Legal Disclaimer & Privacy Policy
Data Privacy Policy
H. Kracht’s Erben AG operates the Hotel Baur au Lac and wine retailer Baur au Lac Vins. It is the operator of the websites
- bauraulac.ch
- aupavillon.ch
- marguita.ch
- baurs-zurich.ch
- bauraulacvins.ch
and therefore responsible for the collection, processing and use of your personal data and ensuring compliance of data processing with applicable data privacy regulations.
Your trust is important to us, and for that reason we take the issue of data protection seriously and ensure we have the appropriate security in place. Of course, we comply with the statutory provisions of the Federal Data Protection Act (DSG), the Regulation on the Federal Data Protection Act (VDSG), the Telecommunications Act (FMG) and other applicable data protection provisions under Swiss or EU law, in particular the General Data Protection Regulation (GDPR).
So that you are aware of what personal data we collect from you and what we use these data for, please note the information below.
1. Responsibility for data protection
The following is responsible for data processing on our website:
H. Kracht’s Erben AG
Talstrasse 1
8001 Zurich
Switzerland
Email: datenschutz@hkeag.ch
The address of our data protection representative in the EU is:
Meyerlustenberger Lachenal Ltd.
Attorneys at Law
222 Avenue Louise
1050 Brussels
Belgium
2. Technical partner
For the operation and maintenance of our website and to ensure we are able to provide the contractual services we offer there, we work with our technical partner as follows:
MySign AG
Neuhardstrasse 38
CH-4600 Olten
Website: www.mysign.ch
Email: info@mysign.ch
3. Accessing our website
When you visit our website, our servers temporarily store every access in a log file. The following technical data are collected and stored without any action on your part, as is the case with every connection to a web server:
- the IP address of the computer making the request
- the name of the owner of the IP address range (usually your Internet access provider)
- the date and time of access
- the website from which access was made (Referrer URL), with the search term used if applicable
- the name and URL of the file accessed
- the status code (e.g. error message)
- your computer’s operating system
- the browser you are using (type, version and language)
- the transmission protocol used (e.g. HTTP/1.1) and
- if applicable, your username from any registration / authentication.
After 30 days we automatically anonymise the IP addresses collected, so that no conclusions can be drawn regarding individual users.
These data are collected and processed for the purpose of enabling the use of our website (establishing a connection), ensuring long-term system security and stability and to help us optimise our Internet offering, and for internal statistical purposes. This is our legitimate interest in the processing of data within the meaning of Art. 6 para. 1 lit. f GDPR.
The IP address is also evaluated together with the other data for the purpose of gathering information and initiating defence in the event of attacks on the network infrastructure or other unauthorised or improper use of the website, and if necessary will be used in criminal proceedings for identification and in civil and criminal proceedings against the users concerned. This is our legitimate interest in the processing of data within the meaning of Art. 6 para. 1 lit. f GDPR.
4. Using our contact form
You have the option of using a contact form to get in touch with us. For this, we need the following information:
- Name and surname
- Email address
- Message
We use these data, and any telephone number which you voluntarily provide, only to give you the most effective and personalised response possible to your query. The processing of these data is therefore necessary within the meaning of Art. 6 para. 1 lit. b GDPR for the implementation of pre-contractual measures, or is in our legitimate interests under Art. 6 para. 1 lit. f GDPR.
5. Subscribing to our newsletter
You can subscribe to our newsletter on our website. You will need to register to do this. As part of the registration process, the following data must be provided:
- Title
- First name and surname
- Email address
The above data are required for data processing. We process these data solely for the purpose of telling you about our products and services, and to personalise the information and offers we send you and better match them to your interests.
By registering, you consent to our processing of the data you provide to enable us to regularly send the newsletter to the address specified by you, and for the statistical evaluation of user behaviour and to optimise our newsletter. Within the meaning of Art. 6 para. 1 lit. a GDPR, this consent constitutes our legal basis for the processing of your email address. We are entitled to commission third parties to handle the technical aspects of advertising measures and are entitled to pass on your data for this purpose (see 16 below).
