Data Protection Policy

As at 23 May 2018

Giardino Group AG
Buochserstrasse 86
6375 Beckenried

and is the operator of the website

www.giardino.ch
shop.giardino.ch
www.ayurvedabygiardino.ch
www.dipiu-cosmetics.ch

and is thereby responsible for the collection, processing and use of your personal data, and the compliance of data processing activities with the applicable data protection laws.

Your trust is important to us, which is why we take the issue of data protection seriously and strive to ensure an adequate level of security. Naturally, we comply with the statutory requirements of the Swiss Federal Act on Data Protection (FADP; Bundesgesetz über den Datenschutz – DSG), the Swiss Ordinance to the Federal Act on Data Protection (DPO; Verordnung zum Bundesgesetz über den Datenschutz – VDSG), the Swiss Telecommunications Act (TCA; Fernmeldegesetz – FMG) and other data protection provisions of Swiss or EU law, the General Data Protection Regulation (GDPR) in particular, as applicable in Switzerland.

Please take note of the following information regarding the personal data we collect from you and the purpose for which they are used.
The address of our data protection representative in the EU is:

VGS Datenschutzpartner UG, Am Kaiserkai 69, 20457 Hamburg, Germany

A. Data processing in connection with our website

1. Access to our website
Whenever you visit our website, our servers temporarily store each access in a log file. As is generally the case with every connection to a web server, the following technical data are recorded without your involvement, and stored by us until their automatic deletion after 14 months at the latest:

– the IP address of the computer used to access the website;
– the name of the holder of the IP address range (generally your Internet access provider);
– the date and time of access;
– the website from which the access was made (referrer URL), possibly with the search term used;
– the name and URL of the file accessed;
– the status code (e.g. error message);
– the operating system of your computer;
– the browser you use (type, version and language);
– the transfer protocol used (e.g. HTTP/1.1); and
– possibly your username from a registration/authentication process.

These data are collected and processed in order to facilitate your use of our website (establishing a connection), to ensure sustainable system security and stability and to facilitate the optimisation of our Internet offer, as well as for internal statistical purposes. This is our legitimate interest in data processing within the meaning of Article 6(1)(f) GDPR.

The IP address is also evaluated together with other data in the event of attacks on network infrastructure, or other unauthorised or improper website usage for the purpose of investigation and defence, and possibly used in a preliminary stage, but not exclusively, within the framework of criminal proceedings to establish identity and instigate civil or criminal proceedings against the users concerned. This is our legitimate interest in data processing within the meaning of Article 6(1)(f) GDPR.

2. Use of our contact form
A contact form is available for you to establish contact with us. We require the following mandatory information for this purpose:

– Given name and family name
– E-mail address or telephone number
– Message (optional, if the reason for establishing contact is not otherwise clear)

We only use these data and an optionally provided telephone number or e-mail address in order to respond in an optimal and personalised manner to your contact request. The processing of these data is therefore necessary within the meaning of Article 6(1)(b) GDPR in order to take steps prior to entering into a contract or is in our legitimate interest in accordance with Article 6(1)(f) GDPR.

3. Subscribing to our electronic newsletter
You can subscribe to our electronic newsletter on our website and will need to register your details in order to do so. The following details are required:

– E-mail address

The data mentioned above are necessary for data processing. You are also welcome to provide further optional details (title, name, date of birth and country). We process these data exclusively in order to personalise the information and offers we send to you, and to tailor them to suit your interests.

In subscribing to our newsletter, you give your consent for the processing of the data provided for regular dispatch of the newsletter to the address you provide, for statistical evaluation of your user behaviour and for optimisation of the newsletter. This consent is our legal basis for processing your e-mail address within the meaning of Article 6(1)(a) GDPR. We are authorised, and you give us your consent (subject to explicit withdrawal), to delegate the technical implementation of marketing activities to third parties, and we are consequently authorised to disclose your data for this purpose (see section 13).
A link at the end of each electronic newsletter can be used to unsubscribe from the newsletter at any time, and you will be given the option of providing a reason for unsubscribing. Once you have unsubscribed, your personal data will be erased. Any further processing will be exclusively in anonymised form for the purpose of optimising our newsletter.

