Privacy Statement of Hapimag AG
Thank you for visiting our website and for your interest in Hapimag AG and its subsidiaries. We take the protection of your personal data seriously and act in accordance with the applicable legal provisions on data privacy and data security.
Under the European General Data Protection Regulation (GDPR), personal data refers to any information relating to an identified or identifiable natural person. The Swiss Data Protection Act (DPA) describes personal data as “any information that relates to a specific or specifiable person.” We regard both definitions as being equal, as they refer to information assigned to you personally (hereinafter the “data subject”) and may convey something about you. Consequently, we prefer to use the term “personal data”.
This privacy statement applies to Hapimag AG and its subsidiaries (hereinafter “Hapimag”) as well as to the mobile App of Hapimag AG. Any differing national data protection provisions remain reserved (e.g. statutory time limits for deletion of data).
2. Legal basis for processing
The legal basis for processing personal data is deemed to be the principles of the DPA and Article 6 (1) GDPR, specifically
(a) if the data subject has given consent;
(b) if processing is necessary for the performance of a contract to which the data subject is party. This also applies to the steps required prior to entering into a contract.
c) if our company must comply with a legal obligation;
(d) if the vital interests of the data subject or another natural person are to be protected;
(e) if processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in our company;
(f) if processing is required for the purposes of the legitimate interests pursued by our company or a third party, and the interests or fundamental rights and freedoms of the data subject will not be overridden. The legitimate interest of our company lies in conducting our business activity.
3. Collection and processing of personal data
We use the data you have given without your explicit consent solely for the necessary performance and processing of the services offered and on the basis of legitimate interests. On completion of the services, your data are excluded from further use and are deleted after the storage time limits have expired under tax and commercial law, provided you have not expressly given your consent for your data to be used further or there is no other legal justification.
The user is made clearly aware of the scope of any consent to be given upon registration for the respective service and that consent is recorded. The content of the consent given will be kept available for the user within the service. If you do not give your consent, we trust you will understand that you may not be able to take part in the respective service.
If you record personal data of other persons in connection with the use of our services, it is your responsibility to ensure that these persons are aware of this process and have accepted how Hapimag uses their information.
3.1 Visiting our website
You may visit the Hapimag website without disclosing your identity. However, our web servers automatically save technical information of the device used for the visit, including the IP address, type of web browser, operating system, domain name of your internet service provider, date and duration of your visit to our internet pages and the website you came from to visit us. This information is evaluated anonymously for statistical purposes only.
These data are processed for the purpose of making navigation of the website easier (connection set-up), system security, technical administration of the network infrastructure as well as for optimising the internet offering, and as such on the basis of our legitimate interests under Article 6 (1) f GDPR and to protect users and prevent unauthorised use. We do not pass on these data to third parties or make any other kind of evaluation. We do not create a personal user profile.
3.2 Registration for and use of the online service
To use the personal Hapimag online service, you must have a user account. To set up such an account, we need the following personal data from you: membership number or e-mail address, first name, last name, date of birth and verification, either by providing the name of the last resort you booked or the last reservation number, or a product number. This data is used solely for the administration/processing of your Hapimag membership and, with your consent, for notifying you about new features and offers connected with the holiday world of Hapimag (newsletter).
Use of Hapimag online services is voluntary. We store and use the data you have provided without your explicit consent solely for the necessary performance and processing of the services offered, i.e. for the purposes of performing our contractual obligations and services under Article 6 (1) b of the European General Data Protection Regulation (GDPR).
3.3 Contact through our website (contact form)
If there are any queries about the holiday world of Hapimag from members or interested parties/non-members and for a booking enquiry for an introduction offer, we need the following personal data as a one-off to get in touch with you: title, membership number, first and last names, full postal address, telephone number and e-mail address.
For such enquiries, the personal data are processed for handling and administration under Article 6 (1) b GDPR (inclusive pre-contractual communication) and Article 6 (1) f GDPR (other inquiries).
The type of data we collect when the contact form is used can be seen on the contact form or it depends on your e-mail message. These data are saved and used for responding to your enquiry, for contacting you and for related technical administration work. After your enquiry has been processed, your data are deleted, provided you request this and there are no statutory storage obligations to prevent deletion.
