Privacy Policy

With this privacy policy, we inform about the personal data we process in connection with our activities and operations, including our graubuenden.ch website. We particularly inform about why, how, and where we process personal data. We also inform about the rights of individuals whose data we process.

For individual or additional activities and operations, additional privacy policies as well as other legal documents such as Terms and Conditions (AGB), Terms of Use, or Participation Conditions may apply.

We are subject to Swiss data protection law as well as any applicable foreign data protection law, especially that of the European Union (EU) with the General Data Protection Regulation (GDPR). The European Commission acknowledges that Swiss data protection law ensures adequate data protection.

1. Contact Addresses

Responsibility for the processing of personal data:

Graubünden Ferien
Alexanderstrasse 24
7001 Chur
Switzerland

contact@graubuenden.ch

In individual cases, there may be other controllers for the processing of personal data or joint responsibility with at least one other controller.

1.1 Data Protection Officers or Advisors

We have the following data protection officer or advisor as a point of contact for affected individuals and authorities regarding data protection inquiries:

Manuela Ruinatscha
Graubünden Ferien
Alexanderstrasse 24
7001 Chur
Switzerland

manuela.ruinatscha@graubuenden.ch

1.2 Data Protection Representation in the European Economic Area (EEA)

We have the following data protection representation according to Art. 27 GDPR:

VGS Datenschutzpartner GmbH
Am Kaiserkai 69
20457 Hamburg
Germany

datenschutz@graubuenden.ch

The data protection representation serves affected individuals and authorities in the European Union (EU) and the rest of the European Economic Area (EEA) as an additional point of contact for inquiries related to the GDPR.

2. Terms and Legal Bases

2.1 Terms

Personal data refers to any information relating to an identified or identifiable natural person. An affected person is a person whose personal data we process.

Processing includes any handling of personal data, regardless of the means and procedures used, such as querying, comparing, adapting, archiving, retaining, extracting, disclosing, acquiring, recording, collecting, deleting, disclosing, organizing, storing, altering, disseminating, linking, destroying, and using personal data.

The European Economic Area (EEA) includes the Member States of the European Union (EU) as well as the Principality of Liechtenstein, Iceland, and Norway. The General Data Protection Regulation (GDPR) refers to the processing of personal data as processing of personal data.

2.2 Legal Bases

We process personal data in accordance with Swiss data protection law, especially the Federal Act on Data Protection (Data Protection Act, DPA) and the Ordinance on Data Protection (Data Protection Ordinance, DPO).

We process - if and to the extent the General Data Protection Regulation (GDPR) is applicable - personal data according to at least one of the following legal bases:

• Art. 6 para. 1 lit. b GDPR for the necessary processing of personal data for the performance of a contract with the data subject and for the implementation of pre-contractual measures.
• Art. 6 para. 1 lit. f GDPR for the necessary processing of personal data to safeguard the legitimate interests of us or third parties, unless the fundamental rights and freedoms as well as interests of the data subject prevail. Legitimate interests include, in particular, our interest in being able to exercise our activities and operations permanently, user-friendly, securely, and reliably as well as communicate about them, ensuring information security, protection against misuse, enforcement of our own legal claims, and compliance with Swiss law.
• Art. 6 para. 1 lit. c GDPR for the necessary processing of personal data to fulfill a legal obligation to which we are subject under any applicable law of Member States in the European Economic Area (EEA).
• Art. 6 para. 1 lit. e GDPR for the necessary processing of personal data for the performance of a task carried out in the public interest.
• Art. 6 para. 1 lit. a GDPR for the processing of personal data with the consent of the data subject.
• Art. 6 para. 1 lit. d GDPR for the necessary processing of personal data to protect the vital interests of the data subject or another natural person.

3. Nature, Scope, and Purpose

We process those personal data that are necessary to permanently, user-friendly, securely, and reliably carry out our activities and operations. Such personal data may include, in particular, categories of master and contact data, browser and device data, content data, meta or edge data and usage data, location data, sales data, as well as contract and payment data.

We process personal data for the duration necessary for the respective purpose(s) or as required by law. Personal data that is no longer required for processing will be anonymized or deleted.

We may have personal data processed by third parties. We may jointly process or transmit personal data with third parties. Such third parties include specialized providers whose services we use. We also ensure data protection with such third parties.

We generally process personal data only with the consent of the data subjects. If and to the extent that processing is permissible for other legal reasons, we may forego obtaining consent. For example, we may process personal data without consent to fulfill a contract, to comply with legal obligations, or to safeguard overriding interests.

