We are subject to Swiss data protection law and, if applicable, foreign data protection law, in particular that of the European Union (EU) with the General Data Protection Regulation (GDPR). The European Commission acknowledges that Swiss data protection law ensures adequate data protection.
1. Contact Addresses
Responsible for the processing of personal data:
Hotel Vorab AG
Via Nova 38
7017 Flims Dorf
We point out if there are other parties responsible for the processing of personal data in individual cases.
1.1 Data Protection Officer or Data Protection Consultant
We have the following data protection officer or the following data protection consultant as a contact point for affected persons and authorities with inquiries related to data protection:
Hotel Vorab AG
Via Nova 38
7017 Flims Dorf
1.2 Data Protection Representation in the European Economic Area (EEA)
We have the following data protection representation according to Art. 27 GDPR:
VGS Datenschutzpartner GmbH
Am Kaiserkai 69
The data protection representation serves affected persons and authorities in the European Union (EU) and in the rest of the European Economic Area (EEA) as an additional contact point for inquiries related to the GDPR.
2. Definitions and Legal Bases
Personal data refers to all information relating to an identified or identifiable natural person. A data subject is a person whose personal data we process.
Processing encompasses every handling of personal data, irrespective of the means and methods used, for example querying, matching, adjusting, archiving, storing, reading, disclosing, obtaining, recording, collecting, deleting, revealing, arranging, organizing, storing, altering, disseminating, linking, destroying, and using personal data.
The European Economic Area (EEA) includes the Member States of the European Union (EU) as well as the Principality of Liechtenstein, Iceland, and Norway. The General Data Protection Regulation (GDPR) refers to the processing of personal data as the processing of personal data.
2.2 Legal Bases
We process personal data in accordance with Swiss data protection law, particularly the Federal Act on Data Protection (Data Protection Act, DSG) and the Ordinance on Data Protection (Data Protection Ordinance, DSV).
If and to the extent that the General Data Protection Regulation (GDPR) applies, we process personal data based on at least one of the following legal bases:
- Art. 6 para. 1 lit. b GDPR for the necessary processing of personal data for the performance of a contract with the data subject and for taking pre-contractual measures.
- Art. 6 para. 1 lit. f GDPR for the necessary processing of personal data to safeguard our or a third party’s legitimate interests, provided the fundamental freedoms and rights and interests of the data subject do not prevail. Legitimate interests particularly include our interest in being able to carry out our activities and operations permanently, user-friendly, securely, and reliably, ensuring information security, protection against misuse, enforcing our own legal claims, and complying with Swiss law.
- Art. 6 para. 1 lit. c GDPR for the necessary processing of personal data to fulfill a legal obligation to which we are subject under any applicable law of member states in the European Economic Area (EEA).
- Art. 6 para. 1 lit. e GDPR for the necessary processing of personal data for the performance of a task carried out in the public interest.
- Art. 6 para. 1 lit. a GDPR for processing personal data with the consent of the data subject.
- Art. 6 para. 1 lit. d GDPR for the necessary processing of personal data to protect vital interests of the data subject or another natural person.
3. Type, Scope and Purpose
We process those personal data that are necessary to carry out our activities and operations consistently, user-friendly, safely, and reliably. Such personal data can particularly fall into categories such as inventory and contact data, browser and device data, content data, meta or marginal data, usage data, location data, sales data, and contract and payment data.
We process personal data for the duration necessary for the respective purpose or purposes or as required by law. Personal data whose processing is no longer necessary are anonymized or deleted.
We can have personal data processed by third parties. We can process personal data together with third parties or transfer it to third parties. These third parties, in particular, are specialized providers whose services we use. We also ensure data protection with such third parties.
We process personal data primarily with the consent of the affected individuals. If and insofar as processing is permissible for other legal reasons, we may waive obtaining consent. For example, we can process personal data without consent to fulfill a contract, to meet legal obligations, or to safeguard predominant interests.
