Confidentialité

Privacy policy in accordance with Art. 13 of the General Data Protection Regulation (GDPR) for the Whistleblowing Channel of Revo Hospitality Group

The protection of your personal data and identity is of utmost importance to us. This privacy notice informs you, in accordance with Art. 13 GDPR, about how your data is processed when you use our whistleblowing channel.

I. Who is responsible for data processing?

The controller within the meaning of the GDPR and other data protection regulations is:

HRG Hospitality B.V. & Co. KG

Hauptstraße 66

D-12159 Berlin, Germany

If you have any questions regarding data protection, you may contact our data protection officer at any time: dataprivacy@revo-h.com 

II. Why and on what legal basis do we process your data?

We process your data to provide a secure and functional whistleblowing channel, to handle complaints and to comply with our legal obligations.

Your data is processed on the following legal bases:

• Your consent (Art. 6 para. 1 lit. a GDPR), e.g., if you voluntarily provide your identity,
• A legal obligation, in particular under the Whistleblower Protection Act (Art. 6 para. 1 lit. c GDPR),
• Our legitimate interest in operating a secure whistleblower system and investigating incidents (Art. 6 para. 1 lit. f GDPR) and
• Section 26 (1) sentence 2 BDSG for the investigation of criminal offences in the employment relationship.

III. What data is processed in detail?

 1. Technical access data

When you visit our portal, certain technical information is automatically collected, such as a partially anonymized IP address, device type, operating system, browser, as well as the date and time of access. This data is used exclusively to ensure the security and functionality of the system and is deleted after 14 days at the latest.

2. Use of cookies

To ensure the portal functions properly, we use technically necessary cookies. These are essential for the operation of the whistleblowing channel and are not used for advertising purposes. Marketing or tracking cookies are only set with your explicit consent.

Below is an overview of all cookies used and their purposes:

3. Data in the context of a complaint

When you file a complaint, we process all information you provide. These may include, in particular:

• Your identity details (if provided)
• Your employee status or your relationship with our company
• Details of other data subjects
• Information about the reported facts

After submitting the complaint, you will receive a password consisting of numbers and letters, which is linked to your complaint and allows you to access it at any time.

This information helps us to carefully investigate complaints and, if necessary, take action to prevent or prosecute violations of laws or internal policies.

IV. Who has access to your data

1. Data recipients

For the operation of the whistleblower system, we cooperate with Rexx Systems GmbH as a technical service provider. This company is contractually obliged to process your data only in accordance with our instructions and under strict data protection requirements.

Your data will only be disclosed to other parties if required by law, if you have given your consent or if a balancing of interests justifies this. Recipients may include technical service providers, internal specialist departments (e.g. legal department, compliance), group companies, authorities or persons bound by confidentiality (e.g., lawyers).

2. Transfer to third countries

Your personal data will not be transferred to a third country (outside the EU/EEA). If a transfer is necessary in individual cases, it will only occur in compliance with the legal requirements of Art. 44 et seq. GDPR (e.g., by concluding EU standard contractual clauses). For more information, please contact us using the details above.

V. How long do we store your data?

As a general rule, we only store your personal data for as long as is necessary for the purposes for which it was collected. Specifically:

• Technical access data (such as IP address, device information, etc.) collected when visiting the whistleblowing channel is deleted after 14 days at the latest, unless security-related reasons require longer storage.
• Data from complaints is stored for as long as necessary to process the complaint and carry out any required follow-up actions. In accordance with Section 11 (5) of the Whistleblower Protection Act, the documentation of a report under the Whistleblower Protection Act is deleted three years after the conclusion of the procedure, unless longer retention is necessary and proportionate to meet legal requirements.
• Legal retention obligations (e.g. from commercial or tax law) or legal proceedings (e.g. ongoing proceedings) may require certain data to be stored for longer. In such cases, the data will be deleted after the respective period has expired.

