Information on the processing of your data
Thank you for your interest in data protection in our hotel and on our website. The basic European data protection regulation also affects our hotel in Switzerland. With this documentation we inform you about the processing of your personal data by Neueret AG in the context of the use of our services.
Responsible for data processing
NEUERET AG
Hotel LE GRAND CHALET
Neueretstrassse 43
3780 Gstaad
Telefon : +41 33 748 76 76
Telefax : +41 33 748 76 77
E-Mail: hotel@grandchalet.ch
Sales tax identification number: CHE-101.523.005
- purpose and scope
The present data protection concept of Neueret AG/Hotel Le Grand Chalet takes into account the importance and significance of data protection in the sense of respecting the privacy and personal rights of its guests, its employees and, if applicable, also its business partners. It forms the binding basis for all data protection-relevant measures and activities at Neueret AG/Hotel Le Grand Chalet, namely for the processing of
– Personal data of guests;
– Personal data of employees, including data on job applicants and former employees;
– information on business partners and other third parties, insofar as personal data is concerned.
2.Legal basis
The basis for this data protection concept is the Federal Law on Data Protection of 25 September 2020 (DSG; SR 235.1) and the Ordinance on Data Protection of 31 August 2022 (DSV; SR 235.11) as well as the data protection law of the Canton of Bern if applicable.
- terms
Important terms are defined in Appendix 1.
- scope of application
This data protection concept applies to all bodies and employees of Neueret AG/Hotel Le Grand Chalet who process personal data in the course of fulfilling their functions and duties.
It also applies to external persons and companies, provided that they undertake to comply with it by means of a corresponding written agreement.
- objective
The main objective of this concept is to guarantee the protection of the personality of natural persons against unlawful or disproportionate processing of the data of persons in accordance with point 1. This concept is intended as a binding guideline to support all persons working for Hotel Le Grand Chalet in acting on their own responsibility in accordance with data protection law.
By implementing this objective, Neueret AG/Hotel Le Grand Chalet also avoids material disadvantages and damage to its image that could arise as a result of actions contrary to data protection.
6. Principles of data protection
6.1 Legality
Data processing is lawful if it is justified by the consent of the person concerned, a legal authorization or an overriding public or private interest.
6.2 Proportionality
The collection of data must be necessary and there must be an overriding interest in the collection. Data collection on a retained basis is unlawful; data that is no longer required must be destroyed.
6.3 Purpose limitation
Data may only be processed for the purpose stated when the data was collected. Your data may not be processed for any purpose that is not apparent to the data subject.
6.4 Transparency
Data collection and processing must be clearly recognizable. The necessary information should be obtained directly from the data subject.
6.5 Data quality
It must be ensured that the processed data is correct, complete and up-to-date. Incorrect and incomplete data must be corrected or destroyed.
6.6 Good faith
Contradictory and abusive behavior is inadmissible.
7. Data Security: Measures
Organizational and technical measures shall be taken to ensure data protection and to protect personal data in particular from access by unauthorized persons, misuse, destruction, loss, technical errors, forgery, theft, etc.
7.1 Organizational measures
Access to personal data at Neueret AG/ Hotel Le Grand Chalet is based on the principle of “as much as necessary, as little as possible”.
The data protection officer, in cooperation with the relevant management personnel, therefore regulates for each data collection who has access to personal data and under what conditions, and how this is to be monitored.
He/she keeps a register of processing activities in accordance with the legal requirements and keeps it up to date.
He/she shall also regulate who is granted access to archived data.
7.2 Technical measures
The protection of electronically processed data is ensured in particular by the use and regular comprehensive encryption, the use of firewalls, virus protection programs, etc. and the logging of access.
Access and personal data carrier controls prevent unauthorized persons from accessing, modifying, destroying, stealing, etc. data.
7.3 Archiving
Personal data that is no longer required for processing is processed in accordance with the guidelines of the data protection officer and archived for the defined period.
7.4 Destruction
Data of minor importance is destroyed (physically destroyed or irretrievably deleted electronically) immediately after the purpose of processing has been achieved. The data protection officer shall determine the details.
- rights of the persons concerned
The following instructions are intended to ensure that situations that regularly occur in everyday life are handled correctly in terms of data protection law.
8.1 Clarification/Orientation
Guests and employees are informed of their rights and obligations under data protection law upon entry.
The data protection officer will then inform them appropriately about the acquisition of personal data concerning them.
8.2 Right to information/inspection
The person affected by the processing of his/her data may request information about the collection, origin, content, purpose, category and legal basis and inspect the data collection. They also have the right to be informed of the parties involved in the collection and the recipients of the data.
