Privacy Policy

With this privacy policy, we inform about the processing of personal data in connection with our activities and operations including our website under the domain name wilerbad.ch. We specifically inform for what, how, and where we process which personal data. We also inform about the rights of individuals whose data we process.

For individual or additional activities and operations, we may publish further privacy policies or other information on data protection.

We are subject to Swiss law and, if applicable, to foreign law, particularly that of the European Union (EU) with the European General Data Protection Regulation (GDPR).

On July 26, 2000, the European Commission recognized that Swiss data protection law ensures adequate data protection. With a report from January 15, 2024, the European Commission confirmed this adequacy decision.

1. Contact Addresses

Responsible in the data protection sense is:

Seehotel Wilerbad
Wilerbadstrasse 6
6062 Wilen am Sarnersee

info@wilerbad.ch

In individual cases, third parties may be responsible for processing personal data or there may be joint responsibility with third parties. We are happy to provide affected individuals with information about the respective responsibility upon request.

2. Terms and Legal Bases

2.1 Terms

Affected Person: Natural person whose personal data we process.

Personal Data: All information relating to a specific or identifiable natural person.

Particularly Sensitive Personal Data: Data about union, political, religious, or philosophical views and activities, data about health, intimate sphere, or membership of an ethnicity or race, genetic data, biometric data that uniquely identify a natural person, data about criminal and administrative sanctions or prosecutions, and data about social assistance measures.

Processing: Any handling of personal data, regardless of the means and procedures applied, such as querying, matching, adjusting, archiving, storing, reading out, disclosing, obtaining, recording, collecting, deleting, revealing, arranging, organizing, storing, modifying, distributing, linking, destroying, and using personal data.

European Economic Area (EEA): Member states of the European Union (EU) as well as the Principality of Liechtenstein, Iceland, and Norway.

2.2 Legal Bases

We process personal data in accordance with Swiss law, particularly the Federal Act on Data Protection (Data Protection Act, DPA) and the Ordinance on Data Protection (Data Protection Ordinance, DPO).

We process – insofar and as far as the European General Data Protection Regulation (GDPR) is applicable – personal data or personal data according to at least one of the following legal bases:

• Art. 6 para. 1 lit. b GDPR for the necessary processing of personal data to fulfill a contract with the affected person and to carry out pre-contractual measures.
• Art. 6 para. 1 lit. f GDPR for the necessary processing of personal data to safeguard legitimate interests – also the legitimate interests of third parties – provided that the fundamental freedoms and fundamental rights as well as the interests of the affected person do not prevail. Such interests are particularly the permanent, humane, secure, and reliable execution of our activities and operations, ensuring information security, protection against misuse, enforcement of own legal claims, and compliance with Swiss law.
• Art. 6 para. 1 lit. c GDPR for the necessary processing of personal data to fulfill a legal obligation to which we are subject under applicable law of member states in the European Economic Area (EEA).
• Art. 6 para. 1 lit e GDPR for the necessary processing of personal data to perform a task carried out in the public interest.
• Art. 6 para. 1 lit. a GDPR for the processing of personal data with the consent of the affected person.
• Art. 6 para. 1 lit. d GDPR for the necessary processing of personal data to protect the vital interests of the affected person or another natural person.
• Art. 9 para. 2 ff. GDPR for the processing of special categories of personal data, particularly with the consent of the affected persons.

The European General Data Protection Regulation (GDPR) refers to the processing of personal data as the processing of personal data and the processing of particularly sensitive personal data as the processing of special categories of personal data (Art. 9 GDPR).

3. Type, Scope, and Purpose of Processing of Personal Data

We process the personal data that is necessary to be able to permanently, humanely, securely, and reliably carry out our activities and operations. The processed personal data can particularly fall into the categories of browser and device data, content data, communication data, metadata, usage data, master data including inventory and contact data, location data, transaction data, contract data, and payment data. The personal data can also represent particularly sensitive personal data.

We also process personal data that we receive from third parties, obtain from publicly accessible sources, or collect when exercising our activities and operations, insofar as such processing is permissible.

We process personal data, if necessary, with the consent of the affected persons. We can process personal data in many cases without consent, for example, to fulfill legal obligations or to safeguard overriding interests. We can also ask affected persons for their consent if their consent is not required.

