DATA PROTECTION STATEMENT

Grand Resort Bad Ragaz AG runs the Grand Hotel Quellenhof & Spa Suites, the Grand Hotel Hof Ragaz, the Clinic Bad Ragaz and the Medical Health Center Bad Ragaz, and is thus responsible for the collection, processing and use of your personal data as well as for the compliance of data processing with the applicable data protection legislation.

Your trust is important to us, which is why we take the issue of data protection very seriously and strive to ensure the appropriate level of security. Naturally, we comply with the statutory provisions of the Swiss Federal Act on Data Protection (FADP; Bundesgesetz über den Datenschutz – DSG), the Ordinance to the Federal Act on Data Protection (DPO; Verordnung zum Bundesgesetz über den Datenschutz – VDSG), the Telecommunications Act (TCA; Fernmeldegesetz – FMG) and other potentially applicable data protection provisions under Swiss or EU law, in particular the EU General Data Protection Regulation (GDPR; Datenschutz-Grundverordnung – DSGVO).

Please take note of the following information with regard to details of the personal data we collect from you and the purpose for which we use them.

The address of our data protection officer is: datenschutz@resortragaz.ch

Personal data are all items of information that relate to an identified or identifiable natural person. Personal data form the basis for identifying or contacting a data subject. These include for example your name, address, e-mail address, telephone number and the IP address assigned to you by your internet service provider. Information that does not form a basis for identifying you (anonymous data) does not fall in the category of personal data.

A) Data processing in connection with our website

1. Accessing our website

Whenever you visit our website, our servers temporarily save each access in a log file. Just like any other connection to a web server, the following technical data are recorded automatically and stored by us for up to 26 months before automated deletion:

IP address of the accessing computer
Name of the holder of the IP address range (generally your Internet access provider)
Date and time of access
The website from which the access was requested (referrer URL), possibly with the search term used
Name and URL of the file accessed
Status code (e.g. error message)
The operating system of your computer
The browser you use (type, version and language)
The transfer protocol (e.g. HTTP/1.1)
Possibly your username from a registration/authentication

The collection and processing of these data enable us to facilitate the use of our website (establishment of connection), to ensure consistent system security and stability, and to optimise our Internet offering. We also collect and process data for internal statistical purposes. This is our legitimate interest in data processing within the meaning of Article 6(1)(f) GDPR.

Furthermore, the IP address is evaluated together with other data in the event of an attack on the network infrastructure or other unauthorised or improper use of the website for the purpose of investigation and defence, and, if appropriate, is used within the framework of legal proceedings to establish identity and initiate civil or criminal proceedings against the users concerned. This is our legitimate interest in data processing within the meaning of Article 6(1)(f) GDPR.

2. Using our contact form

A contact form is available for you to establish contact with us. We require the following details for this purpose:

First name and last name
E-mail address
Message

We use these data and an optionally provided telephone number exclusively in order to respond in an optimal and personalised manner to your contact request. The processing of this data is therefore necessary within the meaning of Article 6(1)(b) GDPR to take steps prior to entering into a contract, or is in our legitimate interest in accordance with Article 6(1)(f) GDPR.

3. SSL encryption

In order to ensure the security of your data during transmission, we use the most up-to-date encryption techniques (like SSL for example) based on HTTPS.

4. Subscribing to our newsletter(s)

If you subscribe to one or more of our newsletters, we require your e-mail address in order to be able to send you the newsletter(s). Further data are optional. We are entitled to commission third parties to handle the technical aspects of advertising measures and are entitled to pass on your data for this purpose. You will first receive an e-mail with a link for you to click on and confirm that you would like to receive the newsletter(s) (double opt-in). This enables us to prevent anyone from ordering the newsletter(s) in your name. We analyse which of the links were clicked on in order to tailor the newsletter(s) to your individual interests and to find out when you read the newsletter(s) so that we can send it to you at your preferred time. We also save your subscription to the newsletter(s), along with your consent to usage analysis and your confirmation, in order to be able to prove that you subscribed and agreed to the aforegoing. For the purpose of sending the newsletter(s) and for usage analysis, we continue to store your data until your consent is revoked or until the newsletter subscription is cancelled. If you do not confirm your newsletter subscription, we will delete your data after 24 hours. Therefore, please confirm your subscription (double opt-in) within 24 hours, or you will need to resubscribe.

