Privacy Policy
With this Privacy Policy, we provide information about the processing of personal data in connection with our activities and operations, including our website under the domain name
For specific or additional activities and operations, we may publish further privacy policies or other data protection information.
We are subject to Swiss law as well as any applicable foreign law, in particular that of the European Union (EU) with the General Data Protection Regulation (GDPR).
The European Commission recognized in its decision of 26 July 2000 that Swiss data protection law ensures an adequate level of data protection. In its report of 15 January 2024, the European Commission confirmed this adequacy decision.
Table of Contents
- 1. Contact Addresses
- 2. Terms and Legal Bases
- 3. Nature, Scope, and Purpose of Data Processing
- 4. Automation and Artificial Intelligence (AI)
- 5. Disclosure of Personal Data
- 6. Communication
- 7. Applications
- 8. Data Security
- 9. Personal Data Abroad
- 10. Rights of Data Subjects
- 11. Use of the Website
- 12. Notifications and Communications
- 13. Social Media
- 14. Third-Party Services
- 15. Performance and Reach Measurement
- 16. Final Notes on this Privacy Policy
1. Contact Addresses
The controller within the meaning of data protection law is:
Hotel Bellevue Flims AG
Via Nova 66
7017 Flims Dorf
In individual cases, third parties may be responsible for processing personal data or there may be joint responsibility with third parties. Upon request, we will be happy to inform affected individuals about the respective responsibility.
1.1 Data Protection Officer or Advisor
We have appointed the following data protection officer or advisor as the point of contact for data subjects and authorities regarding data protection inquiries:
Marianne Tobler
Hotel Bellevue Flims AG
Via Nova 66
7017 Flims Dorf
1.2 Data Protection Representation in the European Economic Area (EEA)
We have appointed the following data protection representative in accordance with Art. 27 GDPR:
VGS Datenschutzpartner GmbH
Am Kaiserkai 69
20457 Hamburg
Germany
The data protection representative serves as an additional point of contact for individuals and authorities in the European Union (EU) and the rest of the European Economic Area (EEA) regarding inquiries related to the GDPR.
2. Terms and Legal Bases
2.1 Terms
Data Subject: A natural person about whom we process personal data.
Personal Data: Any information relating to an identified or identifiable natural person.
Special Categories of Personal Data: Data concerning trade union, political, religious or ideological views and activities; data concerning health, intimate life or ethnic or racial origin; genetic data; biometric data that uniquely identifies a natural person; data concerning criminal and administrative sanctions or prosecutions; and data concerning social assistance measures.
Processing: Any handling of personal data, regardless of the means and procedures used, such as querying, matching, adapting, archiving, retaining, reading, disclosing, obtaining, collecting, acquiring, deleting, revealing, arranging, organizing, storing, altering, distributing, linking, destroying, and using personal data.
European Economic Area (EEA): Member states of the European Union (EU) as well as the Principality of Liechtenstein, Iceland, and Norway.
2.2 Legal Bases
We process personal data in accordance with Swiss law, particularly the Federal Act on Data Protection (Data Protection Act, DPA) and the Ordinance on Data Protection (Data Protection Ordinance, DPO).
We process personal data – if and to the extent that the European General Data Protection Regulation (GDPR) is applicable – based on at least one of the following legal grounds:
- Art. 6(1)(b) GDPR for the processing of personal data necessary to perform a contract with the data subject or to carry out pre-contractual measures.
- Art. 6(1)(f) GDPR for the processing of personal data necessary for the purposes of legitimate interests – including the legitimate interests of third parties – provided these are not overridden by the fundamental rights and freedoms of the data subject. Such interests include, in particular, the sustainable, user-friendly, secure, and reliable performance of our activities and operations, ensuring information security, preventing misuse, enforcing legal claims, and complying with Swiss law.
- Art. 6(1)(c) GDPR for the processing of personal data necessary for compliance with a legal obligation under applicable law of EEA member states to which we are subject.
- Art. 6(1)(e) GDPR for the processing of personal data necessary for the performance of a task carried out in the public interest.
- Art. 6(1)(a) GDPR for the processing of personal data based on the data subject’s consent.
