Privacy policy
1. Data controller and content of this Privacy Notice
2. Data protection contact
3. Data processing when contacting us by e-mail
4. Data processing when booking accommodation
5. Data processing in connection with online payment processing
6. Data processing to fulfil statutory reporting obligations
7. Data processing within the context of your visit
8. Data processing in connection with using our Wi-Fi network
9. Background data processing on our website
9.1 Data processing when visiting our website (log file data)
9.2 Cookies
9.3 Google Tag Manager
9.4 Tracking and web analysis tools
10. Social media profiles
11. Central data storage and analysis in the CRM system
12. Forwarding and transfer abroad
12.1 Forwarding to third parties and access by third parties
12.2 Transfer of personal data abroad
12.3 Information concerning data transfer to the USA
13. Retention periods
14. Data security
15. Your rights
1. Data controller and content of this Privacy Notice
We, Badrutt’s Palace Hotel AG, Via Serlas 27, 7500 St. Moritz, Switzerland, entered in the commercial register of the Canton of Graubünden under number CHE-105.980.962 (we, us, our, etc.), are the operators of the rental accommodation “Townhouse St. Moritz” (rental accommodation) and the website www.townhouse-stmoritz.com (website) and, unless stated otherwise in this Privacy Notice, we are responsible for the data processing described in this Privacy Notice.
To find out which personal data we collect from you and for which purposes, please read the following information. Our data protection practices are based primarily on Swiss data protection laws, especially the Federal Act on Data Protection (FADP), though the provisions of the EU General Data Protection Regulation (GDPR) may also apply in certain cases.
Please note that the information below is reviewed and amended from time to time. We therefore recommend that you consult this Privacy Notice regularly. Furthermore, for the individual data processing activities described below, other companies are legally responsible for data protection or they share this responsibility with us; this means that the information from such providers is also relevant in these instances.
2. Data protection contact
If you have any questions about data protection or would like to exercise your rights, please e-mail our contact person for data protection at the following address: dataprotection@badruttspalace.com
You can contact our EU data protection representative at: MLL Brussels SPRL, 222 Avenue Louise, 1050 Brussels, Belgium (bph@mll-gdpr.com)
3. Data processing when contacting us by e-mail
If you contact us by e-mail, your personal data will be processed. The data that you have provided, such as your name, address or e-mail address and the reason for contacting us, will be processed. In addition, the time of receipt of the enquiry is documented. We process this data to fulfil your request (e.g. questions about website functions, information about our rental accommodation or services, etc.).
The lawful basis for this data processing is our legitimate interest within the meaning of Art. 6(1)(f) GDPR in fulfilling your request.
4. Data processing when booking accommodation
On our website, you have the exclusive option of booking our rental accommodation. To this end, we collect the following data, whereby the mandatory fields when registering are marked with an asterisk (*):
- Reservation period
- Number of guests
- First name
- Last name
- Address
- E-mail address
- Phone number
- Expected arrival time
- Other requests
- Credit card data (see Clause 5)
We record and process the data in order to process the booking and, in particular, to be able to meet any special requests for the booking and to contact you in the event of questions or problems. We store your data together with the supplementary details of the reservation (e.g. date and time of receipt, etc.), the booking data (e.g. accommodation selected), as well as information related to the performance and fulfilment of the contract (e.g. receipt and handling of complaints), so that we can ensure correct processing of the booking and proper performance of the contract.
We use the software application “Kross” provided by Solutions Plus s.r.l., Strada Provinciale Bitonto - Aeroporto Palese, 28, 70128 Bari-Palese BA, Italy (Solutions Plus). As a result, your data may be stored in a Solutions Plus database, which enables Solutions Plus to access the data if this is necessary for the provision of the software and for user support. Information about the processing of data by third parties and any transfer of data abroad can be found in Clause 13 of this Privacy Notice.
The lawful basis for this data processing is the performance of a contract with you according to Art. 6(1)(b) GDPR.
It is possible that Solutions Plus might wish to use some of this data for its own purposes (e.g. to provide marketing e-mails or for statistical analyses). Solutions Plus is the data controller for this data processing and must ensure compliance with the data protection laws in connection with this data processing. You can find information about data processing using the software application “Kross” by Solutions Plus here.