Once storage of your data for the aforementioned purposes is no longer necessary and there are no statutory retention obligations, your data will be deleted or anonymised.

VI. Is the provision of data mandatory?

The use of the whistleblower system and the provision of personal data are generally voluntary. However, please note that certain technical data (e.g. IP address) is automatically collected when accessing the portal, as it is necessary for operation.

VII. Automated decision-making / profiling

No automated decision-making, including profiling, takes place within the framework of the whistleblowing channel in accordance with Art. 22 GDPR.

VIII. Your rights

You have the following rights:

• Access to your stored data (Art. 15 GDPR)
• Rectification of inaccurate data (Art. 16 GDPR)
• Erasure of your data (Art. 17 GDPR)
• Restriction of processing (Art. 18 GDPR)
• Data portability (Art. 20 GDPR)
• Objection to processing (Art. 21 GDPR)
• Withdrawal of consent (Art. 7 para. 3 GDPR)

To exercise these rights, you may contact us at any time using the contact details above.

• Complaint to a supervisory authority (Art. 77 GDPR): If you believe that the processing of your data violates the GDPR, you may contact a data protection supervisory authority at any time. The supervisory authority responsible for us is the Berlin Commissioner for Data Protection and Freedom of Information, Alt-Moabit 59–61, 10555 Berlin, e-mail: mailbox@datenschutz-berlin.de.

IX. Changes to this Privacy Policy

We regularly review this notice and update it in the event of changes in the legal situation or our processing activities.

Last updated: December 2025

Privacy Notice for Applicants

Welcome to our job portal and thank you for your interest in working with us or one of our affiliated hotels! The protection and transparent handling of your personal data are very important to us. We want you to feel confident in your application and to know exactly how and for what purposes we process your data.

Below, we inform you about how we – HRG Hospitality B.V. & Co. KG as the operator of this portal – and the respective subsidiaries for whose positions you are applying, process your personal data in the context of the application process. We comply with all applicable data protection laws.

For ease of reading, the following information mainly refers to the General Data Protection Regulation (GDPR). For companies or individuals with a connection to Switzerland, the relevant provisions of the Swiss Data Protection Act (FADP) apply accordingly, insofar as comparable rights and obligations exist.

1. Data Controllers and Data Protection Officer

1.1 Operator of the job portal

For the technical operation and central administration of your application data,

HRG Hospitality B.V. & Co. KG

Hauptstraße 66

12159 Berlin

acts as the controller

1.2 Company responsible for the application process

As soon as you apply for a specific position, the respective subsidiary (e.g. the hotel for which the position is advertised) also acts as an independent controller for the processing of your application data as part of the selection process. This company will be named to you during the application process (e.g. in the job advertisement or in the application form). If you have any questions or need the contact details of the respective company, please contact the person specified in the job advertisement directly.

1.3 Data Protection Officer

If no separate data protection officer has been appointed for individual companies, the data protection officer of HRG Hospitality B.V. & Co. KG is available as a central contact for all data protection-related concerns. The contact details are:

Intersoft consulting services AG, Beim Strohhause 1720097, Hamburg, Germany

E-Mail: dataprivacy@revo-h.com

If a company has its own data protection officer, you will find the contact details in the job advertisement or receive them upon request.

2. Website Visit

2.1 Cookies and Analytics: When you access and use our job portal, certain personal data is automatically collected by our IT systems. This includes in particular:

This data is processed using cookies and similar technologies to ensure the technical operation, security, and optimization of the portal, as well as to analyze its use. If your consent is required for this, we obtain it via a consent banner.

Overview of Cookies Used:

Web Analytics and Hosting: Web analytics are performed using Matomo (https://matomo.org/privacy/). Data processing takes place exclusively within the EU.

Withdrawal of Consent: You can withdraw your consent for non-essential cookies at any time via the cookie settings on the website.

Processing is carried out either on the basis of our legitimate interest in providing a secure and functional online offering (Art. 6 para. 1 lit. f GDPR) or – where required – on the basis of your consent (Art. 6 para. 1 lit. a GDPR).

