Privacy Policy

Privacy Policy Hotel Schweizerhof AG
Table of contents
1. responsible person and content of this privacy policy
2. contact person for data protection
3. scope and purpose of the collection, processing and use of personal data
3.1 Data processing when contacting us
3.2. data processing when ordering via our online store
3.3. data processing for bookings
3.4. data processing when reserving a table
3.5. data processing during the handling of payments
3.6. data processing during the registration and billing of purchased services
3.7. data processing during e-mail marketing
3.8. data processing during video surveillance
3.9. data processing during the use of our WiFi network
3.10. Data processing in connection with the fulfillment of statutory reporting obligations
3.11. Data processing for job applications
4. central data storage and analysis in the CRM system
5. disclosure and transfer abroad
5.1. disclosure to third parties and access by third parties
5.2 Transfer of personal data abroad
5.3. notes on data transfers to the USA
6. background data processing on our website
6.1 Data processing when visiting our website
6.2 Cookies
6.3 Tracking and web analysis tools
6.4. social media
6.5. online advertising and targeting
7. retention periods
8. data security
9. your rights

1. responsible person and content of this privacy policy

We, Hotel Schweizerhof AG, Swiss Alp Resort 1, 3818 Grindelwald, Switzerland are the operator of the Romantik Hotel Schweizerhof / Swiss Alp Resort & SPA (hotel) as well as the website www.hotel-schweizerhof.com (website) and are responsible for the data processing listed in this privacy policy, unless otherwise stated.

In order for you to know what personal data we collect from you and for what purposes we use it, please take note of the information below. When it comes to data protection, we are guided primarily by the legal requirements of Swiss data protection law, in particular the Swiss Federal Data Protection Act (DSG), as well as the DSGVO, the provisions of which may be applicable in individual cases.

Please note that the following information will be reviewed and amended from time to time. We therefore recommend that you regularly review this privacy policy. Furthermore, for individual data processing listed below, other companies are responsible under data protection law or jointly responsible with us, so that in these cases the information of these providers is also authoritative.

2. contact person for data protection

If you have any questions about data protection or wish to exercise your rights, please contact our data protection contact by sending an e-mail to the following address: marketing@hotel-schweizerhof.com
3. scope and purpose of the collection, processing and use of personal data

3.1 Data processing when you contact us

If you contact us via our contact addresses and channels (e.g. by e-mail, telephone or contact form), your personal data will be processed. The data you have provided us with, such as your name, e-mail address or telephone number and your request, will be processed. In addition, the time of receipt of the request is documented. Mandatory data is marked with an asterisk (*) in contact forms. We process this data in order to implement your request (e.g. providing you with information about our hotel, assisting you with the processing of contracts such as questions about your booking, incorporating your feedback into the improvement of our services, etc.).

For the processing of contact via contact form we use a software application of ennit interactive GmbH, Gerhard-Fröhler-Str. 14, 24106 Kiel, Germany. Therefore, your data may be stored in a database of ennit interactive GmbH, which may allow ennit interactive GmbH to access your data if this is necessary for the provision of the software and for support in the use of the software. Information about the processing of data by third parties and any transfer abroad can be found in section 5 of this privacy policy.

The legal basis for this data processing is our legitimate interest within the meaning of Art. 6 (1) lit. f DSGVO in the implementation of your request or, if your request is directed towards the conclusion or performance of a contract, the necessity for the implementation of the required measures within the meaning of Art. 6 (1) lit. b DSGVO.

It may be that ennit interactive GmbH wishes to use some of this data for its own purposes (e.g. for the delivery of marketing e-mails or for statistical analyses). For these data processing operations, ennit interactive GmbH is the controller and must ensure compliance with data protection laws in connection with these data processing operations. Information about data processing by ennit interactive GmbH can be found at https://www.ennit.de/datenschutz/.

3.2 Data processing when ordering via our online store.

On our website you have the opportunity to order products, services and vouchers. For this purpose, we collect the following data, whereby mandatory data are marked with an asterisk (*) during the ordering process:

- Salutation(*)
- First name(*)
- Last name(*)
- Billing and delivery address(*)
- Telephone number(*)
- E-mail(*)
- Payment method(*)
- Shipping method(*)
- Information about subscription to marketing e-mails
- Acknowledgement and consent to terms and conditions and privacy policy(*)

We use the data to establish your identity before concluding a contract. We need your e-mail address to confirm your order and for future communication with you - necessary for the execution of the contract. We store your data together with the marginal data of the order (e.g. designation, price and characteristics of the ordered products), the data for payment (e.g. selected payment method, confirmation of payment and time; see also section 3.5.2) as well as the data for the processing and fulfillment of the contract (e.g. receipt of and handling of complaints) in our CRM database (see section 4), so that we can ensure correct order processing and contract fulfillment.

The legal basis for this data processing is the fulfillment of a contract with you according to Art. 6 para.1 lit. b DSGVO.
The provision of data that is not marked as mandatory is voluntary. We process this data in order to tailor our offer to your personal needs in the best possible way, to facilitate the processing of contracts, to contact you by an alternative communication channel if necessary with a view to fulfilling the contract, or for statistical collection and evaluation to optimize our offers.