5. Data processing in connection with online payment processing
If you book our rental accommodation online (see Clause 4), further information may be re-quired in addition to the information mentioned in Clause 4, such as your credit card information or your login with your service provider. This information, as well as the fact that you acquired a service from us for the relevant amount and at the relevant time, is forwarded to the payment service provider concerned (e.g. the payment solution provider, the credit card issuer and the credit card acquirer). Please also note the information of the relevant company, particularly the privacy notice and the general terms and conditions. The lawful basis for our data processing is the performance of a contract according to Art. 6(1)(b) GDPR.
We reserve the right to store a copy of the credit card information as security. In order to avoid default of payment, the requisite data, particularly your personal data, may be transferred to a credit agency for the automatic assessment of your creditworthiness. In this context, the credit agency may give you a credit score. This is an estimated value regarding the future risk of a payment default, e.g. using a percentage value. The value is ascertained by using a mathematical-statistical procedure together with the inclusion of data from the credit agency from other sources. Automated decision making (and profiling with or without high risk) may also take place in this context, which may result in you not being offered the “invoice” payment method. If the legal requirements are met, you have the right to present your argument and to request that the decision be reviewed by a natural person. The lawful basis for this data processing is our legitimate interest according to Art. 6(1)(f) GDPR in avoiding default of payment.
For processing payments, we use a software application of Worldline Schweiz AG, Hardturm-strasse 201 in 8005 Zurich, Switzerland (Worldline). As a result, your data may be stored in a Worldline database, which enables Worldline to access the data if this is necessary for the provision of the software and for user support. You can find further information about the data processing carried out by Worldline here. Information about the processing of data by third parties and any transfer of data abroad can be found in Clause 13 of this Privacy Notice. The lawful basis for our data processing is the performance of a contract with you according to Art. 6(1)(b) GDPR.
6. Data processing to fulfil statutory reporting obligations
A few days before your arrival, you will receive an e-mail for the online check-in. To this end, we collect the following data, whereby the mandatory fields when registering are marked with an asterisk (*):
- First name
- Last name*
- Home address*
- Nationality*
- Copy of the official identity documents of all guests*
- Date of arrival and departure
We record this data so that we can fulfil our statutory reporting obligations, particularly accord-ing to Art. 16 of the Federal Act on Foreign Nationals and Integration (FNIA) and Art 3 of the implementing regulations governing the hospitality law for the canton of Graubünden. Where we are obliged to do so by the applicable regulations, we forward this information to the relevant police bodies.
The applicable data is processed for fulfilling a legal obligation according to Art. 6(1)(c) GDPR.
7. Data processing within the context of your visit
We can collect and process the following information from you and your companions for your stay, whereby the mandatory fields when registering are marked with an asterisk (*):
- First and last name
- Full home address
- Nationality
- Scan of the official identity documents of all guests
- Date of birth
- Date of arrival and departure
- Room number(s)
- Preferences and wishes
We collect this data to be able to fulfil our contractual and pre-contractual obligations according to Art. 6(1)(b) GDPR and thus be able to offer you the best possible service in this regard.
8. Data processing in connection with using our Wi-Fi network
In our Townhouse, you have the option of using the Wi-Fi network free of charge. The Wi-Fi network is provided by i-Community AG, Via dal Bagn 52, 7500 St. Moritz, Switzerland (i-Community). When using the Wi-Fi network, you transfer the following data to i-Community:
- The MAC address of your device (automatic)
In addition to the above data, data about the time and date of use and the device used is recorded each time the Wi-Fi network is used. This data processing is carried out for the purpose of providing and operating the Wi-Fi network as well as to prevent misuse and to penalise unlawful behaviour. i-Community is the data controller for the described data processing.
The lawful basis for this processing is your consent within the meaning of Art. 6(1)(a) GDPR. You can revoke this consent for the future at any time.
The lawful basis for this processing is our legitimate interest within the meaning of Art. 6(1)(f) GDPR in the provision of a Wi-Fi network in compliance with the applicable legal provisions.
9. Background data processing on our website
9.1. Data processing when visiting our website (log file data)
The web servers temporarily store every visit to our website in a log file (log file). The following data is recorded without your involvement and stored with us until it is automatically deleted:
- IP address of the requesting computer;
- Name of the owner of the IP address (normally your internet service provider);
- Date and time of access;
- Website from which the website was accessed (referrer URL), possibly with details of the search term;
- Name and URL of the file retrieved;
- Status code (e.g. error message);
- Operating system of your computer;
- Browser used (type, version and language);
- Transmission protocol used (e.g. HTTP/1.1); and possibly your username from registra-tion/authentication;
- Name of the host header;
- Number of bytes sent by the server;
- Number of bytes received and processed by the server;
- Duration of access;
- The verb or word requested, such as the GET method (GETlocation); and
- The purpose of the verb or word requested, e.g. default.htm.
