Bullseye! Have you found the perfect apartment at MyStay for your stay while studying or working in Mendrisio? Then we recommend you send us your filled out registration form right away. We look forward to welcoming you!
PRIVERA AG operates the my-stay-mendrisio.ch website and is therefore responsible for the collection, processing and use of your personal data and for assuring compliance of its data processing activities with Swiss law.
We set great store by your trust. That is why we take the subject of data protection seriously and maintain appropriate security. We do of course comply with the statutory provisions of the new Swiss Data Protection Act (nDSG), the Ordinance implementing the Swiss Data Protection Act (VDSG), the Telecommunications Act (FMG) and, where applicable, other provisions of data protection law, in particular the General Data Protection Regulation of the European Union (GDPR).
Please read the following information to find out which of your personal data we collect and for what purposes we use that data.
1. What is the purpose of this data protection declaration?
Privera AG (hereinafter also “we”, ”us”) procures and processes personal data about you and other persons (known as “third parties”). We use the term “data” as a synonym for “personal data” or “data relating to persons.”
“Personal data” are data that refer to identified or identifiable persons, i.e. conclusions as to their identity can be reached on the basis of the data as such or with suitable additional data. “Personal data meriting special protection” are a category of personal data that benefits from particular protection under the applicable data protection law. Personal data meriting special protection include e.g. data from which racial and ethnic origin can be determined, together with healthcare data, information about religious convictions or world views, biometric data for identification purposes and information about trade union membership. In Section 3, you will find details of the data that we process in the context of this data protection declaration. “Processing” means all handling of personal data, such as procurement, storage, use, adaptation, notification and erasure.
In this data protection declaration we explain what we do with your data when you use our website my-stay-mendrisio.ch, procure our services, are in contact with us otherwise under the terms of a contract, communicate or have other dealings with us. Should the need arise, we will inform you by means of a timely written notification of any further processing activities that are not mentioned in this data protection declaration. Furthermore, we may let you know separately how your data are processed, e.g. in declarations of consent, terms and conditions of contract, further data protection declarations, forms and notices.
If you transfer or notify data about other persons, such as family members, work colleagues etc. to us, we assume that you have been authorised to do so and that these data are accurate. By transferring data about third parties you confirm that to be the case. Please also make sure to inform these third parties of this data protection declaration.
2. Who is responsible for processing your data?
Privera AG, with registered office in Gümligen, is legally responsible under the terms of data protection law for the data processing operations described in this data protection declaration, unless otherwise stated in any particular case, e.g. in further data protection declarations, on forms or in contracts. This data protection declaration is applicable unless otherwise specified including, as appropriate, in cases where a member company of the Valores Group instead of us is responsible. That is the case in particular when your data are processed by any such group member company in connection with your own legal obligations or contracts or if you share data with a group member company. In such cases, that group member company is the entity responsible and only if you share your data with other group member companies for their own purposes (see Section 6) do those other group member companies also become the responsible entities.
You can reach us at the following address on data protection matters and to exercise your rights as set out in Section 10:
We process various categories of data about you. The most important categories are listed below:
Technical data: if you use our website or other electronic offers (such as free WLAN), we record the IP address of your terminal device and other technical data in order to assure the functionality and security of these offers. These data also include protocols in which the use of our systems is recorded. As a rule, we retain technical data for three months. A longer time limit may apply if that is necessary to comply with statutory or contractual requirements or for technical reasons. To assure the functionality of these offers, we may also assign an individual code to you or to your terminal device (e.g. in the form of a cookie, see also Section 11). The technical data as such do not on principle allow your identification. In connection with user accounts, registrations, access checks or contract performance, they may, however, be linked to other data categories (and therefore possibly also to your person).
Technical data include e.g. the IP address and details of your terminal device’s operating system, the date, region and time of use and the type of browser with which you access our electronic offers. That may help us to communicate the correct website formatting. Based on the IP address we do in fact know via which provider you access our offers (and hence also the region), but we cannot as a rule determine your identity from that information.
Registration data: some offers and services (such as free WLAN access) can only be used if a user account or registration has been set up or made either directly with us or via our external login service providers. For this purpose you must let us have certain data and we collect those data on the user of the offer or of the service. Registration data may be needed for checks on access to certain facilities. As a rule, we retain registration data for twelve months after use of the service has ceased or the user account has been closed. That time limit may be extended if necessary to comply with legal or contractual requirements or for technical reasons.
Registration data include e.g. the details you provide when you set up an account on our website (such as username, password, name, email). Registration data likewise include data which we may require you to provide before you can make use of certain services without charge, e.g. our WLAN service. You must also register if you wish to subscribe to our newsletter.