3.4 Live chat function
On our website you can also contact us via our live chat function. For this purpose, we use the services of Guuru, which is operated by guuru AG, Bösch 67, 6331 Hünenberg, Switzerland. If you send us a question through this chat function, depending on what this is, either a Hapimag-qualified expert (Hapimag member/shareholder) or a Hapimag employee will get back to you with the answer. The data sent in the chat is neither recorded via our website nor stored by Hapimag. The data is transmitted to guuru AG directly and stored for evaluation purposes. Data that is no longer required in order to perform contractual or legal obligations is regularly deleted. If the data collected contains references through which the data subject can be identified, it is processed and handled in accordance with Art. 6 (1) b GDPR and Art. 6 (1) f GDPR.
For further information about the collection, processing and use of data by Guuru, please refer to the Guuru data protection guidelines at https://www.guuru.com/en/privacy-policy/.
3.5 Registration for our newsletter
Personal data are processed when you register for our newsletter. The data you give for this (e.g. name and e-mail address) are used by us for our own marketing purposes and for other electronic notifications with marketing information on our products, offers, actions and our company for our newsletter after you have expressly given us your consent to do so.
You can unsubscribe from the newsletter at any time using a link in the newsletter e-mail or by sending us a corresponding message telling us that you are withdrawing your consent. By unsubscribing, your e-mail address will be automatically deleted from our newsletter distribution list.
Our newsletter contains a pixel tag that collects technical information such as browser, operating system and links that were clicked whenever the customer opens the newsletter. We use this information to make technical and content improvements to our newsletter service.
The newsletter is sent and the analyses are made on the basis of consent pursuant to Article 6 (1) a and Article 7 GDPR, or, if consent is not required, on the basis of our legitimate interests in direct marketing pursuant to Article 6 (1) f GDPR.
For newsletter distribution, we sometimes use features of Mailchimp’s online marketing platform, which is operated by The Rocket Science Group LLC, 675 Ponce de Leon Ave NE, Suite 5000, Atlanta, GA 30308, United States (“Mailchimp”). For further information about the collection, processing and use of data by Mailchimp, please refer to the Mailchimp data protection guidelines at https://mailchimp.com/legal/privacy/.
Before or after a newsletter is sent out, we sometimes use the services of ZeroBounce, which is operated by Hertza LLC, 10 E. Yanonali Street, Santa Barbara, CA 93101, United States (“ZeroBounce”), to verify self-registered e-mail addresses. ZeroBounce receives your e-mail address and stores it for the period of time required for verification. Your e-mail address is then deleted immediately after having been verified. For further information about the collection, processing and use of data by ZeroBounce, please refer to the ZeroBounce data protection guidelines at https://www.zerobounce.net/privacy-policy.html.
3.6 Comment functions on the website (company news, Hapimag Blog)
Hapimag fosters open communication with its members and regularly publishes company news and blog contributions on its website. In the CEO Blog, our CEO gives his opinion on a specific topic. As part of an open and honest culture of discussion, you can submit your comments on the CEO Blog only in the protected customer area and by giving your name. Your comments and name can be seen only in the protected customer area by other members. By contrast, your comments in all other blog contributions and company news can be left by giving a user name of your choice (pseudonym). These comments can be seen publicly and may also be commented on by third parties.
The website uses the comment function of the online service provider Disqus Inc., 717 Market Street, Suite 700, San Francisco, CA 94103, United States (“Disqus”). When a comment is submitted, a valid e-mail address is requested and this is saved together with the time at which the comment was submitted.
It is for legitimate interests under Article 6 (1) f GDPR and for security reasons so that the IP addresses of authors are saved in case unlawful content is posted in comments and contributions. Should this occur, we ourselves could be sued because of the comment or contribution and we are therefore interested in the author’s identity.
Satisfied members can refer potential new members very easily. On the website the members enter their membership number on the relevant page and generate a recommendation link. The recommendation link includes the encrypted membership number so that the recommendation bonus can subsequently be assigned to the members if their recommendation is successful. The members then send the recommendation link via their own preferred communication channel (e-mail, Facebook etc.) to the prospective customer. Clicking on the recommendation link takes the prospective customers to the contact form on the Hapimag website, where they can register for a one-off contact (see section “Contact through our website”).
