With this privacy policy, we inform you about the processing of personal data in connection with our activities and operations, including our website under the domain name visitgraubunden.com. In particular, we explain the purposes, methods, and locations of our personal data processing. We also inform about the rights of individuals whose data we process.
For specific or additional activities and operations, we may publish further privacy policies or other data protection information.
We are subject to Swiss law and, where applicable, to foreign laws such as those of the European Union (EU), in particular the European General Data Protection Regulation (GDPR).
On 26 July 2000, the European Commission recognized that Swiss data protection law provides an adequate level of data protection. On 15 January 2024, the European Commission confirmed this adequacy decision.
The controller under data protection law is:
Graubünden Ferien
Alexanderstrasse 24
7001 Chur
Switzerland
In individual cases, third parties may be responsible for processing personal data or there may be joint responsibility with third parties. Upon request, we will inform data subjects about the respective responsibility.
We have appointed the following data protection officer or advisor as a point of contact for data subjects and authorities regarding data protection inquiries:
Manuela Ruinatscha
Graubünden Ferien
Alexanderstrasse 24
7001 Chur
Switzerland
We have appointed the following GDPR representative pursuant to Art. 27 GDPR:
VGS Datenschutzpartner GmbH
Am Kaiserkai 69
20457 Hamburg
Germany
The GDPR representative serves as an additional point of contact for data subjects and authorities within the European Union (EU) and the rest of the European Economic Area (EEA) regarding GDPR matters.
Data subject: A natural person whose personal data we process.
Personal data: All information relating to an identified or identifiable natural person.
Special categories of personal data: Data relating to trade union, political, religious, or philosophical views and activities; data on health, privacy, or racial or ethnic origin; genetic or biometric data that uniquely identifies a natural person; data on criminal and administrative sanctions or prosecutions; and data on social welfare measures.
Processing: Any handling of personal data, regardless of the methods and procedures used, for example querying, comparing, adapting, archiving, storing, retrieving, disclosing, collecting, recording, deleting, publishing, organizing, linking, destroying, and using personal data.
European Economic Area (EEA): Member states of the European Union (EU), as well as the Principality of Liechtenstein, Iceland, and Norway.
We process personal data in accordance with Swiss law, in particular the Federal Act on Data Protection (FADP) and the Ordinance on Data Protection (DPO).
Where and insofar as the European General Data Protection Regulation (GDPR) applies, we process personal data in accordance with at least one of the following legal bases:
The GDPR refers to the processing of personal data as “processing of personal data” and to the processing of special categories of personal data as “processing of special categories of personal data” (Art. 9 GDPR).
We process personal data that is necessary for the ongoing, user-friendly, secure, and reliable performance of our activities and operations. The processed personal data may fall into categories such as browser and device data, content data, communication data, metadata, usage data, master data including inventory and contact details, location data, transaction data, contract data, and payment data. Personal data may also include special categories of personal data.
We also process personal data received from third parties, obtained from publicly accessible sources, or collected during the course of our activities and operations, provided such processing is permitted.
Where required, we process personal data with the data subject’s consent. In many cases, we may process personal data without consent – for example, to fulfill legal obligations or safeguard overriding interests. We may also request consent even where it is not required.
We process personal data for the duration necessary for the respective purpose. We anonymize or delete personal data, especially in accordance with legal retention and limitation periods.
We may disclose personal data to third parties, have it processed by third parties, or process it jointly with third parties. Such third parties may include specialized service providers we use.
In particular, we may disclose personal data in the context of our activities and operations to banks and other financial service providers, authorities, educational and research institutions, consultants and lawyers, interest groups, IT service providers, cooperation partners, credit and business information agencies, logistics and shipping companies, marketing and advertising agencies, media, parent, sister and subsidiary companies, organizations and associations, social institutions, telecommunications companies, insurers, and payment service providers.
We process personal data to communicate with individuals as well as with authorities, organizations, and companies. In doing so, we primarily process data that a data subject provides when contacting us, for example by postal mail or email. We may store such data in an address book or similar tools.
Third parties who transmit data about other individuals to us are required to independently ensure the data protection of those individuals. In particular, they must ensure that such data is accurate and may be transmitted.
We process personal data about applicants insofar as it is necessary for assessing their suitability for an employment relationship or for the subsequent execution of an employment contract. The required personal data arises in particular from the requested information, for example, as part of a job posting. We may publish job advertisements with the help of suitable third parties, for example in electronic and printed media or on job portals and employment platforms.
We also process personal data that applicants voluntarily disclose or publish, particularly as part of cover letters, résumés, and other application documents as well as online profiles.