The legal basis for data processing for the purpose of newsletter dispatch and usage analysis is Article 6(1)(1)(a) GDPR. The legal basis for data processing in order to provide proof of consent is Article 6(1)(1)(c) in conjunction with Article 5(2) GDPR, Article 7(1) GDPR and Article 24(1) GDPR as well as Article 6(1)(1)(f) GDPR. The legitimate interests in data processing on the basis of Article 6(1)(1)(f) GDPR are promotion of the sale of our products and services, the corresponding marketing measures and proof of your consent, i.e. defence against any legal claims.

5. Opening a customer account

If you wish to carry out bookings on our website, you can either book as a guest or open a customer account. When opening a customer account, we require the following mandatory personal details:

Form of address
First name and last name
Postal address
Date of birth
Telephone number
E-mail address
Password

These data, as well as other optional information you provide (e.g. company name), are collected in order to provide you with direct, password-protected access to your basic data stored by us. Here you can view your past and current bookings, or manage or modify your personal data.

The legal basis of data processing for this purpose is the consent provided by you in accordance with Article 6(1)(a) GDPR.

6. Booking via the website, by correspondence or by telephone

If you make bookings via our website, by correspondence (e-mail or post) or by telephone, we will require the following mandatory personal details to process the agreement:

Form of address
First name and last name
Postal address
Date of birth
Telephone number
Language
Credit card details
E-mail address

These data, as well as other optional information you provide (e.g. expected time of arrival, vehicle number plate, preferences, comments), will exclusively be used to process the agreement, unless stated otherwise in this Data Protection Statement or unless you have not provided your express consent. The data will be processed in particular in order to record your booking in accordance with your wishes, to provide the services booked, to contact you in the event of any issues or problems, and to facilitate correct payment.

The legal basis of data processing for this purpose is the performance of an agreement in accordance with Article 6(1)(b) GDPR.

7. Cookies

Cookies help in many ways to make your visit to our website simpler, and more pleasant and rewarding. Cookies are information files that your browser saves automatically on the hard drive of your computer whenever you visit our website.

We use cookies, for example, to temporarily save your selected services and entries when you complete a form on the website, so that you do not have to repeat the entry when accessing a different subpage. Cookies may also be used to identify you as a registered user once you have registered on the website, without you having to log in again when accessing a different subpage.

Most Internet browsers automatically accept cookies. You can, however, configure your browser in such a way that no cookies are saved on your computer, or that a message appears each time you receive a new cookie. The following pages will help you to configure the processing of cookies by the most common browsers:

Deactivating cookies may prevent you from being able to use all of the functions of our website.

8. Tracking tools

a. General

We use the web analysis service from Google Analytics in order to ensure the needs-based design and continuous optimisation of our website. In this connection, pseudonymised usage profiles are created and small text files are stored on your computer (cookies). The information generated by the cookie regarding your use of this website is transferred to the servers of the providers of these services, where they are stored and prepared for our use. In addition to the data listed under section 1, we may also receive the following information:

Navigation path taken by a visitor to the website
Amount of time spent on the website or subpage
The subpage from which the website is left
Country, region or city where access occurs
End device used (type, version, colour depth, resolution, width and height of browser window)
Whether a repeat visitor or a new visitor

The information is used to evaluate usage of the website, to prepare reports on website activity and in order to provide further services related to website usage and Internet usage for the purposes of market research and the needs-based design of this website. This information may also be transferred to third parties if this is required by law, or if the third party concerned is processing these data on our behalf.

b. Google Analytics

This website uses Google Analytics, a web analysis service of the Google company (Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA). Google Analytics uses cookies for the purpose. These form the basis for analysis of your use of our site.

