Data Protection Policy

Andermatt Swiss Alps AG, Gotthardstrasse 2, 6490 Andermatt is the operator of the website www.andermatt-swissalps.ch and is thus responsible for the collection, processing, and use of your personal data and for the compatibility of data processing with applicable data protection law.

1. Data Protection Policy

This Data Protection Policy was prepared and published by Andermatt Swiss Alps AG, Gotthardstrasse 2, 6490 Andermatt, Switzerland, registered in the Commercial Register of the Canton of Uri under the number CHE-113.632.552. You will also find information on our Group companies on this website. If, in the following, the term "Andermatt Swiss Alps" is used, it also refers to the following companies in addition to Andermatt Swiss Alps AG:

  • Bellevue Hotel & Appartment Management AG (The Chedi Andermatt)

  • Hotel 4b Management AG (Radisson Blu Reussen Andermatt)

We, i.e. the named companies of the Group, are jointly responsible in terms of data protection law for the collection, processing and use of your personal data and for data processing that is in conformity with the law. Unless otherwise stated below, the entire Andermatt Swiss Alps Group (hereinafter referred to as “Andermatt Swiss Alps”) is always meant.

The term “personal data” means all information that relates to an identified or identifiable natural person. This includes information that makes it possible to draw conclusions about your identity (e.g. information such as name, postal address, email address, and phone numbers).

Because your trust is important to us, we take data protection very seriously and pay special attention to security. We comply with the statutory provisions of the Swiss Federal Act on Data Protection (Bundesgesetz über den Datenschutz, DSG), the Swiss Ordinance to the Federal Act on Data Protection (Verordnung zum Bundesgesetz über den Datenschutz, VDSG), the Swiss Telecommunications Act (Fernmeldegesetz, FMG), and all other applicable data protection provisions of Swiss or EU law, including the EU General Data Protection Regulation (GDPR).

We ask that you take note of the following information so that you will know what personal data we collect from you and the purposes for which we use them. Please note that the following information will be reviewed and amended from time to time. We therefore recommend that you read this Data Protection Policy regularly. Furthermore, for individual instances of data processing listed below, other companies are responsible under data protection law, either solely or jointly with us, meaning that in such cases, the data protection policies of those providers may also be relevant.

2. Contact details of the data controller and the EU representative

If you have any questions about data protection or would like to exercise your rights, please contact our data protection officer:

Andermatt Swiss Alps AG
Datenschutz
Gotthardstrasse 2
6490 Andermatt
Schweiz

datenschutz@andermatt-swissalps.ch

Our EU representative in accordance with Article 27 GDPR is:

MLL EU-GDPR GmbH
Ganghoferstrasse 33
DE - 80339 Munich

andermattswissalpsag@mll-gdpr.com

A. Data processing on the websites

3. Accessing our websites (and associated microsites)

To enable you to establish a connection to our websites or to any microsites, your browser transfers certain data to the servers of our hosting provider, which temporarily records every access in a log file. The following data will be collected without any action on your part and stored by us until it is automatically deleted:

  • the IP address of the computer submitting the request,

  • the name of the owner of the IP address range,

  • the date and time of your request,

  • your operating system,

  • the name and URL of the retrieved data,

  • the website from which our domain was accessed,

  • the country from which our websites were accessed,

  • the status code,

  • the browser that you are using, and

  • the transmission protocol being used.

These data are collected and processed for the purpose of facilitating the use of our websites, ensuring continuous system security and stability, and facilitating the optimisation of our website, as well as for statistical purposes.

In addition, in the event of attacks on the network infrastructure or other unauthorised use or misuse of our websites, the IP address is analysed together with other data for the purpose of investigation and defence and, if necessary, is also used in connection with criminal proceedings for the purpose of identifying the user in question and holding him or her civilly or criminally liable.

The purposes described above are to be considered our legitimate interest in data processing within the meaning of Article 6(1)(f) GDPR.

4. Use of our contact form

The contact form feature on our websites enables you to get in contact with us at various points (e.g. for general contact, asking for advice or booking requests). For this feature, we require the following information; mandatory information is marked with an asterisk (*):

  • salutation*,

  • first and last name*,

  • mailing address,

  • phone number,

  • email address*,

  • message*.

We use these data, as well as data voluntarily provided by you, only so that we can respond to your contact enquiry as best as possible and in a personalised manner. The processing of these data is therefore necessary in order to take steps prior to entering into a contract within the meaning of Article 6(1)(b) GDPR or is to be considered our legitimate interest within the meaning of Article 6(1)(f) GDPR.

5. Contact by phone or email

At various points on our websites, you have the option to contact us by telephone or email, such as to ask us questions about website functionality, bookings or services.

We collect only the data that you disclose to us. Therefore, you are responsible for the content of your message and are in control of what information you transmit to us. We recommend that you do not transmit any sensitive information. In order to answer your questions, we may ask you to provide us with additional information (e.g. your postal address, your email address, etc.). We will collect from you only the data that are necessary to answer your questions or to provide the services you desire.

Processing your request is to be considered our legitimate interest within the meaning of Article 6(1)(f) GDPR.

