Privacy Policy
With this privacy policy, we inform you about the processing of personal data in connection with our activities and operations, including our website under the domain name
For individual or additional activities and operations, we may publish further privacy policies or other information regarding data protection.
We are subject to Swiss data protection law as well as any applicable foreign data protection laws, such as those of the European Union (EU) under the European General Data Protection Regulation (GDPR).
The European Commission recognized in its decision of July 26, 2000 that Swiss data protection law ensures an adequate level of data protection. In its report of January 15, 2024, the European Commission confirmed this adequacy decision.
Table of Contents
- 1. Contact Addresses
- 1.1 Data Protection Officers or Advisors
- 1.2 Data Protection Representation in the European Economic Area (EEA)
- 2. Terms and Legal Bases
- 2.1 Terms
- 2.2 Legal Bases
- 3. Type, Scope, and Purpose of Personal Data Processing
- 4. Disclosure of Personal Data
- 5. Communication
- 6. Data Security
- 7. Personal Data Abroad
- 8. Rights of Data Subjects
- 8.1 Data Protection Claims
- 8.2 Legal Protection
- 9. Use of the Website
- 9.1 Cookies
- 9.2 Logging
- 9.3 Tracking Pixels
- 10. Third-Party Services
- 10.1 Digital Infrastructure
- 10.2 Mapping Services
- 10.3 Digital Content
- 10.4 Fonts
- 11. Success and Reach Measurement
- 12. Final Notes on the Privacy Policy
1. Contact Addresses
Responsibility for processing personal data:
Graubünden Ferien
Alexanderstrasse 24
7001 Chur
Switzerland
In individual cases, third parties may be responsible for processing personal data, or there may be joint responsibility with third parties.
1.1 Data Protection Officer or Data Protection Consultant
We have the following Data Protection Officer or Data Protection Consultant as a point of contact for affected persons and authorities regarding inquiries related to data protection:
Manuela Ruinatscha
Graubünden Ferien
Alexanderstrasse 24
7001 Chur
Switzerland
manuela.ruinatscha@graubuenden.ch
1.2 Data Protection Representation in the European Economic Area (EEA)
We have the following data protection representation in accordance with Art. 27 GDPR:
VGS Datenschutzpartner GmbH
Am Kaiserkai 69
20457 Hamburg
Germany
The data protection representation serves as an additional point of contact for affected persons and authorities in the European Union (EU) and the rest of the European Economic Area (EEA) for inquiries related to the GDPR.
2. Terms and Legal Bases
2.1 Terms
Affected Person: A natural person whose personal data we process.
Personal Data: All information relating to an identified or identifiable natural person.
Particularly Sensitive Personal Data: Data concerning trade union, political, religious, or ideological views and activities, data on health, intimate life, or ethnic or racial origin, genetic data, biometric data uniquely identifying a natural person, data on criminal and administrative sanctions or prosecutions, and data on social assistance measures.
Processing: Any handling of personal data, regardless of the methods and procedures used, such as querying, matching, adjusting, archiving, storing, retrieving, disclosing, obtaining, recording, collecting, deleting, making public, arranging, organizing, saving, modifying, distributing, linking, destroying, and using personal data.
European Economic Area (EEA): Member States of the European Union (EU) as well as the Principality of Liechtenstein, Iceland, and Norway.
2.2 Legal Bases
We process personal data in accordance with Swiss data protection law, particularly the Federal Act on Data Protection (Data Protection Act, DPA) and the Ordinance on Data Protection (Data Protection Ordinance, DPO).
We process personal data – insofar as the European General Data Protection Regulation (GDPR) is applicable – based on at least one of the following legal bases:
- Art. 6 para. 1 lit. b GDPR for the necessary processing of personal data to fulfill a contract with the data subject and to carry out pre-contractual measures.
- Art. 6 para. 1 lit. f GDPR for the necessary processing of personal data to protect legitimate interests – including the legitimate interests of third parties – unless the fundamental freedoms, fundamental rights, and interests of the data subject outweigh them. Such interests include, in particular, the continuous, human-friendly, secure, and reliable exercise of our activities, ensuring information security, protection against misuse, enforcement of legal claims, and compliance with Swiss law.
- Art. 6 para. 1 lit. c GDPR for the necessary processing of personal data to fulfill a legal obligation to which we are subject under applicable law of the member states in the European Economic Area (EEA).
- Art. 6 para. 1 lit. e GDPR for the necessary processing of personal data to perform a task carried out in the public interest.
- Art. 6 para. 1 lit. a GDPR for the processing of personal data with the consent of the data subject.
- Art. 6 para. 1 lit. d GDPR for the necessary processing of personal data to protect the vital interests of the data subject or another natural person.
- Art. 9 para. 2 ff. GDPR for the processing of special categories of personal data, particularly with the consent of the data subjects.
The European General Data Protection Regulation (GDPR) refers to the processing of personal data as the processing of personal data and the processing of particularly sensitive personal data as the processing of special categories of personal data (Art. 9 GDPR).
