scroll down

Privacy Policy for kuffler.de

Last updated: March 13, 2026

I. Who We Are

The controller within the meaning of the General Data Protection Regulation (GDPR) and other applicable data protection laws is:

Roland Kuffler GmbH
Mangostin Asia Gastronomie- und Handelsgesellschaft mbH & Co. Betriebs KG
Nursia Gastronomie GmbH
Kuffler Inn Design GmbH
Haus Kuffler GmbH & Co KG
Kuffler Catering Service GmbH & Co. KG
Kuffler Weinzelt GmbH

Residenzstr. 12
80333 Munich
Germany
+49 89 290 705-0
datenschutz@kuffler.de
www.kuffler.de

Kuffler AOF Restauration GmbH & Co. KG
Hugo-Eckener-Ring 1
FAC Building Section D, 4th Floor, Room 418
60549 Frankfurt
datenschutz@kuffler.de
www.kuffler.de

Kuffler & Bucher GmbH & Co. KG
Hugo-Eckener-Ring 1
FAC Building Section D, 4th Floor, Room 418
60549 Frankfurt am Main
datenschutz@kuffler.de
www.kuffler.de

 

II. Contacting the Data Protection Officer

The controller’s Data Protection Officer is:

DataCo GmbH
Sandstraße 33
80335 Munich
Germany
+49 89 7400 45840
www.dataguard.de

This page explains how we process your personal data on our website.

How we collect and use your personal data depends on how you interact with us or which services you use. We only collect, use, or share your personal data when we have a legitimate purpose and a lawful basis for doing so.

III. What Do We Mean by Legal Basis?

Consent (Art. 6(1)(a) GDPR) – You have given us your consent to process your personal data for the specific purpose we explained to you. You have the right to withdraw consent at any time. For details on how to withdraw consent, see “Exercising Your Rights” in the sections below.

Contract (Art. 6(1)(b) GDPR) – We need to use your data to perform a contract we have with you, or to take steps at your request prior to entering into a contract.

Legal Obligation (Art. 6(1)(c) GDPR) – We must process your data to comply with the law.

Vital Interests (Art. 6(1)(d) GDPR) – Processing is necessary to protect your vital interests or those of another person; for example, to prevent serious physical harm.

Public Task (Art. 6(1)(e) GDPR) – Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority.

Legitimate Interests (Art. 6(1)(f) GDPR) – Processing is necessary to pursue a legitimate interest of ours or of a third party, provided your interests do not override those interests.

Please note: If processing is necessary to fulfill a contract or a legal obligation and you do not provide the requested data, we may not be able to provide our website services to you.

 

IV. Data Sharing and International Transfers

As explained in this Privacy Policy, we use various service providers to help us deliver our services and ensure the security of your data. When we use such providers, it may be necessary to share your personal data with them.

We have concluded agreements with all service providers with whom we share data that obligate them to protect your data.

If your personal data is transferred outside the EU, we ensure an equivalent level of protection—either because the destination country has an “adequacy decision” by the European Commission or by applying other safeguards such as the Standard Contractual Clauses (SCCs) adopted by the European Commission.

For example, when we use U.S. service providers, we rely either on SCCs or the EU–U.S. Data Privacy Framework, depending on the provider. You can request a copy of the SCCs we have concluded with our service providers by emailing the address listed in this Privacy Policy.

 

V. Your Rights

If your personal data is processed, you are a data subject under the GDPR and have the following rights vis-à-vis the controller:

1. Right of Access (Art. 15 GDPR)

You may request confirmation as to whether we process your personal data. If so, you have the right to access the data and obtain the following information:

  • purposes of processing
  • categories of personal data
  • recipients or categories of recipients
  • planned storage duration or the criteria used to determine that duration
  • the existence of rights to rectification, erasure, restriction, or objection
  • the right to lodge a complaint with a supervisory authority
  • the source of the data (if not collected from you)
  • the existence of automated decision-making, including profiling, with meaningful information about the logic, scope, and envisaged effects
  • transfers of personal data to a third country or international organization

2. Right to Rectification (Art. 16 GDPR)

If your personal data is inaccurate or incomplete, you have the right to have it corrected or completed without undue delay.