The legal basis for this data processing is your consent within the meaning of Art. 6 para. 1 lit. a DSGVO. You can revoke your consent at any time by notifying us.

For the provision of the online store, we use a software application from Idea Creation GmbH, Walchestrasse 15, 8006 Zurich, Switzerland. Therefore, your data may be stored in a database of Idea Creation GmbH, which may allow Idea Creation GmbH to access your data if this is necessary for the provision of the software and for support in the use of the software. Information about the processing of data by third parties and any transfer abroad can be found in section 5 of this privacy policy.

The legal basis for this data processing is the fulfillment of a contract with you according to Art. 6 para.1 lit. b DSGVO.
It may be that Idea Creation GmbH would like to use some of this data for its own purposes (e.g. for the delivery of marketing emails or for statistical analyses). Idea Creation GmbH is the controller for these data processing operations and must ensure compliance with data protection laws in connection with these data processing operations. Information about data processing by Idea Creation GmbH can be found at https://www.e-guma.ch/datenschutz/.


3.3 Data processing for bookings

3.3.1 Booking via our website
On our website, you have the option of booking an overnight stay. For this purpose, we collect the following data, whereby mandatory data is marked with an asterisk (*) during the booking process:

- Salutation(*)
- First name(*)
- Surname(*)
- Country(*)
- Billing address
- Company, company address and UID no. for corporate customers
- Telephone number(*)
- E-mail address(*)
- Payment method(*)
- Remarks
- Confirmation of the accuracy of the information provided(*)
- Acknowledgement and consent to the terms and conditions and privacy policy(*)

We use the data to establish your identity before concluding a contract. We need your e-mail address to confirm your booking and for future communication with you - necessary for the execution of the contract. We store your data together with the marginal data of the booking (e.g. room category, period of stay as well as designation, price and characteristics of the services), the data for payment (e.g. selected payment method, confirmation of payment and time; see also section 3.5.2) as well as the information on the processing and fulfillment of the contract (e.g. receipt of and handling of complaints) in our CRM database (see section 4), so that we can ensure correct booking processing and contract fulfillment.

Insofar as this is necessary for the fulfillment of the contract, we will also pass on the required information to any third-party service providers (e.g. organizers or transport companies).

The legal basis for this data processing is the fulfillment of a contract with you according to Art. 6 para.1 lit. b DSGVO.

The provision of data that is not marked as mandatory is voluntary. We process this data in order to tailor our offer to your personal needs in the best possible way, to facilitate the processing of contracts, to contact you via an alternative communication channel if necessary with a view to fulfilling the contract, or for statistical collection and evaluation to optimize our offers.

The legal basis for this data processing is your consent within the meaning of Art. 6 para. 1 lit. a DSGVO. You can revoke your consent at any time by notifying us.

For booking processing via our website, we use a software application from QNT S.r.l., Via Lucca, 52, 50143 Florence, Italy. Therefore, at most, your data will be stored in a database of QNT S.r.l., which may allow QNT S.r.l., to access your data when necessary to provide the software and to assist you in using the software. Information on the processing of data by third parties and any transfer abroad can be found in section 5 of this Privacy Policy.

The legal basis for this data processing is the fulfillment of a contract with you according to Art. 6 para.1 lit. b DSGVO.

QNT S.r.l. may wish to use some of this data for its own purposes (e.g. to deliver marketing emails or for statistical analysis). For these data processing operations, QNT S.r.l. is the data controller and must ensure compliance with data protection laws in connection with these data processing operations. For information on data processing by QNT S.r.l., please visit https://www.simplebooking.travel/privacy-policy.

3.3.2 Booking via a booking platform

If you make bookings via a third-party platform (i.e., Booking, Hotel, Escapio, Expedia, Holidaycheck, Hotel Tonight, HRS, Kayak, Mr. & Mrs. Smith, Splendia, Tablet Hotels, Tripadvisor, Trivago, Weekend4Two, etc.), we receive various personal data from the respective platform operator in connection with the booking made. This is usually the data listed in section 3.5.2 of this privacy policy. In addition, inquiries about your booking may be forwarded to us. We will process this data by name in order to record your booking as requested and to provide the booked services.

The legal basis of data processing for this purpose is the implementation of pre-contractual measures and the fulfillment of a contract according to Art. 6 para. 1 lit. b DSGVO.

Finally, we may exchange personal data with the platform operators in connection with disputes or complaints related to a booking, to the extent necessary to protect our legitimate interests. This may also include data relating to the booking process on the platform or data relating to the booking or processing of services and the stay with us. We process this data to protect our legitimate claims and interests in the processing and maintenance of our contractual relationships with a large number of platform operators, whose data protection conditions can be found on the respective websites.

Your data is stored in the databases of the platform operators, which enables them to access your data. Information about the processing of data by third parties and any transfer abroad can be found in section 5 of this privacy policy.
The legal basis of data processing for this purpose is our legitimate interest within the meaning of Art. 6 (1) lit. f DSGVO.