3. Type, Scope, and Purpose of Processing Personal Data
We process personal data that is necessary to sustainably, humanely, securely, and reliably conduct our activities. The processed personal data may fall into the categories of browser and device data, content data, communication data, metadata, usage data, master data including inventory and contact data, location data, transaction data, contract data, and payment data.
We also process personal data that we receive from third parties, obtain from publicly accessible sources, or collect while conducting our activities, as long as such processing is legally permitted.
We process personal data as necessary, with the consent of the data subjects. In many cases, we may process personal data without consent, for example, to fulfill legal obligations or to safeguard overriding interests. We may also seek consent from data subjects when their consent is not required.
We process personal data for the duration necessary for the respective purpose. We anonymize or delete personal data, particularly depending on statutory retention and limitation periods.
4. Disclosure of Personal Data
We may disclose personal data to third parties, have it processed by third parties, or process it jointly with third parties. Such third parties primarily include specialized service providers whose services we use.
We may disclose personal data to banks and other financial service providers, authorities, educational and research institutions, consultants and lawyers, interest groups, IT service providers, cooperation partners, credit and economic information agencies, logistics and shipping companies, marketing and advertising agencies, media, organizations and associations, social institutions, telecommunications companies, and insurance companies.
5. Communication
We process personal data to communicate with individuals, authorities, organizations, and companies. In doing so, we primarily process data provided to us by a data subject when contacting us, for example, by mail or email. We may store such data in an address book or comparable tools.
Third parties who transmit data about other people to us are required to ensure the data protection of these data subjects independently. They must particularly ensure that such data is correct and can be transmitted.
6. Data Security
We take appropriate technical and organizational measures to ensure data security appropriate to the respective risk. With our measures, we particularly ensure the confidentiality, availability, traceability, and integrity of the processed personal data, although absolute data security cannot be guaranteed.
Access to our website and other online presence is encrypted using transport encryption (SSL / TLS, especially with Hypertext Transfer Protocol Secure, abbreviated HTTPS). Most browsers warn against visiting websites without transport encryption.
Our digital communication is subject – like any digital communication – to mass surveillance without cause or suspicion by security authorities in Switzerland, Europe, the United States of America (USA), and other countries. We have no direct influence on the processing of personal data by intelligence services, police departments, and other security authorities. We also cannot rule out that a data subject is specifically monitored.
7. Personal Data Abroad
We primarily process personal data in Switzerland and the European Economic Area (EEA). However, we may also export or transfer personal data to other countries, particularly to process or have it processed there.
We may export personal data to all countries on Earth and elsewhere in the universe, provided that the local law ensures adequate data protection in accordance with the decision of the Swiss Federal Council and – where applicable – also under the decision of the European Commission.
8. Rights of Data Subjects
8.1 Data Protection Claims
We grant data subjects all rights in accordance with applicable data protection laws. Data subjects in particular have the following rights:
- Access: Data subjects can request information on whether we process personal data about them and, if so, which personal data is involved. Data subjects also receive the information necessary to assert their data protection rights and ensure transparency. This includes the processed personal data itself, as well as details on the purpose of processing, retention period, any disclosure or transfer of data to other countries, and the source of the personal data.
- Correction and Restriction: Data subjects can correct incorrect personal data, complete incomplete data, and request the restriction of processing their data.
- Deletion and Objection: Data subjects can request the deletion of their personal data ("Right to be Forgotten") and object to the processing of their data with effect for the future.
- Data Release and Transfer: Data subjects can request the release of personal data or the transfer of their data to another responsible party.
We may defer, restrict, or refuse the exercise of data subjects' rights to the extent legally permissible. We may inform data subjects of any prerequisites that must be met to exercise their data protection rights. For example, we may refuse access based on confidentiality obligations, overriding interests, or the protection of other individuals. Likewise, we may refuse the deletion of personal data, particularly if there are legal retention obligations.
In exceptional cases, we may impose costs for exercising rights. We will inform data subjects in advance about any potential costs.
We are obligated to reasonably verify the identity of data subjects who request access or assert other rights. Data subjects must cooperate in this process.
8.2 Legal Protection
Data subjects have the right to assert their data protection rights through legal proceedings or to file a complaint with a data protection supervisory authority.
The data protection supervisory authority for private controllers and federal authorities in Switzerland is the Federal Data Protection and Information Commissioner (FDPIC).
European data protection supervisory authorities are organized as members of the European Data Protection Board (EDPB). In some member states of the European Economic Area (EEA), data protection supervisory authorities are structured federally, particularly in Germany.
9. Use of the Website
9.1 Cookies
We may use cookies. Cookies – both first-party cookies and third-party cookies from services we use – are data stored in the browser. Such stored data is not necessarily limited to traditional text-based cookies.
Cookies may be stored temporarily as "session cookies" or for a specific period as "persistent cookies." "Session cookies" are automatically deleted when the browser is closed. Persistent cookies have a defined storage duration. Cookies allow a browser to be recognized on subsequent visits to our website and, for example, help measure the reach of our website. Persistent cookies may also be used for online marketing.
