Badrutt’s Palace Hotel AG, Via Serlas 27, 7500 St. Moritz, Switzerland (entered into the Commercial Register of the Canton of Graubünden under the number CHE-105.980.962) runs the Hotel “Badrutt’s Palace Hotel”, is also the operator of the website www.badruttspalace.com and is thereby responsible for the collection, processing and use of your personal data and the compliance with the applicable data protection law.
Your trust is important to us, which is why we take the issue of data privacy seriously and ensure a corresponding level of security. Of course, we comply with the legal provisions of the Federal Law on Data Protection (DSG), the Ordinance to the Federal Act on Data Protection (VDSG), the Telecommunications Act (FMG) and any other applicable data privacy provisions in Swiss or EU law, or the EU General Data Protection Regulation (GDPR), where applicable.
So that you are aware which personal data we collect from you and what purposes we use it for, please acknowledge the following information.
The address of our data privacy law representative in the EU is: MLL EU-GDPR GmbH, Ganghoferstrasse 33, 80339 Munich, Germany (bph@mll-gdpr.com).
A. Data processing associated with our website
1. Accessing our website
When visiting our website, our servers temporarily save each access in a log file. The following technical data is thereby fundamentally collected for every connection with a web server without requiring any action by you, and is maintained until the business rela-tionship is terminated:
– The IP address of the requesting computer,
– The name of the owner of the IP address (normally your internet access provider),
– The date and time of the access,
– The website from which the access was made (referrer URL), where ap-plicable with the search word used,
– The name and the URL of the accessed file,
– The status code (e.g., error report),
– The operating system of your computer,
– The browser you use (type, version and language),
– The transfer log used (e.g., HTTP/1.1) and
– Where applicable your user’s name from registration/authentication.
– The host header name
– The number of bytes sent by the server
– The number of bytes received and processed by the server
– The duration of access
– The requested verb or word, such as the GET method (GETlocation)
– The goal of the requested verb or word, e.g., Default.htm
The collection and processing of this data is done with the purpose of allowing the use of the website (establishing a connection), ensuring permanent system security and stability and optimising the website, as well as for internal statistical purposes. This represents our justified interest in data processing in accordance with Art. 6, paragraph 1 f, GDPR.
The IP address is also evaluated together with other data, in the event of attacks on the network infrastructure or other illegal or abusive use of the website to resolve the issue and defend against it, and, if necessary, within the scope of criminal proceedings, for identification purposes and for civil and criminal proceedings against the affected user. This represents our justified interest in data processing in accordance with Art. 6, paragraph 1 f, GDPR.
2. The use of our contact form
You have the option to use a contact form to get in touch with us. For this purpose, we require you to provide your e-mail address. Your e-mail address and other data you have provided voluntarily (e.g., your first name and surnames, telephone number etc.) are re-quired by us so that we can provide the best possible, personalised response to your en-quiry. This processing of this data is therefore required in accordance with Art. 6, para-graph 1 b, GDPR to execute pre-contractual measures, or is in our justified interest as per Art. 6, paragraph 1 f, GDPR.
3. The use of the e-mail symbol for contact purposes
You have the option to get in contact by e-mail. To be able to get in touch with us, you have to click on the e-mail symbol. By clicking on this symbol, a connection is automati-cally created to your e-mail program and a window is opened to send an e-mail. You can send us questions by e-mail about the functions or the content of the website. You are solely responsible for the messages and the content you send to us using the e-mail func-tion. We recommend not sending any sensitive information via the e-mail function. To be able to use the e-mail function, you simply have to enter your e-mail address. Your e-mail address and other data you have provided voluntarily (e.g., your first name and surnames, telephone number etc.) are required by us so that we can provide the best possible, personalised response to your enquiry. This processing of this data is therefore required in accordance with Art. 6, paragraph 1 b, GDPR to execute pre-contractual measures, or is in our justified interest as per Art. 6, paragraph 1 f, GDPR.
4. The use of our enquiry form
You have the option to use an enquiry form to get in touch with us. You can use the en-quiry form to ask about our premises, particularly if you are planning a conference or a party and would like to use our services and rooms for this. For this purpose, we require you to provide your e-mail address. Your e-mail address and other data you have provid-ed voluntarily (e.g., your first name and surnames, telephone number etc.) are required by us so that we can provide the best possible, personalised response to your enquiry. This processing of this data is therefore required in accordance with Art. 6, paragraph 1 b, GDPR to execute pre-contractual measures, or is in our justified interest as per Art. 6, paragraph 1 f, GDPR.