At the end of each newsletter you will find a link where you can unsubscribe at any time. When unsubscribing, you may choose to tell us the reason why you are unsubscribing. Once you have unsubscribed, your personal data will be deleted. Any further processing of these data will be solely in anonymised form for the optimisation of our newsletter.
6. Purchases on the internet (webshop)
If you wish to purchase goods via the ‘bauraulacvins.ch’ webshop, we will need the following information in order to process your transaction:
- Title
- Name and surname
- Postal address
- Telephone number
- Email address
- Language
- Payment method
We will use these data and any other information voluntarily provided by you (e.g. separate delivery address, credit card information, additional requests or comments) only to process your booking, unless otherwise stated in this data privacy policy or if you have not specifically consented to such use. We will process the data under your name in order to record your booking as requested, to provide the services booked, to contact you in the event of any queries or problems, and to ensure correct payment. In addition, our technical partner ‘MySign AG’ (see 13 and 15) will be given access to the data collected, for the purpose of ensuring the secure operation of our webshop.
The legal basis for the processing of data for this purpose is the performance of a contract pursuant to Art. 6 para. 1 lit. b GDPR.
7. Purchases in our stores
Generally, no personal data are collected from customers who purchase goods in our stores. Exceptions to this rule are purchases on account, and purchases made using credit or debit cards.
Data relating to purchases made on credit or debit cards are handled in accordance with the requirements of the PCI DSS (Payment Card Industry Data Security Standard). Credit card details are collected anonymously for the sales staff and forwarded to SIX Group Payment Services.
8. Purchases on order / on account
If you wish to pre-order and/or buy goods on account at Baur au Lac Vins, we will need the following information in order to process your transaction:
- Title
- Name and surname
- Postal address
- Telephone number
- Email address
We will use these data and any other information voluntarily provided by you (e.g. separate delivery address, credit card information, additional requests or comments) only to process your transaction, unless otherwise stated in this data privacy policy or if you have not specifically consented to such use. We will process the data under your name in order to record your booking as requested, to provide the services booked, to contact you in the event of any queries or problems, and to ensure correct payment. In addition, our technical partner ‘MySign AG’ (see 13 and 15) will be given access to the data collected, for the purpose of ensuring the secure operation of our webshop.
The legal basis for the processing of data for this purpose is the performance of a contract pursuant to Art. 6 para. 1 lit. b GDPR.
9. Credit check
After you have entered your personal data with the order information, a credit check is automatically carried out at check-out. A credit check is also carried out for telephone orders and in-store purchases on account.
The buyer authorises H. Kracht’s Erben AG to obtain the information required to process your transaction from public authorities or a central credit-checking agency. The firm
CRIF AG, Hagenholzstrasse 81, CH-8050 Zurich - https://www.crif.ch
is responsible for carrying out the credit checks.
No credit check is carried out for in-store purchases in our branches.
10. Cookies
Cookies help in many ways to make your visit to our website more straightforward, more enjoyable and more effective. Cookies are information files that your web browser automatically saves to your computer’s hard drive when you visit our website. We use cookies, for example, to temporarily store your chosen services and inputs when you fill out a form on our website, so that you don’t need to re-enter that information when accessing a sub-page. Cookies may also be used to enable our system to identify you as a registered user after you have registered on the website, so you don’t need to log in again when accessing another sub-page.
Most internet browsers accept cookies automatically. However, you can configure your browser so that no cookies are placed on your computer or you are notified whenever you receive a new cookie. On the following pages you will find explanations on how to configure the processing of cookies in the most commonly used browsers:
- Microsoft Windows Internet Explorer
- Microsoft Windows Internet Explorer Mobile
- Mozilla Firefox
- Google Chrome for Desktop
- Google Chrome for Mobile
- Apple Safari for Desktop
- Apple Safari for Mobile
Disabling cookies may mean that you cannot use all the features of our website.
11. Tracking tools
a. General
For the purpose of designing our website to meet our needs and those of our users, and for the ongoing optimisation of the website, we use the Google Analytics web analysis service. In this context, pseudonymised user profiles are created and small text files that are stored on your computer (‘cookies’) are used. The information generated by the cookie about your use of this website is transmitted to the servers of the providers of these services, stored there and processed for us. In addition to the data listed under 1 above, this may provide us with the following information:
- navigation path taken by a visitor to the site
- length of stay on the website or sub-page
- the sub-page on which the website is exited
- the country, region or city from which the site is accessed
- end device (type, version, colour depth, resolution, width and height of the browser window) and
- returning or new visitor.
