1. Data controller and content of this Privacy Notice
We, Badrutt’s Palace Hotel AG, Via Serlas 27, 7500 St. Moritz, Switzerland, entered in the commercial register of the Canton of Graubünden under number CHE-105.980.962 (we, us, our, etc.), are the operators of Badrutt’s Palace Hotel (hotel) and the website www.badruttspalace.com (website) and, unless stated otherwise in this Privacy Notice, we are responsible for the data processing described in this Privacy Notice.
To find out which personal data we collect from you and for which purposes, please read the following information. Our data protection practices are based primarily on Swiss data protection laws, especially the Federal Act on Data Protection (FADP), though the provisions of the EU General Data Protection Regulation (GDPR) may also apply in certain cases.
Our website contains links to third-party websites at various points of the site. The data processing on these external websites is the sole responsibility of their operators, unless expressly stated otherwise in this Privacy Notice.
Please note that the information below is reviewed and amended from time to time. We therefore recommend that you consult this Privacy Notice regularly. Furthermore, for the individual data processing activities described below, other companies are legally responsible for data protection or they share this responsibility with us; this means that the information from such providers is also relevant in these instances.
2. Data protection contact
If you have any questions about data protection or would like to exercise your rights, please e-mail our contact person for data protection at the following address: dataprotection@badruttspalace.com
You can contact our EU data protection representative at: MLL Bruxelles SPRL, 222 Avenue Louise, 1050 Brussels, Belgium (bph@mll-gdpr.com)
3. Data processing when contacting us (telephone and e-mail)
If you contact us by telephone or e-mail (e.g. by clicking on our e-mail symbol), your personal data will be processed. The data that you have provided, such as your name, e-mail address or telephone number and the reason for contacting us, will be processed. We process this data to fulfil your request (e.g. to provide you with information about our rooms, products and services, to support the performance of the contract, to obtain feedback for the improvement of our products and services, etc.).
The lawful basis for this data processing is our legitimate interest within the meaning of Art. 6(1)(f) GDPR in fulfilling your request or, if your enquiry concerns the conclusion or performance of a contract, the necessity of carrying out the requisite measures within the meaning of Art. 6(1)(b) GDPR.
4. Data processing when contacting us using the contact form
If you contact us using the contact form on our website, your personal data will be processed. In such case, we will collect the following data, whereby the mandatory fields in the forms are marked with an asterisk (*):
- Title
- First name
- Last name
- Company
- E-mail address
- Phone number
- Message
The data that you provide us with in your message will also be processed. In addition, the time of receipt of the enquiry is documented. We process this data to fulfil your request (e.g. to provide you with information about our products and services, to support the performance of the contract, to obtain feedback for the improvement of our products and services, etc.).
To process enquiries submitted through the contact form, we use a software application of Rock Lobster LLC., 812-0011 2nd Floor, NMF Hakata Ekimae Building, 1-15-20 Hakata Ekimae, Hakata-ku, Fukuoka, Japan. As a result, your data is stored in a Rock Lobster LLC. database, which enables Rock Lobster LLC. to access the data if this is necessary for the provision of software and for user support. Information about the processing of data by third parties and any transfer of data abroad can be found in Clause 27 of this Privacy Notice.
The lawful basis for this data processing is our legitimate interest within the meaning of Art. 6(1)(f) GDPR in fulfilling your request or, if your enquiry concerns the conclusion or performance of a contract, the necessity of carrying out the requisite measures within the meaning of Art. 6(1)(b) GDPR.
It is possible that Rock Lobster LLC. might wish to use some of this data for its own purposes (e.g. to send marketing e-mails or for statistical analyses). Rock Lobster LLC. is the data controller for this data processing and must ensure compliance with the data protection laws in connection with this data processing. You can find information about data processing by Rock Lobster LLC. at Link.
5. Data processing when contacting us through WhatsApp or Facebook Chat
We offer you the option of contacting us using the WhatsApp messaging service and Facebook Chat provided by Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (Meta). When using WhatsApp or Facebook, your personal data is processed. As well as your telephone number, we process the data that you have provided, such as your name and the reason for contacting us. In addition, the time of receipt of the enquiry is documented. We process this data to fulfil your request (e.g. to provide you with information about our rooms and services, to support the performance of the contract, to obtain your feedback for the improvement of our products and services, etc.).
The lawful basis for this data processing is our legitimate interest within the meaning of Art. 6(1)(f) GDPR in using the services of third parties and in fulfilling your request or, if your enquiry concerns the conclusion or performance of a contract, the necessity of carrying out the requisite (pre-)contractual measures within the meaning of Art. 6(1)(b) GDPR.
When using WhatsApp or Facebook, your data is stored in one of Meta’s databases. The data that is processed by Meta may include in particular your telephone number, the contents of your message, information about your devices and your location. Meta is the data controller for the data processing that it carries out and must ensure compliance with the data protection laws in connection with this data processing. Information about the processing of data by third parties and any transfer of data abroad can be found in Clause 27 of this Privacy Notice. You can find further information about the data processing carried out by Meta here.
6. Data processing when registering for a customer account
If you open a customer account on our website, we will collect the following data, whereby all mandatory fields are marked with an asterisk (*) in the corresponding form:
- Personal data:
  - First name (the person booking and all guests)
  - Last name (the person booking and all guests)
  - Postal address
- Login data:
  - E-mail address
  - Password
- Further details:
  - Credit card details
We use your personal details to verify your identity and to check the requirements for the registration. The e-mail address and the password are used together as login data and thus to ensure that the correct person is using the website with your details. We also require your e-mail address to verify and confirm the account opening and for future communication with you that is required for the performance of the contract. In addition, this data is stored in the customer account for future bookings and/or concluding contracts. For this purpose, we also make it possible for you to file further information in your account (e.g. your preferred payment method).
We also use the data to provide an overview of the bookings made and the services used (see in particular Clause 26) and to offer an easy way to manage your personal data. This includes the management of our website and the contractual relationships, i.e. establishing, structuring, performing and modifying the contracts concluded with you via your customer account (e.g. in connection with your booking with us).
The lawful basis for the processing of your data for the aforementioned purpose is your consent according to Art. 6(1)(a) GDPR. You may revoke your consent at any time by withdrawing or deleting the information in your customer account or by requesting that we delete it.
To prevent misuse, you should always treat your login data as confidential, log out after each session and delete your browsing history, particularly if you share your device with others.
7. Data processing when ordering in our online shop
On our website, you have the possibility of ordering products, services and vouchers (particularly various vouchers, objects with the printed Badrutt logo, massages, spa packages, etc.). To this end, we will collect the following data, whereby the mandatory fields in the order process are marked with an asterisk (*):
- Title
- First name
- Last name
- Billing and delivery address
- Date of birth
- Phone number
- Payment method and credit card information
We use the data to confirm your identity before the conclusion of the contract. We also require your e-mail address to confirm your order and for future communication with you that is required for the performance of the contract. We store your data together with the supplementary details of the order (e.g. name, price and characteristics of the products ordered), the payment data (e.g. preferred payment method, confirmation of payment and time; also see Clause 15.2), as well as information related to the performance and fulfilment of the contract (e.g. receipt and handling of complaints) in our CRM database (also see Clause 26), so that we can ensure correct processing of the order and proper performance of the contract.
The lawful basis for this data processing is the performance of a contract with you according to Art. 6(1)(b) GDPR.
