Privacy Policy

With this privacy policy, we provide information about the processing of personal data in connection with our activities and operations, including our website under the domain name marina-walensee.ch. In particular, we explain why, how and where we process which personal data. We also inform about the rights of individuals whose data we process.

For individual or additional activities and operations, we may publish further privacy policies or other privacy-related information.

We are subject to Swiss law and, where applicable, foreign law such as that of the European Union (EU), including the European General Data Protection Regulation (GDPR).

On 26 July 2000, the European Commission recognised that Swiss data protection law ensures an adequate level of data protection. On 15 January 2024, the European Commission reaffirmed this adequacy decision.

1. Contact Addresses

The party responsible in terms of data protection law is:

Marina Walensee AG
Gostenstrasse 20
8882 Unterterzen

reservation@marina-walensee.ch

In individual cases, third parties may be responsible for the processing of personal data, or there may be joint responsibility with third parties. We are happy to provide information about the respective responsibilities upon request from affected individuals.

1.1 Data Protection Officer or Consultant

We have appointed the following data protection officer or consultant as a point of contact for data subjects and authorities regarding inquiries related to data protection:

Duri Maissen
Marina Walensee AG
Gostenstrasse 20
8882 Unterterzen

gastgeber@marina-walensee.ch

1.2 Data Protection Representation in the European Economic Area (EEA)

We have appointed the following data protection representative pursuant to Art. 27 GDPR:

VGS Datenschutzpartner GmbH
Am Kaiserkai 69
20457 Hamburg
Germany

gastgeber@marina-walensee.ch

The data protection representation serves as an additional point of contact for data subjects and authorities in the European Union (EU) and the rest of the European Economic Area (EEA) regarding inquiries related to the GDPR.

2. Terms and Legal Bases

2.1 Terms

Data Subject: Natural person whose personal data we process.

Personal Data: Any information relating to an identified or identifiable natural person.

Particularly Sensitive Personal Data: Data concerning trade union, political, religious, or ideological views and activities; health data; intimate sphere or ethnic or racial affiliation; genetic data; biometric data uniquely identifying a natural person; data related to criminal and administrative sanctions or prosecutions; and data concerning measures of social assistance.

Processing: Any handling of personal data, regardless of the methods and procedures used, such as querying, comparing, adjusting, archiving, storing, reading, disclosing, obtaining, recording, collecting, deleting, revealing, arranging, organizing, saving, altering, distributing, linking, destroying, and using personal data.

European Economic Area (EEA): Member states of the European Union (EU) as well as the Principality of Liechtenstein, Iceland, and Norway.

2.2 Legal Bases

We process personal data in accordance with Swiss law, in particular the Federal Act on Data Protection (Data Protection Act, FADP) and the Ordinance on Data Protection (Data Protection Ordinance, DPO).

We process personal data – if and to the extent that the European General Data Protection Regulation (GDPR) is applicable – on the basis of at least one of the following legal grounds:

• Art. 6 para. 1 lit. b GDPR for the processing of personal data necessary to perform a contract with the data subject and to take steps prior to entering into a contract.
• Art. 6 para. 1 lit. f GDPR for the processing of personal data necessary for the purposes of legitimate interests – including those of third parties – except where such interests are overridden by the fundamental rights and freedoms of the data subject. Such interests include, in particular, the sustainable, user-friendly, secure, and reliable execution of our activities and operations, ensuring information security, protection against misuse, enforcement of legal claims, and compliance with Swiss law.
• Art. 6 para. 1 lit. c GDPR for the processing of personal data necessary to comply with a legal obligation under applicable law of EEA member states to which we are subject.
• Art. 6 para. 1 lit. e GDPR for the processing of personal data necessary for the performance of a task carried out in the public interest.
• Art. 6 para. 1 lit. a GDPR for the processing of personal data based on the data subject’s consent.
• Art. 6 para. 1 lit. d GDPR for the processing of personal data necessary to protect the vital interests of the data subject or another natural person.
• Art. 9 para. 2 ff. GDPR for the processing of special categories of personal data, in particular with the data subject’s consent.

The European General Data Protection Regulation (GDPR) refers to the processing of personal data as the processing of personal data, and the processing of particularly sensitive personal data as the processing of special categories of personal data (Art. 9 GDPR).