3.4 Data processing when reserving a table

On our website, you have the option of reserving a table in a restaurant named on our website. For this purpose, we collect - depending on the respective offer - the following data, whereby mandatory data are marked with an asterisk (*) when reserving via the website:

- Name(*)
- Number of guests(*)
- E-mail address(*)
- Phone number(*)
- Commentary
- Date and time of reservation(*)

We collect and process the data to process the reservation, in particular to make your reservation request according to your wishes and to contact you in case of any ambiguity or problem. We store your data together with the marginal data of the reservation (e.g. date and time of receipt etc.), the data on the reservation (e.g. assigned table) as well as information on the processing and fulfillment of the contract (e.g. receipt of and handling of complaints) in our CRM database (see section 4), so that we can ensure correct reservation processing and contract fulfillment.

For the processing of table reservations, we use a software application from Reservino GbR, Tannenweg 1, 55218 Ingelheim, Germany. Therefore, at most, your data will be stored in a database of Reservino GbR, which may allow Reservino GbR to access your data if this is necessary for the provision of the software and for support in the use of the software. Information about the processing of data by third parties and any transfer abroad can be found in section 5 of this privacy policy.

The legal basis for this data processing is the fulfillment of a contract with you according to Art. 6 para.1 lit. b DSGVO.

Reservino GbR may wish to use some of this data for its own purposes (e.g. to deliver marketing emails or for statistical analysis). Reservino GbR is the data controller for these data processing operations and must ensure compliance with data protection laws in connection with these data processing operations. Information about data processing by Reservino GbR can be found at https://reservino.de/#/datenschutz.

3.5 Data processing during payment processing

3.5.1 Payment processing in the hotel

When you purchase products, obtain services or pay for your stay in our hotel using electronic means of payment, the processing of personal data is required. By using the payment terminals, you transmit the information stored in your payment means, such as the name of the cardholder and the card number, to the payment service providers involved (e.g. payment solution providers, credit card issuers and credit card acquirers). They also receive the information that the payment method was used in our hotel, the amount and the time of the transaction.Conversely, we only receive credit for the amount of the payment made at the relevant time, which we can assign to the relevant document number, or information that the transaction was not possible or was cancelled. In this regard, please always also observe the information provided by the respective company, in particular the data protection declaration and the general terms and conditions.

For payment processing via contact form, we use a software application from QNT S.r.l., Via Lucca, 52, 50143 Florence, Italy. Therefore, at most, your data will be stored in a database of QNT S.r.l., which may allow QNT S.r.l. to access your data when necessary to provide the software and to assist you in using the software. Information about the processing of data by third parties and any transfer abroad can be found in section 5 of this privacy policy.

The legal basis of our data processing is the fulfillment of a contract with you according to Art. 6 para.1 lit. b DSGVO.

QNT S.r.l. may wish to use some of this data for its own purposes (e.g. to deliver marketing emails or for statistical analysis). For these data processing operations, QNT S.r.l. is the data controller and must ensure compliance with data protection laws in connection with these data processing operations. Information about data processing operations by QNT S.r.l. can be found at https://www.simplebooking.travel/privacy-policy.

3.5.2 Online payment processing

If you make chargeable bookings on our website, order services or products, depending on the product or service and the desired method of payment - in addition to the information mentioned in section 3.3.1 - it may be necessary to provide further data, such as your credit card information or login to your payment service provider. This information, as well as the fact that you have purchased a service from us for the amount and at the time in question, will be forwarded to the respective payment service providers (e.g. payment solution providers, credit card issuers and credit card acquirers). In this regard, please also always observe the information provided by the respective company, in particular the data protection declaration and the general terms and conditions.

The legal basis of our data processing is the fulfillment of a contract according to Art. 6 para.1 lit. b DSGVO.

We reserve the right to store a copy of the credit card information as security. In order to avoid payment incidents, the necessary data, in particular your personal details, may also be transmitted to a credit agency for the automated assessment of your creditworthiness. In this context, the credit agency may assign you a so-called score value. This is an estimate of the future risk of non-payment, e.g. based on a percentage. The value is collected using mathematical-statistical methods and including data from the credit agency from other sources.  We reserve the right, in accordance with the information received, not to offer you the payment method "invoice".

The legal basis for this data processing is our legitimate interest according to Art. 6 para. 1 lit. f. DSGVO in the avoidance of payment defaults.

We use a software application from Concardis GmbH, Helfmann-Park 7, 65760 Eschborn, Germany for the credit check via contact form. Therefore, at most, your data will be stored in a database of Concardis GmbH, which may allow Concardis GmbH to access your data if this is necessary for the provision of the software and for support in the use of the software. Information about the processing of data by third parties and any transfer abroad can be found and you under Section 5 of this Privacy Policy.

The legal basis for this data processing is our legitimate interest according to Art. 6 para. 1 lit. f. DSGVO in the prevention of payment defaults.

Concardis GmbH may wish to use some of this data for its own purposes (e.g. to deliver marketing emails or for statistical analysis). Concardis GmbH is the data controller for these data processing operations and must ensure compliance with data protection laws in connection with these data processing operations. Information about data processing by Concardis GmbH can be found at https://www.concardis.com/datenschutz .

3.6 Data processing during the recording and billing of purchased services

If you obtain services as part of your stay (e.g. further overnight stays, wellness, restaurant, activities), we will - in addition to your contractual data - record and process the booking data (e.g. time and remarks) as well as the data on the booked and obtained service (e.g. subject of the service, price and time of the service) for the purpose of processing the service, as described in sections 3.3 and 3.4.

