With this Privacy Policy, we inform you of the personal data we process in connection with our activities and operations including our visitgraubunden.com website. We specifically inform you what, how, and where we process personal data. We also inform about the rights of individuals whose data we process.
For individual or additional activities and operations, further privacy policies and other legal documents such as General Terms and Conditions (GTC), Terms of Use, or Participation Conditions may apply.
We are subject to Swiss data protection law and any applicable foreign data protection law, particularly that of the European Union (EU) with the General Data Protection Regulation (GDPR). The European Commission recognises that Swiss data protection law ensures adequate data protection.
Responsibility for the processing of personal data:
Graubünden Ferien
Alexanderstrasse 24
7001 Chur
Switzerland
We point out if there are other responsible parties for the processing of personal data in individual cases.
We have the following Data Protection Officer or Data Protection Advisor as a contact point for affected persons and authorities for inquiries related to data protection:
Manuela Ruinatscha
Graubünden Ferien
Alexanderstrasse 24
7001 Chur
Switzerland
We have the following data protection representation according to Art. 27 GDPR:
VGS Datenschutzpartner GmbH
Am Kaiserkai 69
20457 Hamburg
Germany
The data protection representation serves as an additional point of contact for affected individuals and authorities in the European Union (EU) and the rest of the European Economic Area (EEA) for inquiries related to the GDPR.
Personal data are all information relating to an identified or identifiable natural person. An affected person is a person about whom we process personal data.
Processing includes any handling of personal data, regardless of the means and procedures used, such as querying, matching, adjusting, archiving, storing, reading, disclosing, obtaining, recording, collecting, deleting, revealing, organizing, organizing, saving, altering, distributing, linking, destroying, and using personal data.
The European Economic Area (EEA) includes the member states of the European Union (EU) as well as the Principality of Liechtenstein, Iceland, and Norway. The General Data Protection Regulation (GDPR) refers to the processing of personal data as the processing of personal data.
We process personal data in accordance with Swiss data protection law, particularly the Federal Act on Data Protection (Data Protection Act, DPA) and the Ordinance on Data Protection (Data Protection Ordinance, DPO).
We process – where and to the extent the General Data Protection Regulation (GDPR) is applicable – personal data according to at least one of the following legal bases:
We process those personal data that are necessary to carry out our activities and operations in a sustainable, user-friendly, secure, and reliable manner. Such personal data may fall into categories such as inventory and contact data, browser and device data, content data, metadata or marginal data and usage data, location data, sales data, and contract and payment data.
We process personal data for the duration required for the respective purpose or purposes or as legally required. Personal data that are no longer necessary for processing are anonymized or deleted.
We may have personal data processed by third parties. We may process personal data jointly with third parties or transfer it to third parties. Such third parties are particularly specialized providers whose services we use. We also ensure data protection with such third parties.
We generally process personal data only with the consent of the affected individuals. If and to the extent that processing is permissible for other legal reasons, we may forego obtaining consent. For example, we may process personal data without consent to fulfill a contract, to comply with legal obligations, or to protect overriding interests.
We also process personal data that we receive from third parties, obtain from publicly accessible sources, or collect in the exercise of our activities and operations, provided and to the extent that such processing is permissible for legal reasons.
We process data to communicate with third parties. In this context, we particularly process data that an affected person transmits when making contact, for example by mail or email. We may store such data in an address book or with similar tools.
Third parties who transmit data about other persons are obliged to ensure data protection for such affected persons. This includes, among other things, ensuring the accuracy of the transmitted personal data.
We take appropriate technical and organizational measures to ensure data security appropriate to the respective risk. With our measures, we particularly ensure the confidentiality, availability, traceability, and integrity of the processed personal data, without being able to guarantee absolute data security.
Access to our website and other online presences is made using transport encryption (SSL / TLS, in particular with the Hypertext Transfer Protocol Secure, abbreviated HTTPS). Most browsers indicate transport encryption with a small padlock in the address bar.
Our digital communication is – like generally all digital communication – subject to mass surveillance without cause or suspicion by security authorities in Switzerland, the rest of Europe, the United States of America (USA), and other countries. We have no direct influence on the corresponding processing of personal data by intelligence services, police stations, and other security authorities. We also cannot rule out that individual affected persons are specifically monitored.
We generally process personal data in Switzerland and the European Economic Area (EEA). However, we can also export or transmit personal data to other countries, particularly to process them or have them processed there.
We can export personal data to all countries and territories on Earth and elsewhere in the Universe, provided that the law there ensures adequate data protection according to the decision of the Swiss Federal Council and – where and to the extent the General Data Protection Regulation (GDPR) is applicable – according to the decision of the European Commission.