Data that is not marked as mandatory is provided on a voluntary basis. We process this data to tailor our offerings as closely as possible to your personal needs, to facilitate the performance of the contract, to be able to contact you using an alternative communication method for the purpose of performing the contract, or for statistical recording and analysis aimed at optimising our offerings.
The lawful basis for this data processing is your consent within the meaning of Art. 6(1)(a) GDPR. You can revoke your consent at any time by writing to us.
For the provision of the online shop, we use an application of TAC Informationstechnologie GmbH, Schildbach 111 in 8230 Hartberg, Austria (TAC). As a result, your data is stored in a TAC database, which enables TAC to access your data if this is necessary for the provision of the software and for user support. Information about the processing of data by third parties and any transfer of data abroad can be found in Clause 27 of this Privacy Notice.
The lawful basis for this data processing is the performance of a contract with you according to Art. 6(1)(b) GDPR.
It is possible that TAC might wish to use some of this data for its own purposes (e.g. to provide marketing e-mails or for statistical analyses). TAC is the data controller for the data processing that it carries out and must ensure compliance with the data protection laws in connection with this data processing. You can find further information about the data processing carried out by TAC here.
8. Data processing when booking a hotel stay
8.1 Booking through our website
Overnight stays can be booked directly on our website, by post or by using the contact form (see Clause 4) as well as by e-mail or phone (see Clause 3). Depending on the type of booking, we require the following data to process it:
- Title of the person booking
- First name (the person booking and all guests)
- Last name (the person booking and all guests)
- Invoice address
- Phone number
- E-mail address
- IATA number
- Credit card information (see Clause 2)
We will use this data, as well as any further information that you have provided on a voluntary basis (e.g. preferences, comments), for the purpose of performing the contract, insofar as the Privacy Notice does not specify otherwise and/or you have not expressly agreed to this separately. We will process the data specifically to record your booking as requested, provide the booked services, contact you in the event of questions or problems, and ensure correct payment.
The lawful basis for the data processing for this purpose is the performance of a contract according to Art. 6(1)(b) GDPR.
8.2 Booking through a booking platform
If you make a booking using a third-party platform (i.e. through Booking.com, Hotels.com, Escapio, Expedia, Holidaycheck, Hotel Tonight, HRS, Kayak, Mr. & Mrs. Smith, Splendia, Tablet Hotels, Tripadvisor, Trivago, Weekend4Two, etc.), we will receive various personal data from the relevant platform operator in connection with the booking made. This typically concerns the data set out in Clause 15.2 of this Privacy Notice. In addition, we may be forwarded any enquiries about your booking. We will process this data specifically to record your booking as requested and provide the booked services.
The lawful basis for the data processing for this purpose is the performance of pre-contractual measures and the performance of a contract according to Art. 6(1)(b) GDPR.
Finally, we may also exchange personal data with the platform operator in the event of disputes or complaints related to a booking, insofar as this is required in order to protect our legitimate interests. In certain circumstances, this may include data concerning the booking procedure on the platform or data concerning the booking or provision of services and the stay with us. We process this data to protect our legitimate claims and interests in the performance and maintenance of our contractual relationships with the following platform operators:
- Booking.com B.V., Oosterdokskade 163 in 1011 DL Amsterdam, Netherlands. You can find further information about data processing in connection with Booking.com B.V. here.
- Expedia Inc., 1111 Expedia Group Way West in WA 98119 Seattle, USA. You can find further information about data processing in connection with Expedia Inc. here.
- Hotels.com L.P., 5400 LBJ Freeway Suite 500 in 75240 Dallas, USA. You can find further information about data processing in connection with Hotels.com L.P. here.
- STC Switzerland Travel Centre AG, Binzstrasse 38 in 8045 Zurich, Switzerland. You can find further information about data processing in connection with STC Switzerland Travel Centre AG here.
Your data is stored in the databases of the platform operators, which means they have access to your data. Information about the processing of data by third parties and any transfer of data abroad can be found in Clause 27 of this Privacy Notice.
The lawful basis for the data processing for this purpose is our legitimate interests within the meaning of Art. 6(1)(f) GDPR.
9. Data processing to fulfil statutory reporting obligations
Upon your arrival at our hotel, we record the following information about you and your companions:
- First name
- Last name
- Home address
- Nationality
- Copy of the official identity documents of all guests
- Date of arrival and departure
We record this data so that we can fulfil our statutory reporting obligations, particularly according to Art. 16 of the Federal Act on Foreign Nationals and Integration (FNIA) and Art. 3 of the implementing regulations governing the hospitality law for the canton of Graubünden. Where we are obliged to do so by the applicable regulations, we forward this information to the relevant police bodies.
The applicable data is processed for fulfilling a legal obligation according to Art. 6(1)(c) GDPR.
10. Data processing within the context of your visit
We can collect and process the following information from you and your companions for your stay, whereby the mandatory fields when registering are marked with an asterisk (*):
- First and last name
- Full home address
- Nationality
- Scan of the official identity documents of all guests
- Date of arrival and departure
- Preferences and wishes
We require this data in case you would like to order extra services during your stay (e.g. from the mini bar), among other reasons; the object of the service as well as the time of delivery are recorded by us for the purposes of invoicing. We collect this data to be able to fulfil our contractual and pre-contractual obligations according to Art. 6(1)(b) GDPR and thus be able to offer you the best possible service in this regard.
11. Data processing in connection with services used in the spa and wellness area
If you use services in our spa and wellness area during your stay at our hotel, the object of the service (e.g. individual entry) as well as the time that the service was used, is recorded and processed for the purpose of invoicing and providing the service booked. We typically require the following information for this:
- First and last name
- Postal address
- E-mail address
- Phone number
- Room number (if available)
The lawful basis for our data processing is the performance of a contract according to Art. 6(1)(b) GDPR.
12. Data processing when reserving a table
You can make a table reservation on our website. We require the following data for this:
- First name
- Last name
- E-mail address
- Phone number
- Date and time of the reservation
- Chosen restaurant
- Number of guests
- Information about special events (optional)
- Comments (optional)
We record and process the data in order to process the reservation and, in particular, to be able to meet any special requests for the reservation and to contact you in the event of questions or problems. We store your data together with the supplementary details of the reservation (e.g. date and time of receipt, etc.), the reservation data (e.g. allotted table), as well as information related to the performance and fulfilment of the contract (e.g. receipt and handling of complaints), so that we can ensure correct processing of the reservation and performance of the contract.
For processing table reservations, we use the software application of aleno AG, Werdstrasse 21, 8004 Zurich, Switzerland (aleno). As a result, your data is stored in an aleno database, which enables aleno to access the data if this is necessary for the provision of the software and for user support. You can find further information concerning the use of aleno in Clause 26 of this Privacy Notice. Information about the processing of data by third parties and any transfer of data abroad can be found in Clause 27 of this Privacy Notice.
The lawful basis for this data processing is the performance of a contract with you according to Art. 6(1)(b) GDPR.
It is possible that aleno might wish to use some of this data for its own purposes (e.g. to provide marketing e-mails or for statistical analyses). aleno is the data controller for the data processing that it carries out and must ensure compliance with the data protection laws in connection with this data processing. You can find further information about the data processing carried out by aleno here.
13. Data processing when reserving a table (King’s Social House)
You can make a table reservation for our King’s Social House restaurant on our website. We require the following data for this:
- First name
- Last name
- E-mail address
- Phone number
- Date and time of the reservation
- Chosen restaurant
- Number of guests
- Information about special events (optional)
- Comments (optional)
We record and process the data in order to process the reservation and, in particular, to be able to meet any special requests for the reservation and to contact you in the event of questions or problems. We store your data together with the supplementary details of the reservation (e.g. date and time of receipt, etc.), the reservation data (e.g. allotted table), as well as information related to the performance and fulfilment of the contract (e.g. receipt and handling of complaints), so that we can ensure correct processing of the reservation and performance of the contract.