4. Opening a customer account
As a guest, you have the option of opening a customer account in order to make bookings on our website or order the goods and services we offer. We require the following mandatory data in order to open a customer account:

– Title
– Given name and family name
– Postal address
– Date of birth
– Telephone number
– E-mail address
– Password

These data, and other optionally provided data (e.g. company name), are collected in order to provide you with direct password-protected access to your basic data stored by us. Here you can view your past and current bookings or goods or services ordered in the past, or manage and modify your personal data.

The legal basis of data processing for this purpose is the consent provided by you in accordance with Article 6(1)(a) GDPR.

5. Booking on the website, or by correspondence or telephone
If you make bookings via our website or by correspondence (e-mail or post) or telephone, or order services or goods, we will require the following mandatory details to perform the contract:

– Title
– Given name and family name
– Postal address
– Date of birth
– Telephone number
– Language
– Credit card information
– E-mail address

These data, and other optionally provided information (e.g. expected time of arrival, vehicle number plate, preferences, comments), will only be used to perform the contract, unless stated otherwise in this Data Protection Policy or unless you have provided your separate consent. The data will be processed in particular in order to record your booking or your order of goods or services according to your wishes, to provide the services booked, to contact you in the event of any issues or problems, and to facilitate correct payment.

The legal basis of data processing for this purpose is the performance of a contract in accordance with Article 6(1)(b) GDPR.

6. Cookies
Cookies help in many ways to simplify your visit to our website and make it more pleasant and rewarding. Cookies are information files that your web browser stores automatically on your computer’s hard drive whenever you visit our website.

We use cookies, for example, to store your selected services and entries temporarily when you complete a form on the website, so that you do not have to repeat the entry when calling up a different subpage. Cookies may also be used to identify you as a registered user once you have registered on the website, without you having to log in again when calling up a different subpage.

Most Internet browsers automatically accept cookies. You can however configure your browser in such a way that no cookies are stored on your computer, or that a message appears each time you receive a new cookie. The following pages will help you to configure the processing of cookies by the most common browsers:

Microsoft Windows Internet Explorer
Microsoft Windows Internet Explorer Mobile
Mozilla Firefox
Google Chrome for desktop
Google Chrome for mobile
Apple Safari for desktop
Apple Safari for mobile

Deactivating cookies may prevent you from using all of the functions of our website.

7. Tracking tools
a. General

We use the web analytics service from Google Analytics in order to ensure needs-based design and continuous optimisation of our website. In this connection, pseudonymised usage profiles are created and use is made of small text files stored on your computer (“cookies”). The information generated by the cookie regarding your use of this website is transferred to the servers of the providers of these services, where they are stored and prepared for our use. In addition to the data listed under section 1, we may also receive the following information:

– the navigation path taken by a visitor to the site;
– the amount of time spent on the website or subpage;
– the subpage from which the website is left;
– the country, region or city where access occurs;
– the terminal used (type, version, colour depth, resolution, width and height of browser window); and
– whether you are a repeat visitor or a new one.

The information is used to evaluate usage of the website, to prepare reports on website activity and in order to provide further services related to website usage and Internet usage for the purposes of market research and the needs-based design of this website. This information may also be transferred to third parties if this is required by law or if the third party concerned processes these data on our behalf.

b. Google Analytics

The provider of Google Analytics is Google Inc., a company belonging to the holding company Alphabet Inc., which is based in the USA. Before data are transmitted to the provider, the IP address is shortened by activating the IP anonymisation feature (“anonymizeIP”) on this website within the member states of the European Union or in other states that are contracting parties to the Agreement on the European Economic Area. The anonymised IP address transmitted by your browser as part of Google Analytics will not be merged with any other data held by Google. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and shortened there. In these cases, we ensure by means of contractual guarantees that Google Inc. maintains an adequate level of data protection. According to Google Inc., it would never be possible to associate the IP address with any other data relating to the user.

