DATA PRO­TEC­TION
DECLARATION

Hotel Hermitage Luzern AG, Seeburgstrasse 72, 6006 Lucerne, Switzerland (registered in the Commercial Register of the Canton of Lucerne under the number CHE-102.032.626) manages the Hermitage and is the operator of the website www. hermitage.ch, and is thus responsible for the collection, processing, and use of your personal data and the compatibility of data processing with the applicable data protection law.

Your trust is important to us, which is why we take the subject of data protection seriously and pay close attention to taking appropriate security measures. Of course, we hereby comply with the legal provisions of the Federal Data Protection Act (DSG), the Ordinance to the Federal Data Protection Act (VDSG), the Telecommunications Act (FMG), and other applicable data protection provisions of Swiss or EU law, in particular the General Data Protection Regulation (GDPR).

For you to know which personal data we collect from you and for what purposes we use them, please take note of the information below.

The address of our data protection representative in the EU is: mll, Meyerlustenberger Lachenal Ltd. , PO Box 1765, 8031 Zurich, Switzerland.


A. Data processing in connection with our website

1. Calling up our website

When visiting our website, our servers temporarily store every access in a log file. As with any connection to a web server, the following technical data are recorded without any action on your part and stored by us until the business relationship is terminated.

  • IP address of the requesting computer,
  • the name of the owner of the IP address range (usually your Internet access provider),
  • the date and time of access,
  • the website from which access was made (referrer URL), potentially with the search term used,
  • the name and URL of the retrieved file,
  • the status code (for example, error message),
  • the operating system of your computer,
  • the browser you are using (type, version, and language),
  • the transmission protocol used (e. g. HTTP/1.1) and if necessary, your username from registration/authentication,
  • the host header name,
  • the number of bytes sent by the server,
  • the number of bytes received and processed by the server,
  • the duration of access,
  • the requested verb or word, e. g. when using the GET method (GETlocation),
  • the target of the requested verb or word, e.g. default.htm.

These data are collected and processed for the purpose of enabling the use of our websites (establishing a connection), to guarantee system security, and to ensure lasting stability and optimise our internet presence, as well as for internal statistical purposes. This is our legitimate interest in data processing within the meaning of Art. 6 para. 1 lit. f GDPR.

The IP address is also evaluated together with the other data in the event of attacks on the network infrastructure or other unauthorised or improper use of the website for explanatory and defensive purposes and may be used in the course of criminal proceedings to identify and prosecute the users concerned under civil and criminal law. This is our legitimate interest in data processing within the meaning of Art. 6 para. 1 lit. f GDPR.

2. Use of our contact form

You have the possibility to use a contact form to get in touch with us. This is only possible if you provide us with your email address, first and last name, and your telephone number. We require this information, as well as other data voluntarily provided by you (salutation, remarks), to be able to provide the best-possible, personalised response to your contact request. The processing of these data is therefore required within the meaning of Art. 6 para. 1 lit. b GDPR for the implementation of pre-contractual measures or is in our legitimate interest pursuant to Art. 6 para. 1 lit. f GDPR.

3. Use of email hyperlink to establish contact

You have the option of contacting us via email. To be able to use this option, you must click on the email hyperlink. By clicking on the hyperlink, a connection to your email program is automatically established and a window to send the email opens. You can email us your questions about the website's functionality or contents. You are responsible for the messages and content which you send to us using the email function. We recommend that you refrain from sending any sensitive information using the email function. In order to use the email functionality, you only need to provide us with your email address. We require your email address, as well as other data voluntarily provided by you (such as your first and last name), to be able to provide the best-possible, personalised response to your contact request. The processing of these data is therefore required within the meaning of Art. 6 para. 1 lit. b GDPR for the implementation of pre-contractual measures or is in our legitimate interest pursuant to Art. 6 para. 1 lit. f GDPR.

4. Subscribing to our newsletter

You have the possibility of subscribing to our newsletter through our website. This requires registration. As part of the registration process, you must provide us with your email address. Your email address, as well as other data voluntarily provided by you (such as your first and last name), are solely processed to personalise the information and offers sent to you and to better align them with your interests. The newsletters contain so-called tracking pixels. A tracking pixel is a miniature graphic that is embedded in these emails, which are sent in HTML format, to enable log file recording and log file analysis. This allows statistical evaluation of the success or failure of online marketing campaigns. By using the embedded tracking pixel, we can detect whether and when an email was opened by you and which links in the email were accessed.