5. Subscribing for our newsletter
On our website you have the option of subscribing for our newsletter. Registration is re-quired for this. During the registration process it is mandatory to enter your e-mail ad-dress. Your e-mail address and other data you have provided voluntarily (e.g., your first name and surname) are only processed by us to personalise the information and offers we send to you, and to better align them to your interests.
By registering, you give us your consent for the processing of the data provided, for the regular sending of the newsletter to the address you have provided, for the statistical evaluation of user behaviour and to optimise the newsletter. This consent forms, in ac-cordance with Art. 6, paragraph 1 a, EU-GDPR, our legal basis for the processing of your e-mail address. We are permitted to commission third parties with the technical pro-cessing of advertising measures and are permitted to forward your data for this purpose (see below under “Transfer of data to third parties”).
At the end of each newsletter there is a link which you can use to unsubscribe at any time. During the unsubscribe process you can notify us voluntarily of the reason why you are unsubscribing. After unsubscribing, your personal data is deleted. Your data is only for-warded anonymously in order to optimise our newsletter.
6. Opening a customer account
To make booking on our website, you can place orders as a guest or open a customer account. When registering a new customer account, we collect the following mandatory data:
– First name and surname, in the event of several guests the first name and surname of the accompanying guests
– Address
– Telephone number
– E-mail address
– Password
– Credit card
The collection of this data, as well as other data provided voluntarily (e.g., a fax number) is done with the purpose of providing you with direct, password-protected access to your basic data held by us. There you can view your previous and current orders or manage and change your personal data.
The legal basis for the processing of your data for this purpose is therefore the consent you have issued, as per Art. 6, paragraph 1a GDPR.
7. Booking of accommodation on the website, by correspondence or by telephone
You have the option of booking accommodation on our website, by correspondence (e-mail or letter) or by telephone. We need the following mandatory data to process the booking:
– The first name and surname of the person making the booking
– The first name and surname of the guests
– Address
– Telephone number
– E-mail address
This data as well as other voluntary information provided by you (e.g., preferences, comments) will only be used by us to process the contract, provided nothing else is specified in this privacy policy, or unless you have consented to it separately. We process the data expressly to implement your booking according to your wishes, to provide the booked services, to contact you in the event of uncertainty or problems and to ensure the correct payment.
The legal basis for the processing of your data for this purpose lies in the fulfilment of a contract as per Art. 6, paragraph 1 b, GDPR.
8. Reserving a table
On our website you have the opportunity to reserve a table in one of the restaurants men-tioned on our website. We require the following details for the reservation:
– Salutation
– First name and surname of the person making the reservation
– Number of guests
– E-mail address
– Telephone number
– The choice of restaurant
– Date and time of the reservation
We only collect and process the data to handle the reservation, particularly to compile your reservation enquiry according to your request, to make the reservation and to contact you in the event of uncertainty or problems. For this purpose, your data is also forwarded to the relevant service providers.
Please be aware that we use a technical application of TAC Informationstechnologie GmbH to process the reservation. Your data is therefore also forwarded to TAC Infor-mationstechnologie GmbH, Schildbach 111 in 8230 Hartberg, Austria. Further infor-mation about the forwarding and processing of data by third parties can be found, on the one hand, in point 20 of this privacy policy, and on the other hand on the website of TAC Informationstechnologie GmbH. The legal basis for the processing of your data for this purpose lies in the fulfilment of a contract as per Art. 6, paragraph 1 b, GDPR.
9. Reserving a table at King’s Social House
On our website you have the opportunity to reserve a table at King’s Social House. We require the following details for the reservation (* mandatory):
– First name and surname of the person making the reservation*
– Number of guests*
– E-mail address*
– Telephone number*
– Date and time of the reservation*
– Comment
– I accept Terms & Conditions*
– Sign up for our newsletter
We only collect and process the data to handle the reservation, particularly to compile your reservation enquiry according to your request, to make the reservation and to contact you in the event of uncertainty or problems.