3. Right to Restriction of Processing (Art. 18 GDPR)

You may request restriction of processing if:

  • you contest the accuracy of your personal data, for a period enabling us to verify the accuracy;
  • processing is unlawful and you oppose erasure and request restriction instead;
  • we no longer need the data for processing purposes, but you need it for the establishment, exercise, or defense of legal claims; or
  • you have objected to processing pending the verification whether our legitimate grounds override yours.

4. Right to Erasure (“Right to be Forgotten”) (Art. 17 GDPR)

You may request erasure without undue delay if:

  • your data is no longer necessary for the purposes for which it was collected;
  • you withdraw consent and no other legal basis applies;
  • you object to processing and there are no overriding legitimate grounds, or you object under Art. 21(2) GDPR;
  • your personal data has been unlawfully processed;
  • erasure is required to comply with EU or Member State law applicable to us;
  • data was collected in relation to information society services as per Art. 8(1) GDPR.

Please note the above does not apply to the extent processing is necessary:

  • for exercising freedom of expression and information;
  • for compliance with a legal obligation or a task carried out in the public interest;
  • for reasons of public interest in the area of public health;
  • for archiving in the public interest, scientific or historical research, or statistical purposes;
  • for the establishment, exercise, or defense of legal claims. 

5. Right to Data Portability (Art. 20 GDPR)

You have the right to receive your personal data in a structured, commonly used, machine-readable format or have it transmitted to another controller.

6. Right to Object to Certain Processing (Art. 21 GDPR)

You may object at any time, on grounds relating to your particular situation, to processing based on Art. 6(1)(e) or (f) GDPR, including profiling.
Where your data is processed for direct marketing, you may object at any time; this also applies to profiling related to such direct marketing.

7. Right to Lodge a Complaint with a Supervisory Authority

Without prejudice to other administrative or judicial remedies, you have the right to lodge a complaint with a supervisory authority if you believe the processing of your personal data infringes the GDPR.

The authority will inform you of the status and outcome of the complaint, including the possibility of a judicial remedy under Art. 78 GDPR.

A list of competent German supervisory authorities is available at:
https://www.bfdi.bund.de/DE/Service/Anschriften/Laender/Laender-node.html

VI. Provision of the Website and Creation of Log Files

1. Description and Scope of Data Processing
Each time our website is accessed, our system automatically collects data and information from the computer system of the accessing device.

The following data is collected:

  • information about the browser type and version used
  • the user’s operating system
  • date and time of access
  • websites from which the user’s system accesses our website

This data is stored in our system’s log files.
It is not stored together with other personal data of the user.

2. Purpose of Data Processing
Temporarily storing the IP address is necessary to deliver the website to the user’s device. For this, the user’s IP address must remain stored for the duration of the session.

Log files are stored to ensure the website’s functionality. The data also helps us optimize the website and ensure the security of our IT systems. The data is not evaluated for marketing purposes in this context.

3. Legal Basis for Processing
The legal basis for temporary storage of data and log files is Art. 6(1)(f) GDPR.

4. Storage Duration
Data is deleted as soon as it is no longer necessary to achieve the purpose for which it was collected. For data collected to provide the website, this is the case when the respective session ends.
For data stored in log files, this is the case after no more than seven days. Storage beyond this period is possible. In such cases, users’ IP addresses are deleted or anonymized so that the accessing client can no longer be associated.

5. Exercising Your Rights
Collecting data to provide the website and storing data in log files is essential for operating the website. The user may object. Whether the objection is successful will be determined by a balancing of interests.

VII. Newsletter

1. Description and Scope of Data Processing
You can subscribe to a free newsletter on our website. When you register, the data entered in the form is transmitted to us. We collect the following data:

  • email address

During registration, we obtain your consent and refer to this Privacy Policy. No data is shared with third parties in connection with newsletter processing. The data is used exclusively for sending the newsletter..

2. Purpose of Data Processing
We collect the user’s email address to deliver the newsletter.
Other personal data collected during registration helps prevent abuse of the service or the email address used.

3. Legal Basis for Processing
The legal basis for processing data after the user subscribes to the newsletter is the user’s consent under Art. 6(1)(a) GDPR.

4. Storage Duration
Data is deleted as soon as it is no longer necessary for the purpose collected. The user’s email address is stored as long as the subscription is active. Other personal data collected during registration is generally deleted after seven days.