The information generated by the cookie about your use of this website will be transmitted to a Google server in the USA and stored there. We use Google Analytics with the extension ‘anonymizeIp()’, so that the IP addresses transmitted to Google will be abbreviated before further processing takes place, to exclude any direct reference to your personal identity (this is known as ‘IP masking’). Google will make use of this information to evaluate your visit to the website, to compile reports about activities on our site and to provide further services associated with website and internet use. Google may also pass on this information to third parties, in so far as this is required by statute or in case the data is to be processed by a third party on Google’s behalf. On no account will Google combine your IP address with other data in its possession.

You can prevent the installation of the cookie for Google Analytics by adjusting your browser software accordingly; but we beg to inform you that in this case you may not be able to make use of all the functions of our website to the full extent. You can prevent the collection and storage of data for Google Analytics at any time, with effect for the future, by using Google’s opt-out browser plug-in (https://tools.google.com/dlpage/gaoptout?hl=de). Please be aware that you will have to opt out more than once if you make a practice of deleting the cookies on your browser, or if you access our website with a different browser. Further information about Google Analytics may be found here: http://www.google.com/intl/de/analytics/learn/privacy.html

Further information regarding the web analysis service used can be found on the Google Analytics website. Instructions on how to prevent your data from being processed by the web analysis service can be found at https://tools.google.com/dlpage/gaoptout?hl=en-GB

c. Google Tag Manager

Google Tag Manager is another Google product, which makes it possible for us to manage website tags by way of an interface. The Tag Manager is a cookie-free domain, and does not register any personal data. The tool serves for the activation of other tags, which in their turn may then register data in certain circumstances. Google Tag Manager does not access these data itself. If a deactivation is carried out at domain or cookie level, this remains in force for all tracking tags that have been implemented by Google Tag Manager. If you would rather not be sent advertising based on your interests, you can disable the use of cookies by Google for these purposes by going to https://www.google.com/settings/ads/plugin.

d. Google AdWords and Remarketing

This website uses Google AdWords, an analysis service from Google, and in this connection also relies on Conversion Tracking. Google AdWords places a cookie (‘conversion cookie’) on your computer’s hard disk for the purpose of conversion tracking, whenever you click on an ad displayed by Google. These cookies lose their validity after 30 days, and do not identify you personally. If you visit certain pages on our website, we and Google can detect that you have clicked on the ad and have been redirected to this page. The information obtained by means of the conversion cookies serves to generate statistics for AdWords customers who use conversion tracking. We learn from the statistics the total number of users who have clicked on the ad shown by Google, and so visited a page provided with a conversion tracking tag. We do not however have any information that would make it possible for us to identify the user personally. The data we obtain cannot be assigned to specific users.

Along with Conversion Tracking, we also make use of the following functions:

Remarketing
Target groups with common interests
User-defined target groups with common interests
Target groups wishing to make a purchase
Similar target groups
Demographic and geographical characteristics.

Google’s Remarketing function makes it possible for us to reach users who have already visited our website. So, we can present our advertising to target groups that have already shown an interest in our products or services. AdWords also determines, in the light of user behaviour over the last few days on websites forming part of Google’s advertising network (the ‘Google Display Network’), and with the help of the context-related search engine, what common interests and features are evidenced by users of our website. On the basis of this information AdWords can then find new potential customers for marketing purposes, whose interests and characteristics resemble those of the users of our site. Target-group-specific remarketing is based on the combined use of cookies, including for example Google Analytics cookies and Google DoubleClick cookies.

Further information about the terms and conditions of use and data protection in connection with Google AdWords may be found by following this link: http://www.google.de/policies/technologies/ads/.

e. Google DoubleClick

We use Google’s DoubleClick function on our websites, in order to evaluate use of the sites and make it possible for Google, and other advertisers working with DoubleClick, to offer you use-related advertising. For this purpose, a cookie is installed on the hard disk of your computer. This cookie gives your browser a pseudonymous ID, and collects information about the advertising displayed by your browser and the pages you have accessed. The information collected by the cookie about your use of websites is as a rule transmitted to a Google server in the USA and stored there. On the basis of the information collected, interest-related categories will be allocated to your browser. These categories are then used in order to show you the kind of advertising you are interested in.