By registering, you give us your consent to process the data provided for the regular distribution of the newsletter and for the statistical evaluation of usage behaviour and optimisation of the newsletter. This consent constitutes, within the meaning of Art. 6 para. 1 lit. a GDPR, our legal basis for the processing of your email address. We are entitled to commission third parties with the technical handling of advertising measures and are entitled to pass on your data for this purpose (also see "Data transfer to third parties" further below).

At the end of each newsletter, you will find a link with which you can unsubscribe at any time. After unsubscribing, your personal data will be deleted.

5. Booking of overnight stays through the website, through correspondence, or through a telephone call

You have the possibility to book overnight stays or so-called packages through our website, by means of correspondence (email or letter), or by making a phone call. For the processing of your booking, we always require the following data:

  • First and last name of the person booking
  • Postal address
  • Telephone number
  • E-mail address
  • Payment details (e.g. credit card number)

We will only use these data and other information you voluntarily provide (e. g. first and last name of the accompanying person, comments, and the like) to process the contract, unless otherwise stated in this data protection declaration or unless you have given your separate consent. We will process these data in order to record your booking as requested, to make the booked services available, to contact you in case of ambiguities or problems, and to ensure correct payment.

Please note that we use a technical application of the HotelNetSolutions GmbH company to process the booking. Your data will thus also be forwarded to HotelNetSolutions GmbH, Genthinerstrasse 8, 10785 Berlin, Germany. Further information on the transfer of data and data processing by third parties can be found in this data protection declaration under Number 19 as well as here, on the website of HotelNetSolutions. The legal basis of data processing for this purpose is the performance of a contract pursuant to Art. 6 para. 1 lit. b GDPR.

6. Table reservation

You have the possibility to reserve a table through the website. We always require the following information to make the reservation:

  • Salutation
  • First and last name of the reserving person
  • Number of guests
  • E-mail address
  • Telephone number
  • Date and time of reservation

We will only collect and process these data to process your reservation, i. e. to record your reservation as requested, to make the reservation available, and to contact you in case of ambiguities or problems.

Please note that we use a technical application of the Bookatable Ltd. company to process the reservation. Your data will thus be forwarded to Bookatable Ltd, 5th Floor, Elizabeth House 39 York Road London SE1 7NQ, England. Further information on the transfer of data and data processing by third parties can be found in this data protection declaration under Number 19 as well as here, on the website of Bookatable.

The legal basis of data processing for this purpose is the performance of a contract pursuant to Art. 6 para. 1 lit. b GDPR.

7. Purchasing a voucher

You have the possibility to buy vouchers for overnight stays, activities, and/or other services through our website. When purchasing a voucher, the following information is absolutely necessary:

  • Salutation
  • First and last name of the purchasing person
  • Postal address
  • E-mail address
  • Telephone number
  • Payment details (e.g. credit card number)
  • Shipping method

Please be informed that we need the preceding data to process the order and to issue the vouchers.

Please note that we use a technical application of the Idea Creation GmbH company to process the purchase of the voucher (E-Guma). Your data will thus also be forwarded to Idea Creation GmbH, Walchestrasse 15, 8006 Zurich, Switzerland. Further information on the transfer of data and data processing by third parties can be found in this data protection declaration under Number 19 as well as here, on the website of Idea Creation.

The legal basis of the processing of your data for this purpose is the performance of a contract pursuant to Art. 6 para. 1 lit. b GDPR.

8. Applying for a job advertisement

Through our website, you have the possibility to apply for a job advertisement or to submit an unsolicited application. To this end, you will need to submit a complete application. The following data must always be provided in the online form:

  • Salutation
  • First and last name
  • E-mail address
  • Telephone number
  • Application documents

These data are used to process the application process. If you do not explicitly agree to further processing, the data will be deleted after the respective application process is completed.

The legal basis for data processing thus lies in the implementation of precontractual measures and our legitimate interest pursuant to Art. 6 para. 1 lit. b and f GDPR. The legal basis of the further processing of the data is the consent given by you pursuant to Art. 6 para. 1 lit. a GDPR.

