Data protection statement

1 Introduction and general information

Grand Resort Bad Ragaz AG operates the Hotel Quellenhof and affiliated hotels, the Tamina Therme Bad Ragaz, the Clinic Bad Ragaz, the Medical Health Center Bad Ragaz (“GRBR Group”), and the two golf clubs Bad Ragaz and Heidiland and is therefore responsible for the collection, processing and use of your personal data, as well as for ensuring that data is processed in compliance with the applicable data protection laws.

Your trust is important to us, which is why we take the issue of data protection very seriously and strive to ensure the appropriate level of security. This means we comply with the statutory provisions of the Swiss Federal Act on Data Protection (FADP; Bundesgesetz über den Datenschutz – DSG), the Ordinance to the Federal Act on Data Protection (DPO; Verordnung zum Bundesgesetz über den Datenschutz – VDSG) and other potentially applicable data protection provisions under Swiss or EU law, especially the EU General Data Protection Regulation (GDPR; Datenschutz-Grundverordnung – DSGVO).

If you have any questions about this document or the handling of your data, you can contact us at any time at the following address:

The address of our data protection officer is:

Grand Resort Bad Ragaz AG
Bernhard-Simon Strasse
7310 Bad Ragaz

E-mail: datenschutz@resortragaz.ch
Telephone: +41 81 303 30 30

1.1 Special provisions and separate data protection statements

This umbrella data protection statement (“Data Protection Statement”) covers the following Group companies of Grand Resort Bad Ragaz AG:

Grand Resort Bad Ragaz
Website: https://www.resortragaz.ch/en/

Medical Health Center Bad Ragaz
Website: https://www.medizin-badragaz.ch/en/

Clinic Bad Ragaz
Website: https://www.clinic-badragaz.ch/

Golf and Sports
Website Golf Club Bad Ragaz: https://www.golfclubragaz.ch/
Website Golf Club Heidiland: https://www.gcheidiland.ch/

The following subsidiaries of the GRBR Group have their own separate data protection statements; please refer to their websites directly for the relevant information:

Tamina Therme AG
Hans Albrecht-Strasse
7310 Bad Ragaz
Website: https://www.taminatherme.ch/datenschutz

Casino Bad Ragaz AG
Hans Albrecht-Strasse
7310 Bad Ragaz
Website: https://www.casinoragaz.ch/en/data-protection.html

When you book Group services through us, we will transfer your data to the relevant service provider in your interest.

All companies of the GRBR Group have agreed to a common privacy policy (“binding corporate rules”) in which the consistent handling of personal data is comprehensively governed.

1.2 Video surveillance

A separate data protection statement has been created for video surveillance on GRBR premises. You can find it here: https://www.resortragaz-gruppe.ch/en/video-surveillance

2 Scope of this Data Protection Statement

This Data Protection Statement describes our commitment to protecting the privacy of individuals who visit our websites (“website visitors”), who register to use our products and services, who use our services or who provide us with their data in the context of other processing activities (e.g. when completing customer surveys). For the purposes of this Data Protection Statement, the term “websites” collectively means resortragaz.ch and other websites operated by GRBR that refer to this Data Protection Statement. If a website has its own data protection statement, then this Data Protection Statement shall apply in a subsidiary capacity.

In the context of this Data Protection Statement, personal data refers to information about a specific or identifiable natural person. An identifiable person is someone who can be identified directly or indirectly, especially by reference to an identifier such as a name, an identification number, location data or an online identifier (e.g. IP address) or by reference to one or more factors specific to their physical, physiological, genetic, mental, economic, cultural or social identity.

The use of information collected through our service is limited to the purpose of providing the service that you have registered or signed up for.

Our websites may contain links to other websites; the information practices and content of these other sites are subject to their own data protection statements. We encourage you to read the data protection statements of these websites to understand their information practices.

Account information (as defined below) and other information that we collect in connection with your registration or authentication for our services fall under this Data Protection Statement. The data security and data protection practices, including how we protect, collect and use electronic data, text, messages, notifications or other material that you transmit to the services and which are stored within the services (“service data”) are detailed individually in this Data Protection Statement. If you have concluded a contract with a member of the GRBR Group concerning your access to and use of a particular service (collectively referred to as “service agreement”), this service agreement will apply in addition to this Data Protection Statement. The order of precedence of different contracts will be specified in the service agreement.

