Data Privacy policy

 

Chesa Surlej AG, Via dal Corvatsch 30, 7513 Silvaplana runs the Hotel Chesa Surlej and is the operator of the website www.chesa-surlej.ch and therefore responsible for the collection, processing and use of your personal data and the compatibility of the data processing with the applicable data protection law.

Your trust is important to us, which is why we take the subject of data protection seriously and endeavour to ensure an appropriate level of security. We are committed to handling your personal data in a responsible manner. It goes without saying that we comply with the legal provisions of the Federal Data Protection Act (DPA), the Ordinance to the Federal Act on Data Protection (VDSG), the Telecommunications Act (FMG) and any other applicable data protection provisions under Swiss or EU law, in particular the General Data Protection Regulation (GDPR).

To find out which personal data we collect from you and why, please take note of the information provided below.

The address for data protection concerns:  

Chesa Surlej Hotel
Birgit Doll
Via dal Corvatsch 30
7513 Silvaplana
Switzerland
Phone: 081 838 75 75
backoffice@chesa-surlej.ch

 

A. Data processing in connection with our website


1. Visits to our website


Each time you visit our website, our servers temporarily store information about each visit in a log file. As with any connection to a web server, the following technical data is recorded without your intervention, stored by us, and automatically deleted after no more than 6 months:

  • the IP address of the requesting computer
  • the name of the owner of the IP address range (generally your Internet Access provider)
  • the date and time of access
  • the website from which access took place (referrer URL) including the search word used, if applicable
  • the name and URL of the file accessed
  • the status code (e.g. error message)
  • your computer’s operating system
  • which browser you use (type, version and language)
  • the transmission protocol used (e.g. HTTP/1.1) and
  • if applicable, the username used for registration/authentication


This data is collected and processed for the purpose of enabling the use of our website (to establish a connection), to permanently guarantee system security and stability, to enable the optimisation of our Internet offer as well as for internal statistical purposes. This is where our legitimate interest in data processing lies within the meaning of the applicable data protection legislation.

The IP address is also evaluated together with the other data in the event of attacks on the network infrastructure or other unauthorised or abusive use of the website for the purpose of investigating and preventing attacks and may be used in the course of criminal proceedings to identify and prosecute the users concerned under civil and criminal law. This is where our legitimate interest in data processing lies within the meaning of the applicable data protection legislation.

2. Using our contact form


You have the option of using a contact form for general enquiries to get in touch with us. To respond to such enquiries, we usually need the following information:

  • First name and surname
  • E-mail address
  • Message


We will only use this data in order to provide you with the best possible, personalised response to your contact request. The processing of such data is therefore necessary in order to take steps prior to entering into a contract within the meaning of the applicable data protection legislation and/or is based on our legitimate interest in such processing pursuant to it.

3. Subscriptions to our newsletter


We do not currently send out newsletters. Once the newsletter is available, you will have the option to subscribe to it on our website. When you subscribe, the following data is collected:

  • Title
  • First name and surname
  • E-mail address


The above data are necessary for data processing. In addition, you can voluntarily provide further data (date of birth and country). We process this data exclusively in order to personalise the information and offers sent to you and to better align them with your interests.

By signing up, you consent to the processing of this data in order to receive news about our hotel and related information about our products and services. This may also include invitations to participate in competitions or to review one of the aforementioned products and services. The collection of your title and name allows us to verify whether the new registration is associated with an existing customer account, and to personalise the content of e-mails. Linking to a customer account helps us make the offers and content contained in the newsletter more relevant to you and better tailor them to your potential needs.

We will use your data to send you e-mails until you withdraw your consent. You can withdraw your consent at any time, in particular via the unsubscribe link in all our marketing e-mails.

4. Opening a client account


To make bookings on our website, you can order as a guest or open a client account. When registering, we compulsorily collect the following data:

  • Title
  • First name and surname
  • Postal address
  • Date of birth
  • Phone number
  • E-mail address
  • Password

The collection of this data and other data voluntarily provided by you (e.g. company name) is for the purpose of providing you with password-protected direct access to your basic data stored with us. You can view your previous and current bookings or manage or change your personal data.

The processing of this data is therefore necessary within the meaning of the applicable data protection legislation for the implementation of pre-contractual measures or is in our legitimate interest in accordance with this.  

