A) Data processing in connection with our website
1. Accessing our website
Whenever you visit our website, our servers temporarily save each access in a log file. Just like any other connection to a web server, the following technical data are recorded automatically and stored by us for up to 26 months before automated deletion:
- IP address of the accessing computer
- Name of the holder of the IP address range (generally your Internet access provider)
- Date and time of access
- The website from which the access was requested (referrer URL), possibly with the search term used
- Name and URL of the file accessed
- Status code (e.g. error message)
- The operating system of your computer
- The browser you use (type, version and language)
- The transfer protocol (e.g. HTTP/1.1)
- Possibly your username from a registration/authentication
The collection and processing of these data enable us to facilitate the use of our website (establishment of connection), to ensure consistent system security and stability, and to optimise our Internet offering. We also collect and process data for internal statistical purposes. This is our legitimate interest in data processing within the meaning of Article 6(1)(f) GDPR.
Furthermore, the IP address is evaluated together with other data in the event of an attack on the network infrastructure or other unauthorised or improper use of the website for the purpose of investigation and defence, and, if appropriate, is used within the framework of legal proceedings to establish identity and initiate civil or criminal proceedings against the users concerned. This is our legitimate interest in data processing within the meaning of Article 6(1)(f) GDPR.
2. Using our contact form
A contact form is available for you to establish contact with us. We require the following details for this purpose:
- First name and last name
- E-mail address
We use these data and an optionally provided telephone number exclusively in order to respond in an optimal and personalised manner to your contact request. The processing of this data is therefore necessary within the meaning of Article 6(1)(b) GDPR to take steps prior to entering into a contract, or is in our legitimate interest in accordance with Article 6(1)(f) GDPR.
3. SSL encryption
In order to ensure the security of your data during transmission, we use the most up-to-date encryption techniques (like SSL for example) based on HTTPS.
4. Subscribing to our newsletter(s)
If you subscribe to one or more of our newsletters, we require your e-mail address in order to be able to send you the newsletter(s). Further data are optional. We are entitled to commission third parties to handle the technical aspects of advertising measures and are entitled to pass on your data for this purpose. You will first receive an e-mail with a link for you to click on and confirm that you would like to receive the newsletter(s) (double opt-in). This enables us to prevent anyone from ordering the newsletter(s) in your name. We analyse which of the links were clicked on in order to tailor the newsletter(s) to your individual interests and to find out when you read the newsletter(s) so that we can send it to you at your preferred time. We also save your subscription to the newsletter(s), along with your consent to usage analysis and your confirmation, in order to be able to prove that you subscribed and agreed to the aforegoing. For the purpose of sending the newsletter(s) and for usage analysis, we continue to store your data until your consent is revoked or until the newsletter subscription is cancelled. If you do not confirm your newsletter subscription, we will delete your data after 24 hours. Therefore, please confirm your subscription (double opt-in) within 24 hours, or you will need to resubscribe.
The legal basis for data processing for the purpose of newsletter dispatch and usage analysis is Article 6(1)(1)(a) GDPR. The legal basis for data processing in order to provide proof of consent is Article 6(1)(1)(c) in conjunction with Article 5(2) GDPR, Article 7(1) GDPR and Article 24(1) GDPR as well as Article 6(1)(1)(f) GDPR. The legitimate interests in data processing on the basis of Article 6(1)(1)(f) GDPR are promotion of the sale of our products and services, the corresponding marketing measures and proof of your consent, i.e. defence against any legal claims.
5. Opening a customer account
If you wish to carry out bookings on our website, you can either book as a guest or open a customer account. When opening a customer account, we require the following mandatory personal details:
- Form of address
- First name and last name
- Postal address
- Date of birth
- Telephone number
- E-mail address
These data, as well as other optional information you provide (e.g. company name), are collected in order to provide you with direct, password-protected access to your basic data stored by us. Here you can view your past and current bookings, or manage or modify your personal data.
The legal basis of data processing for this purpose is the consent provided by you in accordance with Article 6(1)(a) GDPR.
