Data Protection DSGVO (from 01 September 2023)
We are very pleased about your interest in our company. Data protection is of particular importance to the management of MOROSANI HOTELS DAVOS ("we", "us" and "our" are interpreted accordingly). We are the operators of the website ("Site") www.morosani.ch and therefore responsible for the collection, processing and use of your personal data and the compatibility of data processing with the applicable data protection law. Of course, we observe the legal provisions of the Federal Data Protection Act (DSG), the Federal Data Protection Act (VDSG), the Telecommunications Act (FMG) and other applicable data protection provisions under Swiss or EU law, in particular the General Data Protection Regulation (DSGVO).
2. Name and Address of the controller
The controller for the purposes of the General Data Protection Regulation (GDPR), other data protection laws applicable in Member States of the European Union and other provisions related to data protection is:
MOROSANI HOTELS DAVOS
CH-7270 Davos Platz
Phone: +41 81 415 55 00
WHAT PERSONAL DATA MAY WE COLLECT?
When you access our website, information of a general nature is automatically recorded. This information (server log files) includes, for example, the type of web browser, the operating system used, the domain name of your Internet service provider and the like. This is only information that does not allow conclusions about your person. This information is technically necessary to correctly deliver the contents of web pages requested by you and is mandatory when using the internet. Anonymous information of this kind is statistically evaluated by us, in order to optimize our Internet appearance and the technology behind it.
We may collect the following personal data about you:
- The personal details you provide (such as name, address, e-mail address, business address and phone number) when submitting an enquiry, reservation request or membership application.
- Personal details you choose to give when corresponding with us by phone or e-mail, or that you provide to us when you visit the MOROSANI HOTELS DAVOS.
- Any other personal or private information about you that you choose to submit to this Site or any other websites we operate.
- Information about other guests included in your booking details.
- Information about your preferences (e.g. advertising interests, cookie data, clickstream data, browsing history, responses to direct marketing, and opt-outs from direct marketing) and any information provided to us by third parties.
As the controller, the MOROSANI HOTELS DAVOS has implemented numerous technical and organizational measures to ensure the most complete protection of personal data processed through this website. However, Internet-based data transmissions may in principle have security gaps, so absolute protection may not be guaranteed. For this reason, every data subject is free to transfer personal data to us via alternative means, e.g. by telephone.
USE OF OUR WEBSITE
When you visit our website, our servers temporarily store every access in a log file. As with every connection to a web server, the following technical data is collected by us without your intervention and stored by us until automated deletion after 7 days:
- the IP address of the requesting computer,
- the name of the owner of the IP address range (usually your internet access provider),
- the date and time of access,
- the website from which the access was made (referrer URL), if applicable, with the search term used,
- the name and URL of the retrieved file,
- the status code (for example, error message),
- the operating system of your computer,
- the browser you are using (type, version and language), the transmission protocol used (e.g., HTTP/1.1) and
- if applicable, your username from a registration / authentication.
The collection and processing of this data is for the purpose of facilitating the use of our website (connection establishment), to ensure the long-term security and stability of the system and to optimize our Internet offerings and for internal statistical purposes. This is our legitimate interest in the processing of data within the meaning of Art. 6 para. 1 lit. f DSGVO.
In the event of attacks on the network infrastructure or other unauthorized or abusive use of the website, the IP address will also be evaluated together with the other data for investigation and defense and, where appropriate, used in criminal proceedings for identification and in civil and criminal proceedings against the users concerned. This is our legitimate interest in the processing of data within the meaning of Art. 6 para. 1 lit. f, b DSGVO.
REGISTRATION ON OUR WEBSITE
SUBSCRIPTION & NEWSLETTER
On our website, users are given the opportunity to subscribe to our company newsletter. The input mask used for this purpose determines which personal data are transmitted to the data controller when the newsletter is ordered. This requires a registration. As part of the registration, the following data must be provided:
- First and Last Name
- E-mail address
The above data is necessary for data processing. We process this data exclusively to personalize the information and offers you have received and to better align it with your interests. By registering you give us your consent to the processing of the given data for the regular sending of the newsletter to the address you have specified and for the statistical evaluation of the user behavior and the optimization of the newsletter. This consent, within the meaning of Art. 6 para. 1 lit. a DSGVO, is our legal basis for the processing of your e-mail address. We are entitled to commission third parties with the technical handling of advertising measures and are entitled to pass on your data for this purpose (see section 13 below).
