Legal Disclaimer
H. Kracht’s Erben AG operates the Hotel Baur au Lac and wine retailer Baur au Lac Vins. It is the operator of the websites
bauraulac.ch I marguita.com I baurs-zurich.ch | bauraulacvins.ch
and therefore responsible for the collection, processing and use of your personal data and ensuring compliance of data processing with applicable data privacy regulations.
Your trust is important to us, and for that reason we take the issue of data protection seriously and ensure we have the appropriate security in place. Of course, we comply with the statutory provisions of the Federal Data Protection Act (DSG), the Regulation on the Federal Data Protection Act (VDSG), the Telecommunications Act (FMG) and other applicable data protection provisions under Swiss or EU law, in particular the General Data Protection Regulation (GDPR).
So that you are aware of what personal data we collect from you and what we use these data for, please note the information below.
1. Responsibility for data protection
The following is responsible for data processing on our website:
H. Kracht’s Erben AG
Talstrasse 1
8001 Zürich
Switzerland
Email: datenschutz@hkeag.ch
The address of our data protection representative in the EU is:
MLL EU-GDPR GmbH
Ganghoferstrasse 33
80339 München
Deutschland
Email: hkrachtserben@mll-gdpr.com
2. Technical partner
For the operation and maintenance of our website and to ensure we are able to provide the contractual services we offer there, we work with our technical partner as follows:
MySign AG
Neuhardstrasse 38
CH-4600 Olten
Website: www.mysign.ch
Email: info@mysign.ch
A. Data processing in connection with our website
3. Accessing our website
When you visit our website, our servers temporarily store every access in a log file. The following technical data are collected and stored without any action on your part, as is the case with every connection to a web server:
- the IP address of the computer making the request
- the name of the owner of the IP address range (usually your Internet access provider)
- the date and time of access
- the website from which access was made (Referrer URL), with the search term used if applicable
- the name and URL of the file accessed
- the status code (e.g. error message)
- your computer’s operating system
- the browser you are using (type, version and language)
- the transmission protocol used (e.g. HTTP/1.1) and
- if applicable, your username from any registration / authentication.
After 30 days we automatically anonymise the IP addresses collected, so that no conclusions can be drawn regarding individual users.
These data are collected and processed for the purpose of enabling the use of our website (establishing a connection), ensuring long-term system security and stability and to help us optimise our Internet offering, and for internal statistical purposes. This is our legitimate interest in the processing of data within the meaning of Art. 6 para. 1 lit. f GDPR.
The IP address is also evaluated together with the other data for the purpose of gathering information and initiating defence in the event of attacks on the network infrastructure or other unauthorised or improper use of the website, and if necessary will be used in criminal proceedings for identification and in civil and criminal proceedings against the users concerned. This is our legitimate interest in the processing of data within the meaning of Art. 6 para. 1 lit. f GDPR.
4. Using our contact form
You have the option of using a contact form to get in touch with us. For this, we need the following information:
- Name and surname
- Email address
- Message
We use these data, and any telephone number which you voluntarily provide, only to give you the most effective and as personalised a response as possible to your query. The processing of these data is therefore necessary within the meaning of Art. 6 para. 1 lit. b GDPR for the implementation of pre-contractual measures, or is in our legitimate interests under Art. 6 para. 1 lit. f GDPR.
5. Subscribing to our newsletter
You can subscribe to our newsletter on our website. You will need to register to do this. As part of the registration process, the following data must be provided:
- Email address
The above data are required for data processing. You can also choose to provide additional details (first name, surname, address). We process these data solely for the purpose of telling you about our products and services, and to personalise the information and offers we send you and better match them to your interests.
By registering, you consent to our processing of the data you provide to enable us to regularly send the newsletter to the address specified by you, and for the statistical evaluation of user behaviour and to optimise our newsletter. Within the meaning of Art. 6 para. 1 lit. a GDPR, this consent constitutes our legal basis for the processing of your email address. We are entitled to commission third parties to handle the technical aspects of advertising measures and are entitled to pass on your data for this purpose (see 22 below).
At the end of each newsletter you will find a link where you can unsubscribe at any time. When unsubscribing, you may choose to tell us the reason why you are unsubscribing. Once you have unsubscribed, your personal data will be deleted. Any further processing of these data will be solely in anonymised form for the optimisation of our newsletter.
