Bürgenstock Hotels AG Bürgenstock 6363 Obbürgen Switzerland (CHE-105.841.711)
operator of the website
are responsible for collecting, processing and using your personal data and for the compliance of this data processing with the data protection legislation which applies to the relevant website.
Your trust is important to us, which is why we take data protection seriously and ensure the appropriate level of security. We observe the statutory provisions of the Swiss Federal Act on Data Protection (FADP), the Ordinance to the Federal Act on Data Protection (DPO), the Swiss Telecommunications Act (TCA) and any other data protection provisions which may apply under Swiss or EU law, in particular the General Data Protection Regulation (GDPR), as a matter of course.
Please take note of the following information so that you are aware of the personal data we collect from you and the purposes for which we use it.
A. Processing data in connection with our website
1. Accessing our website When you visit our websites, our server temporarily stores each access in a protocol file. The following technical data is recorded automatically at that time, as is usually the case when you connect to any web server, and stored by us until the next automatic erasure after no more than 12 months: - The IP address of the computer sending the query - The name of the owner of the IP address range (usually your Internet access provider) - The date and time of access - The website from which access was gained (referrer URL) with the search term used if applicable - The name and URL of the file accessed - The status code (e.g. error message) - The operating system of your computer - The browser you used (type, version and language) - The transfer protocol used (e.g. HTTP/1.1) - Your user name if you registered/logged in This data is collected and processed to allow users to use our websites (to establish a connection), to ensure permanent system security and stability, to enable us to optimise our online offering and for internal statistical purposes. This is the basis for our legitimate interest in processing the data within the meaning of Art. 6 para. 1 letter f GDPR.
The IP address is also analysed together with the other data to investigate and prevent attacks on our network infrastructure or other unauthorised use or abuse of the websites and, if applicable, during criminal proceedings for identifying and prosecuting the relevant users under civil and criminal law. This is the basis for our legitimate interest in processing the data within the meaning of Art. 6 para. 1 letter f GDPR.
2. Using our contact form Where you have the option on our websites to use a contact form to get in touch with us, we generally require the following information: - Title - First name and surname - E-mail address - Telephone number - Message The information that is required to process your request smoothly is marked as a mandatory entry. Entering other information is optional. We use this data and your address, if you provide it voluntarily, to reply to your request for contact as effectively as possible and in a personalised manner. Processing this data is therefore necessary to take steps prior to entering into a contract within the meaning of Art. 6 para. 1 letter b GDPR and is in our legitimate interest pursuant to Art. 6 para. 1 letter f GDPR.
3. Signing up for our newsletter Where you have the option on our websites to subscribe to our newsletter, you need to register. The following data must be submitted during the registration process: Title First name and surname E-mail address The data above is required for data processing. We only process this data to personalise the information and offers sent to you and to better match them to your interests. When you register, you give us your consent to process the data provided to regularly send the newsletter to the address you specified, to statistically analyse your usage behaviour and to optimise the newsletter. This consent constitutes our legal basis for processing your e-mail address within the meaning of Art. 6 para. 1 letter a GDPR. We are entitled to commission third parties with the technical implementation of advertising initiatives and to pass on your data for this purpose (see no. 20 below). At the end of every newsletter, there is a link for you to unsubscribe from the newsletter at any time. When you unsubscribe you can give a reason if you wish. After you have unsubscribed from the newsletter, your personal data will be erased. It will only be processed further in an anonymised form to optimise our newsletter.
4. Opening a customer account Where you have the option on our websites to make bookings, you can place an order as a guest or open a customer account. When you register for a customer account, we generally collect the following data: - Title - First name and surname - Postal address - Telephone number - E-mail address - Password and security question The information that is required to process the opening of your customer account smoothly is marked as a mandatory entry. Entering other information is optional. We collect this data and other information you provide voluntarily (e.g. company name) to provide you with direct, password-protected access to your basic data stored with us. In your account, you can view previous and current bookings or manage and amend your personal data.
The legal basis for processing the data for this purpose is the consent you have given in accordance with Art. 6 para. 1 letter a GDPR.