Members can also fill out the contact form provided on the website, confirming when doing so that the interested party has given their consent for their personal data to be passed on to Hapimag so that Hapimag may get in touch with them for advertising purposes. We use the personal data shared by members on the basis of Art. 6 (1) a GDPR to present the Hapimag concept to the interested party and provide them with a personal offer.
Use of these recommendation options is voluntary. We use the membership numbers, without obtaining separate consent, solely in order to meet and carry out our contractual obligations pursuant to Article 6 (1) b GDPR.
3.8 Ordering Hapimag vouchers
We use the data shared when placing orders for Hapimag vouchers to verify and process the order and to send out the voucher. The data that is collected can be seen using the respective input screen. We save the data that is recorded and use it to process transactions. For non-members, a customer number is generated for this purpose, which is used only for processing the contract.
4. Compliance with legal provisions or public interest (Article 6 (1) c, e GDPR)
Like everyone involved in the economic process, we are also subject to a wide range of legal obligations. The primary ones are statutory requirements (e.g. registration and tax law), but sometimes provisions of supervisory and other authorities too. The fulfilment of control and reporting requirements under tax law as well as the archiving of data for the purposes of data protection and data security plus audits by tax and other authorities are actions deemed to be for the purposes of processing. Personal data may also have to be disclosed under judicial and official measures for the purposes of collecting evidence, law enforcement or implementing claims under civil law.
When it comes to cookies, a distinction is generally made between “session cookies” and “persistent cookies”. Session cookies do not remain on your computer once you leave a website or close your browser. Using the information collected, we can analyse usage patterns and structures for our website. This allows us to optimise our website by improving the content or personalisation features and making it easier to use. Persistent cookies are cookies that remain on your computer. They are used to simplify shopping, personalisation and registration services. For example, they enable text that has been input once to be saved in form fields on the website so that you don’t have to enter this text again on your next visit to the website or when you switch between the website’s individual functions. They also mean you don’t have to input the password required to access your personal Hapimag user account more than once. Persistent cookies can be manually removed at any time.
We use four kinds of cookies on our website: “Strictly necessary cookies”, which are strictly necessary for the running of the website. “Functional cookies”, which are used to remember user preferences so that the website can be customised to them. “Performance cookies”, which collect and analyse anonymised data on statistics in order to improve our offering and our website for you. “Targeting or advertising cookies”, which create anonymised user profiles in order to display personalised content to you that is tailored to your respective interests.
6. Web analysis services
6.1 Google Analytics, Google Ads, Conversion Tracking, Universal Analytics and Google Remarketing
Our website uses the Google Analytics demographics function. In this way we obtain information about the age, gender or general interests of website visitors. However, the data obtained cannot be assigned to a particular person. We use this information to develop our services and to present them in a way that is tailored to our website users. The data mostly come from Google’s own network (e.g. Google accounts or YouTube) or from third-party providers.
Our website also uses Google’s Universal Analytics. This provides us with information about the use of our services on different devices (“cross-device” use). By means of cookies technology we use a pseudonymised user ID that includes no personal data and does not transmit such data to Google. The collection and storage of data can be opted out of at any time, with effect for the future, by means of a browser plugin from Google (https://tools.google.com/dlpage/gaoptout?hl=en). This opt-out needs to be activated on all systems that you use, such as in a different browser or on your mobile end device. Further information about Universal Analytics can be found at https://support.google.com/analytics/answer/2838718?hl=en&ref_topic=6010376.
Google uses this collected information to evaluate your website activity, to compile reports on website activities for the website operators and to supply us with further services related to website usage and internet usage. If necessary, Google will also transmit this information to third parties if this is legally required or if third parties are processing these data on behalf of Google.
Third-party providers, including Google, display advertisements on websites on the internet. Third parties, including Google, use stored cookies in order to display advertisements based on a user’s previous visits to our website.
However, we would like to point out that if you do so, you may not be able to use all functions of this website in full. By using this website, you agree to Google processing the data it has collected about you in the manner described above and for the aforementioned purpose. Consent for data collection and storage may be withdrawn at any time with effect for the future. You can find further information in Google’s terms and conditions here: https://policies.google.com/privacy?hl=en-GB.
6.2 Mouse tracking and screen recording with Hotjar
In order to better understand the needs of visitors to our website and optimise the offering on our website, we use the web analytics services of a European company.
