Sunstar-Holding AG, which has its registered office at Galmsstrasse 5, 4410 Liestal, manages the 8 Sunstar hotels in Arosa, Brissago, Davos, Grindelwald, Klosters, Lenzerheide, Piemont and Pontresina, as well as the subsidiary Ferienclub Privilège. It is the operator of the websites sunstar.ch, ferienclub.ch and privilege-ferienwelt.ch and is therefore responsible for the collection, processing and use of your personal data and for ensuring the compatibility of the data processing with the prevailing data protection law.
Your trust is important to us, which is why we take the topic of data protection seriously and ensure appropriate security. We naturally comply with the legal provisions of the Federal Data Protection Act (FDPA), the Ordinance to the Federal Data Protection Act (OFDPA), the Telecommunications Act (TCA), and other data protection provisions that may apply under Swiss or EU law, especially the General Data Protection Regulation (GDPR).
In order for you to know what personal data we collect from you and for what purposes we use the data, please take note of the following information.
The address of our representative in the EU under data protection law is:
VGS Datenschutzpartner UG, Am Kaiserkai 69, 20457 Hamburg, Germany.
Contact details: email@example.com
1.1 Accessing our website
When you visit our website, our servers temporarily store each access in a log file. The following technical data are collected without you having to do anything, as is always the case every time you connect to a web server. The data are stored in the webserver logs for the purposes of error analysis and in order to protect the functionality of the web services and are then automatically deleted after a maximum of 7 days.
No further processing takes place. The logs are excluded from data protection.
This data is collected and processed to allow the use of our website (establishing a connection), to permanently ensure system security and stability, and to optimise our Internet offer as well as for internal statistical purposes. We rely on our legitimate interests within the meaning of Art. 6 (1) f) GDPR for these processing purposes.
Furthermore, if there are attacks on the network infrastructure or other prohibited or abusive website uses, the IP address is used together with other data for clarification and defence and may be used to identify and take civil and criminal action against the users concerned as part of a criminal proceeding. We rely on our legitimate interests within the meaning of Art. 6 (1) f) GDPR for this processing purpose.
1.2 Use of our contact form
You have the possibility to use a contact form to contact us. We require the following information for this:
We only use this data as well as a telephone number you may voluntarily provide to answer your contact query in the best possible and personalised way. Processing of this data is therefore required in order to take steps prior to entering into a contract within the meaning of Art. 6 (1) b) GDPR or falls within our legitimate interests pursuant to Art. 6 (1) f) GDPR, respectively.
1.3 Interactive Conversations with ReGuest Messenger
In order to serve you during your enquiry or visit to our website, we provide you with a chat function. If a chat connection is established to the reception, a connection is made to our communication software. At no time will your browser be accessed. Within the framework of the chat, you have the possibility to choose different communication channels by selecting the corresponding menu items.
By using the chat, information is transmitted to the messenger server, which is managed by ReGuest GmbH on our behalf. This data is information that is required for the technical processing of the chat. The standardised data collection is solely for the purpose of online counselling. We store the data required for the above-mentioned functions exclusively for these purposes.
Further evaluations take place at most in anonymous form for statistical purposes. The owner of all data collected during the use of Messenger is Sunstar Hotels Management AG. The stored chat logs, which we must keep for evidence purposes for you and us, will not be forwarded to third parties.
1.4 Registering for our newsletter
You have the option to subscribe to our newsletter on our website. This requires a registration. The following data must be provided in the context of a registration:
The above data is required for the data processing. In addition, you can voluntarily provide additional data (interests, complete contact details, message). We only process this data to personalise the information and offers sent to you and to better tailor them to your interests.
By registering, you consent to the processing of the provided data for the regular delivery of the newsletter to the address you provided and for statistical analysis of user behaviour and for the optimisation of the newsletter. This consent constitutes the legal basis under Art. 6 (1) a) GDPR for the processing of your email address. We have the right to commission third parties for the technical handling of marketing measures and have the right to disclose your data for this purpose (see Section 13 below).
For the distribution and statistical analysis of our Newsletter, we use the CRM software by ReGuest, Kuperionstr. 34, 39012 Meran, Italy. We have implemented all the relevant contractual conditions and any additional guarantees as required by the provider.
At the end of each newsletter you will find a link through which you can unsubscribe from the newsletter at any time. You can voluntarily inform us of the reason for unsubscribing when you unsubscribe. Your personal data is deleted after you unsubscribe. Any further processing will take place solely in anonymised form to optimise our newsletter.
