Crystal Hotels und Restaurants AG, Via Traunter Plazzas 1, CH-7500 St. Moritz, Switzerland (entered into the Commercial Register of the Canton of Graubünden under the number CHE-101.062.062) runs the hotel “Crystal Hotel”, is also the operator of the website www.crystalhotel.ch and is thereby responsible for the collection, processing and use of your personal data and the compliance with the applicable data protection law.
Your trust is important to us, which is why we take the issue of data privacy seriously and ensure a corresponding level of security. Of course, we comply with the legal provisions of the Federal Law on Data Protection (DSG), the Ordinance to the Federal Act on Data Protection (VDSG), the Telecommunications Act (FMG) and any other applicable data privacy provisions in Swiss or EU law, or the EU General Data Protection Regulation (GDPR), where applicable.
So that you are aware which personal data we collect from you and what purposes we use it for, please acknowledge the following information.
When visiting our website, our servers temporarily save each access in a log file. The following technical data is thereby fundamentally collected for every connection with a web server without requiring any action by you, and is maintained until the business relationship is terminated:
- The IP address of the requesting computer,
- The name of the owner of the IP address (normally your internet access
provider),
- The date and time of the access,
- The website from which the access was made (referrer URL), where applicable with the search word used,
- The name and the URL of the accessed file,
- The status code (e.g. error report),
- The operating system of your computer,
- The browser you use (type, version and language),
- The transfer log used (e.g. HTTP/1.1) and
- Where applicable your user name from registration/authentication.
- The host header name
- The number of bytes sent by the server
- The number of bytes received and processed by the server
- The duration of access
- The requested verb or word, such as the GET method (GETlocation)
- The goal of the requested verb or word, e.g. Default.htm
The collection and processing of this data is done with the purpose of allowing the use of the website (establishing a connection), ensuring permanent system security and stability and optimizing the website, as well as for internal statistical purposes. This represents our justified interest in data processing in accordance with Art. 6, paragraph 1 f, GDPR.
The IP address is also evaluated together with other data, in the event of attacks on the network infrastructure or other illegal or abusive use of the website to resolve the issue and defend against it, and, if necessary, within the scope of criminal proceedings, for identification purposes and for civil and criminal proceedings against the affected user. This represents our justified interest in data processing in accordance with Art. 6, para- graph 1 f, GDPR.
You have the option to use a contact form to get in touch with us. For this purpose, we require you to provide your e-mail address. Your e-mail address and other data you have provided voluntarily (e.g. your first name and surnames, telephone number etc.) are required by us so that we can provide the best possible, personalized response to your enquiry. This processing of this data is therefore required in accordance with Art. 6, para- graph 1 b, GDPR to execute pre-contractual measures, or is in our justified interest as per Art. 6, paragraph 1 f, GDPR.
You have the option to get in contact by e-mail. To be able to get in touch with us, you have to click on the e-mail symbol. By clicking on this symbol, a connection is automatically created to your e-mail program and a window is opened to send an e-mail. You can send us questions by e-mail about the functions or the content of the website. You are solely responsible for the messages and the content you send to us using the e-mail function. We recommend not sending any sensitive information via the e-mail function. To be able to use the e-mail function, you simply have to enter your e-mail address. Your e-mail address and other data you have provided voluntarily (e.g. your first name and surnames, telephone number etc.) are required by us so that we can provide the best possible, personalized response to your enquiry. This processing of this data is therefore required in accordance with Art. 6, paragraph 1 b, GDPR to execute pre-contractual measures, or is in our justified interest as per Art. 6, paragraph 1 f, GDPR.
You have the option to use an enquiry form to get in touch with us. You can use the enquiry form to ask about our premises, particularly if you are planning a conference or a party and would like to use our services and rooms for this. For this purpose, we require you to provide your e-mail address. Your e-mail address and other data you have provided voluntarily (e.g. your first name and surnames, telephone number etc.) are required by us so that we can provide the best possible, personalized response to your enquiry. This processing of this data is therefore required in accordance with Art. 6, paragraph 1 b, GDPR to execute pre-contractual measures, or is in our justified interest as per Art. 6, paragraph 1 f, GDPR.