2.2 Contacting us and online forms: If you contact us via a contact form or by e-mail, the data you provide will be used to process your request. 

The data transmitted by you will be processed exclusively for the purpose of processing your enquiry on the basis of Art. 6 (1) (b) GDPR (pre-contractual measures) or, if no contractual relationship exists, on the basis of our legitimate interest in processing enquiries (Art. 6 (1) (f) GDPR).

2.2 Contact and Online Forms: If you contact us via a contact form or by e-mail, the data you provide will be used solely to process your request. This processing is based on Art. 6 (1) (b) GDPR (pre-contractual measures) or, if no contractual relationship exists, on our legitimate interest in processing enquiries (Art. 6 (1) (f) GDPR).

3. Application Data Processing

As part of the application process, we process the following categories of personal data in particular:

• Master data (e.g. surname, first name, title, address, contact details)
• Qualification data (e.g. cover letter, CV, previous positions, professional qualifications)
• References and certificates (e.g. job references, appraisals)
• Login data (e.g. e-mail, password, if a user account is created)
• Other contact details (e.g. telephone number, e-mail address, place of residence)
• Other data (e.g. country of residence, source of applicant)
• Special information required for certain positions (e.g. police clearance certificate, credit bureau information, results of aptitude tests or medical examinations)
• Publicly available work-related data, in particular from professional social networks such as LinkedIn or XING (e.g. as part of active sourcing or when you share your profile with us)
• Data transmitted to us by external recruiters, headhunters or agencies, if you are involved in an application process with them
• Data related to appointments: If you receive an invitation to an interview via Microsoft Bookings as part of the application process, the data required to make an appointment (e.g. name, email address, desired appointment) will be processed.
• Voluntary information (e.g. application photo, salary expectations, language skills or other information you provide to us as part of your application)
• Special categories of personal data (e.g. health data, information on severe disability), if this is provided by you as part of the application process or collected by us within the framework of legal requirements
• We receive this data either directly from you during the application process via our portal, through your active contact, by contacting you via social networks (active sourcing), by making appointments (e.g. via Microsoft Bookings) or – if you have consented to this – from external recruiters, headhunters or agencies.

4. Purposes and Legal Bases

Your personal data will be processed as part of the application process for the following purposes and on the legal bases listed below.

4.1 Conducting the application process: Processing your personal data is necessary to review your application, carry out the selection process and, if applicable, to conclude an employment contract with you (Art. 6 para. 1 lit. b GDPR).

4.2 Active sourcing: We may proactively approach potential candidates via job-related social networks (e.g. LinkedIn, XING) to inform them about vacancies and encourage them to apply. This processing is based on our legitimate interest in efficient recruitment (Art. 6 para. 1 lit. f GDPR). You may object to such contact at any time.

4.3 Collaboration with recruiters and agencies: We work with external headhunters, recruiters and, where applicable, agencies that assist us in the search and selection of suitable candidates. In this context, we receive applicant data either directly from you or through these external partners. Processing is based on Art. 6 (1) (b) GDPR (pre-contractual measures) or, if necessary, on your consent (Art. 6 (1) (a) GDPR).

4.4 Scheduling appointments via Microsoft Bookings: We may use Microsoft Bookings, a service provided by Microsoft Corporation, to organize appointments. Microsoft acts as a processor for us. The data required to make an appointment is transmitted to Microsoft and processed on its servers.

4.5 Disclosure to other group companies: If your qualifications are also relevant for other companies in our group, we will only share your application documents with them after obtaining your explicit consent (Art. 6 para. 1 lit. a GDPR). You may withdraw your consent at any time with effect for the future.

4.6 Compliance with legal obligations: In certain cases, we are legally obliged to process your data, e.g. to comply with employment, tax or regulatory requirements (Art. 6 para. 1 lit. c GDPR).

