With this Privacy Policy, we inform about the processing of personal data in connection with our activities and operations, including our visitgraubunden.com website. In particular, we inform you about the purposes, methods, and locations where we process personal data. We also inform you about the rights of individuals whose data we process.
For specific or additional activities and operations, additional privacy policies or other information on data protection may apply.
We are subject to Swiss data protection law and, where applicable, foreign data protection law, such as that of the European Union (EU) with the European General Data Protection Regulation (GDPR).
The European Commission recognised on 26 July 2000 that Swiss data protection law ensures adequate data protection. On 15 January 2024, the European Commission confirmed this adequacy decision.
Responsibility for the processing of personal data:
Graubünden Ferien
Alexanderstrasse 24
7001 Chur
Switzerland
In some cases, third parties may be responsible for the processing of personal data or there may be joint responsibility with third parties.
We have the following data protection officers or data protection advisors as contact points for affected persons and authorities for queries related to data protection:
Manuela Ruinatscha
Graubünden Ferien
Alexanderstrasse 24
7001 Chur
Switzerland
We have the following data protection representation in accordance with Art. 27 GDPR:
VGS Datenschutzpartner GmbH
Am Kaiserkai 69
20457 Hamburg
Germany
The data protection representation serves as an additional point of contact for affected persons and authorities in the European Union (EU) and the rest of the European Economic Area (EEA) for queries related to the GDPR.
Affected Person: Natural person about whom we process personal data.
Personal Data: All information relating to an identified or identifiable natural person.
Special Categories of Personal Data: Data concerning trade union membership, political opinions, religious or philosophical beliefs, health, intimate sphere, ethnicity or race, genetic data, biometric data uniquely identifying a natural person, data concerning criminal and administrative sanctions or prosecutions, and data concerning social assistance measures.
Processing: Any handling of personal data, regardless of the means and procedures used, such as querying, matching, adjusting, archiving, storing, reading, disclosing, obtaining, recording, collecting, deleting, revealing, organising, storing, changing, disseminating, linking, destroying, and using personal data.
European Economic Area (EEA): Member States of the European Union (EU) as well as the Principality of Liechtenstein, Iceland, and Norway.
Note: The European General Data Protection Regulation (GDPR) refers to the processing of personal data as the processing of personal data and the processing of special categories of personal data as the processing of special categories of personal data (Art. 9 GDPR).
We process personal data in accordance with Swiss data protection law, such as the Federal Act on Data Protection (Data Protection Act, FADP) and the Ordinance on Data Protection (Data Protection Ordinance, DPO).
We process – where and to the extent the General Data Protection Regulation (GDPR) is applicable – personal data or personal data in accordance with at least one of the following legal bases:
We process the personal data that is necessary to sustainably, user-friendly, securely, and reliably carry out our activities and operations. The processed personal data can fall into the categories of browser and device data, content data, communication data, metadata, usage data, master data, including inventory and contact data, location data, transaction data, contract data, and payment data.
We also process personal data that we receive from third parties, obtain from publicly accessible sources, or collect while carrying out our activities and operations, to the extent such processing is legally permissible.
We process personal data, where necessary, with the consent of the affected persons. In many cases, we can process personal data without consent, for example, to fulfil legal obligations or to protect overriding interests. We can also request consent from affected persons even when it is not required.
We process personal data for the duration necessary for the respective purpose. We anonymise or delete personal data, particularly depending on legal retention and limitation periods.
We can disclose personal data to third parties, have it processed by third parties, or process it jointly with third parties. These third parties are, in particular, specialised providers whose services we use.
We can disclose personal data, for example, to banks and other financial service providers, authorities, educational and research institutions, consultants and lawyers, interest groups, IT service providers, cooperation partners, credit and economic information agencies, logistics and shipping companies, marketing and advertising agencies, media, organisations and associations, social institutions, telecommunications companies, and insurance companies.
We process personal data to be able to communicate with third parties. In this context, we particularly process data that an affected person transmits to us when contacting us, for example, by postal mail or email. We can store such data in an address book or similar tools.
Third parties who transmit data about other persons are obliged to ensure data protection for such affected persons. This includes, among other things, ensuring the accuracy of the transmitted personal data.
We use selected services from suitable providers to communicate better with third parties.
We take appropriate technical and organisational measures to ensure a level of data security appropriate to the respective risk. With our measures, we ensure, in particular, the confidentiality, availability, traceability, and integrity of the processed personal data, without being able to guarantee absolute data security.
Access to our website and other online presence is carried out using transport encryption (SSL / TLS, particularly with Hypertext Transfer Protocol Secure, abbreviated HTTPS). Most browsers warn against visiting websites without transport encryption.