The information is used to evaluate the use of the website, to compile reports on website activities and to provide other services associated with website and internet usage for the purpose of market research and tailoring the design of this website to suit our needs and those of users. This information may also be shared with third parties if required by law or if third parties are processing these data on our behalf.
b. Creation of pseudonymised user profiles
In order to provide you with personalised services and information on our website (on-site targeting), we use and analyse the data that we collect about you when you visit the website. So-called cookies may also be used when processing these data. The analysis of your user behaviour may result in the creation of a so-called user profile. Your usage data will only ever be consolidated using pseudonyms; we never do this with non-pseudonymised personal data.
c. Re-targeting
We use re-targeting technologies on our website. Your user behaviour on our website is analysed to enable partner websites to offer you advertising that is individually tailored to your preferences. Your user behaviour will be recorded under a pseudonym.
This website uses Google AdWords Remarketing, services provided by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (‘Google’), to display ads based on your use of previously visited websites. For this purpose, Google uses the so-called double-click cookie, which allows your browser to be recognised when you visit other websites. The information generated by the cookie about your visit to this website (including your IP address) is transmitted to a Google server in the United States and stored there.
Google will use this information for the purpose of evaluating your use of the website in terms of the advertisements to be displayed, to compile reports for the website operator on website activities and ads, and to perform other services associated with website and internet usage. Google may also share this information with third parties if required by law or if third parties are processing these data on Google’s behalf. However, Google will never associate your IP address with other Google data.
You can prevent re-targeting at any time by refusing or disabling the relevant cookies in the menu bar of your web browser. You can also visit the website of the Digital Advertising Alliance at
and opt out of receiving the further advertising and re-targeting tools referred to.
Our website uses cookies/advertising IDs by Criteo SA, 32 Rue Blanche, 75009 Paris, France for the purpose of advertising. This enables us to show our advertisements to visitors who are interested in our products on partner websites, apps and emails. Re-targeting technologies use your cookies or advertising IDs and display advertisements based on your past browsing behavior. You can opt-out of interest based advertising by visiting the following websites:
http://www.networkadvertising.org/choices/
http://www.youronlinechoices.com/
We may share data, such as technical identifiers derived from your registration information on our website or our CRM system with our trusted advertising partners. This allows them to link your devices and/or environments and provide you a seamless experience across the different devices and environments that you use. To read more about their linking capabilities, please refer to their privacy policy listed in the above-mentioned platforms or listed below:
http://www.criteo.com/privacy/
d. Google Analytics
The Google Analytics service is provided by Google Inc., an undertaking of the holding company Alphabet Inc, based in the United States. The IP address communicated by your browser within the scope of Google Analytics will not be associated with any other data held by Google. According to Google Inc., under no circumstances will the IP address be associated with other data relating to the user.
For further information about the web analysis service used, visit the Google Analytics website. For instructions on how to prevent your data being processed by the web analysis service, see https://tools.google.com/dlpage/gaoptout?hl=en.
e. Crazy Egg
We use the analysis service provided by Crazy Egg Inc. (16220 E. Ridgeview Lane, La Mirada, CA 9063, USA) on our website. Crazy Egg is a user behaviour analysis tool. Using Crazy Egg, we can measure and evaluate the behaviour of visitors to our website (e.g. mouse movement in the form of ‘heatmaps’, clicks, scroll height etc.). To do this, Crazy Egg places cookies on the end devices of people who use the site, and can store data of site visitors, such as browser information, operating system, length of stay and IP address etc.
You can prevent Crazy Egg from processing these data by disabling the use of cookies in the settings in your web browser, and deleting any cookies already active. Another way to prevent data processing by Crazy Egg is to activate the ‘Do not track’ function in your browser.
f. Optimizely
This website uses Optimizely, a web analytics service provided by Optimizely, Inc., (‘Optimizely’). In order to continually improve our website, we carry out tests on individual pages. Optimizely uses cookies for this purpose. The information generated by the cookie about your visit to our website (including your IP address) is transmitted to an Optimizely server in the United States and stored there.