Further information regarding the web analytics service used can be found on the Google Analytics website. Instructions for how to prevent your data from being processed by the web analytics service can be found at tools.google.com/dlpage/gaoptout?hl=en-GB.

c. Facebook Custom Audience

We use Facebook Website Custom Audiences on our websites and so-called Facebook pixels (JavaScript code) are integrated on our websites for this purpose. These pixels generate a checksum from your user data that is transmitted to Facebook, for example browser information. If available, the Facebook cookie is accessed and your Facebook ID transmitted. If you have a Facebook profile and log in to Facebook, the data transmitted by the pixels may be used to present you with individualised advertising for Giardino products. Data relating to users without a Facebook profile are discarded by Facebook without being used.

B. Data processing in connection with your stay

8. Data processing in order to meet legal reporting requirements
On your arrival at our hotel, we will need the following details from you and any companions (both children and adults):

– Given name and family name
– Postal address and canton
– Date of birth
– Place of birth
– Nationality
– Official identification document and number
– Arrival and departure dates
– Room number

We record these data in order to meet the legal reporting requirements based in particular on hospitality, police and tourism law, and to optimise and personalise our services for you. If we are obliged to do so in accordance with the applicable provisions, we pass on this information to the administrative and police authorities responsible.

Compliance with these legal requirements constitutes our legitimate interest within the meaning of Article 6(1)(f) GDPR.

9. Keeping a record of the services used
If you make use of additional goods and services offered by us during your stay or obtain them for a third party (e.g. the minibar or pay TV), the identity of the beneficiary, the goods/service and the time of purchase will be recorded by us for monitoring and invoicing purposes. The processing of these data is required in accordance with Article 6(1)(b) GDPR for the performance of your contract with us.

C. Storage and exchange of data with third parties

10. Booking platforms
Whenever you make a booking via a third-party platform, we receive various items of personal information from the platform operator concerned. As a rule, this information comprises data referred to in section 5 of this Data Protection Policy. Furthermore, any queries regarding your booking and the associated orders of goods and services will be passed on to us. We will then process these data in order to record your booking in a personalised manner and in accordance with your wishes, and to provide the services booked or goods ordered. The legal basis of data processing for this purpose is the performance of a contract in accordance with Article 6(1)(b) GDPR.

Finally, we may also be informed by the platform operators of any possible disputes in connection with a booking or with the associated goods and services ordered. In this context we may also receive data regarding the booking process, with a copy of the booking confirmation serving as proof of the actual completion of the booking. We process these data with a view to safeguarding and enforcing our rights. This is our legitimate interest within the meaning of Article 6(1)(f) GDPR.

Please also refer to the data protection notice of the provider concerned.

11. Central storage and linking of data
We store the data indicated in sections 2–5 and 8–10 in a central electronic data processing system. Your data are recorded in our system and linked in order to enable us to process your bookings and provide contractual services.

We use the protel software provided by Rebag Data AG, Einsiedlerstrasse 533, 8810 Horgen, Switzerland, to record your data in connection with your stay.
We use the RIMS software provided by MP-Network GmbH, Anemonenweg 5, 85586 Poing, Germany, for written communication (quotes, confirmations, amendments, cancellations) in connection with your stay.

We use software provided by Bookatable GmbH & Co. KG, Deichstrasse 48–50, 20459 Hamburg, Germany, to record your data regarding reservations in our restaurants.

We use software provided by TAC Informationstechnologie GmbH, Schildbach 111, 8230 Hartberg, Austria, to record your data regarding reservations in our spa.

The processing of these data using software is based on our legitimate interest in customer-friendly and efficient customer data management in accordance with Article 6(1)(f) GDPR.

12. Storage period
We store personal data only as long as necessary in order to use the tracking services mentioned above and for other processing within the scope of our legitimate interest. Contractual data, including the associated documents concerning your booking, are stored for longer periods, as required by our legal obligation to retain data. Our obligation to retain data is based on requirements regarding the right to report, accounting and tax law, as well as hospitality, police and tourism law. According to these requirements, business communications, contracts concluded and booking documents must be stored for up to ten years. Provided that these data are no longer required in order to provide the services you require, related personal data are blocked. This means that the data may then only be used for accounting and tax purposes.