The personal data collected in the context of registering for the newsletter will be used exclusively to send our newsletter. Subscribers to the newsletter may also be notified by e-mail if this is necessary for the operation of the newsletter service or registration, as might be the case in the event of changes to the newsletter or technical changes. Subscription to our newsletter may be terminated by the person concerned at any time. The consent to the storage of personal data that the data subject has given us for the newsletter dispatch can be revoked at any time. For the purpose of revoking the consent, there is a corresponding link in each newsletter. At the end of each newsletter you will find a link where you can unsubscribe at any time. As part of the deregistration you can voluntarily inform us of the reason for the deregistration. We will periodically delete the information you provide when we are confident that no business relationship will be established between you and us. Reserved are statutory retention periods. Any further processing will only be done anonymously to optimize our newsletter. It is also possible to unsubscribe from the newsletter at any time, directly on the controller's website, or to inform the controller in a different way.
Our website contains information that enables quick electronic contact with our company, as well as direct communication with us, which also includes a general e-mail address. If a data subject contacts the controller by e-mail or via a contact form, the personal data transmitted by the data subject are automatically stored. Such personal data transmitted on a voluntary basis by a data subject to the data controller are stored for the purpose of processing or contacting the data subject. There is no transfer of this personal data to third parties.
You have the option to use a contact form to contact us. For this we need the following information:
- Contact subject
- First and Last Name
- E-mail address
We use this data as well as a voluntarily given telephone number only to answer your contact request in the best possible and personalized way. The processing of this data is therefore within the meaning of Art. 6 para. 1 lit. b DSGVO and is required for the implementation of precontractual measures or is in our legitimate interest in accordance with Art. 6 para. 1 lit. f DSGVO. We will periodically delete the information you provide when we are confident that no business relationship will be established between you and us. Reserved are statutory retention periods.
APPLICATIONS & APPLICATION PROCEDURE
The data controller shall collect and process the personal data of applicants for the purpose of the processing of the application procedure. The processing may also be carried out electronically. This is the case, in particular, if an applicant submits corresponding application documents by e-mail on the website to the controller. If the data controller concludes an employment contract with an applicant, the submitted data will be stored for the purpose of processing the employment relationship in compliance with legal requirements. If no employment contract is concluded with the applicant by the controller, the application documents shall be erased after notification of the refusal decision, provided that no other legitimate interests of the controller are opposed to the erasure. This is our legitimate interest in the processing of data within the meaning of Art. 6 para. 1 lit. b DSGVO.
PROVISION OF PAID SERVICES
To provide paid services we ask for additional data, such as: Payment details.
Opening a customer account
To make reservations on our website, you can order as a guest or create a customer account. When registering for a customer account, we collect the following data:
- First and Last Name
- Mailing address
- Date of birth
- Phone number
- E-mail address
The collection of these and other data voluntarily provided by you (e.g. company name) is done for the purpose of providing you with password-protected direct access to your basic data stored with us. You can view your past and current bookings or manage or change your personal information. The legal basis for the processing of the data for this purpose lies in the consent given by you pursuant to Art. 6 (1) lit. a, b GDPR. We will periodically delete the information you provide when we are confident that no business relationship will be established between you and us. Reserved are statutory retention periods.
Booking on the website, by correspondence or by phone call
If you make bookings either via our website, by correspondence (email or letter post) or by telephone call, we need the following data for the execution of the contract:
- First and Last Name
- Mailing address
- Date of birth
- Phone number
- Credit card information
- E-mail address
We will only use this information and other information voluntarily provided by you (e.g. expected time of arrival, motor vehicle license plate, preferences, remarks) to process the contract, unless otherwise stated in this privacy statement or you have not specifically consented thereto. We will process the data by name in order to record your booking as requested, to provide the booked services, to contact you in case of any uncertainties or problems and to ensure the correct payment. The legal basis for data processing for this purpose lies in the fulfillment of a contract pursuant to Art. 6 para. 1 lit. b DSGVO.
