A) Data processing in connection with our website
1. Accessing our website
Whenever you visit our website, our servers temporarily save each access in a log file. Just like any other connection to a web server, the following technical data are recorded automatically and stored by us for up to 26 months before automated deletion:
- IP address of the accessing computer
- Name of the holder of the IP address range (generally your Internet access provider)
- Date and time of access
- The website from which the access was requested (referrer URL), possibly with the search term used
- Name and URL of the file accessed
- Status code (e.g. error message)
- The operating system of your computer
- The browser you use (type, version and language)
- The transfer protocol (e.g. HTTP/1.1)
- Possibly your username from a registration/authentication
The collection and processing of these data enable us to facilitate the use of our website (establishment of connection), to ensure consistent system security and stability, and to optimise our Internet offering. We also collect and process data for internal statistical purposes. This is our legitimate interest in data processing within the meaning of Article 6(1)(f) GDPR.
Furthermore, the IP address is evaluated together with other data in the event of an attack on the network infrastructure or other unauthorised or improper use of the website for the purpose of investigation and defence, and, if appropriate, is used within the framework of legal proceedings to establish identity and initiate civil or criminal proceedings against the users concerned. This is our legitimate interest in data processing within the meaning of Article 6(1)(f) GDPR.
2. Using our contact form
A contact form is available for you to establish contact with us. We require the following details for this purpose:
- First name and last name
- E-mail address
We use these data and an optionally provided telephone number exclusively in order to respond in an optimal and personalised manner to your contact request. The processing of this data is therefore necessary within the meaning of Article 6(1)(b) GDPR to take steps prior to entering into a contract, or is in our legitimate interest in accordance with Article 6(1)(f) GDPR.
3. Subscribing to our newsletter(s)
If you subscribe to one or more of our newsletters, we require your e-mail address in order to be able to send you the newsletter(s). Further data are optional. Your data will not be disclosed to third parties, and we will use them exclusively to send our newsletter(s). You will first receive an e-mail with a link for you to click on and confirm that you would like to receive the newsletter(s) (double opt-in). This enables us to prevent anyone from ordering the newsletter(s) in your name. We analyse which of the links were clicked on in order to tailor the newsletter(s) to your individual interests and to find out when you read the newsletter(s) so that we can send it to you at your preferred time. We also save your subscription to the newsletter(s), along with your consent to usage analysis and your confirmation, in order to be able to prove that you subscribed and agreed to the aforegoing. For the purpose of sending the newsletter(s) and for usage analysis, we continue to store your data until your consent is revoked or until the newsletter subscription is cancelled. If you do not confirm your newsletter subscription, we will delete your data after 24 hours. Therefore, please confirm your subscription (double opt-in) within 24 hours, or you will need to resubscribe. The Marketing department has access to your data, as does the Legal department, where appropriate.
The legal basis for data processing for the purpose of newsletter dispatch and usage analysis is Article 6(1)(1)(a) GDPR. The legal basis for data processing in order to provide proof of consent is Article 6(1)(1)(c) in conjunction with Article 5(2) GDPR, Article 7(1) GDPR and Article 24(1) GDPR as well as Article 6(1)(1)(f) GDPR. The legitimate interests in data processing on the basis of Article 6(1)(1)(f) GDPR are promotion of the sale of our products and services, the corresponding marketing measures and proof of your consent, i.e. defence against any legal claims.
4. Opening a customer account
If you wish to carry out bookings on our website, you can either book as a guest or open a customer account. When opening a customer account, we require the following mandatory personal details:
- Form of address
- First name and last name
- Postal address
- Date of birth
- Telephone number
- E-mail address
These data, as well as other optional information you provide (e.g. company name), are collected in order to provide you with direct, password-protected access to your basic data stored by us. Here you can view your past and current bookings, or manage or modify your personal data.
The legal basis of data processing for this purpose is the consent provided by you in accordance with Article 6(1)(a) GDPR.
5. Booking via the website, by correspondence or by telephone
If you make bookings via our website, by correspondence (e-mail or post) or by telephone, we will require the following mandatory personal details to process the agreement:
- Form of address
- First name and last name
- Postal address
- Date of birth
- Telephone number
- Credit card details
- E-mail address
These data, as well as other optional information you provide (e.g. expected time of arrival, vehicle number plate, preferences, comments), will exclusively be used to process the agreement, unless stated otherwise in this Data Protection Statement or unless you have not provided your express consent. The data will be processed in particular in order to record your booking in accordance with your wishes, to provide the services booked, to contact you in the event of any issues or problems, and to facilitate correct payment.
The legal basis of data processing for this purpose is the performance of an agreement in accordance with Article 6(1)(b) GDPR.