We also process personal data that we receive from third parties, obtain from publicly accessible sources, or collect in the course of our activities and operations, to the extent that such processing is permissible for legal reasons.

4. Communication

We process personal data to be able to communicate with third parties. In this context, we process data that an affected person submits when contacting us, for example, by postal mail or email. We may store such data in an address book or similar tools.

Third parties transmitting data about other individuals are obliged to ensure data protection for such affected individuals. This includes, among other things, ensuring the accuracy of the transmitted personal data.

We use selected services from suitable providers to better communicate with third parties.

We particularly use:

• Salesforce: Customer Relationship Management (CRM); Providers: Salesforce.com Inc. (USA) / Salesforce.com Germany GmbH (Germany); Privacy Information: "Privacy" (including the "most important contents of the privacy policy"), Privacy Policy.

5. Applications

We process personal data about applicants to the extent necessary to assess suitability for employment or for the subsequent execution of an employment contract. The necessary personal data arises in particular from the information provided, for example, within the framework of a job advertisement. We may publish job advertisements with the help of suitable third parties, for example, in electronic and printed media or on job portals and job platforms.

We also process personal data voluntarily provided or published by applicants, especially as part of cover letters, resumes, and other application documents as well as online profiles.

We process - if and to the extent the General Data Protection Regulation (GDPR) is applicable - personal data about applicants especially according to Art. 9 para. 2 lit. b GDPR.

6. Data Security

We implement suitable technical and organizational measures to ensure data security appropriate to the respective risk. With our measures, we ensure, in particular, the confidentiality, availability, traceability, and integrity of the processed personal data, without being able to guarantee absolute data security.

Access to our website and our other online presence is via transport encryption (SSL / TLS, especially with Hypertext Transfer Protocol Secure, abbreviated HTTPS). Most browsers indicate transport encryption with a small padlock in the address bar.

Our digital communication is subject - as generally all digital communication - to mass surveillance without cause and suspicion by security authorities in Switzerland, the rest of Europe, the United States of America (USA), and other countries. We cannot directly influence the processing of personal data by intelligence services, police authorities, and other security authorities. We also cannot exclude that individual affected persons are specifically monitored.

7. Personal Data Abroad

We generally process personal data in Switzerland and the European Economic Area (EEA). However, we may also export or transfer personal data to other states, particularly to process them there or have them processed.

We may export personal data to all countries and territories on Earth as well as elsewhere in the Universe, provided that the local law ensures adequate data protection according to decision of the Swiss Federal Council and - if and to the extent the General Data Protection Regulation (GDPR) is applicable - according to decision of the European Commission.

We may transfer personal data to states whose law does not ensure adequate data protection, provided that data protection is ensured for other reasons, particularly based on standard data protection clauses or other suitable guarantees. In exceptional cases, we may export personal data to states without adequate or suitable data protection if the special data protection requirements are met, such as the explicit consent of the data subjects or a direct connection with the conclusion or performance of a contract. Upon request, we are happy to provide affected persons with information about any guarantees or provide a copy of any guarantees.

8. Rights of Data Subjects

8.1 Data Protection Claims

We grant data subjects all claims under the applicable data protection law. Data subjects have, in particular, the following rights:

• Information: Data subjects can request information about whether we process personal data about them, and if so, what personal data it is. Data subjects also receive the information necessary to assert their data protection claims and to ensure transparency. This includes the processed personal data itself, but also information about the purpose of processing, the duration of storage, any disclosure or export of data to other states, and the origin of the personal data.
• Correction and Restriction: Data subjects can correct incorrect personal data, complete incomplete data, and request the restriction of processing of their data.
• Deletion and Objection: Data subjects can request the deletion of personal data ("right to be forgotten") and object to the processing of their data for the future.
• Data Disclosure and Data Portability: Data subjects can request the disclosure of personal data or the transfer of their data to another controller.

We may postpone, restrict, or refuse the exercise of data subject rights within the legally permissible framework. We may inform data subjects about any conditions that may need to be met to exercise their data protection claims. For example, we may refuse information referring to trade secrets or to protect other individuals wholly or partially. For instance, we may also refuse the deletion of personal data referring to legal retention obligations wholly or partially.

We may, exceptionally, impose costs for the exercise of rights. We inform data subjects in advance about any costs.

We are obligated to identify data subjects who request information or assert other rights with appropriate measures. Data subjects are obliged to cooperate.

8.2 Legal Protection

Data subjects have the right to enforce their data protection claims through legal means or to file a complaint with a competent data protection supervisory authority.

The data protection supervisory authority for complaints from data subjects against private controllers and federal authorities in Switzerland is the Federal Data Protection and Information Commissioner (FDPIC).