Any credit/debit card payments and other payments you make through this Site will be processed by our third party payment provider, and the payment data you submit will be securely stored by us. We may also store and use this card or payment information for the purpose of processing any future payments that you make for additional goods and services. We will store this data in accordance with our legal obligations under applicable law and only for so long as legally permitted. You may choose to opt-out of us, or our service providers, holding your card or payment data, although this means that you will need to re-supply us with card/payment details to initiate any future bookings. This is our legitimate interest in the processing of data within the meaning of Art. 6 para. 1 lit. b DSGVO.
DATA PROCESSING IN CONNECTION WITH YOUR STAY
Data processing to fulfill legal reporting obligations
Upon arrival at our hotel, we may need the following information from you and your companions:
- First and Last Name
- Postal address and canton
- Date of birth
- Place of birth
- Official ID and number
- Arrival and departure day
- Room number
We provide this information for the fulfillment of legal reporting obligations, which arise in particular from the hospitality or police law. Insofar as we are required to do so under the applicable regulations, we will forward this information to the relevant police authority. Fulfilling the legal requirements is our legitimate interest within the meaning of Art. 6 para. 1 lit. f, b DSGVO.
Acquisition of related services
If you receive additional services during your stay (for example, make use of the mini-bar or the pay-TV service), we will collect the service and the date of receipt of the service for billing purposes. The processing of this data is required, within the meaning of Art. 6 para. 1 lit. b DSGVO, for the execution of the contract with us.
STORAGE AND EXCHANGE OF DATA WITH THIRD PARTIES
Central storage and linking of data
We store the data specified in paragraphs 2-5 and 8-10 in a central electronic data processing system. The data relating to you are systematically recorded and linked to the processing of your bookings and the processing of the contractual services. For this we use software (PROTEL) from REBAG DATA AG, Einsiedlerstrasse 533, PO Box 426, CH-8810 Horgen. The processing of this data as part of the software is based on our legitimate interest, within the meaning of Art. 6 para. 1 lit. f DSGVO, in customer-friendly and efficient customer data management.
We only store personal information for as long as is necessary to use the above tracking services as well as any further processing within the scope of our legitimate interest. Contract data is kept longer by us, as this is required by statutory storage requirements. Retention requirements, which oblige us to keep data, result from rules on reporting law, accounting and tax law. According to these regulations, business communication, concluded contracts and accounting documents must be kept for up to 10 years. As far as we no longer need this data to carry out the services for you, the data will be blocked. This means that the data may then only be used for accounting purposes and for tax purposes.
Passing on the data to third parties
We only pass on your personal data if you have expressly consented, if there is a legal obligation to do so, or if this is necessary to enforce our rights, in particular to enforce claims arising from the contractual relationship. In addition, we pass your data on to third parties as far as this is required in the context of the use of the website and the processing of the contract (including outside the website), especially the processing of your bookings. A service provider to whom the personal data collected via the website are passed on, or who has or can obtain access to it, is our web host ENNIT AG, Projensdorfer Str. 324, DE-24106 Kiel. The website is hosted on servers in Germany. The transfer of data is for the purpose of providing and maintaining the functionality of our website. This is our legitimate interest within the meaning of Art. 6 para. 1 lit. f DSGVO.
Transfer of personal data abroad
For the purpose of the data processing described in this data protection declaration, we are also entitled to transfer your personal data to third parties (contracted service providers) abroad. These are obligated to the same extent as we ourselves for data protection. If the level of data protection in one country does not correspond to the Swiss or the European one, we contractually ensure that the protection of your personal data at all times corresponds to that in Switzerland or in the EU.