5. Booking on the website or by calling or corresponding with us If you book overnight stays, leisure activities, spa services or medical services and/or purchase vouchers via our websites, by corresponding with us (by e-mail or letter) or by calling us, we generally require the following data to process the contract: - Title - First name and surname - Postal address - Telephone number - Credit card information - E-mail address The information that is required to process your booking smoothly is marked as a mandatory entry or – if you book by telephone – requested from you in person. Entering other information is optional. We will only use other information you provide voluntarily (e.g. date of birth, expected arrival time, vehicle number plate, preferences, comments) to process the contract unless otherwise specified in this privacy statement or unless you have given separate consent. In particular, we will process the data to enter your booking as required, to provide the booked services, to contact you in the event of problems or if anything is unclear, and to ensure that the payment is correct. Please note that we may pass your data on to third parties insofar as this is required for the use of the websites and for processing the contract, for example when purchasing vouchers (see no. 20). The legal basis for processing the data for this purpose is the performance of a contract in accordance with Art. 6 para. 1 letter b GDPR.
6. Applying for a job Where you have the option on our websites to apply for jobs, you must submit a complete application. As a general rule, the following data must be submitted: - Title - First name and surname - Language - Postal address - Date of birth - E-mail address - Application documents (CV, covering letter, etc.) The information that is required to process your application smoothly is marked as a mandatory entry. This data and other information you provide voluntarily (e.g. telephone number) will be used in the application process. Unless you explicitly consent to further processing, the data will be erased after the relevant application procedure. The legal basis for data processing is therefore to take steps prior to entering into a contract and that it is in our legitimate interest pursuant to Art. 6 para. 1 letters b and f GDPR. The legal basis for further data processing is the consent you have given pursuant to Art. 6 para. 1 letter a GDPR.
7. Cookies Cookies help to make your visit to our website easier, more pleasant and more useful in many ways. Cookies are information files placed automatically on your computer’s hard drive by your web browser when you visit our website.
Most Internet browsers accept cookies automatically. However, you can configure your browser so that no cookies are placed on your computer or a message always appears when you receive a new cookie. Please visit the following webpages to find out how to configure the processing of cookies in the most common browsers: - MICROSOFT WINDOWS INTERNET EXPLORER - MICROSOFT WINDOWS INTERNET EXPLORER MOBILE - MOZILLA FIREFOX - GOOGLE CHROME FOR DESKTOP - GOOGLE CHROME FOR MOBILE - APPLE SAFARI FOR DESKTOP - APPLE SAFARI FOR MOBILE Deactivating cookies may mean that you are not able to use all the functions on our website.
8. Tracking tool
a. Google Analytics
We use the web analytics service from Google Analytics to design our websites to meet users’ needs and optimise them continuously. User profiles with pseudonyms are created and cookies placed on your computer are used for this purpose. The information generated by the cookie is transmitted to the Google Analytics server where it is stored and processed for us. In some cases, we may receive the following information in addition to the data listed in no. 1 as a result: - Navigation path taken by a user on the site - Time spent on the website or a subpage - The subpage from which the webpage is left - The country, region or city from which a website is accessed - Device (type, version, colour depth, resolution, width and height of the browser window) - Returning or new visitor The information is used for evaluating use of the website, compiling reports on website activity and providing other services relating to website activity and Internet usage for market research and designing our website to meet users’ needs. This information may also be transmitted to third parties if required by law or if third parties process this data on our behalf (see also no. 17 ff.).
Google Analytics is provided by Google Inc., a company of the holding company Alphabet Inc., which is based in the USA. For the Member States of the European Union or for other parties to the Agreement on the European Economic Area, the IP address is truncated before the data is transmitted to the provider due to the activation of IP anonymisation (“anonymizeIP”) on our website. Google does not associate the anonymised IP address transmitted by your browser for Google Analytics with any other data held by Google. Only in exceptional cases will the full IP address be sent to and shortened by Google servers in the USA. In such cases, we ensure that Google Inc. maintains an adequate level of data protection by means of contractual safeguards. Google Inc. states that the IP address will not be associated with other data concerning users under any circumstances.
Visit the Google Analytics website to find out more about the web analytics service we use. You can find instructions on how to prevent your data being processed by the web analytics service HERE.
b. Mouseflow Mouseflow is a web analytics tool that can be used by our websites to analyse user behaviour on our sites and make suitable improvements. Mouseflow procures and processes the following data: - Clicks, mouse movements, hovering, scrollin - Browser and device (desktop/tablet/mobile) - Language - Operating system and screen resolution - Duration of visit - Navigation (URLs) and page content (HTML), referrer URL - IP and location (city, country - Visitor type (first-time visitor/returner) - Individual tags or variables The information is used for evaluating use of the websites, compiling reports and heat maps on website activity and providing other services relating to website activity and Internet usage for market research and designing our websites to meet users’ needs. This information may also be transmitted to third parties if required by law and if third parties process this data on our behalf (see also no. 17 ff.). Mouseflow is provided by a company of Mouseflow ApS, which is based at Flaesketorvet 68, 1711 Copenhagen, Denmark. Visit the Mouseflow website to find out more about the web analytics service we use. You can find instructions on how to prevent your data being processed by the web analytics service HERE.