1.5 Booking on the website, by correspondence, or by telephone
If you carry out bookings either via our website, by correspondence (email or post), or by telephone, we require the following data for the execution of the contract:
The legal basis for processing the data for this purpose is the performance of a contract pursuant to Art. 6 (1) b) GDPR.
Cookies help in many ways to make your visit to our website easier, more pleasant, and more useful. Cookies are information files your web browser automatically stores on your computer's hard drive when you visit our Internet page.
Most Internet browsers automatically accept cookies. However, you can configure your browser so that no cookies are stored on your computer or so that a notice always appears before you receive a new cookie. On the following pages, you will find explanations as to how to configure the processing of cookies in the most common browsers:
Disabling cookies may prevent you from using all the features of our website.
1.7 Tracking tools
We use the web analysis service Google Analytics for needs-based design and continuous optimisation of our website. Pseudonymised use profiles are generated and small text files that are stored on your computer ("cookies") are used in this context. The information about your use of this website generated by the cookie is sent to the servers of the provider of these services and stored and processed for us there. In addition to the data listed under Section 1, we receive the following information in some circumstances:
The information is used to analyse the use of the website, to compile reports about website activities, and to perform other services related to website use and Internet use for purposes of market research and needs-based design of this webpage. This information may also be sent to third parties if required by law or if third parties are processing this data on a contract basis.
1.7.2 Google Analytics
The provider of Google Analytics is Google Inc., a company owned by the holding company Alphabet Inc, having its registered office in the USA. Prior to transmitting the data to the provider, by activating IP anonymisation (“anonymizeIP”) on this website, the IP address is shortened within the member States of the European Union or in other States that are signatories to the Agreement on the European Economic Area (EEA). The anonymised IP address transmitted by your browser within the context of Google Analytics will not be combined with other data by Google. Only in exceptional cases is the full IP address transmitted to a Google server in the USA and shortened there. In these cases, we ensure, by means of contractual guarantees, that Google Inc. observes a satisfactory level of data protection. According to Google Inc., the IP address will not under any circumstances be combined with other data concerning the user.
More information about the web analysis service used can be found on the website of Google Analytics. You can find instructions about how you can prevent the processing of your data by the web analysis service at http://tools.google.com/dlpage/gaoptout?hl=de.
Our website uses plugins of the YouTube website, which is operated by Google. The operator of the pages is YouTube, LLC, 901 Cherry Ave., San Bruno, CA 94066, USA. When you visit one of our pages that is provided with a YouTube plugin, a connection is created to the servers of YouTube. This communicates to the YouTube server which of our pages you have visited,
When you are logged into your YouTube account, you enable YouTube to associate your surfing behaviour directly with your personal profile. You can prevent this by logging out of your YouTube account.
1.7.4 Google Maps
1.8 Data connected with the job application process
During the job application process, in addition to your title, surname, first name, date of birth and nationality, the normal contact details such as your postal address, email address and telephone numbers will also be stored in the database of applicants. Furthermore, all the documents that you submit in connection with your application will also be recorded. This data will only be saved, evaluated, processed or shared internally in connection with your application. In exceptional cases, employees of the software partner that we use for support services may also have access to the data that you have submitted. Unless you tell us otherwise, we reserve the right to consider and check your application in relation to other suitable posts within our company. Your data may be processed for statistical purposes (e.g. reporting). This does not allow individuals to be identified.
By pressing the “Accept data protection terms” button, you give consent for your data to be stored and processed and for your personal data to be made available to our company for the purpose of finding or filling a job vacancy. Your consent to such data processing will be documented. Your data will be stored and processed on systems used by our software partner Ennit (lawful basis for data processing: Art. 13 para. 1 of the FADP [Federal Act on Data Protection], frame of reference: Art. 6 paragraph 1 point (a) of the GDPR (EU)).
Application documents from unsuccessful applicants for a specific, publicly advertised vacancy will be deleted no later than six (6) months after the vacancy is filled, because our company has to have fulfilled all its legal obligations by that time (e.g. compliance with SECO [State Secretariat for Economic Affairs] requirements). Regardless of the above, you are entitled to ask for your electronic data to be deleted at any time.
2. Data processing in connection with your stay
2.1 Data processing for the fulfilment of legal reporting obligations
On arrival at our hotel, we require the following information from you and your travel companion, if applicable:
We collect this information for the fulfilment of legal reporting obligations, which result in particular from hospitality industry or police regulations. If we are obliged to do so under the applicable regulations, we will forward this information to the relevant police authority.
We have a legitimate interest in the fulfilment of the legal requirements within the meaning of Art. 6 (1) f) DSGVO.
2.2 Recording of services purchased
If you purchase additional services during your stay (e.g. use the mini-bar or the Pay-TV offer), we will record the service and the time of purchase of the service for billing purposes. The processing of this data is necessary for the performance of a contract within the meaning of Art. 6 (1) b) GDPR.