For processing table reservations, we use the software application of aleno AG, Werdstrasse 21, 8004 Zurich, Switzerland (aleno). As a result, your data is stored in an aleno database, which enables aleno to access the data if this is necessary for the provision of the software and for user support. You can find further information concerning the use of aleno in Clause 26 of this Privacy Notice. Information about the processing of data by third parties and any transfer of data abroad can be found in Clause 27 of this Privacy Notice.
The lawful basis for this data processing is the performance of a contract with you according to Art. 6(1)(b) GDPR.
It is possible that aleno might wish to use some of this data for its own purposes (e.g. to provide marketing e-mails or for statistical analyses). aleno is the data controller for the data processing that it carries out and must ensure compliance with the data protection laws in connection with this data processing. You can find further information about the data processing carried out by aleno here.
14. Data processing when contacting us for the organisation of an event
If you contact us using the contact form on our website for the organisation of an event (e.g. a wedding), your personal data will be processed. In such case, we will collect the following data, whereby the mandatory fields in the forms are marked with an asterisk (*):
- Title
- First name
- Last name
- Company
- E-mail address
- Telephone number
- Type of event
- Number of guests
- Information about whether rooms are required
- Start and end of the event
- Message
The data that you provide us with in your message will also be processed. In addition, the time of receipt of the enquiry is documented. We process this data to fulfil your request (e.g. to provide you with information about our products and services, to support the performance of the contract, to obtain feedback for the improvement of our products and services, etc.).
15. Data processing in connection with payment processing
15.1 Payment processing in the hotel
If you purchase products, procure services or pay for your stay in our hotel using an electronic payment method, it is necessary to process your personal data. By using the payment terminals, you transfer the information that is stored in your payment method (e.g. the name of the cardholder, the card number) to the payment service providers involved (e.g. the payment solution provider, the credit card issuer and the credit card acquirer). In addition, they receive the information that the payment method was used in our hotel, as well as the amount and the time of the transaction. Conversely, we only receive the credit for the amount of the payment made at the corresponding time, which we can assign to the relevant receipt number, or we are informed that the transaction was not possible or was aborted. Please also note the information of the relevant company, particularly the privacy notice and the general terms and conditions.
In the case of wallet payment solutions (Twint, Apple Pay, PayPal), your card details are already securely stored in the Wallet in advance. If you decide to use a wallet solution for your payment, you generally do not need to enter any credit card information. Only the data required for authorisation and transaction processing is then transmitted through the wallet. Please also note the information of the relevant company, particularly the privacy notice and the general terms and conditions.
For processing payments, we use the software applications of Worldline Schweiz AG, Hardturmstrasse 201 in 8005 Zurich, Switzerland, Swisscard AECS GmbH, Neugasse 18 in 8810 Horgen, Switzerland and PostFinance AG, Mingerstrasse 20 in 3030 Bern, Switzerland. As a result, your data is stored in a database of Worldline Schweiz AG, Swisscard AECS GmbH or PostFinance AG, which enables Worldline Schweiz AG, Swisscard AECS GmbH or PostFinance AG to access the data if this is necessary for the provision of the software and for user support. Information about the processing of data by third parties and any transfer of data abroad can be found in Clause 27 of this Privacy Notice.
The lawful basis for our data processing is the performance of a contract with you according to Art. 6(1)(b) GDPR.
It is possible that Worldline Schweiz AG, Swisscard AECS GmbH or PostFinance AG might wish to use some of this data for its own purposes (e.g. to provide marketing e-mails or for statistical analyses). Worldline Schweiz AG, Swisscard AECS GmbH or PostFinance AG is the data controller for this data processing and must ensure compliance with the data protection laws in connection with this data processing. You can find information about the data processing carried out by Worldline Schweiz AG here. You can find information about the data processing carried out by Swisscard AECS GmbH here and information about the data processing carried out by PostFinance AG here.
15.2 Online payment processing
If you make bookings or order products or services that incur a cost through our website, then – depending on the product or service or the preferred payment method – further information may be required in addition to the information mentioned in Clause 15.1, such as your credit card information or your login with your service provider. This information, as well as the fact that you acquired a service from us for the relevant amount and at the relevant time, is forwarded to the payment service provider concerned (e.g. the payment solution provider, the credit card issuer and the credit card acquirer). Please also note the information of the relevant company, particularly the privacy notice and the general terms and conditions.
The lawful basis for our data processing is the performance of a contract according to Art. 6(1)(b) GDPR.
We reserve the right to store a copy of the credit card information as security. In order to avoid default of payment, the requisite data, particularly your personal data, may be transferred to a credit agency for the automatic assessment of your creditworthiness. In this context, the credit agency may give you a credit score. This is an estimated value regarding the future risk of a payment default, e.g. using a percentage value. The value is ascertained by using a mathematical-statistical procedure together with the inclusion of data from the credit agency from other sources. We reserve the right, based on the information received, not to offer you the “invoice” payment method. The lawful basis for this data processing is our legitimate interest according to Art. 6(1)(f) GDPR in avoiding default of payment.
In the case of wallet payment solutions (Twint, Apple Pay, PayPal), your card details are already securely stored in the Wallet in advance. If you decide to use a wallet solution for your payment, you generally do not need to enter any credit card information. Only the data required for authorisation and transaction processing is then transmitted through the wallet. Also always note the information of the relevant company, particularly the privacy notice and the general terms and conditions.
For processing payments, we use the software applications of Worldline Schweiz AG, Hardturmstrasse 201 in 8005 Zurich, Switzerland, Swisscard AECS GmbH, Neugasse 18 in 8810 Horgen, Switzerland and PostFinance AG, Mingerstrasse 20 in 3030 Bern, Switzerland. As a result, your data is stored in a database of Worldline Schweiz AG, Swisscard AECS GmbH or PostFinance AG, which enables Worldline Schweiz AG, Swisscard AECS GmbH or PostFinance AG to access the data if this is necessary for the provision of the software and for user support. Information about the processing of data by third parties and any transfer of data abroad can be found in Clause 27 of this Privacy Notice. The lawful basis for this data processing is our legitimate interest within the meaning of Art. 6(1)(f) GDPR in the use of services of third-party providers.
It is possible that Worldline Schweiz AG, Swisscard AECS GmbH or PostFinance AG might wish to use some of this data for its own purposes (e.g. to provide marketing e-mails or for statistical analyses). Worldline Schweiz AG, Swisscard AECS GmbH or PostFinance AG is the data controller for this data processing and must ensure compliance with the data protection laws in connection with this data processing.
For carrying out credit checks, we use a software application of Worldline Schweiz AG, Hardturmstrasse 201 in 8005 Zurich, Switzerland. As a result, your data is stored in a Worldline Schweiz AG database, which enables Worldline Schweiz AG to access the data if this is necessary for the provision of the software and for user support. Information about the processing of data by third parties and any transfer of data abroad can be found in Clause 27 of this Privacy Notice.
The lawful basis for this data processing is our legitimate interest according to Art. 6(1)(f) GDPR in avoiding default of payment.