We process personal data for the duration that is necessary for the respective purpose. We anonymize or delete personal data particularly depending on legal retention and limitation periods.

4. Disclosure of Personal Data

We can disclose personal data to third parties, have it processed by third parties, or process it jointly with third parties. Such third parties can be, for example, specialized providers whose services we use.

We can disclose personal data in the context of our activities and operations, particularly to banks and other financial service providers, authorities, educational and research institutions, consultants and lawyers, interest groups, IT service providers, cooperation partners, credit and economic information agencies, logistics and shipping companies, marketing and advertising agencies, media, parent, sister, and subsidiary companies, organizations and associations, social institutions, telecommunications companies, insurance companies, and payment service providers.

5. Communication

We process personal data to be able to communicate with individual persons as well as with authorities, organizations, and companies. In doing so, we particularly process data that an affected person transmits to us when contacting us, for example, by postal mail or email. We can store such data in an address book or with comparable tools.

Third parties who transmit data about other persons to us are obliged to independently ensure the data protection of these affected persons. They must particularly ensure that such data is correct and may be transmitted.

We use selected services from suitable providers to enable and improve communication with individual persons and other communication partners. We can also manage and otherwise process the data of the affected persons with such services beyond direct communication.

We particularly use:

• Smart-Host: Customer-Relationship-Management (CRM) for hotels; Provider: Smart Host GmbH (Germany); Information on data protection: Privacy Policy, FAQ also with answers to data protection questions.

6. Applications

We process personal data about applicants to the extent necessary to assess suitability for an employment relationship or for the later execution of an employment contract. The necessary personal data is determined in particular from the requested information, for example, as part of a job advertisement. We can publish job advertisements with the help of suitable third parties, for example in electronic and printed media or on job portals and job platforms.

We also process the personal data that applicants voluntarily provide or publish, particularly as part of cover letters, resumes, and other application documents as well as online profiles.

We process – insofar and as far as the General Data Protection Regulation (GDPR) is applicable – personal data about applicants, particularly according to Art. 9 para. 2 lit. b GDPR.

7. Data Security

We take appropriate technical and organizational measures to ensure data security appropriate to the respective risk. With our measures, we particularly ensure the confidentiality, availability, traceability, and integrity of the processed personal data, but cannot guarantee absolute data security.

Access to our website and our other digital presence is via transport encryption (SSL / TLS, particularly with the Hypertext Transfer Protocol Secure, abbreviated HTTPS). Most browsers warn against visiting a website without transport encryption.

Our digital communication is subject – as basically any digital communication – to mass surveillance without cause and suspicion by security authorities in Switzerland, the rest of Europe, the United States of America (USA), and other countries. We cannot directly influence the corresponding processing of personal data by intelligence services, police, and other security authorities. We also cannot rule out that an affected person is specifically monitored.

8. Personal Data Abroad

We process personal data basically in Switzerland and the European Economic Area (EEA). However, we can also export or transfer personal data to other countries, particularly to process or have it processed there.

We can export personal data to all countries on Earth and elsewhere in the universe, provided that the local law ensures adequate data protection according to the decision of the Swiss Federal Council and – insofar and as far as the General Data Protection Regulation (GDPR) is applicable – also according to the decision of the European Commission.

We can transfer personal data to countries whose law does not guarantee adequate data protection, provided that data protection is ensured for other reasons, particularly on the basis of standard data protection clauses or with other suitable guarantees. Exceptionally, we can export personal data to countries without adequate or suitable data protection if the special data protection requirements are met, for example, the explicit consent of the affected persons or a direct connection with the conclusion or execution of a contract. We are happy to provide affected persons with information about any guarantees or provide a copy of any guarantees upon request.

9. Rights of Affected Persons

9.1 Data Protection Claims

We grant affected persons all claims according to the applicable law. Affected persons have in particular the following rights:

• Information: Affected persons can request information about whether we process personal data about them, and if so, which personal data is involved. Affected persons also receive the information necessary to assert their data protection claims and ensure transparency. This includes the processed personal data as such, but also information on the purpose of processing, the duration of storage, any disclosure or export of data to other countries, and the origin of the personal data.
• Correction and Restriction: Affected persons can have incorrect personal data corrected, incomplete data completed, and the processing of their data restricted.
• Possibility for Own Standpoint and Human Review: Affected persons can, in decisions based solely on automated processing of personal data and associated with a legal consequence or significantly affecting them (automated individual decisions), present their own standpoint and request a review by a human.
• Deletion and Objection: Affected persons can have personal data deleted («Right to be Forgotten») and object to the processing of their data with future effect.
• Data Release and Data Transfer: Affected persons can request the release of personal data or the transfer of their data to another responsible party.