3 Information that you provide to us

3.1 Opening a customer account

If you wish to carry out bookings on our website, you can either book as a guest or open a customer account. When opening a customer account, we collect the following mandatory personal details:

  • Title
  • First name and surname
  • Postal address
  • Date of birth
  • Telephone number
  • E-mail address
  • Password

This data, as well as other information that you provide voluntarily (e.g. company name), is collected in order to provide you with direct, password-protected access to your basic data stored by us. Here you can view your past and current bookings, or manage or modify your personal data. We use an electronic booking platform; more details can be found here: GRBR_External_Contractors_EN.pdf.

3.2 Booking via the website, by correspondence or by telephone

If you make bookings via our website, by correspondence (e-mail or post) or by telephone, we will require the following mandatory personal details to perform the contract:

  • Title
  • First name and surname
  • Postal address
  • Date of birth
  • Telephone number
  • Language
  • Credit card information
  • E-mail address

This data, as well as other information that you provide voluntarily (e.g. expected time of arrival, vehicle number plate, preferences, comments), will only be used by us to perform the contract, unless stated otherwise in this Data Protection Statement or unless you have not provided your separate consent. The data will be processed in particular to record your booking in accordance with your wishes, to provide the services booked, to contact you in the event of any issues or problems, and to facilitate correct payment.

3.3 Other account and registration information

We ask you to provide personal data, such as your name, address, telephone number, e-mail address, gender and date of birth.

For the purposes of this Data Protection Statement, we refer to all of the aforementioned information as “account information”. By providing us with account information voluntarily, you confirm that you are the owner of this personal data or that you have the necessary permission to provide it to us.

3.4 Other submissions

We may ask for and collect personal data from you when you submit online forms on our websites or use interactive features of the websites, including participating in surveys, contests, promotions and competitions, requesting customer support, or communicating with us by other means.

3.5 Mobile applications

When you download and use our services, we automatically collect information about the type of device you are using and the version of your operating system. The following data is collected by our apps (in addition to the “account information”):

  • First name and surname
  • Language
  • Telephone number
  • E-mail address

3.6 Subscribing to our newsletter(s)

If you subscribe to one or more of our newsletters, we require your e-mail address in order to be able to send you the newsletter(s). Further data is optional. You will first receive an e-mail with a link for you to click on and confirm that you would like to receive the newsletter (“double opt-in”). This enables us to prevent anyone from subscribing to the newsletter in your name. We analyse which of the links were clicked on in order to tailor the newsletter to your individual interests and to find out when you read it, so that we can send it to you at your preferred time. We also save your subscription to the newsletter, along with your consent to usage analysis and your confirmation, in order to be able to prove that you have subscribed and given your consent. For the purpose of sending the newsletter and for usage analysis, we continue to store your data until your consent is withdrawn or until the newsletter subscription is cancelled. If you do not confirm your newsletter subscription, we will delete your data after 24 hours. Therefore, please confirm your subscription (“double opt-in”) within 24 hours, or you will have to resubscribe.

We are authorised to use third parties for the technical execution of advertising measures and may share your data with them for this purpose. The list of data processors can be found here: GRBR_External_Contractors_EN.pdf

3.7 Data processing in connection with our website

Whenever you visit our website, our servers temporarily save each access in a log file. Just like any other connection to a web server, the following technical data is recorded automatically and stored by us before automated deletion:

  • The IP address of the accessing computer
  • The name of the holder of the IP address range (generally your Internet access provider)
  • The date and time of access
  • The website from which the access was requested (referrer URL), possibly with the search term used
  • The name and URL of the file accessed
  • The status code (e.g. error message)
  • The operating system of your computer
  • The browser you use (type, version and language)
  • The transfer protocol (e.g. HTTP/1.1)
  • Possibly your username from a registration/authentication

This data is collected and processed to enable the use of our website (establish a connection), to ensure consistent system security and stability, and to optimise our Internet offering. We also collect and process data for internal statistical purposes.

