Privacy and Cookie policy

1. DATA CONTROLLERS

The following entities are independent data controllers for the processing of your personal data in relation to their respective areas of activity and responsibility:

• Lübker Golf Resort ApS (VAT No. 30827708)
• Lübker Formidling ApS (VAT No. 29932212)
• Lübker Golf Klub (VAT No. 40159142)
• Lübker Residents Club (VAT No. 39591553)
• Ejerforeningen Lübker Lodge (VAT No. 32595286)
• Grundejerforeningen Lübker Golf Resort Syd (VAT No. 34005141)
• Grundejerforeningen Lübker Golf Resort Nord (VAT No. 34005168)
• Grundejerforeningen Trent Jones Terrace (VAT No. 32686656)
• Støtteforeningen Lübker Friends (VAT No. 39894777)
• LGR Ejendomme ApS (VAT No. 29422443)
• LGR Development ApS (VAT No. 33255969)
• LGR Lodge (VAT No. 30006267)

whereby Lübker Golf Resort ApS processes personal data based on approved administration agreements – alternatively, data processor agreements (DPAs) – in connection with the tasks agreed upon between the parties.

 

2. PURPOSES, LEGAL BASIS, AND TYPES OF PERSONAL DATA

We have outlined below the purposes for which the resort processes your personal data when you interact with us. 

2.1 To Respond to Inquiries

If you contact us via our websites, email, or other means, we will process your personal data to respond to your inquiry. We typically process the following ordinary personal data about you: Name, address, email, telephone number, company name, title, and other information related to your inquiry.

We use the legitimate interest assessment rule in Article 6(1)(f) of the General Data Protection Regulation (GDPR) as the legal basis for this processing, as it is necessary to respond to your inquiry and communicate with you.

We collect personal data directly from you and will only retain it for as long as necessary to fulfill the above purpose.

2.2 Holiday Homes/Apartments

If you book accommodation or a stay, we process ordinary personal data about you. We typically process the following personal data to book your accommodation or stay: name, invoice details, address, email, telephone number, company name, country, bank details, license plate number, any remarks entered by you during booking, confirmation of acceptance of terms, information about your chosen stay and included amenities, and passport or identification.

We use Article 6(1)(b) of the GDPR as the basis for processing this information, as these are personal data necessary to process to fulfill the agreement with you. Additionally, the basis for our processing is the legitimate interest assessment rule in Article 6(1)(f) of the GDPR, as we have a legitimate interest in adapting the delivered services to your needs and wishes and sending evaluation forms in connection with your stay.

In some instances, we are obligated to process information about your name, nationality, position, address, arrival date, passport information, or other travel documentation. The basis for processing this personal data is Article 6(1)(c) of the GDPR and statutory provisions regarding the obligation to maintain an authorized guest registry pursuant to Executive Order 2022-08-23 No. 1206 and Executive Order 2021-12-28 No. 2693 on passports, etc.

We collect personal data directly from you and will only retain it for as long as necessary to fulfill the above purposes. In accordance with Danish accounting legislation, we retain invoice information for the current financial year plus five years.

Passport and identification information is retained for a maximum of two years, after which it is deleted in accordance with the aforementioned executive orders.

We note that other sections of this privacy policy describe stays that include spa/wellness, golf, or other events.

If you are a property owner, we process personal data about you. We typically process the following personal data to administer your property: name, CPR number (Danish personal identification number), invoice details, bank details, address, email, telephone number, company name, license plate number, and country. We need information on all household residents, and in case of potential rental of your property, we will also need license plate information for guests for access to the area via the resort's automatic barrier system.

We process this information according to Article 6(1)(b)(f) of the GDPR. This is personal data necessary to fulfill our agreement with you and pursue our legitimate interests.

2.3 Lübker Square (Spa and Wellness)

In connection with visits or membership to Lübker Square (the resort's spa and wellness center), we collect, process, and register information about you and any accompanying guests to process your booking or inquiry. In this context, we may process information about name, address, telephone number, email address, treatment type, CPR number, preferences, and photo (for personal cards and membership).

We create a guest profile for all our guests to plan and service the wellness and spa area and to modify and maintain an overview of occupancy. In case of violations of our house rules, we may use the guest profile to handle potential expulsion.

