This data protection declaration provides information about how, where and why we process what personal data, in particular in connection with our hotelcard.com website and our other offerings. In addition to this, the data protection declaration provides information about the rights of individuals whose data we process.
Special, supplementary or further data protection declarations and other legal documents such as our General Terms and Conditions of Business (GTCB), terms of usage or conditions of participation may apply for individual or additional offerings and services.
Our offering is subject to Swiss data protection law and to any applicable foreign data protection law such as, in particular, the laws of the European Union (EU) including the General Data Protection Regulation (GDPR). The European Commission recognises that Swiss data protection law ensures an adequate level of data protection.
1. Contact addresses
Responsible for processing of personal data:
Should, in individual cases, other entities be responsible for processing of personal data, then we will draw attention to this.
Data protection representation in the European Economic Area (EEA)
As per Art. 27 GDPR we have the following data protection representation in the European Economic Area (EEA), comprising the European Union (EU) and the Principality of Liechtenstein, Iceland and Norway, as an additional point of contact for supervisory authorities and data subjects making enquiries relating to the General Data Protection Regulation (GDPR):
Am Kaiserkai 69
2. Processing of personal data
Personal data means all information relating to an identified or identifiable natural person. A data subject is a natural person whose personal data is processed. Processing means any handling of personal data, independent of the means and procedures which are used and, in particular, the storage, disclosure, acquisition, collection, erasure, saving, alteration, destruction and use of personal data.
The European Economic Area (EEA) comprises the European Union (EU) and the Principality of Liechtenstein, Iceland and Norway. The General Data Protection Regulation (GDPR) defines the processing of personal data as the processing of personal data relating to a specific natural person.
2.2 Legal bases
If and insofar as the General Data Protection Regulation (GDPR) is applicable, we process personal data according to at least one of the following legal bases:
- Art. 6 Para. 1 (b) GDPR where processing of personal data is necessary to perform a contract with the data subject and to take steps prior to entering into a contract.
- Art. 6 Para. 1 (f) GDPR where processing of personal data is necessary to safeguard our or third-party legitimate interests insofar as these interests are not overridden by the fundamental rights and freedoms of the data subject. Legitimate interests are, in particular, our interest in providing our offering in the long term and in a manner which is user-friendly, secure and reliable as well as to advertise this offering if required; information security and protection against misuse and unauthorised use; exercising of our own legal claims; and compliance with Swiss law.
- Art. 6 Para. 1 (c) GDPR where processing of personal data is necessary to comply with a legal obligation to which we are subject as per any applicable law of member states of the European Economic Area (EEA).
- Art. 6 Para. 1 (e) GDPR where processing of personal data is necessary to perform a task carried out in the public interest.
- Art. 6 Para. 1 (a) GDPR to process personal data given with the data subject’s consent.
- Art. 6 Para. 1 (d) GDPR where processing of personal data is necessary to protect the vital interests of the data subject or of another natural person.
2.3 Type, extent and purpose
We process personal data which is necessary to provide our offering in the long term and in a manner which is user-friendly, secure and reliable. Such personal data can fall into the following categories: master and contact data, browser and device data, content data, meta- respectively peripheral data and usage data, location data or sales, contractual and payment data.
We process personal data for the period which is required for the relevant purpose or purposes or which is required by law. Personal data which must no longer be processed is anonymised or erased. Data subjects whose data we process have a fundamental right to erasure.
As a matter of principle we only process personal data after obtaining the data subject’s consent unless processing is permissible for other legal reasons, such as to perform a contract with the data subject and to take steps prior to entering into a contract; to safeguard our overriding legitimate interests; because processing is evident from the circumstances; or based on prior information.
Within this framework we process in particular the information which the data subject transmits to us voluntarily and themselves when establishing contact with us – for example by letter, email, contact form, social media or telephone – or when registering for a user account. We may, for example, store such information in an address book, a customer relationship management system (CRM system) or using comparable aids. Insofar as the data subject transmits personal data to us via third parties, they are obliged to ensure data protection vis-à-vis such third parties and to ensure the correctness of such personal data.