6. Subscription to our newsletter

Our websites offer you the ability to subscribe to our newsletter. In order to do so, registration is necessary. In connection with registration, the following data must be provided; mandatory information is marked with an asterisk (*):

  • salutation,

  • first and last name*,

  • email address*, and

  • I’m interested in.

After entering the above-mentioned information, you will be registered for the desired newsletter immediately. Here, we use the so-called double opt-in mechanism. After submitting the registration, you will receive an email from us which includes a confirmation link. To definitively subscribe to the newsletter, you must click this link. If you do not click on the confirmation link, the email address will be irrevocably deleted from our temporary list of people interested in a newsletter and the registration will not take place. To send the newsletter, we work with, among others, the email marketing software Mailchimp, The Rocket Science Group, LLC, 675 Ponce de Leon Ave NE, Suite 5000, Atlanta, GA 30308, USA. For more information on the transfer of personal information to third parties, please see the section below in this Data Protection Policy.

We will use your data to send the newsletter until you withdraw your consent. You can withdraw your consent at any time with prospective effect or use the unsubscribe link in the newsletter emails.

Our newsletter contains a so-called web beacon or similar technical means (web bug). A web beacon is a 1x1 pixel, invisible graphic associated with the user ID of the respective newsletter subscriber. The web beacon enables us to collect the following information about the newsletter mailing:

  • address file used,

  • subject and number of newsletters sent,

  • information about which addresses did or did not receive the newsletter and for which addresses the mailing failed,

  • information about which addresses opened the newsletter,

  • information about which addresses unsubscribed, and

  • technical information (e.g. time of retrieval, IP address, browser type and operating system).

This information is used for statistical analysis of our newsletter campaigns. The results of these analyses can be used to better adapt future newsletters to the interests of recipients. The web beacon will be deleted when you delete the newsletter.

In order to prevent the use of the web beacon, please configure your email program to prevent HTML from being displayed in messages, unless this is already the case by default. The following pages will explain how to change this setting in the most popular email programs.

By registering for the newsletter, you grant us your consent to process the provided data for the purpose of sending regular newsletters to you at the address you provided and for the statistical analysis of user behaviour, as well as for optimising the newsletter. This consent constitutes the legal basis for the processing of your data within the meaning of Article 6(1)(a) GDPR. You can withdraw your consent at any time with prospective effect.

7. Use of the chat function

On our websites, you are able to contact us using the chat function, such as to ask us questions about website functionality, bookings or services. In doing so, we collect the following data; mandatory information in the registration form is marked with an asterisk (*):

  • dates, and

  • message.

We collect only the personal data that you disclose to us. Therefore, you are responsible for the content of your message and are in control of what information you transmit to us. We recommend that you do not transmit any sensitive information. In order to answer your chat questions, we may ask you to provide us with additional information. We will collect from you only the personal data that are necessary to answer your questions or to provide the services you desire.

In connection with the chat function, we work with a tool provided by the company Enterprise bot GmbH, Baarerstrasse 135, 6300 Zug, Switzerland. The chat data are stored on servers at the following location: Enterprise bot GmbH, Baarerstrasse 135, 6300 Zug, Switzerland.

Processing your chat request or message is to be considered our legitimate interest within the meaning of Article 6(1)(f) GDPR.

8. Opening a customer account

In order to make bookings on our websites, you can book/place an order as a guest or open a customer account. When you register for a customer account, we collect the following data; mandatory information is marked with an asterisk (*):

  • salutation*,

  • first and last name*,

  • mailing address*,

  • country*,

  • date of birth,

  • phone number,

  • email address*,

  • password, and

  • language.

We collect these data, as well as other data voluntarily entered by you, for the purpose of providing you with direct, password-protected access to your basic data stored with us. In the account, you can view your previous and current bookings and manage and modify your personal data. Finally, you can request the deletion of the customer account in full.

The legal basis for processing the data for this purpose is the consent you have given us pursuant to Article 6(1)(a) GDPR. You can withdraw your consent at any time with prospective effect.

9. Booking on our websites, by correspondence, or by phone

If you make bookings either on our websites, by correspondence (email or postal mail), or by phone, we require the following data in order to process the contract; mandatory information is marked with an asterisk (*):

  • salutation,

  • first and last name*,

  • mailing address,

  • date of birth,

  • phone number,

  • language,

  • payment method*,

  • email address*, and

  • password.

We will use these data and other information voluntarily provided by you (e.g. expected arrival time, vehicle number plate, preferences, comments) only for processing the contract, unless this Data Protection Policy specifies otherwise or you have given your separate consent for this purpose. We will process the data particularly in order to record your booking in accordance with your wishes, to provide the booked services, to contact you in the event that something is unclear or problems arise, and to ensure correct payment.

If necessary, personal data are disclosed to companies involved in the performance of this contract, e.g. service providers such as hotel operators and banks, for payment processing.

The legal basis for data processing for this purpose is the performance of a contract pursuant to Article 6(1)(b) GDPR.

10. Purchase of products or vouchers

If you purchase products or order vouchers via our websites, we need the following data for the processing of the contract; mandatory information is marked with an asterisk (*):

  • salutation,

  • first and last name*,

  • company,

  • mailing address*,

  • country,

  • phone number,

  • payment method*,

  • email address*,

  • shipping method*, and

  • billing address.