If and to the extent that the General Data Protection Regulation (GDPR) is applicable, we process personal data about applicants in particular pursuant to Art. 9 para. 2 lit. b GDPR.
We implement appropriate technical and organizational measures to ensure data security appropriate to the risk. In particular, our measures safeguard the confidentiality, availability, traceability, and integrity of the personal data processed, without guaranteeing absolute data security.
Access to our website and our digital presence is secured via transport encryption (SSL / TLS), in particular using HTTPS (Hypertext Transfer Protocol Secure). Most browsers warn when visiting a site without transport encryption.
Our digital communication is subject – as is generally the case – to mass surveillance without cause or suspicion by security authorities in Switzerland, elsewhere in Europe, in the United States of America (USA), and other countries. We cannot exercise direct influence over the corresponding processing of personal data by intelligence services, police authorities, and other security agencies. We also cannot exclude the possibility that an individual person may be specifically targeted for surveillance.
We generally process personal data in Switzerland and in the European Economic Area (EEA). However, we may also export or transfer personal data to other countries, in particular for the purpose of processing it there or having it processed.
We may export personal data to all countries in the world and elsewhere in the universe, provided that the data protection in that jurisdiction is deemed adequate under the decision of the Swiss Federal Council and – where and insofar as the GDPR applies – under adequacy decisions by the European Commission.
We may transfer personal data to countries whose laws do not ensure adequate data protection, provided data protection is guaranteed for other reasons, in particular on the basis of standard contractual clauses or other suitable safeguards. In exceptional cases, we may export personal data to countries without adequate or appropriate data protection if the specific legal requirements are met, for example, the explicit consent of the data subject or a direct link to the conclusion or performance of a contract. Upon request, we will be happy to provide data subjects with information about any safeguards or provide copies of any such safeguards.
We grant data subjects all claims to which they are entitled under applicable law. In particular, data subjects have the following rights:
We may lawfully postpone, restrict, or refuse the exercise of data subject rights. We may inform data subjects of any requirements that must be met to exercise their data protection rights. For example, we may partially or fully refuse access due to confidentiality obligations, overriding interests, or protection of others. We may also refuse erasure of personal data, for instance, due to statutory retention obligations.
In exceptional cases, we may impose fees for exercising rights. We inform data subjects in advance of any applicable fees.
We are obliged to identify data subjects appropriately when they request access or exercise rights. Data subjects are obligated to cooperate.
Data subjects have the right to assert their data protection claims through legal channels or to file a report or complaint with a data protection supervisory authority.
The data protection supervisory authority for private controllers and federal bodies in Switzerland is the Federal Data Protection and Information Commissioner (FDPIC).
European data protection supervisory authorities are organized as members of the European Data Protection Board (EDPB). In some member states of the European Economic Area (EEA), data protection supervisory authorities have a federal structure, particularly in Germany.
We may use cookies. Cookies—both first‑party cookies and third‑party cookies whose services we utilize—are data stored in the browser. Such stored data is not limited to traditional text cookies.
Cookies may be stored in the browser temporarily as “session cookies” or, for a specified period, as persistent cookies. Session cookies are automatically deleted when the browser is closed. Persistent cookies have a specified retention period. Cookies enable, among other things, recognizing a browser on a subsequent visit to our website, for example to measure reach. Persistent cookies may also be used for online marketing.
Cookies can be disabled, restricted, or deleted at any time in browser settings. Browser settings often allow automated deletion and other management of cookies. Without cookies, our website may not be fully functional. We request – at least where required by applicable law – explicit consent for cookie use.
For cookies used for performance, reach measurement, or advertising, many services offer general opt‑out options via AdChoices, Network Advertising Initiative (NAI), YourAdChoices, or Your Online Choices (European Interactive Digital Advertising Alliance, EDAA).
For each access to our website and digital presence, we may log at least the following information—if transmitted to our digital infrastructure during such accesses: date and time including time zone, IP address, access status (HTTP status code), operating system including user interface and version, browser including language and version, accessed page of our website including data volume transmitted, and referrer.
We log such information, which may constitute personal data, in log files. The information is necessary to provide our digital presence in a user‑friendly and reliable way over time. It is also necessary to ensure data security—even with the assistance of third parties.
We may embed tracking pixels (also known as web beacons) in our digital presence. Tracking pixels—including third‑party ones—are typically small, invisible images or JavaScript scripts automatically fetched when accessing our digital presence. Tracking pixels can capture at least the same information as logged in log files.