The legal basis of our data processing lies in the fulfillment of a contract according to Art. 6 para. 1 lit. b DSGVO.

3.7 Data processing for e-mail marketing

If you register for our marketing emails (e.g. when opening, within your customer account or as part of an order, booking or reservation), the following data is collected. Mandatory data is marked with an asterisk (*) when registering:

- E-mail address(*)
- Salutation(*)
- First and last name(*)

To avoid misuse and to ensure that the owner of an e-mail address has actually given his or her consent to receive marketing e-mails, we use the so-called double opt-in during registration. After sending the registration, you will receive an e-mail from us with a confirmation link. In order to definitely register for the marketing e-mails, you must click on this link. If you do not confirm your e-mail address using the confirmation link within the specified period, your data will be deleted again and our marketing e-mails will not be sent to this address.

By registering, you consent to the processing of this data in order to receive marketing emails from us about our hotel and related information on products and services. These marketing emails may also include invitations to participate in competitions, to provide feedback or to rate our products and services. Collecting the salutation and first and last name allows us to associate the registration with any existing customer account and thereby personalize the content of the marketing emails. The link to a customer account allows us to make the offers and content contained in the marketing emails more relevant to you and better tailored to your potential needs.

We will use your data to send marketing emails until you revoke your consent. Revocation is possible at any time, in particular via the unsubscribe link contained in all marketing emails.

Our marketing emails may contain a so-called web beacon, 1x1 pixel (tracking pixel) or similar technical tools. A web beacon is an invisible graphic that is linked to the user ID of the respective subscriber. For each marketing email sent, we receive information on which email addresses it was successfully transmitted to, which email addresses have not yet received the marketing email and for which email addresses the transmission failed. It is also displayed which e-mail addresses have opened the marketing e-mail and for how long and which links have been clicked. Finally, we also receive information about which subscribers have unsubscribed from the mailing list. We use this data for statistical purposes and to optimize the marketing e-mails in terms of frequency and time of sending as well as regarding the structure and content of the marketing e-mails. This allows us to better tailor the information and offers in our marketing emails to the individual interests of the recipients.

The web beacon is deleted when you delete the marketing email. You can prevent the use of the web beacons in our marketing emails by setting the parameters of your email program so that HTML is not displayed in messages. See the help files for your email software application for information on how to configure this setting, for example, here for Microsoft Outlook. By subscribing to marketing emails, you also consent to the statistical analysis of user behavior for the purpose of optimizing and customizing marketing emails.

For the provision of marketing e-mails, we use a software application from dailypoint - Software made by Toedt, Dr. Selk & Coll. GmbH. Therefore, your data will at most be stored in a database of Toedt, Dr. Selk & Coll. GmbH, which may enable Toedt, Dr. Selk & Coll. GmbH may have access to your data if this is necessary for the provision of the Software and for support in the use of the Software. Information about the processing of data by third parties and any transfer abroad can be found and you under Section 5 of this Privacy Policy.

Your consent is the legal basis for the processing of the data within the meaning of Art. 6 para. 1 lit. a DSGVO. You can revoke your consent for the future at any time.

It may be that Toedt, Dr. Selk & Coll. GmbH may wish to use some of this data for its own purposes (e.g. for the delivery of marketing e-mails or for statistical analyses). For these data processing operations, Toedt, Dr. Selk & Coll. GmbH is the responsible party for these data processing activities and must ensure compliance with data protection laws in connection with these data processing activities. Information about data processing by Toedt, Dr. Selk & Coll. GmbH can be found at https://www.dailypoint.com/privacypolicy/.

3.8 Data processing in connection with video surveillance

For the protection of our guests and employees as well as our property and for the prevention and punishment of illegal behavior (esp. theft and damage to property), the entrance area as well as the publicly accessible areas of our hotel, with the exception of the sanitary facilities, can be monitored by cameras. The image data will only be viewed if there is a suspicion of illegal behavior. Otherwise, the image recordings are automatically deleted after 7 days.

The legal basis is our legitimate interest within the meaning of Art. 6 Para. 1 lit. f DSGVO in the protection of our guests, our employees and our property as well as in the protection and enforcement of our rights.

3.9 Data processing when using our WiFi network

In our hotel you have the possibility to use free of charge the WiFi network operated by Monzoon Networks AG, Spinnerei Lettenstrasse 2, Riverside, 8192 Zweidlen, Switzerland. In order to prevent misuse and to punish illegal behavior, prior registration is required. In doing so, you submit the following data to Monzoon Networks AG:

- Cell phone number
- MAC address of the end device (automatically)

In addition to the above data, data on the time and date of use, the network used and the end device are collected each time the WiFi network is used. The legal basis for these processing operations is your consent within the meaning of Art. 6 (1) lit. a DSGVO. You can revoke this consent at any time for the future.

The responsible party for this data processing is Monzoon Networks AG. Within the registration process you give your consent to Monzoon Networks AG and have to accept the terms of use and the privacy policy of Monzoon Networks AG.

