Privacy Policy
With this privacy policy, we inform you about the processing of personal data in connection with our activities and operations, including our hotel-staila.ch website. In particular, we explain for what purposes, how, and where we process personal data. We also provide information about the rights of individuals whose data we process.
For specific or additional activities and operations, further privacy policies or other data protection information may apply.
We are subject to Swiss data protection law and, where applicable, foreign data protection law, including that of the European Union (EU) with the European General Data Protection Regulation (GDPR).
On July 26, 2000, the European Commission recognized that Swiss data protection law ensures an adequate level of data protection. On January 15, 2024, the European Commission confirmed this adequacy decision.
1. Contact Details
Responsible for processing personal data:
Staila SA
Hotel Landgasthof Staila
Via cumünala 27
7533 Fuldera
In individual cases, third parties may be responsible for processing personal data, or there may be joint responsibility with third parties.
1.1 Data Protection Officer
We have the following data protection officer as a contact point for data subjects and authorities regarding data protection queries:
Irène Hohenegger-Heini
Hotel Landgasthof Staila
Via cumünala 27
7533 Fuldera
1.2 Data Protection Representation in the European Economic Area (EEA)
We have the following data protection representation according to Art. 27 GDPR:
VGS Datenschutzpartner GmbH
Am Kaiserkai 69
20457 Hamburg
Germany
The data protection representation serves as an additional contact point for data subjects and authorities in the European Union (EU) and the rest of the European Economic Area (EEA) regarding GDPR-related queries.
2. Terms and Legal Bases
2.1 Terms
Data Subject: Natural person whose personal data we process.
Personal Data: All information relating to an identified or identifiable natural person.
Special Categories of Personal Data: Data concerning union, political, religious, or ideological views and activities, health, private life, ethnicity, or race, genetic data, biometric data uniquely identifying a person, criminal and administrative sanctions or prosecutions, and social assistance measures.
Processing: Any operation with personal data, regardless of the methods and procedures applied, such as querying, aligning, modifying, archiving, storing, reading, disclosing, acquiring, recording, collecting, deleting, revealing, sorting, organizing, changing, distributing, linking, destroying, and using personal data.
European Economic Area (EEA): Member states of the European Union (EU), along with Liechtenstein, Iceland, and Norway.
2.2 Legal Bases
We process personal data in accordance with Swiss data protection law, such as the Federal Act on Data Protection (Data Protection Act, DPA) and the Data Protection Ordinance (DPO).
Where the European General Data Protection Regulation (GDPR) applies, we process personal data under at least one of the following legal bases:
- Art. 6(1)(b) GDPR for processing personal data necessary to perform a contract with the data subject or to take pre-contractual measures.
- Art. 6(1)(f) GDPR for processing personal data to protect legitimate interests – including those of third parties – unless such interests are overridden by the fundamental rights and freedoms of the data subject. Such interests particularly include the continuous, user-friendly, secure, and reliable execution of our activities and operations, ensuring information security, protecting against misuse, enforcing our own legal claims, and complying with Swiss law.
- Art. 6(1)(c) GDPR for processing personal data necessary to comply with a legal obligation to which we are subject, as applicable under the laws of the EEA member states.
- Art. 6(1)(e) GDPR for processing personal data necessary for the performance of a task carried out in the public interest.
- Art. 6(1)(a) GDPR for processing personal data with the consent of the data subject.
- Art. 6(1)(d) GDPR for processing personal data necessary to protect the vital interests of the data subject or another natural person.
- Art. 9(2) et seq. GDPR for processing special categories of personal data, particularly with the consent of the data subject.
The European General Data Protection Regulation (GDPR) designates the processing of personal data as the processing of personal data, and the processing of special categories of personal data as processing special categories of personal data (Art. 9 GDPR).
3. Nature, Scope, and Purpose of Data Processing
We process personal data only as needed to carry out our activities and operations in a sustainable, user-friendly, secure, and reliable manner. The personal data processed may fall into categories such as browser and device data, content data, communication data, metadata, usage data, master data, including inventory and contact data, location data, transaction data, contract data, and payment data.
We also process personal data received from third parties, obtained from publicly accessible sources, or collected during our activities and operations, as permitted by law.
Where necessary, we process personal data with the consent of the data subject. In many cases, we can process personal data without consent, such as to fulfill legal obligations or protect overriding interests. We may also request consent from data subjects when not required.
We process personal data for the duration necessary for the respective purpose. We anonymize or delete personal data, particularly considering legal retention and limitation periods.