To process your reservation, we work with a tool of the company aleno AG, Aeger-tenstrasse 6, 8003 Zürich, Switzerland. The reservation data is stored on servers at the following location: Aegertenstrasse 6, 8003 Zürich, Switzerland. Further information about the transfer and processing of data by third parties can be found, on the one hand, in 24. of this privacy policy, and on the other hand on the website of aleno AG in its privacy policy.
The legal basis for the processing of your data for this purpose lies in the fulfilment of a contract as per Art. 6, paragraph 1 b, GDPR.
10. Purchasing products, services and vouchers on our web shop
On our website you have the option to purchase a wide range of products and services (in particular diverse vouchers, objects with the Badrutt logo printed on them, massages, spa packages etc.). We require the following details for these purchases:
– Salutation
– First name and surname
– Address
– E-mail address
– Telephone number
– Purchased object
– Method of payment and credit card information
We only collect and process this data to handle your purchases, especially to provide you with the purchased products and services, and to contact you in the event of uncertainty or problems. For this purpose, your data is also forwarded to the relevant service provid-ers.
Please be aware that we use a technical application of TAC Informationstechnologie GmbH to process the purchase. Your data is therefore also forwarded to TAC Infor-mationstechnologie GmbH, Schildbach 111 in 8230 Hartberg, Austria. Further infor-mation about the forwarding and processing of data by third parties can be found, on the one hand, in point 20 of this privacy policy, and on the other hand, on the website of TAC Informationstechnologie GmbH.
The legal basis for the processing of your data for this purpose lies in the fulfilment of a contract as per Art. 6, paragraph 1 b, GDPR.
11. Applying for a job vacancy
On our website you have the option to apply for a job vacancy, or spontaneously apply to us. You have to submit a full application for this purpose. It is mandatory to enter the following data in the online form:
– Salutation
– First name and surname
– Address
– Nationality
– Marital status
– Date of birth
– E-mail address
– Telephone number
– Work experience in luxury hotels and Switzerland
– Professional field of interest
– Cover letter, CV, photo
– Employer’s reference
This data is used for the application process. If you do not explicitly consent to the further processing, the data is deleted after the respective application process.
The legal basis for the processing of data therefore lies in the execution of pre-contractual measures and in our justified interest as per Art. 6, paragraph 1 b and f, GDPR. For other data processing, the legal basis lies in the consent you have issued as per Art. 6, para-graph 1a, GDPR.
12. Submitting a review
On our website you have the option to submit a review. To do so you have to click on the intended link, which connects you to the website of TripAdvisor Inc., 400 1st Avenue, Needham, 02494 MA, USA. It is possible that your IP address may be forwarded to the server of TripAdvisor. The data protection provisions of TripAdvisor apply in this case.
The legal basis for the processing of data therefore lies in our justified interest as per Art. 6, paragraph 1 f, GDPR.
13. Cookies
Along with many other things, cookies help us to make your visit to our website easier, more pleasant and effective. Cookies are information files which your web browser au-tomatically saves on the hard drive of your computer, when you visit our website.
We use cookies, for example, to temporarily save the selected services and details when completing a form on the website, so that you do not have to repeat the input when visit-ing another sub-page. Cookies are also used, where applicable, to be able to identify you as a registered user after you have registered on the website, without having to log in again when visiting another sub-page.
Most internet browsers accept cookies automatically. You can, however, configure your browser so that no cookies are saved on your computer, or a warning is always shown when you receive a new cookie. On the following pages you can find explanations of how to configure the handling of cookies with the most popular browsers:
– Microsoft Edge
– Microsoft Edge Mobile
– Mozilla Firefox
– Google Chrome for Desktop
– Google Chrome for Mobile
– Apple Safari for Desktop
– Apple Safari for Mobile
The deactivation of cookies may, however, mean that you are not able to use all of the functions of our website.
14. Tracking tools and re-targeting
a. Google Analytics and Google Tag Manager
To allow us to design our website to meet your needs and to continually optimise our website, we use the web analysis service of Google Analytics. Consequently, pseudony-mised usage profiles are created and cookies are used (see above). The information gen-erated by the cookie about your use of this website is transferred to a server of the provid-er of these services, and saved and processed there. In addition to the data listed under point 1, we also may receive the following information:
– The navigation path which the website visitor took,
– The time spent on the website or sub-page,
– The sub-page on which the website was exited,
– The country, region or city in which access was made,
– The end user device (type, version, colour depth, resolution, width and height of the browser window) and
– Whether it was a repeat or new visitor.