In this context, we particularly process data that an affected person voluntarily submits to us when making contact – for example, by mail, email, instant messaging, contact form, social media, or telephone – or when registering for a user account. We can store such data, for instance, in an address book, a Customer Relationship Management System (CRM system), or using similar tools. If we receive data about other persons, the transmitting persons are obliged to ensure data protection towards these persons and to ensure the accuracy of this personal data.
We also process personal data that we obtain from third parties, procure from publicly accessible sources, or collect when carrying out our activities and operations, as long as such processing is legally permissible.
4. Personal Data Abroad
We process personal data primarily in Switzerland and in the European Economic Area (EEA). However, we can also export or transfer personal data to other states, especially to have them processed there or be processed by others.
We can export personal data to all countries and territories on Earth and elsewhere in the Universe, provided the local law, according to the decision of the Swiss Federal Council, ensures adequate data protection and, if and as far as the General Data Protection Regulation (GDPR) applies, in accordance with the decision of the European Commission, guarantees adequate data protection.
We can transfer personal data to states whose law does not ensure adequate data protection if data protection is guaranteed for other reasons, particularly based on standard data protection clauses or with other suitable guarantees. Exceptionally, we can export personal data to states without adequate or suitable data protection if the special data protection legal prerequisites are met, for instance, the express consent of the affected persons or a direct connection with the conclusion or handling of a contract. We gladly provide affected persons with information about any guarantees upon request or deliver a copy of any guarantees.
5. Rights of Affected Persons
5.1 Data Protection Rights
We grant affected individuals all rights according to the applicable data protection law. Affected individuals, in particular, have the following rights:
- Information: Affected individuals can request information about whether we process personal data about them and, if so, which personal data is involved. They also receive the information required to assert their data protection rights and ensure transparency. This includes the processed personal data as such, but also, among other things, details about the processing purpose, the duration of storage, any disclosure or potential export of data to other countries, and the origin of the personal data.
- Correction and Restriction: Affected individuals can correct incorrect personal data, complete incomplete data, and have their data processing restricted.
- Deletion and Objection: Affected individuals can have personal data deleted (“right to be forgotten”) and object to the processing of their data with future effect.
- Data Release and Data Transfer: Affected individuals can request the release of personal data or the transfer of their data to another responsible party.
We may postpone, limit, or deny the exercise of the rights of affected individuals within the legally permissible framework. We may inform affected individuals about any prerequisites that may need to be met for the exercise of their data protection rights. For example, we can partially or wholly refuse to provide information citing business secrets or the protection of other individuals. We can also partially or wholly refuse the deletion of personal data, citing statutory retention obligations.
We may exceptionally set charges for exercising the rights. We will inform affected individuals in advance about any possible costs.
We are obligated to identify affected individuals who request information or assert other rights using appropriate measures. Affected individuals are obligated to cooperate.
5.2 Right to Complain
Affected individuals have the right to enforce their data protection rights through legal means or to file a complaint with a competent data protection supervisory authority.
The data protection supervisory authority for private responsible parties and federal bodies in Switzerland is the Federal Data Protection and Information Commissioner (FDPIC).
Affected individuals have – if and insofar as the General Data Protection Regulation (GDPR) applies – the right to file a complaint with a competent European data protection supervisory authority.
6. Data Security
We implement suitable technical and organizational measures to ensure data security commensurate with the respective risk. However, we cannot guarantee absolute data security.
Access to our website is secured using transport encryption (SSL / TLS, especially with the Hypertext Transfer Protocol Secure, abbreviated HTTPS). Most browsers indicate transport encryption with a padlock in the address bar.
Our digital communication is – as is fundamentally the case with any digital communication – subject to mass surveillance without cause or suspicion, as well as other monitoring by security authorities in Switzerland, the rest of Europe, the United States of America (USA), and other countries. We have no direct influence over the respective processing of personal data by intelligence services, police stations, and other security agencies.