4. Disclosure of Personal Data
We may disclose personal data to third parties, have them processed by third parties, or jointly process them with third parties. These third parties primarily consist of specialized providers whose services we use.
We may disclose personal data, for example, to banks and other financial service providers, authorities, educational and research institutions, consultants and lawyers, interest groups, IT service providers, cooperation partners, credit and economic information services, logistics and shipping companies, marketing and advertising agencies, media, organizations and associations, social institutions, telecommunications companies, and insurers.
5. Communication
We process personal data to communicate with third parties. In this context, we process data provided by a data subject when contacting us, for example, by letter or email. We may store such data in an address book or similar tools.
Third parties transmitting data about other individuals must ensure data protection for these data subjects, including ensuring the accuracy of the transmitted personal data.
6. Data Security
We take appropriate technical and organizational measures to ensure data security commensurate with the respective risk. With our measures, we particularly ensure the confidentiality, availability, traceability, and integrity of the processed personal data, while we cannot guarantee absolute data security.
Access to our website and other online presence occurs via transport encryption (SSL / TLS, especially with Hypertext Transfer Protocol Secure, abbreviated HTTPS). Most browsers warn before visiting websites without transport encryption.
Our digital communication is subject – like virtually all digital communication – to mass surveillance without cause or suspicion by security authorities in Switzerland, other parts of Europe, the United States of America (USA), and other countries. We have no direct influence on the respective processing of personal data by intelligence services, police authorities, and other security authorities. We cannot exclude the possibility that a data subject may be specifically monitored.
7. Personal Data Abroad
We process personal data primarily in Switzerland and the European Economic Area (EEA). However, we may also export or transmit personal data to other countries, particularly to process it there or have it processed.
We may export personal data to all countries on Earth and elsewhere in the universe if the applicable law in those locations, according to the decision of the Swiss Federal Council and – where the GDPR applies – also according to the decision of the European Commission, ensures an adequate level of data protection.
We may transfer personal data to countries whose laws do not ensure adequate data protection if other reasons guarantee data protection, particularly based on standard data protection clauses or other suitable safeguards. Exceptionally, we may export personal data to countries without adequate or appropriate data protection if the specific data protection requirements are met, such as the explicit consent of the data subject or a direct connection with the conclusion or fulfillment of a contract. We are happy to provide information upon request about any guarantees or provide copies of any guarantees.
8. Rights of Data Subjects
8.1 Data Protection Claims
We grant data subjects all rights in accordance with applicable data protection law. In particular, data subjects have the following rights:
- Access: Data subjects may request information about whether we process their personal data and, if so, which personal data is involved. Data subjects also receive the information necessary to assert their data protection rights and ensure transparency. This includes the personal data processed as such, but also details such as the purpose of processing, retention duration, any disclosure or transfer of data to other countries, and the source of the personal data.
- Correction and Restriction: Data subjects may correct incorrect personal data, complete incomplete data, and restrict the processing of their data.
- Deletion and Objection: Data subjects may request the deletion of personal data (“right to be forgotten”) and object to the processing of their data with future effect.
- Data Release and Transfer: Data subjects may request the release of personal data or the transfer of their data to another controller.
We may postpone, restrict, or deny the exercise of data subjects’ rights within the legally permissible scope. We may inform data subjects about any prerequisites for exercising their data protection rights. For example, we may refuse access entirely or partially by referring to confidentiality obligations, overriding interests, or the protection of other persons. We may also refuse to delete personal data entirely or partially, particularly with reference to statutory retention obligations.
We may exceptionally impose costs for exercising rights. We will inform data subjects in advance of any potential costs.
We are obligated to take reasonable measures to verify the identity of data subjects who request access or exercise other rights. Data subjects must cooperate.
8.2 Legal Protection
Data subjects have the right to enforce their data protection rights through legal action or file a complaint with a data protection supervisory authority.
The data protection supervisory authority for private controllers and federal authorities in Switzerland is the Federal Data Protection and Information Commissioner (FDPIC).
European data protection supervisory authorities are organized as members of the European Data Protection Board (EDPB). In some EEA member states, data protection supervisory authorities have a federal structure, particularly in Germany.
9. Use of the Website
9.1 Cookies
We may use cookies. Cookies – our own (first-party cookies) as well as cookies from third parties whose services we use (third-party cookies) – are data stored in the browser. Such stored data is not necessarily limited to traditional text-based cookies.