We can transmit personal data to countries whose law does not ensure adequate data protection, provided that data protection is guaranteed for other reasons, in particular based on standard data protection clauses or other suitable guarantees. Exceptionally, we can export personal data to countries without adequate or suitable data protection if the special data protection legal requirements are met, for example, the explicit consent of the affected persons or a direct connection with the conclusion or execution of a contract. We are happy to provide affected persons with information about any guarantees upon request or provide a copy of any guarantees.
We grant affected persons all claims according to applicable data protection law. Affected persons have, in particular, the following rights:
We may postpone, limit, or deny the exercise of the rights of affected persons within the legally permissible framework. We may inform affected persons about any prerequisites to be met for exercising their data protection rights. For example, we may partially or fully refuse to provide information with reference to trade secrets or the protection of other persons. We may also partially or fully refuse the deletion of personal data with reference to statutory retention obligations.
We may exceptionally charge costs for exercising rights. We will inform affected persons in advance about any possible costs.
We are obliged to identify affected persons who request information or assert other rights, with appropriate measures. Affected persons are required to cooperate.
Affected persons have the right to enforce their data protection legal claims through legal proceedings or to file a complaint or report with a competent data protection supervisory authority.
The data protection supervisory authority for reports from affected persons against private controllers and federal bodies in Switzerland is the Federal Data Protection and Information Commissioner (FDPIC).
Possible data protection supervisory authorities for complaints from affected persons – where and to the extent the General Data Protection Regulation (GDPR) is applicable – are organized as members of the European Data Protection Board (EDPB). In some member states in the European Economic Area (EEA), the data protection supervisory authorities are federally structured, particularly in Germany.
We may use cookies. Cookies – both our own cookies (First-Party-Cookies) and those of third parties whose services we use (Third-Party-Cookies) – are data stored in the browser. Such stored data need not be limited to traditional text-form cookies.
Cookies can be temporarily stored in the browser as "Session Cookies" or for a specific period as so-called permanent cookies. "Session Cookies" are automatically deleted when the browser is closed. Permanent cookies have a specified storage duration. Cookies, in particular, allow a browser to be recognized upon the next visit to our website, thereby enabling us to measure the reach of our website, for instance. However, permanent cookies can also be used for online marketing purposes.
Cookies can be completely or partially deactivated in the browser settings at any time and can also be deleted. Without cookies, our website may not be fully available. We request – at least as far as necessary – active explicit consent for the use of cookies.
For cookies used for success and reach measurement or for advertising, a general objection ("Opt-out") is possible for numerous services via AdChoices (Digital Advertising Alliance of Canada), the Network Advertising Initiative (NAI), YourAdChoices (Digital Advertising Alliance) or Your Online Choices (European Interactive Digital Advertising Alliance, EDAA).
We may log each access to our website and other online presences with at least the following information, provided they are transmitted to our digital infrastructure during such access: date and time including time zone, IP address, access status (HTTP status code), operating system including user interface and version, browser including language and version, the specific sub-page of our website accessed including the amount of data transferred, the last page accessed in the same browser window (referrer or referrer).
We log such information, which can also constitute personal data, in log files. This information is necessary to provide our online presence in a sustainable, user-friendly, and reliable manner. The information is also necessary to ensure data security – either directly or with the help of third parties.
We may incorporate tracking pixels into our online presence. Tracking pixels are also known as web beacons. Tracking pixels – including those from third parties whose services we use – are typically small, invisible images or scripts formulated in JavaScript that are automatically retrieved when accessing our online presence. Tracking pixels can capture at least the same information as logged in log files.
We send notifications and communications via email and other communication channels such as instant messaging or SMS.
Notifications and communications may contain web links or tracking pixels that record whether an individual message has been opened and which web links have been clicked. Such web links and tracking pixels may also capture the use of notifications and communications on a personal level. We require this statistical recording of usage for success and reach measurement to be able to send notifications and communications effectively and user-friendly, as well as sustainably, securely, and reliably based on the needs and reading habits of the recipients.
You must generally explicitly consent to the use of your email address and other contact addresses, unless the use is permissible for other legal reasons. For any consent, we preferably use the "Double Opt-in" procedure, meaning you will receive an email with a web link that you must click to confirm, to prevent misuse by unauthorized third parties. We may log such consents including IP address as well as date and time for proof and security reasons.
You can generally object to receiving notifications and communications such as newsletters at any time. With such an objection, you can simultaneously object to the statistical recording of usage for success and reach measurement. Mandatory notifications and communications related to our activities and operations are reserved.