Our processing of your personal data is based on Article 6(1)(b) of the GDPR, as the information is necessary to fulfill our agreement regarding the service in question and create your guest profile.

Additionally, the legitimate interest assessment rule in Article 6(1)(f) of the GDPR is the basis for our processing of your information. The legitimate interests justifying the processing are to efficiently organize our tasks for you, including managing appointments and bookings and registering completed treatments to establish treatment courses and internal reporting. We also want to ensure that guests behave properly in accordance with applicable house rules and that expelled guests do not gain access to Lübker Square in the future.

We retain your personal data as long as necessary to fulfill the agreement with you and its evaluation. We retain invoice information for the current financial year plus 5 years in accordance with Danish accounting legislation. Information in your user profile is only deleted when you delete it or contact us to delete the data.

To enforce our zero-tolerance policy regarding any form of euphoric or illegal performance-enhancing substances in our fitness department, in case of suspicion of such use, we will share information about you with Anti Doping Denmark and/or relevant police authorities.

Legal basis: The processing of personal data is pursuant to Article 6(1)(b)(f) of the GDPR.

2.4. Restaurant (Lübker Lodge + Square)

If you book a table or order accommodation with dining, we process standard personal data about you. When booking your table, we typically process the following personal data: email, telephone number, name, address, country, company name, number of guests, special requests, dietary requirements, and confirmation. For online bookings, we typically use the information specified in section 2.5 below.

We process this information pursuant to Article 6(1)(b) of the General Data Protection Regulation (GDPR), as these personal data are necessary to fulfill the agreement with you. Additionally, the legal basis for our processing is the legitimate interest rule in Article 6(1)(f) of the GDPR, as we have a legitimate interest in adapting our services to your needs and preferences.

We process the information you have provided in connection with your reservation and any information from your profile.

We retain your personal data for as long as necessary to fulfill our agreement with you and its evaluation. We retain invoice information for the current fiscal year plus 5 years in accordance with Danish accounting legislation. Information in your user profile is only deleted when you delete it or contact us to delete the data.

2.5. Digital Customer Card

Restaurant:
When booking a table in a restaurant, a digital customer card is created in the restaurant's booking system for planning and service purposes. This enables us to modify and maintain an overview of reservations.

The customer card contains the information specified under section 2.4 and the reservation ID.

We process this information pursuant to Article 6(1)(b) of the GDPR, as these personal data are necessary to reserve your table and plan restaurant operations accordingly. Additionally, the legal basis for processing your customer card is the legitimate interest rule in Article 6(1)(f) of the GDPR, as we have a legitimate interest in storing your preferences and history and offering access to future bookings, including modifications.

Information in your customer card is only deleted when you delete your customer card or contact us to delete information or your customer card.

Holiday Homes/Apartments and Spa and Wellness:

When booking a stay at the spa and wellness center Lübker Square or in the resort's holiday homes/apartments, a digital customer card is created in the booking system to register your booking and any additional selections to accommodate your specific wishes and needs. The customer card is necessary for managing and settling your stay. Additionally, the resort is interested in using the customer card to optimize our service by storing your service preferences.

The customer card contains the personal data specified under sections 2.2 and 2.3.

We process this information pursuant to Article 6(1)(b) of the GDPR, as these personal data are necessary to reserve your stay, manage your stay, and for resort operations. Additionally, the legal basis for processing your customer card is the legitimate interest rule in Article 6(1)(f) of the GDPR, as we have a legitimate interest in storing your preferences and history to fulfill future bookings.

Information on the customer card is deleted when there is no longer a purpose for retaining it, but no later than five years after the last booking on the customer card. You are welcome to contact us if you wish to have your customer card deleted. However, please note that after deletion, we will no longer be able to service you according to the previously provided and registered information on your customer card.

2.6. Gift Cards

When you order a gift card, we process standard personal data about you. To create your gift card, we typically process the following personal data: email, telephone number, name, amount, address, date of birth, delivery, and payment information.

We process this information pursuant to Article 6(1)(b) of the GDPR, as these personal data are necessary to fulfill the agreement with you.

We process the information you have provided in connection with your order.

We retain your personal data for as long as necessary to fulfill our agreement with you and its evaluation. We retain invoice information for the current fiscal year plus 5 years in accordance with Danish accounting legislation.