As well as changing your browser settings, you can also make use of a browser plug-in to disable the DoubleClick cookie permanently. With this plug-in, the deactivation settings will remain in force on your browser, even if you are deleting all cookies. The browser plug-in for permanent disabling of the cookie may be found here: https://www.google.com/settings/ads/plugin?hl=de.

f. Google Optimize

Google Optimize is a testing tool that we use to optimize our website. Google Optimize analyzes the performance of different variants of our website and helps us to improve the user experience according to the behavior of the users on our website. Google Optimize is a tool integrated with Google Analytics.

g. Monotype web fonts

For the display of fonts on our website we make use of font types provided by Monotype Imaging Holdings Inc., 600 Unicorn Park Drive, Woburn, Massachusetts 01801, USA (‘Monotype’). This involves use of a Content Delivery Network (CDN), which forms a basis for the display of fonts. The CDN is linked in by means of a JavaScript code, which is conditional on Monotype’s being able to see the IP address of the user. This use of web fonts in connection with Monotype’s services may involve calling an external Monotype server located outside the EU (e.g. in the USA). We beg to inform you that Monotype has its own privacy guidelines, which are independent of our own. Please advise yourself of Monotype’s data protection provisions at www.monotype.com/de/rechtshinweise/datenschutzrichtlinie/. Web fonts are based on a JavaScript code, so you can prevent them executing altogether by disabling JavaScript in the settings of your browser, or by installing a JavaScript blocker. Please be aware that in that case our webpages may display incorrectly.

h. Facebook Custom Audiences & Pixel

Our website makes use of Facebook Custom Audiences for Websites, a service provided by Facebook Inc., 1601 S. California Ave, Palo Alto, CA 94304, USA (‘Facebook’). This involves the incorporation of a remarketing pixel from Facebook on our website, as a result of which Facebook can register the users of our site and use their data for advertising purposes (Facebook Ads). The pixel transmits to Facebook general information about the browser session, along with a non-reversible and non-personal check total or hash value which is generated from your Facebook ID. Further details about the way in which Facebook handles your data, and about your rights and possibilities of adjusting settings to protect your personal data, may be found in Facebook’s notes on data protection at https://www.facebook.com/privacy/explanation. If you want to opt out of Facebook Website Custom Audiences for the future, you can do this by going to https://www.facebook.com/ads/website_custom_audiences.

Our website moreover uses Facebook’s ‘visitor action pixel’. This makes it possible to trace the actions of users if they click on a Facebook advertisement and are redirected to the website of the provider. This forms a basis for evaluating the effectiveness of Facebook advertising for statistical and market research purposes, and so helps optimise advertising strategies. The data collected are anonymous as far as we are concerned. The data will however be processed by Facebook, so that a connection may be made with your personal Facebook account. Further information may be found in Facebook’s notes on privacy at https://www.facebook.com/about/privacy. In this connection, a cookie may also be stored on your computer for advertising purposes.

i. Tracking with fusedeck

This Website uses “fusedeck”, a tracking solution provided by Capture Media AG (hereinafter referred to as “Capture Media”). Capture Media is a Swiss company having its registered office in Zurich which, on behalf of its customers, measures website usage in the context of engagements and events. Tracking is anonymous so that it is impossible to attribute any information gained to any identified or identifiable persons.
For more information on data protection and the rights which data subjects have in connection with “fusedeck”, including their right to “opt out” (right to object), please refer to the Privacy Policy and the Information on the Right to Object.

https://privacy.fusedeck.net/en/vmlI42pc6K

j. DialogShift chat

Our website uses the chat application of DialogShift GmbH, Rheinsberger Str. 76/77, 10115 Berlin. This application processes and stores data for the purpose
of web analysis, to operate the chat application and to answer queries.
For the operation of the chat function, the chat texts are stored and a cookie with a unique ID is set – this is used to recognise you as a customer.
A cookie is a small text file that is stored locally in the cache on your device. Using this cookie, our application recognises the device and can retrieve past
chat logs. This cookie is stored for 90 days since last use. You can disable the storage of cookies in your browser settings. However, without the use of
cookies, the chat function cannot be performed.
The possible disclosure of e.g. name, e-mail address or a telephone number is voluntary and with the consent to temporarily use and store this data for the
purpose of contacting you until the end of the contact. This personal data is deleted after 90 days.
The legal basis for data processing is Article 6 (1) lit. F DS-GVO based on our legitimate interest in effective customer support, for statistical analysis of user
behaviour and for optimisation purposes of our offers.
DialogShift offers at
https://www.dialogshift.com/de/dsvgo
for further information on the collection and use of data and on your rights and options for protecting your privacy.