The cookies required for this purpose are only set with your consent, obtained via the cookie banner on our website. The legal basis for this is set out in Article 6 (1) a GDPR.
These web analysis services are operated by Hotjar Ltd., Level 2, St Julian’s Business Centre, 3, Elia Zammit Street, St Julian’s STJ 1000, Malta (“Hotjar”). Thanks to the reports and visual representations created by Hotjar, we understand, for example, how much time visitors to our website spend on each of our web pages, which links they click on and what content they are interested in. Hotjar works with cookies and other technologies to gather information about the behaviour of website visitors and their devices. This includes, for example, their anonymised IP address, screen size, device type, the browser that they use, their preferred language, or mouse events (movements, position, clicks). This information is stored by Hotjar in a pseudonymised user profile, and neither we nor Hotjar use it to identify individual visitors or combine it with other data about individual visitors. To provide its services, Hotjar also uses the services of third parties, such as Google Analytics. For more information, please see Hotjar’s data privacy statement at https://www.hotjar.com/legal/policies/privacy.
You can also prevent your data from being recorded by Hotjar by clicking on the following link and following the instructions provided https://www.hotjar.com/opt-out.
7. Online marketing networks
7.1 Use of Google Maps
7.2 Use of Facebook Ads
We use communication tools of the social network Facebook, particularly the Custom Audiences and Website Custom Audiences operated by Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland, with its parent company: Facebook, 1 Hacker Way, Menlo Park, CA 94025, USA (“Facebook”). The cookies required for this purpose are only set with your consent, obtained via the cookie banner on our website. The legal basis for this is set out in Article 6 (1) a GDPR.
In doing so, an irreversible and non-personal hash total is generated from your usage data that can be transmitted to Facebook for analysis and marketing purposes. The Facebook cookie is used for the Website Custom Audiences product.
Please read Facebook’s data privacy guidelines for further information on the purpose and scope of data collection and further processing and use of data by Facebook as well as your privacy setting options, which can be found at https://www.facebook.com/about/privacy. If you would like to reject Facebook Website Custom Audiences, you can do so at https://www.facebook.com/settings? tab=ads.
7.3 Use of SiteMinder channel manager
For bookings and queries via external booking platforms, our website uses techniques of the channel manager of SiteMinder Distribution Limited, Waterfront, Hammersmith Embankment, Manbre Road, London W6 9RH, United Kingdom (“SiteMinder”).
7.4 Emarsys CRM Ads
Emarsys CRM Ads is used to occasionally send you advertisements that we believe are most relevant to you. This function allows us to show you ads based on your preferences as part of a certain group of people. For this purpose, we do not forward any of your personal data, such as surname or e-mail address, to such third-party networks. These networks only receive a unique identifier or a non-personal checksum (hash value). At the end of the match, all uploaded hash values are deleted again.
We use Facebook Audience Manager and Google Customer Match to create such custom audiences. You can manage your privacy settings regarding the use of the mentioned tools on the Privacy tab of your account with the relevant third-party provider.
Further information on the scope of the collection and the further processing and use of the data by Facebook Custom Audiences can be found in the chapter “Use of Facebook Ads”.
8. Third-party services – information on the use of Facebook, Twitter, Instagram, YouTube, Pinterest, Kununu, Xing and LinkedIn
In order to promote dialogue with our members, guests and prospective customers, Hapimag communicates contents and offers on various social media platforms. On the basis of our legitimate interests under Article 6 (1) f GDPR, we use the plug-ins listed below to analyse and optimise our contents and offers.
Our website uses social plug-ins (“plug-ins”) of the social network Facebook, microblogging services Twitter, Instagram as well as the services YouTube, Pinterest, Kununu, Xing and LinkedIn. These services are offered by the companies Facebook Inc.,Twitter Inc. and Instagram LLC., YouTube, Pinterest, Kununu, Xing and LinkedIn (“providers”). These plugins are intended to enable straightforward access to the services referred to above.
Twitter is operated by Twitter Inc., 1355 Market St, Suite 900, San Francisco, CA 94103, USA (“Twitter”). You can find an overview of Twitter buttons and what they look like here: https://dev.twitter.com/web/overview
Instagram is operated by Instagram LLC., 1601 Willow Road, Menlo Park, CA 94025, USA (“Instagram”). You can find an overview of Instagram buttons and what they look like here: https://www.instagram.com/developer/embedding/
Pinterest is operated by Pinterest Europe Ltd., Palmerston House, 2nd Floor, Fenian Street, Dublin 2, Ireland, with its parent company: Pinterest Inc., 651 Brannan Street, San Francisco, CA 94103, USA (“Pinterest”). You can find further information on Pinterest here: https://developers.pinterest.com/tools/widget-builder/?