2.7. Events

If you participate in one of our events, seminars, or workshops, we use your personal data to register you and communicate with you before, during, and after the event. For seminars, webinars, or workshops, we typically only process the following information about you: name, position, email, telephone number, company, and type of event.

When you register for an event, we process this information pursuant to Article 6(1)(b) of the GDPR, as it is necessary to fulfill the agreement with you. We may also use the legitimate interest rule in Article 6(1)(f) of the GDPR as the legal basis for this processing, as it is necessary to manage registrations, send evaluation forms, etc.

We receive most personal data directly from you. Still, we may also receive your personal data from other sources, such as your employer, golf club, etc., if they handle your registration.

We retain your personal data for as long as necessary to conduct and evaluate the event. If you have paid to participate in the event, we retain invoice information for the current fiscal year plus five years in accordance with Danish accounting legislation.

2.8. Images, Video, and Audio Recordings

We frequently take pictures or record (audio and video) our activities (e.g., tournaments, open-air events, or virtual events) to share them on our websites or other social media such as LinkedIn, Facebook, and Instagram.

If you participate in an event that we record, we will always inform you about it when the event begins, and we will notify all participants during the introduction.

When we publish recordings from our virtual events, we use the legitimate interest rule in Article 6(1)(f) of the GDPR as the legal basis for processing them. We have a legitimate interest in marketing the resort and our many offers and experiences.

Please note that we share images and recordings on social media in accordance with the relevant social media terms. Our privacy policy for Instagram and Facebook is in section O of the privacy policy.

We also record other events to document activities and internal training, which we may share on our websites or social media. We process such recordings based on Article 6(1)(a) of the GDPR (consent). However, if we deem it appropriate based on a general assessment of the situation and motive, we may use the legitimate interest rule in Article 6(1)(f) of the GDPR as the legal basis for this processing. We have a legitimate interest in sharing our activities.

Generally, we handle the recordings ourselves or use an external photographer, but we may also receive images and other recordings directly from you or other participants.

We retain your personal data (images and recordings) for as long as necessary to fulfill the above purposes, but at most 5 years after the event in question.

2.9. Marketing/Newsletters

We use your personal data for marketing purposes, including direct marketing, such as newsletters.

Newsletters may also contain marketing material from our partners. In such cases, we may process information about your name, age, email, telephone number, consent declaration, and nationality to send you relevant news.

We process your personal data for direct marketing purposes based on our legitimate interest in selling our and our partners' products and services pursuant to Article 6(1)(f) of the GDPR.

However, we only send marketing materials via email based on your active prior consent in accordance with Section 10(1) of the Danish Marketing Act. You will not be contacted directly by our partners, nor will we share your information with them.

Your personal data is deleted when you withdraw your marketing consent or if we do not use it within 1 year. The consent declaration itself is retained for 2 years after the withdrawal or expiration of the consent.

When marketing consent is withdrawn, we will no longer process your personal data to send newsletters or for other marketing purposes.

2.10. Use of Our Websites and Other Social Platforms

When you access our websites, we use cookies to collect personal data about your activities. We also use various plug-ins that make it easier for you to share content from our website on social media, such as Facebook, Instagram, LinkedIn, etc. The cookie section, which can be accessed here, explains more about this and provides an overview of these third-party providers.

We process your personal data pursuant to Article 6(1)(f) of the GDPR in connection with our use of necessary cookies. We have a legitimate interest in offering you a functioning website.

Suppose you consent to the use and placement of additional categories of cookies. In that case, we process your personal data in connection with this based on Article 6(1)(a) of the GDPR regarding consent.

You can withdraw or modify your consent by rejecting cookies in the cookie overview or by blocking cookies in your browser settings.

2.11. Surveillance

We have installed CCTV surveillance of specific, targeted areas of our indoor and outdoor premises. The video-monitored areas are clearly marked with signage. In this context, we process personal data in the form of CCTV recordings of movement within the resort premises.

Video surveillance is used to control access to the relevant premises, prevent crime, and ensure the safety of our employees and visitors. The recordings may also be used to investigate incidents and document them. However, they will only be viewed and reviewed in cases of suspected criminal acts or during internal/external audits.