The information is used to evaluate the use of the website, to compile reports about web-site activities and to provide other services associated with the use of the website and the internet, for the purpose of market research and designing this website to meet your needs. This information is also transferred to third parties, if necessary, if this is specified by law or if third parties processing this data on our behalf.
We also use Google Tag Manager to manage usage-based advertising services. The Tool Tag Manager itself if a cookie-free domain and does not compile any personal data. In-stead, the tool removes other tags which may compile your data. If you perform deactiva-tion at domain or cookie level, this applies to all tracking tags which are implemented with Google Tag Manager.
Google Analytics is a service provided by Google Inc., a company of the holding compa-ny Alphabet Inc, with its registered office in the USA. Before being transferred to the service provider, the IP address is abbreviated by activating the IP anonymising function (“anonymizeIP”) on this website within a Member State of the European Union or in another EEC state. The anonymised IP address transferred by your browser due to Google Analytics is not compiled with other data from Google. Only in exceptions is the full IP address transferred to a server of Google in the USA and abbreviated there. In these cas-es, we ensure, by undertaking contractual guarantees, that Google Inc. maintains a suffi-cient level of data protection. According to Google Inc. the IP address is not linked to other data associated with the user.
To manage the usage-based advertising service, we use Google Tag Manager, which is also a service of Google. The Tool Tag Manager itself if a cookie-free domain and does not compile any personal data. Instead, the tool removes other tags which may compile your data. If you perform deactivation at domain or cookie level, this applies to all track-ing tags which are implemented with Google Tag Manager.
Further information about the web analysis service can be found on the website of Google Analytics.
b. Mouseflow
We use Mouseflow, a web analysis tool which is used by our websites to analyse the user behaviour on our website and to make corresponding optimisations. Mouseflow obtains and processes the following data:
– Clicks, mouse movements, hovering, scrolling
– Browser and device (desktop/tablet/mobile)
– Language
– Operating system and screen resolution
– Duration of visit
– Navigation (URLs) and page content (HTML), referrer URL
– IP address and location (city, country)
– Type of visitor (first visitor/repeat visitor)
– Individual tags or variables
– The information is used to evaluate the use of the website, to compile re-ports and heatmaps about the website activities and to provide other ser-vices associated with the use of the website and the internet for the pur-pose of market research and to design our website to meet your needs.
The provider of Mouseflow is a company of Mouseflow ApS, with its registered office at Flaesketorvet 68, 1711 Copenhagen, Denmark. Further information about the web analy-sis services used can be found on the Mouseflow website.
Further information about the forwarding and processing of data by third parties can be found, in point 20 of this privacy policy, and on the website of Mouseflow ApS.
c. Meta Custom Audiences
We use a communication tool called Meta Custom Audiences. In general, a non-reversible and non-personal related test value (fingerprint) is generated from your usage data by Custom Audience, which can be sent to Meta for analysis and marketing purposes (using so-called Meta cookies).
Custom Audiences is a service of Meta Platforms, Inc., located at 471 Emerson St, Palo Alto, CA 94301, USA or, if you are a resident in the EU, Meta Platforms Ireland, Mer-rion Road, Dublin, D04 X2K5, Ireland. Further information about the re-targeting tool used can be found on the website of Meta.
15. Links to our social media channels
On our website we have links to our social media profiles. The links lead to the following networks:
– Meta Platforms, Inc., 471 Emerson St, Palo Alto, CA 94301-1605, USA (or Meta Platforms Ireland for EU residents)
– YouTube of Google Inc., Amphitheatre Parkway, Mountain View, CA 94043, USA
– Google+ of Google Inc., Amphitheatre Parkway, Mountain View, CA 94043, USA
If you click on symbols of the social networks, you are automatically forwarded to our profile page on the respective network. To be able to use the functions of the respective
network, you may have to log in to your user account. By doing so, the network receives information that you visited our website with your IP address, and clicked on the link. If you click on a link to a network while you are logged in to your account on the respective network, the content of our page can be linked with your profile on the network, which means that the network can directly allocated your visit to our website to your user ac-count. If you want to prevent this, you should log out before clicking on the respective links. In any case, the information is linked if you login to the respective network after clicking on the link.
