Data protection

  1. Home
  2. Data protection

Privacy Policy

With this privacy policy, we inform you about the processing of personal data in connection with our activities and operations, including our appenzellerland.ch website. We inform you in particular about the purposes, methods, and locations of our processing of personal data. We also inform you about the rights of individuals whose data we process.

Additional privacy policies or other data protection information may apply to specific or additional activities and operations.

We are subject to Swiss data protection law and, if applicable, foreign data protection laws, such as the European Union's (EU) General Data Protection Regulation (GDPR).

The European Commission recognized in its decision of July 26, 2000 that Swiss data protection law provides adequate protection. In its report of January 15, 2024, the European Commission confirmed this adequacy decision.

1. Contact Addresses

Responsibility for the processing of personal data:

Appenzellerland Tourismus AG
St. Gallerstrasse 49, Building 3
9100 Herisau

contact@dataprotection.appenzellerland.ch

In individual cases, third parties may be responsible for the processing of personal data or joint responsibility with third parties may exist.

1.1 Data Protection Officer or Data Protection Advisor

We have the following data protection officer or data protection advisor as a contact point for data subjects and authorities for inquiries related to data protection:

Kevin Signer
Appenzellerland Tourismus AG
St. Gallerstrasse 49, Building 3
9100 Herisau

contact@dataprotection.appenzellerland.ch

1.2 Data Protection Representation in the European Economic Area (EEA)

We have the following data protection representation in accordance with Article 27 GDPR:

VGS Datenschutzpartner GmbH
Am Kaiserkai 69
20457 Hamburg
Germany

info@datenschutzpartner.eu

The data protection representation serves as an additional contact point for data subjects and authorities in the European Union (EU) and the rest of the European Economic Area (EEA) for inquiries related to the GDPR.

2.1 Terms

Data subject: A natural person whose personal data we process.

Personal data: All information relating to an identified or identifiable natural person.

Particularly sensitive personal data: Data about union, political, religious, or philosophical views and activities, data about health, the intimate sphere, or membership of an ethnicity or race, genetic data, biometric data uniquely identifying a natural person, data about criminal and administrative sanctions or prosecutions, and data about measures of social assistance.

Processing: Any handling of personal data, regardless of the means and procedures used, such as querying, matching, modifying, archiving, storing, reading, disclosing, acquiring, recording, collecting, deleting, disclosing, organizing, storing, changing, distributing, linking, destroying, and using personal data.

European Economic Area (EEA): Member states of the European Union (EU) as well as the Principality of Liechtenstein, Iceland, and Norway.

Note: The European General Data Protection Regulation (GDPR) refers to the processing of personal data as the processing of personal data and the processing of particularly sensitive personal data as the processing of special categories of personal data (Article 9 GDPR).

We process personal data in accordance with Swiss data protection law, such as the Federal Act on Data Protection (Data Protection Act, DPA) and the Ordinance on Data Protection (Data Protection Ordinance, DPO).

We process – if and to the extent that the General Data Protection Regulation (GDPR) is applicable – personal data in accordance with at least one of the following legal bases:

  • Article 6(1)(b) GDPR for the necessary processing of personal data for the performance of a contract with the data subject and to take pre-contractual measures.
  • Article 6(1)(f) GDPR for the necessary processing of personal data to safeguard legitimate interests – including the legitimate interests of third parties – unless the fundamental rights and freedoms of the data subject prevail. Such interests include, in particular, the permanent, user-friendly, secure, and reliable performance of our activities and operations, ensuring information security, protecting against misuse, enforcing our legal claims, and complying with Swiss law.
  • Article 6(1)(c) GDPR for the necessary processing of personal data to fulfill a legal obligation to which we are subject under the applicable law of member states in the European Economic Area (EEA).
  • Article 6(1)(e) GDPR for the necessary processing of personal data for the performance of a task carried out in the public interest.
  • Article 6(1)(a) GDPR for the processing of personal data with the consent of the data subject.
  • Article 6(1)(d) GDPR for the necessary processing of personal data to protect the vital interests of the data subject or another natural person.
  • Article 9(2) et seq. GDPR for the processing of special categories of personal data, particularly with the consent of the data subject.

3. Nature, Scope, and Purpose of the Processing of Personal Data

We process personal data that is necessary to permanently, user-friendly, securely, and reliably perform our activities and operations. The processed personal data may fall into the categories of browser and device data, content data, communication data, metadata, usage data, master data including inventory and contact data, location data, transaction data, contract data, and payment data.

We also process personal data that we receive from third parties, obtain from publicly accessible sources, or collect during the performance of our activities and operations, provided such processing is lawful.