We will use these data and other information voluntarily provided by you only for processing the contract, unless this Data Protection Policy specifies otherwise or you have given your separate consent for this purpose. We will process the data particularly in order to record your order in accordance with your wishes, to send the products or vouchers purchased, to contact you in the event that something is unclear or problems arise, and to ensure correct payment.

If necessary, personal data are disclosed to companies involved in the performance of this contract, e.g. service providers such as hotel operators and banks, for payment processing.

We offer a voucher shop by E-Guma on our websites. E-Guma is operated by Idea Creation GmbH, Walchestrasse 15, 8006 Zurich, Switzerland. The information you provide to us in connection with the purchase of the voucher is used for the purpose of contacting you, carrying out and processing the contractual service and fulfilling the legal obligations associated with this. We are supported in this by payment service providers in order to process the purchase.

The legal basis for data processing for this purpose is the performance of a contract pursuant to Article 6(1)(b) GDPR.

11. Purchasing tickets

If you purchase tickets (e.g. for events, cableways, etc.) via our websites, we need the following data to process the contract; mandatory information is marked with an asterisk (*):

  • ticket type*,

  • ticket holder (postal address, email, phone number)*,

  • ticket category*,

  • date*,

  • billing address*, and

  • payment method*.

We will use these data and other information voluntarily provided by you only for processing the contract, unless this Data Protection Policy specifies otherwise or you have given your separate consent for this purpose. We will process the data particularly in order to record your order in accordance with your wishes, to send the tickets purchased, to contact you in the event that something is unclear or problems arise, and to ensure correct payment.

If necessary, personal data are disclosed to companies involved in the performance of this contract, e.g. service providers such as hotel operators and banks, for payment processing.

The legal basis for data processing for this purpose is the performance of a contract pursuant to Article 6(1)(b) GDPR.

12. Applications for job openings

Our websites offer you the opportunity to apply for job openings. We collect the following data when applying; mandatory information is marked with an asterisk (*):

  • salutation*,

  • first name*,

  • last name*,

  • date of birth*,

  • email address*,

  • password*,

  • user language*,

  • personal information:

    • mobile phone*,

    • country of residence*,

    • nationality*, and

    • residence permit*.

  • documents (upload):

    • application letter*,

    • CV*,

    • certificates, diplomas*, and

    • other documents.

  • relationship with our company:

    • how did you find out about us?*,

    • I am a current employee of your company,

    • I have worked for your company before, and

    • comment on previous employment.

  • further information:

    • message.

  • I agree with the Data Protection Policy*, and

  • data release*:

    • I agree that my data will be stored (for three months) in accordance with the Data Protection Policy even after a specific job is filled, or

    • I would like my data to be deleted after the current application process.

In connection with your online application, we work with the tool Umantis from Haufe-Lexware GmbH & Co. KG, Munzinger Strasse 9, 79111 Freiburg, Germany. The data are stored by Umantis on a server in Germany.

We need this information in order to review your application and to contact you in this regard if necessary. The legal basis for the processing of your personal data is taking steps prior to entering into a contract and performance of a contract within the meaning of Article 6(1)(b) GDPR, as well as our legitimate interest within the meaning of Article 6(1)(f) GDPR. You may object to this data processing at any time if reasons for not processing data exist in your particular situation.

If you use our application-per-WhatsApp function, the legal basis for the communication is your consent, which can be revoked at any time (Article 6(1)(a) GDPR). The application-per-WhatsApp function is provided to us by an IT service provider (PitchYou), which may access your data for this purpose as a processor. Further information can be found here: https://www.pitchyou.de/datenschutz. WhatsApp's data protection information, for example on its processing or on exercising your data protection rights against WhatsApp, can be found here: https://www.whatsapp.com/legal/privacy-policy-eea.

13. Booking of hotel rooms and apartments

If you book a hotel room or apartment on www.alpine.apartments, www.thechediandermatt.com or similar websites, we need the following data for the processing of the contract; mandatory information is marked with an asterisk (*):

  • number of guests*,

  • day of arrival and departure*,

  • apartment category*,

  • extras,

  • special requests,

  • salutation,

  • first and last name*,

  • phone number,

  • email address*,

  • mailing address*,

  • additional guests (salutation, first and last name),

  • please inform me about offers by email,

  • payment method*, and

  • yes, I have read and accepted the General Terms and Conditions and the Data Protection Policy.*

We will use these data and other information voluntarily provided by you only for processing the contract, unless this Data Protection Policy specifies otherwise or you have given your separate consent for this purpose. We will process the data particularly in order to record your booking in accordance with your wishes, to provide the booked services, to contact you in the event that something is unclear or problems arise, and to ensure correct payment.

If necessary, personal data are disclosed to companies involved in the performance of this contract, e.g. service providers such as banks, for payment processing.

The legal basis for data processing for this purpose is the performance of a contract pursuant to Article 6(1)(b) GDPR.

14. Registration of a user account

You can open a user account on our websites. When you register for a user account, we need to collect the following data; mandatory information is marked with an asterisk (*):

  • first and last name*,

  • email address*,

  • password*,

  • I would like to receive news regularly, and

  • I accept the Terms of Use and the Data Protection Policy*.

We collect these data, as well as other data voluntarily entered by you, for the purpose of providing you with direct, password-protected access to your basic data stored with us. In the account, you can, for example, view your purchase history and manage and modify your personal data. Finally, you can request the deletion of the customer account in full.