On our website you have the option of subscribing for our newsletter. Registration is re- quired for this. During the registration process it is mandatory to enter your e-mail ad- dress. Your e-mail address and other data you have provided voluntarily (e.g. your first name and surname) are only processed by us to personalize the information and offers we send to you, and to better align them to your interests. By registering, you give us your consent for the processing of the data provided, for the regular sending of the newsletter to the address you have provided, for the statistical evaluation of user behavior and to optimize the newsletter. This consent forms, in accordance with Art. 6, paragraph 1 a, EU-GDPR, our legal basis for the processing of your e-mail address. We are permitted to commission third parties with the technical processing of advertising measures and are permitted to forward your data for this purpose (see below under “Transfer of data to third parties”). At the end of each newsletter there is a link which you can use to unsubscribe at any time. During the unsubscribe process you can notify us voluntarily of the reason why you are unsubscribing. After unsubscribing, your personal data is deleted. Your data is only for- warded anonymously in order to optimize our newsletter.
You have the option of booking accommodation on our website, by correspondence (e- mail or letter) or by telephone. We need the following mandatory data to process the booking:
- The first name and surname of the person making the booking
- The first name and surname of the guests
- Address
- Telephone number
- E-mail address
This data as well as other voluntary information provided by you (e.g. preferences, comments) will only be used by us to process the contract, provided nothing else is specified in this privacy policy, or unless you have consented to it separately. We process the data expressly to implement your booking according to your wishes, to provide the booked services, to contact you in the event of uncertainty or problems and to ensure the correct payment. The legal basis for the processing of your data for this purpose lies in the fulfilment of a contract as per Art. 6, paragraph 1 b, GDPR.
On our website you have the opportunity to reserve a table in our restaurant mentioned on our website. We require the following details for the reservation:
- Salutation
- First name and surname of the person making the reservation
- Number of guests
- E-mail address
- Telephone number
- The choice of restaurant
- Date and time of the reservation
We only collect and process the data to handle the reservation, particularly to compile your reservation enquiry according to your request, to make the reservation and to contact you in the event of uncertainty or problems. The legal basis for the processing of your data for this purpose lies in the fulfilment of a contract as per Art. 6, paragraph 1 b, GDPR.
On our website you have the option to apply for a job vacancy, or spontaneously apply to us. You have to submit a full application for this purpose. It is mandatory to enter the following data in the online form: - Salutation - First name and surname - Address - Nationality - Marital status - Date of birth - E-mail address - Telephone number - Work experience in luxury hotels and Switzerland - Professional field of interest - Cover letter, CV, photo - Employer’s reference This data is used for the application process. If you do not explicitly consent to the further processing, the data is deleted after the respective application process. The legal basis for the processing of data therefore lies in the execution of pre-contractual measures and in our justified interest as per Art. 6, paragraph 1 b and f, GDPR. For other data processing, the legal basis lies in the consent you have issued as per Art. 6, para- graph 1a, GDPR.
On our website you have the option to submit a review. To do so you have to click on the intended link, which connects you to the website of TripAdvisor Inc., 400 1st Avenue, Needham, 02494 MA, USA. It is possible that your IP address may be forwarded to the server of TripAdvisor. The data protection provisions of TripAdvisor apply in this case.
The legal basis for the processing of data therefore lies in our justified interest as per Art. 6, paragraph 1 f, GDPR.
Along with many other things, cookies help us to make your visit to our website easier, more pleasant and effective. Cookies are information files which your web browser au- tomatically saves on the hard drive of your computer, when you visit our website.
We use cookies, for example, to temporarily save the selected services and details when completing a form on the website, so that you do not have to repeat the input when visit- ing another sub-page. Cookies are also used, where applicable, to be able to identify you as a registered user after you have registered on the website, without having to log in again when visiting another sub-page.