7. Use of the Website
Cookies can be stored temporarily in the browser as “session cookies” or for a specified period as so-called permanent cookies. “Session cookies” are automatically deleted when the browser is closed. Permanent cookies have a specific storage duration. Cookies particularly allow recognizing a browser during its next visit to our website and, for example, measuring the reach of our website. However, permanent cookies can also be used for online marketing.
For cookies used for success and reach measurement or advertising, a general objection (“opt-out”) is possible for numerous services through AdChoices (Digital Advertising Alliance of Canada), the Network Advertising Initiative (NAI), YourAdChoices (Digital Advertising Alliance) or Your Online Choices (European Interactive Digital Advertising Alliance, EDAA).
7.2 Server Log Files
We may collect the following information for each access to our website, provided it is transmitted by your browser to our server infrastructure or can be determined by our web server: date and time including timezone, IP address, access status (HTTP status code), operating system including user interface and version, browser including language and version, specific sub-page of our website accessed including transferred data volume, the last webpage visited in the same browser window (referer or referrer).
We store such information, which can also represent personal data, in server log files. This data is essential to provide our website permanently, user-friendly, and reliably, and to ensure data security, particularly protecting personal data – either by third parties or with the help of third parties.
7.3 Tracking Pixels
We may use tracking pixels on our website. Tracking pixels are also referred to as web beacons. Tracking pixels – including those from third parties whose services we use – are small, typically invisible images that are automatically fetched when visiting our website. With tracking pixels, the same information can be captured as in server log files.
8. Notifications and Communications
We send notifications and communications via email and through other communication channels, such as instant messaging or SMS.
8.1 Success and Reach Measurement
Notifications and communications can contain web links or tracking pixels that record whether an individual message was opened and which web links were clicked on. Such web links and tracking pixels can also capture the use of notifications and communications on a personal level. We require this statistical recording of usage for success and reach measurement, to send notifications and communications effectively and user-friendly based on the needs and reading habits of the recipients, and to do so consistently, securely, and reliably.
8.2 Consent and Objection
You must generally expressly consent to the use of your email address and your other contact addresses, unless the use is permitted for other legal reasons. Whenever possible, we use the “double opt-in” procedure for obtaining consent, which means you receive an email with a web link that you must click to confirm, ensuring there’s no misuse by unauthorized third parties. We can log such consents, including the IP address, date, and time, for evidence and security reasons.
You can generally object to receiving notifications and communications, such as newsletters, at any time. With such an objection, you can simultaneously object to the statistical recording of usage for success and reach measurement. This does not affect required notifications and communications related to our activities and operations.
8.3 Service Providers for Notifications and Communications
We send notifications and communications with the help of specialized service providers.
We use, in particular:
9. Social Media
We have a presence on social media platforms and other online platforms to communicate with interested individuals and to inform about our activities and operations. In the context of such platforms, personal data may also be processed outside Switzerland and the European Economic Area (EEA).
For our Facebook social media presence, including the so-called page insights, we are jointly responsible with Meta Platforms Ireland Limited (Ireland) – as far as the General Data Protection Regulation (GDPR) is applicable. The Meta Platforms Ireland Limited is part of the Meta companies (among others in the USA). The page insights provide insights into how visitors interact with our Facebook presence. We use page insights to effectively and user-friendly design our Facebook presence.
10. Third-Party Services
We use services of specialized third parties to carry out our activities and operations in a sustainable, user-friendly, secure, and reliable manner. With such services, we can, among other things, embed functions and content into our website. In such an embedding, for technical reasons, the services used capture the IP addresses of users at least temporarily.
For required security-related, statistical, and technical purposes, third parties, whose services we use, can process data related to our activities and operations in an aggregated, anonymized, or pseudonymized manner. This includes, for example, performance or usage data to offer the respective service.
We particularly use:
- Microsoft Services: Providers: Microsoft Corporation (USA) / Microsoft Ireland Operations Limited (Ireland) for users in the European Economic Area (EEA), the UK, and Switzerland; General privacy information: “Privacy at Microsoft”, “Privacy and Confidentiality (Trust Center)”, Privacy Statement, Privacy Dashboard (Data and Privacy Settings).