Monzoon Networks AG must comply with the legal obligations of the Federal Act on the Surveillance of Postal and Telecommunications Traffic (BÜPF) and the associated ordinance. If the legal requirements are met, the operator of the WiFi network must monitor the use of the Internet or data traffic on behalf of the authority responsible for this. The operator of the WiFi network may also be required to disclose contact, usage and boundary data of the hotel guest to the authorized authorities. The contact, usage and boundary data will be stored for 6 months in a personalized manner and then deleted.

The legal basis for these processing operations is our legitimate interest within the meaning of Art. 6 (1) lit. f DSGVO in providing a Wifi network in compliance with the applicable legal requirements.

3.10 Data processing for the fulfillment of legal reporting obligations

Upon arrival at our hotel, we may require the following information from you and your accompanying persons, with mandatory information marked with an asterisk (*) in the corresponding form:

- Salutation
- First and last name(*)
- Gender(*)
- Home address(*)
- Nationality(*)
- Identity document for foreign persons(*)
- Arrival and departure date(*)
- Name of the accommodation establishment(*)
- Date of birth
- Credit card details
- Car license plate number
- Cell phone number

We collect this information in order to fulfill legal reporting obligations, which arise in particular from the hospitality industry or police law. Insofar as we are obliged to do so under the applicable regulations, we forward this information to the competent authority.

The legal basis for the processing of this data lies in our legitimate interest within the meaning of Art. 6 (1) lit. c DSGVO in complying with our legal obligations.

3.11 Data processing for job applications

You have the option of applying to us spontaneously or in response to a specific job advertisement for employment in our company. In doing so, we process the personal data provided by you.

We use the data you provide to review your application and suitability for employment. Application documents of unsuccessful applicants will be deleted at the end of the application process, unless you explicitly agree to a longer retention period or we are not legally obliged to retain them for a longer period.

The legal basis for processing your data for this purpose is the execution of a contract (pre-contractual phase) according to Art. 6 para.1 lit. b DSGVO.

4. central data storage and analysis in the CRM system

Insofar as a clear assignment to your person is possible, we will store and link the data described in this data protection declaration, i.e. in particular your personal details, your contacts, your contract data and your surfing behavior on our websites in a central database. This serves the efficient administration of customer data, allows us to adequately process your requests and enables the efficient provision of the services you have requested and the processing of the associated contracts.

The legal basis for this data processing is our legitimate interest within the meaning of Art. 6 Para. 1 lit. f DSGVO in the
efficient management of user data.

Furthermore, we evaluate this data in order to to further develop our offers in a needs-oriented manner and to display and
relevant information and offers to you. We also use methods that predict possible interests and future orders based on your use of our website, interests and future orders based on your use of our website.

For central data storage and analysis in the CRM system, we use a software application from dailypoint - Software
made by Toedt, Dr. Selk & Coll. GmbH. Therefore your data will be stored at most in a database of Toedt, Dr. Selk & Coll. GmbH, which Toedt, Dr. Selk & Coll. GmbH may have access to your data if necessary for the provision of the software and for support in the use of the software.

Information about the processing of data by third parties and possible transmission abroad can be found under section 5 of this privacy policy. Further information about data processing in connection with Toedt, Dr. Selk & Coll. GmbH can be found at https://www.dailypoint.com/privacypolicy/.

The legal basis for this data processing is our legitimate interest within the meaning of Art. 6 para. 1 lit. f DSGVO in carrying out marketing activities.

5. disclosure and transfer abroad

5.1 Disclosure to third parties and access by third parties

Without the support of other companies, we would not be able to provide our services in the desired form. In order for us to be able to use the services of these companies, a transfer of your personal data to these companies is also necessary to a certain extent. A transfer is made to selected third-party service providers and only to the extent necessary for the optimal provision of our services.

Various third-party service providers are already explicitly mentioned in this privacy policy.

In the case of these disclosures, the legal basis is the necessity for the fulfillment of a contract within the meaning of Art. 6 (1) lit. b DSGVO.

Your data will also be passed on if this is necessary to fulfill the services you have requested, i.e. e.g. to restaurants or providers of other services for which you have made a reservation through us. The legal basis for these disclosures is the necessity for the fulfillment of a contract within the meaning of Art. 6 (1) lit. b DSGVO. For this data processing, the third-party service providers are responsible parties within the meaning of the Data Protection Act and not us. It is the responsibility of these third-party service providers to inform you about their own - beyond the transfer of data for the provision of services - data processing and to comply with data protection laws.

In addition, your data may be passed on, in particular to authorities, legal advisors or collection agencies, if we are legally obliged to do so or if this is necessary to protect our rights, in particular to enforce claims arising from our relationship with you. Data may also be disclosed if another company intends to acquire our company or parts thereof and such disclosure is necessary to conduct due diligence or to complete the transaction.

Your data will also be passed on if this is necessary to fulfill the services you have requested, i.e. e.g. to restaurants or providers of other services for which you have made a reservation through us. The legal basis for these disclosures is the necessity for the fulfillment of a contract within the meaning of Art. 6 (1) lit. b DSGVO. For this data processing, the third-party service providers are responsible parties within the meaning of the Data Protection Act and not us. It is the responsibility of these third-party service providers to inform you about their own - beyond the transfer of data for the provision of services - data processing and to comply with data protection laws.