We use the TV Surveillance Act and the balancing of interests rule in Article 6(1)(f) of the General Data Protection Regulation as the legal basis for our processing of your personal data, as it is necessary to record this personal data in order to ensure an adequate level of security for our employees and guests regarding unauthorized access, suspicious behavior, protection of assets, and to prevent and prosecute crime. We use Section 8(3) of the Data Protection Act as the legal basis if surveillance reveals criminal acts.

CCTV recordings made for crime prevention may be disclosed to the police in cases of criminal acts or if disclosure otherwise follows from applicable law. We may also disclose the recordings to attorneys and other advisors as well as public authorities where required by applicable law. If it is necessary to disclose the recordings for purposes other than those mentioned above, we will request your consent for such disclosure if you appear in the recordings. CCTV recordings made for crime prevention will be deleted or anonymized 30 days after recording unless we must retain the recordings for the purpose of handling a specific case, e.g., in connection with investigating a violation of the law. In such cases, the information will be retained as long as necessary for the processing of the specific incident.

CCTV recordings made for other purposes will be deleted when the retention of the information no longer serves a purpose.

2.12. Lübker Golf Club

Personal data that you voluntarily provide and which is otherwise processed by Lübker Golf Club in connection with the administration of your membership is subject to this privacy policy.

2.13. Golf

We use various modules in the GolfBox/"Mit Golf" application to book tee times, green fees, training, etc. In connection with these bookings, we may process information about you, such as your name, bank details, address, date of birth, telephone number, email address, current golf handicap, civil registration number, Danish Golf Union membership number, and previous/current golf club. We collect this information from GolfBox.

If you are not a member of a golf club, you will be registered as a guest. In this context, we will register your name, which golf club you are a member of and your handicap.

We use Article 6(1)(b) of the General Data Protection Regulation as the legal basis for processing this information, as these are personal data necessary to process to fulfill the agreement with you.

Users of GolfBox (members, clubs/organizations, teaching Pros, tour operators, and DGU) can search for other members via GolfBox, and the aforementioned users can add members to tee times, tournaments, lessons, and courses. Personal data (membership number, name, gender, handicap, and age) is visible to all GolfBox users, as well as information about booked tee times in your club and other clubs. If you register for a tournament, the above personal data is also visible to other GolfBox users. Additionally, the club/organization managing the tournament can see your contact information for purposes such as cancellations or changes to the event. If you book training, your personal data is visible to the Pro/trainer/club/organization providing the training but not to other members.

If you do not wish your personal data to be visible to others when using GolfBox, you can choose to be anonymous in your user settings when logged into GolfBox.

If you have questions about the use of GolfBox, you are always welcome to contact us.

2.14. Facebook Page and Instagram

The guidelines in this section apply to the resort's processing of personal data that you leave and/or submit when you visit the resort's Facebook page ("Facebook Page"), Instagram page, or when you participate in competitions via Facebook and Instagram held by the resort.

These guidelines supplement Facebook Ireland Ltd.'s ("Facebook") general privacy policy.

In the following, "Facebook" and "Facebook Page" are also used as designations for the Instagram page.

Who is the data controller for my personal data? The resort and Facebook are joint data controllers for the processing of your personal data.

Facebook's company information is:

Facebook Ireland Ltd.
4 GRAND CANAL SQUARE, GRAND CANAL HARBOUR
D2 Dublin IRELAND
Reg. no.: 462932

The resort follows the Danish Data Protection Agency's guidelines regarding joint data controllership and attempts, using the available tools, to ensure that you receive information about the processing of your personal data when you visit the Facebook Page.

In this connection, Facebook has published an addendum regarding joint controllership for "Facebook Insights," which you can find at https://www.facebook.com/legal/terms/page_controller_addendum.

What personal data is collected on Facebook? Depending on your behavior on the Facebook Page, the resort and Facebook may receive the following personal data about you:

• Whether you "Like" or have used other reactions on the Facebook Page
• Comments you leave on Facebook
• That you have visited the Facebook Page
• Your behavior and interests on the Facebook Page
• Personal data collected in connection with competitions (e.g., name and interests)

Facebook also uses Facebook Insights on the Facebook Page to collect statistical information about visitors' behavior on the page, including age, gender, relationship status, occupation, lifestyle, areas of interest, information about purchases, and geographical data. For this purpose, Facebook places cookies on your device when you visit the Facebook Page. Each cookie contains a unique identification code that remains active for two years unless deleted before the expiration of this period. Facebook receives, stores, and processes your personal data through these cookies.

