Events 
Webcams 
Webshop 
Weather 
Vouchers Legal & data protection
Privacy Policy
With this privacy policy, we inform you about the processing of personal data in connection with our activities and operations, including our website under the domain name berguen-filisur.graubuenden.ch. We specifically inform you about why, how, and where we process which personal data. We also inform you about the rights of individuals whose data we process.
For individual or additional activities and operations, we may publish further privacy policies or other information about data protection.
We are subject to Swiss law as well as any applicable foreign law, in particular that of the European Union (EU) with the European General Data Protection Regulation (GDPR).
On 26 July 2000, the European Commission recognized that Swiss data protection law ensures adequate data protection. On 15 January 2024, the European Commission confirmed this adequacy decision in a report.
Table of Contents
- 1. Contact Addresses
- 2. Terms and Legal Bases
- 3. Type, Scope, and Purpose of Personal Data Processing
- 4. Disclosure of Personal Data
- 5. Communication
- 6. Applications
- 7. Data Security
- 8. Personal Data Abroad
- 9. Rights of Data Subjects
- 10. Use of the Website
- 11. Notifications and Messages
- 12. Social Media
- 13. Third-Party Services
- 14. Performance and Reach Measurement
- 15. Video Surveillance
- 16. Final Notes on the Privacy Policy
1. Contact Addresses
The responsible entity in terms of data protection law is:
Bergün Filisur Tourismus AG
Veja Alvra 99
7482 Bergün
In individual cases, third parties may be responsible for the processing of personal data, or joint responsibility with third parties may exist. Upon request, we will gladly provide information to data subjects regarding the respective responsibility.
1.1 Data Protection Officer or Advisor
We have appointed the following data protection officer or advisor as a point of contact for data subjects and authorities regarding data protection inquiries:
Niculin Josty
Bergün Filisur Tourismus AG
Veja Alvra 99
7482 Bergün
1.2 Data Protection Representation in the European Economic Area (EEA)
We have appointed the following data protection representation pursuant to Art. 27 GDPR:
VGS Datenschutzpartner GmbH
Am Kaiserkai 69
20457 Hamburg
Germany
The data protection representation serves as an additional point of contact for data subjects and authorities within the European Union (EU) and the rest of the European Economic Area (EEA) regarding GDPR-related inquiries.
2. Terms and Legal Bases
2.1 Terms
Data subject: Natural person whose personal data we process.
Personal data: All information relating to an identified or identifiable natural person.
Particularly sensitive personal data: Data regarding trade union, political, religious or ideological views and activities; data concerning health, intimate life, or ethnic or racial origin; genetic data, biometric data that uniquely identifies a natural person; data concerning criminal and administrative sanctions or prosecutions; and data on social welfare measures.
Processing: Any handling of personal data, regardless of the means and procedures used – for example, querying, matching, adapting, archiving, storing, reading, disclosing, procuring, recording, collecting, deleting, revealing, arranging, organizing, saving, modifying, distributing, linking, destroying, and using personal data.
European Economic Area (EEA): Member states of the European Union (EU) as well as the Principality of Liechtenstein, Iceland, and Norway.
2.2 Legal Bases
We process personal data in accordance with Swiss law, in particular the Federal Act on Data Protection (Data Protection Act, FADP) and the Ordinance on Data Protection (Data Protection Ordinance, DPO).
We process personal data – insofar as and to the extent that the European General Data Protection Regulation (GDPR) is applicable – based on at least one of the following legal bases:
- Art. 6(1)(b) GDPR for the processing of personal data as necessary to fulfil a contract with the data subject or to carry out pre-contractual measures.
- Art. 6(1)(f) GDPR for the processing of personal data as necessary to safeguard legitimate interests – including the legitimate interests of third parties – provided these are not overridden by the fundamental rights and freedoms or interests of the data subject. Such interests include, in particular, the sustainable, user-friendly, secure, and reliable operation of our activities and services, ensuring information security, protection against misuse, the enforcement of our legal claims, and compliance with Swiss law.