The legal basis for processing the data for this purpose is the consent you have given us pursuant to Article 6(1)(a) GDPR. You can withdraw your consent at any time with prospective effect.

B. Data processing outside the websites

15. General information

Andermatt Swiss Alps also procures personal data from you outside of the websites. This may be the case, e.g. where you contact us by email or phone independently of the websites and we need to record your data in order to be able to contact you for the purpose of handling your enquiries.

Andermatt Swiss Alps also records your personal data when, e.g. you register for an event or book lodging through us on site. Andermatt Swiss Alps essentially procures the same data from offline contact that it asks for when a booking is made on the website.

The legal basis for data processing is the satisfaction of your contact enquiries and thus a legitimate interest within the meaning of Article 6(1)(f) GDPR and the performance of a contract within the meaning of Article 6(1)(b) GDPR.

In the case of third-party services, Andermatt Swiss Alps is only the broker and carries out the bookings on behalf of the service providers. Andermatt Swiss Alps discloses the data for processing the booking to the service providers you have chosen. These service providers are responsible in terms of data protection law for the further processing of the data. For further information on the handling of personal data by service providers, please consult the data protection policy of the service provider you have selected.

16. Data processing for the purpose of fulfilling the statutory reporting obligation

When you arrive at one of our lodgings, we require the following information from you and, if applicable, the persons accompanying you; mandatory information is marked with an asterisk (*):

  • first and last name, 

  • mailing address, 

  • date of birth,

  • place of birth, 

  • nationality, 

  • official identity document, 

  • day of arrival and departure, and 

  • name of the lodging.

We collect this information for the purpose of fulfilling the statutory reporting obligation, particularly as required by hospitality and police law. To the extent that we are obligated to do so in accordance with the applicable provisions, we forward this information to the responsible police authority.

The data are processed on the basis of a legal obligation within the meaning of Article 6(1)(c) GDPR.

17. Recording of services purchased

To the extent that you purchase additional services (e.g. spa, restaurant, activities) in the course of your stay, the nature of the service and the time at which it is purchased are recorded by us for billing purposes.

The processing of these data is necessary for the purpose of performing the contract with us within the meaning of Article 6(1)(b) GDPR.

18. Storage of your personal data in an Andermatt Swiss Alps central database

The personal data described in this Data Protection Policy are stored and processed by Andermatt Swiss Alps at a central location. The specified data are stored in a central electronic data processing system (so-called CRM). The data relating to you will be collected, linked and evaluated systematically for the processing of your enquiries and of our services (e.g. in order to be able to offer you personalised services or product information to improve our products and services, etc.). In connection with these analyses, user profiles may be created about you. Within the framework of data protection regulations, we also enrich the data with data from publicly accessible sources (e.g. press or internet). For this purpose we use the software Azure from Microsoft, South County Business Park, Leopardstown, Dublin 18, Ireland. Further we use the software Braze, 330 West 34th Street, 18th floor, New York, NY 10001 USA, of the company Alturos Destinations Lakeside, B03, 9020 Klagenfurt, Austria, as well as the software Salesforce, Salesforce UK Limited, Village 9, floor 26, Salesforce Tower, 110 Bishopsgate, London, UK, EC2N 4AY. The processing of these data using the software is based on our legitimate interest within the meaning of Article 6(1)(f) GDPR in customer-friendly and efficient customer data management as well as on taking steps prior to entering into a contract in accordance with Article 6(1)(b) GDPR.

If you have given Andermatt Swiss Alps your consent to evaluate your personal data for advertising purposes, we may also use the data collected for advertising purposes. This consent constitutes the legal basis for processing within the meaning of Article 6(1)(a) GDPR. You can withdraw your consent at any time with prospective effect.

19. Use of our apps

In addition to our online offer, we provide you with two mobile apps that you can download to your mobile device. When you download the myASA app, the information required for this is transferred to the App Store. This includes, in particular, the username, email address and customer number of your account, the time of download, the unique number of the device (IMEI), the mobile phone number (MSISDN), the MAC address for WiFi use and the unique number of the network participant (IMSI). We have no influence on this data collection and are not responsible for it. We will process these provided data to the extent necessary to download the apps to your smartphone. The data will not be saved beyond this.

When you log in to your customer account through the app, or place orders through the app, we will collect the following additional personal data to enable these services; mandatory information is marked with an asterisk (*):

  • first and last name,

  • address,

  • phone number, if applicable,

  • email,

  • user name,

  • customer number,

  • password, and

  • date of birth.

The legal basis for data processing for this purpose is the performance of a contract pursuant to Article 6(1)(b) GDPR, and your consent pursuant to Article 6(1)(a) GDPR. You can withdraw your consent at any time with prospective effect.

When you first use them, the apps require the following access rights for the following purpose:

  • location data (using GPS and anonymised IP address): to receive personalised notifications on a location-by-location basis,

  • camera: this can be used to scan barcodes to pre-book the corresponding services/product or to obtain information about them,

  • photos/media/files: for the barcode scanner, in conjunction with the use of the camera,

  • device ID and call information: used in app stores for statistics,

  • fingerprint/biometric information: for easy login & purchase with fingerprint or face recognition, and

  • app history.

