Data privacy

Legal notice/privacy policy

We take data protection very seriously here at Arabella Hospitality SE. This means that we always follow the legal data protection provisions when processing the personal data of all applicants.
The following information explains how we process your personal data and sets out your rights under the applicable data protection legislation.

1. Who is responsible for collecting and processing data, and who can I contact regarding these matters?

Data controller pursuant to data protection laws
Arabella Hospitality SE
Denninger Strasse 165
81925 Munich, Germany
Tel.: +49 (0)89 93001-6403
Fax: +49 (0)89 93001-6803

Contact details for the data protection officer
Arabella Hospitality SE
Data protection officer
Denninger Strasse 165
81925 Munich, Germany

2. Processing purposes and data categories
We collect and process your personal data as part of the selection process for the job vacancy you have applied to fill. The data you provide will be processed so that your application can be considered. If you are successful, this data will also be used to create and implement your employment contract. We do not process your data for any other purpose. We use the ho:re:so applicant portal for the aforementioned purposes ( You can set up an applicant account on the portal and add, update, change, or delete your details as you wish.

Personal data refers to any data and information you have provided us that identifies you personally or helps to identify you personally. We collect and process the following personal data relating to you:
First name, surname, home address, telephone number, e-mail address, date of birth, CV, education and vocational training, references and certificates, professional development information, qualifications, and supporting documents.

The aforementioned personal data is processed for the following purposes:

• initiating a contract with you, including the confirmation of your identity and communication with you, e.g. to respond to your queries, invite you to an interview, and/or inform you that your application has not been successful
• settling legal disputes and asserting, exercising, and defending legal claims

3. Legal basis for data processing
We need to process your personal data for the aforementioned purposes. The legal basis for data processing is set out in Article 6(1)(b) and (f) of the General Data Protection Regulation (GDPR).

4. Data sharing
We treat any data you provide to us as strictly confidential. Within our company, job applications are only made available to the people directly involved in filling the vacancy in question. Your documents are submitted to the Works Council if we decide that we want to offer you an employment contract. Applications that are also to be used for other positions are forwarded to the relevant departments within the company. You can object to your documents being shared or processed further at any time. In this case, it will no longer be possible for us to consider your documents or personal data for the ongoing application process.

We share your personal data with courts, tax authorities and regulatory bodies when permitted and required by law in order to comply with current legislation or assert, exercise, or defend legal claims. However, we take every suitable and reasonable precaution to guarantee the protection of your personal data.

We will not share your personal data with third parties unless it is in your own interest or we are required to do so by law or for contractual reasons. Third parties include people or bodies outside of our company that process personal data without being instructed to do so by us.

The technical platform for the ho:re:so applicant portal ( is provided and operated by an external service provider: YOURCAREERGROUP AG, Kaiserwerther Strasse 282, 40474 Düsseldorf, Germany. This external service provider does not have the permission or capability to access your data. Regardless, this service provider is obliged to comply with the applicable data protection regulations.

5. Transfer of data outside the EU
Data is only transmitted to recipients in third countries (outside the EU/EEA) if the European Commission has established that the third country in question can provide a sufficient level of data protection and/or if we have agreed upon sufficient contractual guarantees with the recipient to ensure that a sufficient level of data protection is provided.

6. Data storage
If we conclude an employment contract with you, we will store the data provided by you to process the terms of your employment with us with consideration for the legal regulations. If we decide not to offer you an employment contract, your application documents will be automatically deleted six months after you are notified that your application has not been successful, provided that deleting the documents will not conflict with our company’s legitimate interests. One such legitimate interest that may apply here is the obligation to provide proof as part of proceedings under the General Act on Equal Treatment (AGG).

7. Your rights (“rights of the data subject”)
Right of access by the data subject and right to rectification
Upon your request, we will inform you in writing of whether or not we are storing personal data concerning you and, where that is the case, which personal data we are storing, as required by law. If you have created your own account on our recruitment system, you can log in to view your data and update or delete it as you wish. If, despite our best efforts to keep your data secure and correct, we end up storing inaccurate information about you, we will rectify this without undue delay upon your request.