6. Booking via the website, by correspondence or by telephone
If you make bookings via our website, by correspondence (e-mail or post) or by telephone, we will require the following mandatory personal details to process the agreement:
- Form of address
- First name and last name
- Postal address
- Date of birth
- Telephone number
- Credit card details
- E-mail address
These data, as well as other optional information you provide (e.g. expected time of arrival, vehicle number plate, preferences, comments), will exclusively be used to process the agreement, unless stated otherwise in this Data Protection Statement or unless you have not provided your express consent. The data will be processed in particular in order to record your booking in accordance with your wishes, to provide the services booked, to contact you in the event of any issues or problems, and to facilitate correct payment.
The legal basis of data processing for this purpose is the performance of an agreement in accordance with Article 6(1)(b) GDPR.
Cookies help in many ways to make your visit to our website simpler, and more pleasant and rewarding. Cookies are information files that your browser saves automatically on the hard drive of your computer whenever you visit our website.
Most Internet browsers automatically accept cookies. You can, however, configure your browser in such a way that no cookies are saved on your computer, or that a message appears each time you receive a new cookie. The following pages will help you to configure the processing of cookies by the most common browsers:
- Microsoft Windows Internet Explorer desktop version
- Microsoft Windows Internet Explorer mobile version
- Mozilla Firefox
- Google Chrome desktop version
- Google Chrome mobile version
- Apple Safari desktop version
- Apple Safari mobile version
Deactivating cookies may prevent you from being able to use all of the functions of our website.
8. Tracking tools
We use the web analysis service from Google Analytics in order to ensure the needs-based design and continuous optimisation of our website. In this connection, pseudonymised usage profiles are created and small text files are stored on your computer (cookies). The information generated by the cookie regarding your use of this website is transferred to the servers of the providers of these services, where they are stored and prepared for our use. In addition to the data listed under section 1, we may also receive the following information:
- Navigation path taken by a visitor to the website
- Amount of time spent on the website or subpage
- The subpage from which the website is left
- Country, region or city where access occurs
- End device used (type, version, colour depth, resolution, width and height of browser window)
- Whether a repeat visitor or a new visitor
The information is used to evaluate usage of the website, to prepare reports on website activity and in order to provide further services related to website usage and Internet usage for the purposes of market research and the needs-based design of this website. This information may also be transferred to third parties if this is required by law, or if the third party concerned is processing these data on our behalf.
b. Google Analytics
The information generated by the cookie about your use of this website will be transmitted to a Google server in the USA and stored there. We use Google Analytics with the extension ‘anonymizeIp()’, so that the IP addresses transmitted to Google will be abbreviated before further processing takes place, to exclude any direct reference to your personal identity (this is known as ‘IP masking’). Google will make use of this information to evaluate your visit to the website, to compile reports about activities on our site and to provide further services associated with website and internet use. Google may also pass on this information to third parties, in so far as this is required by statute or in case the data is to be processed by a third party on Google’s behalf. On no account will Google combine your IP address with other data in its possession.
You can prevent the installation of the cookie for Google Analytics by adjusting your browser software accordingly; but we beg to inform you that in this case you may not be able to make use of all the functions of our website to the full extent. You can prevent the collection and storage of data for Google Analytics at any time, with effect for the future, by using Google’s opt-out browser plug-in (https://tools.google.com/dlpage/gaoptout?hl=de). Please be aware that you will have to opt out more than once if you make a practice of deleting the cookies on your browser, or if you access our website with a different browser. Further information about Google Analytics may be found here: http://www.google.com/intl/de/analytics/learn/privacy.html
Further information regarding the web analysis service used can be found on the Google Analytics website. Instructions on how to prevent your data from being processed by the web analysis service can be found at https://tools.google.com/dlpage/gaoptout?hl=en-GB
c. Google Tag Manager
d. Google AdWords and Remarketing
This website uses Google AdWords, an analysis service from Google, and in this connection also relies on Conversion Tracking. Google AdWords places a cookie (‘conversion cookie’) on your computer’s hard disk for the purpose of conversion tracking, whenever you click on an ad displayed by Google. These cookies lose their validity after 30 days, and do not identify you personally. If you visit certain pages on our website, we and Google can detect that you have clicked on the ad and have been redirected to this page. The information obtained by means of the conversion cookies serves to generate statistics for AdWords customers who use conversion tracking. We learn from the statistics the total number of users who have clicked on the ad shown by Google, and so visited a page provided with a conversion tracking tag. We do not however have any information that would make it possible for us to identify the user personally. The data we obtain cannot be assigned to specific users.