3. Nature, Scope, and Purpose of the Processing of Personal Data

We process the personal data that is necessary to sustainably, user-friendly, securely, and reliably carry out our activities and operations. The personal data processed may in particular fall into the categories of browser and device data, content data, communication data, metadata, usage data, master data including inventory and contact data, location data, transaction data, contract data, and payment data. Personal data may also include special categories of personal data.

We also process personal data that we receive from third parties, obtain from publicly accessible sources, or collect in the course of our activities and operations, insofar as such processing is legally permitted.

We process personal data, where necessary, with the consent of the data subjects. In many cases, we may process personal data without consent, for example to comply with legal obligations or to protect overriding interests. We may also request consent from data subjects even when it is not legally required.

We process personal data for the duration necessary for the respective purpose. We anonymize or delete personal data, in particular depending on legal retention and limitation periods.

4. Automation and Artificial Intelligence (AI)

We may process personal data automatically or use artificial intelligence to process personal data.

We may use profiling to automatically evaluate certain personal aspects relating to data subjects. Profiling may be used, for example, to analyze or predict interests, behaviors, or personal preferences.

We provide information on a case-by-case basis about decisions that are based solely on automated processing of personal data and that result in legal consequences for the affected individuals or significantly impact them (automated individual decisions).

5. Disclosure of Personal Data

We may disclose personal data to third parties, have it processed by third parties, or process it jointly with third parties. Such third parties are in particular specialized providers whose services we use.

We may disclose personal data, for example, to banks and other financial service providers, authorities, educational and research institutions, consultants and lawyers, interest groups, IT service providers, cooperation partners, credit and business information agencies, logistics and shipping companies, marketing and advertising agencies, media, organizations and associations, social institutions, telecommunications companies, insurance companies, and payment service providers.

6. Communication

We process personal data to communicate with individuals as well as with authorities, organizations, and companies. In doing so, we primarily process data provided to us by a data subject when making contact, for example by postal mail or email. We may store such data in an address book or with comparable tools.

Third parties who provide us with data about other individuals are obligated to ensure the data protection of those affected persons independently. In particular, they must ensure that such data is accurate and may be transmitted.

We use selected services from suitable providers to enable and improve communication with individuals and other communication partners. With such services, we may also manage and otherwise process the data of affected persons beyond direct communication.

In particular, we use:

• Mews: Property Management System (PMS) for hotels and other accommodations; provider: Mews Systems B.V. (Netherlands); Privacy information: Privacy Policy, “Data Privacy”.

7. Applications

We process personal data about applicants to the extent necessary to assess their suitability for employment or to later execute an employment contract. The required personal data is determined in particular by the requested information, such as in a job posting. We may publish job postings with the help of suitable third parties, for example in electronic and printed media or via job portals and platforms.

We also process any personal data that applicants voluntarily provide or publish, especially as part of cover letters, CVs, other application documents, and online profiles.

We process – if and to the extent the General Data Protection Regulation (GDPR) is applicable – personal data about applicants in particular pursuant to Art. 9 para. 2 lit. b GDPR.

8. Data Security

We take appropriate technical and organizational measures to ensure data security that is appropriate to the respective risk. With our measures, we particularly ensure the confidentiality, availability, traceability, and integrity of the personal data processed, although we cannot guarantee absolute data security.

Access to our website and other digital presence is protected by transport encryption (SSL / TLS, in particular via Hypertext Transfer Protocol Secure, abbreviated HTTPS). Most browsers warn before visiting a website without transport encryption.

Our digital communication is – as generally all digital communication – subject to mass surveillance without cause or suspicion by security authorities in Switzerland, the rest of Europe, the United States of America (USA), and other countries. We have no direct influence on the corresponding processing of personal data by intelligence agencies, police authorities, and other security services. Nor can we rule out the possibility that an affected individual may be specifically monitored.

9. Personal Data Abroad

We generally process personal data in Switzerland and in the European Economic Area (EEA). However, we may also export or transfer personal data to other countries, in particular to process it there or have it processed.

We may export personal data to all countries on Earth and elsewhere in the universe, provided that local law ensures adequate data protection in accordance with the decision of the Swiss Federal Council and – if and to the extent the GDPR is applicable – also according to the decision of the European Commission.