B) Data processing in connection with your stay

1. Data processing in order to meet legal reporting obligations

On your arrival at our hotel, we will require the following details from you and your companion, if applicable:

First name and last name
Postal address and canton
Date of birth
Place of birth
Nationality
Official identification document and number
Date of arrival and departure
Room number

We record these data in order to meet the legal reporting obligations based in particular on hospitality law and police law. Insofar as we are obliged to do so in accordance with the applicable provisions, we pass on this information to the competent police authorities.

Compliance with these legal requirements constitutes our legitimate interest within the meaning of Article 6(1)(f) GDPR.

2. Recording of the services used

If you make use of any additional services during your stay (e.g. minibar, pay TV), both the service and the time of use will be recorded by us for invoicing purposes. The processing of these data is required in accordance with Article 6(1)(b) GDPR for performance of your contract with us.

C) Storage and exchange of data with third parties

1. Booking platforms

When you make bookings via a third-party platform, we receive various items of personal data from the platform operator concerned. As a rule, this information comprises data referred to in section 5 of this Data Protection Statement. Furthermore, any queries regarding your booking will be passed on to us. The data will be processed in particular in order to record your booking in accordance with your wishes, and to provide the services booked. The legal basis of data processing for this purpose is the performance of an agreement in accordance with Article 6(1)(b) GDPR.

Moreover, we are informed by the platform operators of any possible disputes arising in connection with a booking. In this context, we may also receive data regarding the booking process, with a copy of the booking confirmation serving as proof of the actual completion of a booking. We process these data with a view to enforcing our rights. This is our legitimate interest within the meaning of Article 6(1)(f) GDPR.

Please also refer to the data protection notice of the operator concerned.

2. Central storage and linking of data

We store the data indicated in sections 2 to 5 and 8 to 10 in a central electronic data processing system. The data concerned are recorded in our system and linked in order to enable us to process your bookings and provide contractual services. We use software provided by Oracle, Redwood City, USA, for this purpose. The processing of these data using this software is based on our legitimate interest in customer-friendly and efficient customer data management in accordance with Article 6(1)(f) GDPR.

3. Retention period

We store personal data only as long as necessary in order to use the tracking services mentioned above and for other processing within the scope of our legitimate interest. Contractual data are stored for longer periods, as required by statutory retention obligations. The obligation to retain data is based on provisions regarding the right to report, accounting and tax law. According to these provisions, business communications, contracts and booking documents must be stored for up to 10 years. These data are blocked once they are no longer required in order to provide the services you require. This means that the data may then only be used for accounting and tax purposes.

4. Disclosure of data to third parties

We only disclose your personal data to any third parties if you have given your explicit consent for us to do so, if such disclosure is required by law or if it is necessary in order to enforce our rights, in particular those arising from the contractual relationship. Furthermore, we also disclose your data to third parties if this is necessary within the framework of your use of the website and for performance of the contract (including outside the website), i.e. for processing your bookings.

One service provider to which personal data collected via the website are disclosed, or which has or may have access to such data, is our web host sitegeist media solutions GmbH, Poßmoorweg 2, 22301 Hamburg, Germany. The website is hosted by servers located in Germany. Data is disclosed in order to provide and maintain the functionalities of our website. This is our legitimate interest within the meaning of Article 6(1)(f) GDPR.

Finally, when credit card payments are made on the website, we forward your credit card details to your credit card issuer and to the credit card acquirer. If you decide to pay by credit card, you will be asked to enter all the necessary information. The legal basis of data disclosure is the performance of an agreement in accordance with Article 6(1)(b) GDPR. With regard to the processing of your credit card details by these third parties, please also read the general terms and conditions and the data protection statement of your credit card issuer.