The collection and processing of this data is carried out to enable the use of our website (establish a connection), to guarantee system security and stability on an ongoing basis and to facilitate the error and performance analysis and optimisation of our website (also see Clause 10.4 with regard to the last points).
In the event of an attack on the network infrastructure of the website or if other unauthorised or improper use of the website is suspected, the IP address and other data will be analysed for in-vestigation and defence purposes and possibly used to identify the user within the context of civil or criminal proceedings.
Our legitimate interest within the meaning of Art. 6(1)(f) GDPR lies in the purposes described above and this constitutes the lawful basis for the data processing.
For the operation of our website, we use the services of our hosting provider Solutions Plus s.r.l., Strada Provinciale Bitonto - Aeroporto Palese, 28, 70128 Bari-Palese BA, Italy (Solutions Plus). As a result, your data may be stored in a Solutions Plus database, which enables Solutions Plus to access the data if this is necessary for the provision of the software and for user support. Information about the processing of data by third parties and any transfer of data abroad can be found in Clause 13 of this Privacy Notice. The lawful basis for this data processing is our legitimate interest within the meaning of Art. 6(1)(f) GDPR in the use of services of third-party providers.
It is possible that Solutions Plus might wish to use some of this data for its own purposes (e.g. for statistical analyses for product optimisation). Solutions Plus is the data controller for this data processing and must ensure compliance with the data protection laws in connection with this data processing. You can find further information about data processing in connection with Solutions Plus here.
Finally, when you visit our website, we use cookies as well as applications and tools that are based on the use of cookies. In connection with these, the data described here can also be processed. You can find more information about this in the following clauses of this Privacy Notice, particular Clause 10.2 below.
9.2 Cookies
Cookies are information files that your web browser stores on the hard disk or in the main memory of your computer when you visit our website. Cookies are assigned identification numbers through which your computer is identified and the information contained in the cookie can be read.
Among other things, cookies help to make your visit to our website easier, more pleasant and more relevant. We use cookies for different purposes that are required, i.e. “strictly necessary”, for you to use the website as you wish. For example, we use cookies to identify you after logging in as a registered user and to enable you to navigate to and from the different subpages without having to log in again. The provision of website elements, such as the order function, is also based on the use of cookies, since your information when completing a form is temporarily stored on the website so that you do not have to reenter it after accessing a different subpage. In addition, cookies also carry out the technical functions required for the operation of the website, such as load balancing, i.e. the distribution of the performance load of the pages over the different web servers in order to relieve the server or content delivery network (CDN), so that content can be distributed more quickly to the end user. Cookies are also used for security purposes, in order to prevent the posting of illegal content. Finally, we use cookies within the framework of the structure and programming of our website, e.g. to facilitate the uploading of scripts or codes.
The lawful basis for this data processing is our legitimate interest within the meaning of Art. 6(1)(f) GDPR in the provision of a user-friendly and modern website.
Most internet browsers automatically accept cookies. However, when you access our website, we ask for your permission to use cookies that are not strictly necessary, particularly cookies from third-party providers for marketing purposes. By using the corresponding function buttons in the cookie banner, you can select the desired settings. Details regarding the services and data processing associated with individual cookies can be found in the cookie banner and in the following clauses of this Privacy Notice.
For cookie control and consent on the website, we use the services of Solutions Plus s.r.l., Strada Provinciale Bitonto - Aeroporto Palese, 28, 70128 Bari-Palese BA, Italy (Solutions Plus). When using Solutions Plus, your data is stored in a Solutions Plus database. Solutions Plus is the data controller for the data processing that it carries out and must ensure compliance with the data protection laws in connection with this data processing. Information about the processing of data by third parties and any transfer of data abroad can be found in Clause 13 of this Privacy Notice. You can find further information about the data processing carried out by Solutions Plus here.
You may also be able to configure your browser in such a way that no cookies are stored on your computer or you always receive an alert when you receive a new cookie. On the following pages, you can find information about how to configure the processing of cookies for certain browsers.
- Google Chrome for Desktop
- Google Chrome for Mobile
- Apple Safari
- Microsoft Windows Internet Explorer
- Microsoft Windows Internet Explorer Mobile
- Mozilla Firefox
The deactivation of cookies may result in you being unable to use all the functionalities of our website.
