Dolder Hotel AG, Kurhausstrasse 65, 8032 Zurich (hereinafter referred to as “Dolder”, and also “we”, “us”) collects and processes personal data that could relate to you or other people (hereinafter referred to as “third parties”). In this document, the term “data” is used synonymously with “personal data” or “personal information”.
2. WHO IS RESPONSIBLE FOR PROCESSING YOUR DATA?
Dolder Hotel AG
8032 Zurich, Switzerland
+41 44 456 60 00
We have also engaged the following additional entities:
Data protection representative in the European Union (EU) under Article 27 GDPR:
VGS Datenschutzpartner GmbH
Am Kaiserkai 69
You can also contact this office regarding data protection matters.
3. WHAT DATA DO WE PROCESS?
We process various different categories of your personal data. The most important categories are the following:
- Master data: This is the basic data (e.g. name, contact information), further information about you (e.g. roles and functions) as well as your relationship with us (e.g. guest, other customer, supplier, service provider or employee thereof, etc.), bank details, date of birth, photos, copies of identity documents, customer history, any powers of attorney, signing authorisations and declarations of consent, information about third parties (e.g. contact persons, representatives). This may also include health data such as food intolerances.
- Registration data: This is data that arises during registration with us or that you provide to us (e.g. name, e-mail address), but also data that arises in the context of competitions or when redeeming vouchers and, if applicable, access data in the context of access controls.
- Contract data: This is data that arises in connection with a contract concluded by us or in the context of the provision of our services, such as information about the nature of the contract, date of conclusion of the contract, contract term, contractual services, data from the period before concluding the contract, information required or used for processing (e.g. information regarding invoicing or customer service), information about reactions (e.g. complaints or information about satisfaction, etc.), financial data (e.g. information about solvency/creditworthiness, reminders and debt collection). This may also include health data.
- Communication data: This is data that arises in connection with communication between us and third parties (e.g. via contact form, e-mail, telephone, letter or other means of communication), such as the content of e-mails or letters, your contact details and marginal data related to the communication, or a copy of an identity document, if applicable.
- Technical data: This is data that arises in the context of using of our electronic services (e.g. website, WLAN), such as the IP address, information about the operating system of your device, the region and the time of use. Technical data in itself does not allow any conclusions to be drawn about your identity.
- Behavioural and preference data: This is data about your behaviour and preferences (such as reactions to electronic messages, navigation on the website, interactions with our social media profiles, participation in competitions or events, etc.), potentially supplemented by information from third parties (also from publicly accessible sources). For information about tracking, see section 13.
- Application data: This includes all data that you submit to us as part of your application materials, for example information about your education and degrees, marks, your professional experience, work certificates and references as well as your activities outside of work. We may also seek references from third parties if you have provided those references to us or otherwise given your consent for this.
- Other data: This may include the following information and data: Data that arises in connection with official or judicial proceedings (e.g. files, evidence, etc.), data that is collected for reasons of health protection (e.g. as part of precautionary measures), photos, videos or sound recordings that we produce or receive from third parties and in which you are recognisable (e.g. at events, by security cameras, etc.), access data or rights (e.g. according to the guest list, when you enter certain buildings or what access rights you have), participation in events or campaigns (e.g. competitions and functions), and when you use our infrastructure and systems. Data in connection with your position as a shareholder of or investor in our company (e.g. information for various registers, the exercise of your rights and the holding of events, such as general meetings).
4. WHERE DOES THE DATA COME FROM?
- From you: Much of the data specified in section 3 is provided to us by you (e.g. during communication with us, in connection with contracts or our services, through the use of our website and other services, etc.). You are not obliged to disclose your data except in specific cases (e.g. legal obligations such as legally required identification or precautionary measures). However, if you enter into contracts with us or want to use our services (for yourself or your employer or client), you must disclose certain data to us (in particular master data, contract data and registration data). When you use our website, the processing of technical data is unavoidable. If you want to access certain systems or buildings, you must provide us registration data. However, in the case of behavioural and preference data, you have the option of objecting or not giving consent.