Cookies help in many ways to make your visit to our website simpler, and more pleasant and rewarding. Cookies are information files that your browser saves automatically on the hard drive of your computer whenever you visit our website.
Most Internet browsers automatically accept cookies. You can, however, configure your browser in such a way that no cookies are saved on your computer, or that a message appears each time you receive a new cookie. The following pages will help you to configure the processing of cookies by the most common browsers:
- Microsoft Windows Internet Explorer desktop version
- Microsoft Windows Internet Explorer mobile version
- Mozilla Firefox
- Google Chrome desktop version
- Google Chrome mobile version
- Apple Safari desktop version
- Apple Safari mobile version
Deactivating cookies may prevent you from being able to use all of the functions of our website.
7. Tracking tools
We use the web analysis service from Google Analytics in order to ensure the needs-based design and continuous optimisation of our website. In this connection, pseudonymised usage profiles are created and small text files are stored on your computer (cookies). The information generated by the cookie regarding your use of this website is transferred to the servers of the providers of these services, where they are stored and prepared for our use. In addition to the data listed under section 1, we may also receive the following information:
- Navigation path taken by a visitor to the website
- Amount of time spent on the website or subpage
- The subpage from which the website is left
- Country, region or city where access occurs
- End device used (type, version, colour depth, resolution, width and height of browser window)
- Whether a repeat visitor or a new visitor
The information is used to evaluate usage of the website, to prepare reports on website activity and in order to provide further services related to website usage and Internet usage for the purposes of market research and the needs-based design of this website. This information may also be transferred to third parties if this is required by law, or if the third party concerned is processing these data on our behalf.
b. Google Analytics
The provider of Google Analytics is Google Inc., a company belonging to the holding company Alphabet Inc., which is based in the USA. Before data are transferred to the provider, the IP address is truncated by activating IP anonymisation (“anonymizeIP”) on this website within the member states of the European Union or in other contracting states of the Agreement on the European Economic Area. Google will not merge the anonymised IP address transferred from your browser in connection with Google Analytics with other data. Only in exceptional cases will the full IP address be forwarded to a Google server in the USA and truncated there. In these cases, we ensure by means of contractual guarantees that Google Inc. maintains an adequate level of data protection. According to Google Inc., it would never be possible to associate the IP address with any other data relating to the user.
Further information regarding the web analysis service used can be found on the Google Analytics website. Instructions on how to prevent your data from being processed by the web analysis service can be found at https://tools.google.com/dlpage/gaoptout?hl=en-GB
c. Remarketing and behavioural targeting
With this type of service, this website and its partners can analyse how this website was used in previous user sessions in order to transmit, optimise and implement targeted advertising. This activity is carried out by tracking usage data and using cookies – information that is sent to the partners responsible for the remarketing and behavioural targeting campaigns.
B) Data processing in connection with your stay
1. Data processing in order to meet legal reporting obligations
On your arrival at our hotel, we will require the following details from you and your companion, if applicable:
- First name and last name
- Postal address and canton
- Date of birth
- Place of birth
- Official identification document and number
- Date of arrival and departure
- Room number
We record these data in order to meet the legal reporting obligations based in particular on hospitality law and police law. Insofar as we are obliged to do so in accordance with the applicable provisions, we pass on this information to the competent police authorities.
Compliance with these legal requirements constitutes our legitimate interest within the meaning of Article 6(1)(f) GDPR.
2. Recording of the services used
If you make use of any additional services during your stay (e.g. minibar, pay TV), both the service and the time of use will be recorded by us for invoicing purposes. The processing of these data is required in accordance with Article 6(1)(b) GDPR for performance of your contract with us.
C) Storage and exchange of data with third parties
1. Booking platforms
When you make bookings via a third-party platform, we receive various items of personal data from the platform operator concerned. As a rule, this information comprises data referred to in section 5 of this Data Protection Statement. Furthermore, any queries regarding your booking will be passed on to us. The data will be processed in particular in order to record your booking in accordance with your wishes, and to provide the services booked. The legal basis of data processing for this purpose is the performance of an agreement in accordance with Article 6(1)(b) GDPR.
Moreover, we are informed by the platform operators of any possible disputes arising in connection with a booking. In this context, we may also receive data regarding the booking process, with a copy of the booking confirmation serving as proof of the actual completion of a booking. We process these data with a view to enforcing our rights. This is our legitimate interest within the meaning of Article 6(1)(f) GDPR.
Please also refer to the data protection notice of the operator concerned.
2. Central storage and linking of data
We store the data indicated in sections 2 to 5 and 8 to 10 in a central electronic data processing system. The data concerned are recorded in our system and linked in order to enable us to process your bookings and provide contractual services. We use software provided by Oracle, Redwood City, USA, for this purpose. The processing of these data using this software is based on our legitimate interest in customer-friendly and efficient customer data management in accordance with Article 6(1)(f) GDPR.