5. Booking online, by post or by phone


If you make bookings via our website, by means of correspondence (e-mail or letter post) or by phone, we require the following data to process the order:

  • Title
  • First name and surname
  • Postal address
  • Date of birth
  • Phone number
  • Language
  • Credit card information
  • E-mail address

Unless otherwise stated in this Privacy Policy or you have given your explicit consent, we will only use this data and other information you provide voluntarily (expected time of arrival, motor vehicle number plate, preferences, comments, etc.) for the purpose of performing the contract. We will process the data in order to record your booking as requested, to provide the booked services, to contact you if something is unclear or in the case of problems and to ensure correct payment.

We will automatically delete your credit card details after you leave us.

The legal basis of data processing for this purpose is the performance of a contract pursuant to the applicable data protection legislation and/or your consent pursuant to the applicable data protection legislation. You may withdraw your consent with future effect at any time.

6. Data processing when contacting us by phone


You have the possibility to contact us by phone and ask us questions about website functionalities, bookings or services.

We only collect personal data that you disclose to us. Consequently, you are responsible for the content of your communication and it is up to you what information you submit to us. We recommend that you do not submit any sensitive information. In order to answer your questions, we may ask you to provide us with additional information (e.g. your address, e-mail address, etc.). We will only collect the personal data from you that is necessary to answer your questions or to provide the services you have requested.

The processing of your telephone enquiry is our legitimate interest within the meaning of the relevant data protection legislation.

7. Data processing when contacting us by e-mail


You have the possibility to contact us by e-mail and ask us questions about website functionalities, bookings or services.

We only collect personal data that you disclose to us. Consequently, you are responsible for the content of your communication and it is up to you what information you submit to us. We recommend that you do not submit any sensitive information. In order to answer your questions, we may ask you to provide us with additional information (e.g. your address, telephone number, etc.). We will only collect the personal data from you that is necessary to answer your questions or to provide the services you have requested.

The processing of your enquiry by e-mail is our legitimate interest within the meaning of the relevant data protection legislation.

8. Cookies


Cookies help in many ways to make your visit to our website easier, more enjoyable and more meaningful. Cookies are information files that your web browser automatically stores on your computer's hard drive when you visit our website.

For example, we use cookies to temporarily store your selected services and entries when you fill out a form on the website so that you do not have to repeat the entry when you call up another sub-page. Cookies may also be used to identify you as a registered user after you have registered on the website, without you having to log in again when you call up another sub-page.

Most internet browsers automatically accept cookies. However, you can configure your browser so that no cookies are stored on your computer or a message always appears when you receive a new cookie. On the following pages you will find explanations of how you can configure the processing of cookies in the most common browsers:

 
Deactivating cookies may mean that you cannot use all the functions of our website.

On our website, we use the cookie consent technology of the provider SiteMinder Ltd, ACN 121 931 744 of Bond Store 3, 30 Windmill Street, Millers Point, NSW 2000, Australia. The service is used to obtain your consent to the storage of certain cookies on your end device and to document this in accordance with data protection regulations.

When you visit our website, a connection is established to the SiteMinder servers in order to obtain your consent or other declarations regarding the use of cookies. SiteMinder then stores a cookie in your browser in order to be able to attribute the consent given, or its revocation, to you. The data collected in this way is stored until you request us to delete it, you delete the cookie yourself, or the purpose for storing the data no longer applies.

SiteMinder is used to obtain your consent for the use of cookies in accordance with the applicable data protection legislation.

Further information on data protection and the cookies used can be found on the SiteMinder website at: https://www.siteminder.com/legal/privacy/

9. Tracking tools


a. General


We use Google Analytics on our website. Google Analytics uses methods that enable an analysis of the use of the website, such as cookies (see section 8). The information generated by the cookie about your use of our website, such as your IP address, includes:

  • Navigation path that a visitor follows on the site,
  • Dwell time on the website or a sub-page,
  • the sub-page on which the website is left,
  • the country, region or city from which access is made,
  • End device (type, version, colour depth, resolution, width and height of the browser window),
  • Returning or new visitor,
  • Browser type/version,
  • Operating system used,
  • Referrer URL (i.e. the website visited previously),
  • Host name of the accessing computer (IP address) and
  • Time of the server request.


The information is used to evaluate the use of the website, to compile reports on website activity and to provide other services associated with the use of the website and the internet for the purposes of market research and demand-oriented design of this website. This information may also be transferred to third parties if this is required by law or if third parties process this data on our behalf.