To read more about Facebook's use of cookies on the Facebook Page, including deletion, please read Facebook's general cookie policy.

What is the purpose of processing your personal data?

The resort also uses your personal data to improve products, enhance the Facebook Page, conduct research, prepare statistics, and develop and protect our services and products, including based on your feedback.

In this connection, we use aggregated information that Facebook makes available through Facebook's cookies via "Facebook Insights," e.g., information about age, gender, relationship status, occupation, lifestyle, areas of interest and information about purchases and geographical information.

Facebook processes your personal data, among other things, to enable Facebook to improve its advertising system and to provide us with statistics, which Facebook prepares based on your visit to the Facebook Page, with the aim of advertising and adjusting activities on the page. Through cookies, Facebook and the resort thus become aware of whether you "Like" the Facebook Page and use the page's applications, so Facebook and the resort can customize the content on the Facebook Page and develop features that you might be interested in.

What is the legal basis for processing?

The resort processes your personal data due to our legitimate interest in being able to improve products and services so that you, an acquaintance, or a family member can participate in a competition with the aim of winning prizes (Article 6(1)(f) of the General Data Protection Regulation).

Facebook processes your personal data due to Facebook's legitimate interests, including Facebook's interest in providing an innovative, individually customized, secure and profitable service (Article 6(1)(f) of the General Data Protection Regulation). Facebook further processes your personal data in accordance with your consent, which you can withdraw at any time via Facebook settings (Article 6(1)(a) of the General Data Protection Regulation).

For more information about Facebook's legal basis for processing personal data, please refer to Facebook's general privacy policy under the section "What is our legal basis for data processing?"

Who receives my personal data?

The Resort does not disclose your personal data to other companies but uses data processors in the form of, among others, media agencies and IT providers and may in some cases transfer your personal data to third countries. If your personal data is transferred to countries outside the EU/EEA, such transfer will take place on the following legal basis: Binding corporate rules, the country is approved as a so-called "safe" third country or if the country is not approved as a "safe" third country, we transfer data based on standard contractual clauses adopted by the European Commission.

Facebook may share personal data with the following categories of recipients, among others:

• Internally, among Facebook companies
• Externally with Facebook's partners who use analytics services
• Advertisers
• Other persons using the Facebook Page
• Measurement partners
• Researchers and academics

For more information about who Facebook shares your personal data with, see the section "How is this information shared?" in Facebook's general privacy policy.

Your personal data may be transferred by Facebook to Facebook in the USA and other third countries. Facebook uses standard contractual clauses approved by the European Commission and adequacy decisions from the European Commission as a basis for transfer to third countries. You can find more information under the section "How do we process and transfer data as part of our global services?" in Facebook's general privacy policy.

 

3. RECIPIENTS

In some instances, the Resort transfers your personal data to service providers (data processors) who process personal data on behalf of the Resort and in accordance with our instructions. Your personal data may be transferred to: (i) suppliers with whom we collaborate to provide services to you in connection with your visit, membership and/or use of our golf club, Lübker Golf Club, and other services that we offer, and (ii) other third parties in connection with the administration of your membership and/or use of our golf club, including GolfBox A/S (owner of the GolfBox application) or AK Techhotel, which is the provider of our booking and administration system (Picasso).

We also employ data processors in the IT sector, consultants, marketing, and other suppliers with whom the Resort collaborates. Additionally, in some instances, the Resort will transfer or share your personal data with different legal entities within the Resort (see section 1).

Disclosure of your personal data to third parties may occur if you have given consent thereto or if it is necessary for the performance of an agreement to which you are a party. Furthermore, disclosure may occur if it is required to pursue our legitimate interests unless your interests take precedence. Under certain circumstances and in accordance with legislation, it may be necessary to disclose personal data to, for example, public authorities or the police. For instance, information may be disclosed to the police in cases of suspected credit card fraud.