Communication data: if you contact us using the contact form, by email, telephone, letter or other means of communication, we collect the data exchanged between you and us, including your contact data and peripheral communication data. If we wish, or are obliged, to ascertain your identity, e.g. to respond to a request for information made by you, we collect data in order to identify you (such as a copy of an identity document). As a rule, we retain such data for twelve months after the last exchange with you. That time limit may be extended if necessary to provide evidence or to comply with legal or contractual requirements or for technical reasons. As a rule, emails and written correspondence are retained for at least ten years.
Communication data are your name and contact details, the method and place and time of the communication and as a rule also its content (i.e. the content of emails, letters etc.). These data may also include details of third parties.
Master data: we use the term master data to denote the basic data that we require alongside the contractual data (see below) to handle our contractual and other business relations or for marketing and advertising purposes, such as your name, contact data and information e.g. about your role and function, your bank account(s), your date of birth, customer history, powers of attorney, authorities to sign and declarations of consent. We process your master data if you are a customer or other business contact or work on behalf of such a person (e.g. as the contact person for the business partner) or because we wish to contact you for our own purposes or for those of a contractual partner (e.g. for marketing and advertising purposes, invitations to events, newsletters etc.). We receive master data from you personally (e.g. when the business relationship is opened), from entities for which you are active or from third parties such as our contracting partners, federations and from sources that are accessible to the public, such as public registers or the Internet (websites, social media etc.). In the master data context, we may also process details of third parties. As a rule we retain such data for ten years from the last exchange with you, but at least from the expiry of the contract. This time limit may be extended if that is necessary to provide evidence or to comply with legal or contractual requirements or for technical reasons.
Master data include e.g. data such as name, address, email address, telephone number and other contact data, gender, date of birth, nationality, information about affiliated persons, websites, photos and videos, copies of identity documents as well as information about your relationship with us (customer, supplier, receiver of services etc.), details of your status with us, allocations, classifications and distribution lists, information about our interactions with you (possibly their history with corresponding entries), reports (e.g. from the media) or official documents e.g. commercial register extracts, licences etc.) concerning you. As payment details we collect e.g. your banker’s name and account number. Consent or blocking notices also count as master data, as do particulars of third parties such as contact persons, recipients of services or representatives.
In the case of our customers’ contact persons and representatives, suppliers and partners, we process such master data as name and address, details of the role, function in the company concerned, qualifications and, as appropriate, details of superiors, colleagues and subordinates, as well as information on interactions with such persons.
Not all master data are collected for all contacts. The specific data that we collect in each individual case will depend in particular on the purpose of the processing.
Contract data: these are data obtained in connection with the closing or performance of a contract, e.g. information about contracts and the services to be provided or which have been provided, together with data from the lead-up to completion of a contract, the details required or used for implementation and details about reactions (e.g. complaints or information about satisfaction etc.). As rule, we collect such data from you, from contractual partners and from third parties involved in contract performance, as well as from third party sources (such as public authorities, credit rating agencies) and from sources that are accessible to the public. We retain such data as a rule for ten years from the last contractual activity or at least from the expiry of the contract. This time limit may be extended if that is necessary to provide evidence or to comply with legal or contractual requirements or for technical reasons.
Contract data include information about the closing of the contract, about your contracts, e.g. nature and date of contract closing, details of the application process (e.g. an application to use our services) and particulars of the relevant contract (e.g. its lifetime) and the performance and management of the contracts (e.g. information in connection with billing and enforcement of rights under the contract). Contract data likewise include information about defects, complaints and amendments of the contract terms, together with information about customer satisfaction that we may obtain e.g. by means of surveys. Contract data likewise include financial data such as information about creditworthiness (i.e. information that enables a conclusion to be drawn as to the likelihood that claims will be settled), about payment reminders and debt collection. We receive some of these data from you (e.g. when you make payments) and some also from business information providers and debt collection companies, as well as sources open to the public (such as a commercial register).
Other data: we also collect data about you in other situations. For instance, on the occasion of official or legal proceedings data that may also concern you might be obtained (e.g. documents, evidence etc.). We may likewise collect data for health protection reasons (e.g. as part of a protection concept). We may obtain or take photos, videos and audio recordings in which you can be identified (e.g. at events etc.). The time for which such data are retained depends on the purpose and is kept as short as possible.
You yourself provide us with many of the data items referred to in this Section 3 (e.g. on forms, as part of your communication with us, in connection with contracts, when the website is used etc.). You are not obliged to do so, except in specific cases e.g. as part of binding protection concepts (statutory requirements). If you wish to close contracts with us or make use of our services, you are also under a contractual obligation as stipulated in the relevant contract to provide us with data, in particular master data, contract and registration data. When you use our website, technical data will inevitably be processed.