9. Re-targeting “Re-targeting” technology may be used on the websites. This technology analyses your user behaviour on our websites to offer you tailor-made advertising on later visits, including to partner websites. Your user behaviour is recorded with a pseudonym. Most re-targeting technology operates using cookies (see no. 7). You can prevent re-targeting at any time by refusing or deactivating the relevant cookies in your web browser’s menu bar.
a. DoubleClick We may use DoubleClick by Google to display advertising based on your use of previously visited websites. To do this, Google uses the “DoubleClick” cookie, which makes it possible to recognise your browser when you visit other websites. The information generated by the cookie about the visit to our websites (including your IP address) is sent to and stored by Google servers in the USA. Google will use this information for analysing your use of the website in view of the advertisements to display, compiling reports on website activity and advertisements for website operators and providing other services relating to website activity and Internet usage. Google may also transmit this information to third parties if required by law or if third parties process this data on its behalf. However, Google will not associate your IP address with other data held by Google under any circumstances.
b. AppNexus We may use AppNexus. AppNexus consists of a technical platform used for buying, selling and offering interest-based online advertising (usually via real-time bidding). AppNexus therefore does not buy, sell or offer advertising itself – it provides us with the technology. To collect and store platform data concerning browsers and devices via websites and apps for a long period of time, the platform uses technology such as cookies and non-cookie technologies. AppNexus does not share the data collected on the platform with others. AppNexus is a service provided by AppNexus Inc., 28 W. 23rd Street, 10010 New York, USA. Visit the AppNexus website to find out more about the re-targeting tool we use. You can find information about privacy at AppNexus HERE.
c. Facebook Connect Our websites can use Facebook Connect. Facebook Connect is a function offered by Facebook allowing Facebook users to log in to other websites, apps and services using their Facebook login. The other service then receives access to certain preferences and connections stored on Facebook on which it can base its own offers. Facebook may use data concerning the steps users take while using these other services to recognise visitors to our website when they use Facebook services and to show personalised offers based on their interests and preferences.
Facebook Connect is a service provided by Facebook Inc., 1601 S California Ave, Palo Alto, CA 94304, USA or, if you are an EU resident, Facebook Ireland, Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland. Visit the Facebook website to find out more about the re-targeting tool we use. You can refuse this form of advertising by adjusting your browser settings HERE.
d. Facebook Custom Audience We may use Custom Audience, a communication tool. As a basic principle, when Custom Audience is used, a non-reversible and non-personal checksum (hash value) is generated from your usage data and may be transmitted to Facebook for analysis and marketing purposes. The Facebook cookie is accessed to do this. Custom Audience is a service provided by Facebook Inc., 1601 S California Ave, Palo Alto, CA 94304, USA or, if you are an EU resident, Facebook Ireland, Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland. Visit the Facebook website to find out more about the re-targeting tool we use. You can object to the use of Facebook Custom Audience HERE.
10. Links to our social media pages We have included links to our social media profiles on our websites. The links may lead to the following networks: - Facebook Inc., 1601 S California Ave, Palo Alto, CA 94304, USA - Twitter Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA - Instagram Inc., 1601 Willow Road, Menlo Park, CA 94025, USA - YouTube, a service operated by Google Inc. - Tripadvisor Inc., 400 1st Avenue, Needham, MA 02494, USA - Pinterest Inc., 635 High Street, Palo Alto, CA 94301, USA - LinkedIn Ireland Unlimited Company, Dublin 2, Ireland - Xing SE, Dammtorstrasse 30, 20354 Hamburg, Germany - Kununu GmbH, Neutorgasse 4-8, A – 1010 Vienna If you click on the relevant symbols of the social networks, you will automatically be redirected to our profiles on the respective networks. You may have to log in to your user account to use the relevant network’s functions. If you open a link to one of our social media profiles, a direct connection will be established between your browser and the server of the relevant social network. The network will then receive the information that you are visiting our websites with your IP address and have opened the link. If you open a link to a network while you are logged into your account with the relevant network, the content of our website can be linked to your profile on the network, which means that the network can directly associate your visit to our websites with your user account. If you want to prevent this, you should log out before clicking on these links. However, this association will be made anyway if you log into the relevant network after clicking the link.