If you decline, we will not use this information. However, you will then not be able to use the corresponding features of the apps. You can grant or revoke permission later in settings. If you allow access to these data, the apps will access only these data and transfer them to our server to the extent necessary for providing functionality. We will treat these data confidentially and delete them if you withdraw the rights to use them, or if they are no longer required for the provision of the service and there are no legal retention obligations.

This consent constitutes the legal basis for processing within the meaning of Article 6(1)(a) GDPR. You can withdraw your consent at any time with prospective effect.

If necessary, personal data are disclosed to companies involved in the performance of the services required, e.g. service providers such as hotel operators and banks for payment processing.

20. Push notifications

If you have consented to this, Andermatt Swiss Alps can send notifications to your device (e.g. smartphone, tablet). The myASA app uses push notifications to provide you with information about the Andermatt Swiss Alps destination (e.g. products, promotions, competitions) as well as to inform you about offers from our partners. Your data will not be shared with these partners.

In this regard, we also access the location data of your mobile device, if you have enabled this. Andermatt Swiss Alps uses the location-related information for storing and evaluating movement data, as well as for sending messages. If you are within a narrowly defined "Geo Fence" near the Andermatt Swiss Alps destination, we use push notifications to alert you to current offers.

You can configure the receipt of push notifications at any time in your operating system settings and adjust the receipt of push notifications under “Settings” within the myASA app.

This consent constitutes the legal basis for processing within the meaning of Article 6(1)(a) GDPR. You can withdraw your consent at any time with prospective effect.

21. Booking platforms

If you make bookings on a third-party platform, we receive various bits of personal information from the platform operator. This is usually the information specified in this Data Protection Policy in connection with a booking. In addition, enquiries about your booking may be forwarded to us in some cases. We process these data particularly in order to record your booking in accordance with your wishes and to provide the booked services. The legal basis for data processing for this purpose is the performance of a contract pursuant to Article 6(1)(b) GDPR.

Finally, we may be informed by the platform operators about disputes in connection with a booking. In this regard, we might obtain data about the booking procedure, which may include a copy of the booking confirmation as proof of the actual finalisation of the booking. We process these data for the purpose of preserving and enforcing our claims. This is to be considered our legitimate interest within the meaning of Article 6(1)(f) GDPR.

Please also take note of the respective booking platform’s information concerning data protection.

22. Image rights

The participant is aware that photos may be taken of him/her at events. By participating in the event, he/she agrees that Andermatt Swiss Alps AG may use this material without restriction for its own documentation and send the photos to participants. Excluded are photos or videos that depict the participant in a discriminatory manner.

C. Tools and tracking technologies

23. Cookies

Among many other things, cookies help to make your visit to our websites easier, more convenient, and more meaningful. Cookies are information files that your web browser automatically stores on your device’s hard drive when you visit our website.

We use cookies, for instance, in order to temporarily store the services you selected and the entries you made when filling out a form on the website so that you don’t have to enter them again when you access a different subpage. In some cases, cookies are also used in order to be able to identify you as a registered user following registration on the website without you having to log in again when accessing a different subpage.

Most internet browsers automatically accept cookies. However, you can configure your browser in such a way that no cookies are stored on your computer or that a message is displayed when you receive a new cookie. The following pages will explain how to configure the processing of cookies for most popular browsers:

Complete deactivation of cookies may mean that you will be unable to use all features of our websites.

24. Tracking tools

a. Google Analytics

We use Google Analytics, a web analytics service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland and Google Inc., 1600 Amphitheater Pkwy, Mountain View, CA 94043-1351, USA ("Google") on our websites. Google Analytics uses methods that enable use of the websites to be analysed, such as cookies. The information generated by the cookie about your use of our websites, such as

  • navigation path that a visitor takes while using the website,

  • time spent on the website or a subpage,

  • the subpage from which the website is exited,

  • the country, region, or city from which access is made,

  • device (type, version, colour depth, resolution, width and height of the browser window),

  • returning or new visitor,

  • browser type/version,

  • operating system used,

  • referrer URL (i.e. the previously visited website),

  • host name of the accessing computer (IP address), and

  • time of the server request,

is generally transferred to a Google server in the U.S. and stored there. By activation of IP anonymisation on this website (“anonymizeIP”), the IP address is shortened prior to transmission within the Member States of the European Union or in other Contracting States of the Agreement on the European Economic Area or Switzerland. According to Google, the masked IP address transmitted by your browser within the framework of Google Analytics will not be merged with other Google data. Only in exceptional cases is the full IP address transferred to a Google server in the U.S. and shortened there. In these cases, we ensure through contractual guarantees that Google maintains an adequate level of data protection.

The information is utilised in order to analyse the use of the website, compile reports about website activities, and provide other services associated with website use and internet use for the purposes of market research and designing this website in line with demands. In some cases, this information is also transmitted to third parties if this is required by law or where these data are processed by third parties on behalf of another.

The legal basis for processing the data for this purpose is your consent pursuant to Article 6(1)(a) GDPR. You can withdraw your consent at any time with prospective effect.