It is possible that Worldline Schweiz AG might wish to use some of this data for its own purposes (e.g. to provide marketing e-mails or for statistical analyses). Worldline Schweiz AG is the data controller for this data processing and must ensure compliance with the data protection laws in connection with this data processing. You can find information about the data processing carried out by Worldline Schweiz AG here.
16. Data processing in connection with e-mail marketing
If you register for our marketing e-mails, the following data is collected. Mandatory fields when registering are marked with an asterisk (*):
- Title
- E-mail address
- First name
- Last name
To avoid misuse and ensure that the owner of the e-mail address has themselves consented to receiving marketing e-mails, we use the double opt-in method for the registration. After you have sent your registration, you will receive an e-mail from us with a confirmation link. You have to click on this link in order to definitively register for the marketing e-mails. If you do not confirm your e-mail address within the specified period by clicking on the confirmation link, your data will be deleted and our marketing e-mails will not be sent to this address.
By registering, you consent to the processing of this data so that you can receive marketing e-mails about our products and services. These marketing e-mails can also include invitations to participate in competitions, to provide feedback or to rate our products and services. The collection of your title and first and last names permits us to associate the registration with an existing customer account, if applicable, and thereby personalise the content of the marketing e-mails. Linking you to a customer account allows us to ensure that the offers and contents in the marketing e-mails are even more relevant to you and tailored even more closely to your potential needs.
Your consent forms the lawful basis for this data processing within the meaning of Art. 6(1)(f) GDPR. We use your data for sending marketing e-mails until you decide to revoke your consent. You can revoke your consent at any time, particularly by means of the unsubscribe link that you can find in all the marketing e-mails.
Our marketing e-mails may contain a web beacon, 1×1 pixel (tracking pixel) or similar technical tool. A web beacon is an invisible graphic that is linked with the user ID of the relevant subscriber. For every marketing e-mail sent, we receive information about which e-mail addresses successfully received the e-mail, which e-mail addresses have not yet received the e-mail and which e-mail addresses failed to receive the e-mail. It is also shown how long the marketing e-mail was open for and which links were activated for which e-mail addresses. Finally, we also receive information about which subscribers have unsubscribed from the distribution list. We use this data for statistical purposes and to optimise the marketing e-mails in relation to frequency and the time they were sent as well as with regard to the structure and content. In this way, we can tailor the information and offers in our marketing e-mails more closely to the individual interests of the recipients.
By registering for the marketing e-mails, you also consent to the statistical analysis of user behaviour for the purpose of optimising and refining the marketing e-mails. This consent forms our lawful basis for this data processing within the meaning of Art. 6(1)(a) GDPR. The web beacon is deleted when you delete the marketing e-mail. You can prevent the use of the web beacon in our marketing e-mails and thus revoke your consent by configuring your e-mail programme to not display HTML in messages. In the Help settings for your e-mail software application, you can find information about how to configure this setting, e.g. here for Microsoft Outlook.
For sending marketing e-mails, we use a software application of Revinate, 2345 Yale Street, First Floor, Palo Alto, CA 94306, United States. As a result, your data may be stored in a Revinate database, which enables Revinate to access the data if this is necessary for the provision of the software and for user support. Information about the processing of data by third parties and any transfer of data abroad can be found in Clause 27 of this Privacy Notice. The lawful basis for this data processing is our legitimate interest within the meaning of Art. 6(1)(f) GDPR in the use of services of third-party providers.
It is possible that Revinate might wish to use some of this data for its own purposes (e.g. to provide marketing e-mails or for statistical analyses). Revinate is the data controller for the data processing that it carries out and must ensure compliance with the data protection laws in connection with this data processing. You can find further information about the data processing carried out by Revinate here.
17. Data processing when providing ratings
To help other users with their decision and to support our quality management (particularly when handling negative feedback), you have the opportunity to rate your stay with us on our website. To do so, you must click on the provided link, which will connect you to the website of Tripadvisor Inc. 400 1st Avenue, Needham, 02494 MA, USA (Tripadvisor). The data that you made available to Tripadvisor will be processed and published on their website, i.e. not only the rating but also the time of the rating and possibly also the comment that you left with your rating or the name that you gave. It is also possible that your IP address will be forwarded to Tripadvisor’s server (see Clause 22.1). Tripadvisor is the data controller for the data processing that it carries out and must ensure compliance with the data protection laws in connection with this data processing. You can find further information about the data processing carried out by Tripadvisor here.
The lawful basis for this data processing is your consent within the meaning of Art. 6(1)(a) GDPR. You can withdraw your consent at any time and request the anonymisation of your feedback at any time.
We reserve the right to delete unlawful ratings and, in the event of suspicion, to contact you for comment.
The lawful basis for this processing is our legitimate interest within the meaning of Art. 6(1)(f) GDPR in providing a lawful and genuine commenting and rating function and preventing its misuse.
18. Data processing when providing customer feedback
If you have made a hotel booking and your e-mail address is stored with us, we will carry out a satisfaction survey after your hotel stay (e.g. to give you the opportunity for praise, criticism and suggestions for improvement). To this end, we will collect the following data, whereby the mandatory fields in the corresponding form are marked with an asterisk (*):
- First and last name
- E-mail address
- Time of order or contact
- Order number
- Feedback
The processing of your data is carried out within the framework of our quality management with the aim of tailoring our products and services more closely to the needs of our customers. Specifically, your data is processed for the following purposes:
- Clarifying your request, e.g. obtaining statements from the employees and superiors involved, seeking further clarification from you, etc.;
- Evaluating and analysing your information, e.g. compiling satisfaction statistics, comparing individual services, etc.; or
- Taking organisational measures based on the findings, e.g. remedying shortcomings/deficiencies/misconduct, such as by repairing faulty equipment, providing instructions, praising or warning employees.
The lawful basis for this processing is your consent according to Art. 6(1)(a) GDPR. You can revoke this consent for the future at any time.
19. Data processing in connection with video surveillance
To protect our customers, employees and property and to prevent and/or punish illegal behaviour (particularly theft and damage to property), the reception area and the publicly accessible areas of our premises (except the sanitary facilities) can be monitored with cameras. The video recordings are only viewed if there is a suspicion of illegal behaviour. Otherwise the footage is automatically deleted after 14 days.
For the provision of our video surveillance system, we use the services of Aptex Security AG, Zürcherstrasse 133, 8952 Schlieren, Switzerland. Aptex Security AG has access to the data, insofar as this is necessary for the provision of the system. If the suspicion of unlawful behaviour is confirmed, the data can be forwarded in the scope required to advisory organisations (particularly to law firms) and to the authorities in order to enforce claims or report the matter. Information about the processing of data by third parties and any transfer of data abroad can be found in Clause 27 of this Privacy Notice. You can find further information about data processing in connection with Aptex Security AG here. The lawful basis for this data processing is our legitimate interest within the meaning of Art. 6(1)(f) GDPR in the use of services of third-party providers.
20. Data processing in connection with using our Wi-Fi network
In our hotel, we provide free Wi-Fi access. When you use it, you provide us with:
- The MAC address of your device (automatic)
In addition to the above data, data about the time and date of use and the device used is recorded each time the Wi-Fi network is used. This data processing is carried out for the purpose of providing and operating the Wi-Fi network as well as to prevent misuse. The lawful basis for this processing is your consent within the meaning of Art. 6(1)(a) GDPR. You can revoke this consent for the future at any time.