B. Processing data in connection with your stay
11. Processing data to comply with statutory notification obligations When you arrive at our hotels, we may require the following information from you and the people accompanying you: - First name and surname - Postal address and canton - Date of birth - Place of birth - Nationality - Official form of identification and number - Arrival and departure day - Room number We collect this information to comply with statutory notification obligations arising from hotel and catering industry and police legislation in particular. Insofar as we are obliged to do so by the applicable provisions, we will forward this information to the relevant police authority. Our legitimate interest within the meaning of Art. 6 para. 1 letter f GDPR is to comply with the legal requirements.
12. Processing data to provide the booked service in general When you arrive at our hotels, we may require the following information from you and the people accompanying you: - First name and surname - Postal address and canton - Date of birth - Place of birth - Nationality - Official form of identification and number - Arrival and departure day - Room number We also require a copy of the official form of identification for international guests. We collect this information to comply with our contractual and post-contractual obligations towards you. The processing of this data is necessary for processing the contract with us within the meaning of Art. 6 para. 1 letter b GDPR.
13. Recording services received in the spa and wellness area If you receive services from our spa and wellness area during your stay at our hotels, the service (e.g. single entrance) and the time it was received will be recorded and processed by us for billing purposes and to provide the booked service. As a general rule, we require the following information for this purpose: - First name and surname - Postal address - E-mail address - Telephone number - Room number (if available) You also have the option of joining our Alpine Spa Member’s Club. To process your request to become a member and in particular to contact you, we need to have the following information: - First name and surname - E-mail address - Telephone number The processing of this data is necessary for processing the contract with us within the meaning of Art. 6 para. 1 letter b GDPR.
14. Recording leisure services received and booked activities If you receive leisure services or book activities during your stay at our hotels, the service (e.g. fitness analysis or cinema visit) and the time it was received will be recorded and processed by us for billing purposes and to provide the booked service. As a general rule, we require the following information for this purpose: - First name and surname - Postal address - E-mail address - Telephone number - Room number (if available) The processing of this data is necessary for processing the contract with us within the meaning of Art. 6 para. 1 letter b GDPR.
15. Recording medical services received If you receive medical services during your stay at our hotels, the service (e.g. diagnosis, treatment) and the time it was received will be recorded and processed by us for billing purposes, to provide the booked service and to draw up the treatment plans. As a general rule, we require the following information for this purpose: - First name and surname - Postal address - Date of birth - Health insurance provider’s details - Details of your state of health - E-mail address - Telephone number - Room number (if available) The processing of this data is necessary for processing the contract with us within the meaning of Art. 6 para. 1 letter b GDPR.
16. Recording other services If you use other services in our hotels during your stay (e.g. the minibar or the WiFi), the service and the time it was used will be recorded by us for billing purposes. The processing of this data is necessary for processing the contract with us within the meaning of Art. 6 para. 1 letter b GDPR.
C. Processing data in connection with our CRM system The personal data mentioned in the sections above is stored centrally in our CRM system. The data in the central CRM system is processed by us to manage the customer relationship and for advertising purposes, in particular to offer you personalised services and products.
The legal basis for data processing as part of customer management is the processing of the contract within the meaning of Art. 6 para. 1 letter b GDPR. With regard to data processing as part of advertising activities, the legal basis is also the processing of the contract (the existing customer relationship justifies data processing for advertising activities), as well as the consent you gave within the meaning of Art. 6 para. 1 letter a GDPR when you registered for the newsletter (see no. 3).
D. Storing and exchanging data with third parties
17. Booking platforms If you book via a third-party platform, we receive various personal information from the relevant platform operator (e.g. if you book a table via the external platforms “bookatable” and “LaFourchette”). This is generally the data listed in no. 5 of this privacy statement. Any requests concerning your booking are also forwarded to us. In particular, we will process the data to enter your booking as required and to provide the booked services. The legal basis for processing the data for this purpose is the performance of a contract in accordance with Art. 6 para. 1 letter b GDPR.
Finally, we may be informed by the platform operators about disputes in connection with a booking. If so, we may also receive data concerning the booking process in some cases, which may include a copy of the booking confirmation to serve as evidence of the booking actually being completed. We process this data to safeguard and enforce our claims. This is the basis for our legitimate interest within the meaning of Art. 6 para. 1 letter f GDPR.
Please also observe the privacy information of the relevant provider.
18. Central storage and combination of data We store the data submitted in a central electronic data processing system. Your personal data is systematically recorded and combined to process your bookings and perform the contractual services. We use software from Revinate Inc, 1 Letterman Drive, San Francisco, California 94129, USA to do this. This data is processed using the software based on our legitimate interest within the meaning of Art. 6 para. 1 letter f GDPR in customer-friendly and efficient customer data management.