Our digital communication is subject – like generally all digital communication – to mass surveillance without cause and suspicion by security authorities in Switzerland, the rest of Europe, the United States of America (USA), and other countries. We cannot directly influence the corresponding processing of personal data by intelligence agencies, police stations, and other security authorities. We also cannot rule out that an affected person is specifically monitored.
We generally process personal data in Switzerland and the European Economic Area (EEA). However, we can also export or transfer personal data to other countries, particularly to process it there or have it processed.
We can export personal data to all countries and territories on Earth, provided that the respective law ensures adequate data protection according to the decision of the Swiss Federal Council and – where and to the extent the General Data Protection Regulation (GDPR) is applicable – also according to the decision of the European Commission.
We can transfer personal data to countries whose law does not ensure adequate data protection, provided data protection is ensured for other reasons, particularly based on standard data protection clauses or other appropriate safeguards. Exceptionally, we can export personal data to countries without adequate or suitable data protection if the specific data protection requirements are met, for example, the explicit consent of the affected persons or a direct connection with the conclusion or performance of a contract. We will gladly provide affected persons with information about any safeguards or provide a copy of any safeguards upon request.
We grant affected persons all claims in accordance with applicable data protection law. Affected persons have, in particular, the following rights:
We can postpone, restrict, or refuse the exercise of affected persons' rights within the legally permissible framework. We can inform affected persons about any conditions that must be met for the exercise of their data protection claims. For example, we can fully or partially refuse information with reference to business secrets or the protection of other persons. For example, we can also fully or partially refuse the deletion of personal data with reference to legal retention obligations.
We can exceptionally provide for costs for the exercise of rights. We will inform affected persons in advance about any costs.
We are obliged to identify affected persons requesting information or asserting other rights with appropriate measures. Affected persons are obliged to cooperate.
Affected persons have the right to enforce their data protection claims through legal channels or to file a complaint with a data protection supervisory authority.
The data protection supervisory authority for private controllers and federal bodies in Switzerland is the Federal Data Protection and Information Commissioner (FDPIC).
European data protection supervisory authorities – where and to the extent the General Data Protection Regulation (GDPR) is applicable – are organised as members of the European Data Protection Board (EDPB). In some member states in the European Economic Area (EEA), the data protection supervisory authorities are federally structured, particularly in Germany.
We may use cookies. Cookies – both first-party cookies (own cookies) and third-party cookies (cookies from third parties whose services we use) – are data stored in the browser. Such stored data need not be limited to traditional cookies in text form.
Cookies can be stored temporarily in the browser as "session cookies" or for a specific period as so-called permanent cookies. "Session cookies" are automatically deleted when the browser is closed. Permanent cookies have a specific storage duration. Cookies allow, among other things, a browser to be recognised during the next visit to our website and thus, for example, to measure the reach of our website. However, permanent cookies can also be used for online marketing, for example.
Cookies can be deactivated or deleted at any time in the browser settings. Without cookies, our website may no longer be fully available. We request – at least where and to the extent necessary – active explicit consent to the use of cookies.
For cookies used for success and reach measurement or for advertising, a general objection ("opt-out") is possible for many services through AdChoices (Digital Advertising Alliance of Canada), the Network Advertising Initiative (NAI), YourAdChoices (Digital Advertising Alliance) or Your Online Choices (European Interactive Digital Advertising Alliance, EDAA).
We may log at least the following information for each access to our website and other online presence, provided this information is transmitted to our digital infrastructure during such access: date and time including time zone, IP address, access status (HTTP status code), operating system including user interface and version, browser including language and version, individual sub-page of our website accessed including data volume transmitted, last website accessed in the same browser window (referrer).
We log such information, which may also be personal data, in log files. This information is necessary to be able to provide our online presence sustainably, user-friendly, and reliably. This information is also necessary to ensure data security – also by third parties or with the help of third parties.
We may integrate tracking pixels into our online presence. Tracking pixels are also referred to as web beacons. Tracking pixels – also from third parties whose services we use – are usually small, invisible images or JavaScript scripts that are automatically retrieved when accessing our online presence. Tracking pixels can capture at least the same information as in log files.
Notifications and communications may contain web links or tracking pixels that capture whether an individual notification was opened and which web links were clicked. Such web links and tracking pixels can also capture the use of notifications and communications on a personal level. We need this statistical capture of use for success and reach measurement to send notifications and communications effectively and user-friendly, tailored to the needs and reading habits of the recipients, and sustainably, securely, and reliably.
You must generally consent to the use of your email address and other contact addresses unless the use is permitted for other legal reasons. For obtaining a double-confirmed consent, we may use the "Double Opt-in" procedure. In this case, you will receive a notification with instructions for double confirmation. We may log obtained consents, including IP address and timestamp for evidence and security reasons.