5. Exercising Your Rights
The newsletter subscription can be canceled at any time using the link provided in each newsletter. This also withdraws consent to store the personal data collected during registration.

VIII. Email Contact

1. Description and Scope of Data Processing
You can contact us via the email address provided on our website. In that case, the personal data transmitted with the email is stored.

2. Purpose of Data Processing
When you contact us by email, our legitimate interest in processing the data lies in handling your request.

3. Legal Basis for Processing
The legal basis for processing data transmitted via email is Art. 6(1)(f) GDPR. Our legitimate interest is to respond to your email inquiry appropriately.
If the email contact aims at concluding a contract, the additional legal basis is Art. 6(1)(b) GDPR.

4. Storage Duration
Data is deleted when it is no longer necessary for the purpose collected. For personal data sent by email, this is the case when the conversation with the user has ended, i.e., when it can be inferred that the matter has been conclusively resolved.
Personal data additionally collected during sending is deleted after seven days at the latest.

5. Exercising Your Rights
If the user contacts us by email, they may object to the storage of their personal data at any time. In such a case, the conversation cannot be continued. All personal data stored in the course of contact will then be deleted.

IX. Contact Form

1. Description and Scope of Data Processing
Our website includes a contact form for electronic communication. If a user uses this option, the data entered in the form is transmitted to us and stored. At the time of sending, the following data is stored:

  • email address
  • last name
  • first name
  • address
  • telephone/mobile number
  • date and time

2. Purpose of Data Processing
We process the personal data from the contact form (or via the provided email address) solely to handle your inquiry. Other personal data processed during submission helps prevent misuse of the contact form and ensure the security of our IT systems.

3. Legal Basis for Processing
The legal basis for processing data transmitted via the contact form is Art. 6(1)(f) GDPR—our legitimate interest is to respond appropriately to your inquiry. If the contact aims to conclude a contract, the additional legal basis is Art. 6(1)(b) GDPR.

4. Storage Duration
Data is deleted when no longer necessary for the purpose collected. For personal data from the contact form and emails, this is when the conversation with the user has ended (i.e., the matter is conclusively resolved).
Personal data additionally collected during submission is deleted after seven days at the latest.

5. Exercising Your Rights
If the user contacts us via the contact form, they may object to the storage of their personal data at any time—by email, phone, or post. All personal data stored in the course of contact will then be deleted.

X. Applications via Email and Application Form

1. Description and Scope of Data Processing
Our website provides an application form for electronic job applications. If an applicant uses this option, the data entered in the form is transmitted to us and stored. This data includes:

  • salutation
  • last name
  • first name
  • address
  • telephone/mobile number
  • email address
  • salary expectations
  • information on education and schooling
  • language skills
  • curriculum vitae (CV)
  • references/certificates
  • photo

Alternatively, you can send your application by email. In that case, we process your email address and the data you provide in the email.
Your data is not shared with third parties and is used solely to process your application.

2. Purpose of Data Processing
We process the personal data from the application form solely to handle your application. If you contact us by email, our legitimate interest in processing the data lies in handling your request. Other personal data processed during submission helps prevent misuse of the application form and ensure the security of our IT systems.

3. Legal Basis for Processing
The legal basis is the initiation of a contract at the request of the data subject (Art. 6(1)(b) GDPR) and Section 26(1) sentence 1 BDSG (German Federal Data Protection Act).

4. Storage Duration
After the application process ends, data is stored for up to six (6) months and deleted thereafter at the latest. If a statutory obligation applies, data will be stored in accordance with applicable provisions. Personal data additionally collected during submission is deleted after seven days at the latest.

XI. Corporate Profiles

Instagram:
Instagram, part of Meta Platforms Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland

On our corporate page, we provide information and offer Instagram users an opportunity to communicate.
If you perform actions on our Instagram presence (e.g., comments, posts, likes), you might disclose personal data publicly (e.g., your real name or profile photo).

As we generally have little to no influence over Instagram’s processing of your personal data, we cannot make binding statements about the purposes and scope of processing by Instagram.