- Art. 6(1)(c) GDPR for the processing of personal data as necessary to fulfil a legal obligation to which we are subject under applicable law of the EEA member states.
- Art. 6(1)(e) GDPR for the processing of personal data as necessary for the performance of a task carried out in the public interest.
- Art. 6(1)(a) GDPR for the processing of personal data with the consent of the data subject.
- Art. 6(1)(d) GDPR for the processing of personal data as necessary to protect vital interests of the data subject or another natural person.
- Art. 9(2) ff. GDPR for the processing of special categories of personal data, in particular with the consent of the data subjects.
The European General Data Protection Regulation (GDPR) refers to the processing of personal data as "processing of personal data" and the processing of particularly sensitive personal data as "processing of special categories of personal data" (Art. 9 GDPR).
3. Nature, Scope, and Purpose of the Processing of Personal Data
We process the personal data that is necessary to operate our activities and services in a sustainable, user-friendly, secure, and reliable manner. The personal data processed may fall into categories such as browser and device data, content data, communication data, metadata, usage data, master data including inventory and contact data, location data, transaction data, contract data, and payment data. The personal data may also include particularly sensitive personal data.
We also process personal data that we receive from third parties, obtain from publicly accessible sources, or collect during the course of our activities and services, provided such processing is legally permitted.
We process personal data where necessary with the consent of the data subjects. In many cases, we may process personal data without consent – for example, to comply with legal obligations or to protect overriding interests. We may also request consent from data subjects even where it is not strictly necessary.
We process personal data for the duration necessary to fulfil the respective purpose. We anonymize or delete personal data in particular in accordance with statutory retention and limitation periods.
4. Disclosure of Personal Data
We may disclose personal data to third parties, have it processed by third parties, or process it jointly with third parties. Such third parties are in particular specialized service providers whose services we use.
We may disclose personal data, for example, to banks and other financial service providers, authorities, educational and research institutions, consultants and lawyers, interest groups, IT service providers, cooperation partners, credit and business information agencies, logistics and shipping companies, marketing and advertising agencies, media, organizations and associations, social institutions, telecommunications companies, insurance providers, and payment service providers.
5. Communication
We process personal data in order to communicate with individuals as well as with authorities, organizations, and companies. In doing so, we particularly process data that a data subject provides to us when making contact, for example by postal mail or email. We may store such data in an address book or using comparable tools.
Third parties who transmit data to us about other individuals are required to ensure the data protection of those data subjects independently. In particular, they must ensure that such data is accurate and may be transmitted.
6. Applications
We process personal data about applicants to the extent necessary to assess suitability for an employment relationship or for the subsequent execution of an employment contract. The required personal data arises in particular from the requested information, for example, in a job posting. We may publish job postings with the help of appropriate third parties, such as in electronic and printed media or via job portals and employment platforms.
We also process personal data that applicants voluntarily disclose or publish, particularly as part of cover letters, résumés, other application documents, and online profiles.
We process personal data about applicants – insofar as and to the extent that the General Data Protection Regulation (GDPR) applies – in particular in accordance with Art. 9(2)(b) GDPR.
7. Data Security
We take appropriate technical and organizational measures to ensure a level of data security appropriate to the respective risk. In particular, our measures ensure the confidentiality, availability, traceability, and integrity of the processed personal data, although we cannot guarantee absolute data security.
Access to our website and other digital presence is encrypted using transport encryption (SSL / TLS, particularly via Hypertext Transfer Protocol Secure, abbreviated HTTPS). Most browsers warn against visiting a website without transport encryption.
Our digital communication is subject – like any digital communication – to mass surveillance without cause or suspicion by security authorities in Switzerland, the rest of Europe, the United States of America (USA), and other countries. We have no direct influence over how personal data is processed by intelligence services, police departments, and other security authorities. We also cannot rule out the possibility that a data subject is being specifically monitored.