Users can prevent Google from collecting the data generated by the cookie and relating to the use of the website by the user concerned (including the IP address) and prevent the processing of these data by Google by downloading and installing the browser plugin available under the following link: https://tools.google.com/dlpage/gaoptout?hl=en

For more information about Google and how Google handles data, click here.

b. Google Tag Manager

We use Google Tag Manager provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland and Google Inc., 1600 Amphitheater Pkwy, Mountain View, CA 94043-1351, USA ("Google") on our websites. Google Tag Manager is a solution that enables marketers to manage website tags from a single interface. The Tag Manager tool is a cookie-free domain and does not collect any personal data. It does, however, trigger other tags that do collect personal data. According to Google, Google Tag Manager does not access these data. If deactivation is enabled at the domain or cookie level, it will also be enabled for all tracking tags implemented with Google Tag Manager. You can prevent the setting of tags at any time.

The legal basis for processing the data for this purpose is our legitimate interest pursuant to Article 6(1)(f) GDPR.

c. Google Ads Remarketing

We use Google Ads Remarketing on our websites. Google Ads Remarketing is an online advertising program provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland and Google Inc., 1600 Amphitheater Pkwy, Mountain View, CA 94043-1351, USA ("Google"). We use the Remarketing function. This allows us to use cookies to display ads to users of our websites based on their interests. For this purpose, our users’ interactions on our websites are analysed, e.g. which offers the user was interested in, in order to be able to display targeted advertising to the users on other pages even after visiting our websites. The utilised cookies are used to uniquely identify a web browser on a particular computer and not to identify a person. According to Google, no personal data are stored.

The legal basis for processing the data for this purpose is your consent pursuant to Article 6(1)(a) GDPR. You can withdraw your consent at any time with prospective effect.

You can disable the use of cookies by Google by following the link below and downloading and installing the plugin provided there: http://tools.google.com/dlpage/gaoptout?hl=en

For more information about how Google handles data, click here.

d. Google Ads Conversion Tracking

We use Google Ads provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland and Google Inc., 1600 Amphitheater Pkwy, Mountain View, CA 94043-1351, USA ("Google") on our websites. Google Ads is a service for internet advertising that permits advertisers to place advertisements both in Google search engine results and in the Google advertising network. Google Ads enables an advertiser to specify keywords in advance, by means of which an advertisement is displayed in Google search engine results only if the user clicks on a keyword-relevant search result with the search engine. In the Google advertising network, advertisements are distributed to topic-relevant websites by means of an automated algorithm, taking into account the previously specified keywords.

We use Google Ads in order to promote our website through the displaying of relevant advertising on the websites of other companies and in the results returned by Google’s search engine. If a data subject reaches our website through a Google advertisement, Google sets what is known as a “conversion cookie” on the data subject’s device. A conversion cookie loses its validity after 30 days, and it is not used to identify the data subject. If the conversion cookie has not yet expired, it tracks whether certain subpages on our websites have been accessed. The conversion cookie enables both us and Google to track whether a sale was generated by a data subject who reached our website through a Google Ads advertisement.

The legal basis for processing the data for this purpose is your consent pursuant to Article 6(1)(a) GDPR. You can withdraw your consent at any time with prospective effect.

You can disable the use of cookies by Google by following the link below and downloading and installing the plugin provided there: http://tools.google.com/dlpage/gaoptout?hl=en

For more information about how Google handles data, click here.

e. Google Signals

We also use the technical extension "Google Signals", which enables cross-device tracking. This allows an individual website visitor to be assigned to different end devices. However, this only happens if the visitor has logged into a Google service when visiting the website and has also activated the "personalised advertising" option in their Google account settings. Even then, however, no personal data or user profiles are made available to us; they remain anonymous to us.

If you do not wish to use "Google Signals", you can deactivate the "personalised advertising" option in your Google account settings.

f. Google Optimize

We use Google Optimize, a service provided by Google. This analyses the use of different variants of the website so that we are able to adapt the user-friendliness to the behaviour of the website users. Google Optimize is a tool integrated into Google Analytics and uses cookies. The IP address received in this way is anonymised immediately after processing. In exceptional cases, the full IP address is transmitted to a Google server in the USA and encrypted there. The transmitted IP address is not merged with other Google data. You can manage and revoke the storage of cookies at any time by making the appropriate setting in the consent management solution. You can find more information at: https://policies.google.com/privacy?hl=de

g. Facebook Pixel

We use the so-called "Facebook pixel", provided by the social network Facebook, which is operated by Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland, and Meta Platforms Inc., 1601 Willow Road, Menlo Park, CA 94025, USA, on our websites. The Facebook pixel allows Facebook to identify visitors to our site as the target audience for displaying ads (so-called "Facebook ads"). Accordingly, we use the Facebook pixel to display Facebook ads placed by us only to Facebook users who have shown an interest in our websites or who have certain characteristics (e.g. interests in certain topics or products determined by the websites visited) that we submit to Facebook (so-called "custom audiences").

By using the Facebook pixel, we also seek to ensure that our Facebook ads are in line with users' potential interests and do not appear annoying. By using the Facebook pixel, we can also track the effectiveness of Facebook ads for statistical and market research purposes by seeing whether users were redirected to our websites after clicking on a Facebook ad (a so-called "conversion").