Note about data transfers to the USA
For the sake of completeness, we would like to point out to users resident or domiciled in Switzerland that there are surveillance measures in the US by US authorities, which generally allow the storage of all personal data of all persons whose data were transferred from Switzerland to the USA. This is done without any differentiation, restriction or exemption on the basis of the objective pursued and without an objective criterion that would limit the US authorities' access to the data and its subsequent use to very specific, strictly limited purposes capable of justifying the interference associated with both access to these data and their use. Furthermore, we would like to point out that in the USA there are no legal remedies for the persons concerned from Switzerland that allow them to obtain access to the data concerning them and to obtain their rectification or deletion, and no effective judicial protection against general access rights of US authorities. We explicitly inform the person concerned about this legal and factual situation so that he or she can make a correspondingly informed decision to consent to the use of his or her data.
EU data protection representative
We have the following data protection representation pursuant to Art. 27 GDPR in the European Economic Area (EEA), including the European Union (EU) and the Principality of Liechtenstein, as an additional point of contact for supervisory authorities and data subjects for requests in connection with the General Data Protection Regulation (GDPR):
VGS Datenschutzpartner GmbH
Am Kaiserkai 69
HOW DO WE USE YOUR DATA?
We may use your personal data in the following ways:
- To operate our business and provide you with services you have requested.
- To display the content of this Site, and any customisations you may select.
- To verify your identity.
- To acknowledge, confirm and deal with your enquiry, including a reservation request.
- Where we are asked to deal with any other enquiries or complaints you may make.
- To notify you about any changes to this Site, or services provided through this Site.
- To provide you, or permit selected third party service providers (e.g. our masseur and fitness trainers and providers) to provide you, with information about goods or services we feel may interest you. We, or those selected third parties, will however only contact you if you have previously consented to such contact and only by such means (e.g. email or post) as you have also previously consented to. Any marketing email that you receive from us will allow you to unsubscribe from further email promotions.
- To contact you in connection with user/customer/member surveys and use any information you choose to submit in response.
- To administer our Site and ensure that our Site is presented in the most effective manner for you and for your computer/device.
- For internal business/technical operations, including troubleshooting, data analysis, testing, research, statistical and survey purposes and as part of our efforts to keep our Site secure.
- On an aggregate basis, to understand how individuals collectively use the features of our Site.
- To protect against fraud, identity theft, and other unlawful activity.
- To establish or exercise any legal rights or claims.
DISCLOSURE OF YOUR PERSONAL DATA
We may share your personal data with third parties in the following situations:
- We may disclose your personal data to our employees and agents to the extent necessary to provide you with services you have requested.
- We may make your personal data available to selected third parties who act on our behalf to support our operations (for example, card processing or payment services (see the section below headed ‘Payment Information’) and credit reference agencies to protect against possible fraud), subject to appropriate contractual protections in accordance with applicable law.
- Our IT suppliers and contractors (e.g. data hosting providers or delivery partners) who may need to have access to your personal data to provide IT support and enable us to provide membership or guest services and other goods/services available on this Site or otherwise available to members or guests, subject to appropriate contractual protections in accordance with applicable law.
- If we sell or transfer all, or any portion, of our business or our company assets to any third party, personal data held by us about you may be one of the transferred assets.
- If we need to disclose your personal data to comply with a legal obligation or to enforce our Terms & Conditions, membership rules or other applicable contract terms that you are subject to.
- To protect us, our guests or contractors against loss or damage (including, without limitation, exchanging information with the police, courts or law enforcement organisations).
- To the extent necessary to establish, exercise or defend legal rights or claims, or for the purposes of investigating actual or suspected unlawful activity.
YOUR DATA PROTECTION RIGHTS
Subject to applicable law, you may have the following rights in relation to your personal data:
- The right of access: In accordance with Article 8 DSG / 15 GDPR, you have the right to request confirmation from us as to whether personal data relating to you is being processed. If this is the case, you have a right to access information about this personal data and to further information mentioned in Article 8 DSG / 15 GDPR.