Furthermore, the IP address is evaluated together with other data in the event of an attack on the network infrastructure or other unauthorised or improper use of the website for the purpose of investigation and defence, and, if appropriate, is used within the framework of legal proceedings to establish identity and initiate civil or criminal proceedings against the users concerned.

4 How we use the information that we collect

4.1 General use

We may use the information that we collect about you (including personal data, where applicable) for various purposes, including: (a) providing, operating, maintaining, improving and promoting the services; (b) enabling you to access and use the services; (c) processing and completing transactions and sending you related information, including purchase confirmations and invoices, or job postings; (d) sending transactional messages, including responses to your comments, questions and requests; providing customer service and support; sending you technical notifications, updates, security alerts, and support and administrative messages; (e) processing contest entries and providing rewards; (f) monitoring and analysing trends, usage and activities in connection with the websites and services for marketing or advertising purposes; (g) investigating and preventing fraudulent transactions, unauthorised access to the services and other illegal activities; and (h) for any other purpose for which we obtain your consent.

We will ask for your express consent (through a double opt-in process or similar) before sending you advertising material, such as information about our products and services, features, surveys, newsletters, offers, promotions, contests and events, or other news or information about us and our partners.

You can opt out of receiving marketing communications from us by contacting us at datenschutz@resortragaz.ch or by following the unsubscribe instructions contained in our marketing communications.

4.2 Lawful basis for processing

We will only collect personal data from you under the following conditions: a) we have your consent to do so, (b) we need the personal data to conclude a contract with you (e.g. to provide the GRBR services requested by you); or (c) the processing is in our own legitimate interest or that of a third party pursuant to the applicable data protection laws. In some instances, we also have a legal obligation to collect personal data from you.

If we have relied on your consent to process personal data, you have the right to withdraw that consent at any time. However, please note that this will not affect the lawfulness of processing based on the consent provided before its withdrawal.

When we ask you to provide personal data to fulfil a legal obligation or to conclude a contract with you, we will make this clear at the relevant time and advise you whether the provision of your personal data is mandatory and, if so, will inform you of the potential consequences of not providing your personal data. If we collect and use your personal data on the basis of our own (or a third party’s) legitimate interests that are not already described in this Data Protection Statement, we will notify you of these legitimate interests at the relevant time.

If you have any questions or would like more information about the lawful basis on which we collect and use your personal data, please contact us using the contact details provided in Chapter 1.

5 Cookies

5.1 What are cookies?

Cookies help in many ways to make your visit to our website simpler, and more pleasant and rewarding. Cookies are information files that your browser saves automatically on the hard drive of your computer whenever you visit our website.

The use of cookies depends on your consent; you will have the option to accept or reject cookies in the cookie banner that appears when you first access the website. Cookies that are necessary for the correct functioning of the website cannot be disabled.

5.2 Use of cookies

We use cookies for purposes such as temporarily saving your selected services and entries when you complete a form on the website, so that you do not have to repeat the entry when accessing a different subpage. Cookies may also be used to identify you as a registered user once you have registered on the website, without you having to log in again when accessing a different subpage. We also log whether and how you have accepted or rejected the use of cookies.

Most web browsers accept cookies automatically. You can configure your browser in such a way that no cookies are saved on your computer, or that a message appears each time you receive a new cookie. Please consult your browser’s user guide for details.

Disabling cookies may prevent you from being able to use all of the functions of our website.

6 Tracking tools

The following tools are used on our website. You can completely or partially disable cookies by configuring your browser accordingly, rejecting cookies in the cookie banner or using special blockers (Ghostery, Privacy Badger).

6.1 Google AdWords und Remarketing

This website uses the Google service Google Adwords, which includes data analysis and conversion tracking. When you click on an ad published by Google, Google AdWords will store a “conversion cookie” on your computer’s hard drive for the purpose of tracking conversions. These cookies expire after 30 days and are not used for personal identification purposes. When you visit certain pages of our website, we and Google can tell that you clicked on the ad and were redirected to that page. The information obtained using conversion cookies is used to compile statistics for AdWords customers who use conversion tracking. From these statistics, we can determine the total number of users who clicked on the ad published by Google and visited a page featuring a conversion tracking tag. However, we do not obtain information that would allow us to identify individual users. The data that we collect cannot be attributed to specific users.

