Data Protection DSGVO (from 28. May 2018)
We are very pleased about your interest in our company. Data protection is of particular importance to the management of MOROSANI HOTELS DAVOS ("we", "us" and "our" are interpreted accordingly). We are the operators of the website ("Site") www.morosani.ch and therefore responsible for the collection, processing and use of your personal data and the compatibility of data processing with the applicable data protection law. Of course, we observe the legal provisions of the Federal Data Protection Act (DSG), the Federal Data Protection Act (VDSG), the Telecommunications Act (FMG) and other applicable data protection provisions under Swiss or EU law, in particular the General Data Protection Regulation (DSGVO).
The data protection declaration of the MOROSANI HOTELS DAVOS is based on the terms used by the European legislator for the adoption of the General Data Protection Regulation (GDPR). Our data protection declaration should be legible and understandable for the general public, as well as our customers and business partners. To ensure this, we would like to first explain the terminology used. In this data protection declaration, we use, inter alia, the following terms:
a) Personal data
Personal data means any information relating to an identified or identifiable natural person (“data subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
b) Data subject
Data subject is any identified or identifiable natural person, whose personal data is processed by the controller responsible for the processing.
c) Processing
Processing is any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
d) Restriction of processing
Restriction of processing is the marking of stored personal data with the aim of limiting their processing in the future.
e) Profiling
Profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
f) Pseudonymisation
Pseudonymisation is the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
g) Controller or controller responsible for the processing
Controller or controller responsible for the processing is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
h) Processor
Processor is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
i) Recipient
Recipient is a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with the law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing.
j) Third party
Third party is a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.
k) Consent
Consent of the data subject is any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
2. Name and Address of the controller
Controller for the purposes of the General Data Protection Regulation (GDPR), other data protection laws applicable in Member States of the European Union and other provisions related to data protection is: MOROSANI HOTELS DAVOS - Promenade 50 - CH-7270 Davos Platz - Switzerland - Phone: +41 81 415 55 00 - Email: email@example.com - Website: www.morosani.ch
WHAT PERSONAL DATA MAY WE COLLECT?
When you access our website, information of a general nature is automatically recorded. This information (server log files) includes, for example, the type of web browser, the operating system used, the domain name of your Internet service provider and the like. This is only information that does not allow conclusions about your person. This information is technically necessary to correctly deliver the contents of web pages requested by you and is mandatory when using the internet. Anonymous information of this kind is statistically evaluated by us, in order to optimize our Internet appearance and the technology behind it.
We may collect the following personal data about you:
- The personal details you provide (such as name, address, e-mail address, business address and phone number) when submitting an enquiry, reservation request or membership application.
- Personal details you choose to give when corresponding with us by phone or e-mail, or that you provide to us when you visit the MOROSANI HOTELS DAVOS.
- Any other personal or private information about you that you choose to submit to this Site or any other websites we operate.
- Information about other guests included in your booking details.
- Information about your preferences (e.g. advertising interests, cookie data, clickstream data, browsing history, responses to direct marketing, and opt-outs from direct marketing) and any information provided to us by third parties.
As the controller, the MOROSANI HOTELS DAVOS has implemented numerous technical and organizational measures to ensure the most complete protection of personal data processed through this website. However, Internet-based data transmissions may in principle have security gaps, so absolute protection may not be guaranteed. For this reason, every data subject is free to transfer personal data to us via alternative means, e.g. by telephone.
USE OF OUR WEBSITE
When visiting our website, our servers temporarily store every access in a log file. The following technical data will be collected by us, as always with every connection to a web server, without your intervention and stored by us until automated deletion after 7 days:
- the IP address of the requesting computer,
- the name of the owner of the IP address range (as a rule, your internet access provider),
- the date and time of access,
- the website from which the access was made (referrer URL), if applicable, with the search term used,
- the name and URL of the retrieved file,
- the status code (for example, error message),
- the operating system of your computer,
- the browser you are using (type, version and language), the transmission protocol used (e.g., HTTP/1.1) and
- if applicable, your username from a registration / authentication.
The collection and processing of this data is for the purpose of facilitating the use of our website (connection establishment), to ensure the long-term security and stability of the system and to optimize our Internet offerings and for internal statistical purposes. This is our legitimate interest in the processing of data within the meaning of Art. 6 para. 1 lit. f DSGVO.
In the event of attacks on the network infrastructure or other unauthorized or abusive use of the website, the IP address will also be evaluated together with the other data for clarification and defense and, where appropriate, used in criminal proceedings for identification and in civil and criminal proceedings against the users concerned. This is our legitimate interest in the processing of data within the meaning of Art. 6 para. 1 lit. f DSGVO.