In addition, your data may be passed on, in particular to authorities, legal advisors or collection agencies, if we are legally obliged to do so or if this is necessary to protect our rights, in particular to enforce claims arising from our relationship with you. Data may also be disclosed if another company intends to acquire our company or parts thereof and such disclosure is necessary to conduct due diligence or to complete the transaction.

If the country in question does not have an adequate level of data protection, we ensure that your data is adequately protected at these companies by means of suitable guarantees, unless an exception is specified in individual cases for the individual data processing (cf. Art. 49 DSGVO). Unless otherwise stated, these are standard contractual clauses within the meaning of Art. 46(2)(c) of the GDPR, which can be found on the websites of the Federal Data Protection and Information Commissioner (FDPIC) and the EU Commission. If you have any questions about the measures taken, please contact our contact person for data protection (see section 2).

5.3 Information on data transfers to the USA

Some of our third-party service providers are based in the USA. For the sake of completeness, we would like to point out for users who are resident or domiciled in Switzerland or the EU that there are monitoring measures in place in the USA by US authorities which generally allow the storage of all personal data of all persons whose data has been transferred from Switzerland or the EU to the USA.

This is done without any differentiation, limitation or exception based on the objective pursued and without any objective criterion that would make it possible to limit the access of the U.S. authorities to the data and their subsequent use to very specific, strictly limited purposes that are capable of justifying the interference associated with both the access to and the use of these data. Furthermore, we would like to point out that in the USA, data subjects from Switzerland or the EU do not have any legal remedies or effective legal protection against general access rights of US authorities that would allow them to obtain access to the data concerning them and to obtain their correction or deletion. We explicitly draw your attention to this legal and factual situation in order to enable you to make an appropriately informed decision about consenting to the use of your data.

We would also like to point out to users who are resident in Switzerland or a member state of the EU that, from the perspective of the European Union and Switzerland, the USA does not have a sufficient level of data protection - among other things due to the explanations given in this section. Insofar as we have explained in this data protection statement that recipients of data (such as Google) are based in the USA, we will ensure that your data is adequately protected by our third-party service providers through contractual arrangements with these companies as well as any additional appropriate guarantees that may be required.

6 Background data processing on our website

6.1 Data processing when visiting our website (log file data)

When you visit our website, the servers of our hosting provider ennit interactive GmbH, Gerhard-Fröhler-Str. 14, 24106 Kiel, Germany, temporarily store every access in a log file. The following data is collected without your intervention and stored until automated deletion by us:

- IP address of the requesting computer;
- Date and time of access;
- Name and URL of the file accessed;
- Website from which the access was made, if necessary with the search word used;
- Operating system of your computer and the browser you are using (including type, version and language setting);
- Device type in the case of access by cell phones;
- City or region from which the access was made; and
- Name of your internet access provider.

This data is collected and processed for the purpose of enabling the use of our website (connection establishment), to ensure system security and stability on a permanent basis, to enable error and performance analysis and optimization of our website (see also section 6.3 for the last points).

In the event of an attack on the network infrastructure of the website or a suspicion of other unauthorized or improper use of the website, the IP address as well as the other data will be evaluated for the purpose of clarification and defense and, if necessary, used in the context of civil or criminal proceedings for identification against the user concerned.
The purposes described above are our legitimate interest within the meaning of Art. 6 (1) f DSGVO and thus the legal basis for data processing.

Finally, when visiting our website, we use cookies as well as applications and tools that are based on the use of cookies. In this context, the data described here may also be processed. You will find more details on this in the other subsequent sections of this data protection declaration, in particular section 6.2 below.

6.2 Cookies

Cookies are information files that your web browser stores on your computer's hard drive or memory when you visit our website. Cookies are assigned identification numbers by which your browser is identified and the information contained in the cookie can be read.
Among other things, cookies help to make your visit to our website easier, more pleasant and more meaningful. We use cookies for various purposes that are necessary, i.e. "technically necessary", for your desired use of the website. For example, we use cookies to be able to identify you as a registered user after logging in, without you having to log in again each time when navigating the various sub-pages.

The provision of the ordering and booking functions is also based on the use of cookies. Furthermore, cookies also perform other technical functions required for the operation of the website, such as load balancing, i.e. the distribution of the performance load of the page to different web servers in order to relieve the servers. Cookies are also used for security purposes, e.g. to prevent the unauthorized posting of content. Finally, we also use cookies as part of the design and programming of our website, e.g. to enable the uploading of scripts or codes.

The legal basis for this data processing is our legitimate interest within the meaning of Art. 6 (1) lit. f DSGVO in providing a user-friendly and up-to-date website.

Most internet browsers accept cookies automatically. However, when you access our website, we ask for your consent to the cookies we use that are not technically necessary, in particular when we use cookies from third-party providers for marketing purposes. You can use the corresponding buttons in the cookie banner to make your desired settings. Details on the services and data processing associated with the individual cookies can be found within the cookie banner as well as in the following paragraphs of this privacy policy.

You may also be able to configure your browser so that no cookies are stored on your computer or a message always appears when you receive a new cookie. On the following pages you will find explanations of how you can configure the processing of cookies in selected browsers.

- Google Chrome for Desktop
- Google Chrome for Mobile
- Apple Safari
- Microsoft Windows Internet Explorer
- Microsoft Windows Internet Explorer Mobile
- Mozilla Firefox

Disabling cookies may prevent you from using all features of our website.