Xing is operated by XING AG, Dammtorstraße 29-32, 20354 Hamburg, Germany (“Xing”). You can find more information on Xing plug-ins here: https://dev.xing.com/plugins
Kununu is operated by XING AG, Dammtorstraße 29-32, 20354 Hamburg, Germany (“Xing”). You can find further information on Kununu here: https://kununuus.desk.com/customer/en/portal/articles/2434100-kununu-awards-top-company-and-open-company-
If you access one of our website pages containing a plug-in of this type, your browser establishes a direct connection to the servers of Facebook, Twitter, Instagram, YouTube, Pinterest, Kununu, Xing and LinkedIn. The content of the plug-in is transferred from the respective provider directly to your browser, which incorporates it in the website. By incorporating the plug-in, the providers are notified that your browser has visited the corresponding page of our website, even if you do not have a profile or you are not even logged in. This information (including your IP address) is transmitted directly to the USA (or Germany) to a server of the respective provider and stored there.
If you are logged in to one of the services, the providers can directly assign your visit to our website to your profile on Facebook, Twitter, Instagram, YouTube, Pinterest, Kununu, Xing or LinkedIn. If you interact with the plug-ins, for example if you press the “Like”, “Twitter” or “Instagram” buttons, the corresponding information is also transferred directly to the server of one of the providers where it is stored there. The information is also published and shown to your contacts on the social networks on Facebook, Twitter, Instagram, YouTube, Pinterest, Kununu, Xing or LinkedIn. Please consult the data privacy statements of those providers for the purpose and scope of data collection and for the further processing and use of data by the providers as well as your rights and privacy setting options:
Privacy statement of Facebook: http://www.facebook.com/policy.php
Privacy statement of Twitter: https://twitter.com/privacy
Privacy statement of Instagram: https://help.instagram.com/155833707900388/
Privacy statement of YouTube: https://www.google.de/intl/en/policies/privacy
Privacy statement of Pinterest: https://about.pinterest.com/en/privacy-policy
Privacy statement of Kununu: https://privacy.xing.com/en/privacy-policy
Privacy statement of Xing: https://privacy.xing.com/en/privacy-policy
Privacy statement of LinkedIn: https://www.LinkedIn.com/legal/privacy-policy
If you do not want Facebook, Twitter, Instagram, YouTube, Pinterest, Kununu, Xing or LinkedIn to assign the data collected through our website to your profile in the respective service, you must log out of the relevant service before visiting our website. You can also fully prevent the loading of plug-ins with add-ons for your browser, e.g. with the script blocker “NoScript” (http://noscript.net/).
9. Online presence on Facebook
On the social network platform Facebook we operate Facebook pages for our Headquarter and our resorts in order to communicate with our members and other interested users, and to inform them about our company. Facebook provides “Facebook Insights” to us as the operator of such pages. If you visit our sites, cookies are set to collect anonymised statistical data. The cookies are set by Facebook and are an integral part of the user relationship between us and Facebook.
Personal data are processed on the basis of our legitimate interests pursuant to Article 6 (1) f GDPR to communicate and inform our members and other interested users as effectively as possible. There is a legitimate interest in designing and optimising our offer on the basis of user behaviour.
With regard to data processing, we and Facebook are joint controllers pursuant to Article 26 GDPR. Facebook has the primary responsibility. We as the operator of the site make no decisions with respect to the processing of data and any other information resulting from Article 13 GDPR.
Agreement on responsibility as joint controllers of personal data: https://www.facebook.com/legal/terms/page_controller_addendum
Facebook Insights: https://www.facebook.com/business/a/page/page-insights
10. Usage and disclosure of collected data to third parties
We use the personal data you have made available solely on an internal basis for the advised and agreed purposes:
- operation of our internet websites and the mobile Hapimag App
- as a shareholder and member, for processing contracts concluded with you on the exercising of your shareholder rights and rights of residence
- as a prospective customer, for processing the booking you requested of an introductory offer
- or very generally for answering your queries.