In addition to this, we process personal data which we receive from third parties; acquire from publicly accessible sources; or collect when providing our offering, if and insofar as such processing is legally permissible.
Personal data originating from job applications is only processed insofar as it is required to assess suitability for an employment relationship or for subsequent performance of an employment contract. The personal data which is required to carry out an application process arises from the information which is requested and/or provided, for example within the scope of a job description. Candidates have the option of transmitting further voluntary information for their corresponding job application.
2.4 Processing of personal data by third parties, also abroad
We can have personal data processed by contracted third parties or process it together with third parties or with the help of third parties as well as transmit this data to third parties. Such third parties are, in particular, providers whose services we use. Should we use such third parties, then we will ensure an adequate level of data protection.
Such third parties are, as a matter of principle, located in Switzerland and the European Economic Area (EEA). Such third parties may, however, also be located in other states and territories around the world or elsewhere in the universe insofar as their data protection law is, according to the adequacy decision of the Swiss Federal Data Protection and Information Commissioner (EDÖB) and – if and insofar as the General Data Protection Regulation (GDPR) is applicable – according to the adequacy decision of the European Commission, applicable and ensures adequate data protection or if, for other reasons, such as a corresponding contractual agreement, in particular based on standard contractual clauses, or corresponding certification, adequate data protection is ensured. In the case of third parties in the United States of America (USA) certification according to the privacy shield may ensure adequate data protection. In exceptional cases, such a third party may be located in a country without adequate data protection insofar as the data protection law-related prerequisites, such as the data subject’s explicit consent, are fulfilled.
3. Data subjects’ rights
Swiss data protection law grants data subjects whose personal data we process specific rights. These include the right to information and the right to rectification, erasure or blocking of the processed personal data.
Data subjects whose personal data we process may – if and insofar as the General Data Protection Regulation (GDPR) is applicable – demand a confirmation whether we are processing their personal data and, if the answer is yes, information about processing of their personal data; have processing of their personal data restricted; exercise their right to data portability; and exercise their right to have their personal data rectified, erased (“right to be forgotten”), blocked or completed.
Data subjects whose personal data we process may – if and insofar as the GDPR is applicable – withdraw any consent with effect for the future and object to processing of their personal data at any time.
Data subjects whose personal data we process have a right to lodge a complaint with a responsible supervisory authority. The supervisory authority for data protection in Switzerland is the Federal Data Protection and Information Commissioner (EDÖB).
4. Data security
We take adequate and appropriate technical and organisational measures to ensure data protection and, in particular, data security. Despite these measures there will, however, always be security gaps when personal data is processed on the Internet. We cannot thus guarantee absolute data security.
Access to our online offering is via transport encryption (SSL / TLS, in particular using hypertext transfer protocol secure, or HTTPS for short). Most browsers identify transport encryption with a padlock in the address bar.
Access to our online offering is – as is, as a matter of principle, all Internet use – subject to groundless, non-suspicion-related mass surveillance and other surveillance by security agencies in Switzerland, the European Union (EU), the United States of America (USA) and other states. We have no direct influence on the corresponding processing of personal data by secret services, police authorities and other security agencies.
5. Use of the website
When you visit our website cookies can be temporarily stored in your browser as “session cookies” or for a predefined period of time as so-called permanent cookies. “Session cookies” are automatically erased when you close your browser. Permanent cookies make it possible in particular to recognise your browser when you next visit our website and thus, for example, measure the website’s reach. Permanent cookies can, however, also be used for purposes such as online marketing.
Where cookies are used to measure success and range or for advertising it is possible to make a general objection (“opt-out”) via the Network Advertising Initiative (NAI), YourAdChoices (Digital Advertising Alliance) or Your Online Choices (European Interactive Digital Advertising Alliance, EDAA) for numerous web services.
5.2 Server log files
Each time you visit our website we are able to log the following information insofar as your browser transmits them to our server infrastructure or our web server is able to identify them: date and time including time zone; Internet protocol (IP) address; access status (HTTP status code); operating system including user interface and version; browser including language and version; the sub-pages of our website which were retrieved including the transmitted data volume; and the prior website retrieved in the same browser window (referrer).