Trackman
When using Trackman, personal data is processed in accordance with the applicable terms and conditions, including processing in third countries. You can read more about Trackman's processing of personal data at https://mytrackman.com/system/privacy-policy.  We only upload training videos to Trackman if you have given consent.

Danish Golf Union
Upon membership in Lübker Golf Club, your membership information is shared with the Danish Golf Union, which will assign you a DGU card and DGU number. You can read more about the Danish Golf Union's processing of personal data at https://www.danskgolfunion.dk/artikel/privatlivspolitik.

Social Media
Due to the nature of social media, your posts and other user content may be accessible to others on the Resort's websites and social media worldwide.

Additional recipients of personal data may include payment solution providers, banks, public authorities, and advisors.

 

4. PROCESSING OF PERSONAL DATA OUTSIDE THE EU/EEA

The Resort transfers, stores, and processes your information (including personal data and content) both within and outside Denmark. Wherever in the world your personal data is stored or processed by us or by a supplier on our behalf, we will take reasonable precautions to protect it.

Generally, we store data within the EU/EEA. However, your personal data may be transferred to or accessed from countries outside the EU/EEA.

If your personal data is transferred to countries outside the EU/EEA, such transfer will occur on the following legal basis:

1. Binding Corporate Rules
2. The country is approved by the EU Commission as having an adequate level of protection, or the recipient is certified under, for example, the EU-US Data Privacy Framework
3. If the EU Commission does not approve the country as having an adequate level of security, we will ensure transfer in the following way:
4. By using the EU Commission's Standard Contractual Clauses
5. By obtaining your consent to the transfer

 

5. SOURCES

The Resort primarily processes information that we have received directly from you or the devices you use. In some cases, however, we also process information about you that we have received from other sources, such as DGU, your employer, or the organizer of an event you participate in.

 

6. DELETION

We retain your personal data for as long as necessary to fulfill the above purposes.

We may process and store the information for a longer period if it is anonymized or if we are legally obligated to retain it.

 

7. WITHDRAWAL OF CONSENT

You may at any time withdraw any consent you may have given us. Consent can be withdrawn by contacting us using the contact information provided above in section [reference missing].

If you withdraw your consent, it will only take effect from this point forward. Therefore, it only affects the lawfulness of our processing of the information up until the time you withdraw your consent.

If you withdraw your consent, your photos will not be used in new materials, and pictures of you on websites or similar will be immediately deleted or anonymized. Photos in printed materials will be used while supplies last, after which they will be removed before reprinting. Additionally, we will make reasonable efforts to delete already published recordings that are available on media controlled by the Resort.

 

8. YOUR RIGHTS

Pursuant to the General Data Protection Regulation and the Data Protection Act, you have several rights:

• You have the right to access, rectify, or erase the personal data we process about you.
• You have the right to object to the processing of your personal data and to obtain restrictions on the processing of your personal data.
• You have the unconditional right to object to the processing of your personal data for direct marketing purposes.
• You have the right to receive your personal data in a structured, commonly used, and machine-readable format (data portability).

Please note that these rights may be subject to conditions or limitations. Therefore, you may not always be entitled to data portability – this depends on the specific circumstances of the processing activity. You can exercise your rights by accessing your account settings or by contacting us at gdpr@lubker.com. If you contact us via email, identity verification will be required for security purposes.

 

9. AMENDMENTS TO THIS PRIVACY POLICY

The Resort periodically amends this privacy policy to accommodate new technologies, industry practices, regulatory compliance requirements, or other reasons. The updated and applicable policy is on this page.

 

10. LINKS TO OTHER WEBSITES

Our websites and other social platforms may contain links to other websites or integrated sites. We are not responsible for the content of other companies' websites or such companies' procedures regarding the collection of personal data. When visiting other websites, you should read those sites' privacy policies and other relevant policies.

 

11. INQUIRIES AND COMPLAINTS

If you have any questions regarding this privacy policy or if you wish to file a complaint about our processing of your personal data, please get in touch with us via email (gdpr@lubker.com) or contact the Resort's GDPR Officer (Kenneth Mikkelsen) at tel. +45 3840 8000.

Should you wish to complain about the Resort's processing of your personal data, you may also contact:

The Danish Data Protection Agency
Carl Jacobsens Vej 35
DK-2500 Valby
T: +45 3319 3200
E: dt@datatilsynet.dk