21. Data processing in connection with job applications
You have the option of sending a spontaneous application to us or applying in response to a specific job advertisement. To this end, we will process the personal data that you made available to us. If the jobs are offered on our website, you can apply directly online for the position that is being advertised. In the case of an online application, we collect the following data, whereby the mandatory fields in the corresponding form are marked with an asterisk (*):
- Title
- First name
- Last name
- Nationality
- Civil status
- Date of birth
- E-mail address
- Phone number
- Cover letter
- CV with photo
- Employer references/certificates
- Information about how you became aware of the position
- Information about whether you are an employment agency
In addition, you can make an application for an apprenticeship online. To this end, we will collect the following data from you, whereby the mandatory fields in the corresponding form are marked with an asterisk (*):
- Title
- First name
- Last name
- Nationality
- Civil status
- Date of birth
- E-mail address
- Phone number
- Information about general school education
- Final year
- Information about any taster apprenticeships you have carried out
- Information about your preferred apprenticeship (career choice)
- Preferred training year
- Desired date for taster apprenticeship
- Cover letter and photo
- School reports from 6th grade (11–12 years)
- Taster apprenticeship reports
- Multi-check/personal position check
We use the information you have provided to check your application and your suitability for employment with us. Application documents from applicants who are not considered are deleted once the application process has finished, unless you have expressly requested that they should be stored for longer or we are obliged to store them for a longer period by law.
For recruitment purposes and to simplify the hiring process, we use the services of Teamtailor AB, Östgötagatan 16, 11621 Stockholm, Sweden. We process, manage, use and protect the personal data of users in accordance with this Privacy Notice. You can find more information about data processing in connection with Teamtailor here. The lawful basis for this data processing with the services of Teamtailor is your consent within the meaning of Art. 6(1)(a) GDPR.
The lawful basis for this data processing with the following services is your consent within the meaning of Art. 6(1)(a) GDPR. Part of the data processing can be classed as profiling (with or without high risk), which is also included in your consent. You can revoke your consent and/or refuse processing at any time (see Clause 30).
It is possible that Teamtailor might wish to use some of this data for its own purposes (e.g. for statistical analyses). Teamtailor is the data controller for this data processing and must ensure compliance with the data protection laws in connection with this data processing.
22. Background data processing on our website
22.1 Data processing when visiting our website (log file data)
The web servers temporarily store every visit to our website in a log file (log file). The following data is recorded without your involvement and stored with us until it is automatically deleted:
- IP address of the requesting computer;
- Date and time of access;
- Name and URL of the file retrieved;
- Operating system of your computer;
- Browser used (type, version and language);
- Transmission protocol used (e.g. HTTP/1.1); and possibly your username from registration/authentication;
- The verb or word requested, such as the GET method (GETlocation).
The collection and processing of this data is carried out to enable the use of our website (establish a connection), to guarantee system security and stability on an ongoing basis and to facilitate the error and performance analysis and optimisation of our website (also see Clause 22.4 with regard to the last points).
In the event of an attack on the network infrastructure of the website or if other unauthorised or improper use of the website is suspected, the IP address and other data will be analysed for investigation and defence purposes and possibly used to identify the user within the context of civil or criminal proceedings.
Our legitimate interest within the meaning of Art. 6(1)(f) GDPR lies in the purposes described above and this constitutes the lawful basis for the data processing.
For the operation of our website, we use the services of our hosting provider Raidboxes GmbH, Via Hafenstrasse 32, 48153 Münster, Germany. As a result, your data is stored in databases managed by Raidboxes, which enables Raidboxes to access the data if this is necessary for the provision of the software and for user support. The website is hosted on servers in Switzerland, Germany and Austria. Information about the processing of data by third parties and any transfer of data abroad can be found in Clause 27 of this Privacy Notice. The lawful basis for this data processing is our legitimate interest within the meaning of Art. 6(1)(f) GDPR in the use of services of third-party providers.
It is possible that Raidboxes might wish to use some of this data for its own purposes (e.g. for statistical analyses). Raidboxes is solely responsible for this data processing and must ensure compliance with the data protection laws in connection with this data processing. You can find further information about data processing in connection with Raidboxes here.
Finally, when you visit our website, we use cookies as well as applications and tools that are based on the use of cookies. In connection with these, the data described here can also be processed. You can find more information about this in the following clauses of this Privacy Notice, particularly Clause 22.2 below.
22.2 Cookies
Cookies are information files that your web browser stores on the hard disk or in the main memory of your computer when you visit our website. Cookies are assigned identification numbers through which your computer is identified and the information contained in the cookie can be read.
Among other things, cookies help to make your visit to our website easier, more pleasant and more relevant. We use cookies for different purposes that are required, i.e. “strictly necessary”, for you to use the website as you wish. For example, we use cookies to identify you after logging in as a registered user and to enable you to navigate to and from the different sub-pages without having to log in again. The provision of website elements, such as the order function, is also based on the use of cookies, since your information when completing a form is temporarily stored on the website so that you do not have to re-enter it after accessing a different sub-page. In addition, cookies also carry out the technical functions required for the operation of the website, such as load balancing, i.e. the distribution of the performance load of the pages over the different web servers in order to relieve the server or content delivery network (CDN), so that content can be distributed more quickly to the end user. Cookies are also used for security purposes, in order to prevent the posting of illegal content. Finally, we use cookies within the framework of the structure and programming of our website, e.g. to facilitate the uploading of scripts or codes.
The lawful basis for this data processing is our legitimate interest within the meaning of Art. 6(1)(f) GDPR in the provision of a user-friendly and modern website.
Most internet browsers automatically accept cookies. However, when you access our website, we ask for your permission to use cookies that are not strictly necessary, particularly cookies from third-party providers for marketing purposes. By using the corresponding function buttons in the cookie banner, you can select the desired settings. Details regarding the services and data processing associated with individual cookies can be found in the cookie banner and in the following clauses of this Privacy Notice.
For cookie control and consent on our website, we use the services of TRUENDO Technologies GmbH, Leonard-Bernstein-Straße 10, 1220 Vienna, Austria (TRUENDO). When using TRUENDO, your data is stored in a TRUENDO database. TRUENDO is the data controller for the data processing that it carries out and must ensure compliance with the data protection laws in connection with this data processing. Information about the processing of data by third parties and any transfer of data abroad can be found in Clause 27 of this Privacy Notice. You can find further information about the data processing carried out by TRUENDO here.
You may also be able to configure your browser in such a way that no cookies are stored on your computer or you always receive an alert when you receive a new cookie. On the following pages, you can find information about how to configure the processing of cookies for certain browsers.
- Google Chrome for Desktop
- Google Chrome for Mobile
- Apple Safari
- Microsoft Windows Internet Explorer
- Microsoft Windows Internet Explorer Mobile
- Mozilla Firefox
The deactivation of cookies may result in you being unable to use all the functionalities of our website.
22.3 Google Tag Manager
To manage the functions of our website, we use Google Tag Manager provided by Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland). With Google Tag Manager, tracking codes and associated code fragments (tags) can be managed without the code having to be manually altered. Following implementation, it is possible for the tracking tools we have set to be managed, triggered and controlled through Google Tag Manager. Google Tag Manager is therefore closely involved in the data processing specified below and is used indirectly for the purposes described therein, which is why the lawful basis for the processing can be found in the sections on the individual tools. If some autonomous data processing is deemed to be carried out by Google Tag Manager, our legitimate interest within the meaning of Art. 6(1)(f) GDPR is the use of third parties for the efficient management of our websites and the performance of our marketing activities.