13. Disclosure of data to third parties
We only disclose your personal data to third parties if you have given your explicit consent for us to do so, if such disclosure is required by law or is necessary in order to enforce our rights, in particular those arising out of or in connection with the contractual relationship. Furthermore, we also disclose your data to third parties if necessary within the framework of your use of the website and for contract performance (including outside the website), i.e. for processing your bookings or order of goods or services.

One service provider to which personal data collected via the website are disclosed, or which has or may have access to such data, is our web administrator Mediahirsch AG, Räffelstrasse 32, 8045 Zurich, Switzerland. The website is hosted on the servers of Hostpoint AG, Neue Jonastrasse 60, 8640 Rapperswil-Jona, Switzerland. Data disclosure is carried out in order to provide and maintain the functionalities of our website. This is our legitimate interest within the meaning of Article 6(1)(f) GDPR.

Finally, when credit card payments are made on the website, we forward your credit card information to your credit card issuer and to the credit card acquirer. If you decide to pay by credit card, you will be asked to enter all the necessary information. The legal basis of data disclosure is the performance of a contract in accordance with Article 6(1)(b) GDPR. With regard to the processing of your credit card information by these third parties, please also read the general terms and conditions and the data protection policy of your credit card issuer.
Please also note the information provided in sections 7–8 and 10–11 with regard to the disclosure of data to third parties.

14. Transmission of personal data abroad
We are also authorised to transmit your personal data to third-party companies abroad (providers engaged by us) for the purpose of the data processing described in this Data Protection Policy. If these providers have their residence/registered office or place of performance in Switzerland or an EU country, they are in principle subject to the same level of data protection as we are. Should the level of data protection in a given country not be equivalent to the level applicable in Switzerland or the EU, we will ensure by contractual means, as far as possible and as far as it may be reasonably required, that the protection of your personal data corresponds in principle to the protection provided in Switzerland or the EU at all times.

D. Further information

15. Right of access, right to rectification and erasure, right to restriction of processing and right to data portability
You have the right, upon a written request, of access to information about personal data relating to you, or those of your family members who are minors, held by us. In addition to this, you have the right to request the rectification of inaccurate data or the erasure of your personal data, provided the data concerned are not subject to a legal obligation to retain data or unless our processing of the data is justified for contractual or quasi-contractual reasons.
You also have the right to request that the data you provided be returned to you (right to data portability). At your written request, we will also pass on the data to a third party of your choice. You have the right to receive the data in a standard file format.

We may, at our discretion, request proof of identity when processing your request.

16. Data security
We take the appropriate technical and organisational security measures in order to protect the personal data held by us from manipulation, partial or complete loss and unauthorised access by third parties. Our security measures are adapted continuously, as far as technically possible and economically viable.

You should treat your access data confidentially at all times and close the browser window following any communication with us, especially if using a shared computer.

We also take internal data protection within the company very seriously. Our employees and the service providers engaged by us are under a contractual obligation to maintain confidentiality and comply with data protection requirements.

17. A note on data transmission to the USA
For reasons of completeness, we would like to inform users having their place of residence or registered office in Switzerland or in the EU that the US authorities implement surveillance measures in the USA that generally facilitate the storage of all personal data regarding all persons whose data are transmitted from Switzerland to the USA. This is carried out without differentiation, restriction or exception based on the respective aim and with no objective criteria that enable access by the US authorities to the data and its later use to be restricted to very specific, strictly limited purposes that would justify the access to these data and the intervention related to their use. We would also like to point out that there are no means of legal remedy in the USA for data subjects from Switzerland that would enable them to gain access to their data and request their rectification or erasure, and that there is no effective judicial protection against the general access rights of US authorities. We refer those affected explicitly to this legal and factual basis in order to enable them to make an informed decision concerning the provision of consent to the use of their data.

Users resident in an EU member state should be aware that, from the perspective of the EU, the USA does not have a sufficient level of data protection – based among other things on the issues mentioned in this section. Where we have stated in this Data Protection Policy that the recipients of data (e.g. Google) are based in the USA, we will endeavour to ensure by means of either contractual arrangements with these companies or by certification of these companies under the EU–US or Swiss–US Privacy Shield Framework that your data are adequately protected by our partners.

18. Right to lodge a complaint with a data protection supervisory authority
You have the right to lodge a complaint with a data protection supervisory authority at any time.