Most internet browsers accept cookies automatically. You can, however, configure your browser so that no cookies are saved on your computer, or a warning is always shown when you receive a new cookie. On the following pages you can find explanations of how to configure the handling of cookies with the most popular browsers:
- Microsoft Windows Internet Explorer
- Microsoft Windows Internet Explorer Mobile
- Mozilla Firefox
- Google Chrome for Desktop
- Google Chrome for Mobile
- Apple Safari for Desktop
- Apple Safari for Mobile
The deactivation of cookies may, however, mean that you are not able to use all of the functions of our website.
a. Google Analytics and Google Tag Manager
To allow us to design our website to meet your needs and to continually optimize our website, we use the web analysis service of Google Analytics. Consequently, pseudonymized usage profiles are created and cookies are used (see above). The information generated by the cookie about your use of this website is transferred to a server of the provider of these services, and saved and processed there. In addition to the data listed under point 1, we also may receive the following information:
- The navigation path which the website visitor took,
- The time spent on the website or sub-page,
- The sub-page on which the website was exited,
- The country, region or city in which access was made,
- The end user device (type, version, color depth, resolution, width and
height of the browser window) and
- Whether it was a repeat or new visitor.
The information is used to evaluate the use of the website, to compile reports about web- site activities and to provide other services associated with the use of the website and the internet, for the purpose of market research and designing this website to meet your needs. This information is also transferred to third parties if necessary, if this is specified by law or if third parties processing this data on our behalf.
We also use Google Tag Manager to manage usage-based advertising services. The Tool Tag Manager itself if a cookie-free domain and does not compile any personal data. In- stead, the tool removes other tags which may compile your data. If you perform deactivation at domain or cookie level, this applies to all tracking tags which are implemented with Google Tag Manager.
Google Analytics is a service provided by Google Inc., a company of the holding company Alphabet Inc, with its registered office in the USA. Before being transferred to the service provider, the IP address is abbreviated by activating the IP anonymizing function (“anonymize IP”) on this website within a Member State of the European Union or in another EEC state. The anonymised IP address transferred by your browser due to Google Analytics is not compiled with other data from Google. Only in exceptions is the full IP address transferred to a server of Google in the USA and abbreviated there. In these cases, we ensure, by undertaking contractual guarantees, that Google Inc. maintains a sufficient level of data protection. According to Google Inc. the IP address is not linked to other data associated with the user.
To manage the usage-based advertising service, we use Google Tag Manager, which is also a service of Google. The Tool Tag Manager itself if a cookie-free domain and does not compile any personal data. Instead, the tool removes other tags which may compile your data. If you perform deactivation at domain or cookie level, this applies to all tracking tags which are implemented with Google Tag Manager.
Further information about the web analysis service can be found on the website of Google Analytics.
On our website we have links to our social media profiles. The links lead to the following networks:
- Facebook of Facebook Inc., 1601 S. California Ave, Palo Alto, CA 94304, USA or, if you are a resident in the EU, Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland,
- Instagram of Instagram Inc., 1601 Willow Road, Menlo Park, CA 94025, USA,
- YouTube of Google Inc., Amphitheatre Parkway, Mountain View, CA 94043, USA,
- Google+ of Google Inc., Amphitheatre Parkway, Mountain View, CA 94043, USA.
If you click on symbols of the social networks, you are automatically forwarded to our profile page on the respective network. To be able to use the functions of the respective network, you may have to log in to your user account. By doing so, the network receives information that you visited our website with your IP address, and clicked on the link. If you click on a link to a network while you are logged in to your account on the respective network, the content of our page can be linked with your profile on the network, which means that the network can directly allocated your visit to our website to your user ac- count. If you want to prevent this, you should log out before clicking on the respective links. In any case, the information is linked if you login to the respective network after clicking on the link.