- The right to rectification: In accordance with Article 5 DSG / 16 GDPR, you have the right to request that we immediately rectify inaccurate personal data concerning you. Taking into account the purposes of the processing, you also have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
- The right to erasure: EU data subjects have the right to request that we immediately erase personal data concerning you. We are obliged to erase personal data immediately, provided that the corresponding requirements of Article 17 GDPR are met. Please refer to Article 17 GDPR for details. Swiss data subjects also have the right of requesting the erasure of data in cases provided for by law, for example, when personal data are no longer necessary or the consent for processing has been revoked.
- The right to restriction of processing: In accordance with Article 18 GDPR, under certain circumstances, EU data subjects have the right to request that we restrict the processing of your personal data.
- The right to data portability: In accordance with Article 20 GDPR, EU data subjects have the right to receive the personal data that they have provided us in a structured, common and machine-readable format, and have the right to have us transfer this data to another controller without hindrance, provided that the processing is based on a declaration of consent pursuant to Article 6 (1) a) GDPR or Article 9 (2) a) GDPR or is based on a contract pursuant to Article 6 (1) b) GDPR and the processing is carried out by automated means.
- The right to objection: In accordance with Article 21 GDPR, EU data subjects have the right to object to the processing of personal data concerning them as based on Article 6 (1) e) or f) GDPR. This also applies to profiling based on these provisions. If we process your personal data for direct marketing purposes, you have the right at any time to object to the processing of your personal data for the purposes of such marketing. This also applies to profiling insofar as it is associated with such direct marketing. If you wish to exercise one of your rights, please contact us as the controller at the contact information indicated above or use any of the other forms we offer to communicate with us. If you have any queries, please contact us.
- Right to lodge a complaint with a supervisory authority: In accordance with Article 77 GDPR, without prejudice to any other administrative or judicial remedy, EU data subjects have the right to lodge a complaint with the supervisory authority. This right exists in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data relating to you infringes the GDPR. Swiss data subjects can avail themselves of the legal remedies of Art. 15/25/27/29 DSG.
If you wish to exercise any of these rights please contact us as described in the section above headed ‘Contact’. Any access request may be subject to a small fee to meet our costs. We may also need to ask you for further information to verify your identity before we can respond to any request.
Where we have given you (or where you have chosen) a password or log-in which enables you to access certain restricted parts of our Site, you are responsible for doing everything you reasonably can to keep these details secret. We do not share your password or log-in details with any third parties. Unfortunately, the transmission of information over the internet or public communications networks can never be completely secure.
We also take corporate privacy very seriously. Our employees and the service companies commissioned by us have been obliged by us to secrecy and to comply with data protection regulations.
DATA RETENTION & DELETION
Each data subject shall have the right granted by the European legislator to obtain from the controller the erasure of personal data concerning him or her without undue delay, and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies, as long as the processing is not necessary:
- The personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed.
- The data subject withdraws consent to which the processing is based according to point (a) of Article 6(1) of the GDPR, or point (a) of Article 9(2) of the GDPR, and where there is no other legal ground for the processing.
- The data subject objects to the processing pursuant to Article 21(1) of the GDPR and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2) of the GDPR.
- The personal data have been unlawfully processed.
- The personal data must be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject.
- The personal data have been collected in relation to the offer of information society services referred to in Article 8(1) of the GDPR.
If one of the aforementioned reasons applies, and a data subject wishes to request the erasure of personal data stored by the MOROSANI HOTELS DAVOS, he or she may at any time contact our Data Protection Officer or another employee of the controller. The MOROSANI HOTELS DAVOS or employees shall promptly ensure that the erasure request is complied with immediately. Where the controller has made personal data public and is obliged pursuant to Article 17(1) to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform other controllers processing the personal data that the data subject has requested erasure by such controllers of any links to, or copy or replication of, those personal data, as far as processing is not required. The Data Protection Officer of the MOROSANI HOTELS DAVOS or another employee will arrange the necessary measures in individual cases.
Toni C. Morosani
MOROSANI HOTELS DAVOS
CH 7572 Davos Platz