6. Room booking on the website, by correspondence or by telephone
If you make bookings either via our website, by correspondence (email or letter) or over the telephone, we will require the following information in order to process your booking:
- Title
- Name and surname
- Postal address
- Date of birth
- Telephone number
- Language
- Credit card information
- Email address
We will use these data and any other information voluntarily provided by you (e.g. expected time of arrival, vehicle number plate, preferences, comments) only to process your booking, unless otherwise stated in this data privacy policy or if you have not specifically consented to such use. We will process the data under your name in order to record your booking as requested, to provide the services booked, to contact you in the event of any queries or problems, and to ensure correct payment.
The legal basis for the processing of data for this purpose is the performance of a contract pursuant to Art. 6 para. 1 lit. b GDPR.
7. Booking a room or making contact via chat function
On our website, there is the option of booking a room online, or contacting the reservations department via Live Chat. The software for the Chat function, and the booking platform software, are provided by selected third-party providers. Different data will be collected depending on the service you choose (see 4 and 6).
8. Cookies
Cookies help in many ways to make your visit to our website more straightforward, more enjoyable and more effective. Cookies are information files that your web browser automatically saves to your computer’s hard drive when you visit our website. We use cookies, for example, to temporarily store your chosen services and inputs when you fill out a form on our website, so that you don’t need to re-enter that information when accessing a sub-page. Cookies may also be used to enable our system to identify you as a registered user after you have registered on the website, so you don’t need to log in again when accessing another sub-page.
Most internet browsers accept cookies automatically. However, you can configure your browser so that no cookies are placed on your computer or you are notified whenever you receive a new cookie. On the following pages you will find explanations on how to configure the processing of cookies in the most commonly used browsers:
- Microsoft Windows Internet Explorer
- Microsoft Windows Internet Explorer Mobile
- Mozilla Firefox
- Google Chrome for Desktop
- Google Chrome for Mobile
- Apple Safari for Desktop
- Apple Safari for Mobile
Disabling cookies may mean that you cannot use all the features of our website.
9. Tracking tools
a) General
For the purpose of designing our website to meet our needs and those of our users, and for the ongoing optimisation of the website, we use the Google Analytics web analysis service. In this context, pseudonymised user profiles are created and small text files that are stored on your computer (‘cookies’) are used. The information generated by the cookie about your use of this website is transmitted to the servers of the providers of these services, stored there and processed for us. In addition to the data listed under 1 above, this may provide us with the following information:
- navigation path taken by a visitor to the site
- length of stay on the website or sub-page
- the sub-page on which the website is exited
- the country, region or city from which the site is accessed
- end device (type, version, colour depth, resolution, width and height of the browser window) and
- returning or new visitor.
The information is used to evaluate the use of the website, to compile reports on website activities and to provide other services associated with website and internet usage for the purpose of market research and tailoring the design of this website to suit our needs and those of users. This information may also be shared with third parties if required by law or if third parties are processing these data on our behalf.
b) Creation of pseudonymised user profiles
In order to provide you with personalised services and information on our website (on-site targeting), we use and analyse the data that we collect about you when you visit the website. So-called cookies may also be used when processing these data. The analysis of your user behaviour may result in the creation of a so-called user profile. Your usage data will only ever be consolidated using pseudonyms; we never do this with non-pseudonymised personal data.
c) Re-targeting
We use re-targeting technologies on our website. Your user behaviour on our website is analysed to enable partner websites to offer you advertising that is individually tailored to your preferences. Your user behaviour will be recorded under a pseudonym.
This website uses Google AdWords Remarketing, services provided by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (‘Google’), to display ads based on your use of previously visited websites. For this purpose, Google uses the so-called double-click cookie, which allows your browser to be recognised when you visit other websites. The information generated by the cookie about your visit to this website (including your IP address) is transmitted to a Google server in the United States and stored there.
Google will use this information for the purpose of evaluating your use of the website in terms of the advertisements to be displayed, to compile reports for the website operator on website activities and ads, and to perform other services associated with website and internet usage. Google may also share this information with third parties if required by law or if third parties are processing these data on Google’s behalf. However, Google will never associate your IP address with other Google data.