16. Social media functions
We use social media functions on our website, in particular to share information on social networks. The functions are available for the following social networks:
– Meta Platforms, Inc., 471 Emerson St Palo Alto, CA, 94301-1605 USA or, if you are a resident in the EU, Meta Platforms Ireland, Merrion Road Dublin, D04 X2K5 Ireland
– Google+ of Google Inc., Amphitheatre Parkway, Mountain View, CA 94043, USA – Pinterest of Pinterest Inc., 651 Brannan Street, San Fran-cisco, CA 94103, USA or, if you are a resident of the EU, Palmerston House, 2nd Floor, Fenian Street, Dublin 2, Ireland
– LinkedIn of LinkedIn Corp., 2029 Stierlin Ct, Mountain View, CA 94043, USA or, if you are a residence of the EU, LinkedIn Ireland Unlim-ited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland
– Xing of New Work SE, Dammtorstrasse 30, 20354 Hamburg, Germany
If you click on the symbols of the social networks, you are connected to the respective social network to execute the selected function, i.e., to share content on Facebook. For this purpose, however, you must log in to, or be logged in to, your user account.
If you click on symbols of the social networks, you are automatically forwarded to our profile page on the respective network. To be able to use the functions of the respective network, you may have to log in to your user account. By doing so, the network receives information that you visited our website with your IP address, and clicked on the link. If you click on a link to a network while you are logged in to your account on the respective network, the content of our page can be linked with your profile on the network, which means that the network can directly allocate your visit to our website to your user ac-count. If you want to prevent this, you should log out before clicking on the respective links. In any case, the information is linked if you log in to the respective network after clicking on the link.
Further information about the use of data and your options and rights to suitably protect your privacy, can be found in the privacy policy of the respective provider.
B. Data processing associated with your visit
17. Data processing to meet legal reporting obligations
When arriving at our hotel, we may require the following details from you and the people travelling with you:
– First name and surname
– Address and Canton
– Nationality
– Official ID card and number
– Date of arrival and departure
We collect these details in order to meet our legal reporting obligations, based in particu-lar on the hospitality and police laws. If we are obliged to do so by the applicable regula-tions, we forward this information to the responsible police authorities.
Our justified interest lies in the fulfilment of legal provisions as per Art. 6, paragraph 1 f, GDPR.
18. Data processing to execute booked services in general
For your stay we may process and collect the following details from you and the other people travelling with you:
– First name and surname
– Address and Canton
– Nationality
– Official ID card and number
– Date of arrival and departure
– Room number
– Preferences and habits
We collect these details not only to fulfil our contractual and post-contractual obligations to you, but also to be able to offer you the best-possible service.
The legal basis for this data processing thereby lies in the processing of the contract, as per Art. 6, paragraph 1b GDPR.
19. Data processing to perform related spa services
If you book spa services during your stay at our hotel, the subject of the service (e.g., single admission) and the time of the service are compiled and processed by us for invoicing purposes and to perform the booked service. Normally we require the following de-tails for this:
– First name and surname
– Address
– E-mail address
– Telephone number
– Room number (if available)
The legal basis for this data processing thereby lies in the processing of the contract, as per Art. 6, paragraph 1b GDPR.
20. Data processing to perform other services
If you use extra services during your stay (e.g., the mini bar) the subject of the service and the time of the service are recorded by us for invoicing purposes. This processing of this data is therefore required for us to execute the contract in accordance with Art. 6, paragraph 1 b, GDPR.
C. Saving and exchange of data with third parties
21. Booking platforms
If you make bookings via a third-party platform, we receive various personal information from the respective operator of the platform. This usually concerns the data listed in point 5 of this privacy policy. Any requests associated with your booking are also forwarded to us. We process this data to handle the booking according to your request and to provide the booked services. The legal basis for the processing of your data for this purpose lies in the fulfilment of a contract as per Art. 6, paragraph 1 b, GDPR.
Eventually, we may be notified by the platform operators about disputes associated with a booking. In this case we may also receive data about the booking process, whereby a copy of the booking confirmation may be used as proof that the booking has actually been completed. We process this data to protect and assert our claims. This represents our jus-tified interest in accordance with Art. 6, paragraph 1 f, GDPR.
Please also note the data privacy guidelines of the respective provider.
22. Central saving and linking of data
We save the data in a central electronic data processing system. The data concerning you is then systematically recorded and linked to process your booking and execute the con-tractual services. Furthermore, the data in the system is used for advertising purposes, in particular to be able to offer you personalised services and products.