You can generally object to receiving notifications and communications such as newsletters at any time. By doing so, you can also object to the statistical capture of use for success and reach measurement. Required notifications and communications related to our activities and operations remain unaffected.
We send notifications and communications with the help of specialised service providers.
In particular, we use:
We are present on social media platforms and other online platforms to communicate with interested persons and inform about our activities and operations. In connection with such platforms, personal data may also be processed outside Switzerland and the European Economic Area (EEA).
The general terms and conditions (GTC) and terms of use as well as privacy policies and other provisions of the individual operators of such platforms apply. These provisions, in particular, inform about the rights of affected persons directly towards the respective platform, such as the right to information.
For our social media presence on Facebook including the so-called Page Insights, we – where and to the extent the General Data Protection Regulation (GDPR) is applicable – are jointly responsible with Meta Platforms Ireland Limited (Ireland). Meta Platforms Ireland Limited is part of the Meta companies (including in the USA). Page Insights provide information about how visitors interact with our Facebook presence. We use Page Insights to provide our social media presence on Facebook effectively and user-friendly.
Further information on the type, scope, and purpose of data processing, information on the rights of affected persons, and the contact details of Facebook and the data protection officer of Facebook can be found in the Facebook Privacy Policy. We have concluded the so-called "Controller Addendum" with Facebook, agreeing, in particular, that Facebook is responsible for ensuring the rights of affected persons. For the so-called Page Insights, the corresponding information can be found on the page "Information on Page Insights", including "Information on Page Insights Data".
We use services from specialised third parties to sustainably, user-friendly, securely, and reliably carry out our activities and operations. With such services, we can embed functions and content into our website. For such embedding, the used services technically need to capture the IP addresses of users at least temporarily.
For necessary security-related, statistical, and technical purposes, third parties whose services we use can process data in connection with our activities and operations in an aggregated, anonymised, or pseudonymised manner. This includes, for example, performance or usage data to offer the respective service.
In particular, we use:
We use services from specialised third parties to utilise the required digital infrastructure in connection with our activities and operations. These include, for example, hosting and storage services from selected providers.
In particular, we use:
We use specialised services for audio and video conferences to communicate online. This allows us to hold virtual meetings or conduct online classes and webinars, for example. Participation in audio and video conferences is subject to the additional legal texts of the respective services, such as privacy policies and terms of use.
We recommend, depending on your living situation, to mute the microphone by default during participation in audio or video conferences and to blur the background or display a virtual background.
In particular, we use:
We use services from third parties to enable online collaboration. In addition to this privacy policy, the terms and conditions visible directly from the used services, such as terms of use or privacy policies, also apply.
In particular, we use:
We use services and plugins from third parties to embed functions and content from social media platforms and to enable the sharing of content on social media platforms and in other ways.
In particular, we use:
We use services from third parties to embed maps into our website.
In particular, we use:
We use services from specialised third parties to enable the direct playback of digital audio and video content such as music or podcasts.
In particular, we use:
We use the opportunity to display advertising with third parties such as social media platforms and search engines for our activities and operations.
We particularly aim to reach people with such advertising who are already interested in or may be interested in our activities and operations (remarketing and targeting). For this purpose, we can transmit corresponding – possibly also personal – information to third parties enabling such advertising. We can also determine whether our advertising is successful, i.e., particularly if it leads to visits to our website (conversion tracking).
Third parties, where we advertise and where you are logged in as a user, may potentially associate the use of our website with your profile there.
In particular, we use:
We use extensions for our website to utilise additional functions. We can use selected services from suitable providers or use such extensions on our own digital infrastructure.
In particular, we use:
We attempt to measure the success and reach of our activities and operations. In this context, we can also measure the effectiveness of third-party notices or check how different parts or versions of our online offering are used (A/B testing method). Based on the results of success and reach measurement, we can, in particular, correct errors, strengthen popular content, or make improvements.
For success and reach measurement, the IP addresses of individual users are usually captured. In this case, IP addresses are generally shortened ("IP masking") to follow the principle of data minimisation through corresponding pseudonymisation.
Cookies may be used for success and reach measurement, and user profiles may be created. User profiles created may include, for example, the individual pages visited or content viewed on our website, information on the size of the screen or browser window, and the – at least approximate – location. Generally, any user profiles created are pseudonymised and not used to identify individual users. Individual services of third parties, where users are registered, may associate the use of our online offering with the user account or user profile at the respective service.
In particular, we use:
We created this privacy policy using the Privacy Policy Generator from Datenschutzpartner. The present privacy policy is an unofficial translation from the original German version.
We may adjust and supplement this privacy policy at any time. We will inform about such adjustments and supplements in an appropriate form, particularly by publishing the current privacy policy on our website.