8. Personal Data Abroad
As a general rule, we process personal data in Switzerland and in the European Economic Area (EEA). However, we may also export or transfer personal data to other countries, in particular to process it there or have it processed.
We may export personal data to any country on Earth and even elsewhere in the universe, provided that the local law ensures adequate data protection according to a decision by the Swiss Federal Council and – insofar as the General Data Protection Regulation (GDPR) applies – also according to a decision by the European Commission.
We may transfer personal data to countries whose laws do not guarantee adequate data protection, provided that data protection is ensured by other means – in particular based on standard data protection clauses or other suitable safeguards. In exceptional cases, we may export personal data to countries without adequate or appropriate data protection if specific legal requirements are met, for example, the explicit consent of the data subjects or a direct connection with the conclusion or performance of a contract. Upon request, we are happy to inform data subjects about any safeguards in place or provide a copy of such safeguards.
9. Rights of Data Subjects
9.1 Data Protection Rights
We grant data subjects all rights in accordance with applicable law. In particular, data subjects have the following rights:
- Access: Data subjects can request confirmation as to whether we process personal data about them and, if so, which data is involved. Data subjects also receive the information required to assert their data protection rights and ensure transparency. This includes the personal data itself, but also, among other things, details about the purpose of processing, the duration of retention, any disclosure or export of data to other countries, and the origin of the data.
- Correction and restriction: Data subjects can request the correction of incorrect personal data, the completion of incomplete data, and the restriction of data processing.
- Right to be heard and human review: In the case of decisions based solely on automated processing of personal data that have legal effects or significantly affect them (automated individual decisions), data subjects may present their viewpoint and request a human review.
- Deletion and objection: Data subjects may request the deletion of personal data ("right to be forgotten") and object to the processing of their data with effect for the future.
- Data provision and transfer: Data subjects can request that their personal data be provided or transferred to another controller.
We may postpone, restrict, or refuse the exercise of data subject rights within the legally permissible scope. We may inform data subjects of any conditions that must be met in order to exercise their rights. For example, we may deny access by referring to confidentiality obligations, overriding interests, or the protection of other individuals. We may also deny the deletion of personal data, in particular due to statutory retention obligations.
We may, in exceptional cases, charge a fee for the exercise of data subject rights. In such cases, we will inform the data subjects in advance of any costs.
We are obliged to identify data subjects who request access or assert other rights using appropriate measures. Data subjects are required to cooperate in this process.
9.2 Legal Remedies
Data subjects have the right to enforce their data protection rights through legal proceedings or to file a report or complaint with a data protection supervisory authority.
The data protection supervisory authority for private controllers and federal bodies in Switzerland is the Federal Data Protection and Information Commissioner (FDPIC).
European data protection supervisory authorities are organized as members of the European Data Protection Board (EDPB). In some EEA member states, supervisory authorities are organized federally, especially in Germany.
10. Use of the Website
10.1 Cookies
We may use cookies. Cookies – both our own (first-party cookies) and those from third parties whose services we use (third-party cookies) – are data stored in the browser. Such stored data is not limited to traditional cookies in text format.
Cookies can be stored in the browser temporarily as "session cookies" or for a set period as so-called permanent cookies. "Session cookies" are automatically deleted when the browser is closed. Permanent cookies have a specific storage duration. Cookies enable, in particular, recognition of a browser upon revisiting our website, which allows, for example, measuring the reach of our website. Permanent cookies can also be used for online marketing purposes.
Cookies can be disabled, restricted, or deleted in whole or in part at any time via the browser settings. Browser settings often also allow for automated deletion and other cookie management options. Without cookies, our website may no longer be fully functional. We request – at least where required under applicable law – your explicit consent to the use of cookies.
For cookies used for performance and reach measurement or for advertising, many services allow a general opt-out through AdChoices (Digital Advertising Alliance of Canada), the Network Advertising Initiative (NAI), YourAdChoices (Digital Advertising Alliance), or Your Online Choices (European Interactive Digital Advertising Alliance, EDAA).