9.3 Google Tag Manager
To manage the functions of our website, we use Google Tag Manager provided by Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland). With Google Tag Manager, tracking codes and associated code fragments (tags) can be managed without the code having to be manually altered. Following implementation, it is possible for the tracking tools we have set to be managed, triggered and controlled through Google Tag Manager. Google Tag Manager is therefore closely involved in the data processing specified below and is used indirectly for the purposes described therein, which is why the lawful basis for the processing can be found in the sections on the individual tools. If some autonomous data processing is deemed to be carried out by Google Tag Manager, our legitimate interest within the meaning of Art. 6(1)(f) GDPR (EU) is the use of third parties for the efficient management of our websites and the performance of our marketing activities.
9.4 Tracking and web analysis tools
9.4.1 General information about tracking
For the purposes of the tailored design and ongoing optimisation of our website, we use the web analytics services specified below. In this connection, pseudonymised user profiles are created and cookies are used (also see Clause 10.2). The information generated by the cookie regarding your use of this website is generally transferred to a server of the service provider together with the log file data set out in Clause 10.1, where it is stored and processed. This may also involve data being transferred to a server abroad, such as in the USA (see in particular the absence of an adequate level of data protection and the intended safeguards, Clause 13.2 and 13.3).
Information that we receive when processing the data includes:
- Navigation path that the visitor to the website uses (including contents viewed and selected or purchased products and/or services booked);
- Length of stay on the website or subpage;
- Subpage from which the website is exited;
- Country, region or city from where the website is accessed;
- Device (type, version, colour depth, resolution, height and depth of the browser window); and
- Returning or new visitor.
On our behalf, the provider will use this information to analyse the use of the website, particularly to compile reports on the website activities and to provide further services related to website and internet use for the purpose of market research and the tailored design of this website. To a certain degree, both we and the provider can be seen as the data controller for the processing under data protection law.
The lawful basis for this data processing with the following services is your consent within the meaning of Art. 6(1)(a) GDPR. Part of the data processing can be classed as profiling (with or without high risk), which is also included in your consent. You can revoke your consent at any time and/or refuse the processing by blocking/disabling the relevant cookies in the settings of your browser (see Clause 10.2), or by using the service-specific options described in the following.
For the further processing of the data by the relevant provider as the (sole) data controller (particularly the potential transfer of this data to third parties such as authorities due to national legal regulations), please consult the relevant privacy notices of the provider.
9.4.2 Google Analytics
We use the web analytics service Google Analytics provided by Google Ireland Limited (Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland) and/or Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043,USA (Google).
In deviation from the description in Clause 10.4.1, IP addresses are not logged or stored in Google Analytics (in the version “Google Analytics 4” used here). In the case of access from the EU, IP addresses are only used to determine location data, after which they are immediately deleted. In the case of the collection of measurement data in Google Analytics, all the IP searches are carried out on EU-based servers before the traffic is forwarded for processing on Analytics servers. Regional data centres are used for Google Analytics. If a link is established to the nearest available data centre of Google in Google Analytics, the measurement data is sent to Analytics via an encrypted HTTPS connection. The data is further encrypted in these centres before it is forwarded to the processing servers of Analytics and made available on the platform. Based on the IP addresses, the most suitable local data centre is determined. This may also involve data being transferred to a server abroad, e.g. the USA (see in particular the absence of an adequate level of data protection and the intended safeguards, Clause 13.2 and 13.3).
Users can prevent Google from recording and processing the data created by the cookie and related to their website use (including the IP address) and revoke their consent by disabling or rejecting the relevant cookies in the cookie banner or in the settings of their web browser (see Clause 10.2) or by downloading and installing the browser plugin available under the following link: https://tools.google.com/dlpage/gaoptout?hl=en. For the further processing of the data by Google, please consult the data privacy notices of Google https://policies.google.com/privacy?hl=en-US.
10. Social media profiles
On our website, we have incorporated links to our profiles in the social networks of the following providers: Meta Platforms Ireland Limited (Facebook and Instagram), 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland, Privacy Notices.
If you click on the icons of the social networks, you will be automatically forwarded to our profile in the relevant network, during which a direct link between your browser and the server of the relevant social network will be established. As a result, the network receives in particular the data that was described in the section on log files (Clause 10.1), i.e. namely the information that you visited our website with your IP address and clicked on the link. This may also involve data being transferred to a server abroad, e.g. the USA (see in particular the absence of an adequate level of data protection and the intended safeguards, Clause 13.2 and 13.3).