22.4 Tracking and web analysis tools
22.4.1 General information about tracking
For the purposes of the tailored design and ongoing optimisation of our website, we use the web analytics services specified below. In this connection, pseudonymised user profiles are created and cookies are used (also see Clause 22.2). The information generated by the cookie regarding your use of this website is generally transferred to a server of the service provider together with the log file data set out in Clause 22.1, where it is stored and processed. This may also involve data being transferred to a server abroad, such as in the USA (see in particular the absence of an adequate level of data protection and the intended safeguards, Clause 27.2 and 27.3).
Information that we receive when processing the data includes:
- Navigation path that the visitor to the website uses (including contents viewed and selected or purchased products and/or services booked);
- Length of stay on the website or sub-page;
- Sub-page from which the website is exited;
- Country, region or city from where the website is accessed;
- Device (type, version, colour depth, resolution, height and depth of the browser window); and
- Returning or new visitor.
On our behalf, the provider will use this information to analyse the use of the website, particularly to compile reports on the website activities and to provide further services related to website and internet use for the purpose of market research and the tailored design of this website. To a certain degree, both we and the provider can be seen as the data controller for the processing under data protection law.
The lawful basis for this data processing with the following services is your consent within the meaning of Art. 6(1)(a) GDPR. Part of the data processing can be classed as profiling (with or without high risk), which is also included in your consent. You can revoke your consent at any time and/or refuse the processing by blocking/disabling the relevant cookies in the settings of your browser (see Clause 22.2), or by using the service-specific options described in the following.
For the further processing of the data by the relevant provider as the (sole) data controller (particularly the potential transfer of this data to third parties such as authorities due to national legal regulations), please consult the relevant privacy notices of the provider.
22.4.2 Google Analytics
We use the web analytics service Google Analytics provided by Google Ireland Limited (Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland) and/or Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (Google).
In deviation from the description in Clause 22.4.1, IP addresses are not logged or stored in Google Analytics (in the version “Google Analytics 4” used here). In the case of access from the EU, IP addresses are only used to determine location data, after which they are immediately deleted. In the case of the collection of measurement data in Google Analytics, all the IP searches are carried out on EU-based servers before the traffic is forwarded for processing on Analytics servers. Regional data centres are used for Google Analytics. If a link is established to the nearest available data centre of Google in Google Analytics, the measurement data is sent to Analytics via an encrypted HTTPS connection. The data is further encrypted in these centres before it is forwarded to the processing servers of Analytics and made available on the platform. Based on the IP addresses, the most suitable local data centre is determined. This may also involve data being transferred to a server abroad, e.g. the USA (see in particular the absence of an adequate level of data protection and the intended safeguards, Clause 27.2 and 27.3).
We also use the technical extension “Google Signals”, which facilitates cross-device tracking, i.e. technology that enables the tracking of users across multiple devices. This makes it possible to assign an individual website visitor to different devices. However, this only happens if the visitor has logged into a Google service during their website visit and at the same time has activated the option “personalised advertising” in their Google account settings. Even so, we are still unable to access any personal data or user profiles. If you do not wish to use “Google Signals”, you can deactivate the option “personalised ads” in your Google account settings.
Users can prevent Google from recording and processing the data created by the cookie and related to their website use (including the IP address) and revoke their consent by disabling or rejecting the relevant cookies in the cookie banner or in the settings of their web browser (see Clause 22.2) or by downloading and installing the browser plugin available under the following link: https://tools.google.com/dlpage/gaoptout?hl=en. For the further processing of the data by Google, please consult the data privacy notices of Google: https://policies.google.com/privacy?hl=en-US.
22.4.3 Triptease.io
We use the web analytics service Triptease.io provided by Triptease Ltd., c/o Knotel, Floor 7 43, W24th Street, New York, NY 10010, USA (Triptease.io). The described data about the use of the website can be transferred to the servers of Triptease.io in the USA for the described processing purposes (see Clause 22.4.1).
You can find further information about Triptease.io and how Triptease.io processes data here.
22.5 Online advertising and targeting
22.5.1 In general
We use the services of different companies to provide you with interesting online offers. In the course of this, your user behaviour on our website and on the websites of other providers is analysed so that we can then show you online advertising that has been individually tailored to you.
Most of the technologies for following your user behaviour (tracking) and for the targeted display of advertisements (targeting) work with cookies (also see Clause 22.2) or similar technologies and unique identifiers (e.g. advertising ID) with which your browser can be recognised across different websites. Depending on the provider, it will then also be possible for you to be recognised online even when using different devices (e.g. laptop and smartphone). This could be the case if you have registered for a service that you use with several devices.
In such case, it is possible that the data used when accessing the websites (log file data, see Clause 22.1) and when using cookies (Clause 22.2) is transferred to the companies involved in the advertising networks and further processed by them. This may also result in the disclosure of data in potentially all countries worldwide (see in particular the absence of an adequate level of data protection and the intended safeguards, Clause 27.2 and 27.3). In addition, the following data is used in particular for selecting the potentially most relevant advertising for you:
- Personal information that you divulged when registering or when using a service of advertising partners (e.g. your gender, your age group); and
- User behaviour (e.g. search queries, interactions with advertising, types of websites visited, products or services viewed and purchased, subscriptions to newsletters).
We and our service providers use this data to identify whether you belong to our target group and we take this into account when selecting the advertisements. For example, after you have visited our website, you may see the products or services that you viewed displayed again when you visit other websites (re-targeting). Depending on the scope of the data, it is possible that a profile of the user is created that is automatically analysed, i.e. with the use of profiling, whereby the advertisements are selected according to the information stored in the profile, such as affiliation to certain demographic segments or potential interests or behaviours. Such advertisements can be shown to you across different channels, which, in addition to ones on our website or app (as part of onsite and in-app marketing), may include advertisements delivered through the online advertising networks we use, such as Google.
The data can then be analysed for the purpose of billing with the service provider as well as for assessing the effectiveness of advertising measures, so that we can better understand the needs of our users and customers and improve future campaigns. This can also contain the information that a specific action (e.g. visiting certain sections of our websites or sending information) is attributed to a particular advertisement. In addition, we receive aggregated reports from the service providers about advertising activities, as well as information about how our users interact with our website and our advertisements.
The lawful basis for this data processing is your consent within the meaning of Art. 6(1)(a) GDPR. Part of the data processing can be classed as profiling (with or without high risk), which is also included in your consent. You can revoke your consent at any time by rejecting and/or disabling the relevant cookies in the settings in your web browser (see Clause 22.2). Further options for blocking advertisements can be found in the information of the relevant service provider, such as Google.
22.5.2 Google Ads
For its online advertisements, this website uses the services of Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (Google), as explained in Clause 22.5.1. Google uses cookies for this (see the list here), which make it possible to recognise your browser when you visit other websites. The information generated by the cookies about the visit to these websites (including your IP address) is transferred to a Google server in the USA, where it is stored (see in particular the absence of an adequate level of data protection and the intended safeguards, Clause 27.2 and 27.3). You can find further information about data protection at Google here.
The lawful basis for this data processing is your consent within the meaning of Art. 6(1)(a) GDPR. You can revoke your consent at any time by rejecting and/or disabling the relevant cookies in the settings in your web browser (see Clause 22.2). Further options for blocking advertisements can be found here.