3.1 Booking platforms
Finally, the platform operator may notify us of disputes in connection with a booking. In some circumstances, we may receive data about the booking process, which may include a copy of the booking confirmation as a receipt of the actual booking transaction. We process this data to protect and enforce our claims. This constitutes our legitimate interest within the meaning of Art. 6 (1) f) GDPR.
Please also note the data protection information of the provider Hotel Net Solutions.
3.2 Central storage and linking of data
We store the data specified in Sections 2-5 and 8-10 in a central electronic data processing system. The data relating to you is recorded and linked in the system to process your bookings and to provide contractual services. For this purpose, we use software from Oracle Software (Schweiz) GmbH, Täfernstrasse 4, 5405 Baden-Dättwil, Switzerland. We additionally use cloud-based software, which is hosted by pdc salespitcher ag, Schwimmbadstrasse 45, 5430 Wettingen, for the Ferienclubs Privilège data. For the processing of this data in the framework of the software we rely on our legitimate interest within the meaning of Art. 6 (1) f) GDPR in customer-friendly and efficient customer data management.
3.3 Retention period
We only store personal data as long as it is necessary to use the abovementioned tracking services and to carry out the further processing activities in the framework of our legitimate interests. We retain contractual data for a longer period of time, as this is prescribed by legal retention obligations. Retention obligations that require us to retain data arise from regulations relating to reporting law, accounting, and tax law. According to these regulations, business communication, concluded contracts, and accounting records must be kept for up to 10 years. If we no longer need this data to perform the services for you, the data will be blocked. This means that the data may then only be used for billing and tax purposes.
3.4 Disclosure of data to third parties
We only disclose your personal data if you have given your express consent, if there is a legal obligation to do so, or if this is necessary to enforce our rights, especially to enforce claims arising from the contractual relationship. In addition, we disclose your data to third parties as far as this is necessary in the context of use of our website and contract processing (including outside the website), namely to process your bookings.
One service provider, to which the personal data collected via the website are disclosed, or which has or can have access thereto, is our web hoster Ennit Interactive. The website is hosted on servers at ennit server GmbH in Kiel, Germany. The websites of Ferienclubs Privilège (see also the introduction regarding this) are hosted by Hostpoint Switzerland and Aseco, Switzerland. The data is disclosed for the purpose of providing and maintaining the functionalities of our website. This constitutes our legitimate interest within the meaning of Art. 6 (1) f) GDPR.
Please also note the information in Sections 7-8 and 10-11 regarding the transfer of data to third parties.
3.5 Transmission of personal data abroad
4.1 Right to access, correction, deletion, and restriction of processing; right to data portability
You have the right to know about the personal data that we store about you on request. In addition, you have the right to the correction of incorrect data and the right to the deletion of your personal data, insofar as this does not conflict with any legal obligation to retain data or a legal basis that allows us to process the data.
You further have the right to ask for the release of the data you have given us (right to data portability). On request, we will also pass on the data to a third party of your choice. You have the right to receive the data in a current file format.
You can contact us at the email address firstname.lastname@example.org for the aforesaid purposes. We may, at our discretion, require proof of identity to process your requests.
4.2 Data security
We take appropriate technical and organisational security measures to protect your personal data stored with us against manipulation, full or partial loss or destruction, and unauthorised access by third parties. Our security measures are continuously improved in line with technological developments.
You should always treat your access data confidentially and close the browser window when you have ended communication with us, especially if you used a shared computer.
We also take internal data protection very seriously. Our employees and the service providers we retain have been obliged by us to maintain confidentiality and to comply with data protection regulations.
4.3 Notice regarding data transfers to the US
For the sake of completeness, we would like to point out to users residing or domiciled in Switzerland that monitoring measures are in place in the US by US authorities, which generally allow the storage of all personal data of all persons whose data is transmitted from Switzerland to the US. This is done without distinction, restriction, or exception by reference to the goal and without an objective criterion that allows access by US authorities to the data and later use thereof to be restricted to very specific, strictly limited purposes that could justify the intervention associated with access to and use of this data. In addition, we would like to point out that there are no legal remedies in the US for data subjects from Switzerland that would allow them to obtain access to the data relating to them and to obtain the correction or deletion thereof, and that there is no effective court protection against general access rights of US authorities. We explicitly point out this legal and factual situation to the data subject so that he or she can make an informed decision about consenting to the use of his or her data.
4.4 Right to file a complaint with a data protection supervisory authority
You have the right to file a complaint with a data protection supervisory authority at any time.