We may transfer personal data to countries whose laws do not ensure adequate data protection if protection is guaranteed by other means, especially on the basis of standard data protection clauses or other suitable safeguards. In exceptional cases, we may export personal data to countries without adequate or appropriate data protection if the special legal conditions under data protection law are met, such as the explicit consent of the data subjects or a direct connection with the conclusion or execution of a contract. Upon request, we are happy to provide information about any safeguards or provide a copy of them.

10. Rights of Data Subjects

10.1 Data Protection Rights

We grant all rights to data subjects in accordance with applicable law. In particular, data subjects have the following rights:

• Access: Data subjects may request confirmation of whether we process personal data about them, and if so, which personal data is involved. Data subjects also receive the information necessary to assert their data protection rights and ensure transparency. This includes the personal data processed, as well as details about the purpose of processing, the retention period, any disclosure or transfer to other countries, and the source of the personal data.
• Rectification and restriction: Data subjects may request the correction of inaccurate personal data, the completion of incomplete data, and the restriction of the processing of their data.
• Opportunity to present their own position and request human review: In the case of decisions based solely on automated processing of personal data that result in legal consequences or significantly affect them (automated individual decisions), data subjects may present their own position and request a human review.
• Erasure and objection: Data subjects may request the deletion of personal data (“right to be forgotten”) and object to future processing of their data.
• Data provision and portability: Data subjects may request the release of personal data or the transfer of their data to another controller.

We may postpone, restrict, or deny the exercise of data subject rights within the legally permissible scope. We may inform data subjects of any requirements that must be met in order to exercise their rights. For example, we may fully or partially deny access with reference to confidentiality obligations, overriding interests, or the protection of others. Likewise, we may refuse deletion of personal data, in whole or in part, particularly with reference to statutory retention obligations.

We may exceptionally charge fees for the exercise of rights. If so, we inform the data subjects in advance.

We are obligated to identify data subjects who request information or assert other rights using appropriate measures. Data subjects are required to cooperate in this process.

10.2 Legal Remedies

Data subjects have the right to enforce their data protection rights through legal action or to file a report or complaint with a data protection supervisory authority.

The data protection supervisory authority for private controllers and federal bodies in Switzerland is the Federal Data Protection and Information Commissioner (FDPIC).

European data protection supervisory authorities are organized as members of the European Data Protection Board (EDPB). In some EEA member states, supervisory authorities are federally structured, particularly in Germany.

11. Use of the Website

11.1 Cookies

We may use cookies. Cookies – including our own (first-party cookies) and those from third parties whose services we use (third-party cookies) – are data stored in the browser. Such stored data is not necessarily limited to traditional text-based cookies.

Cookies may be stored temporarily in the browser as “session cookies” or for a specific period as so-called permanent cookies. Session cookies are automatically deleted when the browser is closed. Permanent cookies have a defined expiration period. Cookies enable us, in particular, to recognize a browser on a return visit and, for example, to measure the reach of our website. Permanent cookies may also be used for online marketing.

Cookies can be disabled, restricted, or deleted at any time in browser settings. Browser settings often also allow automated deletion and other management of cookies. Without cookies, our website may no longer be fully functional. We request – at least to the extent required by applicable law – the explicit consent to the use of cookies.

For cookies used in success and reach measurement or for advertising purposes, many services offer a general opt-out via AdChoices (Digital Advertising Alliance of Canada), the Network Advertising Initiative (NAI), YourAdChoices (Digital Advertising Alliance), or Your Online Choices (European Interactive Digital Advertising Alliance, EDAA).

11.2 Logging

For each access to our website and other digital presence, we may log at least the following information, provided it is transmitted to our digital infrastructure during such access: date and time including time zone, IP address, access status (HTTP status code), operating system including user interface and version, browser including language and version, accessed subpage of our website including data volume transferred, last webpage accessed in the same browser window (referrer).

We log such information, which may include personal data, in log files. This data is necessary to permanently, user-friendly, and reliably provide our digital presence. It is also necessary to ensure data security – including through third parties or with the help of third parties.

