Privacy Policy

With this Privacy Policy, we inform about the personal data we process in connection with our activities and operations, including our website. We particularly inform about the purposes, methods, and locations of our processing of personal data. We also provide information about the rights of individuals whose data we process.

For specific or additional activities and operations, additional privacy policies as well as other legal documents such as Terms and Conditions (AGB), Terms of Use, or Participation Conditions may apply.

We are subject to Swiss data protection law as well as any applicable foreign data protection law, such as that of the European Union (EU), in particular the General Data Protection Regulation (GDPR). The European Commission recognizes that Swiss data protection law ensures adequate data protection.

1. Contact Information

Responsible for the processing of personal data:

Staila SA
Hotel Landgasthof Staila
Via cumünala 27
7533 Fuldera

In individual cases, there may be other controllers for the processing of personal data or joint responsibility with at least one other controller.

1.1 Data Protection Officer or Advisor

We have the following data protection officer or advisor as a contact point for data subjects and authorities regarding data protection inquiries:

Irène Hohenegger-Heini
Hotel Landgasthof Staila
Via cumünala 27
7533 Fuldera

1.2 Data Protection Representation in the European Economic Area (EEA)

We have the following data protection representation according to Art. 27 GDPR:

VGS Datenschutz­partner GmbH
Am Kaiserkai 69
20457 Hamburg

The data protection representation serves as an additional contact point for inquiries regarding the GDPR for data subjects and authorities in the European Union (EU) and the rest of the European Economic Area (EEA).

2. Terms and Legal Basis

2.1 Terms

Personal data refers to any information relating to an identified or identifiable natural person. A data subject is a person about whom we process personal data.

Processing includes any operation or set of operations performed on personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction of personal data.

The European Economic Area (EEA) includes the Member States of the European Union (EU) as well as the Principality of Liechtenstein, Iceland, and Norway. The General Data Protection Regulation (GDPR) refers to the processing of personal data as the processing of personal data.

2.2 Legal Basis

We process personal data in accordance with Swiss data protection law, especially the Federal Act on Data Protection (Data Protection Act, DPA) and the Ordinance on Data Protection (Data Protection Ordinance, DPO).

Where and to the extent that the General Data Protection Regulation (GDPR) is applicable, we process personal data based on at least one of the following legal bases:

  • Art. 6(1)(b) GDPR for the necessary processing of personal data to fulfill a contract with the data subject or to take pre-contractual measures.
  • Art. 6(1)(f) GDPR for the necessary processing of personal data to safeguard our legitimate interests or those of third parties, unless the fundamental freedoms and rights as well as interests of the data subject prevail. Legitimate interests include, in particular, our interest in exercising our activities and operations permanently, user-friendly, safely, and reliably, as well as communicating about them, ensuring information security, protection against misuse, enforcing our own legal claims, and complying with Swiss law.
  • Art. 6(1)(c) GDPR for the necessary processing of personal data to fulfill a legal obligation to which we are subject under any applicable law of Member States in the European Economic Area (EEA).
  • Art. 6(1)(e) GDPR for the necessary processing of personal data to perform a task carried out in the public interest.
  • Art. 6(1)(a) GDPR for the processing of personal data with the consent of the data subject.
  • Art. 6(1)(d) GDPR for the necessary processing of personal data to protect vital interests of the data subject or another natural person.

3. Nature, Scope, and Purpose

We process those personal data that are necessary to permanently, user-friendly, safely, and reliably exercise our activities and operations. Such personal data may include, in particular, categories of inventory and contact data, browser and device data, content data, meta or marginal data and usage data, location data, sales data as well as contract and payment data.

We process personal data for the duration necessary for the respective purpose(s) or as required by law. Personal data that is no longer required for processing will be anonymized or deleted.

We may have personal data processed by third parties. We may jointly process or transmit personal data to third parties. Such third parties include, in particular, specialized providers whose services we use. We also ensure data protection with such third parties.

We generally process personal data only with the consent of the data subjects. If and to the extent that processing is permissible for other legal reasons, we may waive the requirement to obtain consent. For example, we may process personal data without consent to fulfill a contract, to comply with legal obligations, or to safeguard overriding interests.

We also process personal data that we receive from third parties, obtain from publicly available sources, or collect in the exercise of our activities and operations, provided that such processing is permissible for legal reasons.

4. Communication

We process personal data to communicate with third parties. In this context, we process, in particular, data that a data subject provides when contacting us, for example, by postal mail or email. We may store such data in an address book or similar tools.

Third parties transmitting data about other individuals are required to ensure data protection for such affected individuals. This includes ensuring the accuracy of the transmitted personal data.

5. Data Security

We take appropriate technical and organizational measures to ensure data security appropriate to the respective risk. With our measures, we ensure, in particular, the confidentiality, availability, traceability, and integrity of the processed personal data, without being able to guarantee absolute data security.

Access to our website and other online presence is encrypted (SSL / TLS, especially with Hypertext Transfer Protocol Secure, abbreviated HTTPS). Most browsers indicate transport encryption with a small padlock in the address bar.