We use social media functions on our website, in particular to share information on social networks. The functions are available for the following social networks: - Facebook of Facebook Inc., 1601 S. California Ave, Palo Alto, CA 94304, USA or, if you are a resident in the EU, Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland, - Google+ of Google Inc., Amphitheatre Parkway, Mountain View, CA 94043, USA, - Instagram of Facebook Inc., 1601 S. California Ave, Palo Alto, CA 94304, USA or, if you are a resident of the EU, Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland, - Pinterest of Pinterest Inc., 651 Brannan Street, San Francisco, CA 94103, USA or, if you are a resident of the EU, Palmerston House, 2nd Floor, Fe- nian Street, Dublin 2, Ireland, - LinkedIn of LinkedIn Corp., 2029 Stierlin Court, Mountain View, CA 94043, USA or, if you are a residence of the EU, LinkedIn Ireland Unlim- ited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland If you click on the symbols of the social networks, you are connected to the respective social network to execute the selected function, i.e. to share content on Facebook. For this purpose, however, you must log in to, or be logged in to, your user account. If you click on symbols of the social networks, you are automatically forwarded to our profile page on the respective network. To be able to use the functions of the respective network, you may have to log in to your user account. By doing so, the network receives information that you visited our website with your IP address, and clicked on the link. If you click on a link to a network while you are logged in to your account on the respective network, the content of our page can be linked with your profile on the network, which means that the network can directly allocate your visit to our website to your user ac- count. If you want to prevent this, you should log out before clicking on the respective links. In any case, the information is linked if you log in to the respective network after clicking on the link. Further information about the use of data and your options and rights to suitably protect your privacy, can be found in the privacy policy of the respective provider.
When arriving at our hotel, we may require the following details from you and the people travelling with you:
- First name and surname
- Address and Canton
- Nationality
- Official ID card and number
- Date of arrival and departure
We collect these details in order to meet our legal reporting obligations, based in particular on the hospitality and police laws. If we are obliged to do so by the applicable regulations, we forward this information to the responsible police authorities.
Our justified interest lies in the fulfilment of legal provisions as per Art. 6, paragraph 1 f, GDPR.
For your stay we may process and collect the following details from you and the other people travelling with you:
- First name and surname
- Address and Canton
- Nationality
- Official ID card and number
- Date of arrival and departure
- Room number
- Preferences and habits
We collect these details not only to fulfil our contractual and post-contractual obligations
to you, but also to be able to offer you the best-possible service.
The legal basis for this data processing thereby lies in the processing of the contract, as per Art. 6, paragraph 1b GDPR.
If you book spa services during your stay at our hotel, the subject of the service (e.g. single admission) and the time of the service are compiled and processed by us for invoicing purposes and to perform the booked service. Normally we require the following details for this:
- First name and surname
- Address
- E-mail address
- Telephone number
- Room number (if available)
The legal basis for this data processing thereby lies in the processing of the contract, as
per Art. 6, paragraph 1b GDPR.
If you use extra services during your stay (e.g. the mini bar) the subject of the service and the time of the service are recorded by us for invoicing purposes. This processing of this data is therefore required for us to execute the contract in accordance with Art. 6, para- graph 1 b, GDPR.
If you make bookings via a third-party platform, we receive various personal information from the respective operator of the platform. This usually concerns the data listed in point 5 of this privacy policy. Any requests associated with your booking are also forwarded to us. We process this data to handle the booking according to your request and to provide the booked services. The legal basis for the processing of your data for this purpose lies in the fulfilment of a contract as per Art. 6, paragraph 1 b, GDPR. Eventually, we may be notified by the platform operators about disputes associated with a booking. In this case we may also receive data about the booking process, whereby a copy of the booking confirmation may be used as proof that the booking has actually been completed. We process this data to protect and assert our claims. This represents our justified interest in accordance with Art. 6, paragraph 1 f, GDPR. Please also note the data privacy guidelines of the respective provider.
We save the data in a central electronic data processing system. The data concerning you is then systematically recorded and linked to process your booking and execute the contractual services. Furthermore, the data in the system is used for advertising purposes, in particular to be able to offer you personalized services and products. The legal basis for the processing of data for customer management lies in the processing of the contract, in accordance with Art. 6, paragraph 1 b, GDPR. With regards to the processing of data for advertising activities, the legal basis lies, on the one hand, in the processing of the contract (the existing customer relationship justified the processing of data for advertising activities) and, on the other hand, in the consent issued by you in accordance with Art. 6, paragraph 1 a, GDPR, when registering for the newsletter (see point 3).