The person requesting information or inspection must prove his or her identity.
The information must be provided within 30 days in a generally comprehensible manner, in writing and free of charge.
The provision of information and the right of inspection may exceptionally be restricted or refused if important and overriding public interests or interests of third parties that are particularly worthy of protection conflict with this.
If there is a risk that the person concerned (especially minors) could be subjected to too great a burden by providing or inspecting information, he or she may designate another person to provide information or be granted access in his or her place.
Illegally or incorrectly processed as well as incorrect data must be corrected or destroyed.
8.4 Blocking/refusal of data disclosure
Any data subject may have the disclosure of his/her data blocked if he/she can prove an interest worthy of protection. This does not apply if the disclosure of data constitutes a legal obligation, is necessary due to the overriding interests of third parties, or is required to clarify suspected abusive actions on the part of the data subject.
9 .Logica
The following instructions are intended to ensure that situations that regularly occur in everyday life are handled correctly in terms of data protection law:
9.1 Conduct in the case of telephone and written inquiries
Personal data may not be passed on to outsiders without the express consent of the person concerned or without corresponding legal permission.
In the case of telephone inquiries, it must be ensured that the person making the inquiry is clearly identified. If telephone conversations are recorded, this must be pointed out and the consent of the other party must be obtained.
9.2 Principles of e-mail use
E-mails can be read or changed by third parties. In principle, therefore, as little personal data as possible should be transmitted by e-mail and it should not contain any sensitive information or details of passwords and other access data.
Data requiring special protection may only be transmitted by e-mail in encrypted form, unless the person concerned has made a written declaration to the contrary.
Personal data processed for professional purposes may not be stored on private devices.
In addition, the provisions in the regulations of Hotel Le Grand Chalet on the use of IT must also be observed.
9.3 Use of image/sound recordings
Only persons who have given their consent to this may be recorded in pictures, films and/or sound recordings.
The consent of the person concerned must be given voluntarily, expressly and after prior clarification of the purpose and use of the recordings. Consent may be given in writing or – if several persons are present – verbally or non-verbally and must be documented.
10. Responsibilities
- responsibilities
10.1 Management
Management is responsible at the strategic level for ensuring data protection at Neueret AG/ Hotel Le Grand Chalet.
It includes data protection as a relevant topic in its risk management system and assesses the corresponding risks in a strategically level-appropriate manner.
It issues this data protection concept and reviews it regularly.
10.2 Management
The management, in cooperation with the data protection officer, is responsible for the implementation of this concept and for compliance with data protection requirements in the context of all data processing at the operational level.
It shall ensure in an appropriate manner that all employees are regularly sensitized to data protection issues and informed about the requirements of this concept and their application in their daily work.
10.3 Data Protection Officer
The data protection officer shall perform the tasks within the company in accordance with the legislation and the specifications.
He/she is the contact person internally and externally for all questions regarding data protection.
He/she checks the legality of data processing at Neueret AG/ Hotel Le Grand Chalet.
He/she has the right to issue instructions insofar as this is necessary for compliance with the legislation and the implementation of this concept.
He/she shall submit reports to the federal and/or cantonal data protection officers as necessary.
He/she reports regularly to the Board of Directors and the Executive Board on the data processing of Hotel Le Grand Chalet, pointing out identified risks and making recommendations for possible improvements. He/she informs immediately about special incidents of major importance.
He/she shall conduct regular data protection audits and, if necessary, call in external support for this purpose.
He/she shall be available to the Board of Directors, the Executive Board, the Head of HR, employees and guests for advice on data protection issues.
10.4 Head of HR
The Head of HR is responsible for the careful and data-protection-compliant processing of employees’ personal data in the context of HR work.
10.5 Managers
Supervisors at all levels act as role models and encourage employees to take data protection into account in their actions at the workplace.
They are responsible for the enforcement of and compliance with data protection in their areas of responsibility, in particular within the framework of this concept and the business processes.
In cooperation with the data protection officer, they shall ensure that employees are made aware of data protection issues and receive action-oriented guidance.
10.6 Employees
All employees of Hotel Le Grand Chalet who process personal data are responsible for data protection and act in particular in accordance with this concept and the instructions of the data protection officer.
In the event of questions or uncertainties, they shall contact their superiors or the data protection officer.
This concept is valid from September 1, 2023
Gstaad
Hotel Le Grand Chalet
Pedro Ferreira, Co-Director and Data Protection Officer