3. Retention period
We store personal data only as long as necessary in order to use the tracking services mentioned above and for other processing within the scope of our legitimate interest. Contractual data are stored for longer periods, as required by statutory retention obligations. The obligation to retain data is based on provisions regarding the right to report, accounting and tax law. According to these provisions, business communications, contracts and booking documents must be stored for up to 10 years. These data are blocked once they are no longer required in order to provide the services you require. This means that the data may then only be used for accounting and tax purposes.
4. Disclosure of data to third parties
We only disclose your personal data to any third parties if you have given your explicit consent for us to do so, if such disclosure is required by law or if it is necessary in order to enforce our rights, in particular those arising from the contractual relationship. Furthermore, we also disclose your data to third parties if this is necessary within the framework of your use of the website and for performance of the contract (including outside the website), i.e. for processing your bookings.
One service provider to which personal data collected via the website are disclosed, or which has or may have access to such data, is our web host sitegeist media solutions GmbH, Poßmoorweg 2, 22301 Hamburg, Germany. The website is hosted by servers located in Germany. Data is disclosed in order to provide and maintain the functionalities of our website. This is our legitimate interest within the meaning of Article 6(1)(f) GDPR.
Finally, when credit card payments are made on the website, we forward your credit card details to your credit card issuer and to the credit card acquirer. If you decide to pay by credit card, you will be asked to enter all the necessary information. The legal basis of data disclosure is the performance of an agreement in accordance with Article 6(1)(b) GDPR. With regard to the processing of your credit card details by these third parties, please also read the general terms and conditions and the data protection statement of your credit card issuer.
Please also note the information provided in sections 7 to 8 and 10 to 11 of this Data Protection Statement with regard to the disclosure of data to third parties.
5. Transfer of personal data abroad
We are authorised to transfer your personal data to third-party companies abroad (contracted providers) for the purpose of the data processing described in this Data Protection Statement. These providers are subject to data protection requirements in the same scope as us. Should the level of data protection in a given country not be equivalent to the level applicable in Switzerland or the EU, we will ensure by contractual means that the level of protection of your personal data corresponds to the level of protection provided in Switzerland or the EU at all times.
D) Further information
1. Right of access, right to rectification, right to erasure, right to restriction of processing and right to data portability
You have the right to obtain information about your personal data stored by us. In addition, you have the right to request the rectification of any incorrect data and the right to erasure of your personal data, provided the data concerned are not subject to any legal retention obligation or our processing of the data is justified.
Furthermore, you have the right to request to be returned the data you provided (right to data portability). At your request, we will also pass on the data to a third party of your choice. You have the right to receive the data in a standard file format.
You can reach us for the aforementioned purposes via the e-mail address firstname.lastname@example.org. We may, at our discretion, request proof of identity when processing your request.
2. Data security
We take the appropriate technical and organisational security measures in order to protect the personal data stored by us from manipulation, partial or complete loss and unauthorised access by third parties. Our security measures are being improved on an ongoing basis in line with technological developments.
You should treat your access data confidentially at all times and close your browser window following any communication with us, in particular if you share your computer with others.
We also take internal data protection within the company very seriously. Our employees and the service providers contracted by us are obliged to maintain confidentiality and comply with data protection provisions.
3. Note on data transfer to the USA
For reasons of completeness, we would like to inform users with their place of residence or registered office in Switzerland that the US authorities implement surveillance measures that generally facilitate the storage of all personal data regarding all persons whose data are transferred from Switzerland to the USA. This is carried out without differentiation, restriction or exception on the basis of the respective aim and with no objective criteria that enable access by the US authorities to the data and their later use to be restricted to very specific, strictly limited purposes which would justify access to these data and the intervention related to their use. We would also like to point out that there are no means of legal redress in the USA for data subjects from Switzerland that would enable them to gain access to their data and request their rectification or erasure, and that there is no effective legal protection against the general access rights of US authorities. We refer those affected explicitly to this legal and factual basis in order to enable them to make an informed decision concerning the provision of consent to the use of their data.
Users resident in an EU member state should be aware that, from the perspective of the EU, the USA does not have a sufficient level of data protection – based, among other things, on the issues outlined in this section. Where we have stated in this Data Protection Statement that the recipients of data (e.g. Google Inc.) are based in the USA, we will ensure, by means of either contractual arrangements with these companies or by certification of these companies under the EU or the Swiss–US Privacy Shield, that your data are adequately protected by our partners.
4. Right to lodge a complaint with a data protection authority
You have the right to lodge a complaint with a data protection authority at any time.
Your Grand Resort Bad Ragaz AG
As at: February 2019