Right to restriction of processing
Furthermore, you have the right to a restriction to the processing of your personal data. You also have the right to obtain the data you have provided to us in a structured, commonly used, and machine-readable format. You also have the right to object to us processing your personal data.

Right to erasure
You have the right to the deletion of your personal data, provided that no legal retention periods apply.

Right to withdraw consent
If you have consented your personal data to be processed, you have the right to withdraw said consent with future effect at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent prior to its withdrawal.

Right to lodge a complaint
You also have the right to lodge a complaint about the way in which our company has processed data with the relevant supervisory authority. The data protection authority responsible for our company is:
Bayerisches Landesamt für Datenschutzaufsicht (Bavarian State Office for Data Protection Supervision)
Bayerisches Landesamt für Datenschutzaufsicht
Postfach 1349
91504 Ansbach, Germany
Tel.: +49 981 180093-0

8. Changes to the privacy policy
We will review our privacy policy at regular intervals and adapt it in accordance with current legal regulations.

Implemented technologies

9. Hosting
We are hosting the content of our website at the following provider:


The provider is the RAIDBOXES GmbH, Hafenstr. 32, 48151 Münster, Germany (hereinafter referred to as: RAIDBOXES). Whenever you visit our website, RAIDBOXES will record a variety of logfiles, including your IP addresses.

For details, please refer to the Data Privacy Policy of RAIDBOXES:

We use RAIDBOXES on the basis of Art. 6(1)(f) GDPR. We have a legitimate interest in making the depiction of our website as dependable as possible. If you have been asked for your respective consent, processing shall occur exclusively on the basis of Art. 6 (1)(a) GDPR and § 25(1) TTDSG, if the consent comprises the archiving of cookies or access to information on the user’s device (e.g., device finger printing) as defined in the TTDSG. Such consent may be revoked at any time.

Data processing
We have concluded a data processing agreement (DPA) for the use of the above-mentioned service. This is a contract mandated by data privacy laws that guarantees that they process personal data of our website visitors only based on our instructions and in compliance with the GDPR.

10. Cookies
Our websites and pages use what the industry refers to as “cookies.” Cookies are small data packages that do not cause any damage to your device. They are either stored temporarily for the duration of a session (session cookies) or they are permanently archived on your device (permanent cookies). Session cookies are automatically deleted once you terminate your visit. Permanent cookies remain archived on your device until you actively delete them, or they are automatically eradicated by your web browser.

Cookies can be issued by us (first-party cookies) or by third-party companies (so-called third-party cookies). Third-party cookies enable the integration of certain services of third-party companies into websites (e.g., cookies for handling payment services).
Cookies have a variety of functions. Many cookies are technically essential since certain website functions would not work in the absence of these cookies (e.g., the shopping cart function or the display of videos). Other cookies may be used to analyze user behavior or for promotional purposes.

Cookies, which are required for the performance of electronic communication transactions, for the provision of certain functions you want to use (e.g., for the shopping cart function) or those that are necessary for the optimization (required cookies) of the website (e.g., cookies that provide measurable insights into the web audience), shall be stored on the basis of Art. 6(1)(f) GDPR, unless a different legal basis is cited. The operator of the website has a legitimate interest in the storage of required cookies to ensure the technically error-free and optimized provision of the operator’s services. If your consent to the storage of the cookies and similar recognition technologies has been requested, the processing occurs exclusively on the basis of the consent obtained (Art. 6(1)(a) GDPR and § 25 (1) TTDSG); this consent may be revoked at any time.

You have the option to set up your browser in such a manner that you will be notified any time cookies are placed and to permit the acceptance of cookies only in specific cases. You may also exclude the acceptance of cookies in certain cases or in general or activate the delete-function for the automatic eradication of cookies when the browser closes. If cookies are deactivated, the functions of this website may be limited.
Which cookies and services are used on this website can be found in this privacy policy.

Consent with Borlabs Cookie
Our website uses the Borlabs consent technology to obtain your consent to the storage of certain cookies in your browser or for the use of certain technologies and for their data privacy protection compliant documentation. The provider of this technology is Borlabs GmbH, Rübenkamp 32, 22305 Hamburg, Germany (hereinafter referred to as Borlabs).