We send notifications and communications with the help of specialized service providers.
In particular, we use:
We are present on social media platforms and other online platforms to communicate with interested persons and inform them about our activities and operations. In connection with such platforms, personal data may also be processed outside of Switzerland and the European Economic Area (EEA).
The General Terms and Conditions (GTC), Terms of Use, Privacy Policies, and other provisions of the individual operators of such platforms also apply. These provisions specifically inform about the rights of affected persons directly against the respective platform, which includes, for example, the right to information.
For our social media presence on Facebook, including the so-called Page Insights, we are – where and to the extent the General Data Protection Regulation (GDPR) is applicable – jointly responsible with Meta Platforms Ireland Limited (Ireland). Meta Platforms Ireland Limited is part of the Meta companies (including in the USA). Page Insights provide information on how visitors interact with our Facebook presence. We use Page Insights to be able to provide our social media presence on Facebook effectively and user-friendly.
Further information about the nature, scope, and purpose of data processing, details about the rights of affected persons, and the contact details of Facebook as well as Facebook's Data Protection Officer can be found in the Facebook Privacy Policy. We have concluded the so-called "Controller Addendum" with Facebook and have particularly agreed that Facebook is responsible for ensuring the rights of affected persons. For the so-called Page Insights, the relevant information can be found on the page "Information on Page Insights" including "Information on Page Insights Data".
We use services from specialized third parties to be able to carry out our activities and operations sustainably, user-friendly, securely, and reliably. With such services, we can embed functions and content into our website, for example. For such embedding, the services used technically and necessarily capture at least temporarily the IP addresses of users.
For necessary security-related, statistical, and technical purposes, third parties whose services we use may process data related to our activities and operations in an aggregated, anonymized, or pseudonymized manner. This may include performance or usage data to offer the respective service.
We use in particular:
We use services from specialized third parties to access the necessary digital infrastructure related to our activities and operations. This includes, for example, hosting and storage services from selected providers.
We use in particular:
We use specialized services for audio and video conferences to communicate online. This enables us to hold virtual meetings, conduct online classes, and webinars. The legal texts of the individual services, such as privacy policies and terms of use, apply additionally to participation in audio and video conferences.
We recommend, depending on the situation, to mute the microphone by default when participating in audio or video conferences and to blur the background or use a virtual background.
We use in particular:
We use services and plugins from third parties to embed features and content from social media platforms as well as to enable sharing of content on social media platforms and through other means.
We use in particular:
We use services from third parties to embed maps on our website.
We use in particular:
We use services from specialized third parties to enable the direct playback of digital audio and video content, such as music or podcasts.
We use in particular:
We utilize the opportunity to display targeted advertising for our activities and operations on third parties such as social media platforms and search engines.
We aim to reach people with such advertising who are already interested in our activities and operations or might be interested (Remarketing and Targeting). For this purpose, we may transmit corresponding – possibly personal – information to third parties that enable such advertising. We can also determine if our advertising is successful, particularly if it leads to visits to our website (Conversion Tracking).
Third parties, where we advertise and where you as a user are registered, may be able to associate the use of our website with your profile there.
We use in particular:
We use extensions for our website to be able to utilize additional functions. We can use selected services from suitable providers or use such extensions on our own server infrastructure.
We use in particular:
We try to determine how our online offer is used. In this context, for example, we can measure the success and reach of our activities and operations as well as the effect of third-party links on our website. We can also try out and compare how different parts or versions of our online offer are used (using the "A/B testing" method). Based on the results of success and reach measurement, we can particularly fix errors, strengthen popular content, or make improvements to our online offer.
For success and reach measurement, the IP addresses of individual users are usually stored. In this case, IP addresses are generally shortened ("IP masking") to adhere to the principle of data minimization through the corresponding pseudonymization.
Cookies may be used in success and reach measurement, and user profiles can be created. Any user profiles created may include, for example, the individual pages visited or content viewed on our website, information about the size of the screen or browser window, and the – at least approximate – location. Generally, any user profiles are created exclusively in a pseudonymized form and are not used for the identification of individual users. Individual services from third parties, where users are registered, may be able to associate the use of our online offer with the user account or user profile at the respective service.
We use in particular:
We have created this Privacy Policy using the Data Protection Generator from Datenschutzpartner. The present privacy policy is an unofficial translation from the original German version.
We may adapt and supplement this Privacy Policy at any time. We will inform about such adaptations and supplements in an appropriate manner, particularly by publishing the current version of the Privacy Policy on our website.