5. Transfer of personal data abroad

We are authorised to transfer your personal data to third-party companies abroad (contracted providers) for the purpose of the data processing described in this Data Protection Statement. These providers are subject to data protection requirements in the same scope as us. Should the level of data protection in a given country not be equivalent to the level applicable in Switzerland or the EU, we will ensure by contractual means that the level of protection of your personal data corresponds to the level of protection provided in Switzerland or the EU at all times.

D) Further information

1. Right of access, right to rectification, right to erasure, right to restriction of processing and right to data portability

You have the right to obtain information about your personal data stored by us. In addition, you have the right to request the rectification of any incorrect data and the right to erasure of your personal data, provided the data concerned are not subject to any legal retention obligation or our processing of the data is justified.

Furthermore, you have the right to request to be returned the data you provided (right to data portability). At your request, we will also pass on the data to a third party of your choice. You have the right to receive the data in a standard file format.

You can reach us for the aforementioned purposes via the e-mail address datenschutz@resortragaz.ch. We may, at our discretion, request proof of identity when processing your request.

2. Children

Personal data of children under thirteen years of age are not registered by us to the best of our knowledge. We urge parents and guardians to monitor internet use by their children, and to support us in the implementation of our privacy policy by telling their children never to give away personal data via an online service. If you have grounds for supposing that a child under the age of thirteen has provided us with personal data by way of our services section, we would request you please to let us know, and we will delete the data from our databases.

3. Data security

We take the appropriate technical and organisational security measures in order to protect the personal data stored by us from manipulation, partial or complete loss and unauthorised access by third parties. Our security measures are being improved on an ongoing basis in line with technological developments.

You should treat your access data confidentially at all times and close your browser window following any communication with us, in particular if you share your computer with others.

We also take internal data protection within the company very seriously. Our employees and the service providers contracted by us are obliged to maintain confidentiality and comply with data protection provisions.

4. Links to other websites

This Privacy Statement only applies to our own website. Our website may however include links to external websites not bound by the content of this Declaration. If you use a link to leave our website, you would be recommended to pay careful attention to the data protection policy of any website you visit.

5. Note on data transfer to the USA

For reasons of completeness, we would like to inform users with their place of residence or registered office in Switzerland that the US authorities implement surveillance measures that generally facilitate the storage of all personal data regarding all persons whose data are transferred from Switzerland to the USA. This is carried out without differentiation, restriction or exception on the basis of the respective aim and with no objective criteria that enable access by the US authorities to the data and their later use to be restricted to very specific, strictly limited purposes which would justify access to these data and the intervention related to their use. We would also like to point out that there are no means of legal redress in the USA for data subjects from Switzerland that would enable them to gain access to their data and request their rectification or erasure, and that there is no effective legal protection against the general access rights of US authorities. We refer those affected explicitly to this legal and factual basis in order to enable them to make an informed decision concerning the provision of consent to the use of their data.

Users resident in an EU member state should be aware that, from the perspective of the EU, the USA does not have a sufficient level of data protection – based, among other things, on the issues outlined in this section. Where we have stated in this Data Protection Statement that the recipients of data (e.g. Google Inc.) are based in the USA, we will ensure, by means of either contractual arrangements with these companies or by certification of these companies under the EU or the Swiss–US Privacy Shield, that your data are adequately protected by our partners.

6. Changes to our and conditions of data protection

We hereby reserve the right to modify this Privacy Statement on occasion, in order to comply at all times with current legal requirements, or in order to incorporate changes in our services in the context of the Declaration, e.g. if new services are introduced. When you visit us again thereafter, your visit will be subject to the terms of the Privacy Statement in the new version.

7. Right to lodge a complaint with a data protection authority

You have the right to lodge a complaint with a data protection authority at any time.

8. Data protection representative

We have the following data protection representative pursuant to art. 27 GDPR in the European Economic Area (EEA) including the European Union (EU) and the Principality of Liechtenstein as an additional point of contact for supervisory authorities and data subjects for requests in connection with the General Data Protection Regulation (GDPR):

MLL EU-GDPR GmbH
Ganghoferstrasse 33
DE-80339 München
resortragaz@mll-gdpr.com

Your Grand Resort Bad Ragaz AG