10.2 Logging
We may log at least the following details for every access to our website and other digital presence, provided these are transmitted to our digital infrastructure during such access: date and time including time zone, IP address, access status (HTTP status code), operating system including interface and version, browser including language and version, individual subpages visited including transferred data volume, and the previously visited website in the same browser window (referrer).
We log such information, which may also constitute personal data, in log files. This information is necessary to ensure the continuous, user-friendly, and reliable availability of our digital presence. It is also required to ensure data security – including through or with the assistance of third parties.
10.3 Tracking Pixels
We may integrate tracking pixels into our digital presence. Tracking pixels are also referred to as web beacons. Tracking pixels – including those from third parties whose services we use – are typically small, invisible images or JavaScript-based scripts that are automatically loaded when accessing our digital presence. Tracking pixels can capture at least the same information as logging in log files.
11. Notifications and Messages
11.1 Performance and Reach Measurement
Notifications and messages may contain web links or tracking pixels that record whether a specific message was opened and which web links were clicked. These links and tracking pixels may also capture the use of notifications and messages on a personal basis. We require this statistical tracking for performance and reach measurement in order to send notifications and messages effectively and in a user-friendly, secure, and reliable manner – tailored to the needs and reading habits of recipients.
11.2 Consent and Objection
You must generally consent to the use of your email address and other contact information unless its use is otherwise legally permitted. To obtain consent, we may use the "double opt-in" procedure. In this case, you will receive a message with instructions for confirming your consent twice. We may log obtained consents – including the IP address and timestamp – for security and proof purposes.
You can generally object to receiving notifications and messages – such as newsletters – at any time. Such an objection also serves as an objection to the statistical performance and reach measurement. Mandatory notifications and messages related to our activities and operations remain reserved.
11.3 Service Providers for Notifications and Messages
We send notifications and messages with the help of specialized service providers.
We specifically use:
- MAILINGWORK: Email marketing platform; provider: Mailingwork GmbH (Germany); privacy information: Privacy Policy, "Privacy Policy and Newsletter Distribution – What Needs to Be Considered?".
12. Social Media
We maintain a presence on social media platforms and other online platforms to communicate with interested individuals and to provide information about our activities and operations. In connection with such platforms, personal data may also be processed outside of Switzerland and the European Economic Area (EEA).
The general terms and conditions (GTC), terms of use, privacy policies, and other provisions of each platform operator also apply. These provisions specifically inform users about their rights vis-à-vis the respective platform, such as the right to access.
For our social media presence on Facebook, including so-called Page Insights, we – insofar as the General Data Protection Regulation (GDPR) applies – are jointly responsible with Meta Platforms Ireland Limited (Ireland). Meta Platforms Ireland Limited is part of the Meta companies (including in the USA). Page Insights provide information about how visitors interact with our Facebook page. We use Page Insights to ensure that our Facebook presence is effective and user-friendly.
Further information on the nature, scope, and purpose of data processing, on data subjects' rights, as well as Facebook’s contact details and that of its data protection officer, can be found in the Facebook Privacy Policy. We have entered into the so-called “Controller Addendum” with Facebook, in which it is agreed, among other things, that Facebook is responsible for ensuring the rights of data subjects. Information about Page Insights can be found at “Information about Page Insights”, including “Information about Page Insights Data”.
13. Third-Party Services
We use services from specialized third parties to conduct our activities and operations in a sustainable, user-friendly, secure, and reliable manner. These services allow us to embed features and content into our website. For technical reasons, the services used must at least temporarily collect the IP addresses of users during such embedding.
For necessary security, statistical, and technical purposes, third parties whose services we use may process data related to our activities and operations in an aggregated, anonymized, or pseudonymized manner. This may include performance or usage data needed to provide the respective service.