Notifications and messages may include web links or tracking pixels that collect whether a message was opened and which links were clicked. Such links and pixels may collect personal usage data. We need this statistical usage tracking for performance and reach measurement to send notifications and messages effectively, user‑friendly, secure, and reliably based on recipients’ needs and reading habits.
You must generally consent to the use of your email address and other contact details unless their use is permitted for other legal reasons. To obtain consent, we may use a double opt‑in procedure. In that case, you receive a message with instructions for the double confirmation. We may record obtained consents—including IP address and timestamp—for evidential and security reasons.
You may generally object to receiving notifications and messages such as newsletters at any time. By doing so, you may also object to the statistical usage tracking for performance and reach measurement. Required notifications and messages related to our activities remain unaffected.
We send notifications and messages with the help of specialized service providers.
In particular, we use:
We maintain a presence on social media platforms and other online platforms to communicate with interested individuals and to inform about our activities and operations. In connection with such platforms, personal data may also be processed outside Switzerland and the European Economic Area (EEA).
The terms of service, privacy policies, and other provisions of the respective platform operators also apply. These provisions inform data subjects of their rights directly vis‑à‑vis the platform, including, for example, the right of access.
For our social media presence on Facebook, including so‑called Page Insights, we are—where and insofar as the General Data Protection Regulation (GDPR) applies—jointly responsible with Meta Platforms Ireland Limited (Ireland). Meta Platforms Ireland Limited is part of the Meta Companies (including in the USA). Page Insights show how visitors interact with our Facebook presence. We use Page Insights to provide our social media presence on Facebook effectively and user‑friendly.
Further information about the nature, scope, and purpose of data processing, data subject rights, and the contact details of Facebook and Facebook’s data protection officer is available in the Facebook Data Policy. We have concluded the so‑called “Addendum for Data Controllers” with Facebook, under which Facebook is responsible for ensuring data subject rights. For Page Insights specifically, refer to the “Information About Page Insights Data”.
We use services from specialized third parties to conduct our operations in a user‑friendly, secure, and reliable manner. Such services may enable us to embed functionality and content on our website. In doing so, the services used will, for technical reasons, at least temporarily collect users’ IP addresses.
For necessary security-related, statistical, and technical purposes, third parties whose services we use may process data related to our activities in aggregated, anonymized, or pseudonymized form—for example, performance or usage data, to provide their services.
We use in particular:
We use third‑party services to access digital infrastructure needed for our operations, such as hosting and storage by selected providers.
We use in particular:
We use specialized services for audio and video conferences to communicate online. We may host virtual meetings or webinars. Additional terms and privacy policies of the respective services apply.
We recommend muting microphones and using blurred or virtual backgrounds where appropriate.
We use in particular:
We use third‑party services for online collaboration under their terms and privacy statements.
We use third‑party services and plugins to embed social media functions and content, and to enable content sharing.
We use in particular:
We use third-party services to embed maps into our website.
We use in particular:
We use services from specialized third parties to embed digital content into our website. Digital content includes image and video material, music, and podcasts.
We use in particular:
We use the option to display targeted advertising via third parties, such as social media platforms and search engines, for our activities and operations.
Our aim with such advertising is to reach individuals who are already interested in or might be interested in our activities and operations (remarketing and targeting). For this purpose, we may transmit relevant—including possibly personal—data to third parties that enable such advertising. We may also determine whether our advertising is successful, i.e. whether it leads to visits on our website (conversion tracking).
Third parties where we advertise, and where you are logged in, may associate your usage of our website with your profile on that platform.
We use in particular:
We use extensions on our website to enable additional functionality. We may use selected services from suitable providers or host such extensions on our own digital infrastructure.
We use in particular:
We aim to measure the success and reach of our activities and operations. As part of this, we may evaluate third-party cues or test how different parts or versions of our digital presence are used (A/B testing). Based on the results, we may fix errors, enhance popular content, or implement improvements.
For performance and reach measurement, we often collect users’ IP addresses. In such cases, IP addresses are generally truncated (“IP masking”) to pseudonymize them and comply with data minimization principles.
Cookies and user profiles may be used in performance and reach measurement. Any profiles created may include, for example, visited pages or content, screen size or browser window dimensions, and an approximate location. Profiles are generally pseudonymized and not used to identify individual users. However, individual third-party services where users are logged in may link usage of our online offering to the user account/profile.
We use in particular:
We created this privacy policy using the privacy policy generator from Datenschutzpartner. The present privacy policy is an unofficial translation from the original German version.
We may update this privacy policy at any time. We will inform you of updates in an appropriate manner, particularly by publishing the current version on our website.