We process personal data as necessary, with the consent of the data subjects. In many cases, we may process personal data without consent, for example, to fulfill legal obligations or to protect overriding interests. We may also request the consent of data subjects if their consent is not required.

We process personal data for the duration necessary for the respective purpose. We anonymize or delete personal data, in particular, based on legal retention and limitation periods.

4. Disclosure of Personal Data

We may disclose personal data to third parties, have it processed by third parties, or process it jointly with third parties. Such third parties are, in particular, specialized providers whose services we use.

We may disclose personal data to banks and other financial service providers, authorities, educational and research institutions, advisors and lawyers, interest groups, IT service providers, cooperation partners, credit and economic information agencies, logistics and shipping companies, marketing and advertising agencies, media, organizations and associations, social institutions, telecommunications companies, and insurance companies.

5. Communication

We process personal data to communicate with third parties. In this context, we process in particular data provided by a data subject when contacting us, for example, by mail or email. We may store such data in an address book or comparable tools.

Third parties who transmit data about other individuals must ensure data protection for such data subjects. This includes ensuring the accuracy of the transmitted personal data.

We use selected services from suitable providers to communicate better with third parties.

We use in particular:

  • Odoo: Platform for all business functions and processes, particularly customer relationship management (CRM); Provider: Odoo SA (Belgium); Data protection information: Privacy Policy, "Odoo Security".

6. Applications

We process personal data about applicants to the extent necessary to assess suitability for an employment relationship or for the subsequent performance of an employment contract. The required personal data is obtained, in particular, from the requested information, for example, as part of a job posting. We may publish job postings with the help of suitable third parties, such as in electronic and print media or on job portals and job platforms.

We also process personal data that applicants voluntarily provide or publish, particularly as part of cover letters, resumes, and other application documents, as well as online profiles.

We process – if and to the extent that the General Data Protection Regulation (GDPR) is applicable – personal data about applicants in particular according to Article 9(2)(b) GDPR.

7. Data Security

We take appropriate technical and organizational measures to ensure data security appropriate to the respective risk. With our measures, we ensure, in particular, the confidentiality, availability, traceability, and integrity of the processed personal data, although absolute data security cannot be guaranteed.

Access to our website and other online presence is secured using transport encryption (SSL / TLS, especially with the Hypertext Transfer Protocol Secure, abbreviated HTTPS). Most browsers warn against visiting websites without transport encryption.

Our digital communication is subject to mass surveillance without cause and suspicion by security authorities in Switzerland, other parts of Europe, the United States of America (USA), and other countries, as is generally the case with all digital communication. We cannot directly influence the corresponding processing of personal data by intelligence agencies, police departments, and other security authorities. We also cannot rule out that a data subject may be specifically monitored.

8. Personal Data Abroad

We generally process personal data in Switzerland and the European Economic Area (EEA). However, we may also export or transfer personal data to other countries, particularly to process it there or have it processed.

We may export personal data to all countries and territories on Earth if the local law ensures adequate data protection in accordance with the decision of the Swiss Federal Council and – if and to the extent that the General Data Protection Regulation (GDPR) is applicable – also in accordance with the decision of the European Commission.

We may transfer personal data to countries whose laws do not ensure adequate data protection, provided that data protection is guaranteed for other reasons, particularly based on standard data protection clauses or other appropriate safeguards. Exceptionally, we may export personal data to countries without adequate or appropriate data protection if the specific data protection requirements are met, such as the explicit consent of the data subjects or a direct connection to the conclusion or performance of a contract. We are happy to provide information about any safeguards or a copy of any safeguards upon request.

9. Rights of Data Subjects

9.1 Data Protection Claims

We grant data subjects all rights under applicable data protection law. Data subjects, in particular, have the following rights:

  • Access: Data subjects can request information on whether we process personal data about them and, if so, which personal data. Data subjects also receive the information necessary to exercise their data protection rights and ensure transparency. This includes the processed personal data as such, but also information about the processing purpose, retention duration, any disclosure or export of data to other countries, and the source of the personal data.
  • Rectification and Restriction: Data subjects can correct incorrect personal data, complete incomplete data, and restrict the processing of their data.
  • Deletion and Objection: Data subjects can request the deletion of personal data ("right to be forgotten") and object to the processing of their data with future effect.
  • Data Portability: Data subjects can request the release of personal data or the transfer of their data to another controller.

We may postpone, restrict, or deny the exercise of the rights of data subjects within the legally permissible framework. We may inform data subjects about any prerequisites that need to be met to exercise their data protection claims. For example, we may refuse access with reference to trade secrets or the protection of other individuals, either wholly or partially. We may also refuse the deletion of personal data with reference to legal retention obligations, either wholly or partially.