This information is usually transferred to a Google server in the USA and stored there. Because IP anonymisation ("anonymizeIP") is activated by default and automatically on this website, the IP address is shortened before transmission within the Member States of the European Union or in other contracting states to the Agreement on the European Economic Area or Switzerland. The masked IP address transmitted by your browser as part of Google Analytics will not be merged with other Google data, according to Google. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and shortened there. In these cases, we provide contractual guarantees to ensure that Google complies with a sufficient level of data protection.

The information is used to evaluate the use of the website, to compile reports on the activities on the website and to provide further services associated with the use of the website and the use of the internet for the purposes of market research and the design of the website in line with requirements. This information may also be transferred to third parties if this is required by law or if third parties process this data on our behalf.

The legal basis for processing the data for this purpose is your consent in accordance with the applicable data protection legislation. The consent can be revoked at any time with effect for the future.

Users can prevent Google from collecting the data generated by the cookie and relating to their use of the website (incl. the IP address), and from processing this data, by downloading and installing the browser plugin available under the following link: https://tools.google.com/dlpage/gaoptout?hl=en.

For more information about Google and how Google processes data, see here.

10. Links to our social media presences


You will find links to social media networks on our website. These are not plugins provided by the social media network, which already transmit data to the provider when the page is loaded, without the user having any influence. The buttons to the social media networks merely provide a link to our presence on the social media network. No user data is transmitted from the website to the social media network.

The links lead to our appearances on the following networks:

  • Facebook by Meta Platforms Inc., One Hacker Way, Menlo Park, CA 94025, USA, or, if you are a resident of the EU or Switzerland, Meta Platforms Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland
  • Instagram by Meta Platforms Inc., One Hacker Way, Menlo Park, CA 94025, USA, or, if you are a resident of the EU or Switzerland, Meta Platforms Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland
  • Pinterest Inc., 635 High Street, Palo Alto, CA 94301, USA, or, if you are a resident of the EU or Switzerland, Pinterest Europe Ltd., Palmerston House, Fenian Street, Dublin 2, Ireland


When you call up a link to one of our social media profiles, a direct connection is established between your browser and the server of the social network concerned. This provides the network with the information that you have visited our website with your IP address and called up the link. If you call up a link to a network while you are logged into your account with the network in question, the content of our site may be linked to your profile with the network, which means that the network can assign your visit to our website directly to your user account. If you would like to prevent this, you should log out before clicking on the corresponding links. An assignment will take place in any case if you log in to the relevant network after clicking on the link.

B. Data processing in connection with your stay


11. Data processing for the fulfilment of legal reporting obligations


On arrival at our hotel, we may require the following information from you and your companions:

  • First name and Surname
  • Postal address and Canton
  • Date of birth
  • Nationality
  • Arrival and departure day


We collect this information in order to comply with legal reporting obligations, which arise in particular from the hospitality industry or police law. Insofar as we are obliged to do so under the applicable regulations, we forward this information to the competent police authority.

The processing of this data is carried out on the basis of a legal obligation within the meaning of the applicable data protection legislation.

12. Recording of purchased services


If you purchase additional services during your stay (e.g. restaurant, use of the mini-bar or the pay TV offer), we will record the subject of the service and the time of the service purchase for billing purposes. The processing of this data is necessary in the sense of the relevant data protection legislation for the processing of the contract with us.

C. Storage and exchange of data with third parties


13. Booking platforms


If you make bookings via a third-party platform, we receive various personal information from the respective platform operator in connection with the booking made. As a rule, this is the data listed in section 5 of these data protection declarations. In addition, we may receive enquiries about your booking. We will process this data by name in order to record your booking as requested and to provide the booked services. The legal basis for data processing for this purpose is the implementation of pre-contractual measures and the fulfilment of a contract within the meaning of the applicable data protection legislation.

Finally, we may be informed by the platform operators of disputes relating to a booking. In the process, we may also receive data on the booking process, which may include a copy of the booking confirmation as proof of the actual booking completion. We process this data to protect and enforce our claims. This is our legitimate interest within the meaning of the relevant data protection legislation.


Please also note the information on data protection provided by the respective booking platform.