If you click on a link to a network while you are logged in to your user account in the network, the contents of our website can be linked with your profile so that the network can directly associate your visit to our website with your account. If you wish to prevent this, you should log out before clicking on the corresponding links. A connection between your visit to our website and your user account is established whenever you register with the respective network after clicking on the link. The respective provider is the data controller for the data processing. Therefore, please consult the privacy notice on the website of the network.
The lawful basis for any data processing that may be attributed to us is our legitimate interest within the meaning of Art. 6(1)(f) GDPR in the use and advertising of our social media profiles.
11. Central data storage and analysis in the CRM system
If a clear association with your person is possible, we will save and link the data described in this Privacy Notice, particularly your personal details, your contact details, your contract data and your browsing behaviour on our website, in a central database. This facilitates the efficient management of customer data, allows us to adequately fulfil your request and enables efficient provision of the requested services and performance of the associated contracts.
The lawful basis for this data processing is our legitimate interest within the meaning of Art. 6(1)(f) GDPR in the efficient management of user data.
In addition, we analyse this data to further develop our products and services in line with your needs and to show you and suggest the most relevant information and offers. Moreover, we use methods that predict possible interests and future orders based on your use of our website. Some of these analyses can also be classed as profiling (with or without high risk).
For central data storage and analysis in the CRM system, we use “Kross Booking” from Solutions Plus s.r.l., Strada Provinciale Bitonto - Aeroporto Palese, 28, 70128 Bari-Palese BA, Italy (Solutions Plus). As a result, your data may be stored in a Solutions Plus database, which enables Solutions Plus to access the data if this is necessary for the provision of the software and for user support. Information about the processing of data by third parties and any transfer of data abroad can be found in Clause 13 of this Privacy Notice. You can find further information about data processing in connection with Solutions Plus here.
12. Forwarding and transfer abroad
12.1 Forwarding to third parties and access by third parties
Without the support of other companies, we would not be able to provide our products and services in the manner we desire. To be able to use the services of these companies, it is necessary for us to forward your personal data to them within a certain scope. Forwarding is carried out to selected third-party providers and only to the degree that is required for the optimum provision of our services.
Various third-party providers have already been explicitly mentioned in this Privacy Notice. This concerns the following service providers in particular:
- Roommatik, Rúa do Doutor Corbal, 16, bajo, Teis, 36207 Vigo, Pontevedra, Spain. You can find further information about data processing in connection with Roommatik here.
- dormakaba International Holding AG, Hofwisenstrasse 24, 8153 Rümlang, Switzerland. You can find further information about data processing in connection with dormakaba here.
In the case of this forwarding, the lawful basis is the necessity to perform a contract within the meaning of Art. 6(1)(b) GDPR.
Your data is also forwarded if this is necessary for fulfilling the contractual relationship, e.g. to transport companies or providers of other services. In the case of this forwarding, the lawful basis is the necessity to perform a contract within the meaning of Art. 6(1)(b) GDPR. It is the third-party providers, not us, who are the data controllers for this data processing within the meaning of the data protection law. It is the duty of these third-party providers to inform you about their own data processing that exceeds the forwarding of the data for the provision of the service and to comply with the data protection laws.
In addition, your data may be forwarded, particularly to authorities, legal advisers or debt collection agencies, if we are obliged to do so by law or if this is necessary for the protection of our rights, particularly for asserting claims arising from our relationship with you. Data can also be forwarded if another company intends to acquire our company or parts thereof and the forwarding is necessary for due diligence or for the completion of the transaction.
The lawful basis for this data processing is our legitimate interest within the meaning of Art. 6(1)(f) GDPR in the protection of our rights and compliance with our duties and/or the sale of our company or parts thereof.
12.2 Transfer of personal data abroad
We are also entitled to transfer your personal data to third parties abroad if this is necessary for data processing as set out in this Privacy Notice. Individual data transfers are mentioned above (see in particular Clauses 10 and 11). The statutory provisions governing the forwarding of personal data to third parties are observed in this. The countries to which data can be transferred include those that, according to the decision of the Federal Council and the EU Commission, have an adequate level of data protection (such as the member states of the EEA or, from the perspective of the EU, Switzerland as well), but also those countries (such as the USA) whose data protection level is not considered to be adequate (see Appendix 1 of the Data Protection Regulation (GDPR) as well as the website of the EU Commission). If the country affected does not have an adequate level of data protection, we take appropriate measures to ensure that your data is adequately protected at these companies, unless an exception is specified for the individual data processing (see Art. 49 GDPR). Unless otherwise specified, this concerns the choice of companies that are certified under the Privacy Framework Agreement or standard contractual clauses within the meaning of Art. 46(2)(c) GDPR, which can be found on the websites of the Federal Data Protection and Information Commissioner (FDPIC) and the EU Commission. If you have any questions about the measures taken, please get in touch with our data protection contact (see Clause 2).