- From third parties: Where permitted, we may also obtain data from publicly available sources (e.g. debt enforcement register, commercial register, media or the Internet incl. social media) or obtain it from authorities and other third parties (e.g. credit agencies, list brokers, associations, contractual partners, Internet analytics services, etc.). This includes in particular the following categories: Master data, contract data and other data, as well as all other data categories in accordance with section 3 and data arising from correspondence and meetings with third parties. If you work for an employer or client or someone else who has a business relationship or other dealings with us, they may also share data about you with us.
5. FOR WHAT PURPOSES DO WE PROCESS YOUR DATA?
- Communication: In order to communicate with you (e.g. to answer inquiries, or in the context of consultations or contract performance), we must process your data (in particular communication and master data, as well as registration data in connection with the services you use). If we need or want to establish your identity, we collect additional data (e.g. a copy of an identity document). In particular, we use communication data and master data for this purpose, as well as registration data in connection with the services you use.
- Preparation, administration and processing of contracts: In connection with the initiation, conclusion and processing of contracts with our guests (e.g. in the context of reservation management), other customers, suppliers, subcontractors or other contractual partners (e.g. project partners), we process related personal data. For this purpose, we also process data to check creditworthiness, to open and manage the customer relationship, to provide customer service and to provide and procure contractual services (which also includes the involvement of third parties, such as logistics companies, advertising service providers or credit agencies, which in turn may provide us with data). This also includes the enforcement of legal claims arising from contracts (debt collection, legal proceedings, etc.), accounting, termination of contracts and public communications. For this purpose, we use in particular master data, contract data and communication data, as well as registration data and technical data, if applicable (e.g. in the case of digital services).
- Marketing purposes and relationship maintenance: We process data for marketing and relationship maintenance purposes, for example to send our guests and other customers, other contractual partners and other interested parties personalised advertising (e.g. as printed matter, via e-mail, via other electronic channels or via telephone) regarding products, services and other news from us and from third parties (e.g. from product partners), in connection with free services (e.g. invitations, vouchers, etc.) or in the context of individual marketing campaigns (e.g. events, competitions, etc.). You may refuse such contacts or revoke your consent to be contacted for advertising purposes by notifying us (section 2) at any time. With your consent, we can tailor our online advertising on the Internet more specifically to you (see section 13). This also includes interaction with existing customers and their contacts, which can be personalised based on behavioural and preference data. In the context of relationship management, we may also operate a customer relationship management (CRM) system in which we store the data of guests, other customers and other business partners. In particular, we process communication, registration, behavioural and preference data for marketing and relationship maintenance purposes.
- Market research, improvement of our services and operations, and product development: In order to continuously improve our products and services (incl. our website) and to be able to react promptly to changing requirements, we analyse information such as how you navigate our website, which products are used by which groups of people in which way, and how new products and services can be designed (for further details, see section 13). This gives us insights into the market acceptance of existing products and services and the market potential of new ones. For this purpose, we process in particular master data, behavioural and preference data, as well as communication data, information from customer questionnaires, surveys and studies, and other information, for example in the media, on social media, from the Internet and from other public sources. To the extent reasonably practicable, we use pseudonymised or anonymised information for these purposes.
- Registration and security purposes as well as technical and physical access controls: In order to use certain services (e.g. WLAN), you must register (directly with us or via our external login service providers); we process data for this purpose. We also collect further personal data about you during your use of the respective service. We continuously monitor and improve the security of our IT and other infrastructure (e.g. buildings). We therefore process data for the purposes of monitoring, checking, analysing and testing our networks and IT infrastructure, for system and error checks, for documentation purposes, and for the production of backups. Access controls include, in particular, physical access control, but in some cases also control of access to electronic systems. For security purposes (preventive and to investigate incidents), we also keep access logs and guest lists and use surveillance systems (e.g. security cameras). Appropriate signs at the respective locations indicate the presence of surveillance systems. For this purpose, we process in particular registration and technical data, but also other data mentioned in section 3.
- Compliance with laws, directives and recommendations from authorities and internal regulations (“compliance”): We may process personal data to ensure compliance with laws, (e.g. anti-money laundering, tax obligations, reporting foreign guests to the cantonal aliens department or for the implementation of health and safety precautions). In addition, data may be processed in the context of internal or external investigations (e.g. by a law enforcement or supervisory authority or a commissioned private entity). For this purpose, we process in particular master data, contract data and communication data; in some cases, we also process behavioural data, technical data and data from the categories of other data. The applicable legal obligations may be from Swiss law or from foreign regulations to which we are subject, as well as self-regulation, industry standards, our own corporate governance and official directives and requests.