Optimizely does not collect any personal data. The information about your visit to this website is transmitted in anonymised form to an Optimizely server in the United States and stored there. You can disable Optimizely by following the instructions on this page: https://www.optimizely.com/opt_out
g. StatHat
Our website uses the web statistics tool StatHat.com, provided by Numerotron Inc., Chicago IL, USA. With StatHat, the behaviour of site visitors can be tracked and page views evaluated. The data collected are anonymous for us; we cannot identify you. The data are stored and processed by StatHat, and cannot be linked to individual users. We have no control over this use of the data.
For further information, please see StatHat’s data privacy policy at http://www.stathat.com/docs/privacy.
h. Google AJAX Search API
JavaScript code provided by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (hereinafter ‘Google’) is loaded on our site. If you have activated JavaScript in your browser and have not installed a JavaScript blocker, your browser may transfer personal data to Google. We do not know what data Google associates with the data it receives, or for what purpose Google uses those data. To prevent altogether the execution of JavaScript code by Google, you can install a JavaScript blocker (for example, www.noscript.net).
i. Google Tag Manager
Use of Google Tag Manager: Google Tag Manager is a solution that enables marketers to manage website tags via a single interface. The ‘Tool Tag Manager’ itself (which implements the tags) is a cookie-free domain and does not collect any personal data. The tool triggers other tags, which may in turn collect data. Google Tag Manager does not access these data. If deactivation has been carried out at domain or cookie level, it remains in effect for all tracking tags that are implemented with Google Tag Manager. http://www.google.de/tagmanager/use-policy.html
j. Behamics
This website uses the technologies of behamics AG for the individualization of website content, the display of behavioral incentives, and the execution of anonymous tests to optimize the user experience. The provider behamics AG collects pseudonymous information about usage and purchasing behavior in our online store, based only on the individual user session (cookie-less), in order to be able to offer a customized user experience.
k. CRM Ads
We use third-party advertising networks to occasionally send you advertisements that we believe are most relevant to you. This feature allows us to deliver ads to you as part of a specific group of people based on your preferences. We do not share any of your personal data, such as name or email address, with such third-party networks. These networks only receive a unique identifier. You can manage your privacy settings on the privacy tab of your account with such a third-party provider.
12. Email traffic
Based on Art. 957 et seq. of the Swiss Code of Obligations (OR), all business correspondence sent by email is archived for 10 years in encrypted form. The archived emails are automatically deleted after 10 years. The email data are stored in Switzerland.
13. Purchase of event tickets and gift vouchers
Customers are able to purchase and pay for event tickets and gift vouchers via the website. The purchase of event tickets for events operated by Baur au Lac Vins requires users to register on the platform of our partner ‘Eventfrog.ch’.
The legal basis for the processing of data for this purpose is the performance of a contract pursuant to Art. 6 para. 1 lit. b GDPR. Please also see Eventfrog’s data protection notice at
https://eventfrog.ch/de/datenschutzerklaerung.html.
14. Centralised storage and linking of data
We store the data indicated in paragraphs 4-9 in a central electronic data processing system. The data relating to you are systematically recorded and linked for the processing of your bookings and performance of the contractual services. For this we use a software package provided by the firm ‘SAP’.
We use a management tool provided by the company ‘MySign AG’, based in CH-4600 Olten, to store and process newsletter recipient data and user data from the webshop.
The processing of these data in the context of the software is based on our legitimate interest, within the meaning of Art. 6 para. 1 lit. f GDPR, in a customer-friendly and efficient management of customer data.
15. Retention period
We store personal data only for as long as is necessary to use the tracking services referred to above and for any further processing within the scope of our legitimate interest. We retain contract information for a longer period, as this is required by statutory retention requirements. Retention requirements which obligate us to store data arise out of regulations covering legislation on reporting, financial accounting and taxation. Pursuant to those regulations, business communications, accounting records and any contracts concluded must be kept for up to 10 years. Unless we still need these data in order to provide the services for you, the data will be made inaccessible. This means that the data may then be used only for accounting and tax purposes.