We only provide certain services for you if you let us have registration data because we or our contractual partners wish to know who is making use of our services or has accepted an invitation to an event, because it is necessary for technical reasons or because we wish to communicate with you. If you or a person whom you represent (such as your employer) wishes to close or perform a contract with us, we must collect relevant master, contract and communication data from you and we process technical data if you wish to use our website or other electronic offers for this purpose. If you fail to give us the data needed to close and perform the contract, you must expect us to decline the contract; you may be in breach of contract or we will not perform the contract. Similarly, we can only let you have an answer to an enquiry if we process the necessary communication data and – if you communicate with us online – possibly also technical data. Our website likewise cannot be used unless we process technical data. Use of our website is also not possible unless we receive technical data.
In so far as this is not prohibited, we also procure data from sources that are open to the public (e.g. debt collection registers, land registers, registers of commerce, media or the Internet including social media) or receive data from other member companies of our group, from public authorities and from other third parties.
The categories of personal data that we obtain about you from third parties include in particular details taken from public registers, information that we acquire in connection with official and legal proceedings, details of your professional functions and activities (to enable us e.g. to conclude and perform transactions with your employer with your assistance); information about you in correspondence and in discussions with third parties, credit rating information (in cases where we implement transactions with you personally), information about you provided by persons around you (family members, consultants, legal representatives etc.) to enable us to enter into or perform contracts with you or with your involvement (e.g. references, your address for deliveries, powers of attorney, information about compliance with legal requirements such as the prevention of fraud, money laundering and terrorism and export restrictions, information from banks, insurance companies and distribution and other contracting partners employed by us to enable you to use or provide services (such as payments etc.), your personal details taken from the media and the Internet (to the extent that this is necessary in a specific case, e.g. for candidacies, marketing, press reviews etc.).
4. For what purposes do we process your data?
We process your data for the purposes explained below. Further information about the online sector will be found in Sections 11 and 12. These purposes or the objectives on which they are based constitute legitimate interests on our part and possibly also on that of third parties. You will find further information about the legal bases for our processing in Section 5.
We process your data for purposes connected with communication with you, in particular to answer enquiries and enforce your rights (Section 10) and to contact you if we need further information. For this purpose we make particular use of communication data and master data and data in connection with offers and services used by you. We retain these data in order to document our communication with you, for training purposes, for quality assurance and to answer further enquiries.
This concerns all purposes in connection with which you and we communicate, for consultation, authentication in the event of website use etc. We likewise process communication data to enable us to communicate with you by email and telephone, social media, letter and fax. Communication with you generally takes place in connection with other processing purposes, e.g. to enable us to provide services. Our data processing operations are also used to provide evidence of the communication and of its contents.
We process data to establish, administer and implement contractual relationships.
We close contacts of many different kinds with our business and private customers, with suppliers, subcontractors or other contracting partners, such as project partners or parties to legal disputes. For this purpose, we process in particular master data, contract data and communication data of the persons for whom the customer arranges a service.
For business acquisition purposes, personal data – in particular master data, contract data and communication data – for potential customers or other contracting partners (e.g. on an order form or in a contract) are collected by us or obtained from a communication. Likewise in connection with the closing of a contract, we process data to review creditworthiness and to open a customer relationship. This information is sometimes reviewed to comply with legal requirements.
In the context of the performance of our contractual relations, we process data to administer the customer relationship, to provide and procure contractual services (this also involves the use of third parties such as banks and insurance companies), for consultancy and for customer care. The enforcement of legal claims arising out of contracts (debt collection, legal proceedings etc.) is likewise part of implementation, as too are bookkeeping, termination of contracts and such public communication as may be necessary.
We process data for marketing purposes and to maintain our relations, e.g. to send our customers and other contracting partners personalized advertising of our own services or those of third parties affiliated to us. This may be done e.g. in the form of newsletters and other regular contacts (electronically, by post, by telephone), through other channels for which you have provided us with contact information and also on the occasion of individual marketing campaigns (e.g. events). You may decline such contacts at any time (see at the end of this Section 4) or decline or withdraw consent when contact is made for advertising purposes. With your consent, we may also send you our targeted online advertising via the Internet (see Section 11).
For example, with your consent we send you information, advertising and service offers of our own and those of third parties within the Privera AG / Valores Group as printed matter, electronically or by telephone. For this purpose, we process, in particular, communication and registration data. Like most business enterprises we personalize communications to enable us to send you individual information and offers which correspond to your needs and interests. To that end, we link data that we process about you and determine preferred data that we then use as the basis for personalization (see Section 3).
Maintenance of our relationship also includes an approach to existing customers and their contacts – which may be personalized on the basis of data about activity and preferences. In order to maintain relations, we may also operate a Customer Relationship Management-System (“CRM”) in which we store the data about customers, suppliers and other business partners needed to maintain the relationship e.g. about contact persons, history of the relationship (services procured, interactions etc.), interests, wishes, marketing actions (newsletters, invitations to events etc.), together with further details.
We also process your data for market research and to improve our services and our business.