- Risk management and business management: We may process personal data in the context of risk management (e.g. to protect against criminal activities) and business management, including our operational organisation (e.g. resource planning) and corporate development (e.g. acquisition and sale of parts of the business or companies). We process in particular master data, contract data, registration data and technical data, as well as behavioural and communication data.
- Job applications: If you apply for a job with us, we collect and process the information we need to check the application, carry out the application process and, in the case of a successful application, prepare and conclude the contract. For this purpose, we in particular process master data and application data.
- Other purposes: This includes, for example, training purposes, administrative purposes (e.g. the administration of master data or accounting), the enforcement of our rights and the evaluation and improvement of internal purposes. These other purposes also include the enforcement of legitimate interests, which cannot be exhaustively specified. We also process data in connection with your position as a shareholder of or investor in our company (e.g. information for various registers, the exercise of your rights and the holding of events, such as general meetings).
6. ON WHAT BASIS DO WE PROCESS YOUR DATA?
The processing of your data by us is based, insofar as this is required, on the following principles, depending on the situation and processing purpose:
- Contract: If we process data for the conclusion and performance of contracts concluded for or with you or your employer, client or other persons for whom you are working, this is also the legal basis for our processing of your data.
- Legal obligations: Furthermore, we may process your data to comply with applicable legal, regulatory or professional conduct provisions to which we are subject.
- Legitimate interest: We may process your data based on our own legitimate interest or the legitimate interest of a third party. This applies in particular to achievement of the purposes and objectives set forth in section 5 and the execution of related measures. Among other things, we have a legitimate (and overriding) interest in the marketing of our products and services as well as a better understanding of the markets relevant to us and our activities (in particular in the efficient and secure performance of our processes and the further development of our activities), in the efficient and effective management of our company, and in safeguarding the security of our systems, buildings and our interests vis-à-vis third parties.
- Consent: When we request your consent for the processing of your data, this is the legal basis on which we process your data. We will inform you of the purpose of the processing. You can revoke your consent in writing (via post or, if not otherwise specified or agreed, via e-mail) at any time, with future effect (see section 2 regarding our contact information and section 13 regarding the revocation of your consent in the area of online tracking). As soon as we receive and process the revocation of your consent, we will no longer process your data for the purposes to which you originally consented (unless the further processing is permitted on another legal basis).
- Other legal bases: In specific cases, we may also process data on other legal bases. When this occurs, we will inform you on a case-by-case basis.
7. WHAT IS THE SITUATION WITH PROFILING?
Profiling is a procedure in which personal data is automatically processed in order to analyse personal aspects or make predictions (e.g. to analyse the personal interests, preferences and inclinations of a person or to predict probable behaviour). For example, we conduct profiling in connection with reservations and orders on our website (e.g. in order to determine which other services and products could be of interest to you based on your purchases). In particular, we use behavioural and preference data, technical data and communication data (e.g. your reaction to advertising and other messages). Profiling helps us continuously improve our products and services and better adapt them to your specific requirements, plan our business activities, determine the likelihood that a transaction is fraudulent and assist you more effectively through our customer service. To improve the quality of our analyses and forecasts, we may also create profiles, i.e. link personal data from different sources in order to understand you better as a person with various interests and characteristics. In both cases, we ensure the proportionality and reliability of the results and take measures against any misuse.
8. WITH WHOM DO WE SHARE YOUR DATA?
In connection with our contracts, the website, our services and products, our legal obligations, the enforcement of our legitimate interests and the other purposes listed in section 5, we share your personal data with third parties, and in particular the following categories of recipients:
- Service providers: We work with service providers in Switzerland and abroad (third parties) that process data about you (i) on our behalf, (ii) jointly with us or (iii) process data that they have received from us on their own authority (e.g. IT providers, shipping companies, advertising service providers, cleaning companies, security companies, banks, insurance companies, debt collection companies, credit agencies, address verifiers, consultancies or lawyers). For more information on service providers engaged in connection with the website, see section 13.