Cookies may be temporarily stored in the browser as “session cookies” or for a specific period as “persistent cookies.” “Session cookies” are automatically deleted when the browser is closed. Persistent cookies have a specific storage duration. Cookies allow a browser to be recognized the next time a user visits our website, enabling us, for example, to measure the reach of our website. Persistent cookies may also be used for online marketing.
Cookies can be entirely or partially deactivated and deleted in the browser settings at any time. Without cookies, our website may not be available in full. We actively seek explicit consent for the use of cookies – at least where and when necessary.
For cookies used for success and reach measurement or for advertising purposes, a general opt-out is available for numerous services via AdChoices (Digital Advertising Alliance of Canada), the Network Advertising Initiative (NAI), YourAdChoices (Digital Advertising Alliance), or Your Online Choices (European Interactive Digital Advertising Alliance, EDAA).
9.2 Logging
We may log at least the following data for every access to our website and other online presence, provided such data is transmitted to our digital infrastructure during such access: date and time, including time zone, IP address, access status (HTTP status code), operating system, including user interface and version, browser, including language and version, specific sub-page of our website accessed, including the volume of data transmitted, and the last website accessed within the same browser window (referrer).
We log such data, which may also be personal data, in log files. This information is necessary to ensure the continuous, user-friendly, and reliable availability of our online presence and to ensure data security – either by ourselves or with the help of third parties.
9.3 Web Beacons
We may integrate web beacons into our online presence. Web beacons, also known as tracking pixels, are usually small, invisible images or JavaScript scripts that are automatically retrieved when our online presence is accessed. Web beacons can capture at least the same data as log files.
10. Notifications and Announcements
10.1 Success and Reach Measurement
Notifications and announcements may contain hyperlinks or web beacons that track whether a notification has been opened and which links have been clicked. These hyperlinks and web beacons may also track the usage of notifications and announcements on an individual basis. We need this statistical tracking to measure success and reach, to send notifications and announcements in an effective and user-friendly way based on the preferences and reading habits of recipients, as well as to send them securely, reliably, and sustainably.
10.2 Consent and Objection
You must generally consent to the use of your email address and other contact information, except where such use is permitted on other legal grounds. To collect doubly confirmed consent, we may use the “double opt-in” procedure. In this case, you will receive a message with instructions for double confirmation. We may log collected consents, including IP address and timestamp, for evidence and security purposes.
You can generally object to receiving notifications and announcements, such as newsletters, at any time. By objecting, you may also object to statistical tracking for success and reach measurement. Necessary notifications and announcements in connection with our activities and operations are excluded.
10.3 Service Providers for Notifications and Announcements
We send notifications and announcements with the help of specialized service providers.
In particular, we use:
- Mailchimp: Communication platform; Provider: The Rocket Science Group LLC DBA Mailchimp (USA), a subsidiary of Intuit Inc. (USA); Privacy information: Privacy Statement (Intuit), including “Country and Region-Specific Terms,” “Frequently Asked Questions about Mailchimp Privacy”, “Mailchimp and European Data Transfers”, “Security”, Cookie Policy, “Privacy Rights Requests”, “Legal Terms”.
11. Social Media
We are present on social media platforms and other online platforms to communicate with interested parties and inform them about our activities and operations. Personal data may be processed outside Switzerland and the European Economic Area (EEA) in connection with these platforms.
The terms and conditions, usage policies, privacy policies, and other regulations of each platform’s operator apply. These regulations inform data subjects about their rights directly with the platform, such as the right to access.
For our social media presence on Facebook including so-called page insights – where the General Data Protection Regulation (GDPR) applies – we are jointly responsible with Meta Platforms Ireland Limited (Ireland). Meta Platforms Ireland Limited is part of the Meta Companies (including the USA). Page insights provide information about how visitors interact with our Facebook presence. We use page insights to provide our social media presence on Facebook in an effective and user-friendly way.
Further information about the nature, scope, and purpose of data processing, information about the rights of data subjects, and the contact details of Facebook and its data protection officer can be found in the Facebook Privacy Policy. We have entered into a “Controller Addendum” with Facebook, specifying that Facebook is responsible for ensuring the rights of data subjects. For page insights, corresponding information can be found on the “Information about Page Insights” page, including “Information about Page Insights Data”.
12. Services of Third Parties
We use the services of specialized third parties to carry out our activities and operations in a sustainable, user-friendly, secure, and reliable manner. These services allow us, among other things, to embed functions and content into our website. For such embedding, the services used must, for technical reasons, capture the IP addresses of users at least temporarily.
For necessary security-related, statistical, and technical purposes, third parties whose services we use may process data in aggregated, anonymized, or pseudonymized form in connection with our activities and operations. This may include performance or usage data to provide the respective service.