The legal basis for the processing of data for customer management lies in the processing of the contract, in accordance with Art. 6, paragraph 1 b, GDPR. With regards to the pro-cessing of data for advertising activities, the legal basis lies, on the one hand, in the pro-cessing of the contract (the existing customer relationship justified the processing of data for advertising activities) and, on the other hand, in the consent issued by you in accord-ance with Art. 6, paragraph 1 a, GDPR, when registering for the newsletter (see point 3).
23. Duration of storage
The maximum storage time for personal data is as long as a business relationship is main-tained, in order to use the afore-mentioned tracking services as well as the further pro-cessing within the scope of our justified interest. Contract data is stored for us for a longer period of time, if this is specified by legal storage obligations. Storage obligations which oblige us to store data, arise from the provisions concerning the right of registration, in-voicing and the tax law. According to these provisions, business communication, con-cluded contracts and accounting documents have to be stored for up to 10 years. If we no
longer require this data to provide the services for you, the data is blocked. This means that the data can only be used for invoicing and tax purposes.
24. Forwarding of data to third parties
We only forward your personal data if you have explicitly agreed to it, if there is a legal obligation to do so, or if this is necessary to assert our rights, in particular to assert claims from the contractual relationship. Furthermore, we forward your data to third parties if this is necessary within the scope of the use of the website and the processing of the con-tract (also outside of the website), namely the processing of your bookings.
Various third-party service providers have been mentioned explicitly in this privacy poli-cy (e.g., TAC Informationstechnologie GmbH, Facebook etc.) and the purpose of the transfer of data has been mentioned. Another service provider to whom personal data is forwarded or who has or could have access, is our web hosting company Positioner (web-site data), iWay AG, Badenerstr. 569, 8048 Zurich; Dailypoint (newsletter data), dai-lypoint GmbH, Augustenstr. 79, 80333 Munich; TAC (web shop data), RKP IT-Solutions GmbH, Schildbach 111, 8230 Hartberg. The website is hosted on servers in Switzerland, Germany and Austria. The transfer of data is done with the purpose of providing and maintaining the functions of our website. This represents our justified interest in accord-ance with Art. 6, paragraph 1 f, GDPR.
Finally, for payments by credit card made on our website, we forward your credit card information to your credit card issuer and the credit card acquirer. If you decide to make a payment by credit card, you will be requested to enter all the mandatory information. The legal basis for the transfer of data lies in the fulfilment of a contract in accordance with Art. 6, paragraph 1 b, GDPR. With regards to the processing of your credit card infor-mation by these third parties, we request that you also read the general terms and condi-tions and the data privacy statement of your credit card issuer.
25. Transfer of personal data abroad
We are permitted to also transfer your personal data to third-party companies (commis-sioned service providers) for the purpose of data processing described in this privacy policy. They are obliged to maintain the same level of data protection as we have. If the level of data protection in a particular country does not correspond to the Swiss or Euro-pean level, we will ensure by means of a contract, that the protection of your personal data meets the level of protection in Switzerland or the EU at all times.
D. Further information
26. Your rights
If the legal requirements are met, as a data subject, you have the following rights with respect to data processing:
Right of access: You have the right to request access to your personal data stored by us at any time and free of charge if we process such data. This gives you the opportunity to check what personal data concerning you we process and whether we process it in ac-cordance with applicable data protection regulations.
Right to rectification: You have the right to have inaccurate or incomplete personal data rectified and to be informed about the rectification. In this case, we will also inform the recipients of the data concerned about the adaptations we have made, unless this is im-possible or involves dis-proportionate effort.
Right to erasure: You have the right to obtain the erasure of your personal data under certain circumstances. In individual cases, particularly in the case of statutory retention obligations, the right to erasure may be excluded. In this case, the erasure may be re-placed by a blocking of the data if the requirements are met.
Right to restriction of processing: You have the right to request that the processing of your personal data be restricted.
Right to data portability: You have the right to receive from us, free of charge, the per-sonal data you have provided to us in a readable format.
Right to object: You have the right to object at any time to data processing, especially with regard to data processing related to direct marketing (e.g., marketing emails).
Right to withdraw consent: You have the right to withdraw your consent at any time. However, processing activities based on your consent in the past will not become unlaw-ful due to your withdrawal.