We may charge costs for the exercise of rights in exceptional cases. We will inform data subjects of any potential costs in advance.

We are required to take appropriate measures to identify data subjects requesting access or exercising other rights. Data subjects are required to cooperate.

Data subjects have the right to enforce their data protection claims through legal channels or to file a complaint with a data protection supervisory authority.

The data protection supervisory authority for private controllers and federal bodies in Switzerland is the Federal Data Protection and Information Commissioner (FDPIC).

European data protection supervisory authorities – if and to the extent that the General Data Protection Regulation (GDPR) is applicable – are organized as members of the European Data Protection Board (EDPB). In some member states of the European Economic Area (EEA), data protection supervisory authorities are federally structured, particularly in Germany.

10. Use of the Website

10.1 Cookies

We may use cookies. Cookies – both our own cookies (first-party cookies) and cookies from third parties whose services we use (third-party cookies) – are data stored in the browser. Such stored data does not have to be limited to traditional text-form cookies.

Cookies can be stored in the browser temporarily as "session cookies" or for a specified period as so-called permanent cookies. "Session cookies" are automatically deleted when the browser is closed. Permanent cookies have a specific retention period. Cookies allow, in particular, to recognize a browser on the next visit to our website and thus, for example, measure the reach of our website. Permanent cookies can also be used for online marketing.

Cookies can be disabled or deleted at any time in the browser settings, either partially or entirely. Without cookies, our website may no longer be fully available. We request active consent to the use of cookies at least to the extent necessary.

For cookies used for performance and reach measurement or for advertising, a general objection ("opt-out") is possible through the AdChoices (Digital Advertising Alliance of Canada), the Network Advertising Initiative (NAI), YourAdChoices (Digital Advertising Alliance), or Your Online Choices (European Interactive Digital Advertising Alliance, EDAA).

10.2 Logging

We may log at least the following information for each access to our website and other online presence, if such information is transmitted to our digital infrastructure during such access: date and time including time zone, IP address, access status (HTTP status code), operating system including user interface and version, browser including language and version, accessed individual sub-page of our website including transmitted data volume, and the last website accessed in the same browser window (referrer).

We log such information, which may also be personal data, in log files. The information is necessary to provide our online presence permanently, user-friendly, and reliably. The information is also necessary to ensure data security – including by third parties or with the help of third parties.

10.3 Tracking Pixels

We may embed tracking pixels in our online presence. Tracking pixels are also known as web beacons. Tracking pixels – including those from third parties whose services we use – are usually small, invisible images or scripts in JavaScript that are automatically retrieved when accessing our online presence. Tracking pixels can collect at least the same information as log files.

11. Notifications and Communications

11.1 Performance and Reach Measurement

Notifications and communications may contain web links or tracking pixels that record whether an individual notification was opened and which web links were clicked. Such web links and tracking pixels can also record the use of notifications and communications on a personal basis. We need this statistical recording of usage to measure performance and reach, so we can send notifications and communications effectively and user-friendly based on the needs and reading habits of the recipients, and reliably.

As a general rule, you must consent to the use of your email address and other contact addresses unless such use is permitted for other legal reasons. For obtaining a double confirmed consent, we may use the "double opt-in" procedure. In this case, you will receive a notification with instructions for double confirmation. We may log obtained consents, including IP address and timestamp, for evidence and security reasons.

As a general rule, you can object to receiving notifications and communications, such as newsletters, at any time. Such an objection can simultaneously oppose the statistical recording of usage for performance and reach measurement. Required notifications and communications related to our activities and operations are exempt from this.

11.3 Service Providers for Notifications and Communications

We send notifications and communications with the help of specialized service providers.

We use in particular:

12. Social Media

We are present on social media platforms and other online platforms to communicate with interested individuals and inform about our activities and operations. In connection with such platforms, personal data may also be processed outside of Switzerland and the European Economic Area (EEA).

The general terms and conditions (GTC) and terms of use, as well as privacy policies and other provisions of the respective operators of such platforms, apply. These provisions inform, in particular, about the rights of data subjects directly against the respective platform, such as the right of access.

For our social media presence on Facebook including the so-called page insights, we are – if and to the extent that the General Data Protection Regulation (GDPR) is applicable – jointly responsible with Meta Platforms Ireland Limited (Ireland). Meta Platforms Ireland Limited is part of the Meta companies (including in the USA). Page insights provide insights into how visitors interact with our Facebook presence. We use page insights to provide our social media presence on Facebook effectively and user-friendly.