9. Submission of a rating

Through our website, you have the possibility to access rating platforms and to submit ratings there. To do so, you must click on the provided links. The links will take you to the respective rating platforms; this carries with it the possibility that your IP address will be forwarded to the platform operators' servers. The relevant data protection provisions of the rating platforms are decisive in this case.

The links lead to:

  • TripAdvisor by TripAdvisor Inc. , 400 1st Avenue, Needham, 02494 MA, US. The data protection statement of TripAdvisor can be found here.
  • Booking by Booking. com BV, Herengracht 597, 1017 CE Amsterdam, the Netherlands. The data protection statement of Booking. com can be found here.
  • TrustYou by TrustYou GmbH, Steinerstrasse 15, 81369 Munich, Germany. The data protection statement of TrustYou can be found here.
  • HolidayCheck by HolidayCheck AG, Bahnweg 8, 8598 Bottighofen, Switzerland. The data protection statement of HolidayCheck can be found here.

The legal basis of data processing therefore lies in our justified interest pursuant to Art. 6 para. 1 lit. f GDPR.

10. Cookies

Cookies help in many ways to make your visit to our website easier, more pleasant, and more meaningful. Cookies are information files that your web browser automatically stores on your computers hard drive when you visit our website.

For example, we use cookies to temporarily save your selected services and entries when you fill out a form on the website, so that you do not have to repeat the entry when you access another subpage. Cookies may also be used to identify you as a registered user after registering on the website, without you having to log in again when accessing another subpage.

Most internet browsers automatically accept cookies; however, you can configure your browser such that no cookies are stored on your computer, or a notification always appears before you receive a new cookie. On the following pages, you will find more information on how you can configure the processing of cookies using the most common browsers:

  • Microsofts Windows Internet Explorer
  • Microsofts Windows Internet Explorer Mobile
  • Mozilla Firefox
  • Google Chrome for Desktop
  • Google Chrome for Mobile
  • Apple Safari for Desktop
  • Apple Safari for Mobile

If you deactivate cookies, however, you might not be able to use all the functions of our website.

11. Tracking tools and Re-Targeting

a. Google-Analytics

We use the web analysis service of Google Analytics for the purpose of demand- oriented design and the continuous optimisation of our website. In this context, pseudonymised user profiles are created and cookies are used (also see Number 10). The information generated by the cookie about your use of this website is transmitted to the servers of the providers of these services to be stored there and processed for us. In addition to the data specified in this data protection statement, we may receive the following information under certain circumstances:

  • the navigation path that a visitor takes on the website,
  • duration of stay on the website or subpage,
  • the subpage through which the website is left,
  • the country, region, or city from which access is made,
  • the terminal (type, version, colour depth, resolution, width, and height of the browser window) and
  • information on whether a visitor is a new or a recurring visitor

The information is used to evaluate the use of the website, to compile reports regarding website activity, and to provide other services related to website activity and internet usage for the purposes of market research and the needs-based design of this website. This information may also be transferred to third parties, provided this is legally required or if such third parties are commissioned to process the information.

The provider of Google Analytics is Google Inc. , a company of the Alphabet Inc holding based in the USA. Before the data are transmitted to the provider, the IP address is truncated through the activated IP anonymisation ("anonymizeIP") function on this website within the member states of the European Union or in other contracting states of the Agreement on the European Economic Area. The anonymised IP address transmitted by your browser within the scope of Google Analytics will not be combined with other data from Google. Only in exceptional cases will the full IP address be transferred to a Google server in the USA and truncated there. In these cases, we provide contractual guarantees to ensure that Google Inc. complies with a sufficient level of data protection. According to information provided by Google Inc. , under no circumstances will the IP address be linked to other data relating to the user.

Further information on the web analytics service used can be found on the Google Analytics website. Instructions on how to prevent the processing of your data through the web analytics service can be found here. More information on Google and its privacy policies can be found here.