Along with Conversion Tracking, we also make use of the following functions:
- Target groups with common interests
- User-defined target groups with common interests
- Target groups wishing to make a purchase
- Similar target groups
- Demographic and geographical characteristics.
Further information about the terms and conditions of use and data protection in connection with Google AdWords may be found by following this link: http://www.google.de/policies/technologies/ads/.
e. Google DoubleClick
We use Google’s DoubleClick function on our websites, in order to evaluate use of the sites and make it possible for Google, and other advertisers working with DoubleClick, to offer you use-related advertising. For this purpose, a cookie is installed on the hard disk of your computer. This cookie gives your browser a pseudonymous ID, and collects information about the advertising displayed by your browser and the pages you have accessed. The information collected by the cookie about your use of websites is as a rule transmitted to a Google server in the USA and stored there. On the basis of the information collected, interest-related categories will be allocated to your browser. These categories are then used in order to show you the kind of advertising you are interested in.
As well as changing your browser settings, you can also make use of a browser plug-in to disable the DoubleClick cookie permanently. With this plug-in, the deactivation settings will remain in force on your browser, even if you are deleting all cookies. The browser plug-in for permanent disabling of the cookie may be found here: https://www.google.com/settings/ads/plugin?hl=de.
f. Google Optimize
Google Optimize is a testing tool that we use to optimize our website. Google Optimize analyzes the performance of different variants of our website and helps us to improve the user experience according to the behavior of the users on our website. Google Optimize is a tool integrated with Google Analytics.
g. Monotype web fonts
h. Facebook Custom Audiences & Pixel
Our website makes use of Facebook Custom Audiences for Websites, a service provided by Facebook Inc., 1601 S. California Ave, Palo Alto, CA 94304, USA (‘Facebook’). This involves the incorporation of a remarketing pixel from Facebook on our website, as a result of which Facebook can register the users of our site and use their data for advertising purposes (Facebook Ads). The pixel transmits to Facebook general information about the browser session, along with a non-reversible and non-personal check total or hash value which is generated from your Facebook ID. Further details about the way in which Facebook handles your data, and about your rights and possibilities of adjusting settings to protect your personal data, may be found in Facebook’s notes on data protection at https://www.facebook.com/privacy/explanation. If you want to opt out of Facebook Website Custom Audiences for the future, you can do this by going to https://www.facebook.com/ads/website_custom_audiences.
Our website moreover uses Facebook’s ‘visitor action pixel’. This makes it possible to trace the actions of users if they click on a Facebook advertisement and are redirected to the website of the provider. This forms a basis for evaluating the effectiveness of Facebook advertising for statistical and market research purposes, and so helps optimise advertising strategies. The data collected are anonymous as far as we are concerned. The data will however be processed by Facebook, so that a connection may be made with your personal Facebook account. Further information may be found in Facebook’s notes on privacy at https://www.facebook.com/about/privacy. In this connection, a cookie may also be stored on your computer for advertising purposes.
i. Tracking with fusedeck
This Website uses “fusedeck”, a tracking solution provided by Capture Media AG (hereinafter referred to as “Capture Media”). Capture Media is a Swiss company having its registered office in Zurich which, on behalf of its customers, measures website usage in the context of engagements and events. Tracking is anonymous so that it is impossible to attribute any information gained to any identified or identifiable persons.
j. DialogShift chat
Our website uses the chat application of DialogShift GmbH, Rheinsberger Str. 76/77, 10115 Berlin. This application processes and stores data for the purpose
of web analysis, to operate the chat application and to answer queries.
For the operation of the chat function, the chat texts are stored and a cookie with a unique ID is set - this is used to recognise you as a customer.