To exercise these rights, please send us an e-mail to the following address: dataprotection@badruttspalace.com.
Right of complaint: You have the right to lodge a complaint with a competent supervisory authority, e.g., against the manner in which your personal data is processed.
You have the right to receive information about the personal data we have saved about you, on request. In addition, you have the right to correct any incorrect data and the right to delete your personal data, provided no legal storage obligation or legal provision which allows us to process the data, contradicts this.
27. Data security
We take suitable technical and organisational security measures, to protect your personal data we have saved from manipulation, full or partial loss and unauthorised third-party access. Our safety measures are continually adapted in line with the development of tech-nology.
You should always treat your access data as confidential and close the browser window once you have finished communication with us, in particular if you share the computer with other people.
We also take the protection of data in our own company very seriously. Our employees and the service providers commissioned by us have been obliged to confidentiality and to comply with the legal provisions concerning data protection.
28. Note on the transfer of data to the USA
For the sake of completeness, for users with their place of residence or registered office in Switzerland, we would like to point out that monitoring measures of US authorities exist, which generally allow the saving of personal data of every person whose data is sent from Switzerland to the USA. This is done without differentiation, restriction or exceptions for the intended goal, and without an objective criterion, which allows the US authorities to access the data and the later usage to be restricted to a particular, strictly limited purpose, which may justify both the access to this data as well as interventions associated with its usage. In addition, we would also like to point out that, in the USA there is no legal aid for data subjects from Switzerland, which would allow you to receive access to the af-fected data and to correct or delete the data, or no effective legal protection exists against the general rights of access of the US authorities. We hereby explicitly refer the affected party to this legal and factual situation, so that an informed decision can be made about the consent to use the data.
We would like to point out to users with their place of residence in an EU Member State, that in the view of the European Union, the USA does not have a sufficient data protec-tion level – in part due to the issues mentioned in this section. If we have mentioned in this privacy policy that recipients of data (such as Google) have their registered office in the USA, we will either ensure by contractual regulations with these companies, or by ensuring the certification of these companies under the EU-US or Swiss-US Privacy Shield, that your data is protected to a suitable level by our partners.
29. Use of our Wi-Fi network
In our hotel, you have the opportunity to use the Wi-Fi network operated by Swisscom AG (3050 Bern) free of charge. In order to prevent abuse and take action against unlawful behaviour, prior registration is required. In this process, you will provide the following data to Swisscom AG:
– Mobile phone number
– MAC address of the device (automatically collected)
In addition to the aforementioned data, each time you use the Wi-Fi network, data about the visited hotel, including time, date, and device, will be recorded. The legal basis for these processes is your consent pursuant to Article 6(1)(a) of the EU General Data Protection Regulation (EU-GDPR). The customer can revoke their registration at any time by notifying us.
Swisscom AG must comply with the legal obligations of the Federal Act on the Monitoring of Postal and Telecommunications Traffic (BÜPF) and the associated ordinance. If the legal requirements are met, the Wi-Fi operator, on behalf of the relevant authority, must monitor internet usage or data traffic. The Wi-Fi operator may also be obligated to disclose customer’s contact, usage, and metadata to authorized authorities. The contact, usage, and metadata will be kept for 6 months on a personalized basis and then deleted.
The legal basis for these processes is our legitimate interest pursuant to Article 6(1)(f) of the EU General Data Protection Regulation (EU-GDPR) in providing a Wi-Fi network in compliance with applicable legal regulations.
30. Video Surveillance
To prevent abuses and address unlawful behaviours (especially theft and property dam-age), the entrance area as well as the publicly accessible areas of our hotel are monitored by cameras. Viewing of the image data occurs only if there is suspicion of unlawful be-haviour. Otherwise, the image recordings are automatically deleted after 72 hours.
For the provision of the video surveillance system, we rely on a service provider who may have access to the data if necessary for the system’s operation. Should suspicion of
unlawful behaviour be substantiated, the data can then be shared to the necessary extent with consulting firms (especially our law firm) and authorities for the enforcement of claims or for reporting offenses.
The legal basis is our legitimate interest according to Art. 6(1)(f) of the EU General Data Protection Regulation (EU-GDPR) in protecting our property and safeguarding and en-forcing our rights.
Updated: August 2023