12. Links to our social media presences

We have included links to our social media profiles on our website. The links lead to the following networks:

  • Facebook by Facebook Inc., 1601 S. California Ave, Palo Alto, CA 94304, US
  • Twitter by Twitter Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, US
  • YouTube by Google Inc., Amphitheatre Parkway, Mountain View, Ca 94043, US
  • YouTube by Google Inc., Amphitheatre Parkway, Mountain View, Ca 94043, US
  • Flickr by Yahoo, 701 1st Ave. Sunnyvale, CA 94089, US
  • Instagram by Instagram Inc., 1601 Willow Road, Meno Park, CA 94025, US,
  • Google+ by Google Inc., Amphitheatre Parkway, Mountain View, Ca 94043, US

If you click on the social network icons, you will be automatically redirected to our profiles with the concerned networks. You might need to log into your user account to use some functions of the network. This will provide the networks with information that you have visited our website and have accessed the link, with your IP address. If you access a link to a network while logged in to your account on said network, the contents of our page may be linked to your network profile. In this case, the network can directly associate your visit to our website with your user account. If you want to prevent the connection of data with your profile, you should log out before clicking on these types of links. Data allocation will always take place if you log into the relevant network after clicking on the link.

B. Data processing in connection with your stay

13. Data processing for the fulfilment of legal reporting obligations

When arriving at our hotel, we may need the following information from you and any persons accompanying you:

  • First and last name
  • Postal address and canton
  • Nationality
  • Day of arrival and departure
  • Date of birth
  • ID number

We collect this information to fulfil legal reporting obligations, which arise in particular from hospitality legislation. Where we are required to do so by applicable regulations, we will forward this information to the appropriate police authority.

We have a legitimate interest in the fulfilment of the legal requirements within the meaning of Art. 6 para. 1 lit. f GDPR.

14. Data processing to fulfil the booked overnight stay

On the occasion of your stay, we might process and collect the following information from you and any persons accompanying you:

  • First and last name
  • Postal address
  • Nationality
  • Day of arrival and departure
  • Preferences and habits

We not only collect this information in order to fulfil our contractual and post- contractual obligations towards you, but it also allows us to offer you the best- possible service.

As such, the legal basis of this data processing, within the meaning of Art. 6 para. 1 lit. b GDPR, lies in the processing of the contract.

15. Data processing for the fulfilment of services used

If you book any services from our wellness corner or make use of other services (e. g. minibar) and/or packages within the context of your stay in our hotels, the service object as well as the date on which the service was received can be recorded and processed by us for billing purposes as well as to provide the booked service. We generally need the following information for this:

  • First and last name
  • Postal address
  • E-mail address
  • Telephone number

As such, the legal basis of this data processing, within the meaning of Art. 6 para. 1 lit. b GDPR, lies in the processing of the contract.

C. Storage and exchange of data with third parties

16. Booking platforms

If you make bookings through a third-party platform, we receive various pieces of personal information from the respective platform operator. As a rule, these are those data referred to in Number 5 of this data protection declaration. In addition, we may be forwarded requests about your booking. We will thus process these data in order to record your booking as requested and to make the booked services available. The legal basis of data processing for this purpose is the performance of a contract pursuant to Art. 6 para. 1 lit. b GDPR.

Finally, we may be informed by the platform operators of any disputes in connection with a booking. We may under certain circumstances also receive information about the booking process, which may include a copy of the booking confirmation as proof of the actual booking completion. We process these data to protect and enforce our claims. This is our legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR.

Please also take note of the data protection declaration of the respective provider.

17. Central storage and linking of data

We store data in a central electronic data processing system. The data concerning your person are systematically recorded and linked in order to process your bookings and the contractual services. In addition, the data will be processed within the system for advertising purposes, in particular to offer you personalised services and products. For this, we use software from Rebag Data AG, Einsiedlerstrasse 533, 8810 Horgen, Switzerland.

The legal basis for the data processing within the context of customer management is in the processing of a contract within the meaning of Art. 6 para. 1 lit. b GDPR. If data are processed for advertising activities, the legal basis on the one hand also lies in the performance of the contract (the existing customer relationship justifies data processing for the purpose of advertising activities), as well as on the other hand in the consent granted by you within the meaning of Art. 6 para. 1 lit. a GDPR. You provide this consent when you subscribe to the newsletter (see also Number 3).

18. Data retention period

The maximum storage period of the personal data is as long as a business relationship is maintained, for using the tracking services mentioned above and the further processing within the scope of our justified interest. We store contractual data for a longer period of time, as this is prescribed by legal storage obligations. The storage obligations which oblige us to store data are underpinned by regulations concerning the right to report, by accounting regulations, and by tax law. According to these regulations, business communications, contracts concluded, and accounting records must be stored for up to 10 years. If we no longer need these data to perform the services for you, the data will be blocked. This means that the data may from then on only be used for accounting and tax purposes.