6.3 Tracking and web analysis tools

6.3.1 General information on tracking

For the purpose of demand-oriented design and continuous optimization of our website, we use the web analysis services listed below. In this context, pseudonymized usage profiles are created and cookies are used (please also refer to section 6.2). The information generated by the cookie about your use of this website is usually transmitted together with the log file data listed in section 6.1 to a server of the service provider, where it is stored and processed. This may also result in a transfer to servers abroad, e.g. the USA (cf. in this regard, in particular the lack of an adequate level of data protection and the guarantees provided, sections 5.2 and 5.3).

By processing the data, we obtain, among other things, the following information:

- Navigation path followed by a visitor on the site (including content viewed and products selected or purchased or services booked);
- Time spent on the website or subpage;
- Subpage on which the website is left;
- Country, region or city from where an access takes place;
- terminal device (type, version, color depth, resolution, width and height of browser window); and
- returning or new visitors.

On our behalf, the provider will use this information for the purpose of evaluating the use of the website, in particular to compile website activity and to provide other services relating to website activity and internet usage for the purposes of market research and demand-oriented design of these websites. For these processing operations, we and the providers can be considered jointly responsible parties under data protection law up to a certain extent.

The legal basis for this data processing with the following services is your consent within the meaning of Art. 6 para. 1 lit. a DSGVO.

You can revoke your consent or refuse processing at any time by rejecting or switching off the relevant cookies in your web browser settings (see section 6.2) or by making use of the service-specific options described below.
For the further processing of the data by the respective provider as the (sole) data protection controller, in particular also any disclosure of this information to third parties, such as authorities based on national legal requirements, please refer to the respective data protection information of the provider.

6.3.2 Google Analytics

We use the web analysis service Google Analytics from Google Ireland Limited (Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland) or Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (Google).
In deviation from the description in Section 6.3.1, Google Analytics (in the "Google Analytics 4" version used here) does not log or store IP addresses.

For accesses originating from the EU, IP address data is only used to derive location data and is then immediately deleted. When collecting measurement data in Google Analytics, all IP searches take place on EU-based servers before the traffic is forwarded to Analytics servers for processing. Regional data centers are used in Google Analytics. If a connection is established in Google Analytics to the nearest available Google data center, the measurement data is sent to Analytics via an encrypted HTTPS connection. At these centers, the data is further encrypted before being forwarded to Analytics' processing servers and made available on the platform. The most appropriate local data center is determined based on the IP addresses. This may also result in data being transferred to servers abroad, e.g. the USA (cf. on this, in particular on the lack of an adequate level of data protection and the guarantees provided, section 5.2).

We also use the technical extension "Google Signals", which enables cross-device tracking. This makes it possible to associate an individual website visitor with different end devices. However, this only happens if the visitor has logged into a Google service when visiting the website and at the same time has activated the "personalized advertising" option in their Google account settings. Even then, however, no personal data or user profiles become accessible to us; they remain anonymous to us. If you do not wish to use "Google Signals", you can deactivate the "personalized advertising" option in your Google account settings.
Users can prevent the collection of the data generated by the cookie and related to the website usage by the respective user (including the IP address) to Google as well as the processing of this data by Google by downloading and installing the browser plugin available at the following link: http://tools.google.com/dlpage/gaoptout?hl=de.

As an alternative to the browser plugin, users can click this link to prevent the collection by Google Analytics on the website in the future. In doing so, an opt-out cookie will be stored on the user's terminal device. If users delete cookies (see section 6 Cookies), the link must be clicked again.

6.4 Social media

6.4.1 Social media profiles

On our website, we have included links to our profiles in the social networks of the following providers:

- Meta Platforms Inc, 1601 S California Ave, Palo Alto, CA 94304, USA, privacy notice.
- LinkedIn Unlimited Company, Wilton Place, Dublin 2, Ireland, Privacy Policy
- YouTube LLC, 901 Cherry Avenue, San Bruno, CA, USA, privacy notice

If you click on the icons of the social networks, you will automatically be redirected to our profile in the respective network. This establishes a direct connection between your browser and the server of the respective social network. This provides the network with the information that you have visited our website with your IP address and clicked on the link. This may also result in data being transferred to servers abroad, e.g. the USA (cf. on this, in particular on the lack of an adequate level of data protection and on the guarantees provided, sections 5.2 and 5.3).

If you click on a link to a network while you are logged into your user account with the network in question, the content of our website may be linked to your profile so that the network can assign your visit to our website directly to your account. If you want to prevent this, you should log out before clicking on the relevant links. A connection between your access to our website and your user account takes place in any case when you log in to the respective network after clicking on the link. The respective provider is responsible under data protection law for the associated data processing. Please therefore refer to the data protection information on the website of the network.

The legal basis for any data processing attributed to us is our legitimate interest within the meaning of Art. 6 (1) lit. f DSGVO in the use and promotion of our social media profiles.

6.5 Online advertising and targeting

6.5.1 In general

We use services of various companies to provide you with interesting offers online. In doing so, your user behavior on our website and websites of other providers is analyzed in order to subsequently display online advertising tailored to you.