We specifically use:
- Google Services: Providers: Google LLC (USA) / Google Ireland Limited (Ireland) for users in the European Economic Area (EEA) and Switzerland; general privacy information: “Our commitment to privacy and security”, “Learn more about how Google uses personal data”, Privacy Policy, “Google’s commitment to data protection laws”, “Product-specific privacy guide”, “How Google uses data from sites or apps that use our services”, “Types of cookies and similar technologies used by Google”, “Ads you can control” (“Personalized ads”).
- Microsoft Services: Providers: Microsoft Ireland Operations Limited (Ireland) for users in the European Economic Area (EEA), Switzerland, and the United Kingdom / Microsoft Corporation (USA) for users in the rest of the world; general privacy information: “Microsoft Privacy”, “Privacy and Security”, Privacy Statement, “Data and Privacy Settings”.
13.1 Digital Infrastructure
We use services from specialized third parties to access the necessary digital infrastructure in connection with our activities and operations. This includes, for example, hosting and storage services from selected providers.
13.2 Appointment Scheduling
We use services from specialized third parties to schedule appointments online, for example for meetings. In addition to this privacy policy, the terms and conditions and privacy statements of the services used also apply, where visibly stated.
We specifically use:
- Doodle: Online appointment scheduling; provider: Doodle AG (Switzerland), a subsidiary of TX Group AG (Switzerland); privacy information: Privacy Policy, “General Terms and Conditions of the Processing of Personal Data”.
- Google Calendar: Online appointment scheduling; provider: Google; Google Calendar-specific information: “Appointment scheduling with Google Calendar”, “Privacy in Google Calendar”.
13.3 Audio and Video Conferences
We use specialized services for audio and video conferences in order to communicate online. This allows us to hold virtual meetings or conduct online classes and webinars. For participation in audio and video conferences, the legal documents of each service, such as privacy policies and terms of use, also apply.
Depending on your environment, we recommend muting your microphone by default and blurring your background or using a virtual background when participating in audio or video conferences.
We specifically use:
- Skype: Audio and video conferencing; provider: Microsoft; Skype-specific privacy information: “Skype Legal”.
- Zoom: Platform for collaborative work, particularly video conferencing; provider: Zoom Video Communications Inc. (USA); privacy information: “Zoom Privacy”, Privacy Policy, “Legal Compliance”.
13.4 Online Collaboration
We use third-party services to enable online collaboration. In addition to this privacy policy, the terms and conditions and privacy statements of the respective services used may also apply.
We specifically use:
- Microsoft Teams: Platform for productive collaboration, especially with audio and video conferencing; provider: Microsoft; Microsoft Teams-specific information: “Security and compliance in Microsoft Teams,” especially “Privacy”.
13.5 Map Services
We use third-party services to embed maps into our website.
We specifically use:
- Google Maps including Google Maps Platform: mapping service; provider: Google; Google Maps-specific information: “How Google uses location information”.
- map.geo.admin.ch: mapping service; provider: Federal Coordination Centre for Geoinformation (GKG); privacy information: Privacy Policy, “Legal Framework”.
- OpenStreetMap (OSM): mapping service; provider: OpenStreetMap Foundation (United Kingdom); privacy information: Privacy Policy.
- Outdooractive: mapping service; provider: Outdooractive AG (Germany); privacy information: Privacy Policy.
13.6 E-Commerce
We operate e-commerce and use third-party services to successfully offer services, content, or goods.
We specifically use:
- Holidu Smart Destination: booking platform; provider: Holidu GmbH (Germany); privacy information: Privacy Policy.
13.7 Payments
We use specialized service providers to process payments securely and reliably. In addition to this privacy policy, the legal documents of the respective providers, such as terms and conditions or privacy policies, also apply.
We specifically use:
- PostFinance: payment processing; provider: PostFinance AG (Switzerland); privacy information: “Legal Notice and Accessibility”, “Privacy” (including privacy statements).