REGISTRATION ON OUR WEBSITE
SUBSCRIPTION & NEWSLETTER
On our website, users are given the opportunity to subscribe to our company newsletter. Which personal data are transmitted to the data controller when the newsletter is ordered results from the input mask used for this purpose. This requires a registration. As part of the registration, the following data must be provided:
- First and Last Name
- E-mail address
The above data is necessary for data processing. We process this data exclusively to personalize the information and offers you have received and to better align it with your interests. By registering you give us your consent to the processing of the given data for the regular sending of the newsletter to the address you have specified and for the statistical evaluation of the user behavior and the optimization of the newsletter. This consent constitutes, within the meaning of Art. 6 para. 1 lit. a DSGVO, our legal basis for the processing of your e-mail address. We are entitled to commission third parties with the technical handling of advertising measures and are entitled to pass on your data for this purpose (see section 13 below).
The personal data collected in the context of registering for the newsletter will be used exclusively to send our newsletter. Subscribers to the newsletter may also be notified by e-mail if this is necessary for the operation of the newsletter service or registration, as might be the case in the event of changes to the newsletter or technical changes. There will be no transfer of the personal data collected as part of the newsletter service to third parties.
Subscription to our newsletter may be terminated by the person concerned at any time. The consent to the storage of personal data that the data subject has given us for the newsletter dispatch can be revoked at any time. For the purpose of revoking the consent, there is a corresponding link in each newsletter. At the end of each newsletter you will find a link where you can unsubscribe at any time. As part of the deregistration you can voluntarily inform us of the reason for the deregistration. After the cancellation your personal data will be deleted. Any further processing will only be done anonymously to optimize our newsletter. It is also possible to unsubscribe from the newsletter at any time, directly on the controller's website, or to inform the controller in a different way.
Our website contains information that enables a quick electronic contact to our company, as well as direct communication with us, which also includes a general address of the so-called electronic mail (e-mail address). If a data subject contacts the controller by e-mail or via a contact form, the personal data transmitted by the data subject are automatically stored. Such personal data transmitted on a voluntary basis by a data subject to the data controller are stored for the purpose of processing or contacting the data subject. There is no transfer of this personal data to third parties.
You have the option to use a contact form to contact us. For this we need the following information:
- Contact subject
- First and Last Name
- E-mail address
We use this data as well as a voluntarily given telephone number only to answer your contact request in the best possible and personalized way. The processing of this data is therefore required, within the meaning of Art. 6 para. 1 lit. b DSGVO, for the implementation of precontractual measures or is in our legitimate interest in accordance with Art. 6 para. 1 lit. f DSGVO.
APPLICATIONS & APPLICATION PROCEDURE
The data controller shall collect and process the personal data of applicants for the purpose of the processing of the application procedure. The processing may also be carried out electronically. This is the case, in particular, if an applicant submits corresponding application documents by e-mail on the website to the controller. If the data controller concludes an employment contract with an applicant, the submitted data will be stored for the purpose of processing the employment relationship in compliance with legal requirements. If no employment contract is concluded with the applicant by the controller, the application documents shall be erased after notification of the refusal decision, provided that no other legitimate interests of the controller are opposed to the erasure.
PROVISION OF PAID SERVICES
To provide paid services we ask for additional data, such as payment details.
Opening a customer account
To make reservations on our website, you can order as a guest or create a customer account. When registering for a customer account, we collect the following data:
- First and Last Name
- Mailing address
- Date of birth
- Phone number
- E-mail address
The collection of these and other data voluntarily provided by you (e.g. company name) is done for the purpose of providing you with password-protected direct access to your basic data stored with us. You can view your past and current bookings or manage or change your personal information. The legal basis for the processing of the data for this purpose lies in the consent given by you pursuant to Art. 6 (1) lit. a GDPR.
Booking on the website, by correspondence or by phone call
If you make bookings either via our website, by correspondence (email or letter post) or by telephone call, we need the following data for the execution of the contract:
- First and Last Name
- Mailing address
- Date of birth
- Phone number
- Credit card information
- E-mail address
We will only use this information and other information voluntarily provided by you (e.g. expected time of arrival, motor vehicle license plate, preferences, remarks) to process the contract, unless otherwise stated in this privacy statement or you have not specifically consented thereto. We will process the data by name in order to record your booking as requested, to provide the booked services, to contact you in case of any uncertainties or problems and to ensure the correct payment. The legal basis for data processing for this purpose lies in the fulfillment of a contract pursuant to Art. 6 para. 1 lit. b DSGVO.