- Art. 6(1)(d) GDPR for the processing of personal data necessary to protect the vital interests of the data subject or another natural person.
- Art. 9(2) ff. GDPR for the processing of special categories of personal data, particularly with the consent of the data subject.
The European General Data Protection Regulation (GDPR) refers to the processing of personal data as the processing of personal data and the processing of special categories of personal data as the processing of special categories of personal data (Art. 9 GDPR).
3. Type, Scope, and Purpose of Personal Data Processing
We process the personal data that is necessary to sustainably, user-friendly, securely, and reliably carry out our activities and operations. The processed personal data may in particular fall into the categories of browser and device data, content data, communication data, metadata, usage data, master data including inventory and contact data, location data, transaction data, contract data, and payment data. The personal data may also include special categories of personal data.
We also process personal data received from third parties, obtained from publicly accessible sources, or collected in the course of carrying out our activities and operations, where such processing is permitted.
We process personal data, if required, based on the consent of the data subjects. In many cases, we may process personal data without consent, for example, to comply with legal obligations or to safeguard overriding interests. We may also request consent even if it is not required.
We process personal data for the duration necessary for the respective purpose. We anonymize or delete personal data in particular in accordance with legal retention and limitation periods.
4. Automation and Artificial Intelligence (AI)
We may process personal data in an automated manner or use artificial intelligence to process personal data.
We may use profiling to automatically assess certain personal aspects relating to data subjects. Profiling is used, for example, to analyze or predict interests, behavior, or personal preferences.
We provide information in individual cases about decisions based solely on automated processing of personal data that have legal effects on or significantly affect the data subjects (automated individual decisions).
5. Disclosure of Personal Data
We may disclose personal data to third parties, have it processed by third parties, or process it jointly with third parties. Such third parties may include specialized providers whose services we use.
In the course of our activities and operations, we may disclose personal data in particular to banks and other financial service providers, authorities, educational and research institutions, consultants and lawyers, interest groups, IT service providers, cooperation partners, credit and rating agencies, logistics and shipping companies, marketing and advertising agencies, media, parent, sister, and subsidiary companies, organizations and associations, social institutions, telecommunications companies, insurance providers, and payment service providers.
6. Communication
We process personal data in order to communicate with individuals, as well as with authorities, organizations, and companies. In doing so, we process in particular data provided to us by the data subject when contacting us, for example by postal mail or email. We may store such data in an address book or comparable tools.
Third parties who transmit data to us about other individuals are obligated to independently ensure the data protection of those individuals. In particular, they must ensure that such data is correct and may be shared.
7. Applications
We process personal data of applicants to the extent necessary for assessing suitability for employment or for the subsequent execution of an employment contract. The required personal data results in particular from the requested information, for example as part of a job posting. We may publish job postings with the help of suitable third parties, such as in electronic and print media or on job portals and employment platforms.
We also process the personal data voluntarily provided or published by applicants, especially as part of cover letters, CVs, and other application documents, as well as online profiles.
We process personal data of applicants – if and to the extent the General Data Protection Regulation (GDPR) is applicable – in particular in accordance with Art. 9(2)(b) GDPR.
We use selected services from suitable third parties to publish job offers through e-recruiting and to enable and manage applications.
8. Data Security
We take appropriate technical and organizational measures to ensure data security appropriate to the respective risk. Our measures particularly ensure the confidentiality, availability, traceability, and integrity of the processed personal data – although we cannot guarantee absolute data security.
Access to our website and other digital presence is secured via transport encryption (SSL / TLS, in particular using Hypertext Transfer Protocol Secure, abbreviated HTTPS). Most browsers warn users before visiting a website without transport encryption.
Our digital communication is – as fundamentally all digital communication – subject to mass surveillance without cause and suspicion by security authorities in Switzerland, other parts of Europe, the United States of America (USA), and other countries. We have no direct influence on the corresponding processing of personal data by intelligence services, police forces, and other security authorities. We also cannot rule out that a data subject may be specifically targeted for surveillance.
9. Personal Data Abroad
As a general rule, we process personal data in Switzerland and in the European Economic Area (EEA). However, we may also export or transmit personal data to other countries, particularly to process it or have it processed there.