22.5.3 Facebook Pixel / Facebook Custom Audience
On our website, we use “Facebook Pixel” provided by the social network Facebook, which is operated by Meta Platforms Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (Meta). With the aid of Facebook Pixel, Facebook is able to determine the visitors to our website as a target group for displaying advertisements (Facebook Ads). Accordingly, we use Facebook Pixel to show the Facebook Ads only to those Facebook users who have shown an interest in our website or who demonstrate certain characteristics (e.g. interest in specific topics or products that are determined based on visited websites) that we transfer to Facebook (Custom Audiences). With the help of Facebook Pixel, we aim to guarantee that our Facebook Ads meet the potential interest of the user and are not a nuisance. In addition, with the help of Facebook Pixel, we can trace the effectiveness of Facebook Ads for statistical and market research purposes by seeing whether users are forwarded to our website after clicking on the Facebook Ad (conversion). Facebook Pixel is directly integrated by Facebook when our website is accessed and can store a cookie on your device (see Clause 22.2). If you then log in with Facebook or visit Facebook while you are logged in, the visit to our website is recorded in your profile. The personal data that has been collected about you is anonymous for us and therefore offers us no clues as to the identity of the user. However, the data is stored and processed by Facebook, so that a link to the relevant user profile is possible. The data can therefore be used by Facebook for its own market research and advertising purposes. If we have to transfer data to Facebook for comparison purposes, this is encrypted locally on the browser and only then transferred to Facebook via a secure HTTPS connection. This is carried out with the sole purpose of creating a comparison with the similar data encrypted by Facebook. 
Furthermore, with the use of Facebook Pixel, we use the additional “advanced matching” feature, whereby the data used to create target groups (custom audience or lookalike audience) is transferred to Facebook in encrypted form.
We also use Facebook Pixel for the purposes of re-targeting (see Clause 22.5.1). With the aid of Facebook Pixel, we can track the Facebook advertisements that you looked at during your visit to our website, the sub-pages that you accessed and which products you placed in your basket. This information is used to offer you individually tailored advertisements on a partner website.
The processing of your data by Facebook is carried out within the framework of the data protection guidelines of Facebook (https://www.facebook.com/about/privacy/update). Special information and details about Facebook Pixel and its operating modes can be found in Facebook’s help section. You can object to the recording and use of your data by Facebook Pixel to display Facebook Ads and/or revoke your consent. To configure what kind of advertisements are displayed to you within Facebook, you can access the page provided by Facebook and follow the directions there for the settings for interest-based advertising.
The lawful basis for this data processing is your consent within the meaning of Art. 6(1)(a) GDPR. You can revoke your consent at any time by rejecting and/or disabling the relevant cookies in the settings in your web browser (see Clause 22.2).
Based on your prior consent, we can use data within the context of a customer match and the “advanced matching” feature of Facebook Custom Audience. To this end, we transfer data (such as your e-mail address, telephone number or other identifying characteristics) in encrypted form to Facebook, which then compares this data with the data available for you. If there is a match, this means that the user is also active on this third-party platform. Based on the matched customer data, a target group is created that enables us to tailor advertising campaigns specifically to this target group in order to make the advertising more relevant and effective.
The lawful basis for this data processing is your consent within the meaning of Art. 6(1)(a) GDPR. You can revoke your consent for the future at any time.
23. Embedding videos
At various places on our websites, you can access videos and webcams. Videos are displayed through embedding (iFrame) or directly via a link to the website of Vimeo, LLC, 330 W 34th St Fl 5, New York City, New York, 10001, USA (Vimeo) as well as the website of Google Ireland Limited (YouTube) Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland.
By clicking on the video, a link is established to the servers of Vimeo and YouTube. As part of this, your browser and possibly the log file data (including IP address) detailed in Clause 22.1 are transferred to Vimeo and YouTube. This may also result in data being transferred to a server abroad (e.g. the USA) (see in particular the absence of an adequate level of data protection and the intended safeguards, Clause 27.2 and 27.3). You can find further information about the data processing carried out by Vimeo here. You can find further information about the data processing carried out by YouTube here.
24. Social media profiles
On our website, we have incorporated links to our profiles in the social networks of the following providers:
- Meta Platforms Ireland Limited (Facebook and Instagram), 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland, Privacy Notices;
- Google Ireland Limited (YouTube), Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland, Privacy Notices;
- LinkedIn Unlimited Company, Wilton Place, Dublin 2, Ireland, Privacy Notices;
- Pinterest Inc., 651 Brannan Street, San Francisco, CA 94107, USA, Privacy Notices.
If you click on the icons of the social networks, you will be automatically forwarded to our profile in the relevant network, during which a direct link between your browser and the server of the relevant social network will be established. As a result, the network receives in particular the data that was described in the section on log files (Clause 22.1), i.e. the information that you visited our website with your IP address and clicked on the link. This may also involve data being transferred to a server abroad, e.g. the USA (see in particular the absence of an adequate level of data protection and the intended safeguards, Clause 27.2 and 27.3).
If you click on a link to a network while you are logged in to your user account in the network, the contents of our website can be linked with your profile so that the network can directly associate your visit to our website with your account. If you wish to prevent this, you should log out before clicking on the corresponding links. A connection between your visit to our website and your user account is established whenever you log in to the respective network after clicking on the link. The respective provider is the data controller for the data processing. Therefore, please consult the privacy notice on the website of the network.
The lawful basis for any data processing that may be attributed to us is our legitimate interest within the meaning of Art. 6(1)(f) GDPR in the use and advertising of our social media profiles.
25. Google Maps
On our website, you can find a link to Google Maps provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (Google Maps). Google Maps is a web service that displays interactive (country) maps to visually represent geographical information. When you use this service, our locations are displayed to you, making it easier for you to find us.
By clicking on the links to Google Maps, cookies are stored and read once the pages are accessed and Google Maps is used (see general section 22.2). In this way, Google collects data about the browsing behaviour of the user and infers information about their possible interests in order to display advertisements on Google services and partner services that are tailored to the personal interests of the user. In certain circumstances, Google can associate this information with your user account. If you do not want Google to collect data about you through this website and associate it with your stored member data, you must log out of Google before visiting this website. The lawful basis for the processing of your data is your consent according to Art. 6(1)(a) GDPR. You can revoke your consent at any time with effect for the future by rejecting and/or disabling the relevant cookies in the settings in your web browser (see Clause 22.2). Further information about the collection and use of your data by Google can be found in Google’s privacy notice: https://policies.google.com/privacy.
26. Central data storage and analysis in the CRM system
If a clear association with your person is possible, we will save and link the data described in this Privacy Notice, particularly your personal details, your contact details, your contract data and your browsing behaviour on our website, in a central database. This facilitates the efficient management of customer data, allows us to adequately fulfil your request and enables efficient provision of the requested services and performance of the associated contracts.
The lawful basis for this data processing is our legitimate interest within the meaning of Art. 6(1)(f) GDPR in the efficient management of user data.
In addition, we analyse this data to further develop our products and services in line with your needs and to show you and suggest the most relevant information and offers. Moreover, we use methods that predict possible interests and future orders based on your use of our website.
For the central data storage and analysis in the CRM system, we use a software application of Revinate, 2345 Yale Street, First Floor, Palo Alto, CA 94306, United States. As a result, your data may be stored in a Revinate database, which enables Revinate to access the data if this is necessary for the provision of the software and for user support. Information about the processing of data by third parties and any transfer of data abroad can be found in Clause 27 of this Privacy Notice. You can find further information about data processing in connection with Revinate here.
In addition, we use a Restaurant Management System of aleno AG, Werdstrasse 21, 8004 Zurich, Switzerland (aleno). As a result, your data is stored in an aleno database, which enables aleno to access the data if this is necessary for the provision of the software and for user support. Information about the processing of data by third parties and any transfer of data abroad can be found in Clause 27 of this Privacy Notice. You can find further information about data processing in connection with aleno here.