You can prevent re-targeting at any time by refusing or disabling the relevant cookies in the menu bar of your web browser. You can also visit the website of the Digital Advertising Alliance at
https://optout.aboutads.info/?c=2&lang=EN
and opt out of receiving the further advertising and re-targeting tools referred to.
d) Google Analytics
The Google Analytics service is provided by Google Inc., an undertaking of the holding company Alphabet Inc, based in the United States. The IP address communicated by your browser within the scope of Google Analytics will be anonymized and will not be associated with any other data held by Google. According to Google Inc., under no circumstances will the IP address be associated with other data relating to the user.
For further information about the web analysis service used, visit the Google Analytics website. For instructions on how to prevent your data being processed by the web analysis service, see http://tools.google.com/dlpage/gaoptout?hl=de.
10. Email traffic
Based on Art. 957 et seq. of the Swiss Code of Obligations (OR), all business correspondence sent by email is archived for 10 years in encrypted form. The archived emails are automatically deleted after 10 years. The email data are stored in Switzerland.
B. Data processing in connection with your stay
11. Data processing to comply with legal reporting obligations
Upon arrival at our hotel, we may require the following information from you and anyone accompanying you:
- Name and surname
- Postal address and canton
- Date of birth
- Place of birth
- Nationality
- Official identification document and number
- Arrival and departure dates
- Room number
We collect this information in order to comply with legal reporting obligations, which arise in particular from legislation relating to the hospitality industry and police. Insofar as we are required to do so under the applicable provisions, we will pass on this information to the relevant police authority.
Complying with the legal requirements is in our legitimate interests within the meaning of Art. 6 para. 1 lit. f GDPR.
12. Records of services purchased
If you purchase additional services during your stay (e.g. restaurant visits, using the mini-bar or the pay TV offer, etc.), we will keep a record of the purchased item or service and the time of purchase, for billing purposes. The processing of these data is necessary within the meaning of Art. 6(1)(b) GDPR for the performance of our contract with you.
13. Restaurant reservations
Restaurant reservations can be taken online on the websites
- aupavillon.ch and
- baurs-zurich.ch
. The following data are collected and processed for this purpose:
- Surname and first name
- Email address
- Telephone number
We will use these data and any other information voluntarily provided by you (‘Add comment’ function) only to perform our contract with you, unless otherwise stated in this data privacy policy or if you have not specifically consented to such use. We will process the data under your name in order to record your booking as requested, to provide the services booked, to contact you in the event of any queries or problems, and to ensure correct payment.
The legal basis for the processing of data for this purpose is the performance of a contract pursuant to Art. 6 para. 1 lit. b GDPR.
14. Purchase of event tickets and gift vouchers
Customers are able to purchase and pay for event tickets and gift vouchers via the website. The following data are collected and processed for this purpose:
- Surname and first name
- Address, country
- Email address
- Telephone number
- Credit card number (via Datatrans, see 16 below)
We will use these data and any other information voluntarily provided by you (‘Add comment’ function) only to perform our contract with you, unless otherwise stated in this data privacy policy or if you have not specifically consented to such use. We will process the data under your name in order to record your booking as requested, to provide the services booked, to contact you in the event of any queries or problems, and to ensure correct payment.
The legal basis for the processing of data for this purpose is the performance of a contract pursuant to Art. 6 para. 1 lit. b GDPR.
C. Usage of social media
15. Facebook plug-ins (Like & Share button)
Our website integrates Facebook plug-ins. The provider is Facebook Inc., 1 Hacker Way, Menlo Park, California 94025, USA. You’ll recognise these plug-ins by the Facebook logo or the ‘Like’ button on our website. You’ll find a summary of the Facebook plug-ins at https://developers.facebook.com/docs/plugins/.
When you visit our website, the plug-in establishes a direct connection between your browser and the Facebook server. This link lets Facebook know that you have visited our website from your IP address. If you click on the Facebook ‘Like’ button while logged in to your Facebook account, you can link the content of our pages to your Facebook profile. This allows Facebook to link the visit to our website to your user account. H. Kracht's Erben AG has no knowledge of the content of the transmitted data or how Facebook uses those data.
For further information, please see Facebook’s data privacy policy at
https://de-de.facebook.com/privacy/policy.
If you do not want Facebook to be able to link the visit to our website to your Facebook user account, please log out of your Facebook user account.