We endeavour to improve our services (including our website) constantly so as to be able to respond quickly to changing needs. To that end, we analyse e.g. the way in which you navigate our website or which particular services are used by which groups of persons in which way and how new services can be designed (for further details, see Section 11). This gives us an idea of the acceptance of existing services by the market and the market potential of new services. For that purpose, we process in particular master data and data on behaviour and preferences, as well as communication data and details obtained from customer questionnaires, surveys and studies and further details e.g. taken from the media, social media, the Internet and from other public sources. Whenever possible, we use pseudonymized or anonymized data for these purposes. We may also call upon media watch services or make our own media observations and when doing so process personal data for media work purposes and in order to understand and respond to the latest developments and trends.
We may also process your data for security purposes and for access checks.
We constantly review and improve the appropriate degree of security of our IT and other infrastructure (including buildings). In common with every business, we cannot rule out breaches of data security with absolute certainty, but we do our utmost to curtail the risks. We therefore process data e.g. for surveillance, verifications, analyses and tests of our networks and IT infrastructures, for system and fault verifications, for documentation purposes and to make backup copies. Access verifications include checks on access to electronic systems (e.g. logging on to user accounts) as well as physical access checks (e.g. entries into buildings). For security purposes (both preventive and to investigate incidents), we also keep access protocols or lists of visitors and employ surveillance systems (such as security cameras).
We process personal data in order to comply with laws, instructions and recommendations of the authorities and internal regulations (compliance).
This includes e.g. measures to prevent money laundering and the financing of terrorism as required by law. In certain cases, we may have to conduct specific investigations of customers (“Know your Customer”) or make reports to the authorities. The performance of obligations to provide information and reports or supervisory obligations and those laid down by tax law also presupposes or entails data processing operations e.g. compliance with archiving duties and the prevention, detection and investigation of criminal acts and other breaches. This also includes the acceptance and processing of complaints and other reports, the supervision of communication, internal investigations or the disclosure of documents to an authority if we have adequate grounds for doing so or are required to do so by law. Your personal data may under certain circumstances likewise be processed when external investigations are made, e.g. by a prosecuting or supervisory authority or by a retained private entity. For all these purposes, we process in particular your master data, your contract data and communication data and, under certain circumstances, also data about your activity and information falling into the ”other data” category. Legal obligations may involve Swiss law and also foreign provisions by which we are governed, as well as self-regulation, branch standards, our own corporate governance and official instructions and requests.
We also process data for our own risk management purposes and as part of our prudent business management, including business organization and business development.
For these purposes we process in particular master data, contract data, registration data and technical data as well as activity and communication data. For instance, as part of our financial management we must supervise our receivables and payables and avoid falling victim to malfeasance and malpractice; this may necessitate the evaluation of data to detect relevant patterns. For these purposes and for your and our own protection we may also engage in profiling and draw up and process profiles. As part of the planning of our resources and the organisation of our business, we must evaluate data about the use of our services and other offers and process or exchange relevant details with other persons (such as outsourcing partners) which may also include your data. The same applies to services provided for us by third parties. For the purposes of business development we may sell businesses, parts of businesses or enterprises to others or acquire them from such other persons or enter into partnerships which may likewise lead to the exchange and processing of data (including your own e.g. as a customer or supplier or as a supplier’s representative).
We may process your data for other purposes, e.g. as part of our internal procedures and administration.
These other purposes include e.g. administrative purposes (such as master data management, bookkeeping and data archiving and the verification, management and ongoing improvement of our IT infrastructure), the safeguarding of our rights (e.g. in order to enforce our claims in the courts, prior to legal proceedings or out of court and in relation to the authorities, both in Switzerland and elsewhere, or to defend ourselves against claims, for instance by securing evidence, making legal investigations and taking part in proceedings in courts or with the authorities) and evaluating and improving our own internal processes. The safeguarding of other legitimate interests is also part of the other purposes which cannot be listed in full.
5. On what basis do we process your data?
In cases where we ask for your consent to certain types of processing, we inform you separately of the purposes for which processing is carried out. You may withdraw your consent at any time with effect for the future by letting us know in writing (by post) or, unless otherwise indicated or agreed, by email addressed to us; you will find our contact details in Section 2. For the withdrawal of your consent to online tracking, see Section 11. As soon as we have received notice of withdrawal of your consent, your data will no longer be processed for the purposes to which you had originally consented unless we have another legal basis for doing so. The withdrawal of your consent does not affect the lawfulness of processing effected on the basis of your previous consent until such time as it is withdrawn.