As such, data may be forwarded to the following recipients:
- public bodies or authorities that request data under statutory regulations (e.g. tax authorities, social security agencies, municipal administrations, courts, Federal Office of Statistics)
- internal functions involved in the execution and performance of the respective business processes (e.g. HR, Accounting, Marketing, Sales, IT, Legal and Service Points and the Member Services department) as well as Hapimag subsidiaries, if data subjects have given their written consent or transmission is permitted out of overriding legitimate interests
- external contractors (service companies) under Article 28 GDPR or Article 10a DPA
- other external bodies (e.g. banks, debt collection agencies, credit card companies, travel and indemnity insurance companies).
If you use our services, we only collect the personal data we need to provide the requested services. Any additional data collection is made on a voluntary basis and solely to safeguard our own legitimate business interests.
We only process and use your data with your express consent, or if there is legal justification, for the purposes of advice, marketing and market research. You may withdraw your declaration of consent at any time. Your data are neither sold, leased nor made available in any other way to third parties. Hapimag specifically reserves the right to transmit personal data to any processors. The transmission of personal data to government institutions and authorities is carried out solely within the framework of compulsory national legal provisions.
11. Guaranteeing security in data processing
Hapimag uses dedicated technical and organisational measures in accordance with relevant legal provisions to protect your data, which we manage against unlawful or unintended manipulation, loss, destruction or access by unauthorised persons. Our security measures are being constantly improved in line with technological developments to guarantee the protection aims of confidentiality, integrity and availability of your data.
12. Time limits for deleting data
Your personal data are only saved for as long as the purpose for which they were collected and processed has been fulfilled. Statutory storage obligations and time limits remain reserved. After these time limits expire, personal data are routinely deleted and, if they are in paper form, destroyed according to data protection requirements and in observance of specific precautions.
Statutory storage time limits:
- 15 years is the absolute limitation period under Swiss tax law, i.e. the right to demand tax is time-barred 15 years after the tax period has expired. After this period, Hapimag AG deletes all relevant membership-related data, provided they are no longer relevant for further performance of a contract.
- 10 years is the storage time limit for business correspondence (e-mails, letters, contracts, personnel files), annual reports, accounting books (balance sheet and income statements) and related booking records. The storage time limit begins with the end of the calendar year in which the last entries were made, correspondence was received or sent out, or booking vouchers created.
- Shorter storage time limits exist in HR administration (particularly for rejected application files) or for registration forms.
- For Hapimag subsidiaries the valid laws in the corresponding countries apply.
13. Data transmission to other countries
Data may only be transmitted to other countries as part of contract fulfilment, necessary communication as well as due to other exceptions expressly provided for in the relevant data protection laws.
Currently there is an exchange of guest master data between locations in resorts in Austria, the Czech Republic, Finland, France, Germany, Great Britain, Greece, Hungary, Italy, Morocco, the Netherlands, Portugal, Spain, Switzerland, Turkey, USA and the Headquarter in Steinhausen (Switzerland). There is also an exchange of data with our country-specific Area Offices and Service Points as well as with any Hapimag resort cooperations.
The exchange of data between the European Union and Switzerland is carried out in compliance with similarly high-level data protection laws in a data-compliant framework. The exchange of data within the European Union is carried out solely on the basis of the corresponding data protection guidelines of the European Union and/or applicable data protection laws of participating EU Member States.
The Hapimag subsidiaries in Morocco, Turkey and the USA, as well as the operators of any partner resorts, are obliged to provide a reasonable level of data protection on the basis of the EU Standard Contractual Clauses. No data are transmitted to other countries, particularly those where data protection is deemed to be low, and there are currently no plans to do so.
14. Use of the mobile Hapimag App
The Hapimag App provides information on current activities in the resorts, gives recommendations for individual businesses in the area surrounding a resort (museums, restaurants, tourist attractions) and contains all information on the resort itself, all of which can also be found on the website (resort plan, facilities, pictures, travel information, weather report etc.).
When downloading the Hapimag App, the requisite information is transferred to the Apple App Store or Google Play Store (for the Android version), specifically user name, e-mail address, customer number of your account, time of download, payment information and individual device code numbers. We have no influence over this data collection and are therefore not responsible for it. We only process data if this is necessary for downloading the Hapimag App onto your mobile device.