Our digital communication is subject – like all digital communication – to mass surveillance without cause or suspicion by security authorities in Switzerland, the rest of Europe, the United States of America (USA), and other countries. We cannot directly influence the processing of personal data by intelligence services, police authorities, and other security authorities. We also cannot rule out that individual data subjects are monitored deliberately.

6. Personal Data Abroad

We generally process personal data in Switzerland and in the European Economic Area (EEA). However, we may also export or transmit personal data to other countries, especially to process them there or have them processed.

We may export personal data to all countries and territories on Earth as well as elsewhere in the Universe, provided that the local law ensures adequate data protection according to a decision of the Swiss Federal Council and – where and to the extent that the General Data Protection Regulation (GDPR) is applicable – according to a decision of the European Commission.

We may transmit personal data to countries whose law does not ensure adequate data protection, provided that data protection is ensured for other reasons, especially based on standard data protection clauses or other appropriate safeguards. Exceptionally, we may export personal data to countries without adequate or appropriate data protection if the special data protection requirements are met, such as the explicit consent of the data subjects or a direct connection with the conclusion or performance of a contract. Upon request, we provide data subjects with information about any safeguards or provide a copy of any safeguards.

7. Rights of Data Subjects

7.1 Data Subject Rights

We grant data subjects all rights under applicable data protection law. Data subjects have, in particular, the following rights:

  • Access: Data subjects can request information about whether we process personal data about them and, if so, what personal data it is. Data subjects also receive the information necessary to assert their data protection rights and ensure transparency. This includes the processed personal data itself, but also information about the purpose of processing, the duration of storage, any disclosure or export of data to other countries, and the origin of the personal data, among other things.
  • Rectification and Restriction: Data subjects can correct inaccurate personal data, complete incomplete data, and restrict the processing of their data.
  • Erasure and Objection: Data subjects can request the deletion of personal data (“right to be forgotten”) and object to the processing of their data with effect for the future.
  • Data Disclosure and Data Portability: Data subjects can request the disclosure of personal data or the transfer of their data to another controller.

We may postpone, restrict, or refuse the exercise of data subjects’ rights within the legally permissible framework. We may inform data subjects about any requirements to be fulfilled for the exercise of their data protection rights. For example, we may refuse to provide information based on trade secrets or to protect other persons entirely or partially. For example, we may also refuse to delete personal data based on legal retention obligations entirely or partially.

We may exceptionally impose costs for the exercise of rights. We inform data subjects in advance about any costs.

We are obliged to identify data subjects who request information or exercise other rights with appropriate measures. Data subjects are obliged to cooperate.

7.2 Legal Protection

Data subjects have the right to enforce their data protection rights through legal action or to lodge a complaint with a competent data protection supervisory authority.

The data protection supervisory authority for complaints from data subjects against private controllers and federal authorities in Switzerland is the Federal Data Protection and Information Commissioner (FDPIC).

European data protection supervisory authorities for complaints from data subjects – where and to the extent that the General Data Protection Regulation (GDPR) is applicable – are organized as members of the European Data Protection Board (EDPB). In some Member States of the European Economic Area (EEA), data protection supervisory authorities are federally structured, especially in Germany.

8. Use of the Website

8.1 Cookies

We may use cookies. With cookies – both our own cookies (first-party cookies) and cookies from third parties whose services we use (third-party cookies) – data is stored in the browser. Such stored data may not be limited to traditional text cookies.

Cookies can be stored in the browser temporarily as “session cookies” or for a specific period as so-called permanent cookies. “Session cookies” are automatically deleted when the browser is closed. Permanent cookies have a specific storage period. Cookies, in particular, enable a browser to be recognized on the next visit to our website and, for example, measure the reach of our website. However, permanent cookies can also be used for online marketing.

Cookies can be disabled or deleted entirely or partially in the browser settings at any time. Without cookies, our website may not be fully available. We request – at least if and to the extent necessary – active consent to the use of cookies.

For cookies used for success and reach measurement or for advertising, a general objection (“opt-out”) is possible for numerous services via the AdChoices (Digital Advertising Alliance of Canada), the Network Advertising Initiative (NAI), YourAdChoices (Digital Advertising Alliance), or Your Online Choices (European Interactive Digital Advertising Alliance, EDAA).

8.2 Logging

We may log at least the following information for each access to our website and other online presence, provided that such information is transmitted to our digital infrastructure during such accesses: date and time including time zone, IP address, access status (HTTP status code), operating system including user interface and version, browser including language and version, individual sub-page of our website accessed including transferred data volume, last website accessed in the same browser window (referer or referrer).

We log such information, which may also constitute personal data, in log files. The information is necessary to provide our online presence permanently, in a user-friendly and reliable manner. The information is also necessary to ensure data security – also by third parties or with the help of third parties.

8.3 Tracking Pixels

We may integrate tracking pixels into our online presence. Tracking pixels are also referred to as web beacons. With tracking pixels – also from third parties whose services we use – small, invisible images or scripts formulated in JavaScript that are automatically retrieved when accessing our online presence. Tracking pixels can capture at least the same information as in log files.