We can defer, restrict, or refuse the exercise of the rights of affected persons within the legally permissible framework. We can inform affected persons of any prerequisites to be met for exercising their data protection claims. We can, for example, refuse information with reference to confidentiality obligations, overriding interests, or the protection of other persons, in whole or in part. We can also refuse the deletion of personal data, particularly with reference to legal retention obligations, in whole or in part.

We can exceptionally provide for costs for the exercise of rights. We inform affected persons in advance about any costs.

We are obliged to identify affected persons who request information or assert other rights with reasonable measures. Affected persons are obliged to cooperate.

9.2 Legal Protection

Affected persons have the right to enforce their data protection claims in court or to file a complaint with a data protection supervisory authority.

Data protection supervisory authority for private responsible parties and federal bodies in Switzerland is the Federal Data Protection and Information Commissioner (FDPIC).

European data protection supervisory authorities are organized as members of the European Data Protection Board (EDPB). In some member states in the European Economic Area (EEA), data protection supervisory authorities are federally structured, particularly in Germany.

10. Use of the Website

10.1 Cookies

We may use cookies. Cookies – own cookies (first-party cookies) as well as cookies from third parties whose services we use (third-party cookies) – are data stored in the browser. Such stored data does not have to be limited to traditional cookies in text form.

Cookies can be stored temporarily in the browser as «session cookies» or for a certain period as so-called permanent cookies. «Session cookies» are automatically deleted when the browser is closed. Permanent cookies have a specific storage duration. Cookies enable, in particular, recognizing a browser on the next visit to our website and thereby, for example, measuring the reach of our website. Permanent cookies can also be used for online marketing, for example.

Cookies can be completely or partially deactivated, restricted, or deleted at any time in the browser settings. The browser settings often also allow automated deletion and other management of cookies. Without cookies, our website may no longer be fully available. We request – at least insofar and as far as required by applicable law – active explicit consent to the use of cookies.

For cookies used for success and reach measurement or for advertising, a general objection («opt-out») is possible for numerous services via AdChoices (Digital Advertising Alliance of Canada), the Network Advertising Initiative (NAI), YourAdChoices (Digital Advertising Alliance), or Your Online Choices (European Interactive Digital Advertising Alliance, EDAA).

10.2 Logging

We can log at least the following information for every access to our website and our other digital presence, provided this information is transmitted to our digital infrastructure during such accesses: date and time including time zone, IP address, access status (HTTP status code), operating system including user interface and version, browser including language and version, accessed individual sub-page of our website including transferred data volume, last website accessed in the same browser window (referer or referrer).

We log such information, which can also represent personal data, in log files. The information is necessary to be able to provide our digital presence permanently, humanely, and reliably. The information is also necessary to ensure data security – also by third parties or with the help of third parties.

10.3 Counting Pixels

We can integrate counting pixels into our digital presence. Counting pixels are also referred to as web beacons. Counting pixels – also from third parties whose services we use – are usually small, invisible images or scripts written in JavaScript that are automatically retrieved when accessing our digital presence. With counting pixels, at least the same information as when logging in log files can be recorded.

11. Notifications and Communications

11.1 Success and Reach Measurement

Notifications and communications can contain web links or counting pixels that record whether an individual communication was opened and which web links were clicked. Such web links and counting pixels can also record the use of notifications and communications on an individual basis. We need this statistical recording of usage for success and reach measurement to be able to send notifications and communications effectively and humanely as well as permanently, securely, and reliably based on the needs and reading habits of the recipients.

11.2 Consent and Objection

You must basically consent to the use of your email address and your other contact addresses unless the use is permissible for other legal reasons. For obtaining a double-confirmed consent, we can use the «double opt-in» procedure. In this case, you will receive a communication with instructions for double confirmation. We can log obtained consents including IP address and timestamp for proof and security reasons.