A cookie is a small text file that is stored locally in the cache on your device. Using this cookie, our application recognises the device and can retrieve past
chat logs. This cookie is stored for 90 days since last use. You can disable the storage of cookies in your browser settings. However, without the use of
cookies, the chat function cannot be performed.
The possible disclosure of e.g. name, e-mail address or a telephone number is voluntary and with the consent to temporarily use and store this data for the
purpose of contacting you until the end of the contact. This personal data is deleted after 90 days.
The legal basis for data processing is Article 6 (1) lit. F DS-GVO based on our legitimate interest in effective customer support, for statistical analysis of user
behaviour and for optimisation purposes of our offers.
DialogShift offers at
for further information on the collection and use of data and on your rights and options for protecting your privacy.
B) Data processing in connection with your stay
1. Data processing in order to meet legal reporting obligations
On your arrival at our hotel, we will require the following details from you and your companion, if applicable:
- First name and last name
- Postal address and canton
- Date of birth
- Place of birth
- Official identification document and number
- Date of arrival and departure
- Room number
We record these data in order to meet the legal reporting obligations based in particular on hospitality law and police law. Insofar as we are obliged to do so in accordance with the applicable provisions, we pass on this information to the competent police authorities.
Compliance with these legal requirements constitutes our legitimate interest within the meaning of Article 6(1)(f) GDPR.
2. Recording of the services used
If you make use of any additional services during your stay (e.g. minibar, pay TV), both the service and the time of use will be recorded by us for invoicing purposes. The processing of these data is required in accordance with Article 6(1)(b) GDPR for performance of your contract with us.
C) Storage and exchange of data with third parties
1. Booking platforms
When you make bookings via a third-party platform, we receive various items of personal data from the platform operator concerned. As a rule, this information comprises data referred to in section 5 of this Data Protection Statement. Furthermore, any queries regarding your booking will be passed on to us. The data will be processed in particular in order to record your booking in accordance with your wishes, and to provide the services booked. The legal basis of data processing for this purpose is the performance of an agreement in accordance with Article 6(1)(b) GDPR.
Moreover, we are informed by the platform operators of any possible disputes arising in connection with a booking. In this context, we may also receive data regarding the booking process, with a copy of the booking confirmation serving as proof of the actual completion of a booking. We process these data with a view to enforcing our rights. This is our legitimate interest within the meaning of Article 6(1)(f) GDPR.
Please also refer to the data protection notice of the operator concerned.
2. Central storage and linking of data
We store the data indicated in sections 2 to 5 and 8 to 10 in a central electronic data processing system. The data concerned are recorded in our system and linked in order to enable us to process your bookings and provide contractual services. We use software provided by Oracle, Redwood City, USA, for this purpose. The processing of these data using this software is based on our legitimate interest in customer-friendly and efficient customer data management in accordance with Article 6(1)(f) GDPR.
3. Retention period
We store personal data only as long as necessary in order to use the tracking services mentioned above and for other processing within the scope of our legitimate interest. Contractual data are stored for longer periods, as required by statutory retention obligations. The obligation to retain data is based on provisions regarding the right to report, accounting and tax law. According to these provisions, business communications, contracts and booking documents must be stored for up to 10 years. These data are blocked once they are no longer required in order to provide the services you require. This means that the data may then only be used for accounting and tax purposes.
4. Disclosure of data to third parties
We only disclose your personal data to any third parties if you have given your explicit consent for us to do so, if such disclosure is required by law or if it is necessary in order to enforce our rights, in particular those arising from the contractual relationship. Furthermore, we also disclose your data to third parties if this is necessary within the framework of your use of the website and for performance of the contract (including outside the website), i.e. for processing your bookings.
One service provider to which personal data collected via the website are disclosed, or which has or may have access to such data, is our web host sitegeist media solutions GmbH, Poßmoorweg 2, 22301 Hamburg, Germany. The website is hosted by servers located in Germany. Data is disclosed in order to provide and maintain the functionalities of our website. This is our legitimate interest within the meaning of Article 6(1)(f) GDPR.