9. Notifications and Communications

We send notifications and communications via email and other communication channels such as instant messaging or SMS.

9.1 Success and Reach Measurement

Notifications and communications may contain web links or tracking pixels that capture whether an individual notification has been opened and which web links were clicked. Such web links and tracking pixels may also capture the usage of notifications and communications on a personal level. We require this statistical capture of usage for success and reach measurement in order to effectively and user-friendly, as well as permanently, securely, and reliably deliver notifications and communications based on the needs and reading habits of the recipients.

9.2 Consent and Objection

You must generally consent to the use of your email address and other contact addresses unless the use is permissible for other legal reasons. For the possible obtaining of double-confirmed consent, we can use the “double opt-in” procedure. In this case, you will receive a notification with instructions for double confirmation. We may log obtained consents, including IP address and timestamp, for evidence and security reasons.

You can generally object to receiving notifications and communications such as newsletters at any time. With such objection, you can simultaneously object to the statistical capture of usage for success and reach measurement. Necessary notifications and communications related to our activities and operations remain reserved.

9.3 Service Providers for Notifications and Communications

We send notifications and communications with the help of specialized service providers.

We use in particular:

10. Social Media

We are present on social media platforms and other online platforms to communicate with interested individuals and to provide information about our activities and operations. In connection with such platforms, personal data may also be processed outside Switzerland and the European Economic Area (EEA).

The general terms and conditions (GTC) and terms of use as well as privacy policies and other provisions of the respective operators of such platforms also apply. These provisions inform in particular about the rights of data subjects directly vis-à-vis the respective platform, including the right to information.

For our Social Media presence on Facebook, including so-called page insights, we are – if and to the extent the General Data Protection Regulation (GDPR) applies – jointly responsible with Meta Platforms Ireland Limited (Ireland). Meta Platforms Ireland Limited is part of the Meta Companies (including in the USA). Page insights provide information on how visitors interact with our Facebook presence. We use page insights to effectively and user-friendly provide our social media presence on Facebook.

Further information about the nature, scope, and purpose of data processing, information about the rights of data subjects, as well as contact details of Facebook as well as the data protection officer of Facebook can be found in the Facebook Privacy Policy. We have concluded the so-called “Addendum for Controllers” with Facebook and have thereby agreed in particular that Facebook is responsible for ensuring the rights of data subjects. For the so-called page insights, the relevant information can be found on the page “Information about Page Insights” including “Information about Page Insights Data.”

11. Third-Party Services

We use services from specialized third parties to exercise our activities and operations permanently, user-friendly, securely, and reliably. With such services, we can embed functions and content into our website. In such embedding, the used services, for technical reasons, capture at least temporarily the IP addresses of the users.

For necessary security-related, statistical, and technical purposes, third parties whose services we use may process data related to our activities and operations in an aggregated, anonymized, or pseudonymized form. These include, for example, performance or usage data to be able to offer the respective service.

We use in particular:

11.1 Digital Infrastructure

We use services from specialized third parties to be able to utilize the necessary digital infrastructure in connection with our activities and operations. This includes, for example, hosting and storage services from selected providers.

We use in particular:

11.2 Mapping Services

We use services from third parties to embed maps into our website.

We use in particular:

11.3 Digital Audio and Video Content

We use services from specialized third parties to enable the direct playback of digital audio and video content such as music or podcasts.

We use in particular:

12. Website Extensions

We use extensions for our website to be able to use additional functions. We can use selected services from suitable providers or use such extensions on our own server infrastructure.

We use in particular:

  • Google reCAPTCHA: Spam protection (distinguishing between desired content from humans and unwanted content from bots and spam); Provider: Google; Google reCAPTCHA specific information: “What is reCAPTCHA?”.

13. Success and Reach Measurement

We try to determine how our online offering is used. In this context, we can measure the success and reach of our activities and operations as well as the impact of third-party links to our website. However, we can also, for example, test and compare how different parts or versions of our online offering are used (the “A/B test” method). Based on the results of the success and reach measurement, we can, in particular, fix errors, strengthen popular content, or make improvements to our online offering.

In most cases, IP addresses of individual users are stored for success and reach measurement. IP addresses are generally shortened (IP masking) in this case to follow the principle of data minimization through the appropriate pseudonymization.

Cookies may be used for success and reach measurement, and user profiles may be created. Any user profiles created may include, for example, the individual pages visited or content viewed on our website, information about the size of the screen or browser window, and the – at least approximate – location. Generally, any user profiles created are exclusively pseudonymized and not used to identify individual users. Individual services from third parties, where users are logged in, may possibly assign the use of our online offering to the user account or user profile with the respective service.

We use in particular:

14. Final Provisions

We have created this privacy policy with the privacy policy generator from Datenschutzpartner. The present privacy policy is an unofficial translation from the original German version.

We reserve the right to adapt and supplement this privacy policy at any time. We will inform about such adaptations and supplements in an appropriate form, in particular by publishing the respective current privacy policy on our website.