Whenever you visit our website, a Borlabs cookie will be stored in your browser, which archives any declarations or revocations of consent you have entered. These data are not shared with the provider of the Borlabs technology.

The recorded data shall remain archived until you ask us to eradicate them, delete the Borlabs cookie on your own or the purpose of storing the data no longer exists. This shall be without prejudice to any retention obligations mandated by law. To review the details of Borlabs’ data processing policies, please visit

We use the Borlabs cookie consent technology to obtain the declarations of consent mandated by law for the use of cookies. The legal basis for the use of such cookies is Art. 6(1)(c) GDPR.

Server log files
The provider of this website and its pages automatically collects and stores information in so-called server log files, which your browser communicates to us automatically. The information comprises:

• The type and version of browser used
• The used operating system
• Referrer URL
• The hostname of the accessing computer
• The time of the server inquiry
• The IP address

This data is not merged with other data sources.

This data is recorded on the basis of Art. 6(1)(f) GDPR. The operator of the website has a legitimate interest in the technically error free depiction and the optimization of the operator’s website. In order to achieve this, server log files must be recorded.

11. Contact form
If you submit inquiries to us via our contact form, the information provided in the contact form as well as any contact information provided therein will be stored by us in order to handle your inquiry and in the event that we have further questions. We will not share this information without your consent.

The processing of these data is based on Art. 6(1)(b) GDPR, if your request is related to the execution of a contract or if it is necessary to carry out pre-contractual measures. In all other cases the processing is based on our legitimate interest in the effective processing of the requests addressed to us (Art. 6(1)(f) GDPR) or on your agreement (Art. 6(1)(a) GDPR) if this has been requested; the consent can be revoked at any time.

The information you have entered into the contact form shall remain with us until you ask us to eradicate the data, revoke your consent to the archiving of data or if the purpose for which the information is being archived no longer exists (e.g., after we have concluded our response to your inquiry). This shall be without prejudice to any mandatory legal provisions, in particular retention periods.

12. Request by e-mail, telephone, or fax
If you contact us by e-mail, telephone or fax, your request, including all resulting personal data (name, request) will be stored and processed by us for the purpose of processing your request. We do not pass these data on without your consent.

These data are processed on the basis of Art. 6(1)(b) GDPR if your inquiry is related to the fulfillment of a contract or is required for the performance of pre-contractual measures. In all other cases, the data are processed on the basis of our legitimate interest in the effective handling of inquiries submitted to us (Art. 6(1)(f) GDPR) or on the basis of your consent (Art. 6(1)(a) GDPR) if it has been obtained; the consent can be revoked at any time.

The data sent by you to us via contact requests remain with us until you request us to delete, revoke your consent to the storage or the purpose for the data storage lapses (e.g. after completion of your request). Mandatory statutory provisions – in particular statutory retention periods – remain unaffected.

13. Analysis tools and advertising

Google Analytics
This website uses functions of the web analysis service Google Analytics. The provider of this service is Google Ireland Limited (“Google”), Gordon House, Barrow Street, Dublin 4, Ireland.

Google Analytics enables the website operator to analyze the behavior patterns of website visitors. To that end, the website operator receives a variety of user data, such as pages accessed, time spent on the page, the utilized operating system and the user’s origin. This data is assigned to the respective end device of the user. An assignment to a user-ID does not take place.

Furthermore, Google Analytics allows us to record your mouse and scroll movements and clicks, among other things. Google Analytics uses various modeling approaches to augment the collected data sets and uses machine learning technologies in data analysis.

Google Analytics uses technologies that make the recognition of the user for the purpose of analyzing the user behavior patterns (e.g., cookies or device fingerprinting). The website use information recorded by Google is, as a rule transferred to a Google server in the United States, where it is stored.

The use of these services occurs on the basis of your consent pursuant to Art. 6(1)(a) GDPR and § 25(1) TTDSG. You may revoke your consent at any time.