14. Central storage and linking of data


We store the data specified in this privacy policy in a central electronic data processing system. The data concerning you is systematically recorded and linked for the purpose of processing your bookings and handling the contractual services. Within the framework of the data protection regulations, we also enrich the data with data from publicly accessible sources (e.g. press or Internet). For this purpose, we use software from Protel / Rebag Data AG, Einsiedlerstrasse 533, 8810 Horgen/Switzerland.

We base the processing of this data within the framework of the software on our legitimate interest within the meaning of the applicable data protection legislation in customer-friendly and efficient customer data management, as well as on the implementation of contractual measures pursuant to this.

15. Storage duration


We only store personal data for as long as it is necessary to use the tracking services mentioned above as well as the further processing within the scope of our legitimate interest. We retain contractual data for longer, as this is required by legal retention obligations. Retention obligations that oblige us to retain data result from regulations on registration law, on accounting and from tax law. According to these regulations, business communication, concluded contracts and accounting vouchers must be kept for up to 10 years. Insofar as we no longer need this data to perform the services for you, the data will be blocked. This means that the data may then only be used for accounting and tax purposes.

16. Disclosure of data to third parties


We only pass on your personal data if you have expressly consented to this, if there is a legal obligation to do so or if this is necessary to enforce our rights, in particular to enforce claims arising from the contractual relationship. In addition, we pass on your data to third parties if this is necessary within the framework of the use of the website and the processing of the contract, for the provision of the services requested by you as well as the analysis of your user behaviour, if we are obliged to do so by law (e.g. request by a law enforcement agency) or if this is necessary for the enforcement of our claims within the framework of the contractual relationship (e.g. collection measures). The use of the data passed on for this purpose by the third party is strictly limited to the stated purposes.

 

Webhosting


A service provider to whom the personal data collected via the website is transferred or who has or may have access to it is our web hosting provider (iWay AG, Badenerstrasse 569, 8048 Zurich/Switzerland). The website is hosted on servers in Switzerland. The data is transferred for the purpose of providing and maintaining the functionalities of our website.

The legal basis for processing the data for this purpose is our legitimate interest according to the applicable data protection legislation.

Digital guest service


In connection with the electronic service provider, we use the service straiv of the company CODE2ORDER (Eichwiesenring 4F, 70567 Stuttgart, DE). Straiv is used for Pre-CheckIn, to fill out or adapt digital registration forms, Self-CheckIn, Self-CheckOut, guest folder (making relevant information and requests digitally available to the guest) and Chatbot as a chat function with the guest.

Further information on straiv's data protection can be found in the provider's privacy policy under the following link: https://straiv.io/privacy-policy/  

The legal basis for processing the data for these purposes is the implementation of contractual measures and the fulfilment of a contract in accordance with the applicable data protection legislation.

Credit card information


We forward your credit card information to your credit card issuer and to the credit card acquirer when you pay by credit card on the website or via a payment terminal. We work with Worldline Schweiz AG, Hardturmstrasse 201, 8005 Zurich, Switzerland. If you decide to pay by credit card, you will be asked to enter all mandatory information. The legal basis for passing on the data is the fulfilment of a contract in accordance with the relevant data protection legislation. Regarding the processing of your credit card information by these third parties, we ask you to also read the General Terms and Conditions as well as the privacy policy of your credit card issuer. Your credit card data will be automatically deleted after your departure.

Guest cards, ski tickets


In our destination, guest cards (e.g. Engadin Card) can be issued to visitors. The guest cards are linked to the collection of data for the visitor's tax. Your personal data will only be passed on by us to the issuer of the guest card (Engadin St. Moritz Tourismus AG) insofar as this is explicitly necessary for the issuing of the guest card or the settlement of the visitor's tax, unless otherwise stated in this data protection declaration or you have given your separate consent to this. For the issuing of ski tickets, data is also passed on to the respective mountain railway or its operator (Bergbahnen Engadin St. Moritz AG).

The legal basis for processing the data for these purposes is the implementation of pre-contractual measures and the fulfilment of a contract in accordance with the applicable data protection legislation.

WLAN usage


The WLAN available in our hotel is operated by the company Swisscom AG (Alte Tiefenaustrasse 6, 3050 Bern, Switzerland). The following data may be processed: IP address, MAC address of your end device, as well as your specified name. Swisscom may also store certain usage data such as websites visited, date and time and IP address.

