Data Protection Notice pursuant to Art. 13 GDPR in connection with the issuance and enforcement of bans from the premises

Scope and Purpose of Data Processing

Purposes of Processing Personal Data

Your personal data are processed for the following purposes:

• Exercise and enforcement of the domiciliary rights, in particular the issuance of a ban from the premises (temporary or permanent) and the documentation of violations of house rules or statutory provisions
• Monitoring compliance with the ban from the premises
• Prevention of further disturbances or legal violations
• Enforcement of additional measures or sanctions in the event of non-compliance
• Preservation of evidence for civil or criminal proceedings

Categories of Personal Data Processed

Depending on the individual case, the following data in particular may be processed:

• Master data (e.g. surname, first name, date of birth if applicable)
• Contact details (e.g. address)
• Details of the ban from the premises (duration, territorial scope)
• Information regarding the underlying incident
• Photographs if applicable (e.g. for identification by authorized personnel)
• File notes, witness statements or other documentation

Legal Basis for Processing

Processing is carried out on the basis of Art. 6(1)(f) GDPR (legitimate interests). The legitimate interest lies in particular in exercising and enforcing domiciliary rights, protecting guests, employees and property, and maintaining safety and order within the facilities.

Recipients or Categories of Recipients

Your personal data are processed exclusively by authorized employees of Kur- und Badegesellschaft mbH Aachen and, where applicable, commissioned security services. All persons entrusted with processing are bound to confidentiality in writing.

Data will only be disclosed to third parties if required by law (e.g. law enforcement authorities) or necessary for legal enforcement.

Transfer to Third Countries

Your personal data will not be transferred to third countries or international organizations.

Storage Period / Erasure Periods

Your personal data will be stored for the duration of the existing ban from the premises, if temporary, and thereafter only as long as necessary to safeguard legitimate interests (e.g. preservation of evidence, legal enforcement). In the case of permanent bans, the necessity of continued storage will be reviewed regularly.

Data will be erased as soon as storage is no longer necessary or overriding legitimate interests of the data subject oppose further storage.

Rights of the Data Subject

Under the General Data Protection Regulation, you have the following rights:

• Right of access (Art. 15 GDPR)
• Right to rectification of inaccurate or incomplete data (Art. 16 GDPR)
• Right to erasure, provided the legal requirements are met (Art. 17 GDPR)
• Right to restriction of processing (Art. 18 GDPR)
• Right to object on grounds relating to your particular situation (Art. 21 GDPR)
• Right to data portability, provided the requirements of Art. 20 GDPR are met

If you assert any of these rights, we will promptly examine whether the statutory requirements are fulfilled.

Right to Lodge a Complaint with a Supervisory Authority

You have the right to lodge a complaint with a data protection supervisory authority.

Provision of Data

The provision of your personal data is not legally required; however, it is necessary in order to fulfill the aforementioned purposes (exercise of domiciliary rights).

Automated Decision-Making

Automated decision-making, including profiling pursuant to Art. 22 GDPR, does not take place.