16. Twitter plug-in
Our website integrates Twitter plug-ins. The provider is Twitter Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA. By using Twitter and the ‘Retweet’ function, your visit to our website will be linked to your Twitter account and shared with other users. Data will also be transmitted to Twitter. H. Kracht's Erben AG has no knowledge of the content of the transmitted data or how Twitter uses those data. You can change your privacy settings on Twitter in the account settings at
https://twitter.com/account/settings
. For further information, please see Twitter’s data privacy policy at
https://twitter.com/en/privacy.
17. Instagram plug-in
Our website integrates Instagram plug-ins. The provider is Instagram Inc., 1601 Willow Road, Menlo Park, CA 94025, USA. If you are logged in to your Instagram account, you can link the content of our pages to your Instagram profile by clicking on the Instagram button. This allows Instagram to link the visit to our website to your user account. H. Kracht's Erben AG has no knowledge of the content of the transmitted data or how Instagram uses those data.
For further information, please see Instagram’s data privacy policy at
https://privacycenter.instagram.com/policy/.
18. YouTube plug-in
Our website integrates YouTube plug-ins. The provider is YouTube LLC, 901 Cherry Ave., San Bruno, CA 94066, USA. The YouTube plug-in establishes a connection to the YouTube servers. This tells the YouTube server which of our pages you have visited.
If you are logged in to your YouTube account, YouTube can link your surfing behaviour directly to your personal profile. You can prevent this by logging out of your YouTube user account.
For further information, please see YouTube’s data privacy policy at
https://policies.google.com/privacy.
D. Storage and exchange of data with third parties
19. Booking platforms
If you make bookings via a third-party platform, we will receive various personal information from the relevant platform operator. This is usually the data listed under 4 of this data privacy policy. In addition, queries about your booking may be forwarded to us. We will process these data under your name in order to record your booking as requested and to provide the services booked. The legal basis for the processing of data for this purpose is the performance of a contract pursuant to Art. 6 para. 1 lit. b GDPR.
Finally, we may be notified by the platform operators of any disputes in relation to a booking. This may sometimes involve data on the booking process, which could also include a copy of the booking confirmation as proof of the actual booking being made. We process these data for the purpose of safeguarding and asserting our claims. This is our legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR.
Please also read the privacy policy of the relevant provider.
20. Centralised storage and linking of data
We store the data indicated in paragraphs 2-5 and 9-10 in a central electronic data processing system. The data relating to you are systematically recorded and linked for the processing of your bookings and performance of the contractual services. For this we use a software package provided by the firm ‘protel hotelsoftware gmbh’ based in Dortmund, DE 44269. Personal data collected within the scope of a CRM programme are processed using software provided by the firm ‘Toedt, Dr. Selk & Coll. GmbH’ based in Munich, DE 80333. The processing of these data in the context of the software is based on our legitimate interest, within the meaning of Art. 6 para. 1 lit. f GDPR, in a customer-friendly and efficient management of customer data.
21. Retention period
We store personal data only for as long as is necessary to use the tracking services referred to above and for any further processing within the scope of our legitimate interest. We retain contract information for a longer period, as this is required by statutory retention requirements. Retention requirements which obligate us to store data arise out of regulations covering legislation on reporting, financial accounting and taxation. Pursuant to those regulations, business communications, accounting records and any contracts concluded must be kept for up to 10 years. Unless we still need these data in order to provide the services for you, the data will be made inaccessible. This means that the data may then be used only for accounting and tax purposes.
22. Disclosure of data to third parties
We only pass on your personal data if you have expressly consented to our doing so, there is a legal requirement for us to do so, or this is necessary to enable us to assert our rights, particularly for the assertion of claims arising from the contractual relationship. In addition, we pass on your data to third parties if this is necessary within the context of using the website and performing the contract (including outside the website), especially for processing your booking.
One service provider to whom the personal data collected via the website are disclosed, or who has or may have access to those data, is our webhoster, aspectra AG, Weberstrasse 4, CH-8004 Zürich. The website is hosted on servers in Switzerland. The transfer of the data is for the purpose of providing and maintaining the functionalities of our website. This is our legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR.
Room reservation system
Personal data for room bookings on the website are collected and processed by SABRE, a sub-contractor of ‘The Leading Hotels of the World’.