The Facebook pixel is integrated by Facebook as soon as you visit our website and can store a cookie on your device. If you subsequently log in to Facebook, or visit Facebook while logged in, your visit to our website will be recorded in your profile. The data collected about you is anonymous for us and thus does not allow us to identify the users. However, the data are stored and processed by Facebook, so that a connection to the respective user profile is possible. The data may therefore be used by Facebook for its own market research and advertising purposes.

If we transmit data to Facebook for comparison purposes, they are encrypted locally in the browser and only then sent to Facebook via a secure https connection. This is done solely for the purpose of establishing a comparison with the data that are encrypted by Facebook to a similar degree.

In addition, when using the Facebook pixel we use the additional function "extended comparison" in which data for the creation of target groups ("custom audiences" or "lookalike audiences") are transmitted encrypted to Facebook.

Facebook's processing of the data is governed by Facebook's privacy policy. For specific information and details about the Facebook pixel and how it works, visit the Facebook help centre.

You may opt out of collection and use of your data by the Facebook pixel for the purpose of displaying Facebook ads. To control the types of ads you see within Facebook, you can visit the corresponding page on Facebook and follow the guidelines on settings for usage-based ads. You may also opt out of the use of cookies for reach measurement and advertising purposes via the deactivation page of the Network Advertising Initiative. Further opt-out options can be found here: http://www.aboutads.info/choices and here: http://www.youronlinechoices.com/uk/your-ad-choices/

The legal basis for the aforementioned data processing is your consent in accordance with Article 6(1)(a) GDPR. You can withdraw your consent at any time with prospective effect.

25. Social media profiles

We have included links to our profiles on the social networks operated by the following providers on our websites:

  • Facebook, operated by Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland, and Meta Platforms Inc., 1601 Willow Road, Menlo Park, CA 94025, USA,

  • Instagram Inc., 1601 Willow Road, Menlo Park, CA 94025, USA,

  • Twitter Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA,

  • YouTube, operated by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland,

  • Pinterest Inc., 635 High Street, Palo Alto, CA, 94301, USA,

  • LinkedIn Unlimited Company, Wilton Place, Dublin 2, Ireland,

  • TikTok, TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, D02 T380, Ireland, and

  • Giphy, Giphy Inc., 416 W 13th Street, Suite 207, New York, NY 10014.

If you click on the icons of the social networks, you will be automatically re-directed to our profile on the respective network. This creates a direct connection between your browser and the server of the respective social network. This will inform the network that you have visited our websites with your IP address and have clicked on the link.

If you click on a link to a network while you are logged into your account on that network, the content of our websites can be linked to your profile so that the network can link your visit to our website directly to your account. If you want to prevent this, you should log out before clicking on the corresponding links. A connection between your access to our websites and your user account will always take place when you log in to the respective network after clicking on the link. The respective provider is the controller in terms of data protection law for the data processing associated with this. Therefore, please refer to the information on the network's website.

The legal basis for any data processing that may be attributed to us is our legitimate interest within the meaning of Article 6(1)(f) GDPR in the use and promotion of our social media profiles.

26. Social media plugins

We use social plugins ("plugins") from social networks on our websites. In order to increase the protection of your data when visiting our websites, the plugins are integrated in such a way that when a page of our websites containing such plugins is visited, a connection is not initially established with the servers of the provider of the respective social network. Only when you activate the plugins and give your consent to the transfer of data does your browser establish a direct connection to the servers of the respective social network. The content of the respective plugin is then transmitted by the associated provider directly to your browser and is embedded in the page. When you click on the relevant social network icons, you will be linked to the relevant social network in order to perform the selected functionality, e.g. to share content on Facebook. To do this, however, you must log in to your user account or be already logged in.

We make plugins from the following social networks available to you:

  • Facebook, operated by Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland, and Meta Platforms Inc., 1601 Willow Road, Menlo Park, CA 94025, USA,

  • LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2 Ireland,

  • Pinterest Inc., 635 High Street, Palo Alto, CA, 94301, USA, and

  • Twitter Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA.

If you select one of the provided functionalities and click on the icon of the relevant social network, a direct connection will be established between your browser and the server of the relevant social network. This will inform the network of the fact that you have visited our websites with your IP address and of the link you have visited. If you click on a link to a social network while logged into your account on that social network, the content of our websites may be linked to your social network profile. This means that the social network can assign your visit to our websites directly to your user account. If you would like to prevent this, you should log out before clicking on the corresponding links. An assignment will always take place when you log in to the relevant network after clicking on the link.

For more information about the purpose and scope of data collection and the further processing and use of the data by the respective social network, as well as your rights in this respect and configuration options for protecting your privacy, please see the social network's privacy policy.

D. Further information

27. Retention period

We store personal data only for as long as is necessary for implementing the processing in connection with our legitimate interest explained in this Data Protection Policy. In the case of contract data, storage is required by statutory retention obligations. Provisions that obligate us to retain data result from accounting provisions and tax law. In accordance with these provisions and laws, business communications, concluded contracts, and booking receipts in particular must be retained for a period of up to 10 years. If we no longer need these data for performing the services for you, they are blocked. This means that the data may be used only if this is necessary to fulfil the retention obligations or to defend and enforce our legal interests. Data will be deleted as soon as there is no longer any obligation to retain them or any legitimate interest in doing so.