European data protection supervisory authorities for complaints from data subjects - if and to the extent the General Data Protection Regulation (GDPR) is applicable - are organized as members of the European Data Protection Board (EDPB). In some member states of the European Economic Area (EEA), data protection supervisory authorities are structured federally, especially in Germany.

9. Use of the Website

9.1 Cookies

We may use cookies. Cookies - both first-party cookies (first-party cookies) and cookies from third parties whose services we use (third-party cookies) - are data stored in the browser. Such stored data does not necessarily have to be limited to traditional cookies in text form.

Cookies can be stored in the browser temporarily as "session cookies" or for a specific period as so-called permanent cookies. "Session cookies" are automatically deleted when the browser is closed. Permanent cookies have a specific storage duration. Cookies enable, in particular, recognition of a browser on the next visit to our website, thereby, for example, measuring the reach of our website. However, permanent cookies can also be used for online marketing.

Cookies can be deactivated or deleted entirely or partially in the browser settings at any time. Without cookies, our website may possibly not be available in full. We request - at least if and to the extent necessary - express consent to the use of cookies.

For cookies used for success and reach measurement or for advertising, a general objection ("opt-out") is possible for numerous services via AdChoices (Digital Advertising Alliance of Canada), the Network Advertising Initiative (NAI), YourAdChoices (Digital Advertising Alliance), or Your Online Choices (European Interactive Digital Advertising Alliance, EDAA).

9.2 Logging

We may log the following information for each access to our website and other online presence, provided that such information is transmitted to our digital infrastructure during such access: date and time including time zone, IP address, access status (HTTP status code), operating system including user interface and version, browser including language and version, accessed individual sub-page of our website including transferred data volume, last visited website in the same browser window (referrer).

We log such information, which can also represent personal data, in log files. The information is necessary to provide our online presence permanently, user-friendly, and reliably. The information is also necessary to ensure data security - also by third parties or with the help of third parties.

9.3 Tracking Pixels

We may integrate tracking pixels into our online presence. Tracking pixels are also called web beacons. Tracking pixels - also from third parties whose services we use - are usually small, invisible images or scripts formulated in JavaScript that are automatically retrieved when accessing our online presence. With tracking pixels, at least the same information as in log files can be recorded.

10. Notifications and Communications

We send notifications and communications by email and through other communication channels such as instant messaging or SMS.

10.1 Success and Reach Measurement

Notifications and communications may contain web links or tracking pixels that record whether an individual notification was opened and which web links were clicked. Such web links and tracking pixels can also record the use of notifications and communications on a personal basis. We need this statistical recording of usage for success and reach measurement to effectively and user-friendly as well as permanently, securely, and reliably send notifications and communications based on the needs and reading habits of the recipients.

10.2 Consent and Objection

You must generally consent to the use of your email address and

You must generally consent to the use of your email address and your other contact addresses, unless such use is permitted for other legal reasons. For the possible obtaining of double-confirmed consent, we can use the "Double Opt-in" procedure. In this case, you will receive a notification with instructions for double confirmation. We may log obtained consents, including the IP address and timestamp, for evidential and security purposes.

You can generally object to the receipt of notifications and communications such as newsletters at any time. With such an objection, you can simultaneously object to the statistical recording of usage for success and reach measurement. Necessary notifications and communications related to our activities and operations remain reserved.

10.3 Notification Service Providers

We send notifications and communications with the help of specialized service providers.

11. Social Media

We are present on social media platforms and other online platforms to communicate with interested individuals and to provide information about our activities and operations. In connection with such platforms, personal data may also be processed outside of Switzerland and the European Economic Area (EEA).

The general terms and conditions (GTC) and terms of use as well as privacy policies and other provisions of the respective operators of such platforms also apply. These provisions inform in particular about the rights of data subjects directly vis-à-vis the respective platform, including, for example, the right to information.

For our Social Media presence on Facebook, including the so-called Page Insights, we are - if and to the extent the General Data Protection Regulation (GDPR) is applicable - jointly responsible with Meta Platforms Ireland Limited (Ireland). Meta Platforms Ireland Limited is part of the Meta Companies (among others in the USA). The Page Insights provide information on how visitors interact with our Facebook presence. We use Page Insights to effectively and user-friendly provide our social media presence on Facebook.

Further information about the nature, scope, and purpose of data processing, information about the rights of data subjects, as well as contact details of Facebook and the data protection officer of Facebook can be found in the Facebook Privacy Policy. We have concluded the so-called "Controller Addendum" with Facebook and have thereby agreed, among other things, that Facebook is responsible for ensuring the rights of data subjects. For the so-called Page Insights, the relevant information can be found on the page "Information about Page Insights", including "Information about Page Insights Data".