Data transmission to the US is based on the Standard Contractual Clauses (SCC) of the European Commission. Details can be found here:

The company is certified in accordance with the “EU-US Data Privacy Framework” (DPF). The DPF is an agreement between the European Union and the US, which is intended to ensure compliance with European data protection standards for data processing in the US. Every company certified under the DPF is obliged to comply with these data protection standards. For more information, please contact the provider under the following link:

Browser plug-in
You can prevent the recording and processing of your data by Google by downloading and installing the browser plugin available under the following link:
For more information about the handling of user data by Google Analytics, please consult Google’s Data Privacy Declaration at:

Contract data processing
We have executed a contract data processing agreement with Google and are implementing the stringent provisions of the German data protection agencies to the fullest when using Google Analytics.

14. Plug-ins and Tools

Google Maps
This website uses the mapping service Google Maps. The provider is Google Ireland Limited (“Google”), Gordon House, Barrow Street, Dublin 4, Ireland.

To enable the use of the Google Maps features, your IP address must be stored. As a rule, this information is transferred to one of Google’s servers in the United States, where it is archived. The operator of this website has no control over the data transfer. In case Google Maps has been activated, Google has the option to use Google Fonts for the purpose of the uniform depiction of fonts. When you access Google Maps, your browser will load the required web fonts into your browser cache, to correctly display text and fonts.

We use Google Maps to present our online content in an appealing manner and to make the locations disclosed on our website easy to find. This constitutes a legitimate interest as defined in Art. 6(1)(f) GDPR. If appropriate consent has been obtained, the processing is carried out exclusively on the basis of Art. 6(1)(a) GDPR and § 25 (1) TTDSG, insofar the consent includes the storage of cookies or the access to information in the user’s end device (e.g., device fingerprinting) within the meaning of the TTDSG. This consent can be revoked at any time.

Data transmission to the US is based on the Standard Contractual Clauses (SCC) of the European Commission. Details can be found here: and

For more information on the handling of user data, please review Google’s Data Privacy Declaration under:

The company is certified in accordance with the “EU-US Data Privacy Framework” (DPF). The DPF is an agreement between the European Union and the US, which is intended to ensure compliance with European data protection standards for data processing in the US. Every company certified under the DPF is obliged to comply with these data protection standards. For more information, please contact the provider under the following link:

15. Custom Services

Handling applicant data
We offer website visitors the opportunity to submit job applications to us (e.g., via e-mail, via postal services on by submitting the online job application form). Below, we will brief you on the scope, purpose and use of the personal data collected from you in conjunction with the application process. We assure you that the collection, processing, and use of your data will occur in compliance with the applicable data privacy rights and all other statutory provisions and that your data will always be treated as strictly confidential.

Scope and purpose of the collection of data
If you submit a job application to us, we will process any affiliated personal data (e.g., contact and communications data, application documents, notes taken during job interviews, etc.), if they are required to make a decision concerning the establishment or an employment relationship. The legal grounds for the aforementioned are § 26 BDSG according to German Law (Negotiation of an Employment Relationship), Art. 6(1)(b) GDPR (General Contract Negotiations) and – provided you have given us your consent – Art. 6(1)(a) GDPR. You may revoke any consent given at any time. Within our company, your personal data will only be shared with individuals who are involved in the processing of your job application.

If your job application should result in your recruitment, the data you have submitted will be archived on the grounds of § 26 BDSG and Art. 6(1)(b) GDPR for the purpose of implementing the employment relationship in our data processing system.

Data Archiving Period
If we are unable to make you a job offer or you reject a job offer or withdraw your application, we reserve the right to retain the data you have submitted on the basis of our legitimate interests (Art. 6(1)(f) GDPR) for up to 6 months from the end of the application procedure (rejection or withdrawal of the application). Afterwards the data will be deleted, and the physical application documents will be destroyed. The storage serves in particular as evidence in the event of a legal dispute. If it is evident that the data will be required after the expiry of the 6-month period (e.g., due to an impending or pending legal dispute), deletion will only take place when the purpose for further storage no longer applies.

Longer storage may also take place if you have given your agreement (Article 6(1)(a) GDPR) or if statutory data retention requirements preclude the deletion.

Scroll to Top