In cases where we do not ask for your consent to processing, we base the processing of your personal data on the fact that such processing is necessary to prepare or perform a contract with you (or with the entity represented by you) or that we or third parties have a legitimate interest in particular in pursuing the purposes described in Section 4 above and the related objectives and in being able to take appropriate actions. Our legitimate interests include compliance with legal requirements in so far as these are not in any case already acknowledged as a legal basis by the applicable data protection law (e.g. the GDPR, the law applicable in the EEA and in Switzerland). However, this also includes the marketing of our services, our interest in a better understanding of our markets and in running our enterprise, including its operational business, securely and efficiently and in furthering its future development.
If we receive sensitive data (e.g. healthcare data, information about political, religious or philosophical world views or biometric data for identification purposes) we may also process your data on the basis of other legal provisions, e.g. if disputes arise over the need for processing for a particular purpose or for the enforcement of, or defence against, legal claims. In certain specific cases other legal bases may apply; we will notify you of them separately should that be necessary.
6. To whom do we disclose your data?
In connection with our contracts, the website, our services, our legal obligations or otherwise to safeguard our legitimate interests and for the further purposes listed in Section 4, we also transfer your personal data to third parties, in particular to the following categories of recipients:
Service providers: we work with service providers in Switzerland and elsewhere who process data about you on our behalf or in shared responsibility with us or receive data about you from us under their own responsibility (e.g. IT providers, banks, insurance companies).
To enable us to provide our services efficiently and focus on our core competences, we procure services from third parties in many areas. These include e.g. IT services, information dispatch, marketing, distribution, communication or printing services, building management, building security and cleaning, organization and implementation of events and receptions, debt collection, economic information, address checks (e.g. to update address records when removals occur), fraud prevention measures and the services of business consultants, lawyers, banks, insurance and telecommunication companies. We give these service providers the data necessary for them to provide their particular services; such data may also concern you. Furthermore, we sign contracts with these service providers which contain measures to protect the data in cases where such protection is not stipulated by law.
Contracting partners including customers: this means our customers and other contracting partners because data are transferred on the basis of these contracts. If you yourself work for any such contracting partner, we may also transfer data about you to it in this connection..
If you are the employee of an enterprise with which we have signed a contract, processing of that contract may require us to inform the enterprise of such matters as the way in which you have used our service.
Public authorities: we may transfer personal data to public offices, courts of law and other authorities, both in Switzerland and elsewhere, if we are required or entitled to do so by law or if this appears necessary to protect our interests. These authorities process your data that they receive from us under their own responsibility.
Practical cases include e.g. criminal investigations, policing measures (e.g. health protection concepts, prevention of violence etc.), requirements of supervisory law and investigations, legal proceedings, reporting obligations and preparatory and out-of-court procedures, together with legal obligations to provide information and cooperate. Data may also be disclosed if we wish to obtain information from public bodies e.g. to justify an interest in obtaining such information or because we have to name the person about whom we require information (e.g. from a register).
Other persons: this means other cases in which third parties are involved for the purposes stated in Section 4 (e.g. recipients of services).
Other recipients include e.g. different delivery addressees designated by you or other recipients of payments, other third parties including those involved for representation purposes (e.g. if we send your data to your lawyer or bank or to persons involved in proceedings with the authorities or courts of law). As part of our own business development, we may sell or acquire other businesses, parts of businesses, assets or enterprises or enter into partnerships; all this may also entail the disclosure of data (including data about you e.g. as a customer or supplier or supplier’s representative) to the persons involved in such transactions.
All these categories of recipients may themselves use third parties so that your data may also be made available to the latter. We may restrict processing by specific third parties (e.g. IT providers) but cannot restrict processing by other third parties (e.g. public authorities, banks etc
7. Are your personal data also sent abroad?
As explained in Section 6, we also disclose data to other entities. These are not all located in Switzerland. Your data may therefore also be processed in Europe and in exceptional cases in any other country of the world.
If a recipient is located in a country which does not have appropriate legal data protection, we undertake to require the recipient by contract to respect the applicable data protection. For that purpose, we use the European Commission’s revised standard contract clauses which can be consulted here: [https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj] unless he is already governed by legally acknowledged data protection rules and we cannot refer to an exceptional provision. An exception may in particular apply in the case of legal proceedings abroad and also in cases of overriding public interest or if the performance of a contract requires such disclosure, if you have consented or if the data have been made generally accessible by you and you have not objected to their processing.
Many countries outside Switzerland or the EU and the EEA do not at present have laws which assure an adequate standard of data protection within the meaning of the DSG or GDPR. This weaker or non-existent legal protection can be partially offset by the contractual measures referred to above. However, contractual provisions cannot eliminate all the risks (in particular that of government access abroad). You should be aware of these residual risks, even if the risk may be low in any particular case and we take other measures (such as pseudonymization or anonymization) to minimize it.
Please also be aware that data exchanged over the Internet are frequently routed through third countries. Your data may therefore still go abroad even if the sender and receiver are both situated in the same country.