Finally, when credit card payments are made on the website, we forward your credit card details to your credit card issuer and to the credit card acquirer. If you decide to pay by credit card, you will be asked to enter all the necessary information. The legal basis of data disclosure is the performance of an agreement in accordance with Article 6(1)(b) GDPR. With regard to the processing of your credit card details by these third parties, please also read the general terms and conditions and the data protection statement of your credit card issuer.
5. Transfer of personal data abroad
We are authorised to transfer your personal data to third-party companies abroad (contracted providers) for the purpose of the data processing described in this Data Protection Statement. These providers are subject to data protection requirements in the same scope as us. Should the level of data protection in a given country not be equivalent to the level applicable in Switzerland or the EU, we will ensure by contractual means that the level of protection of your personal data corresponds to the level of protection provided in Switzerland or the EU at all times.
D) Further information
1. Right of access, right to rectification, right to erasure, right to restriction of processing and right to data portability
You have the right to obtain information about your personal data stored by us. In addition, you have the right to request the rectification of any incorrect data and the right to erasure of your personal data, provided the data concerned are not subject to any legal retention obligation or our processing of the data is justified.
Furthermore, you have the right to request to be returned the data you provided (right to data portability). At your request, we will also pass on the data to a third party of your choice. You have the right to receive the data in a standard file format.
You can reach us for the aforementioned purposes via the e-mail address email@example.com. We may, at our discretion, request proof of identity when processing your request.
3. Data security
We take the appropriate technical and organisational security measures in order to protect the personal data stored by us from manipulation, partial or complete loss and unauthorised access by third parties. Our security measures are being improved on an ongoing basis in line with technological developments.
You should treat your access data confidentially at all times and close your browser window following any communication with us, in particular if you share your computer with others.
We also take internal data protection within the company very seriously. Our employees and the service providers contracted by us are obliged to maintain confidentiality and comply with data protection provisions.
4. Links to other websites
This Privacy Statement only applies to our own website. Our website may however include links to external websites not bound by the content of this Declaration. If you use a link to leave our website, you would be recommended to pay careful attention to the data protection policy of any website you visit.
5. Note on data transfer to the USA
For reasons of completeness, we would like to inform users with their place of residence or registered office in Switzerland that the US authorities implement surveillance measures that generally facilitate the storage of all personal data regarding all persons whose data are transferred from Switzerland to the USA. This is carried out without differentiation, restriction or exception on the basis of the respective aim and with no objective criteria that enable access by the US authorities to the data and their later use to be restricted to very specific, strictly limited purposes which would justify access to these data and the intervention related to their use. We would also like to point out that there are no means of legal redress in the USA for data subjects from Switzerland that would enable them to gain access to their data and request their rectification or erasure, and that there is no effective legal protection against the general access rights of US authorities. We refer those affected explicitly to this legal and factual basis in order to enable them to make an informed decision concerning the provision of consent to the use of their data.
Users resident in an EU member state should be aware that, from the perspective of the EU, the USA does not have a sufficient level of data protection – based, among other things, on the issues outlined in this section. Where we have stated in this Data Protection Statement that the recipients of data (e.g. Google Inc.) are based in the USA, we will ensure, by means of either contractual arrangements with these companies or by certification of these companies under the EU or the Swiss–US Privacy Shield, that your data are adequately protected by our partners.
6. Changes to our and conditions of data protection
We hereby reserve the right to modify this Privacy Statement on occasion, in order to comply at all times with current legal requirements, or in order to incorporate changes in our services in the context of the Declaration, e.g. if new services are introduced. When you visit us again thereafter, your visit will be subject to the terms of the Privacy Statement in the new version.
7. Right to lodge a complaint with a data protection authority
You have the right to lodge a complaint with a data protection authority at any time.
8. Data protection representative
We have the following data protection representative pursuant to art. 27 GDPR in the European Economic Area (EEA) including the European Union (EU) and the Principality of Liechtenstein as an additional point of contact for supervisory authorities and data subjects for requests in connection with the General Data Protection Regulation (GDPR):
MLL EU-GDPR GmbH
Your Grand Resort Bad Ragaz AG
As at: July 2020