Any credit/debit card payments and other payments you make through this Site will be processed by our third party payment provider, and the payment data you submit will be securely stored by us. We may also store and use this card or payment information for the purpose of processing any future payments that you make for additional goods and services. We will store this data in accordance with our legal obligations under applicable law and only for so long as legally permitted. You may choose to opt-out of us, or our service providers, holding your card or payment data, although this means that you will need to re-supply us with card/payment details to initiate any future bookings.
DATA PROCESSING IN CONNECTION WITH YOUR STAY
Data processing to fulfill legal reporting obligations
Upon arrival at our hotel, we may need the following information from you and the persons accompanying you:
- First and Last Name
- Postal address and canton
- Date of birth
- Place of birth
- Official ID and number
- Arrival and departure day
- Room number
We provide this information for the fulfillment of legal reporting obligations, which arise in particular from the hospitality or police law. Insofar as we are required to do so under the applicable regulations, we will forward this information to the relevant police authority. Fulfilling the legal requirements is our legitimate interest within the meaning of Art. 6 para. 1 lit. f DSGVO.
Acquisition of related services
If you receive additional services during your stay (for example, make use of the mini-bar or the pay-TV service), we will collect the service and the date of receipt of the service for billing purposes. The processing of this data is required, within the meaning of Art. 6 para. 1 lit. b DSGVO, for the execution of the contract with us.
STORAGE AND EXCHANGE OF DATA WITH THIRD PARTIES
Central storage and linking of data
We store the data specified in paragraphs 2-5 and 8-10 in a central electronic data processing system. The data relating to you are systematically recorded and linked to the processing of your bookings and the processing of the contractual services. For this we use software (PROTEL) from REBAG DATA AG, Einsiedlerstrasse 533, PO Box 426, CH-8810 Horgen. The processing of this data as part of the software is based on our legitimate interest, within the meaning of Art. 6 para. 1 lit. f DSGVO, in customer-friendly and efficient customer data management.
We only store personal information for as long as is necessary to use the above tracking services as well as any further processing within the scope of our legitimate interest. Contract data is kept longer by us, as this is required by statutory storage requirements. Retention requirements, which oblige us to keep data, result from the rules on reporting, on accounting and from tax law. According to these regulations, business communication, concluded contracts and accounting documents must be kept for up to 10 years. Where we no longer need this data to carry out the services for you, the data will be blocked. This means that the data may then only be used for accounting purposes and for tax purposes.
Passing on the data to third parties
We only pass on your personal data if you have expressly consented, if there is a legal obligation to do so, or if this is necessary to enforce our rights, in particular to enforce claims arising from the contractual relationship. In addition, we pass your data on to third parties insofar as this is required in the context of the use of the website and the performance of the contract (including outside the website), in particular for the processing of your bookings. A service provider to whom the personal data collected via the website are passed on, or who has or can obtain access to it, is our web host ENNIT AG, Projensdorfer Str. 324, DE-24106 Kiel. The website is hosted on servers in Germany. The transfer of data is for the purpose of providing and maintaining the functionality of our website. This is our legitimate interest within the meaning of Art. 6 para. 1 lit. f DSGVO.
Transfer of personal data abroad
For the purpose of the data processing described in this data protection declaration, we are also entitled to transfer your personal data to third parties (contracted service providers) abroad. These are obligated to the same extent as we ourselves for data protection. If the level of data protection in one country does not correspond to the Swiss or the European one, we contractually ensure that the protection of your personal data at all times corresponds to that in Switzerland or in the EU.
Note about data transfers to the USA
For the sake of completeness, we would like to point out to users domiciled in Switzerland that there are surveillance measures in the US by US authorities which generally allow the storage of all personal data of all persons whose data were transferred from Switzerland to the USA. This is done without any differentiation, restriction or exemption on the basis of the objective pursued and without an objective criterion that would limit the US authorities' access to the data and its subsequent use to very specific, strictly limited purposes capable of justifying both the access to these data and the interference associated with their use. Furthermore, we would like to point out that in the USA there are no legal remedies for the persons concerned from Switzerland that allow them to obtain access to the data concerning them and to obtain their rectification or deletion, and no effective judicial protection against general access rights of US authorities. We explicitly inform the person concerned about this legal and factual situation so that he or she can make a correspondingly informed decision to consent to the use of his or her data.
HOW DO WE USE YOUR DATA?
We may use your personal data in the following ways:
- To operate our business and provide you with services you have requested.
- To display the content of this Site, and any customisations you may select.
- To verify your identity.
- To acknowledge, confirm and deal with your enquiry, including a reservation request.