16. Disclosure of data to third parties
We only pass on your personal data if you have expressly consented to our doing so, there is a legal requirement for us to do so, or this is necessary to enable us to assert our rights, particularly for the assertion of claims arising from the contractual relationship. In addition, we pass on your data to third parties if this is necessary within the context of using the website and performing the contract (including outside the website), especially for processing your booking.
One service provider to whom the personal data collected via the website are disclosed, or who has or may have access to those data, is our webhoster, aspectra AG, Weberstrasse 4, CH-8004 Zurich. The website is hosted on servers in Switzerland. The transfer of the data is for the purpose of providing and maintaining the functionalities of our website. This is our legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR.
Webshop
Personal data for purchases in our webshop are collected and processed with ‘MySign’.
- MySign AG, Neuhardstrasse 38, CH-4600 Olten - mysign.ch
Event tickets / gift vouchers
Personal data for event registrations on the website are collected and processed with ‘Eventfrog’.
- Eventfrog AG, Neuhardstrasse 38, CH-4600 Olten - eventfrog.ch
Credit card payments
If credit card information is collected and processed when making bookings via this website, this is done by the company ‘Datatrans’.
- Datatrans AG, Kreuzbühlstr. 26, CH-8008 Zurich
17. Transfer of personal data abroad
We are also entitled, for the purposes of the data processing described in this data privacy policy, to transfer your personal data to third parties (contracted service providers) abroad. These third parties are bound by the same data privacy obligations as we ourselves are. If the level of data protection in a particular country does not correspond to that of Switzerland or the European Union, we will ensure by contractual means that the protection of your personal data is equivalent to that in Switzerland or in the EU at all times. Please see 16 above.
18. Right of access, rectification, erasure and restriction of processing; right to data portability
You have the right to receive, on request, information about the personal data which we hold on you. In addition, you have the right to rectify incorrect data and the right to erasure of your personal data, provided this is not precluded by any statutory retention requirement or a legal permission authorising us to process the data.
You also have the right to reclaim from us any data you have given us (right to data portability). You have the right to receive the data in a common file format.
Requests to exercise the rights of data subjects are accepted via the websites (data privacy form). To process your requests, we require proof of identity of the person making the request.
19. Data security
We use appropriate technical and organisational security measures to safeguard your personal data held by us against tampering, partial or complete loss and against unauthorised access by third parties. Our security measures are subject to continuous improvement in line with advances in technology.
You should always treat your access data as confidential and close the browser window once you have finished communicating with us, particularly if you are using a shared computer.
We also take data privacy within our own company very seriously. Our employees and the service companies contracted by us have been obligated by us to maintain secrecy and to comply with data privacy regulations.
20. Note on data transmission to the USA
In the interests of completeness, we would point out to users residing in or having their registered office in Switzerland that in the United States surveillance measures by the US authorities are in place which generally allow the storage of all personal data of any individual whose data are sent from Switzerland to the US. This is done without differentiation, restriction or exception on the basis of the objective pursued and without any objective criteria that would restrict access to the data and its subsequent use by the US authorities to very specific and limited purposes that would justify the intervention associated with access to and use of these data. We also wish to point out that no legal remedies are available in the United States for data subjects from Switzerland allowing them to access their data or request that it be rectified or erased, and that no effective legal protection against the general access rights of the US authorities exists. We are explicitly bringing this legal and factual situation to the attention of data subjects, to enable them to make a properly informed decision on giving their consent to the use of their data.
For users residing in an EU Member State, please note that in the view of the European Union – inter alia for the reasons given in this section – the United States does not have an adequate level of data protection. With regard to US-based recipients of data (such as Google) referred to in this data privacy policy, we ensure, either by means of contractual arrangements with those companies or by ensuring that they are certified under the EU or Swiss-US Privacy Shield, that your data are adequately protected while in the custody of our partners.
21. Right to object to a data protection supervisory authority
You have the right at any time to lodge an objection with a data protection supervisory authority.
24 May 2018
Contact details Data Protection Officer:
Mr. Torsten Magewski
E-Mail: datenschutz@hkeag.ch