We store such information, which can also be personal data, in server log files. The information is necessary to provide our online offering in the long term and in a user-friendly, reliable form as well as to ensure data security and thus in particular the protection of personal data – also by third parties or with the help of third parties.
5.3 Tracking pixels
We may use tracking pixels on our website. Tracking pixels are also known as web beacons. They are small, generally invisible images which are automatically retrieved when you visit our website and also used by third parties whose services we employ. Tracking pixels can gather the same information as server log files.
6. Notifications and announcements
We send notifications and announcements such as newsletters by email and via other communication channels such as instant messaging.
6.1 Measurement of success and reach
Notifications and announcements can contain web links or tracking pixels which record whether the specific notification was opened and which corresponding web links were clicked. Such web links and tracking pixels can also record the use of notifications and announcements by specific data subjects. We require this statistical recording of use within the scope of measuring success and reach, which is in turn intended to ensure that notifications and announcements are based on recipients’ needs and reading habits and thus effective and user-friendly, as well as to be able to offer notifications and announcements in the long term and in a secure, reliable manner.
6.2 Consent and objection
You must as a matter of principle expressly consent to the use of your email address and your other contact addresses unless this use is permitted for other legal reasons. Wherever possible we use the “double opt-in” procedure when obtaining any consent to the receipt of emails. In other words, you receive an email with a web link which you must click as confirmation and to ensure that no unauthorised third parties can abuse your personal data. Such consents, including the Internet protocol (IP) address and the date and time, may be logged as evidence and for security reasons.
You may as a matter of principle unsubscribe from notifications and announcements such as newsletters at any time. Notifications and announcements which are absolutely essential for our offering may be excluded from this. When you unsubscribe you can, in particular, object to the statistical recording of use to facilitate the measurement of success and reach.
6.3 Use of service providers to send notifications and announcements
We use the services or help of third parties to transmit notifications and announcements. When doing so, cookies may be used. We ensure adequate data protection when using such services.
7. Social media
We have a presence on social media platforms and other online platforms so that we can communicate with potential members and provide information about our offering. Personal data generated in this context may also be processed outside of Switzerland and the European Economic Area (EEA).
Among other services we use Facebook. With regard to our corresponding social media presence we are, if and insofar as the GDPR is applicable, jointly responsible together with Facebook Ireland Ltd. in Eire respectively Facebook Inc. in the USA for the so-called Page Insights. Page Insights provide information about how visitors interact with our Facebook presence. We use Page Insights to make our Facebook social media presence effective and user-friendly. Facebook has published information on Page Insights data plus a supplement regarding responsibility for Page Insights.
We make use of the option to embed Instagram features and content into our website. This allows us, for example, to show images which were posted on Instagram on our website. When doing so, cookies are also used. Instagram is an offering of Facebook Ireland Ltd. in Eire respectively of Facebook Inc in the USA. Insofar as you are registered as a user of Instagram or other Facebook offerings, Facebook can link use of our online offering to your profile. For more information on the type, extent and purpose of the data processing see Instagram data protection guidelines.
8. Third-party services
We use third-party services so that we can provide our offering in the long term and in a manner which is secure and reliable. Such services also allow us to embed content in our website. These services – for example, hosting and storage services, video services and payment services – require your Internet Protocol (IP) address since they would not otherwise be able to transmit corresponding content. Such services may be located outside of Switzerland and the European Economic Area (EEA) insofar as adequate data protection is ensured.
Third parties whose services we use may also process data related to our offering and from other sources – including cookies, log files and tracking pixels – in an aggregated, anonymised or pseudonymised manner for their own security-relevant, statistical and technical purposes.
8.1 Map data
We use Google Maps to embed maps in our website. When doing so cookies are also used. Google Maps is a service of Google LLC in the USA. Google Ireland Limited, located in Eire, is responsible for users in the European Economic Area (EEA) and Switzerland. For more information about the type, extent and purpose of data processing, see the principles of data protection and security and the guidelines on data protection in Google products (including Google Maps); the information on how Google uses data from websites which employ Google services and the information on cookies at Google. In addition to this it is also possible to make an objection to personalised advertising.