- Contractual partners, including customers: This refers to customers and other contractual partners of ours where there is a contractual basis for the transfer of your data (e.g. because you work for a contractual partner or they perform services for you). This may also include health data. The recipients may also be other contractual partners with which we are cooperating or which conduct advertising for us. Contractual partners receive, for example, registration data on issued and redeemed vouchers, invitations, and more. The recipients are responsible for their own processing of the data.
- Authorities: We may share personal data with government agencies, courts and other authorities (such as the cantonal aliens department) in Switzerland or abroad if we are legally obliged or entitled to do so or this appears necessary to enforce our interests. The recipients are responsible for their processing of the data.
- Other people: This refers to other cases in which the involvement of third parties arises from the purposes described in section 5. Other recipients include the delivery addressees or payment recipients specified by you, third parties in the context of representative relationships (e.g. your lawyer or your bank) or people involved in official and court proceedings. When we work with media and share material with them (e.g. photos), you may also be affected. In the course of developing the business, we may sell or acquire businesses, parts of companies, assets or companies or enter into partnerships, which may result in the disclosure of data (incl. from you, e.g. as a customer or supplier or their representative) to the parties involved in the transaction. We may also share data concerning you in the context of communications with our competitors, industry organisations, associations and other bodies.
All of these categories may in turn also involve third parties, thus making your data accessible to them as well. We can restrict processing by certain third parties (e.g. IT providers), but not by other third parties (e.g. authorities, banks, etc.).
We also allow certain third parties to collect personal data about you on our website and at events held by us (e.g. media photographers, providers of tools that we have integrated on our website, etc.). If we are not significantly involved in the collection of this data, these third parties are solely responsible for it. In case of issues or the enforcement of your data protection rights, please contact these third parties directly. See section 13 for the website.
9. IS YOUR PERSONAL DATA TRANSFERRED TO OTHER COUNTRIES?
We primarily process and store your personal data in Switzerland and the European Economic Area (EEA). In specific cases, however, we may transfer personal data to service providers and other recipients (see section 8) located outside of this geographical area or which process personal data outside of this area, which may be in any country in the world.
If a recipient is located in a country without adequate legal data protection, we contractually require the recipient to comply with the applicable data protection provisions (for which we use the revised standard contract clauses from the European Commission [EC], which can be accessed here: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj? ), insofar as the recipient is not already subject to a legally recognised data protection policy and we cannot rely on an exemption provision. An exception may apply in particular to legal proceedings abroad, but also in cases of overriding public interest or if the performance of a contract requires such disclosure, if you have consented, or if it concerns data made generally accessible by you and you have not objected to its processing.
Please also note that data exchanged via the Internet is frequently routed via third countries. So your data can be transferred to another country even when the sender and recipient are in the same country.
10. FOR HOW LONG DO WE PROCESS YOUR DATA?
We process your data for as long as required according to our processing purposes, legal retention periods and our legitimate interests in processing for documentation and evidential purposes, or the storage is for technical reasons (e.g. in the case of backups or document management systems). If there are no legal or contractual obligations to the contrary, we erase or anonymise your data following expiration of the storage or processing period in the course of our usual procedures.
If there are no applicable legal retention regulations in a given case, we generally process personal data for the duration of the business relationship or contract term and then for a further 5, 10 or more years depending on the applicable legal requirements. This corresponds to the time period in which we can assert legal claims against third parties or third parties can assert legal claims against us. Pending or expected legal proceedings may result in processing extending beyond this time period. Further information on the storage period for cookies is found in section 13.2.
11. HOW DO WE PROTECT YOUR DATA?
We undertake appropriate security measures to maintain the confidentiality, integrity and availability of your personal data in order to protect it against unauthorised or illegal processing and to minimise the risk of loss, unintentional change, unwanted disclosure or unauthorised access. However, such security risks can generally not be entirely eliminated and a certain degree of residual risk is unavoidable.
12. WHAT ARE YOUR RIGHTS?
Under certain circumstances, the applicable data protection law grants you the right to object to the processing of your data, in particular processing for direct marketing purposes, profiling for direct advertising purposes and other legitimate interests in processing.