In addition, we use the Reservation Assistant – Spa & Activity Software provided by TAC Informationstechnologie GmbH, Schildbach 111 in 8230 Hartberg, Austria (TAC). As a result, your data is stored in a TAC database, which enables TAC to access your data if this is necessary for the provision of the software and for user support. Information about the processing of data by third parties and any transfer of data abroad can be found in Clause 27 of this Privacy Notice. You can find further information about data processing in connection with TAC here.
The lawful basis for this data processing is our legitimate interest within the meaning of Art. 6(1)(f) GDPR in the performance of marketing activities.
27. Forwarding and transfer abroad
27.1 Forwarding to third parties and access by third parties
Without the support of other companies, we would not be able to provide our products and services in the manner we desire. To be able to use the services of these companies, it is necessary for us to forward your personal data to them within a certain scope. Forwarding is carried out to selected third-party providers and only to the degree that is required for the optimum provision of our services.
Various third-party providers have already been explicitly mentioned in this Privacy Notice. This concerns MP-Network GmbH, Anemonenweg 5, 85586 Poing, Germany. You can find further information about data processing in connection with MP-Network GmbH here.
In the case of this forwarding, the lawful basis is the necessity to perform a contract within the meaning of Art. 6(1)(b) GDPR.
Your data is also forwarded if this is necessary for fulfilling the contractual relationship, e.g. to transport companies or providers of other services. In the case of this forwarding, the lawful basis is the necessity to perform a contract within the meaning of Art. 6(1)(b) GDPR. It is the third-party providers, not us, who are the data controllers for this data processing within the meaning of the data protection law. It is the duty of these third-party providers to inform you about their own data processing that exceeds the forwarding of the data for the provision of the service and to comply with the data protection laws.
In addition, your data may be forwarded, particularly to authorities, legal advisers or debt collection agencies, if we are obliged to do so by law or if this is necessary for the protection of our rights, particularly for asserting claims arising from our relationship with you. Data can also be forwarded if another company intends to acquire our company or parts thereof and the forwarding is necessary for due diligence or for the completion of the transaction.
The lawful basis for this data processing is our legitimate interest within the meaning of Art. 6(1)(f) GDPR in the protection of our rights and compliance with our duties and/or the sale of our company or parts thereof.
27.2 Transfer of personal data abroad
We are also entitled to transfer your personal data to third parties abroad if this is necessary for data processing as set out in this Privacy Notice. Individual data transfers are mentioned above (see in particular Clauses 22 and 24). The statutory provisions governing the forwarding of personal data to third parties are observed in this. The countries to which data can be transferred include those that, according to the decision of the Federal Council and the EU Commission, have an adequate level of data protection (such as the member states of the EEA or, from the perspective of the EU, Switzerland as well), but also those countries (such as the USA) whose data protection level is not considered to be adequate (see Appendix 1 of the Data Protection Regulation (GDPR) as well as the website of the EU Commission). If the country affected does not have an adequate level of data protection, we take appropriate measures to ensure that your data is adequately protected at these companies, unless an exception is specified for the individual data processing (see Art. 49 GDPR). Unless otherwise specified, this concerns the choice of companies that are certified under the Privacy Framework Agreement or standard contractual clauses within the meaning of Art. 46(2)(c) GDPR, which can be found on the websites of the Federal Data Protection and Information Commissioner (FDPIC) and the EU Commission. If you have any questions about the measures taken, please get in touch with our data protection contact (see Clause 2).
27.3 Information concerning data transfer to the USA
Some of the third-party service providers mentioned in this Privacy Notice have their registered office in the USA. For the sake of completeness, we would like to point out for users domiciled in Switzerland or in the EU that the US authorities have monitoring measures in place in the USA that generally enable the storage of all the personal data of all the people whose data is transferred from Switzerland or the EU to the USA. This occurs without differentiation, limitation or exception in terms of the aims pursued and without an objective criterion that would allow limiting the access of the US authorities to the data and its subsequent use to very specific, strictly limited purposes that could justify the interference involved in both accessing and using the data. In addition, we would like to point out that in the USA there is no legal recourse for the affected persons from Switzerland and/or the EU, i.e. no effective legal protection against the general access rights of the US authorities that allow them access to the relevant data and to effect the correction or the deletion thereof. We would like to explicitly point out this legal and factual situation so that you can make an informed decision regarding consent or objection to the use of your data.
We would further like to point out to users domiciled in Switzerland or a member state of the EU that, from the perspective of the European Union and Switzerland, the USA does not have an adequate data protection level due to the reasons set out in this clause, among others. Insofar as we have already explained in this Privacy Notice that recipients of data (such as Google) have their registered office in the USA, we will ensure that your data is adequately protected with our third-party providers; we will do so through the choice of companies that are certified under the Privacy Framework Agreement or through contractual arrangements with these companies, as well as through any additionally required, appropriate guarantees.
28. Retention periods
We store personal data only for as long as is necessary for us to carry out the processing as set out in this Privacy Notice within the context of our legitimate interest. In the case of contractual data, the retention period is prescribed by statutory storage obligations. The requirements that oblige us to store data arise from accounting regulations and tax laws. According to these provisions, business communication, contracts concluded and booking receipts must be stored for a period of up to 10 years. Once we no longer require this data to provide services to you, it will be restricted. This means that the data can only be used if this is necessary for fulfilling the retention requirements or for defending and asserting our legal interests. The data is deleted as soon as there is no longer a retention requirement for or a legitimate interest in the storage thereof.
29. Data security
We take appropriate technical and organisational security measures to protect your personal data that is stored with us against loss and illegal processing, particularly any unauthorised access by third parties. Our employees and the service providers that we use are obligated by us to maintain confidentiality and ensure data protection. In addition, these persons are allowed access to personal data only insofar as this is necessary for fulfilling their duties.
Our security measures are constantly revised in line with technological developments. However, the transfer of information over the internet and through electronic communication channels always carries certain security risks, meaning we cannot provide an absolute guarantee regarding the security of information transferred in this way.
30. Your rights
Provided that the legal requirements are met, you have the following rights as a data subject in relation to the processing of data:
Right to be informed: You have the right to request at any time and free of charge what personal data about you is being held by us and how we use it. This makes it possible for you to check whether we process it in accordance with the applicable data protection regulations.
Right to rectification: You have the right to have inaccurate or incomplete personal data rectified and to be informed about the rectification. In such cases, we will also inform the recipients of the affected data about the changes we have made, unless this is not possible or would involve a disproportionate amount of effort.
Right to erasure: You have the right to have your personal data erased under certain circumstances. In some cases, especially if legal retention requirements apply, there may be no right to erasure. In these instances, if the conditions are met, it may be possible to restrict the processing of data instead of erasing it.
Right to restrict processing: You have the right to request that the processing of your personal data be restricted.
Right to data portability: You have the right to receive your provided personal data from us free of charge in a readable format.
Right to object: You have the right to object to data processing at any time, especially in the case of data processing for direct marketing purposes (e.g. marketing e-mails).
Right to withdraw consent: In principle, you have the right to withdraw your consent at any time. However, processing activities based on consent that you have given in the past will not be rendered unlawful by your withdrawal.
To exercise these rights, please e-mail us at the following address: dataprotection@badruttspalace.com
Right to lodge a complaint: You have the right to lodge a complaint with the relevant supervisory authority (e.g. against the way in which your personal data is processed).