19. Retention period We only store personal data for as long as is necessary to use the tracking services mentioned above and to make use of the further processing for our legitimate interests. Contract data is stored by us for longer as this is required by statutory retention obligations. Retention obligations that oblige us to retain data arise from provisions regarding notification legislation and accounting and from tax legislation. In accordance with these provisions, business communications, contracts concluded and booking documents must be retained for up to 10 years. If we no longer require this data to perform services for you, the data will be blocked. This means that the data may then only be used for accounting and tax purposes.
20. Passing data on to third parties We only pass on your personal data if you have explicitly given your consent, if there is a statutory obligation to do so or if it is necessary to enforce our rights, in particular to enforce claims arising from the contractual relation. We also pass your data on to third parties if it is required for using the website and processing the contract (including outside of the website), in particular for processing your bookings, for example when you purchase vouchers.
One service provider to which the personal data collected via the website is passed on, or which has or may have access to the personal data, is our web hosting provider Positioner SA, Centro Monda 3, 6528 Camorino, Switzerland. The website is hosted on servers in Switzerland. The data is passed on for the purpose of providing and maintaining our website’s functions. This is the basis for our legitimate interest within the meaning of Art. 6 para. 1 letter f GDPR.
Finally, we forward your credit card information to your credit card issuer and the credit card acquirer when you pay by credit card on the website. If you choose to pay by credit card, you will be asked to enter all the necessary information each time. The legal basis for passing on the data is the performance of a contract in accordance with Art. 6 para. 1 letter b GDPR. For information about the processing of your credit card information by these third parties, please also read the general terms and conditions and privacy statement of your credit card issuer.
21. Transmitting personal data to another country We are entitled to transmit your personal data, including to external companies (commissioned service providers) in another country, for the data processing described in this privacy statement. These companies are subject to the same data protection obligations as we are. If the level of data protection in a country is not equivalent to that of Switzerland or Europe, we ensure by means of a contract that the protection of your personal data is equivalent to the protection provided in Switzerland and/or in the EU at all times.
E. Further information
22. Right to access, rectification, erasure and restriction of processing; right to data portability You have the right to receive access to the personal data that we store about you on request. You also have the right to rectification of incorrect data and the right to erasure of your personal data if this is not precluded by any statutory retention obligation or permission which allows us to process the data.
In addition, you have the right to ask us to return the data you have submitted to us (right to data portability). We will also pass the data on to a third party of your choice on request. You have the right to receive the data in a commonly used file format.
You can contact us using the e-mail address email@example.com for the purposes specified above. We reserve the right to ask for proof of your identity to process your requests.
23. Data security We implement technical and organisational security measures that are suitable for us to protect your personal data that we store from manipulation, partial or total loss and unauthorised access by third parties. Our security measures are improved on an ongoing basis in line with technological development.
You should always keep your login details confidential and close the browser window when you have finished communicating with us, especially if you share your computer with others.
We also take data protection within the company very seriously. Our employees and the service providers commissioned by us are subject to confidentiality obligations and are obliged to comply with data protection provisions.
24. Note on transmitting data to the USA For the sake of completeness, we wish to point out to users residing or established in Switzerland that, in the USA, US authorities carry out monitoring activities which allow all personal data belonging to all persons whose data has been transmitted from Switzerland to the USA to be stored as a general rule. These activities are carried out without differentiation, restriction or exception based on the aim pursued and with no objective criterion that makes it possible to restrict the US authorities’ access to the data and its subsequent use to specifically defined, strictly limited purposes which are able to justify the intrusion associated with both access to this data and to its use. We also wish to point out that, in the USA, there are no legal remedies available to the data subjects from Switzerland that enable them to receive access to the data concerning them and to have it rectified or erased, and no effective judicial protection from the general access rights of US authorities. We explicitly make data subjects aware of these facts and the legal situation so that they can make a suitably informed decision about giving their consent to the use of their data.
We wish to point out to users residing in a Member State of the EU that, from the perspective of the European Union, the USA does not have an adequate level of data protection due to the issues mentioned in this section, among other points. Insofar as we have specified in this privacy statement that data recipients (e.g. Google) are based in the USA, we will ensure that your data is protected to an adequate level by our partners, either by means of contractualregulations imposed on these companies or by making sure these companies are certified under the EU- or Swiss-US Privacy Shield framework.
25. Right to lodge a complaint with a data protection authority You have the right to lodge a complaint with a data protection authority at any time.