8. For how long do we process your data?
We process your data for as long as the purposes of such processing by us, the legal retention periods and our legitimate interests require processing for documentation and evidential purposes or if storage is necessary for technical reasons. For further information about the duration of storage and processing in any particular case, please refer to the individual data categories in Section 3 or to the cookie categories in Section 11. In the absence of other legal or contractual obligations, we erase or anonymize your data upon the expiry of the storage or processing period as part of our usual processes.
Documentation and evidential purposes include our interest in documenting processes, interactions and other circumstances in the event of legal claims, inaccuracies, for purposes of IT and infrastructure security and to provide evidence of good corporate governance and compliance. Retention may be necessary for technical reasons if certain data cannot be separated from other data and we must therefore retain them all (e.g. in the case of backups or document management systems).
9. How do we protect your data?
We take appropriate security measures in order to safeguard the confidentiality, integrity and availability of your personal data, to protect them against unauthorized or unlawful processing and to avert the risk of loss, unintended alteration, undesired disclosure or illegitimate access.
Security measures of a technical and organisational nature may include e.g. the encryption and pseudonymization of data, drawing up protocols, access limitations, storage of backup copies, instructions given to our staff, confidentiality agreements and verifications. We protect your data transferred via our website while in transit by means of suitable encryption mechanisms. However, we can only secure those areas that are under our control. We also require our order processors to take suitable security measures. However, security risks cannot always be ruled out altogether; residual risks are inevitable.
10. What are your rights?
Under certain circumstances, the applicable data protection law grants you the right to object to the processing of your data, especially for direct marketing purposes and to safeguard other legitimate interests in processing.
To facilitate your control over the processing of your personal data, you also have the following rights in respect of our data processing, depending on the applicable data protection law:
the right to ask us to let you know whether and if so which of your data we process;
the right to require us to correct data that are inaccurate;
the right to ask for data to be erased;
the right to ask us to release certain personal data in a current electronic format or to transfer them to a different data controller;
the right to withdraw consent in cases where processing by us requires your consent;
the right to obtain on request further information that is needed to exercise these rights.
WIf you wish to exercise the above rights in relation to us, please contact us in writing, in person or, in cases where not otherwise stated or agreed, by email addressed to us; you will find our contact details in Section 2. To enable us to rule out misuse, we must identify you (e.g. by a copy of an identity document in cases where this is not otherwise possible).
Please note that criteria, exceptions or limitations apply to these rights under the applicable data protection law (e.g. to protect third parties or business secrets). We will inform you suitably as the case may be.
In particular, we may have to continue to store and process your personal data in order to perform a contract with you, to safeguard our own interests that merit protection such as enforcement, exercise of, or defence against, legal claims or in order to comply with legal obligations. To the extent that this is permitted by law, in particular to protect the rights and freedoms of other data subjects and to safeguard interests that merit protection, we may therefore decline a request by a data subject either in whole or in part (e.g. by redacting certain contents that concern third parties or our business secrets).
If you do not agree to the way in which we handle your rights or data protection, please let us know (Section 2). In particular, if you are based in the EEA, in the United Kingdom or in Switzerland, you are also entitled to lodge a complaint with the data protection supervisory authority in your country.
11. Do we use online tracking and online advertising techniques?
We use various techniques on our website by means of which we and third parties retained by us recognize you again when you visit our website and, under certain circumstances, are able to follow you across several visits. Information on that subject is set out in this section.
The central need for us is to be able to distinguish between accesses by you (via your system) and accesses by other users to enable us to assure the functionality of the website and effect evaluations and personalizations. We do not wish to ascertain your identity even if we can do so, to the extent that we or third parties retained by us can identify you by combination with registration data. However, even without registration data, the techniques used are configured in such a way that you are recognized as an individual visitor whenever you retrieve a particular page e.g. because our server (or the third-party server) assigns a particular recognition number to you or your browser (known as a cookie).
Cookies are individual codes (e.g. a serial number) which our server or the server of one of our service providers or contracting advertising partners transfers to your system when the connection to our website is made; your system (browser, mobile phone) receives and stores those cookies until the programmed expiry time. Upon each subsequent access, your system transfers these codes to our server or to the third-party server. In this way you are recognized again even if your identity is unknown.
Other techniques may also be used to enable you to be recognized again with a varying degree of probability (i.e. differentiated from other users).
“Fingerprinting” is one example. When fingerprinting is used, your IP address, your browser, the screen resolution, choice of language and other details which your system notifies to every server are combined to create a more or less unique fingerprint. This dispenses with the need for cookies.
Whenever you access a server (e.g. to use a website or app or because an image – either visible or invisible – is integrated into an email), your visits can be tracked. If we integrate the offers of a contracting advertising partner or provider of an analysis tool into our website, this can track you in the same way, even if you cannot be identified in any particular case.