We may export personal data to all countries on Earth and elsewhere in the universe, provided that the local legislation, according to the decision of the Swiss Federal Council and – if and insofar as the General Data Protection Regulation (GDPR) applies – also according to the decision of the European Commission, ensures adequate data protection.
We may transmit personal data to countries whose laws do not ensure adequate data protection if protection is guaranteed on other grounds, particularly based on standard data protection clauses or other suitable safeguards. Exceptionally, we may export personal data to countries without adequate or appropriate data protection if the specific legal requirements for data protection are fulfilled – for example, the explicit consent of the data subject or a direct connection with the conclusion or performance of a contract. We are happy to provide affected individuals with information about such safeguards or provide a copy upon request.
10. Rights of Data Subjects
10.1 Data Protection Rights
We grant data subjects all rights under applicable law. In particular, data subjects have the following rights:
- Access: Data subjects can request confirmation as to whether we process personal data about them and, if so, which data. They also receive the information necessary to assert their data protection rights and ensure transparency. This includes the personal data itself and, among other things, the purpose of processing, retention period, any disclosure or export to other countries, and the origin of the data.
- Rectification and Restriction: Data subjects can request correction of incorrect personal data, completion of incomplete data, and restriction of data processing.
- Right to Explanation and Human Review: Data subjects can explain their own point of view and request a human review in case of decisions based solely on automated processing that have legal effects or significantly affect them (automated individual decisions).
- Erasure and Objection: Data subjects may request deletion of their personal data (“right to be forgotten”) and object to its future processing.
- Data Portability: Data subjects may request the handover or transfer of their data to another controller.
We may defer, restrict, or refuse the exercise of data subject rights within the legally permitted framework. We may also point out any requirements that must be met. For example, we may refuse access on the grounds of confidentiality obligations, overriding interests, or the protection of others. Likewise, we may refuse deletion with reference to statutory retention obligations.
We may exceptionally charge a fee for exercising rights. We inform data subjects in advance of any applicable costs.
We are obligated to adequately identify data subjects who request information or assert other rights. Data subjects are required to cooperate accordingly.
10.2 Legal Remedies
Data subjects have the right to enforce their data protection rights through legal action or to file a complaint with a data protection supervisory authority.
The data protection supervisory authority for private controllers and federal bodies in Switzerland is the Federal Data Protection and Information Commissioner (FDPIC).
European data protection supervisory authorities are organized as members of the European Data Protection Board (EDPB). In some EEA member states, the supervisory authorities are structured federally, particularly in Germany.
11. Use of the Website
11.1 Cookies
We may use cookies. Cookies – both our own (first-party cookies) and those of third parties whose services we use (third-party cookies) – are data stored in the browser. These data do not necessarily have to be traditional text-based cookies.
Cookies can be stored in the browser temporarily as "session cookies" or for a specified period as "persistent cookies." Session cookies are automatically deleted when the browser is closed. Persistent cookies have a defined expiration period. Cookies enable us, for example, to recognize a browser on a return visit to measure the reach of our website. Persistent cookies may also be used for online marketing purposes.
Cookies can be deactivated, restricted, or deleted at any time via the browser settings. Browsers often also allow for automated deletion and other cookie management. Without cookies, our website may not function fully. Where legally required, we actively seek explicit consent for the use of cookies.
For cookies used for performance and reach measurement or advertising, many services offer a general opt-out via the AdChoices (Digital Advertising Alliance of Canada), the Network Advertising Initiative (NAI), YourAdChoices (Digital Advertising Alliance), or Your Online Choices (European Interactive Digital Advertising Alliance, EDAA).
11.2 Logging
We may log the following data for each access to our website and other digital presence, provided such data is transmitted to our digital infrastructure: date and time including time zone, IP address, access status (HTTP status code), operating system including interface and version, browser including language and version, specific subpage accessed including amount of data transferred, previously visited website (referrer).
We log this data – which may include personal data – in log files. This information is necessary to provide our digital presence in a sustainable, user-friendly, and reliable manner. It is also required to ensure data security – also by or with third parties.
11.3 Tracking Pixels
We may include tracking pixels in our digital presence. Tracking pixels – also known as web beacons – are typically small, invisible images or JavaScript-based scripts that are automatically loaded when accessing our digital presence. Tracking pixels – also from third-party providers – can collect at least the same data as logging in log files.