Cookies can be deactivated or deleted at any time in the browser settings. Without cookies, our website may not be fully available. We request – at least where and to the extent required – explicit consent for the use of cookies.
For cookies used for performance and reach measurement or advertising, a general opt-out is possible via services such as AdChoices (Digital Advertising Alliance of Canada), the Network Advertising Initiative (NAI), YourAdChoices (Digital Advertising Alliance), or Your Online Choices (European Interactive Digital Advertising Alliance, EDAA).
9.2 Logging
We may log the following data for each access to our website and other online presence, provided it is transmitted to our digital infrastructure: date and time including time zone, IP address, access status (HTTP status code), operating system including user interface and version, browser including language and version, specific sub-pages accessed on our website including transferred data volume, and the last page visited in the same browser window (Referrer).
We log such data, which may also include personal data, in log files. These records are necessary to provide our online presence in a reliable, user-friendly, and secure manner. They also help ensure data security – including through third parties or with the help of third parties.
9.3 Tracking Pixels
We may integrate tracking pixels into our online presence. Tracking pixels, also known as web beacons, are usually small, invisible images or JavaScript scripts that are automatically loaded when our online presence is accessed. Tracking pixels – including those from third-party providers whose services we use – can capture at least the same data as log files.
10. Third-Party Services
We use services from specialized third parties to conduct our activities in a sustainable, user-friendly, secure, and reliable manner. Such services allow us, among other things, to embed functions and content into our website. When such content is embedded, the services used may, for technical reasons, temporarily collect users' IP addresses.
For necessary security, statistical, and technical purposes, third parties whose services we use may process data in connection with our activities in an aggregated, anonymized, or pseudonymized manner. This may include performance or usage data required to provide the respective service.
We specifically use:
- Google Services: Providers: Google LLC (USA) / Google Ireland Limited (Ireland), partially for users in the European Economic Area (EEA) and Switzerland; General information on data protection: "Privacy and Security Principles", "More information on how Google uses personal data", Privacy Policy, "Google's commitment to compliance with applicable data protection laws", "Privacy Guide for Google Products", "How we use data from websites or apps where our services are used", "Types of cookies and similar technologies used by Google", "Ads you can influence" ("Personalized Ads").
10.1 Digital Infrastructure
We use services from specialized third parties to utilize the necessary digital infrastructure in connection with our activities and operations. This includes, for example, hosting and storage services from selected providers.
We specifically use:
- exigo: Hosting; Provider: exigo ag (Switzerland); Data protection information: Privacy Policy, «Data Protection / Security».
10.2 Maps
We use third-party services to embed maps into our website.
We specifically use:
- OpenStreetMap (OSM): Map service; Provider: OpenStreetMap Foundation (United Kingdom); Data protection information: Privacy Policy.
10.3 Digital Content
We use services from specialized third parties to integrate digital content into our website. Digital content includes, in particular, images, video material, music, and podcasts.
We specifically use:
- YouTube: Video platform; Provider: Google; YouTube-specific information: "Privacy and Security Center", "My Data on YouTube".
10.4 Fonts
We use services from third parties to embed selected fonts as well as icons, logos, and symbols into our website.
We specifically use:
- MyFonts (by Monotype): Fonts; Providers: Monotype Imaging Holdings Inc. (USA) / MyFonts Inc. (USA); Data protection information: "Your Privacy", Privacy Policy, "Web Font Tracking Privacy Policy".
11. Performance and Reach Measurement
We attempt to measure the success and reach of our activities and operations. In this context, we may also evaluate the effectiveness of third-party references or analyze how different parts or versions of our online offering are used ("A/B Testing" method). Based on the results of performance and reach measurement, we can fix errors, strengthen popular content, or implement improvements.
For performance and reach measurement, the IP addresses of individual users are generally collected. In this case, IP addresses are usually shortened ("IP Masking") to ensure pseudonymization and follow the principle of data minimization.
Cookies may be used for performance and reach measurement, and user profiles may be created. These profiles may include information about visited pages or viewed content on our website, screen or browser window size, and at least the approximate location. Generally, any created user profiles are exclusively pseudonymized and not used to identify individual users. Some third-party services where users are logged in may link the use of our online offering to their user account or profile.
We specifically use:
- Google Marketing Platform: Performance and reach measurement, particularly with Google Analytics; Provider: Google; Google Marketing Platform-specific information: Cross-browser and cross-device measurement (Cross-Device Tracking) using pseudonymized IP addresses, which are only exceptionally fully transmitted to Google in the USA, Google Analytics Privacy Policy, "Browser Add-on to Disable Google Analytics".
- Google Tag Manager: Integration and management of Google and third-party services, particularly for performance and reach measurement; Provider: Google; Google Tag Manager-specific information: Google Tag Manager Privacy Policy.
12. Final Notes on the Privacy Policy
We have created this privacy policy using the privacy policy generator from Datenschutzpartner. The present privacy policy is an unofficial translation of the original German version.
We may update this privacy policy at any time. We will provide information about updates in an appropriate manner, particularly by publishing the latest version of the privacy policy on our website.