In particular, we use:
- Google Services: Providers: Google LLC (USA) / Google Ireland Limited (Ireland) partially for users in the European Economic Area (EEA) and Switzerland; General information about data protection: “Privacy and Security Principles”, “Information on how Google uses personal data”, Privacy Policy, “Google’s commitment to compliance with applicable data protection laws”, “Privacy Guide for Google Products”, “How we use data from websites or apps that use our services”, “Types of cookies and similar technologies that Google uses”, “Advertising you control” (“Personalized Advertising”).
12.1 Digital Infrastructure
We use the services of specialized third parties to access the necessary digital infrastructure for our activities and operations. This includes hosting and storage services from selected providers.
In particular, we use:
- Hostpoint: Hosting; Provider: Hostpoint AG (Switzerland); Privacy information: Privacy Policy.
- WordPress.com: Blog hosting and website builder; Providers: Automattic Inc. (USA) / Aut O’Mattic A8C Ireland Ltd. (Ireland) for users in Europe, among others; Privacy information: Privacy Policy, Cookie Policy.
12.2 Maps
We use the services of third parties to embed maps into our website.
In particular, we use:
- Google Maps including Google Maps Platform: Map service; Provider: Google; Google Maps-specific information: “How Google uses location information”.
12.3 Digital Content
We use the services of specialized third parties to embed digital content into our website. Digital content includes in particular images and videos, music, and podcasts.
In particular, we use:
- Vimeo: Video platform; Provider: Vimeo Inc. (USA); Privacy information: Privacy Policy, “Private Video Hosting”.
12.4 Payments
We use specialized service providers to process payments from our customers securely and reliably. The legal texts of the individual service providers, such as terms and conditions or privacy policies, apply additionally for payment processing.
In particular, we use:
- PostFinance: Payment processing; Provider: PostFinance AG (Switzerland); Privacy information: “Legal Information and Accessibility”, “Privacy” (including privacy statements).
- TWINT: Payment processing in Switzerland; Provider: TWINT AG (Switzerland); Privacy information: Privacy Policy, “Swiss Standards for Security”.
- Worldline: Payment processing, especially with mobile payment solutions; Providers: Worldline SA (France), Worldline Switzerland AG (Switzerland), and other Worldline companies worldwide (including the USA); Privacy information: Privacy Policy, “Responsible Disclosure Program”, Cookie Notice.
13. Website Extensions
We use extensions for our website to enable additional functions. We may use selected services from suitable providers or such extensions on our digital infrastructure.
In particular, we use:
- Google reCAPTCHA: Spam protection (distinguishing between legitimate content from humans and unwanted content from bots and spam); Provider: Google; Google reCAPTCHA-specific information: “What is reCAPTCHA?”.
14. Success and Reach Measurement
We strive to measure the success and reach of our activities and operations. In this context, we may also measure the impact of third-party notices or check how different parts or versions of our online offering are used (“A/B test” method). Based on the results of success and reach measurement, we can correct errors, strengthen popular content, or make improvements.
In most cases, the IP addresses of individual users are collected for success and reach measurement. IP addresses are generally shortened (“IP masking”) to follow the principle of data minimization through pseudonymization.
Cookies may be used for success and reach measurement, and user profiles may be created. Any user profiles created may include, for example, the specific pages visited or content viewed on our website, screen size or browser window details, and – at least approximately – location. Generally, any created user profiles are pseudonymized and not used to identify individual users. Some third-party services, where users are logged in, may associate the use of our online offering with the user account or profile on the respective service.
In particular, we use:
- Google Marketing Platform: Success and reach measurement, particularly with Google Analytics; Provider: Google; Google Marketing Platform-specific information: Measurement across browsers and devices (cross-device tracking) with pseudonymized IP addresses, which are only exceptionally fully transmitted to Google in the USA, Google Analytics Privacy Policy, “Browser Add-on for Disabling Google Analytics”.
- Google Tag Manager: Embedding and managing Google and third-party services, particularly for success and reach measurement; Provider: Google; Google Tag Manager-specific information: Google Tag Manager Privacy Policy; further information on data protection can be found in the individual embedded and managed services.
15. Final Provisions
We created this privacy policy with the Privacy Policy Generator from Datenschutzpartner. The present privacy policy is an unofficial translation from the original German version.
We may amend or supplement this privacy policy at any time. We will provide information about such amendments and supplements in an appropriate manner, particularly by publishing the current privacy policy on our website.