In addition to conversion tracking, we also use the following features:

  • Remarketing
  • Audience with shared interests
  • Custom audiences with shared interests
  • Purchase-ready audiences
  • Similar audiences
  • Demographic and geographic targeting

Google’s Remarketing feature allows us to reach users who have previously visited our website. We can thereby display our ads to target groups who are already interested in our products or services. In addition, AdWords identifies the shared interests and characteristics of our website’s users on the basis of their behaviour on websites within the Google Display Network and the contextual search engine from the past 30 days. With the help of this information, AdWords can then identify potential new customers for marketing purposes who share similar interests and characteristics with the users of our website. This targeted remarketing is done by using a combination of cookies, such as ones for Google Analytics and Google DoubleClick.

6.2 Facebook Custom Audiences & Pixel

Our website uses Facebook Custom Audiences, a service of Facebook Inc., 1601 S. California Ave, Palo Alto, CA 94304, USA (“Facebook”). In this context, a Facebook remarketing pixel is integrated into our website, which allows Facebook to track our website visitors and use their data as a basis for advertising (Facebook Ads). The pixel transmits general information about the browser session to Facebook, as well as a non-reversible and non-personal checksum (hash value) generated from your Facebook ID. For details about how Facebook handles your data, as well as your rights and configuration options for protecting your personal information, please refer to Facebook’s privacy policy at https://www.facebook.com/privacy/explanation.

Our website also uses the Facebook pixel to track visitors’ actions. This allows the behaviour of users to be tracked after they have clicked on a Facebook ad and been redirected to the provider’s website. In this way, the effectiveness of Facebook ads can be analysed for statistical and market research purposes in order to optimise advertising measures. The collected data is anonymous to us. However, the data is processed by Facebook, making it possible to link it to the respective Facebook account.

6.3 Tracking with fusedeck

The fusedeck tracking solution of Capture Media AG (hereinafter referred to as “Capture Media”) is integrated into this website. Capture Media is a Swiss company based in Zurich that measures the use of this website on our behalf with regard to engagement and events. Tracking is anonymous, which means that no connection can be made to specific or identifiable persons.

6.4 DialogShift Chat

Our website uses the chat application of DialogShift GmbH, Rheinsberger Str. 76/77, 10115 Berlin.

For the operation of the chat function, chat texts are stored and a cookie with a unique ID is set, enabling you to be recognised as a customer. This cookie is stored for 90 days since its last use. You can disable cookies in your browser settings. However, the chat function will not work if cookies are not enabled.

If you provide your name, e-mail address or phone number, for example, you do so voluntarily and you provide your consent for this data to be used and stored temporarily for contact purposes until the end of the interaction. This personal data is deleted after 90 days.

7 Data processing in connection with your stay

7.1 Data processing in order to meet legal reporting obligations

When you arrive at our hotel, we require the following details from you and any accompanying persons:

  • First name and surname
  • Postal address and canton
  • Date of birth
  • Place of birth
  • Nationality
  • Official identification document and number
  • Date of arrival and departure

We collect this information to fulfil our legal reporting obligations, especially those under hospitality laws or police law (Art. 52bis PG Ct. St. Gallen). Insofar as we are obliged to do so in accordance with the applicable provisions, we pass on this information to the competent police authorities.

In accordance with Article 29 of the Ordinance on the Information System of the Cantonal Police St. Gallen, the following information is stored:

  • Last name and first names
  • Date of birth and nationality
  • ID data
  • Guest arrival and departure dates
  • Name and address of the accommodation provider

The hotel registration data is deleted and the registration forms destroyed after five years at the latest.

In order to improve the guest experience within the resort when purchasing services, we may create a copy of your ID card, provided that you have given us your consent to do so.

7.2 Recording of the services used

If you use additional products or services during your stay (e.g. minibar, pay-TV), we will record the product or service, as well as the time they were used, for billing purposes.