- TWINT: payment processing in Switzerland; provider: TWINT AG (Switzerland); privacy information: Privacy Policy, “Security according to Swiss standards”.
- Worldline: payment processing, especially with mobile payment solutions; providers: Worldline SA (France), Worldline Schweiz AG (Switzerland), and other Worldline group companies worldwide (including in the USA); privacy information: Privacy Policy, “Responsible Disclosure Program”, Cookie Policy.
13.8 Advertising
We make use of the opportunity to display targeted advertising on third-party platforms, such as social media platforms and search engines, for our activities and operations.
With such advertising, we aim in particular to reach individuals who are already interested or may be interested in our activities and operations (remarketing and targeting). For this purpose, we may transmit relevant – in some cases also personal – information to third parties who enable such advertising. We may also determine whether our advertising is successful, in particular whether it leads to visits to our website (conversion tracking).
Third parties with whom we advertise and where you are registered as a user may potentially associate the use of our website with your profile on their platform.
We specifically use:
- Google Ads: search engine advertising; provider: Google; Google Ads-specific information: advertising based on search queries, using various domains such as doubleclick.net, googleadservices.com, and googlesyndication.com; Advertising Privacy Policy, “Manage ads shown to you directly”.
- Meta Ads: social media advertising on Facebook and Instagram; providers: Meta Platforms Ireland Limited (Ireland) and other Meta companies (including in the USA); privacy information: targeting including retargeting, in particular using the Meta Pixel and Custom Audiences, including Lookalike Audiences, Privacy Policy, “Ad Preferences” (login required).
14. Performance and Reach Measurement
We strive to measure the success and reach of our activities and operations. In this context, we may also measure the effectiveness of third-party references or test how different parts or versions of our digital presence are used (“A/B testing”). Based on the results, we can in particular fix errors, enhance popular content, or implement improvements.
For performance and reach measurement, IP addresses of individual users are usually collected. These IP addresses are generally shortened (“IP masking”) to comply with the principle of data minimization through pseudonymization.
Cookies may be used during performance and reach measurement, and user profiles may be created. Such profiles may include, for example, the specific pages visited or content viewed on our digital presence, screen or browser window size, and the – at least approximate – location. In general, any such user profiles are created in a pseudonymized form and are not used to identify individual users. Certain third-party services where users are registered may potentially associate the use of our online offering with the user's account or profile with that service.
We specifically use:
- Google Marketing Platform: performance and reach measurement, especially using Google Analytics; provider: Google; Google Marketing Platform-specific information: cross-browser and cross-device tracking using pseudonymized IP addresses, which are only exceptionally transmitted in full to Google in the USA, Privacy Policy for Google Analytics, “Browser add-on to disable Google Analytics”.
- Google Tag Manager: integration and management of Google and third-party services, particularly for performance and reach measurement; provider: Google; Google Tag Manager-specific information: Privacy Policy for Google Tag Manager; additional privacy information is provided by each integrated and managed service.
15. Video Surveillance
We use video surveillance to prevent crimes, secure evidence in case of crimes, exercise and enforce our legal rights, defend against third-party claims, and enforce our property rights. These purposes represent overriding legitimate interests according to Art. 6(1)(f) GDPR, and in the case of particularly sensitive personal data, according to Art. 9(2)(f) GDPR.
We store recordings from our video surveillance as long as they are necessary for securing evidence or for another stated purpose. As a rule, recordings are deleted or overwritten after 96 hours.
We may retain recordings from our video surveillance and transmit them to appropriate authorities, particularly judicial or law enforcement bodies, if the transmission is necessary for a stated purpose, within our other legitimate interests, or based on legal obligations.
16. Final Notes on the Privacy Policy
We created this privacy policy using the Privacy Policy Generator from Datenschutzpartner.
The present privacy policy is an unofficial translation from the original German version.
We may update this privacy policy at any time. We will provide information about updates in an appropriate manner, particularly by publishing the current version on our website.