You can basically object to receiving notifications and communications such as newsletters at any time. With such an objection, you can also object to the statistical recording of usage for success and reach measurement. Required notifications and communications related to our activities and operations are reserved.

11.3 Service Providers for Notifications and Communications

We send notifications and communications with the help of specialized service providers.

We particularly use:

• Postmark: Platform for transactional emails; Provider: AC PM LLC (USA); Information on data protection: Privacy Policy, «Security and Privacy».

12. Social Media

We are present on social media platforms and other online platforms to communicate with interested persons and to inform about our activities and operations. In connection with such platforms, personal data may also be processed outside of Switzerland and the European Economic Area (EEA).

The general terms and conditions (GTC) and terms of use as well as privacy policies and other provisions of the individual operators of such platforms apply. These provisions particularly inform about the rights of affected persons directly against the respective platform, which includes, for example, the right to information.

For our social media presence on Facebook including the so-called page insights, we are – insofar and as far as the General Data Protection Regulation (GDPR) is applicable – jointly responsible with Meta Platforms Ireland Limited (Ireland). Meta Platforms Ireland Limited is part of the Meta Companies (among others in the USA). The page insights provide information about how visitors interact with our Facebook presence. We use page insights to be able to provide our social media presence on Facebook effectively and humanely.

Further information on the type, scope, and purpose of data processing, information on the rights of affected persons, as well as the contact details of Facebook and the data protection officer of Facebook can be found in the Facebook Privacy Policy. We have concluded the so-called «Controller Addendum» with Facebook and have particularly agreed that Facebook is responsible for ensuring the rights of affected persons. The corresponding information for the so-called page insights can be found on the page «Information about Page Insights» including «Information about Page Insights Data».

13. Services from Third Parties

We use services from specialized third parties to be able to carry out our activities and operations permanently, humanely, securely, and reliably. With such services, we can, among other things, embed functions and content into our website. With such embedding, the services used must at least temporarily capture the IP addresses of the users for technical reasons.

For necessary security-related, statistical, and technical purposes, third parties whose services we use can process data in connection with our activities and operations in an aggregated, anonymized, or pseudonymized manner. This involves, for example, performance or usage data to be able to offer the respective service.

We particularly use:

• Google Services: Providers: Google LLC (USA) / Google Ireland Limited (Ireland) partly for users in the European Economic Area (EEA) and in Switzerland; General information on data protection: «Privacy and Security Principles», «More information on how Google uses personal data», Privacy Policy, «Google is committed to complying with applicable data protection laws», «Privacy Guide for Google Products», «How we use data from sites or apps that use our services», Cookie Policy, «Ads that you can influence» (Settings for personalized advertising).

13.1 Digital Infrastructure

We use services from specialized third parties to be able to use the required digital infrastructure in connection with our activities and operations. This includes, for example, hosting and storage services from selected providers.

We particularly use:

• Cyon: Hosting; Provider: cyon GmbH (Switzerland); Information on data protection: «Privacy», Privacy Policy.

13.2 Appointment Scheduling

We use services from specialized third parties to be able to schedule appointments online, for example, for meetings. In addition to this privacy policy, the terms of use or privacy policies of the services used, which may be directly visible, apply.

13.3 Audio and Video Conferences

We use specialized services for audio and video conferences to be able to communicate online. We can thus, for example, hold virtual meetings or conduct online classes and webinars. For participation in audio and video conferences, the legal texts of the individual services, such as privacy policies and terms of use, apply additionally.

We recommend, depending on the life situation, to mute the microphone by default when participating in audio or video conferences and to blur the background or display a virtual background.

We particularly use:

• Zoom: Platform for collaborative work, particularly with video conferences; Provider: Zoom Video Communications Inc. (USA); Information on data protection: «Privacy at Zoom», Privacy Policy, «Legal Compliance».

13.4 Map Material

We use services from third parties to be able to embed maps into our website.

We particularly use:

• Google Maps including Google Maps Platform: Map service; Provider: Google; Google Maps-specific information: «How Google uses location information».

13.5 Digital Content

We use services from specialized third parties to be able to embed digital content into our website. Digital content includes, in particular, image and video material, music, and podcasts.

13.6 Fonts

We use services from third parties to be able to embed selected fonts as well as icons, logos, and symbols into our website.