We use such techniques on our website and enable some third parties to do likewise. You can program your browser to block, mislead or erase certain cookies or alternative techniques. You can also extend your browser with software that blocks tracking by specified third parties. You will find further information on this subject on your browser’s help pages (generally under the key words “Data protection”) or on the websites of the third parties listed by us below.
A distinction is made between the following cookies (techniques with comparable working methods such as fingerprinting are included here):
Necessary cookies: some cookies are essential for the website as such or some of its functions to work. They ensure e.g. your ability to move between the pages without losing the details entered on a form. They also ensure that you stay logged in. These cookies are purely temporary (“Session cookies”). The website may not work if you block them. Other cookies are needed to enable the server to store decisions or entries made by you beyond one particular session (i.e. a visit by you to the website) if you select this function (e.g. language choice, consent granted, automatic login function etc.). These cookies have an expiry date of up to 24 months.
At present, we use offers of the following service providers and contracting advertising partners (if the latter use your data or cookies placed by you to direct their advertising):
Google Analytics: Google Ireland (based in Ireland) provides the “Google Analytics” service and acts as our order processor. For this purpose, Google Ireland uses Google LLC (with registered office in the USA) as its order processor (both known as “Google”). Google uses performance cookies (see above) to track the activity of visitors to our website (duration, frequency of page retrieval, geolocation of access etc.) and on that basis reports to us on the use of our website. We have configured the service in such a way that the IP addresses of website visitors are abbreviated by Google in Europe before they are forwarded to the USA and therefore cannot be traced back. We have disabled the “Onward data transfer” and “Signals” settings. Although we assume that the information which we share with Google does not constitute personal data for that company, it is possible that Google may for its own purposes determine the identity of visitors, compile personal profiles and link such data to these persons’ Google accounts. If you consent to the use of Google Analytics, you explicitly also consent to such processing which likewise includes the transfer of personal data (in particular data on use of the website and app, device information and individual IDs) to the USA and to other countries. You will find information about Google Analytics’ data protection here and if you have a Google account you can access further information about processing by Google here.
Google Maps: Google Ireland (based in Ireland) provides the “Google Maps” service and acts as our order processor. For this purpose, Google Ireland works with Google LLC (based in the USA) as its order processor (both known as Google). We use Google Maps to display interactive maps. When our website is retrieved, a link is already established to the Google servers. Google uses performance cookies (see above) in order to track the activity of visitors to our website. We have configured the service in such a way that the visitors’ IP addresses are abbreviated by Google in Europe before being transferred to the USA and therefore cannot be traced back. We have disabled the “Onward data transfer” and “Signals” settings. Although we can assume that the information which we share with Google does not constitute personal data for that company it is possible that Google may, for its own purposes, determine the identity of visitors, compile personal profiles and link such data to these persons’ Google accounts. If you consent to the use of Google Maps, you explicitly consent to such processing which likewise includes the transfer of personal data (in particular, data on website and app use, device information and individual IDs) to the USA and to other countries. The use of Google Maps and of the data acquired via Google Maps is governed by Google’s terms and conditions of use and by the conditions of business for Google Maps.
Google Ads: Google Ireland (based in Ireland) provides the “Google Ads” service and acts as our order processor. For this purpose, Google Ireland works with Google LLC (based in the USA) as its order processor (both known as Google). Google Ads enables us to attract attention to our website by means of advertisements placed on external webpages. We are therefore able to determine the degree of success of our individual advertising actions. For this purpose we use what are known as AdServer cookies. As a rule, the information generated by cookies about your use of our website will be transferred to a Google server in the USA and stored there. These cookies enable Google to recognize your web browser again, so enabling us to ascertain that the user has clicked on the ad and was directed to this page.
The following information is collected by the AdServer cookies:
- Unique Cookie ID
- Number of ad impressions per placing (frequency)
- Latest impression (relevant for post-view conversions),
- Opt-out information (marker that the user does not wish to be contacted again)
No personal data are processed by us on this occasion. Google only makes statistical evaluations available. Those evaluations enable us to ascertain which advertising measures are particularly effective. We do not receive more detailed data about advertising media use; in particular, we cannot identify users on the basis of this information. We have no influence on the scope and further use made of the data that are collected by means of Google Ads. We are aware that Google is notified that you have retrieved the ad on our website or clicked onto an ad placed by us. If you have a Google user account and are registered, Google may associate the visit with your user account. Even if you are not registered with Google or have not logged on, Google may still ascertain and store your IP address.
We use Google Ads for marketing and optimization purposes, especially in order to place ads that are relevant and interesting for you. User activity processing is not necessary for the functionality of our web pages.
You can find further information about the handling of user data by Google Ads in the Google privacy notice at: data protection declaration Google.
You can prevent the acquisition of your data by Google Ads by setting your browser in such a way as to block cookies from the [https://ads.google.com] domain. You will find more information on this subject here.