12. Notifications and Messages
12.1 Performance and Reach Measurement
Notifications and messages may contain web links or tracking pixels that record whether a specific message has been opened and which web links have been clicked. Such web links and tracking pixels can also record the use of notifications and messages on a personal basis. We require this statistical recording of usage for performance and reach measurement, so we can send notifications and messages effectively, user-friendly, as well as in a secure and reliable way, based on the needs and reading habits of recipients.
12.2 Consent and Objection
As a general rule, you must consent to the use of your email address and other contact details, unless the use is legally permitted for other reasons. To obtain double-confirmed consent, we may use the "double opt-in" procedure. In such cases, you will receive a message with instructions for the second confirmation. We may log the consents obtained, including the IP address and timestamp, for evidentiary and security purposes.
You may generally object at any time to receiving notifications and messages such as newsletters. With such an objection, you can also object to the statistical recording of usage for performance and reach measurement. Required notifications and messages related to our activities and operations remain reserved.
12.3 Service Providers for Notifications and Messages
We send notifications and messages with the help of specialized service providers.
We specifically use:
- Brevo: Building and maintaining relationships with customers and users, particularly via email and instant messaging; Provider: Sendinblue GmbH (Germany); Data protection information: Privacy Policy, “Data Privacy and Security”, “Security and Data Protection”.
13. Social Media
We maintain a presence on social media platforms and other online platforms in order to communicate with interested individuals and to inform about our activities and operations. In connection with such platforms, personal data may also be processed outside Switzerland and the European Economic Area (EEA).
The terms and conditions (T&Cs), terms of use, privacy policies, and other provisions of the individual platform operators also apply. These provisions in particular inform about the rights of data subjects directly vis-à-vis the respective platform, such as the right to access.
For our Facebook presence, including so-called Page Insights, we are – if and insofar as the General Data Protection Regulation (GDPR) is applicable – jointly responsible with Meta Platforms Ireland Limited (Ireland). Meta Platforms Ireland Limited is part of the Meta companies (including in the USA). Page Insights provide information about how visitors interact with our Facebook presence. We use Page Insights to make our Facebook presence effective and user-friendly.
Further information on the type, scope, and purpose of data processing, data subject rights, and contact details of Facebook and its data protection officer can be found in the Facebook Privacy Policy. We have entered into the so-called "Controller Addendum" with Facebook, in which we have agreed that Facebook is responsible for ensuring the rights of data subjects. For Page Insights, corresponding information can be found on the “Page Insights Information” page, including the “Information about Page Insights Data”.
14. Third-Party Services
We use services from specialized third parties to ensure that we can conduct our activities and operations in a sustainable, user-friendly, secure, and reliable manner. Such services allow us, for example, to embed functions and content into our website. For technical reasons, these services at least temporarily capture users’ IP addresses.
For necessary security-related, statistical, and technical purposes, third parties whose services we use may process data in connection with our activities and operations in aggregated, anonymized, or pseudonymized form. This may include performance or usage data required to provide the respective service.
We specifically use:
- Google Services: Providers: Google LLC (USA) / Google Ireland Limited (Ireland) for users in the EEA and Switzerland; General information on data protection: “Privacy and Security Principles”, “More about how Google uses personal data”, Privacy Policy, “Google’s Commitment to Data Protection Laws”, “Product Privacy Guide”, “How we use data from sites or apps that use our services”, Cookie Policy, “Ads you can influence” (Ad personalization settings).
14.1 Digital Infrastructure
We use services from specialized third parties to obtain the necessary digital infrastructure in connection with our activities and operations. This includes, for example, hosting and storage services from selected providers.
We specifically use:
- Cyon: Hosting; Provider: cyon GmbH (Switzerland); Data protection information: "Privacy", Privacy Policy.
14.2 Map Services
We use third-party services to embed maps into our website.
We specifically use:
- Google Maps including Google Maps Platform: Map service; Provider: Google; Google Maps-specific information: “How Google uses location information”.
14.3 Digital Content
We use services from specialized third parties to embed digital content into our website. Digital content includes images and videos, music, and podcasts.
