” in your browser, so that in future no collection of your data will take place when you visit this website:
Disable Google Analytics
In view of the discussion on the use of analysis tools with complete IP addresses, the companies would like to point out that, in order to exclude the identification or identifiability of a natural person, IP addresses are only processed to a limited extent on this website, as we use Google Analytics with the extension “_anonymizelp()”.
As an additional service, our website offers you so-called social plugins, which enable you to interact with the social services Facebook, Google+ and Twitter. To prevent an unwanted transmission of your usage data, please log out of these services beforehand.
Use of Facebook Social Plugins
Our website uses so-called social plugins (“plugins”) of the social network Facebook, which is operated by Facebook Inc, 1601 S. California Ave, Palo Alto, CA 94304, USA (“Facebook”). The plugins are marked with a Facebook logo or the addition “Social Plug-in from Facebook” or “Facebook Social Plugin”. An overview of the Facebook plugins and their appearance can be found here: https://developers.facebook.com/docs/plugins
When you call up a page of our website that contains such a plugin, your browser establishes a direct connection to the Facebook servers. The content of the plugin is transmitted by Facebook directly to your browser and integrated into the page. Through this integration, Facebook receives the information that your browser has called up the corresponding page of our website, even if you do not have a Facebook profile or are not currently logged in to Facebook. This information (including your IP address) is transmitted by your browser directly to a Facebook server in the USA and stored there.
If you are logged in to Facebook, Facebook can directly assign your visit to our website to your Facebook profile. If you interact with the plugins, for example by clicking the “Like” button or making a comment, this information is also transmitted directly to a Facebook server and stored there. The information is also published on your Facebook profile and displayed to your Facebook friends.
For the purpose and scope of data collection and the further processing and use of data by Facebook, as well as your rights and setting options for protecting your privacy, please refer to the Facebook data protection information: http://www.facebook.com/policy.php
If you do not want Facebook to assign the data collected via our website directly to your Facebook profile, you must log out of Facebook before visiting our website. You can also completely prevent the loading of the Facebook plugins with add-ons for your browser, e.g. with the “Facebook Blocker” (https://netzstrategen.com/sagen/facebook-plugin-blocker).
Use of Google+ plugins (e.g. “+1” button)
Our website uses so-called social plugins (“Plugins”) of the social network Google+, which is operated by Google Inc, 1600 AmphitheatreParkway, Mountain View, CA 94043, USA (“Google”). The plug-ins can be identified, for example, by buttons with the “+1” sign on a white or coloured background. An overview of the Google plugins and their appearance can be found here:
When you call up a page of our website that contains such a plugin, your browser establishes a direct connection to the Google servers. The content of the plugin is transmitted by Google directly to your browser and integrated into the page. This integration informs Google that your browser has called up the corresponding page of our website, even if you do not have a Google+ profile or are not currently logged in to Google+. This information (including your IP address) is transmitted by your browser directly to a Google server in the USA and stored there.
If you are logged in at Google+, Google can directly assign the visit to our website to your Google+ profile. If you interact with the plugins, for example by pressing the “+1” button, the corresponding information is also transmitted directly to a Google server and stored there. The information is also published on Google+ and displayed to your contacts.
For the purpose and scope of data collection and the further processing and use of the data by Google, as well as your rights and setting options for protecting your privacy, please refer to Google’s data protection information: http://www.google.com/intl/de/+/policy/+1button.html
If you do not want Google to associate the information collected via our website directly with your profile on Google+, you must log out of Google+ before visiting our website. You can also completely prevent the Google plugins from loading with add-ons for your browser, e.g. with the script blocker “NoScript” (http://noscript.net/).
Use of Twitter plugins (e.g. “Twitter” button)
Our website uses so-called social plugins (“Plugins”) of the microblogging service Twitter, which is operated by Twitter Inc, 1355 Market St, Suite 900, San Francisco, CA 94103, USA (“Twitter”). The plugins are marked with a Twitter logo, for example in the form of a blue “Twitter bird”. An overview of the Twitter plugins and their appearance can be found here:
If you call up a page of our website that contains such a plugin, your browser establishes a direct connection to the Twitter servers. The content of the plugin is transmitted by Twitter directly to your browser and integrated into the page. Through the integration, Twitter receives the information that your browser has called up the corresponding page of our website, even if you do not have a profile on Twitter or are not currently logged in to Twitter. This information (including your IP address) is transmitted by your browser directly to a Twitter server in the USA and stored there.
If you are logged in to Twitter, Twitter can directly assign your visit to our website to your Twitter account. If you interact with the plug-ins, for example by clicking the “Twitter” button, the corresponding information is also transmitted directly to a Twitter server and stored there. The information is also published on your Twitter account and displayed to your contacts. For the purpose and scope of data collection and the further processing and use of the data by Twitter, as well as your rights and setting options for protecting your privacy, please refer to the Twitter data protection information: https://twitter.com/privacy. If you do not want Twitter to assign the data collected via our website directly to your Twitter account, you must log out of Twitter before visiting our website. You can also completely prevent the Twitter plugins from loading with add-ons for your browser, e.g. with the script blocker “NoScript” (http://noscript.net/).
Name and address of the person responsible:
Main Square Verwaltung GmbH
Große Elbstraße 47
phone: 040/ 376 60 100
Name and address of the Data Protection Officer:
Please send your request to:
To send an e-mail, please replace (at) with @. The spelling used by us serves as protection against spam.
Hamburg, September 2020