12.3 Information concerning data transfer to the USA
Some of the third-party service providers mentioned in this Privacy Notice have their registered office in the USA. For the sake of completeness, we would like to point out for users domiciled in Switzerland or in the EU that the US authorities have monitoring measures in place in the USA that generally enable the storage of all the personal data of all the people whose data is transferred from Switzerland or the EU to the USA. This occurs without differentiation, limitation or exception in terms of the aims pursued and without an objective criterion that would allow limiting the access of the US authorities to the data and its subsequent use to very specific, strictly limited purposes that could justify the interference involved in both accessing and using the data. In addition, we would like to point out that in the USA there is no legal recourse for the affected persons from Switzerland and/or the EU, i.e. no effective legal protection against the general access rights of the US authorities that allow them access to the relevant data and to effect the correction or the deletion thereof. We would like to explicitly point out this legal and factual situation so that you can make an informed decision regarding consent or objection to the use of your data.
We would further like to point out to users domiciled in Switzerland or a member state of the EU that, from the perspective of the European Union and Switzerland, the USA does not have an adequate data protection level due to the reasons set out in this clause, among others. Insofar as we have already explained in this Privacy Notice that recipients of data (such as Google) have their registered office in the USA, we will ensure that your data is adequately protected with our third-party providers; we will do so through the choice of companies that are certified under the Privacy Framework Agreement or through contractual arrangements with these companies, as well as through any additionally required, appropriate guarantees.
13. Retention periods
We store personal data only for as long as is necessary for us to carry out the processing as set out in this Privacy Notice within the context of our legitimate interest. In the case of contractual data, the retention period is prescribed by statutory storage obligations. The requirements that oblige us to store data arise from accounting regulations and tax laws. According to these provisions, business communication, contracts concluded and booking receipts must be stored for a period of up to 10 years. Once we no longer require this data to provide services to you, it will be restricted. This means that the data can only be used if this is necessary for fulfilling the retention requirements or for defending and asserting our legal interests. The data is deleted as soon as there is no longer a retention requirement for or a legitimate interest in the storage thereof.
14. Data security
We take appropriate technical and organisational security measures to protect your personal data that is stored with us against loss and illegal processing, particularly any unauthorised access by third parties. Our employees and the service providers that we use are obligated by us to maintain confidentiality and ensure data protection. In addition, these persons are allowed access to personal data only insofar as this is necessary for fulfilling their duties.
Our security measures are constantly revised in line with technological developments. However, the transfer of information over the internet and through electronic communication channels always carries certain security risks, meaning we cannot provide an absolute guarantee regarding the security of information transferred in this way.
15. Your rights
Provided that the legal requirements are met, you have the following rights as a data subject in relation to the processing of data:
Right to be informed: You have the right to request at any time and free of charge what personal data about you is being held by us and how we use it. This makes it possible for you to check whether we process it in accordance with the applicable data protection regulations.
Right to rectification: You have the right to have inaccurate or incomplete personal data rectified and to be informed about the rectification. In such cases, we will also inform the recipients of the affected data about the changes we have made, unless this is not possible or would involve a disproportionate amount of effort.
Right to erasure: You have the right to have your personal data erased under certain circumstances. In some cases, especially if legal retention requirements apply, there may be no right to erasure. In these instances, if the conditions are met, it may be possible to restrict the processing of data instead of erasing it.
Right to restrict processing: You have the right to request that the processing of your personal data be restricted.
Right to data portability: You have the right to receive your provided personal data from us free of charge in a readable format.
Right to object: You have the right to object to data processing at any time, especially in the case of data processing for direct marketing purposes (e.g. marketing e-mails).
Right to withdraw consent: In principle, you have the right to withdraw your consent at any time. However, processing activities based on consent that you have given in the past will not be rendered unlawful by your withdrawal.
To exercise these rights, please e-mail us at the following address: dataprotection@badruttspalace.com
Right to lodge a complaint: You have the right to lodge a complaint with the relevant supervisory authority (e.g. against the way in which your personal data is processed).
Updated: December 2024