We specifically use:
- Vimeo: Video platform; Provider: Vimeo Inc. (USA); Data protection information: Privacy Policy, “Private Video Hosting”.
- YouTube: Video platform; Provider: Google; YouTube-specific information: “Privacy and Safety Center”, “Your Data on YouTube”.
14.4 Fonts
We use third-party services to embed selected fonts as well as icons, logos, and symbols into our website.
We specifically use:
- Google Fonts: Fonts; Provider: Google; Google Fonts-specific information: “Your Privacy and Google Fonts”, “Privacy and Data Collection” (Google Fonts).
14.5 E-Commerce
We operate e-commerce and use third-party services to successfully offer services, content, or goods.
We specifically use:
- Holidu Smart Destination: Booking platform; Provider: Holidu GmbH (Germany); Data protection information: Privacy Policy.
14.6 Payments
We use specialized service providers to process payments securely and reliably. The legal texts of the individual providers, such as general terms and conditions (GTC) or privacy policies, also apply to payment processing.
We specifically use:
- PostFinance: Payment processing; Provider: PostFinance AG (Switzerland); Data protection information: "Legal information and accessibility", "Privacy" (including privacy policies).
- TWINT: Payment processing in Switzerland; Provider: TWINT AG (Switzerland); Data protection information: Privacy Policy, "Security based on Swiss standards".
- Worldline: Payment processing, particularly with mobile payment solutions; Providers: Worldline SA (France), Worldline Schweiz AG (Switzerland), and other Worldline companies worldwide (including in the USA); Data protection information: Privacy Policy, "Responsible Disclosure Program", Cookie Policy.
14.7 Advertising
We use the option to display advertising via third parties, such as social media platforms and search engines, to promote our activities and operations.
With such advertising, we aim in particular to reach individuals who are already interested in or may be interested in our activities and operations (remarketing and targeting). To that end, we may transmit appropriate – potentially also personal – data to third parties that enable such advertising. We may also determine whether our advertising is successful, i.e., whether it leads to visits to our website (conversion tracking).
Third parties with whom we advertise and where you are registered as a user may potentially associate your use of our website with your profile there.
We specifically use:
- Google Ads: Search engine advertising; Provider: Google; Google Ads-specific information: Advertising based on search queries, using various domains – especially doubleclick.net, googleadservices.com, and googlesyndication.com – for Google Ads; Advertising Privacy Policy, "Manage the ads you see directly from ads".
15. Performance and Reach Measurement
We aim to measure the success and reach of our activities and operations. In this context, we may also measure the effect of third-party references or analyze how different parts or versions of our digital presence are used ("A/B testing" method). Based on the results of performance and reach measurement, we may fix errors, reinforce popular content, or make improvements.
In most cases, IP addresses of individual users are collected for performance and reach measurement. These IP addresses are generally truncated ("IP masking") to comply with data minimization principles through appropriate pseudonymization.
Cookies may be used for performance and reach measurement, and user profiles may be created. Any user profiles created may include, for example, the specific pages visited or content viewed on our digital presence, screen or browser window size, and the – at least approximate – location. As a general rule, any user profiles are created exclusively in pseudonymized form and are not used to identify individual users. Some third-party services with which users are registered may associate usage of our online offering with the respective account or profile on their platform.
We specifically use:
- Google Marketing Platform: Performance and reach measurement, in particular with Google Analytics; Provider: Google; Google Marketing Platform-specific information: measurement across browsers and devices (cross-device tracking) using pseudonymized IP addresses, which are only exceptionally fully transmitted to Google in the USA; Google Analytics Privacy Policy, "Browser Add-on to deactivate Google Analytics".
- Google Tag Manager: Integration and management of Google and third-party services, especially for performance and reach measurement; Provider: Google; Google Tag Manager-specific information: Google Tag Manager Privacy Policy; further data protection information is provided in the individual integrated and managed services.
16. Final Notes on this Privacy Policy
We created this privacy policy using the Privacy Policy Generator from Datenschutzpartner.
We may update this privacy policy at any time. We inform about updates in an appropriate manner, in particular by publishing the current version of the privacy policy on our website. The present privacy policy is an unofficial translation from the original German version.