We particularly use:

• Font Awesome: Icons and logos; Provider: Fonticons Inc. (USA); Information on data protection: Privacy Policy.
• Google Fonts: Fonts; Provider: Google; Google Fonts-specific information: «Your Privacy and Google Fonts», «Privacy and Data Collection» (Google Fonts).

13.7 Advertising

We use the option to have targeted advertising displayed by third parties such as social media platforms and search engines for our activities and operations.

We particularly want to reach individuals with such advertising who are already interested in our activities and operations or who may be interested in them (remarketing and targeting). For this purpose, we may transmit corresponding – possibly also personal – information to third parties that enable such advertising. We can also determine whether our advertising is successful, i.e., in particular, whether it leads to visits to our website (conversion tracking).

Third parties, where we advertise and where you are registered as a user, may be able to associate the use of our website with your profile there.

We particularly use:

• Google Ads: Search engine advertising; Provider: Google; Google Ads-specific information: Advertising based on search queries, with various domain names – particularly doubleclick.net, googleadservices.com, and googlesyndication.com – used for Google Ads, Privacy Policy for Advertising, «Manage displayed ads directly via ads».
• LinkedIn Ads: Social media advertising; Providers: LinkedIn Corporation (USA) / LinkedIn Ireland Unlimited Company (Ireland); Information on data protection: Remarketing and targeting particularly with the LinkedIn Insight Tag, «Privacy», Privacy Policy, Cookie Policy, Objection to personalized advertising.
• Meta Ads: Social media advertising on Facebook and Instagram; Providers: Meta Platforms Ireland Limited (Ireland) and other Meta companies (including in the USA); Information on data protection: targeting, including retargeting, particularly with the Meta Pixel and with Custom Audiences including Lookalike Audiences, Privacy Policy, «Ad Preferences» (registration as a user required).

14. Extensions for the Website

We use extensions for our website to be able to use additional functions. We can use selected services from suitable providers or use such extensions on our own digital infrastructure.

We particularly use:

• Google reCAPTCHA: Spam protection (distinction between desired content from humans and unwanted content from bots and spam); Provider: Google; Google reCAPTCHA-specific information: «What is reCAPTCHA?».

15. Success and Reach Measurement

We try to measure the success and reach of our activities and operations. In this context, we can also measure the impact of third-party references or check how different parts or versions of our digital presence are used («A/B testing» method). Based on the results of the success and reach measurement, we can particularly fix errors, strengthen popular content, or make improvements.

For success and reach measurement, the IP addresses of individual users are usually recorded. IP addresses are basically shortened («IP masking») in this case to follow the principle of data minimization through the corresponding pseudonymization.

Cookies can be used for success and reach measurement, and user profiles can be created. Any created user profiles include, for example, the individual pages visited or content viewed on our digital presence, information on the size of the screen or browser window, and the – at least approximate – location. Basically, any user profiles created are only pseudonymized and not used to identify individual users. Individual services from third parties, where users are registered, may be able to associate the use of our online offer with the user account or user profile at the respective service.

We particularly use:

• Google Tag Manager: Integration and management of services from Google and third parties, particularly for success and reach measurement; Provider: Google; Google Tag Manager-specific information: Privacy Policy for Google Tag Manager; further information on data protection can be found with the individual integrated and managed services.

16. Video Surveillance

We use video surveillance for crime prevention, evidence preservation in the event of crimes, exercising and asserting our own legal claims, defending against third-party legal claims, and exercising our house rights. This involves – insofar and as far as the General Data Protection Regulation (GDPR) is applicable – overriding legitimate interests according to Art. 6 para. 1 lit. f GDPR, in the case of particularly sensitive personal data with reference to Art. 9 para. 2 lit. f GDPR.

We store recordings from our video surveillance as long as they are necessary for evidence preservation or another mentioned purpose. As a rule, the recordings are deleted or overwritten after 24 hours.

We can secure recordings from our video surveillance and transmit them to competent authorities such as courts or law enforcement authorities if the transmission is necessary for a mentioned purpose, in our other legitimate overriding interest, or due to legal obligations.

17. Final Notes on the Privacy Policy

We have created this privacy policy with the Privacy Policy Generator from Datenschutzpartner.

We can update this privacy policy at any time. We inform about updates in an appropriate form, particularly by publishing the current privacy policy on our website.