Further information on the nature, scope, and purpose of data processing, information on the rights of data subjects, and contact details of Facebook as well as Facebook's data protection officer can be found in the Facebook Privacy Policy. We have entered into the so-called "Controller Addendum" with Facebook, and have agreed, in particular, that Facebook is responsible for ensuring the rights of data subjects. For page insights, the corresponding information can be found on the "Information about Page Insights" page, including "Information about Page Insights Data".

13. Services of Third Parties

We use services of specialized third parties to perform our activities and operations permanently, user-friendly, securely, and reliably. With such services, we can, among other things, embed functions and content into our website. When embedding, the utilized services collect, at least temporarily, the IP addresses of users for technical reasons.

For necessary security, statistical, and technical purposes, third parties whose services we use may process data related to our activities and operations in an aggregated, anonymized, or pseudonymized manner. This includes performance or usage data necessary to provide the respective service.

We use in particular:

13.1 Digital Infrastructure

We use services of specialized third parties to utilize the necessary digital infrastructure in connection with our activities and operations. These include, for example, hosting and storage services from selected providers.

We use in particular:

13.2 Automation and Integration of Apps and Services

We use specialized platforms to integrate and connect existing apps and services from third parties. With such "no-code" platforms, we can also automate processes and activities with apps and services from third parties.

We use in particular:

13.3 Audio and Video Conferencing

We use specialized services for audio and video conferencing to communicate online. This allows us, for example, to hold virtual meetings or conduct online classes and webinars. For participation in audio and video conferences, the legal texts of the individual services, such as privacy policies and terms of use, apply additionally.

We recommend muting the microphone by default and blurring the background or displaying a virtual background during participation in audio or video conferences, depending on the situation.

13.4 Online Collaboration

We use third-party services to enable online collaboration. In addition to this privacy policy, the terms and conditions of the used services, such as terms of use or privacy policies, may apply.

13.5 Social Media Functions and Social Media Content

We use services and plugins from third parties to embed functions and content from social media platforms and to enable sharing content on social media platforms and other channels.

We use in particular:

13.6 Maps

We use services from third parties to embed maps into our website.

We use in particular:

13.7 Digital Audio and Video Content

We use services from specialized third parties to enable the direct playback of digital audio and video content, such as music or podcasts.

We use in particular:

13.8 Documents

We use services from third parties to embed documents into our website. Such documents may include PDF files, presentations, spreadsheets, and text documents. This enables not only viewing but also editing or commenting on such documents.

We use in particular:

13.9 Fonts

We use services from third parties to embed selected fonts, icons, logos, and symbols into our website.

We use in particular:

13.10 E-Commerce

We operate e-commerce and use services from third parties to offer services, content, or goods successfully.

13.11 Payments

We use specialized service providers to process payments from our customers securely and reliably. For payment processing, the legal texts of the individual service providers, such as general terms and conditions (GTC) or privacy policies, apply additionally.

We use in particular:

13.12 Advertising

We use the option to display targeted advertising with third parties such as social media platforms and search engines for our activities and operations.

We aim to reach individuals who are already interested in our activities and operations or who might be interested (remarketing and targeting). To this end, we may transmit corresponding – possibly also personal – information to third parties who enable such advertising. We can also determine whether our advertising is successful, i.e., whether it leads to visits to our website (conversion tracking).

Third parties with whom we advertise and where you are registered as a user may associate the use of our website with your profile there.

We use in particular:

14. Performance and Reach Measurement

We try to measure the success and reach of our activities and operations. In this context, we may also measure the impact of third-party references or test how different parts or versions of our online offerings are used (A/B testing). Based on the results of performance and reach measurement, we can fix errors, enhance popular content, or make improvements.

For performance and reach measurement, IP addresses of individual users are collected in most cases. IP addresses are generally shortened ("IP masking") to follow the principle of data minimization through the corresponding pseudonymization.

Cookies may be used for performance and reach measurement, and user profiles may be created. Any created user profiles may include, for example, the individual pages visited or viewed content on our website, information about the screen size or browser window, and the – at least approximate – location. Generally, any created user profiles are created exclusively in a pseudonymized manner and are not used to identify individual users. Individual services of third parties where users are registered may associate the use of our online offering with the user account or user profile at the respective service.

We use in particular:

15. Final Provisions

We created this privacy policy using the privacy policy generator from Datenschutzpartner.

We may adapt and supplement this privacy policy at any time. We will inform about such adaptations and supplements in an appropriate manner, particularly by publishing the current privacy policy on our website.