28. Disclosure of data to third parties

We disclose your personal data only if you have expressly consented to it, if there is a statutory obligation to do so, or if this is necessary for the purpose of enforcing our rights, including the enforcement of claims under the contractual relationship. We also transfer your data to our affiliated companies (see above). In addition, we pass on your data to third parties if this is necessary in connection with the use of the website, our apps or our services or the execution of the contract, if we are obliged by law to do so (e.g. request of a law enforcement authority) or if this is necessary for the enforcement of our claims within the scope of the contractual relationship (e.g. debt collection procedures). The third party’s use of the data passed on is strictly limited to the stated purposes.

Various third-party service providers have been explicitly mentioned in this Data Protection Policy. Another service provider to which personal data are passed or that has or may have access to your personal data is the company that hosts the website, namely Alturos Destinations, Lakeside B03, 9020 Klagenfurt, Austria. The servers are located in the following country: Switzerland. The legal basis for processing the data for this purpose is our legitimate interest pursuant to Article 6(1)(f) GDPR.

Finally, when you make payments on our websites by credit card, we disclose your credit card information to your credit card issuer as well as to the credit card acquirer. If you decide to pay by credit card, you will be asked to enter all mandatory information. The legal basis for data processing for this purpose is the performance of a contract pursuant to Article 6(1)(b) GDPR.

29. Transmission of personal data abroad

We are entitled to transfer your personal data to third-party companies abroad, in particular group companies, if this is necessary within the scope of the processing purpose. As a matter of course, the legal regulations regarding the transfer of personal data to third parties will be complied with in doing so. These companies are obligated to protect data to the same extent that we are. If the level of data protection in a country does not correspond to that of Swiss or EU data protection law, we ensure by contract that the protection of your personal data corresponds to that in Switzerland or that of the European Economic Area (EEA).

30. Notice concerning the transmission of data to the United States

Some of the third-party service providers mentioned in this Data Protection Policy are based in the United States. For reasons of completeness, we make users with a place of residence or domicile in Switzerland aware of the fact that authorities in the U.S. employ surveillance measures that generally make it possible to store all personal data of all persons whose data have been transmitted from Switzerland or the EU to the U.S. This takes place without differentiation, restriction, or exception on the basis of the aim pursued and without an objective criterion that makes it possible to restrict the access of U.S. authorities to data and their subsequent use to very specific, strictly limited purposes that are capable of justifying the intrusion associated both with the access to these data and with their use. We also make users aware of the fact that no legal remedies are available in the U.S. for data subjects from Switzerland or the EU that enable them to access the data concerning them and to obtain their rectification or erasure and that there is no effective judicial protection against general intrusions by U.S. authorities. We make data subjects explicitly aware of this legal and factual situation in order to allow them to make a correspondingly informed decision concerning consent to the use of their data.

We make users with a place of residence in a Member State of the EU or Switzerland aware of the fact that in the opinion of the European Union and Switzerland – among other things, owing to the issues mentioned in this section – the U.S. does not afford an adequate level of data protection. To the extent that we have explained in this Data Protection Policy that recipients of data (such as Google) are domiciled in the U.S., we will ensure through contractual arrangements with these companies and, if required, additional necessary and suitable guarantees which ensure the rights of the persons whose personal data are transmitted to a third country, that your data are subject to an appropriate level of protection by our partners.

31. Data security

We make use of appropriate technical and organisational security measures in order to protect your data that are stored with us against manipulation, total or partial loss, and unauthorised access by third parties. Our security measures are continuously improved in keeping with technological developments.

You should always keep your login data confidential and close the browser window once you end communication with us, particularly where you share the computer with others.

We also take internal data protection very seriously. Our employees and the service companies commissioned by us have been obliged by us to maintain confidentiality and to comply with data protection regulations.

32. Your rights

You can object to data processing at any time. You also have the following rights:

Right of access: You have the right to request access to your personal data stored by us free of charge at any time when we process them. This gives you the opportunity to check what personal data we process about you and that we are using them in accordance with applicable data protection regulations.

Right to rectification: You have the right to have inaccurate or incomplete personal data corrected and to be informed of the correction. In this case, we will inform the recipients of the data concerned of the adjustments made, unless this is impossible or involves disproportionate effort.

Right to erasure: You have the right to have your personal data erased under certain circumstances. The right to erasure may be excluded in a given case.

Right to restriction of processing: You have the right, under certain conditions, to request that the processing of your personal data be restricted.

Right to data portability: In certain circumstances, users outside Switzerland have the right to receive from us the personal data that you have provided to us free of charge in a readable format.

Right to lodge a complaint: You have the right to lodge a complaint with a competent supervisory authority about the way in which your personal data are processed.

Right of withdrawal: As a rule, you have the right to withdraw a given consent at any time with prospective effect. Past processing activities performed on the basis of your consent will not become unlawful by your withdrawal.

To enforce your rights, you can contact us at datenschutz@andermatt-swissalps.ch. If we so choose, we may require proof of identity for processing your request.

33. Minors

We do not seek to collect any personal data of minors. However, we are not always able to verify the age of those who visit and use our websites/apps. If a minor transmits his or her data to us without the permission of his or her parent or guardian, we ask that the parent or guardian contact us so that these data can be erased and the minor will stop receiving any advertising material from us in the future.

Version of November 2023