Registration including the following personal data is required for the necessary performance and processing of offered services under Article 6 (1) b GDPR for specific activities: first name and last name, e-mail address, number of participants. The type of data collected for registration can be seen on the registration form and depends on the activity. Registration generates an e-mail to the resort where the activity is carried out.
In addition to the option of being informed about special events with push notifications, an apartment can be reserved in the resort via a link directly to the Booking Portal in the protected customer area, but only if membership and a user account exist.
The Hapimag App uses Google Analytics (see section “Web analysis services”) to analyse and optimise our offers based on legitimate interests under Article 6 (1) f GDPR as well as the Geofencing API from Google. This enables your location to be established in order to draw your attention to specific offers through push notifications as soon as you have reached a Hapimag resort.
A movement profile is not created. We only evaluate the information collected by Google in anonymous form for statistical purposes and to improve the app (e.g. number of users of the app per day, most popular features). Consent for data collection and storage may be withdrawn at any time with effect for the future. You can find further information in Google’s terms and conditions here: https://policies.google.com/privacy?hl=en.
If the Hapimag App is used without access to the internet, no personal data are collected. However, functionality will then be limited (e.g. no option to register for activities).
15. Rights of data subjects
Under GDPR, the data subject has the following rights over how his or her personal data are handled:
- Article 15: Right of access
- Article 16: Right to rectification
- Article 17: Right to erasure
- Article 18: Right to restriction of processing
- Article 20: Right to data portability
- Article 21: Right to object
There is also a right to lodge a complaint with a responsible data protection supervisory authority (Article 77 GDPR).
Comparable rights can also be found in the DPA in Articles 5 (Right to rectification), 8 and 9 (Right of access), 12, 13, 15 (Right to erasure, restriction of processing and objection) as well as in Articles 28 and 29 (Right to complain).
You may withdraw your consent for us to process your personal data at any time. This also applies to the withdrawal of declarations of consent that were given to us before the effective date of the GDPR, i.e. before 25 May 2018. Please note that withdrawal is only effective for the future. Processing carried out prior to the withdrawal is not affected by this.
16. Automated individual decision-making (including profiling)
Profiling in the sense of the GDPR is understood to mean any type of automated processing of personal data that consists of evaluating, analysing or predicting certain personal aspects (e.g. holiday interests, preferences for sporting activities, etc.).
We do not use purely automated individual decision-making procedures (including profiling) in accordance with Art. 22 GDPR. If we should nevertheless use such procedures in the future, we will inform you separately, if this is legally required.
17. Right to object under Article 21 GDPR
17.1 Specific right to object
You have the right to enter an objection (for reasons based on your particular situation) at any time against the processing of personal data concerning you that is carried out on the basis of Article 6 (1) e GDPR (data processing in the public interest) and Article 6 (1) f GDPR (data processing on the basis of the balance of interests).
If you enter an objection, we will no longer process your personal data, unless we can prove compelling legitimate reasons to do so that override your interests, rights and freedoms or the processing is used for asserting, exercising or protecting legal claims.
17.2 Right to object to processing of data for the purposes of direct marketing
In specific cases, we process your personal data to carry out direct marketing. You have the right at any time to object to the processing of data related to you for the purposes of such marketing.
18. Changes to this privacy statement
We reserve the right to periodically amend or update this privacy statement. Users are asked to regularly inform themselves about the content of the privacy statement.
This data privacy statement appears in German as well as in a translated English version.
19. Controller, representative and contact for data protection
19.1 Controller and contact
Sumpfstrasse 18, CH – 6312 Steinhausen
Service Line 00800 3030 8080* (*Roaming charges may apply)
If you have any questions or queries, you may contact us as follows:
Hapimag AG, Data Privacy Officer
Sumpfstrasse 18, CH – 6312 Steinhausen
Tel +41 58 733 70 10 Fax +41 58 767 89 20
E-Mail: [email protected]
19.2 Representative of Hapimag AG in the European Union
Hapimag Gesellschaft m.b.H.
Neudeggergasse 16-18, AT – 1080 Wien
Tel +43 1 402 62 40 Fax +43 1 402 62 40 41
E-Mail: [email protected]
Privacy Statement of Hapimag AG: October 2020