7.3 Medical services

(Clinic Bad Ragaz and Medical Health Center)

When you stay at one of these centres, the GRBR Group will provide the services that have been agreed with you. Medical services are offered either by our own staff or by external medical or healthcare professionals. As a general rule, medical data may only be processed by individuals bound by professional confidentiality pursuant to Article 321 of the Swiss Criminal Code (SCC; Schweizerisches Strafgesetzbuch – StGB). The sharing of data within this group of persons does not require additional consent if it relates to your treatment. For further treatments or referrals, your consent will be obtained from the data controller.

For treatments such as massages, sports training or other therapies that may not be performed by medical professionals, we will request your consent to collect any health data that is important for the treatment.

7.4 Golf services

If you are a guest at our golf clubs, in addition to your data, we will also store the name of your golf club, as well as data related to your Swiss Golf card, your eligibility to play and your handicap.

8 Collection and storage of third-party data

8.1 Booking platforms

When you make bookings via a third-party platform, we receive various items of personal data from the platform operator concerned.

This is generally the information described in Section 3 of this Data Protection Statement. Any queries concerning your booking will also be forwarded to us. This data will be processed in particular to record your booking in accordance with your wishes, and to provide the services booked.

In addition, we will also be informed by the platform operators of any disputes arising in connection with a booking. In this context, we may also receive data regarding the booking process, with a copy of the booking confirmation serving as proof of the actual completion of a booking. We process this data with a view to enforcing our rights. Please also refer to the data protection notice of the operator concerned. A list of processors can be found here:

GRBR_External_Constructors_EN.pdf

8.2 Central storage and linking of data

We store the data described in Section 3 in a central electronic data processing system. The data concerned is recorded in our system and linked in order to enable us to process your bookings and provide the contractual services. (List of subcontractors: GRBR_External_Constructor_EN.pdf.

8.3 Retention period

We retain personal data only for as long as is necessary for the provision of the aforementioned services and for further processing within the scope of our legitimate interests. Contractual data is stored for longer periods, as required by statutory retention obligations. The obligation to retain data is based on provisions regarding the right to report, accounting and tax law. According to these provisions, business communications, concluded contracts and accounting documents must be kept for 10 years. This data is blocked once we no longer need it to provide the services for you. This means that the data may then only be used for accounting and tax purposes.

Health data collected in connection with medical treatments is subject to a retention period of 20 years.

9 Sharing of data with payment services and loyalty programmes

9.1 Principles

We only disclose your personal data to any third parties if you have given your explicit consent for us to do so, if such disclosure is required by law or if it is necessary in order to enforce our rights, in particular those arising from the contractual relationship. Furthermore, we also disclose your data to third parties if this is necessary within the framework of your use of the website and for the performance of the contract (including outside the website), i.e. for processing your bookings.

A list of the data recipients, the content, the data transmitted and the lawful basis can be found in this table:

GRBR_External_Contractors_EN.pdf

9.2 Loyalty and bonus programmes

If you participate in a bonus or loyalty programme with us, we will share your information with the respective programme in accordance with its privacy policy. Please refer to the privacy policy published there.

9.3 Credit card and payment providers

Finally, when credit card payments are made on the website, we forward your credit card details to your credit card issuer and to the acquirer. If you decide to pay by credit card, you will be asked to enter all the necessary information. With regard to the processing of your credit card details by these third parties, please also read the general terms and conditions and the data protection statement of your credit card issuer.

10 Transfer of personal data abroad

We are authorised to transfer your personal data to third-party companies abroad (contracted providers) for the purpose of the data processing described in this Data Protection Statement. These providers are subject to data protection requirements in the same scope as us. Should the level of data protection in a given country not be equivalent to the level applicable in Switzerland or the EU, we will ensure by contractual means that the level of protection of your personal data corresponds to the level of protection provided in Switzerland or the EU at all times.

11 Further information

11.1 Right of access, right to rectification, right to erasure, right to restriction of processing, right to data portability

You have the right to obtain information about your personal data stored by us. You also have the right to incorrect data being rectified and the right to your personal data being erased, provided that there is no legal retention obligation.

You also have the right to request that the data that you have provided to us is returned to you in a commonly used electronic format.

You can reach us for the aforementioned purposes via the e-mail address datenschutz@resortragaz.ch. To process your requests, we must ask you to provide proof of identity.