Most technologies for tracking your user behavior and for the targeted display of advertising (targeting) work with cookies (see also Section 6.2), which can be used to recognize your browser across different websites. Depending on the service provider, it may also be possible for you to be recognized online even when using different end devices (e.g. laptop and smartphone). This may be the case, for example, if you have registered with a service that you use with multiple devices.

In addition to the data already mentioned, which is generated when websites are called up (log file data, see Section 6.1) and when cookies are used (Section 6.2) and which may reach the companies involved in the advertising networks, the following data in particular is used to select the advertising that is potentially most relevant to you:

- Information about you that you provided when registering or using a service of advertising partners (e.g., your gender, age group); and
- User behavior (e.g., search queries, interactions with advertisements, types of websites visited, products or services viewed and purchased, newsletters subscribed to).

We and our service providers use this data to identify whether you belong to the target group we address and take this into account when selecting advertisements. For example, after you have visited our site, you may be shown ads of the products or services you consulted when you visit other sites (re-targeting). Depending on the scope of the data, a user's profile may also be created and automatically analyzed, with ads selected according to the information stored in the profile, such as membership in certain demographic segments or potential interests or behaviors. Such ads may be displayed to you on various channels, which, in addition to our website or app (as part of onsite and in-app marketing), also include ads served via the online advertising networks we use, such as Google.

The data may then be analyzed for the purpose of billing the service provider and assessing the effectiveness of advertising measures in order to better understand the needs of our users and customers and to improve future campaigns. 

This may also include information that the taking of an action (e.g., visiting certain sections of our websites or submitting information) is due to a particular ad. Furthermore, we receive aggregated reports from the service providers on ad activities and information on how users interact with our website and our ads.
The legal basis for this data processing is your consent within the meaning of Art. 6 (1) lit. a DSGVO. You can revoke your consent at any time by rejecting or switching off the relevant cookies in the settings of your web browser (see section 6.2). You can also find further options for blocking advertising in the information provided by the respective service provider, such as Google.

6.5.2 Google Ads

This website uses the services of Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (Google) for online advertising, as explained in Section 6.5.1. Google uses cookies for this purpose (cf. the list here), which allow your browser to be recognized when you visit other websites.

The information generated by the cookies about your visit to this website (including your IP address) will be transmitted to and stored by Google on servers in the United States (see also, in particular, the lack of an adequate level of data protection and the guarantees provided, sections 5.2 and 5.3). Further information on data protection at Google can be found here.
The legal basis for this data processing is your consent within the meaning of Art. 6 (1) a DSGVO. You can revoke your consent at any time by rejecting or switching off the relevant cookies in your web browser settings (see section 6.2). Further options for blocking advertising can be found here.

7. retention periods

We only store personal data for as long as is necessary to carry out the processing operations explained in this data protection declaration within the scope of our legitimate interest. In the case of contractual data, storage is required by statutory retention obligations. Requirements that oblige us to retain data arise from the provisions on accounting and from tax law regulations. According to these regulations, business communication, concluded contracts and accounting vouchers must be stored for up to 10 years. As soon as we no longer need this data to perform services for you, the data will be blocked. This means that the data may then only be used if this is necessary to fulfill the retention obligations or to defend and enforce our legal interests. The data will be deleted as soon as there is no longer any obligation to retain the data and no longer any legitimate interest in retaining it.

8. data security

We use appropriate technical and organizational security measures to protect your personal data stored by us against loss and unlawful processing, namely unauthorized access by third parties. Our employees and the service companies commissioned by us are obligated by us to maintain confidentiality and data protection. Furthermore, these persons are only granted access to personal data to the extent necessary for the performance of their duties.
Our security measures are continuously adapted in line with technological developments. However, the transmission of information via the Internet and electronic means of communication always involves certain security risks and we cannot therefore provide an absolute guarantee for the security of information transmitted in this way.

9. your rights

Provided that the legal requirements are met, as a data subject you have the following rights:

Right of access: You have the right to request access to your personal data stored by us at any time and free of charge if we process it. This gives you the opportunity to check what personal data we process about you and whether we process it in accordance with the applicable data protection regulations.

Right to rectification: you have the right to have inaccurate or incomplete personal data rectified and to be informed about the rectification. In this case, we will also inform the recipients of the data concerned about the adjustments we have made, unless this is impossible or involves disproportionate effort.

Right to deletion: you have the right to have your personal data deleted under certain circumstances. In individual cases, particularly in the case of statutory retention obligations, the right to deletion may be excluded. In this case, the deletion may be replaced by a blocking of the data if the conditions are met.

Right to restriction of processing: You have the right to request that the processing of your personal data be restricted.

Right to data transfer: you have the right to receive from us, free of charge, the personal data you have provided to us in a readable format.

Right to object: You can object to data processing at any time, especially in the case of data processing in connection with direct marketing (e.g. marketing e-mails).

Right of revocation: In principle, you have the right to revoke any consent you have given at any time. However, processing activities based on your consent in the past will not become unlawful as a result of your revocation.
To exercise these rights, please send us an e-mail to the following address: marketing@hotel-schweizerhof.com.

Right to lodge a complaint: you have the right to lodge a complaint with a competent supervisory authority, e.g. against the way your personal data is processed.
***