- Where we are asked to deal with any other enquiries or complaints you may make.
- To notify you about any changes to this Site, or services provided through this Site.
- To provide you, or permit selected third party service providers (e.g. our masseur and fitness trainers and providers) to provide you with information about goods or services we feel may interest you. We, or those selected third parties, will however only contact you if you have previously consented to such contact and only by such means (e.g. email or post) as you have also previously consented to. Any marketing email that you receive from us will allow you to unsubscribe to further email promotions.
- To contact you in connection with user/customer/member surveys and use any information you choose to submit in response.
- To administer our Site and ensure that our Site is presented in the most effective manner for you and for your computer/device.
- For internal business/technical operations, including troubleshooting, data analysis, testing, research, statistical and survey purposes and as part of our efforts to keep our Site secure.
- On an aggregate basis, to understand how individuals collectively use the features of our Site.
- To protect against fraud, identity theft, and other unlawful activity.
- To establish or exercise any legal rights or claims.
DISCLOSURE OF YOUR PERSONAL DATA
We may share your personal data with third parties in the following situations:
- We may disclose your personal data to our employees and agents to the extent necessary to provide you with services you have requested.
- We may make your personal data available to selected third parties who act on our behalf to support our operations (for example, card processing or payment services (see the section below headed ‘Payment Information’) and credit reference agencies to protect against possible fraud), subject to appropriate contractual protections in accordance with applicable law.
- Our IT suppliers and contractors (e.g. data hosting providers or delivery partners) who may need to have access to your personal data to provide IT support and enable us to provide membership or guest services and other goods/services available on this Site or otherwise available to members or guests, subject to appropriate contractual protections in accordance with applicable law.
- If we sell or transfer all, or any portion, of our business or our company assets to any third party, personal data held by us about you may be one of the transferred assets.
- If we need to disclose your personal data to comply with a legal obligation or to enforce our Terms & Conditions, membership rules or other applicable contract terms that you are subject to.
- To protect us, our guests or contractors against loss or damage (including, without limitation, exchanging information with the police, courts or law enforcement organisations).
- To the extent necessary to establish, exercise or defend legal rights or claims, or for the purposes of investigating actual or suspected unlawful activity.
YOUR DATA PROTECTION RIGHTS
Subject to applicable law, you may have the following rights in relation to your personal data:
- The right to request access to, or copies of, your personal data that we process.
- The right to request correction of any inaccuracies in your personal data.
- The right to object, on legitimate grounds, to the processing of your personal data.
- The right to request that your personal data are deleted. This does not affect your statutory rights.
If you wish to exercise any of these rights please contact us as described in the section above headed ‘Contact’. Any access request may be subject to a small fee to meet our costs. We may also need to ask you for further information to verify your identity before we can respond to any request.
Where we have given you (or where you have chosen) a password or log-in which enables you to access certain restricted parts of our Site, you are responsible for doing everything you reasonably can to keep these details secret. We do not share your password or log-in details with any third parties. Unfortunately, the transmission of information over the internet or public communications networks can never be completely secure.
We also take corporate privacy very seriously. Our employees and the service companies commissioned by us have been obliged by us to secrecy and to comply with data protection regulations.
DATA RETENTION & DELETION
Each data subject shall have the right granted by the European legislator to obtain from the controller the erasure of personal data concerning him or her without undue delay, and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies, as long as the processing is not necessary:
- The personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed.
- The data subject withdraws consent to which the processing is based according to point (a) of Article 6(1) of the GDPR, or point (a) of Article 9(2) of the GDPR, and where there is no other legal ground for the processing.
- The data subject objects to the processing pursuant to Article 21(1) of the GDPR and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2) of the GDPR.
- The personal data have been unlawfully processed.
- The personal data must be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject.
- The personal data have been collected in relation to the offer of information society services referred to in Article 8(1) of the GDPR.
If one of the aforementioned reasons applies, and a data subject wishes to request the erasure of personal data stored by the MOROSANI HOTELS DAVOS, he or she may at any time contact our Data Protection Officer or another employee of the controller. The Data Protection Officer of the MOROSANI HOTELS DAVOS or another employee shall promptly ensure that the erasure request is complied with immediately. Where the controller has made personal data public and is obliged pursuant to Article 17(1) to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform other controllers processing the personal data that the data subject has requested erasure by such controllers of any links to, or copy or replication of, those personal data, as far as processing is not required. The Data Protection Officer of the MOROSANI HOTELS DAVOS or another employee will arrange the necessary measures in individual cases.
Toni C. Morosani
MOROSANI HOTELS DAVOS
CH 7572 Davos Platz