Ultimately, when you pay by credit card on the website we pass on your credit card information to your credit card issuer and to the credit card acquirer. If you opt to pay by credit card, you will be asked to enter all the required information. The legal basis for passing on the data is the performance of a contract pursuant to Art. 6 para. 1 lit. b GDPR. With regard to the processing of your credit card information by these third parties, please also read the general terms and conditions, and the data privacy policy, of your credit card issuer.
- The Leading Hotels of the World, New York NY, USA – lhw.com
- Sabre Southlake TX USA - sabrehospitality.com
Guest surveys
Our guests have the opportunity to give us feedback on our services and their experience with us. This serves to further develop and improve the service we provide to our guests. For this purpose, email addresses are transmitted to the firm ‘Medallia Ltd.’ in Palo Alto, California, USA.
- Medallia, Palo Alto CA, USA - medallia.com
Regarding the forwarding of data to third parties, please also note the information in paragraphs 7, 9 and 13-14.
Restaurant reservations
Personal data for restaurant reservations on the website are collected and processed by ‘book-a-table’.
- Book-a-table, DE-20459 Hamburg – bookatable.com
Event tickets / gift vouchers
Personal data for [purchasing event tickets and gift vouchers] on the website are collected and processed using ‘E-Guma’.
- Idea Creation GmbH, Zurich, CH – e-guma.ch
Credit card payments
If credit card information is collected and processed when making bookings via this website, this is done by the company ‘Datatrans’.
- Datatrans AG, Zurich CH
23. Transfer of personal data abroad
We are also entitled, for the purposes of the data processing described in this data privacy policy, to transfer your personal data to third parties (contracted service providers) abroad. These third parties are bound by the same data privacy obligations as we ourselves are. If the level of data protection in a particular country does not correspond to that of Switzerland or the European Union, we will ensure by contractual means that the protection of your personal data is equivalent to that in Switzerland or in the EU at all times. Please see 16 above.
E. Further information
24. Right of access, rectification, erasure and restriction of processing; right to data portability
You have the right to receive, on request, information about the personal data which we hold on you. In addition, you have the right to rectify incorrect data and the right to erasure of your personal data, provided this is not preluded by any statutory retention requirement or a legal permission authorising us to process the data.
You also have the right to reclaim from us any data you have given us (right to data portability). You have the right to receive the data in a common file format.
Requests to exercise the rights of data subjects are accepted via the websites (data privacy contact). To process your requests, we require a proof of identify of the person making the request.
25. Data security
We use appropriate technical and organisational security measures to safeguard your personal data held by us against tampering, partial or complete loss and against unauthorised access by third parties. Our security measures are subject to continuous improvement in line with advances in technology.
You should always treat your access data as confidential and close the browser window once you have finished communicating with us, particularly if you are using a shared computer.
We also take data privacy within our own company very seriously. Our employees and the service companies contracted by us have been obligated by us to maintain secrecy and to comply with data privacy regulations.
26. Note on data transmission to the USA
In the interests of completeness, we would point out to users residing in or having their registered office in Switzerland that in the United States surveillance measures by the US authorities are in place which generally allow the storage of all personal data of any individual whose data are sent from Switzerland to the US. This is done without differentiation, restriction or exception on the basis of the objective pursued and without any objective criteria that would restrict access to the data and its subsequent use by the US authorities to very specific and limited purposes that would justify the intervention associated with access to and use of these data. We also wish to point out that no legal remedies are available in the United States for data subjects from Switzerland allowing them to access their data or request that it be rectified or erased, and that no effective legal protection against the general access rights of the US authorities exists. We are explicitly bringing this legal and factual situation to the attention of data subjects, to enable them to make a properly informed decision on giving their consent to the use of their data.
For users residing in an EU Member State, please note that in the view of the European Union – inter alia for the reasons given in this section – the United States does not have an adequate level of data protection. With regard to US-based recipients of data (such as Google) referred to in this data privacy policy, we ensure, either by means of contractual arrangements with those companies or by ensuring that they are certified under the EU or Swiss-US Privacy Shield, that your data are adequately protected while in the custody of our partners.
27. Right to object to a data protection supervisory authority
You have the right at any time to lodge an objection with a data protection supervisory authority.
24 May 2018
Contact details Data Protection Officer:
Mr. Torsten Magewski
E-Mail: datenschutz@hkeag.ch