The maximum storage time for personal data is as long as a business relationship is maintained, in order to use the afore-mentioned tracking services as well as the further processing within the scope of our justified interest. Contract data is stored for us for a longer period of time, if this is specified by legal storage obligations. Storage obligations which oblige us to store data, arise from the provisions concerning the right of registration, in- voicing and the tax law. According to these provisions, business communication, concluded contracts and accounting documents have to be stored for up to 10 years. If we no longer require this data to provide the services for you, the data is blocked. This means that the data can only be used for invoicing and tax purposes.
We only forward your personal data if you have explicitly agreed to it, if there is a legal obligation to do so, or if this is necessary to assert our rights, in particular to assert claims from the contractual relationship. Furthermore, we forward your data to third parties if this is necessary within the scope of the use of the website and the processing of the contract (also outside of the website), namely the processing of your bookings. Various third-party service providers have been mentioned explicitly in this privacy policy and the purpose of the transfer of data has been mentioned. Another service provider to whom personal data is forwarded or who has or could have access, is our web hosting company Positioner (website data). The website is hosted on servers in Switzerland, Germany and Austria. The transfer of data is done with the purpose of providing and maintaining the functions of our website. This represents our justified interest in accordance with Art. 6, paragraph 1 f, GDPR. Finally, for payments by credit card made on our website, we forward your credit card information to your credit card issuer and the credit card acquirer. If you decide to make a payment by credit card, you will be requested to enter all the mandatory information. The legal basis for the transfer of data lies in the fulfilment of a contract in accordance with Art. 6, paragraph 1 b, GDPR. With regards to the processing of your credit card information by these third parties, we request that you also read the general terms and conditions and the data privacy statement of your credit card issuer.
We are permitted to also transfer your personal data to third-party companies (commissioned service providers) for the purpose of data processing described in this privacy policy. They are obliged to maintain the same level of data protection as we have. If the level of data protection in a particular country does not correspond to the Swiss or European level, we will ensure by means of a contract, that the protection of your personal data meets the level of protection in Switzerland or the EU at all times.
You have the right to receive information about the personal data we have saved about you, on request. In addition, you have the right to correct any incorrect data and the right to delete your personal data, provided no legal storage obligation or legal provision which allows us to process the data, contradicts this.
You also have the right to request back the data that you have given us (right to data port- ability). On request, we will also forward the data to a third party of your choice. You have the right to receive the data in a standard file format.
You can reach us for these purposes via the e-mail address stay@crystalhotel.ch. For the processing of your requests, we can require proof of identity, at our discretion.
We take suitable technical and organizational security measures, to protect your personal data we have saved from manipulation, full or partial loss and unauthorized third-party access. Our safety measures are continually adapted in line with the development of technology. You should always treat your access data as confidential and close the browser window once you have finished communication with us, in particular if you share the computer with other people. We also take the protection of data in our own company very seriously. Our employees and the service providers commissioned by us have been obliged to confidentiality and to comply with the legal provisions concerning data protection.
For the sake of completeness, for users with their place of residence or registered office in Switzerland, we would like to point out that monitoring measures of US authorities exist, which generally allow the saving of personal data of every person whose data is sent from Switzerland to the USA. This is done without differentiation, restriction or exceptions for the intended goal, and without an objective criterion, which allows the US authorities to access the data and the later usage to be restricted to a particular, strictly limited purpose, which may justify both the access to this data as well as interventions associated with its usage. In addition, we would also like to point out that, in the USA there is no legal aid for data subjects from Switzerland, which would allow you to receive access to the affected data and to correct or delete the data, or no effective legal protection exists against the general rights of access of the US authorities. We hereby explicitly refer the affected party to this legal and factual situation, so that an informed decision can be made about the consent to use the data. We would like to point out to users with their place of residence in an EU Member State, that in the view of the European Union, the USA does not have a sufficient data protection level – in part due to the issues mentioned in this section. If we have mentioned in this privacy policy that recipients of data (such as Google) have their registered office in the USA, we will either ensure by contractual regulations with these companies, or by ensuring the certification of these companies under the EU-US or Swiss-US Privacy Shield, that your data is protected to a suitable level by our partners.
You have the right to complain at any time to the data protection authorities