We use our social media presence for communication and information exchange with (potential) customers. In particular, we use it to:

  • inform about our services and job openings

Publications on our corporate profile may include:

  • information about products
  • information about services
  • sweepstakes
  • advertising

Each user is free to publish personal data through their activities.
Where we process your personal data to analyze online behavior, offer sweepstakes, or run lead campaigns, this is based on your explicit consent (Art. 6(1)(a), Art. 7 GDPR).
The legal basis for processing personal data for communication with customers and prospects is Art. 6(1)(f) GDPR. Our legitimate interest is to respond to your inquiry appropriately and provide requested information.
If the contact aims to conclude a contract, the additional legal basis is Art. 6(1)(b) GDPR.
Data generated via our social media presence is not stored in our own systems.
For processing your personal data in third countries, we have appropriate safeguards in place in the form of Standard Contractual Clauses pursuant to Art. 46(2)(c) GDPR. You can request a copy of the SCCs from us.

You can object at any time to the processing of your personal data that we collect via your use of our corporate presence and exercise your data subject rights as set out in “Your Rights” in this Privacy Policy. To do so, send us a simple email to datenschutz@kuffler.de.
For Instagram’s processing and objection options, see:
Instagram: https://help.instagram.com/519522125107875

YouTube:
YouTube LLC, 901 Cherry Ave., San Bruno, CA 94066, United States

On our corporate page, we provide information and offer YouTube users an opportunity to communicate.
If you perform actions on our YouTube presence (e.g., comments, posts, likes), you might disclose personal data publicly (e.g., your real name or profile photo).
As we generally have little to no influence over YouTube’s processing of your personal data, we cannot make binding statements about the purposes and scope of processing by YouTube.
We use our social media presence for communication and information exchange with (potential) customers. In particular, we use it to inform about our services and job openings.

Publications on our corporate profile may include:

  • information about products
  • information about services
  • sweepstakes
  • advertising

Each user is free to publish personal data through their activities.
Where we process your personal data to analyze online behavior, offer sweepstakes, or run lead campaigns, this is based on your explicit consent (Art. 6(1)(a), Art. 7 GDPR).
The legal basis for processing personal data for communication with customers and prospects is Art. 6(1)(f) GDPR. Our legitimate interest is to respond to your inquiry appropriately and provide requested information.
If the contact aims to conclude a contract, the additional legal basis is Art. 6(1)(b) GDPR.
For processing your personal data in third countries, we have appropriate safeguards in the form of Standard Contractual Clauses pursuant to Art. 46(2)(c) GDPR. You can request a copy of the SCCs from us.

You can object at any time to the processing of your personal data that we collect via your use of our corporate presence and exercise your data subject rights as set out in “Your Rights.” To do so, send a simple email to datenschutz@kuffler.de.
For YouTube’s processing and objection options, see:
YouTube: https://policies.google.com/privacy?gl=DE&hl=en

Use of Corporate Profiles on Professional Networks

1. Scope of Data Processing

Our corporate presence is used for recruitment, information/PR, and active sourcing. We have no information on how the companies jointly responsible for these platforms process your personal data. For details, please see the privacy policies of:

LinkedIn: https://www.linkedin.com/legal/privacy-policy
XING: https://privacy.xing.com/de

On our pages we provide information and offer users an opportunity to communicate.
Our corporate presence is used for recruitment, information/PR, and active sourcing.

If you perform actions on our corporate presence (e.g., comments, posts, likes), you may publicly disclose personal data (e.g., your real name or profile photo).

2. Legal Basis for Processing
The legal basis for processing personal data for communication with customers and prospects is Art. 6(1)(f) GDPR. Our legitimate interest is to respond to your inquiry appropriately and provide the requested information.
If the contact aims to conclude a contract, the additional legal basis is Art. 6(1)(b) GDPR.

3. Purpose of Processing
Our corporate presence is used to inform users about our services. Each user is free to publish personal data through their activities.

4. Storage Duration
Data generated via our corporate presence is not stored in our own systems.

5. Exercising Your Rights
You can object at any time to the processing of your personal data that we collect via your use of our corporate presence and exercise your rights as a data subject as set out in “Your Rights” in this Privacy Policy. To do so, send an informal email to the address stated in this Privacy Policy. Further information:

LinkedIn: https://www.linkedin.com/legal/privacy-policy
XING: https://privacy.xing.com/en

Hosting
The website is hosted on servers of a service provider engaged by us.
Our service provider is:

1&1 IONOS SE, Elgendorfer Str. 57, 56410 Montabaur, Germany.
Further information on the processing of personal data by 1&1 can be found at: https://www.ionos.com/terms-gtc/privacy-policy/

The servers automatically collect and store information in server log files that your browser transmits when visiting the website. The stored information includes:

  • information about the browser type and version used
  • the user’s operating system
  • date and time of access
  • websites from which the user’s system accesses our website

This data is not merged with other data sources. Data collection takes place on the basis of Art. 6(1)(f) GDPR. Our legitimate interest in processing this data is to display our website without errors and to optimize its functions.