Permaleads: Permagroup GmbH (based in Erlenbach) provides the “Permaleads” web analysis service and acts as our order processor. We use a suitable web analysis tool to analyse user activity and identify the IP address of companies for marketing purposes. Use of this service requires the direct transfer of user activity data (e.g. IP address, time of access, user activity, browser enquiry etc.) to the analysis server; the data are then made available for exclusive use by the visited website. The data gathered are treated in strict confidence and are neither sold nor passed on to third parties. For inform-ation about Permaleads data protection go to: here.
12. Which data do we process on our social media pages, on video platforms and platforms for virtual 360° tours?
We may run pages and other forms of online presence on social networks and other platforms operated by third parties (“Fanpages”, “Channels”, “Profile” etc.) and collect data about you as described in Section 3 and
below. We receive these data from you and the platforms if you contact us via our online presence (e.g. if you communicate with us, comment on our contents or visit us online). At the same time, the platforms evaluate your use of our online presence and link those data to other data about you that are known to the platforms (e.g. your activity and preferences). They also process such data for their own purposes under their own responsibility, in particular for marketing and market research (e.g. to personalize advertising) and to steer their platforms (e.g. to determine the contents that are displayed to you).
We receive data about you when you communicate with us online or view our contents on the relevant platforms, visit our online presences or are active on them (e.g. call attention to contents or make comments). These platforms also collect information about you such as technical data, registration data, communication data, activity and preference data (see Section 3 for an explanation of these terms). These platforms regularly assess the way in which you interact with us, how you use our online presences, our contents or other parts of the platform (what you view, comment, “like”, forward etc) for statistical purposes and link such data with further personal details (such as your age, gender and other demographic information). In this way they also compile profiles of you and statistics about the use of our online presences. They use these data and profiles in order to display our own or third-party advertising and other contents in a personalized manner for you on the platform and to direct the platform performance as well as for market and user research and to provide information to us and other entities about you and your use of our online presence. We may to some extent steer the evaluations which these platforms compile about the use of our online presences.
We process these data for the purposes described in Section 4, in particular for communication, for marketing (including advertising on these platforms, see Section 11) and for market research. Information about the relevant legal bases will be found in Section 5. Contents published by you personally (such as comments on an announcement) may be circulated by us (e.g. in our advertising on the platform or elsewhere). We or the platform operators may also erase or restrict contents by or about you in line with the guidance on use (e.g. inappropriate comments).
Further information about processing done by the platform operators will be found in those platforms’ own data protection notices. Those notices will also let you know in which countries they process your data, which information, erasure and other rights you have as a data subject and how you may exercise these rights or obtain further information. We currently use the following platforms:
LinkedIn: plugins for the LinkedIn social media of the LinkedIn Ireland Unlimited Company, Gardner House, Wilton Place, Dublin 2, Ireland or LinkedIn Corporation, 2029 Stierlin Court, Mountain View, CA 94043, USA are integrated into our website. [https://www.linkedin.com/legal/privacy-policy?_l=de_DE#collect].
Instagram:plugins for the Instagram social media of Meta Platforms Inc., City of Menlo Park 701 Laurel St.Menlo Park, CA 94025 are integrated into our website. Privacy Center
Facebook: plugins for the Facebook social media of Meta Platforms Inc., City of Menlo Park 701 Laurel St.Menlo Park, CA 94025 are integrated into our website. [https://www.facebook.com/privacy/policy].
Further information about the use made of user data by Vimeo will be found in the YouTube data protection declaration at: data protection declaration YouTube.
Further information about the use made by Vimeo of user data can be found in the Vimeo data protection declaration at: [https://vimeo.com/privacy].
Notice: the information about use of our website generated by the cookies will be transferred to Vimeo servers in the USA and processed there. The USA is classified as an insecure third country. Your data therefore do not enjoy data protection in the USA comparable to the level which applies in Switzerland or in the EU. In respect of data transfer, Vimeo refers to the standard contract clauses approved by the EU Commission as a guarantee of data protection comparable to the EU level. With the entry into force of the revised Data Protection Act, Switzerland recognizes the authorization of standard clauses by the EU. If you consent to the processing by Vimeo, you therefore consent at the same time to the transfer of your data to the USA pursuant to Art. 17 nDSG or Art. 49 para. 1 letter a GDPR.
We call your attention to the fact that we as the webpage provider have no knowledge of the content of the transferred data and of their use by the platforms. Details of data collection (purpose, scope, further processing, use) and about your rights and possible settings will be found in the LinkedIn data protection notices.
13. Can this data protection declaration be amended?
This data protection declaration is not part of a contract with you. We may amend this data protection declaration at any time. The version published on this website is the latest available edition.
Latest update: 27.08.2023
A welcome gift in the form of a meal voucher at our in-house restaurant (“Comfort” location) awaits you.