To facilitate your control over the processing of your personal data, depending on the applicable data protection provisions you may also have the following rights in connection with our data processing:
- the right to request information from us regarding whether and which data of yours we process;
- the right to have us correct data if it is incorrect;
- the right to request the erasure of data;
- the right to request the release of specific personal data in a common electronic format or its transfer to another controller;
- the right to revoke consent, insofar as our processing is based on your consent;
- the right to obtain, on request, other information required to exercise these rights.
If you wish to exercise the aforementioned rights, please contact us in writing, in person or, if not otherwise specified or agreed, via e-mail; our contact information is found in section 2. To exclude the possibility of misuse, we must establish your identity (e.g. with a copy of an identity document, if this is not possible by less intrusive means).
You also have these rights with respect to other entities that work with us on their own authority – please contact them directly if you wish to exercise rights in connection with their processing. Information about our most important cooperation partners and service providers is found in section 8; further information is found in section 13.
Please note that prerequisites, exceptions and restrictions apply to these rights under the applicable data protection law (e.g. for the protection of third parties or trade secrets). We will notify you of this where applicable.
If you do not agree with our handling of your rights or privacy, please notify us or our data protection officer (section 2) of this. In particular if you are located in the EEA, the United Kingdom or Switzerland, you also have the right to file a complaint with the data protection supervisory authority in your country. A list of authorities in the EEA is found here: https://edpb.europa.eu/about-edpb/about-edpb/members_en. The UK’s Information Commissioner’s Office is found here: https://ico.org.uk/global/contact-us/. You can also contact the Swiss Federal Data Protection and Information Commissioner: www.edoeb.admin.ch/edoeb/en/home/deredoeb/kontakt.html.
13. DO WE USE ONLINE TRACKING, ONLINE MARKETING TECHNOLOGIES AND SIMILAR TECHNOLOGIES?
On our website (incl. the newsletter and reservation portal), we use various technologies (e.g. cookies, fingerprinting, tracking pixels and similar technologies) with which we and third parties engaged by us can recognise you when you use it and may also be able to track you over multiple visits.
We use our own tools as well as services from third-party providers, in particular to improve the functionality or contents of our website (e.g. integration of videos or maps), to generate statistics and to place ads. This enables us and authorised third-party providers to offer you a personalised web experience (e.g. personalised advertising, interactions on social media sites, etc.).
13.1 What are cookies and similar technologies?
A cookie is a small text file with an ID (series of letters and numbers) that is transmitted between the server and your system. This enables us and the third-party providers commissioned by us to recognise visitors to our website and to track them over multiple visits and multiple different websites. Cookies make it possible to recognise a specific device or browser and do not necessarily contain information that can personally identify a specific user. However, personal data stored by us or third-party providers commissioned by us (e.g. if you have a user account with us or these providers) can be linked with the information stored in and obtained from cookies and thus potentially associated with you personally.
In addition to cookies, there are other similar technologies such as pixel tags and social media plug-ins. Pixel tags are small, normally invisible images or blocks of code that are loaded by a server and supply certain information to the server operator (e.g. access to a website). We reserve the right to use fingerprints. Fingerprints consist of information collected during your visit to the website through the configuration of your end device or your browser and make it possible to distinguish your device from other devices. Social media plug-ins are small software modules that establish a link between your visit to our website and the social media platform of a third-party provider. The social media plug-in tells the third-party provider that you have visited our website and may send the third-party provider cookies that it previously placed on your web browser. Further information about how these third-party providers use your data collected via social media plug-ins can be found in their respective privacy policies.
13.2 What types of cookies do we use?
The cookies and similar technologies that we use on our websites are used for the following purposes (this includes comparable technologies):
- Required cookies: Some cookies are essential for the use of the website and its functions. These cookies guarantee the essential functionality of the website, for example the ability to navigate from page to page without the products in the shopping cart disappearing. They also ensure that you remain connected to the website. These cookies have an expiry time of up to 24 months.
- Performance and analytics cookies: Performance and analytics cookies collect information about how our website is used and enable us to carry out analyses about the use of the website, for example which pages are accessed most frequently and how visitors navigate our website. These cookies are used to make visiting the website easier and faster and to improve the overall user experience and convenience. We use third-party analytics services for this. These cookies have an expiry time of up to 24 months.