The server location is geographically in Germany.

Integrated Third-Party Services
We use various service providers to deliver the services offered on the website.
In general, we have a legitimate interest in sharing your data with the relevant providers where such services are essential to provide the core service offered on the website.
Where such services are required for additional services, extended features, or additional purposes, your personal data will only be shared with service providers if you give your consent.

Use of CleverReach

1. Scope of Processing Personal Data
We use CleverReach for sending our newsletter. CleverReach is operated by CleverReach GmbH & Co. KG, Mühlenstraße 43, 26180 Rastede, Germany (“CleverReach”). CleverReach is an email marketing provider that enables direct communication with potential customers via email newsletters.
If you register for the newsletter, the data you enter during registration is transmitted to CleverReach and stored there. Additional personal data may be stored and analyzed, especially user activity (in particular which pages were visited and which elements were clicked) and device/browser information (in particular IP address and operating system). Your data is also stored by CleverReach. Your data is not shared with third parties for newsletter purposes, and CleverReach has no right to disclose your data.

Further information on data processing by CleverReach:
https://www.cleverreach.com/de/datenschutz/

2. Purpose of Data Processing
Using the CleverReach plugin serves to acquire new subscribers for our newsletter and to create, send, and analyze newsletter campaigns.

3. Legal Basis for Processing Personal Data
The legal basis for processing users’ personal data is generally the user’s consent pursuant to Art. 6(1)(a) GDPR.

4. Storage Duration
Data is stored and analyzed until you object to processing or unsubscribe from the newsletter.

5. Exercising Your Rights
You have the right to withdraw your consent at any time. Withdrawal does not affect the lawfulness of processing based on consent before its withdrawal.
You can withdraw your consent to data storage and newsletter delivery via CleverReach at any time—by emailing info@cleverreach.com or by clicking the unsubscribe link in any newsletter.

Further information on objection and removal options vis-à-vis CleverReach:
https://www.cleverreach.com/de/datenschutz/

Use of TikTok

1. Scope of Processing Personal Data
We operate a corporate profile on the “TikTok” platform. For users in the European Economic Area, the provider is TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, D02 T380, Ireland (“TikTok”).
When you visit our TikTok profile, TikTok processes users’ personal data. This may include registration data, usage data, and information about devices used. TikTok processes this data in particular to provide the platform, personalize content and ads, and analyze platform usage.

We generally have no influence over TikTok’s data processing. TikTok only provides us with aggregated statistical evaluations regarding the use of our profile and interactions with our content (e.g., reach and engagement statistics). In connection with the provision of such statistics, joint controllership under Art. 26 GDPR may exist between us and TikTok.

We process personal data via our TikTok profile only when you actively interact with us, e.g., by commenting on our posts, sending us messages, or linking content to our profile. In such cases, we process the data you provide (e.g., your username and the content of your message or comment).

Further information on TikTok’s data processing:
https://www.tiktok.com/legal/privacy-policy-eea

2. Purpose of Data Processing
We use our TikTok corporate profile for public relations, communication with interested parties and customers, and to present our company and services.

3. Legal Basis for Processing Personal Data
The legal basis for processing personal data in connection with interactions via our TikTok profile is our legitimate interest in effective public relations and communication with users pursuant to Art. 6(1)(f) GDPR.

4. Storage Duration
We store personal data only as long as necessary to process your request or interaction. TikTok’s processing of personal data is otherwise carried out under TikTok’s own responsibility.

5. Exercising Your Rights
You may object to the processing of your personal data at any time (direkt@kuffler.de). If you do not want TikTok to associate your usage behavior with your TikTok account, log out of your account before visiting our profile and delete cookies stored on your device, or adjust your TikTok account settings accordingly.

Further information on objection and settings options vis-à-vis TikTok:
https://www.tiktok.com/legal/privacy-policy-eea

_____________________________________________________________________________

This Privacy Policy was created with the support of DataGuard.

top