11.3 Tracking Pixels

We may embed tracking pixels into our digital presence. Tracking pixels, also known as web beacons, are typically small, invisible images or JavaScript scripts that are automatically loaded when our digital presence is accessed – including those from third parties whose services we use. Tracking pixels can collect at least the same information as is captured during logging in log files.

12. Notifications and Messages

12.1 Success and Reach Measurement

Notifications and messages may contain web links or tracking pixels that detect whether an individual message has been opened and which web links have been clicked. Such web links and tracking pixels may also record the use of notifications and messages on a personal basis. We require this statistical tracking to measure success and reach, in order to send notifications and messages effectively and in a user-friendly, secure, and reliable manner – based on the needs and reading habits of the recipients.

12.2 Consent and Objection

You generally must consent to the use of your email address and other contact details unless usage is permitted for other legal reasons. We may use the “double opt-in” procedure to obtain confirmed consent. In this case, you will receive a message with instructions for confirmation. We may log collected consents, including IP address and timestamp, for evidence and security purposes.

You can generally object at any time to receiving notifications and messages such as newsletters. By doing so, you may also object to the statistical tracking of usage for success and reach measurement. Required notifications and messages related to our activities and operations remain reserved.

12.3 Service Providers for Notifications and Messages

We send notifications and messages with the help of specialized service providers.

13. Social Media

We are present on social media platforms and other online platforms to communicate with interested persons and to inform them about our activities and operations. In connection with such platforms, personal data may also be processed outside Switzerland and the European Economic Area (EEA).

The general terms and conditions (GTC), terms of use, privacy policies, and other provisions of the respective platform operators also apply. These provisions, in particular, inform data subjects about their rights directly against the respective platform, including, for example, the right of access.

For our social media presence on Facebook, including so-called Page Insights, we are – if and to the extent the General Data Protection Regulation (GDPR) is applicable – jointly responsible with Meta Platforms Ireland Limited (Ireland). Meta Platforms Ireland Limited is part of the Meta companies (including in the USA). Page Insights provide information about how visitors interact with our Facebook presence. We use Page Insights to provide our social media presence on Facebook effectively and in a user-friendly manner.

Further information on the nature, scope, and purpose of data processing, data subject rights, as well as the contact details of Facebook and Facebook’s data protection officer can be found in the Facebook Privacy Policy. We have entered into the so-called “Controller Addendum” with Facebook, under which Facebook is particularly responsible for ensuring data subject rights. Information about Page Insights can be found on the page “Page Insights Controller Addendum” including “Information about Page Insights Data”.

14. Third-Party Services

We use services from specialized third parties to carry out our activities and operations in a sustainable, user-friendly, secure, and reliable manner. These services enable us to embed functions and content into our website. For technical reasons, these embedded services must at least temporarily collect the IP addresses of users.

For necessary security-related, statistical, and technical purposes, third parties whose services we use may process data related to our activities and operations in an aggregated, anonymized, or pseudonymized form. This includes performance or usage data required to provide the respective service.

We use in particular:

• Google Services: Providers: Google LLC (USA) / Google Ireland Limited (Ireland), partially for users in the European Economic Area (EEA) and in Switzerland; General privacy information: “Privacy and security principles”, “More on how Google uses personal data”, Privacy Policy, “Google’s commitment to data protection laws”, “Product-specific privacy guide”, “How we use data from sites or apps that use our services”, “Types of cookies and similar technologies used by Google”, “Ads you can control” (“Personalized advertising”).

14.1 Digital Infrastructure

We use services from specialized third parties to access the digital infrastructure needed in connection with our activities and operations. This includes, for example, hosting and storage services from selected providers.

We particularly use:

• Cyon: Hosting; Provider: cyon GmbH (Switzerland); Privacy information: “Privacy”, Privacy Policy.
• WordPress.com: Blog hosting and website builder; Providers: Automattic Inc. (USA) / Aut O’Mattic A8C Ireland Ltd. (Ireland) for users in Europe, among others; Privacy information: Privacy Policy, Cookie Policy.

14.2 Maps

We use services from third parties to embed maps into our website.

We particularly use:

• Google Maps including Google Maps Platform: Mapping service; Provider: Google; Google Maps-specific information: “How Google uses location information”.

14.3 Digital Content

We use services from specialized third parties to embed digital content into our website. Digital content includes, in particular, images and videos, music, and podcasts.