12. Third-Party Services

We use services from specialized third parties to exercise our activities and operations permanently, user-friendly, securely, and reliably. With such services, we can embed functions and content into our website. When embedding such content, the used services necessarily temporarily record the IP addresses of users.

For necessary security-related, statistical, and technical purposes, third parties whose services we use may process data related to our activities and operations in an aggregated, anonymized, or pseudonymized manner. This includes, for example, performance or usage data to be able to offer the respective service.

We use, in particular:

• Google services: Providers: Google LLC (USA) / Google Ireland Limited (Ireland) for users in the European Economic Area (EEA) and Switzerland; General data protection information: "Privacy and Security Principles", Privacy Policy, "Google is committed to compliance with applicable privacy laws", "Privacy Guide for Google Products", "How Google uses data from websites or apps that use our services" (information from Google), "Types of cookies and similar technologies used by Google", "Ads that you can influence" ("Personalized advertising").
• Microsoft services: Providers: Microsoft Ireland Operations Limited (Ireland) for users in the European Economic Area (EEA), Switzerland, and the United Kingdom / Microsoft Corporation (USA) for users in the rest of the world; General data protection information: "Privacy at Microsoft", "Privacy and Security", Privacy Statement, "Data and Privacy Settings".

12.1 Digital Infrastructure

We use services from specialized third parties to be able to utilize the necessary digital infrastructure in connection with our activities and operations. This includes, for example, hosting and storage services from selected providers.

We use, in particular:

• Microsoft Azure: Storage space and other infrastructure; Provider: Microsoft; Microsoft Azure-specific data protection information: "Privacy in Azure".

12.2 Automation and Integration of Apps and Services

We use specialized platforms to integrate and connect existing apps and services from third parties. With such "No-Code" platforms, we can also automate processes and activities with apps and services from third parties.

We use, in particular:

• Microsoft Power Automate including Microsoft Power Platform: Integrated application platform; Provider: Microsoft; Microsoft Power Platform-specific data protection information: "Compliance and Privacy", "Data Storage and Governance", "Security".
• Zapier: Automation and integration of apps and services; Provider: Zapier Inc. (USA); Data protection information: Privacy Policy, "Data Privacy at Zapier", "Data Privacy & Security FAQ", "Security and Compliance".

12.3 Scheduling

We use services from specialized third parties to be able to schedule appointments online, for example, for meetings. In addition to this privacy policy, any terms and conditions of the services used, such as terms of use or privacy policies, also apply.

We use, in particular:

• Doodle: Online scheduling; Provider: Doodle AG (Switzerland) as a subsidiary of TX Group AG (Switzerland); Data protection information: Privacy Policy, "General Terms and Conditions of the Processing of Personal Data".
• Microsoft Bookings: Online scheduling; Provider: Microsoft; Microsoft Bookings-specific information: "Microsoft Bookings: Frequently Asked Questions".

12.4 Online Collaboration

We use services from third parties to enable online collaboration. In addition to this privacy policy, any terms and conditions of the services used, such as terms of use or privacy policies, also apply.

We use, in particular:

• Asana: Platform for collaboration in companies; Provider: Asana Inc. (USA); Data protection information: "Trust at Asana", Privacy Policy, Bug Bounty Program.
• Miro: Whiteboard platform; Provider: RealtimeBoard Inc. (USA); Data protection information: Privacy Policy, "Trust in Miro" (Miro Trust Center).
• Microsoft Teams: Platform for productive collaboration, especially with audio and video conferences; Provider: Microsoft; Teams-specific information: "Privacy and Microsoft Teams".

12.5 Social Media Features and Social Media Content

We use services and plugins from third parties to embed features and content from social media platforms and to enable sharing of content on social media platforms and through other means.

We use, in particular:

• Instagram Platform: Embedding Instagram content; Providers: Meta Platforms Ireland Limited (Ireland) and other Meta companies (including in the USA); Data protection information: Privacy Policy (Instagram), Privacy Policy (Facebook).

12.6 Map Material

We use services from third parties to embed maps into our website.

We use, in particular:

• map.geo.admin.ch: Map service; Provider: Federal Coordination Centre for Geospatial Information of the Swiss Confederation (GKG); Data protection information: Privacy Policy, "Legal Basis".
• OpenStreetMap (OSM): Map service; Provider: OpenStreetMap Foundation (United Kingdom); Data protection information: Privacy Policy.