4.7 Legitimate interests: Where necessary, we process your data to protect our legitimate interests of those of third parties, for example to defend against legal claims (e.g. under the General Equal Treatment Act – AGG) or to carry out checks against EU anti-terrorism lists (Art. 6 para. 1 lit. f GDPR).

5. Obligation to Provide Data

The provision of your personal data is necessary to carry out the application process. Without this data, your application cannot be processed and the selection procedure cannot take place. You are not required to provide voluntary information (e.g. application photo, salary expectations, language skills); the absence of such information does not affect the selection process

6. Recipients of Your Data

As part of the application process, your personal data will only be shared with internal and external parties involved in the decision on your application or supporting us in carrying out the application process. This includes in particular:

·        the HR department and the responsible department heads (e.g. hotel director and/or department head)

·        the respective works council, if applicable

·        group companies, provided that you have given your express consent

·        external recruiters, headhunters or agencies, if you are involved in an application process with them (these usually act as independent controllers)

·        IT service providers (e.g. maintenance service providers, hosting service providers)

·        authorities, courts or other public bodies, insofar as this is required by law

Your personal data will only be transmitted to other recipients if you have expressly consented to this or if there is a legal obligation.

7. Transfer to Third Countries

As a rule, we do not transfer your personal data to countries outside the European Union or the European Economic Area (“third countries”). The only exception is if you make an appointment via Microsoft Bookings as part of the application process. Microsoft Bookings is a service provided by Microsoft Corporation that processes personal data on Microsoft servers. In this context, it is possible that data will be transferred to the USA. For more information about data processing by Microsoft, please see Microsoft’s privacy statement: https://privacy.microsoft.com/de-de/privacystatement.

8. Automated Decision-Making

No automated decision-making, including profiling, takes place as part of the application process within the meaning of Art. 22 GDPR.

9. Data Retention

In principle, we only store your personal data for as long as necessary for the respective purposes.

9.1 Website use: Data processed in connection with visiting our job portal (e.g. IP address, usage data, cookies) will only be stored for as long as necessary to provide and secure the website as well as to analyse and optimise the service. The specific storage period depends on the type of data and the technologies used (e.g. session cookies until the end of the session, analytics cookies according to consent).

9.2 Application process: We store data collected in the course of the application process for as long as necessary for the decision on your application. If no employment relationship is established, your data will usually be deleted within 6 months of completion of the application process, provided that no statutory retention periods or legitimate interests (e.g. to defend against legal claims) prevent deletion.

9.3 Legal retention obligations and other legal provisions: If there are statutory retention periods or other legal obligations (e.g. under labour, commercial, tax or other national or international law), the data in question will be stored for the duration of the respective statutory period and then deleted. The national provisions applicable in the individual case of the company to which the application is made are decisive.

10. Your Rights

You have the following rights in connection with the processing of your personal data:

• To obtain information about the data stored about you (Art. 15 GDPR)
• To have incorrect or incomplete data corrected (Art. 16 GDPR)
• To have your data deleted, provided that there are no statutory or contractual retention obligations to the contrary (Art. 17
• GDPR)
• To restrict the processing of your data (Art. 18 GDPR)
• To have your data transferred to you or to a third party (Art. 20 GDPR)
• To object to the processing of your data, in particular where processing is based on legitimate interests (Art. 21 GDPR)
• To withdraw consent given, with effect for the future (Art. 7 para. 3 GDPR)
• To lodge a complaint with a competent data protection supervisory authority (Art. 77 GDPR)
• To exercise these rights, please contact the above contact details of HRG Hospitality B.V. & Co. KG or the respective
• responsible company.

11. Changes to this Privacy Policy

We reserve the right to update this privacy policy to reflect changes in legal requirements or adjustments to our processes. We will inform you in good time and in an appropriate manner of any significant changes that affect your rights or the way in which data is processed. You can find the latest version at any time on our job portal.

Last updated: December 2025