11.2 Children

With the exception of youth memberships at both golf clubs, we do not knowingly collect personal data from children under the age of 13. Children under 13 are asked not to provide any personal data. We encourage parents and guardians to monitor their children’s Internet use and to help enforce our privacy policy by instructing them never to provide personal data through the services without their permission. Please inform us if you have reason to suspect that a child under the age of 13 has provided us with personal data via the service. We will delete the data from our databases.

11.3 Data security

We take the appropriate technical and organisational security measures to protect the personal data stored by us from manipulation, partial or complete loss and unauthorised access by third parties. Our security measures are being improved on an ongoing basis in line with technological developments. You should always keep your access credentials secret, close the browser window and empty the cache when you have finished communicating with us, especially if you are using a shared computer.

We also take internal data protection within the company very seriously. Our employees are given comprehensive training, and all contractors that we use are obliged by us to maintain confidentiality and comply with the provisions of data protection law.

11.4 Additional links and use of communication channels

This Data Protection Statement only applies to our website. This website may contain links to external websites that do not fall within the scope of this Data Protection Statement. When you leave our website via a link, we recommend that you carefully read the privacy policy of the linked website.

We would like to point out that for the use of external communication channels that you send us messages through (e.g. WhatsApp), the privacy policy of the respective provider applies.

11.5 Note on data transfer to the USA

The new Swiss-US Data Privacy Framework between Switzerland and the USA provides adequate protection for the transfer of personal data to certified US companies. The relevant changes will apply as of 15 September 2024.

The certification for US companies ensures compliance with the envisaged data protection measures and data protection guarantees. In particular, these companies may only process data for the purposes for which it was collected. Disclosure to third parties, such as non-certified companies, is not permitted. Various safeguards are provided for access by US authorities to personal data disclosed from Switzerland, including a complaint mechanism.

For the sake of completeness, users residing or based in Switzerland are hereby made aware that surveillance measures by US authorities in the United States generally allow the storage of all personal data of any individual whose data has been transmitted to the US. This is carried out without differentiation, restriction or exception on the basis of the respective aim and with no objective criteria that enable access by the US authorities to the data and its later use to be restricted to very specific, strictly limited purposes which would justify access to this data and the intervention related to its use. We would also like to point out that there are no means of legal redress in the USA for data subjects from Switzerland that would enable them to gain access to their data and request its rectification or erasure, and that there is no effective legal protection against the general access rights of US authorities. We refer those affected explicitly to this legal and factual basis in order to enable them to make an informed decision concerning the provision of consent to the use of their data.

We would like to point out to users residing in an EU member state that the EU-US Data Privacy Framework has been in effect since July 2023.

12 Changes to this Data Protection Statement

We reserve the right to amend this Data Protection Statement from time to time in order to ensure that it always complies with current legal requirements or to implement changes to our services in the Data Protection Statement (e.g. when introducing new services). The new Data Protection Statement will then apply on your next visit. We also regularly update the list of authorised representatives.

13 Right to lodge a complaint with a data protection supervisory authority

You have the right to lodge a complaint with the competent data protection supervisory authority.

Federal Data Protection and Information Commissioner (Eidgenössischer Datenschutz- und Öffentlichkeitsbeauftragter)

Feldeggweg 1
CH-3003 Bern
Telephone: +41 (0)58 462 43 95

Our company has a data protection representative in accordance with Article 27 GDPR within the European Economic Area (EEA) (including the European Union [EU] and the Principality of Liechtenstein), who serves as an additional point of contact for supervisory authorities and data subjects in the case of queries relating to the GDPR:

Consulting Weiss Paulstrasse 13 DE-67346 Speyer grbr@consulting-weiss.de

14 Data protection advice

For data protection impact assessments, the Grand Resort Bad Ragaz AG Group has delegated an external and independent specialist unit:

Dr. Bruno Wildhaber
krm Kompetenzzentrum Records Management AG
Stettbachstrasse 6
CH-8600 Dübendorf

Telephone: +41 (0)44 888 1011
E-mail: bruno.wildhaber@krm.swiss

Your web browser is outdated

Update your browser for more security, speed and a good user experience.

Update browser Continue