We particularly use:

• YouTube: Video platform; Provider: Google; YouTube-specific information: Privacy & Safety Center, “Your data on YouTube”.

14.4 Fonts

We use services from third parties to embed selected fonts, as well as icons, logos, and symbols, into our website.

We particularly use:

• MyFonts (by Monotype): Fonts; Providers: Monotype Imaging Holdings Inc. (USA) / MyFonts Inc. (USA); Privacy information: “Your Privacy”, Privacy Policy, “Web Font Tracking Privacy Policy”.

14.5 E-Commerce

We operate e-commerce and use services from third parties to successfully offer services, content, or goods.

14.6 Payments

We use specialized service providers to process payments securely and reliably. The legal documents of each provider, such as terms and conditions or privacy policies, also apply.

We particularly use:

• PostFinance: Payment processing; Provider: PostFinance AG (Switzerland); Privacy information: “Legal notice and accessibility”, “Privacy” (including privacy policies).
• TWINT: Payment processing in Switzerland; Provider: TWINT AG (Switzerland); Privacy information: Privacy Policy, “Security according to Swiss standards”.
• Worldline: Payment processing, particularly for mobile payment solutions; Providers: Worldline SA (France), Worldline Schweiz AG (Switzerland), and other Worldline entities worldwide (including the USA); Privacy information: Privacy Policy, “Responsible Disclosure Program”, Cookie Policy.

14.7 Advertising

We use the option to display advertising on third-party platforms, such as social media platforms and search engines, for our activities and operations.

With such advertising, we particularly aim to reach people who are already interested in our activities and operations or who may be interested in them (remarketing and targeting). For this purpose, we may transmit relevant – possibly personal – data to third parties who enable such advertising. We can also determine whether our advertising is successful, i.e., whether it leads to visits to our website (conversion tracking).

Third parties where we advertise and where you are registered as a user may be able to associate the use of our website with your profile on their platform.

We particularly use:

• Google Ads: Search engine advertising; Provider: Google; Google Ads-specific information: Ads based on search queries, using various domains – especially doubleclick.net, googleadservices.com, and googlesyndication.com – for Google Ads, Advertising Privacy Policy, “Manage your ads directly via My Ad Center”.
• Meta Ads: Social media advertising on Facebook and Instagram; Providers: Meta Platforms Ireland Limited (Ireland) and other Meta companies (including in the USA); Privacy information: Targeting and retargeting, especially using the Meta Pixel and Custom Audiences including Lookalike Audiences, Privacy Policy, “Ad Preferences” (login required).

15. Success and Reach Measurement

We aim to measure the success and reach of our activities and operations. This includes measuring the impact of third-party references or analyzing how different parts or versions of our online offering are used (so-called “A/B testing”). Based on the results, we can fix errors, strengthen popular content, or make improvements.

For success and reach measurement, IP addresses of individual users are usually recorded. These IP addresses are generally shortened (“IP masking”) in order to follow the principle of data minimization through pseudonymization.

Cookies and user profiles may be used for success and reach measurement. Such profiles may include, for example, pages visited or content viewed on our website, screen or browser window size, and the – at least approximate – location. Generally, any such profiles are created exclusively in pseudonymized form and are not used to identify individual users. Some third-party services, where users are logged in, may be able to associate the use of our online offering with the respective user account or profile.

We particularly use:

• Google Marketing Platform: Success and reach measurement, especially with Google Analytics; Provider: Google; Google Marketing Platform-specific information: Measurement across browsers and devices (Cross-Device Tracking) using pseudonymized IP addresses, which are only exceptionally transmitted in full to Google in the USA, Google Analytics Privacy Policy, “Browser Add-on to disable Google Analytics”.
• Google Tag Manager: Integration and management of Google and third-party services, especially for success and reach measurement; Provider: Google; Tag Manager-specific information: Google Tag Manager Privacy Policy; further privacy information is available from the respective integrated and managed services.

16. Final Notes on this Privacy Policy

We created this Privacy Policy using the Privacy Policy Generator from Datenschutzpartner. The present privacy policy is an unofficial translation from the original German version.

We may update this Privacy Policy at any time. We will inform you of updates in an appropriate manner, particularly by publishing the current version on our website.