10.1 Digital Infrastructure
We use services from specialized third parties to obtain the necessary digital infrastructure related to our activities and operations. This includes, for example, hosting and storage services from selected providers.
We particularly use:
10.2 Contact Options
We use services from selected providers to better communicate with third parties such as potential and existing customers.
10.3 Audio and Video Conferences
We recommend, depending on the situation, to mute the microphone by default when participating in audio or video conferences, to blur the background or to display a virtual background.
We particularly use:
- Microsoft Teams: Platform for audio and video conferences among other things; Provider: Microsoft; Teams-specific information: “Privacy and Microsoft Teams”.
We use third-party services to embed maps into our website.
We particularly use:
- Google Maps including Google Maps Platform: Map service; Provider: Google; Specific information about Google Maps: “How Google uses location information”.
We use third-party services to embed selected fonts as well as icons, logos, and symbols into our website.
We particularly use:
- Google Fonts: Fonts; Provider: Google; Specific information about Google Fonts: “Privacy and Google Fonts”, “Privacy and Data Collection”.
We operate in e-commerce and use third-party services to successfully offer services, content, or goods.
We use specialized service providers to securely and reliably process payments from our customers. For payment processing, the legal texts of each provider, such as Terms and Conditions (T&C) or privacy policies, apply additionally.
We especially use:
- PostFinance: E-payment solutions; Provider: PostFinance AG (Switzerland); Privacy information: «Legal Notices and Accessibility», «Privacy» (including privacy statements).
We utilize the opportunity to display advertisements for our activities and operations specifically to third parties, such as social media platforms and search engines.
With such advertising, we aim to reach individuals who are already interested in our activities and operations or could be interested (Remarketing and Targeting). For this purpose, we may transmit corresponding – possibly also personal – information to third parties that enable such advertising. We can also determine whether our advertising is successful, i.e., in particular, whether it leads to visits to our website (Conversion Tracking).
Third parties, on which we advertise and where you are registered as a user, may possibly assign the use of our online offer to your profile there.
We especially use:
- Google Ads: Search engine advertising; Provider: Google; Google Ads-specific details: Advertising based on search queries, with different domain names – especially doubleclick.net, googleadservices.com, and googlesyndication.com – used for Google Ads, «Advertising» (Google), «Why do I see this ad?».
11. Measurement of Success and Reach
We aim to determine how our online offering is utilized. Within this framework, we can measure the success and reach of our activities and operations, for instance, the impact of third-party links on our website. Additionally, we can experiment with and compare how different parts or versions of our online offering are used (using the “A/B test” method). Based on the results of these measurements, we can fix errors, enhance popular content, or make improvements to our online offer.
For the purpose of success and reach measurement, the IP addresses of individual users are often stored. In this case, IP addresses are generally shortened (“IP-Masking”) to follow the principle of data economy through pseudonymization.
In measuring success and reach, cookies can be used, and user profiles may be created. Possible user profiles might include details like the individual pages visited or content viewed on our website, screen or browser window size, and the — at least approximate — location. Generally, any user profiles are exclusively pseudonymized and are not used to identify individual users. Some third-party services, where users might be logged in, could possibly associate the use of our online offer with the user’s account or profile with that service.
We especially use:
- Google Analytics: Measurement of success and reach; Provider: Google; Specific details about Google Analytics: Measurement across different browsers and devices (Cross-Device Tracking), and using pseudonymized IP addresses which are only occasionally fully transferred to Google in the USA, «Data Protection», «Browser Add-on to Deactivate Google Analytics».
- Google Tag Manager: Integration and management of other services for measuring success and reach as well as other Google services and third-party services; Provider: Google; Specific details about Google Tag Manager: «Data Collected with Google Tag Manager»; further privacy details can be found in the individual integrated and managed services.
12. Final Provisions
We can adjust and amend this privacy statement at any time. We will inform about such adjustments and additions in an appropriate manner, especially by publishing the updated privacy statement on our website.