Swisscom's privacy policy can be viewed at:
https://www.swisscom.ch/en/residential/legal-information/privacy.html

The legal basis for processing the data for this purpose lies in our legitimate interest under the relevant data protection legislation in providing WLAN access during your stay or in your consent under the relevant data protection legislation when using the WLAN. The consent given can be revoked at any time with effect for the future.

17. Transfer of personal data abroad


We are also entitled to transfer your personal data to third party companies (commissioned service providers) abroad for the purpose of the data processing described in this data protection declaration. These companies are bound by data protection obligations to the same extent as we are. If the level of data protection in a country does not correspond to that in Switzerland or the EU, we ensure by contract that the protection of your personal data always corresponds to that in Switzerland or the EU.

18. Note on data transfers to the USA


Some of the third-party service providers mentioned in this privacy policy are based in the USA. For the sake of completeness, we would like to point out for users resident or domiciled in Switzerland or the EU that there are surveillance measures in place in the USA by US authorities which generally allow the storage of all personal data of all persons whose data has been transferred from Switzerland or the EU to the USA. This is done without any differentiation, restriction or exception based on the objective pursued and without any objective criterion that would make it possible to restrict the US authorities' access to the data and their subsequent use to very specific, strictly limited purposes that are capable of justifying the intrusion associated both with access to this data and with its use. Furthermore, we would like to point out that in the USA, data subjects from Switzerland or the EU do not have any legal remedies that would allow them to obtain access to the data concerning them and to obtain their correction or deletion, and that there is no effective judicial legal protection against general access rights of US authorities. We explicitly draw the attention of data subjects to this legal and factual situation so that they can make an appropriately informed decision about consenting to the use of their data.

We would like to point out to users who are resident in Switzerland or a member state of the EU that the USA does not have a sufficient level of data protection from the point of view of the European Union and Switzerland - among other things due to the issues mentioned in this section. Insofar as we have explained in this data protection declaration that recipients of data (such as Google) are based in the USA, we will ensure that your data is protected at an appropriate level with our partners by means of contractual arrangements with these companies as well as any additional appropriate guarantees that may be required, which protect the rights of persons whose personal data is transferred to a third country.

D. Further information


19. Your rights


Provided that the legal requirements are met, you have the following rights as a person affected by data processing:

Right to information: You have the right to request access to your personal data stored by us at any time and free of charge when we process it. This gives you the opportunity to check what personal data we are processing about you and that we are using it in accordance with applicable data protection regulations.

Right of rectification: You have the right to have inaccurate or incomplete personal data corrected and to be informed about the correction. In this case, we will inform the recipients of the data concerned about the adjustments made, unless this is impossible or involves a disproportionate effort.

Right to erasure: You have the right to have your personal data deleted under certain circumstances. In individual cases, especially in the case of statutory retention obligations, the right to deletion may be excluded. In this case, the deletion may be replaced by a blocking of the data if the conditions are met.

Right to restrict processing: You have the right to request that the processing of your personal data be restricted.

Right to data transmission: You have the right to obtain from us, free of charge, the personal data you have provided to us in a readable format.

Right of objection: You can object to data processing at any time, in particular for data processing in connection with direct advertising (e.g. advertising emails).

Right of withdrawal: In principle, you have the right to revoke your consent at any time. However, processing activities based on your consent in the past will not become unlawful as a result of your revocation.

To exercise these rights, please send us an e-mail to the following address:

backoffice@chesa-surlej.ch

Right of appeal: You have the right to lodge a complaint with a competent supervisory authority, e.g. against the way your personal data is processed.

20. Data security


We use appropriate technical and organisational security measures to protect your personal data stored with us against loss and unlawful processing, namely unauthorised access by third parties. Our employees and the service companies commissioned by us are obliged by us to maintain confidentiality and data protection. Furthermore, these persons are only granted access to the personal data to the extent necessary for the fulfilment of their tasks.

Our security measures are continuously adapted in line with technological developments. However, the transmission of information via the Internet and electronic means of communication always involves certain security risks and we cannot assume any absolute liability for the security of information transmitted in this way.

21. Contact


If you have any questions about data protection on our website, would like information or would like to have your data deleted, please contact us by sending an e-mail to backoffice@chesa-surlej.ch.

Please send your request by post to the hotel management at the following address:

Birgit Doll, Chesa Surlej Hotel, Via dal Corvatsch 30, 7513 Silvaplana

Switzerland

Status: Surlej, August 2023