- Marketing cookies: Marketing cookies help us and our advertising partners show you advertisements on our website for offers or services that may be of interest to you, or to display our advertisements to you if you continue to browse the Internet after leaving our website, i.e. to show you targeted advertising. These cookies have an expiry time of 24 months.
Details about our third-party providers and advertising partners can be found in the consent management system available on the respective website that you are currently visiting. In the consent management system, you can also deactivate certain categories of cookies by making the corresponding settings.
Some of the third-party providers we use may be located outside of Switzerland. Information regarding the transfer of data to other countries can be found in section 9.
We currently use services from the following service providers and advertising contractual partners (insofar as they use data from you or cookies set by you to manage advertising):
- Google Analytics: Google Ireland (based in Ireland) is the provider of the Google Analytics service and acts as our contracted processor. Google Ireland uses Google LLC (based in the USA) as its contracted processor (hereinafter both referred to as “Google”) for this purpose. Google uses performance cookies (see above) to track the behaviour of visitors to our website (duration, frequency of visits, geographical origin of access, etc.) and compiles reports on the use of our website for us on that basis. We have configured the service in such a way that visitors’ IP addresses are truncated by Google in Europe before being transferred to the USA and can therefore not be traced. We have deactivated the “data sharing” and “signals” settings. Although we can assume that the information we share with Google is not personal data for Google, it is possible that Google may draw conclusions about the identity of visitors from this data for its own purposes, create personal profiles and link the data to the Google accounts of those individuals. If you agree to the use of Google Analytics, you explicitly consent to such processing, which also includes the transfer of personal data (in particular usage data for the website and app, device information and individual IDs) to the USA and other countries where your data may be accessible to authorities that are not subject to adequate data protection provisions. Information about data privacy in Google Analytics can be found here https://support.google.com/analytics/answer/6004245 and if you have a Google account, you can find further information about processing by Google here https://policies.google.com/technologies/partner-sites.
Browsers can automatically accept or reject cookies, but also allow you to change these settings. You can also disable or delete cookies that you previously accepted. Please note that all settings are lost if you delete all cookies, including the setting that you do not want to accept cookies, as this requires that an opt-out cookie has been set. The settings must be made separately for each browser you use. You can learn how to manage cookies in your browser through the browser’s help menu.
You can still use our website if you choose to reject cookies and similar technologies, but your access to some features and areas of our website may be restricted.
14. WHAT DATA DO WE PROCESS ON OUR PAGES ON SOCIAL NETWORKS?
We may operate pages and other online sites (fan pages, channels, profiles, etc.) on social networks and other platforms operated by third parties and process the data collected about you there as described in section 3 and below. We receive this information from you and the platforms when you interact with us through our online pages (e.g. when you communicate with us, comment on our content or visit our pages). At the same time, the platform providers may analyse your use of our online pages (e.g. the way you interact with us, how you use our online pages, what you view, comment on or like) and process this data together with other data they have about you (e.g. information about your age and gender and other demographic information). In this way, they create profiles about you and generate statistics about the use of our online pages. They use the data and profiles to display our ads or other ads and other personalised content on the platform as well as to manage behaviour on the platform, but also for market and user research and to provide us and other parties with information about you and the use of our online pages. Insofar as we are jointly responsible for certain types of processing with the provider, we will conclude a corresponding contract with the provider. You can obtain information about the substantive content of this contract from the provider. They also process this data for their own purposes, in particular for marketing and market research purposes (e.g. to personalise advertising) and to manage their platforms (e.g. to decide what content they show you); for these purposes, they act as a separate data controller.
We are authorised, but not obliged, to check content before or after its publication on our online sites, to delete content without notice and to report it to the provider of the respective platform if appropriate. In the event of violations of codes of decency and conduct, we may also inform the provider of the platform on which the user account is located for the purpose of blocking or deleting it.
Further information on processing by the platform operators can be found in the privacy policies of the respective platforms. There you can also find out which countries your data is processed in, what rights of information and erasure you have and how you can exercise them or receive further information. We currently use the following platforms:
This page was last modified on 1.9.2023. If you have any questions or concerns about our legal notices or data protection, please contact us at firstname.lastname@example.org.