12.7 Digital Audio and Video Content

We use services from specialized third parties to enable the direct playback of digital audio and video content such as music or podcasts.

We use, in particular:

• YouTube: Video platform; Provider: Google; YouTube-specific information: "Privacy and Security Center", "My Data on YouTube".

12.8 Advertising

We use the opportunity to display targeted advertising with third parties such as social media platforms and search engines for our activities and operations.

With such advertising, we aim to reach individuals who are already interested in or could be interested in our activities and operations (Remarketing and Targeting). For this purpose, we may transmit relevant – possibly also personal – information to third parties that enable such advertising. We can also determine whether our advertising is successful, i.e., whether it leads to visits to our website (Conversion Tracking).

Third parties with whom we advertise and with whom you as a user are logged in may potentially associate the use of our website with your profile there.

We use, in particular:

• Facebook Advertising (Facebook Ads): Social media advertising; Providers: Meta Platforms Ireland Limited (Ireland) and other Meta companies (including in the USA); Data protection information: Remarketing and Targeting especially with the Facebook Pixel as well as Custom Audiences including Lookalike Audiences, Privacy Policy, "Ad Preferences" (user login required).
• Google Ads: Search engine advertising; Provider: Google; Google Ads-specific information: Advertising based on search queries, using various domain names – notably doubleclick.net, googleadservices.com, and googlesyndication.com – for Google Ads, "Advertising" (Google), "Manage Displayed Ads Directly via Ads".
• Instagram Ads: Social media advertising; Providers: Meta Platforms Ireland Limited (Ireland) and other Meta companies (including in the USA); Data protection information: Remarketing and Targeting especially with the Facebook Pixel as well as Custom Audiences including Lookalike Audiences, Privacy Policy (Instagram), Privacy Policy (Facebook), "Ad Preferences" (Instagram) (user login required), "Ad Preferences" (Facebook) (user login required).
• TikTok Ads: Social media advertising; Providers: TikTok Information Technologies UK Limited (United Kingdom) and TikTok Technology Limited (Ireland) for users in the European Economic Area (EEA), the United Kingdom, and Switzerland / TikTok Inc. (USA) for users in the USA / TikTok Pte. Ltd. (Singapore) for users in the rest of the world; Data protection information: Remarketing and Targeting especially with the TikTok Pixel, Privacy Policy, "Privacy Policy for Younger Users", Cookie Policy, "Privacy and Cookie Policy for TikTok for Business".

13. Website Extensions

We use extensions for our website to use additional features. We may use selected services from suitable providers or use such extensions on our own server infrastructure.

14. Success and Reach Measurement

We attempt to determine how our online offering is used. In this context, we may, for example, measure the success and reach of our activities and operations as well as the impact of third-party links to our website. However, we may also experiment and compare how different parts or versions of our online offering are used (the "A/B test" method). Based on the results of success and reach measurement, we can in particular correct errors, strengthen popular content, or make improvements to our online offering.

For success and reach measurement, the IP addresses of individual users are usually stored. IP addresses are in this case generally truncated ("IP masking") to follow the principle of data minimization through the corresponding pseudonymization.

During success and reach measurement, cookies may be used and user profiles may be created. Any user profiles created may include, for example, the individual pages visited or content viewed on our website, information about the size of the screen or browser window, and the – at least approximate – location. Generally, any user profiles created are exclusively pseudonymized and are not used to identify individual users. Individual third-party services, where users are logged in, may potentially associate the use of our online offering with the user account or profile at the respective service.

We use, in particular:

• fusedeck: Success and reach measurement; Provider: Capture Media AG (Switzerland); Data protection information: "Privacy Policy and Right to Object" (Website), "Data & Privacy" (fusedeck), Privacy Policy (fusedeck).
• Google Analytics: Success and reach measurement; Provider: Google; Google Analytics-specific information: Measurement across different browsers and devices (Cross-Device Tracking) as well as with pseudonymized IP addresses, which are only exceptionally transmitted in full to Google in the USA, "Privacy", "Browser Add-on to Disable Google Analytics".
• Google Tag Manager: Integration and management of other services for success and reach measurement as well as other services from Google as well as from third parties; Provider: Google; Google Tag Manager-specific information: "Data Collected with Google Tag Manager"; further information on data protection can be found with the individual integrated and managed services.

15. Final Provisions

We have created this privacy policy with the Data Protection Generator from Datenschutzpartner.

We may adjust and supplement this privacy policy at any time. We will inform about such adjustments and supplements in an appropriate manner, in particular by publishing the respective current privacy policy on our website.