8.2 Fonts and icons
8.2.3 We use Material Design to embed selected icons in our website. Material Design (abbreviated to Material) is a design language developed by Google. We embed such icons in our website within the scope of Google Fonts. For information about the type, extent and purpose of data processing see the Google Fonts section of this data protection declaration.
We use Getback to improve targeted communications with our customers. This service is a “conversion optimization technology” developed by Swiss company adfocus GmbH. We use it to record use of our online shop and, for example, to remind our customers visiting the shop about orders they have forgotten to place and to inform them about special offers. Our customers can also send shopping baskets to their email accounts. When doing so cookies are also used. adfocus is only permitted to use our customers’ data in the same way as we ourselves are permitted to use it. For more information about the type, extent and purpose of data processing see the Getback data protection declaration.
We use payment service providers to process our customers’ payments securely and reliably. We only use payment service providers who ensure an adequate level of data protection. Processing is subject to the relevant payment service provider’s terms, such as their general terms and conditions of business (GTCB) or data protection declarations.
We use in particular Payrexx to process payments. Payrexx is a service of Swiss company Paysrexx AG. For information about the type, extent and purpose of data processing, see the Payrexx data protection declaration. This states that Payrexx processes personal data in particular in compliance with the European General Data Protection Regulation (GDPR).
8.5 Success and reach measurement
8.5.1 Google Analytics
We use Google Analytics to analyse how our website is used, whereby we can, for example, also measure its reach and the success of third-party links to our website. This is a service of Google LLC in the USA. Google Ireland Limited, located in Eire, is responsible for users in the European Economic Area (EEA) and Switzerland.
Google attempts to also record individual visitors to our website who use a variety of browsers or devices (cross-device tracking). When doing so cookies are also used. Google Analytics requires your Internet Protocol (IP) address, however this information is kept separate from other Google data.
In all cases we have your Internet Protocol (IP) address anonymised before it is analysed by Google. This means that your full IP address is, as a matter of principle, not transmitted to Google in the USA.
8.5.2 Google Tag Manager
We use the Google Tag Manager to integrate the analytics or advertising services provided by Google and other third parties into our website and to manage these services. Tag Manager is a service provided by Google LLC in the USA. Google Ireland Limited, located in Eire, is responsible for users in the European Economic Area (EEA) and Switzerland. When using this service no cookies are used, however cookies may be used within the scope of the services integrated and managed using Tag Manager. This data protection declaration provides information about the processing of personal data by such services.
This type of advertising is intended in particular to reach individuals who are interested in our online offering or already using it. To this end we transmit, in particular using the so-called Facebook pixel, corresponding – possibly also data subject-related – information to Facebook (Custom Audiences including Lookalike Audiences). In addition to this, we can establish whether our advertising is successful – i.e. whether it results in visits to our website (conversion tracking).
9. Participation in partner programmes
We participate in partner programmes. We can, on the one hand, be reimbursed for references to third-party offerings or for linking third-party offerings. On the other, we can reimburse third parties for referring to our offering or for providing a link to our online offering (affiliate marketing). Within the scope of this, data – also data-subject-related – regarding which offerings were used and what weblinks were followed may be gathered. When doing so cookies may also be used.
9.1 We use in particular AWIN (formerly Affili.net), a partner programme of affilinet Schweiz GmbH respectively of Swiss company AWIN AG, which are affiliated to German company affilinet GmbH respectively to its parent company AWIN AG in Germany. Information about the type, extent and purpose of data processing is provided in the AWIN data protection declaration (also including options to object).
9.2 We use in particular Profity, a partner programme of Swiss company adfocus GmbH. Information about the type, extent and purpose of data processing is provided in the Profity data protection declaration.
10. Concluding provisions
We may adjust and add to this data protection declaration at any time. We will provide notification of such adjustments and additions in an appropriate form, in particular by means of publishing the corresponding current data protection declaration on our website.