19. Data transfer to third parties

We only pass on your personal data if you have expressly consented thereto, if there exists a legal obligation, or if this is necessary for the enforcement of our rights, in particular for the enforcement of claims arising from the contractual relationship. Furthermore, we pass on your data to third parties as far as this is necessary in the context of the use of the website and the contract processing (also outside the website), namely the processing of your bookings. Various third-party service providers have been explicitly mentioned in this privacy policy (e. g. Idea Creation GmbH, Bookatable Ltd. , etc. ), with the associated purpose of the data transfer. Another service provider to which personal data are passed on, or which has access or might access these personal data, is our web- hosting provider HOMM in 6003 Lucerne, Switzerland. The website is hosted on servers in Switzerland. The data are passed on for the purpose of providing and maintaining the functionalities of our website. This is our legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR.

Finally, we will forward your credit card information to your credit card issuer and acquirer when payment through the website is made by credit card. If you decide to pay by credit card, you will be asked to enter all the necessary information. The legal basis for the transfer of the data lies in the fulfilment of a contract in accordance with Art. 6 para. 1 lit. b GDPR. Concerning the processing of your credit card information by these third parties, we ask you to also read the General Terms and Conditions and the data protection declaration of your credit card issuer.

20. Transfer of personal data to other countries

We are entitled to, also in the future, transfer your personal data to third parties (commissioned service providers) in different countries for the purpose of the data processing described in this data protection declaration. These are obliged to data protection to a similar extent as we ourselves are. If the level of data protection in a country does not correspond to that in Switzerland or Europe, we contractually ensure that the protection of your personal data corresponds to that in Switzerland or the EU at all times.

D. Additional information

21. Right to information, correction, deletion, and restriction of processing; right to data portability

You have the right to receive information about the personal data that we store on your person upon request. In addition, you have the right to correct incorrect data and to have your personal data deleted, insofar as this does not conflict with any legal obligation to retain data or an event of authorisation exists, which allows us to process the data.

You also have the right to reclaim from us the data that you have provided to us (right to data portability). Upon request, we will also pass the data on to a third party of your choice. You have the right to receive the data in a common file format.

For the aforementioned purposes, you can contact us using the email address direktion@hermitage-luzern.ch. We may, at our sole discretion, require proof of identity to process your requests.

22. Data security

We use appropriate technical and organisational security measures to protect the personal data we store on your person against manipulation, partial or complete loss, as well as against unauthorised access. Our security measures are consistently being improved in accordance with the technological development.

You should keep your access data confidential and close the browser window when you have finished your session, especially if your computer is also used by other people.

We also take internal company privacy very seriously. Our employees and the service providers appointed by us are sworn to secrecy and to comply with data protection regulations.

23. Note on data transfer to the USA

For the sake of completeness, we would like to point out to users living or based in Switzerland that surveillance measures within the USA exist, with which the US authorities are allowed the general storage of all personal data of all persons whose data have been transmitted from the EU or Switzerland to the USA. This is done without differentiation, restriction, or exception with respect to the aim pursued and without an objective criterion that would make it possible to restrict the US authorities' access to data and its subsequent use to very specific, strictly limited purposes, which justify the interference associated with both access to, and use of, such data. Furthermore, we would like to point out that, in the USA, there are no legal remedies available to data subjects from Switzerland that would allow them to gain access to the data concerning them and to obtain its correction or deletion, and that there is no effective legal protection against general access rights by US authorities. We explicitly point out this legal and factual situation to data subjects in order to make an appropriately informed decision to consent to the use of their data.

Users residing in an EU Member State are advised that the USA does not have an adequate level of data protection from the point of view of the European Union, partly because of the issues mentioned in this section. To the extent that we have stated in this data protection declaration that recipients of data (such as Google) are located in the USA, we will ensure that your data are protected at an appropriate level with our partners, either by contractual arrangements with these companies or by ensuring that these companies are certified under the EU/Swiss-US-Privacy Shield.

24. Right to complain to a data protection supervisory authority

You have the right to complain to a data protection supervisory authority at any time.

As of: April 2022